TISS-Taking Information Security Seriously!

TISS – Trust and Information Security? Seriously?? Who are we kidding?

It has now been a long year since I got into blogging, and thanks to all my friends and well-wishers each blog post was prompted by a discussion or a line from them. There has also been a long hiatus in my writing another blog piece for some time. There was quite a bit of activity happening in the infosec arena and definitely big hits in the hacker space. All of this led me to sit back and reflect on the current issues that surround us.

  1. Finger pointing between nations that the other was using cyberspace as the new cold-war front
  2. Several vulnerabilities in Java, Adobe discovered and more pouring in each day
  3. Companies/Agencies that want to use your data for their own ends (Consumer-Spying)
  4. The NSA building a massive data centre to store the data pouring in from all touchpoints
  5. Privacy of the common cybercitizen at inflection point
  6. Security Breaches in organisations holding your consumer data
  7. Governments storing data on each and every citizen, to be trawled and mined
  8. Targeted DOS attacks on Institutions rising
  9. Specific targeted attacks on the White House staff and other governmental agencies

I will only discuss the few prominent topics in this post and keep the others for a later post.

The first 3 months of 2013 saw the number of DOS attacks on UK educational institutions equal the total number of DOS attacks that happened in 2012. This unprecedented rise could mean that these institutions are being used as a test-bed for larger attacks, or simply that reporting mechanisms have improved. However, information about attacks and breaches is not yet openly shared among corporates and other institutions, so it is difficult to pinpoint actual numbers and we have to surmise what is happening. A better judgement of what is actually going on requires maturity in the Information Security industry: while small initiatives are in place, we need a consolidated view that can be shared easily across the industry.

On another track, Information Security is sold to the Infosec Officer, who may well know the threats and what needs to be done. But are we really selling to the CEO and to the Board? The threat scenario needs to be sold at the top level; CIOs/CISOs cannot convince the CEO when large investments are required to ensure the security of the organisation. The language of the security domain needs new translators. It needs to go beyond compliance to something bigger, with revenue loss and reputational damage quantified in justifiable money terms. Product releases have to have security built in from the design stage and not as an add-on. Why not have a Balanced Scorecard that reflects Information Security and Information Governance right there on the Balance Sheet? Proactive Information Security instead of a Defensive Strategy?

There is a definite shortage of information security professionals beyond the tick-marker level. This covers all specialisms: encryption algorithm design, ethical hacking, secure coding, auditing, information governance, et al.

Organisations have to invest more substantially in infosec; especially in trained professionals and ensure that these professionals are well trained and contribute to the Infosec domain knowledge periodically.

Bruce Schneier aptly describes the internet as a surveillance state, and we have to unequivocally admit it. Google, Apple and Facebook all track us, whether we use their services or not. According to one report, 105 companies can track us while we are on the internet (the test was done over a period of 36 hours using the Collusion tool). Schneier goes on to say: “Increasingly, what we do on the Internet is being combined with other data about us. Unmasking Broadwell’s identity involved correlating her Internet activity with her hotel stays. Everything we do now involves computers, and computers produce data as a natural by-product. Everything is now being saved and correlated, and many big-data companies make money by building up intimate profiles of our lives from a variety of sources.

Facebook, for example, correlates your online behavior with your purchasing habits offline. And there’s more. There’s location data from your cell phone, there’s a record of your movements from closed-circuit TVs. This is ubiquitous surveillance: All of us being watched, all the time, and that data is being stored forever. This is what a surveillance state looks like, and it’s efficient beyond the wildest dreams of George Orwell.”

Organisations, corporations and governments have collected the data, and the new mantra is BIG DATA. The resulting problem: how do we secure it? Do we place our trust in our computing ecosystem and the institutions that run it?

Till the next week – TIPS!! Take Individual Privacy Seriously!!

Identify the gentleman in the photo alongside and what is he famous for?


i-spy

Use a privacy screen

Sitting in the train from London to Manchester yesterday, my fellow passenger, an HR Manager in a leading UK bank, pulled out her laptop and started reviewing the numbers for her department: a spreadsheet containing a month-on-month comparison for the business, which made for very interesting reading. Next she started on a report that gave me a detailed understanding of the business model and the financials, which in my view was very confidential and should not have been out in the open.

This report mentioned a few names based out of the practice in Mumbai and indicated the next moves, involving promotions and team details. Not content with this, I went on the internet and figured out her role in the organisation, her colleagues (named in the emails) and their roles within the department, and the nature of the business. As the journey progressed, I was also able to read about a tribunal case in progress against an individual within the organisation.

I am sure that this bank does have a great information security program and regularly holds security awareness within departments, but one does not have to enter the building to get data, this data is provided to the external world by the employees themselves. Employees want access to the data and want to be a part of the mobile workforce, but then this exposes an organisation to great security breaches. I’m sure that a privacy screen would have helped in this case and would have been a very effective solution.

Just for a moment imagine that I was a news reporter, or had a malicious intent; further digging could have yielded more useful information. I have informed the bank that their security awareness should improve.

Employees must understand that with great freedom comes great responsibility.

Bring Your Own Devices – BYOD Challenges

Bring your Own Devices or Bring Your Organisation Down?

BYOD Statistics

Secure corporate infrastructure: Ensure mobile devices are sanitised!

A significantly large number of employees have started bringing their own devices to work, akin to chefs using their own knives. Organisations should get their security policy in place before the proliferation of these devices poses a significant risk to the organisation.

As an example, IBM provides Blackberrys for about 40,000 of its 400,000 workers while 80,000 more use their own smartphones or tablets to access IBM networks. Soon IBM realised that it did not have a grasp on which services and apps employees were using on their phones.

According to a Cisco Systems study, BYOD support will put a tremendous amount of strain on an IT support department: BYOD brings multiple devices running different apps, and organisations still have to ensure quality of service for organisational apps.

  1. Devise a BYOD policy that dovetails with your current policy, by involving managers from all departments. Has your legal department evaluated the privacy and legal risks?
  2. Build a comprehensive AUA (Acceptable Use Agreement). Will users’ devices be seized if there is a legal dispute?
  3. Can the devices in use be selectively wiped? Keep the separation between corporate and personal data.
  4. Work out a simple and secure enrollment strategy, and allow users to configure their devices seamlessly.
  5. Monitor the devices and ensure that jailbroken devices do not hold corporate data. What is the maximum exposure time that has been factored in, say, between discovery of the loss of a mobile device and closure of its access?

Many dismiss the BYOD challenges as myths and say it’s relatively simple; I personally do not think so. Policy development, implementation, sourcing of the right MDM tool, negotiation, vendor selection, deployment and awareness all take considerable time. Organisations are just getting to grips with PC/server hardening and endpoint protection, and now have to deal with the BYOD challenge as well.

Who is paying for the mobile data charges? As long as you are on the company WiFi that’s great! But what about when you are mobile? With Shadow IT and the rise of the underground IT, workers are using more of their own devices, applications and facilities to do the work that their employers need them to do.

Further Reading

Ken Hess on the significant BYOD flaw discovery

James Kendrick thinks that BYOD will cause burnout, putting workers on emails even during vacation.

10 BYOD MDM suites that you can select from

BYOD drives IT underground

IBM stung by BYOD pitfalls

BYOD: The downside is beginning to show

10 Myths of BYOD in the enterprise

Legal Implications of BYOD

Raspberry Pi to reboot computing worldwide

I am now the proud owner of a Raspberry Pi, which is a credit-card size computer that can be connected to a TV and needs just a keyboard/mouse. The Raspberry Pi is very capable of doing your word-processing, spreadsheets, games and also plays high-definition video.
The boot-up is straightforward with a Debian squeeze and took me just 10 minutes to get it up and running (see below). A Fedora or ArchLinux distro may also be used.

Raspberry Pi hooked up to flatscreen TV

The creators of the Raspberry Pi intended this to be used in schools and colleges to shape the future of younger students whose life will be shaped by software. Google is also funding computer teachers and Raspberry Pis in England in a move to reboot computing in the UK. The initiative is likely to power-up the new generation into learning computing skills, akin to what the BBC Micro did in the 1980s. With the current cost of $35 (Model B), it does make good sense that students in developing countries stand to benefit. Old TVs can be put into use, and with low power requirement (4 AA cells), I foresee a revolution in computing in these places.

I shall be keen to see what vulnerabilities this device may have (if any), and I shall be posting on the testing that I carry out in the days to come.

Thanks to my mates Charudatt Uplap for nudging me to get one and Tim Langton for assisting me with the infrastructure and support.

Further reading
http://www.raspberrypi.org
http://www.bbc.co.uk/news/technology-18182280
http://www.guardian.co.uk/technology/2012/mar/04/raspberry-pi-schools-computer-science

How app secure are we?

An important but much overlooked area is the security of applications, whether hosted externally or internally. According to the report ‘Study of Software Related Cybersecurity Risks in Public Companies’ published by Veracode, more than 8 out of 10 web applications from public companies fail when first tested against the OWASP Top 10 vulnerabilities. The actual results are 84% (unacceptable) and 16% (acceptable). Non-web applications suffer a similar fate, with a low acceptable score of 37% when tested against the CWE/SANS Top 25 standard.

Application Security: Are we secure?

Cross-site scripting (XSS) is the most prevalent vulnerability category, affecting 67% of the web applications. The other vulnerabilities include Information Leakage (64%), CRLF Injection (59%), Cryptographic Issues (52%), Directory Traversal (48%) and SQL Injection (32%).

This suggests a number of factors that require consideration; some that come to mind include:

  1. An increasing web application portfolio
    Organisations are rolling out a large number of applications for an enhanced customer experience. Is the CISO in a race against time to secure them?
  2. The need to set aside time for testing the code
    Applications need to be developed in time for a market launch, or for a national day or festival.
    Do strict timelines prevent a comprehensive test from being carried out?
  3. Software engineers may not have knowledge of secure coding
    Have all our application programmers been formally trained and tested in secure application development? Do they understand the risks?
  4. Communication between pen-testers and application programmers
    With the large increase in terminology, application programmers may not grasp the full significance of an issue; or are pen-testers unable to convey the full impact of a vulnerability in terms the programmer understands?
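The categories the Veracode figures above rank (XSS, CRLF injection, directory traversal, SQL injection) each have a well-understood mitigation that a programmer can apply before the pen-tester ever sees the code. The following is an added example, not code from the original post or from the Veracode report: it shows the hardened form of each of those four controls in Python's standard library and runs each one against a constructed sample input. The sample strings, the document root `/srv/app/public` and the `users` table are all assumptions made for the demonstration.

```python
import html
import os
import re
import sqlite3

# Constructed sample inputs for the demonstration below; they do not come
# from the report the post cites.
SAMPLE_XSS = "<script>alert(1)</script>"
SAMPLE_CRLF = "Tue, 01 May 2012 10:00:00 GMT\r\nSet-Cookie: session=attacker"
SAMPLE_TRAVERSAL = "../../../etc/passwd"
SAMPLE_SQLI = "' OR 1=1 --"

_CRLF = re.compile(r"[\r\n]")


def escape_for_html(untrusted: str) -> str:
    """XSS: encode the HTML-significant characters (& < > " ') so the browser
    renders the value as text rather than parsing it as markup."""
    return html.escape(untrusted, quote=True)


def safe_header_value(untrusted: str) -> str:
    """CRLF injection: a CR or LF inside a header value ends the header line,
    letting the caller smuggle in extra headers. Reject rather than strip, so
    the bad input is visible in logs instead of silently rewritten."""
    if _CRLF.search(untrusted):
        raise ValueError("CR/LF not allowed in header value")
    return untrusted


def resolve_under_root(root: str, user_path: str) -> str:
    """Directory traversal: normalise the joined path lexically and confirm it
    still lies under the document root. A deployed file server should also
    apply os.path.realpath so symlinks cannot point outside the root."""
    root = os.path.normpath(os.path.abspath(root))
    candidate = os.path.normpath(os.path.join(root, user_path))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError("path escapes document root")
    return candidate


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with two constructed users (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection: bind the value as a parameter instead of formatting it
    into the statement text, so quotes and comment markers stay literal."""
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchall()


def check_all() -> dict:
    """Run each mitigation against its constructed sample and report outcomes."""
    results = {"xss": escape_for_html(SAMPLE_XSS)}
    try:
        safe_header_value(SAMPLE_CRLF)
        results["crlf"] = "accepted"
    except ValueError:
        results["crlf"] = "rejected"
    try:
        resolve_under_root("/srv/app/public", SAMPLE_TRAVERSAL)
        results["traversal"] = "accepted"
    except ValueError:
        results["traversal"] = "rejected"
    # The injection string is matched as a literal username and finds nothing.
    results["sqli"] = find_user(make_demo_db(), SAMPLE_SQLI)
    return results


if __name__ == "__main__":
    for name, outcome in check_all().items():
        print(f"{name}: {outcome}")
```

Each function is the shape a code review should look for: output encoding at the point of rendering, rejection of control characters in header values, containment of file paths under a fixed root, and parameter binding for every query. A test that feeds these samples through the real request handlers is a cheap addition to the timeline concern raised in point 2 above.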

Software that is not secure gravely undermines our ability to defend ourselves, allowing us to be attacked at will by script-kiddies; and as connectivity grows we lose control of our digital infrastructure. All executives need to consider what risks their organisation is exposed to as a result of insecure applications. I am not venturing into mobile apps here; that opens up another Pandora’s box and will be discussed separately.

Further reading
Top 25 Most Dangerous Software Errors: http://cwe.mitre.org/top25/
Top 10 application security risks: https://www.owasp.org/index.php/Top_10_2010-Main
State of Software Security Report: http://info.veracode.com/state-of-software-security-volume-4-supplement.html

This week’s puzzle: The Triangle

How many Triangles are there in the figure below?

How many Triangles are there?

Can you guess the correct number? If you can email me your answer!

The Enigma Machine and modern day security

During World War II, the Enigma machine was used to send secret messages within the German military. It had a combinatorial strength of 150 million million million to one. It was considered unbreakable, and British Intelligence would have had no easy task in unravelling its secrets. However, the Poles had broken the cipher in 1932 while the machine was undergoing trials; at that time the cipher settings were changed just once a month, compared with wartime when they were changed once every day.

Enigma Machine on display at the Thales Stand at Infosecurity Europe 2012

In 1939 the Poles passed their knowledge on to the British, who were able to exploit this information in the code-breaking effort led by Alan Turing at Bletchley Park. While this was useful, it was not enough on its own to break the large volume of traffic, since the settings now changed daily.

Another important breakthrough was the capture of the submarine U-33 in February 1940. This gave the British access to the rotors (in his haste one of the German sailors forgot to dispose of them and kept them in his pants) and the regulations for sending coded messages. U-110, captured in a daring raid (made famous by the fictional movie U-57), provided the British with another Enigma machine and codebooks. Errors in messages sent by lazy, tired or stressed operators further helped the code-breaking effort.

Over the years we have developed sophisticated systems such as access control, complex passwords, physical access security and so on. But how many of us take this really, really seriously? Looking at the parallels between ENIGMA and our current environment:

1. Secure Installation
During setup and installation of data-centres, have the default passwords been changed to hard-to-guess (ideally impossible-to-guess) passwords across all software, operating systems and network equipment? Or have we just changed the password to a standard phrase that is known throughout the enterprise and across all clients (in case we are working with several clients)? Have we changed the default password on our smartphone?

2. Secure passwords
Do we use just one password for all our email accounts, work, job sites, social media and so on? Do we save our passwords in our email account? On a scrap of paper? In a text file on our computer named ‘Passwords’? What is our definition of a strong password? Do we change our passwords often, and if so, how often? Are we plain careless, or ignorant? Do we send credentials in a single text message/email rather than over separate channels?

3. Secure disposal
How many of us securely destroy confidential documents bearing identifiable information such as our name, address, phone number, credit card numbers? Do we just give away our cellphone with all the data in it in an exchange offer? Have we sold off our old PC with the hard-disk? Do we know who has access to our waste-paper basket?

4. Eavesdropping
How many times have we heard confidential information/passwords in public transport?

5. Loss of equipment
Do we take care NOT to lose our electronic devices in public places? I’m sure that there are surveys of items lost: USB drives, portable Hard-disks, smartphones. (More on this in my next post…)
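The “150 million million million to one” figure quoted at the start of this post, and the question in point 2 above of what counts as a strong password, both come down to counting a key space. The following is an added example, not from the original post or from the Bletchley Park material linked below: it works through the standard Army/Air Force Enigma count (three rotors chosen from five, 26 start positions per rotor, ten plugboard pairs; ring settings are left out of this classic count, which is an assumption of the example) and converts the result to bits so it can be compared with a password alphabet and length. The exact product comes to about 1.59×10^20, the order of magnitude the post rounds to 150 million million million.

```python
import math

# Assumed configuration for the classic Enigma key-space count.
ROTORS_AVAILABLE = 5
ROTORS_IN_USE = 3
ALPHABET = 26
PLUGBOARD_PAIRS = 10


def rotor_orderings(available=ROTORS_AVAILABLE, in_use=ROTORS_IN_USE):
    """Ordered choice of rotors from the box: 5 * 4 * 3 = 60."""
    return math.factorial(available) // math.factorial(available - in_use)


def rotor_start_positions(in_use=ROTORS_IN_USE, alphabet=ALPHABET):
    """Each fitted rotor can start at any letter: 26 ** 3 = 17576."""
    return alphabet ** in_use


def plugboard_pairings(pairs=PLUGBOARD_PAIRS, alphabet=ALPHABET):
    """Ways to connect `pairs` unordered, disjoint letter pairs on the plugboard:
    26! / ((26 - 2p)! * p! * 2**p). For ten pairs this is ~1.5e14, by far the
    largest factor, which is why the plugboard, not the rotors, carried most of
    the machine's combinatorial strength."""
    return math.factorial(alphabet) // (
        math.factorial(alphabet - 2 * pairs) * math.factorial(pairs) * 2 ** pairs
    )


def enigma_key_space():
    """Total daily settings an attacker would have to distinguish between."""
    return rotor_orderings() * rotor_start_positions() * plugboard_pairings()


def bits(key_space):
    """Express a key space as an equivalent number of key bits."""
    return math.log2(key_space)


def password_space_bits(alphabet_size, length):
    """Bits of a uniformly random password of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def rate_to_exhaust(key_space, seconds):
    """Trials per second needed to try every setting before the key changes;
    the daily key change in wartime fixes `seconds` at 86400."""
    return key_space / seconds


if __name__ == "__main__":
    total = enigma_key_space()
    print(f"rotor orderings      : {rotor_orderings()}")
    print(f"rotor start positions: {rotor_start_positions()}")
    print(f"plugboard pairings   : {plugboard_pairings()}")
    print(f"total key space      : {total} (~{bits(total):.1f} bits)")
    print(f"trials/s to exhaust in one day: {rate_to_exhaust(total, 86400):.3g}")
    print(f"11 lowercase letters : {password_space_bits(26, 11):.1f} bits")
    print(f"12 mixed alphanumerics: {password_space_bits(62, 12):.1f} bits")
```

The comparison in the last two lines is the practical point for section 2: the whole daily Enigma setting is worth about 67 bits, less than a random 12-character mixed-case alphanumeric password, and the Polish and British breaks succeeded by bypassing the count (operator errors, captured rotors and codebooks) rather than by exhausting it, which is exactly how weak password handling is exploited today.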

Further reading
http://www.bletchleypark.org.uk/content/hist/wartime.rhtm
http://www.usna.edu/Users/math/wdj/sm230_cooper_enigma.html

A nice simulator for the ENIGMA machine can be found here:
http://enigmaco.de/enigma/enigma.html

Incidentally, it is The Alan Turing Year
http://www.turing.org.uk/turing/
http://www.turingcentenary.eu/

Liars & Outliers

Bruce has touched upon the 16 interdisciplinary and inter-related subject areas (answers can be found in the 16×16 matrix below) that make up the core of his new book. His new book is all about TRUST and SECURITY. Liars & Outliers is an excellent read with just over 16 chapters and a clear focus on how humans developed the trust they needed to survive over the centuries.

Bruce Schneier and Myself at the BT Stand @ Infosecurity Europe 2012

The book poses several ideas that may seem new to us security professionals, such as Dunbar’s numbers, the Red Queen effect and the Hawk-Dove game. Wonderfully explained in Liars and Outliers is the model of trust based on societal, moral, reputational and institutional pressures, which security systems need to address to be effective.

The real world examples help to deep-dive into the human mind to understand conflicts and how humans could respond when torn between personal objectives and corporate objectives.

An excellent read for all security professionals, human resource executives and almost anyone with an interest in interpersonal relationships.

Thank you Bruce for the wonderful opportunity to meet up with you, and to the BT (British Telecom) staff at Infosecurity Europe 2012 who managed to get me a copy of the book. The hospitality at the BT stand was wonderful – and lovely coffee too!!

16 interdisciplinary and inter-related subject areas matrix

The interdisciplinary and inter-related subject areas matrix, can you find all 16? If you get stuck have a look at page 8 of Liars & Outliers. Send an email to me if you find all of them!