Removable Media Security

•February 5, 2009 • 1 Comment

Removable media has been a standard part of information technology systems for many years. It has not been displaced by the ever-expanding networks that connect systems to enable information to be shared.

The various devices that are currently used based on USB or portable storage devices are still accompanied in service by the venerable CD or DVD format.

The relative price of all of these solutions, especially the CD or DVD, and the size and weight of these devices have led people to be less careful with them than would be the case with a laptop, a server or a large storage array.  People do not appear to report a security incident relating to the loss of such a device or disc.

So, to reduce the impact of a lost device or disc, the data can be encrypted. The basics on the use of a strong password are a given and often lamented by myself and others. The difficulty arises with the intended use of the device or disc. For example, where will the device/disc be used? Many organisations will want to share information with other organisations or end points that are outside of their control or sphere of influence. If this is the case then it may not be possible to ensure that the same encryption software is available at the recipient end. This can be resolved by utilising a product that travels with the media itself, so that the means to decrypt is always available alongside the encrypted data.

There are a number of products that will work with portable media devices to achieve this, and some devices come with this capacity built in. Many of these are certified to a standard such as FIPS 140-2. In the UK the equivalent is the CCT mark http://www.cctmark.gov.uk/ (though a smaller group of products has achieved approval under this mark).

Unfortunately the options for CDs or DVDs are not so good. This media is still used in many industries, especially where there is a business need to send large amounts of ad hoc data between organisations.

Information Security Policies should include a section on, or reference to, the organisation's standards for the correct transfer of information to all removable media. This should be paired with technical measures, where required, to enforce these policies and standards and provide additional mitigation against the risk of users transferring unencrypted data to removable media.

So do not overlook the easiest route for your organisation to operate: like water, users will find their way through the cracks in your policies and controls, and you are likely to be the last to know that the data has gone.

Common Criteria vs Vendor Marketing

•November 24, 2008 • Leave a Comment

We are aware of the liberal license used by vendor marketing departments. The latest and greatest shiny object, with the most up to date security or LEDs.

Unfortunately this seems to have extended recently into the area of product certification, often combined with descriptions that are less expansive than they could be. For example, if a product was EAL4 certified it is easy for the marketing department to overlook the fact that only some of the specific models within a range of appliances are actually EAL4.

The next issue is not clearly identifying the functions that are certified for an appliance or solution. For example, certification for the IPsec VPN but not the firewall functionality.

It is very important to review the Target of Evaluation (TOE) for all certification and testing to ensure that what you wish to buy is suitable to meet your business requirements. This must be followed up by actually implementing the device in the correct manner, otherwise you can increase the risks to your business.

If you are preparing to procure solutions, ensure that you check the certification web sites to cross-reference the vendors' web sites.

http://www.commoncriteriaportal.org/

CESG in the UK provide additional resources in this area, which should also be used if the solution is to be utilised with HMG (HM Government).

http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/index.shtml

Where has my log data gone?

•November 24, 2008 • Leave a Comment

I was recently working with a major hardware vendor discussing solutions and the information security aspects to the support services offered. Having had a very bad experience of hardware support many years ago from another vendor (D***), where corporate data with both financial and public safety issues was sent to another company, I was keen to explore the topic.

The final location of the logs was not a great surprise but the contents were. It does seem that a very small amount of business data is included in the system dumps that are required for fault diagnosis. The replication of this support data to ‘follow the sun’ locations around the globe should also be determined.

This should be considered by those responsible for support and services when selecting solutions, as it may affect the business depending on the risk appetite that the organisation has.

Use SSL wisely

•October 26, 2008 • 2 Comments

I am beginning to dislike SSL. It should not be used to pass management traffic in a secure environment, so why do people try and do it?

If you are building a robust infrastructure with security devices in place to review traffic and inspect the contents, then please do not choose to encrypt the management traffic from edge devices to central syslog servers or management information collectors. You may as well stand outside and start ripping $100 bills into pieces. You will never see the compromise coming and, if it is any good, may never even know it occurred.

Community Enhanced Search Results – The Future?

•July 17, 2008 • Leave a Comment

It would appear that Google has been developing along with others the capacity to incorporate Digg style voting on search results. This is likely to be popular, but it will require robust measures to prevent items being buried otherwise there will be no improvement over the current outcomes.

Voting on, or responding to ‘voting’ on, outcomes has produced some knee-jerk issues in the ‘real world’. With the advent of this capacity are we to suffer lots more of this within the information sphere? How quickly might the integrity of the information you seek be reduced? Wikipedia anyone? If the results begin to resemble a Jerry Springer show and ‘popular’ is used to replace ‘accurate’ then we will have created a new way of making our information mining lives harder.

It will be important to have the capacity to choose between ‘standard’ and ‘community enhanced’ search results.

http://www.techcrunch.com/2008/07/16/is-this-the-future-of-search/

Password Recovery

•July 14, 2008 • Leave a Comment

I came across this little solution recently. While the use of FPGAs for this is not very new the clean and neat design of this bit of kit is worth a look. Reason for keeping a tower case :o )

http://www.dataduplication.co.uk/details/tacc1441.html

Oh good it is temp season

•July 12, 2008 • Leave a Comment

At this time of year large parts of the world move into a position of having holidays. Some countries conduct this with focus (France closes and they all head south, nice idea). Many others move to a position where large numbers of staff take time off to holiday with their families. To prevent organisations coming to a complete halt with the exodus, temporary or contract staff are often brought in. This event is known about 12 months in advance and comes round every year, yet many scrabble around at the last minute to find suitably skilled and competent staff.

Once the staff are secured even less effort appears to be taken ensuring that they are suitably trained in the correct processes, practices and procedures of the organisation. They may be shown the specific mechanics of completing their role, if this is particular to the organisation, but it is less likely that they would have signed up to the Acceptable Use Policy (AUP). The chances of a suitable induction including InfoSec awareness and training are slim.

Now, while these people may be from an agency that has vetted and checked the candidates for suitability within the area of work conducted by the client organisation, it is also possible that they are not.

Without well-delivered awareness and training campaigns, organisations can find that the risk to their information systems increases rapidly during this time. Threat actors will move to take advantage of the turmoil and subtle disturbances in the knowledge and running of the business. Many of these will take the form of socially engineered or ‘wetware’ attacks, taking the opportunity to draw out enough information to be pieced together without drawing attention.

So, to ensure that your organisation has a smooth holiday period and that well-rested staff do not return to find more to fix, secure and unpick than there was before they left, re-run your awareness campaigns.

The Olympic Spirit

•July 10, 2008 • Leave a Comment

Well, less than a month until the 2008 Olympic Games in China. Many people from around the world have been working very hard to ensure that they are ready for the games. Not just athletes but a huge number of support staff. These people have a huge amount of data relating to their work and the pursuit of excellence in their area of work. From the competitors' side you have info on past and current performance, diet, health, training and ‘tactics’. Information about family, friends and external factors that influence the behaviour of individuals. This information is, in some cases, travelling out to China to be on hand as required for use during the games. There is already, and will be, much more communication between the teams ‘on site’ and the families or support structures back home.

But why raise this now? Well, this event is proving to be a real IA (Information Assurance) challenge for all involved. This is compounded by the fact that many of the people involved have never come across these issues before in their work, and so the user awareness and training issues have been huge. It would also seem that many organisations and individuals have not been keen to take the advice and guidance available to them.

What are the IA issues?

Confidentiality – Have all reasonable efforts been made to secure the information taken to the games or to be transmitted while at the games?

Integrity – Are the teams sure that the data that they are working from is correct and has not been altered by a third party to reduce or inhibit performance?

Availability – Will the information that the team relies upon to deliver be there when required?

The Chinese authorities have already placed some interesting restrictions on the IT equipment that can be brought to the games and used. Information relating to the OS and firmware on networking equipment is required by the authorities, for example.

Teams are all to be located in one area with full wireless coverage available. But where does that wireless coverage go before it hits the Internet? Who owns the GSM infrastructure that provides mobile data services to everyone on site? Who can ‘see’ all of this traffic as it passes by?

There have already been stories of personal and team IT equipment arriving only to find, on closer inspection, that HDDs have been removed and then put back into the wrong individuals' laptops while being ‘transported to the facilities’.

When the will to win, national pride and financial gain through gambling combine, they produce a very, very strong force. It would be foolhardy for any team attending the games to ignore good advice on Information Assurance.

My identity may have been compromised

•July 2, 2008 • Leave a Comment

Today is the day...

Who are you?

•June 19, 2008 • 1 Comment

I received a telephone call yesterday on my mobile (cell) phone. The display showed that the incoming number was withheld. I answered the call and the lady on the other end explained that she was from the credit card company. She went on to explain that for her to continue I had to answer some security questions. ‘Was that OK?’ she asked. I paused and then replied ‘I am afraid not. Can you prove who you are and where you are calling from?’. Why would I present an unknown party with information relating to my identity and possible financial issues? The caller explained that she could not, but went offline to identify with someone else what could be done to continue.

About a minute later she returned and explained that they would just like to know my DOB and postcode, and then they would be able to update me on a number of transactions that they wanted to check. As both of these pieces of information are already in the public domain I agreed and we continued. The result of the telephone call was that I became reassured that they were paying attention to my account activities and they had provided me with a good service.

There is a straightforward expectation among many organisations and service providers that, as they are contacting you, the customer, you should authenticate yourself to them, the unknown party. I have seen the same thing when working with clients and conducting exercises on social engineering to review security policies.

Remember ‘Who are you?’ and ‘Can you prove that?’, otherwise it might cost you or your organisation more than you expected.