What Happens on Tour stays on Tour

•June 18, 2008

Longer ago than I care to mention I was on a stag event overseas. It was the first time that I remember hearing the term “What Happens on Tour stays on Tour”. This was a lighthearted but serious statement to ensure that all parties knew the position. The same or similar comment has no doubt been used by millions. With it comes the capacity for reasonably robust information management. Were you there? Then you can discuss events. If not, then you get nothing. This also appears to work by establishing trust relationships that produce a reputation. Once a suitable reputation for Information Management (or keeping quiet, if you prefer) is established, further events appear to become available. Fail to adhere to the code and a reputation for Information Leakage is produced. This tends to result in little or no further event invites at best, or ‘direct action’ at worst.


If this system works well for many people and situations, and no further training, guidance or participant awareness campaigns are needed, why is it completely impossible for individuals working in the private and public sector to protect their information assets?

You could be forgiven for not managing to keep up with the tsunami of Information Security issues over the last 7 days. Here are a few links to remind yourself of how well everyone is doing.

http://news.bbc.co.uk/1/hi/uk/7449845.stm

http://www.theregister.co.uk/2008/06/16/more_papers_go_missing/

http://www.theregister.co.uk/2008/06/17/blears_laptop/

http://news.bbc.co.uk/1/hi/world/7461619.stm

These events seem to continue like aftershocks despite policies, procedures and guidelines.


They do demonstrate that, despite the recent hysteria around IT issues, Information Assurance is a broader topic. People will still pick up paper and walk out of the door with it.

Fire and your availability

•June 9, 2008

An incident in London this weekend was another example of why good service continuity plans will support good information assurance.

A fire broke out at an electricity sub-station early on Sunday morning. There was fire, there was smoke, there was drama… Then came the energy supplier isolating the supply, as you would hope, for safety reasons.

8.51am was the point when power to Lewisham, Eltham, Sydenham, Brockley, Forest Hill, Catford, Bromley, Beckenham, New Addington and Orpington was cut. This affected homes and businesses, communication exchanges and transport services. Trains, traffic lights and tunnels were affected.

The power was restored to ‘the majority of locations’ by the evening. 


So how long does your UPS run for?  If you have a generator does it have enough fuel to run for the day without intervention?  Can your support staff effectively work if they cannot get to the building due to transport disruption or a safety cordon?


For many organisations the Availability of information systems is becoming as important as Confidentiality, and for some more important. Loss of service, loss of revenue and the loss of reputation due to reduced availability are not as acceptable as they once were. Customers and partner organisations expect a degree of risk assessment and risk management that now extends into the ‘real time’ environments that make up information systems and the data they contain. Business processes that rely on availability without carefully ensuring that services and systems will meet those expectations soon become business failures.


The metropolitan areas are now quite well served with networking technologies, including ‘dark’ or ‘lit’ fibre. The capacity to use your meshed network to access your data will be significantly reduced if your service provider's sites are affected by the same incident that has affected you.

This is just one example of why it is worth taking the time to draft and check your IA policy. It is worth actually testing the solutions that are in place to protect the organisation. It is worth testing, or securing suitable assurances from your suppliers, that their capacity to meet your requirement includes incidents that are often overlooked in the rush by business managers and accountants to secure that ‘great deal’, i.e. the cheaper solution.


http://news.bbc.co.uk/1/hi/england/london/7442424.stm


IDS/IPS – Good or Bad?

•May 26, 2008

“Which is the best IPS to prevent intrusions on to my network?”

This question was asked by an individual with primary responsibility for a company’s network. I believe the person thought that they were going to receive a short answer. The extensive list of questions asked of them in return was the only logical reply.

The short answer would have been that no such device exists and that, like firewalls and anti-virus products, these solutions can, when configured properly (more on that to follow), provide the organisation with more information to enable it to act as it sees fit.

Different organisations have different risk appetites and as such they will react to exactly the same ‘alert’ in a different manner. It is important that this appetite for risk is studied and that, at the very least, draft policies and procedures for such events are ready. There is little benefit in implementing an IDS or IPS if basic system operating procedures and incident procedures are not in place. This will lead to lots of staff time being wasted chasing around trying to make policy and procedure on the fly while the IDS/IPS produces a stream of ‘we are under attack’ events.

So once you have an idea of what appetite for risk the organisation has, and some initial policies and procedures are in place, you should ensure that you have a good understanding of the assets that you are trying to protect. For example, there is little point in putting an alarm system on the ground floor of your property while leaving your first floor bedroom, with its big windows and all of your jewellery, unsecured.

Can we dive into the tech bit now? Almost. A check to review the ‘insider threat’ is wise. Should you be monitoring for events associated with inside activity as well as external intrusions on your network? Using the house example once more: if you have a cleaner or gardener, would you trust them to move unattended around your property? What use is your house alarm if it is just protecting the external entry points and not zoned to enable selective protection? This may be true of your network too.

Once you have made your choice of technology the challenging part starts. Like the server that can monitor hundreds or thousands of variables, which most administrators meet when starting out in their career, an IDS/IPS could warn you about everything. This is of no use, and yet this is what happens on many installations. Be realistic and expect the process of collecting data, baselining and setting thresholds to take time. Expect false positives. But remember that you now know more about the network activity than you did before.

Here is the problem for many. Not knowing was easier. The expression ‘not knowing what you did not know’ is often fitting for the ‘before IDS/IPS’ period. With this new information comes the responsibility to investigate and, in some cases, act upon it.
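The baselining and threshold-setting step described above, as an added example that is not part of the original post: it builds a per-signature hourly baseline from one quiet day of constructed alert lines (an invented "timestamp|signature|src|dst" format, not any particular product's) and then reports only the hours of the next day that break away from it, so the analyst sees one burst rather than every alert.

```python
"""Baseline IDS alert volumes per signature and report only the hours that
break away from that baseline, instead of paging on every single alert.
Added example, not code from the original post. Assumptions: alerts arrive
one per line in a constructed "timestamp|signature|src|dst" format; an hour
is flagged only when a signature's count exceeds BOTH its baseline mean plus
K standard deviations AND an absolute floor (so a rare signature cannot be
flagged on a count of two)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

K = 3.0        # standard deviations above the baseline mean that count as a spike
MIN_FLOOR = 5  # an hour is never flagged below this absolute count

def day_hours(day):
    # all 24 hour buckets of a day, so that quiet hours are counted as zero
    start = datetime.strptime(day, "%Y-%m-%d")
    return [start + timedelta(hours=h) for h in range(24)]

def hourly_counts(lines):
    # signature -> hour bucket -> number of alerts
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, sig, _src, _dst = line.strip().split("|")
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(minute=0, second=0)
        counts[sig][hour] += 1
    return counts

def build_baseline(lines, hours):
    # mean and population std dev of each signature's hourly count
    baseline = {}
    for sig, per_hour in hourly_counts(lines).items():
        samples = [per_hour.get(h, 0) for h in hours]
        baseline[sig] = (mean(samples), pstdev(samples))
    return baseline

def flag_spikes(lines, baseline, hours):
    # (signature, hour, count) for every hour above its threshold; a signature
    # absent from the baseline gets mean 0 / sd 0, so only the floor applies
    flagged = []
    for sig, per_hour in hourly_counts(lines).items():
        avg, sd = baseline.get(sig, (0.0, 0.0))
        threshold = max(avg + K * sd, MIN_FLOOR)
        for h in hours:
            n = per_hour.get(h, 0)
            if n > threshold:
                flagged.append((sig, h.strftime("%Y-%m-%d %H:00"), n))
    return sorted(flagged)

def constructed_alerts(day, burst=False):
    # constructed sample day: steady ICMP noise, an occasional SMB probe and,
    # if burst is set, 30 SMB probe alerts packed into the 02:00 hour
    lines = []
    for hour in range(24):
        for i in range(8):   # 8 ICMP PING alerts every hour: pure background
            lines.append(f"{day} {hour:02d}:{i:02d}:00|ICMP PING|10.0.0.{i}|10.0.0.1")
        if hour % 3 == 0:    # one SMB probe every third hour
            lines.append(f"{day} {hour:02d}:30:00|SMB probe|10.0.0.9|10.0.0.20")
    if burst:
        for i in range(30):
            lines.append(f"{day} 02:{i:02d}:10|SMB probe|192.0.2.7|10.0.0.{i}")
    return lines

def run_demo():
    # baseline on a quiet day, then evaluate the day containing the burst
    baseline = build_baseline(constructed_alerts("2008-05-24"), day_hours("2008-05-24"))
    return flag_spikes(constructed_alerts("2008-05-25", burst=True), baseline,
                       day_hours("2008-05-25"))
```

The steady ICMP noise never trips its own threshold, while the thirty SMB probe alerts in one hour do; tuning K and MIN_FLOOR per environment is exactly the time-consuming part the post warns about.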

There are examples where relationships between organisations change once an IPS/IDS is in place, as a CoCo (code of connection) will mandate activities and standards for the IDS/IPS. These can often be challenging and place additional workload on staff, none of which would be required if the devices had not been implemented.

So IDS or IPS, Good or Bad? They can be considered both, but in reality they are a good complementary tool to the network systems, provided all of the additional work around them has been completed and resources allocated for the ongoing running and support.

Perceived weakness in device encryption

•May 15, 2008

Over the last month there has been much hype about the demonstration of ‘freezing’ RAM in laptops and then using the extra time gained by the cooling process to extract information from memory that had not been fully cleared once the machine was powered off.


This was immediately used as a marketing tool at the Infosecurity Europe show by a vendor (you know who you are) to highlight the vulnerability of information even on a machine with full disc encryption. 


I was surprised that so many people were taken in by this. Has no one been conducting proper risk assessments on the data that they are trying to protect?


While technically this is a vulnerability in device encryption, there are numerous ways to protect against this issue.

1. Be vigilant for individuals sneaking around with cooling liquids or portable cooling systems who have their eye on your server/workstation/laptop.

2. Do not leave your device unattended in an insecure location.

3. Use two-factor authentication for any full disc encryption product.

4. Do not take very sensitive data from a secure working environment.


None of these points are new.  They were relevant before the ‘cooling the RAM’ excitement and they are as relevant now.  Do not be put off using device encryption because someone tells you about this ‘vulnerability’.

Now where did I leave the liquid nitrogen…


Woman 4 times more likely than men to give passwords for chocolate

•April 16, 2008

This is a nice little story the week before the big show. It is good to highlight issues, including a key aspect of Information Assurance: Integrity. Can you prove the passwords were real? Not too easily. That is not the point of an awareness campaign though.

http://blogs.guardian.co.uk/technology/2008/04/16/woman_4_times_more_likely_than_men_to_give_passwords_for_chocolate.html


Mobile device policy enforcement

•April 13, 2008

It is now possible to implement policies within Windows Mobile 6.1 and Exchange 2007 SP1 to enable or prevent services on mobile devices. This is a good step forward and should enable the use of Windows Mobile devices to be considered as enterprise end points in environments where strong controls are required.

The capacity to disable camera and Bluetooth features is a welcome addition. Both of these features are much loved by many businesses and individual users and provide some real benefit to them. There are however a number of environments where the choice of handset has been limited because many ‘business handsets’ and Windows devices provide too many features, creating compliance issues for the organisational IA or InfoSec policies. Design secrets or secure installations do not enjoy the benefits of a 3 megapixel camera being available to mobile phone users. The ‘benefit’ to business of the always-on Bluetooth culture can now be managed in a way that should enable an enterprise to reduce the risk of employees having their devices remotely accessed as they move around restaurants, coffee shops and bars.

Now if only you could enable a policy to ensure that people stopped leaving the mobile devices in cabs, restaurants, bars….



Chip ‘n’ Pin

•April 11, 2008

Last month the BBC ran a story about how nice and safe the card readers involved in the ‘Chip ‘n’ Pin’ process for purchases were. These devices had been amended to enable the card information and the PIN to be stolen, in effect acting in a manner similar to a key logger. This is quite a problem, as most people are not in a position to ensure that no one has tampered with the device into which they place their card and PIN. One of the reasons that this is even possible is the limited security between the card and the reader. This is not secured in earlier cards (apparently if your card has been issued since the start of 2008 then the ‘improved technology’ will protect you…). Why would you not encrypt all data sent from the card and keypad to the banking system? Why would you not make the devices tamper-proof?

I have never understood why the banks and retailers did not take the opportunity to combine the ‘Chip ‘n’ Pin’ technology with the existing technology… a signature! By combining the two you would reduce the threat further, as duplicate cards made with the stolen electronic data would have to carry the signature foils as well.

If you have ever implemented two-factor authentication systems you will be familiar with the addition of the token information to your existing authentication details, such as a unique username and (strong!) password. Try convincing an accreditor that the new system with a token no longer needs the strong password.

Electronic Threats 2008

•March 10, 2008

The evolution of events in 2007, where the ‘Spamthru’ trojan moved on to become the ‘Storm Worm’, is leaving the threat landscape with a lasting issue for 2008. The great ‘success’ of Fast Flux or Bullet Proof Hosting has enabled the malware to keep a large install base across the globe. This resilience is enabling the controllers to continue delivering ‘services’ from the bots. The capacity of this network is beyond the current use observed by the security vendors working to protect their customers and reduce the threat landscape. The bots have a theoretical spamming capacity almost 10 times the current activity. But it is not just the volume of traffic that differs from the past. The traffic profile has also changed from the previous bots and spam engines. The new profile that can be measured is now narrow spikes of activity, timed to reduce the chances of an electronic fingerprint being created for the spam message and associated malware. If this is achieved then the success of delivering the spam is increased. The fine tuning of this has been reviewed over the past 12 months and it can be shown that the time frame for the attack is as short as 11 minutes.

The history of these botnets, and even the earlier mechanisms for spam and malware distribution, has been one of untargeted or ‘carpet spamming’. The growing trend for 2008 is targeted distribution based on the aggregation of relevant information relating to individuals or positions within organisations, based upon their business. These are growing to be very sophisticated, and individuals are unwittingly assisting the criminals by publishing greater and greater volumes of information about themselves directly onto the web. The continued growth and enthusiasm for social networking sites, combined with public records, are making the targeting easier and easier. Individuals need to pay much closer attention to the way that they propagate information about themselves and how it will affect them individually and as an employee. Some companies have witnessed targeted attacks escalate from a couple a week to almost 1,000 in a few hours per day. This is a real and growing threat.

So what is being delivered through this increase in sophisticated, targeted, swift and resilient infrastructure?

Well, this is changing also. The number of direct attachments to mail items is reducing. A decade of internet-based email in common use in industry and in the home has led (very slowly…) to some awareness of the risks of attachments. Some of this is due to real incidents and some to urban myths, but whichever is the most effective, the result can be the same: some degree of thought prior to opening an attachment (but only a little). The rise (also slow!) in AV products deployed properly and kept up to date in the work environment and within the domestic situation is beginning to reduce the effectiveness of attachment-based vectors. The growing trend is now malware behind URLs within the email message. These are very rarely blocked by AV/AS tools or firewall applications. They really do require another round of education for people who do not work within IT Sec or InfoSec. So many email messages have URLs in them that it is difficult to get this message across. They are almost like background noise; you could be forgiven for not noticing them at first. But beware, these are a real risk to you…
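One defensive check a mail gateway or awareness tool can apply to the URL-in-message vector discussed above, as an added example that is not part of the original post: parse the HTML body, collect every link, and flag anchors whose visible text names one host while the href points somewhere else, or whose href is a bare IP address. The message is constructed; the host-matching heuristic is the author's assumption and is meant to sit alongside, not replace, URL reputation and AV scanning.

```python
"""Flag deceptive links in an e-mail: anchors whose visible text names one
host while the href points at another, or whose href is a bare IP address.
Added example, not code from the original post; the message is constructed
and the checks are heuristics, assumed to complement reputation/AV tools."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHOWN_HOST = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []   # (href, visible text)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def norm(host):
    # compare names case-insensitively and without a leading www.
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def suspicious_links(raw_message):
    # (href, visible text, reason) for each anchor that fails a check
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = AnchorCollector()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.anchors:
        host = norm(urlparse(href).hostname or "")
        m = SHOWN_HOST.search(text)          # does the visible text name a host?
        shown = norm(m.group(1)) if m else host
        if IPV4.match(host):
            findings.append((href, text, "href points at a bare IP address"))
        elif host != shown and not host.endswith("." + shown):
            findings.append((href, text, "visible text names a different host"))
    return findings

CONSTRUCTED_MAIL = """\
From: "Account Team" <alerts@example-bank.com>
To: someone@example.org
Subject: Please confirm your details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Help: <a href="http://www.example-bank.com/help">www.example-bank.com/help</a></p>
<p>Confirm: <a href="http://192.0.2.55/login">https://www.example-bank.com/login</a></p>
<p>Offers: <a href="http://example-bank.com.evil.test/x">example-bank.com</a></p>
</body></html>
"""
```

The first link is honest and passes; the second hides an IP behind a familiar-looking URL, and the third uses the real name as a subdomain of an unrelated host, which is why the comparison checks the right-hand end of the hostname rather than a substring.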

Vulnerability Patch Testing

•February 5, 2008

Is testing patches really worth it?

Usually when patches are released, IT departments should be taking the patches and running their test procedures to determine any business impact from implementing the patch. This can include preventing that important application in marketing from working, but mostly the crayons are still OK. After this has happened within the separated Test Environment, the Change Control Procedure is conducted before the new patch is deployed into the live environment of the organisation.

Now in one or two organisations this process may be slightly less rigorous than in others. The process takes time and resources. A risk assessment should have been undertaken to determine the likelihood and impact of the vulnerability being exploited for that organisation. It could take a week or more to conduct this process effectively.

So we then ask: ‘How long does it take from the patch for a vulnerability being released to the first attacks using that vulnerability being available?’ …

This used to be a time frame in keeping with the effective testing and change control process above; recently, though, it appears that the game has moved on. It has been shown that attacks are often available 4 days after Patch Tuesday, and in some cases even faster.

The combination of less than perfect ‘test environments and procedures’ and short timescales to attacks being available has led several large organisations to consider deploying patches as soon as they are released in order to protect their systems. This view is assisted by ever expanding mechanisms for application and system delivery, including thin client, centralised virtual desktops and application virtualisation. By providing the capacity to ‘roll back’ to a known state swiftly and effectively, it is becoming possible for organisations to reduce the risk in patching early and gain the benefits.

To lose one laptop may be regarded as a misfortune; to lose many looks like carelessness

•January 21, 2008

Mobile computing is a marvel of the modern age. Only a generation ago a portable computer required a healthy physique to carry it around and use in the manner advertised or intended. Fast forward to today and many people will know of families where the children have a laptop rather than access to a regular PC. They can be seen used everywhere: planes, trains and, yes, automobiles (have you seen them perched on the dashboards of European trucks as they trundle along the motorways?).

The reduced weight has really brought the use of mobile computing to the fore. There does appear to be a downside: physically keeping hold of what is yours.

In the last week the media has once again highlighted several instances of organisations ‘losing’ laptops.  The loss of these is likely to be very inconvenient for the people who were meant to use them.  It is however the wealth of information that can be extracted from the devices that is of grave concern to everyone else.

First to break cover was Middlesbrough Council with the loss of 9 laptops containing sensitive Social Care information relating to a reported 63 cases. It was explained, when asked about security and the possibility of encryption, that some measures were in place but the Council had an ‘ad hoc’ attitude to Information Security. It also became clear that the Council had suffered a burglary and the loss of another laptop last year.

Only days later the next story to break related to the loss of another laptop, this time from the MOD. The data this time included a reasonable amount of personal data for 600,000 people. When the question about security was raised, a very surprised answer came that this laptop also had no drive encryption software in use.

This leads to so many questions. Why did a laptop contain so much live data that should be securely stored in a database in a data centre? Why was no full disc encryption tool deployed to this device, as outlined by organisations such as CESG? Why was nothing changed after the previous losses?

Oh yes, previous losses… roll call:

Two military laptops containing the unencrypted details of at least 500 military personnel and potential new recruits had been lost in the last two years.

68 MoD laptops were stolen in 2007

66 in 2006

40 in 2005

173 in 2004

After that number you might expect that taking your own advice on security seriously would be important, but apparently not. We have been told that they are recalling all the similar laptops.

Let this be a lesson to any organisation. A laptop will cost you £450 and drive encryption software can be purchased for approx £80. The overall cost compared to the risk is low. If you create, read, transport, store or use sensitive information relating to your line of business, be smart: secure the information.