Removable Media Security

•February 5, 2009 • 1 Comment

Removable media has been a standard part of information technology systems for many years, and the ever-expanding networks that connect systems so that information can be shared have not displaced it.

The USB sticks and other portable storage devices in current use are still accompanied in service by the venerable CD and DVD.

The low price of all of these options, especially the CD or DVD, together with their small size and weight, leads people to treat them less carefully than they would a laptop, a server or a large storage array.  Nor do people appear to report the loss of such a device or disc as a security incident.

So, to reduce the impact of a lost device or disc, the data on it can be encrypted.  The basics of choosing a strong password are a given, and are often lamented by myself and others.  The difficulty arises with the intended use of the device or disc: where will it be used?  Many organisations want to share information with other organisations or endpoints that are outside their control or sphere of influence.  If so, it may not be possible to ensure that the same encryption software is available at the recipient end.  This can be resolved by using a product that travels with the media itself, so that the means of decryption is always available alongside the encrypted data.

A number of products will work with portable media devices to achieve this, and some devices have the capability built in.  Many of these are certified to a standard such as FIPS 140-2.  In the UK the nearest equivalent is the CCT Mark (CESG Claims Tested Mark), though a smaller group of products has achieved that approval.  In either case, check that the model and firmware version you are buying is the one named on the certificate, not merely one in the same product range.

Unfortunately the options for CDs and DVDs are not so good.  This media is still used in many industries, especially where there is a business need to send large amounts of ad hoc data between organisations.

Information security policies should include a section on, or a reference to, the organisation's standards for transferring information to any removable media.  These should be backed, where required, by technical measures that enforce the policies and standards (for example, device control that blocks writes to removable drives, or endpoint encryption that is applied automatically) to provide additional mitigation against the risk of users copying unencrypted data to removable media.
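As an added example of the kind of technical measure that can back such a policy (this is not from the original post, nor from any product mentioned here), the following PowerShell sets the registry values that the Windows Group Policy settings under "Removable Storage Access" write, denying write access to removable disks and to CD/DVD drives while leaving reads allowed. The registry path and the two device-class GUIDs are the ones used by that policy (taken from the RemovableStorage.admx template; verify against the template on your own build); the choice of classes and the reporting at the end are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: deny writes to removable disks and CD/DVD drives by setting the
# values behind the Group Policy "Removable Storage Access" settings. Run from an
# elevated PowerShell session. Reading stays allowed so received media can still
# be used; only writing (copying data off the machine) is blocked.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs used by the policy (assumed from the RemovableStorage.admx
# template): removable disks (USB sticks, etc.) and CD/DVD drives.
$DeviceClasses = @{
    'RemovableDisks' = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    'CdAndDvd'       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

foreach ($Name in $DeviceClasses.Keys) {
    $KeyPath = Join-Path $PolicyRoot $DeviceClasses[$Name]
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Deny_Write = 1 blocks writes for this device class; Deny_Read and
    # Deny_Execute are left unset, so they remain allowed.
    New-ItemProperty -Path $KeyPath -Name 'Deny_Write' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Write-Host "Deny_Write set for $Name ($($DeviceClasses[$Name]))"
}

# Check: list the effective values so an auditor can confirm the control is in
# place on this host before relying on it.
Get-ChildItem -Path $PolicyRoot | ForEach-Object {
    [PSCustomObject]@{
        DeviceClass = $_.PSChildName
        DenyWrite   = (Get-ItemProperty -Path $_.PSPath).Deny_Write
    }
}
```

On a domain-joined estate the same settings should be deployed by Group Policy rather than set by hand, so that they are enforced centrally and a local change is overwritten at the next policy refresh; the script is most useful on standalone machines and as a quick check that the policy has actually landed on a given host.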

So do not overlook the easiest route by which your organisation's people get their work done: like water, users will find their way through the cracks in your policies and controls, and you are likely to be the last to know that the data has gone.


Common Criteria vs Vendor Marketing

•November 24, 2008 • Leave a Comment

We are all aware of the liberal licence taken by vendor marketing departments: the latest and greatest shiny object, with the most up-to-date security, or at least the most LEDs.

Unfortunately this seems recently to have extended into the area of product certification, often combined with descriptions that are less complete than they could be. For example, if a product range is described as EAL4 certified, it is easy for the marketing department to overlook the fact that only some of the specific models within the range of appliances actually hold the certification.

The next issue is a failure to identify clearly which functions of an appliance or solution are certified: for example, certification of the IPsec VPN but not of the firewall functionality.

It is very important to review the Target of Evaluation (TOE) for every certification and test to ensure that what you wish to buy is suitable to meet your business requirements. The EAL only says how rigorously the product was evaluated; the Security Target says what was evaluated, and only the functions inside the TOE, in the configuration the evaluation assumed, are covered. This must be followed up by actually implementing the device in that evaluated configuration, otherwise you can increase the risks to your business.

If you are preparing to procure solutions, check the certification scheme's own web site and cross-reference it against the claims on the vendor's web site.

CESG in the UK provides additional resources in this area, which should also be used if the solution is to be deployed with HMG.

Where has my log data gone?

•November 24, 2008 • Leave a Comment

I was recently working with a major hardware vendor discussing solutions and the information security aspects of the support services offered. Having had a very bad experience of hardware support many years ago from another vendor (D***), where corporate data with both financial and public safety implications was sent to another company, I was keen to explore the topic.

The final location of the logs was not a great surprise, but the contents were. It does seem that a very small amount of business data is included in the system dumps that are required for fault diagnosis. The replication of this support data to 'follow the sun' locations around the globe should also be determined.

Those responsible for support and services should consider this when selecting solutions, as it may affect the business depending on the organisation's risk appetite.

Use SSL wisely

•October 26, 2008 • 2 Comments

I am beginning to dislike SSL. It should not be used to pass management traffic in a secure environment, so why do people try and do it?

If you are building a robust infrastructure, with security devices in place to review traffic and inspect its contents, then please do not choose to encrypt the management traffic from edge devices to central syslog servers or management information collectors. You may as well stand outside and start ripping $100 bills into pieces.  You will never see the compromise coming, and if the attacker is any good you may never even know it occurred.

Community Enhanced Search Results – The Future?

•July 17, 2008 • Leave a Comment

It would appear that Google, along with others, has been developing the capacity to incorporate Digg-style voting on search results. This is likely to be popular, but it will require robust measures to prevent items being buried, otherwise there will be no improvement over the current outcomes.

Voting on, or responding to 'voting' on, outcomes has produced some knee-jerk issues in the 'real world'. With the advent of this capacity are we to suffer lots more of this within the information sphere? How quickly might the integrity of the information you seek be reduced? Wikipedia, anyone? If the results begin to resemble a Jerry Springer show and popularity is used in place of accuracy, then we will have created a new way of making our information-mining lives harder.

It will be important to have the capacity to choose between ‘standard’ and ‘community enhanced’ search results.

Password Recovery

•July 14, 2008 • Leave a Comment

I came across this little solution recently. While the use of FPGAs for this is not very new, the clean and neat design of this bit of kit is worth a look. A reason for keeping a tower case :o)

Oh good it is temp season

•July 12, 2008 • Leave a Comment

At this time of year large parts of the world go on holiday. Some countries do this with focus (France closes and everyone heads south, a nice idea). In many others, large numbers of staff take time off to holiday with their families. To prevent organisations coming to a complete halt during the exodus, temporary or contract staff are often brought in. This event is known about twelve months in advance and comes round every year, yet many scrabble around at the last minute to find suitably skilled and competent staff.

Once the staff are secured, even less effort appears to go into ensuring that they are suitably trained in the organisation's processes, practices and procedures. They may be shown the specific mechanics of their role, if these are particular to the organisation, but it is less likely that they will have signed up to the Acceptable Use Policy (AUP). The chances of a proper induction including information security awareness and training are slim.

These people may come from an agency that has vetted and checked the candidates for suitability in the client organisation's area of work; it is equally possible that they have not been checked at all.

Without well-delivered awareness and training campaigns, organisations can find that the risk to their information systems increases rapidly during this period. Threat actors will move to take advantage of the turmoil and the subtle disturbances in the knowledge and running of the business. Many of these attacks will be socially engineered ('wetware') attacks, taking the opportunity to draw out enough information to be pieced together without drawing attention.

So ensure that your organisation has a smooth holiday period, and that well-rested staff do not return to find more to fix, secure and unpick than there was before they left: re-run your awareness campaigns.