The Olympic Spirit

•July 10, 2008 • Leave a Comment

Well less than a month until the 2008 Olympic Games in China.  Many people from around the world have been working very hard to ensure that they are ready for the games.  Not just atheletes but a huge number of support staff.  These people have a huge amount of data relating to their work and the pursuit of excellence in their area of work.  From the competitors side you have info on past and current performance, diet, health, training and ‘tactics’.  Information about family, friends and external factors that influence the behaviour of individuals.  This information is, in some cases, travelling out to China to be on hand as required to use during the games.  There is already and will be much more communication between the teams ‘on site’ and the families or support structures back home. 


But why raise this now?  Well this event is proving to be a real IA challenge for all involved.  This is compounded by the fact that many of the people involved have never come across these issues before in their work and so the user awareness and training issues have been huge.  It would also seem that many organisations and individuals have not been keen to take the advice and guidance available to them.


What are the IA issues?

Confidentiality – Have all reasonable efforts been made to secure the information taken to the games or to be transmitted while at the games?

Integrity – Are the teams sure that the data that they are working from is correct and has not been altered by a third party to reduce or inhibit performance?

Availability – Will the information that the team relies upon to deliver be there when required?


The Chinese authorities have already placed some interesting restrictions on the IT equipment that can be brought to the games and used.  Information relating to OS and firmware on networking equipment is required by the authorities for example. 


Teams are to be all located in one area with full wireless coverage available.  But where does that wireless coverage go before it hits the Internet?  Who owns the GSM infrastructure that provides mobile data services to everyone on site?  Who can ‘see’ all of this traffic as it passes by?


There have already been stories of personal and Team IT equipment arriving only to find on closer inspection that HDDs have been removed and then put back into the wrong individuals laptops while being ‘transported to the facilities’.


When the will to win, national pride and financial gain through gambling combine they produce a very, very strong force.  It would be fool hardy for any team attending the games to ignore good advice on Information Assurance.


My identity may have been compromised

•July 2, 2008 • Leave a Comment



Today is the day..

Who are you?

•June 19, 2008 • 1 Comment

I received a telephone call yesterday on my mobile (cell) phone.  The display showed that the incoming number was withheld.  I answered the call and the lady on the other end explained that she was from the credit card company.  She went on to explain that for her to continue I had to answer some security questions.  ‘Was that OK?’ she asked.  I paused and then replied ‘I am afraid not.  Can you prove who you are and where you are calling from?’.  Why would I present an unknown party with information relating to my identity and possible financial issues?  The caller explained that she could not but went offline to identify with someone else what could be done to continue.


About a minute later she returned and explained that they would just like to know my DOB and postcode and then they would be able to update me on a number of transactions that they wanted to check.  As both of these pieces of information are already in the public domain I agreed and we continued.  The result of the telephone call was that I became reassured that they were paying attention to my account activities and they had provided me with a good service.


There is a straight forward expectation among many organisations and service providers that as they are contacting you, the customer, you should authenticate to them the unknown.  I have seen the same thing when working with clients and conducting exercises on social engineering to review security policies.


Remember ‘Who are you?’  and ‘Can you prove that?’ otherwise it might cost you or your organisation more than you expected.

What Happens on Tour stays on Tour

•June 18, 2008 • Leave a Comment

Longer ago than I care to mention I was on a stag event overseas.  It was the first time that I remember hearing the term “What Happens on Tour stays on Tour”.  Now this was a lighthearted serious statement to ensure that all parties new the position.  The same or similar comment has been used by millions no doubt.  With this comes the capacity for reasonably robust information management.  Were you there?  Then you can discuss events.  If not then you get nothing.  This also appears to work by establishing trust relationships that produce a reputation.  Once a suitable reputation for Information Management (or keeping quiet if you prefer) is established then further events appear to be available.  Failure to adhere to the code and a reputation for Information Leakage is produced.  This tends to result in little or no further event invites at best or ‘direct action’ at worst.


If this system works well for many people and situations and no further training, guidance and participant awareness campaigns are needed why is it completely impossible for individuals working for the private and public sector to protect their information assets?

You could be forgiven for not managing to keep up with the sunami of Information Security issues this last 7 days.  Here are a few links to remind yourself of how well everyone is doing.

These events seem to continue like aftershocks despite policies, procedures and guidlines.


They do demonstrate that despite the recent hysteria around IT issues that Information Assurance is a broader topic.  People will still pick up paper and walk out of the door with it.

Fire and your availability

•June 9, 2008 • Leave a Comment

An incident in London this weekend was another example of why good service continuity plans will support good information assurance.

A fire broke out at an electricty sub-station early on Sunday morning.  There was fire, there was smoke, there was drama…  Then came the energy supplier isolating the supply as you would hope for safety reasons. 

8.51am that is the point when power to Lewisham, Eltham, Sydenham, Brockley, Forest Hill, Catford, Bromley, Beckenham, New Addington and Orpington was stopped.  This affected homes and businesses, communication exchanges and transport services.  Trains, traffic lights and tunnels were affected. 

The power was restored to ‘the majority of locations’ by the evening. 


So how long does your UPS run for?  If you have a generator does it have enough fuel to run for the day without intervention?  Can your support staff effectively work if they cannot get to the building due to transport disruption or a safety cordon?


The Availability of information systems is for many organisations becoming as important, and for some more important than the Confidentiality.  Loss of service, loss of revenue and the loss of reputation due to the reduction of availability are not as acceptable as they once were.  Customers and partner organisation expect a degree of risk assessment and risk management that now extends into the ‘real time’ environments that make information systems and the data they contain.  Business processes can now rely on availability without carefully ensuring that services and systems will meet the expectations.  They soon become business failures.


The metropolitan areas are now quite well served with networking technologies including ‘dark’ or ‘lit’ fibre.  The capacity to use your meshed network to access your data will be significantly reduced if your service providers sites are similarly affected by the incident that has effected you. 

This is just one example of why it is worth taking the time to draft and check your IA policy.  It is worth actually testing the solutions that are inplace to protect the organisation.  It is worth testing or securing suitable assurances from your suppliers that their capacity to meet you requirement includes incidents that are often overlooked in the rush by business managers and accountants to secure that ‘great deal’ i.e. cheaper solution.


IDS/IPS – Good or Bad?

•May 26, 2008 • Leave a Comment

“Which is the best IPS to prevent intrusions on to my network?”

This question was asked by an individual with primary responsibility for a company’s network. I believe the person thought that they were going to receive a short answer. The extensive list of questions asked of them in return was the only logical reply.

The short answer would have been that no such device exists and that like firewalls and anti virus products these solution can, when configured properly (more on that to follow), provide the organisation with more information to enable them to act as they see fit.

Different organisations have different risk appetites and as such they will react to exactly the same ‘alert’ in a different manner. It is important that this appetite to risk is studied and at the least draft policies and procedures for such events are ready. There is little benefit in the implementation of an IDS or IPS if basic system operating procedures and incident procedures are not in place. This will lead to lots of staff time being wasted chasing around trying to make policy and procedure on the fly while the IDS/IPS produces a stream of ‘we are under attack’ events.

So once you have an idea of what appetite for risk the organisation has and some intitial policies and procedures are in place you should ensure that you have a good understanding of the assets that you are trying to protect. For example, there is little point in putting an alarm system on the ground floor of your property leaving your first floor bedroom with big windows and all of your jewelery unsecured.

Can we dive into the Tech bit now? Almost. A check to review the ‘insider threat’ is wise. Should you be monitoring for events associated with inside activity as well as external intrusions on your network? Well using the house example once more, if you have a cleaner or gardener would you trust them to move unattended around your property? What use is your house alarm if it is just protecting the external entry points and not zoned to enable selective protection? This maybe true of your network too.

Once you have made your choice of technology the challenging part starts. Like most administrators when they are starting out in their career and presented with a server that can monitor hundreds or thousands of variables, an IDS/IPS could warn you about everything. This is of no use and yet this is what happens on many installations. Be realistic and expect the process of collecting data, baselining and setting thresholds to take time. Expect false positives. But remember that now you know more about the network activity than you did before.

Here is the problem for many. Not knowing was easier. The expression ‘Not knowing what you did not know’ is often fitting for the ‘before IDS/IPS’ period. With this new information comes the responsibility to investigate and in cases act upon it.

There are examples where relationships between organisations change once an IPS/IDS is in place as a CoCo will mandate activities and standards of the IDS/IPS. These can often be challenging and place additional workload on staff, all of which would not be required if the devices had not been implemented.

So IDS or IPS, Good or Bad? They can be considered both, but in reality they are a good complimentary tool to the network systems provided all of the additional work around them has been completed and resources allocated for the ongoing running and support.

Perceived weakness in device encryption

•May 15, 2008 • Leave a Comment

Over the last month there has been much hype about the demonstration of ‘freezing’ RAM in laptops and then using the extra time gained by the cooling process to extract information from the memory that had not been fulled cleared down once the machine was powered off.


This was immediately used as a marketing tool at the Infosecurity Europe show by a vendor (you know who you are) to highlight the vulnerability of information even on a machine with full disc encryption. 


I was suprised that so many people were taken in by this.  Has no one been conducting proper risk assessments on the data that they are trying to protect?


While technically this is a vulnerability in device encryption there are numerous ways to protect against this issue.

1. Be vigilant to individuals sneeking around with cooling liquids or portable cooling systems that have their eye on your, server/workstation/laptop.

2. Do not leave your device unattended in an insecure location.

3. Use 2 factor authentication for any full disc encryption product.

4. Do not take very sensitive data from a secure working environment.


None of these points are new.  They were relevant before the ‘cooling the RAM’ excitement and they are as relevant now.  Do not be put off using device encryption because someone tells you about this ‘vulnerability’.

Now where did I leave the liquid nitrogen…