

Showing posts from 2012

Infosec Professional 2012 Review

This is the 2012 Infosec Professional review, containing all the articles and interviews from the past 12 months.  It's been a fascinating year from an information security perspective, with some eye-watering data breaches, great conferences and innovative new products coming to market.  A thank you to all who spent some time being interviewed and giving their comments on the industry - some great chats and thought provoking comments. 
Interviews
The Future of Cloud Based Identity?
Interview Series - David Emm Snr Researcher at Kaspersky
Interview Series - Mourad Ben Lakhoua at SecTechno
Interview Series - Jo Stewart-Rattray VP of ISACA
Interview Series - Barry Hodge CEO SecurLinx Corp
Interview Series - Javvad Malik

Conferences
Infosec Europe 2012 Review
Infocrime Summit 2012 - London Keynote Review
RSA 2012 San Francisco - Keynote Review

Cyber Security
Cyber Security Part V - Critical Infrastructure
Cyber Security Part IV - Consumer Protection
Cyber Security Part III - Enterprise Protection
Cyb…

The Obligatory 2013 Infosec Predictions Post

2012.  Been and gone pretty much, in the blink of an eye.  Well, it's lasted pretty much as long as 2011, give or take, but one thing's for sure: it seems information security became more of a big deal.  In my eyes, it always has been a big deal.  Security is a default in my opinion, both in my personal and professional life.  I fail safe when it comes to processes or technical changes.  I believe security is essential, not only at an individual team, system, person or organisation level, but also from an industry and society perspective too.

The Year That's Been

The biggest take away for me seemed to be that non-security people started to take security seriously.  Governments got involved with information security in a big way.  The US had several issues with SOPA, the Stop Online Piracy Act, and then turned its attention to cyber war, with several policy discussions and a hardening of attitude towards the likes of China and Iran from a cyber security standpoint.  October saw t…

Do Better Technical Controls Increase People Focused Attacks?

Technical controls are often the default security response for many organisations.  When I refer to technical controls, there is obviously a people element to that, from a design and implementation perspective, but ultimately the control is focused on a piece of hardware or software.  For example, cryptographic algorithms have continued to evolve over the last 40 years, to levels which allow them to be computationally secure and used on a wide scale without major concern.  PKI and other crypto infrastructures are often focused far more on the algorithms, hardware security module usage and technical touch points than on, for example, the people-related processes and awareness.  It is all very well having an industry standard algorithm, but that becomes less useful if a user doesn't protect the un-encrypted payload when it's at rest, or allows it to be stored in temporary memory, for example.
Casually thinking of the default security controls for many organisations and many are in fact s…

Information Security: Why Bother?

I have heard this sentiment, perhaps not put quite as bluntly as that, on several occasions over the last few years when working with clients and engineers on security related projects. My role would have been to help embed a particular piece of security software, or introduce a piece of consultancy or business process which would help improve the organisation's security posture.

The question, often raised as a bargaining tool, is usually along the lines of: 'well, I understand what you propose and I know it will increase the security of scenario X, but why should I do it?'. In honesty, it is a good question. Organisations have finite budgets which must cover all of IT and related services, and it is a fair objective to have to show and prove, either via tangible or intangible RoI, that a piece of software or consultancy will have a beneficial impact on the organisation as a whole.

Justification and SRoI
Return on Investments, or Security Return on Investments, are clearly a useful tool for p…

Preventative -v- Detective Security

There's an Italian proverb which reads 'vivere da malato per morire sano' - living like an invalid to die healthy.  Whilst that is looking at one lifestyle extreme, looking after your body is generally seen as a positive if you want to live a long and healthy life.  Prevention is indeed generally seen as being better than the cure.  The same concept applied to information systems can produce some interesting results.

From a non-security perspective, I would say most management approaches and project budgets are focused on the reactive.  IT has historically not always been seen as an efficiency provider for the business, with budget often only being assigned when it's acknowledged that the business front line would be negatively impacted if a system, project or team were not present.  From a security perspective, I think reactionary policy is still deep in the mindset too.

Reactionary Security
When you casually think of information security tools and products…

Cyber Security Part V - Critical Infrastructure

The final part in the cyber security series will focus on the issues critical infrastructure environments face.  Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) are two of the standard environments that can constitute a critical environment.  Whilst many financial services environments can be described as critical, critical infrastructure is more focused on the key assets described by a government as being essential to the standard functioning of society and the economy.  This would include key utilities such as electricity and water supply, public health institutions and national security groups such as policing and the military.

In recent years they have been subject to specific and prolonged attacks, opening up long standing vulnerabilities.

Difference of priorities: CIA to AIC
The standard information security triad consists of confidentiality, integrity and availability.  The priorities for many business information systems will follow …

Protect Information Not Data

In an ideal world, should we not be protecting information instead of data?  This is an interesting concept.  We backup data.  We secure data.  We create and manage access control lists that allow the subject, access to an object.  The object is generally classified as data.  We talk about 'big data'.  Moving data to the cloud and so on.  But is the data component actually that important?  Obviously certain individual pieces of data are very important.  Certain documents, files and so on, have significant importance and exposure levels.  But on the whole, is an organisation run on data or information?

I guess we need to define both of the key terms here.  What is 'data' and what is 'information' and more importantly what are the differences?

What is 'data'?
A basic technical definition would be that data is the low level bits and bytes of an object.  This object on its own comprises basic, raw and unorganised facts.  The actual word would have a Lat…

Infosec Product Release Review - 16th Nov

An overview of recently released information security products, services, frameworks and policies from the last 7 days:

NETGEAR Debuts More Powerful Version Of Popular VDSL - 13 Nov 2012
In addition, like other members of the ProSecure UTM family of security appliances, ... As the second entry in the NETGEAR ProSecure UTM S product line, the UTM25S ... Inc. an Information Technology services company based in New York.

Cloud Security Alliance Releases Security Guidance 1.0 - 14 Nov 2012
The Cloud Security Alliance (CSA) has released version 1.0 of the "Security... Additional information about Trend Micro Incorporated and the products and ...

Who Do You Trust?

This is a tough question, whether it's focused on technology or real life.  'Who can you trust?' is often an easier angle to take, but ultimately that is a precursor to the main scene.  Peeling the onion a little, you can focus on bite sized chunks and respond with, 'trust with what?'.  If it's my life then the picture changes substantially.  I might trust Google with my search engine results, but perhaps not with diagnosing a disease.

The context will obviously help to determine the scope of who and what are trusted, but the decision making process will generally take the same route.  We ultimately start off with a blank canvas of pre-decision making, slightly marked by some bias and framing, before ending up with a person, product or service that we then utilise to perform an action we cannot perform ourselves.  Once that 3rd party has been chosen, we often fail to perform the checks again, placing our trust in them implicitly and explicitly.  This when i…

Skyfall - Cyber War Becomes Cool

I went to see James Bond's 23rd outing in Skyfall yesterday - for a second time this week, I admit; I do love a bit of Bond.  The film is great - go and see it! - and intertwines the new world action film with all the old world British spy touches that have made Bond the longest running movie franchise of all time.

Gone were the gimmicky gadgets of old, with megalomaniacs trying to run the world, destroy the world or recreate the world, and in came a cyber terrorist with a personal vengeance.  Technology has always played a part in Bond.  The British secret service, Bletchley Park and GCHQ have all had their fair share of computer-related innovations, from encryption through to surveillance, so seeing a control room full of screens 'processing' unintelligible code and instructions is nothing new.  However, this time around it was the concept of cyber war that was prominent, as opposed to the technology.

Cyber Security Part IV - Consumer Protection

This is the 4th part of the cyber security series I started, and I want to focus on the consumer a little more.  Cyber attacks have been well documented in their ability to damage large organisations, government websites and critical infrastructure.  However, there is still a large volume of non-technical home and mobile users who are ending up as the victim of on line attacks and identity theft.

"The use of more portable devices, including smart phones, has increased user convenience, but also opened up a can of worms when it comes to security.  Smartphones are not really phones.  They're computers, that happen to make calls"

Cash, Credit Cards, Convenience and Security

I was recently asked by Microsoft to make a comment regarding the concept of 'User Convenience -v- Security' from a software perspective.  Security is often seen as restrictive or inhibitive, so is generally not the first thing many (non-technical) users think about or implement.  Also, from an SDLC perspective, security is often seen as an add-on and left to the QA and audit teams to implement before an application or piece of software is released into the wild.  Convenience, on both counts, takes hold, reducing security to a post-incident action.

Convenience Wins Out
The same can be applied to many things.  Convenience versus safety is another angle.  How many of us don't bother with the seat belt on a roller coaster, flight or car journey if it's too tight and uncomfortable?  If it's restrictive we avoid it, even though in those examples, our lives could be at stake.  A broader view could look at the market for insurance.  The inconvenience component is the cost …

Social Networking Security Management

Like it or loathe it, social networking is omnipresent.  From the youthful party picture posting, to professional networking and virtual discussion boards, your on line personality and data sharing can be both powerful and an exploitable vulnerability.

The usefulness of many social networking sites often increases the more of your personal information you make available.  This, in recent years, has seen many criticisms of the likes of both Facebook and Google+ for how they manage and make use of your personally identifiable information (PII).  Whilst there can be risks with publishing any personal data on line, careful management and protection of such data makes social networking less risky and more powerful than ever before.

Cyber Security Part III - Enterprise Protection

This is the third part of the cyber security series (Part I, Part II), with this week focusing on enterprise protection.  Any device connected to the internet is open to attack from either highly complex botnets right through to an individual port scanning for on line ftp or database servers.  Corporate networks are no stranger to being specifically targeted, or infected with malware that is delivered via the public network.

Attack Vectors and Entry Points
Firewall & Network Perimeter - Historically, enterprise security was often viewed with an 'us and them' mentality.  Everything on the internal LAN was safe, anything past the DMZ and on the internet was potentially bad.  The main attack vector in, was through the corporate firewall and any other perimeter network entry points.  The firewall was seen as the ultimate protection mechanism and as long as desktops had anti-virus software installed, that was as much as many organisations needed to do.

Infosec Product Release Review - 26th Oct

Tech Centre - the weekly review of newly released information security products, services, frameworks and policies.
LANDesk Raises the Bar with Release of Integrated Systems - 24 Oct 2012
"Management Suite and Security Suite 9.5 were created in order to help solve the ... "With these products, our current and prospective customers now have the tools they ... This information includes power consumption per device, the health of ...

Objective releases Govt-standard DropBox - 24 Oct 2012
While DropBox is a very popular information sharing service among consumers and ... According to product marketing manager Michael Warrilow, the service will be ... Government Information Security Manual up to and including "Protected"...

The Problem With Passwords (again, still)

Passw0rds!  The bane of most users' and sys-admins' lives.  I started talking about passwords earlier in the year, with the theme of 'the password's dead... long live the password'.  Obviously, the password isn't dead and is very much alive.  The story generally unfolds something like this:

The infosec team create a corporate password policy that requires a password to contain something like the following: a minimum length, a number, an upper case character and also a special character, and perhaps to have a minimum age and be historically unique
A sys-admin or developer creates a function within an app/system/website to check newly created passwords for complexity, in line with the corporate password policy
A user is created within a system / registers on a site
The user is prompted to enter a new password for themselves, which must match the above policy
If the policy is too complex, the user's initial password selection will generally be bounced for being too in…

Cyber Security Part II - Botnets, APT's & AET's

This is the second of a five part series focusing on Cyber Security.  This article will examine some of the key terms and components that make up a cyber attack in 2012.  I'll take a look at the individual 'lone wolf' style attacks, right through to the complex networks of robots capable of distributing malware on a vast scale.  I'll also quickly examine the components of an Advanced Persistent Threat (APT) and the increasing rise of Advanced Evasion Techniques (AETs) being used by malware to avoid detection.

From Lone Wolf to Botnets
The Lone Wolf
In any walk of life the lone wolf is seen to be independent, agile and potentially unpredictable.  Whilst these characteristics are often seen to be difficult to defend against in a cyber security landscape, being an individual can have its limitations.  In the new dawn of the internet era (yes I know, what was that like?) in the early 90's, the appearance of individual hackers was often portrayed as glamorous and cool.  …

6 Steps to Selling Security to the Business

I spent a little time this week on two Twitter virtual discussions (#secchat, #hpprotect) covering security innovation and the like, where invariably the topic ended up focusing on how to basically promote or sell security into a business. This could be either from a vendor perspective, trying to promote new products or features, ultimately to make licence revenue, or for the likes of internal security staff, attempting to justify business cases or budget for infosec related projects.

Kaspersky to Build Secure OS

Kaspersky recently confirmed the rumours that they are creating a new, built from scratch, secure operating system for the Industrial Control Systems (ICS) market.  Kaspersky argue that the well known issues with ICS, such as the Stuxnet, Duqu and Flame infections, have prompted them to re-evaluate the security of critical infrastructure type environments.  The conclusion was that a new, independently developed operating system, built using secure principles is the way forward.

The main issue with ICS environments is the fact they nearly always require 24 x 7 x 365 up time.  Not the usual five-nines availability expected of critical data storage or web apps: these environments cannot be stopped.  Think oil pumps, water extraction systems, electricity production plants, gas transportation systems and so on.  It's not really a case of finishing at 6pm, doing a few hours of patching, updating and testing, and being ready for the 8am login rush.  Those sorts of outage windows simply don't exist. T…

Cyber Security Part I - (Cyber) War on Terror

This is the first in a five part series covering cyber security.  Each Monday, Infosec Professional will focus on many of the key aspects of cyber security, from government-led strategic defences right through to individual consumer level protection.  Any device that connects to the internet is now a potential target, with the motives now becoming political, as control of the information highway becomes paramount.

US government security expert Richard A. Clarke, in his book Cyber War (May 2010), defines "cyberwarfare", as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption".  This initial sentence is paraphrased straight from Wikipedia, but could just as well have come from a sci-fi movie of the mid 1980's.  Cyber war is no longer an imaginary concept, cocooned in the realms of laser gun protection and x-ray vision.  It's an everyday occurrence, impacting governments, corporat…

Security as a Service - Infosec the Cloud Way?

Last month Google acquired VirusTotal, an on line virus and malware scanning tool.  VirusTotal has been around for about 8 years, and provides a simple and focused virus and URL scanning service.  They basically act as a service wrapper and aggregator for some 60 anti-virus engines and tools.  They then provide the ability for a file or URL to be scanned by the underlying engines, before returning a scan result from the various different partners.  This is a simple, yet powerful concept for several reasons.

I'd imagine Google's main interest would be in the ability to scan a particular URL that is returned from a user's Google search, before they go ahead and click through it.  This would help Google to identify any malicious links, trojan destinations and so on, increasing their credibility and the safety of its users. VirusTotal also provides various internet browser plugins, which would likely become an integral default part of the Chrome browser too.

Security Intelligence - Reactive -v- Proactive

The RSA Conference bandwagon rolled into London this week, which promises to bring some interesting sound bites from the big players in the security sector.  Yesterday's opening keynote speech from RSA's own Arthur Coviello focused on some of the key challenges organisations face from an information security perspective.  The lack of skilled personnel, shrinking security budgets and the difficulties of ever more complex risk management make attacks more difficult to identify and overcome.

Coviello called for more of an 'intelligence-driven' security model to help evolve the traditional security operations centre into something more analytical and proactive.  Whilst it enables an attack's source, flow and impact to be carefully understood and dissected, security intelligence could also be seen as just another level of reaction, albeit a more detailed one.

The Future of Cloud Based Identity?

This week I was fortunate to spend some time with Mike Schwartz, CEO and founder of Gluu, the leading open source and on-demand cloud identity management provider.  Gluu is an Austin based start-up that leverages open standards such as OpenID Connect, SAML 2.0, Shibboleth and SCIM to make achieving single sign-on (SSO) secure and easy.

How has the concept of online identity management and federation services changed in the last few years?

Mike: Several fundamental changes are converging to create the perfect storm of online identity: (1) Facebook Connect is bubbling up from the consumer space into the enterprise market, creating demand for instant connectivity based on user controlled decisions; (2) OpenID Connect is positioned to replace a plethora of other standards - SAML, OpenID versions 1 and 2, OAuth versions 1.0 and 1.1, WS-Fed and Information Cards;  (3) there has been a proliferation of authentication technologies - username / password is not the only option any more, and…

IPv6 Security

IPv6 is the natural progression for internet addressing.  With IPv4 addresses limited to just over 4 billion, estimates have predicted a public address space shortage in months rather than years.  With over 7 billion people on the planet, it's easy to see why, especially as many in the western world use smart phones and tablets as well as standard laptops, resulting in an individual using more than one address simultaneously.

What is IPv6
Internet Protocol version 6 is seen as a direct replacement for Internet Protocol version 4, operating at the internet layer of the OSI model.  There are a few main differences between the two approaches, mainly the fact that IPv6 has a considerably larger pool of available addresses - around 340 undecillion (lots of zeros).  An IPv6 address is longer too, at 128 bits compared to the shorter 4 byte, 32 bit IPv4 address.  IPv6 also contains a fixed host identifier based on the device's MAC (Media Access Control) address.

Ransomware - Pay Up or Lose Your Files?

Ransomware has been around for years, but has seen a rapid rise to the popular mainstream in the last couple of months.  Ransomware is generally seen as a type of malware that restricts access to the computer or device it infects, not releasing control until some sort of monetary payment has been extracted.

The malware can generally operate at the boot or pre-OS level, encrypting the underlying files, photos and music that the user deems so important.  This encryption process is managed by the malware, with the contents not being decrypted until either a bank transfer, SMS or premium rate phone call is made to the malware operator.  Other basic ransomware payloads, simply restrict access to the main interfaces of the operating system.  So instead of encrypting the contents, access to things like explorer.exe in Windows or the command line shell are prevented, making the machine practically useless.

Why Information Security Metrics Are Important

"He uses statistics as a drunken man uses lampposts - for support rather than for illumination" ~ Andrew Lang

Metrics and statistics, whilst subtly different, are often seen as the accountant's yardstick and the pragmatist's whipping stick.  The use of metrics in IT has had a long and perhaps uneasy route.  Technicians want to implement, design and fix.  Managers and budget owners need to show value, deliver service and ultimately keep the customer, production line or CFO happy.  An efficient and sustainable business position is a meeting place between the two, where tangible (and intangible) metrics (not statistics) are important to both parties.

Why Use Metrics?
IT security has often been seen as a cost within the overall component of IT, which until very recently was also seen as a cost to the business.  IT was a necessary component, granted, but organisations have historically not seen IT as a strategic part of the overall business delivery cycle.  It was never capable of d…

Iran's Own Internet

The 'summer' break has been and gone and, as the winter rains become a thing of unrelenting omnipresence, the main story that caught my eye was that of Iran building its own internal intranet.

The politics and propaganda behind such a move are far beyond the scope of an information security blog, but the idea has some interesting concepts.

Firstly, there are a few basic drivers behind such a move.  Control and censorship is one.  Regardless of political motives, building a brand new network allows the creator to have a lot more control over the number and types of devices that are connected, and the information and data those devices share.  In a lot of regions where the internet is freely available, control and censorship is a big agenda item.

Mobile Security - Why You Should Care

Nearly all professional working people in the western world have access to a mobile phone.  These phones are generally not just phones.  They're portable laptops, with processing and storage capabilities greater than a desktop PC of 25 years ago, yet we treat them like toys that can easily be replaced.

With every pay monthly contract sold (especially in the UK), an equivalent monthly insurance policy is sold too.  We're constantly reminded about the dangers of dropping the phone down the toilet, or smashing the screen after inadvertently leaving the phone in your back pocket, or damaging the outer casing by not having the correct protective membrane.  For another £12 a month, you can have 'peace of mind' that you're protected.  Great.

But what about the stuff the phone is actually used for?  Does that get protected too?  What stuff, why should I care about protecting that?

Are Security Qualifications Important?

Over the years I, like many IT professionals, have amassed a fair number of qualifications.  Some vendor specific (MCSA, CNE, CCNA), some process related (PRINCE2, ITIL) and some security related (CISSP, CISA).  But in reality, has it been worthwhile pursuing them, and have they made a difference to my career?

Well, there are a few ways to look at this.  Many people start out within IT either straight from college or university with a basic theoretical understanding of information systems or computer science principles.  Whilst this provides a basic understanding of some of the key technical and non-technical aspects of computing, I think it really acts to lay a foundation for how the person can pick up new information going forward, either through professional study or simply via on the job exposure.

When someone junior starts a new role, often, their main aim is to get promoted or gain a pay rise.  This can happen in a few ways - either through longevity (simply working in a role…