IRISSCERT Conference on Cyber Crime

IRISSCERT (the Irish Reporting and Information Security Service) will be holding its annual conference on Cyber Crime in the D4 Berkley Hotel on November the 18th.  The event looks to be very interesting, especially as attendance will be free.

This all-day conference will focus on providing you with an overview of the current cyber threats facing businesses in Ireland and what you can do to help deal with those threats.

Experts on various aspects of cyber crime and cyber security will share their thoughts and experiences with you, such as representatives from:

In parallel to the above speaking sessions Ireland’s premier Cyber Security Challenge, HackEire, will be held to identify Ireland’s top cyber security experts.  HackEire will see 10 teams, up to a maximum of four people per team, compete against each other in a controlled environment to see which team will be the first to exploit weaknesses in a number of systems and declare victory.  The purpose of the HackEire competition is to demonstrate how attackers could gain access to your systems and to help you learn from the event how to prevent such attacks from impacting your network.

The conference will be open to anyone with the responsibility for securing their business information assets.  There is no charge for those who wish to attend.

The IRISSCERT Annual Conference is an opportunity to not only increase your knowledge but also to meet and network with your peers in a relaxed environment.

If you are interested in attending please register at info@iriss.ie


Speaking at the 5th Annual Privacy & Data Protection Conference

I will be speaking at the 5th Annual Privacy & Data Protection Conference this year on the 27th of October.  The theme for the event is “Data Protection: Global Compliance Management” and I will be speaking on “Building an Information Security Culture and Policy”.  I will also be taking part in a panel discussion on information security.

The conference promises to be very informative and the organisers, Transatlantic Events, have brought together experts from the regulators, the lawmakers and the legal community from Ireland, the US, the EU, and the UK in order to debate the full range of issues that make up data protection compliance.  The conference will enable you to hear from experts as well as debate in open forum a range of issues from multi-jurisdictional compliance to niche areas such as outsourcing, monitoring, cloud computing, children’s privacy and data security breach management.

I am looking forward to hearing many of the other speakers at the event and hopefully meeting with some of you as well. 

You can register for the conference here.


Malicious Attack Against CAO Website

Monday the 23rd of August was a big day for many Irish students as their anxious wait to see if they had been accepted into their preferred third level college was finally over.  Many logged onto their computers and nervously accessed the CAO website.  However, many were unable to access the site as the CAO website was the victim of a malicious attack.  According to a press release issued by the CAO yesterday, “Access to the CAO website was affected because of a malicious attack from an unknown source this morning.  The CAO website was available intermittently between 6.10 am and 1 pm today when the problem was resolved by CAO technical staff. The system is being monitored 24 hours a day to ensure continuity of online services.”

Without hard facts on exactly what type of DOS attack it was, and other details of the attack, it is difficult to make any judgement on the event.  However, yesterday’s attack highlights that no matter what business your organisation is in, you need to accept that once you are connected to the Internet you are a potential victim of an attack.  At IRISSCERT, www.iriss.ie, we see attacks against Irish websites on a daily basis.  Most of these attacks are by criminals targeting websites to use them to host their criminal activity, be that hosting a phishing site or spreading computer viruses.

Without the details of the attack it is hard to know what exactly happened.  DOS attacks can take various forms: flooding the network bandwidth with so much traffic that nobody can reach the site; overwhelming the server so that it does not have enough CPU or memory to cope with the load; or exploiting software bugs in the operating system, web server software or the web application to cause the server to become unavailable.

Defending against a DOS or DDOS attack can be difficult, but some steps can be taken to reduce the risk of becoming a victim:

  • Have appropriate perimeter defences in place such as firewalls and intrusion detection systems.  Make sure these are configured properly and updated with the latest software patches, and that the rules on these devices are reviewed regularly.
  • Ensure you have adequate bandwidth with burst capacity (i.e. the ability to get more bandwidth) in the event an attack happens.
  • Agree with your ISP or hosting provider that DOS defence capabilities are built into the service you are getting from them.
  • Have all the software on the system patched and up to date with the latest releases to ensure you are protected from a software based attack.
  • Make sure your incident response plans are documented and up to date with how to tackle such an attack.
  • Have key logging and alerting facilities turned on to detect such an attack as early as possible.
  • For times that are crucial and demand is expected to be high you should have extra servers, or mirrored servers in multiple locations, configured to take the unexpected load.
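The list above asks for logging and alerting so that an attack is spotted early. As an added illustration, not from the original post, the detector below runs a sliding-window rate check over constructed web server access log lines and raises one alert for a single flooding source and a separate one for an aggregate surge with no dominant source (the distributed case). The log format, window, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style access log line (assumed format), e.g.
# 203.0.113.5 - - [23/Aug/2010:06:10:01 +0100] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')

def parse_line(line):
    """Return a dict for a well-formed log line, or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "request": request, "status": int(status)}

def detect_floods(lines, window_seconds=10, per_ip_threshold=50, total_threshold=500):
    """Sliding-window rate check over chronologically ordered log lines.
    Alerts once per source exceeding per_ip_threshold requests in the window
    (one flooding host) and once if the aggregate count exceeds total_threshold
    (a distributed flood). Returns a list of (time, kind, key, count) tuples."""
    window = timedelta(seconds=window_seconds)
    per_ip, all_req, alerts = defaultdict(deque), deque(), []
    alerted_ips, total_alerted = set(), False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, ip = rec["time"], rec["ip"]
        for q in (per_ip[ip], all_req):
            q.append(t)
            while t - q[0] > window:     # drop requests older than the window
                q.popleft()
        if len(per_ip[ip]) >= per_ip_threshold and ip not in alerted_ips:
            alerts.append((t, "per-ip", ip, len(per_ip[ip])))
            alerted_ips.add(ip)
        if len(all_req) >= total_threshold and not total_alerted:
            alerts.append((t, "aggregate", "*", len(all_req)))
            total_alerted = True
    return alerts

def _fmt(ip, t, request, status):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{request}" {status} 512'

def sample_log():
    """Constructed sample: five normal requests, then one host sending 60 requests in 6 s."""
    base = datetime(2010, 8, 23, 6, 10, 0, tzinfo=timezone(timedelta(hours=1)))
    lines = [_fmt("198.51.100.7", base + timedelta(seconds=5 * i), "GET /index.html HTTP/1.1", 200)
             for i in range(5)]
    lines += [_fmt("203.0.113.5", base + timedelta(seconds=60, milliseconds=100 * i), "GET / HTTP/1.1", 503)
              for i in range(60)]
    return lines
```

On real logs the thresholds need tuning against a normal-day baseline, and a flood of many low-rate sources is only caught by the aggregate check, which is why both are kept.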

There are other techniques that can be used to mitigate the impact of these attacks, but the bill soon starts getting higher and higher, and in the end it comes down to who has the most resources, the attacker or the defender.

I was interviewed by the RTE 9 o’clock news and the Irish Times on this matter.


FUD for Thought

I recently wrote an article for Silicon Republic on how to engage with senior management in your organisation so that they will buy into your information security program.  The key is communicating with the key players in a language that they understand and in a way that shows you appreciate the challenges and needs of the business.

The article “FUD for Thought” is available on SiliconRepublic.com’s site.  If you have any thoughts on how best to sell information security to senior management, why not share them in the comments below.


Upcoming Speaking Engagements

We may be in the middle of the summer but already the calendar for the autumn is starting to fill up.   I will be presenting at Source Barcelona and also at BruCON in September.  For both of these seminars I will be talking about the lessons learnt from when I set up IRISS-CERT and how those lessons can be applied to those looking to set up their own incident response team.  While the topic may be similar the approach to each talk will be different. 

Source Barcelona has two tracks, one business and the other technical, and my presentation will be in the business track.  So the focus of that talk will be on the business aspects of setting up an incident response team.  Xavier Mertens gives a great overview of the different tracks in Source Barcelona over on his /dev/random blog.

BruCON is a more traditional technical security event and my presentation at that seminar will focus more on the technical aspects of setting up an incident response team and the tools, challenges and solutions one can face.

Also in September I will be speaking at the Cloud Computing Summit 2010 which will be held in Dublin.  I will be on a panel discussing issues surrounding the Security, Compliance and Regulatory requirements with cloud computing.

Then of course in November there is the IRISS-CERT Annual Cyber Crime conference.  Details have yet to be finalised regarding the speaker lineup but already it is looking excellent and it promises to be another exciting event this year.

Hopefully I will get to meet some of you at one of the above conferences.


Community SANS Event in Dublin

Bob McArdle has made me aware of these upcoming Community SANS events to be held in Dublin this coming September.  Bob and Owen are both very well regarded for their expertise and I highly recommend attending either, or both, of these courses.

Bob also kindly offered a discount code for those of you wishing to attend.  Contact me on brian dot honan at bhconsulting dot ie and I will pass the code along to you.

The two upcoming courses are:

  • 20-25 September for SEC504: Hacker Techniques, Exploits & Incident Handling
  • 27 September – 2 October for SEC542: Web App Penetration Testing and Ethical Hacking

SEC504: Hacker Techniques, Exploits & Incident Handling

20-25 September

Instructor: Robert McArdle

Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

SEC542: Web App Penetration Testing & Ethical Hacking

27 September – 2 October

Instructor: Owen Connolly

In this intermediate to advanced level class, you will learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do. Through detailed, hands-on exercises and training from an experienced instructor you will learn the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.

For more details and to register please visit: http://www.sans.org/info/60323

About the Community SANS EMEA Program

The Community SANS format in EMEA (Europe, Middle East and Africa Region) offers the most popular SANS courses in your local community and in your local language. The classroom setting is small, with fewer than 25 students. The instructors are pulled from the best of the local mentor program or are qualified security experts who have passed SANS’ rigorous screening process. The course material is delivered over consecutive days, and the course content is the same as that provided at a larger training event. In addition to the excellent courseware, not only will you be able to use the skills that you learned as soon as you return to the office, but you will be able to continue to network with the colleagues in your community that you meet at the training.


Proposed Data Security Breach Code of Practice

As someone who has been campaigning for mandatory data breach disclosure laws in Ireland for a number of years, I am pleased to see the proposed Data Security Breach Code of Practice from the office of the Data Protection Commissioner.  I have long argued that organisations need to realise that the data they hold on staff and customers is not theirs but rather has been entrusted to them by those individuals.  The purpose of breach notification should not be to punish the organisation that suffered a breach but rather to help the affected individuals take appropriate steps to protect themselves, especially nowadays with identity theft and financial fraud being so rife.

The proposed code strives to reach a balance: organisations that have taken appropriate measures to protect sensitive data, e.g. encryption, need not notify anybody about the breach, and neither do those whose breach affects only non-sensitive personal data or small amounts of sensitive personal data.  Companies that have not taken the appropriate measures, however, will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.

The other benefit I see from this proposed code is how, as an industry, we all can learn from the mistakes or misfortunes of those who suffer a breach.  I believe we would not have as many encrypted laptops and other mobile devices as we do today were it not for the widespread publicity of lost unencrypted devices in the past.  While you can argue that encryption alone is not the answer and may simply be a knee-jerk reaction, it is at least a step in the right direction.  Those attacking our systems share the potential exploits and weaknesses amongst each other; having breach disclosure laws in place helps those of us tasked with defending those systems to better shore up those defences and potential weaknesses.

Ireland has shown itself to be a leader in introducing legislation to benefit its citizens, the smoking ban and the plastic bag tax being two that come to mind.  The introduction of the Breach Code of Practice is another example of how Ireland can better protect her citizens and provide an effective information security governance framework for businesses to follow.

I would be interested in your thoughts on the matter.  Why not share them below in the comments or indeed submit your feedback to the Data Protection Commissioner.


Brian Honan Meets InfosecCynic

I had the pleasure of finally meeting Javvad Malik, otherwise known as the InfosecCynic, at the recent Infosec show in London.  Javvad takes a refreshing look at the issues we face in the information security profession, and you should visit his site or follow him on Twitter to get his view on things.

Javvad kindly took the time to meet with me and have a chat about some of the things happening in the world of information security.


Google WiFi Sniffing SNAFU

Recent investigations by German authorities discovered that the Google Street View car was recording information about wireless access points it detected during its journeys.  More seriously, it was revealed that the system recording that data was also gathering any data being transmitted over any unsecured wireless networks it detected.  Google claims that this was a mistake and has promised to delete all such data.

On Tuesday the 18th May the RTE news covered the story and I was interviewed as part of the piece which is available here.


Next ISSA Ireland Event – May 27th

The next ISSA Ireland chapter event will be a lunchtime meeting (noon to 2:30) on Thursday May 27th at the Radisson Hotel, Golden Lane, Dublin 8.  This event is free to members and, while it is open to non-members, it should be noted that non-members will have to pay a cash entrance fee of €10.

This lunchtime seminar will include three presentations covering very timely subjects:

  • The first speaker will be Justin Clarke, co-founder and Director at Gotham Digital Science, who will speak about how SQL Injection attacks still pose a major security threat despite being first discovered over 10 years ago. Justin has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand. As author of a number of well regarded information security books, including “SQL Injection Attacks and Defense” and having spoken at various conferences on security topics including Black Hat USA, EuSecWest, RSA, and OWASP, Justin is a recognised authority on this topic and well placed to discuss some of the deeper and darker areas of SQL injection attacks.
  • The second presentation will be from Mathieu Gorge, CEO and founder of VigiTrust, who will discuss the impact data privacy laws and regulations are having on information security. Mathieu has been in the security industry for over 10 years and has focused on the areas around key legal aspects of corporate security such as compliance with international data protection legislation as well as industry security frameworks. He is a regular speaker at international security conferences (RSA, ENISA, ISACA) and a well respected figure in the security industry in EMEA and North America. Given the increasing requirements on information security professionals to understand the legal and regulatory impact privacy legislation has on information security Mathieu’s talk will be a timely and informative one.
  • The final speaker will be Owen Connolly, CTO of Veridian Applied Intelligence, who will give a practical demonstration of how privacy controls can be circumvented in many of the popular online social networking sites. Owen has over 18 years’ experience in the IT and telecoms industries, having worked in a number of large blue chips across a range of industries as well as in consultancy and managed services. Owen holds many security certifications, including CISM, GCIH, GCFW, GPEN, GWAPT, CFIA and CPE, and is a member of SANS’ Advisory Board and GIAC Mentor program. With the recent publicity surrounding privacy issues associated with many popular social networking sites, Owen’s talk will be a timely reminder to us all of the potential dangers posed by such sites.

You can register for the event on the ISSA Ireland website.
