As many of you know I am passionate about how we as a country secure the systems, networks and the critical elements of our national infrastructure that we all depend on. I was recently interviewed by the Irish Examiner for an article, Cyber Crime: The New Battleground, which they ran on the threat posed to Ireland by criminals and others with malicious intent.
The article is available online here and my previous thoughts and comments on this area are available, and still applicable four years later, in this old blog post “Securing Ireland’s Digital Future”.
This week will prove to be very exciting for all of us involved in the information security scene. The excellent Source Conference is coming to Dublin. Source already hosts conferences in Boston, Seattle, Barcelona and now Dublin.
Having spoken at the Source Conference in Barcelona I can attest that it is one of the better conferences available. It is unique in that it offers an opportunity for those with a technical background to mix with those from the non-technical side of information security.
There is a great lineup for the first Source Dublin Conference. If you want the chance to hear some top rate speakers and a place where everyone can mingle and chat then come along. You can register for the conference here.
I will be speaking at the conference and I hope to see you there.
I recently attended the Infosecurity Europe 2013 show in London. As part of that trip I took part in an analyst panel hosted by Infosecurity Magazine on what we thought about the current and future landscape regarding information security.
The panel discussion was recorded and is available below.
The SC Magazine Awards are held each year during the Infosec conference in London. It is one of the most prestigious events in the information security field and the awards are one of the most coveted. Having been selected as one of the finalists for the award last year, I was honoured when I first heard I had been selected again as a finalist this year.
On the night of the event I was delighted and honoured to hear the announcement that I was selected as the Information Security Person of the Year for 2013. Below is a picture of the moment itself.
I would like to thank all my family, friends, colleagues, and clients who have supported me over the years and helped make the above award possible. I see the award as a reflection of how the information security field is growing here in Ireland. We have many excellent indigenous security companies growing here, a large number of industry giants in the security field have selected Ireland for their European HQs, and we have many skilled professionals supporting the financial and pharmaceutical sectors. On top of that Irish people have been involved in security in various forms for centuries, so you could say security is part of our heritage. Hopefully we can build on all this and make Ireland a recognised centre of excellence for information security.
More highlights of the night are available in this video.
Last week was the annual trek to London for Infosec to which I’ve gone for more years than I care to remember. This year saw the second European Security Bloggers meetup which was organised by both Jack Daniel and myself. It was also the first year for the EU Security Blogger Awards.
Alan Shimel has been running the Security Blogger Awards for the past few years as part of RSA in the US. However, many of those nominated were US based so we decided this year to set up a similar event here in Europe to shine a light on some of the excellent European focused blogs.
Congratulations to all who were nominated and especially those who won. A big thank you to Tenable Network Security and Qualys for hosting the night and the awards. Do take some time to visit the above blogs, you won’t be disappointed.
My latest article for Help Net Security magazine is now online. In this piece I highlight how the lack of leadership in the information security industry will cause us a lot of problems and ask that we all do what we can to address this problem.
Earlier this year I attended the RSA Conference in San Francisco. While there I met up with my friends from Tripwire, including David Sparks. David and I started talking about the challenges security professionals have in securing the business environments they work in. He was intrigued when I said the problems I see are not really technical issues but rather how we fail to communicate properly to the business. I referred to the talk I gave at RSA Conference Europe 2012 called Hacking Senior Management.
David then interviewed me on the main issues from that talk. The video is below and more details on my comments can be got on the Tripwire blog.
As you may know Infosec Europe is on from the 23rd to the 25th of April. There will be plenty of events and parties taking place around the show. But if you are a blogger in the information security arena then you should drop by to the Information Security Blogger Meetup. This will be the second year that the event has been held here. Last year was an enjoyable one for all and this year promises to be even more fun.
The event has been kindly organised by Jack Daniel with some help from my good self. The good crew at Tenable Network Security are sponsoring the event. It will be held from 18:00 on Tuesday the 23rd of April in the Prince of Teck Pub, 161 Earl’s Court Road, London (SW5 9RQ). You can get directions to the pub here. This will be a great opportunity to meet with other information security bloggers.
Well yesterday was a big day for me. It was my first time attending RSA Conference in the US. I have attended RSA Europe many times and was looking forward to seeing how different the US conference is to the European one.
All I can say is that everything is BIG, and when I say big I really mean big. Firstly the Moscone centre is absolutely huge, I have got lost a number of times going from talk to talk. Then the number of delegates is astounding. At RSA Europe there are normally between 1,000 and 2,000 delegates. Here there are approximately 15,000 delegates. The social element of RSA US is astounding too, nearly every vendor is hosting a party of some kind.
Speaking of vendors the exhibition hall is huge. I went onto the floor at 11:30 to simply walk from stand to stand to see if there was anything that was cool or innovative and it was not until 2:15 that I finished my exploration. Unfortunately I did not see anything too cool or innovative. In fact I found it telling that the most exciting technology that I came across was an original Enigma machine displayed on the Thales stand. To think that a technology that is now over seventy years old creates more excitement and buzz than many modern solutions is a sad indictment of where we are in the security industry today.
Finally the theme for the event is BIG and by that I mean it seems most vendors and talks are all focusing on Big Data and its implications for security. I would say though that big data is not what we need to focus on but rather big information. Data without context is just that, data, and is something we cannot act on or work with. Data with context is information and that is something that we need to identify threats, incidents and trends so we can better secure our systems.
So far RSA Conference has been very enjoyable with the chance to meet many people I know online in real life and to meet and talk with vendors directly. I am looking forward to seeing what the next few days bring.
Facebook announced this evening that they have been the subject of a security breach impacting laptops used by some of their employees. According to the Facebook statement the laptops of some of their employees were last month infected with malware when they visited a compromised mobile developer website. The compromised site hosted an exploit for a previously unknown Java vulnerability which was used to download malware onto the laptops of the Facebook engineers. Even though those laptops were fully patched and also had up to date anti-virus software installed on them the previously unknown malware was able to penetrate these defences and infect the computers.
Facebook discovered the breach when reviewing their DNS logs and noticed traffic going to an unusual destination. Further investigation identified an engineer’s laptop was sending that traffic. Forensic examination of the laptop identified it had been infected with malware. After examining the malware they were able to identify how it behaved and subsequently discovered other compromised laptops on their network. Facebook state that no user data was compromised in the breach.
Facebook also informed Oracle about the previously unknown Java vulnerability. Shortly afterwards Oracle released a patch.
The infected laptops were forensically examined and the information from them and from Facebook’s logs has been shared with law enforcement. The server controlling the malware has been sinkholed and using the data gathered from that server other compromised companies have been identified and informed. For some of those companies the first they knew about the compromise was when they were contacted by Facebook.
Some lessons we can learn from the attack are:
Criminals will no longer attack your systems directly but use various techniques to indirectly compromise your systems. In this case it was a waterhole attack where exploits are planted on a compromised website known to be visited by the desired target. Note at this stage we do not know whether this particular compromised website was used to target Facebook specifically. It could be this site was being used to target mobile developers in general to subsequently compromise some high value targets.
Having your systems fully patched with up to date anti-virus software is an important part of your defences but you cannot rely on them as your sole defences. You need to have other layers in place to protect your systems.
Effective log monitoring and management can provide early indicators of an attack allowing you to react quickly and effectively to the breach.
Criminals will target certain groups within your organisation due to the access they may have to certain data or systems. In many organisations we’ve worked with IT always have elevated privileges and admin rights to their computers. This makes them an ideal target group for criminals. I do not think it is a coincidence in this case that the criminals compromised a server for mobile developers.
Good forensic investigations can discover exactly what was compromised and the extent of that compromise. In many cases the response to an infection is to reformat the affected machine and reinstall the software and applications. While this is a quicker way to deal with the issue you sacrifice the ability to properly understand the extent of the breach.
Working with law enforcement can help in identifying who is behind the attack and disrupt their operation or indeed it could lead to arrests and convictions.
Sharing information with law enforcement can help identify other potential victims, who may not be aware they were compromised.
Providing clear and detailed information on how the compromise happened, what was impacted and what is being done to rectify the situation can provide a lot of comfort to your clients.
Well done to Facebook on being able to detect and respond to the attack. I would also commend them on the details they have shared about the incident and hopefully it can help others to learn and improve their own defences.
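The detection step described in this post, reviewing DNS logs for an unusual destination and then finding every other machine talking to it, is shown below as an added example; it is not Facebook's tooling or code from the original post. The log format, client addresses and domain names are constructed, and the two-label parent domain is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample data: "timestamp client_ip qname qtype" (hypothetical format).
BASELINE_LOG = """\
2013-01-10T09:00:01Z 10.0.1.15 www.intranet.example A
2013-01-10T09:00:07Z 10.0.1.22 mail.intranet.example A
2013-01-10T09:01:30Z 10.0.1.15 cdn.vendor.example A
"""

CURRENT_LOG = """\
2013-01-17T09:00:02Z 10.0.1.15 www.intranet.example A
2013-01-17T09:00:09Z 10.0.1.22 cdn.vendor.example A
2013-01-17T09:02:11Z 10.0.1.31 updates.unfamiliar.test A
2013-01-17T09:07:11Z 10.0.1.31 updates.unfamiliar.test A
2013-01-17T09:12:40Z 10.0.1.44 UPDATES.unfamiliar.test. A
malformed line without enough fields
2013-01-17T09:13:00Z 10.0.1.22 mail.intranet.example A
"""


def parse(log_text):
    """Yield (client, parent_domain) for each well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the review
        _, client, qname, _ = fields
        labels = qname.rstrip(".").lower().split(".")
        # Simplification: the last two labels stand in for the registered
        # domain; production code should use the Public Suffix List.
        yield client, ".".join(labels[-2:])


def unusual_destinations(baseline_text, current_text, max_clients=3):
    """Map each domain absent from the baseline to the clients querying it."""
    known = {domain for _, domain in parse(baseline_text)}
    clients = defaultdict(set)
    for client, domain in parse(current_text):
        if domain not in known:
            clients[domain].add(client)
    # Rare destinations are the interesting ones: a new domain contacted by
    # most of the fleet is more likely a new service than an implant.
    return {d: sorted(c) for d, c in clients.items() if len(c) <= max_clients}


if __name__ == "__main__":
    for domain, hosts in unusual_destinations(BASELINE_LOG, CURRENT_LOG).items():
        print(f"{domain}: review hosts {', '.join(hosts)}")
```

The list of clients per domain is what lets an investigation move from the first suspicious laptop to the others that contacted the same destination.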