Irish Business Targeted by Online Criminals

March 5th, 2010

The SiliconRepublic.Com and RTE both report today that the Garda Bureau of Fraud Investigation is investigating a number of incidents where businesses in the west and midlands of Ireland have been targeted by online criminals.  Apparently the criminals have accessed the computer systems of the affected businesses and encrypted important business information belonging to those businesses thereby making it unavailable to them.  The criminals are looking for a sum of $700 to provide the victims with the key to decrypt their information.

The Gardai have asked that any businesses that have suffered this attack make themselves known to the Gardai.

In the absence of details of how the criminals were able to gain access to the affected systems, I recommend the following steps to protect your company from falling victim to the attack;

  • Ensure you have a robust firewall installed on your network to protect it from unauthorised access from the Internet.
  • Ensure your anti-virus software is up to date and has the latest signatures.
  • Make sure all your software has the latest security patches installed.
  • Educate your users so they do not fall for online social engineering scams and they do not open attachments or click on links in emails that they are not expecting.
  • Check your critical security logs for any suspicious behaviour.
  • Ensure users only have access to the data that they absolutely need access to.
  • Make regular backups of your software and data.  In the event you fall victim to the attack you can recover your information from a recent backup.
  • Regularly test your backups to make sure that they are working and that you can restore from them.
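As an added example (not from the original post, and not a tool used by the Gardai or the affected businesses), a script that puts the last two steps into practice: it records a SHA-256 manifest at backup time, checks a restored copy against it, and flags changed files whose content is high-entropy, which is what documents encrypted by an intruder look like. The file names, contents and the 7.5 bits-per-byte threshold are assumptions constructed for the demo.

```python
"""Added example, not code from the original post: build a SHA-256 manifest at
backup time, then check a restore against it and flag files that look encrypted."""
import hashlib, math, random, tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (taken at backup time)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in Path(root).rglob("*") if p.is_file()}

def shannon_entropy(data):
    """Bits per byte; documents and CSVs sit well below the ~8.0 of ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_restore(manifest, restored_root, entropy_threshold=7.5):
    """Return (missing, changed, suspicious): files absent from the restore, files whose
    hash differs, and changed files that are high-entropy, i.e. likely encrypted."""
    missing, changed, suspicious = [], [], []
    for rel, digest in sorted(manifest.items()):
        path = Path(restored_root, rel)
        if not path.exists():
            missing.append(rel)
        elif sha256_file(path) != digest:
            changed.append(rel)
            if shannon_entropy(path.read_bytes()) >= entropy_threshold:
                suspicious.append(rel)
    return missing, changed, suspicious

def demo():
    """Constructed scenario: memo.txt restored as random bytes, orders.txt missing."""
    rng = random.Random(20100305)  # seeded so the run is repeatable
    files = {"accounts.csv": b"id,amount\n1,100\n" * 200,
             "memo.txt": b"quarterly plan " * 100,
             "orders.txt": b"order 17 shipped\n" * 50}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, body in files.items():
            Path(src, name).write_bytes(body)
        manifest = build_manifest(src)
        Path(dst, "accounts.csv").write_bytes(files["accounts.csv"])
        Path(dst, "memo.txt").write_bytes(bytes(rng.getrandbits(8) for _ in range(1500)))
        return verify_restore(manifest, dst)
```

Run `demo()` to see the three lists; in production the manifest would be stored alongside the backup, on media the attackers cannot reach.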

Lessons In Cloud Security

March 1st, 2010

The bunker scene in the movie Downfall has been adapted by many to spoof modern events.  Recently a spoof video based on the same meme was produced by Marcus Ranum and Gunnar Peterson on Cloud Security.  It is a very good and humorous spoof highlighting a number of security issues and misconceptions with moving your data/systems to the cloud.

While this video is done with much tongue in cheek it does highlight a number of key lessons that you should take on board before moving any of your data and/or systems to the cloud;

  • If your application security is not good enough then moving your applications to the cloud will not make them any more secure.
  • Outsourcing a security problem does not eliminate the problem, it simply moves it from your datacentre to that of your provider.
  • Information security is more than complying with standards or having anti-virus installed on your systems.
  • You need to ensure that the SLA you have with your provider satisfies your requirements and not that of the provider.
  • Your SLA should also clearly state the roles and responsibilities for information security.  The SLA should clearly demarcate those responsibilities between your service provider and you.
  • Just because your competitors are moving their systems to the cloud it does not necessarily mean that cloud computing suits your requirements.
  • Before moving your systems to a cloud provider you need to conduct a thorough risk assessment. 
  • Remember though that you should run that risk assessment at regular intervals to ensure that you are dealing with the most current risks to your data.
  • You need to review your incident response capabilities to ensure you can react to a security breach impacting your data and/or systems that are hosted in the cloud.  Remember your clients or shareholders won’t care who you outsourced their data to, your company will still take the blame and bad press.

The Next ISSA Ireland Chapter Special Event

February 27th, 2010

The next ISSA Ireland chapter meeting will be a special event and will be held next Thursday, the 4th of March, at the offices of Ernst & Young in Harcourt Street.

There will be two speakers for this event.  The first will be Peter Lennon from the Department of Health and Children who will speak about the proposed Health Information Bill and in particular its information security aspects.  The second will be Damian Gordon, lecturer in the School of Computing at Dublin Institute of Technology.  Damian will be talking about his research into “Hackers in the Movies”.  Given the audience for the event I am sure it will be of interest to many of us.

You can register for the event on the ISSA Website, but in the meantime this may whet your appetite.


Passport Control?

February 25th, 2010

There has been a lot of coverage regarding the use of fake Irish passports by the team that assassinated a senior Hamas official Mahmud al-Mabhouh in Dubai last month.  Details of how or what types of passports were used are still unavailable and it is not clear yet whether the passports were of the old type or the new biometric passports that are said to be more secure. 

I was interviewed about this topic by the Irish Daily Mail (unfortunately the article is not available online).  The discussion focused on how fake passports could end up in the hands of criminals and/or terrorists.  Last year I did a lot of research in this area and highlighted how easy it is now, thanks to the Internet and in particular social networks, to gather personal details on individuals and then steal their identity.

With the appropriate pieces of critical personal information it is then possible to get a copy of that person’s birth certificate and then in turn apply for a legitimate passport (or other forms of Government id) using their identity but with the criminal’s photograph and/or biometrics.  I have given various presentations based on this research and most recently spoke at the December meeting of the IISF; the slides for that talk are available below.

However, there are other ways that the security measures in the new biometric passports can be circumvented.  Adam Laurie has conducted a lot of research in this area and has been demonstrating these flaws for some time now.  Recently this research was picked up by CNN and they ran a story on how Adam and a colleague managed to use a passport in the name of Elvis Presley to bypass passport security checks.

So there are a number of important lessons that we should take away from the above two different approaches;
  • Trust is key to security.  This is true whether that is in real life or in the computer world.  If ways are found to undermine that trust then security can be circumvented.
  • We do not control our identity, it is controlled by third parties.  The only time we can unequivocally state that we are someone is while we are still attached to the umbilical cord at birth.  Once that cord is cut we rely on third parties from then on to verify who we are.
  • Processes that were designed years ago for a different type of society can now be undermined by those who know the system and fool others into verifying that we are someone that we are not.
  • Technology by itself cannot be relied upon solely to provide security, as time and time again we see that anything made by man can be broken by man.

While this is not the first, and no doubt won’t be the last, time that criminals and terrorists have travelled using fake passports, let’s hope the powers that be will take heed of this warning shot and review the security measures around passports, be they technical or otherwise.

Securing Your VPN

February 10th, 2010

The Sunday Business Post ran an article in their Computers In Business magazine last Sunday.  I am quoted in the article giving some recommendations on how businesses should approach securing their VPN access.  The full article is available on the Sunday Business Post site.


Speaking at the 2nd Annual Data Protection Conference

February 8th, 2010

The Second Annual Data Protection Conference, which is run by the Irish Computer Society, will be held this year on Thursday the 25th of March in the Radisson BLU Hotel, Golden Lane, Dublin 8.  I will be speaking at the conference as will

  • Billy Hawkes – Data Protection Commissioner
  • Bruce Schneier – BT
  • Linda Ni Chualladh – An Post
  • Las Kelly – Bank of Ireland
  • Muireann O’Dea – BearingPoint

Registration for the event is now open and those who register before February 25th can avail of the early bird pricing which is €170 for members of the Irish Computer Society and €295 for non-members.  After February 25th the registration fee increases to the standard fee of €200 for members of the Irish Computer Society and €350 for non-members. 

For more information and to register please visit the ICS website.


Boards.ie Hacked

January 26th, 2010

On Thursday the 21st of January Boards.ie announced that they were the victims of an external attack which may have led to the compromise of their user database.  As that database contained more than 280,000 users it was potentially a major issue.  Details of what happened are available on Boards.ie’s website where they give a good summary of the main events during the attack.  What was really impressive was the way that the management and staff of Boards.ie managed the communications throughout the event.  Damien Mulley has a good post on the whole area of crisis communication, a key element many overlook in their incident response plans.  I was also interviewed on the late news on Network 2 that night and made a brief appearance on the news item, which starts at 12 minutes or so into the bulletin.


Next IISF Meeting

January 22nd, 2010

The next meeting of the Irish Information Security Forum will be held on the 28th of January at 14:00 in the Oak Room in Buswells Hotel on Molesworth St., Dublin 2.  The topic for the meeting will be “What’s hot in Information Security in 2010”.

I will be addressing the meeting with what I think will be hot for 2010 as will speakers from RITs, Grant Thornton, Espion, Deloitte and Ernst & Young.

It promises to be an interesting event and I look forward to seeing some of you there.


Morning Ireland Interview

January 20th, 2010

I was interviewed by RTE Radio 1’s Morning Ireland show about the latest vulnerability in Microsoft’s Internet Explorer.  The interview focused on the calls by the French and German governments for people not to use Internet Explorer until a patch is released and to move to a different browser instead.  The full interview is available on RTE’s website.

Since the interview Microsoft announced they will release an out-of-cycle patch to address this issue.  Also it is interesting to note that the Australian CERT, AusCERT, has a different view to the French and German governments on this issue and claims that the issue has been overblown.  The Trend Micro Countermeasures blog also has some good guidance regarding how to deal with this vulnerability and indeed any other vulnerabilities that have no patches available.


Snow Go

January 5th, 2010

A few people have asked me about what they should do regarding business continuity as a result of the recent heavy snow falls.  I have pointed many of them to the excellent business continuity plan template that the Department of Enterprise, Trade and Employment published recently for the H1N1 flu virus and which is equally applicable to the current weather conditions.

The following post from February of last year is also worth reading;

Weather wise it has been an interesting week in Dublin to say the least.  We had our first major snow fall in many years.  While the volume of snow we got may not be anything compared to what some of you get in more continental climes, it was still large enough to make life uncomfortable for us Irish people who are used to our winters being windy and wet (kind of like our summers).

As a child I remember when snow would fall heavily enough for the schools to close and we ended up with free time on our hands thanks to a “snow day”.

So it was interesting to see how businesses were impacted by the weather this week and how they were impacted by the grown up version of “snow day”.  While these businesses did not close their doors, I know of many people who decided to work from home rather than face the chaotic traffic resulting from Irish drivers’ inability to deal with snow on the road.  Quite a few meetings were cancelled as people could/would not travel to attend. 

This made me wonder how many companies have their Business Continuity Plans updated to include how to deal with adverse weather conditions impacting on their staff not being able to get to work or to attend meetings with clients.  Most companies I have audited regarding their Business Continuity Management System seem to focus solely on the IT aspect of their company and what would happen if a disaster were to make those systems unavailable.  Very few include in the Business Continuity Plans what to do if key staff are suddenly unavailable.

So why not take a look at your own organisation and try and figure out what would you need to have in place should some of your key staff be unable to get to their place of work?  Some key questions to ponder;

  • How many concurrent remote users can your VPN support?
  • If a large number of staff were to try to work from home on the same day would the VPN be able to cope with the traffic?
  • Should you have a VIP VPN that can only be used by those staff in such scenarios?
  • Do your staff have work laptops or PCs to work from home?  If not, how will you secure any data they may have on them while working from home?
  • Can staff use alternative means to meet with clients such as online conferences or conference call facilities?
  • Is your support desk prepared for the increased number of calls that they will get from remote workers who may not have tried to connect remotely for a while?
  • Do they have appropriate tools to diagnose VPN issues and problems or indeed to remotely take over a PC to help troubleshoot it?
  • Will you have people on your support desk to support your users or will they too be victims of the snow day?

When it comes to Business Continuity planning you need to look beyond the availability of the systems and think of the impact different circumstances can have on them.  You should look closely at the ISO 27001 Information Security Standard or the BS 25999 Business Continuity Standard to ensure that you have taken a structured and business-focused approach to your business continuity planning.

Let’s not make a snow day a no business day.
