Fight for Kisses – Lessons for Infosec

A friend emailed me a link to the video below.  It is a very amusing advert for a gents' shaving product highlighting how babies can monopolise their mother’s affections, to the cost of the father.
Of course, being in information security, I could not help but look at the video from the infosec viewpoint, and it made me think how companies can often be like the father in the video.

  • Just like the father who thought he was the centre of his partner’s world, companies often become lax in their security, thinking everything is fine and that “it won’t happen to them”.
  • Often the event that “won’t happen to them” materialises from a trusted insider.
  • It can take time to respond effectively to an incident.
  • Sometimes to deal with the threat you are facing you have to look for new and innovative means.  Often the solution may also be something simple.
  • You cannot become complacent as the threat may materialise again and this time it may be different, stronger or more effective.

More Details of Heartland's Breach Emerge

More details are available as to how the breach occurred at Heartland, resulting in potentially the biggest breach ever of nearly 100m credit card transactions.  Investigators discovered that a piece of malware was hidden in an unallocated portion of disk on one of the Heartland servers.

What puzzles me though is:

  • How did a user have the rights to install the malware on the system? Was it an administrator that was duped into loading the malware?
  • Why did the monitoring of the logs on the servers not detect any strange behaviour?
  • Where was the pilfered data being sent to?  If external to Heartland's network, surely egress filtering or monitoring of outgoing traffic would have flagged the suspicious behaviour?

The CEO of Heartland has also said that if other payment processors who had previously suffered breaches had shared their experiences then maybe Heartland would have been better prepared to prevent this type of attack.  It will be interesting to see if he lives up to his own statement and publishes details of this attack so others can learn from it.

Do take the time to read the article as it is a fascinating read into how the breach occurred.

Plane Security

At this stage you no doubt have heard about the miraculous emergency landing of the US Airways Flight 1549 in New York’s Hudson river.  Thanks to the skill, experience and bravery of the pilot and the crew, all 155 people on board managed to get out of the plane safely with relatively few injuries. 

So what has this got to do with Information Security I hear you ask?  As the story was breaking and I read the updates on the web and watched breaking news coverage on various TV channels, I was taken aback at how the pilot managed to do such a fantastic job.  I then started to think that if we in the Information Security industry adopted the disciplines used in the aviation industry would we have more secure systems?

When you look at it closely you can see that there are many similarities between both the Information Security and the aviation industries:

  • Both are high tech by their nature.
  • The users of each industry understand very little of how the technology works, they just want it to do what it is supposed to do without putting them in danger.
  • While both industries use automation extensively, they still rely heavily on human intervention and guidance to ensure everything works as it should.
  • When there is a failure it can have significant impact.  Although aviation failures are by their nature more serious as they can result in human casualties.
  • Both industries attract a high number of ex-military personnel.  The pilot of Flight 1549 is an ex-fighter pilot and you cannot go to an information security conference without coming across ex-military or law enforcement personnel.

But yet with all these similarities, within Information Security we tend to see a much higher failure rate.  So I began to think why this should be.  The answer is really quite simple: discipline.

The aviation industry appears to me to be much more disciplined in every aspect.  Within Information Security we have the mantra that security is successful only if the blessed trinity of People, Process and Technology are properly integrated.  So let's take a closer look at each of the elements in that trinity.

Technology

Aeroplanes themselves are highly designed with a lot of fail safe systems put into them.  Not only that but they are regularly and rigorously maintained in line with recognised good practices.  New models of airplanes are not rushed off the production line with known issues outstanding.  Would you get on a plane that was pre-Service Pack 1?

Yet within IT we push new applications and systems into production environments without them being adequately tested and in many cases knowing that there are bugs in the systems.  The recent SANS/MITRE list of Top 25 Most Dangerous Programming Errors highlights this approach.

Airplanes are maintained on a very regular basis during which the whole plane undergoes stringent safety testing.  Changes to an airplane have to be made in accordance with regulations and strict safety guidelines.  Contrast that to how IT systems are maintained or indeed how changes to the IT environment are managed.  Change Management has one of the biggest returns for your money when it comes to ensuring the availability and security of your systems, yet very few organisations seem to do this properly, if at all.

People

Every member of the crew of an airplane must undergo strict training regimes before they are allowed onboard.  That training has to be regularly updated and retested.  What is more, the training is specific to the task that each crew member does.  A flight attendant for example is not qualified to fly a plane; pilots have to be specifically trained on the type of plane they will be flying and gain hours of flight experience before they are allowed to take to the skies.

Yet within IT we do not have the same rigour when it comes to those in charge of our critical systems.  It is not uncommon for people to be in charge of systems that they have not received any formal training on, or indeed to be working (read that as winging it) with one vendor’s technology having been trained on that of a completely different vendor.

Each plane crew member is also trained in how to react in an emergency and can do so in an efficient and professional manner.  Captain Chesley Sullenberger had the training and experience to react to the emergency on the plane and land it in the Hudson, while his crew had the training to safely evacuate the passengers.  Captain Sullenberger then checked the plane twice himself to check it was clear of passengers and crew before getting off himself.

With regards to information security, many organisations do not have an incident response plan that is properly documented, regularly tested and with all staff properly trained in what they should do in the event of an incident.  Too many times responses to incidents are haphazard without any clear plan or roles and responsibilities identified.  If your company were to suffer as catastrophic an event as that experienced by Flight 1549, would your team have the processes, procedures and training to ensure the event had as minimal an impact as possible on your systems?

When looking at the users of both industries it appears to me that the aviation industry once again pips information security when it comes to security awareness.  Most passengers are aware of what they are allowed to bring onto an airplane and will dutifully herd themselves like sheep as they wind their way past airport security to display their transparent plastic bag of small liquid containers.  Passengers also know not to let others take their baggage or bring someone else’s bags onto the plane.  In addition, every time a passenger gets on an airplane they are subjected to compulsory security awareness, i.e. flight safety, lecture, which in turn is backed up by easy to understand awareness material located in each seat.

Ever since the events of 9/11, passengers are more likely to report suspicious behaviour of a fellow passenger in case they are a terrorist and indeed will probably tackle someone who is behaving outside the acceptable norms. 

Contrast the passenger to the average IT user.  How often do your IT users get regular security awareness lectures?  How clear are your policies and procedures that people should follow?  Are they as easily understood as the not taking liquids onto a plane rule or the airline safety leaflet?  What are you doing to ensure users know not to click on attachments or links in emails or insert that USB or CD they found into their computer?  How confident are you that your users know not to share their login details with others or how to recognise suspicious behaviour that may indicate their systems are infected or hacked?

Processes

Before take-off every person connected with preparing the plane before, during and after the flight has to complete a set of predefined checklists.  The ground crew ensure the plane is properly set up, the pilot logs his flight plan, checks his instruments and the plane, while the cabin crew ensures all equipment within the cabin is functioning as it should.  Everybody has to go through these checklists before the plane is allowed to take off.  Once the plane is in the air the systems are continuously monitored with everything recorded and logged to the airplane’s flight recorder, commonly known as the Black Box.  On the ground the airplane is also constantly monitored by air traffic control to ensure it reaches its destination safely.

Although the airline industry is very high tech, it still relies heavily on humans to check and double check everything to minimise the risk of anything going wrong.  It seems to me that the airline industry views technology as merely the tools of the trade but it is the human element that ensures everything runs smoothly.

The information security industry is also high tech but seems to rely much more on the technology element and overlooks the human.  Shinier tools and vendor promises of silver bullet technology seem to be what we rely on.  Checklists and formal procedures are more the exception than the norm. 

Another area we are very weak on in the information security area is monitoring.  During a flight an airplane is constantly monitored, both by the onboard crew and air traffic control.  Feedback from these systems is taken into account and adjustments made where necessary.  Monitoring within the information security world is yet another area that many of us do not utilise properly.  While we have excellent logging facilities available in our systems to record everything that happens in our environments they are very rarely turned on, and if they are, it always appears that we do not record the right information we need.  Key metrics to help the business and management make necessary decisions are not measured.  System logs are not properly monitored to create alerts in the event of suspicious activity being detected.  How often have we seen IDS systems implemented and then turned off because of lack of proper configuration?  How often do we hear about breaches that have occurred where if the affected company had been monitoring their systems properly they would have detected the attack much earlier?

Time for Some Discipline

It has taken the airline industry a long time to get to where it is today.  Many hard lessons had to be learned from serious disasters to ensure they would not happen again.  But thanks to those efforts air travel is now the safest form of travel.  To get to this level required discipline, and lots of it.  So I think it is time that we as a profession and an industry raise the bar and instil a lot more discipline into how we do things.

We need to ensure that everyone, from developers, to infrastructure management, to information security professionals, to senior management and of course the users are more disciplined in what we do and how we approach protecting our data.  By disciplining ourselves to do some of the basic chores there are many quick wins that we can put in place that will raise the bar. 

  • Discipline yourself to review the checklists that you currently have and ensure that they cover all the key elements that should be checked daily, weekly, monthly, quarterly and yearly.  Once you have those checklists in place make sure the discipline is there to ensure they are completed when they should be.
  • With regards to information security policies you need to have the discipline to regularly review them, constantly monitor compliance with the policies and to deal with any non-compliance in a fair and consistent manner. 
  • Developers should have the discipline in place to check their code for common coding errors that could lead to a security breach by reviewing the excellent information provided by OWASP and SANS.
  • You should ensure that those managing the network infrastructure are disciplined enough to regularly monitor key systems and ensure that everything is patched and configured in a secure manner.
  • Instil the discipline in your organisation to develop and implement, or review existing, change management and incident response processes and procedures.  Once these are in place make sure the discipline is there to regularly review and test them to ensure they operate as they should and always look for ways to improve.

Discipline is a small word but if used correctly you can become a Captain Chesley Sullenberger of information security.

Estonian Government Releases Cyber Strategy Paper

The Estonian Government has released a strategy paper on enhancing cyber security.  This is an interesting read as we can all learn from the lessons of the cyber attacks against Estonia last year.  The report makes for interesting reading and yet it is still sad to see that governments and many organisations only take computer security seriously after they have suffered a major attack.

Do you think this paper would have seen the light of day had Estonia not been a victim to a major Distributed Denial of Service attack last year?  I also wonder how many government officials here in Ireland are working on a similar paper to defend the Irish Internet space?

A Tale from the Estonian CyberWar

Last year Estonia fell victim to a major DDoS attack that crippled much of that country's Internet infrastructure, impacting on online banking, government and media websites.  I posted about this particular attack in the post “Botnets – Digital Weapons of Mass Destruction?”  Gadi Evron, who was involved in helping Estonia defend against these attacks, has published an article on the attacks.  Entitled “Battling Botnets and Online Mobs – Estonia’s Defense Efforts during the Internet War”, the article gives a good background into why the attacks happened, the impact they had on Estonia and also how Estonia defended against the attacks.

The Estonian CERT comes into focus a lot as their efforts ensured the attacks were dealt with as effectively as possible.  The key to their success was the ability to work with other CERTs, such as those in Germany, Finland and Slovenia. 

Reading the article I could not help but wonder how we as a country would fare if we were to be victims of a mass cyber attack on the scale that happened against Estonia.  We do not have a CERT team to help coordinate any responses either nationally or internationally.  I have spoken on this issue many times in the past and feel quite strongly that a CERT is fast becoming a necessity for us to have in order to ensure our growth as a knowledge economy and to protect our Internet infrastructure.

Gadi’s article makes for an interesting non-technical read.  While reading it, though, think about how Ireland would cope with a similar attack and let me know how you think we would fare.

Protecting Your Online Reputation

An interesting series of posts on how to deal with negative publicity from the online community has just started today on Damien’s Blog.  Today’s post offers an interesting insight into how to deal with negative postings about your company from bloggers.  While focused on the customer service side of things regarding this issue, I think the points outlined by Damien are relevant to how we protect the reputation of our organisations.  After all reputation risk is something that we should factor into our thinking and our risk management plans.  The post also points out some useful ways to monitor your reputation online.

Brian

Lessons Learnt from the IBTS Information Security Incident

As discussed last month The Irish Blood Transfusion Board suffered a security incident whereby a CD containing encrypted information on blood donors was stolen in New York City.  This was the first major publicly reported data loss incident that we have seen in Ireland.  As promised in earlier posts, now that the dust has settled I would like to highlight some of the key lessons learnt from this incident.  Hopefully these lessons can be applied to your own situation to ensure that your next incident can be handled well.

Lesson 1 – Know Where Your Data Is.
Careful thought went into the process of sending the CD to New York in the first place and it was evident that the IBTS clearly knew what data was on the lost CD and who it impacted.  When the CD was lost the IBTS knew exactly the potential impact of the loss.

If you do not know where your data are then you will spend a lot of time in your incident handling trying to determine what the impact of the incident is.  Time better spent dealing with the actual incident itself.  Remember that in an incident time can be your biggest enemy and it is a very finite resource so spend it wisely.

Targeted Attacks Using Unpatched Vulnerability in MS Excel

The Microsoft Security Response Centre has just released an advisory alerting us to targeted attacks using an unpatched vulnerability that affects Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac.

Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007 and Microsoft Excel 2008 for Mac are not impacted.  This vulnerability is being actively exploited at the moment in attacks targeting specific organisations.  That is not to say however that a more widespread attack could not happen.

If you cannot upgrade your systems to the non-affected versions it may be prudent to block incoming emails or Internet downloads of Excel into your network until more details emerge and/or Microsoft release a patch.

The advisory also contains a number of suggested workarounds.

Web Application Security Guidance

Over the holiday period I spent some time catching up on news items and emails that filled up my inbox over the preceding few months.  One item I did not look at until recently was an announcement about the Web Application Security Consortium (WASC).

WASC is an open forum to stimulate and create discussions regarding web application security.  This is an area that will become more and more important to those of you tasked with protecting the online presence of your organisation.  Especially if your web sites have any interactive functions built into them.

Criminals are moving away from attacking the network and operating system layers to looking at how to break applications to get to what they want: money, yours or that of your clients.

Thanks in part to advances in the networking and operating system technology we now use it is getting more difficult for criminals to exploit this vector.  So criminals are now looking to exploit the applications we deploy on our servers. 

WASC have set up the Web Hacking Incidents Database in which they record the various attacks that have occurred (already two major ones are recorded for 2008) and how those attacks happened.  Browsing through the database three main vectors jumped out at me:

  1. SQL Injection Attacks
  2. Cross Site Scripting Attacks
  3. Attacks using known vulnerabilities.

The above attack vectors are well known and there are plenty of resources out there to help people code their applications more securely and to ensure they patch their systems regularly.  You need to ensure you are aware of how these attacks can happen and ensure that your developers or application providers have tested their applications for them.

If you have not done so already have a look at the OWASP site for some good information.  Microsoft’s ACE team have a great Blog on developing secure code and their %41%43%45%20%54%65%61%6d (translated it means ACE Team) Blog gives a 4 part tutorial entitled “First Line of Defence for Web Applications”.

While you are at it I would also recommend that you start the New Year by revising your Incident Response plan to ensure that it is up to date and that you are prepared to react to these types of attacks.

Most Popular Posts

Seeing as it is the beginning of a New Year I have reviewed the past year or so of the Security Watch Blog’s existence and thought I would highlight the most popular posts.  I picked these posts based on a combination of the number of comments on each post, the number of links to a particular post and the number of views to a post.  In no particular order we have:

An Overview of Information Security Standards

List of Security Certifications

Safari Incident Response

Microsoft Security

Information Security – Overhyped?

Call for Breach Disclosure Laws in Ireland

Why use ISO 27001?

Botnets – Digital Weapons of Mass Destruction?

Security & Google Docs

Details of TJX Hack Emerge – Wireless Networks the Weak Point