Brian Honan Finalist in SC Magazine Awards 2013

Posted on by

 

SC_2013_shortThe year 2013 is of to a great start. Not only has this blog been shortlisted in the finals of the RSA Security Blogger Awards under the category of Most Educational Blog, I found out last week that I have been selected as a finalist in the SC Magazine Awards for Information Security Person of the year 2013.

Last year I was also nominated for this award and it is a great honour to be selected for the final again this year.  As well as being a finalist last year for Information Security Person of the year, BH Consulting received an award in the finals of Information Security Consultancy of the year.

I am looking forward to another excellent night at the awards dinner which will be held during the Infosec Europe exhibition in April and fingers crossed I could be coming back from London again this year with an award.

Bit9 Security Breach – Lessons Learnt

Posted on by

News broke on Friday evening that the security vendor BIT9 suffered a security breach. BIT9 offers a solution to clients whereby they will whitelist applications to run the PCs of their clients. This is done by digitally signing each approved application to allow it run on the protected computer. The theory behind this method is that only the whitelisted software will run on the PC. If an attacker tries to infect the computer with malware they will not succeed as it will not be on the authorised list of applications and therefore not run.

Brian Krebs broke the news that somehow attackers broke into the BIT9 network and then used BIT9’s own digital certificates to sign and push malware out onto the networks of some of BIT9’s customers. So far there is no indication as to how BIT9’s customers who were attacked detected the intrusion. It would be highly ironic if the malware was detected by anti-virus software, particularly so given this blog post “It’s the Same Old Song: Antivirus Can’t Stop Advanced Threats”.

From BIT9’s own blog post on the incident they sat “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware”. While it would be very ironic if it was anti-virus software that detected the malware sent by BIT9, this incident is a classic example of why relying on one technology to protect your network can be so risky.

Should that technology fail then your whole security can be undermined.  This is commonly referred to a “brittle security”, a term coined by Bruce Schneier. It also highlights a phrase I have used with my clients when highlighting the trust they place with staff, partners or vendors; “those you trust the most are the ones that can end up hurting you the most”

The Bit9 breach is a classic illustration of those two statements in action. Bit9’s security was breached because of an “operational oversight” they did not manage to use their own product on all of their systems. It also shows how attackers are now using the supply chain of high value targets to attempt to breach their networks. I have no doubt that this attack, similar to other attacks such as the one against RSA in 2011, was done to leverage the trust Bit9’s customers placed in the Bit9 solution.

The lessons we should learn from this are;

  1. No software, including security software, is 100% secure (as per this old blog post). Regularly review your security software to ensure it is up to date.
  2. A layered defense, as outlined in this whitepaper I wrote for Tripwire, will help reduce the impact of a security layer failing.
  3. Ensure your security infrastructure is not reliant solely on software. Remember People, Process and Technology are the three pillars to a secure environment.
  4. Develop a patch management process that should be specific to your security software. Remember this is the software you depend on to protect your information, networks and systems so you will need to treat it differently from the accounting package deployed within your company.
  5. When selecting a product do not be afraid to question the vendor on how they manage vulnerabilities, patches and updates for their products. Also ask them how they will alert you, their customer, to security issues with their software.
  6. Your security assurances need to extend beyond your own perimeter and include your suppliers, partners and any other organisations with access to your data and/or systems that you trust and rely on.
  7. There is no such thing as 100% security. Someone or something and some particular point in time will fail and provide a potential exposure, so plan accordingly.

UPDATE 11th February

SC Magazine have covered this story with quotes from this blog post.

Likewise The Register has quoted this post in their coverage of the breach.

DarkReading interviewed me and included this post in their coverage of the breach.

UPDATE 12th February

Eric Schurr from Bit9 has commented below on the blog post to clarify how Bit9 works. My apologies if I caused any confusion in my own explanations.

Today Is Safer Internet Day

Posted on by

Today marks the 10th anniversary of Safer Internet Day. BH Consulting has long been a big supporter of this initiative.  Here are some resources that you can use to help make children and younger adults safely enjoy their online world.

Spunout,  an independent youth charity has this excellent video on encouraging young people not to stand by while others are being bullied online.

Finally, in the event that you or someone you know suffers from being harassed or bullied online here are some useful steps to follow;

  • Record every incident. Ideally do so in a bound notepad (not the type you can tear a page from) and note every event with date and time of each incident, plus details of the incident.
  • Print out all emails, messages, screen shots etc. Relating to every incident. Date them and link it back to the record in the notebook.
  • Report it to the website, social media network or forum that the abuse happens on.
  • If you believe the abuse is related to school or college report it to them and ask them to follow their policy for online bullying.
  • If the abuse is aggressive report the issue to the police.Guards, they may not be able to do anything but at least it will be reported to them and they will have a record to go back on if it becomes serious. The notebook and printed evidence can help with initial report
    and any subsequent reports.
  • Make sure your privacy settings on your online accounts are set accordingly

The Internet can be a great resource, lets make sure we can enable our children and young adults to use it in a safe and secure manner. Remember though that we should be always looking to stay safe online and not just for one day each year.

Telephone Scams

Posted on by

mobilephoneI recently appeared on the Morning Show on TV3 to discuss the issue of Irish mobile phone subscribers being targeted by a phone scam. It appears that those behind the scam would place a call to a victim’s phone but hang up before they could answer thereby creating a missed call on the person’s phone. The prefix for the missed call number is 386 which if you look at quickly looks to be the prefix for the 086 Irish mobile phone number.  However, the number 386 is actually the international dialing prefix for the country Slovenia.  Anyone dialing the number, curious to see who they missed the call from, would end up facing a hefty charge as the number actually turned out to be a premium rate number. Some people actually reported the number went to a sex line.  Comreg are investigating the case and have reportedly stated that anyone impacted by the scam should not have to pay any incurred charges.

I was invited onto the Morning Show to discuss this scam and indeed to cover other common scams. The show is available online on the TV3 Player my interview starts about 14 minutes and 50 seconds into the show.

Here are some of the other typical type of scams that are out there;

  • Winner !!

You Have Won a Prize Text or Email Message You receive a text message claiming that you have won a prize, either cash or some high value item. To receive your prize you have to pay a shipping fee for it to be sent to you. However after spending your money you never receive the prize.

  • Give Me Your Bank Account Details

You may receive an SMS message telling you that there is a problem with your bank account and you need to log into your account straight away to rectify the problem. There will be a link in the SMS message that claims to take you to your bank account. This is an attempt by criminals to get you to log into a website they have set up to look like your bank’s website and steal your login credentials to your account. Once you enter your details the criminals will then take those details and log into your account and take your money.

  • SMS Competitions

This scam is where you can enter a competition by answering questions via text messages. However what they omit to tell you is that the number you text is a premium number and you end up paying a lot of money – the more questions you answer they claim will increase your chances of winning the prize but will also cost you a lot of money.

  • Ring Tone Scams

You may be offered access to a free or cheap ring tone to install on your phone. However, what you may not realise by accepting the offer is that you are subscribing to an expensive service.

How to Identify a Scam

  • You receive a call or text from a number you do not recognise or know
  • There are no clear indications in the message as to what company or organisation you are dealing with
  • There are no mention of costs in relation to services offered by the text message
  • There are no clear instructions on how to stop receiving these text messages.
  • Numbers given in messages are premium rate numbers.

How To Protect Yourself

  • Read the messages clearly and try to identify if it is a scam
  • Your bank or financial institution will never ask for your login details via email or text If in doubt do not ring back
  • If you did not enter a competition then consider how could you win it?
  • Read terms and conditions of any offers very carefully
  • Do not give your financial details (e.g. credit card information) to anyone you have not verified
  • Be careful of messages that just contain a link. This could be a link to an infected website and the scammer is hoping you will click on the link out of curiosity

Remember, if it sounds too good to be true then it probably is !!

Securitywatch Blog Finalist in Security Blogger Awards

Posted on by

Mondays are not typically the days we greet with joy. However, today proved to be an exception.  This afternoon I saw Wendy Nather tweet that Javvad Malik’s blog had been selected as a finalist in the Most Entertaining Blog category for the Security Blogger Awards.  I was delighted to see Javvad’s work getting such recognition as I think his material in excellent and indeed I encourage my students to visit his video on why you should not encrypt passwords to learn about hashing passwords.

Imagine my surprise and delight when I say that my own blog was also selected for the finals of the Security Blogger Awards. Securitywatch is amongst an excellent list of blogs in The Most Educational Security Blog category.

So to whoever nominated the blog for the final, thank you.  It is very much appreciated and thank you to the judges for selecting the blog as one of the finalists.

If you are looking at expanding the blogs you read then I highly recommend you go and have a look at the finalists in the various categories. There are many blogs I already follow there and a few I was not aware of but am following now.

Thanks again to you all for reading this blog and if you enjoy what is published here then please do go and vote for SecurityWatch here

Upcoming Speaking Engagements

Posted on by

Tech-Security.jpgThe new year is now upon us and it already looks to be a busy one here at BH Consulting.  I wish you all a very prosperous, happy and secure 2013.

This post is simply to highlight some of the upcoming speaking engagements that I am involved in.  Hopefully I will get a chance to meet and talk to some of you at some of these events.

Information Security Magazine Patch Management Webinar

Information Security Magazine will be hosting a webinar on Thursday the 10th of January to discuss issues relating to the latest Microsoft patch releases but also on patch management issues in general.  I will be one of the panel discussing these topics.

Chartered Accountants Practitioner Technology Seminars 2013

I will be addressing both of the Dublin and Cork seminars to be held on the 16th and 17th of January respectively.  I will be talking to attendees on “Securing Business in the 21st Century – Security, Device Management (incorporatingoffice mobility) and Data Protection”

Irish Computer Society Data Protection Conference

I am delighted to say that the Irish Computer Society have asked me back to address the 5th Annual Data Protection Conference to be held on the 21st of February.

RSA Conference USA 

One of my lifetime ambitions has been to attend the RSA Conference in the USA, this year not only do I get to attend but I am also a speaker at it. I will be taking part in a panel discussion called “Mayans, Mayhem and Malware”.

Secure Computing Forum

On March 7th I will be one of the speakers at the Secure Computing Forum  2013 at the Gibson Hotel, Dublin is hosted by DataSolutions and Check Point

There may be other events coming up soon so keep an eye on the blog for those updates. If you are planning to host an event yourself and would like someone to address the event on matters relating to protection key business assets then don’t hesitate to contact us or to visit our events page for more information.

Securing the Human Comes to Ireland

Posted on by

I am delighted to say that BH Consulting will be the Irish partner for SANs Securing the Human.  As a member of the advisory board for Securing the Human I’ve seen it develop into one of the best security awareness training program currently available. Securing the Human provides organisations with a comprehensive and cost effective solution to raising security awareness amongst their staff.

It seems our partnership is timely as a recent survey by DataSolutions and ComputerScope highlights that one third of Irish companies do not have a security awareness training program in place. When you consider that the majority of breaches involve some sort of interaction by employees this is a worryingly large number.

For more information on Securing the Human Ireland you can access our page here.

STH Ireland Ad

Christmas Wishes

Posted on by

We would like to take the opportunity to wish all our readers, clients, associates and partners the very best for the Christmas season and that you all have a properous and secure New Year.

As is our tradition BH Consulting will not be sending Christmas cards, instead we donate money to a charity of our choosing.  This year we are supporting Temple Street’s Children’s Hospital Light Up a Child’s Life campaign.

Light Up a Childs Life

To get you in the festive mood here is a white Christmas

 

Security Breach At the North Pole

Posted on by

Well it had to happen. Reports are coming in of a serious security incident at the North Pole resulting in the loss of Santa’s naughty and nice list.  It appears that an unencrypted USB key containing the list was lost.  There are already reports that the information on the USB key has been leaked. Obviously the repercussions of this will be felt by many around the world.

This video goes into the breach in more detail;

Santa Gets Hacked! from Twist and Shout on Vimeo.

Latest Column Piece in HelpNet Security Magazine

Posted on by

In my latest piece for HelpNet Security Magazine I highlight a trait that I see lacking in many information security professionals lately. That is being able to ask the right question to identify what needs to be done to secure our systems. Too often we jump to the solution (usually technical) without properly understanding what the problem is.  The full article is called “Improving Information Security With One Simple Question“.

I hope you enjoy it and if you have any feedback or comments please feel free to put them in the comments below.