Sunday 30 September 2012

e-Mail Scams


Some of the e-mail scams I received today. I particularly liked the audacity of the first one, which claims to be from the FBI and says:

"Since the Federal Bureau of Investigation is involved in this transaction, you have to be rest assured for this is 100% risk free it is our duty to protect the American Citizens."

Shame they didn't spoof an FBI address in the sender's field.

Also I won the UK email address Lottery in Bangkok-Thailand today and have to contact a Japanese email address to collect my winnings



Federal Bureau of Investigation (FBI)
Anti-Terrorist And Monitory Crime Division.
Federal Bureau Of Investigation.
J.Edgar.Hoover Building Washington Dc
Customers Service Hours / Monday To Saturday Office Hours Monday To Saturday.

Attn: Beneficiary,

This is to Officially inform you that it has come to our notice and we have thoroughly Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal Transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke, Dr. Philip Mogan, none officials of Oceanic Bank, Zenith Banks, Barr. Derrick Smith, kelvin Young of HSBC, Ben of FedEx, Ibrahim Sule,Larry Christopher, Dr. Usman Shamsuddeen, Dr. Philip Mogan, Paul Adim, Puppy Scammers are impostors claiming to be the Federal Bureau Of Investigation. During our Investigation, we noticed that the reason why you have not received your payment is because you have not fulfilled your Financial Obligation given to you in respect of your Contract/Inheritance Payment.

Therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in total USD$11,000.000.00 in an ATM CARD which you can use to withdraw money from any ATM MACHINE CENTER anywhere in the world with a maximum of $4000 to $5000 United States Dollars daily. You now have the lawful right to claim your fund in an ATM CARD.

Since the Federal Bureau of Investigation is involved in this transaction, you have to be rest assured for this is 100% risk free it is our duty to protect the American Citizens. All I want you to do is to contact the ATM CARD CENTER via email for their requirements to proceed and procure your Approval Slip on your behalf which will cost you $150.00 only and note that your Approval Slip which contains details of the agent who will process your transaction.

CONTACT INFORMATION

NAME: Mr. Kelvin Williams
EMAIL:mrkelvinwillams@yahoo.cn

Do contact Mr. Kelvin Williams of the ATM PAYMENT CENTER with your details:

FULL NAME:
HOME ADDRESS:
TELL:
CELL:
CURRENT OCCUPATION:
BANK NAME:
AGE:

So your files would be updated after which he will send the payment information's which you'll use in making payment of $150.00 via Western Union Money Transfer or Money Gram Transfer for the procurement of your Approval Slip after which the delivery of your ATM CARD will be effected to your designated home address without any further delay.We order you get back to this office after you have contacted the ATM SWIFT CARD CENTER and we do await your response so we can move on with our Investigation and make sure your ATM SWIFT CARD gets to you.

Thanks and hope to read from you soon.

ROBERT S. MUELLER, III
DIRECTOR, FEDERAL BUREAU OF INVESTIGATION UNITED STATES DEPARTMENT OF JUSTICE WASHINGTON, D.C. 20535


Note: Do disregard any email you get from any impostors or offices claiming to be in possession of your ATM CARD, you are hereby advice only to be in contact with Mr. Kelvin Williams of the ATM CARD CENTER who is the rightful person to deal with in regards to your ATM CARD PAYMENT and forward any emails you get from impostors to Mr. Kelvin Williams.





UK LOTTERY ORGANIZATION
TICKET FREE/ONLINE E-MAIL ADDRESS WINNINGS DEPARTMENT.

Are you the correct owner of this email address? If yes then be glad this day as the result of the UK lotto online e-mail address and free-ticket winning draws of August 2012 held in Bangkok-Thailand has just been released and we are glad to announce to you that your email address won you the sweepstakes in the first category and you are entitled to claim the sum of Four Million, Six Hundred Thousand USA Dollars.

Your email address was entered for the online draw on this ticket #
68494-222 us  on this email address
uklottoemailwingthailand@yahoo.co.jp  for options on how to receive your won prize of US$4.6M.

To enable us ascertain you as the rightful winner and receiver of the $4.6Million , MAKE SURE you include the below listed information in your contact mail to him.

Your complete official names, country of origin and country of residence/work, contact telephone and mobile numbers, address, amount won, free ticket and lucky numbers, date of draw. OPTIONAL: - [Sex, age, occupation and job title].


Yours Faithfully,
Mr. Aaron Jones.
Online Winning Notification Department.
UK LOTTERY ORGANIZATION.



Computer Ethics (History)


Just because something is not illegal does not make it right

Computer ethics helps us make decisions on what is right for society rather than what is right for ourselves


  • Ethics is a broad philosophical concept that goes beyond simple right and wrong, and looks towards ‘the good life’
  • Morals are created by and define society, philosophy, religion, or individual conscience
  • A value system is a set of consistent ethic values and measures 
  • A personal value system is held by and applied to one individual only
  • A communal or cultural value system is held by and applied to a community/group/society. Some communal value systems are reflected in the form of legal codes or law
  • Code of Ethics is an instrument that establishes a common ethical framework for a large group of people

Ethical Models

Utilitarian Ethics

  • Jeremy Bentham and John Stuart Mill created Utilitarian Ethics in the 19th century
  • The basic premise is that actions that provide the greatest amount of good over bad or evil are ethical or moral choices 
  • There have been different interpretations of it 
  • One says that if, in a particular situation, the balance of good will be greatest when a particular action is taken, then that action should be taken
  • The next major viewpoint on Utilitarian Ethics would take the stance that it is not the action which produces the greatest good for a particular situation but the action that produces the greatest good 'over all like situations' in a society that should be taken

The Rights Approach

  • The Rights Approach is based on the principle that individuals have the right to make their own choices 
  • To judge whether our actions are right or wrong, moral or immoral, under this system we would have to ask ourselves how our actions affect the rights of those around us
  • The greater the infraction our actions cause against those around us the more unethical those actions are
  • For example if it is immoral to lie then you should never lie under any circumstances

The Common-Good Approach

  • Plato, Aristotle, and Cicero were the beginning of the Common-Good Approach, which proposes that the common good is that which benefits the community
  • This type of system is where we get health care systems and public works programs
  • For example stealing would never be ethical because it would damage (take resources away from) society or our community

Cyber Ethics


Key points in the development of Cyber Ethics

1940s: Norbert Wiener
  • The Human Use of Human Beings, 1950

Mid 1960s: Donn B. Parker
  • Rules of Ethics in Information Processing, Communications of the ACM, 1968
  • Development of the first code of professional conduct for the ACM, 1973

Late 1960s: Joseph Weizenbaum
  • Wrote ELIZA whilst at MIT
  • Computer Power and Human Reason, 1976

Mid 1970s: Walter Maner
  • Coined the phrase ‘computer ethics’
  • Published ‘Starter kit in computer ethics’, 1978

1980s
  • James Moor: ‘What is computer ethics’ in Computer & ethics
  • Deborah Johnson: published ‘Computer ethics’

1991: Maner, Terrell Bynum
  • First international, multidisciplinary conference on computer ethics



After World War 2, Norbert Wiener helped develop the theories of cybernetics, robotics, computer control, and automation. Wiener became increasingly concerned with what he believed was political interference with scientific research, and the militarization of science. He urged scientists to consider the ethical implications of their work.

Wiener published a series of books on the subject:

  • Cybernetics (1948)
  • The Human Use of Human Beings (1950)
  • God and Golem, Inc (1963)

Wiener’s ‘Ethical Methodology’

  1. Identify an ethical question or case regarding the integration of information technology into society. 
  2. Clarify any ambiguous or vague ideas or principles that may apply to the case or the issue in question. 
  3. If possible, apply already existing, ethically acceptable principles, laws, rules, and practices that govern human behaviour in the given society. 
  4. If ethically acceptable precedents, traditions and policies are insufficient to settle the question or deal with the case, use the purpose of a human life plus the great principles of justice to find a solution that fits as well as possible into the ethical traditions of the given society. 

History of Ethical Codes


The Code of Fair Information Practices. 

In 1973 the Secretary's Advisory Committee on Automated Personal Data Systems for the U.S. Department of Health, Education and Welfare recommended the adoption of the following Code of Fair Information Practices to secure the privacy and rights of citizens:

  • There must be no personal data record-keeping systems whose very existence is secret; 
  • There must be a way for an individual to find out what information is in his or her file and how the information is being used; 
  • There must be a way for an individual to correct information in his records; 
  • Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse; and 
  • There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his consent. 


Internet Activities Board (IAB) (now the Internet Architecture Board) and RFC 1087. 

RFC 1087 is a statement of policy by the Internet Activities Board (IAB) posted in 1989 concerning the ethical and proper use of the resources of the Internet. The IAB "strongly endorses the view of the Division Advisory Panel of the National Science Foundation Division of Network, Communications Research and Infrastructure," which characterized as unethical and unacceptable any activity that purposely:

  • Seeks to gain unauthorized access to the resources of the Internet, 
  • Disrupts the intended use of the Internet, 
  • Wastes resources (people, capacity, computer) through such actions, 
  • Destroys the integrity of computer-based information, or 
  • Compromises the privacy of users.

Ten Commandments of Computer Ethics (Computer Ethics Institute, 1992)

  • Thou shalt not use a computer to harm other people
  • Thou shalt not interfere with other people's computer work
  • Thou shalt not snoop around in other people's computer files
  • Thou shalt not use a computer to steal
  • Thou shalt not use a computer to bear false witness
  • Thou shalt not copy or use proprietary software for which you have not paid
  • Thou shalt not use other people's computer resources without authorisation or proper compensation
  • Thou shalt not appropriate other people's intellectual output
  • Thou shalt think about the social consequences of the program you are writing or the system you are designing
  • Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans 


National Conference on Computing and Values. 

The National Conference on Computing and Values (NCCV) was held on the campus of Southern Connecticut State University in August 1991. It proposed the following four primary values for computing, originally intended to serve as the ethical foundation and guidance for computer security:

  • Preserve the public trust and confidence in computers. 
  • Enforce fair information practices. 
  • Protect the legitimate interests of the constituents of the system. 
  • Resist fraud, waste, and abuse. 

The Working Group on Computer Ethics.

In 1991, the Working Group on Computer Ethics created the following End User's Basic Tenets of Responsible Computing: 
  • I understand that just because something is legal, it isn't necessarily moral or right. 
  • I understand that people are always the ones ultimately harmed when computers are used unethically. The fact that computers, software, or a communications medium exists between me and those harmed does not in any way change moral responsibility toward my fellow humans. 
  • I will respect the rights of authors, including authors and publishers of software as well as authors and owners of information. I understand that just because copying programs and data is easy, it is not necessarily right. 
  • I will not break into or use other people's computers or read or use their information without their consent. 
  • I will not write or knowingly acquire, distribute, or allow intentional distribution of harmful software like bombs, worms, and computer viruses. 

National Computer Ethics and Responsibilities Campaign (NCERC). 

In 1994, a National Computer Ethics and Responsibilities Campaign (NCERC) was launched to create an "electronic repository of information resources, training materials and sample ethics codes" that would be available on the Internet for IS managers and educators. The National Computer Security Association (NCSA) and the Computer Ethics Institute cosponsored NCERC. The NCERC Guide to Computer Ethics was developed to support the campaign. 
The goal of NCERC is to foster computer ethics awareness and education. The campaign does this by making tools and other resources available for people who want to hold events, campaigns, awareness programs, seminars, and conferences or to write or communicate about computer ethics. NCERC is a non-partisan initiative intended to increase understanding of the ethical and moral issues unique to the use, and sometimes abuse, of information technologies. 


The Hacker Ethic

Steven Levy (born 1951) is an American journalist who has written several books on computers, technology, cryptography, the Internet, cybersecurity, and privacy.

In 1984, he wrote a book called Hackers: Heroes of the Computer Revolution, in which he described a “hacker ethic”, which became a guideline to understanding how computers have advanced into the machines that we know and use today. He identified this Hacker Ethic to consist of key points such as that all information is free, and that this information should be used to “change life for the better”.

Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total. 

Always yield to the Hands-On Imperative! Levy is recounting hackers' abilities to learn and build upon pre-existing ideas and systems. He believes that access gives hackers the opportunity to take things apart, fix, or improve upon them and to learn and understand how they work. This gives them the knowledge to create new and even more interesting things. Access aids the expansion of technology.

All information should be free

Linking directly with the principle of access, information needs to be free for hackers to fix, improve, and reinvent systems. A free exchange of information allows for greater overall creativity. In the hacker viewpoint, any system could benefit from an easy flow of information, a concept known as transparency in the social sciences. As Stallman notes, "free" refers to unrestricted access; it does not refer to price.

Mistrust authority — promote decentralization

The best way to promote the free exchange of information is to have an open system that presents no boundaries between a hacker and a piece of information or an item of equipment that he needs in his quest for knowledge, improvement, and time on-line. Hackers believe that bureaucracies, whether corporate, government, or university, are flawed systems.

Hackers should be judged by their hacking, not criteria such as degrees, age, race, sex, or position

Inherent in the hacker ethic is a meritocratic system where superficiality is disregarded in esteem of skill. Levy articulates that criteria such as age, sex, race, position, and qualification are deemed irrelevant within the hacker community. Hacker skill is the ultimate determinant of acceptance. Such a code within the hacker community fosters the advance of hacking and software development. In an example of the hacker ethic of equal opportunity, L. Peter Deutsch, a twelve-year-old hacker, was accepted in the TX-0 community, though he was not recognized by non-hacker graduate students.

You can create art and beauty on a computer

Hackers deeply appreciate innovative techniques which allow programs to perform complicated tasks with few instructions. A program's code was considered to hold a beauty of its own, having been carefully composed and artfully arranged. Learning to create programs which used the least amount of space almost became a game between the early hackers.

Computers can change your life for the better

Hackers felt that computers had enriched their lives, given their lives focus, and made their lives adventurous. Hackers regarded computers as Aladdin's lamps that they could control. They believed that everyone in society could benefit from experiencing such power and that if everyone could interact with computers in the way that hackers did, then the Hacker Ethic might spread through society and computers would improve the world. The hacker succeeded in turning dreams of endless possibilities into realities. The hacker's primary object was to teach society that "the world opened up by the computer was a limitless one"






Friday 28 September 2012

IET Cybersecurity Conference 2012

I will be attending "The 7th International IET System Safety Conference, incorporating the Cyber Security Conference 2012" http://bit.ly/NUZuQ3, which is running from October 15th-18th, 2012 at the Radisson Blu Hotel, Edinburgh, UK, to present a paper on the "Cost effective assessment of the infrastructure security posture".

Abstract of paper


Today organisations are facing a threat from cyber-attack; whether they are an international conglomerate or a one-man outfit, none are immune to the possibility of attack if they have a connection to or presence on the Internet. The attacks can take many forms, from Distributed Denial of Service through to targeted phishing emails. Many attacks result in low tangible costs but can have high intangible costs to the targeted organisation, such as loss of brand reputation and loss of business. Many small businesses have taken weeks to find their websites have been blacklisted by search engines as their site has been compromised and is now hosting malware.

Although attack sophistication has grown from the password guessing attacks of the early 1980s to the sophisticated Advanced Persistent Threat (APT) being seen today, the skill level required to launch attacks has dropped, as the development of hacking toolkits and malware toolkits has given the script kiddie hacker sophisticated tools with simple GUI interfaces. The hacking group Anonymous’s use of tools such as the Low Orbit Ion Cannon (LOIC), available on sourceforge and github, enabled thousands of individuals who have no programming knowledge to take part in their orchestrated campaigns. The high profile of cyber-activity is encouraging an increasing number of people to dabble with easily findable tools and scripts, and many progress deeper into illegal activity.

The motivation of attackers targeting an organisation is extremely wide-ranging: from organised criminal gangs looking for monetary return, to rival organisations or countries looking for intellectual property, to hacktivists looking to exact revenge for a perceived infringement of their freedom, through to random attacks carried out because they can or because the attackers are just developing and testing their skills on a random target. All this requires an organisation to protect itself from attack, whether it is hosting a website on a third party’s infrastructure or has a large number of connected gateways on the internet and offers multiple services hosted on its own infrastructure to the general public and other organisations.

An organisation’s security posture is an indication of the countermeasures that have been implemented to protect the organisation’s resources. The countermeasures are security best practices that are appropriate to the organisation’s risk appetite and the business requirements. The security posture is defined by an organisation’s security policy and its mission statement and business objectives.

Countermeasures come with a cost which should not exceed the value of the resources they are protecting, and they should be effective, provide value for money, and a return on investment for the organisation.

Measuring how the organisation’s actual security posture relates to its agreed acceptable level of risk is a problem that organisations face when looking at whether their countermeasures are effective and providing value for money and a return on investment. There are two methodologies that can be used.
  1. Auditing – which is the mechanism of confirming that the processes or procedures agree to a master checklist for compliance
  2. Assessing – is a more active, or intrusive, testing methodology to adequately assess your processes or procedures that cannot be adequately verified using a checklist or security policy

This paper investigates the attack surface of an organisation’s infrastructure and applications, examining the cases where the use of cloud and mobile computing has extended the infrastructure beyond the traditional perimeter of the organisation’s physical locations, and the challenges this causes in assessing the security posture.

A review of the use of assessment methodologies such as vulnerability assessment and penetration testing to assess the infrastructure and application security posture of an organisation shows how they can provide identification of vulnerabilities, which can aid the risk assessment process in developing a security policy. It will demonstrate how these methodologies can help in assessing the effectiveness of the implemented countermeasures and aid in evaluating whether they provide value for money and a return on investment.

It is proposed that a long term strategy of using both methodologies for assessing the security posture based on the business requirements will provide the following benefits
  • Cost effective monitoring of the infrastructure and security posture
  • Ensuring that the countermeasures retain effectiveness over time
  • Responding to the continual changing threat environment
  • Ensuring that value for money and return on investment are maintained

Wednesday 26 September 2012

PCI, Block ciphers & TLSv1


One of the common problems appearing when scanning secure websites is a reported vulnerability in TLSv1 with cipher-block chaining (CBC); see the sample report generated by scanning tools about this problem.

Summary:
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
Synoposis: 
It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
Impact:
Vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Resolution: 
Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers.
Apply patches if available.
Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure

The problem with configuring the server to use only TLS 1.1 or TLS 1.2 is that XP with IE8 supports only TLS 1.0 and SSL 2.0 and 3.0. Whilst Windows 7 with IE8 supports TLS 1.0, 1.1 and 1.2, it is enabled by default. This can affect the users of a website; XP is still used by around 42% of all clients as measured by Net Marketshare.

Operating System    Market Share
Windows 7           42.76%
Windows XP          42.52%
Windows Vista       6.15%
Mac OS X 10.7       2.45%
Mac OS X 10.6       2.38%


A more user-friendly way to get around the vulnerability is not to use CBC ciphers on the server, such as those listed below:

PSK-AES256-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ADH-DES-CBC3-SHA
DES-CBC3-SHA
DES-CBC3-MD5
PSK-3DES-EDE-CBC-SHA
KRB5-DES-CBC3-SHA
KRB5-DES-CBC3-MD5
RC2-CBC-MD5
PSK-AES128-CBC-SHA
IDEA-CBC-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
ADH-DES-CBC-SHA
DES-CBC-SHA
DES-CBC-MD5
KRB5-DES-CBC-SHA
KRB5-DES-CBC-MD5
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-ADH-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-KRB5-RC2-CBC-SHA
EXP-KRB5-DES-CBC-SHA
EXP-KRB5-RC2-CBC-MD5
EXP-KRB5-DES-CBC-MD5 
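
As an added example (not from the original post or from any scanner), the script below classifies rows of `openssl ciphers -v` output by bulk-cipher mode to show which offered suites fall under the finding above. It goes beyond the list by using the Enc/Mac columns rather than the name, because suites such as AES128-SHA use CBC without "CBC" in their OpenSSL name; the sample rows are constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`
# (name, minimum protocol, key exchange, authentication, encryption, MAC).
SAMPLE_OPENSSL_CIPHERS_V = """\
DES-CBC3-SHA            SSLv3   Kx=RSA      Au=RSA Enc=3DES(168)   Mac=SHA1
AES128-SHA              SSLv3   Kx=RSA      Au=RSA Enc=AES(128)    Mac=SHA1
RC4-SHA                 SSLv3   Kx=RSA      Au=RSA Enc=RC4(128)    Mac=SHA1
EXP-RC2-CBC-MD5         SSLv3   Kx=RSA(512) Au=RSA Enc=RC2(40)     Mac=MD5 export
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA Enc=AES(256)    Mac=SHA384
"""

# Protocol labels meaning the suite can be negotiated at SSL 3.0 / TLS 1.0,
# the versions the scanner finding applies to. Suites labelled TLSv1.2 can
# only be negotiated at TLS 1.2, which the report lists as not affected.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}


def parse_line(line):
    """Split one `openssl ciphers -v` row into name, protocol and Key=Value fields."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {"name": parts[0], "protocol": parts[1], **fields}


def cipher_mode(row):
    """Classify the bulk cipher as 'aead', 'null', 'stream' or 'cbc'.

    Assumption: apart from RC4 and NULL, a suite with a separate MAC
    (Mac != AEAD) uses its block cipher in CBC mode. GOST suites, which
    use a different mode, are not handled.
    """
    enc = re.match(r"[^(]+", row.get("Enc", "None")).group(0)
    if row.get("Mac") == "AEAD":
        return "aead"
    if enc == "None":
        return "null"
    if enc == "RC4":
        return "stream"
    return "cbc"


def audit(text):
    """Return one report entry per suite: name, mode, and whether the finding applies."""
    report = []
    for row in filter(None, map(parse_line, text.splitlines())):
        mode = cipher_mode(row)
        report.append({
            "name": row["name"],
            "mode": mode,
            "affected": mode == "cbc" and row["protocol"] in LEGACY_PROTOCOLS,
        })
    return report


def affected_suites(text):
    """Names of CBC suites that can be negotiated at SSL 3.0 / TLS 1.0."""
    return [e["name"] for e in audit(text) if e["affected"]]


def missed_by_name_match(text):
    """Affected suites that a filter on the substring 'CBC' would not catch."""
    return [n for n in affected_suites(text) if "CBC" not in n]


if __name__ == "__main__":
    for entry in audit(SAMPLE_OPENSSL_CIPHERS_V):
        flag = "AFFECTED" if entry["affected"] else "ok"
        print(f'{entry["name"]:<26}{entry["mode"]:<8}{flag}')
    print("missed by name match:", missed_by_name_match(SAMPLE_OPENSSL_CIPHERS_V))
```

At TLS 1.0 the only non-CBC suites are RC4-based, which RFC 7465 has since prohibited, so on current servers the remedy is TLS 1.2 or later with AEAD suites.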


Sunday 23 September 2012

Software secure development

Background

A study commissioned by Coverity Inc - "The Software Security Risk Report" - reveals the details of application security incidents experienced by North American and European web app development companies in the last 18 months.

http://news.softpedia.com/news/Report-51-of-Web-App-Developers-Experienced-Security-Incidents-in-Last-18-Months-293993.shtml

The figures from the report show that 51% of the respondents had at least one incident in the past one and a half years. 18% of these firms reported losses of over $500,000 (400,000 EUR), while 8% claim to have lost twice as much. In a few situations, the affected organizations lost over $10 million (8 million EUR).

It appears that secure development practices aren’t employed by too many web app creators. Only 42% follow secure coding guidelines and only around a quarter use threat modeling or a library of approved and banned functions.

Code auditing before integration testing is performed by less than half of the interviewed companies and only 17% of them verify their products during development.

Over 70% of them state that they don’t have funds and the right technology in order to address security issues and 41% blame time-to-market pressure for not being able to push security into development.

Secure Software Development

Secure software development is a process that helps with the design and implementation of secure software that protects data and resources accessed through the software.

Tools and techniques

  • Common weaknesses enumeration
  • Security architecture/design analysis
  • Logic analysis
  • Data analysis
  • Interface analysis
  • Constraint analysis
  • Secure code reviews, inspections, and walkthroughs
  • Informal reviews
  • Formal reviews
  • Inspections and walkthroughs
  • Security testing

These tools and techniques can be effective; however, to maximise their effectiveness the development of software should take place under a Secure Development Life-cycle, where security is designed in during requirements and followed through at every stage of software development.

Best Practices



  1. Protect the Brand Your Customers Trust
  2. Know Your Business and Support it with Secure Solutions
  3. Understand the Technology of the Software 
  4. Ensure Compliance to Governance, Regulations, and Privacy
  5. Know the Basic Tenets of Software Security 
  6. Ensure the Protection of Sensitive Information 
  7. Design Software with Secure Features 
  8. Develop Software with Secure Features 
  9. Deploy Software with Secure Features 
  10. Educate Yourself and Others on How to Build Secure Software





Friday 21 September 2012

one down

A short follow up to the blog about Jessica Harper http://geraintw.blogspot.co.uk/2012/08/insider-threat.html who was convicted of £2.4m fraud against Lloyds Bank who she worked for as head of anti-fraud.

She has now been sentenced to 5 years in jail for committing fraud and has so far repaid £709,000. Harper had told investigating officers she deserved the money because she was rising at 5.30am and returning home at 8pm. In mitigation, Carol Hawley, defending Harper, said her client had a long history of charity fundraising.

It is one corrupt banker down, but how many other insiders are there siphoning off data and funds from their employers? Combating the insider threat can be done by the use of controls.

Technical controls focus on data and computer activities, while nontechnical controls focus on human motivations and behaviour. Nontechnical controls are critical because many insider attacks do not depend on technology.

  • Job rotation,
  • segregation of duties, 
  • mandatory vacations, 
  • regular audits/reviews, 
  • periodic employee background checks

Technical solutions

  • Data loss protection (DLP) systems
  • Fraud detection tools 
  • Security information and event management (SIEM) solutions


Thursday 20 September 2012

Hacking and Intent (UK)

A follow-up to my blog "what makes ethical hacker legal", looking in a bit more detail at the legal requirements of being a white hat or ethical hacker. In the first article I said "a written and signed agreement between the tester and the legal owner of the system" is a requirement to ensure an ethical hacker stays legal.

In the UK the legal debate over whether you are an ethical or white hat hacker is based upon intent. When conducting a penetration test the intent of the tester is easily demonstrated, as they would have a contract and a written agreement to conduct the test. It is obvious that the tester was aiming to conduct the test ethically by remaining within the law and getting permission to access the systems; hence the test is not unauthorised access and not illegal. However, it is worth pointing out that it may not be just the organisation whose systems you are testing that needs to give permission for the testing to occur. If the system is hosted by a 3rd party you will need authorisation from them as well. It may be covered by the hosting agreement between the 3rd party and the organisation about to be tested, but it is worth your while requesting proof of authorisation. In particular, Amazon have a requirement that they need to issue permission for tests to be carried out on systems hosted on their AWS.

For an ethical or white hat hacker in the UK, a big problem is the ownership of tools for conducting a penetration test. The Computer Misuse Act (CMA) of 1990, as modified by the Police and Justice Act of 2006, introduced a new offence, section 3A: Making, supplying or obtaining articles for use in computer misuse offences.

The offence is to do with articles that could be used for either the section 1 (unauthorised access) or the section 3 offence (carrying out unauthorised acts) just outlined. Here, articles is stated to include "any program or data held in electronic form".

Someone is guilty of the offence if
  • he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3; and/or
  • he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3; and/or
  • he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
Guidance from the Crown Prosecution Service (CPS) about considering a prosecution under section 3A CMA says -

Whilst the facts of each case will be different, the elements to prove the offence will be the same. Prosecutors dealing with dual use articles should consider the following factors in deciding whether to prosecute:
  • Does the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use policies?
  • Are students, customers and others made aware of the CMA and what is lawful and unlawful?
  • Do students, customers or others have to sign a declaration that they do not intend to contravene the CMA?
Section 3A (2) CMA covers the supplying or offering to supply an article likely to be used to commit, or assist in the commission of an offence contrary to section 1 or 3 CMA. Likely is not defined in CMA but, in construing what is likely, prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it; whether for example the article was circulated to a closed and vetted list of IT security professionals or was posted openly.

In determining the likelihood of an article being used (or misused) to commit a criminal offence, prosecutors should consider the following:
  • Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)? 
  • Is the article available on a wide scale commercial basis and sold through legitimate channels? 
  • Is the article widely used for legitimate purposes? 
  • Does it have a substantial installation base? 
  • What was the context in which the article was used to commit the offence compared with its original intended purpose?
Tools such as those from Rapid7 and other recognised security audit tools easily fall within the guidance offered by the CPS. However, the use of less popular tools, or the use of tools distributed by the underground hacker scene, may fall foul of the dual use guidance, even if the only intent is to test a system using the same tools as a black hat would.

In the UK the word intent is important in many legal cases, as proving intent is proving a guilty mind. In a criminal case in the UK the measure of whether you are guilty or not is based upon the prosecution proving the case "beyond all reasonable doubt". If the members of the jury feel there is doubt as to whether the defendant acted illegally then the case is not proven and the defendant should be found not guilty.

For an illegal act to take place there must be two things
  • Actus reus (guilty act)
  • Mens rea (guilty mind)
A guilty act can be quite easy to prove: the defendant either accessed the system or did not. A more everyday example would be the defendant smashing a window in a house that does not belong to them, a case of vandalism or not. Proving the defendant guilty would involve showing the defendant meant to break the window. A game of street football and an accidental misplaced shot hitting a neighbour's window is an example of there not being a guilty mind: there was no intent, it was an accident. However, if there had been a history of confrontation between the two parties then it could be proved there was intent to break the window.

If you are in the UK and get into legal trouble, as we have an adversarial judicial system it will come down to how well your defence lawyer argues your case against the prosecution lawyer. In a sense it is a debate between the defence and the prosecution, with the jury or magistrates making the decision on who has made the better case. The problem is that the outcome sometimes relies on who is the better debater rather than the merits of the case.

Real-World Developers Still Not Coding Securely - Dark Reading

An article about the lack of implementation of Secure Development Lifecycle by real world developers on the Dark Reading website

One of the problems highlighted is that programmers are not trained in secure programming, and much of the lack of training comes down to a lack of time, as a developer is only productive if they produce code for an application and there is a demand to get applications out quickly.

Learning secure coding principles and implementing them takes time that the business is just not giving its developers, however Universities and Colleges should be helping business by teaching at least the basics of secure programming to undergraduates.

However it is not just secure programming that is important but the testing of the finished application before release has to be complete and cover testing for vulnerabilities.

The article does finish with a quote from Rob Rachwald, director of security strategy, Imperva, "SDLCs are nice but vulnerabilities are inevitable and enterprises shouldn't let secure coding practices lull them into a false sense of security."

Wednesday 19 September 2012

Information Security Elements

Information security in an organisation consists of a number of elements if it is to be effective and an enabler of the organisation's aims.

  • Information security must be part of the company culture supported by senior management
  • Security needs to be built into all activities the company undertakes
  • Information security needs to be documented
  • It should provide defence in depth
  • Maintain the confidentiality, integrity and availability of information
  • It is seen as a continuous process, with continual review of objectives against the organisation's aims


Smartphones: Information security risks, opportunities and recommendatio...

Monday 17 September 2012

Tools (17th Sept)

A weekly update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting, although other tools are sometimes included. As a bit of background into how I find these tools, I keep a close watch on Twitter and other websites to find updates or new releases; I also search for pen testing and security projects on SourceForge. Some of the best sites I have found for details of new tools and releases are http://www.toolswatch.org/ and http://tools.hackerjournals.com/

Nikto 2.1.5
http://cirt.net/node/89
Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers.

Prenus
https://github.com/AsteriskLabs/prenus
This is a quickly hacked together Ruby script that can consume version 2 nessus files (with the help of an updated ruby-nessus gem) and allows the output of a few different formats, including:
  • Static HTML files with jQuery Datatables and Highcharts graphs
  • XLS file (Actually a HTML Table with an .xls extension) with unique Nessus vulns and associated IPs
  • Afterglow (afterglow.sourceforge.net/), 2 column CSV files
  • Circos (circos.ca) tableviewer text file
  • Hosts information, formatted in a 3 column CSV output

Mutillidae
http://sourceforge.net/projects/mutillidae/
NOWASP (Mutillidae) is a free, open source web application provided to allow security enthusiasts to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to administrate a webserver. It is already installed on Samurai WTF and Rapid7 Metasploitable-2.

teenage-mutant-ninja-turtles
This project is a fork of the fuzzdb project and is about obfuscating fuzzdb Web Application payloads.
The Teenage Mutant Ninja Turtles project is four things:
  1. A Web Application payload database (heavily based on fuzzdb project for now)
  2. A Web Application error database (e.g. contain error messages that might return while fuzzing).
  3. A Web Application payload mutator.
  4. A Web Application payload manager (e.g. does database clean up).

Sunday 16 September 2012

Info Sec & 3rd parties

Within an organisation it is the senior management that take responsibility for the actions of the company, this is no more so than with information security and 3rd parties. Although risk can be transferred to a 3rd party the responsibility stays with the senior management to ensure the 3rd party safeguards the information.

An example of what can go wrong is the ICO fining of Scottish Borders Council over a breach of the Data Protection Act. http://www.theregister.co.uk/2012/09/14/recycle_bin_data_breach/

In the article it says "This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," Ken Macdonald, the ICO's assistant commissioner for Scotland, said in a statement. "When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place."

The damning part of the above was the lack of a contract in place to control the digitising and then destruction of records. The report goes on to say "Scottish Borders Council failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures," the watchdog said in its civil monetary penalty notice. "Such security measures might have provided for the secure disposal of the files after scanning and stipulated that the data processor would either return the documents to the data controller in person, or securely destroy them, providing the data controller with a certificate of destruction."

This shows the legal risk when outsourcing work to a 3rd party. There is a great blog entry about 3rd parties and contracts: http://blog.itsecurityexpert.co.uk/2011/03/playcom-breach-dont-trust-your-third.html

In the blog it says "Sharing personal or other sensitive information with third parties carries a risk to which the business is responsible, and as such needs to be adequately controlled. Before sharing such information with any third parties, the business is supposed to fully assess their third parties service providers, to ensure they are capable of protecting the information to the same level as their own business as well as to legal requirements."

It also discusses the role of the contract: "To ensure third parties continue to observe the level of information security desired, the business must hold them to account in a business contract, with stiff penalties for breaching the contract. This should include the right to onsite audit the third party; these measures provide incentive to the third party to keep information security ship-shape. Don’t forget to pass on any breach costs within the contract as well, as personal data breach legal fines in the UK can reach up to £500K, while industry regulatory fines can even be higher, without contractual coverage you can’t pass on those fines to a third party. While talking about contracts, it is good to add a clause which compels the third party to report any security incidents involving the business data, furthermore add the right to conduct an onsite forensics investigation at the third party site should a data breach occur."

He finishes with this good bit of advice: "If you can’t get a third party to sign up to such clauses in a contract, it is a clear indication the third party’s information security isn’t up to scratch, as the third party business mustn’t have any confidence in their own information security."

The role of the information security officer would be to do a risk assessment of using a 3rd party and to ensure that information security has been covered adequately in the contracts, to reduce the risk to the organisation to an acceptable level. By including information security and doing a risk assessment the organisation is showing due care and diligence.

Friday 14 September 2012

Piracy and Parents

In France, 40-year-old Alain Prevost was fined 150 euros (£121) for pirating two Rihanna tracks even though his wife admitted she downloaded the songs. The fine was levied on the 40-year-old because he paid for the web link over which the songs were downloaded.

The implication for French parents is that the person who pays for the account is liable for all those who use the account; this would mean parents being responsible for what their children download, which could result in a lot larger fines. In France those being prosecuted could face a fine of up to 1,500 euros (£1,200) and having their web connection cut off for a month.

If you are reliant on your Internet connection for your work, whether self-employed or working from home, losing your web connectivity for a month due to your children downloading the latest hit movie could be very disruptive.

In the UK, The Digital Economy Act 2010 does not currently threaten disconnection, however this has been discussed many times within the political parties of the UK.

InfoSec & CMM

Information security within an organisation should be part of the culture of the organisation, however in many organisations their information security is not a mature business function. There are various models that can help an organisation develop and mature their business processes.

A maturity model consists of a set of structured levels that describe the stages of maturity of the behaviours, practices and processes by which an organisation can repeatedly, reliably and sustainably produce the required outcomes.

A maturity model does not provide behaviours, practices and processes that directly relate to the function being analysed, but provides a mechanism for improving those behaviours, practices and processes that already exist in the organisation.

A maturity model provides 5 levels of maturity ranging from ad-hoc to optimised, although in some cases a 6th lower level is used to describe the situation where no behaviours, practices and processes are in place. This 6th non-existent process level is probably apt for the information security field in the case of some organisations.

For information security there are two maturity models that can be applied.
  • ISO/IEC 21827 is a Capability Maturity Model for system security engineering
  • Information Security Management Maturity Model that is focused on management
ISO/IEC 21827 describes the characteristics essential to the success of an organisation's security engineering process, and is applicable to all security engineering organisations including government, commercial, and academic. ISO/IEC 21827 does not prescribe a particular process or sequence, but captures practices generally observed in industry.

Information Security Management Maturity Model (ISM3) is another form of Information Security Management System (ISMS). The ISM3 builds on existing standards such as ISO 20000, ISO 9001, CMM, ISO/IEC 27001, and other general information governance and security concepts. Rather than being control based such as ISO/IEC 27001 and CoBiT, ISM3 is process based and includes process metrics.

The standard levels of a maturity model are
  1. Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new or undocumented repeat process.
  2. Repeatable - the process is at least documented sufficiently such that repeating the same steps may be attempted.
  3. Defined - the process is defined/confirmed as a standard business process.
  4. Managed - the process is quantitatively managed in accordance with agreed-upon metrics.
  5. Optimising - process management includes deliberate process optimisation/improvement.
The way I see these levels apply is

Level 0 - Non-existent


No thought about information security is given by anyone in the organisation, a state that often exists until the first breach.

Level 1 - Ad-hoc


Information security incidents are handled by individuals using their own knowledge, none of the actions are documented and each incident is often treated differently. The organisation is highly vulnerable to an individual leaving and taking their knowledge with them.

Level 2 - Repeatable


Some form of documentation is available to those responding to incidents, handling has become consistent, and the documentation can be used by an individual with the relevant skill set. The organisation is no longer dependent on individuals. New incidents/events will require new documentation to be produced. No overall policy on information security has been issued, and no organisation wide ISMS has been implemented.

Level 3 - Defined


An organisation wide ISMS is in place, with full documentation (policies, procedures, standards and guidelines).

Level 4 - Managed


The ISMS is audited and an ISMS lifecycle is in place to act upon the feedback from the auditing.

Level 5 - Optimised


A wide class ISMS has been implemented within the organisation, with accreditation against international standards. A full review lifecycle is in place, ensuring the ISMS fully supports the organisation's mission and that changes within the organisation's aims or technology are acted on and implemented within the ISMS.

Thursday 13 September 2012

Manufacturing backdoors

Back in May I discussed the probability of hardware backdoors http://geraintw.blogspot.co.uk/2012/05/hardware-backdoors.html, where there were claims that organisations were building backdoors into products they were manufacturing for 3rd parties. Since then there has been a continuous discussion over Huawei and its products, and actions by the USA and Australia about blocking Huawei.

However, today there was an article on the BBC http://www.bbc.co.uk/news/technology-19585433 about malware being inserted onto PCs during manufacture. My first reaction was not surprise but to ask why this has not been found before.

In 2008 there were reports http://www.pcadvisor.co.uk/news/photo-video/11985/best-buy-pulls-infected-digital-photo-frames/ of Digital Picture Frames infected with malware that infected computers that the picture frames were connected to.

Back in 2007 there were reports of brand new hard drives http://www.zdnet.com/seagate-ships-virus-infected-hard-drives-3039290782/ infected with viruses being shipped.

Criminal gangs have been involved in cyber crime for many years, so why has it taken until now for the problem of malware introduction during manufacturing to come to light? It would be interesting to see what quality controls were in place to test the integrity of the hard drive images in the affected factories. The question that will be asked is whether this was state sponsored or a criminal gang was responsible.

It is not just hardware that is at risk; operating systems are at risk too. As an example, the Linux Kernel servers were attacked in 2011 http://www.theregister.co.uk/2011/10/04/linux_repository_res/ and in 2003 an attempt to put a backdoor in the kernel was thwarted http://www.theregister.co.uk/2003/11/07/linux_kernel_backdoor_blocked/

Over the years a number of cracked versions of Microsoft Windows (black versions) have circulated. Other than being free, a common feature was all the inbuilt compromises in the operating system; those who downloaded it got more than they wanted for a piece of free software.

There will always be a need for new hardware and software to be tested for vulnerabilities in any environment where the user requires security, however many organisations don't have the resources to do the testing.

Training Review

One of the delegates on the CISSP preparation course I ran in August gave a good review of the course I delivered.

Next courses are the 3rd-7th Dec and the 4th-8th March, bookable through IT Governance Ltd. CISSP Accelerated Training Programme

Wednesday 12 September 2012

Change state of security

Tonight on the BBC's Watchdog programme http://www.bbc.co.uk/news/uk-19562487 they discuss a new high tech technique to steal BMW cars. In the report it quotes BMW as saying "Certain criminal threats, like the one you have highlighted, simply do not exist when cars are designed and developed." This demonstrates some of the problems faced in security: the landscape is constantly changing, with the criminal able to take new products and reverse engineer criminal solutions. It also highlights that, when tackling design, security should be designed in and a threat analysis conducted. The ability to program replacement keys is a security weakness, and measures need to be included in the project definition and the product specification to try and address this.

I am not saying BMW failed to consider security but it does show how difficult it can be to design a secure product.

The IT insider

Continuing the theme of some of my recent posts on the insider threat, I came across this article on how IT staff access unauthorised material http://bit.ly/PhmqFf on the Help Net website.

A survey of more than 450 IT professionals by Lieberman Software found that 39% of IT staff can get unauthorised access to their organisation’s most sensitive information and one in five has already accessed data they shouldn't. 68% of respondents believe that, as an IT professional, they have more access to sensitive information than colleagues in other departments such as HR, finance and the executive team.

The survey seems to show that IT staff are aware of the additional privileges they have, but a proportion are abusing those privileges. There is also a problem in that a large percentage of organisations are not preventing access, and management may not be aware of the problem or know how to prevent it.

There are a number of controls that can be used. "Need to know" can be enforced with user access controls and authorisation procedures; its objective is to ensure that only authorised individuals gain access to the information or systems necessary to undertake their duties. Most IT duties don't require access to another user's work files. An important part of preventing abuse is having the means to detect abuse: logging access to sensitive information and auditing that access can help control the problem by providing a detective control.
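As an added illustration (not from the survey or any product), the Python sketch below audits an access log against need-to-know rules, which is the detective control described above. The roles, users, classifications, approval window and log lines are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed need-to-know table: classifications each role needs for its duties.
NEED_TO_KNOW = {
    "hr": {"hr-records"},
    "finance": {"payroll"},
    "it-admin": {"system-config"},  # admins manage systems, not users' work files
}

# Constructed user directory.
USER_ROLES = {"alice": "hr", "bob": "finance", "carol": "it-admin", "dave": "it-admin"}

# Time-limited approvals produced by an authorisation procedure:
# (user, classification) -> (valid from, valid until)
APPROVALS = {
    ("carol", "payroll"): (datetime(2012, 9, 12, 9, 0), datetime(2012, 9, 12, 12, 0)),
}

# Constructed access log: time,user,action,path,classification
SAMPLE_LOG = """\
2012-09-12T09:01:12,alice,read,/hr/reviews/2012.xls,hr-records
2012-09-12T09:15:40,carol,read,/finance/payroll/sept.csv,payroll
2012-09-12T10:02:03,dave,read,/hr/reviews/2012.xls,hr-records
2012-09-12T10:02:55,dave,read,/finance/payroll/sept.csv,payroll
2012-09-12T11:30:00,dave,write,/etc/backup.conf,system-config
2012-09-12T14:20:10,carol,read,/finance/payroll/sept.csv,payroll
2012-09-12T15:00:00,mallory,read,/hr/reviews/2012.xls,hr-records
"""

FIELDS = ["time", "user", "action", "path", "classification"]


def parse_log(text):
    """Turn CSV log text into a list of event dicts with parsed timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return events


def is_authorised(event):
    """Return (allowed, reason) for one access event; unknown accounts fail closed."""
    role = USER_ROLES.get(event["user"])
    if role is None:
        return False, "unknown account"
    if event["classification"] in NEED_TO_KNOW.get(role, set()):
        return True, "role need-to-know"
    window = APPROVALS.get((event["user"], event["classification"]))
    if window and window[0] <= event["time"] <= window[1]:
        return True, "approved exception"
    if window:
        return False, "outside approval window"
    return False, "no need to know"


def audit(events):
    """List every access that neither the role nor an approval justifies."""
    findings = []
    for event in events:
        allowed, reason = is_authorised(event)
        if not allowed:
            findings.append((event["time"].isoformat(), event["user"], event["path"], reason))
    return findings


def repeat_offenders(findings, threshold=2):
    """Users with at least `threshold` findings, for escalation to management."""
    counts = Counter(user for _, user, _, _ in findings)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(*finding, sep="  ")
```

The audit only works if the log itself is outside the administrators' control, otherwise the people being audited can edit the evidence.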

I have come across some organisations who are using additional Acceptable Use Policies (AUP) for IT and Administrators, which outline in more detail the organisation's expectation that those with enhanced privilege access should be more responsible in the way they use their privileges. Additionally, an ethics programme may help administrators and IT staff understand what responsibility is and what the organisation expects of the IT staff's professionalism.

Previous posts on the insider threat.


Tuesday 11 September 2012

Models & information security

Information security uses a number of different types of models to describe information flow and the controls that are required to prevent problems with the confidentiality, integrity and availability of information.

Information Assurance Models


CIA Triad

This is the classic model of information assurance, showing the confidentiality, integrity and availability.

 

Subjects & Objects


Most information security models discuss the flow of information or the access rights between subjects and objects. These have been defined in the Orange Book as follows.

Subject: An active entity, generally in the form of a person, process, or device that causes information to flow among objects or changes in the system state.

Object: A passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, network nodes, etc

In addition to the above they also discuss labelling.

Labelling: the assignment of sensitivity labels to every subject and object, part of an information classification process.

Access control models


These models look at the control of access between subjects and objects

Mandatory Access Control (MAC) http://en.wikipedia.org/wiki/Mandatory_Access_Control

Uses labelling of subjects and objects where the classification labelling is set by an organisation authority, access is based on matching the level of classification of the label on the subject and object. Classification is not controlled by the central IT department.

Discretionary Access Control (DAC) http://en.wikipedia.org/wiki/Discretionary_access_control

This is the opposite to MAC, commonly described as subject owners being able to set access by other subjects to the objects (resources) they own. However, this is not the Orange Book definition of the term.

Role-Based Access Control (RBAC) http://en.wikipedia.org/wiki/Role-based_access_control

This is a more efficient way of setting access controls. Subjects are grouped together into roles, and the role is then given access rights to objects dependent on the role's requirements for the objects. If a subject changes roles, they move to another group and have a different set of access rules applied.

Rule-Based Access Control (RBAC)

An enhancement to role based access control, this uses a set of rules to govern the access between subject and object. It can include the use of location based access, where the type of access is based upon where the access originates; this can be used to limit access for non-secure remote access.

Graham-Denning model http://en.wikipedia.org/wiki/Graham-Denning_Model 

A matrix based access control model where the access rights for a particular subject and object are defined at the intersection of the relevant column and row. Often used in distributed systems, it is concerned with the secure creation and deletion of subjects and objects.

Harrison, Ruzzo, Ullman model http://en.wikipedia.org/wiki/HRU_(security)

Extends the Graham-Denning model and deals with the integrity of access rights.

Confidentiality Models


Bell–LaPadula model  http://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model

The Bell-LaPadula (BLP) model is concerned with confidentiality, in particular with classified information, and works with the classification labelling of objects and subjects.

Integrity Models


Biba model http://en.wikipedia.org/wiki/Biba_Integrity_Model

This model looks similar to the BLP model, however it is focussed on integrity and not confidentiality. Its aim is to prevent information being changed by the introduction of less accurate information.
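The similarity between the two models is easiest to see side by side. The following Python sketch is an added example, not from the original post, and goes beyond the summaries above by spelling out the standard read and write rules of each model: Bell-LaPadula's "no read up, no write down" and Biba's mirror image "no read down, no write up". The label names, subject and objects are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Confidentiality labels used by Bell-LaPadula (constructed set)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    """Integrity labels used by Biba; higher means more trustworthy."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Entity:
    """A labelled subject or object."""
    name: str
    confidentiality: Level
    integrity: Integrity


def blp_violation(subject, obj, op):
    """Bell-LaPadula: return the rule broken, or None if the access is allowed."""
    if op == "read" and subject.confidentiality < obj.confidentiality:
        return "BLP: no read up"          # simple security property
    if op == "write" and subject.confidentiality > obj.confidentiality:
        return "BLP: no write down"       # *-property
    return None


def biba_violation(subject, obj, op):
    """Biba: the same comparisons with the direction reversed."""
    if op == "read" and subject.integrity > obj.integrity:
        return "Biba: no read down"       # simple integrity property
    if op == "write" and subject.integrity < obj.integrity:
        return "Biba: no write up"        # *-integrity property
    return None


def decide(subject, obj, op):
    """Reference monitor enforcing both models; returns (allowed, reasons)."""
    if op not in ("read", "write"):
        raise ValueError(f"unsupported operation: {op}")
    reasons = [r for r in (blp_violation(subject, obj, op),
                           biba_violation(subject, obj, op)) if r]
    return (not reasons, reasons)


# Constructed subject and objects.
ANALYST = Entity("analyst", Level.SECRET, Integrity.MEDIUM)
REPORT = Entity("board-report", Level.TOP_SECRET, Integrity.HIGH)
BULLETIN = Entity("public-bulletin", Level.UNCLASSIFIED, Integrity.LOW)
CASEFILE = Entity("case-file", Level.SECRET, Integrity.MEDIUM)


def access_matrix(subject, objects):
    """Decision for every (object, operation) pair, keyed by name."""
    return {(o.name, op): decide(subject, o, op)
            for o in objects for op in ("read", "write")}


if __name__ == "__main__":
    for key, (allowed, reasons) in access_matrix(ANALYST, [REPORT, BULLETIN, CASEFILE]).items():
        print(key, "ALLOW" if allowed else "DENY", reasons)
```

Enforcing both models strictly leaves the subject able to read and write only objects carrying its own labels, which is why real systems add trusted subjects or separate label sets.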

Clark–Wilson model http://en.wikipedia.org/wiki/Clark%E2%80%93Wilson_model 

Is concerned with the protection of the integrity of data and uses a set of rules to govern how data can be accessed, to ensure the information is kept valid as it changes state.

Information flow models


Brewer and Nash Model http://en.wikipedia.org/wiki/Brewer_and_Nash_model

To prevent conflict of interest (COI), no information that could create a COI flows between subjects and objects. Also known as the Chinese Wall.

Monday 10 September 2012

Tools (10th Sept)

A weekly update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting, although other tools are sometimes included. As a bit of background into how I find these tools, I keep a close watch on Twitter and other websites to find updates or new releases; I also search the projects on SourceForge. Some of the best sites I have found for details of new tools and releases are http://www.toolswatch.org/ and http://tools.hackerjournals.com/, and I will be adding to this list with time.

Update NOWASP (Mutillidae) v-2.3.5 : Web Pen-Test Practice Application
http://sourceforge.net/projects/mutillidae/files/
NOWASP (Mutillidae) is a free, open source web application provided to allow security enthusiasts to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to administrate a webserver. It is already installed on Samurai WTF and Rapid7 Metasploitable-2.

Netsparker Community Edition is a SQL Injection Scanner
http://www.mavitunasecurity.com/communityedition/
This is the community edition of Mavituna security, it can detect SQL Injection and XSS issues

Wireless Scanner (Beta)
http://sourceforge.net/projects/wirelessscanner/files/
It scans/connects/gives info about wireless networks. It is also a tool I will be looking at and comparing to some of the other wireless scanners I use in wireless research.

Sunday 9 September 2012

CIA & InfoSec

Information security refers to the security triad of Confidentiality, Integrity and Availability which is a widely used Information Assurance model.



  • Confidentiality - restricting access to assets to those who need it.
  • Integrity - preventing unauthorised modification of data
  • Availability - the assets can be accessed by those who are authorised when they require it.

The CIA Triad is a simple model of information assurance and there have been a number of extensions to the model, however the three most common augmentations are Authenticity, Accountability and Non-repudiation.


  • Authenticity - verification of the identity
  • Accountability - assurance of a transaction by providing auditability
  • Non-repudiation - assurance of the transaction by validity of the transaction
Information security is the provision of controls to ensure the protection of the information assets of an organisation in such a way that the function of the organisation is not impeded. It must meet the requirements of the organisation. It should protect against both accidental and malicious threats, whether these are natural or man-made in origin.

Saturday 8 September 2012

InfoSec & Senior Management

Within an organisation the buck stops with the Senior Management of the organisation; they have a duty of care to all the stakeholders to ensure the organisation is run correctly through the process of governance, which relates to consistent management, cohesive policies, guidance, processes and decision-rights for a given area of responsibility.

Senior management can delegate the implementation of meeting regulatory and statutory requirements but they always retain the responsibility for compliance with those requirements.

Governance is about the prudent man rule (showing due care and due diligence) http://geraintw.blogspot.co.uk/2012/05/prudent-man-rule.html

In terms of Information Security, the senior management set the agenda for information security and the priorities for implementation, and provide resources to Information Security in order that the Information Security Officer (ISO) and their team can implement an information security management system.

The decision the senior management make is based on the information they have about threat agents, vulnerabilities, likelihood and potential impact, along with possible countermeasures, the reduction in risk and the cost. This information will come from information security, however there can be a case of conflict of interest. Often with larger organisations an enterprise wide committee with responsibility for security will provide the information; this committee will be made up of individuals from different businesses and organisation units and could include external experts.

The senior management will expect assurances that the policies have been carried out to their instructions and expectations; this will come from reports and audits.

Reporting: information security will provide reports back to senior management and other parts of the industry. A common form of reporting for those who do not understand the technical details will be the use of dashboards, including the use of traffic light reporting to provide a quick visual summary of the state of security within the organisation.

Auditing provides assurances to the senior management that the information security management system is being implemented and run in a manner they find acceptable. However, successful auditing requires suitable metrics and accountability.

Along with setting the corporate policy, senior management will also set the acceptable level of risk taking for the organisation: the organisation's risk appetite. KPMG have a good document on this subject http://www.kpmg.com/CN/en/IssuesAndInsights/ArticlesPublications/Documents/Risk-appetite-O-200806.pdf

In summary, the senior management own the information security risk and they set what they consider to be an acceptable risk appetite for the organisation. They will empower the information security team to implement the policies, decisions and priorities as set by the senior management. However, senior management will expect assurances via reporting and auditing about the success of the information security policy. They would expect the information security management system to deliver a positive return on investment of the resources they allocated.

Data centres

Certifications such as the CISSP discuss the protection of data centres; within the Physical (Environmental) Security domain, aspects of protecting facilities are discussed, including concepts such as Crime Prevention Through Environmental Design (CPTED). This week I noticed the announcement by Google about building a data centre in Chile, and whilst reading about that I came across Google's pages on data centres. These, with other pages, may help in gaining an understanding of Physical (Environmental) Security.

Obviously Google does not talk about its security at data centres too much http://www.google.com/about/datacenters/# , which is a shame as it would be a good case study if it covered not just security in controlling people physically visiting the data centre or working within it, but also the network controls and the protection of the support services required for running a data centre, including utilities. Security covers the triad of confidentiality (restricting data to those who need it), integrity (ensuring the data is modified only by those who are authorised) and availability (making sure it is available to those who need it when they need it).

Google has some limited information on security at its data centres available from http://www.google.com/about/datacenters/inside/data-security.html# which covers physical security, protecting the data and reliability. It also covers the lifecycle, with destruction of hard drives at the end of life.

There are also articles on the web such as the Wired article on the NSA data centre being built in Bluffdale http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/ which, whilst discussing the NSA and what it does, looks at some aspects of security.

A basic introduction to Crime Prevention Through Environmental Design (CPTED) can be found on Wikipedia http://en.wikipedia.org/wiki/Crime_prevention_through_environmental_design

The Centre for the Protection of National Infrastructure (CPNI) in the UK has produced the following document on protecting data centres http://www.cpni.gov.uk/documents/publications/2010/2010006-vp_data_centre.pdf?epslanguage=en-gb

CSO Online has an article on 19 ways of building in physical security http://www.csoonline.com/article/220665/19-ways-to-build-physical-security-into-a-data-center

Thursday 6 September 2012

Information Security & the organisation

The ultimate responsibility for governance of an organisation lies with the senior management. It will need to show that it is taking due care and due diligence with the security of its assets and with compliance in meeting regulatory and statutory requirements. In order for the senior management to select the best policies and make the necessary decisions over the best methods of protecting its assets, the board will need advice on possible controls and the impact and residual risk.

The function of the information security professional within the organisation is to provide information security to protect the assets of the organisation. Those assets may be intangible, such as electronic information, or tangible, such as the paper records and the facilities of the organisation.

The role of the information security professional is to provide senior management with information on the threats, vulnerabilities, countermeasures, risk and impacts so they can make the decisions about the information security policies. It is also to implement the decisions of the senior management on information security and to work with other departments in the organisation to ensure that security policies are implemented within the organisation.

An effective information security program will support the organisational aims and goals. These are defined by the senior management board for the whole of the organisation and are based on how they see the organisation's strategic development. Security must be an enabler of the goals and aims rather than an impediment to them. In order for this to happen, those in information security must understand the business and activities within the organisation so they support those activities and do not hinder them.

In addition to being an enabler of the organisation's aims and goals, it has to be responsive to changes within the organisation and the environment it operates within; it has to respond to changes in the threat environment and changes to the organisation's strategic aims and goals.

It will also need to make employees aware of information security and to educate them in the policies, procedures, standards and guidelines. Education ensures that the employees are not just trained but understand why information security is being implemented and the consequences to the individual and the organisation if there are breaches of the information security policies.

The position of information security in the organisation

For a long time information security has been considered a part of IT, a function to protect the IT infrastructure. However, information security is more than this; it is about protecting the information assets of an organisation. The effectiveness of the information security program will be improved if IT and IS are segregated, avoiding a conflict of interest between those who are running and developing the IT infrastructure and those who are responsible for securing the assets of the organisation. However, it must be resourced appropriately by the senior management board.

Within some organisations this has gone further, with the functions of security and information security being combined to ensure a layered defence in which physical and environmental security are incorporated with traditional information security to protect all the organisation's assets.

Cookies

News on the cookie law, after it all went quiet once the deadline for implementing the cookie directive had passed: it was implemented this May, a year after it was passed into law by the government in May 2011.

The BBC are reporting http://www.bbc.co.uk/news/technology-19505835 that a company is taunting the ICO over the directive.

What has been happening in the UK since May? It appears that in May the Information Commissioner’s Office wrote to 50 top UK websites to find out what actions had been taken towards compliance with the new EU e-Privacy Directive. In June the Information Commissioner’s Office (ICO) confirmed that some of the 75 companies that it sent a warning letter to regarding the new cookies legislation had not replied within the imposed 28-day response period.

In August it was being reported that no action had been taken against any specific site, although 320 sites had been reported to the ICO.

How is the rest of Europe doing? In May the situation was that eight member states (Belgium, Cyprus, Germany, Italy, Malta, Poland, Romania and Slovenia) had yet to even transpose the directive into their national laws, let alone start enforcing it. However, in the other 19 countries there’s a pretty big variation in how national laws interpret the directive. It should also be pointed out that the UK is something of a special case here, in that its data protection authority gave businesses an extra 12 months to comply, which ended in May. The rest had already been enforcing their updated laws for the 12 months prior to May.


Information Security: concepts

In considering how information security can be effectively deployed within an organisation, the attitude of both the organisation and information security needs to be correct. There are some basic concepts about effective deployment that need to be considered by those involved with information security.
  1. Effective information security needs to be part of the culture of the organisation, sponsored and supported by the senior management team, who need to lead and show by example support for the information security policies and the information security management system (ISMS).
  2. Effective information security needs to be an enabler of the organisation's goals and also enable the employees to go about their tasks with little or no hindrance.
  3. Effective information security will be an evolving process; it will need to take into account changes in the environment. It needs to be constantly aligned with the organisation's aims and goals, it should adapt to changes in the organisation, and it needs to reflect changes in the value of the information it is protecting and take into account changes in technology.
  4. Effective information security will be cost effective and provide a return on investment; it can be a cost saver by reducing the impact of incidents and disasters, and by reducing the likelihood of the organisation failing to meet legal, regulatory and compliance requirements.
Information security is a lifecycle; it is often described using the Deming cycle.
  • Plan
  • Do
  • Check
  • Act
An effective ISMS will be regularly reviewed to ensure that it remains effective and gives benefit to the organisation. As part of this review process its alignment with the organisation's goals and aims will be checked and, if necessary, changes made. The organisational aims and goals will be set by the senior management team of the organisation, and these outline how the organisation will conduct its business, where it wants to be and how it will get there.

For an ISMS to be effective and enable the organisation to achieve its goals and aims, the operation of the organisation must be fully understood by those in information security. Professionalism requires that, in order for us to put in place an effective ISMS, we should understand what we are trying to achieve, which is not only the protection of the organisation's assets but also enabling the organisation to be successful and achieve its goals and aims.