Friday 31 August 2012

UK PLC needs more variety in MPs' professions

A bit of follow-up to my blog about a group of Tory MPs calling British workers idlers (http://geraintw.blogspot.co.uk/2012/08/british-workers-are-idlers.html): I saw this article on the BBC website (http://www.bbc.co.uk/news/business-19427545) about the British Chambers of Commerce saying the UK economy needs an infrastructure stimulus.

Reading through it I came across a phrase that rang true with me and related to the earlier blog entry.

The Director General of the British Chambers of Commerce, John Longworth, called on politicians to do more to help the economy grow. He told the BBC: "There are only 150 MPs out of 650 that have ever been in business and only 30 have got any qualifications in science.

"We've now got a political class that's divorced from the reality of business and economics."

For a company and a country alike to be managed successfully, the management (in the case of UK PLC, the government) must understand all parts of the organisation. I have come across situations where engineers have started companies and the company has failed because the owner, being an engineer, does not understand marketing, finance etc.; in other cases finance people have got hold of a company and ruined it because they don't understand engineering or the business sector the company operates in.

In the case of UK PLC we need our government, and the MPs who form it, to understand all the business sectors that maintain and generate jobs and wealth. We need more MPs with differing business backgrounds, from engineering and science, to form government, as policies cannot be formed that benefit the UK without government understanding the people and businesses that make up the UK.

It is almost a case for not having an elected House of Lords but rather a House of Lords made up of successful businessmen, trade union leaders and religious leaders who don't have to worry about getting re-elected, and hence about passing laws and policies to increase their re-election chances rather than making laws and policies for the long-term future of the UK. The House of Lords should act as a check on the House of Commons to prevent it damaging the long-term health of the UK by making short-term popular decisions.

Wednesday 29 August 2012

Insider threat

A follow-up to my previous blog on the insider threat (http://geraintw.blogspot.co.uk/2012/08/insider-threat.html), which gave the example of Jessica Harper, 50, a former Lloyds Bank worker who, while working as head of fraud and security for digital banking, carried out a fraud worth more than £2.4m, for which she has been convicted and is awaiting sentencing.

Today I came across the story (http://www.theregister.co.uk/2012/08/29/toyota_disgruntled_contractor_hack/) of a former IT contractor for Toyota's US manufacturing arm who has been ordered not to leave the USA: after he was released from his contract, he logged back into Toyota's systems that same night and spent roughly six hours trashing the place. Toyota hasn't said what data it believes he may have stolen; it could include pricing, parts specifications, quality testing or design information.

The insider threat is often thought about in terms of malicious actions, as in the two cases listed above; however, accidental actions can also lead to data leakage. In the UK an often quoted case is the missing child benefit data from HM Revenue and Customs (http://www.computerweekly.com/blogs/public-sector/2008/06/hmrc-loss-of-child-benefit-cds.html).

A 2009 report commissioned by RSA shows that accidental security incidents caused by company insiders are more frequent, and could potentially have a greater impact on information security, than malicious insider attacks. There are many examples of both malicious and accidental data loss, leakage and alteration caused by insiders; many accidental losses are not reported unless there are unique circumstances surrounding the situation, as in the case of HMRC.

The white paper, Insider Risk Management: A Framework Approach to Internal Security, shows that the majority of senior management give higher priority to protection against malicious insider attacks than to investing to prevent the more frequent, and potentially more harmful, accidental insider security incidents.

Information security is about Confidentiality, Integrity and Availability, and all three sides of the CIA triad are involved in the insider problem. An information security professional needs to understand all the threat agents, vulnerabilities and exploits when conducting a risk assessment as part of implementing controls to reduce the insider threat, and must consider both the malicious and the accidental scenarios.

Tuesday 28 August 2012

CISSP Certification

As a CISSP who is involved in training others to gain the CISSP certification, I was interested in the article blogged by Dave Shackleford, "Your CISSP is Worthless - So Now What?" (http://www.infosecisland.com/blogview/22257-Your-CISSP-is-Worthless-So-Now-What.html).

The article made some points about the CISSP certification that I would agree with, and the comments following the article are worth reading as they show there is a broad range of views on the CISSP and on certification in general.

For a full discussion of the CISSP, the whole ecosystem of InfoSec certifications needs to be considered, from the foundation to the highest level. If any profession is to be considered professional it needs some level of certification above which holders are considered to have attained sufficient status to be called professional. There also needs to be a path in place to help those wishing to work in the profession gain the necessary knowledge and experience. Additionally, there is a need for a body to ensure that certifications are of a sufficiently stringent standard.

An example of a well regulated body is the medical profession, where the level required to practise is in most countries backed by legal regulation. Even in this profession there can be problems in moving from one regulatory authority's area to another. It is very unlikely that the InfoSec field, like other "engineering" areas, would reach this status; however, other fields such as accountancy can be a model for the profession, with the introduction of chartered status and a body to award it.

For many in InfoSec there are areas of the CISSP that appear to be unnecessary; however, I have found that some areas I thought should not be in the CISSP have been useful to me. I have had to work with Estates and Facilities departments on providing a secure environment, and knowledge from the physical (environmental) security domain has been useful. It would possibly have been knowledge I could have picked up on the job, but I would have struggled to ask the right questions early on when dealing with Estates and Facilities, and as we all know it is easier to design security in during requirements capture than afterwards.

I have always considered the (ISC)2 and ISACA certifications to be good general management and auditor certifications. The SANS certifications, even though I don't have any yet (and I wish I could find a way of getting someone to pay for a couple of them), are very good technical certifications on a par with CISSP, CISM and CISA, although they demonstrate a high level of knowledge of a specific area compared with the less technical and more general domains of knowledge of the (ISC)2 and ISACA certifications. I have met those with SANS and CISSP certifications who I can't believe ever passed the exams, but there are also those who can pass a certification but cannot translate that into skills that can be used in the workplace.

Any fix to InfoSec certifications needs to be applied across all the certifications, and needs to be done in a way that HR and other areas understand the level that a holder has achieved.

I will be posting more of my views on this in the coming few weeks.

Monday 27 August 2012

Tools (27th Aug)

A weekly update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting although other tools are sometimes included.

Security Shepherd v1.2
http://sourceforge.net/projects/owaspshepherd/files/
Security Shepherd is a computer-based training application for web application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practices. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.

SQLI Hunter v1.1
http://sourceforge.net/projects/sqlihunter/files/
SQLI Hunter is an automation tool to scan for SQL injection vulnerabilities in a website.
It automates the search for SQLi-vulnerable links from Google using Google dorks.
SQLI Hunter can also find the admin page of a website by using some predefined admin page lists.

Kautilya 0.3.0 Released
Kautilya is a toolkit which provides various payloads for the Teensy device which may help in breaking into a computer. The toolkit is written in Ruby.
  • The Windows payloads and modules are written mostly in PowerShell (in combination with native commands) and are tested on Windows 7.
  • The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.
  • The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on a VMWare

Monday 20 August 2012

CISSP Course & delegates experience

Delivering CISSP training to the University of Bedfordshire this week (20th - 14th August 2012), it is a very interesting experience returning to the University where I worked for almost 11 years and left almost 12 months ago. It is very good to meet old colleagues that I used to work with and to see some of the changes to the campus as the new postgraduate building takes shape.

Most of the CISSP training I have done has been to delegates from a range of companies, where their differing work experiences can contribute to good discussion and debate over the points raised during the training.

The delegates that I have on the course this time mainly have experience of the Higher Education sector, and this makes the discussion different; it has brought to light a point that I need to bear in mind if I deliver training on site to a customer where the candidates have similar work experience to draw on during discussions. I will need to encourage the delegates to review the body of knowledge and try to see how it could be applied in different scenarios.

Tools (Aug 20th)

Trying to get back into doing a weekly update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting, although others are sometimes included.

Smartphone Pentest Framework (SPF)
https://github.com/georgiaw/Smartphone-Pentest-Framework
The Smartphone Pentest Framework (SPF) is an open source tool designed to allow users to assess the security posture of the smartphones deployed in an environment. The tool allows for assessment of remote vulnerabilities, client side attacks, social engineering attacks, post exploitation and local privilege escalation. This is an initial release, with a subset of features from each section. SPF is the product of a DARPA Cyber Fast Track grant.

VIPER Assessment Security Tools Linux security distribution
http://vipervast.sourceforge.net/
VAST is a Linux-based security distribution specifically designed for pentesting VoIP and UC networks. It enables security professionals and UC administrators to rapidly perform VoIP security assessments and enumerate vulnerabilities in IP Phones or IP PBX servers in a lab environment. With VAST, a security consultant has every tool necessary to carry out a successful onsite or remote penetration test or vulnerability assessment against a UC network. VAST is built on Mint Linux 13 and includes all of the open source VIPER Lab tools, in addition to some other network pentest tools.
VAST can be downloaded in .ISO format and VMWare guest image.

Wifite v2
Wifite attacks multiple WEP, WPA and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments. Wifite aims to be the "set it and forget it" wireless auditing tool.

Sunday 19 August 2012

Basics of Security

This story in Computing about the ICO investigating Tesco's security (http://www.computing.co.uk/ctg/news/2199618/ico-to-check-out-tescocom-security) highlights the need to start from the basics when implementing security.

The ICO is to start investigations after security bloggers such as Troy Hunt vented their dismay at what they claim are unsafe security practices used by Tesco.com.

They discovered:
  • the site loads some components over plain HTTP, not HTTPS
  • the only passwords allowed by the website are weak: no more than 10 characters in length, with upper- and lower-case characters treated the same
  • according to error messages spewed by the site, it remains based on Microsoft IIS6 – which is now seven years old – and ASP.NET 1.1, which is nine years old

One of the fundamentals of security is keeping applications and operating systems fully up to date and patched. The Microsoft Product Lifecycle does not have information listed for IIS6, but the IIS5 Extended Support end date was 13th July 2010; IIS6 was released with Server 2003, for which mainstream support ended on 13th July 2010 and Extended Support is due to end on 14th July 2015.

In July The Register reported (http://www.theregister.co.uk/2012/07/31/tesco_website_insecurity/) Tesco's unencrypted password email reminder rumble: the fact that it still merrily emails passwords to punters in plain text has alarmed anyone with a grasp of computer security. The passwords are not hashed and salted; this is worse than the LinkedIn password handling, where they were hashed but without a salt value.
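The following Python is an added example, not code from the Tesco site, from LinkedIn or from the articles linked above. It contrasts the two failures described: an unsalted hash table, where identical passwords produce identical digests and so expose each other, against per-user salted PBKDF2 records, which keep no plaintext that could be emailed back to a customer and which verify in constant time. The account names and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real customer data): two users share a password.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "Trolley2012",
    "bob@example.com": "Trolley2012",
    "carol@example.com": "Clubcard99",
}


def unsalted_hash(password: str) -> str:
    """The unsalted weakness: a bare SHA-1 of the password.

    Every user with the same password gets the same digest, so one recovered
    digest (or one precomputed table) answers for all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def reused_password_groups(accounts: dict) -> list:
    """Defender's view of what an unsalted table leaks: users whose digests
    collide are thereby revealed to share a password, without cracking anything."""
    groups = defaultdict(list)
    for user, password in accounts.items():
        groups[unsalted_hash(password)].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened form: a random per-user salt plus a slow PBKDF2-HMAC-SHA256 digest.

    Only salt, iteration count and digest are stored; the plaintext is gone,
    so a 'password reminder' email can never contain it.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def salted_round_trip(password: str, attempt: str) -> bool:
    """Create a salted record for `password` and check whether `attempt` verifies."""
    return verify_salted(attempt, make_salted_record(password))


def salted_digests_differ(accounts: dict) -> bool:
    """With per-user salts, identical passwords no longer yield identical digests."""
    digests = [make_salted_record(pw)["digest"] for pw in accounts.values()]
    return len(set(digests)) == len(digests)


if __name__ == "__main__":
    print("users revealed to share a password:", reused_password_groups(SAMPLE_ACCOUNTS))
    print("salted digests all distinct:", salted_digests_differ(SAMPLE_ACCOUNTS))
    print("correct password verifies:", salted_round_trip("Trolley2012", "Trolley2012"))
    print("case-changed password rejected:", salted_round_trip("Trolley2012", "trolley2012"))
```

The last check also shows that the hardened store is naturally case-sensitive: the site's practice of treating upper- and lower-case characters as the same would have to be an explicit normalisation before hashing, which shrinks the keyspace on top of the 10-character limit.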

In December 2006 Tesco had a security breach involving customer data (http://www.channelregister.co.uk/2006/12/12/tesco_customer_security_flap/).

It appears Tesco is not following some of the basic tenets of computer security, and it will be interesting to see what the ICO makes of their policies.
  

Update on CISSP exam

After almost 20 years, the CISSP exam has moved from being paper-based to being a Computer Based Assessment (CBA). Previously the candidate had to complete a six-hour, 250-question, paper-based exam and then wait weeks to find out the score.
For the paper-based exam candidates were sometimes required to sign up months in advance, as the test was only held in their area once or twice a year. With the electronic exam, the candidate has to create an account at Pearson Vue and then schedule the exam; they can attempt the exam the day after booking it.

The real difference of the change to CBA is the test delivery system, and with electronic delivery candidates often complete computerised tests faster than paper-based exams. As with most CBAs you can also mark a question and return to it later in the exam. With the move away from the paper-based exam, candidates will no longer have to decide on a strategy for doing the exam, i.e. whether to answer in the booklet and transfer the answers to the results sheet at the end. However, keep in mind that you still have six hours to complete the exam; you have plenty of time to read all the questions carefully, and it is not a race against the clock or the other candidates: there is no glory in finishing first.

While the test delivery has changed, one thing that remains the same is the exam scoring. It is scored as pass/fail, and the passing score remains 700 points out of a scaled score of 1000.
The biggest benefit of the change from a candidate's point of view is finding out your results. While with the paper-based exam it could take weeks to find out your score, with the electronic version you will know your score immediately after completing the test.

However, if you fail, the retake policy has changed. Candidates cannot reattempt the exam for 30 days. If for some reason you fail on the second attempt, you cannot retake the exam for 90 days, and if that attempt is unsuccessful, you must wait 180 days to attempt the exam again.

References

https://www.isc2.org/cissp-how-to-certify.aspx
http://www.infosecisland.com/blogview/22205-Ready-for-the-New-ISC2-Computer-Based-CISSP-Exam.html#.UC10vxu-5e0.twitter

Saturday 18 August 2012

British workers are idlers

I don't normally comment on politics and like to keep my thoughts to myself, but when British MPs decide to call British workers the worst idlers, in a BBC news story "British workers 'among worst idlers', suggest Tory MPs" (http://www.bbc.co.uk/news/uk-politics-19300051), I made an exception. It is interesting to look at the background of the 5 authors of this claim; I wonder where they got the experience and knowledge to back up their claim. Unless they are talking about those who work in politics, although a lot of workers in Parliament and the political parties work hard. I have worked for large and small UK companies and the majority of those I have worked with are hard workers; although there is a small group of slackers just doing what is required, it is unfair to label the majority of UK workers as idlers.

Elizabeth Truss
http://www.elizabethtruss.com/about-elizabeth-truss-0
Elizabeth worked in the energy and telecommunications industry for ten years as a commercial manager and economics director and is a qualified management accountant. She was a Deputy Director at the think-tank Reform where she advocated more rigorous academic standards in schools, a greater focus on tackling serious and organised crime and urgent action to deal with Britain's falling competitiveness.
She has an accountancy background.

Dominic Raab
http://www.dominicraab.com/about_dom.html
Dom started his career as an international lawyer at Linklaters, a law firm in the City, working on project finance, international litigation and competition law. He also spent time on secondments at Liberty (the human rights NGO) and in Brussels advising on EU and WTO law. In 2000, Dom joined the Foreign & Commonwealth Office. He advised on a wide range of briefs, including UK investor protection, maritime issues, counter-proliferation and counter-terrorism, the UK overseas territories and the international law of outer space. In 2003, he was posted to The Hague to head up a new team, focused on bringing war criminals to justice. On return to London, he advised on the Arab-Israeli conflict, EU law and Gibraltar.
Dom left the FCO in 2006, and worked for three years as Chief of Staff to respective Shadow Home and Justice Secretaries, advising in the House of Commons on crime, policing, immigration, counter-terrorism, human rights and constitutional reform.

Priti Patel
http://www.priti4witham.com/about
Priti has worked in the communications industry for over ten years and until recently was the Director of Corporate Communications at a major international company. She has worked around the world and has direct experience of dealing with a diverse range of issues including; bringing education to communities in Africa and India, to foreign direct investment around the world and agricultural issues in the UK.

Chris Skidmore
http://chrisskidmore.com/about-chris-skidmore-mp/
Chris worked briefly in journalism for the People Magazine and as a historical researcher, before going on to write his first book, a biography of the Tudor king Edward VI in 2007. Chris has continued to write, publishing his second book, Death and the Virgin in 2010 and a book on the Battle of Bosworth due later in 2012. He currently teaches history part-time at Bristol University.

Kwasi Kwarteng
http://www.kwart2010.com/about/
Kwasi earned Bachelor's and PhD degrees in British History and worked as a financial analyst, journalist and author.

Friday 17 August 2012

Tools (Aug 17th)

A new post on computer security tools after a period of reduced activity on this blog. These are tools that I have come across or use in my role as an Information Security Consultant.

BackTrack 5 Release 3 was released on 13th August.
http://www.backtrack-linux.org/downloads/
There are around 60 new tools in the BackTrack 5 R3 release; the Cyber Arms blog has listed some of them (http://cyberarms.wordpress.com/).

Attack Surface Analyzer 1.0 Released 2nd August
http://blogs.msdn.com/b/sdl/archive/2012/08/02/attack-surface-analyzer-1-0-released.aspx
The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications.

NetworkMiner v1.4 released 12th Aug
http://sourceforge.net/projects/networkminer/files/
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host-centric (information grouped per host) rather than packet-centric (information shown as a list of packets/frames).

An interesting tool that I will be looking at is for post exploitation:
Nishang
http://code.google.com/p/nishang/downloads/list
Nishang is a collection of scripts and a post exploitation framework in PowerShell. The aim is to increase the usage of PowerShell in offensive security and penetration tests. Nishang is a result of my own requirements during real life pen tests. Since it is a post exploitation thingy, it is assumed that you have shell access on the machine or are using a HID like Teensy to drop the script on the victim.

Wednesday 8 August 2012

July ADSL Router analysis

Analysis of the log files from my ADSL router for July: there was another increase in the number of UDP scans, which emanated from Chinese IP addresses.

The detected events broke down by country as follows:

Country         Source IPs   No of attacks from country
China                   59   2938
Turkey                  19     19
Sweden                   1      2
South Africa             1      1
Tuesday 7 August 2012

Insider Threat

An ironic example of the insider threat is the case of Jessica Harper, 50, a former Lloyds Bank worker who, while working as head of fraud and security for digital banking, carried out a fraud worth more than £2.4m; she has been convicted and will be sentenced on 21st Sept 2012.

The insider threat is defined as a disgruntled insider with knowledge of the victim's system (see also: abuse of privilege, insider attack, internal vulnerability, insider).

Combating the insider threat can be done by the use of controls. Technical controls focus on data and computer activities, while non-technical controls focus on human motivations and behaviour. Non-technical controls are critical because many insider attacks do not depend on technology.

Non-technical controls
  • Job rotation
  • Segregation of duties
  • Mandatory vacations
  • Regular audits/reviews
  • Periodic employee background checks

Technical solutions
  • Data loss protection (DLP) systems
  • Fraud detection tools
  • Security information and event management (SIEM) solutions
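As an added example, not code from this blog or from any of the cases mentioned here or in the 29 August post, the following Python shows how a SIEM-style technical control can back up the non-technical controls listed above. It flags activity by an account after its contract end date (the pattern in the Toyota contractor case), logins outside business hours, and a payment created and approved by the same person, which is a segregation of duties failure of the kind a head of fraud is best placed to commit. The HR roster and audit events are constructed sample data with hypothetical account names.

```python
from datetime import datetime, time

# Constructed HR roster: account -> contract end (None means still employed).
ROSTER = {
    "jsmith": None,
    "contractor42": datetime(2012, 8, 24, 17, 0),  # released from contract at 17:00
    "afinance": None,
}

# Constructed audit events, in the order a SIEM would receive them (not real data).
EVENTS = [
    {"ts": datetime(2012, 8, 24, 9, 5), "user": "jsmith", "action": "login", "detail": "vpn"},
    {"ts": datetime(2012, 8, 24, 23, 40), "user": "contractor42", "action": "login", "detail": "vpn"},
    {"ts": datetime(2012, 8, 25, 1, 12), "user": "contractor42", "action": "delete", "detail": "share://eng/specs"},
    {"ts": datetime(2012, 8, 27, 10, 0), "user": "afinance", "action": "payment.create", "detail": "PAY-1001"},
    {"ts": datetime(2012, 8, 27, 10, 3), "user": "afinance", "action": "payment.approve", "detail": "PAY-1001"},
    {"ts": datetime(2012, 8, 27, 11, 0), "user": "jsmith", "action": "payment.create", "detail": "PAY-1002"},
    {"ts": datetime(2012, 8, 27, 11, 30), "user": "afinance", "action": "payment.approve", "detail": "PAY-1002"},
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working day for this sample


def access_after_termination(events: list, roster: dict) -> list:
    """Any activity by an account whose contract end date has passed.

    The account should have been disabled at termination; this rule catches
    the cases where the non-technical leavers process was missed.
    """
    alerts = []
    for e in events:
        end = roster.get(e["user"])
        if end is not None and e["ts"] > end:
            alerts.append(("ACCESS_AFTER_TERMINATION", e["user"], e["ts"].isoformat(), e["action"]))
    return alerts


def out_of_hours_logins(events: list, hours=BUSINESS_HOURS) -> list:
    """Logins outside business hours: noisy on its own, useful alongside other signals."""
    start, end = hours
    return [
        ("OUT_OF_HOURS_LOGIN", e["user"], e["ts"].isoformat())
        for e in events
        if e["action"] == "login" and not (start <= e["ts"].time() <= end)
    ]


def segregation_of_duties_violations(events: list) -> list:
    """The same user both created and approved a payment, so the two-person control was bypassed."""
    creator_of = {}
    alerts = []
    for e in events:
        if e["action"] == "payment.create":
            creator_of[e["detail"]] = e["user"]
        elif e["action"] == "payment.approve" and creator_of.get(e["detail"]) == e["user"]:
            alerts.append(("SOD_VIOLATION", e["user"], e["detail"]))
    return alerts


def run_all(events: list, roster: dict) -> list:
    """Run every rule and return the combined alert list."""
    return (
        access_after_termination(events, roster)
        + out_of_hours_logins(events)
        + segregation_of_duties_violations(events)
    )


if __name__ == "__main__":
    for alert in run_all(EVENTS, ROSTER):
        print(alert)
```

The first rule only works if HR leaver data is fed into the SIEM, which is the point of the post: the technical control depends on a non-technical process being in place, and the segregation of duties rule depends on the finance workflow actually recording who created and who approved each item.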