<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Thinking</title>
	<atom:link href="http://www.btsecurethinking.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.btsecurethinking.com</link>
	<description></description>
	<lastBuildDate>Mon, 06 Feb 2012 10:29:09 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Merry Christmas from Senegal… What can Happen if your SIP VoIP Router is Compromised</title>
		<link>http://www.btsecurethinking.com/2012/02/merry-christmas-from-senegal%e2%80%a6-what-can-happen-if-your-sip-voip-router-is-compromised/</link>
		<comments>http://www.btsecurethinking.com/2012/02/merry-christmas-from-senegal%e2%80%a6-what-can-happen-if-your-sip-voip-router-is-compromised/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 10:29:09 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- Broadband]]></category>
		<category><![CDATA[PBX]]></category>
		<category><![CDATA[SIP]]></category>
		<category><![CDATA[VoIP]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2953</guid>
		<description><![CDATA[By Phil Packman, General Manager, Security Engineering &#38; Customer Advocacy Late December I returned home after a very enjoyable Christmas break away and was savouring my bank holiday “lie in bed” when I was rudely awakened by the phone.  I was informed by the slightly accented person on the end of line that he was [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Phil Packman, General Manager, Security Engineering &amp; Customer Advocacy</strong></em></p>
<p>Late December I returned home after a very enjoyable Christmas break away and was savouring my bank holiday “lie in bed” when I was rudely awakened by the phone.  I was informed by the slightly accented person on the end of the line that he was calling from BT, and they had observed unusual call behaviour on my home line over Christmas.  Whilst the gentleman was talking, I started to detect something dialling in the background of the call. Very convincing, but it had to be a scam, so I hung up.</p>
<p>Having been rudely awoken, I made some breakfast. Just out of curiosity, I decided to check my phone bill online.   To my horror, the early morning wake up had not been a scam. I had indeed been the victim of “call fraud,” with several hundred pounds’ worth of calls to Senegal whilst I was away over Christmas.</p>
<p>How had it happened?  Had my line been tapped into or was a neighbour sharing my line?   Unfortunately, I had a SIP VoIP Router connected to my home phone line, which I was using for a Broadband VoIP service. This had been compromised so it was open to exploitation over the Internet.</p>
<p>How had the compromise happened?  I could prove the router had previously been secured correctly.  I rarely change the set-up which has been to ‘best practices’ standards since 2006.  I’m an educated consumer and had operated my setup for 5 years without issue.  So, what had changed?</p>
<p>It is still under investigation, but my focus is on a home PC which my children played Flash-based games on, or a redundant PC used as a “sand box” for programming and scripting.</p>
<p>This incident reinforces a key assertion I have been making for some time: that Physical (my phone line) and Logical hacking attacks can merge, and the boundary between Physical and Logical security is not always as clear as it once was.</p>
<p>So what learning have I taken from this?</p>
<ol>
<li>VoIP is rising in popularity, but if not secured properly it is vulnerable to dial-through fraud;</li>
<li>Ensure your network and PBX equipment are configured to the vendor’s security best practices and check them on a periodic basis;</li>
<li>Lock down network access for VoIP to only those who need it;</li>
<li>Check and maintain the security on SIP devices on a regular basis, particularly if you are a small business using a VoIP-capable networked PBX;</li>
<li>Check your bills regularly and look for odd international or premium rate calls: this can be an indication of test calls prepping a line for a major hit;</li>
<li>Set up alerting on your lines so that you are notified of high-value calls or bills above a certain value;</li>
<li>Consider blocking international calls on lines that don’t need them;</li>
<li>Set up the dial routing on the PBX to be specific to only the international numbers you dial; and</li>
<li>Don’t use test and lab equipment in live situations, and turn it off when completed.</li>
</ol>
<p>There is much more advice on the net for VoIP best practice, but the final hard point of learning for me is that in these cases the liability for this type of fraud typically lies with the home owner or business. Whilst residential attacks are unusual, as VoIP grows so will the exploitation of it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/02/merry-christmas-from-senegal%e2%80%a6-what-can-happen-if-your-sip-voip-router-is-compromised/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stealth Technology and Teddy Bears</title>
		<link>http://www.btsecurethinking.com/2012/02/stealth-technology-and-teddy-bears/</link>
		<comments>http://www.btsecurethinking.com/2012/02/stealth-technology-and-teddy-bears/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 13:55:29 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- Malware]]></category>
		<category><![CDATA[Advanced Code Morphing]]></category>
		<category><![CDATA[Alureon]]></category>
		<category><![CDATA[drone]]></category>
		<category><![CDATA[Duqu]]></category>
		<category><![CDATA[root kits]]></category>
		<category><![CDATA[stealth technology]]></category>
		<category><![CDATA[UAV]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2947</guid>
		<description><![CDATA[By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice In December 2011 the Iranian regime proudly displayed a state-of-the-art American UAV drone they had captured. The story circulating claimed that they managed to spoof the GPS system onboard to convince the drone to land in Iran. Many experts are sceptical of this, but concede [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice</strong></em></p>
<p>In December 2011 the Iranian regime proudly displayed a state-of-the-art American UAV drone they had captured. The story circulating claimed that they managed to spoof the GPS system onboard to convince the drone to land in Iran. Many experts are sceptical of this, but concede it is remotely <a href="http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer-Video">conceivable</a>.  Whether or not this is the case, the episode is somewhat embarrassing for the USA.</p>
<p>If true, however, it represents one of the most audacious cyber attacks in modern times. The flow of advanced computing hardware and software is a relentless force that is empowering groups and state actors at all levels, for better or worse. A useful summary of the hazards inherent in relying on military stealth technology is provided in a <a href="http://www.wired.com/dangerroom/2011/06/stealth-tech-obsolete/">Wired</a> article from 2011.  The lesson for cyber folk from this story is that complex technology is not your friend; as I iterated at length in a prior blog, we need to design for simplicity.</p>
<p>In the pure cyber domain the advent of stealth root kits, such as Alureon or Duqu, is a source of deep concern, as they use advanced code morphing techniques to scatter their functionality across the drivers and kernel code of the host system. When we see the best researchers from the vendors of the major operating systems scratching their heads in bewilderment at the sheer sophistication of these cyber threats, it is time to worry. (As was the case witnessed at a research conference on malware I chaired last year.)</p>
<p>At another socio-cultural level we are increasingly seeing the addition of robotic sensing, cameras and actuation in toys of all types. The potential for malware transmission, or simply malicious activity, via such active toys is a growing and real threat. My current favourite is <a href="http://www.engadget.com/2011/12/19/pinoky-makes-it-easier-to-pretend-like-your-stuffed-animals-are/#continued">Pinoky</a>. This device allows you to animate any cuddly toy. The problem is that the code in such systems is never tested, scanned or even considered as a vector for malware. Then we have the imminent arrival of truly advanced entertainment and domestic robots with fully capable CPU and networked capabilities. (Check out the latest BigTrak <a href="http://www.bigtrakisback.com/xtr-coming-soon">xtr toy</a>.)  This is a hacker’s dream.</p>
<p>The point of this blog (yes, there is one) is that the cyber realm is an ever expanding hyper-space of data and code, in which it becomes ever easier to conceal anything. Significant research effort is now being directed at intelligent data analysis techniques to automate the process of looking for anomalies or suspicious behaviour. This is comparable to fishing with a trawler and net rather than a single fishing line: it is better, but it is still not going to catch advanced stealth threats. The only solution for that is to develop full-on machine AI, with the ability to scan the cyber depths in a sonar-like fashion. I’m working on it, but it’s a little tricky, and might take some time! In the meantime, don’t allow teddy bears near your server rooms.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/02/stealth-technology-and-teddy-bears/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How can the growing challenges of compliance be met at affordable cost?</title>
		<link>http://www.btsecurethinking.com/2012/01/how-can-the-growing-challenges-of-compliance-be-met-at-affordable-cost-3/</link>
		<comments>http://www.btsecurethinking.com/2012/01/how-can-the-growing-challenges-of-compliance-be-met-at-affordable-cost-3/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 13:37:56 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[- Compliance]]></category>
		<category><![CDATA[- risk management]]></category>
		<category><![CDATA[- Security compliance]]></category>
		<category><![CDATA[economics of compliance]]></category>
		<category><![CDATA[Information Security Forum]]></category>
		<category><![CDATA[ISF]]></category>
		<category><![CDATA[ISF World Congress]]></category>
		<category><![CDATA[KAI]]></category>
		<category><![CDATA[key assurance indicator]]></category>
		<category><![CDATA[key security indicator]]></category>
		<category><![CDATA[KSI]]></category>
		<category><![CDATA[Paul Kearney]]></category>
		<category><![CDATA[return on investment]]></category>
		<category><![CDATA[risk governance]]></category>
		<category><![CDATA[security effectiveness scores]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2933</guid>
		<description><![CDATA[Part 3:  Closing the loop By Paul Kearney, Chief Security Researcher, BT Innovate &#38; Design This article continues a discussion of how to create cost-effective compliance based on a talk I gave at last year’s Information Security Forum World Congress in Berlin. The first instalment outlined the challenges, and the second considered how to judge [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Part 3:  Closing the loop</strong></p>
<p><strong><em>By Paul Kearney, Chief Security Researcher, BT Innovate &amp; Design</em></strong></p>
<p>This article continues a discussion of how to create cost-effective compliance based on a talk I gave at last year’s <a href="https://www.securityforum.org/">Information Security Forum</a> World Congress in Berlin. The <a href="http://www.btsecurethinking.com/2011/09/how-can-the-growing-challenges-of-compliance-be-met-at-affordable-cost/">first</a> instalment outlined the challenges, and the <a href="http://www.btsecurethinking.com/2011/10/how-can-the-growing-challenges-of-compliance-be-met-at-affordable-cost-2/">second</a> considered how to judge how much you should be spending on security. But to be cost-effective, first you need to be effective, so now we turn to issues of measuring and managing compliance.  The ideas outlined here draw upon work done in <a href="http://www.master-fp7.eu/">MASTER</a>, a three-year European collaborative research project I participated in, which ended in February 2011.</p>
<p>Compliance is about ensuring that you fulfil your commitments and providing evidence that you are doing so. These commitments can be mandatory (e.g. imposed by legislation), voluntary (e.g. abiding by industry guidelines or standards), contractual, or internal (e.g. policy decisions). Whatever the source, you can only really talk about compliance if you are able to measure or otherwise assess your success in fulfilling the relevant commitments. A first step towards this is to express the commitments in a form that can be tested practically against observation.</p>
<p>In MASTER, we called this testable form of commitment a Control Objective. The test for fulfilment of a Control Objective is expressed in terms of patterns of observable events, such as might be emitted by various IT systems and stored in log files. As an example, consider a policy that states only authorised users may access certain services. This could be rewritten as a Control Objective, requiring that every access event must be preceded by a successful authorisation check with the interval between the two being no longer than, say, 30 minutes.</p>
<p>A related MASTER concept is the Key Assurance Indicator (KAI), a performance measure expressed in terms of Control Objective violations or fulfilment. In our authorisation example, an appropriate KAI might be the proportion of access events not preceded by a corresponding authorisation event, weighted by a factor reflecting the sensitivity of the service. Notice that a KAI of this form is effectively an operational measure of risk.</p>
<p>Typically, one or more thresholds will be associated with KAIs, indicating degrees of acceptability of violation. Although you might expect that only 100-percent compliance is acceptable, this is not necessarily the case. Consider, for example, a healthcare context where taking short cuts through normal procedures is tolerated in emergency situations. Also, logging may be less than perfect, manual alternative procedures may be available, and so on.</p>
<p>In addition to measuring compliance, we should take steps to prevent non-compliance and to limit its impact. In MASTER, we do this by defining Control Processes. Again, patterns of events play an important role. A Control Process enforcing a policy will typically be triggered by an event pattern indicating that opportunity for violation is approaching, while processes triggered by actual violations can be used to limit their consequences. For example, an access request without a preceding confirmation of authorisation could be used to trigger an authorisation check with access being blocked in the meanwhile. Similarly, an ‘emergency override’ of denied access could trigger a message to a supervisor who could investigate later to make sure it was justified.</p>
<p>Control Processes also give rise to events that can be monitored, and we can define patterns that we would expect to see during and as a result of correct execution of a Control Process. We can use these to construct a second type of indicator, the Key Security Indicator (KSI), which is a measure of whether the Control Processes are functioning as designed. KAIs and KSIs can be compared to determine whether a compliance problem is due to incorrectly designed, implemented or operated controls, or because, for example, an important threat vector has been overlooked.</p>
<p>Documenting the Control Objectives, KAIs, Control Processes and KSIs, and also the relationships between them and rationale for their choice, allows an auditor to assess whether controls and indicators have been chosen appropriately to the business context. Evaluating the KAIs and KSIs during operation provides evidence that the controls are working effectively in practice and that commitments are being fulfilled. Where this is not entirely the case, the information can be fed back as part of a continuous improvement process.</p>
<p>In addition to defining the concepts outlined above, the MASTER project produced a Methodology Handbook, a prototype Design and Verification Workbench, and a prototype run-time infrastructure consisting of Signalling, Monitoring, Enforcement, and Assessment components. Control Processes and indicators defined using the workbench can be published to the run-time infrastructure via a repository.</p>
<p>The results were demonstrated and assessed by means of two case studies in the healthcare and financial services domains. The healthcare study concerned compliance of a hospital drug prescription and dispensation business process with Italian regional regulations. The second study dealt with compliance of a credit rating evaluation business process with Spanish national regulations.</p>
<p>While the various software tools developed are still at a research prototype stage, we believe the fundamental approach has proved to be sound. There is interest in applying the methodology in practice, and the project partners are incorporating the technical developments in various software products.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/01/how-can-the-growing-challenges-of-compliance-be-met-at-affordable-cost-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guest Post: What Makes a Good Network Security Policy?</title>
		<link>http://www.btsecurethinking.com/2012/01/guest-post-what-makes-a-good-network-security-policy/</link>
		<comments>http://www.btsecurethinking.com/2012/01/guest-post-what-makes-a-good-network-security-policy/#comments</comments>
		<pubDate>Mon, 30 Jan 2012 13:10:27 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- risk management]]></category>
		<category><![CDATA[- Security Policy]]></category>
		<category><![CDATA[AlgoSec]]></category>
		<category><![CDATA[security policy automation]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2928</guid>
		<description><![CDATA[By Sam Erdheim, AlgoSec If you read the security sites, blogs or view any security-related Twitter handles, you will most definitely be flooded with information and commentary on the latest and greatest attack. There is always some new, sophisticated threat out in the wild that disrupts business and steals sensitive information. But what usually gets [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Sam Erdheim, <a href="http://www.algosec.com">AlgoSec</a></strong></em></p>
<p>If you read the security sites, blogs or view any security-related <a href="http://www.Twitter.com">Twitter </a>handles, you will most definitely be flooded with information and commentary on the latest and greatest attack. There is always some new, sophisticated threat out in the wild that disrupts business and steals sensitive information. But what usually gets lost in the hyperbole of the latest threat is the fact that oftentimes we lose sight of the security fundamentals.</p>
<p>So to start, we must re-examine our security policies. Why? Because a security policy is only as good as the paper it is written on. What is a good security policy? How do you measure its impact and evolve the policy as needs change?</p>
<p>Any policy, security or otherwise, that is not enforced, evaluated and refined over time is one that will most likely become outdated, because the fact is that change is the norm in today&#8217;s IT and business environment. And with change (whether in the policy, whether in staff turnover, etc.) you better have good documentation or else good luck to ya. Good documentation includes the reason for the change, who requested and approved the change, and a date/time stamp &#8211; otherwise you will have too many resources spending too much time troubleshooting something that could&#8217;ve taken one person a matter of minutes. In the meantime, business is disrupted and/or critical systems and information are put at risk.</p>
<p>OK, so back to &#8220;what is a good security policy?&#8221; The answer to this will vary by organization in terms of the details, but conceptually a good policy must:</p>
<ol>
<li>Have buy-in from key stakeholders &#8211; business and IT management and end users</li>
<li>Be enforceable &#8211; go back to the first line of this post. If it&#8217;s not enforceable it&#8217;s worthless. Don&#8217;t waste your time.</li>
<li>Be monitored over its lifecycle. To be clear, when talking about enforcing, managing and monitoring security policies I&#8217;m including all of the pertinent underlying info (e.g. rules and objects in a firewall, user or application permissions for accessing databases or files, etc.)</li>
</ol>
<p>Very easy to say all of the above (these are common &#8220;best practices&#8221;), but how can we make this a reality?</p>
<p>Speaking more specifically about network security policies, look no further than the multitude of stats out there that show the majority of firewall breaches are caused by misconfigurations, and that gaps in change management processes create what I&#8217;d call unforced errors. We&#8217;re just hitting the ball into the net &#8211; it&#8217;s our own fault!</p>
<p>Enter the world of network security policy automation. Instead of manually going through hundreds, if not thousands of firewall rules, many of which are outdated and introduce unnecessary risk, you can reduce the complexity of firewall policy management through automation. Then you can get back to &#8220;what is the purpose of this policy?&#8221; to ensure the security, compliance and productivity of your business.</p>
<p><em>Please share any of your tips for ensuring good security policies or horror stories about policies gone bad.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/01/guest-post-what-makes-a-good-network-security-policy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The PCI Council’s ASV Program Gets a Makeover</title>
		<link>http://www.btsecurethinking.com/2012/01/the-pci-council%e2%80%99s-asv-program-gets-a-makeover/</link>
		<comments>http://www.btsecurethinking.com/2012/01/the-pci-council%e2%80%99s-asv-program-gets-a-makeover/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 11:17:04 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[- Data Breach]]></category>
		<category><![CDATA[- PCI]]></category>
		<category><![CDATA[- PCI DSS]]></category>
		<category><![CDATA[- QSA]]></category>
		<category><![CDATA[PCI SSC ASV]]></category>
		<category><![CDATA[Scanning]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2920</guid>
		<description><![CDATA[By Sushila Nair, Security Specialist, BT In order to be PCI compliant it is required that customers scan their networks quarterly and for their external presence to be scanned by an Authorized Scanning Vendor (ASV). In 2011 the PCI Council changed the ASV program significantly. ASVs have always been required to conduct network security [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Sushila Nair, Security Specialist, BT</strong></em></p>
<p>In order to be PCI compliant, customers are required to scan their networks quarterly and to have their external presence scanned by a vendor in the <a href="https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf">Authorized Scanning Vendor</a> (ASV) program.</p>
<p>In 2011 the <a href="https://www.pcisecuritystandards.org/">PCI Council </a>changed the ASV program significantly. ASVs have always been required to conduct network security scanning against a test network with predefined vulnerabilities operated and configured by the PCI SSC. ASVs are expected to produce a sample report and document all of the predefined vulnerabilities.</p>
<p>Authorized scanning vendors were, however, criticized for not always understanding their role or being able to advise their customers appropriately, especially in the scoping arena and on how to best identify and eliminate false positives.</p>
<p>So, last March the PCI SSC changed the program to require that ASVs have at least two qualified ASV employees who have done the online training program and passed a multiple choice exam. The training program ensures that the authorized personnel doing the scan are not only able to do the scan but understand the PCI DSS standards and are able to act as a trusted advisor to the customer in the area of vulnerability management, much like <a href="https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php">QSAs</a> act within the security control audits.</p>
<p>The objective is to bring a consistent understanding on how to evaluate network segmentation and really understand the requirements of the standard. ASV organizations are also required to have a quality assurance process in place to ensure that the reports produced, and the analysis of the results, are consistent and accurate.</p>
<p>The requirement for a QA program to be in place has been a requirement for QSA organizations for some time. The scan customer is ultimately responsible for defining the appropriate scope of the external vulnerability scan and must provide all Internet-facing IP addresses and/or ranges to the ASV. If an account data compromise occurs via an externally facing system component not included in the scan, the scan customer is responsible. It is critical to work with an ASV that acts as a trusted advisor: scoping is a critical component of being compliant, and merchants are often confused about which systems are in scope for external scans. The ASV should be able to advise on not only which systems are in scope but also how to handle anomalies and systems that are failing the scan.</p>
<p>Organizations that are not guided by PCI but are conducting vulnerability scans as part of best practices or other regulatory requirements would be well advised to use the ASV certification as a method of selecting a good scanning vendor. The fact that the vendor has passed exams, has qualified staff on board and has a validated QA process in house makes a great screening process and is a definite indicator that the organization would meet the needs of any organization concerned about vulnerability management.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/01/the-pci-council%e2%80%99s-asv-program-gets-a-makeover/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>World Economic Forum: Shaping New Risk Models</title>
		<link>http://www.btsecurethinking.com/2012/01/world-economic-forum-shaping-new-risk-models/</link>
		<comments>http://www.btsecurethinking.com/2012/01/world-economic-forum-shaping-new-risk-models/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 15:00:53 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- BT]]></category>
		<category><![CDATA[- Ray Stanton]]></category>
		<category><![CDATA[- risk management]]></category>
		<category><![CDATA[2012 Security Trends]]></category>
		<category><![CDATA[Hyperconnected World]]></category>
		<category><![CDATA[risk models]]></category>
		<category><![CDATA[WEF 2012]]></category>
		<category><![CDATA[World Economic Forum]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2914</guid>
		<description><![CDATA[By Tara Savage, Senior Marketing Manager, BT Global Services Today’s business, economic, government and social climates are driven by data.  Sharing information is fundamental to how states and businesses address the world’s most pressing challenges.  And, while data connects us, it is also the source of many risks that threaten the success of these collaborative [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Tara Savage, Senior Marketing Manager, BT Global Services</strong></em></p>
<p>Today’s business, economic, government and social climates are driven by data.  Sharing information is fundamental to how states and businesses address the world’s most pressing challenges.  And, while data connects us, it is also the source of many risks that threaten the success of these collaborative efforts.</p>
<p>How should world leaders and CEOs assess and manage this risk?</p>
<p>Ray Stanton, BT’s Vice President of Professional Services, is one of the session co-leaders at the <a href="http://www.weforum.org/">World Economic Forum</a> in Davos-Klosters, Switzerland, on ‘Risk in a Hyperconnected World’. Ray will draw on his many years of experience and expertise in the field, as well as on feedback from ISF 2011, to present on issues that will loom large on the agenda of global security leaders in 2012.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/01/world-economic-forum-shaping-new-risk-models/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The SIGS have been selected and the winners are….</title>
		<link>http://www.btsecurethinking.com/2012/01/the-sigs-have-been-selected-and-the-winners-are%e2%80%a6/</link>
		<comments>http://www.btsecurethinking.com/2012/01/the-sigs-have-been-selected-and-the-winners-are%e2%80%a6/#comments</comments>
		<pubDate>Mon, 23 Jan 2012 10:55:20 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[- Cloud Security]]></category>
		<category><![CDATA[- PCI Council]]></category>
		<category><![CDATA[- risk assessment]]></category>
		<category><![CDATA[E-commerce Security]]></category>
		<category><![CDATA[PCI SSC]]></category>
		<category><![CDATA[SIG]]></category>
		<category><![CDATA[Special Interest Group]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2899</guid>
		<description><![CDATA[By Sushila Nair, Security Specialist, BT Global Services This was the first time SIG topics were chosen through member elections. Close to 500 votes were cast by merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012. According to the PCI Security Council, a quarter of all Participating Organizations [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Sushila Nair, Security Specialist, BT Global Services</strong></em></p>
<p>This was the first time <a href="https://www.pcisecuritystandards.org/get_involved/special_interest_groups.php">SIG</a> topics were chosen through member elections. Close to 500 votes were cast by merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012. According to the <a href="https://www.pcisecuritystandards.org/index.php">PCI Security Council</a>, a quarter of all Participating Organizations voted, which shows a high amount of interest. A third of the votes came from outside North America, which showed that concern surrounding how to secure the payment chain is truly a global endeavor. <a href="http://www.btsecurethinking.com/2011/09/are-pci-special-interest-groups-effective/">SIGs </a>focus on providing recommendations to the Council which often results in guidance for interpreting and implementing the PCI Standards. The SIGS are not about creating new versions of the standard but, rather, clarifying existing controls and how they apply to specific technologies.</p>
<p>Any member of the PCI SSC community interested in participating in one of these SIG projects needed to indicate their interest by emailing <a href="mailto:sigs@pcisecuritystandards.org">sigs@pcisecuritystandards.org</a> before November 30, 2011. However, the Council has welcomed latecomers. The Council SIG leads are now convening each group to formalize the group charter and the precise scope of the work project. This will be shared with the Community by the end of the year, and all the SIGs have now started to meet.</p>
<p>The Cloud SIG will no doubt focus on the different responsibilities of companies that choose to use cloud-based security. The standards have begun to give consideration to virtualized environments with the guidelines released last year. However, the standard currently does not clearly guide QSAs, or others involved in the payment process, on some of the more specialized threats that exist in cloud environments, including the division of responsibilities, forensics, and the complexity of understanding the law in a distributed environment.</p>
<p>The e-commerce security group should cover some of the issues specifically around e-commerce for Level 3 and 4 merchants, including issues such as detailed guidance on how best to implement hosted order pages, shopping carts, and dedicated payment workstations.</p>
<p>Requirement 12.1.2 emphasizes the need for a formal and structured risk assessment methodology and calls out examples such as <a href="http://www.cert.org/octave/">OCTAVE</a> and <a href="http://www.27000.org/iso-27005.htm">ISO 27005</a>. The need for a formal risk assessment methodology has also been moved to milestone 1 in the new prioritized approach, which shows how critical the Security Council regards this control. This is the group that I am most interested in, as traditionally risk assessments in IT have been lacking in consistency, and yet they underpin the selection of every single control and priority. The risk assessment SIG is not about to turn <a href="https://www.pcisecuritystandards.org/security_standards/index.php">PCI DSS</a> into a risk-based standard, as the standard by its nature is a defined set of requirements. The standard does, however, require a risk assessment methodology, and specifically within patching it requires that organizations follow a risk-based methodology.</p>
<p>The SIGS, unlike previous incarnations, run for a defined period of one year, and the results should be available this time next year.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/01/the-sigs-have-been-selected-and-the-winners-are%e2%80%a6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cannon Balls and Firewalls</title>
		<link>http://www.btsecurethinking.com/2012/01/cannon-balls-and-firewalls/</link>
		<comments>http://www.btsecurethinking.com/2012/01/cannon-balls-and-firewalls/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 12:12:54 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureServices]]></category>
		<category><![CDATA[- firewalls]]></category>
		<category><![CDATA[cannons]]></category>
		<category><![CDATA[cyber Defence]]></category>
		<category><![CDATA[forts]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2894</guid>
		<description><![CDATA[By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice Since ancient times, people have constructed defences based on physical barriers &#8211; from stone-age earth banks and wooden forts, to the monumental stone castles of the late Middle Ages. However, with the advent of gunpowder and iron cannons the defensive value of such fortresses was [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice</strong></em></p>
<p>Since ancient times, people have constructed defences based on physical barriers &#8211; from stone-age earth banks and wooden forts, to the monumental stone castles of the late Middle Ages. However, with the advent of gunpowder and iron cannons the defensive value of such fortresses was rapidly diminished. Forts evolved in design to counter the overwhelming impact of the cannon, but it was a futile exercise and most armies began to invest in stronger mobile forces (and bigger cannons!).</p>
<p>The culmination of this process was the French Maginot Line, built along the French-German border from 1930 to 1939. The cost was over 3 billion francs, a huge amount of investment at the time. It was state-of-the-art, with air-conditioning, and its own underground railway network. As it turned out, it was quite impervious to attack, a stroke of pure genius.</p>
<p>Of course the rest is history as they say; the Germans just didn’t play fair and simply went around the wall. Worse still, the investment in the fixed fortifications had seriously eroded investment in the French mobile forces, tanks and troops that could have countered the attack.</p>
<p>Returning to the cyber domain, we have seen precisely the same logic played out in firewalls and most organisations’ network defence. Of course, since ~2003 security experts have advocated the value of de-perimeterisation and having a flexible virtual wall around core assets. However, the mentality remains that there is still an inside and an outside to the business network. Hence the outrage from all sides when a major breach occurs, Sony style. Managers and executives simply refuse to accept that their multi-million pound network asset could be contaminated. The reality is that there is no spoon (see The Matrix).</p>
<p>What is required is a philosophical stance built on the concept of fluid resilience. An example of this is Japanese pagodas, which remain standing in a high earthquake zone for centuries. They are flimsy towers of wood and paper! But when an earthquake occurs they flex and bend like reeds, and stay intact. This ethos is reflected across Eastern culture in the ideas of Yin and Yang in balance.</p>
<p>We should be teaching our system administrators and security managers Zen philosophy, rather than how to mix stronger concrete!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/01/cannon-balls-and-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Playing Games</title>
		<link>http://www.btsecurethinking.com/2012/01/playing-games/</link>
		<comments>http://www.btsecurethinking.com/2012/01/playing-games/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 12:26:18 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- IISP]]></category>
		<category><![CDATA[Institute of Information Security Professionals]]></category>
		<category><![CDATA[Security Simulation]]></category>
		<category><![CDATA[Security War Games]]></category>
		<category><![CDATA[TopGun]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2889</guid>
		<description><![CDATA[By John Amer, Principal, BT Assure – Global Capability BT is a corporate member of the Institute of Information Security Professionals (IISP), and I’ve been a member for the last five or so years. One of the key IISP events for me is its TopGun program. TopGun brings together two teams: Blue &#8211; the corporate [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>By John Amer, Principal, BT Assure – Global Capability</em></strong></p>
<p>BT is a corporate member of the <a href="https://www.instisp.org/SSLPage.aspx">Institute of Information Security Professionals</a> (IISP), and I’ve been a member for the last five or so years. One of the key IISP events for me is its TopGun program.</p>
<p>TopGun brings together two teams:</p>
<ul>
<li>Blue &#8211; the corporate defenders of a fictitious company; and</li>
<li>Red – a rag tag bunch of miscreants who, despite turning up in suits and holding down jobs in large corporations, consultancies or government departments, assume the roles of malcontents, in the majority of cases, with relative ease.</li>
</ul>
<p>The most recent TopGun started pretty much like any other. The blue team sat round a table, introduced themselves and started to digest the information presented to them. The red team, housed in a different room, rolled up their sleeves and started causing mischief.</p>
<p>There is a third group in TopGun: the control team. Control is what I do, keeping the story alive, slowing down or speeding up the proceedings by intervention and limited sharing of information between the two teams. As control started letting the blue team know what was happening to them, they were initially in denial. Attacking before they were ready was cheating! It took a while on this occasion for the message to sink in, but eventually the defenders started to fight back. They implemented a full array of controls to counter what was happening and issues they anticipated could happen. The controls covered the range of people, process and technology. A good mix, pretty much what you’d hope the average corporation would put together.</p>
<p>At the end, we judged the defenders to have won the day. The reason? After the slow start, they collaborated across virtual departments, they prioritized and multitasked, dealing with both the immediate and long-term priorities of their business. In short, they were a cohesive unit that dealt with the priorities of their business.</p>
<p>TopGun is make-believe, but the behavior of people, their knowledge, mistakes and assumptions are real. That is what makes the day for me. It’s always a surprise to see the low blows the attackers use that pay no respect to the niceties of fair play. It’s a pleasure, when it happens, to see the defenders adapt and change to deal with the reality of the world around them.</p>
<p>In the real world do you prioritize your security projects against the needs of the business? Do you manage to effectively collaborate across the business both internally and externally with your partners? Do you manage to deal with the full impact of security including business reputation? Do you manage to deal with the surprises? Do you play games to understand how you would react in real life?</p>
<p>Security, really good security, is as much about the people involved as it is the technology used. Understanding your organization and the behavior of your people is essential to good security.</p>
<p>The <a href="https://www.instisp.org/">IISP is the Institute of Information Security Professionals.</a> It was formed in 2005 with the objective of raising professionalism in Information Security. BT is a corporate member of the IISP and many employees are individual members.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/01/playing-games/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guest Post: The Growing State of Network Insecurity and What to Do About It</title>
		<link>http://www.btsecurethinking.com/2012/01/the-growing-state-of-network-insecurity-and-what-to-do-about-it/</link>
		<comments>http://www.btsecurethinking.com/2012/01/the-growing-state-of-network-insecurity-and-what-to-do-about-it/#comments</comments>
		<pubDate>Mon, 16 Jan 2012 13:09:11 +0000</pubDate>
		<dc:creator>margaret</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[- firewalls]]></category>
		<category><![CDATA[- Gartner]]></category>
		<category><![CDATA[AlgoSec]]></category>
		<category><![CDATA[APTs]]></category>
		<category><![CDATA[IT networking]]></category>
		<category><![CDATA[Ponemon Institute]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=2880</guid>
		<description><![CDATA[By Sam Erdheim, AlgoSec Amongst all of the security trend data that came out near the end of 2011, one stat from the Ponemon Institute that highlighted a growing state of insecurity in the network jumped out at me.  Specifically, 66 percent of IT security professionals surveyed stated that network security is not more secure [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>By Sam Erdheim, AlgoSec</strong></em></p>
<p>Amongst all of the security trend data that came out near the end of 2011, one stat from the <a href="http://www.ponemon.org/index.php">Ponemon Institute</a> that highlighted a growing state of insecurity in the network jumped out at me. Specifically, 66 percent of IT security professionals surveyed stated that network security is not more secure than the previous year. This trend has been creeping up from the 50 percent-ish level to now two-thirds. With all of the technological advances we’ve made, why do we feel like we’re falling behind?</p>
<ul>
<li>Changing threat landscape and the rise of APTs. This has been discussed ad nauseam, so I won’t kick this dead horse much longer. But the point here is that the “bad guys” continue to innovate more quickly, and we will never win a game of cat and mouse. We need to be proactive in our efforts and always balance those security efforts against impact to the business (every business has its own risk posture).</li>
<li>While increased mobility, virtualization, the cloud and next generation firewalls are all impressive technological advances, they all introduce new &#8212; or extend &#8212; complexities in the network. If not managed properly, these can open up security gaps for attackers to exploit. Putting this into something more tangible… <a href="http://www.gartner.com/">Gartner</a> states that 95 percent of firewall breaches are due to firewall misconfigurations, not firewall flaws. If a traditional, stateful firewall can have a thousand or more tangled rules, then you multiply that by 10, 20, 50, 100 firewalls and the math starts to get ugly. Add in the complexity of more granular policies with next-gen firewalls, and that’s a mathematical problem for only those true numbers geeks.</li>
</ul>
<p>The increased sophistication of threats and the rising complexity of the network lead me to the discussion of “back to basics.” It’s not sexy, but it works. Too often we set and forget. In a blog I wrote for my employer, AlgoSec, called <a href="http://blog.algosec.com/2011/12/i-recently-read-one-of-the-many-great-quotes-from-steve-jobs-simple-can-be-harder-than-complex-you-have-to-work-hard-to-g.html" target="_blank">Trends Shmends</a>, I highlighted how we have become obsessed with the latest and greatest, and in turn oftentimes overlook network security fundamentals.</p>
<p>To be more specific, firewall management is tough. And too many organizations are relying upon overburdened IT teams to manually deal with it via disjointed and ad hoc processes. Spreadsheet audits. Overwhelming numbers of rules per firewall, many of which are redundant or unnecessary or overly permissive. Manual change management processes to address a regular dosage of requests that leave proper testing, validation and documentation wanting… What’s the ultimate impact? Misconfigurations in your network, which lead to risky scenarios. And, potentially, business disruptions due to change management processes that do not instill confidence. Coming out of the holiday season, many organizations were in a <a href="http://blog.algosec.com/2011/12/the-dangers-of-the-holiday-freeze.html" target="_blank">holiday network freeze</a> as any change, even if extremely beneficial, could potentially bring down the network. While many want to keep things as is (if network availability is up now, don’t mess with it), I would argue this is an opportunity to improve processes and security – and ultimately business continuity.</p>
<p>So where to focus? When it comes to your network keep in mind business risk with regards to every decision you make, from firewall management to asset management. And make sure this is continuous, not a point in time. Keep up with your documentation and controls. And leverage automation where possible. All of this will enable you to reduce human error, tighten up configurations and focus on additional initiatives to better secure the business. The next shiny object may be more exciting, but our first step should be to go back to basics.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2012/01/the-growing-state-of-network-insecurity-and-what-to-do-about-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

