
Friday, February 3, 2012

Stealth Technology and Teddy Bears

By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice

In December 2011 the Iranian regime proudly displayed a state-of-the-art American UAV they had captured. The story circulating claimed that they managed to spoof the GPS system onboard to convince the drone to land in Iran. Many experts are sceptical of this, but concede it is remotely conceivable. Whether or not this is the case, the episode is somewhat embarrassing for the USA.

If true, however, it represents one of the most audacious cyber attacks in modern times. The flow of advanced computing hardware and software is a relentless force that is empowering groups and state actors at all levels, for better or worse. A useful summary of the hazards inherent in relying on military stealth technology is provided in a Wired article from 2011. The lesson for cyber folk from this story is that complex technology is not your friend; as I argued at length in a prior post, we need to design for simplicity.

In the pure cyber domain the advent of stealth rootkits, such as Alureon or Duqu, is a source of deep concern, as they use advanced code-morphing techniques to scatter their functionality across the drivers and kernel code of the host system. When we see the best researchers from the vendors of the major operating systems scratching their heads in bewilderment at the sheer sophistication of these threats, it is time to worry. (As was the case at a research conference on malware I chaired last year.)

At another socio-cultural level we are increasingly seeing the addition of robotic sensing, cameras and actuation in toys of all types. The potential for malware transmission, or simply malicious activity, via such active toys is a growing and real threat. My current favourite is Pinoky. This device allows you to animate any cuddly toy. The problem is that the code in such systems is never tested, scanned or even considered as a vector for malware. Then we have the imminent arrival of truly advanced entertainment and domestic robots with fully capable CPU and networked capabilities. (Check out the latest BigTrak xtr toy)  This is a hacker’s dream.

The point of this blog (yes, there is one) is that the cyber realm is an ever-expanding hyperspace of data and code, in which it becomes ever easier to conceal anything. Significant research effort is now being directed at intelligent data analysis techniques to automate the process of looking for anomalies or suspicious behaviour. This is comparable to fishing with a trawler and net rather than a single line: it is better, but it is still not going to catch advanced stealth threats. The only solution for that is to develop full-on machine AI, with the ability to scan the cyber depths in a sonar-like fashion. I’m working on it, but it’s a little tricky, and might take some time! In the meantime, don’t allow teddy bears near your server rooms.

 

Monday, January 30, 2012

Guest Post: What Makes a Good Network Security Policy?

By Sam Erdheim, AlgoSec

If you read the security sites, blogs or view any security-related Twitter handles, you will most definitely be flooded with information and commentary on the latest and greatest attack. There is always some new, sophisticated threat out in the wild that disrupts business and steals sensitive information. But what usually gets lost in the hyperbole of the latest threat is the fact that oftentimes we lose sight of the security fundamentals.

So to start, we must re-examine our security policies. Why? Because a security policy is only as good as the paper it is written on. What is a good security policy? How do you measure its impact and evolve the policy as needs change?

Any policy, security or otherwise, that is not enforced, evaluated and refined over time will most likely become outdated, because change is the norm in today’s IT and business environment. And with change (in the policy itself, in staff turnover, etc.) you had better have good documentation, or else good luck to ya. Good documentation includes the reason for the change, who requested and approved it, and a date/time stamp; otherwise you will have too many people spending too much time troubleshooting something that could have taken one person a matter of minutes. In the meantime, business is disrupted and/or critical systems and information are put at risk.

Ok so back to “what is a good security policy?” The answer to this will vary by organization in terms of the details, but conceptually a good policy must:

  1. Have buy-in from key stakeholders – business and IT management and end users
  2. Be enforceable – go back to the first line of this post. If it’s not enforceable it’s worthless. Don’t waste your time.
  3. Be monitored over its lifecycle. To be clear, when talking about enforcing, managing and monitoring security policies I’m including all of the pertinent underlying info (e.g. rules and objects in a firewall, user or application permissions for accessing databases or files, etc.)

Very easy to say all of the above (these are common “best practices”), but how can we make this a reality?

Speaking more specifically about network security policies, look no further than the multitude of stats out there that show the majority of firewall breaches are caused by misconfigurations, and that gaps in change management processes create what I’d call unforced errors. We’re just hitting the ball into the net – it’s our own fault!

Enter the world of network security policy automation. Instead of manually going through hundreds, if not thousands of firewall rules, many of which are outdated and introduce unnecessary risk, you can reduce the complexity of firewall policy management through automation. Then you can get back to “what is the purpose of this policy?” to ensure the security, compliance and productivity of your business.

Please share any of your tips for ensuring good security policies or horror stories about policies gone bad.

Wednesday, January 25, 2012

World Economic Forum: Shaping New Risk Models

By Tara Savage, Senior Marketing Manager, BT Global Services

Today’s business, economic, government and social climates are driven by data. Sharing information is fundamental to how states and businesses address the world’s most pressing challenges. And while data connects us, it is also the source of many risks that threaten the success of these collaborative efforts.

How should world leaders and CEOs assess and manage this risk? 

Ray Stanton, BT’s Vice President of Professional Services, is one of the session co-leaders at the World Economic Forum in Davos-Klosters, Switzerland, on ‘Risk in a Hyperconnected World’. Ray will draw on his many years of experience and expertise in the field, as well as on feedback from ISF 2011, to present on issues that will loom large on the agenda of global security leaders in 2012.

Wednesday, January 18, 2012

Playing Games

By John Amer, Principal, BT Assure – Global Capability

BT is a corporate member of the Institute of Information Security Professionals (IISP), and I’ve been a member for the last five or so years. One of the key IISP events for me is its TopGun program.

TopGun brings together two teams:

  • Blue – the corporate defenders of a fictitious company; and
  • Red – a ragtag bunch of miscreants who, despite turning up in suits and holding down jobs in large corporations, consultancies or government departments, assume the roles of malcontents, in the majority of cases, with relative ease.

The most recent TopGun started pretty much like any other. The blue team sat round a table, introduced themselves and started to digest the information presented to them. The red team, housed in a different room, rolled up their sleeves and started causing mischief.

There is a third group in TopGun: the control team. Control is what I do, keeping the story alive, slowing down or speeding up the proceedings by intervention and limited sharing of information between the two teams.  As control started letting the blue team know what was happening to them, they were initially in denial. Attacking before they were ready was cheating! It took a while on this occasion for the message to sink in, but eventually the defenders started to fight back. They implemented a full array of controls to counter what was happening and issues they anticipated could happen. The controls covered the range of people, process and technology. A good mix, pretty much what you’d hope the average corporation would put together.

At the end, we judged the defenders to have won the day. The reason?  After the slow start, they collaborated across virtual departments, they prioritized and multitasked, dealing with both the immediate and long-term priorities of their business. In short, they were a cohesive unit that dealt with the priorities of their business.

TopGun is make-believe, but the behavior of people, their knowledge, mistakes and assumptions are real. That is what makes the day for me. It’s always a surprise to see the low blows the attackers use that pay no respect to the niceties of fair play. It’s a pleasure, when it happens, to see the defenders adapt and change to deal with the reality of the world around them.

In the real world do you prioritize your security projects against the needs of the business? Do you manage to effectively collaborate across the business both internally and externally with your partners? Do you manage to deal with the full impact of security including business reputation? Do you manage to deal with the surprises? Do you play games to understand how you would react in real life?

Security, really good security, is as much about the people involved as it is the technology used. Understanding your organization and the behavior of your people is essential to good security.

The IISP is the Institute of Information Security Professionals. It was formed in 2005 with the objective of raising professionalism in Information Security. BT is a corporate member of the IISP and many employees are individual members.

Monday, January 16, 2012

Guest Post: The Growing State of Network Insecurity and What to Do About It

By Sam Erdheim, AlgoSec

Amongst all of the security trend data that came out near the end of 2011, one stat from the Ponemon Institute that highlighted a growing state of insecurity in the network jumped out at me.  Specifically, 66 percent of IT security professionals surveyed stated that network security is not more secure than the previous year. This trend has been creeping up from the 50 percent-ish level to now two-thirds. With all of the technological advances we’ve made, why do we feel like we’re falling behind?

  • Changing threat landscape and the rise of APTs. This has been discussed ad nauseam, so I won’t kick this dead horse much longer. But the point here is that the “bad guys” continue to innovate more quickly, and we will never win a game of cat and mouse. We need to be proactive in our efforts and always balance those security efforts against impact to the business (every business has its own risk posture).
  • While increased mobility, virtualization, the cloud and next generation firewalls are all impressive technological advances, they all introduce new — or extend — complexities in the network. If not managed properly, these can open up security gaps for attackers to exploit. Putting this into something more tangible… Gartner states that 95 percent of firewall breaches are due to firewall misconfigurations, not firewall flaws. If a traditional, stateful firewall can have a thousand or more tangled rules, then you multiply that by 10, 20, 50, 100 firewalls and the math starts to get ugly. Add in the complexity of more granular policies with next-gen firewalls, and that’s a mathematical problem for only those true numbers geeks.

The increased sophistication of threats and the rising complexity of the network lead me to the discussion of “back to basics.” It’s not sexy, but it works. Too often we set and forget. In a blog I wrote for my employer, AlgoSec, called Trends Shmends, I highlighted how we have become obsessed with the latest and greatest, and in turn oftentimes overlook network security fundamentals.

To be more specific, firewall management is tough. And too many organizations are relying upon overburdened IT teams to manually deal with it via disjointed and ad hoc processes. Spreadsheet audits. Overwhelming numbers of rules per firewall, many of which are redundant or unnecessary or overly permissive. Manual change management processes to address a regular dosage of requests that leave proper testing, validation and documentation wanting… What’s the ultimate impact? Misconfigurations in your network, which lead to risky scenarios. And, potentially, business disruptions due to change management processes that do not instill confidence. Coming out of the holiday season, many organizations were in a holiday network freeze as any change, even if extremely beneficial, could potentially bring down the network. While many want to keep things as is (if network availability is up now, don’t mess with it), I would argue this is an opportunity to improve processes and security – and ultimately business continuity.

So where to focus? When it comes to your network keep in mind business risk with regards to every decision you make, from firewall management to asset management. And make sure this is continuous, not a point in time. Keep up with your documentation and controls. And leverage automation where possible. All of this will enable you to reduce human error, tighten up configurations and focus on additional initiatives to better secure the business. The next shiny object may be more exciting, but our first step should be to go back to basics.
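Both this post and the “What Makes a Good Network Security Policy?” post above make the same case: the damage comes from unmanaged rule bases, with overly permissive rules, rules that are redundant or can never fire, and changes that nobody recorded a ticket or owner for. The following Python script is an added example, not AlgoSec’s product nor any code from the original posts, showing the minimum an automated rule-base check has to do. The rule base, rule names, owners and ticket identifiers are all constructed for the example; it assumes an IPv4-only, first-match policy and a single destination port range per rule.

```python
"""Rule-base hygiene checks for a first-match firewall policy (IPv4 only).

Findings, per rule, in evaluation order:
  any-any       an allow rule whose source, destination, protocol and ports are all wildcards
  undocumented  a rule with no change ticket or owner recorded
  shadowed      an earlier rule with the OPPOSITE action matches everything this rule would,
                so this rule never fires (a classic misconfiguration)
  redundant     an earlier rule with the SAME action already covers this rule
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # CIDR or "any"
    dst: str                       # CIDR or "any"
    proto: str                     # "tcp", "udp" or "any"
    ports: Tuple[int, int]         # inclusive destination port range
    action: str                    # "allow" or "deny"
    ticket: Optional[str] = None   # change record; None if nobody wrote one down
    owner: Optional[str] = None    # who requested / is accountable for the rule


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule b would match is also matched by rule a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def audit(rules: List[Rule]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (rule name, finding, name of the earlier rule involved or None)."""
    findings = []
    for j, rule in enumerate(rules):
        if (rule.action == "allow" and rule.src == "any" and rule.dst == "any"
                and rule.proto == "any" and rule.ports == ANY_PORTS):
            findings.append((rule.name, "any-any", None))
        if rule.ticket is None or rule.owner is None:
            findings.append((rule.name, "undocumented", None))
        for earlier in rules[:j]:   # first-match: only earlier rules can hide this one
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break               # report the rule that actually wins
    return findings


# Constructed rule base (not from any real firewall), listed in evaluation order.
SAMPLE_RULES = [
    Rule("R1", "10.0.0.0/8",     "10.1.2.0/24",  "tcp", (443, 443), "allow", "CHG-1001", "web-team"),
    Rule("R3", "10.5.0.0/16",    "10.1.2.0/24",  "tcp", (443, 443), "deny",  "CHG-1020", "sec-ops"),
    Rule("R4", "10.0.1.0/24",    "10.1.2.10/32", "tcp", (443, 443), "allow", "CHG-1030", "web-team"),
    Rule("R2", "any",            "any",          "any", ANY_PORTS,  "allow"),  # "temporary" catch-all
    Rule("R5", "192.168.0.0/16", "10.9.9.9/32",  "udp", (53, 53),   "allow", "CHG-1042", "dns-team"),
]

if __name__ == "__main__":
    for name, finding, ref in audit(SAMPLE_RULES):
        print(f"{name}: {finding}" + (f" (by {ref})" if ref else ""))
```

On the constructed rule base the script reports that R3’s deny is shadowed by R1 and will never block anything, that R4 and R5 are dead weight, and that the undocumented any-any R2 is the rule somebody will eventually have to explain. A real run would take the exported configuration and resolve address and service objects first; the checks themselves do not change.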

Wednesday, January 11, 2012

Guest Post: “Ladies, Please Remove Your High-Heeled Shoes”

By Dave Martin, Senior Manager, Cyber Security Logica Business Consulting

How often have we heard these words as we sit on a plane listening to the safety and evacuation procedures while waiting for take-off? The safety briefing then goes on to say, “…as they may tear the evacuation slide”; so now you know what to do and why you need to do it.

This short instruction is a simple illustration of what we want to achieve when we deliver a security awareness training program. We want people to know what to do and why we want them to do it.

It is also interesting to see what happens when a message isn’t sold to your audience.  For example, in January 2009 when a US Airways aircraft ‘landed’ on the Hudson River, at least one passenger was reported as having insisted on taking their hand luggage with them during the evacuation.  Why was that?  Maybe they thought that their luggage was very important or, more probably, it hadn’t been explained that taking luggage with you during an emergency evacuation could delay the exit and, ultimately, could have cost lives.

But the bottom line is that people who thrive in stressful situations and lead others to safety are, in general, the ones who have been trained and conditioned.  Why are flight attendants more likely than passengers to survive a plane crash?  Because they’ve been trained so that procedure becomes second nature and execution becomes a reflex.  The same is true for those who have served in the military – they tend to have a much higher chance of surviving a dangerous, stressful, or otherwise life threatening situation when compared against the average person.   My thought on this is that the military trains people to make quick decisions; to rapidly formulate a plan; and then execute it.  In practice, this means they tend to quickly spot a tricky situation and to start to react; rather than dithering and waiting to ‘see what happens’.  Practice it would seem doesn’t make perfection, but it does make for competence. 

So what does all this mean for us in security and business continuity and what lessons can we learn? It’s not rocket science.

  • Firstly, when you write any security or business instructions, don’t just tell people what to do, explain to them why they need to do it.
  • Secondly, training individuals and teams to handle security and business continuity incidents will pay dividends when the time comes to handle a real situation.
  • Finally, help people to recognise untoward situations, maybe by giving them very clear guidelines, so that they can react promptly and accurately.

Follow these three guidelines and your procedures and plans will almost certainly be better.

…and finally, why should only ladies be asked to remove their high heeled shoes? :-)

 

 

Wednesday, January 4, 2012

BYOD: Why Bring Your Own Device Doesn’t Spell Disaster for Your Network’s Security

by Tara Savage, Senior Marketing Manager, BT Global Services

This holiday season was brought to you by the letters B.Y.O and D.  Those four letters spell a major shift in the technology world, one which is going to have a big impact on businesses this month.

It goes without saying that the number one holiday gift this year will be tablet computers and smart phones and that the vast majority of people will want to bring their new device to work with them when they come back to work.  In other words, they’ll be bringing their own devices through your business’s front door and wanting to log on to the corporate network.

Before panic sets in at the thought of hundreds of unsecured devices wreaking havoc on your well managed network, take a step back and have a look at the big picture.

BT’s Ray Stanton and Jeff Schmidt have been talking to the media about why the panic over BYOD is much ado about nothing and that the benefits of enabling workers to use mobile devices far outweighs the risks that are commonly associated with them.

From Jeff’s perspective tablets enable worker productivity and enhance customer satisfaction. As long as strong authentication is enabled and device-wipe capability is part of the tablet’s set-up, data is likely more secure than if it was sitting on a desktop computer in an office park.

In a recent article on searchsecurity.com Ray pointed out that securing mobile devices is very similar to securing laptops, something that companies have been doing successfully for many years now. He says: “[I]f the policy is to allow tablet use, then introduce the same security policies and enforcement as you would on a laptop computer. It’s irrelevant if it is your own device. If users are accessing corporate data, the rules revert to the corporate policies, irrespective of what they have accessed it from.”

Ray points out that the other key to success is user education, to make sure employees are aware of policies and understand both why they are in place and how to comply with them. Ray is particularly impressed with Good Dynamics from Good Technology, which offers some excellent platforms for multi-end-user environments to manage and secure mobile devices.

And, as Martin Brown, another of BT’s security experts has said in his Twelve Tips for Christmas: “Make sure you enable a password set-up immediately and run security updates until there are no more flashing icons.  Just because it’s new doesn’t mean it’s secure!”

 

Thursday, December 29, 2011

Integration of Information Security Vital to Organizations’ Business Success

By Tara Savage, Senior Marketing Manager, BT Global Services

Despite acknowledging that IT security is a priority item for business, information security is still not well integrated with the rest of the business.  To prevent exposure, IT security must focus on security intelligence to win the attention and trust of executive leadership.

At our recent BT Engage IT event, we heard from security experts that integration of information security into organizations is critical. They shared their perspectives about how lack of integration can expose organizations to higher levels of risk and can actually inhibit business.

Panel member Mark Brown, CISO of SAB Miller, told BT Engage IT customers that he has used intelligence about the threat horizon to bridge the gap between IT security and business.

Security intelligence, said Brown, is all about getting on the front foot; but to do this security professionals need to take a long-term view and regularly review their security strategy in the light of intelligence gathered from security threat horizon reports and other sources.

“Too many CISOs have a whack-a-mole mentality. But they have lost the battle if they fail to look at what is potentially coming down the road,” he said.

The BT Engage IT event was also reported on by Warwick Ashford at Computer Weekly.

Tuesday, December 20, 2011

Squirrel Superhighway

By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice

From my home office window I can see a number of old Ash trees lining the nearby main road. Last year the power company changed the power cables and replaced the four old and thin overhead power lines with a new twisted single multi-wire line. What they did not realize was that they were also creating a brilliant squirrel superhighway the entire length of the road! The new line is just the right thickness for a squirrel to run along, tree to tree, they absolutely love it.

Ok, back to cyber security. As engineers and business planners we frequently design and roll out major technical systems without considering what alternative uses they may have. The recent proposals for a new UK smart metering/grid system are just one example. Prof. Ross Anderson in Cambridge has rightly pointed out that it could also have alternative malicious uses.

Globally, ISPs and net providers are frenetically rolling out higher speed connections to the end user by the million. This is nice; I could use faster home broadband right now. But the cost is that it is, and will be used as, a more powerful attack vector by every naughty individual on the planet. Gigabit Botnet armies running on quad-core home supercomputers will be a challenge. If you are a network security professional thinking it’s bad enough now, hang on, the future is about to arrive.

The issue is, that when creating a new technology, it will function within a pre-existing social and technological eco-system. Within such a system every agent is seeking to optimise their own utility and will repurpose any resource to meet their own needs. And people are going to be forced to diversify their income in the immediate economic crisis.

Many years ago my father was stopped in the street by the police for carrying an offensive weapon in public. He had a large flat-bladed screwdriver in the pocket of his overalls, having just walked out of a Sheffield steel works after a long 12-hour shift. In context the tool was perfectly harmless, but the police officer’s inference of intent was not. Similarly, ISPs see copper cables in the ground as a communication medium, but to the UK underclass it’s just a big open cashpoint! This week saw the first instance I know of where hackers destroyed a US water pumping system by hacking in to the networked controller and switching it off and on repeatedly. We need to get a lot more creative when pen-testing new systems. Ideally, we should offer the design to a group of teenagers and ask them what they could use it for. Offer them suitable incentives (e.g. iPads or skateboards) for every creative alternative use they think up. Actually, iPods are another nice example; one of the first alternative uses was to run a sniper range calculation app created by the US Army, which is much more ethical than podslurping!

Moral of the story, tools have many uses. And many things can be used as tools; people included.

 

 

Wednesday, December 14, 2011

Cryptography and Tattoos

By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice

Wouldn’t it be nice if data could be secure? Long before computer experts were invented, the military has been obsessed with improving communication. The earliest use of the electric telegraph was probably in the Crimean War in 1854. The following account by a Captain Robert Locker is a fascinating insight into this. Despite the abysmal conditions in the Crimea, either freezing cold or oppressively hot weather, the ground was often too hard for the cable plough to cut a trench, so the troops had to dig it by hand with spades.

“Rations were of the skimpiest: I was often reduced to bread and biscuit, with a raw onion to follow, although we could sometimes buy very good coffee. It’s a wonder we had the strength to haul the cable drum onto the cart, let alone lay it! And we had to keep on the alert all the time. There could be sudden attacks by the Russians, or raids by the thieving Turks who pinched the copper wire to use as clothes lines.” (Bridge & Pegg)

Isn’t it ironic that we now suffer from copper cable theft from hoodies, to feed global demand for the stuff?

Once the cable was laid and linked to other submarine and overland cables that linked the commanders to London, the very first message was successfully delivered, only to be found useless, as the General in charge had lost the cipher needed to decode it! First problem: good crypto needs careful key management. This leads us quite nicely into the topic of cryptography and communications security.

Since the days of ancient Greece, and probably far earlier, people have wanted two things: firstly, the ability to communicate over great distances and, secondly, to do so securely. My favourite technique was the practice of tattooing, or writing, a message on the shaved head of a slave, waiting for the hair to re-grow and then sending the messenger to the intended recipient, without the carrier having any apparent message to be captured by the enemy along the way. Of course this method does take time, and the poor slave could always be ‘persuaded’ to divulge the fact that such a message existed.

People have invariably broken ‘unbreakable’ codes, it is just a question of time and resources. The advent of strong computational ciphers can make breaking a code very difficult, but rarely impossible. As ever, intelligence agencies, and other criminals, simply look for the weakest link in the process someone used to encipher a message. (Usually the requisite passphrase written on a sticky note attached to the computer monitor.)  A friend of mine in the pen-testing business always photographed the car number plates of his target organisation first, as these were a great seed for passphrase cracking.
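As an added example (not code from the original post), the following Python script makes the “weakest link” point concrete: it mangles a seed the attacker already knows, here a fictional car number plate, into the candidate passphrases a person is likely to have typed from it, and tests each one against a PBKDF2-derived key. The plate, the salt, the two victim passphrases and the small set of mangling rules are all constructed for the example; the derived key stands in for whatever the attacker can test a candidate against in practice (a stored KDF output, a ciphertext with known structure).

```python
"""Why the passphrase, not the cipher, is the weak link.

A key derived from a passphrase is only as strong as the guess space the
passphrase came from.  A passphrase built from a seed the attacker knows
(a number plate, a pet's name) falls in a few dozen guesses; one with no
relation to the seed survives the whole candidate list.  Plate, salt and
mangling rules below are all constructed for this example.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

ITERATIONS = 10_000   # PBKDF2 work factor; raising it slows every guess equally
KEY_LEN = 32


def derive(passphrase: str, salt: bytes) -> bytes:
    """Stand-in for the thing the attacker can test a candidate key against."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, KEY_LEN)


def mangle(seed: str) -> List[str]:
    """Expand one seed into the variants people actually type (small illustrative rule set)."""
    base = seed.replace(" ", "")
    cases = list(dict.fromkeys([base, base.lower(), base.upper(), base.capitalize()]))
    suffixes = ["", "1", "123", "2011", "2012", "!", "2011!", "2012!"]
    leet = str.maketrans("aeios", "43105")       # a->4, e->3, i->1, o->0, s->5
    candidates = []
    for c in cases:
        for s in suffixes:
            candidates.append(c + s)
            candidates.append(c.translate(leet) + s)
    return list(dict.fromkeys(candidates))       # dedupe, preserve order


def crack(verifier: bytes, salt: bytes, seeds: List[str]) -> Tuple[Optional[str], int]:
    """Try every mangled candidate in order; return (passphrase or None, guesses made)."""
    guesses = 0
    for seed in seeds:
        for candidate in mangle(seed):
            guesses += 1
            if hmac.compare_digest(derive(candidate, salt), verifier):
                return candidate, guesses
    return None, guesses


def demo() -> Tuple[Optional[str], int, Optional[str], int]:
    salt = b"constructed-salt-for-demo"
    seeds = ["AB12 CDE", "XY99 ZZZ"]           # fictional plates "photographed" in the car park
    # Victim 1 built the passphrase from their plate; victim 2 used an unrelated phrase.
    weak = derive("ab12cde2011!", salt)
    strong = derive("correct horse battery staple", salt)
    found_weak, n_weak = crack(weak, salt, seeds)
    found_strong, n_strong = crack(strong, salt, seeds)
    return found_weak, n_weak, found_strong, n_strong


if __name__ == "__main__":
    fw, nw, fs, ns = demo()
    print(f"plate-derived passphrase: {fw!r} recovered after {nw} guesses")
    print(f"unrelated passphrase: {fs!r} after {ns} guesses (candidate list exhausted)")
```

The cipher never enters into it: nobody is attacking AES, only the forty-odd strings a person is likely to have typed from that plate. Raising the PBKDF2 work factor slows each guess but leaves the ratio between the two victims untouched; the fix is a passphrase that was not derived from anything observable about its owner, and key management that does not put it on a sticky note.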

The good news is that strong cryptographic solutions are permeating the IT domain in accessible ways, via cheap encrypted hard drives and by being built into modern operating systems. This is critical, as human beings will only utilise the technology fully when the cost in effort is near zero. Unfortunately, the bad guys are already using the very strongest ciphers to hide their own business processes, as the cost is near zero.

Finally, we are also entering an age when even tattoos have smart circuitry embedded in them. It will be fascinating to soon hear law enforcement officials telling young women, “We will have to look at your tattoos!”

Ref. Bridge, Maureen, and Pegg, John, Call to Arms, Focus publishing, 2001.