Insecure by design

We have a fundamental flaw with security. We like to argue that we need to have people that can think as the attacker to be successful as a defender, but this cannot be further from the truth.

Yes, as Sun Tzu stated, it is well suited to the field to know one’s self as well as one’s enemy, but this means we need to start to understand each in their own way. This is flaws and all.

Security is a function of the system and organisation it is designed to defend and it is always an economic function (even in the military). There are no absolutes and what is “cool” is rarely the main concern. As much as malcode such as Flame captures the news, it is of far lower concern then the simple issues constantly confronting us.

Again and again we hear tails of APTs, Stuxnet and more in the News. We as security “professionals” help and aid in the propagation of this myth. The truth is that it is the boring mundane things that really make the true difference.

Patching, White-listing of applications and other simple and mostly overlooked controls are of far more use than the majority of cool toys being pushed on us.

• Yes, these are far sexier than patching and effective policy controls.
• Yes, awareness can be boring.
• Yes, educating people is an endless process.

That stated, these are things that really make a difference.

That stated; these are things that really make a difference.

When “we” as an industry finally start to look at and address the real issues, then and only then will we start to make headway. Only then will we manage to gain a foothold against a rising tide of crimeware and attacks.

For all of the news of new attacks, of zero-days and more, it still remains the systems that have not been patched, the applications that we have allowed off a white-list and poor practice that cause most compromises and breaches.

When we think of critical infrastructure attacks, it is the simply wrong belief that these systems are OK as they are and that these do not need to be patched that leaves them vulnerable. It is the failure to have basic controls and updates, not the growth of new forms of attack that places these systems at risk.

I was told the other day that “old attacks” do not matter and that these could never be used to attack anything. This is the problem with this industry. Old attacks work. New attacks cost money. APT and zero-days are expensive to both create and deploy. They are the proverbial nuclear weapons. Once they are used, they are depleted. They may be used, but the use is extremely controlled and limited. For each of these, there are thousands of not millions of conventional attacks. This is attacks using old vulnerabilities.

• When we as security professionals start to understand that security in business is about business, we will start to make headway.
• When we start to understand that there is no absolute level of security, we may start to win battles.
• When we start to see all security as an economic calculation based on risk, some of which are accepted and not all of which can be fixed, we will start to create secure systems.

But whilst we leave the basics of security for that which is “cool”, fun and trending, we have left the path to creating secure systems and left ourselves open to attack.

Security is not about creating perfection, it is about creating resilient systems that can survive a certain level of attack. Aim for perfection and aim to always lose.

Awareness tips: Use Caution When Handling Visitors

Not everyone not currently working in your organization is going to be a bonafide visitor and more, not all of them will be employees. Even when people are validly at your organization, the need for awareness and caution does not stop.

It is easy to disclose information to competitors who could be visiting for valid reasons.

As such, you should always use caution when disclosing information in front of any visitor. If you see others not being cautious, it is best to note and report this behaviour.

This includes:

• former employees of your company;
• Sales people and organization clients.
• refer any questions from the media (reporters) to the appropriate people in organization;
• when asked to complete a survey or questionnaire ask your supervisor first if it is all right;

If you receive phone calls from vendors or employment agencies, take the individual's name and number and pass this on to the appropriate people. Do not give these people a copy of organization telephone book. This would allow them to make calls which others in organization may not welcome.

When speaking on the telephone, you could easily be fooled into thinking you are talking to an individual with a real need for some facts. Be careful not to give out valuable information to the wrong person. Here are some points to remember:

Verify the identity of the caller. If you cannot do this by asking some key questions, obtain their phone number and tell them you will call back. Refer the matter to your supervisor or manager.

• verify the caller's need to know the requested information;
• be careful not to give out unnecessary information;
• Be aware of who is in the area that could overhear your conversation.
Always remember, information security is not just about firewalls and software. It starts with people and ends with them as well.

Security Breaches

The following is a small process and statement designed to be issued to general staff. Basically awareness is a key component of any successful security program and having users know when and how to report security breaches is critical to the continued secure operations of a site.

Some breaches such as stealing, willful damage and breaking statutory regulations are considered criminal offences. Copying of proprietary software is also a criminal offence as has been shown in some well-documented cases where companies and individuals have been taken to court by the BSA.

• Other breaches of security may not be criminal offences but could embarrass organization.
• Breaches of security could result in suspension or even dismissal.
• Breaches of security whether they are deliberate or accidental can affect all of us at organization.

The handling of security breaches is very important and the following points should be considered:

Responsibility

It is the responsibility of all users to report any suspected breaches of security to the management and the security function of an organization. This is of particular importance if you suspect the breach may have occurred under the improper use of your own USERID. If you have experienced a compromise, you need to be upfront about it or you could be in trouble later.

Notification

Do not discuss suspected breaches with anyone other than your immediate manager and corporate Security and control even though you may be tempted. This is for your own protection and to guard against any possible recriminations should the suspicion prove to be proven or unfounded. This point cannot be overemphasized.

Investigation

Do not attempt to solve the problem or pursue any further investigations yourself. This is the responsibility of user management and Internal Audit with assistance from IT.

Any suspected reported breach will be treated with the utmost confidence and will precede no further if proved to be unfounded.

Details to be reported

When reporting a suspected security breach, there are things you should include in the report.

• USERID and owner name, location, section, department of the person reporting the breach,
• Name and USERID of the person suspected of committing the breach (if available and known),
• Details including systems time and possible evidence i.e.: logs, transaction reports etc.
• Outcome or possible outcome of the breach. This is the consequences as you know them.

Retain any documentation relating to the breach, copy it and forward it to your security contact. If possible the documentation should be delivered in person.

Accidental Breaches

Accidental breaches should be communicated to your immediate management and the security group immediately to relieve any unwarranted suspicion and to save valuable time in tracing the source of the breach.

In Security related operations, People Are Important Too

Most organizations generally state that they recognize that the employees are its most important asset. That said, they often do little to enforce this statement.

The safety and security of the employees should be paramount to the management. This also refers to information and data security and the protection of systems used by those people.

There are many ways in which an organization can seek to ensure the security and safety of its employees. This can be achieved by various security, health and safety programs.

Security whether it is physical or logical is important both for you and the company you are with and the policies and procedures exist to protect both organization and yourself. The role you have to play in the well being of organization should not be underestimated, as you are the key to its success.

There are many ways in which you can assist in Good Security Practices such as:
•    protecting Information In Your Work Area (clear desk etc.);
•    password and USERID Controls;
•    software Use;
•    good Backup Procedures;
•    using organization Computers At Home;
•    disposal Of Sensitive Information;
•    reporting Problems

Awareness is key.

Scope, Goals, and Objectives of Awareness Training

The first stage of developing an awareness-training workshop requires an understanding of the challenges faced by the organization. An awareness of the risk issues facing an organization is essential to develop action plans to address the challenges that they face.

Goals are set for all stages of the program. There should be goals for security awareness, security training, education, and maybe even certification within the organization. ISO 17799 (and hence ISO 2700x) has a mandatory requirement for periodic training in information security awareness. The scope and goals of this program, and thus the objectives need to take into account this mandate.

The goal of this program is to “raise the bar” of awareness and knowledge of information security concerns across the entire organization.

The primary objective of this program is to create and then maintain an appropriate level of protection for all the information resources within the organization by the dissemination of information to all corners of the organization. It is crucial that the awareness of information security processes, controls and responsibilities be improved and constantly maintained. Individual objectives need to be set on a business unit and a departmental level as well.

Training requirements for the implementation of any security program within an organization include the development of an information security awareness program as well as training and education programs. The scope of this process encompasses all staff within the organization with access to IT information assets. This ranges from employees up to executive management and all levels in between.

Figure 1 - Plan Do Check Act (PDCA) process

This process does not end at awareness training alone, but includes the necessary education and training requirements of staff within the organization. The continuing development of individuals within the organization, their education within their roles (especially within IT itself) and the topic of certification are all within the scope of this program.

The continued success of the organization's overall information security process depends on all members of an organization and requires that all members understand the security requirements.

Security Awareness

What is needed to ensure the success of a security awareness program.

This process, as defined in the NIST [1]  documentation consists of the following stages;
1.    Developing an IT policy that reflects business needs tempered by known risks;
2.    informing users on the key security responsibilities, as documented in the security policy and procedures; and
3.    Establishing processes for monitoring and reviewing the program.

It is crucial that the senior management and executives of an organization lead by example.

All users within the organization must be aware of the need for security and of their responsibilities in order for any security program to be successful.

It is crucial to understand that awareness is not training or education. Rather, awareness is the first stage in developing a culture of security within the organization. Security awareness allows people to understand their role within the organization from an information security perspective. Awareness helps people realize the need for further training and education.

In planning the development of awareness, training and education programs it is essential to first understand that each of these are a separate stage that builds upon the next. Initially security awareness sessions help users improve their behavior from an information security perspective. Awareness sessions allow users to become knowledgeable in their responsibilities as they are taught correct practice within the organization. Development of awareness across all users helps improve accountability, one of the key tenements of creating a secure environment.

It is important that employees are trained to understand their roles and responsibilities from an information security perspective in order to show that a standard of due care in protecting the organization’s information security assets has been implemented.

No staff member may be expected to conform to the organization’s policies standards and procedures until they have been informed adequately. As a result, these users pose a risk to the security of the information assets belonging to the organization. Security awareness program helps users understand their responsibilities, and allow the users to address the need for a security within their role.

Awareness starts as the first stage of an information security awareness, training, and education program. It by no means ends at this stage. Awareness is a continuing process that should be used to reinforce the training and education stages of the program.

Awareness is a continuing process to alter the user’s behavior and attitudes.

[1] NIST (National Institute of Standards and Technology) Special Publication 800-50

Statistics and R. A Free Course

Week 1 has started to be loaded. There are more files to load, but the issues with UDemy I had are solved it seems and we are underway.

If you want to have a free course in statistics and programming in R, come along.

The link address is: http://www.udemy.com/statistics-and-r-for-beginners/

Planning Scope

Planning the scope of any security engagement audit needs to be a collaborative effort. It is essential to involve not only the security team but also management and the system or process owner. Additionally, technical experts and other interested parties may also need to be involved.

The purpose of the security engagement will help us define the scope. That is “the why” of the project. Generally it is necessary to start with the purpose of the project and refine this during the research phase as additional information comes to light. Working from the purpose of the security project (such as the need to become compliant to a regulatory standard such as the PCI-DSS for payment card processing) research will lead to a definition of the systems that need to be checked, the timeframe and the standards that need to be met.

With the purpose and research together, scope can be planned with various milestones and completion stages. The goal of the scoping exercise is to try and get a basic scope plan together before taking it to management. There are likely to be changes when the scope has been initially given to management of these will be rectified based on agreement. On the other hand, obtaining agreement on scope before doing additional research which leads to a change in scope and subsequent management re-approval has the consequence of making the security consultant, auditor or security team look incompetent.

Figure 1 An Audit is a Project

Always ensure that you have researched and fully documented your scope before taking it to management for approval.

As any security engagement is a project, this should ideally include a Gantt chart with the scope.

This addition makes it look like you have put more effort into the planning. Management and stakeholders appreciate this stage even when the project does not follow the predefined path as it does demonstrate that you have made the effort to research the project.

It is generally unlikely that management will scrutinize the Gantt chart in any detail, but the simple fact that you have included it makes it more likely that the scope will be accepted as it demonstrates forethought.

Remember, whether you are doing a penetration test, a security review or even implementing a new defensive system, security is a project. It is only once these systems have become incorporated into the daily operations that they become an operational concern and this is not a function of audit or review.