Security and online privacy

An excellent illustration of the kind of information we're publishing online about ourselves...

Remember: nothing you publish online is really secret, be smart.

Patching, patching, and patching again

Some time ago I listed some of the critical security patches which became available in February. It was indeed a very busy month, but nothing exceptional. Patching is a very important activity whcih can become overwhelming of it is not done properly. It is second (application patching) and third (OS patching) on the Strategies to Mitigate Targeted Cyber Intrusions published by the Australian's DoD Intelligence and Security team. The first item on the list is application whitelisting.

Patching is not only about the OS. Secunia found that 86% of vulnerabilities in Windows are coming from non-Microsoft products. So Windows Updates are not sufficient.

Steps

Patching is something which should be done as soon as possible. But it does not mean it should be rushed. The typical steps are:

• Evaluate the criticality of the patch: Critical security vulnerabilities exploitable remotely without user intervention and giving full admin control should not be treated the same as a patch which corrects a typo in the help document.  
• Evaluate whether the vulnerability could be exploited in your environment: If it's a flaw in the JVM but you (wisely) removed the Java plugin from your browser then this should give you some time. If it's a critical security problem in the very specific version of Apache you're running on public facing servers then you should probably have a serious look into it, and rapidly.
• Evaluate the risk this vulnerability represents to the assets your want to protect: Would give access to confidential information? Could critical services be impacted, destroyed? Or is it a less important secondary service which would be impacted?
• Evaluate the mitigation measures you may have or could put in place: If the attacker tries to infect workstations via a known set of servers maybe you can block these IPs at the border. Maybe your IPS already has the signatures to prevent a specific attack to succeed.
• Evaluate the impact of applying the patch: Some patches are easy to test and install, some require a restart of the service, a reboot of the server, or have an impact on functionalities. Your environment will also determine how easy and rapidly you can test and deploy a patch: Do you have a test environment which functionally mirrors your production environment? What could break with this patch? Do you have high availability in place so you can easily deploy a patch on one node, test, and rollback if necessary? How easy is it to rollback?
• Deploy the patch: Once you know you have evaluated that the risk of not-patching is higher than the risk of patching then you should deploy the patch as rapidly as you can. Do you have the appropriate tools to deploy patches? Do you have a patching window in place? Do you have the change control process in place?
• Monitor the environment: Control your monitoring tools to see the impact on your environment (you have monitoring tools and a good baseline, right?) Do you see an impact on the load? Do you see more errors in the logs? More crashes?

Advice

• Make sure you have a well documented process in place: Checklists and sign-offs.
• Try to have a test environment which mirror functionally your production environment so you can test patches effectively.
• Have redundancy wherever you can afford, it makes patching safer and much easier.
• Have the right tools to ensure you are fully patched, it's easy to miss a critical patch and stay exposed for weeks or months. Secunia or others are doing a pretty good job (their Personal Software Inspector is free for home use).
• Use auto-update functions where possible: Firefox and Chrome both come with very good and transparent auto-update features, with very limited impact and risk for the environment.
• Patch regularly, even non-critical patches: you may end up to have to install a whole lot of non-critical patches as a prerequisite to install a critical one. And you don't want to do this overnight...
• Always use security-in-depth: It is not always possible to patch immediately or a patch may not even be available for a known vulnerability (Secunia estimates that on average 20% of vulnerabilities still don't have a patch available after 30 days). If you have done your job right you should often have ways to mitigate the risk a vulnerability creates: Firewall, IPS, disabled unused services, etc.

How fast can you deploy a critical patch in your environment? On key systems applying a patch overnight is excellent, 48 hours is very good, a few days becomes risky, and more is often not good enough. As always measure the time to deploy a patch and try to improve the slower parts of the process.

Happy patching!

What gets measured gets done

The original saying may have been "If you can't measure it, you can't manage it" or "If you can measure it, you can manage it", and its origin in not clear. But the core idea stays:

1. Measure where you are today
2. Decide where you want to be tomorrow
3. Work towards that goal
4. Got back to 1

Measuring helps you understand:

• where you are
• which direction you're going
• how far you are from your destination

Not measuring is a bit like finding yourself in the middle of the desert without water, knowing there is an oasis somewhere, but not knowing where, with no map or compass (no GPS either, sorry). Your chances of survival are pretty limited...

In security measuring and managing is called risk management:

1. Measure your current risk profile (threats, vulnerabilities, assets)
2. Decide the acceptable risk level (assets value)
3. Implement mitigations based on priorities (risk reduction, cost)
4. Go back to 1

Trying to understand where you are today is a very important first step. Many organisation think they are safe because they believe they have not been compromised so far. Security experts have probably all heard something in the lines of: 

nothing happened so far, so why would it be a problem now?

If you don't have antivirus, if you don't look at your logs, if you don't have an IDS, how would you know you have been infected in the first place? You may think you are safe when in fact you've been compromised long time ago. HP estimates that it takes 416 days on average to detect a breach, and that 94% of breaches are found by a third party! The potential loss of money (IP, trust of clients...) is very high.

The second part of the question is about the "why is it a problem now?" and it quite easy: Because the internet is becoming more dangerous. Attackers are smarter, better equipped, better organized and more motivated: The majority of attacks now are done for profit, political or financial. In its latest quarterly report F-Secure found that almost 60% of mobile threats are motivated by money. A clear trend can be seen over the years.

Source: F-Secure

So measure, audit, control!

On your next day to work go to see you cyber security team, and ask them to see what is measured in your company:

• Do you have the right tools to do the job?
• Firewall between the different network zones, on all servers and workstations
• Antivirus on the gateways, all servers and all workstations
• Hardened devices, whitelisting of applications
• IDS/IPS on the network and on the hosts
• Configuration management to monitor changes in the environment
• Data Loss Prevention mechanisms
• Central collection of all logs (OS, AV, apps, network...) to avoid losing traces of attack
• Do you have the process to find and correct problems?
• Regular review of the collected logs, possibly automatic (SIEM)
• Rapid deployment of security patches
• Regular pentests from inside and outside the network
• Strong SDLC which help deal with security aspects from idea to launch to decommission of a solution
• How well is this working?
• How many security patches have not been applied? For what reason?
• What are the trends of detection and mitigation of attacks (IPS/IDS/Firewall) and other nasties (antivirus, whitelisting)?
• How many data loss have you been able to detect/prevent?

Don't be afraid to ask for evidence, numbers, independent audit reports. Whether you are the CxO, the business owner , the Security Manager, the Ops Manager or the System Owner "I did not know" or "nobody told me" are not acceptable answers.

Measure it and manage it!

Busy month for Ops teams!

This month has seen Ops teams needing to install long list of critical updates coming from Microsoft, Adobe and Java on a very regular basis:

• 01/02/2013 : Java SE 7 Update 14 and Java SE 6 Update 39 (50 security fixes)
• 07/02/2013 : APSB13-04 Security updates available for Adobe Flash Player
• 12/02/2013 : APSB13-05 Security updates available for Adobe Flash Player
• 12/02/2013 : APSB13-06 Security updates available for Adobe Shockwave Player
• 12/02/2013 : ms13-feb Microsoft Security Bulletin Summary for February 2013 (57 security fixes)
• 13/02/2013 : APSA13-02 Security advisory available for Adobe Reader and Acrobat
• 19/02/2013 : Java SE 7 Update 15 and Java SE 6 Update 41 (5 security fixes)
• 20/02/2013 : APSB13-07 Security updates available for Adobe Reader and Acrobat
• 26/02/2013 : APSB13-08 Security updates available for Adobe Flash Player

And a Polish security firm found yet other vulnerabilities in Java which have not been patched yet!

My recommendations about this are:

• Limit the execution of Java applets to a limited list trusted websites only, or better to disable Java applets altogether
• Auto-update as much as you can on the client side: Java, Flash, Chrome, Firefox, etc.
• Push Microsoft update very rapidly on workstations, preferably immediatly: The risk (likelihood and impact) of something breaking is lower than the cost of cleaning up the environment/reputation after a breach

Cloud services, hosting providers and in-house data centres are all the same

Cloud computing comes to NERSC (Photo credit: Lawrence Berkeley National Laboratory)

What have Amazon Web Services, Google Gmail, and IBM data centre in Auckland in common? They all failed and became inaccessible at one point or another. Just as many others.

Can we really rely on cloud services? Are they solid enough?
Yes, they are, provided you have done a good risk analysis, understand what your company is getting and mitigated the risks accordingly. Cloud services or hosting providers are just like in-house hosting:

• Both can fail and become inaccessible
• Both can get attacked and broken into

In all cases you need to ask yourself the same questions:

• Confidentiality
• How can I prevent unauthorized access to the information?
• Attackers will try to get access to your data regardless of where it is hosted.
• Integrity
• How can I ensure the data is not being tampered with?
• Voluntary or involuntary modification of your data can occur in your data centre just as it could in the cloud
• Availability
• How can I guarantee a level of availability which is in line with the business needs?
• Your physical or virtual servers can go down, the application can fail, the network can crash, the SAN can fail, your ISP can go down, just like your power or you cloud provider.

Regardless of the option you prefer you'll have choices to make, risks to take or to mitigate, and your environment may suffer. Just make sure you evaluate the CIA of your solution carefully, that the business understands the current risk position and that your have a Business Continuity Plan in place.

Global State of Information Security Survey 2013

The Global State of Information
Security Survey

Every year PwC, CIO magazine, and CSO magazine publish the result of a survey of thousands of CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from a 100+ countries all over the world. It helps gathering information on the current trends, perceptions and overall state of the IT security from a top management perspective.

Attackers have become better and more aggressive: more attacks, more sophisticated, with bigger impacts, more nation-state controlled attacks... In the era of the cloud, social media, mobile and BYOD cyber security is certainly being heavily impacted. The exposure has increased and it has certainly been noted by this report as well: "The bad guys appear to be in the lead". All is not dark, there are some good news, but we must keep improving.

Assessment and culture

The report finds that good self-assessments continue: It's necessary for companies to understand and verify the risk they are taking. Also most respondents believe their organizations have instilled effective information security behaviors into organizational culture. Almost 50% of new projects see information security being taken into account either at project inception, or during the analysis and design phase. This is a good number, but more education is required, still. Finally most respondents (71%) say their information security activities are effective: This number used to be higher, this may be the result of better self-assessments which allow actual risks to be discovered.

In an post about the survey on CIO's website Colin Slater, partner at PwC says that "we still got a real lack of planning, it came up last year. It came out again this year". This is sad, because Information Security is both cheaper and more effective if it's initiated early in the project process, and supported by strong culture and leadership. “You need to have a strategy that defines what are the outcomes you want,” says Slater.

Capabilities and training

Between the economic climate, the pressure the do more with less and the pace of change of technology it's difficult to keep security on top of the agenda. 

The cloud, social media, BYOD are all trend which can have a severe impact on security. More controls would be necessary when the budget for security stagnates or is being compressed. The report is clear: The economic environment ranks first among the multiple factors shaping security budgets,with information security concerns lying far down the list.
The use of malicious code detection tools went from 83% to 71% in one year. IDS, rogue device detection, vulnerability scanning and other tools usage went done use when down by about 10% each. Sound security practices as well, with less backup, DR and BCP, review of users and access, application security, logging and monitoring, physical security. The authors draw an interesting parallel:

That’s like playing a championship game with amateur sports equipment.

Training and eduction is also being impacted. This is a worry as well as employees are still a major vector for data loss, either intentionally or not.

Seeing a diminution of the capacity to prevent cyber security breaches is a concern as we're facing both a larger exposure and more professional attackers. We could see an increase of successful attacks in the future.

Recommendations

The reports comes with some recommendations for businesses willing to lower their exposure and increase security:

1. Implement a comprehensive risk-assessment strategy and align security investments with identified risks
2. Understand their organization’s information, who wants it, and what tactics adversaries might use to get it
3. Understand that information security requirements—and, indeed, overall strategies for doing business—have reached a turning point
4. Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value to the business

The first two are revolving around the same concept:

What gets measured gets done.

You need to know where your business is at, what are the threats, the risks, the current problems, in order to effectively and efficiently protect it. “What is important to the business? Then you can make decisions on what level of investment you need to protect it. If it is subjective, you are never going to get a clear view of your basic building blocks,” says Slater. What gets measured gets done better, should I add.

The third one reflects what I've mentioned in the introduction: Attackers are becoming more professional, sometimes with entire nation-state supporting them. The defence of company assets also needs to become even more professional.

Finally the fourth recommendation mentions the creation of value to the business. I can't see how security could create value. But security can certainly save money. Investments in security is similar to contracting an insurance: You can protect the company from the impact of daily risks. The difficulty is to decide which level of policy is right for you. You can estimate the ROI of you security, and you should.

Internal threats

 Some rights reserved
by Jordan Bracco

Threats to computer systems can come from outside or inside the corporate network. And whilst most of the measures tends to focus on external threats the behaviour of employees, intentional or not, represents a major risk as well.

Employees

Symantec recently published a study (What's Yours is Mine: How Employees are Putting Your Intellectual Property at Risk) showing that a majority of employees are copying corporate data in and out of the network, either on personal devices and cloud-based storage like Google Drive or Dropbox. The finding of the study are as follows:

• Employees are moving IP outside the company in all directions
• When employees change jobs, sensitive business documents often travel with them
• Employees are not aware they are putting themselves and their companies at risk
• They attribute ownership of IP to the person who created it
• Organizations are failing to create a culture of security

This creates many potential leakage points. 

Solutions

Symantec recommend three mitigation measures:

• Education and awareness
• Enforcement of NDAs
• Implementation of monitoring technologies

I would also add that the access to sensitive information should be on a need-to-know basis.

These are all passive solutions. I would suggest a few active solutions as well:

• Control the usage of USB ports, from company approved USB keys only, which come with a usage policy (education), to a flat-out no-USB-storage policy
• Use IRM solutions to protect confidential files 

Active solutions often come with a operational cost, and these need to be compared against the cost of a leak. They may not be worth their cost to protect not sensitive data, but may prove cheap compared fo the loss of critical IP or classified information. Some countries make it a requirement for some levels of classification.

There are more ways the data can go out of a company's network because of employees.

Operational mistakes

There has been many example in the past of administrator doing mistakes which exposed data to the outside world. Yale University recently exposed the social security numbers of 43'000 of its students when they made them accessible via an unprotected FTP server. Another example is MSD (Ministry of Social Development) in New Zealand which allowed access to the whole ministry's network via publicly accessible kiosks. Some pretty important stuff got found there, like information about Care & Protection homes, fraud investigation, debt collection and various admin password in clear text...

Solutions

Mistakes can happen. Here again education and awareness is really important, as well as the implementation of monitoring technologies. Another concept is really important here: Defence-in-depth. In MSD case above several layers of protections were missing:

• Network: Publicly accessible kiosks should not have been able to access the Ministry's network
• Shares: The Ministry's shares should not have been accessible by the user used by the kiosks
• Folders: The access to the content of such sensitive folders should be limited to specific groups only
• Files: Finally an IRM would have helped protecting these sensitive files

For the same reason we use multiple-tier architecture, forbidding direct access to databases and other data repositories to users. The database will control the user has access. The application will control have access. The network will control that the user has access. This way if one protection layer fails we always have additional measures to ensure the data is safe, 

Attackers

Attackers can try to access data in many different ways. The closer the entry point is from the information they want, the easier. The firewalls and other border network security may be strong, but an attacker can use other ways to get in: Social engineering, phishing, malware, etc. There are many 0day exploits out there, and companies are often slow to patch their systems. A smartly worded e-mail will catch a lot of people off guard. A USB key inserted in a computer on a false pretext can easily infect a network if the workstation is poorly protected.

Solutions

As for the other cases education is paramount. Companies could test their employees by sending phishing e-mails for education purposes. Someone clicking on the link would have to go through an eduction program again.

• Protect the information at the information layer, as close as possible from the data. So even if an attacker gets access to you internal network it's not a free-for-all access
• Ensure antivirus on desktops and servers in always recent and the signatures are up-to-date
• Monitor failed connection attempts, as once inside an attacker may try to brute-force his way in more protected areas
• Make sure you have IDS/IPS inside the network as well, not just at the border
• Finally review the logs! It's useless to have a fancy alarm system if you set it on silent.