We often are asked to think outside of the box. Are organisations innovative enough when it comes to the employment market when there is a shortage in skilled security experts? And what do I mean by 'your brain is not in your suit'? Let me explain.
In my last blog I raised the spectre of hacking humans brains following the recent disclosure that Facebook has been experimenting (sorry researching) affects of positive versus negative feeds from friends.
Let me tell you a story, the story of information security.
Human factors have always been the bane of security professionals, and social engineering is also high on the list of factors requiring mitigation measures and controls. Yet their very nature makes them highly variable – humans will always work out circumvention to a control if it makes their lives easier.
Organisations often view security as a burden and not as an enabler. In doing so they are losing to their competition. It is like playing Russian roulette and the first one who gets hit will lose for sure, while some others might follow or get out of the game early enough.
Whether you attribute this quote to Rita Mae Brown, or Albert Einstein, it’s out there and it sums up a lot of security practices: “Insanity: doing the same thing over and over again and expecting different results."
Having worked in and around information security for more than 20 years, I think I’m in a good position to make observations about the industry.
There is a buzz in Australia, post Amazon’s Web Services Summit, around a few cloud related concepts. I will try and distill.
At the recent CSO Perspectives Roadshow I was on a panel with the esteemed David Lacey, he suggested just like Asimov's laws for robotics we need some clear maxims for the security and privacy management of big data.
Enex TestLab’s various divisions cut across a large number of industry sectors, perhaps more so than most organisations. From my perspective, we deal with an impressive number of organisations and individuals within those industries. Heading this organisation, therefore, requires me to wear a number of different hats in any given day. But the one common denominator is the humans that we need to interact with.
So a trader at UBS lost 2.3 billion dollars. To put that in perspective that is $2.3B of cold hard liquid cash that is gone gone gone. UBS announced plans in August to lay off 3500 employees to reduce future expenditure over the next three years by a similar amount (around $2.2B USD). A cynic would ask if there were any risk and compliance personnel headcount in that slash? The current gallows humor joke is that the CEO could have saved $2B by laying off one employee rather than 3500. There have been at least nine rogue trading scandals in recent memory. Of note are the following: • FIRST - Nick Leeson (827M Pounds) at Barings Bank - caused collapse of the bank • BREAKING 1 BILLION - Toshihide Iguchi ($1.1B) at Resona Holdings • BREAKING 2 BILLION - Yasuo Hamanaka ($2.3B) at Sumitomo • BIGGEST - Jérôme Kerviel €4.9B) at Société Générale • LATEST - Kweku Adoboli $2.3B at UBS Now before you start trying to drum up some support for your information security endeavors by quoting $2.3B as a potential saving, let's have a look at how information security can and can't help with the issue of fraud. Firstly the traders were all trusted authorised employees doing what they were employed to do and using systems they were authorised to access, performing activities that were expected. They just escaped their shackles and took larger risks than they were authorised to by finding holes in internal control practices. From my meager research undertaken it appears that timing of activities to evade monitoring practices was common in many of these instances, very similar to "check kiting" or "ponzi schemes". Good questions to ask if you had the chance of these institutions would be: • Did any internal control reports detect any irregularities previous to the major incident? • Was this their first transgression? • Were they formally counseled in the past? • Was this gambling outside of their daily limit with or without the tacit approval of management? • What was the risk management culture like within the organisation? Let's talk about some traditional information security controls that we could potentially apply to this problem and how they can and can't help us: Application Security Controls Application authentication wouldn't have helped, as the traders were authorised users of the trading applications. Role based access control/implementation of segregation of duties/dual auuthorisation potentially could have helped if front office and back office functions were in the same application. Front office (those rabid trader/gamblers) and back office (confirmation/settlement/accounting/risk management/compliance) functions are required to be independent. Often these systems are not a single integrated application but a number of applications that are interconnected. Infrastructure Security Controls Anti-Malware, HIPS and NIPS damn well wouldn't have worked! There's no signature definition for "employee has gone NUTS today!" A Security Event and Information Management solution definitely wouldn't have helped as the transactions were valid "authorised" application level transactions not platform or network logs or IDS alerts. If you think you can help with this issue as an information security professional, maybe you should adjust your expectations. Ask yourself these questions; • Do I understand complex financial instruments? • Do I understand business processes for trading and how timing and changes in the order of a series of complex activities can subvert internal controls? • Am I a financial application architect or developer or do I have the influence to persuade a vendor to make changes to an application? How can you help? As an information security professional in a financial institution potentially consider some of the following activities, which may actually help: • Develop friendly relationships with your fraud team and internal audit team • Help your organisation inventory and risk assess applications and supporting systems. What are the most critical applications and supporting systems? • Help introduce the concepts of threat modeling and attack trees to your fraud and audit teams. It may help them in designing controls if they start to think like their prey! • Lobby for the implementation of effective internal controls within trading/treasury applications, this includes: ◦ requirements for controls ◦ documentation of how the controls are to be implemented and monitored. These could include restrictions on daily limits for traders, dual authorisation for high vale trades in the front office and back office real time monitoring and even pattern matching for individuals activities. ◦ testing of controls to make sure they are effectively configured and monitored • Lobby for fraud monitoring applications and resources for the fraud team • Lobby for cultural change and employee assistance programs • Conduct security awareness training, especially focus on the dangers and implications on the individual of sharing passwords/smart cards and the concepts of role based access control/segregation of duties. • Schedule application security and infrastructure security testing of critical applications. It may help if once the internal controls are implemented that they can't be bypassed with a web proxy and some parameter manipulation. As always I welcome your feedback and encourage you to share your experiences!
When was the last time that you read an article by a hacker in the mainstream media that talks about what enables them to do the things that they do? And what, in their opinion, would make their life harder? I can’t think of too many over the years. All the articles are generally written by “generalist” specialists, who know very little about the “hacker” mindset, trying to tell you what the “hacker” mind is thinking and how the bad hackers will get you. I would do it myself, however I am surrounded by people whose technical skills just blow my mind, by what I see them achieve. Our clients love it; well that depends on the definition in context. So here’s something a bit left field. I’m writing this after speaking with one of our team - one of the most brilliant technical security people I have ever met. Handball to them – this is their perspective, their opinion and how and they see it: I have never been a CSO, CIO, CEO or in any IT Management role. I’m considered a “hacker”! I call myself that too. But before you picture me in a dark trench coat, I do have a Masters in IT with Honours. I chose to do what I do because I love it. I leave the business side of things to others, for now, who want to rise up the management tree and do what they want to do for their own reasons. At the moment, that’s not for me. There’s so much work to be done at the ground level of information security where I want to make a difference, and to be honest, it’s far more interesting – by a long way! One day, maybe I’ll do the management stuff, but for now it’s not for me. As such, I won’t profess to understanding all the management issues many of you reading this have. This article is my take on what I see from the work that I do and from my experiences with working with people and companies in IT and IT security at all levels, including clients, friends, ex-coworkers, across five different countries and for enterprises of all sizes from global investment banks through startup businesses and across many industry sectors. My view of the business world differs in my opinion to that view of IT management. While I acknowledge it's always easy to give an opinion when you don't have to face the fight within an organisation, the realities are how I see them. I can only comment on what I see and I cannot embellish it to make the reader feel better. Every time we commence a new project, our team generally does not need to be primed for a great security challenge. Sadly, and this is a serious thing to consider, what we think and discuss is how quickly we going to own this application, system, company. It’s a sorry state of affairs to expect this. Our office is in a state of genuine WTF when we actually encounter an application, system or company that is really secured and we cannot do anything to. Albeit within a defined scope of technical testing – and I add that, because we also know that we can change that “good” result with a bit of Red Cell … a number of phone calls can change that situation quickly but read the last blog from Drazen on that. As a white-hat “hacker”, companies make it easy for me to look good. I am in a position to tell you what would make my job harder. So here we go; its not rocket science, and I don’t profess to covering it all here. But, if you do want to make life harder for those with nefarious intent, do this; 1. Avoid password re-use for administrators. (I love this and defaults even better … makes my life easier to get a good result from the hacker perspective). 2. Know what you have on your network and “control” with good security policy. Run something that detects new hardware on your network. (Probably the most effective security I have seen – honestly). I have lost track of the number of times a client has told us we have “x” number of Internet facing systems, only for me to find three time ”x” number of systems. If that is the case, how can one be secure? Also, only one MAC address authorized per switch port. You don’t need expensive security appliances. Just some hard work and few good Network/System Admins. Listen to your Network/System Admins (They generally know their stuff). 3. Monitor your internal network to detect weird behavior and unexpected requests. I don’t mean pay for “heuristic” systems that profess to doing it for you. They don’t, they’re rubbish! Look at the claims by security vendors and ask yourself why they’ve been saying this for 10 years but I can still own your network? Your Network Admins should know your network. They should be allowed and supported with time and resources to monitor logs of the systems they manage. They will tell you. Support them, but put the pressure on them to do it. Outsourced perimeter management providers don’t care. Their SLA’s claim that they do, but they don’t, and we’ve rarely, to the point where we cannot recall when, been stopped by them. You could save yourself significant amounts by avoiding such services and going back to basics. Build secure systems, patch them and monitor the logs/traffic, its straight forward. 4. Monitor external DNS to detect new website/hostname exposed on Internet by your company. Who does this now? 5. Let your System/Network Admins use their magic. Let them develop scripting language systems that do things to help with your security. Computers exist to compute large amounts of information quickly - nothing more annoying than wasting hours to do something that can be done with a 5 minute script. Even worse, buying something that your own team can script up relatively quickly. 6. Win small fights - one at a time. Don't try to change all the security in one big fight. Just accept that it takes time and move from one change to another. Start simple: move from FTP to SFTP, move from telnet to SSH, but be committed. It will make a difference. Even small changes like this can make a difference to being owned by an opportunistic script kiddie. 7. Don't buy expensive boxes just because you think, or have been told, they will make you secure. We’ll either by-pass that box, or own the box. Either way, you’ve prospectively wasted your money and the end result from my perspective is the same. I own you. As has been said before, you could use that money for a corporate Ferrari for team moral instead, better use of the money. Your security is rarely better from these product. Save the money to hire people with skills instead of getting magic boxes that do little or nothing. We find it amusing that in 2011 we can own 90%+ of systems that we approach first time, yet these companies all have packet filtering routers, FWs, IDS/IPS and WAFs. Isn’t that so obvious. 8. Use open source. Most of the tools you need can be found in open source software - and let your skilled people use their skills to make it work for you. 9. Go to conferences like; Defcon, Ruxcon, Kiwicon, CCC, etc – where you will learn from industry “hackers” and see what is really happening. Why waste your time at conferences lead by big name keynote speakers who will only dribble on about what you already know? Go there if you must to network but you could use the time better. 10. As a CSO, you MUST be involved with all “critical” projects like new SOE build for laptops, servers and workstations. I call these “critical” - others may not. They may look at it from the bigger picture – that 20,000ft level. What a silly view. At the end of the day, it all comes down to the basics – work from there. 11. Spend time with your Windows team, Unix team, Network team to understand their work and to gather ideas on how to improve security. They know their systems more than you do and should be happy to give you advice if they see that you're interested in their work. Don't forget to give them credits once you managed to make some security progress. 12. Don't believe in magic. Improving technical security takes times and hard work – focus on the basics. Did I mention not to buy stuff because a vendor promised magic? 13. Get at least one good security person per team for; Network, Unix, Windows. Same for QA team and dev team. They are out there – find them. 14. And, back to magic. Don't buy security software or hardware like WAFs and IDS/IPS unless you have a full time person to work on them. We by-pass them all the time to own your systems and this demonstrate money is wasted on them. They will however make a difference though if you dedicate the time to correctly implementing and using them properly. So now you’ve read this. As I said, it’s not rocket science. If you want to make life harder as a “hacker”, you can see that it’s not really that hard if you want to make the effort and you are serious. They may still get you with a really cool 0day but that could take time. In the meantime, one can be easily put off by having good basic security controls and practices in place and go for a softer target.
There has lately been a tendency to ignore cyber-predicaments until they evolve into historic or catastrophic events. Geopolitical and national interests determine whether a proactive cyber-defence lesson is learnt from the others’ experience or these issues are still dealt subtly. Delaying appropriate action, or ignoring these issues for too long or even by ignoring for a little while, can now result in unmanageable crisis, significant loss of data, and not to mention the time and financial investments. Some of my sources had predicted early in 2012 about series of cyber-attacks that will hit countries in the Middle East in a row. Much to my surprise, yes, the attacks began with a massive one which was not even close to what the expert predictions were or what I had imagined to be. 30000+ computers were infected, restored, and billions of dollars was spent by Saudi Aramco in recovery of the systems - no loss of sensitive data or harm to their critical infrastructure and oil & gas exploration claimed the company although the brand damage was devastating. I may be the millionth person speaking about this as this incident is now very well known in all corners of the world (doing circles I must say). Still bragging about this? Remember what the experts had predicted “Series of attacks”. There have been other attacks in the region that also made the headlines like the Qatar’s RasGas, Saudi Arabian Ministry of Interior, the UAE based Ras-Al Khaima Bank (RAK Bank), the Omani based Bank of Muscat and more. Alright, let’s stop here and try to re-think the motives of region’s recent cyber attacks. Despite predictions and several warnings, there have been considerably high impact cyber-attacks; couple on the Oil & Gas giants let’s say for “undisclosed reasons”. Another on a National security force almost clearly for political reasons or must I say a classic example of Hacktivism? And a few more on banks most obviously for financial gains. Although the alarm for regional imperative for cyber security rang a while ago, why was the defence let down? Was there any defence in the first place? Arguably yes, but I’m being very ambivalent here as it depends on the scale of defence and their capability to combat these cyber-attacks. Remember the case of Estonia, one of the world’s largest co-ordinated (state-sponsored) cyber-attacks where nobody knew what was coming their way, but when it did, it was far more than just being too late. One of the most common means of cyber attack “Distributed Denial of Service (DDoS)” undermined the entire nation. Why this example? Imagine what attacks like these can look like on a regional level with every second country in the region being attacked day-in and day-out. While people like us keep referring to history and make direct comments on cyber-security, the respective Governments have not been able to retort which clarifies the uncertainty of their cyber-defence capabilities. It was time for collective cyber-defence - first at the enterprise level where the public and private sector companies strengthened their cyber threat/attack detection and prevention capabilities and then at the national level with the Government creating an integrated system or model for real time threat or attack information reporting and sharing. And finally, at the regional level with countries collaborating to address mutual concerns.
Has anything changed? So little to change? Well maybe a bit... -------------------------------------------------
Nigel is Director of the Centre for Internet Safety, University of Canberra and for nearly five years was the Team Leader investigations at the Australian High Tech Crime Centre. He has published two books on the international dimension of cyber crime and lectures widely at Australian academic institutions. Follow Nigel on twitter @nphair
Security Evangelist, AVG (AU/NZ)
Matthew has over ten years experience operating solely in the area of information security, holds a Bachelors degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urges still stay a bit technical. Hence he plays with backtrack linux, metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt’s security blog is called Infamous Agenda and he is an active twitter user with the handle @mhackling
Patrick Clawson serves as Chairman and CEO of Lumension, where he is responsible for leading the company's overall strategic direction to drive revenue growth and profitability as well as overseeing the day to day operations. Clawson brings more than 20 years of software industry experience and has a successful track record of running high tech companies.
Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing CISSP, CISM, CSEPS and CISA. He is a long standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au blog at http://enextestlab.blogspot.com and can be found on twitter as @enextestlab.
Stilgherrian is a freelance journalist, writer and broadcaster with more than a little hands-on experience in information security, usually based in Sydney, Australia. He studied computing science and linguistics at the University of Adelaide and has been using the internet ever since it's been possible in Australia. He has hand-rolled his own firewall rulesets under Linux and advised commercial clients on improving their network security. Yes, his name is just one word. No, it's not a pseudonym. Stilgherrian is also a prolific user of Twitter. You can follow him at http://twitter.com/stilgherrian @stilgherrian -- but be warned. He uses bad language.
Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic
"Independent Security Consultant Jarrod Loidl is an independent information security consultant with over seven years industry experience. He has worked in a number of different verticals such as education, gaming, advertising, financial services, professional services, not-for-profit and healthcare. His specialities are security management, risk and architecture and penetration testing. Though most of his experience lies in management end of security, he's trying to get back to his roots and stay in the technical game. He is an active member of the Australia Information Security Association (AISA) and ISACA and has presented at both the local Melbourne AISA and OWASP chapters. He is an avid, life long learner. His qualifications include a Bachelors degree in Computing, CISSP, CRISC, CISM, SABSA Certified Architect (SCF), Certified Penetration Tester (CPT) and very slowly chipping away at obtaining a Masters in Business Administration."