Infosec Pro

It's Not Unhackable, But Twitter Makes a Start

2013-05-24T10:17:00.000+01:00

This week Twitter introduced a new two-factor authentication process to verify account logins. This comes on the back on some pretty big Twitter account hacks in recent months. Now, whilst you can argue that it is not Twitter (or any other service providers) responsibility for you to keep your account details secure, they potentially do have a duty to some extent to make increased security an option if an end user does want to use it.

A typical end user isn't particularly interested in security. Yes, they don't want hacking, yes, they don't want to have their bank details stolen, or their Facebook timeline polluted with nasties, but a typical end user won't actively take extra steps to avoid that from happening.

The concept of strong passwords is pretty much standard these days. At least 8 characters, an uppercase letter, a number and / or a special character too. End users have a list of passwords in their minds that fit the criteria. Unfortunately these passwords are probably being recycled across every site that requires a 'complex' password, perhaps incrementing the number at the end every time it expires.

The use of secondary verification, become familiar for typical web users, when Facebook verification was introduced a year or two back. If you login to Facebook from an unknown device or network location, you are asked to go through an additional set of verification steps. This could include security question responses (knowledge based authentication), mobile verification or the most interesting in my mind, confirming you know the people in selected photos from your albums. Again this is a form of KBA, but without the need to set up or remember arcane questions about your first pet or primary school.

To set up Twitter's additional verification isn't particularly complicated. A couple of minutes setting up a phone to use as the registered verification device and a few test text messages and you're done. Albeit the mobile anti-virus scanner on my phone flagged the responding text message from Twitter as 'suspicious' made me smile.

But will this extra step prevent hacks? The simple answer is no, well yes in some cases, but maybe in others! Basically there is no simple answer. Of course it makes cold hacking a lot more difficult, due to having to break something someone knows (the password) alongside breaking the physical something someone has (the phone). However, what happens if you lose your phone? I for one do most of my tweeting from a smartphone as many others do to. For a single end user that could pose an issue as both the Twitter client will undoubtedly have a cached password and obviously the physical phone is able to receive the text message for verification.

However, in corporate PR scenarios a large client may require a team of 3,4 or more executives managing the Twitter account. Twitter is alive 24x7 and no one individual could manage that for a large consumer client. This therefore results in multiple machines and potentially multiple clients. Whilst those clients can be authorised, the security risk is spread as you have multiple access vectors for malware, accidental misuse, malicious misuse and so on. So whilst Twitter has upped its game on the backend, end users still have a duty with regards managing who has access to the account in general and how those users are managed and vetted.

If nothing else, the introduction of an additional authentication factor increases the information security awareness for the typical end user and starts to make security a much more common step when using services and websites. The important step next, for Twitter and others, is to make sure there is a larger security 'reward' for those who do engage in the extra steps.

By Simon Moffatt

Forget Firewalls, Identity Is The Perimeter

2013-05-16T08:53:00.000+01:00

"It is pointless having a bullet proof double-locked front door, if you have no glass in your windows". I'm not sure who actually said that (if anyone..), but the analogy is pretty accurate. Many organisations have relied heavily in the past, on perimeter based security. That could be the network perimeter or the individual PC or server perimeter. As long as the private network was segregated from the public via a firewall, the information security manager's job was done. Roll on 15 years and things are somewhat more complex.

"Identity as the perimeter" has been discussed a few times over the last year or so and I'm not claiming it as a strap line - albeit it is a good one at that. But why is it suddenly becoming more important?

The Extended Enterprise - Mobile, BYOD, Consumer

Organizations of all sizes are no longer central places of work, with siloed business units, headed up by managers in glass-walled offices. Remote working is no longer limited to cool startups or the creative industries. Desktop PC's are now in decline, with tablets and smartphones able to do the majority of work related use cases. Many organisations now have complex supply chains, leveraging partners, sub-partners, clients and consumers. Outsourced services and applications now make up a large percentage of an organization's delivery management process, with these services often allowing authentication and user management controls outside of the standard corporate LDAP.

The increased use of BYOD, mobile workforces and increased outsourced and consumer lead service interaction, requires a much more integrated and agile view of an identity, but also requires CISO's, to view data protection and segregation in a much more user centric approach.

There Is No Network Separation - Everything is Connected

Everything is connected. You can receive corporate email on your smartphone over a network carrier paid for privately. Remote backup and file sync solutions allow sensitive files to be stored off site without the knowledge of a DLP solution. There is no longer a 'corporate' network with strong demarcation lines. Whilst this has obvious user benefits and efficiency gains, it has opened up new areas for security management. The one thing which is staying relatively static is the that of the identity driving this change. I don't mean the role and concept of identity is static. Quite the opposite, but identities are still the driving force between application interactions, network traffic analysis, DLP techniques, firewall management and so on. Each transaction should be linked in some way to an identity. This identity could be well masked through alias upon alias, but there are fewer and fewer chances for a truly anonymous computer interaction.

Extend the Enterprise or the Stretch The Cloud?

These identities are developing in multiple directions. The traditional corporate view of an identity originating from an authoritative source such as HR and flowing via provisioning systems to a target directory or database is still present. Complex workflows and RBAC projects will keep many a consultant in work for years to come. But with the onset of the extended enterprise, the increased use of social and cloud based identity brokers and platforms (Google, Facebook et al), there is a need for fusion. The ability for organisations to extend to the 'cloud' and the for the internet based services and brokers to able to reach out to traditionally standalone organizations with their new apps and services securely, whilst still making the user experience convenient. But where to start? Traditional enterprise identity and access management solutions are often too static and unable to scale to internet style proportions. Internet focused identity has been about single sign on, federation and authentication via social platforms. Organizations need to be able to manage interactions with 3rd party service providers from a centralised, potentially policy driven, authentication and authorization perspective. It's pointless disabling a contractor's internal LDAP account if they still have an active Saleforce or Dropbox account when they've left.

Compliance doesn't just fade away in cloud and internet based scenarios. There are still stringent controls that need to be adhered to, in order for an organization's identity management platform to be both convenient and effective.

By Simon Moffatt

Infosecurity Europe 2013: Round Up

2013-04-26T10:26:00.002+01:00

This week saw London bathed in glorious spring like sunshine, just as the 3 day annual Infosecurity Europe conference took place at Earls Court. Over 330 vendors, 190 press representatives and 12,000 attendees converged to make a interesting and thought provoking look at information security in 2013.

The keynote panel discussions focused on best practices as identified by experiences CISO's and security managers, with the general theme of education, awareness and training being top priorities, for organisations wishing to develop a sustainable and adaptive security posture. Budget management is also a tough nut to crack, but it is becoming clear that technical point solutions don't always deliver what is required and properly training security practitioners, coupled with cross department accountability make for a more cost effective approach.

Advanced Persistent Threats, cyber attacks and SCADA based vulnerabilities were all up for hot discussion, by both vendors and attendees alike.

See below for a detailed write up of some of the keynote sessions.

Hall Of Fame Inducts Shlomo Kramer & Mikko Hypponen
Keynote Panel: Smarter Security Spending
Technical Strategy: Defining APT
Keynote Panel: Battling Cyber Crime
Keynote Panel: Embedding Security Into The Business
Technical Strategy: SCADA The Next Threat
Analyst Panel: Future Risks

Infosecurity Europe 2014 will run from April 29th to May 1st 2014

By Simon Moffatt

Infosecurity Europe 2013: Smarter Security Spending

2013-04-25T14:33:00.001+01:00

Information security should be focused on "moving from the 'T' in IT, to the 'I' in IT' according to panel moderator Martin Kuppinger from KuppingerCole Analysts. Information security has often been focused on technical related controls, with point solutions based on software and hardware being deployed, in the hope that a 'silver' bullet style cure is found for all attacks, breaches and internal issues. This is an unsustainable model, from both a cost and effort perspective, but what areas provide a good return on security investment? An expert panel in the keynote theatre at day 3 of Infosecurity Europe, aimed to find out.

The People, In People, Process & Technology

Michelle Tolmay, from retailer ASOS, commented that the people, in the people, process and technology triad, is increasingly more important that simply installing and configuring technology. Dragan Pendic, from drinks manufacturer Diageo, also described how building the information security business case, requires focus on the 'right people' within the organisation. As budgets are finite, all spending needs to be fully justified and explained in business language to key business stakeholders. Dragan articulated, that whilst the majority of the security budget is ring fenced for legal and regulatory compliance, any remaining funds are spent wisely, focused on identifying security stakeholders with the correct role and responsibilities in order to the make existing and new security technology work smarter.

Education, Training & Awareness

Graham McKay, of DC Thomson, described, that whilst risk should be decided by the business, countermeasures should be implemented by the IT and security teams, with a key focus on sustainable education. He argued point solutions are nearly always breachable at some point in time, and that employee training and awareness is a much more effective and sustainable way to protect information.

Cal Judge from Oxfam explained that for training to be effective, it needs to take a personable and story based approach, trying strongly to avoid the dry, theoretical policy lead content. Michelle also added, that by making examples of the security implications employees face in real life, helps to articulate what measures need to be implementated in the work place.

Accountability -v- Commerciality

In any organisation, there is a clear trade off between business effectiveness and security implementation. Graham described that an organisation will never be 100% secure, as commerciality will always take hold. Whilst technology obviously has a major role to play, learning the full technical limitations, integration steps and implementation paths are key to fully maximising a return on investment commented Pendic. Often technology is not implemented to the maximum of it's capability, resulting in cheaper alternatives being overlooked or not evaluated. Cal Judge promoted the use of vulnerability scanning of existing technology as an effective spend, arguing that this can help to simulate what an external attacker would look for, from an internal and external asset perspective.

Michelle Tolmay added that overly restrictive policies are actually counterproductive and costly, resulting in employees taking shortcuts and workarounds that will ultimately put the business at risk. She also commented that relationships are the underlying success factor for effective infosec spending. Relationships between internal employees across departments and external relationships between the organisation, audit teams and external regulators all play a key part in understanding how to fuel infosec project spending.

By Simon Moffatt

Infosecurity Europe 2013: Defining APT

2013-04-25T11:04:00.000+01:00

Targeted and complex malicious software has seen a significant increase in infection rates since 2007 according to Fireeye's Alex Lanstein. "Since the US Air Force used the APT label to describe specifically Chinese origin attacks, multiple variations, from different geographies are now common place".

Malware Occurrence & Complexity On The Rise

The occurrence and complexity of malicious software has lead to numerous significant breaches. Powerful state sponsored and organised crime lead groups, have developed powerful automated ways of generating sophisticated, hard to identify, track and block, malware payloads. Many payloads are now masked as basic everyday application files such as PDF's, Word and Excel documents and images, whilst underneath, harbour well crafted executables, that can seamlessly connect to multiple remote command and control servers. These command and control servers are often accessed through intermediary instruction sets, distributed via well known domains such as Twitter, Yahoo and Wordpress blog sites, that wont look suspicious to organisational outbound traffic analysis tools. The instruction sets are often encrypted, or at least masked as base64, to prevent detection.

Sophisticated Social Framing

As anti-virus and signature based scanning tools become more accurate, malware designers are leveraging the human factor as a means of entry into an organisations network. By identifying key employees via social media tools such as LinkedIn and Twitter, malware payloads are delivered directly to an individual via spear-phishing techniques. Basic social framing such as good-news stories or studies looking for work placements or advice are typical according to Lanstein.

Automation

Many of the payloads being delivered are being manufactured using small utilities to help create a 'factory' of malware operators who can quickly craft a malicious document or image in minutes. These payloads are created specifically for individual organisational targets, with subtle differences and nuances, in order to look realistic.

The Human Element Behind APT

The human element is not to be overestimated in the entire APT food chain. Whilst the payloads are technical in nature and command and control centres allow for hundrads if not thousands of remote bots , human decision making, framing and social engineering are playing a large part in overcoming first line defences. As technical protection gets better, the human factor at both the malware operator and target level becomes ever more important, with increased awareness and training a key tool in malware defence.

By Simon Moffatt

Infosecurity Europe 2013: Battling Cyber Crime Keynote

2013-04-24T23:01:00.001+01:00

Cybercrime, either for financial gain or hacktivist tendencies is on the rise. The US and UK governments have invested significant sums in the last 12 months on new defence measures and research centres. The sci-fi talk of 'cyber war' is becoming an increasing reality, but what are the new attack vectors and what can be done to defend against them?

Changing Priorities, Changing Targets

Arnie Bates from Scotia Gas Networks described that freely available tools, are now commonplace and can help a potential cyber attacker, to initiate distribute denial of service (DDOS) attacks simply and easily, without complex development skills, that would have been required only a few years ago. The simplicity of attack initiation, has lead to 'simple' attacks resulting in more sophisticated impact, as highlighted by Misha Glenny, Writer and Broadcaster, who pointed to the recent attack on the Associated Press' Twitter account. The attack itself seemed simple, but the resulting impact on the NYSE was tangible.

Hacktivism -v- Financial Reward

DS Charlie McMurdie from the MET Police's cyber crime unit, articulated the need to identify the true motive for each cyber crime attack. The majority of attacks being reported, derive from a financial motive. Whilst hacktivism is still an important protest tool, the greater complexity and rise in attacks is based on a monetary reward, either directly through theft or via indirect theft of identity credentials, that in turn lead to a cash reward for a successful attacker. From a government perspective, Adrian Price from the UK's MoD, described how state level espionage is still a major concern, as it has been for decades, but now the attack vectors have simply moved online. And whilst state level attacks could ultimately lead to government involvement and ultimately war and loss of life, national defence related attacks still fall under the protest category, if a government's political and foreign policy is openly objected to.

Defence Via Shared Intelligence

Whilst DS McMurdie described there isn't a "signal bullet to defend against" when it comes to cyber attacks, there equally isn't a silver bullet that will provide ultimate protection. Private sector organisations still need to promote cyber awareness and education to generate a more cross-departmental approach to defence. At the national and critical infrastructure level, shared intelligence initiatives will help provide a more adaptable and responsive defense mechanism.

By Simon Moffatt

Infosecurity Europe 2013: Embedding Security into the Business

2013-04-24T17:47:00.001+01:00

A strong keynote panel discussed the best practices for embedding security into the business, and how the changing perceptions of information security are helping to place it as a key enabler to business growth.

Infosec Is The Oil Of The Car

Brian Brackenborough from Channel 4, best described information security as being "the oil in the car engine". It's an integral part of the car's mobility, but shouldn't always be seen as the brakes, which can be construed by the business as being restrictive and limiting. James McKinlay, from Manchester Airports Group, added that information security needs to move away from just being network and infrastructure focused and start to engage other business departments, such as HR, legal and other supply chain operators.

The panel agreed that information security needs to better engage all areas of the non-technical business landscape, in order to be fully effective.

Business Focused Language

Many information security decisions are made on risk management and how best to reduce risk, whilst staying profitable and not endangering user experience. A key area of focus, is the use of a common business focused language when describing risk, the benefits of reduction and the controls involved in the implication. According to James, organisations need to "reduce the gap between the business and infosec teams view of risk, and standardise on the risk management frameworks being used".

Education & Awareness

Geoff Harris from ISSA promoted the argument of better security awareness, as being a major security enabler. He described how a basic 'stick' model of making offenders of basic infosec controls, buy doughnuts for the team, worked effectively, when used to reduce things like unlocked laptops. James also pointed to "targeted and adaptive education and training" as being of great importance. Different departments, have different goals, focuses and users, all which require specific training when it comes to keeping information assets secure.

All in all, the panel agreed, that better communication with regards to information security policy implementation and better gathering of business feedback when it comes to information security policy creation, are all essential.

By Simon Moffatt

Infosecurity Europe 2013: SCADA The Next Threat

2013-04-24T14:09:00.000+01:00

Physical and industrial control systems are now all around us, in the form of smart grid electrical meters, traffic light control systems and even basic proximity door access control panels. These basic computer systems can hold a vast array of sensitive data, with fully connected network access, central processing units and execution layers. Many however lack the basic security management expected of such powerful systems. Many 'don't get a quarter of the security governance an average corporate server' gets according to Greg Jones, of Digital Assurance.

Characteristics and Rise In Use
Micro computers with closed control systems have been in use for a number of years in industrial environments, where they are used to collect processing data or execute measurement or timing instructions. Their popularity in mainstream use has increased, with the likes of TV set-top top boxes and games consoles following a similar design. These more commercially focused devices however, often have stronger security due to their makers wanting to protect revenue streams, say Jones.

Lack of Security Management
Many of the control type systems in use, aren't manufactured or managed with security in mind. Performance, durability and throughput are often of greater importance, with basic security controls such as secure storage, administrative lockdown and network connectivity all potential hotspots.

Protection Gaps
The main security focus of many smaller control devices, is around physical protection. Devices such as traffic light systems or metering boxes, are generally well equipped to stave off vandalism and physical breaches, but much less so from a logical and access control perspective.

Data is often stored unencrypted, with limited validation being performed on any data collection and input channels. This can open up issues with regards to data integrity, especially in the field of electrical meter reading. This will certainly become of greater significance, as it is forecast that by 2020, 80% of European electricity supplier customers, will be using a smart-style.

By Simon Moffatt

Infosecurity Europe 2013: Analyst Panel Keynote: Future Risks

2013-04-23T20:37:00.001+01:00

At the end of day 1, of the Infosec Europe conference, on a wonderfully warm Spring afternoon at Earls Court, saw the keynote theatre host an interesting panel discussion focusing on future risks. Andrew Rose from Forrester, Wendy Nather from the 451 Research group and Bob Tarzey from Quocirca provided some interesting sound bites for what future threats may look like.

Hacktivism versus Financial Reward
All panelists acknowledged that hacktivism has been a major concern for the last few years, with Andrew pointing out that attacks are now becoming more damaging and malicious. Bob produced a nice soundbite of "terrorists don't build guns they buy them", highlighting the fact that hacktivists can easily leverage available tools to perform sophisticated and complex attacks, without necessarily spending time and effort developing bespoke tools. Wendy pointed out that attacks driven by financial reward have somewhat different attack patterns and targets, with new avenues such as mobile, smart grids and CCTV devices being identified as potential revenue streams for malicious operators.

Financial reward is still a major driver for many attacks, with new approaches likely to include mobile devices, to leverage potential salami style SMS attacks. Intellectual Property theft is still a major obstacle at both a nation state and organisational level.

Extended Enterprises
Andrew commented on the increasing complexity many organisations now face from a structural perspective. Increased outsourcing, supply chain distribution and 3rd party data exchanges, make defensive planning difficult. Bob also pointed out that the complexity of supply chain logistics have made smaller organisations, traditionally thought to be more immune to larger scale attacks, are now more likely to be breached, simply due to the impact it may have on their business partners.

Insider Threat and Privileged Account Management
Trusted employees can be still be a major headache from a security perspective. Non-intentional activity such as losing laptops, responding to malicious links and being the victim of spear-phishing attacks, were all highlighted as being the result of poor security awareness, or a lack of effective security policy. Bob argued that privileged account management should be a high priority, with many external attacks utilising root, administrator and service accounts with their escalated permissions.

Data Chemistry and Context Aware Analysis
Whilst there is no 'silver bullet' to help prevent against the known knowns and unknown unknowns, the use of security analytics can go some way to help detect and ultimately prevent future attacks. Wendy used the term 'data chemistry' to emphasise the use of the right data and the right query to help provide greater detail and insight to traditional SIEM and log gathering technologies. Bob promoted the use of greater profiling and context aware analysis of existing log and event data, to further highlight exceptions and their relevance, especially from a network activity perspective. Andrew also commented that information asset classification, whilst a well known approach to risk management, is still a key component in developing effective defence policies.

By Simon Moffatt

Infosecurity Europe 2013: Hall of Fame Shlomo Kramer & Mikko Hypponen

2013-04-23T09:39:00.001+01:00

London, 23^rd April 2013 - For the last 5 years the medal of honour of the information security world has been presented to speakers of high renown with the ‘Hall of Fame’ at Infosecurity Europe. Voted for by fellow industry professionals the recipients of this most prestigious honour stand at the vanguard of the technological age and this year both Shlomo Kramer and Mikko Hypponen will be presented with the honour on Wednesday 24 Apr 2013 at 10:00 - 11:00 in the Keynote Theatre at Infosecurity Europe, Earl’s Court, London.

Shlomo Kramer is the CEO and a founder of Imperva (NYSE:IMPV), prior to that he co-founded Check Point Software Technologies Ltd. in 1993 (NASDAQ:CHKP). Kramer has participated as an early investor and board member in a number of security and enterprise software companies including Palo Alto Networks (NYSE:PANW), Trusteer, WatchDox, Lacoon Security, TopSpin Security, SkyFence, Worklight, Incapsula and SumoLogic.

Shlomo Kramer commented “I am delighted to have been chosen by Infosecurity for the “hall of fame” in 2013 – it’s a great honour to be recognised for the work that I have done in the IT security industry as a founder of companies such as Check Point and Imperva. I love nothing more than creating and fostering successful enterprise IT- focused businesses and will continue to put my energy into combating the ever increasing onslaught from the cyber-criminal world.”

Mikko Hypponen is the Chief Research Officer of F-Secure in Finland. He has been working with computer security for over 20 years and has fought the biggest virus outbreaks in the net. He's also a columnist for the New York Times, Wired, CNN and BBC. His TED Talk on computer security has been seen by over a million people and has been translated to over 35 languages. Mr. Hypponen sits in the advisory boards of the ISF and the Lifeboat foundation.

"I've worked in the industry for 22 years and haven't had a boring day yet. I'm honoured to be inducted to the hall of fame", commented Mikko Hypponen. "The enemy is changing all the time so we must keep up."

Previous speakers have included some of the world’s leading thinkers in information security including Professor Fred Piper, Professor Howard Schmidt, Bruce Schneier, Whitfield Diffie, Paul Dorey, Dan Kaminsky, Phil Zimmerman, Lord Erroll, Eugene Kaspersky, Charlie McMurdie, Stephen Bonner and Ed Gibson. To view all previous speakers, along with a short biography, you can visit the Infosecurity website: http://www.infosec.co.uk/Education-Programme/fame/

The 2013 Hall of Fame will be conducted in the Keynote theatre where both Shlomo and Mikko Hypponen will join Professor Fred Piper in a panel chaired by Raj Samani from the CSA which will address other industry professionals in what always proves to be a compelling and exhilarating event.
The speakers inducted into the Hall of Fame have met the following criteria:

Be an internationally recognised and respected Information Security practitioner or advocate
Have made a clear and long-term contribution to the advancement of Information Security
Have provided intellectual or practical input that has shifted the advancement of Information Security
Be an engaging and revolutionary thought leader in Information Security

The Hall of Fame has proven to be the highlight of previous shows and this year is no different. Setting the standard for other industry professionals and defining contemporary issues, the Hall of Fame speakers aim to challenge conventional thought with a mix of pragmatism and provocation. It really is the must see event of the year.

Microsoft Security Intelligence Report Volume 14

2013-04-19T12:15:00.000+01:00

Yesterday, Microsoft released volume 14 of its Security Intelligence Report (SIRv14) which included new threat intelligence from over a billion systems worldwide. The report was focused on the 3rd and 4th quarters of 2012.

One of the most interesting threat trends to surface in the enterprise environment was the decline in network worms and rise of web-based attacks. The report found:

· The proportion of Conficker and Autorun threats reported by enterprise computers each decreased by 37% from 2011 to 2H12.

· In the second half of 2012, 7 out of the top 10 threats affecting enterprises were associated with malicious or compromised websites.

· Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12.

· One specific iFrame redirection family called IframeRef, increased fivefold in the fourth quarter of 2012 to become the number one malicious technique encountered by enterprises worldwide.

· IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012.

The report also takes a close look at the dangers of not using up-to-date antivirus software in an article titled “Measuring the Benefits of Real-time Security Software.” New research showed that, on average, computers without AV protection were five and a half times more likely to be infected.

The study also found that 2.5 out of 10, or an estimated 270 million computers worldwide were not protected by up-to-date antivirus software.

Whilst many of the findings surrounding real-time protection seem pretty obvious, the numbers are pretty startling. As security is often best implemented using a strength-in-depth, or rings approach, anti-virus or real time malware detection seems to be taking a back seat. For mobile devices, or devices based on Linux this can become a significant issue, especially if those devices carry email destined for Microsoft based machines.

By Simon Moffatt

Who Has Access -v- Who Has Accessed

2013-04-15T11:30:00.002+01:00

The certification and attestation part of identity management is clearly focused on the 'who has access to what?' question. But access review compliance is really identifying failings further up stream in the identity management architecture. Reviewing previously created users, or previously created authorization policies and finding excessive permissions or misaligned policies, shows failings with the access decommissioning process or business to authorization mapping process.

The Basic Pillars of Identity & Access Management

Compliance By Design

The creation and removal of account data from target systems falls under a provisioning component. This layer is generally focused on connectivity infrastructure to directories and databases, either using agents or native protocol connectors. The tasks, for want of a better word, are driven either by static rules or business logic, generally encompassing approval workflows. The actual details and structure of what needs to be created or removed is often generated elsewhere - perhaps via roles, or end user requests, or authoritative data feeds. The provisioning layer helps fulfill what system level accounts and permissions need creating. This could be described as compliance by design and would be seen as a panacea deployment, with quite a pro-active approach to security, based on approval before creation.

Compliance By Control

The second area could be the authorization component. Once an account exists within a target system, there is a consumption phase, where an application or system uses that account and associated permissions to manage authorization. The 'what that user can do' part. This may occur internally, or more commonly, leverage an external authorization engine, with a policy decision point and policy enforcement point style architecture. Here there is a reliance on the definition of authorization policies that can control what the user can do. These policies may include some context data such as what the use is trying to access, the time of day, IP address and perhaps some business data around who the user is - department, location and so on. These authorization 'policies' could be as simply as the read, write, execute permission bits set within a Unix system (the policy here is really quite implicit and static), or something more complex that has been crafted manually or automatically and specific to a particular system, area and organisation. I'd describe this phase as compliance by control, where the approval emphasis is on the authorization policy.

Compliance By Review

At both the account level and authorization level, there is generally some sort of periodic review. This review could be for internal or external compliance, or to simply help align business requirements with the underlying access control fulfillment layer. This historically would be the 'who has access to what?' part. This would be quite an important - not to mention costly from a time and money perspective - component for disconnected identity management infrastructures. This normally requires a centralization of identity data, that has been created and hopefully approved at some point in the past. The review is to help identify access misalignment, data irregularities or controls that no longer fulfill the business requirements. This review process is often marred by data analysis problems, complexity, a lack of understanding with regards to who should perform reviews, or perhaps a lack of clarity surrounding what should be certified or what should be revoked.

SIEM, Activities and Who Has Accessed What?

One of the recent expansions of the access review process has been to marry together security information and event monitoring (SIEM) data with the identity and access management extracts. Being able to see what an individual has actually done with their access, can help to determine whether they actually still need certain permissions. For example, if a line manager is presented with a team member's directory access which contains 20 groups, it could be very difficult to decide which of those 20 groups are actually required for that individual to fulfill their job. If, on the other hand, you can quickly see that out of the 20 groups, twelve were not used within the last 12 months, that is a good indicator that they are no longer required on a day to day basis and should be removed.

There is clearly a big difference between what the user can access and what they actually have accessed. Getting this view, requires quite low level activity logging within a system, as well as the ability to collect, correlate, store and ultimately analyse that data. SIEM systems do this well, with many now linking to profiling and identity warehouse technologies to help create this meta-warehouse. This is another movement to the generally accepted view of 'big data'. Whilst this central warehouse is now very possible, the end result, is still only really trying to speed up the process of finding failures further up the identity food chain.

Movement to Identity 'Intelligence'

I've talked about the concept of 'identity intelligence' a few times in the past. There is a lot of talk about moving from big data to big intelligence and security analytics is jumping on this band wagon too. But in reality, intelligence in this sense is really just helping to identify the failings faster. This isn't a bad thing, but ultimately it's not particularly sustainable or actual going to push the architecture forward to help 'cure' the identified failures. It's still quite reactive. A more proactive approach is to apply 'intelligence' at every component of the identity food chain to help make identity management more agile, responsive and aligned to business requirements. I'm not advocating what those steps should be, but it will encompass an approach and mindset more than just a set of tools and rest heavily on a graph based view of identity.

By analyzing the 'who has accessed' part of the identity food chain, we can gain yet more insight in to who and what should be created and approved, within the directories and databases that under pin internal and web based user stores. Ultimately this may make the access review component redundant once and for all.

By Simon Moffatt

Protect Data Not Devices?

2013-04-04T21:04:00.001+01:00

"Protect Data Not Devices", seems quite an intriguing proposition given the increased number of smart phone devices in circulation and the issues that Bring Your Own Device (BYOD) seems to be causing, for heads of security up and down the land. But here is my thinking. The term 'devices' now covers a multitude of areas. Desktop PC's of course (do they still exist?!), laptops and net books, smart phones and not-so-smart phones, are all the tools of the trade, for accessing the services and data you own, or want to consume, either for work or for pleasure. The flip side of that is the servers, mainframes, SAN's, NAS's and cloud based infrastructures that store and process data. The consistent factor is obviously the data that is being stored and managed, either in-house or via outsourced services.

Smarter the Device, The More Reliant We Become

This is a pretty obvious statement and doesn't just apply to phones. As washing machines became more efficient and dishwashers became cheaper and more energy saving, we migrated in droves, allowing our time to be spent on other essential tasks. The same is true for data accessing devices. As phones morphed in to micro desktop PC's, we now rely on them for email, internet access, gaming, social media, photography and so on. Some people even use this thing called the telephone on them. Crazy. As the features and complexity ramp up, we no longer need another device for listening to music, taking pictures or accessing Facebook. Convenience and service provision increases, as does the single-point-of-failure syndrome and our reliance on them being available 99.999% of the time, up to date and online.

Smarter the Device, The Less Important It Becomes

Now this next bit seems a bit of a paradox. As the devices becomes smarter, greater emphasis is placed on the data and services those devices access. For example. A fancy Facebook client is pretty useless if only 100 people use Facebook. A portable camera is just that, unless you have a social outlet for which to distribute the images. The smartness of the devices themselves, is actually driven by the services and data they need to access. Smartphones today come with a healthy array of encryption features, remote backup, remote data syncing for things like contacts, pictures and music, as well device syncing software like Dropbox. How much data is actually specifically related to the device? In theory nothing. Zip. Lose your phone and everything can be flashed back down in a few minutes, assuming it was set up correctly. Want to replace a specific model and brand with a model of equivalent specification from a different vendor? Yep you can do that too, as long as you can cope with a different badge on the box. Feature differentiation is becoming smaller, as the technology becomes more complex.

Data Access versus Data Storage

As more and more services become out sourced (or to use the buzz of being moved to the 'cloud'), the storage part becomes less of a worry for the consumer. The consumer could easily be an individual or an organisation. Backup, syncing, availability, encryption and access management all fall to the responsibility of the outsourced data custodian. Via astute terms and conditions and service level agreements, the consumer shifts responsibility across to the data custodian and service provider.

The process of accessing that data then starts to fall partly on the consumer. How devices connect to a network, how users authenticate to a device and so on, all fall to the device custodian. Access traffic encryption will generally require a combination of efforts from both parties. For example, the data custodian will manage SSL certificates on their side, whilst the consumer has a part to play too.

So to slightly contradict my earlier point (!), this is where the device is really the egress point to the data access channel, and so therefore requires important security controls to access the device. The device itself is still only really a channel to the data at the other end, but once an individual (or piece of software, malicious or not) has access to a device, they then in turn can potentially open access channels to outsourced data. The device access is what should be protected, not necessarily the tin itself.

As devices become smarter and service providers more complex, that egress point moves substantially away from the old private organisational LAN or equivalent. The egress point is the device regardless of location on a fixed or flexible network.

Data will become the ultimate prize not necessarily the devices that are used to access it.

By Simon Moffatt

Passwords And Why They're Going Nowhere

2013-03-28T12:51:00.000Z

Passwords have been the bane of security implementers ever since they were introduced, yet still they are present on nearly every app, website and system in use today. Very few web based subscription sites use anything resembling two-factor authentication, such as one-time-passwords or secure tokens. Internal systems run by larger organisations implement additional security for things like VPN access and remote working, which generally means a secure token.

Convenience Trumps Security

Restricting access to sensitive information is part of our social make up. It doesn't really have anything to do with computers. It just so happens for the last 30 years, they're the medium we use to access and protect that information. Passwords came before the user identity and were simply a cheap (cost and time) method of preventing access to those without the 'knowledge'. Auditing and better user management approaches resulted in individual identities, coupled with individual passwords, providing an additional layer of security. All sounds great. What's the problem then? ~~Firstly users aren't really interested in the security aspect.~~ Firstly, users aren't interested in the implementation of the security aspect. They want the stuff secure, they don't care how that is done, or perhaps more importantly, don't realise the role they play in the security life cycle. A user writing down the password on a post-it is a classic complaint of a sysadmin. But the user is simply focused on convenience and performing their non-security related revenue generating business role at work, or accessing a personal site at home.

Are There Alternatives & Do We Need Them?

The simple answer is yes, there are alternatives and in some circumstances, yes we do need them. There are certainly aspects of password management that can help with security, if alternatives or additional approaches can't be used or aren't available. Password storage should go down the 'hash don't encrypt' avenue, with some basic password complexity requirements in place. Albeit making those requirements too severe often results in the writing down on a post-it issue...

Practical alternatives seem to be few and far between (albeit feel free to correct me on this). By practical I'm referring to both cost (time and monetary) and usability (good type-I and type-II error rates, convenient). So biometrics have been around a while. Stuff like iris and finger print scanning as well as facial recognition. All three are pretty popular at most large-scale international airports, mainly as the high investment levels can be justified. But what about things like web applications? Any use of biometric technology at this level would require quite a bit of outlay for new capture technology and quite possibly introduces privacy issues surrounding how that physical information is stored or processed (albeit hashs of the appropriate data would probably be used).

There are also things like one-time-passwords, especially using mobile phones instead of tokens. But is the extra effort in deployment and training, enough to warrant the outlay and potential user backlash? This would clearly boil down to a risk assessment of the information being protected, which the end user could probably not articulate.

Why We Still Use Them...

Passwords aren't going anywhere for a long time. For several reasons. Firstly it's cheap. Secondly it's well known by developers, frameworks, libraries, but most importantly the end user. Even a total IT avoider, is aware of the concept of a password. If that awareness changes, there is suddenly an extra barrier-to-entry for your new service, application or website to be successful. No one wants that.

Thirdly, there are several 'bolt on' approaches to using a username and password combination. Thinking of things like step-up authentication and knowledge based authentication. If a site or resource within a site is deemed to require additional security, further measures can be taken that don't necessarily require a brand new approach to authentication, if a certain risk threshold is breached.

As familiarity with password management matures, even the most non-technical of end users, will become used to using passphrases, complex passwords, unique passwords per applications and so on. As such, developers will become more familiar with password hashing and salting, data splitting and further storage protection. Whilst all are perhaps sticking plaster approaches, the password will be around for a long time to come.

By Simon Moffatt

Optimized Role Based Access Control

2013-03-21T11:55:00.001Z

RBAC. It's been around a while. Pretty much since access control systems were embedded in to distributed operating systems. It often appears in many different forms, especially at an individual system level, in the form of groups, or role based services, access rules and so on. Ultimately, the main focus is the grouping of people and their permissions, in order to accelerate and simplify user account management.

Enterprise RBAC
Enterprise role management has become quite a mature sub-component of identity and access management in the last few years. Specialist vendors developed singularly focused products, that acted as extensions to the provisioning tooling. These products developed features such as role mining, role approval management, segregation of duties analysis, role request management and so on. Their general feature set was that of an 'offline' identity analytics database, that could help identify how users and their permissions could be grouped together, either based on business and functional groupings or system level similarities. Once the roles had been created, they would then be consumed either by a provisioning layer, or via an access request interface. The underlying premise, being that access request management would be simplified due to business friendly representations of the underlying permissions and the account creation and fulfillment process would be accelerated.

The Issues & Implementation Failures
The process of developing an RBAC model was often beset with several problems. IAM encompasses numerous business motives and touch points - which is why many still argue identity management is a business enabler more than a security topic - and developing roles across multiple business units and systems is time consuming and complex. A strong and detailed understanding of the underlying business functions, teams, job titles and processes is required, as well the ability to perform analysis of the required permissions for each functional grouping. Whilst this process is certainly mature and well documented, implementation is still an effort laden task, requiring multiple iterations and sign off, before an optimal model can be released. Once a model is then available for use, it requires continual adaption as systems alter, teams change, job titles get created and so on. Another major issue with RBAC implementation, is the often mistaken view, that all users and all system permissions must be included in such an approach. Like any analytic model, exceptions will exist and they will need managing as such, not necessarily be forced into the RBAC approach.

Speeding up Role Creation
Role creation is often accomplished using mining or engineering tools. These tools take offline data such as human resources and business functional mappings, as well as system account and permissions data. Using that data, the process is to identify groupings at the business level (known as top down mining) as well as identifying similarities at the permissions level (known as bottom up mining). Both processes tend to be iterative in nature, as the results are often inconsistent, with difficulties surrounding agreement on user to functional mapping and of function to permissions mapping.

One of the key ways of speeding up this process, is to use what is known as 'silent migration'. This approach allows roles to be created and used without change to the users underlying permissions set. This instantly removes the need for continual approval and iteration in the initial creation step. The silent migration consists of initially mapping users into their functional grouping. For example, job title, team, department and so on. The second step is to analyse the system permissions for users in each functional grouping only. Any permissions identified across all users in the grouping are applied to the role. No more, no less. With it, no changes are therefor made to the users permissions. This process is simply performing an intersection or each users' permissions.

Focus on the Exceptions
Once the users of each functional grouping have had their permissions migrated into the role, it's now important to identify any user associated permissions that are left over. These can simply be known as exceptions, or permissions of high risk. They're high risk, as they are only assigned to specific individuals and not the group. This association could well be valid - a line manager for example may have different permissions - but as a first pass, they should be reviewed first. To identify which are exceptions, a simple subtraction can be done between the users current permissions (as identified by their target system extract) and the permissions associated with their functional grouping. Anything left needs reviewing.

This approach can also help with the acceleration of access review strategies. Instead of looking to review every user, every permission and every functional grouping, simply analyse anything which is anomalous, either via peer comparison or functional grouping.

RBAC is a complex approach, but can provide value in many access review and access request use cases. It just isn't a catch all, or perhaps approach for every system and user. Specific application using a more simplified approach can reap rewards.

By Simon Moffatt

Insurance For Information Security

2013-03-18T06:58:00.000Z

We can get insurance for virtually anything these days. Cars obviously (albeit if that wasn't law, how many would pay for it?). Ourselves. Pets. Eyes. Teeth. Holidays. You name it and The Meerkat can sort it out. The market for insurance is highly complex, with econometrics playing a large part in determining the potential risk levels of individual insurance consumers. The insurance underwriters, like any other capitalist organisation, are primarily concerned with making a profit. They won't provide insurance to those they deem a probable risk and charge higher premiums to those that are a possible risk. Insurance for the consumer is to cover loss against an unexpected even. The risks of that unexpected even occurring will obviously change. Flying to Spain on holiday increases the risk of having a plane crash. Getting old increases the risk of falling and breaking your hip. But a lot of the time, the unexpected risk is just that: unexpected.

Unexpected in the Infosec World
The unexpected is all around IT in general. Power outages. Component failures. Bugs. It keeps ops and devops teams in constant work. Cyber attacks and data loss are probably the biggest head line grabbing events of the unexpected kind at the moment, from a purely security perspective. An organisation will of course not know when an attack will happen, even if the odds of such an attack are pretty low. Data loss too, can occur at so many different levels (lost laptop, malware, IP theft...), that the chances of not losing data are probably higher than the event itself.

Risk Management
Of course some unexpected behaviour is expected and provisions are put in place. Remote support is purchased. Consultancy is purchased. External advice is sort. Risk management plays a huge part in the planning of any large organisation with risk transfer, mitigation and acceptance all viable alternatives to going alone and being impacted by a breach or disruptive event. It's interesting to observe the varying risk responses to particular situations. Whilst a risk assessment will pick out the level of response (or if a risk reduction response is actually required at all), the individual response decisions seems to be quite inconsistent. For example. Perimeter security is seen as a zero tolerance area. Nothing bad can come into the private LAN. Hence firewalls, next generation firewalls, intrusion detection systems and so on are now incredibly advanced with yearly iterations of new features and detection capabilities. The risk response is aiming for removal. Incident response with regards to hacking or data theft on the other hand, is often handled via risk transfer at best or limited risk reduction at worst. That's like taking insurance out to recover the car in the event of a crash, but having to pay for your own health care to cover your injuries.

Insurance in Different Guises
Obviously there is no such thing as information security insurance per-se. It exists in truth with a complex mix of risk management responses, tooling, external consultancy, transferred decision making and so on.

Perhaps as organisations continue to look to the outsourcing of services, applications and complex IT support and return focus to their key business goals, insurance may become more apparent in the traditional sense within an information security landscape.

By Simon Moffatt

Identity In The Modern Enterprise

2013-03-11T11:58:00.000Z

I was on a webinar last week by the highly articulate Eve Maler from Forrester, where the discussion was around the future of identity and access management. Everyone has an opinion on the future of everything, and IAM is certainly no different. The view of IAM 1.0 (enterprise provisioning) and IAM 2.0 (federated identity, 'cloud' services and so) is continually evolving and it's pretty clear that identity management now has a greater role to play for many organisations, as they look to embrace things like increased mobility and out sourced service driven applications.

Enterprise Evolution - Mobility
Everything evolves. OK, so apparently alligators haven't changed that much in 37 million years, but most things, especially in business, evolve to the point of least resistance, or more importantly to the point of greater return on investment. From a simple technology perspective, many organisations have grown to embrace the use of things like increased mobility. What does that mean? Well, I'm referring to things like remote working, 'tele-working' (unless of course you work for Yahoo), always-on smartphone access and an increased use of personal devices (BYOD). Mobility can help reduce the standard fixed costs of running an organisation (at both the start-up and enterprise level), by not having to worry about physical office locations for example. By getting employees to cut out the daily commute, organisations are also squeezing out extra output, either physically by getting more hours, or through greater innovation due to more relaxed and less-restricted employee working patterns.

Enterprise Evolution - Services over Applications
Another major area in the enterprise evolution process, is the increased sign up to services or outsourced applications. Applications historically have either been developed in house, or licensed from 3rd party software vendors (either large or small). These applications had their data stored locally (by local, I just mean within the confines of the corporate LAN) and were delivered either via web interfaces or thick clients. Authentication and authorisation was managed, if not internally to the application, certainly internal to organisations, via corporate LDAP directories and relational databases.

We're now seeing nearly every possible combination of applications, made available as subscription based services. Freemium business models. One month trials. Pay as you go. Multi-tenant delivery and even just the same application you previously licensed, but hosted by someone else. From a business perspective everyone's a winner: faster implementation; cheaper costs; risk free payments; zero development or installation costs. Barriers to entry for new businesses also fade away, as you can be up and running with CRM, accountancy, collaboration, document storage and communications services within minutes. Either free, or costing peanuts with simple credit-card signup. But has this go to do with identity?

How Identity Can Play a Part
Identity has a huge part to play in this evolutionary process. All of these new methods of working, still require the basic principles of authentication, authorisation and accountability. Regardless of whether you access the CRM system from your iPhone via 3G or public wi-fi, or via a desktop PC on the corporate LAN, an identity holds together the context of who should access what and why. Technological solutions will obviously fill the void for the basic connectivity and integration tasks. I'm thinking of things like web SSO, mobile application provisioning and sign in and 3rd party sign up. This increased level of complexity from both a user and application perspective, requires an increased level of complexity on the management of identities too. Complexity doesn't necessarily mean difficult however, it just requires a greater understanding of the challenges and pit falls that lie ahead for organisations looking to embrace greater flexibility and returns on investment.

Instead of identity becoming the bolt on, or audit after thought, it becomes central to enabling organisations to leverage things like service driven applications, 3rd party identity providers and mobile working.

By Simon Moffatt

Information Security: Time for a Different Approach

2013-03-06T10:56:00.000Z

This last few weeks have seen, yet again, some pretty significant hacks (namely the Evernote hack). Large amounts of user data, including passwords, were released into the wild. The situation could have been worse in the Evernote case, but at least the passwords were salted and hashed. Evernote's response, has been to perform a mass password reset on it's user base, in a proactive damage limitation style exercise and no doubt several internal streams of investigation will be looking for the who, what and why behind the attack.

Security is Reactive
I've blogged on the topic of reactionary security on a few occasions recently ("Protection Without Detection", "Preventative -v- Detective Security") and it seems the approach is still pretty much the default (Or perhaps security is only really questioned and tested after an event?). There are of course, lots of 'pro-active' components to security. Hashing a password could be seen as one for example, but many of these activities are often small tactical steps at the implementation level, not the strategic level. Audit is obviously detective, with an audit response proactive in some sense, but really only proactive to get you back to the status-quo of reactive. Big data for security, ("Security Analytics: Hype or Huge?", "Big Security Data to Big Security Intelligence") is another example in my mind or purely reactive security. The big data promise is based entirely on scale and speed. Scale obviously (the word big might help there), with regards to aggregating and correlating multiple data sources and speed, for trying to develop queries and analytic steps to identify root causes, patterns and so on. Longer term, the results of the big data analytical steps could of course be proactive in nature.

A Different Approach
In my mind a different approach is needed. I'm not advocating what that approach should be, but the panacea would of course be to get security so embedded, it seamlessly integrates with revenue generating business focused practices within an organisation. The gap between security and convenience, needs to be minimized to as close to zero as possible. Security really needs moving up the organisational food chain, away from the bigger, faster, shiny implementation level approach, which will constantly chase (and lose) an attackers tail, to be a default stance with all business related policy decisions. This is difficult of course, but in the longer term will help move away from a reactionary standpoint to something resembling security by default.

@SimonMoffatt

The Blurring of the Business Identity

2013-02-25T19:17:00.000Z

The concept of a well defined business identity is blurring and this is causing a complex reaction in the area of identity and access management. Internal, enterprise class identity and access management (IAM) has been long defined, as the managing of user access as defined by approval workflows, authoritative source integration and well defined system connectivity.

Historical Business Structures
Historical business identity management has been defined by several well defined structures and assumptions. An organisational workforce that was managed by an IAM programme, was often permanent, static and assigned into a set business function or department. This helped define multiple aspects of the IAM approach, from the way access request approvals were developed (default of line manager as first line of approval), to how roles based access control implementations were started (use of business units or job titles to define functional groupings for example). IAM is complex enough, but these assumptions helped to at least create a level of stability and framing. IAM was seen as an internal process, focused solely within the perimeter of the 'corporate' network. Corporate is this sense is indeed quoted, as the boundary between public and private internal networks are becoming increasingly ill-defined.

Changing Information Flows
If IAM can be viewed as data and not just a security concern, any change to the data or information flows within an organisation, will have a profound impact on the flow of IAM data too. One of the key assumptions of IAM is that of the underlying business structures. They are often used for implementation roll out prioritization, application on-boarding prioritization, workflow approval design, data owner and approver identification and service accountability. This works fine if you have highly-cohesive and loosely coupled business functions such as 'finance', 'design' and 'component packaging'. However, many organisations are now facing numerous and rapidly evolving changes to their business information lines. It's no longer common for just the 'finance' team to own data relating customer transactions. Flows of data are often temporary too, or perhaps only existing in order to fulfill part of a particular process or primary flow. Organisational structures are littered with 'dotted-lines' reports and overarching project teams, that require temporary access, or access to out sourced applications and services.

Technical Challenges
The introduction of a continued raft of out sourced services and applications (Salesforce.com, Dropbox etc) adds another layer to the complexity, of not only information in general, but IAM information and it's implementation. Accounts need to be created on external directories, with areas such as federation and SSO helping to make 'cloud' based applications become closer to the organisations core. However, those those technical challenges often give way to larger process and management issues too. Issues surrounding ownership, process re-design and accountability need to be accounted for and require effective business buy-in and understanding.

Bring Your Own Device (BYOD) brings another dimension. The data control issues are widely described, but there is an IAM issue here too. How do you manage application provisioning on those devices, and the accounts required to either federate into them or natively authenticate and gain authorisation?

The Answer?
Well like most things, there isn't a quick, technical answer to this evolving area. IAM has long been about business focus and not just security technology. Successful IAM is about enabling the business to do the things they do they best, namely make revenue. Nothing from a technical or operational perspective should interfere with that main aim. As businesses evolve ever more rapidly to utilize out sourced services, 'cloud' based applications and an increasingly reliance on federation and partnerships, IAM must evolve and help to manage the blurring of information flows and structures that underpin the businesses main functions.

@SimonMoffatt

Mandiant Lifts The Lid on APT

2013-02-20T16:54:00.000Z

The claim that China is the root of all evil when it comes to cyber attacks, increased a notch yesterday, when security software specialists Mandiant, released a damning report claiming a sophisticated team of hackers, with suspected connections to the People’s Liberation Army (PLA) and China Communist Party (CCP), had systematically hacked over 140 organisations over a 7 year period.

Why Release The Report?

There have been numerous attempts over the last few years to pin every single cyber-attack onto a group or individual, originating from a Chinese network. Some justified, some not so, but it’s an easy target to pin things against. Many of the claims however, have lacked the detailed technical and circumstantial foundation, to back up the claims and move towards either active defence or proactive prosecution. The Mandiant report – and I really recommend reading it in full to appreciate the level of detail that has been generated – really looks to point the finger, but this time, with a credible amount of detail. The obvious outcome of being so detailed is that the attackers now have a place of reference, from which they can now mobilise further obfuscation techniques. However, the report provides several powerful assets such as address and domain information, as well as malware hashes. This is all useful material in the fight against further attacks.

How Bad Is It?

The detail is eye watering. 141 victims attacked over a 7 year period, with terabytes of data is not a nice read, whatever the contents. The startling fact was simply the scale of the operations upholding the attacks. Not only were the attacks persistent, but the infrastructure required to allow such complex and sustained attacks to take place, covered an estimated 1000 servers with hundreds, if not thousands of operators and control staff. The victim data was equally interesting, with several of the top sectors attacked, being on the industry list for the China 5 year strategic emerging industries plan. This starts to bring questions surrounding ethics, morality, intellectual protection and competitive behaviour too. The data points to a strategic industrial programme to steal and use legal, process, leadership and technical information on a vast scale.

What Happens Now…

The report will no doubt create a lot of split opinion in both the infosec community and also the surrounding political avenues too. The report points to industrial theft on a grand scale. The links to the PLA and CCP are not to be made on a whim and there will be a political response no doubt. From an effective defence perspective, where does it leave us? Well the report contains the practical information that many secops teams can effectively utilise for blacklists and malware identification. The longer term impact may well be unknown at present. The team behind APT1 will obviously apply counter measures, altering their approach and attack vectors. Mandiant themselves may well be at risk of hacking as a result if they were not already.

I think ultimately it goes some way to crystallise the view that long term effective attacks via the internet are common place, sophisticated and long term. They provide an effective way for industrial secrets to be stolen and used, regardless of the levels of software and process protection organisations use.

@SimonMoffatt

The Drivers For Identity Intelligence

2013-02-16T10:42:00.001Z

From the main view of Identity & Access Management 1.0 (I hate the versioning, but I mean the focus on internal enterprise account management as opposed to the newer brand of directory based federated identity management, commonly being called IAM 2.0...), identities have been modeled within a few basic areas.

The 3 Levels of Compliance
'Compliance by Review' (access certification or the checking of accounts and the associated permissions within target systems), 'Compliance by Control' (rules, decision points and other 'checking' actions to maintain a status-quo of policy control) and 'Compliance by Design' (automatic association of entitlements via roles based on the context of the user), probably cover most of the identity management technology available today.

I want to discuss some of the changes and uses of the first area, namely access review. This periodic process, is often used to verify that currently assigned, previously approved permissions are still fit for purpose and match either the business function and risk, or audit and compliance requirements. The two requirements are really the carrot and stick of permissions management. From an operational perspective, automating the access review process has lead to the numerous certification products on the market, that allow for the centralized viewing of account data, neatly correlated to HR feeds, to produce business friendly representations of what needs to be reviewed and by whom.

The Failings of Access Review
The major failing of many access review campaigns is often associated with information overflow, or the lack of context surrounding the information presented for review. For example: asking a non-technical manager to approve complex RACF permissions or Active Directory group names will result in check box compliance, as the manager will be unsure which permissions should be removed. Glossary definitions and incremental style certifications then start to reduce the burden and volume of information made available. Whilst these are nice features, they're really just emphasizing the weakness in this area.

Use Your Intelligence
A commonly heard head teacher berate, is the 'use your brains' or 'use your intelligence' theme when it comes to managing easily distracted or unthinking pupils. The intelligence is often present by default, but not naturally used. The same can be said of access review. To make the review process effective - and by effective I mean actually giving business value, not just complying to a policy - we need to think more about the value of doing it. Instead of focusing on every application and every account and every permission, lets apply some context, meaning and risk to each piece of data. Do you really need to verify every application, or just the ones that contain highly sensitive financial or client data? Do you really need to verify every user account or just the ones associated with users in the team that processes the data. Do you really need to certify every permission, or just the ones that are high risk, or perhaps vary based on the common baseline for that team or role?

Manage Exceptions and Let Average Manage Itself
By focusing on the exceptions, you can instantly remove 80% of the workload, from both an automation and business activities perspective. The exceptions are the items that don't map to the underlying pattern of a particular team, or perhaps have a higher impact or approval requirement. By focusing in this way, you not only lessen the administrative burden, but help to distribute the accountability in to succinct divisions of labour, neatly partitioned and self-contained. If 80% of user permissions in a particular team are identical, capture those permissions into a role, approve that one singular role, then focus the attention on the exceptional entitlements. Ownership of the role, it's contents and applicability, can then be removed from the view of the line manager in a nice demarcation of accountability, resulting in a more streamlined access review process.

Whenever I see a process being re-engineered with neat 'features' or add-ons, I think the time has come to start re-evaluating what is actually happening in the entire process. Improvements in anything are great, but sometimes they are just masking an underlying failure

@SimonMoffatt

Twitter Hack: What It Taught Us

2013-02-04T09:55:00.000Z

Last week Twitter announced that it had been the victim of a hack, that resulted in 250,000 users having their details compromised. Pretty big news. The password details were at least salted, but a 1/4 of a million records is a damaging amount of data to lose. Twitter responded by resetting the passwords of those impacted and revoking session tokens.

Not A Case Of If, But When

The attack again goes to highlight, that cyber attack activity is omnipresent. Regardless of how large the organisational defense mechanism (and you could argue, that the larger the beast, the more prized the kill, but more on that later), it is fair to say that you will be hacked at some point. A remote attacker only needs to be successful once. Just once, out of the thousands of blocked, tracked and identified attacks that occur every hour. Certainly if you're a CISO or infosec manager at a 'large' organisation (regardless of whether it's actively a web service company or not), from a risk and expectations management perspective, it will be beneficial for the organisations long term defense planning, to assume an attack will happen, if it already hasn't. This can help to focus resource on remediation and cleanup activities, to minimize an attack impact from both a data loss angle and also a public relations and brand damage perspective.

Target Definition - If You're Popular, Watch Out

How do you know if you'll be a target? I've talked extensively over the last few months regarding cyber attacks from both an organisational and consumer perspective and the simple start to that series of articles, was that "...any device that connects to the internet is now a potential target..". Quite a basic statement but ultimately far reaching. The 'success' of many cyber attacks is generally being driven by the complexity of how the attack has developed. It is no longer good enough to simply identify a bug on an un-patched system. As good as hackers are, anti-virus, intrusion prevention systems, client and perimeter firewalls, application white listing and kernel level security provide a strong resistance to most basic attacks. Twitter themselves acknowledged that the attack on them "..was not the work of amateurs.." and that they "..do not believe it was an isolated incident.."

The complexity of the Twitter attack, would make you think that the 250,000 accounts that were compromised where not targeted directly, and more would have been lifted if the attack was not stopped. It seems the main driver is simply the fact that Twitter is a massively popular site, with headline grabbing strength. Why are Windows XP and Android malware infections so high? Regardless of underlying technical flaws, it's simply because they are well used. A cyber attack will always gravitate to the path of least resistance, or at least greatest exploit-ability, which will always come from the sheer volume of exposure. Be that number of potential machines to infect, or number of users to expose.

Response & Handling

The underlying technical details of the Twitter attack are yet to be understood, so it's difficult to provide a rational assessment on how well the response was handled. If you separate the attack detection component for a second, the response was to reset passwords (thus rendering the captured password data, worthless), notify those impacted via email and revoke user tokens (albeit not for clients using the OAuth protocol). All pretty standard stuff. From a PR perspective the Twitter blog posted the basic details. I think the public relations aspect is again probably the area that many organisations seem to neglect in times of crisis. This is fairly understandable, but organisations the size of Twitter must realize that they will make significant waves in the headline news and this needs to be managed from a technical, community and media relations perspective.

@SimonMoffatt

Identity Management: Data or Security?

2013-01-31T09:45:00.000Z

I was having a discussion this week with a colleague, regarding identity management transformation projects and how organisations get from the often deep quagmire of complexity, low re-usability and low project success, to something resembling an effective identity and access management (IAM) environment. Most projects start off with a detailed analytics phase, outlining the current 'as-is' state, before identifying the 'to-be' (or not to be) framework. The difference is wrapped up in a gap analysis package, with work streams that help to implement fixes to the identified gaps. Simples right?

IAM Complexity

IAM is renowned for being complex, costly and effort consuming from a project implementation perspective. Why? The biggest difference to for example, large IT transformation projects (thinking enterprise desktop refresh, operating system roll-outs, network changes and so on), is that IAM tends to have stake holders from many different aspects of the business. A new desktop refresh will be ultimately decided by technicians. Business approvers will help govern things like roll out plans and high level use cases, but not the low level implementation decisions. IAM is somewhat different. It impacts not only technical administration of managed resources, but also business processes for things like access requests, new joiners, team changes and so on.

IAM Becomes A Security Issue When It Doesn't Work

IAM is often seen as part of the security architecture framework. This makes total sense. The management of subjects and their access to data objects is all well understood, with loads of different access control mechanisms to choose from (MAC, ABAC, RBAC etc). However, IAM should really be seen more as a business enabler. I always like to pitch IAM as the interface between non-technical business users and the underlying IT systems they need in order to do their jobs. 10-15 years ago, when IAM started to become a major agenda, it was all about directories, (meta, virtual, physical, partial, synced, any more terms..?) and technical integration. "Developing a new app? Whack some groups in an LDAP for your authentication and authorization and you're done". The next step was to develop another layer that could connect multiple directories and databases together and perform multiple account creations (and hopefully removals) simultaneously. Today IAM is more than just technical integration and provisioning speed. It's more about aligning with business processes, organisational team requirements, roles based access control, reporting, compliance and attestation. All of these functional areas have use cases that touch business users more than technical users. However, if those IAM services fail (access misuse, insider threat, hacked privilege account) a security incident occurs.

Think of IAM As Building Data Routes

During the continued discussion with my colleague, he brought up the notion that IAM is really just about data management. The movement of data between silos, in order to get it to it's destination in the most effective and efficient path. IAM data could originate from an authoritative source such as an HR database, before ultimately being transformed into a system account within an LDAP or database. The transformation process will require business understanding (what will the account look like, which roles, permissions, what approvals are required etc) but none-the-less a new piece of data will be created, which requires classification, auditing and reporting. Just the same as a file on a share. By breaking down the entire IAM elephant into bite sized chunks of data creation, transformation and output, you can start to make the implementation process a lot more effective, with re-usable chunks of process and project machinery.

Like with any large scale project, it's often the smallest footprints that make the biggest impact. In the case of IAM, taking small, but smart data management style steps, could be the most effective.

@SimonMoffatt

Sony ICO Fine: Damage Was Already Done

2013-01-24T12:05:00.000Z

This week tech and games giant Sony, was hit with a nifty £250k fine from the UK's Information Commissioners Office (ICO). This was in response to Sony being hacked back in April 2011, in a situation which exposed millions of customer records - including credit card details - for users of the Play Station Network (PSN). The ICO stated that Sony failed to act in accordance with the Data Protection Act, for which as a data controller, it must do, to certain standards of information protection.

The incident itself proved to be a logistical and PR nightmare, costing Sony an estimated $171m in lost revenue, legal and fix up costs. Whilst the fine by the ICO is insignificant to the actual cost of the damage done nearly two years ago, it acts as a timely reminder that every significant data breach by a data controller, will be investigated, with any irregularity identified, and appropriate accountability applied.

The ICO has the ability to fine organisations up to half a million pounds for data controller irregularities, which may seem like small change to the likes of corporate giants such as Sony. However, the ICO has a broad range of users to keep in check, from public sector, education and health care providers, right through to start-ups and corporate machines, where £500k is not insignificant.

The use of the ICO as a security enabler in this case obviously did little, as the breach occurred and the aftermath needed thorough investigation. However, the damage to the Sony brand, customer dissatisfaction and the internal security recovery costs would not have been unknown. All three could and should have been used as a bare metal driver for implementing the appropriate information security steps, such as patching, auditing and management of database security best practises.

Whilst information security is seen as a nice to have, it inevitably has budget restraints to work against, with business justification a constant balancing act to manage. As areas such as information security metrics and security-RoI measures are used to help justify the tangible gains from a succinct information security policy, it is often the intangible damage that can occur from breaches and data loss which is higher.

Whilst intangible costs such as brand damage, confidence levels and user satisfaction are often hard to quantify, that isn't to say they shouldn't be taken into account when analyzing appropriate risk mitigation strategies.

The case with Sony, painfully highlights the financial and brand damage costs a significant data breach can have, which should act as a powerful use case for organisations looking to either reduce or avoid implementing up to date and robust information security practises when it comes to personal or credit card information.

@SimonMoffatt

Security Analytics: Hype or Huge?

2013-01-18T13:54:00.000Z

"Big Data" has been around for a while and many organisations are forging ahead with Hadoop deployments or looking at NoSQL database models such as the opensource MongoDB, to allow for the processing of vast logistical, marketing or consumer lead data sources. Infosec is no stranger to a big approach to data gathering and analytics. SIEM (security information and event monitoring) solutions have long since been focused on centralizing vast amounts of application and network device log data in order to provide a fast repository where known signatures can applied.

Big & Fast

The SIEM vendor product differentiation approach, has often been focused on capacity and speed. Nitro (McAfee's SIEM product) prides itself on it's supremely fast Ada written database. HP's ArcSight product is all about device and platform integration and scalability. The use of SIEM is symptomatic to the use of IT in general - the focus on automation of existing problems, via integration and centralization. The drivers behind these are pretty simple - there is a cost benefit and tangible Return on Investment of automating something in the long term (staff can swap out to more complex, value driven projects, there's a faster turn around of existing problems) whereas centralization, often provides simpler infrastructures to support, maintain and optimize.

The Knowns, Unknowns and Known Unknowns of Security

I don't want to take too much inspiration from George Bush's confusing path of known unknowns, but there is a valid point, that when it comes to protection in any aspect of life, knowing what you're protecting and more importantly, who, or what you are setting protection from, is incredibly important. SIEM products are incredibly useful at helping to find known issues. For example, if a login attempt fails 3 times on a particular application, or the ability to identify traffic going a blacklisted IP address. All characteristics have a known set of values, which help to build up a query. This can develop into a catalog of known queries (aka signatures) which can be applied your dataset. The larger the dataset, the more bad stuff you hope to capture. This is where the three S's of SIEM come in - the sphere, scope and speed of analysis. Deployments want huge datasets, connected to numerous differing sources of information, with the ability to very quickly run a known signature against the data in order to find a match. The focus is on a real-time (or near time) analysis using a helicopter-in a approach. Can this approach be extended further? A pure big-data style approach for security? How can we start to use that vast data set to look for the unknowns?

Benefits to Security

The first area which seems to be gaining popularity is the marrying of SIEM activity data to identity and access management (IAM) data. IAM knows about an individuals identity (who, where and possibly why) as well as that identity's capabilities (who, has access to what?), but IAM doesn't know what that user has actually been doing with their access. SIEM on the other hand, knows exactly what has been going (even with out any signature analytics) but doesn't necessarily know by whom. Start to map activity user id's or IP addresses to real identities stored in an IAM solution and you suddenly have a much wider scope of analysis, and also a lot more context around what you're analyzing. This can help with attempting to map out the 'unknowns' such as fraud and internal and external malicious attacks.

Unknown Use-Cases

Managing the known attacks is probably an easier place to start with. This would involve understanding what metrics or signatures an organisation whats to focus on. Again, this would be driven by a basic asset classification and risk management process. What do I need protecting and what scenarios would result in those assets being threatened? The approach from a security-analytics perspective, is to not be focused on technical silo's. Try to see security originating and terminating across a range of business and technical objects. If a malicious destination IP address is found in a TCP packet picked up via the firewall logs in the SIEM environment, that packet has originated somewhere. What internal host device maps to the source IP address? What operating system is the host device? What common vulnerabilities does that device have? Who is using that device? What is their employee-id, job title or role? Are they a contractor or permanent member of staff? Which systems are the using? Within those systems, what access do they have, was that access approved and what data are they exposed to and so on? Suddenly the picture can be more complex, but also more insightful, especially when attempting to identify the true root cause.

This complex chain of correlated "security big data", can be used in a manner of ways from post-incident analysis and trend analytics as well as for the mapping of internal data to external threat intelligence.

Big data is here to stay and security analytics just needs to figure out the best way to use it.

@SimonMoffatt