This year’s AusCERT is a big gig for the team at earthwave, with Andrew Bycroft presenting BYOD - Bring Your Own Disaster to the main conference on day 2 and, having been reprogrammed, making controversial and incisive comments at the ZDNet BYO Disaster panel session on day 2.
Simon Ractliffe will be hosting the Executive Program on Tuesday 14th and will also be presenting Effective Boardroom Conversations, highlighting tried and tested approaches to securing the budgets and activity required to protect critical assets from denial of service, theft and misuse. The Executive Program brings “world-renowned cyber security experts together with the heads of major Australian organisations, to discuss the management issues of information security, run through hypothetical scenarios, and plan strategies for tackling the overall security of your IT environment”.
This year the team attending AusCERT will be bigger than ever, and we will be leaping into the AusCERT 2012 Star Wars theme by giving away five R2-D2 Droids to delegates who visit the IDG stand and complete our brief security survey.
If you read last week’s blog post, then you would have watched the video showing one of the many ways in which data can be accidentally leaked to persons who are not privy to it. That led us to the first step to solving the data loss problem which is acknowledging that there really is a problem.
CIOs often cringe when they have to raise the topic of Data Loss Prevention (DLP) with their not-so-IT-minded colleagues, because it is a very dry topic. I recently stumbled across a way to make it fun, thanks to a presentation I saw at a recent AISA branch meeting that starts with a humorous video.
Begin by watching the video, then continue reading.
So now that you’ve watched the video and are ready to tackle the topic of data loss with your colleagues, let’s begin with the first of the five steps to resolving the data loss problem:
Step 1: acknowledge that data loss is occurring with minimal effort
Most of us think of data loss as the bad guys getting in to steal sensitive data, as was the case with the PSN hack in 2011, but more often than not it starts with those within an organisation – the so-called trusted user who has the privilege to access the data and either has malicious intent to steal it or accidentally disseminates it, as we just saw in the video above. The sooner organisations acknowledge that loss can occur from within the organisation, the faster the data loss problem can be resolved.
For the remaining 4 steps to resolving the data loss problem, stay tuned for next week’s blog post.
Remember back in the mid 1990’s? There was the concept of the honey pot to catch the bad guys with their sticky fingers in places they were not supposed to be. Of course we then progressed to the honey net, which was a collection, or should I say a swarm, of honey pots. The idea was a good one, but was seldom used because of the extra resources required.
Then about a decade ago the honey pot returned but in a slightly different form – this time unadvertised honey pot mail boxes were set up across the globe by a number of anti-spam vendors with the notion that anyone who deposited mail into one of those mail boxes would be labelled a spammer.
Now, fast forward a decade and a half and the honey pot is set to make a return, but again its form will be slightly different. This time, in fact, it will appear minus the pot. Imagine taking honey and smearing it throughout your network, servers and other infrastructure. Instead of having dedicated servers or networks of servers which looked a little too enticing for their own good and scared away intruders, the idea has evolved to one in which we place a fake salary spreadsheet, a fake customer database or a fake copy of product blueprints amongst the legitimate data, and then my personal favourite – a fake employee. You can create fake employment contracts, phone numbers, profiles and titles, email accounts, user accounts, files and LinkedIn profiles. Anyone who then tries to establish a connection to, or access data residing within, one of these fake resources is clearly up to no good. Placing fake resources in amongst the legitimate resources makes it less obvious that they are in fact a trap to catch out those characters with less than honourable intentions, and also helps detect insider threats. Using existing resources to spread the honey around removes the objections of time and effort associated with building traditional honey pots or honey nets.
So how can you use a little honey in your arsenal of threat detection?
Firstly you need to look at what assets would be appealing to anyone within your organisation or to your biggest competitors, and then create a falsified version of those assets. You would then need to make those assets readily available in the places people would expect them to be. This is achieved by applying privileges or access controls that are weaker than usual, but not so weak that it screams out “honey”. Do not weaken the access control to your legitimate assets, however. Finally, you would need logging or alerting set up to trigger whenever one of the falsified assets is accessed.
This is likely to be one of the simplest ways to know whether the bad guys are in amongst your network and as we have commented before in a previous blog post – it is ok to let people in the door, don’t let them near the crown jewels… but you could let them have the cheap replica.
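The alerting step above, as an added example that is not part of the original post: a small detector that scans audit log lines for any access to a planted decoy file or any use of the fake employee’s account. The log format, decoy paths, account names and the backup/anti-virus service accounts are all constructed for the example; the allowlist exists because those scanners legitimately read every file and would otherwise trip the decoys every night.

```python
"""Decoy-access detector: alert whenever an audit event touches a planted
decoy file or the fake employee's account. All names below are constructed."""
import re
from dataclasses import dataclass

# Constructed inventory of planted decoys (hypothetical paths and account).
DECOY_FILES = {"/shares/finance/salaries_2012.xlsx",
               "/shares/crm/customers_full.csv"}
DECOY_ACCOUNTS = {"j.halloran"}  # the fake employee's user account

# Service accounts that legitimately sweep every file (backup, AV scanner).
# Without this allowlist the decoys would alert on every scheduled job.
EXPECTED_READERS = {"svc_backup", "svc_av"}

# Constructed log format: "<ts> <event> user=<name> [path=<path>] [src=<ip>]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+)"
                    r"(?: path=(?P<path>\S+))?(?: src=(?P<src>\S+))?$")


@dataclass(frozen=True)
class Alert:
    ts: str
    reason: str
    user: str
    detail: str


def parse(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev):
    """Return an Alert if the event touches a decoy, otherwise None."""
    if ev is None:
        return None
    if ev.get("path") in DECOY_FILES and ev["user"] not in EXPECTED_READERS:
        return Alert(ev["ts"], "decoy file accessed", ev["user"], ev["path"])
    if ev["user"] in DECOY_ACCOUNTS:
        # Nobody should ever authenticate as the fake employee.
        src = ev.get("src") or "?"
        return Alert(ev["ts"], "fake employee account used", ev["user"],
                     f"{ev['event']} from {src}")
    return None


def scan(lines):
    """Run every line through the detector and keep the alerts, in order."""
    return [a for a in (check_event(parse(line)) for line in lines) if a]


SAMPLE_LOG = [  # constructed sample audit lines
    "2012-05-14T08:01:02 FILE_READ user=svc_backup path=/shares/finance/salaries_2012.xlsx",
    "2012-05-14T08:15:44 FILE_READ user=a.smith path=/shares/finance/budget_2012.xlsx",
    "2012-05-14T09:02:10 FILE_READ user=a.smith path=/shares/finance/salaries_2012.xlsx",
    "2012-05-14T09:30:00 LOGON_FAIL user=j.halloran src=10.0.0.77",
    "malformed line",
]
```

Running `scan(SAMPLE_LOG)` yields two alerts: a.smith reading the decoy salary sheet and a logon attempt against the fake employee; the backup account’s read and the legitimate budget file produce nothing.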
Just in closing because it is breakfast time… spread a bit of honey around your network, whilst I spread a bit of honey on my toast.
Although we have talked about the Titanic before and used it as an analogy to explain the importance of protection, detection and response, there are some other valuable lessons to be shared. The disaster that occurred a century ago, in April 1912 also provides vital clues to help with selecting a security service provider.
Confidentiality, Integrity and Availability… if you are in the security industry you know that security is defined as having the CIA triad firmly covered. Isn’t it odd though that some security vendors replace the “I” in “Integrity” with “I need to make a sale to hit targets” and then the dollars start appearing before the eyes? Don’t let this dissuade you from purchasing security products though as these will be an important piece of the security solution puzzle. Instead keep your ears tuned and exercise extreme caution if you find a security vendor who has compromised on their integrity and starts letting one or more of the following casually slip into the conversation, and if in doubt seek the guidance of an experienced security service provider who can help you separate the fact from the fiction:
It was inevitable… and only a matter of time before those fancy high tech gadgets that people used for playing games, messaging friends and calling loved ones became the ultimate “on the go” productivity tool – the smartphone. When the premise of coupling this awesome technology with cost cutting emerged, it really was a no-brainer for your organisation to allow staff to buy their own smartphone of choice and bring it to work. Now you have most likely progressed yet another step by allowing employees to bring in their own tablet PCs too.
It was just two years ago that you would commonly see executives proudly tapping out an email on their BlackBerry smartphones. In four years’ time there will be over a billion smartphones sold, and only 25% of these are estimated to be BlackBerry devices. Add to this the increasing demand for tablet devices and it will soon be the case that the number of mobile devices on the planet catches up with the number of humans on the planet.
I just had a meeting with the Finance Manager and Security Manager of a State government agency, and if you are responsible for providing security or signing off requests for security budget in your organisation, I recommend it will be well worth your time to read about my experience.
I was attempting to better understand their business, assets, risks, likely threats and their potential impact so one of the questions I asked the Finance Manager was “What is your ability to detect and respond to threats before your assets are compromised?”.
When a recent customer asked how he would justify security spending and demonstrate security ROI, I answered his question with another question. “When you last purchased your home alarm system did you first stop to calculate its ROI?” I don’t think so. So security is a lot like buying that alarm system. These expenditures don’t have a P&L associated with them. It is simply about risk management. You can’t expect to turn your security department into a profit and loss entity. It’s just not going to happen. However, there are more creative means to communicate with business leaders using analogies and basic English combined with graphical representation of your assets and risks mapped against the impact and likelihood of threats against those assets.