<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>un-earthed</title>
	<atom:link href="http://www.earthwave.com.au/blog/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.earthwave.com.au/blog</link>
	<description>The earthwave blog &#124; Security Services</description>
	<lastBuildDate>Wed, 02 May 2012 05:17:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>“Say hello to my little friend”      earthtsunami at AusCERT 2012</title>
		<link>http://www.earthwave.com.au/blog/index.php/2012/05/say-hello-to-my-little-friend-earthtsunami-at-auscert-2012/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=say-hello-to-my-little-friend-earthtsunami-at-auscert-2012</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2012/05/say-hello-to-my-little-friend-earthtsunami-at-auscert-2012/#comments</comments>
		<pubDate>Wed, 02 May 2012 05:07:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Andrew Bycroft]]></category>
		<category><![CDATA[AusCERT]]></category>
		<category><![CDATA[AusCERT 2012]]></category>
		<category><![CDATA[Bring Your Own Disaster]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[Carlo Minassian]]></category>
		<category><![CDATA[David Kaplan]]></category>
		<category><![CDATA[earthwave]]></category>
		<category><![CDATA[Effective Boardroom Conversations]]></category>
		<category><![CDATA[Executive Program]]></category>
		<category><![CDATA[Rachel Cooke]]></category>
		<category><![CDATA[Simon Ractliffe]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=548</guid>
		<description><![CDATA[This year’s AusCERT is a big gig for the team at earthwave, with Andrew Bycroft presenting BYOD -Bring Your Own Disaster to the main conference on day 2 and having been reprogrammed, will be making controversial and incisive comments at the ZDNet BYO Disaster panel session on day 2. Simon Ractliffe will be hosting the [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.earthwave.com.au/blog/wp-content/uploads/2012/05/R2D2-AusCERT-giveaway-from-earthwave1.jpg"><img class="wp-image-550 alignnone" title="R2D2 AusCERT giveaway from earthwave" src="http://www.earthwave.com.au/blog/wp-content/uploads/2012/05/R2D2-AusCERT-giveaway-from-earthwave1-231x300.jpg" alt="R2D2 AusCERT giveaway from earthwave" width="231" height="300" /></a></p>
<p>This year’s AusCERT is a big gig for the team at earthwave, with Andrew Bycroft presenting <strong>BYOD - Bring Your Own Disaster</strong> to the main conference on day 2 and, having been reprogrammed, making controversial and incisive comments at the <strong>ZDNet BYO Disaster panel session</strong> on day 2.</p>
<p>Simon Ractliffe will be hosting the Executive Program on Tuesday 14th and will also be presenting <strong>Effective Boardroom Conversations</strong> to highlight tried and tested approaches to securing the appropriate budgets and activity required to secure critical assets from denial of service, theft and misuse. The Executive Program brings “world-renowned cyber security experts together with the heads of major Australian organisations, to discuss the management issues of information security, run through hypothetical scenarios, and plan strategies for tackling the overall security of your IT environment”.</p>
<p>This year the team attending AusCERT will be bigger than ever, and we will be leaping into the AusCERT 2012 Star Wars theme by giving away five R2-D2 Droids to delegates who visit the IDG stand and complete our brief security survey.</p>
<p>For more information visit <a title="AusCERT 2012 Conference" href="http://conference.auscert.org.au/conf2012/index.html">http://conference.auscert.org.au/conf2012/index.html</a> or contact earthwave’s Rachel Cooke on +612 8437 9922.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2012/05/say-hello-to-my-little-friend-earthtsunami-at-auscert-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using the CATSAD principle for the second step in solving the data loss problem</title>
		<link>http://www.earthwave.com.au/blog/index.php/2012/05/using-the-catsad-principle-for-the-second-step-in-solving-the-data-loss-problem/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=using-the-catsad-principle-for-the-second-step-in-solving-the-data-loss-problem</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2012/05/using-the-catsad-principle-for-the-second-step-in-solving-the-data-loss-problem/#comments</comments>
		<pubDate>Tue, 01 May 2012 05:59:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Inside Threats]]></category>
		<category><![CDATA[Managed Security Services]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[CATSAD]]></category>
		<category><![CDATA[data classification]]></category>
		<category><![CDATA[data lifecycle management]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[DLP]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=541</guid>
		<description><![CDATA[If you read last week’s blog post, then you would have watched the video showing one of the many ways in which data can be accidentally leaked to persons who are not privy to it. That led us to the first step to solving the data loss problem which is acknowledging that there really is [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.earthwave.com.au/blog/wp-content/uploads/2012/05/catsad.jpg"><img class="alignnone  wp-image-546" title="CATSAD" src="http://www.earthwave.com.au/blog/wp-content/uploads/2012/05/catsad.jpg" alt="CATSAD" width="295" height="456" /></a></p>
<p>If you read <a title="last week's blog post" href="../index.php/2012/04/5-steps-to-resolving-the-data-loss-problem/">last week’s blog post</a>, then you would have watched the video showing one of the many ways in which data can be accidentally leaked to persons who are not privy to it. That led us to the first step to solving the data loss problem which is acknowledging that there really is a problem.</p>
<p>Now here is the next step:</p>
<p><span id="more-541"></span></p>
<p><strong>Step 2: Classify the data using the CATSAD principle</strong></p>
<p>That pouty pussy above should help you remember the acronym <strong>CATSAD</strong>, which is used to determine where data is in its lifecycle and to classify it:</p>
<ul>
<li><strong>C</strong>reation
<ul>
<li>When was the data created?</li>
<li>Why was the data created?</li>
<li>Who is the custodian of that data?</li>
</ul>
</li>
<li><strong>A</strong>pplication
<ul>
<li>What is the purpose of the data?</li>
<li>What application was used to create the data?</li>
<li>Who will access the data?</li>
</ul>
</li>
<li><strong>T</strong>ransport
<ul>
<li>To whom can the data be sent?</li>
<li>On what media can the data be transported?</li>
<li>Does the data need to be encrypted?</li>
</ul>
</li>
<li><strong>S</strong>torage
<ul>
<li>Where does the data live when not in transit?</li>
<li>For how long does the data need to be stored?</li>
<li>Does the data need to be encrypted?</li>
</ul>
</li>
<li><strong>A</strong>rchival
<ul>
<li>When does the data need to be archived and to where?</li>
<li>For how long does the data need to be archived?</li>
<li>Does the data need to be encrypted?</li>
</ul>
</li>
<li><strong>D</strong>estruction
<ul>
<li>For how long is the data useful?</li>
<li>Can the data be deleted?</li>
<li>Does any of the media carrying the data need to be physically destroyed?</li>
</ul>
</li>
</ul>
<p>Looking at the amount of effort required at each stage of the lifecycle and where the data is in its lifecycle, it becomes much easier to classify the data and assign it a:</p>
<ul>
<li>Criticality: what impact would this have if lost or breached?</li>
<li>Sensitivity: who would be impacted if lost or breached?</li>
<li>Value: what is the data worth to your organisation and what is it worth outside of your organisation?</li>
</ul>
<p>Classification of data only works when all the data has been classified. If you are struggling to identify all of your data then a <a title="risk assessment" href="../../professional-security-services/risk-assessment/">risk assessment</a> will be necessary.</p>
<p>Next week we’ll look at the third step of solving the data loss problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2012/05/using-the-catsad-principle-for-the-second-step-in-solving-the-data-loss-problem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>5 steps to resolving the data loss problem</title>
		<link>http://www.earthwave.com.au/blog/index.php/2012/04/5-steps-to-resolving-the-data-loss-problem/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=5-steps-to-resolving-the-data-loss-problem</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2012/04/5-steps-to-resolving-the-data-loss-problem/#comments</comments>
		<pubDate>Thu, 26 Apr 2012 22:30:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Inside Threats]]></category>
		<category><![CDATA[Managed Security Services]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[inside threats]]></category>
		<category><![CDATA[sensitive information]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=529</guid>
		<description><![CDATA[CIOs often cringe when having to embrace the topic of Data Loss Prevention (DLP) with their not so IT minded colleagues considering it is a very dry topic, but then I recently stumbled across a way to make it fun, thanks to a presentation I saw at a recent AISA branch meeting that starts with [...]]]></description>
			<content:encoded><![CDATA[<p>CIOs often cringe when having to embrace the topic of Data Loss Prevention (DLP) with their not-so-IT-minded colleagues, considering it is a very dry topic, but I recently stumbled across a way to make it fun, thanks to a presentation I saw at a recent AISA branch meeting that starts with a humorous video.</p>
<p>Begin by watching the video, then continue reading.</p>
<p>
<div style='padding:0;margin:0; border:0;'><video id='hana_flv_media_1' width='480' height='271' poster='http://www.earthwave.com.au/blog/wp-content/uploads/2012/08/bridgestone-tire-reply-all-extended_1.jpg' src='http://www.earthwave.com.au/blog/wp-content/uploads/2012/04/all-reply-email.mp4'
			preload='true'  controls='controls'></video></div>

</p>
<p>So now that you&#8217;ve watched the video and are ready to tackle the topic of data loss with your colleagues, let&#8217;s begin with the first of the five steps to resolving the data loss problem:</p>
<p><strong>Step 1: acknowledge that data loss is occurring with minimal effort</strong></p>
<p>Most of us think of data loss as the bad guys getting in to steal sensitive data, as was the case with the PSN hack in 2011, but more often than not it starts with those within an organisation &#8211; the so-called trusted user who has the privilege to access the data and either has malicious intent to steal that data or accidentally disseminates the data, as we just saw in the video above. The sooner organisations acknowledge that loss can occur from within the organisation, the faster the data loss problem can be resolved.</p>
<p>For the remaining 4 steps to resolving the <a title="data loss" href="http://www.earthwave.com.au/managed-security-services/">data loss</a> problem, stay tuned for next week&#8217;s blog post.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2012/04/5-steps-to-resolving-the-data-loss-problem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.earthwave.com.au/blog/wp-content/uploads/2012/04/all-reply-email.mp4" length="11935543" type="video/mp4" />
		</item>
		<item>
		<title>What happens when the honey gets out of the pot&#8230;</title>
		<link>http://www.earthwave.com.au/blog/index.php/2012/04/what-happens-when-the-honey-gets-out-of-the-pot/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=what-happens-when-the-honey-gets-out-of-the-pot</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2012/04/what-happens-when-the-honey-gets-out-of-the-pot/#comments</comments>
		<pubDate>Wed, 18 Apr 2012 22:30:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Inside Threats]]></category>
		<category><![CDATA[Intrusion Prevention System]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[assets]]></category>
		<category><![CDATA[counter threat operations]]></category>
		<category><![CDATA[honey net]]></category>
		<category><![CDATA[honey pot]]></category>
		<category><![CDATA[offensive security]]></category>
		<category><![CDATA[proactive security]]></category>
		<category><![CDATA[real-time monitoring]]></category>
		<category><![CDATA[real-time security]]></category>
		<category><![CDATA[security monitoring]]></category>
		<category><![CDATA[threat detection]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=507</guid>
		<description><![CDATA[Remember back in the mid 1990’s? There was the concept of the honey pot to catch the bad guys with their sticky fingers in places they were not supposed to be. Of course we then progressed to the honey net, which was a collection or should I say a swarm, of honey pots. The idea [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.earthwave.com.au/blog/wp-content/uploads/2012/04/honey.jpg"><img class="alignnone size-full wp-image-508" title="honey" src="http://www.earthwave.com.au/blog/wp-content/uploads/2012/04/honey.jpg" alt="honey" width="245" height="409" /></a></p>
<p>Remember back in the mid-1990s? There was the concept of the honey pot to catch the bad guys with their sticky fingers in places they were not supposed to be. Of course we then progressed to the honey net, which was a collection, or should I say a swarm, of honey pots. The idea was a good one, but was seldom used just because of the extra resources required.</p>
<p>Then about a decade ago the honey pot returned but in a slightly different form – this time unadvertised honey pot mail boxes were set up across the globe by a number of anti-spam vendors with the notion that anyone who deposited mail into one of those mail boxes would be labelled a spammer.</p>
<p>Now, fast forward a decade and a half and the honey pot is set to make a return, but again its form will be slightly different. This time, in fact, it will appear minus the pot. Imagine taking honey and smearing it throughout your network, servers and other infrastructure. Instead of having dedicated servers or networks of servers which looked a little too enticing for their own good and scared away intruders, now the idea has evolved to one in which we will have a fake salary spreadsheet or fake customer database or a fake copy of product blueprints amongst the legitimate data, and then my personal favourite – a fake employee. You can create fake employment contracts, phone numbers, profiles and titles, email accounts, user accounts, files and LinkedIn profiles. Anyone who then tries to establish a connection to, or access data residing within, one of these fake resources is clearly up to no good. Placing fake resources in amongst the legitimate resources makes it less obvious that they are in fact a trap to catch out those characters with less than honourable intentions, and will also help detect insider threats. The utilisation of existing resources to spread the honey around will remove the objections of time and effort associated with building traditional honey pots or honey nets.</p>
<p>So how can you use a little honey in your arsenal of threat detection?</p>
<p>Firstly you need to look at what assets would be appealing to anyone within your organisation or your biggest competitors and then create a falsified version of those assets. You would then need to make those assets readily available in the places people would expect them to be. This is achieved by applying privileges or access controls that are weaker than usual, but not so weak that it screams out “honey”. Do not weaken the access control to your legitimate assets, however. You would then need logging or alerting set up to trigger when one of the falsified assets is accessed.</p>
<p>This is likely to be one of the simplest ways to know whether the bad guys are in amongst your network and as we have commented before in a previous blog post – it is ok to let people in the door, don’t let them near the crown jewels… but you could let them have the cheap replica.</p>
<p>Just in closing because it is breakfast time&#8230; spread a bit of honey around your network, whilst I spread a bit of honey on my toast.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2012/04/what-happens-when-the-honey-gets-out-of-the-pot/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3 century old lessons on selecting the best security service provider</title>
		<link>http://www.earthwave.com.au/blog/index.php/2012/04/3-century-old-lessons-on-selecting-the-best-security-service-provider/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=3-century-old-lessons-on-selecting-the-best-security-service-provider</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2012/04/3-century-old-lessons-on-selecting-the-best-security-service-provider/#comments</comments>
		<pubDate>Tue, 10 Apr 2012 22:47:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Choosing a Service Provider]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[experience]]></category>
		<category><![CDATA[flexibility]]></category>
		<category><![CDATA[size]]></category>
		<category><![CDATA[stability]]></category>
		<category><![CDATA[threat intelligence alliance]]></category>
		<category><![CDATA[visibility]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=502</guid>
		<description><![CDATA[Although we have talked about the Titanic before and used it as an analogy to explain the importance of protection, detection and response, there are some other valuable lessons to be shared. The disaster that occurred a century ago, in April 1912 also provides vital clues to help with selecting a security service provider. Titanic [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_503" class="wp-caption alignnone" style="width: 253px"><a href="http://www.earthwave.com.au/blog/wp-content/uploads/2012/04/size-does-matter.jpg"><img class="size-full wp-image-503" title="size-does-matter" src="http://www.earthwave.com.au/blog/wp-content/uploads/2012/04/size-does-matter.jpg" alt="size-does-matter" width="243" height="342" /></a><p class="wp-caption-text">Bigger is not always better</p></div>
<p>Although we have talked about the Titanic before and used it as an analogy to explain the importance of protection, detection and response, there are some other valuable lessons to be shared. The disaster that occurred a century ago, in April 1912 also provides vital clues to help with selecting a security service provider.</p>
<p><span id="more-502"></span>Titanic was the most luxurious, richly appointed ship you could find a century ago.</p>
<p>The following three lessons will help you select the best security service provider you can find today.</p>
<ul>
<li>“Big” and “stable” are often considered synonymous, but we know that is not always the case. Titanic, the largest ship of its time appeared to be the ultimate object of stability as it steamed across the Atlantic Ocean. Unstoppable because of its sheer size, yet somehow still vulnerable – not just due to poorly constructed iron rivets which became brittle at sub zero temperatures but because the bigger it was the harder it was to manoeuvre and adapt to changes in course. Large security service providers also lack the ability to quickly adapt to changes in course, and let’s face it, the security market is constantly changing. Sometimes you need to think small in order to get big results. earthwave is able to tailor services specifically to meet its customers’ needs. Selecting a large security service provider because big is confused with stable, could result in your organisation sinking.</li>
<li>Titanic’s lookouts were not equipped with binoculars. The end result, as we know, is that the iceberg was not seen early enough. Vision was severely impaired due to a lack of necessary tools, and many security service providers also have impaired vision. At best, they see simple and well known threats  but don’t have the knowledge or tools to discern more stealthy attacks, multi stage attacks or the suspicious activity that could be a zero day threat.  Visibility is key to being able to identify threats well ahead of disaster. Greater intelligence improves visibility of what lies ahead and allows proactive decisions to change course. earthwave’s <a title="Threat Intelligence Alliance" href="http://www.earthwave.com.au/about-us/threat-intelligence-alliance/">Threat Intelligence Alliance</a> is an example of how gathering multiple streams of intelligence provides the greatest visibility at times when it is needed. Putting your faith in a security service provider without the necessary tools will make for an icy relationship ahead when a breach occurs.</li>
<li>One of the sagas which contributed to so many lives being lost on that fateful night was the lack of training provided to the crew to handle unexpected events. As a result there were lifeboats sent adrift with only a handful of passengers when the boats were stress tested and proven to be able to withstand a capacity of more than 60 adults each. A poorly trained security service provider will also struggle outside the realm of normal conditions, which will result in more assets perishing when a full scale attack is launched. A good security services provider will not only have well trained staff but those with the experience to remain calm and methodical when addressing an unexpected event. Sometimes, despite all precautions, maritime disasters happen; sometimes, despite the right people, processes and technology in place, security threats actually result in breaches and clearly, the comfort factor is greatest with the security service provider who has the plans, skills and expertise to respond and limit the loss. earthwave’s watch, response and forensics teams, collectively, have several centuries of experience. A poorly trained security service provider may be just fine, until you need to keep your head above water when the unavoidable breaches occur.</li>
</ul>
<p>Just as the Titanic never had a second chance to complete its voyage across the Atlantic Ocean, you will also be denied a second chance if selecting a security services provider that does not offer agility, visibility and considerable experience.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2012/04/3-century-old-lessons-on-selecting-the-best-security-service-provider/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 things that some security vendors may say which should be met with caution</title>
		<link>http://www.earthwave.com.au/blog/index.php/2012/04/10-things-that-some-security-vendors-may-say-which-should-be-met-with-caution/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=10-things-that-some-security-vendors-may-say-which-should-be-met-with-caution</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2012/04/10-things-that-some-security-vendors-may-say-which-should-be-met-with-caution/#comments</comments>
		<pubDate>Tue, 03 Apr 2012 02:48:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Choosing Products]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[benefit]]></category>
		<category><![CDATA[datasheet]]></category>
		<category><![CDATA[feature]]></category>
		<category><![CDATA[independent review]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[product]]></category>
		<category><![CDATA[security vendor]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=495</guid>
		<description><![CDATA[Confidentiality, Integrity and Availability… if you are in the security industry you know that security is defined as having the CIA triad firmly covered. Isn’t it odd though that some security vendors replace the “I” in “Integrity” with “I need to make a sale to hit targets” and then the dollars start appearing before the [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.earthwave.com.au/blog/wp-content/uploads/2012/04/blinded-by-money.jpg"><img class="wp-image-496 alignnone" title="blinded-by-money" src="http://www.earthwave.com.au/blog/wp-content/uploads/2012/04/blinded-by-money.jpg" alt="blinded-by-money" width="226" height="310" /></a></p>
<p>Confidentiality, Integrity and Availability… if you are in the security industry you know that security is defined as having the CIA triad firmly covered. Isn’t it odd though that some security vendors replace the “I” in “Integrity” with “I need to make a sale to hit targets” and then the dollars start appearing before the eyes? Don’t let this dissuade you from purchasing security products though as these will be an important piece of the security solution puzzle. Instead keep your ears tuned and exercise extreme caution if you find a security vendor who has compromised on their integrity and starts letting one or more of the following casually slip into the conversation, and if in doubt seek the guidance of an experienced security service provider who can help you separate the fact from the fiction:</p>
<p><span id="more-495"></span></p>
<p><strong>1.       </strong><strong>This product will solve all of your security problems. </strong></p>
<p>Wishful thinking! There are no magic potions or silver bullets. Even multi-function products such as Unified Threat Management (UTM) that can do a lot in a single package still cannot solve every <a href="../../professional-security-services/">security problem</a>. You will always need a combination of multiple pieces of technology; multiple processes &#8211; such as security and usage policies; and people – skilled and experienced, of course, for a complete security solution, despite what you may hear.</p>
<p><strong>2.       </strong><strong>We have more signatures than anyone else. </strong></p>
<p>This may be true and it may be followed up by the vendor with “more is better”, however, regardless of whether it is virus signatures, IPS signatures or even application signatures which are now common on next generation firewall and IPS type products, ask your vendor how many of those signatures are useful. Chances are they will claim all of them to be useful, but you know better. Ask yourself: how useful to you is a virus signature for a virus that has not been in the wild for 10 years or an application signature for Internet Explorer version 4 when your organisation has standardised on Internet Explorer version 8? It is always better to make a judgement on the quality of signatures rather than the quantity.</p>
<p><strong>3.       </strong><strong>Our products have come out on top in an independent review. </strong></p>
<p>Elements of truth could be at play here. After all, a review not done by the vendor themselves is independent. But of course there are caveats. Did the vendor influence the review at all? Paying a third party to give you a glowing review is not exactly unbiased. Also look beyond the vendor and also consider the integrity of the reviewer. How thorough was the review? Was the product itself reviewed or just the product datasheet? Do not look for independent third party reviews, but independent and unbiased third party reviews.</p>
<p><strong>4.       </strong><strong>Nobody else has this great feature. </strong></p>
<p>Whilst this may be true, chances are that another vendor is just a few moments away from being able to provide that feature. Also you should be asking whether that so called unique feature is actually useful. Having a product with all the features is still only as good as the features you will actually use. A better approach is to count the benefits to you rather than the features available.</p>
<p><strong>5.       </strong><strong>That feature is on the roadmap.</strong></p>
<p>I think this is the typical response when a vendor’s product does not have a specific feature that a prospect is enquiring about. This is certainly great if it is true, but I think more often than not, unless that feature is being requested by multiple clients in multiple industries and in multiple countries and can yield the vendor a large number of additional sales, then chances are it may never become a standard feature. It may remain on a roadmap forever. If the vendor can’t commit to a delivery schedule for that feature then don’t be so sure that the product will include the feature anytime soon.</p>
<p><strong>6.       </strong><strong>Our product is Next Generation.</strong></p>
<p>It must be good if it is Next Generation. The problem with this is it is just a label that can be slapped on any minor product revision. A true Next Generation product is one that has a fundamental departure from the normal way of thinking and normal way of working to produce a superior result.</p>
<p><strong>7.       </strong><strong>Our solution is in the cloud.</strong></p>
<p>Like Next Generation, Cloud is another buzz word that vendors will throw around to impress. Be careful because it could mean anything from a single piece of oversubscribed technology hosted in a dark and dingy corner of a second rate data centre to a full blown true cloud with redundant solutions across multiple data centres. The latter holds a lot more appeal.</p>
<p><strong>8.       </strong><strong>It is so simple to deploy.</strong></p>
<p>Have you ever heard a vendor tell you that their product is so complex that it will involve a huge learning curve and a year to deploy? No, of course not, but in some cases this may actually be the truth. Complexity is often hidden behind the words – powerful, flexible and scalable. Also, don’t assume that training will solve the problem. Training gives you expertise, but not experience. The two are worlds apart.</p>
<p><strong>9.       </strong><strong>We have 100% accuracy.</strong></p>
<p>Such a bold claim! We’re all human; not one of us is perfect, which means if we leave ourselves with no room for error, we will surely fail. Never trust anyone who claims to always be right. 100% accuracy would be nice to have but over the longer term will not be achievable. Look for more realistic service levels such as 99.9 or 99.99% and for the extremely confident perhaps 99.999%.</p>
<p><strong>10.      </strong><strong>It’s on the datasheet.</strong></p>
<p>Speeds, feeds, and all sorts of technical goodies are there on the datasheets, but there are two problems. Firstly, the data sheets are often created by marketing experts who do not speak the same language as the technical and development experts giving rise to information on datasheets often being misconstrued. The second problem is that the performance metrics on data sheets are often based on tests in a lab environment. This means that 10Gbps number was probably created with small packets of data going downhill with the wind behind them. Always seek clarification of the datasheet specifications in order to avoid a case of overpromise and under deliver.</p>
<p>Always challenge the vendor in any of these circumstances for clarity and integrity before you purchase, and seek guidance from trusted third party experts, if ever in doubt… otherwise your confidentiality, integrity and availability may include a costly product which does not deliver on its promises.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2012/04/10-things-that-some-security-vendors-may-say-which-should-be-met-with-caution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BYOD: phones got smarter; organisations got dumber</title>
		<link>http://www.earthwave.com.au/blog/index.php/2012/03/byod-phones-got-smarter-organisations-got-dumber/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=byod-phones-got-smarter-organisations-got-dumber</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2012/03/byod-phones-got-smarter-organisations-got-dumber/#comments</comments>
		<pubDate>Thu, 22 Mar 2012 02:07:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Inside Threats]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[3G]]></category>
		<category><![CDATA[4G]]></category>
		<category><![CDATA[bring your own device]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[connected]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[QR codes]]></category>
		<category><![CDATA[smartphone]]></category>
		<category><![CDATA[tablet]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=487</guid>
		<description><![CDATA[It was inevitable… and only a matter of time before those fancy high tech gadgets that people used for playing games, messaging friends and calling loved ones became the ultimate “on the go” productivity tool – the smartphone. When the premise of coupling the awesome technology with the process of cost cutting emerged then it [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.earthwave.com.au/blog/wp-content/uploads/2012/03/BYOD.jpg"><img class=" wp-image-477 alignnone" title="BYOD" src="http://www.earthwave.com.au/blog/wp-content/uploads/2012/03/BYOD.jpg" alt="BYOD" width="386" height="217" /></a></p>
<p>It was inevitable… and only a matter of time before those fancy high tech gadgets that people used for playing games, messaging friends and calling loved ones became the ultimate “on the go” productivity tool – the smartphone. When the premise of coupling the awesome technology with the process of cost cutting emerged then it really was a no brainer for your organisation to allow staff to buy their own smartphone of choice and bring it to work. Now you have most likely progressed yet another step by allowing employees to bring in their own tablet PCs too.<span id="more-487"></span></p>
<p>In a world where results seem to be measured by how productive you are and how connected you are, <a title="BYOD" href="http://www.earthwave.com.au/security-aas/services/mobile-device-management-aas/">BYOD</a> ticks all the boxes, paving the way for the perfect business culture, but there is a downside to a highly productive, connected workplace forged by BYOD – it can also bring headaches in the form of blurred lines around custody of data, understanding of security issues and ownership of security issues. These headaches have serious ramifications for any organisation that has adopted or is about to adopt a BYOD approach.</p>
<p>Whichever way a BYOD user interfaces with a mobile device or uses that device to connect with other devices or people, there are potential security issues at play, brought about by “connection” features such as:</p>
<ul>
<li>WiFi: although not a new technology, most mobile technologies implement 802.11 WiFi and should have the same policies applied as any other WiFi capable corporate owned device.</li>
<li>Bluetooth: this may be a short range communication service but it is also short on security. Data loss via Bluetooth is common unless adequate authentication and access control strategies are put into play.</li>
<li>3G/4G: this should be one of the greatest nightmares for an organisation because not only can data escape over high speed data communications networks, there is no ability to control it when it leaves your organisation’s data network and traverses the telecommunications carrier data network.</li>
<li>SMS/MMS: texting is popular and though limited in size, data loss and spam are nevertheless real threats.</li>
<li>Email: once again this is not a new threat medium but it will broaden the scope of email security to include anti spam and data loss prevention for mobile email capable devices.</li>
<li>Web: Though the real estate for viewing web pages is diminished on a smartphone, security threats don’t care about that. As browsers become more feature rich and web sites become more mobile friendly threats will ensue.</li>
<li>IM: mobile devices now make it easier to use IM for texting or chatting at any hour of the day meaning that data loss could happen at any hour of the day.</li>
<li>Social Media: it amazes me what finds its way onto social media. In between the cat being desexed and enjoying a Barossa Valley red last night could be a posting of sensitive information.</li>
<li>Applications: how many of those apps may have hidden Trojans which are leaking information back to their creators?</li>
<li>Memory cards: smaller in size but greater in capacity, these offer lots of space to leak sensitive information or introduce new threats from home networks where security is lacking.</li>
<li>Camera: photos and videos are easier than ever to shoot on mobile devices nowadays and hold huge potential for capture of sensitive information with the possibility of data loss.</li>
<li>QR codes: those funky square bar code like images that have found their way onto business cards, billboards and loyalty cards from trendy cafes offer the potential to inject malicious code or steal data from a mobile device.</li>
<li>Voice: last, but not least, there is always the old school way of calling someone and disseminating top secret information.</li>
</ul>
<p>How many of these does your organisation have a handle on? Will you really save money by allowing staff to supply their own technology? If your organisation has adopted BYOD for smartphones and tablets without considering the above security issues, then suffice to say your organisation just got a little dumber.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2012/03/byod-phones-got-smarter-organisations-got-dumber/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is BYOD more trouble than it is worth?</title>
		<link>http://www.earthwave.com.au/blog/index.php/2012/03/is-byod-more-trouble-than-it-is-worth/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=is-byod-more-trouble-than-it-is-worth</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2012/03/is-byod-more-trouble-than-it-is-worth/#comments</comments>
		<pubDate>Tue, 13 Mar 2012 06:49:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Inside Threats]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[BlackBerry]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[mobile device security]]></category>
		<category><![CDATA[smartphone security]]></category>
		<category><![CDATA[tablet security]]></category>
		<category><![CDATA[Windows phone]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=469</guid>
		<description><![CDATA[It was just two years ago that you would commonly see executives proudly tapping out an email on their BlackBerry smartphones. In four years’ time there will be over a billion smartphones sold and only 25% of these are estimated to be BlackBerry devices. Then add to this the increasing demand for tablet devices and [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.earthwave.com.au/blog/wp-content/uploads/2012/03/iphone_vs_android1.jpg"><img class=" wp-image-477 alignnone" title="BYOD" src="http://www.earthwave.com.au/blog/wp-content/uploads/2012/03/iphone_vs_android1.jpg" alt="BYOD" width="347" height="259" /></a></p>
<p>It was just two years ago that you would commonly see executives proudly tapping out an email on their BlackBerry smartphones. In four years’ time there will be over a billion smartphones sold and only 25% of these are estimated to be BlackBerry devices. Then add to this the increasing demand for tablet devices and it will soon be the case that the number of mobile devices on the planet catches up to the number of humans on the planet.</p>
<p><span id="more-469"></span></p>
<p>In 2012, for the first time in history, information security is being redefined as the number of mobile devices owned by corporates is being eclipsed by the number of mobile devices owned by employees.</p>
<p>This leaves us with two interesting and potentially challenging questions to answer:</p>
<ol>
<li>What is the impact on corporate security as mobile devices not designed with corporate security in mind become dominant?</li>
<li>What is the impact on corporate security as ownership of mobile devices moves from the corporate to the employee?</li>
</ol>
<p>BlackBerry has faced tough competition from the likes of Apple and Google, and not to be defeated, Microsoft has recently launched its Windows phone helping breathe new life into the once dominant mobile phone manufacturer, Nokia. Long gone are the days of a single operating system across all devices in an organisation. This means that there is a growing number of devices and operating systems to support which are built around features, functionality and applications. Four years ago there was no AppStore – now there have been more than 15 billion app downloads from Apple’s AppStore alone and as you may have guessed these apps have most likely been written with very little regard to security.</p>
<p>Apps are everywhere and so are devices and the data that is created or stored on these devices. This means security needs to be everywhere. Corporate security has traditionally remained within the confines of an organisation but now needs to follow the corporate data that lives on mobile devices.</p>
<p>Throw into the ring the fact that the devices and many of the applications on those devices may belong to the employees of organisations which support <a title="Bring Your Own Device" href="http://www.earthwave.com.au/security-aas/services/mobile-device-management-aas/">Bring Your Own Device</a> (BYOD) policies and the responsibility of who maintains and secures the devices and apps becomes fuzzy. If you thought that was a big headache, get ready for a migraine when you, as an Information Security specialist in your organisation, get into quandaries about who owns the data, how to control which apps may be used on corporate networks and how to stop corporate data being stored in non-secure public clouds offered by mobile device vendors. Could BYOD simply be more trouble than it is worth?</p>
<p>If that sounds like a real headache to you then I suggest stocking up on pain relief, because throughout the remainder of this decade the role of information security will be redefined from deciding whether to trust employees to deciding whether to trust employees, devices, applications and data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2012/03/is-byod-more-trouble-than-it-is-worth/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You really don&#8217;t have much covered at all do you?</title>
		<link>http://www.earthwave.com.au/blog/index.php/2011/12/you-really-dont-have-much-covered-at-all-do-you/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=you-really-dont-have-much-covered-at-all-do-you</link>
		<comments>http://www.earthwave.com.au/blog/index.php/2011/12/you-really-dont-have-much-covered-at-all-do-you/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 06:06:45 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Case Study]]></category>
		<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Intrusion Prevention System]]></category>
		<category><![CDATA[Managed Security Services]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.earthwave.com.au/blog/?p=461</guid>
		<description><![CDATA[I just had a meeting with the Finance Manager and Security Manager of a State government agency and I recommend that if you are responsible for providing security or signing off requests for security budget in your organisation it will be well worth your time to read about my experience. I was attempting to better [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.earthwave.com.au/blog/wp-content/uploads/2011/12/managed-security-services.jpg"><img class="alignnone size-medium wp-image-462" title="managed security services" src="http://www.earthwave.com.au/blog/wp-content/uploads/2011/12/managed-security-services-300x169.jpg" alt="managed security services" width="300" height="169" /></a></p>
<p>I just had a meeting with the Finance Manager and Security Manager of a State government agency and I recommend that if you are responsible for providing security or signing off requests for security budget in your organisation it will be well worth your time to read about my experience.</p>
<p>I was attempting to better understand their business, assets, risks, likely threats and their potential impact so one of the questions I asked the Finance Manager was &#8220;What is your ability to detect and respond to threats before your assets are compromised?&#8221;.</p>
<p><span id="more-461"></span></p>
<p>The Security Manager jumped in and said &#8220;We have got all that covered.&#8221; I asked &#8220;Can you please elaborate?&#8221;</p>
<p>She said &#8220;Well we have an <a title="Intrusion Prevention System" href="http://www.earthwave.com.au/managed-security-services/">Intrusion Prevention system</a>, we log everything and we use a Security Information and Event Management tool amongst other things.&#8221;</p>
<p>At this point I knew I had work to do to help them understand the reality of their situation.</p>
<p>&#8220;If you don&#8217;t mind I would like to run through a few basic scenarios and see if you&#8217;re able to detect and respond against them.&#8221; I said. She said &#8220;Go ahead&#8221;.</p>
<p>1)  &#8220;If I was to drop 20 USB&#8217;s around your office and car park with the file name &#8220;StateGovernmentSalaries.exe&#8221; how many of your staff would pick it up, stick it in their PC and click on the file?&#8221;</p>
<p>She said &#8220;Probably all of them.&#8221; During our risk assessments the best case we have had is about 65%; meaning, in all other cases more than 65% of people plugged it in to their PC and clicked on the file which is programmed to connect back to the CIO&#8217;s office and identify who logged on and from which PC.  This could easily be laced with modern malware.</p>
<p>2) &#8220;If a workstation or a server in your environment was remotely being controlled, would you know?&#8221; She said &#8220;No.&#8221; &#8211; the earthwave Security Operations Centre identifies 4-6 such incidents per client on average per month. In many of these cases data is going off-shore through the Firewall and IPS using common Firewall ports.  It all looks like normal traffic.</p>
<p>3) &#8220;If your Email or Network Administrator was reading your email or that of the CEO and other board members every night would you know?&#8221; the Finance Manager looked at the Security Manager.</p>
<p>She shook her head from side to side.</p>
<p>4) &#8220;If someone was logged on locally to the network using your login but you hadn&#8217;t even come to work yet, would you know?&#8221; Again she said &#8220;No.&#8221; I said, &#8220;How about if you were logged on twice, once from home and once locally? How could you be in two places at the same time?&#8221; She said &#8220;No.&#8221;</p>
<p>5) &#8220;If your staff or other managers were taking work home and saving it on the home shared computer in the My Documents folder would you know? Furthermore, would you know if that folder was being shared on a peer to peer file sharing network by one of the kids and consequently this information was able to be leaked on to the Internet?&#8221; She said &#8220;No.&#8221;</p>
<p>6) &#8220;How about if one of your staff was about to leave and had been sending out their CV, copying sensitive files to USB, printing documents after 6pm, emailing or FTP&#8217;ing files out of the company, etc?&#8221;</p>
<p>She said &#8220;No.&#8221;</p>
<p>Finally I said, &#8220;Let me now use a basic technical example. If someone conducted reconnaissance on your DNS server (which was logged in the DNS server logs), followed by a port scan against your network perimeter (which was logged by the Firewall) and then they launched some well-known exploit against your Web or SQL server (which triggers an IPS alert). In such an example what is your ability to detect and respond to such a threat?&#8221; She said &#8220;None.&#8221;</p>
<p>By now the Finance Manager had enough and turned to the Security Manager and said &#8220;You really don&#8217;t have much covered at all do you?&#8221;</p>
<p>I said &#8220;The FBI, CIA, NSA, RSA, Sony, and the Pentagon, with all of their might and resources were all breached this year and some more than once. Do you really think you have it all covered better than them?&#8221; She said &#8220;No.&#8221;</p>
<p>To my surprise at this point, the Finance Manager turned to her and said &#8220;I want you to listen to them and buy what they&#8217;re selling because you don&#8217;t seem to know what you&#8217;re talking about.&#8221; She said &#8220;Yes.&#8221;</p>
<p>He was obviously annoyed to express himself in that way but the thought that went through my head was &#8220;I wish all customers were this easy to convert.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.earthwave.com.au/blog/index.php/2011/12/you-really-dont-have-much-covered-at-all-do-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

