Showing posts from January, 2012

Interview Series - Jo Stewart-Rattray VP of ISACA

As part of the Infosec Professional interview series, we are lucky enough to have grabbed some time with Jo Stewart-Rattray, Director of Information Security at RSM Bird Cameron and International Vice President of the Information Systems Audit & Control Association.

Ed: Hi Jo and thank you for agreeing to the interview.  How has information security changed in the last 3 years (perceptions, threats, protection etc.)?
Jo:  Information security is ever evolving; however, the last three years have seen an acceleration in the speed of events. There have been a greater number of attacks, in some cases on iconic brands. The rise of social media has given organisations new internal issues to consider, together with the move to the cloud and the potential jurisdictional issues that come with such a move.

Ed: What do you think are the main threats facing organisations in 2012?
Jo: Use of cloud providers, and indeed other providers, without proper due diligence and without appropriate service lev…

Truth About Insider Threats

The 'insider' is the dude in the office.  He (or she) probably works in IT and looks and acts like a regular employee.  They are, however, probably a bigger risk to the organisation's corporate information than a hacker on the public internet.

An insider is generally seen as a trusted user of the network.  They have legitimate accounts and access on the corporate LAN to access, copy, modify and delete data without issue.  So why are they a threat?  We can define threat to be the potential exploitation of a vulnerability.  The vulnerability in this case could be the trust, means and motive of an employee to perform a potentially malicious act against the organisation's data and infrastructure.  The motive and intent part is optional to an extent, as a malicious act may not necessarily be intentional, but could simply be the result of error or ignorance, for example the opening of a malware link.

Intent
Intent is a complex issue to discuss.  I think in the narrow sense they may be …

Successful Privileged Account Management

Privileged Account Management is a major concern to large organisations trying to control the ever-growing threat of the insider.  Privileged accounts generally relate to super user accounts such as root on Unix, or Administrator within Windows, as well as service accounts and accounts used for account administration tasks.  These elevated users have greater object access, including the ability to circumvent audit and accounting processes.

The Risks
The biggest risk associated with PAM is that these accounts are often built into the underlying infrastructure, created at installation time.  The non-practical option is often to disable as many of the high permission accounts as possible without impacting service.  The second biggest risk with privileged accounts is that many are used programmatically, hard-coded into scripts and code.  This can make finding the password a lot easier.  These accounts will often have permissions covering account CRUD activities, audit configuration and other meta-data r…

Increased Connectivity - The Good, Bad & Ugly

Connectivity is on the rise by all accounts.  Interoperability is where it's at.  Languages, protocols, operating systems, identities, on-line profiles, devices, smart-phones, tablets, you name it: if connectivity isn't a feature, it's not getting a look in.

If you look at pre-internet times (yes, hard I know), device and data interconnectivity was seen as an important use case, but only implementable if deemed absolutely necessary.  As tooling and applications now allow data passage with a few clicks, the network of connected devices becomes enormous.

Whilst this brings many end user benefits it can also bring with it management issues, data loss prevention concerns and data proliferation where perhaps it shouldn't.

Increased Connectivity is Great Right?
The main area of increase recently has been the rise of the smart-phone.  Devices that now contain powerful processors, large portable micro-card storage and run operating systems with the same level of complexity of a d…

Virtualisation - More or Less Secure?

"Everything is virtual, nothing is real!"  Sounds like a songwriter's lambast against modern day society.  It's not.  Virtualisation in a computing sense has been around a while and is here to stay.  From the virtualisation of physical machines, applications and network infrastructure, being virtual seems like an IT manager's idea of heaven: less physical kit = less power = less cash = everyone's happy, right?  Maybe...

Virtualisation at the server level is probably the most popular deployment.  By this I refer to the likes of VMware or Microsoft Hyper-V, which create a hypervisor that sits on the physical tin and basically splices, isolates and distributes the physical components into virtual mini-machines.  These mini-machines can be individual servers running a plethora of different operating systems all using the same underlying physical machine. Neat eh?  Provisioning and de-provisioning a new server takes seconds.  Fault tolerance across applications, servers an…

No-Tech Hacking - Identifying Unprotected Assets

When you think of hacking or start looking at ethical hacking and counter measures, the focus is on the highly technical.  Encryption hacking.  Packet sniffing and session hijacking.  Web site hacking.  SQL  injection and so on.  All require a fair bit of basic infrastructure, networking and coding experience.

Whilst there are many off-the-shelf tools, utils and scripts that make the hacker's (and ethical hacker's) job easier, being non-technical is a huge hindrance.

However, as a security manager or engineer, protecting information and IT assets shouldn't just be about the cool tech.  It should also be about the "no-tech".  By "no-tech", I'm simply referring to areas of information protection that require basic process, training and awareness.

For example, servers should only run the services they are designed for and each server should have a modular cohesive function associated with it.  This is pretty standard config management by removing the complexi…

The Rise of Social Engineering

Defence in Depth.  Rings of Security.  Multi-layered protection.  All well known terms when it comes to protecting information assets.  Information can generally be accessed in two ways:  via a network or straight from the disk.  Organisations pay great attention to policies and controls that help protect information both in transit and in situ.  Take a basic network example:

- Company has a firewall configured separating public and private network traffic
- An Intrusion Detection System is also present to detect traffic anomalies
- RADIUS access is managed using two-factor authentication, with tokens
- Within the private network, VLANs are configured to separate logical business areas
- Physical wired patching is managed and restricted using MAC address tables
- Wireless Access Points have obfuscated SSIDs and complex passwords, with enhanced 256 bit encryption
- Physical machines are managed by group policy with regular patching, local firewalls and anti-virus configured
- Access to local machines…

Take Your Head Out the Sand - (You WILL be Hacked Eventually)

Do it now please.  Stop ignoring the fact.  Stop living with your head in the sand, the 'it won't happen to us' syndrome.  It will.  Sooner rather than later your corporate network, your information assets, your company Intellectual Property, the brand that has taken half a century to create and protect, they (or, if you're lucky, only one of them) will be hacked in the future.  The likelihood of it not happening is actually quite small, so you might as well start preparing for when the attack will happen and develop a plan for an effective response and recovery.

2011 saw the terms cyberwars, APT and malware command and control all become pretty much household terms.  Organisations with any sort of web-based presence (how many don't?) continually went through vulnerability scanning exercises, patching roll-outs and IDS testing in an attempt to provide external auditors, board members and shareholders with some sort of assurance that the IS teams were in control o…