Infocrime Summit 2012 - London Keynote Review

This week saw the Spring Infocrime Summit at the Thistle Marble Arch in London. With a wide range of speakers and some fantastic Spring sunshine, it was a great two-day event.

With the last event only in November, it was good to see a range of varied speakers and industry representatives give their opinions on a range of information security issues.

Jim Griffiths from Yodel gave an interesting presentation referring to the curse of ‘Security Theatre’ often being applied by many organisations. The term was initially coined by information security leader Bruce Schneier, when referring to security countermeasures that don’t actually reduce the threat per se, but simply increase the feeling of being secure. In today’s complex threat landscape, and with many organisations facing a finite security budget, it can often be a short-term solution to a long-term threat.

Jamie Cowper of Veracode spent some time discussing the often overlooked aspect of third-party library usage and open source application management. Whilst many development programmes – both internal and external – reference open source libraries from a range of languages, many organisations overlook the fact that these libraries often contain numerous vulnerabilities that need identifying, managing and ultimately remediating.

Well-renowned speaker Neira Jones, Head of Payment Security at Barclaycard, spent time referencing the recently published Verizon Data Breach Investigations Report. With 855 incidents covering 174 million compromised records, 2011 was a busy year. Whilst BYOD has become a popular focus, it was startling to note that 94% of all compromised data didn’t come from mobile devices or laptops, but via servers. Whilst ‘hacktivism’ was seemingly a large cause for concern, many hacktivist or external attacks rely heavily on pre-existing user accounts often held by trusted employees.

Alan Cottom from Stonesoft introduced the newer concept of AET – Advanced Evasion Techniques. Not to be confused with APT – Advanced Persistent Threat – AET is more focused on the transport and conduit method a threat will use in order to infiltrate the private network. AETs are becoming more advanced as they attempt to circumvent latest-generation firewalls, IDS and IPS systems to deliver a threatening payload on to the trusted network, with great emphasis on perimeter threat reduction and analysis.

David Shore from Pfizer gave a fascinating insight into the world of fake prescription drug manufacture and how Pfizer are leveraging new approaches to identify and track suppliers of fake goods, as well as educating the entire supply chain on how to avoid potential counterfeits. Dave Evans from the UK Information Commissioner's Office provided an update on some of the recent changes to the DPA and how organisations are implementing ways to protect the privacy of personally held information.

Overall it was a great summit, with some interesting talks and great client networking. It seems that whilst 2011 was the year of the hacktivist and external cyber criminal, many organisations simply want better intelligence when it comes to threat management from both an internal and external perspective, reducing the noise whilst being able to focus ever-reducing resources on the areas of highest risk.

(Simon Moffatt)

Are You Going to the 'Security Theatre'?

'Security Theatre' was a term coined by Bruce Schneier in his book Beyond Fear and basically describes a situation where a security countermeasure offers little or no protection from a real threat, but is simply applied in order to increase the feeling of being secure.

The term has generally been applied to many of the counter-terrorism scenarios we now face during our daily lives. Examples include the sight of armed guards at airports (when really they're carrying unloaded guns) or the stop-and-search mentality of police forces (when in fact very few people are charged as a result).

However, this approach is often being used by organisations in an attempt to secure corporate information assets. Take for example the Sarbanes-Oxley Act of 2002, which saw many financial services organisations hurriedly implement new teams to manage the access review and control processes for their SOX 'critical' application estate. Budgets became skewed, and if any project or programme had a SOX-related requirement, it was certainly handled with a lot more haste and attention than one without. Whilst SOX is a US federal law, there is a stringent requirement to comply, or else face the consequences.

SOX, ten years on, has generally been merged into the 'business as usual' approach to information security, with the requirements wrapped up in the operational and risk management catalogue. Whilst finite budget is spent on one aspect of information security, it can't be spent twice and is therefore unavailable for other emerging threats, legacy risks and other general BAU activities.

Whilst SOX was the 'buzz' of, say, 8-10 years ago, 2012 will probably be focused on BYOD, cyberthreat, APT and 'hacktivism'. Whilst each in its own right is a credible threat, affecting each organisation in a different way, an information security policy cannot secure against every potential new or emerging threat simultaneously. The cost would be prohibitive.

This can often leave information security departments in a situation where they are propelled to develop a countermeasure of some level, in order to either satisfy internal board level pressure or simply look as if they're acting in a controlled and responsible manner.

The theatrical countermeasures could simply be procedural changes, but they are often highly visible in order to represent an increased 'feeling' of security. For example: all intranet connections must use an HTTPS connection, perhaps with a self-minted certificate. It 'looks' secure. End users who are unaware of the complexities of IT and information security see the padlock within their browser and make a connection with the thought of security. The process is in effect potentially fruitless if, for example, the web server is not hardened, or shared passwords are being used to access or maintain it. But the required result is the 'feeling' of being secure.

IT and information security departments are often seen as a cost centre to the organisation - they cost money but don't generate revenue. Whilst this is a short-term and inaccurate view, many small and medium-sized organisations are often constrained by this approach.

Whilst 'security theatre' can at times have the desired effect, a true information security approach must be based on a continually changing risk framework for the organisation, to help identify where the true threats and vulnerabilities lie. This can then help align countermeasures that are not only cost effective, but truly help improve information asset protection and not just act as the sometimes welcomed 'placebo effect'.

(Simon Moffatt)

Cash The Real Cyber Driver

2011 saw a marked increase in the number of external web-based cyber attacks. Whilst the likes of WikiLeaks and Anonymous were driven mainly by ideals rather than cash, I believe the main driver for complex command-and-control cyber attacks is indeed monetary.

As consumerisation becomes internet driven and everything from smartphones to fridges and home appliances becomes connected, the attack surface for a malicious user becomes larger. There are more things to aim at, and quite possibly they are less well protected. As more people get switched on to decent-speed broadband, more shopping, banking and general data transfer will occur online.

Add to this the general enterprise and SCADA-style attacks that have continued to develop in sophistication over the last 15 years, and the cyber criminal has a multitude of angles to attack from.

Aside from the hacktivism claims of recent months, the main driver for the cyber criminal is cash. Whilst low-level, benign phishing attacks are now reasonably easy to spot and avoid, even for the occasional internet user, advanced command-and-control style attacks will become less easy to spot, prevent and avoid.

Organised crime is just that - highly organised. This can lead to attacks that are sophisticated, operating at various different levels of the food chain, from hardware (think smartphones) and social engineering (fraud, deception) through to malicious software planted, installed and distributed on to users' machines, often originating from multiple proxied sources spread across many different control centres. Not only does the increased level of sophistication make attacks more difficult to track and identify, it also increases the potential rewards for the criminals behind them.

As users and organisations become increasingly dependent on the internet and the continually connected landscape to perform their jobs and partake in general everyday activities, I believe cyber attacks for a direct monetary reward will increase.

Today it is quite common for your landline to be rung by an auto-dialer which is basically performing a reverse-the-charges call. Unless the tell-tale second of dial tone before the dialer connects to a real person is noticed, the result is a charge for the person being called.

This basic style of attack is now quite common in many smartphone apps, which result in the mobile device either sending an SMS or dialling out to a foreign location, resulting in a monetary transfer unknown to the victim.

As the rewards become higher, the sophistication of online monetary driven attacks will increase, with iterative development and continual morphing and enhancement.

(Simon Moffatt)

Would You Pay For Privacy?

The protection of personal information is an important aspect of anybody's life. Most people have a feeling of their 'personal space' when they're in a crowded public place such as the metro or a bar, and like to create an invisible barrier between themselves and others.

This personal space is often extended to the non-physical aspects of our lives too, such as our contact information. Many telephone directories give the option to be 'ex-directory', with screening options also available. Electoral roll information can also be masked, removing the opportunity for sales and marketing spam to be aimed at individuals.

Most of these claims for additional privacy are not uncommon and are accepted as a standard way of protecting the personal attributes of an individual.

Today, most personal information about an individual can be gained online from doing some basic searches. Certainly things like name, address and telephone number will be pretty widely available after a few minutes of search engine interrogation. Depending on how much of an online presence an individual has, additional details such as education history, current employer, email address, date of birth and even partner/spouse details could also be found, mainly due to the sharing nature of social networking.

In the last two years there have been numerous privacy rows surrounding the likes of Google and Facebook as they continually change the small print surrounding what they can (and will) do with your personal information. Is it a right that by default personal information will be kept private, or at least that there are options for you to keep it private?

If you're signing up for any new service, you generally have the opportunity to view the privacy agreement and the general terms and conditions of use.  These agreements will generally describe in pretty granular detail what will happen to any personal data.

Should privacy be 'turned on' by default and 'turned off' by selection, and is the right to protect your own personal information an implicit right? Perhaps focusing on social networking is unfair, as by its nature social networking is about information sharing. The second point when discussing privacy regarding social networking is that, in general, social networking sites are free, or at least offer a freemium model, such as LinkedIn. If the levels of privacy configuration are not in agreement with your own model, you can simply stop using the service, right?

It would be interesting to see whether offering a paid-for service alters the perception of privacy and risk. If, for example, a service implicitly guarantees privacy of information but has a cost associated with it, would that alter users' demand for greater privacy? Is there a cost associated with protecting your information?

A slightly unrelated example is to look at the anti-virus market. It's worth several billion dollars annually, with specific products for laptops, servers, smartphones and so on. In this context, people are willing to pay substantial amounts of cash to protect their devices and, implicitly, their information.

It will be interesting to see, in the coming years, as information proliferation and 'big data' become omnipresent and digital culture keeps us permanently connected to the internet, whether specific privacy protection is a viable requirement for many people and whether they're prepared to pay a price for it.

(Simon Moffatt)

Interview Series - David Emm Snr Researcher at Kaspersky Lab

The next instalment in the interview series sees a great interview with David Emm, Senior Security Researcher at Kaspersky Lab.

Ed:  Hi David, thanks for your time today with Infosec Professional.  How has information security changed in the last three years?
David:  I believe there have been several key changes.

First, the traditional ‘work place’ is disappearing. So the task of securing data has become harder for businesses, as staff increasingly conduct business ‘on the go’: at home, at the airport, in the hotel – or anywhere else they can get a wireless signal. It’s not so much that the traditional network perimeter has disappeared. Rather it has become fragmented – and moves around as employees do. This has increased the points of exposure to malware and hackers. Second, we’re seeing a related development – the growing use of smartphones at work. IT departments now have to manage a heterogeneous mix of endpoint devices. This problem is compounded because many people use the same smartphone for business and personal use. So loss of data may be bad news not just for an individual, but for the business too.

The nature of the threat from malware is changing too. For the last eight years, the threat landscape has been dominated by speculative attacks designed to steal financial data that gives access to victims’ bank accounts. During the last two years we’ve seen a growing amount of targeted attacks. Cybercriminals are selecting a specific target and are focusing on compromising this victim – to steal corporate information, to discredit an organisation or to make a political point. Paradoxically, in tandem with this targeting, we’ve seen a trend towards ‘steal everything’, not just bank data. Cybercriminals are trawling through the vast amount of data individuals post online and are sifting through it for information that can help them set up a targeted attack on a business or other organisation.

The growing volume and sophistication of threats in the last few years means that it’s no longer viable to rely solely on signature-based defences. Kaspersky Lab processes more than 70,000 unique malware samples daily. This onslaught can be dealt with effectively only by using a blend of proactive technologies – including heuristics, sandboxing, whitelisting, behavioural analysis and cloud-based systems that can respond to new threats in real-time.

Ed: What do you think are the main threats facing organisations in 2012?
David:  I don’t believe the speculative attacks outlined above will disappear any time soon. They represent the low-hanging fruit for cyber-criminals – like the activities of pickpockets in city centres around the world. However, it’s clear that, in relative terms, the weight of targeted attacks is growing. And the well-publicised attacks of the last 12 months or so have demonstrated that no organisation – or type of organisation – is immune to attack. For eight years illegal profits have dominated the scene. But it’s abundantly clear that cyber-crime now has a variety of motives. This should hardly be a surprise, given that the Internet is simply a reflection of life in general. And the more that we do online, the bigger the target for all types of cyber-criminal.

Ed:  Are organizations ready to deal with those threats and what can they do to protect themselves?
David:  In a general sense, security remains the same. The starting-point for securing any system is to consider the potential risks and develop a strategy for mitigating those risks.  But for a security policy to be effective it must be measurable and must be reviewed regularly to ensure that it is still fit for purpose. With regard to the trends outlined above, there are clearly two distinct areas of security. The first is to secure corporate systems from outside attack – to prevent intrusions, Denial of Service attacks, misuse of systems, etc. The second is to secure the data held on the system. Given today’s working practices, this can only mean ‘follow-me’ security, i.e. protecting the data held on all endpoints, including mobile devices. After all, it’s one thing for an intruder to break in, but you also need to ensure that if this happens, they don’t escape with valuable data [e.g. third-party data, customer passwords, etc.]. This means not just defending against malware, but encrypting data and securing against data leakage from the inside.

I think one thing that is sadly often neglected is the human factor in security. Social engineering or manipulating of human behaviour is the starting-point for most attacks. So it’s essential to put in place a security education programme designed to foster a security mindset among staff. It’s not about *training* marketers, sales people, etc. to become security professionals. Rather it’s about helping them to realise the potential dangers to themselves and the organisation. Unfortunately, where such education exists, it’s often placed in the hands of security personnel [the obvious choice, of course], whereas we need to also engage HR, marketing and legal teams.

Ed:  Mobile phone use is increasing and smart phones are becoming more sophisticated – virtually mobile laptops in your pocket. Will we see mobiles becoming the main anti-virus attack vector and what can businesses and individuals do to protect their mobile data?
David:  It will take some time for mobile phones to become as big a target as desktop and laptop computers. Right now the volume of malware aimed at smart-phones is a trickle compared to the torrent of malware targeting people who use Windows. However, it’s growing fast – already there exist more than 9,000 mobile malware modifications. Mobile malware has been around for several years now. However, it’s only in the last 18 months that it has become a serious tool in the hands of cybercriminals. There are several reasons for this.

  1. The use of smart-phones has increased.
  2. Internet access from a smartphone is cheaper than ever before.
  3. They now hold valuable personal data, e.g. bank data, social network logins, etc.
  4. The same devices are often used at work too, so they also hold corporate data.

We see a mix of mobile malware. This includes SMS Trojans that silently send messages to premium-rate, or international numbers. It also includes banking Trojans and Trojans that steal social network logins and other data. However, the problem of data loss, from lost or stolen devices, is also important.

Part of the problem is perception. While smartphones are really powerful computers, they are perceived by most people as *phones*. This isn’t surprising. After all, historically this is what they were. And we still refer to them as phones, albeit using the prefix ‘smart’. As a result, it’s not immediately apparent that there’s a security dimension to using a smartphone, unlike traditional computers.

It’s important that we all make use of security apps to protect the ‘computer in your pocket’. This includes anti-malware protection, but also encryption, blocking of unwanted numbers and remote wiping of lost/stolen devices.

For businesses specifically, the key problem lies in managing security on smart-phones alongside other endpoint devices used in the enterprise. This feature should be considered a key component when evaluating security solutions for corporate smart-phones.

Ed:  If you were a newly appointed CISO in a large corporation, what would be the first item you would want to complete ASAP?

David:  That’s a difficult question, since the security of any organisation really needs to be looked at as a whole. However, going back to something I discussed above, I think I would want to review the organisation’s approach to its human assets. The focus of IT security is, understandably, on securing computer systems and digital assets. Consider, for example, the attention paid to applying security patches to software. However, given the attention paid by cybercriminals to exploiting human vulnerabilities, I believe we ignore our human resources at our peril. ‘Patching’ humans is much less straightforward than patching computer systems [though even this can be a serious challenge]. But it’s essential. There are several aspects to address. First, remember that we’re dealing with humans. They learn in different ways, respond to different stimuli, etc. So a ‘binary’ approach may not work – we should consider all the techniques we use to engage with customers when dealing with staff. Second, there’s no quick fix. It’s an ongoing process and, like creosote on a garden fence, it must be re-applied to be effective. Third, we’re much more likely to succeed, and get staff buy-in to corporate security, if we tap into people’s self-interest.

Ed:  Thanks David, for some fantastic explanations and insights into some complex questions.

RSA 2012 San Francisco - Keynote Review

So this week has seen the RSA Conference bandwagon roll into San Francisco, with some interesting keynotes and also the perhaps surprising inclusion of Tony Blair, as the token non-techy heavyweight making a few remarks on the closing Friday.

Looking at the main keynotes, the main underlying theme seems to have been one of connectedness and an ever-changing threat landscape. Is this connectivity good or bad? Social networking and BYOD obviously play a part in that changing landscape, but the internal supply chain's interconnectedness has changed rapidly too, causing issues around things like federation and cross-pollution of data and access.

Art Coviello (EVP at RSA) delivered a pretty standard talk focusing on trust in an inter-connected world. Paraphrasing Mick Jagger with "you can't always get what you want", he commented that while the internet is trustworthy 'enough', it is natural to see increased attacks on resources and services that become more popular. Information is the digital currency in 2012 and the internet is the bedrock for all we do. From shopping and health care to food ordering and professional services, the internet has a hand in it all. A key mention again was the concept of 'intelligence', by focusing on layered horizontal security solutions as opposed to siloed point fixes.

Enrique Salem (CEO Symantec) gave a much-commented-on and interesting talk on the 'digital native'. The 'digital native' can generally be described as someone born in the late 80s / early 90s (generation Z) and is known for digital multitasking, or to phrase it as Salem did, running with 'continuous partial attention'. The focus on being always connected is not new, but the native doesn't generally see themselves as being 'connected' to anything at all. Instead, the internet is omnipresent, with all devices, services and information flow being continually on, with the consumer in the centre. Not being connected is akin to someone losing their wallet or house keys, rendering them useless and unable to contribute. A big danger point is the blurring between the work and non-work landscape. This seemingly applies not only to things like data, email and the like, but also to the digital native's own personal identity, which is perhaps more subtle and dangerous.

Christopher Young (SVP Cisco) delivered a pretty textbook view, with network security the key to all threat management. In an unsurprising talk, he argued that corporate security policy doesn't map to the real-world demand for information and services, resulting in a much too restrictive work environment. These restrictions on work life often lead to security breaches, as employees look for more direct and efficient ways to manage and access information in order to perform their jobs. His argument for using the network as the main entry point to view, track and stop security threats was the expected line from a network vendor. Again the theme of 'intelligence' seemed to appear, getting more points as the buzz word of the conference.

Philippe Courtot (CEO Qualys) delivered a somewhat video-heavy talk (with lots of car videos!) with the view that current security approaches in 2012 are often disjointed. He argued that automation should be used more to help identify threats, and to track, scan and ultimately close vulnerabilities. He gave a good example of how many organisations are still using SSL 2.0 with its typically 'broken' components, first identified as being defective over 17 years ago. Using intelligence from their customer base helps identify newer threats and security trends in order to provide protection.
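The SSL 2.0 point above is a good candidate for the kind of automated triage Courtot argued for. The following is an added example written for this review, not code from the page, Qualys or any other vendor: it takes a constructed inventory of scan results (one host per line, followed by the protocol versions it offers; the format, hostnames and the policy that treats everything below TLS 1.2 as obsolete are all assumptions) and ranks the hosts that still offer obsolete SSL/TLS versions so the weakest are remediated first.

```python
# Added example: triage a constructed TLS scan inventory for obsolete protocols.
# Not from the page or any vendor tool; the inventory format and the policy
# below are assumptions made for the example.

# Protocol versions ordered from weakest to strongest (assumed ranking).
PROTOCOL_RANK = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # should never be offered
MODERN = {"TLSv1.2", "TLSv1.3"}                     # at least one must be offered

# Constructed sample scan output: "<host> <protocol> <protocol> ..." per line.
SAMPLE_SCAN = """\
www.example.test SSLv2 SSLv3 TLSv1 TLSv1.2
api.example.test TLSv1.2 TLSv1.3
legacy.example.test SSLv2 TLSv1
mail.example.test TLSv1.3
"""


def parse_scan(text):
    """Return {host: set(protocols)} from whitespace-separated scan lines.

    Unknown protocol names raise rather than being silently ignored, so a
    malformed scan cannot make a host look clean.
    """
    inventory = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        host, protocols = parts[0], set(parts[1:])
        unknown = protocols - set(PROTOCOL_RANK)
        if unknown:
            raise ValueError(f"{host}: unknown protocol(s) {sorted(unknown)}")
        inventory[host] = protocols
    return inventory


def weakest(protocols):
    """Weakest protocol in the set, by PROTOCOL_RANK order."""
    return min(protocols, key=PROTOCOL_RANK.index)


def triage(inventory):
    """Return findings as (host, weakest_offered, obsolete_offered, has_modern),
    sorted so the hosts offering the weakest protocol come first.

    A host is reported if it offers anything obsolete, or if it offers no
    modern version at all (disabling the old ones would then break it).
    """
    findings = []
    for host, protocols in inventory.items():
        obsolete = sorted(protocols & OBSOLETE, key=PROTOCOL_RANK.index)
        has_modern = bool(protocols & MODERN)
        if obsolete or not has_modern:
            findings.append((host, weakest(protocols), obsolete, has_modern))
    findings.sort(key=lambda f: (PROTOCOL_RANK.index(f[1]), f[0]))
    return findings


def report(text=SAMPLE_SCAN):
    """One remediation line per affected host, weakest first."""
    lines = []
    for host, weak, obsolete, has_modern in triage(parse_scan(text)):
        action = "disable " + ", ".join(obsolete) if obsolete else ""
        if not has_modern:
            action += ("; " if action else "") + "enable TLSv1.2 or TLSv1.3"
        lines.append(f"{host}: weakest={weak}; {action}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the constructed inventory, the report lists `legacy.example.test` and `www.example.test` and leaves the two hosts that only offer TLS 1.2/1.3 alone; the ordering puts a host that offers nothing modern ahead of one that merely still offers old versions alongside TLS 1.2, which is the order in which a change window should tackle them.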

Stuart McClure (CTO McAfee) gave an insightful view on 'securing the un-securable'. He noted the irony that things described as 'unbreakable' are generally the first things to be hacked. He described how 2011 saw the concept of 'why would we be hacked?' become redundant, with many organisations and industries being breached that were previously seen as safe havens. The engaging talk went on to frame threat management as a complex taxonomy of many different actors, targets and motivations. He proceeded with a great live demo (who does live demos these days?) showing the potential threat associated with wireless insulin distributors for diabetes sufferers. He reiterated the need for multi-layered protection at all levels, with a focus on white-listing.

An interesting talk by a guy I've heard about on the grapevine for some time was by Sal Khan of the Khan Foundation. The energetic Khan gave a thoroughly fascinating and inspirational talk on how the Khan Foundation (a free online educational resource programme driven by videos) went from a quick idea to help his family into a multi-million-hit site with backing from Google and the Bill Gates Foundation. A sharp and funny talk covered the evolution of the start-up and how innovation is the key to all things great, with collaboration being a major part of that.

(Maybe it's time to hit up the cross company collaboration and innovation to help solve a few of these major issues we face?)

Friday saw Hugh Thompson (Chief Security Strategist, People Security) host an interview session with two pretty interesting guests. If you can overcome Thompson's particularly unique presenting style, the talks with Dan Gardner and Dr Frank Luntz are pretty enlightening. The main theme was decision making, or more importantly influenced decision making, which is becoming more popular within the social networking and search engine spheres. Gardner focused on anchoring, which is often used to seed a thought process before an actual decision needs to be made. Basically, you end up being sub-consciously influenced by advertising or messaging prior to being exposed to the decision point.

Luntz (with his political commentary jokes) was interesting and provided some key insights into how words and spin can alter perceptions and likeability. From a political standpoint, he argued that successful politicians were often good communicators (Obama, Clinton, Blair etc.) with the ability to touch not only on the intellectual level, but on an emotional level too. He translated this approach to a general social engineering scenario, with successful attacks often focused on something personal, with a call to action often implicitly coming from something or someone you trust. From a security software perspective, he identified that good messaging was key to successful take-up. Software should be articulate in describing the consumer problem (the "I got it" scenario) and the negative outcome if the threat is not fixed. He warned that vendors shouldn't overstate the threat by treating it like 'Armageddon', but instead focus on how the vendor can 'protect' and give peace of mind, instead of just fixing a particular security issue.

From the general opinion, it seems many of the keynotes were not received with great enthusiasm by those expecting innovative or far-out views. This can probably be attributed to 2011 being a particularly unpredictable year, with many threats, hacks and vulnerabilities hitting organisations and institutions in a different way. 2012 is probably going to be the year of a safe pair of hands, whilst many vendors attempt to re-evaluate their offerings in the face of an ever-increasing and ultimately faster-evolving threat landscape.

(Simon Moffatt)