'Follow the money' is a very useful phrase when working with financial institutions. It's a rather common misconception that there is money everywhere in a bank. Most of the data that flows is confirmation or personal data of various kinds that is not connected to the highly regulated transaction flows. At one end of the money flow sit the ATMs. The networks nowadays are highly controlled, and it is a struggle to get control of a trojan you managed to install on an ATM. So how do you manage that? You use a credit card, of course.
A specially crafted credit card lets you open up the management window and do whatever you need to do with the Trojan, like looking at statistics, deleting logs etc. Some interesting pictures and a story of how it works can be read here.

I have returned to the problem of not testing the business systems during a pen-test. 'They are way too critical for us to take the risk of a test. Besides, they are way too complex for a hacker to understand.' When has that ever stopped a hacker?

During an architectural review a few years back I showed that a security setup with zones was faulty. They had put the servers in one zone and the clients in another. The reasoning was that the servers contained all the critical data and that the client could only access the server after logging on to it. I described how I, with a trojan, could get full access to their SAP system, register myself as a valid consultant, and thereby be given full access to all their buildings.

Interestingly enough, it took quite a few hours of explaining before they understood that with a client you could access the server, and that it wasn't about sorting through a database and trying to insert the right data into it, but about using the standard flow in their SAP installation.

Funnily enough, Trojans have started to appear that target SAP.

I have worked with incident investigations for many years and have developed the skill to estimate the cost of a breach with quite some accuracy. One of the hardest things to pinpoint is how many customers would actually at least consider taking their patronage somewhere else. This report puts figures on the possible loss. Taking all the figures together, you could expect that somewhere around 35% of our customers in the consumer market would consider actually switching to a competitor.

This means that after a breach customer loyalty pays off, and whatever you do you must take action to make sure you won't lose your customers.

Remember the days of Melissa and Love Letter? When you were breached it was very visible and very clear to everyone in the office. Those days are long gone. Nowadays you may not even know that you have a breach, and the only way to find it is to use different surveillance tools to find anomalies in your traffic or in the users' behaviour. At Dark Reading I found an interesting article with the 15 top indicators of a breach. While not all indicators are possible to implement for a small business, some are certainly easy to implement or easy to purchase as a surveillance service.

Unusual outbound traffic may be a first indicator that something is leaving your network. Large files going outbound in FTP or in HTTPS traffic may indicate that something is not right. If your company's normal network traffic consists of small files leaving via email, large outbound transfers mean you may have a problem. Getting a surveillance service up and running may be a good investment if you lack other types of security, or if you haven't got the resources for a full-blown security department with 24/7 monitoring of network traffic.

I have always been a great advocate of context-based sign-in, and with the proper monitoring and tools you can easily find out when someone is behaving out of the ordinary. If you were to monitor my behaviour, it would be perfectly normal for me to log on at 3 AM but very seldom at 6 PM. So if I were to log on at that time, either something out of the ordinary has happened or someone is doing something with my account, especially if the login came from a country I have never been in before.

Unexpected patching is another interesting indicator. Patching is good, patching often is better, patching out of bounds is worst. Even though you should have short patching cycles, patching should not occur without your knowledge. A surveillance application that logs system changes is a very useful tool here.
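The three indicators discussed above (unusual outbound traffic, logins outside a user's normal context, and patching that nobody scheduled) can be checked with very little code once the events are in a log. The example below is added here and is not from the Dark Reading article or the original post; the log format, the 100 MB threshold, the "wsus" name for the approved patch service and the per-user baseline built from three historic logins are all constructed assumptions.

```python
"""Check a constructed event log for three breach indicators:
out-of-context logins, bulk outbound transfers and unexpected patching."""
from collections import defaultdict
from datetime import datetime

# Constructed history (not real traffic): the user's normal logins, from Sweden at night.
HISTORY_LOG = """\
2013-10-01T03:10:00Z login user=alice src_country=SE
2013-10-02T02:55:00Z login user=alice src_country=SE
2013-10-03T03:20:00Z login user=alice src_country=SE
"""

# Constructed events for the day under investigation.
TODAY_LOG = """\
2013-10-04T18:02:00Z login user=alice src_country=RU
2013-10-04T18:05:00Z transfer user=alice proto=https bytes=734003200 dst=198.51.100.7
2013-10-04T09:00:00Z transfer user=anna proto=smtp bytes=20480 dst=203.0.113.9
2013-10-04T18:30:00Z patch host=erp01 pkg=libssl initiated_by=unknown
2013-10-05T22:00:00Z patch host=erp01 pkg=kernel initiated_by=wsus
"""

OUTBOUND_LIMIT_BYTES = 100 * 1024 * 1024   # assumed threshold: 100 MB in one transfer
BULK_PROTOCOLS = {"ftp", "https"}          # the protocols the text singles out
APPROVED_PATCHERS = {"wsus"}               # assumed name of the managed patch service


def parse_events(text):
    """Turn 'timestamp kind key=value ...' lines into dicts (constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def login_baseline(events):
    """Per-user set of login hours and source countries seen in the history."""
    hours, countries = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["kind"] == "login":
            hours[ev["user"]].add(ev["ts"].hour)
            countries[ev["user"]].add(ev["src_country"])
    return hours, countries


def _near_hour(hour, baseline_hours):
    # Within one hour of any baseline hour, wrapping around midnight.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in baseline_hours)


def find_indicators(history_text, today_text):
    """Return (indicator, subject, detail) tuples for today's suspicious events."""
    hours, countries = login_baseline(parse_events(history_text))
    alerts = []
    for ev in parse_events(today_text):
        if ev["kind"] == "login":
            user, reasons = ev["user"], []
            # A user with no history at all is treated as out of context too.
            if not _near_hour(ev["ts"].hour, hours.get(user, ())):
                reasons.append("hour %d outside baseline" % ev["ts"].hour)
            if ev["src_country"] not in countries.get(user, set()):
                reasons.append("new country %s" % ev["src_country"])
            if reasons:
                alerts.append(("context-login", user, "; ".join(reasons)))
        elif ev["kind"] == "transfer":
            if ev["proto"] in BULK_PROTOCOLS and int(ev["bytes"]) > OUTBOUND_LIMIT_BYTES:
                alerts.append(("outbound-volume", ev["user"],
                               "%s bytes via %s to %s" % (ev["bytes"], ev["proto"], ev["dst"])))
        elif ev["kind"] == "patch":
            if ev["initiated_by"] not in APPROVED_PATCHERS:
                alerts.append(("unexpected-patch", ev["host"],
                               "%s installed by %s" % (ev["pkg"], ev["initiated_by"])))
    return alerts


if __name__ == "__main__":
    for indicator, subject, detail in find_indicators(HISTORY_LOG, TODAY_LOG):
        print("%-16s %-8s %s" % (indicator, subject, detail))
```

The 6 PM login from a new country, the 700 MB HTTPS upload and the unapproved libssl patch each produce one alert; the small SMTP transfer and the patch pushed by the approved service do not. The baseline here is three logins; in a real deployment it would be learned over weeks and the thresholds tuned to the company's own traffic.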

Get your security services up and running today and you'll be a lot safer!

When I dig down into the bits and tin (yes, I still do that on a regular basis, as I strongly believe that you can't be a good security architect without knowing both processes and technology as well as is humanly possible), one thing my clients often lack is an in-case-of-a-breach document (INCOAB doc for short). What is this? It is mainly a collection of information about what may possibly have been lost given access to the system. It is not only a list of information objects and their possible value, but is also organised by the different access levels that may have been reached, from read access to a database up to full system access.

This document makes it far easier to select the appropriate level of action: minimise downtime, or blow the whistle and close all systems until the breach is handled.
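To make the INCOAB idea concrete, here is an added example (mine, not from the original post) of such a document kept in machine-readable form for one hypothetical system, together with the lookup the text describes: given the access level an intruder reached, list what may have been lost and pick a level of action. The system name, the information objects, the per-record values, the ordered access levels and the action ladder are all constructed assumptions.

```python
"""An in-case-of-a-breach (INCOAB) document for a hypothetical system, and the
lookup from 'access level reached' to 'what may be lost' and 'what to do'."""

# Access levels in increasing order of reach; everything readable at a lower
# level is considered reached as well.
ACCESS_LEVELS = ["none", "db-read", "db-write", "app-admin", "system"]

# Constructed INCOAB entries for a hypothetical system "crm-prod".
# 'exposed_at' is the lowest access level at which the object is readable;
# 'unit_value' is an assumed cost per record (notification, re-issue, fines).
INCOAB_CRM = {
    "system": "crm-prod",
    "objects": [
        {"name": "order history", "exposed_at": "db-read",
         "records": 450_000, "unit_value": 0.1, "regulated": False},
        {"name": "customer contact data", "exposed_at": "db-write",
         "records": 120_000, "unit_value": 1.5, "regulated": True},
        {"name": "pricing agreements", "exposed_at": "app-admin",
         "records": 300, "unit_value": 200.0, "regulated": False},
        {"name": "integration service credentials", "exposed_at": "app-admin",
         "records": 12, "unit_value": 5_000.0, "regulated": False},
        {"name": "TLS private keys", "exposed_at": "system",
         "records": 2, "unit_value": 25_000.0, "regulated": False},
    ],
}

# Assumed action ladder threshold: estimated loss above this isolates the system.
ISOLATE_VALUE = 50_000.0


def _rank(level):
    if level not in ACCESS_LEVELS:
        raise ValueError("unknown access level: %r" % level)
    return ACCESS_LEVELS.index(level)


def exposure(doc, reached_level):
    """Objects that may have been lost at the reached level, the summed
    estimated value, and whether regulated data is among them."""
    reached = _rank(reached_level)
    exposed = [o for o in doc["objects"] if _rank(o["exposed_at"]) <= reached]
    return {
        "system": doc["system"],
        "reached": reached_level,
        "objects": [o["name"] for o in exposed],
        "estimated_value": sum(o["records"] * o["unit_value"] for o in exposed),
        "regulated": any(o["regulated"] for o in exposed),
    }


def recommended_action(doc, reached_level):
    """Pick a level of action (assumed ladder): none, monitor, isolate, shutdown."""
    e = exposure(doc, reached_level)
    if reached_level == "system":
        return "shutdown"      # full control reached: assume everything is lost
    if e["regulated"] or e["estimated_value"] >= ISOLATE_VALUE:
        return "isolate"       # contain the system, preserve evidence, notify
    if e["objects"]:
        return "monitor"       # limited loss: keep running, watch closely
    return "none"


if __name__ == "__main__":
    for level in ACCESS_LEVELS:
        e = exposure(INCOAB_CRM, level)
        print("%-9s action=%-8s value=%10.0f objects=%s"
              % (level, recommended_action(INCOAB_CRM, level), e["estimated_value"], e["objects"]))
```

The document is written once, in calm conditions, by people who know the system; during an incident the responder only needs the access level that the evidence supports and gets the candidate loss list and the action level back, instead of reconstructing both under pressure.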

What on earth is AML security architecture? I sometimes get the question of how you create a security architecture for AML (Anti-Money Laundering), and I'll try to answer it here.

A loose definition is that AML is a set of regulations dictating that you have to make sure your financial institution does not take part in laundering money from criminal acts, transfer money to terrorist organisations or, in general, get involved in transferring money for criminal use.

So what does an AML security architecture look like? First of all, it is quite complex and not easily described in a short text, but to start with it involves HR, IT and the executive board together with the compliance, audit and reporting functions.

It all starts with a thorough risk analysis where exposure and threats are identified together with the possible actors and the markets your institution operates in. Special care is taken to identify the specific risks in your services and products, in particular where large sums of cash are deposited and where there is a lower need for identification. All places where a lesser degree of identification is required need to be investigated specifically.

From there you quantify the risks and make customer risk ratings based on the client's geography, business structure, sources of funds, business type, products utilised and other identified risk factors.

Having concluded the risk analysis, you identify the current security mechanisms in both technology and processes. You break the risks up into micro-risks that can be mitigated with conceptual security mechanisms. Taking the business process into account, you insert the mechanisms where needed to mitigate the identified risks. This leads to a security architecture implementation programme, or in this case an AML programme.
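The middle of that procedure, turning the risk factors into a customer risk rating and then inserting mechanisms according to the rating, is where a worked example helps. The code below is an added illustration, not the post's own method nor any regulator's model: the country lists, factor weights, score bands, the override rule and the control mapping are all constructed placeholders that a real AML programme would take from its own risk analysis and the applicable lists.

```python
"""Customer risk rating from the factors named in the text (geography, business
structure, source of funds, business type, products), plus the conceptual
mechanisms inserted for each rating. All lists and weights are assumptions."""

# Assumed geography bands (placeholder codes, not any official list).
HIGH_RISK_COUNTRIES = {"XX", "YY"}
MEDIUM_RISK_COUNTRIES = {"ZZ"}

# Assumed weight per identified risk factor; the sum is the quantified risk.
WEIGHTS = {
    "geography": {"high": 40, "medium": 20, "low": 0},
    "structure": {"shell": 30, "complex": 15, "simple": 0},
    "source_of_funds": {"unverified": 25, "verified": 0},
    "business_type": {"cash-intensive": 20, "regulated": 5, "other": 10},
    "product": {"cash-deposit": 15, "international-wire": 10, "correspondent": 20,
                "salary-account": 0, "mortgage": 2},
}

# Conceptual security mechanisms inserted per rating (assumed mapping).
CONTROLS = {
    "low":    {"due_diligence": "standard", "review_months": 36, "cash_alert_threshold": 10_000},
    "medium": {"due_diligence": "standard", "review_months": 12, "cash_alert_threshold": 5_000},
    "high":   {"due_diligence": "enhanced", "review_months": 6, "cash_alert_threshold": 1_000,
               "sign_off": "compliance-officer"},
}


def geography_band(country):
    if country in HIGH_RISK_COUNTRIES:
        return "high"
    if country in MEDIUM_RISK_COUNTRIES:
        return "medium"
    return "low"


def risk_score(customer):
    """Quantify the customer's risk factors into a single score."""
    score = WEIGHTS["geography"][geography_band(customer["country"])]
    score += WEIGHTS["structure"][customer["structure"]]
    score += WEIGHTS["source_of_funds"][customer["source_of_funds"]]
    score += WEIGHTS["business_type"][customer["business_type"]]
    score += sum(WEIGHTS["product"][p] for p in customer["products"])
    return score


def risk_rating(customer):
    """Score bands plus one override: unverified funds combined with cash
    handling is always rated high, whatever the score (assumed rule, mirroring
    the text's point about cash and weak identification)."""
    handles_cash = (customer["business_type"] == "cash-intensive"
                    or "cash-deposit" in customer["products"])
    if customer["source_of_funds"] == "unverified" and handles_cash:
        return "high"
    score = risk_score(customer)
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def controls_for(customer):
    """The mechanisms to insert into the onboarding and monitoring process."""
    return dict(CONTROLS[risk_rating(customer)])


# Constructed sample customers.
SALARIED = {"country": "SE", "structure": "simple", "source_of_funds": "verified",
            "business_type": "other", "products": ["salary-account", "mortgage"]}
IMPORTER = {"country": "ZZ", "structure": "complex", "source_of_funds": "verified",
            "business_type": "other", "products": ["international-wire"]}
CAR_WASH = {"country": "SE", "structure": "simple", "source_of_funds": "unverified",
            "business_type": "cash-intensive", "products": ["salary-account"]}

if __name__ == "__main__":
    for name, c in [("salaried", SALARIED), ("importer", IMPORTER), ("car wash", CAR_WASH)]:
        print("%-9s score=%3d rating=%-6s controls=%s" % (name, risk_score(c), risk_rating(c), controls_for(c)))
```

The override is the interesting part: the car wash scores only 45, which the bands alone would call medium, but unverified funds together with cash handling is exactly the combination the risk analysis singled out, so the rating and the mechanisms that follow (enhanced due diligence, a low cash alert threshold, compliance sign-off) are applied regardless of the arithmetic.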

Sitting at a local coffee shop discussing security architecture with a client is sometimes hilarious and sometimes very intriguing. Today I had two meetings regarding possible assignments for creating a security architecture. Both my clients are well aware of what security architecture is and what you need to do to create one, but in one of the cases their management has no clue at all. In my first meeting we discussed how to create a security architecture to manage both their PCI DSS and legal requirements. During our meeting his CEO called and told him that he had found a free product that scans the whole network and produces a view of all systems and security mechanisms. If you give it full administrative access they even have a free service for managing the systems.

Do I need to say that we both did a unison face palm and redrew our project to include a risk analysis and education for top management?

My other meeting was a lot more intriguing, as the management is far more involved. Not only did they understand that we needed to conduct a risk analysis to get an understanding of the risks we need to mitigate, they also understood the connection to BCM and client satisfaction. In the end I was asked to propose a security architecture project to make their outsourcing services PCI DSS compliant and 'secure by default'. Most important is why the management formulated the assignment this way: because they saw a clear cost-cutting possibility in streamlining security services and, at the same time, minimising the cost of downtime caused by unaligned security changes.

As you may have noticed, you can't register as a new user on my blog. This is due to a large wave of spam attacks. I hope this will end in a few weeks so that I can open up for automatic registration again. Until then, please drop a mail to crowmoor a t crowmoor dot se and I'll make sure to register you.

All those with a smart phone, raise your hands! I'm one of them, and I thought I had a rather good grasp of smart phone security, the do's and don'ts etc., but apparently I was mistaken. Did you know there is a second operating system running on your smart phone that has a large number of bugs and vulnerabilities, little to no patch management, and was written during the 90s when security was 'optional'?

I just read an article where the second OS is outlined along with a number of ways to exploit it. It is not for the ordinary hacker, but setting up a fraudulent base station is possible, and with that they have total control of your smart phone.

So when you investigated your smart phone security you thought you were covered once you had installed anti-malware, encrypted your files and used HTTPS for web browsing or fetching your mail. Everything was covered, and suddenly... a new threat emerges that has been there since the 90s and that no one ever told you about.

Is this something to worry about? All risks are worth worrying about, but as long as you are not communicating trade secrets, proposals, issues of national security or other things that could interest someone else, you are home free. But it sure brings trust into the equation. You trust the phone developer to produce a secure phone, or at least to patch it to an acceptable level, but do you demand the same from your base station supplier? When you create the Trusted Computing Base, take real care to include those whom your trustees trust.

If you are the proud owner of a D-Link, your best bet today is to hide in a dark place in shame. At least if you trusted D-Link to make a solid and secure product that is also cheap to purchase. Reading the link, it is pretty obvious that D-Link wanted to provide simple auto-update functionality for its customers but sadly failed miserably. With the external management interface enabled you have left your D-Link totally open to external control due to Joel's backdoor.

So, in order to create a low-cost product, D-Link has obviously cut down on security testing. This sadly goes for most of IT: if it is cheap, chances are that there are a number of security vulnerabilities and bugs.