
Now and then I enjoy reading war stories, especially when they have a more personal touch. I'm no cryptologist, so understanding the math behind breaking a cipher is not my cup of tea, but when they point out a flaw I laugh as much as everyone else.

This is a rather fun description of how the Bitcrypt malware's crypto turned out to be flawed and breakable, to the relief of a father who had all the photos of his kid encrypted.

Just a short post this time. Are you interested in exploit kits and not sure which one to get? Take a look at this page and find out... or just stay informed on the patches you need in order to mitigate them.

You may have heard the term 'targeted attacks'. This is simply an attack that has pinpointed a specific company or person as a target, and most probably uses APT techniques to get to it. Intellectual property has been a prime target for years, but during the last year national disputes, diplomatic espionage and full-blown military conflict have popped up. This means that, besides those organisations needing to stay secure, the tools used to attack those targets will eventually trickle down into more standard attacks, giving the attacker the upper hand. In the end this means that not investing enough in security will wear you down and start costing you money in recovery costs or, worse, cost you your company. A more detailed report is here.

'Follow the money' is a very useful phrase when working with financial institutions. It's a rather common misperception that there is money everywhere in a bank. Most of the data that flows is different kinds of confirmation or personal data that is not connected to the highly regulated transaction flows. At one end of the money flow sit the ATMs. The networks nowadays are highly controlled, and it is a struggle to gain control of a trojan you have managed to install on an ATM. So how do you manage that, then? You of course use a credit card.
A specially crafted credit card lets you open up the management window and do whatever you need to do with the trojan, like looking at statistics, deleting logs etc. Some interesting pictures and a story on how it works can be read here.

I have returned to the problem of not testing the business systems during a pen-test. 'They are way too critical for us to take the risk of a test. Besides, they are way too complex for a hacker to understand.' When has that ever stopped a hacker?

During an architectural review a few years back I showed that a security setup with zones was faulty. They had put the servers in one zone and the clients in another. The thinking was that the servers contained all the critical data and that the client could only access the server after logging on to it. I described how I, with a trojan, could get full access to their SAP system, register myself as a valid consultant and thereby get full access to all their buildings.

Interestingly enough, it took quite a few hours of explaining before they understood that with a client you could access the server, and that it wasn't about sorting through a database and trying to insert the right data into it, but about using the standard flow in their SAP installation.

Funnily enough, trojans have started to appear that target SAP.

I have worked with incident investigations for many years and have developed a skill for estimating the cost of a breach with quite some accuracy. One of the hardest things to pinpoint is how many customers would actually at least think of taking their patronage somewhere else. This report puts figures on the possible loss. Taking all figures into account, you could expect that somewhere around 35% of your customers in the consumer market would think of actually switching to a competitor.

This means that after a breach customer loyalty pays off, and whatever you do you must take action to make sure you won't lose your customers.

Remember the days of Melissa and Love Letter? When you were breached it was very visible and very clear to everyone in the office. Those days are long gone. Nowadays you may not even know that you have a breach, and the only way to find it is to use different surveillance tools to find anomalies in your traffic or in the users' behaviour. At Dark Reading I found an interesting article with the top 15 indicators of a breach. While not all indicators are possible to implement for a small business, some are certainly easy to implement or easy to purchase as a surveillance service.

Unusual outbound traffic may be a first indicator that something is leaving your network. Large files going outbound via FTP or in HTTPS traffic may indicate that something is not right. If your company's normal network traffic consists of small files leaving via email, large transfers like these mean you may have a problem. Getting a surveillance service up and running may be a good investment if you lack other types of security or if you haven't got the resources for a full-blown security department with 24/7 monitoring of network traffic.

I have always been a great advocate of context-based sign-in, and with the proper monitoring and tools you could easily find out when someone is behaving out of the ordinary. If you were to monitor my behaviour, it would be typically normal for me to log on at 3 AM but very seldom at 6 PM. So if I were to log on at that time, either something out-of-bounds has happened or someone is doing something with my account, especially if the login came from a country I haven't been in before.

Unexpected patching is another interesting indicator. Patching is good, patching often is better, patching out-of-bounds is worst. Even if you have short patching cycles, patching should not occur without your knowledge. A surveillance application that logs system changes is a very useful tool here.
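The three indicators above (large outbound transfers, logons outside a user's normal hours and countries, and patches with no change record behind them) as toy detection logic run over constructed log records. This is an added example, not code from the original post or the Dark Reading article; the event field names, the baseline, the approved-change list and the size threshold are all assumptions.

```python
# Constructed sample events (not real logs); field names are assumptions made
# for this example. One record type per indicator discussed above.
EVENTS = [
    {"type": "login", "user": "alice", "hour": 3, "country": "SE"},
    {"type": "login", "user": "alice", "hour": 18, "country": "BR"},
    {"type": "flow", "proto": "https", "dir": "out", "bytes": 900_000_000, "dst": "203.0.113.7"},
    {"type": "flow", "proto": "smtp", "dir": "out", "bytes": 60_000, "dst": "mail.example.net"},
    {"type": "patch", "host": "srv01", "pkg": "openssl", "change": "CHG-42"},
    {"type": "patch", "host": "srv02", "pkg": "kernel", "change": None},
]

# Constructed baseline of what "normal" looks like (a real deployment learns it from history):
# alice works nights from Sweden, and CHG-42 is the only approved change ticket this window.
BASELINE = {"alice": {"hours": {2, 3, 4}, "countries": {"SE"}}}
APPROVED_CHANGES = {"CHG-42"}
OUTBOUND_LIMIT = 100_000_000  # bytes per flow; tune to your own traffic norm


def unusual_outbound(events, limit=OUTBOUND_LIMIT):
    """Indicator 1: large outbound FTP/HTTPS transfers above the site norm."""
    return [f"large outbound {e['proto']} to {e['dst']}: {e['bytes']} bytes"
            for e in events
            if e["type"] == "flow" and e["dir"] == "out"
            and e["proto"] in ("ftp", "https") and e["bytes"] > limit]


def anomalous_logins(events, baseline=BASELINE):
    """Indicator 2: context-based sign-in; logon hour or country outside baseline."""
    alerts = []
    for e in events:
        if e["type"] != "login":
            continue
        # An unknown user has an empty baseline, so every logon is flagged.
        norm = baseline.get(e["user"], {"hours": set(), "countries": set()})
        reasons = []
        if e["hour"] not in norm["hours"]:
            reasons.append(f"hour {e['hour']}")
        if e["country"] not in norm["countries"]:
            reasons.append(f"country {e['country']}")
        if reasons:
            alerts.append(f"{e['user']} logon outside baseline: " + ", ".join(reasons))
    return alerts


def unexpected_patches(events, approved=APPROVED_CHANGES):
    """Indicator 3: a system change with no approved change record behind it."""
    return [f"unplanned patch of {e['pkg']} on {e['host']}"
            for e in events if e["type"] == "patch" and e["change"] not in approved]


def run_checks(events=EVENTS):
    """Run all three indicators and return the combined alert list."""
    return unusual_outbound(events) + anomalous_logins(events) + unexpected_patches(events)
```

On the sample data, `run_checks()` returns one alert per indicator: the 900 MB HTTPS flow, alice's 6 PM logon from a new country, and the kernel patch on srv02 with no change ticket.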

Get your security services up and running today and you'll be a lot safer!

When I dig down into the bits and tin (yes, I still do that on a regular basis, as I strongly believe that you can't be a good security architect without knowing both processes and technology as well as is humanly possible), one thing my clients often lack is an in-case-of-a-breach document (INCOAB doc for short). What is this? It is mainly a collection of information regarding what may possibly have been lost given access to the system. It is not only a list of information objects and their possible value, but is also broken down by the different access levels that may have been reached, from read access to a database to full system access.

This document makes it far easier to select the appropriate level of action: to minimize downtime, or to blow the whistle and close all systems until the breach is handled.

What on earth is an AML security architecture? I sometimes get the question of how you create a security architecture for AML (Anti-Money Laundering), and I'll try to answer it here.

A loose definition is that AML is a set of regulations dictating that you have to make sure your financial institution does not take part in laundering money from criminal acts, transfer money to terrorist organisations or in general get involved in transferring money for criminal use.

So what does an AML security architecture look like? First of all, it is quite complex and not easily described in a short text, but to start with it involves HR, IT and the executive board, together with the compliance, audit and reporting functions.

It all starts with a thorough risk analysis where exposure and threats are identified, together with the possible actors and the markets your institution operates in. Special care is taken to identify the specific risks in your services and products, in particular where large sums of cash are deposited and where there is a lower need for identification. All places where a lesser degree of identification is required need to be investigated specifically.

From there you quantify the risks and make customer risk ratings based on the clients' geography, business structure, sources of funds, business types, products utilised and other identified risk factors.

Having concluded the risk analysis, you identify the current security mechanisms in both technology and processes. You break up the risks into micro-risks that could be mitigated with conceptual security mechanisms. Taking the business process into account, you insert the mechanisms where needed to mitigate the identified risks. This leads to a security architecture implementation program, or in this case an AML program.

Sitting in a local coffee shop discussing security architecture with a client is sometimes hilarious and sometimes very intriguing. Today I had two meetings regarding possible assignments for creating a security architecture. Both my clients are well aware of what a security architecture is and what you need to do to create one, but in one of the cases their management has no clue at all. In my first meeting we discussed how to create a security architecture to manage both their PCI DSS and legal requirements. During our meeting his CEO called and told him that he had found a free product that scans the whole network and produces a view of all systems and security mechanisms. If you give it full administrative access, they even have a free service for managing the systems.

Do I need to say that we both did a unison face palm and redrew our project to include a risk analysis and education for top management?

My other meeting was a lot more intriguing, as the management is far more involved. Not only did they understand that we needed to conduct a risk analysis to get an understanding of the risks we need to mitigate, they also understood the connection to BCM and client satisfaction. In the end I was asked to propose a security architecture project to make their outsourcing services PCI DSS compliant and 'secure by default'. Most important is why the management formulated this assignment: because they saw a clear cost-cutting possibility in streamlining security services and at the same time minimising the cost of downtime caused by unaligned security changes.
