
I conduct several risk and vulnerability analyses every month. One part of the deliverables I produce is a calculation of the financial impact in case of a breach. This is always a challenge, but quite often I manage to arrive at a fairly good figure. The hidden costs of a breach are usually more of a challenge. One such hidden cost is the loss of productivity in the affected unit. Sometimes it is as simple as the IT department needing to work overtime, but in a system-down situation where your ERP is encrypted, has to be recovered from a backup, and all work done since the latest backup has to be redone, the loss is considerably heavier.

I seldom work with brand damage, as it is hard to measure in the first place and depends entirely on how you handle communication with the public. It is a lot easier to start calculating the cost of losing a system, since a breach needs to be investigated and that will result in downtime.

If you have ever been out pentesting you have probably encountered 'Don't test our ERP! It is too critical for us.' Where is the flaw in that logic?

Looking at growing ERPs like Microsoft Dynamics AX, they have a standard security model that fulfils most standard security needs. But let's say you are a growing company with some very bright ideas. As ERPs tend to incorporate more and more, your whole business model may be lost in a breach. How about losing not only your full customer database but also your partner database, research, loans and so on?

Yes, it is partly about technology like encryption and access control, but it is far more about understanding what information you put in and what can be taken out. Let's take a small hypothetical example. You are a highly ethical company designing clothes, and the designs are sent to Pakistan for manufacturing. You visit the plants every three months and conduct interviews to check whether they fulfil your ethical demands. In a few cases you find that they are employing underage girls in production, so you mark 'using child labour' in your questionnaire and they get three months to resolve the situation.

A week after you enter the information you have a breach: someone has accessed your ERP and found your questionnaires. They sell the information to the press, and for the following days you spend all your time minimising the damage instead of focusing on what is good for your business. Information is powerful, so make sure you understand how to protect it.

If you think that internet fraud, hacking and so forth have gone down because Anonymous has been crippled and the NSA has 100% control of who does what on the internet, you need to think again.

To commit cybercrime you need a computer, internet access and a set of tools. In short, anyone could start committing crime, and with proxies or anonymisers, a lack of logging and other investigative tools, and a shortage of low-cost, fast investigators, we are bound to have a few hundred million wannabe hackers wreaking havoc everywhere.

It is quite interesting to read the summary of the research from PwC that shows that cybercrime is on the rise.

What does this mean? When cybercrime tools become a commodity you can download for a few bucks, those with the lowest security baseline, who are a bit slow to patch or configure, will fall prey to one-dollar cybercrime. Which will you be?

Is there any company of size that hasn't got an ERP system (Enterprise Resource Planning) today? During my many years working in security I have seen and participated in many analyses, checks, tests, investigations and whatnot, and in many cases we were instructed not to touch the ERP. It was far too mission-critical for them. That is a HUGE indicator that security is not taken seriously. But it gets worse!

I suppose you have read about the encrypted medical databases in Australia? With the move to ERP in many companies, and with the integration of many systems into the ERP, a simple restore of the database is often not even possible: every integrated system would be out of step with the restored data.

Add those up and you suddenly have a volatile situation. You have a mission-critical system that you are not allowed to secure. If that is not an invitation for a criminal to break in and encrypt your database for ransom, it is at least a save-the-date for a later event.

Security architecture is sometimes just a number of words glued together with some pictures, or, to be more explicit, the power of security architecture lies in the visualisation of fully defined words.

Some words that commonly need both definition and explanation are: Threat, Vulnerability and Risk.

Threat:
1. An expression of an intention to inflict pain, injury, evil, or punishment.
2. An indication of impending danger or harm.
3. One that is regarded as a possible danger; a menace.

Vulnerability:
1. Susceptible to physical or emotional injury.
2. Susceptible to attack
3. Open to censure or criticism; assailable.

Risk:
1. The possibility of suffering harm or loss; danger.
2. A factor, thing, element, or course involving uncertain danger; a hazard.

Sadly, it is very common that these words are used interchangeably, leading to misunderstandings and therefore mistakes.

In short, a threat arises when someone or something could, intentionally or unintentionally, harm you. A vulnerability means that a threat has a chance of succeeding in inflicting harm. Calculating that chance is calculating the risk. A risk depends on both an identified threat and a vulnerability; if there is a threat but no vulnerability there is no risk.

Consequently, a vulnerability analysis and a risk analysis are two different things. Finding vulnerabilities is not the same as calculating the likelihood of them being exploited and the impact if they are. The latter is a risk analysis.

Have you got it straight now? 🙂
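To make the distinction concrete, here is a small quantitative model, added as an example and not from the original post. It prices the scenario described earlier, an ERP encrypted and restored from backup (revenue lost while down, idle staff, rework of everything entered since the last backup, IT overtime), and then computes an annualised risk only where a threat actually meets a vulnerability on the system. All figures, system names and vulnerability tags are constructed for illustration.

```python
"""Breach impact and risk calculation for an ERP outage (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class System:
    """A business system and the figures needed to price an outage.

    All figures are constructed for this example; they are not from the post.
    """
    name: str
    hourly_revenue_loss: float   # revenue lost per hour the system is down
    users: int                   # staff whose work stops when it is down
    hourly_staff_cost: float     # fully loaded cost of one user-hour
    backup_interval_h: float     # hours between backups; work at risk
    restore_time_h: float        # hours to restore and verify from backup
    vulnerabilities: List[str] = field(default_factory=list)


def single_loss_expectancy(s: System, it_overtime_h: float,
                           it_hourly_rate: float) -> Dict[str, float]:
    """Cost of one 'ERP encrypted, restore from backup' event, itemised.

    The visible cost is revenue lost while down. The hidden costs the text
    describes are staff standing idle during the restore, re-entering every
    transaction made since the last backup (worst case: a full backup
    interval), and IT overtime.
    """
    items = {
        "downtime_revenue": s.hourly_revenue_loss * s.restore_time_h,
        "idle_staff": s.users * s.hourly_staff_cost * s.restore_time_h,
        "rework_since_backup": s.users * s.hourly_staff_cost * s.backup_interval_h,
        "it_overtime": it_overtime_h * it_hourly_rate,
    }
    items["total"] = sum(items.values())
    return items


def annualised_risk(s: System, threat: str, events_per_year: float,
                    exploits: Dict[str, Set[str]], sle: float) -> float:
    """Risk = likelihood x impact, but only where a threat meets a vulnerability.

    `exploits` maps a threat to the vulnerability tags it needs. A threat that
    finds none of them on the system yields no risk: a threat without a
    vulnerability is not a risk.
    """
    needed = exploits.get(threat, set())
    if not needed & set(s.vulnerabilities):
        return 0.0
    return events_per_year * sle


# Constructed scenario: the same ERP, backed up daily and unpatched,
# versus backed up hourly and patched.
ERP_DAILY = System("erp-daily", 5000, 200, 50, backup_interval_h=24,
                   restore_time_h=8, vulnerabilities=["unpatched-rce"])
ERP_HOURLY = System("erp-hourly", 5000, 200, 50, backup_interval_h=1,
                    restore_time_h=8, vulnerabilities=[])
EXPLOITS = {"ransomware": {"unpatched-rce", "exposed-rdp"}}

if __name__ == "__main__":
    for system in (ERP_DAILY, ERP_HOURLY):
        sle = single_loss_expectancy(system, it_overtime_h=16, it_hourly_rate=100)
        ale = annualised_risk(system, "ransomware", 0.5, EXPLOITS, sle["total"])
        print(system.name, {k: int(v) for k, v in sle.items()}, "ALE:", int(ale))
```

Run as a script and the daily-backup ERP shows the rework of a day's transactions costing six times the visible downtime revenue, which is the hidden cost the first paragraph warns about; the hourly-backup, patched ERP has a far smaller single-loss figure and, having no vulnerability the ransomware threat can use, an annualised risk of zero.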

One of the good things about growing up is that you are now and then allowed to visit a pharmacy and get prescription drugs... or should that be considered a bad thing? In any case, I noticed that the username and password for the computer were posted on a note on the screen (the same username and password, by the way). I also noted that when the clerk needed to authorise an action on the screen she leant forward and let a barcode scanner read a barcode she had on a card. Being the person I am, I silently waited for her to finalise my order and in the meantime played with my phone... or, more precisely, struggled to get a good picture of the barcode. I managed to do that, and when she was done I innocently asked how secure the system was if anyone wanted to get into it and view the information. She bragged a bit about the security measures their department had taken to ensure the security of the system. I nodded and showed her the pictures I had taken of both the username/password and the barcode. "Could we just test it, just for fun?", I asked. She just nodded and, as expected, the barcode logged me into the system. I deleted the pictures, of course, but it shows that security systems once regarded as safe are rendered unsafe by the evolution of new technology.

Having been a diver for a few years, I tend to take my own personal security quite seriously. Out of air at 20 m is not a pleasant experience, I've heard. One of the things I enjoy doing when diving is taking photos. This summer I bought a new underwater housing for my compact camera, and as I take the security of my possessions seriously as well, I decided to take the housing for a test run without the camera, just to make sure it didn't leak. Any diver more experienced than me can stop laughing now. Of course it all went wrong! No, it didn't leak, but instead of having slightly negative buoyancy it was distinctly positive, making it hit me in the face, get in the way and all in all making the dive a terrible experience.

So, what did I do wrong? I didn't take the weight of the camera into account, making the test, even if successful, a bad experience. Did my test succeed? Yes and no. The test as defined in my test case was successful, but my confidence in the product became much lower.

When implementing security services you implement a safeguard that you need to trust. Whenever you test things first, make sure to include as much of the real operating conditions as possible, so that confidence in the product survives the test.

Not being an expert in the inner details of SCADA systems, I still encounter them in different assignments. As many know, SCADA systems are certified to carry out a specific task with a specific configuration that you seldom or never may change. This makes protecting SCADA a tough job, as the ordinary changes, such as patching, cannot be carried out. Most of the time, however, the SCADA systems are not publicly or internally accessible, and the problem is far less severe. Still, we humans are lazy: why walk out to a computer when we could connect to it remotely? And so the problems start to multiply.

Is it possible to create a security architecture that can manage this in a connected, mobile world? I will have to say yes. Not in the sense that you will manage your SCADA system from your mobile device, but at least you will be able to manage it remotely.

The cornerstones of a sound security architecture for SCADA systems are compartmentalisation, dual authentication at borders, administrators' access only and frequent upgrades (where possible).
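The first three cornerstones can be written down as rules a border device or access broker enforces. The following is an added example, not from the original post or any real SCADA product: it encodes a zone model in which the control zone is reachable only from a jump zone, every zone crossing requires a second factor, and only the administrator role is accepted into the control zone, then evaluates a handful of constructed connection requests against it. Zone names, roles and the sample requests are assumptions made for the example.

```python
"""Zone policy for remote access to a SCADA network (added example).

Translates the cornerstones listed in the text into rules that can be
enforced at each border and evaluates connection requests against them.
Zone names, roles and sample requests are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

ZONES = ("internet", "corporate", "jump", "control")

# Compartmentalisation: the only permitted zone crossings. The control zone
# is reachable solely from the jump zone; nothing is reachable from the internet.
ALLOWED_PATHS = {("corporate", "jump"), ("jump", "control")}

# Dual authentication at borders: every permitted crossing needs a second factor.
DUAL_AUTH_BORDERS = set(ALLOWED_PATHS)

# Administrators' access only: the roles the control zone accepts.
CONTROL_ROLES = {"admin"}


@dataclass(frozen=True)
class Request:
    user: str
    role: str             # "admin" or "user" (constructed roles)
    src_zone: str
    dst_zone: str
    second_factor: bool   # session presented a second factor at the border


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are ordered so the first failing
    cornerstone is the one reported."""
    if req.src_zone not in ZONES or req.dst_zone not in ZONES:
        return False, "unknown zone"
    if req.src_zone == req.dst_zone:
        return True, "intra-zone traffic"
    path = (req.src_zone, req.dst_zone)
    if path not in ALLOWED_PATHS:
        return False, f"no path {req.src_zone}->{req.dst_zone}"
    if path in DUAL_AUTH_BORDERS and not req.second_factor:
        return False, "second factor required at border"
    if req.dst_zone == "control" and req.role not in CONTROL_ROLES:
        return False, "control zone is administrators only"
    return True, "allowed"


def audit(requests: List[Request]) -> List[Tuple[Request, bool, str]]:
    """Evaluate a batch of requests, keeping each request with its verdict."""
    return [(r, *evaluate(r)) for r in requests]


# Constructed requests: the lazy shortcut (corporate desk straight to the
# controller) and the phone on the internet are denied; the two-hop route
# through the jump host, with a second factor and an admin role, is allowed.
SAMPLE = [
    Request("eng1", "admin", "corporate", "control", True),
    Request("eng1", "admin", "internet", "jump", True),
    Request("eng1", "admin", "corporate", "jump", True),
    Request("eng1", "admin", "jump", "control", False),
    Request("op7", "user", "jump", "control", True),
    Request("eng1", "admin", "jump", "control", True),
]

if __name__ == "__main__":
    for req, ok, why in audit(SAMPLE):
        print("ALLOW" if ok else "DENY ", req.user, req.src_zone, "->", req.dst_zone, ":", why)
```

The fourth cornerstone, frequent upgrades, is a process rather than an access rule and is deliberately not modelled here. The order of the checks matters in practice: a request is refused for the missing path before its credentials are even examined, so an attacker on the wrong segment learns nothing about which authentication the border would have accepted.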

Everyone who has been around this industry for some time has Melissa and Love Letter fresh in mind. How many similar outbreaks have you had in the last few years? I expect you to say none. Does this mean there is no malware running around anymore? Of course not. There is even more today than there used to be. But the goal of malware today is no longer a widespread infection; it is to get hold of vital information or to kidnap your infrastructure for others to use.

During my last four years in the business I have encountered a large botnet running in a large financial institution (they had the ultimate security, they thought); I identified a large-scale espionage operation in the manufacturing business where the intruders had full access to the research department; and I traced the source of a performance problem to a large-scale DDoS directed at my client.

Threats today are sneakier in nature and are aimed at companies that have either something to steal (money or inventions) or something to kidnap (databases). This means you need to update your risk list and actually allow yourself to be seen as a target. Following You³: you exist and are therefore a target; you have something in common with a group and are therefore a target; or you are you and are therefore a target. Identifying which kind of target you are will help you determine the protection you need, and if you have something unique or something hard to copy without the drawings, you are surely a prime target.

A lot of public and financial services in Sweden use e-identities for authentication of users. In a Swedish newspaper today there was an article (in Swedish) about a new way of committing fraud using this. In short, fraudsters have managed to acquire an e-identity by applying for a bank account, possibly using a false ID. After getting the account they have waited at their victim's home, grabbed the mail from the unlocked mailbox after the postman had been, obtained all the information needed to create an e-identity (e.g. BankID) and applied for loans in the victim's name.

The article sadly focuses on the wrong vulnerabilities. There are two major vulnerabilities here: the bank's (possible) lack of identification of the customer, or at least less stringent identification; and one as old as the post office: your unlocked and unmonitored mailbox. A lot of the fraud currently going on in Sweden depends on this specific vulnerability.

How should you mitigate this? Get a lockable mailbox, or have your mail sent to the post office for later collection. Very easy, and it saves you a lot of hassle!
