Apr 2nd, 2013 by Jesper Kråkhede
Sometimes you are just amazed at what is happening in the world of security. Almost everyone is aware that when you put a device on the internet it is scanned within a matter of minutes. A group of researchers wrote a paper about an experiment where they used unprotected devices on the internet as bots to scan other devices. With an aggressive approach they could scan the whole IPv4 internet in about an hour!
This means that the need for security scanners, to make sure you are protected, has increased a lot. As so many devices are published on the internet, vulnerabilities need to be found quickly. So get a tool and get ready for some patching, and don't forget to change the default login, ok?
Posted in Methodology
Mar 20th, 2013 by Jesper Kråkhede
ATMs are wonderful machines! You insert a plastic card and it returns your card and a bunch of money. As they today have touch-sensitive screens you could also access the internet and play games on them, as shown in this video. About two years ago I was involved in creating a PCI DSS compliant security architecture for a rather big ATM structure. Sadly Angry Birds was not part of that architecture. 😉
On a more serious note, the video points in a clear direction: without a security architecture, secure templates become a lot harder to create, and without those you are at the mercy of whoever is responsible for the security of the ATM. But at least you can throw a few angry birds in their direction. 😉
Posted in Security Architecture
Mar 20th, 2013 by Jesper Kråkhede
The average time to spot a breach is 210 days. That is a terribly high number, and the damage to an organisation is probably correspondingly large. A hacker having 210 days to walk around inside the digital vaults of any company surely opens up for tremendous losses of information and assets. One of the main reasons that admins don't identify a breach is logging. Some companies have complex log gathering systems that collect logs from all servers but still fail to identify a breach.
Why is that?
Most commonly this is due to two major reasons: no risk-analysis-based logging and a lack of secure coding practice.
Collecting all logs without knowing what to look for means that you spend a lot of time chasing red herrings while the hacker walks around undisturbed. Once in my career I penetrated a company, registered myself as a trusted visitor, took my laptop including my tools, walked to the CIO's office and said: ‘Let's see if the security staff are alert!’ I fired off a large scan and after a minute the CSO was on the phone more or less yelling: ‘We have a hacker in our network!’ The CIO calmly replied: ‘Yes, he breached us a week ago, printed a pass and is currently in my office making fun of you.’ Needless to say there were huge changes in how they approached security after that.
Lack of secure coding practices means that not only are you opening yourself up to direct attacks; you also have no clue what is happening inside your application, as nothing is logged.
One of the first rules of security is to know what is happening.
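As an added example (not code from the original post), here is a small Python detector showing what risk-analysis-based logging looks like in practice: the application emits a few structured security events, and the rules, thresholds and sensitive table name (all constructed here, as is the sample log) come from a prior decision about which assets and behaviours matter, so the analyst looks for those instead of sifting through everything.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of structured application events (JSON lines); not real data.
SAMPLE_LOG = """\
{"ts":"2013-03-20T02:11:03","event":"login_failed","user":"jdoe","src":"10.0.0.5"}
{"ts":"2013-03-20T02:11:09","event":"login_failed","user":"jdoe","src":"10.0.0.5"}
{"ts":"2013-03-20T02:11:15","event":"login_failed","user":"jdoe","src":"10.0.0.5"}
{"ts":"2013-03-20T02:11:22","event":"login_failed","user":"jdoe","src":"10.0.0.5"}
{"ts":"2013-03-20T02:11:30","event":"login_failed","user":"jdoe","src":"10.0.0.5"}
{"ts":"2013-03-20T02:13:10","event":"login_ok","user":"jdoe","src":"10.0.0.5"}
{"ts":"2013-03-20T02:14:00","event":"export","user":"jdoe","table":"patients","rows":250000}
{"ts":"2013-03-20T09:00:00","event":"login_ok","user":"alice","src":"10.0.0.7"}
{"ts":"2013-03-20T09:05:00","event":"export","user":"alice","table":"patients","rows":120}
"""

# Thresholds and the sensitive-table list come from the risk analysis; hypothetical here.
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(minutes=5)
SENSITIVE_TABLES, BULK_ROWS = {"patients"}, 10000

def parse(text):
    """Parse JSON lines into event dicts with a datetime 'ts', oldest first."""
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return (rule, user, ts) alerts for three risk-driven rules."""
    alerts = []
    recent_fail = defaultdict(deque)  # user -> timestamps of failures inside FAIL_WINDOW
    bursting = set()                  # users that hit FAIL_LIMIT and have not logged in since
    for e in events:
        u, ts = e["user"], e["ts"]
        if e["event"] == "login_failed":
            q = recent_fail[u]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_LIMIT:         # fire once when the limit is reached
                alerts.append(("login_failure_burst", u, ts))
                bursting.add(u)
        elif e["event"] == "login_ok" and u in bursting:
            alerts.append(("success_after_failure_burst", u, ts))  # possible compromise
            bursting.discard(u)
        elif e["event"] == "export" and e.get("table") in SENSITIVE_TABLES:
            if e.get("rows", 0) >= BULK_ROWS:
                alerts.append(("bulk_export_sensitive_table", u, ts))
    return alerts
```

On the sample log the three rules fire for jdoe only; alice's ordinary login and small export produce nothing, which is the point of deciding up front what is worth an alert.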
Posted in Methodology, Security Architecture
Feb 21st, 2013 by Jesper Kråkhede
During my life as a security specialist I have encountered several situations, each trickier than the last. One of those is security competence, or to be more specific: how could a company keep their security staff?
The security market is rather immature and there is a big need everywhere for experienced personnel. As a hired CSO or CIO I have helped many companies to recruit staff just to see them leave one year later, not because they don't like the work but because they need more challenges. Happily, most companies rather seldom experience any attacks or incidents, which makes the standard work day rather dull. As a security consultant you see more and experience more, and after a while people tend to look for challenges outside the company walls.
One way to manage this is to have a mix of security consultants and own staff, where part of the consultants' work is to challenge the own staff with new problems, making the work a lot more interesting. Another method is to work closely with another company and let the staff rotate.
Keeping the staff happy is the prime concern in any service-based company.
Posted in Business
Feb 20th, 2013 by Jesper Kråkhede
One of the more common questions I get is whether their security is enough. In conjunction with that I get a perfectly matched risk analysis and a bunch of defined security mechanisms. Still, my answer quite often is: no, sadly it isn't.
It is quite easy to create good security for a single entity, but creating an overall working security strategy is something else. As many of you certainly know, security architecture is my gambit (yes, I used to be a rather good chess player when I was young). Sound security architecture will give you more than a nice view of your security landscape; it will give you some degree of control over where you have assets that need protection, where those assets normally move, and a dashboard of your current security situation.
The trick is, as always, to gather all those security islands you have in your environment and get them to work as part of a bigger machine. The first step is to identify them, the second to eliminate or replace them, and the third to move everything together into an easy administration system.
Sounds easy enough?
Well, add Jericho 2.0 on top of this, sprinkle with a global market and a mobile workforce, and you have a bigger, but solvable, challenge.
Posted in Security Architecture
Jan 29th, 2013 by Jesper Kråkhede
I found a Swedish article today regarding how easy it is to put someone into personal bankruptcy in Sweden. As you may know Sweden is an open country where information is easy to find. To file an application for personal bankruptcy the only thing you need is to personally deliver a birth certificate to the court and file the application. There is no need for any type of ID card. As you probably understand, the consequences are quite devastating for the affected individual. The birth certificate is very easy to order from the Tax Agency, and then you only need access to the victim's mailbox and you are set to wreak havoc.
So the problem here is twofold: first, that you don't need to show ID with this type of application, and second, the trust placed in a mailbox, as I have written about before.
Taking a step back we see a clash between a new electronic society, where acts of terror against the individual are common, and the old paper-based society, where you trusted a person's signature. You could as well apply Jericho 2.0 principles here and look at authentication at the perimeter. Are you authenticated for life at birth with your birth certificate, or do you need to re-authenticate every time you want access to information?
Posted in Business, Security Architecture
Jan 28th, 2013 by Jesper Kråkhede
It may come as a bit of a shock to you, but the internet is hostile! Yes, just put an unprotected server out there and it will be scanned within minutes and hacked quite soon afterwards. Still, this did not stop Barracuda Networks from including unprotected backdoors in their hardware. Using the account ‘product’ it was possible to log on to any appliance as long as you were within a specific IP range. Sadly, not all of those IPs are owned by Barracuda Networks, giving third parties the ability to log in to all appliances that are accessible on the internet. Add the risk of IP spoofing and you are in a world of pain. Barracuda Networks currently recommends that all customers update the Security Definitions or disable remote support. Still, my recommendation would be to question the security services from Barracuda Networks. If they think a specific IP range is a good security mechanism they lack basic security skills.
Posted in Security Architecture
Jan 15th, 2013 by Jesper Kråkhede
There is an interesting story going around the news in Sweden today. A train was stolen by a young janitor. She drove it rather fast into a house. No one was hurt and now the security routines are to be updated. It puts a finger right on a rather important spot in the field of security: why would anyone attack us?
Who in Sweden would ever come up with the idea of stealing a train? There is no way you could get away with it; you can't sell it, take it home or use it in any other way. So why would anyone attack you? I'm rather certain that this train theft will show that she either was under the influence of drugs or that it is just a case of joyriding that went terribly wrong, and here is also the reason why you could be attacked: you exist and have something that could be attacked just because it exists. It is so easy to download a hacking kit and start running scripts, and if you don't use secure coding, patch management etc. you could become a target for a script kiddie just as the janitor stole the train. Most attacks are the effect of a random encounter on the web, yet the attack could be as devastating as smashing a train into a house!
—EDIT—
Just recently the investigation showed that the janitor had accidentally started the train because several security mechanisms had been bypassed. Still, the original story is interesting even if in this case it was an accident.
Posted in Methodology
Dec 31st, 2012 by Jesper Kråkhede
Just two months ago I pointed out that ransomware will be a bigger threat in the year to come. Quite soon afterwards a minor medical clinic was hit with ransomware that encrypted their patient database. The hackers demanded only $4 000 for the password. A fairly low sum, but one that would most probably trigger a pay-out, instead of demanding a larger sum that would trigger the clinic to try to break the encryption instead. With many small organisations' less than adequate security we will most definitely see a greater number of such incidents in the year to come.
Posted in Business
Dec 8th, 2012 by Jesper Kråkhede
For South Carolina's Department of Revenue it is at least worth far more than the $100 000 they wanted to pay for a CISO. The position was vacant for 11 months, and during that time they were breached, for a total cost of $12 000 000. That would be the CISO's salary for 10 years, or at least 5 years if they paid wages comparable to the private sector. One thing noted in the article is that the cost to mitigate the breach problem would have been only $25 000.
It is fairly common that a risk analysis is not conducted, and because of that there is no cost per incident calculated. With this in mind it is fairly obvious that it is hard for any manager to justify the cost of security personnel and investments in tools to keep hackers at bay.
I'm not a big fan of large security investments in the first place; sadly there are so many that don't understand what security they need and make investments that are just a waste of time and money. One example I have is a client that was in the starting blocks for a 100 MSEK IAM investment. After consulting me, since the CISO thought the cost was a bit too high, we calculated that with the same security level the investment could be brought down to 35 MSEK instead. After two years the follow-up showed that the result had been 37 MSEK. That's 63 MSEK to spend on other improvements instead. Economically sound security! 🙂
Posted in Business, Security Architecture