
Number exercise

I just reviewed a risk analysis conducted at one of my clients. One thing that struck me was that this must have been conducted by some accountant with security skills. The risk analysis is adequate and fulfils the goals set, but the analysis in itself is a number exercise way beyond the useful. Numbers upon numbers upon numbers, multiplied and multiplied, colour coded and twisted again to come up with a RAG (Red, Amber, Green)…and nothing about how to solve the problems! There are comments on mitigations, but those are so very high level that they are not useful at all.

I'm, to some extent 😉, a sucker for security architecture, but in my experience when delivering similar reports, the analyses where I point out security architecture components are the ones that actually deliver value to the client, on both the management and the techie level.

One of my favourite sites to visit is DatalossDB. Just recently a new loss was posted. This time it was Yahoo who lost 453 493 email addresses and passwords. The total cost, as calculated by Ponemon Institute, is $27 209 520! This makes a cost of $60 per record. That figure is used as a general figure for how much a breach of personal data costs per record. So any company with 1M customers could face costs of $60M in case of a breach. Changes the perception that security is not allowed to cost anything, doesn't it?

If you are working within the business you have probably heard of Flame, a type of highly complex targeted malware, active in the Middle East. With Flame emerging we now have three examples of very complex malware that are able to circumvent many standard security mechanisms. No matter the origin, their existence shows that there is a market for targeted malware and that malware will inevitably become more and more specialised, requiring more advanced security mechanisms.

Whitelisting has been tried many times but is still a bit cumbersome to handle. Add to that the emerging 'Bring your own device' policies, i.e. the IT department's loss of control over the hardware.

So what types of protections would be useful against Flame? As it is a very complex malware with many different attack vectors, a full lockdown would be advised, with no allowed access to any USB device or network. 😉 However, this is most of the time impractical, and a middle way would be advised. Whitelisting the network traffic is one way to go, and it is rather easy to administer for the IT department. Also blocking autorun for CD/DVDs and USB is a good option. As one rather common attack vector is the internet, using a browser through a terminal server instead of the local browser protects your local device from getting infected. And of course host-based firewalls on all clients, with no allowed access besides management servers and authentication servers.
These are just the first steps, but they will still take you a long way towards better security.

SwaggSec just released a new hack bragging about hacking China TeleCom and Warner Bros. At the end of the text they have added a torrent containing information about admin accounts and stuff.

What's interesting about this particular hack is merely that SwaggSec encourages you to log on to the hacked servers and do as much damage as you like. This means that if you are breached, you could now look forward to having hundreds of more or less skilled persons logging on and doing damage to your network. Just compare with how much importance you put on keeping people out of your server room. Now you could have a whole bunch of teenagers wreaking havoc with your databases.

L4

So you are a level 4 merchant and think PCI DSS is nothing you need to worry about? Think again! Lately attacks have moved from the bigger targets to smaller L3 and L4 merchants, mainly because they haven't focused on security to the same extent as a larger organisation has. This means that even if they need to hit 50 targets to get a decent amount of credit cards, the work involved is often just a fraction compared to what is needed for a bigger target. Furthermore, the credit cards have a longer time to live, as an L4 merchant seldom has the capability to either detect or investigate a breach.

And to be clear about it: all PCI DSS requirements apply, even if you are an L4. It is just how you prove it that differs.

Many of us have seen and implemented different kinds of security solutions. Some very cheap and others…more costly. One thing I teach all my colleagues, using the Security Analysis Framework, is how to calculate the most economically viable solution for our client. It may seem rather easy using Return On Security Investment (ROSI), but it is interesting to see how business understanding affects the cost. During one assignment I showed the methods to the QSA. They did the calculations and ended up with a cost of €12M. The report was sound and good but didn't take into account the possibility of structural changes at the client. So I took another approach and ended up with a project cost of €4M, mostly because I started to question whether a new system would be a better approach and at the same time outsourced a function within marketing.

So security and compliance are not only about understanding the standard; they are about putting it into the context of the client and finding the best fit. Something a security expert seldom can do, but something a security architect with large business acumen could. 🙂

A known and mostly accepted axiom in security is that the people doing something should not verify and accredit the same. This is to make sure that a solution is not flawed or intentionally sabotaged. This process holds true in many cases, but as it turned out this is not always true for the compliance market. Take the PCI DSS compliance scheme. It is mandated by the card brands, enforced by the banks and verified by the QSAs. Nothing wrong here! The merchants have to make sure that they are compliant and do whatever they need to do. Here comes the shady part. How should they know what to do? They ask someone who knows…the QSAs. So here we are in a situation where a QSA could suggest, implement AND verify a solution!

I'm fully aware that many companies are good and hold the security standard high, but there are also quite a few that aren't. Many of my clients sadly bear witness to that.

Now and then I'm engaged to conduct computer forensics as part of a sensitive and rough investigation. Even if the primary purpose is to find evidence (or prove innocence), you will inevitably get to know the owner of the computer.

I sometimes get involved in fraud investigations, CSA (child sex abuse) or intellectual property theft where proving the crime is a rather simple process. Still, I need to read hundreds of e-mails, look at thousands of photos and in general take a really long peek into a person's life. When discussing with my fellow investigators, most of them tell me that 'getting to know' a person that we prove to be criminal sometimes is the hardest part. Along with CSA you could find pictures of family vacations, loving mails from their spouse or just in general get to know the relationships the person has with all their friends. It takes its toll on you to still be able to focus on the investigation, knowing that your report will destroy the person's life.

Sometimes it is even worse to conduct computer forensics when you have to investigate a colleague’s computer. I know that it could be expensive to hire a professional investigator but sometimes it is worth the cost. You need to be able to live with yourself.

If you have been with me the last few years you probably know that I'm no fan of probability when it comes to risk analysis. Following this, I invented a workshop methodology named Micro Risks a few years back. During the last weeks I have merged this with Bruce Schneier's Attack Trees and put together a methodology to visualise risk and to measure risks based on the impact.

The strength of using this methodology is that you get a quantifiable way of measuring the effectiveness of your security mechanisms. This could be done either by making sure that all steps in your attack tree are blocked or by measuring how many steps a single mechanism actually blocks. Both of them are usable to provide a measure of effectiveness.

A word of warning! Those figures should ONLY be used as a way to select between different mechanisms that block the same steps, not as a way to decide to block certain steps but not others.
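As an added illustration (not part of the original post, and not the author's Micro Risks tooling), the two measures described above, whether every path in an attack tree is blocked and how many steps a single mechanism blocks, can be computed over a small AND/OR tree. The tree, the mechanisms and the rule that figures are only comparable between mechanisms blocking overlapping steps are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """LEAF = one attacker step; OR needs any child to succeed; AND needs all."""
    name: str
    kind: str = "LEAF"
    children: list = field(default_factory=list)

def leaves(node):
    """All concrete attacker steps under this node."""
    if node.kind == "LEAF":
        return {node.name}
    return set().union(*(leaves(c) for c in node.children))

def is_blocked(node, blocked):
    """Goal unreachable? OR: every branch blocked. AND: any one step blocked."""
    if node.kind == "LEAF":
        return node.name in blocked
    if node.kind == "OR":
        return all(is_blocked(c, blocked) for c in node.children)
    return any(is_blocked(c, blocked) for c in node.children)

def steps_blocked(tree, mechanism):
    """Effectiveness figure: number of steps in the tree this mechanism blocks."""
    return len(leaves(tree) & set(mechanism))

def comparable(mech_a, mech_b):
    """Only rank two mechanisms by steps_blocked if they block overlapping steps."""
    return bool(set(mech_a) & set(mech_b))

def goal_blocked(tree, mechanisms):
    """Combine the steps blocked by a set of mechanisms and test the root goal."""
    return is_blocked(tree, set().union(*mechanisms))

# Constructed example tree for the goal "steal the customer database".
TREE = Node("Steal customer database", "OR", [
    Node("Phish admin, then reuse credentials", "AND", [
        Node("Phish an administrator"),
        Node("Reuse admin credentials on the DB server")]),
    Node("Malware by USB, then exfiltrate", "AND", [
        Node("Infected USB autorun on a client"),
        Node("Exfiltrate over the network")]),
    Node("SQL injection in the web shop")])
# Constructed mechanisms and the steps each one blocks.
MECHANISMS = {
    "egress allow-list": {"Exfiltrate over the network"},
    "autorun disabled": {"Infected USB autorun on a client"},
    "host firewall": {"Reuse admin credentials on the DB server", "Exfiltrate over the network"},
    "web application firewall": {"SQL injection in the web shop"},
}
```

The host firewall scores 2 against the egress allow-list's 1 and the two are comparable because both block the exfiltration step; the autorun and WAF mechanisms block disjoint steps, so their figures should not be ranked against each other.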

You3 next level

You may have heard of the You3 analysis model before. It used to be just a nice graphical tool for the presentation of risks, but over the last two weeks I have spent some time actually creating an analysis model whose outcome is something very similar to the presentation model.

You3

Using it as a way of describing risks is all well and good but using it to analyse risks and map security mechanisms and impact is something completely new. A common flaw in security is the lack of understanding when a security mechanism actually is active and when it is not. A simple example is hard drive encryption that is active only when the computer is turned off. So if you run a 24/7 business why would you then invest in such a mechanism?

It all falls back to the risk analysis and the understanding of who the culprits are (internal or external). Mapping the actors onto You3 helps you have a sound discussion with any type of security vendor and actually make sure that your money is spent on effective tools rather than on something you have already paid for twice.
