
Nr 38

I was just recognized as the 38th best security specialist in Sweden. The list is a recognition of competence, willingness to share your knowledge and your ability to make it visible for the public.

Computer forensics is quite fun sometimes and unbelievably boring most of the time. Facing a new problem is of course always interesting, and I got the possibility to conduct an investigation on some cloud resources. If it had been a cloud located in Sweden it would have been a simple matter of travelling to the datacentre, mirroring whatever servers were included in the system and starting work. This time, however, it was a SaaS (Software as a Service) solution, meaning that I had no access to the data centre and no possibility to access the servers. Quite a task, to conduct an investigation without access to the system?

In this case, however, the question was who had accessed the information and from where. The case regarded a breach of security in a document repository used for handling proposals. The company in question had decided to move all documents used in bidding processes to the service, as they frequently used sub-contractors in their work and needed to give them access to the documents in a controlled fashion; and of course their Business Prevention Unit, also known as the Security Department, refused to give anyone external access to the system.

So what could I do? I could get administrative access to my client's document store and to the logs. Said and done. Within a few hours I knew which user accounts had accessed which documents. I also got hold of the IP addresses used for accessing the site. So with some work in RIPE's database I was able to find that one account was used by the competitor in question, and that was enough to move forward into a civil suit.

So, all in all, working with forensics in a SaaS means that you have to place trust in the logging systems and the identity systems and rely on other open sources like RIPE to move forward. The process is a bit more cumbersome and the legal issues are a lot more problematic. As a professional investigator for a private company it is easier for me to conduct the investigation. Working as a police officer will be a lot harder in the future.

IAM implementations of different kinds go on at many of my clients, and one question I often get is how to handle logging and administrators from an IAM perspective. From the identity point of view you have one user – one identity. From the security point of view you have separation of duties and the lowest possible access. If you use one user – one identity you will have users conducting their daily work with way too high access rights.

The obvious answer is to have ordinary users and administrative users. But how do you connect this to the one user – one identity concept? The answer is of course: you don't. You will have to allow a separation here. The important thing is to differentiate between your user access system and your identity system. In the latter you need to have the possibility to register several users against one identity. Sounds easy? Well, it is easy as long as you are willing to understand the purpose of security: to protect; instead of believing it has a purpose in itself. Security is only there because there is something to protect. Not because you need security.
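As an added illustration (not code from the original post), here is a Python sketch of the split described above: an identity registry that binds several user accounts to one person, an access check that looks only at the account being used, a check for ordinary accounts carrying administrative rights, and log attribution that maps an account back to its identity. The privilege names, person IDs and log events are constructed.

```python
from dataclasses import dataclass, field

ADMIN_PRIVILEGES = frozenset({"manage_users", "change_firewall"})  # constructed admin-only set

@dataclass(frozen=True)
class Account:
    username: str            # login name used in the access system and in the logs
    kind: str                # "ordinary" for daily work, "admin" for administration
    privileges: frozenset    # what the access system grants this account

@dataclass
class Identity:
    person_id: str                                   # one human being
    accounts: dict = field(default_factory=dict)     # username -> Account

class IdentityRegistry:
    """Identity system: one person may have several user accounts bound to it."""
    def __init__(self):
        self.identities = {}   # person_id -> Identity
        self.owner_of = {}     # username -> person_id

    def register(self, person_id, account):
        if account.username in self.owner_of:
            raise ValueError(f"{account.username} is already bound to an identity")
        ident = self.identities.setdefault(person_id, Identity(person_id))
        ident.accounts[account.username] = account
        self.owner_of[account.username] = person_id

    def account(self, username):
        return self.identities[self.owner_of[username]].accounts[username]

def check_access(registry, username, privilege):
    """Access system: the decision is made on the account used, never on the person."""
    return privilege in registry.account(username).privileges

def separation_violations(registry):
    """Ordinary accounts holding administrative privileges: daily work with too high rights."""
    return [a.username for i in registry.identities.values() for a in i.accounts.values()
            if a.kind == "ordinary" and a.privileges & ADMIN_PRIVILEGES]

def attribute_log(registry, events):
    """Logging: enrich account-level events with the identity behind the account."""
    return [dict(ev, person=registry.owner_of[ev["user"]]) for ev in events]

def demo():
    reg = IdentityRegistry()
    reg.register("P-001", Account("alice", "ordinary", frozenset({"read_docs", "edit_docs"})))
    reg.register("P-001", Account("alice-adm", "admin", ADMIN_PRIVILEGES))
    reg.register("P-002", Account("bob", "ordinary", frozenset({"read_docs", "manage_users"})))
    events = [{"user": "alice", "action": "edit_docs"}, {"user": "alice-adm", "action": "manage_users"}]  # constructed
    return reg, attribute_log(reg, events)
```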

Quite often I am engaged in projects that involve creating an information classification. Many times this is seen as security work. However, this is not the case. Information classification is only an economic construct. By classifying information you make it easier to decide what kind of security and which security mechanisms you need.

What is then the effect of looking at information classification as a security concept? Many times it means that the company stops there. They implement a classification on documents, systems and so on but still utilize the same security mechanisms as before, with the addition of a classification tag.

What you need to do is map your security mechanisms into your security architecture and your generic security mechanisms. Estimate the value of what you want to protect. Set baselines for the different classifications and implement the right level of security for the right classification. By doing this you get better working security that will not be too costly. Utilize ROSI (Return On Security Investment) for this and you are home free.

Some of you may have noticed that my blog was hacked twice during February. The first hack was someone entering links to some obscure medical shop in all postings. The second hack was a simple defacement. You could say that it should be embarrassing to be hacked and that I, as a security expert, should be totally safe. 😉

However, as you are perfectly aware, security erodes over time and constant vigilance is needed. This is true, however, only if the things you have are valuable enough. In my case the value lies only in my postings. There is no confidentiality concern around them as they are published. Integrity is however an issue, and availability even more so.

I have further looked at the risks and applied the risk triangle, making sure that I understand the likelihood of a threat agent actually posing a threat to me. In my case the probability is extremely low that someone would hack me just to hack me. However, an automated attack may make me a possible target. And this was of course the case both times.

The first hack affected the integrity of my posts and was rather easily thwarted by restoring a backup. It took a few days, however, before my hosting company was able to do that. During that time I probably suffered a reputation loss. The reason for the hack was mainly a vulnerability in WordPress that I hadn't patched, as I do not check my blog daily. This will now be mitigated by subscribing to the update service, making sure that my blog is patched immediately. This is a change I need to make because my blog is now on the radar for automated attacks.

The second hack was however impossible for me to stop, as it was aimed at the web server itself and used a weak password on someone else's website. From there it was possible to replace the index files on all sites, pointing the visitors to a default picture. I have suggested to my hosting company that they sandbox the websites, making sure that the whole server is not wrecked if it happens again. Furthermore I will strengthen the ACLs on the index files to make sure an automated attack fails.
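As an added example (not code from the original post or from the hosting provider), here is a small Python integrity check for the situation above: it records a baseline digest of each site's index file and then reports files that have been replaced, are missing, or are left writable by group or others. The site layout and file contents are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths):
    """Record the known-good digest of every index file."""
    return {p: file_digest(p) for p in paths}

def check(known_good):
    """Compare each index file with its baseline and its expected permissions; returns
    (path, reason) findings for files that are missing, changed or writable by group/other."""
    findings = []
    for path, digest in known_good.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        if file_digest(path) != digest:
            findings.append((path, "content changed"))
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group/other"))
    return findings

def demo():
    """Constructed scenario: two sites on one host; one index page is replaced, one is left writable."""
    root = tempfile.mkdtemp()
    index = {}
    for site in ("site-a", "site-b"):
        os.makedirs(os.path.join(root, site))
        index[site] = os.path.join(root, site, "index.html")
        with open(index[site], "w") as f:
            f.write(f"<html><body>{site}</body></html>")
        os.chmod(index[site], 0o644)
    known = baseline(index.values())
    with open(index["site-a"], "w") as f:   # defacement: index replaced on site-a
        f.write("<html><body><img src='default.png'></body></html>")
    os.chmod(index["site-b"], 0o666)         # weak ACL left on site-b
    return [(os.path.basename(os.path.dirname(p)), r) for p, r in check(known)]
```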

All in all, the blog is up and running again, I didn't lose any information, and I got the possibility to discuss this topic. And I have updated my risk analysis, making sure that I at least get to patch WordPress quickly. 🙂

Working as a security architect means that I sometimes need to explain what I work with. I often get the question: 'Do you make architectures for security technology like IAM and firewalls?' The answer is always 'Yes, but…' So the real question is: 'What is "but…"?'

To be able to create a security architecture you need to understand what security really is. Security is only a property of everything, meaning that whenever you create a functional architecture, like a network or a new process, you have to make sure that you manage security. Simple as that? No.

What is security when it comes to architecture? Security is all about managing risks, and those risks could be managed in different ways with different results and costs, but all of them do mitigate the risk. So before you start to create your functional architecture you need to conduct a risk analysis, making sure you understand what the risks are. Then you can apply security in your architecture. But…

How much security? Well, that is for me to know and you to learn. You have to do an asset valuation to understand the value of the things you are protecting; be it the total value of the company or just a number of credit cards stored on a server. When you know the value you know how much security you need.

And that is all? Almost. You will probably come up with different solutions in the different aspect areas: Business, Information, Information System or Technical Infrastructure. Being able to select either one means that you need to understand the effectiveness of your security mechanisms and the costs of implementing them. Using ROSI (Return On Security Investment) as a KPI means that you have a tool that helps you select the best security architecture for your client.
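To make the ROSI selection above, and the classification baselines from the earlier post on information classification, concrete, here is an added Python example (not from the original posts) that computes annualised loss expectancy and ROSI for candidate mechanisms in the different aspect areas and picks the best one that meets the baseline for the asset's classification. The baseline thresholds, asset value, exposure factor, annual rate of occurrence and candidate mechanisms are constructed figures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str   # label from the information classification
    value: float          # from the asset valuation, in currency units

@dataclass(frozen=True)
class Mechanism:
    name: str
    area: str             # Business, Information, Information System or Technical Infrastructure
    annual_cost: float
    effectiveness: float  # fraction of the annual loss the mechanism removes, 0..1

# Baseline per classification: minimum effectiveness a mechanism must reach to qualify (assumed values)
BASELINE = {"public": 0.0, "internal": 0.5, "confidential": 0.8}

def ale(asset, exposure_factor, aro):
    """Annualised loss expectancy: asset value x fraction lost per incident x incidents per year."""
    return asset.value * exposure_factor * aro

def rosi(asset, exposure_factor, aro, mech):
    """(loss avoided - cost of the mechanism) / cost of the mechanism."""
    before = ale(asset, exposure_factor, aro)
    after = before * (1.0 - mech.effectiveness)
    return (before - after - mech.annual_cost) / mech.annual_cost

def select_mechanism(asset, exposure_factor, aro, candidates):
    """Among candidates meeting the classification baseline, return the one with the best ROSI,
    or None when no qualifying mechanism pays for itself."""
    qualified = [m for m in candidates if m.effectiveness >= BASELINE[asset.classification]]
    if not qualified:
        return None
    best = max(qualified, key=lambda m: rosi(asset, exposure_factor, aro, m))
    return best if rosi(asset, exposure_factor, aro, best) > 0 else None

# Constructed figures for a bid-document repository; exposure factor and ARO come from the risk analysis
BID_DOCS = Asset("bid documents", "confidential", 2_000_000)
CANDIDATES = [
    Mechanism("classification tag only", "Information", 5_000, 0.05),
    Mechanism("access-controlled encrypted repository", "Information System", 60_000, 0.9),
    Mechanism("dedicated isolated network segment", "Technical Infrastructure", 250_000, 0.95),
]
```

A classification tag on its own never qualifies for the confidential baseline, and for a low-value public asset even a cheap mechanism can have a negative ROSI, so the function returns None in both cases.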

Security experts are an interesting breed. Ask them about the effectiveness of obscurity and they will give you a long tale of why it doesn't work. Ask them about the theory of encryption systems and they will tell you that you should always assume that the attacker knows everything. Ask them about their own security and they will fall silent as a rock. It is hidden behind secrecy, covered with confidentiality marks, and the general principle is "Security by obscurity".

So why is it that security by obscurity is always practiced? Why are security people so secretive, always hiding in the shadows? There is of course no easy answer to this, but there are a few things that could partly explain it: lack of own knowledge and slow processes.

Not being in total control of your security setup means that there is always a possibility of attack paths you didn't know of. The biggest threat is, as always, complexity, but I want to challenge that assumption. Security is not complex. If it is, you have done it all wrong. Yes, it may be that you have a thousand systems you need to secure. But the models you use should all be the same, and the processes should be the same. Patching one system or patching a thousand is all the same. The same goes for network security. You may have a complex firewall concept including hundreds of firewalls, but the process of managing them is the same. One or a hundred.

If you have done your risk analysis correctly you will inevitably understand what the fastest way to mitigate a threat would be. Sure, it takes longer to patch a thousand servers, but you won't have a thousand servers that are all in peril just because there is a new vulnerability.

In the end, believing in security by obscurity will only work against you, because you have no incentive to actually learn to work faster or improve your way of thinking. It is easier to just add another firewall. 😉

Even I go on vacation sometimes. This year I was away diving, and like any diver I take good care of my gear, meaning that I carry my regulator in my hand luggage to make sure it arrives fully functional. I do have to trust my life to it.

However, carrying it through the security check is always a challenge, especially if you encounter personnel with no knowledge of diving gear. To cut the story short, I was asked to dismantle my regulator as it obviously was filled with illegal substances, since I could not breathe through it when requested. As all divers know, you shouldn't be able to breathe through it when it's not connected to a tank. Luckily the security guard's manager was a diver and let me through with a perfectly functional regulator.

Taking a step back to the corporate world, we are met with a humongous complexity, and in that mesh working with security means that you need to know everything about everything. Failing to understand means that you will be met with disrespect and viewed as a roadblock and something that needs to be handled, instead of being seen as an important contributor to the company.

The biggest question is of course how you address this task, as few have the capability to know everything. The answer is of course security architecture and patterns. However, security architecture is so much more than just understanding the infrastructure solutions that could solve a problem. It is way more important to understand and be able to work with changes in the way the company works (processes), changes in the information itself, and how to make changes in the automation of a process. When you have clearly identified the problem it is so much easier to apply the right pattern to the right part of the architecture.

Grasping this, and still trying to learn as much as you can about different topics, will help you evolve security into a game changer within your organization. Effective use of a team with broad knowledge will help you achieve this much more easily. And most importantly, you will not be the one harassing an innocent diver with your lack of knowledge and understanding.

I recently finished a study at a client that has a lot of electrical engineers. It was very interesting how they always tried to solve all problems with the tools at hand, mainly electrical components and power switches.

The question was how to secure access to a workstation. Their solution was to cut the power to the keyboard and mouse when the desktop was not in use, still allowing the screen to be unlocked. My suggestion to lock the screen was viewed as unsafe, as all computers could be hacked. After some arguments we put each other to the test. They would hack my solution and I theirs.

I won, but I had to admit that I cheated just a little bit. I had activated speech recognition on both computers. 😉

Just my way of showing that you have to take everything into account. That's why you should always hire a team of security consultants. If they are any good they should have a methodology for working as a team and provide you with better results.

Most of you are aware of how to solve security problems. One that is harder to solve is how to handle a security department that doesn't work for the company's good. It is very easy to blame that specific guy, but what if it is the system that is wrong?

I recently read 'The Lucifer Effect: How Good People Turn Evil'. A very disturbing and upsetting book, I must say. The theme of the book is a lot more disturbing than a security guy saying no to everything, but looking at the processes, most of the time this guy hides behind processes and refers to the other staff as 'Users', 'Endloosers' or similar. The dehumanization paves the road for intrusive security functions that won't support the business.

So mind your wording and read the book. You will find out disturbing things about yourselves, but in the end you may have gained some understanding.
