Monthly Archives: July 2014

Why IT security programs fail

 31 July 2014

If it is about IT security, business people have every confidence in the ability of IT departments that they do the right and important things. To be honest, sometimes I have the feeling, that they do not want to be involved in this security stuff.

‘Just let the nerds add some new high sophisticated technology – and all will end well.’ But, please without any impact on our daily work and to low additional costs.

This ‘not involved here’ syndrome is the main reason why information security programs fail. And, combined with blind trust in technology, things could end worse.

Some weeks ago I read a remarkable statement in post ‘Security Think Tank: Consider security Training before high-end technology’ by Mike Gillespie:

Encryption is not the solution to security, it is part of the solution and always has been. So an employee who does not realise that their device is encrypted basically when it is switched off, may still have very poor security habits, such as leaving a laptop logged on with the lid down, thinking the data is secure because it is magically encrypted.

If Mike Gillespie had one more Dollar to spent in IT, I bet, he would invest this Dollar into security awareness Training.

We need change!

We need Change!

To ensure sustainability, it is very important to get people involved in these IT security topics. As Benjamin Franklin once said: ‘Tell me and I forget. Teach me and I may remember. Involve me and I learn’. Thus, to increase the likelihood of success, IT security programs should always be embedded in a change process.

But Management buy-in comes first! Why?

To stay in the market, with a well respected brand and competitive products, is definitely part of every company’s business strategy. IT is just an enabler for business strategy. IT supports the business groups in protecting the important digital assets and the intellectual property of a company.

Therefore, IT cannot be the driver for a security program. Business must take the initiative and start and manage the program to ensure sustainable change in IT security awareness and behaviour. If a C-level manager could be won as program sponsor, it is very likely that the program’s targets are met.

It’s all about leadership! And Change.

NMH survival strategy

26 July 2014

Business people are quick in demanding the highest IT security standards, but when it comes to the implementation, the security measures should not have any impact on their daily business.

What impact is a just about acceptable? The answer to this question depends on many factors. Moreover, there is no universally applicable answer to this question.

Last week this question came up in a discussion about the impact of protection measures on scientists. My answer was: Lets try the NMH (No Medium High) impact approach.

No impact

Start with protection measures that have no impact on daily work. Many technical measures and few organizational measures could be implemented in the background, in the best case without a downtime.

Present your approach and the measures to the business groups. Show that there is no impact on their daily work. I bet, everyone will welcome this approach. And, if it works, everyone will trust you and you will feel like a super hero.

Medium impact

In the next step develop measures with low or medium impact on daily work. It is very important that this is done in close collaboration with the business groups. This measures are mostly organizational measures or small changes of the way of working, e.g. waiving of USB sticks, encryption of emails if sensitive information is exchanged, or the set up of a data handling policy.

Offer at least equal or better and easy to use alternatives. Agree with the business groups in the set of measures that should be implemented, in the schedule and the remaining risk as well. Make clear that the business groups have to cover the remaining risk! Implement the changes in close cooperation with the business groups.

High impact

Finally, discuss measures that have a high impact on the way of working, e.g. strong passwords, two factor authentication to systems which are used for access to core business data or classification and tagging of data.

If there are legal requirements to implement those measures, that’s a more easy job. Anyway, you have to make the advantages clear! Finally , the business groups have to agree in the set of measures which should be implemented. In the worst case, they take the remaining risk and reject any proposals for high impact measures. If there are no legal requirements that’s ok.

From my point of view with the NMH approach you will get a high level of security without infuriating the business groups too much!

Become a superhero!

A trusted device on a trusted network? A dangerous illusion!

24 July 2014

Some days ago I attended a webinar about Cyber security. While discussing the challenges of BYOD someone stated:

‘In a hyper connected world thousands of trusted devices connect to your trusted company network.’

In my opinion, trusted devices in a trusted network are a contradiction in itself.

Let me clarify this by an example from daily life.

The moment you are connecting with your company owned laptop across the internet to your company network, you lost the game. Even if you use a VNP tunnel to secure the network connection, your laptop is in a potentially insecure state, since likely infected with malware.

Back in the company network this computers state remains insecure because your malware detection system may not detect the malware. Therefore your company network is compromised as well.

That reminds me of the blockbuster ‘Independence Day’ from 1996. The aliens allowed a fighter jet, that was lost fifty years ago, to dock at the mothership. A trusted device in a trusted network! It was the first and last mistake in their life.

The good news are: This laptop is under your control. You are able to reinstall it with a hopefully not compromised golden image.

But in the hyper connected world of the Internet of Things (IoT) and BYOD most of the devices are not under your control. Moreover, they are in a completely undefined security state, with outdated and unpatched operating systems and applications and insecure SSL certificates for communications. Just a giant black security hole!

To master the challenges of  IoT and BYOD, we have to develop completely new concepts for securing  devices, applications and the communication between the devices and the company network. Trust no one!

In the meanwhile we have to do our best to create awareness for the new threats, and to secure the data in the company network.

By the way, the aliens would have done well to destroy the fighter jet!

The neverending local administrative rights story

19 July 2014

Last week I discussed IT security related topics with the computational biology systems group. It’s hard to believe, but most of the scientist work with Linux, most of the time with a bare bash (Bourne-again shell).

What surprised me was that no scientist works with permanent super user rights. Everyone works with a standard user account, but has the option to switch context with SUDO if necessary. Very impressive!

‘Way of working’ is an essential part of every security strategy. Sometimes large security gains could be achieved with small changes to the way of working, at a fraction of the cost of technology based measures.

With Windows users I have endless discussions about the pros and cons of working with permanent administrative rights. There are good reasons for working this way, but as a result, we create a security hole from the size of a barn door that may compromise all other security measures.

On 26 April 2014 Microsoft informed in ‘Microsoft Security Advisory 2963983’ about a critical vulnerability in Internet explorer. In ‘Security Bulletin MS14-021 – Critical’,  published on 1 May 2014, we find some details about the vulnerability and the best reason to end this discussion once and for all:

‘An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.’

Bingo!

Waiving permanent administrative rights must not have serious disadvantages for user productivity. Microsoft implemented a technology similar to SUOD with Windows Vista.

Windows User Account Control (UAC) allows standard users to execute functions where administrative rights are required. If this is the case, UAC prompts for administrative privileges before executing the command.

The solution in just 3 steps:

  1. Communicate the new policy and new way of working to users with local admin rights
  2. Create a local account Useridloc and add account Useridloc to local administrators group
  3. Remove account Userid from the local administrators Group

When UAC requests administrative privileges the user inputs the credentials of Useridloc.

Please note: Since users can re-assign themselves to the local administrators group please audit compliance with the policy.

By the way, if Useridloc is used with runas (the windows command for SUDO), commands could be executed directly with administrative rights.

Welcome back to the comfort zone!

Howto secure business critical data? – The admin challenge or {U} ∩ {A} = ∅

17 July 2014

Unfortunately, sometimes administrative privileges are required for operation of the systems and services inside the Core Data Services Network (CDSN). This is very annoying because administrators are always an inherent risk. To be honest, I look forward to the day when servers could be operated without any system privileges.

Until then, we must try to reduce the risk through consequent application of the Separation of Duties (SoD) principle. Let’s do some basic set theory first.

Let {U} be the set of all employees in the company, {D} ⊂{U} the set of all employees with authorized access to the core data and {A} ⊂{U} the set of all IT Administrators in the company.

The Separation of Duties (SoD) principle requires:

 {U} ∩ {A} = ∅

This translates into the following basic principle:

Employees with authorized access to core business data must never have the privileges for administration of systems and services in the entire company network.

Could a data manager have privileged access with a special account? This question was asked in a meeting some days ago. Although there may be good reasons to do this, the answer is No. Never! Employees with authorized access to data must never have privileged access, no matter what account is used.

Note bene: The SoD principle should be applied to all services at all system, application and infrastructure levels. Let me clarify this by the means of two examples:

  1. Data managers should never have the privileges for account or database administration because this would allow them to grant privileges to themselves.
  2. Terminal service administrators must never have the privileges to configure the firewalls between the CDSN and the company network. This would allow them to authorize other computer for access to the CDSN.

Simple, but effective.

Bromium – The Dawn Of A New Era In Corporate Cyber Threats?

14 July 2014

The Dawn Of A New Era In Corporate Cyber Threats? | A Collection of Bromides on Infrastructure.

Although the picture reminds me of some scenes of Terminator II, Bill Gardner does not announce the imminent end of the world. In this blog post he just creates awareness for a new kind of attacks with may have dramatic impact on businesses.

Fortunately, today’s attackers focus on new market businesses. The impact of a data theft, e.g. loss of reputation or annoyed customers, is costly and exasperating for companies, but not life-threatening. Destruction of data and of backups, as in the case of Code Spaces, might lead in the worst case to loss of business and disastrous effect on customers.

But the expansion of malicious activities to old market businesses, like chemical and pharmaceutical plants or basic infrastructure like national gas or power supply systems, could have  a catastrophic impact on businesses, environment and people.

In addition, a third type of damage, integrity loss, caused by tampering of data, makes things really worse, because this kind of damage is very hard, and often only after several years, to discover.

We urgently need to prepare for the “Maximum Credible Accident!

For a good starting point see Mark Brown’s article “Where should a CISO look for cyber security answers – hardware, software or wetware?”.

Don’t Panic – All will end well!

SearchSecurity: Multifactor authentication key to cloud security success

12 July 2014

Multifactor authentication key to cloud security success

In this great post Brandon Blevins provides a brief summary about the Code Spaces attack, the progression of the attack and the catastrophic consequences for the company and the customers. Moreover, he makes clear that Multi Factor Authentication is an essential requirement for running a successful business in the cloud. With Two- or Multi Factor Authentication in place this attack would not have been possible.

The attack pattern in the Code Spaces case differs only slightly from the patterns in the eBay, Target, and Office attacks. In all cases the attackers used stolen credentials of employees for unauthorized access to the company network and the data.

One Euro Cent Coin

From my point of view, Two or Multi Factor Authentication (MFA) would have prevented most of the published data breaches, irrespective of whether the services are hosted on premise or in the cloud.

Multi Factor Authentication is worth every Cent!

The main difference between the attacks exists in the amount of the damage, in the eBay case data theft and loss of reputation, irreversible destruction and discontinuation of Business in the Code Spaces case.

But a third, more important type of damage must be considered:

Integrity loss, caused by tampering of data.

Small changes to software products, to the formulation of drugs, or a bill of material could lead in the worst case to a catastrophic impact on people, businesses and the environment.

How often does this happen, without you ever noticing?  At this very moment? And, are you able to recognize such integrity losses to prevent larger damage?

We should ask ourselves these worrying questions. The statement “I always call it the Wal-Mart-Target competition … to see who can get to the lowest price and still provide good service. Security is what gets lost” gains a new meaning from the integrity point of view.

I would strongly recommend, that all businesses, in particular in the manufacturing industries and in the pharma sector, should decide about implementing MFA to prevent damage caused by integrity loss.

That will make our world a somewhat safer place.