Tag Archives: Risk management

Vastly improve your IT security in 2 easy steps?

1 April 2017

Keep your software patched and defend against social engineering, and you will win the battle against the bad guys. Let me be clear: From my point of view this is simply not enough. Nevertheless, Roger A. Grimes’ post “Vastly improve your IT security in 2 easy steps” published on March 21, 2017 at InfoWorld is really worth reading, in particular the section about patching.

The key to diminishing this risk is to identify the right software to patch and do it really, really well. The risk reducers I respect know the difference between the largest unpatched program in their environment and the unpatched program most likely to be exploited in their environment. A security expert knows there is usually a gulf between the two.

This is a very important hint, particularly in the production domain, where patching always has to be delayed until the next scheduled maintenance.

The big question is: How can we identify the right software on the right and important systems? Without an up-to-date asset directory with the relevant details about cyber security this is a very complex and expensive matter.

But even with an up-to-date asset directory this remains a complex task.

Figure: Rockwell/Allen Bradley systems directly connected to the Internet in North America.

For example, the likelihood of a cyber-attack on an Industrial Control System (ICS) that is directly connected to the internet is many times higher than the likelihood of an attack on an ICS that is completely isolated in a security zone within the production network. The first ICS is definitely one of those systems Roger Grimes has in mind; the latter can be ignored.

But the likelihood of a cyber-attack is only half the story. For example, in functional safety the risk is the combination of the probability that a hazard will lead to an accident and the likely severity of the accident if it occurs. Thus, from this point of view, even the first ICS may be uncritical if it is not used for controlling a critical infrastructure.

To identify the right and important systems is the hard task. It requires an up-to-date asset inventory and a smart risk management process. The plain patching process is just a piece of cake.
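The gap between "largest unpatched" and "most likely to be exploited", combined with severity, can be made concrete with a small ranking over an asset inventory. This is an added example, not from the original post; the inventory entries, the 1..5 scales and the weights are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    internet_facing: bool     # directly reachable from the Internet?
    severity: int             # assumed scale: 1 (negligible) .. 5 (critical infrastructure)
    missing_patches: int      # number of outstanding patches
    exploited_in_wild: int    # how many of those are known to be actively exploited

def likelihood(a: Asset) -> int:
    """Assumed 1..5 scale: exposure and active exploitation raise likelihood."""
    score = 1
    if a.internet_facing:
        score += 2
    if a.exploited_in_wild > 0:
        score += 2
    return score

def risk(a: Asset) -> int:
    """Risk as the combination of likelihood and severity."""
    return likelihood(a) * a.severity

def rank_by_count(assets):
    """Naive view: patch whatever has the most missing patches first."""
    return [a.name for a in sorted(assets, key=lambda a: -a.missing_patches)]

def rank_by_risk(assets):
    """Risk view: patch what is likely to be hit AND hurts when it is."""
    return [a.name for a in sorted(assets, key=risk, reverse=True)]

# Constructed sample inventory (hypothetical asset names).
INVENTORY = [
    Asset("office-file-server",        False, 2, 40, 0),
    Asset("plc-internet-pump-station", True,  5,  3, 1),
    Asset("plc-internet-demo-rig",     True,  1,  3, 1),
    Asset("plc-isolated-line-4",       False, 4,  6, 0),
]

if __name__ == "__main__":
    print("by patch count:", rank_by_count(INVENTORY))
    print("by risk:       ", rank_by_risk(INVENTORY))
```

The two Internet-facing controllers have the same likelihood, but only the one controlling critical infrastructure ends up at the top of the risk ranking.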

Have a good weekend.

Security falls often by the wayside if availability is a priority

16 May 2015

When we talk about information security we often forget printing. We add labels like ‘Confidential’ or ‘Top secret’ to documents to make it clear to everyone that these documents contain the company’s crown jewels. But when it comes to printing, the printouts stay in the printer output bin, sometimes for days, accessible to everyone.

Fortunately, most printer vendors have developed secure print systems to support users in the secure handling of information. In a secure print system, documents are not output immediately when printed by the user. Instead, they are cached by the print service and output only when the user requests them.

Before the user can request a printout he has to sign in to the printer with his username and password. Since it is very annoying to sign in for every printout, users can register their ID cards or special printing cards to speed up the output process. As a fallback, e.g. if the user forgot his ID card, signing in with username and password is possible.

Figure: Secure Printing Threat Model.

If a user requests a printout, he places his ID card on the card reader attached to the printer. The built-in Authentication Manager (AM) sends an Authentication Request [1] to the Authentication and Authorization Manager (AAM). The AAM checks against the Active Directory whether the user is valid [2] and against the ID-Card Database [3] whether the ID card is valid and registered. Upon successful authentication the AM notifies [4] the Print Manager (PM). The PM on the printer retrieves a list of the user’s print jobs from the Print Service and prints either the selected jobs or all of them.

This works perfectly. And since every document is cached by the print service and sent to the printer only on request, users can request printouts on every printer attached to the secure printing system.

Unfortunately, documents cannot be output when the network connection to, e.g., the Authentication and Authorization Manager is not available. And this is a real disaster!

To boost availability, the secure print system suppliers introduced the local credential cache [7]. After a successful sign-in to the printing system, the user’s credentials and badge number [6] are cached in the printer. If the connection to the AAM service is down, the system authenticates the user against the locally cached credentials. Great!

But with the local credential cache the suppliers built a weakness into the system. If a terminated user could disrupt the network connection to the AAM, he could use the secure printing system with the credentials stored on the printer.

To securely terminate an employee you need to disable his ID card and his Active Directory account immediately. This will make sure that he can no longer access the secure printing system.

In addition, you should clear the user’s credentials from every printer he used for secure printing to make sure that he cannot access the secure print system in the case of a system failure.

At this point at the latest, a risk evaluation makes sense. Under normal conditions it is very unlikely that an employee without administrative privileges could disrupt the connection to the AAM. Thus the risk is low that an employee without administrative privileges can exploit this weakness.

But it is necessary to check the workflows for terminating employees. Since an employee can reach the secure print system by logging in with his username and password, it is very important to disable the account immediately. This will prevent unauthorized access.

If you have already introduced a secure printing system, I would strongly recommend restarting the risk evaluation process for your printing system and checking the processes for terminating employees.
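The interaction between the local credential cache and the termination workflow can be checked with a small model. This is an added example, not vendor code or part of the original post; the class names, the badge number and the user name are hypothetical, and the model only mirrors the flow described above.

```python
class AAM:
    """Authentication and Authorization Manager: AD accounts plus ID-card database."""
    def __init__(self):
        self.enabled_accounts = set()   # stands in for Active Directory
        self.cards = {}                 # ID-card database: badge number -> username
        self.reachable = True

    def authenticate(self, badge):
        if not self.reachable:
            raise ConnectionError("AAM unreachable")
        user = self.cards.get(badge)
        return user if user in self.enabled_accounts else None

class Printer:
    def __init__(self, name, aam):
        self.name, self.aam = name, aam
        self.cache = {}                 # local credential cache: badge -> username

    def sign_in(self, badge):
        try:
            user = self.aam.authenticate(badge)
        except ConnectionError:
            # Availability fallback: trust whatever was cached earlier.
            return self.cache.get(badge)
        if user:
            self.cache[badge] = user    # cache after successful online sign-in
        return user

def terminate(user, aam, printers, purge_caches):
    """Offboarding: disable account and card; optionally clear printer caches."""
    aam.enabled_accounts.discard(user)
    aam.cards = {b: u for b, u in aam.cards.items() if u != user}
    if purge_caches:
        for p in printers:
            p.cache = {b: u for b, u in p.cache.items() if u != user}

def demo(purge_caches):
    """Return the sign-in result per printer after termination plus an AAM outage."""
    aam = AAM()
    aam.enabled_accounts.add("alice")
    aam.cards["badge-1001"] = "alice"
    printers = [Printer("floor-1", aam), Printer("floor-2", aam)]
    printers[0].sign_in("badge-1001")   # user printed on floor-1 only
    terminate("alice", aam, printers, purge_caches)
    aam.reachable = False               # connection to the AAM is down
    return [p.sign_in("badge-1001") for p in printers]

if __name__ == "__main__":
    print("without cache purge:", demo(False))
    print("with cache purge:   ", demo(True))
```

Without the purge step, the printer the user had signed in to still accepts the badge during the outage; with it, every printer rejects the badge.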

Don’t panic…

… and have a good weekend.

Risk management keeps the attack surface on an acceptable level

20 November 2014

In the post ‘Experts: Cyber risk management requires teamwork, preparation’ Sharon Shea reports on the 2014 Advanced Cyber Security Center conference.

“‘You are not going to eliminate the risk of attacks, you are going to manage the risk’ said Michael Chertoff, former secretary of the U.S. Department of Homeland Security and executive chairman and co-founder of the Chertoff Group, during his keynote presentation at the 2014 Advanced Cyber Security Center conference.”

Well said, I fully agree. The four ways to treat risks are to transfer, eliminate, accept, or mitigate them.

Eliminating a risk is of mostly academic value. Eliminating the risk means eliminating the function and thus, in the worst case, eliminating the business.

The fifth option, ignore, is not acceptable for an enterprise because the hours until you are out of business could be counted on the fingers of one hand.

Risk management always starts with identifying and evaluating the risk. This is the responsibility of the business groups, with support from IT. Once you have evaluated the risk you can start managing it. Managing the risk means bringing it to an acceptable level, e.g. by applying mitigation measures or accepting it.

In risk evaluation it is very important to assign attacks by malicious insiders the same probability as attacks on servers at the perimeter of your network. If this assumption is taken into account during risk evaluation, you will arrive at a balanced approach.

The concept of the attack surface is perfectly suited to make this clear. Even a single unhardened server operated inside your network increases the attack surface of your IT system dramatically because an attacker could use it as a gateway into your system.

Risk management should always keep the overall attack surface of a company at an acceptable level.

Minimize your attack surface, and have a good day.