Category Archives: Principles

Cyber Insurance

There are three ways of managing IT security risks in a Risk Treatment Plan.

  • Accept the Risk – a positive decision to accept a risk to the business as being something you are comfortable with.
  • Mitigate the Risk – put a control in place to reduce the risk.
  • Transfer the Risk – move the cost of the event happening to someone else.

Transferring the Risk is commonly done by Insurance, although there are other methods of Risk Transfer.

Cyber Liability Insurance Cover (CLIC) is often overlooked as an option to help a company survive a critical loss of data or a major security incident. The market for, and take-up of, such insurance varies. In the US, some form of CLIC is often a regulatory requirement, so take-up is high. In the UK, however, where there is no requirement for a business to be able to survive such an event, take-up is very low (approximately 1% of UK companies have some form of CLIC).

While some form of Insurance is invaluable to aid a business during a disaster, be it flooding, the loss of a critical member of staff, or a massive business-crippling data loss, the devil is, as always, in the detail.

I have worked with several large organisations in reviewing their compliance with the expectations of their insurers, and have two key lessons:

  • The Cyber Insurance market is relatively recent and has little historical record against which to generate risk profiles. Additionally, the market is relatively small at the moment, giving insurers a low spread to work against. This has a direct impact on Premiums.
  • Cyber Insurance Policies place obligations on the policy holder to have a good level of security management and protections in place. In many places this obligation is not complied with – leading to the possible non-payout of the insurance contract.

Insurance services are adapting to this with schemes to reduce Insurance Premiums based on the results of security audits – both to inform the Insurer of the risks they are running and to give the policy holder assurance of the validity of the policy.

Appropriate Risk

What does it take to make a Ship secure?

  • It depends on the type of cargo it will be carrying and the areas it is going to be sailing in.
  • It depends on the level of risk that the owners, and the insurers, are willing to accept.

The armour used on a battleship may not be appropriate for a ship carrying grain in coastal waters. Rounding Cape Horn requires a higher free-board than going upstream on the Thames.

Understand what the ship is for and what threats it faces. Then you can make it secure.

  • Part will be the design and the equipment fitted.
  • Part will be teaching people how to use the equipment.
  • Part will be checking that all is being operated as planned.

So:

Ask of the IT department if the Security Controls being applied are appropriate to the risks the Business faces:

  • Or are they just armour plating the rowing boat because “Armour Plate is best practice”?
  • Are they just adding technology because they find it interesting? And are they actually training people to keep the business secure?
  • And how do they know it is all working as intended? And what did they intend to achieve?

Use of Threat Intelligence

I have just read Max Hastings’ book, The Secret War: Spies, Codes and Guerrillas 1939-1945. It contains a key message on the use of Intelligence: it often isn’t used.

If you don’t use the information, then the cost of obtaining it is wasted.

When protecting an Organisation, there are two sources of information about what the “opponent” is up to:

  • Threat Analysis, Threat Landscaping, and similar studies that identify what may happen to you.
  • Security Event Logs that identify what is happening and has happened to you.

What Max Hastings, and others, identified is that during WWII information was often not believed because it conflicted with an existing mindset, or because there was no ability to act on it.

For example:

  • The Japanese Intelligence services identified in 1942 that the key threat was from the USA; however, the Japanese High Command were obsessed with the threat from Russia until 1944 and ignored their warnings.
  • The Germans had good information on Allied intentions in late 1944 and 1945, but did not have the capacity to exploit that knowledge.

An Organisation which is looking to deploy information gathering tools – commissioning a Threat Landscape report, or purchasing a Security Information and Event Management (SIEM) system – should consider what it is going to do with the information and how it can best benefit from its expenditure on it. It may be culturally challenging to do so.

Availability First

Availability means that Correct Data is available when required.
Correct Data requires Integrity of the data to confirm that only Authorised people have changed it.
Authorisation requires Authenticated individuals.
Authentication requires a Shared Confidential secret.

While Compliance with regulatory standards is a cost to the business, the Availability of information will often be of critical importance to a business.

Availability can be used to drive any Information Assurance activities.

Internet of Things: Confidence not Confidentiality

The Network of Autonomous Devices is forming; small things talking to each other, making decisions based on their exchanged information about how to manage the world around us.

Attacks are now being seen against these networks, both by researchers and by those with malice aforethought. In addition to using the devices to undertake traditional computer-based activities, such as launching Denial of Service attacks, many of these attacks have had an end objective: to take control of machinery.

Much has been said about security within cars, where attacks are performed by, for example, presenting fake throttle data to the engine management unit, or pretending to be the vehicle’s wheel rotation sensor to get the ABS controller to release the brakes – because if it believes that the wheels are skidding it will do what it is designed to do.

An attack against a building can be imagined where wireless temperature sensors are blocked and spoofed to misinform the HVAC system, which in turn renders the building unreasonably hot, or cold, making it unusable to a business; or overheats a datacenter, shutting it down. Either way, a disruption and a cost to a business.

The opportunities for spoofing information to create a change are endless.

The Internet of Things requires there to be confidence in the information being used.

  • Are you confident that the device you are getting the information from is actually what it claims to be? Is it really the front left wheel rotation sensor on this car, or is it something else pretending to be?
  • Are you confident that the information it is sending has not been tampered with? Is the temperature you received from that sensor really what it sent?
  • What do you do if you mistrust the device? What assumptions do you make? How do you re-establish trust with that device? How do you report it, and will whoever is informed react to it correctly?
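The first two questions can be answered mechanically if each device shares a key with the controller and binds its identity, a sequence number and the reading together under that key. The following is an added example, not code from the original post; the device names, keys and message layout are constructed for illustration, and the receiver returns a reason code so that a distrusted reading can be reported rather than silently dropped.

```python
import hashlib
import hmac
import json

# Constructed sample keys, one per device, provisioned when the device is
# installed. Hypothetical device names and keys, not real secrets.
DEVICE_KEYS = {
    "wheel-rotation-FL": b"\x11" * 32,
    "temp-sensor-lobby": b"\x22" * 32,
}


def sign_reading(device_id: str, seq: int, value: float, key: bytes) -> dict:
    """Device side: bind id, sequence number and value together under the key."""
    body = json.dumps({"id": device_id, "seq": seq, "value": value}, sort_keys=True)
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Controller side: only act on readings whose origin and content check out."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq: dict = {}  # highest sequence number accepted per device

    def accept(self, msg: dict) -> tuple:
        """Return (accepted, reason); the reason is what you would report."""
        try:
            body = json.loads(msg["body"])
            device_id, seq = body["id"], int(body["seq"])
            tag = str(msg["tag"])
        except (KeyError, TypeError, ValueError):
            return (False, "malformed")
        key = self.keys.get(device_id)
        if key is None:
            return (False, "unknown device")  # nothing we provisioned
        expected = hmac.new(key, msg["body"].encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return (False, "bad tag")  # forged identity or altered value
        if seq <= self.last_seq.get(device_id, -1):
            return (False, "replay")  # a genuine but old reading resent
        self.last_seq[device_id] = seq
        return (True, "ok")
```

A shared symmetric key assumes the device can keep a secret; where it cannot, the same structure works with a per-device signing key and a public-key check on the controller.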

Yes, Confidentiality is important; the data you are sending may be personally identifiable. However, the Integrity of the data, the Confidence you can have in it, is crucial.

Storing Passwords

Simple: Don’t store passwords.

If a plain text, or badly encrypted, password database is leaked, either by an attacker, or inadvertently by an employee or user, then all users are compromised.
The purpose of a password is to confirm that the user who registered with the system some time ago is the same person wishing to use the system now.

  1. When a user registers, they submit a password. Process the password with a non-reversible calculation and store the result.
  2. When a user tries to log in, process the password they submit using the same non-reversible calculation.
  3. If the originally stored result and the result from the log-in attempt match, the original passwords must have matched.

There are complexities in this process, and errors in logic or mathematics can fatally weaken this approach. Therefore a developer should not develop their own system, but use a published library solution.

There are three fundamental concepts in processing these passwords. Each is designed to make life difficult for an attacker trying to reverse the calculation, or pre-calculate all the possible outputs.

  • Salting: The process of adding a system-specific piece of data (the Salt) to the password. This makes the result of the password calculation different on different systems, so a breach on one does not compromise all.
  • Stretching: Increasing the effective length of a password. A user may only have a 12-character password, but stretching it with a suitable Salt increases its effective complexity. The calculation is designed (by repetition) to take a long time, slowing down an attacker by reducing the number of password calculations they can test per second.
  • Hashing: A non-reversible function that takes a stretched password and turns it into a value that can be safely stored. Cryptographic Hash functions are normally designed to be very quick to perform, as they are used to validate documents, cryptographic certificates and so forth; hence the stretching phase is required to slow an attacker down.
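The three-step register/log-in procedure and the three concepts above, carried through with the standard library's PBKDF2 (which combines salting, stretching by repetition and hashing in one call). This is an added example, not code from the original post; the iteration count is an assumed value to be tuned to your hardware, and a fresh random salt is drawn per stored record rather than per system.

```python
import hashlib
import hmac
import os

# Parameters for the stretching step. The iteration count is an assumed
# example value; tune it to your hardware and raise it over time.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def register(password: str, salt: bytes = b"") -> str:
    """Step 1: turn a newly chosen password into a stored record.

    The record holds the salt, the iteration count and the derived value,
    so the log-in step can repeat exactly the same calculation. Nothing in
    it can be reversed to recover the password.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)  # Salting: fresh random salt per record
    derived = hashlib.pbkdf2_hmac(  # Stretching (repetition) plus Hashing
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify(password: str, record: str) -> bool:
    """Steps 2 and 3: repeat the calculation on the log-in attempt and compare."""
    try:
        algo, iters, salt_hex, derived_hex = record.split("$")
        hash_name = algo.split("_", 1)[1]
        expected = bytes.fromhex(derived_hex)
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except (ValueError, IndexError):
        return False  # corrupt or unparseable record: never accept
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = register("correct horse battery staple")
    print(stored)
    print(verify("correct horse battery staple", stored))  # True
    print(verify("wrong password", stored))  # False
```

Storing the iteration count inside the record is what lets you raise it later for new registrations without invalidating existing ones.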

The process of handling passwords, and other vital data, is a specialism. It is worth obtaining assistance in the design of such systems.

Cloud Security

The Cloud is Someone else’s Computer: a Service accessed over the Internet, but technically still a client accessing data held on a shared server. The only differences are in the commercial arrangements, and in the sharing of the service by different unrelated customers with potentially different expectations.

The ownership of the data, and the owner’s responsibilities for it, do not change.

Cloud Security Standards

While the principles of ISO27001 apply to any security management regime, there are several specific areas of concern, as the information that is the responsibility of the customer is now being held and processed in its entirety by a third-party supplier outside of the customer’s normal security arrangements.

There is no single recommended security framework specifically for the management of cloud services; however, the principles of ISO27001:2013 (and 2005 before it), along with the best practice in ISO27002 and ISO27017, form a sound basis for approaching all information security, including Cloud Service provision.

Ideally, the Cloud Service provider should have some form of independent accreditation or certification of their service by a third party that has audited their security arrangements. The scope of this certification should be checked to ensure it covers the service being offered.

Certification will be against one of the pre-existing standards, such as ISO27001, or against one of the emerging standards such as that being developed by the Cloud Security Alliance. Where card and payment details are being handled, then compliance to PCI-DSS v3 would be expected as well.

As a quick reference, the UK Government’s Guidance is to be recommended.

Why Confidentiality, Integrity, Availability?

Security Standards, such as ISO27001, talk about protecting the Confidentiality, Integrity and Availability of information.

  • Loss of Confidentiality is embarrassing, can damage a business’s reputation, result in regulatory fines, and can have legal consequences for the directors.
  • Loss of data Integrity means you no longer trust what the business is doing or saying: incorrect orders, false wage payments to non-existent employees, abusive PR from a hacked Twitter account or Website.
  • Loss of data availability means you have no information to act on. No customers, no orders, no finances.

These are all Business Issues, not fundamentally technical issues.