
Tag Archives: Risks

Cultural Differences

I have had the honour of working with the US Secret Service in the past, a role that involved moments of tension, good humour, a fair bit of coffee drinking, and some very intelligent conversations.

One related to the difference of approach to Protection work based on the cultural background of the host country. For a Presidential Visit, the USSS work with the local security teams to agree how the President will be protected – this is a balance between the expectations of the USSS and the local knowledge of the hosts. For example what is ideal in the US may be problematic for the host country and a better alternative suggested.

Most of this is a pragmatic conversation between experts, however culturally there may be fundamental differences that lead to certain responses.

  • In some countries, if a VIP is attacked they will be moved away from the threat.
  • In other countries, if the VIP is attacked they will be defended at the scene.

Culturally, running away may not be seen as acceptable and to expect it may therefore meet with resistance. The planned response may not be followed.

The existence of these cultural differences also applies within companies, especially multinationals or companies formed by mergers, where different teams have different cultures that may, in the event of an emergency, clash with the preplanned corporate responses. In the worst cases, you can find that you are reacting not only to an attacker but also to your own side.

Running exercises to identify the issues is important, as is clearly defining expectations and roles in handling an incident.

Silver Cyber Security Commander is probably one of the greatest job titles I’ve ever had.

The President’s Phone

It appears that President Trump remains committed to his elderly Android phone. This has caused a flurry of speculation on the risks of doing so. There was a similar debate about President Obama retaining his Blackberry when he took office.

This was a subject I discussed with the US Secret Service during one of Obama’s State Visits; sensibly there are limits on what can be said publicly, so I will avoid going into specifics.

So, what are the Risks here?

  • Access to sensitive information on an unencrypted device? Physical access to the device allowing access to data at rest, or account credentials – usernames and passwords. Unlikely, the device is in the jacket pocket of the US President – there are adequate physical controls. This was viewed as adequately managed.
  • Remote access to data? This is a more significant risk. If it is a stock device, running an old version of Android, there are unpatched vulnerabilities that allow an attacker to obtain information from the device. At-rest storage encryption doesn’t help here. This remains a risk, and is a good reason for retiring the device, especially given that obtaining credentials for e-mail and Twitter accounts could be extremely useful for an attacker. It is quite possible that this could happen both as a result of a targeted attack on President Trump and of an untargeted attack that just sweeps up all credentials from any device the attacker can find.
  • Eavesdropping? Again these are attacks against vulnerable, unpatched devices, and they are available to foreign intelligence services. These attacks enable the device to become a sophisticated bug in any room. Such an attack would be of great interest to foreign governments in giving access to sensitive and non-public discussions. This is going to be a highly targeted attack by highly capable attackers and a significant security threat.
  • Location tracking. A mobile phone of any nature has to talk to a network to operate, and that network contact, as well as any compromise of the smartphone that gets it to report its location, can be used to understand where it is at any time and any pattern of movement. It is extremely valuable information that can support both a direct attack on an individual and obtaining information on who they meet and their regular patterns of behaviour. Location can leak by many paths, including data in images and social media posts, and is frequently overlooked. This location tracking threat is a critical concern to the physical protection of a VIP.

So, if your Risk Assessment indicates risks that you are unable to accept as part of your business, what controls can be used?

Require a device with patched software and applications that are still under support. Your employee may like their old Galaxy S3, but is their using it a risk to your business? It is at this point that BYOD meets security and should be addressed in the mobile working policy (“BYOD, but not any device”) – unless you are confident in securing and supporting every mobile phone made in the last fifteen years.

The use of an always on VPN, bringing all data traffic back to a point where it can be monitored for abnormal or unusual behaviour. Not all data can be monitored, unless you wish to compromise TLS connections, and users may (quite rightly) object to that on devices they also conduct personal business on. Monitoring, and acting on, unusual connections and activities is normally sufficient.
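The monitoring described above works on connection metadata rather than on the content of TLS sessions. As an added example (not code from the original post), the following Python builds a per-device baseline of destinations and upload sizes from one week of concentrator logs and then flags connections in a later window that go to a new destination, happen during quiet hours, or upload far more than the device ever has. The log format, field names and every log line are constructed for the illustration.

```python
"""Flag unusual outbound connections seen at an always-on VPN concentrator.

Added example, not from the original post. Log format, field names and the
sample lines are all constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one week of "known good" traffic used as the baseline.
BASELINE_LOG = """\
2017-02-06T09:12:03Z dev=phone-017 dst=mail.example.com dport=443 bytes_out=18234
2017-02-06T09:14:11Z dev=phone-017 dst=cdn.example.com dport=443 bytes_out=1200
2017-02-07T10:01:45Z dev=phone-017 dst=mail.example.com dport=443 bytes_out=22010
2017-02-07T13:30:00Z dev=phone-017 dst=api.twitter.com dport=443 bytes_out=3410
2017-02-08T08:45:19Z dev=phone-017 dst=mail.example.com dport=443 bytes_out=19877
"""

# Constructed sample: the window under review (203.0.113.9 is a documentation address).
REVIEW_LOG = """\
2017-02-13T09:10:00Z dev=phone-017 dst=mail.example.com dport=443 bytes_out=20100
2017-02-13T03:17:42Z dev=phone-017 dst=203.0.113.9 dport=8443 bytes_out=4100
2017-02-13T03:18:05Z dev=phone-017 dst=203.0.113.9 dport=8443 bytes_out=52428800
2017-02-13T11:00:00Z dev=phone-017 dst=api.twitter.com dport=443 bytes_out=2900
"""


def parse(line):
    """Turn one 'ts key=value ...' line into a dict with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def build_baseline(log):
    """Per device: the (dst, dport) pairs seen, and every per-connection upload size."""
    seen = defaultdict(set)
    upload = defaultdict(list)
    for line in log.splitlines():
        r = parse(line)
        seen[r["dev"]].add((r["dst"], r["dport"]))
        upload[r["dev"]].append(r["bytes_out"])
    return seen, upload


def find_unusual(baseline_log, review_log, quiet_hours=(0, 6), upload_factor=10):
    """Return (timestamp, device, destination, reasons) for each connection worth a look."""
    seen, upload = build_baseline(baseline_log)
    findings = []
    for line in review_log.splitlines():
        r = parse(line)
        reasons = []
        if (r["dst"], r["dport"]) not in seen.get(r["dev"], set()):
            reasons.append("new destination")
        if quiet_hours[0] <= r["ts"].hour < quiet_hours[1]:
            reasons.append("quiet hours")
        history = upload.get(r["dev"])
        if history and r["bytes_out"] > upload_factor * max(history):
            reasons.append("large upload")
        if reasons:
            findings.append((r["ts"].isoformat(), r["dev"], r["dst"], reasons))
    return findings


if __name__ == "__main__":
    for ts, dev, dst, reasons in find_unusual(BASELINE_LOG, REVIEW_LOG):
        print(ts, dev, dst, ", ".join(reasons))
```

On the sample data the two night-time connections to the unknown host are reported, and the second is additionally marked as a large upload; the routine mail and Twitter traffic is not. The thresholds (quiet hours, ten times the largest previous upload) are deliberately simple so the decision can be explained to the user whose device is being queried.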

Periodic audit of the device to identify any unusual or unauthorised software or apps. Either using software continually running on the device, or by periodically inspecting the device with tools.
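Taken together, the patched-device requirement and the periodic audit reduce to a few checks that can be run over whatever inventory an MDM export or on-device agent produces. The Python below is an added example, not code from the original post: the policy values, the inventory format and the three device records are constructed, and the checks are version below the supported minimum, security patch level older than the policy allows, and installed apps outside the approved set.

```python
"""Periodic device audit: unsupported software and unexpected apps.

Added example, not from the original post. The inventory format, the policy
values and the device records are constructed for this illustration; a real
deployment would take the inventory from an MDM export or an on-device agent.
"""
from datetime import date

# Constructed policy: minimum OS version still receiving patches, how stale a
# security patch level may be, and the applications the business expects to see.
POLICY = {
    "min_os_version": {"android": (7, 0), "ios": (10, 2)},
    "max_patch_age_days": 90,
    "allowed_apps": {"com.example.mail", "com.example.vpn", "com.example.docs"},
}

# Constructed inventory, as an MDM export or on-device agent might report it.
INVENTORY = [
    {"device": "phone-017", "os": "android", "version": "4.4.2",
     "patch_level": "2014-11-01",
     "apps": ["com.example.mail", "com.example.vpn", "com.unknown.flashlight"]},
    {"device": "phone-042", "os": "ios", "version": "10.2.1",
     "patch_level": "2017-01-23",
     "apps": ["com.example.mail", "com.example.vpn"]},
    {"device": "phone-088", "os": "android", "version": "7.1.1",
     "patch_level": "2016-09-05",
     "apps": ["com.example.docs", "com.example.vpn"]},
]

# Constructed audit date, fixed so the report is reproducible.
TODAY = date(2017, 2, 13)


def parse_version(text):
    """'7.1.1' -> (7, 1, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split("."))


def audit_device(rec, policy, today):
    """Return the list of policy failures for one device (empty if compliant)."""
    findings = []
    minimum = policy["min_os_version"][rec["os"]]
    if parse_version(rec["version"]) < minimum:
        findings.append("os version below supported minimum")
    age = (today - date.fromisoformat(rec["patch_level"])).days
    if age > policy["max_patch_age_days"]:
        findings.append(f"security patch level {age} days old")
    for app in sorted(set(rec["apps"]) - policy["allowed_apps"]):
        findings.append(f"unapproved app {app}")
    return findings


def audit(inventory, policy, today):
    """Return {device_id: [findings]} for every device that fails at least one check."""
    report = {}
    for rec in inventory:
        findings = audit_device(rec, policy, today)
        if findings:
            report[rec["device"]] = findings
    return report


def run_audit():
    """Audit the constructed inventory against the constructed policy."""
    return audit(INVENTORY, POLICY, TODAY)


if __name__ == "__main__":
    for device, findings in run_audit().items():
        print(device)
        for finding in findings:
            print("  -", finding)
```

The report lists the old Android handset three times (unsupported version, stale patch level, unknown app) and the current Android device once for its patch level; the iOS device passes. The point of recording the patch level as a date rather than a version string is that "how long has this been unpatched" is the question the business risk assessment actually asks.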

Controls over where devices are not allowed. If there are particularly sensitive areas in a business, or sensitive conversations, then ban devices. Provide small lockers to allow users to store them outside of the area.

Advice, guidance and training for users. And record when it has been delivered.

Remote disabling or wiping of the device.

Remote application execution: VDI for mobiles, or deliver all information through TLS browser sessions without requiring apps and data storage on the device.

The only control normally beyond the reach of a business is to use a private, closed, network with technologies to prevent RF or network based user tracking. But you would only use that in the most critical of cases…

Appropriate Risk

What does it take to make a Ship secure?

  • It depends on the type of cargo it will be carrying and the areas it is going to be sailing in.
  • It depends on the level of risk that the owners, and the insurers, are willing to accept.

The armour used on a battleship may not be appropriate for a ship carrying grain in coastal waters. Rounding Cape Horn requires a higher freeboard than going upstream on the Thames.

Understand what the ship is for and what threats it faces. Then you can make it secure.

  • Part will be the design and the equipment fitted.
  • Part will be teaching people how to use the equipment.
  • Part will be checking that all is being operated as planned.

So:

Ask of the IT department if the Security Controls being applied are appropriate to the risks the Business faces:

  • Or are they just armour plating the rowing boat because “Armour Plate is best practice”?
  • Are they just adding technology because they find it interesting? And are they actually training people to keep the business secure?
  • And how do they know it is all working as intended? And what did they intend to achieve?

There is a reason to protect information

This article in the Guardian caught my eye.

Two months after a visit by Chinese officials, a company in Scotland with an innovative Wave Power design was burgled. Several Laptops were stolen. The burglars went straight to the company offices on the second floor of the building, bypassing companies on the lower floors.

A couple of years later, a Chinese company with close ties to the Chinese government, started making very similar Wave Power devices.

The Scottish company is now out of business.

So, assuming that there was nefarious activity here – and that is not proven, just a series of odd coincidences – what can we learn?

Information Security is not just about protecting personal or financial information. It is also important for commercial reasons: the designs, software and business model that a company has is the heart of what the company is actually worth.

There is a cost for the loss of that information. It is not unreasonable to spend an appropriate amount of money securing that information. How much depends on the capability of any threat, and on the risk appetite of the company.

Could the information have been realistically protected against the theft of it on a laptop? Probably, though we do not know what precautions this company had in place. Realistically, a good hard drive encryption system, tied to the TPM that is in modern laptops, would have defeated most attackers. Good physical security, alarms, and CCTV. Lock the laptops away when the office is unoccupied. General good security hygiene.

Commercial espionage does happen.

Evolution of Cyber Attacks

There is a common view that malware is something that allows an attacker access to your computer so he can steal your data. Remote Access Trojans delivered via a contaminated attachment, for example, are typical.

The attacker then profits by selling your data to others who exploit it. However, this involves trusting a larger number of people and increases the risks to the attacker of being caught. It also involves a lot of additional work, blending details from many attacks to hide where the data was taken from, and who took it.

Ultimately, criminal activity is driven by a desire to make money. And to survive to be able to enjoy your gains.

There has been a well publicised rise in ransomware, where the malware encrypts files or disables a system and money is required by the attacker to release them. This is a result of the attackers wishing to remove the risk from the monetisation of their successful compromise of a system. They are reducing the number of people needed to realise the profit, and exploiting the anonymity of Bitcoin to remain hidden.

The consequences of the two types of malware on businesses that are unprepared for them are different. The former is an attack against confidentiality; ransomware attacks availability.

Both are Security Incidents, and both are in part mitigated by anti-malware systems, but the method of surviving the attack is different.

Confidentiality losses can be reduced by the appropriate use of encryption, ensuring that if data is compromised there is another layer of defence in place.
Availability losses can be mitigated by a suitable business continuity plan to ensure business can still operate in the absence of whatever technology is being held to ransom. It just has to last long enough for affected items to be repaired or replaced, and data recovered from backups. And keep the backups off-line, finding they have also been encrypted will not improve matters.

The likelihood of both can also be reduced by user education: Be aware of Phishing Attacks, report odd events. The impact is reduced by Incident Response planning.

At the moment, ransomware is commonly attacking traditional IT systems and more recently mobile phones and other devices. In the future ransomware will be deployed against smart connected things.

Pay One Bitcoin to get your Roomba back out from under the sofa.

Financial Services Information loss report

Bitglass have released their latest report into Information Breaches. It addresses the current ways in which information is being compromised. These reports are useful as they provide input into developing both the risk models for companies, and in selecting appropriate security controls to manage those risks.

Some of the results are unsurprising:

  • The trend of an increasing amount of data being subject to an unauthorised release is continuing.
  • Most organisations have had an incident.
  • Many organisations have had multiple incidents, often repeats of the same problem.
  • Attackers aim for where the money is.

The interesting part is in how information is released.

Since 2006:

  • A third of incidents were directly a result of human action, evenly split between accidental and malicious action.
  • A quarter of incidents related to lost or stolen devices; laptops, company phones, USB sticks, private phones and so forth.
  • A fifth of incidents were caused by external attacks against the IT systems; this includes phishing attacks where the initial compromise is inadvertently aided by someone inside the company.
  • The rest was a mix of mislaid paperwork, payment card fraud and a worryingly large amount of “we don’t know what happened”.

In the US, where the study was done, the average cost of a lost record (one person’s details) was $260. This is about 20% higher than the typical non-financial cost/record impact. One key reason for this is the increasing impact of regulatory fines – PCI-DSS penalties alone can reach half-a-million dollars per incident.

So:

  • Information Security is a People issue, not solely an IT issue. Appropriate and relevant awareness among individuals handling the information is critical.
  • Methods should be in place to ensure that data on devices that can be lost or stolen is adequately protected.

Risk Registers

Something like this always appears on a Security Risk Register from the IT department:
“High Risk: The USB ports on the Servers are not locked down.”
And the security team in the IT Department sit and shake their heads and wonder why The Business doesn’t seem to understand how important IT security is. They’ve said it there: High Risk. Probably in an Excel Spreadsheet cell with a bright red background.

This isn’t a Risk to the Business. Something like “A journalist could obtain our list of sensitive clients, which would be extremely embarrassing and lead to loss of our client base and thus income” is a Business Risk. There is an understandable Threat (a journalist), a target (the List of Sensitive Clients), there is an outcome from that threat succeeding that they can understand (loss of clients leading to a loss of business), and you can understand how keen and capable that threat source is (can a journalist hack? Can they persuade someone to give them information? How interested are they likely to be?). That gives you a measure of how probable it is that the Risk will be realised and become an issue.

Now you have a realistic risk the Business can understand, and importantly might want to do something about. Then you can look at what you could do to Control that Risk. In this case, that could be such things as “Check employee backgrounds when we recruit them to jobs with access to the List of Sensitive Clients”, “Educate Users not to plug strange USB devices into computers”, maybe even: “Lock the USB ports”.

Then “the USB ports aren’t locked” becomes a Risk Control that is not currently effective, meaning that the Business Risk of “A journalist obtaining our Sensitive Client List” isn’t being controlled to the full expectation of the business. There are still other good controls, such as employees knowing not to plug stuff in, but there is a chink in the armour. Now you can tell a story that the business will understand, and they might well want to act on it. That one Control may actually be used to mitigate a whole range of Business Risks, in which case it not being effective would be a larger concern.
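The structure the post is describing is a register with three layers: business risks (threat, target, outcome), controls, and the mapping that says which controls mitigate which risks. The Python below is an added example, not the post's own register or scoring scheme: the risks, controls, likelihood and impact scores and the mitigation weights are all constructed. What it shows is the mechanic that matters, that marking one control as ineffective changes the residual score of every business risk that depends on it, which is the story the business can act on.

```python
"""A risk register that ties an IT finding to business risks through controls.

Added example, not from the original post. The risks, controls, scores and
mitigation weights are constructed to illustrate the structure the post
describes; they are not a recommended scoring scheme.
"""

# Constructed business risks: threat, target, outcome, and the owner's 1-5 estimates.
BUSINESS_RISKS = {
    "R1": {"threat": "journalist", "target": "sensitive client list",
           "outcome": "loss of clients and income", "likelihood": 3, "impact": 5},
    "R2": {"threat": "commodity malware", "target": "finance workstations",
           "outcome": "ransom demand and downtime", "likelihood": 4, "impact": 4},
}

# Constructed controls; 'effective' records whether each one currently works.
CONTROLS = {
    "C1": {"name": "background checks for staff with list access", "effective": True},
    "C2": {"name": "user education: do not plug in unknown USB devices", "effective": True},
    "C3": {"name": "USB ports locked down on servers and workstations", "effective": False},
    "C4": {"name": "offline backups tested quarterly", "effective": True},
}

# Which controls mitigate which risk, and the share of the mitigation each one
# carries (weights in 0..1; the weights for one risk sum to at most 1).
MITIGATION = {
    "R1": {"C1": 0.3, "C2": 0.3, "C3": 0.4},
    "R2": {"C2": 0.2, "C3": 0.3, "C4": 0.5},
}


def inherent_score(risk):
    """Likelihood x impact before any control is taken into account."""
    return risk["likelihood"] * risk["impact"]


def residual_score(risk_id):
    """Inherent score reduced by the weight of every control that is actually working."""
    risk = BUSINESS_RISKS[risk_id]
    working = sum(w for cid, w in MITIGATION[risk_id].items()
                  if CONTROLS[cid]["effective"])
    return round(inherent_score(risk) * (1 - working), 2)


def risks_exposed_by(control_id):
    """Business risks whose mitigation depends on a control, with the weight each loses."""
    return {rid: weights[control_id]
            for rid, weights in MITIGATION.items() if control_id in weights}


def register_story(control_id):
    """Turn an IT finding about one control into the story the business will understand."""
    ctrl = CONTROLS[control_id]
    state = "effective" if ctrl["effective"] else "NOT effective"
    lines = [f"Control '{ctrl['name']}' is {state}."]
    for rid, w in risks_exposed_by(control_id).items():
        r = BUSINESS_RISKS[rid]
        lines.append(
            f"  {rid}: a {r['threat']} obtaining the {r['target']} -> {r['outcome']} "
            f"(inherent {inherent_score(r)}, residual {residual_score(rid)}, "
            f"this control carries {int(w * 100)}% of the mitigation)")
    return "\n".join(lines)


if __name__ == "__main__":
    # The IT finding from the post: the USB ports are not locked down.
    print(register_story("C3"))
```

With the USB control marked ineffective, the journalist risk sits at a residual of 6.0 against an inherent 15 and the ransomware risk at 4.8 against 16, and the story names both. Set `CONTROLS["C3"]["effective"]` to `True` and both residuals drop, which is the argument for fixing it; a control that appears in many rows of `MITIGATION` is the one whose failure the business should hear about first.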

Of course, you could just fill the USB Ports with a two part epoxy…