Security Standards are important

Security Standards are vital to our society

That’s why Alex Webling has accepted a nomination to join the Australian Standards Committee for Security Standards and to join the Australian Delegation to ISO TC292, Morioka, Japan in March 2015.

We congratulate Alex on this recognition of his security knowledge and expertise particularly  in the areas of enterprise security and resilience and his work in the Australasian Council of Security Professionals and its successor, Security Professionals Australasia.

The Technical Committee will have the following provisional title and scope:

Title: Security

Scope: Standardization in the field of security, including but not limited to generate security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, homeland security.
Excluded: Sector specific security projects developed in other relevant ISO committees and standards developed in ISO/TC 262 and ISO/PC 278.
The committee temporary structure covers the following areas;

ISO/TC 223/WG 1 – Framework standard on societal security management
ISO/TC 223/WG 2 – Terminology
ISO/TC 223/WG 3 – Emergency management
ISO/TC 223/WG 4 – Resilience and continuity
ISO/TC 223/WG 6 – Mass evacuation
ISO/TC 223/AHG – Professional development
ISO/TC 223/AHG – Information exchange
ISO/TC 223/AHG – Continuity management
ISO/TC 223/AHG – Revision of ISO 22320
ISO/TC 223 TF – Task force on strategic dialogue
ISO/TC 223/AHG 4 – Communication group
ISO/TC 223 DCCG, Developing countries contact group
ISO/TC 247/WG 1 – MSS for security assurance
ISO/TC 247/WG 2 – Terminology
ISO/TC 247/WG 3 – Guidelines for interoperable object and related authentication systems to deter
counterfeiting and illicit trade
ISO/TC 247/WG 4 – Product Fraud Countermeasures and Controls
ISO/TC 247/WG 5 – Document Fraud Countermeasures and Controls
ISO/PC 284/WG 1 – Management system for private security operations – Requirements with guidance

—-
 Security Standards ISOWe also wish to thank IAPPANZ and Attorney-General’s Department for supporting Alex’s nomination.

The state of ICT Security

State of ICT Security – Attackers take over SCADA controlled steelworks furnace and caused massive damage

The threat to online assets from attackers remains critical according to a report just released on the State of ICT security by the German Government.

Cloud Computing, mobile systems and big data are providing enormous economic prosperity, but have on the other hand opened up large attack surface for organisations.

The German Federal Department for Safety in Information Technology  has just released its annual “State of ICT Security” report for 2014. The German Government’s version of the bit of NSA that helps government and businesses protect themselves online is called the BSI. They are highly skilled and well respected.

As is usual for a government report it is turgid. However there is some really interesting stuff hidden in the morass.  I’ve picked out some of the gems and translated them here.

Complexity is killing information security

The report emphasises that complexity is exposing organisations to attack. Of particular concern is that Internet of Things (Systeme und Dinge) is now moving from the stage where it is mostly about observation of the environment to changing the environment.

Importantly, particularly in light of the Snowden expose, this report is not coming from either the US or UK and so gives a secondary source to some of what those governments are saying.

There are over 250 million individual varieties of Windows malware around now

Other observations which confirm what you may have seen in other places

  1. Spam continues to grow exponentially
  2. Malware is still growing and at least a million devices are being infected annually in Germany. The BSI estimates that the number of different types of Windows malware is at a staggering 250 million. This is up from around 180 million in 2013!
  3. The number of infected sites delivering ‘driveby exploits’ is growing substantially.
  4. Botnets are being used to steal identity information. There are more than one million devices under the control of botnets in Germany.
  5. Phishing continues to yield results for cyber criminals

Advanced Persistent Threats – an increasing threat for government and industry

Germany is constantly being cyber-attacked by foreign intelligence services. The BSI has installed improved sensor technology in the government’s networks following the revelations that came from Edward Snowden in 2013/14. There are a number of methodologies which the BSI has identified. This tallies quite well with some of the things Bruce Schneier has written recently about these issues

  • Strategic enlightenment – whereby the intelligence service identifies connections between various users to gain an intelligence picture
  • Attacks on key individuals – attacking system administrators for key systems to gain access.
  • Influencing Standards – By weakening standards, , the allegation has been that NSA individuals have influenced the NIST standards development process.
  • Manipulation of IT hardware and software – Well they would do that wouldn’t they.

The BSI notes that trusted insiders are being used to enable some attacks by intelligence services, criminals and activists.

This table is reasonably easy to read, even if you don’t understand German. It shows the prognosis (prognose) for threats over the coming year.

Schwachstellen = vulnerabilities
Schadprogramme = malware
Identitaetsdiebstahl = ID theft

Cyber threat prognosis

Casestudies

The report goes through a number of cases where the BSI was called to assist businesses. Here are two that are of particular concern.

Steelworks compromise causes massive damage to furnace.

One of the most concerning was a targeted APT attack on a German steelworks which ended in the attackers gaining access to the business systems and through them to the production network (including SCADA). The effect was that the attackers gained control of a steel furnace and this caused massive damages to the plant.

Dragonfly attacks a dozen companies

The Dragonfly hacker group attacked a number of companies’ SCADA systems and installed the malware ‘Havex’. This was used to gather information about the systems. No damage was done, because the compromise was detected and removed before the hackers had completed the observation and intelligence gathering phase.

Conclusion

It’s worth remembering that there are many other countries dealing with the cyber threat around the world. Germany has always been one of the leading non-UK CAN, US, AUS, NZ countries and it is interesting to see how they view the landscape.

You can download the original Document from the BSI – Bundesamt fuer Sicherheit in der Informationstechnik – in German “Die Lage der IT-Sicherheit in Deutschland 2014″  https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile

Sydney Siege

The siege in a chocolate shop in Sydney’s CBD ended early this morning AEST. Three people died, including one purported to be the gunman Haron Monis.

There will necessarily be intense scrutiny on the forces used to resolve a violent event. However, it is important to remember that they do not happen in isolation.

The factors that lead us to these events are always complex and often have geo-political, sociological and psychological underpinnings.  In this case, the gunman, was a convicted criminal and seems to have latched on to the idea of violent jihad to justify his own failings. 

This is the time for cool heads. It is far more effective and efficient to invest in efforts which counter radicalism before it descends into violence. To that end, we should remember the quiet work of those who enfranchise the disenfranchised and seek to strengthen social cohesion.

It is these people, who make our way of life so great.  

Governments at all levels must lead in these efforts. Politicians must remember, whatever their political colour, that radicalism  is a complex societal issue, not a sound bite. Else we descend into barbarism.

As a society, we must remember that the work of all members of the civil society needs to be focussed on countering radicalism.

This event received so much coverage precisely because it is uncommon in Australia

Just remember that the reason this event received so much coverage in the media is precisely because it is so rare. And of course, it was across the road from the HQ of one of the big Australian TV channels.

Yet, at the same time across the world, six people died, one was wounded, and the gunman escaped in a shooting in Philadelphia. In that case, it seems that the gunman is a mentally disturbed ex soldier.

Yet, although it was reported, multiple shootings are depressingly common in the US. They are even more common in parts of Africa, and often the reports don’t even make it beyond the local news.

It all comes back to risk and societal resilience, because when citizens are allowed to panic, governments start using extreme measures in our names. Professionalism in risk and security is about understanding the difference between perception and reality and taking an evidence based approach to dealing with the issues.

More information

http://www.abc.net.au/news/2014-12-15/sydney-siege-hostages-cafe-martin-place-police-operation/5967232

http://www.nbcphiladelphia.com/news/local/Lansdale-Shooting-285800521.html

http://www.nytimes.com/2014/12/15/us/politics/cheney-senate-report-on-torture.html?_r=0

http://link.springer.com/search?facet-author=%22Roy+Gardner%22

Privacy and Social Login – wins first prize

Privacy and Social Login article wins award

“Privacy and Social Login” an article published in the International Association of Privacy Professionals Australia New Zealand May 2014 edition of “Privacy Unbound” and here won the first prize for article for this year .

The IAPP announced at the 2014 IAPP Privacy Summit “Privacy at Play” held at the Westin on 17 November in Sydney that Alex Webling had won the 2014 award for best article published in the association’s journal “Privacy Unbound”.

The iappANZ is the pre-eminent forum for privacy professionals in Australia and New Zealand. We are affiliated with the International Association of Privacy Professionals (IAPP) which is the largest privacy body at the global level with a membership approaching 20,000. We work with public and private entities across all industry sectors in Australia and New Zealand as well as the Privacy Commissioners in both countries.

The iappANZ Privacy Unbound Journal provides practical thought leadership and case studies along with a popular Q&A with the Australian and New Zealand Privacy Commissioners to keep members in touch with regulators. iappANZ also provides a Weekly and Daily Digest for regular privacy news updates.

UPDATE 23/12/14

The article, along with a profile of Alex Webling was republished in the IAPP December 2014 edition - http://www.iappanz.org/IAPP/eflash/November_December_edition_59_Privacy_Unbound.pdf

Trusted Insider cont.

Trusted Insider continued

Part 2 of 2 talking about the trusted Insider and how organisations can address the problems at an organisational level

In part 1 of this we talked about who are the trusted insiders, why organisations are concerned and what the motivations of the trusted insider are. Part1 is here – http://www.resilienceoutcomes.com/identity/trusted-insider/

In this part, we talk about some approaches to the trusted insider problem.

Organisations are asking “How can we stop employees becoming the next Edward Snowden?”

I think we should question is why aren’t there more people like Edward Snowden? I think it is worth noting that the NSA is huge with an unconfirmed staff count in the order of 30,000-40,000. One or even ten ‘rogue insiders’ is as a percentage very small – even though the damage to the USA and its allies has been very significant.

Organisations, including intelligence organisations, develop very rigorous and reliable procedures to ensure that people who shouldn’t be trusted don’t join their organisations. Good recruitment practices which exclude people who won’t fit and don’t let people become insiders in the first place are the best defence. However, one of the hardest issues to manage is to deal with people who gradually become disgruntled after they’ve been working in an organisation for a while.

Of course, organisations can use infosec procedures such as internal surveillance mechanisms and information compartmentalisation. These can reduce the consequences wrought by trusted insiders. However these mechanisms can inhibit the rest of the employee body from working at their full potential. It also can affect staff morale if not carefully marketed. Interestingly SIG attendees were told that the Attorney-General’s Department was considering the possibility of a continuous disclosure regime for security clearances which would in real or near real time provide information to security officials about whether employees were undertaking activities which might raise eyebrows.

A Sharing economy model?

Considering an organisational ‘sharing economy’ model when considering the trusted insider threat might help. The employee/employer relationship is one of mutual benefit. It can be also one of mutual harm.

http://pixabay.com/

Employees work for their organisation and their identity becomes entwined in the reputation and identity of that organisation. As mentioned previously, the trusted insider that does the wrong thing by their organisation does so for a number of reasons. The most dangerous reason has always been those who are motivated not by money or greed, but by a grievance or revenge.

If we extrapolate using the NSA/Snowden example…. The NSA has built up an impressive reputation over many years for technical excellence. But maybe some of its employees believed the propaganda of their employer. More importantly, it would seem that NSA’s management failed to completely disabuse their employees of the fact that intelligence agencies live in a grey world and do things that are morally grey. Consequently people working inside the NSA seem to have been surprised when they found that some of the things it was doing were dark. Unfortunately for the NSA, brilliant people became disillusioned and turned against it.

This explanation is probably not the whole answer. However a couple of thoughts arise both of which may help to prevent future events:

  • is it possible to develop an internal organisational market for the reputation of the organisation?
  • A meaningful alternative chain of reporting to vent frustrations is vital.

A market of organisational reputation

Many private and public organisations organisations spend significant sums to monitor their public relations posture. There is benefit in understanding what the organisation thinks about itself as well.  An anonymous reporting mechanism can allow an organisation to get some information about whether it is ‘on the nose’. Such data might also be combined with metrics such as the number of relevant social media postings.

http://pixabay.com/

An alternative chain of reporting

Both USA and Australia now have whistle-blower mechanisms for their intelligence services. In Australia, the Inspector-General of Intelligence and Security performs this role.

Many organisations both in the private and public sector could consider the benefits of taking on aspects of this system. It obviously doesn’t work perfectly, but it certainly contributes to the protection of the intelligence agencies from trusted insiders.

Mr Snowden has claimed that “he had raised alarms at multiple levels about the NSA’s broad collection of phone, email and Internet connections.” However, this is disputed by the USA. Whatever the truth of the matter, it seems that Snowden felt he wasn’t being listened to. So maybe the take-home from this aspect is that the ‘alternate chain’ of reporting needs to have big teeth to make changes where there are real problems identified. Balancing natural justice against the consequences of a breach is incredibly important. Not only for the individual concerned, but for the organisation itself, because you know people in organisations gossip about each other!

http://pixabay.com/

This is of course a governance issue, and this makes it very tricky to get right – this is where Resilience Outcomes Australia can help your organisation, because resilience and longevity of organisations is what we do.

Further reading:

Managing the insider threat to your business – a personnel security handbook (PDF) from the Australian Attorney-General’s Department is a good place to start.

Australian IGIS – Inspector-General of Intelligence and Security – the reports are worth having a look at.

USA Department of Defense Whistleblower Program is part of the Office of the Inspector General of the US Department of Defense. One of the sub-programmes it runs is specifically for the US Intelligence Community.

http://pixabay.com/

The trusted insider

The trusted insider.

Helping organisations protect themselves against trusted insiders

I attended the Security in Government (SIG) conference in Canberra earlier this month. I am somewhat biased, but I think that SIG is probably the best annual security related gathering in Australia.

If you compare it to a lot of international gatherings SIG certainly holds its own. Although, the US and German conferences in particular have glitz and size, the quality of the discussion and the more intimate nature is refreshing. SIG, as you may have guessed is primarily targeted at government, but there are good lessons for all organisations to be had there. Ok, enough of the fanboy …

The 2014 SIG theme was the ‘trusted insider’. Whilst the discussions were often very good, I wondered whether there are additional approaches to reducing the problem of the trusted insider. These approaches focus more on the relationship between employees and their organisations.

http://pixabay.com/

Who are the trusted insiders?

A trusted insider is somebody who uses their privileged access to cause harm to their employer or their interests. I’ll be a bit controversial here and note that, whether these people are traitors, spies or whistle-blowers depends somewhat on perspective. In any case these people evoke strong almost visceral emotions in many people.

Why are organisations so concerned about the trusted insider?

Despite fears about rogue hackers attacking organisations from the outside, the trusted insider is still considered the biggest threat to an organisation. In Australia and overseas, trusted insiders ‘going rogue’ have caused the significant damage to national security, government agencies and private organisations. The harm done can be from loss of secrets, money or even life.

Secrets: The most glaring examples in the information security space have probably come out of the USA in recent times. People like Edward Snowden and Chelsea (Bradley) Manning spring to mind in the national security sphere. However, some Swiss banks have also been stung by Bradley Birkenfield whom some in those establishments might call a trusted insider and the US tax agency would call a whistle-blower!

http://pixabay.com/

Money: Fraud is probably the most significant threat to private organisations from trusted insiders, particularly those in the finance and insurance industry. Sometimes the size of an event can be enormous, such as when $2billion was lost in 2011 through ‘unauthorised transactions’ in a Swiss bank.

http://pixabay.com/

Life and property: Whilst we often focus on loss of information confidentiality, trusted insiders were also responsible for assassinating the Indian Prime Minister Indira Gandhi in the 1980s and shooting fellow soldiers in the USA and Afghanistan in the last decade. There have also been a number of cases of ‘issue motivated’ insiders harming organisations by damaging plant and equipment.

http://pixabay.com/

What motivates the trusted insider?  C.R.I.M.E.S.

The motivations of trusted insiders are varied, however they broadly fit under the standard drivers of criminal behaviour as described by the mnemonic ‘crimes’.

Coercion – being forced, blackmailed or intimated

Revenge – for a real or perceived wrong, it could be about disaffection and or a grudge

Ideology – radicalisation or advancement of an ideology /religious objective

Money – for cash, profit, dosh, moolah – whatever you call it, and/or

Exhilaration or Ego– for the excitement or because they think that they are in someway cleverer than their compatriots –  Christopher Cook seemed driven by the excitement..
The USA’s “worst intelligence disaster” was Robert Hanssen, who might be described as an egomaniac.

Sex and personal relationships. The combination of sex and coercion is a lethal one.

Of course, some are also mentally fragile and may not have a motivation that is exactly clear to others.

End of part 1

In the coming part, we talk about some approaches to the trusted insider problem.

Speaking at the ASIS Asia-Pacific Security Forum

ASIS Asia-Pacific Security Forum

Alex will be speaking at the ASIS Asia-Pacific Security Forum being held in Singapore 7-9 December 2014.

http://www.gratisography.com

Credit:www.gratisography.com

Alex will be talking about:

Resilience in an Information Centric World.

The best indicators of the future are the events of the past, yet the past is not an absolute indicator or future events. Outlier events are becoming more common and threatening the existence of organisations – Is enterprise risk management to be thrown out?

The vast majority of organisations that have ever existed are not around today. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.

The few that survive broadly did so for two reasons, which Alex Webling, Treasurer of the Australasian Council of Security Professionals will discuss with examples at ASIS Asia Pacific 2014 in Singapore.

I think we all understand that small businesses come and go, but this lesson is true for large organisations as well.Research carried out on fortune 500 companies in the USA showed that the average rate of turnover of large organisations is accelerating.  The turnover has reduced from around 35 years in 1965 to around 15 years in 1995.

Alex has talked about this topic before and will be expanding on his observations and research with conference participants about how they might assist their organisational longevity.

We hope to see you in Singapore.

The website for the conference is here and you can register here