Security Standards are important

Security Standards are vital to our society

That’s why Alex Webling has accepted a nomination to join the Australian Standards Committee for Security Standards and to join the Australian Delegation to ISO TC292, Morioka, Japan in March 2015.

We congratulate Alex on this recognition of his security knowledge and expertise particularly  in the areas of enterprise security and resilience and his work in the Australasian Council of Security Professionals and its successor, Security Professionals Australasia.

The Technical Committee will have the following provisional title and scope:

Title: Security

Scope: Standardization in the field of security, including but not limited to generate security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, homeland security.
Excluded: Sector specific security projects developed in other relevant ISO committees and standards developed in ISO/TC 262 and ISO/PC 278.
The committee temporary structure covers the following areas;

ISO/TC 223/WG 1 – Framework standard on societal security management
ISO/TC 223/WG 2 – Terminology
ISO/TC 223/WG 3 – Emergency management
ISO/TC 223/WG 4 – Resilience and continuity
ISO/TC 223/WG 6 – Mass evacuation
ISO/TC 223/AHG – Professional development
ISO/TC 223/AHG – Information exchange
ISO/TC 223/AHG – Continuity management
ISO/TC 223/AHG – Revision of ISO 22320
ISO/TC 223 TF – Task force on strategic dialogue
ISO/TC 223/AHG 4 – Communication group
ISO/TC 223 DCCG, Developing countries contact group
ISO/TC 247/WG 1 – MSS for security assurance
ISO/TC 247/WG 2 – Terminology
ISO/TC 247/WG 3 – Guidelines for interoperable object and related authentication systems to deter
counterfeiting and illicit trade
ISO/TC 247/WG 4 – Product Fraud Countermeasures and Controls
ISO/TC 247/WG 5 – Document Fraud Countermeasures and Controls
ISO/PC 284/WG 1 – Management system for private security operations – Requirements with guidance

—-
 Security Standards ISOWe also wish to thank IAPPANZ and Attorney-General’s Department for supporting Alex’s nomination.

The state of ICT Security

State of ICT Security – Attackers take over SCADA controlled steelworks furnace and caused massive damage

The threat to online assets from attackers remains critical according to a report just released on the State of ICT security by the German Government.

Cloud Computing, mobile systems and big data are providing enormous economic prosperity, but have on the other hand opened up large attack surface for organisations.

The German Federal Department for Safety in Information Technology  has just released its annual “State of ICT Security” report for 2014. The German Government’s version of the bit of NSA that helps government and businesses protect themselves online is called the BSI. They are highly skilled and well respected.

As is usual for a government report it is turgid. However there is some really interesting stuff hidden in the morass.  I’ve picked out some of the gems and translated them here.

Complexity is killing information security

The report emphasises that complexity is exposing organisations to attack. Of particular concern is that Internet of Things (Systeme und Dinge) is now moving from the stage where it is mostly about observation of the environment to changing the environment.

Importantly, particularly in light of the Snowden expose, this report is not coming from either the US or UK and so gives a secondary source to some of what those governments are saying.

There are over 250 million individual varieties of Windows malware around now

Other observations which confirm what you may have seen in other places

  1. Spam continues to grow exponentially
  2. Malware is still growing and at least a million devices are being infected annually in Germany. The BSI estimates that the number of different types of Windows malware is at a staggering 250 million. This is up from around 180 million in 2013!
  3. The number of infected sites delivering ‘driveby exploits’ is growing substantially.
  4. Botnets are being used to steal identity information. There are more than one million devices under the control of botnets in Germany.
  5. Phishing continues to yield results for cyber criminals

Advanced Persistent Threats – an increasing threat for government and industry

Germany is constantly being cyber-attacked by foreign intelligence services. The BSI has installed improved sensor technology in the government’s networks following the revelations that came from Edward Snowden in 2013/14. There are a number of methodologies which the BSI has identified. This tallies quite well with some of the things Bruce Schneier has written recently about these issues

  • Strategic enlightenment – whereby the intelligence service identifies connections between various users to gain an intelligence picture
  • Attacks on key individuals – attacking system administrators for key systems to gain access.
  • Influencing Standards – By weakening standards, , the allegation has been that NSA individuals have influenced the NIST standards development process.
  • Manipulation of IT hardware and software – Well they would do that wouldn’t they.

The BSI notes that trusted insiders are being used to enable some attacks by intelligence services, criminals and activists.

This table is reasonably easy to read, even if you don’t understand German. It shows the prognosis (prognose) for threats over the coming year.

Schwachstellen = vulnerabilities
Schadprogramme = malware
Identitaetsdiebstahl = ID theft

Cyber threat prognosis

Casestudies

The report goes through a number of cases where the BSI was called to assist businesses. Here are two that are of particular concern.

Steelworks compromise causes massive damage to furnace.

One of the most concerning was a targeted APT attack on a German steelworks which ended in the attackers gaining access to the business systems and through them to the production network (including SCADA). The effect was that the attackers gained control of a steel furnace and this caused massive damages to the plant.

Dragonfly attacks a dozen companies

The Dragonfly hacker group attacked a number of companies’ SCADA systems and installed the malware ‘Havex’. This was used to gather information about the systems. No damage was done, because the compromise was detected and removed before the hackers had completed the observation and intelligence gathering phase.

Conclusion

It’s worth remembering that there are many other countries dealing with the cyber threat around the world. Germany has always been one of the leading non-UK CAN, US, AUS, NZ countries and it is interesting to see how they view the landscape.

You can download the original Document from the BSI – Bundesamt fuer Sicherheit in der Informationstechnik – in German “Die Lage der IT-Sicherheit in Deutschland 2014”  https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile

Information Security and Resilience at ASIS QLD

Information Security and Resilience presentation to ASIS QLD Chapter

I gave a presentation to the ASIS QLD Chapter yesterday morning.

Apart from a couple of minutes spruiking the Australasian Council of Security Professionals, I spent my time talking about the intersection between Information Security and Resilience. You can download a copy of the presentation PDF via this link – ASIS QLD JUNE – infosec and resilience

If you’re interested, here are a few links related to the presentation.

I have written previously about resilience and information security. You might like to revisit these links on cybersecurity or here.

Alex talks about information security and resilience

 

PRESENTATION ASIS QLD JUNE – infosec and resilience

Link to  ASIS QLD 

Over-classification restricts information sharing

Over-classification in government continues to restrict information sharing according to a report by the US Department of Defense Inspector General.

Balance in Information Security

I’ve written previously about over-classification and why it needs to be actively countered in large organisations in the private sector and more importantly government. Getting the balance right in information security is critical to mission success.

There are a few key findings from the Inspector General’s report which will be no surprise for anybody who’s worked in a classified environment. The review sampled emails and documents classified by the US Defense Department and found:

  • 100% of the emails reviewed were incorrectly classified or marked
  • Around 70% of the sample material (documents/ files)  had ‘classification discrepancies’

I’d like to say its better in Australia, but I’m not confident. What is more interesting from a security perspective is the over-classification of material. The report states

“we do not believe that those instances concealed violations of law, inefficiency, or administrative error; prevented embarrassment to a person, organization, or agency; restrained competition; or prevented or delayed the release of information not requiring protection in the interest of national security.”

Well they would say that wouldn’t they. But leaving my cynic’s hat off for the moment… Ok one passing comment – there is a difference between the organisational approach which tries not to conceal and the approach of individuals or groups within an organisation.

Unfortunately, the report doesn’t make very many recommendations that will bring about change. In typical public servant speak, it says

We recommend that the Under Secretary of Defense for Intelligence and for Acquisition, Technology, and Logistics carry out the recommendations outlined in this report and continue to leverage the new Defense Security Enterprise, especially with regard to ensuring that Original Classification Authorities are fully engaged and accountable.

In any case, the report does acknowledge that

over-classification could unnecessarily restrict information sharing.

Hooray! Admittedly, a bit softer than I would like, but still important.

In this information age where as the Snowden revelations keep showing us,  the US and allies have access to huge swathes of information, but they can’t use it effectively to defend themselves or their allies.

The answer to this problem is not gathering more information! The 9/11 Report and scores of others keep telling us that we have the information in our databases, but we don’t use it effectively.

I’m not sure what the best analogy is here, maybe its a person who’s brain is not connected to their muscles properly. They can see and hear everything, but they rarely succeed in reacting to any of these stimuli. The problem with this analogy is that somebody with locked in syndrome desperately wants to make his limbs move. I’m not  sure this is the case with intelligence agencies and sharing information.

This does seem to be the curse of too much information and not enough brainpower to analyse it and use it properly. Especially when you are looking for the terrorist needle in a haystack. Over-classification is a key issue in the fight against fast evolving terrorist organisations.

Another perspective can be found over at Secrecy News – “DoD Inspector General Report on Over-classification misses the mark“.

More about the USA Department of Defense Inspector General

Alex Webling was the head of protective security in the Australian Attorney-General’s Department.

Privacy in an information age – Does it exist?

The Four Corners program that aired tonight “In Google We Trust”  was interesting if a little alarmist as these things sometimes are. But it did make some good points about privacy in the information age.

  • There was an interesting piece of information about the NSW Police licence plate tracking technology which has been installed on about 200 police vehicles and has contributed to a database of several million pictures of cars, numberplates and associated metadata.
    • Whilst the  NSW Police were willing to explain what the technology did, they were unwilling to explain how it was being used or what protections were placed on the data.
  • Comments by Danny O’Brien from the Electronic Frontier Foundation emphasising  that data held for non-US citizens by US corporations has none of the protections that one might otherwise expect, despite the protestations of Google, Microsoft, Apple and others.
    • The assertion that Australian authorities might be using this to circumvent Australian laws by getting the US authorities to ‘retrieve’ Australians’ data and hand it over to Australian authorities.
  •  Revelations that a broad number of agencies including Australia Post and the RSPCA (yes the dog and cat people)  were able to access Australians’ metadata with no legal oversight and little administrative control.
  • The poignant comment by one of the commentators that when information becomes available, people find a way of using it before actually thinking whether they should. This was followed by the question of whether in a democracy the government should know as much about you as it can, or whether there should be limits?

As an aside, it would seem that the US has been telling fibs when it said that the NSA PRISM system was just used to catch terrorists and that there was no economic espionage undertaken. The Brazilians are  rightfully annoyed after the latest Snowden leaks reported in the Wall Street Journal show that the NSA targeted the Brazilian national oil company Petrobas.  The article states

 In the past, the U.S. has harshly criticized Chinese hackers, for example, for allegedly engaging in industrial espionage. But the new allegations at the very least showed the NSA using corporate targets for training purposes. One of the slides presented on the show listed three reasons for spying—one was “economic.”

A case of pot calling the kettle black I wonder?

 

privacy in the information age

 

NSA/GCHQ built vulnerabilities into encryption?

Have the NSA and GCHQ been building vulnerabilities into commercial encryption products?

If this is true, another argument for open source software has been made. Articles in the New York Times and the Guardian  alleged that  the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” .

The problem with this approach is that the NSA and GCHQ have two roles and it would seem that they have failed to balance them. This is the question of intelligence equities. These organisations are charged to reveal the secrets of their enemies, but also to protect the information of their countries. By building back doors into software and hardware being sold to unsuspecting customers, they are doing what they have accused the Chinese of doing.

Moreover the fact that these backdoor vulnerabilities exist, mean that others can find and use them, not just NSA and GCHQ but also other cyber criminals.

It is the ultimate hubris to think that NSA and GCHQ are the only ones capable of discovering and exploiting these vulnerabilities. “If you want to keep a secret, you must also hide it from yourself.”  George Orwell1984 . No organisation as large as the NSA can do this forever.

The USA tried under President Clinton to make all manufacturers insert a hardware ‘clipper’ chip  into their devices, but the backlash was such that the US government withdrew support for the idea. What this information is telling us is that the NSA didn’t give up and found alternative means to realise the  concept.

The only logical conclusion from this revelation is that the signals intelligence agencies are unable to both reveal the enemies’ secrets and protect those of their citizens at the same time. They should be split. The information assurance role should come under the control of the trade, infrastructure and industry portfolios.

 

You can find the NYT article here – http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all 

You can find the Guardian article here – http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Cyber-Security doesn’t stop at the virtual perimeter

News that the New York Times was hacked by the Syrian Electronic Army  is interesting not because of the fact that NYT was hacked by the hacking group, but by the method of gaining access.

According to this article, information security at the NYT fell over because they forgot that cyber-security doesn’t stop at the perimeter. It would seem that MelbourneIT , an Australian hosting company for both Twitter and NYT was breached. This then allowed the Syrian Electronic Army to gain access to the DNS records of domains owned by Twitter and NYT which they then proceeded to change.

A number of quick conclusions

  1. This was a well planned attack almost certainly took some time to conceive, research and operationalise.
  2. You should assume your organisation will be hacked. Work out how to detect the breach and recover quickly.
  3. Cyber-security is an evolutionary struggle between those who wish to break systems and those who wish to stop systems being broken. Quite often its the same people eg NSA
  4. 80-90% of the differences between good cyber-security and great cyber-security are not in the IT, they are in the organisational approach and culture.
  5. In this hack, a variety of methods seem to have been used, including phishing and attacking the DNS servers via privilege escalation.
  6. Cyber-security requires expertise in managing information, risk and developing resilient organisational frameworks, something often forgotten.
  7. Everybody is your neighbour on the Internet, the good guys and the bad.
  8.  Cyber-security practitioners need to consider the risks to high-value systems that they are protecting from connected suppliers and customers.
  9. This requires cyber-security practitioners who are good people influencers, because the vulnerabilities tend to be at human interfaces.

Further technical details have been posted here.

http://www.flickr.com/photos/alextorrenegra/
New York Times – by ATorrenegra

 

Contact Resilience Outcomes to discuss how we can help your organisation become more resilient at [email protected]

 

 

Getting cyber security on the company board agenda

Making strategic decisions about cyber security, or any sort of security needs to be done a the board level. It is difficult to get company boards to focus on strategic issues, despite the fact that this is what they are theoretically meant to do. Companies are busy places and there are always minute issues that take time from board meetings. In some companies, the culture is such that managers avoid their responsibility by sending decisions to the board, again robbing the board of valuable time.

The Centre for the Protection of National Infrastructure, a UK Government organisation, has released a short document aimed at helping security managers get cyber security onto the corporate agenda. CPNI makes the somewhat obvious point that getting buy-in from a company board is crucial to the successful outcome of a cyber security implementation project.

Although the CPNI paper doesn’t spell it out quite this way, the key is to show in a concise manner why security is of importance to them and the company they are responsible for. Generally the key issues fall into three categories.

  1. Financial – the loss due to another entity (government, business, criminal) gaining commercially sensitive information. The effect of this can be short term where a negotiation is damaged or longer term where valuable intellectual property is lost.
  2. Legal – many organisations are subject to regulatory requirements to protect information that they hold on behalf of clients, stakeholders and staff. In Australia, the Australian Privacy Principles come into force in March 2014. Most private sector organisations will be required to adhere to them. Financial and professional organisations have been required to meet similar requirements for a number of years.
  3. Reputational – High profile privacy breaches have affected a number of large companies. Companies such as Sony, Heartland and RSA have suffered huge breaches which cost them millions of dollars to clean up and resulted in significant lost business. In some cases, they have resulted in tightened regulation which in turn increased the cost of doing business.
rsa fob
RSA key generator
Playstation breach - Sony contrite
Playstation breach – Sony contrite

 

 

 

 

 

 

 

 

Things to remember

  • most if not all board members will not have a good understanding of the Internet or information security (Tech companies are the exception of course).
  • boards are generally made up of people who are very clever and need you to acknowledge it – presentations need to be logical but also require little subject specific knowledge.
  • If you are the expert, you need to have the answer when one board member starts talking about “his daughter’s computer” or the spam she “gets on the company email” that she doesn’t get at home – this is where a well briefed chair is important
  • the best briefings work when board members are given details of current, real world examples of similar companies’ misfortunes. You can bet that Microsoft looked very hard at the Sony hack at the board level and that CA examined the breach of RSA tokens carefully!
  • Sometimes an outside expert needs to be brought in to tell the board what the security cell already knows. It is a funny quirk of human nature that we sometimes don’t give enough respect to the people in our own organisation.

That’s where you can call on us to help you get your message across. We have experience talking to boards and senior executives from government, councils, banks and companies including those in the DISP.

The CPNI paper is here http://www.cpni.gov.uk/documents/publications/2013/2013009-influencing_company_boards.pdf?epslanguage=en-gb

Australia’s CERT also publishes advisories which are useful (disclosure – Alex Webling was the founding director of Govcert.au) https://www.cert.gov.au/advisories

 

 

Information Security for health practitioners

Is it possible for health practitioners to  achieve information security?  Maybe a better question is  “How can health professionals balance privacy, information security and accessibility in an online world?” Or even, should the medical profession be bothered with keeping private and sensitive information secure?

Over the last few months, I’ve been working with a number of health practitioners to help them improve their information security. Much of this has been done with a view to the introduction of electronic health records.

I sympathise with hospital administrators, doctors and nurses. They don’t have a lot of time to think about security and privacy. However, the fact is that they have to do better.

monash university - surgery clinic 2012

Criminals follow the money

According to the Australian Institute of Health and Welfare, the health system costs just under 10% of Australia’s GDP (AUD121.4 billion in 2009/10 according to the AIHW) . In the US, it is around 18% (USD2.6 trillion in 2010 according to the CDC).  With this much money involved in the health system, it is a fat series of targets for cyber attack and fraud.

Terrorist vector? Probably not.

The Department of Homeland Security has even gone so far as to suggest that the health system could be targeted by terrorists and activists in the USA. I am not convinced by this or similar suggestions as the no1 aim of terrorists remains to create terror. Terrorists understand this and seek targets and methods along those lines. It matters less how few people a terrorist kills. It is more important for the terrorists that they have an audience that can clearly see a hard link between cause (terrorist attack) and effect (death, destruction etc). The  murder of a single UK soldier in May 2013 by allegedly Al-Qaeda inspired terrorists with machetes has created significant community angst, not only in the UK where it occurred  but in Australia, Canada and the USA. Yet, it is likely that more people died on that same day on the roads in London. My point is this, that if terrorists discovered some way of causing significant death or maiming from medical equipment, I do not doubt that they would use it. However, it is likely that the effect on the collective public consciousness would not be as great as the machete attack mentioned above.

However, we must accept that it is possible, if not altogether probable. One identified flaw is the chronic inability of many health systems to patch their software and applications.

One high consequence scenario involves hackers attacking defibrillators and insulin delivery systems remotely. I think this comes into the unlikely but possible category. Shodan, was used by a hacker to access the controls of a blood glucose monitor connected to the Internet by WiFi.

Whilst we can probably discount to some extent the terrorist threat, I can imagine the attraction of such attacks as assassination vectors or for the installation of ‘ransomware‘. Thus the high consequence threat from foreign governments and organised crime can’t be as easily discounted.

Beyond the extreme, privacy compromise and fraud

Beyond these extreme events, there is the possibility that patient or staff privacy can be compromised by weak information security. Dr Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, talking about the US health system has been quoted . “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”…. Unfortunately, it is not possible to hide one’s health under the mattress!

I experienced this personally about a week ago when my daughter’s optometrist sent through the results of her recent eye test, only it wasn’t. The attachment data was for somebody I had never met.

We have a tendency to compare the worst case scenario of e-health privacy with the best case scenario of the current system. We all know that it isn’t the case as my example above shows.

Good information security will also help protect healthcare organisations from fraud. Fraud is estimated to be a USD60 Billion impost on US hospitals. Methods that are being used by fraudsters include

  • Diversion of fee revenue
  • Diversion of controlled items (eg drugs)
  • Collusion with suppliers; and
  • Diversion of accounts receivable.

The same methods are being used in medical practices, albeit on a smaller scale.

What to do

A holistic approach is needed. We have worked with a number of medical practices to implement the key elements of the information security standard ISO 27000. This ensures that the practice has a risk based approach which mitigates threats based on real world experience of consequence and likelihood. Working with practice owners and stakeholders, we determine tolerance to information risk and work with them to implement controls which make sense and meet any regulatory requirements.

If you think this is something your organisation needs, please contact us at [email protected]

Information Declassification – A way for governments to save money and improve their information security

In the digital world it is very easy to create data, very difficult to get rid of it

Like us all, government agencies are creating huge amounts of information. Lots of it is classified either to protect privacy or for national security. This is what should happen, classification is an important aspect of information security.

What is data classification?

It is the process of assigning a business impact level to a piece of data or a system. This then governs how many resources are directly devoted to their protection. By classifying documents and systems an organisation makes risk managed decisions on how information is protected.

Graphic by Mark Smiciklas
Graphic by Mark Smiciklas, Flickr.com/photos/intersectionconsulting

Digital data wants to be free and it is expensive to ensure confidentiality if you also want to maintain data integrity and availability.

However over-classification of information can be as bad for an organisation as under classification. This is particularly true of large government organisations.

In addition, Government agencies tend to be risk averse places anyway – which on balance is a good thing!

So how could governments shift the classification balance, improve security and improve efficiency in agencies?

The problem is that the person who classifies data or systems does not have to pay for the cost of their actions in classifying. In fact, the individual avoids personal risk if a  piece of data is over-classified. However their agency has to wear the added expense.

Gentle readers, we have a problem of incentive imbalance!

Suppose it costs $100 to store a Secret document for its lifetime and $10 to store an everyday unclassified document. If governments placed a nominal value on document creation relative to the whole of life costs, it might be possible to stem the tide of increasing amounts of classified data.

If under this scheme a government employee wishes to create a secret classified document, they would need to find $100 in their budget to do so. In this case the employee might consider producing an unclassified document or one that was slightly classified. I argue that this market based approach to declassification would have far more effect than more rules.

A plan for implementation

So how might the plan be implemented in the tight fiscal environment that government agencies currently face, even though it is likely to save money long term?

  1. Survey government agencies to see how many classified pieces of data they produce each year by type. eg, there might be 500 top secret data pieces and 1000 secret.
  2. Assign a dollar value to each document according to the level of protection it receives. This bit would require a bit of research or possibly a pilot scheme.
  3. Based on the previous year’s classified information output, each agency is given a declassification budget. It might be considered that as this task was one that the agency should have been doing previously, that there is no requirement for central funding.
  4. Require each agency to report the numbers of classified data produced.
  5. Agencies that produced too many classified documents would need to pay the treasury a fine equivalent to the cost of storing the extra documents in archives.
  6. Agencies that produced fewer pieces of data than the previous year would receive a windfall.

That’s it in a nutshell. As governments produce more data, they will need to store it. Balancing the incentives to overclassify and underclassify data will help ensure that information is properly protected.

I’d love to hear your ideas, please make a comment

Alex