
Ron's comment asking "if it's all about risk why do we call it Information Risk Management" has certainly made me think...

It's all very well for "security thinkers" to tell you all about all kinds of weird and wonderful threats to your information and "security vendors" to tell you that their "UberAntiDoodarThreatNeutraliser" will rid you of them but where should you start? What practical steps can you take now to improve your security posture?

Whatever it is that makes you money the chances are that it relies upon decisions being made based on information. The mandate of Information Security of course is to ensure that accurate information is available as quickly as possible. As I typed the last line I nearly included "...to the right people" but of course that's part of the role of Information Security :-)

What information is valuable to your business? Many people question whether their business has information worth stealing. I've often heard "we just make widgets, we're not a bank or government, who'd bother attacking us?"

WHAT ARE INFORMATION ASSETS?

WHO you sell WHAT to and HOW much you charge is likely to be of interest to your competitors and those who may wish to enter the market. The names of the highly skilled people in your company are likely to be of interest to those who may wish to recruit them to work for a rival company.

The designs of existing products and plans for future products represent high value information assets.

Believe it or not both your old designs and any fault tracking databases including help desk calls can also be highly sought after information assets that could be used by a rival to help them avoid the same mistakes as you.

All of the items listed above represent possible information assets. You need to consider the impact of such information falling into the wrong hands and use this to write (or update) your information security policy which should define WHAT SHOULD HAPPEN and identify security controls to mitigate the threats of exposure. You also need to consider the impact of information assets not being available and write (or update) your business continuity plan accordingly.

Of course there are an ever growing number of legal requirements that you'll also have to comply with, including HIPAA, SOX and possibly SB1386, each of which requires you to implement effective corporate governance.


HOW DOES RISK PLAY A PART?

Our security policy should state the ways in which information SHOULD flow into and out of our organisation. The policy should include statements specifying the security controls to be used to mitigate the RISK of information exposure. Clearly it's only worth expending a certain amount of effort (time and / or money) to protect an asset relative to its value and the risk of it being exposed. Keeping on top of the likely threats at a point in time and the level of effectiveness of current controls relative to the threats (and the current value of the assets) is what information security is all about.

I'll drill into each of these areas in further blog posts.


Full details of this month's security update can be found here.

It's a significant update as it includes updates to address nine critical vulnerabilities and three important vulnerabilities. Ten of the vulnerabilities are for Microsoft Windows, two are for Microsoft Office. It's interesting to note that the severity of the vulnerability is greater for older versions of Microsoft Office.

The Microsoft Security Response Centre (MSRC) have posted an interesting entry about August's security update.

I was recently asked for suggestions to give to Chief Information Officers to improve their security posture.

My suggestions were as follows - I'd love to hear your comments to see what you'd suggest:

Here are my five tips for CIOs:

  • Challenge everything. Those that work in technology often lack the “big picture” view hence forget to consider “how will this help the business” when purchasing, implementing and building solutions. Specifically in the area of information security you need to ensure they understand “what threat am I trying to mitigate by taking this course of action?”
  • Clear communication is paramount. At the end of the day the people that USE your information systems are the ones that need to make the important decisions over what information should be shared with whom. Empower EVERYONE to both make security decisions and accept the responsibility that goes with them.
  • Few Information Security Policies make any sense. Effective policies are clear, concise and are communicated to everyone who they apply to. Policies should be reviewed frequently BY A REPRESENTATIVE group of the people they apply to. Everyone should be empowered to challenge “stupid” policy statements.
  • Security is often viewed as purely the enclave of specialists. This is not true. Effective security requires EVERYONE to buy in to accepting their responsibilities.
  • There are no easy answers. Security is not easy. Nor is it impossible. It’s merely another risk decision. It requires a mandate from on high and must be positioned as enabling the business to do more with less risk.
Click on the image below or here to listen to a recent podcast where some chap from Microsoft speaks his mind about security posture and how to be proactive.

The authors of the podcast (Rich and Dave) share their eclectic style and some rather specialist "music". It's an active and well respected user group that meets frequently and shares practical advice in a lively manner.

It seems weird promoting a podcast that features myself though the chaps asked me to share it with a wider audience and I've supported their user group meetings and was impressed by how much valuable information was shared between their members.

There's an interesting podcast (of approx 20 mins duration) hosted by Bill Hilf where Tim O'Reilly discusses where OpenSource is going and how Open Access to data is of principal importance. Tim talks about how the best applications are those that get better the more people use them - search engines, WIKIs and reviews on trading sites are good examples.

He quotes one of Robert Scoble's earliest posts whilst @ Microsoft where he mentioned a local restaurant that he liked and observed that its website didn't show in a search engine query (Google I believe) - he said that by the following day it would show due to his readers visiting the site and thereby raising the site's profile in the search engine.

Interesting indeed.

Microsoft are hosting an entire track giving technical insight and encouraging feedback at the Blackhat conference. For those of you who (like me) aren't able to go to Las Vegas for the conference it's worth watching out for both webcasts and the events in Europe and Asia.

There's more information available on eweek and also on the new Windows Vista Security blog. Austin Wilson (Director of Product Management for Windows Vista Security) will be there and he's keen to receive feedback as he explains in his post about external security assessment which reads like a who's who of reputable penetration testing companies.

The TechJournal discusses both Blackhat and Bluehat.

I think it's rather interesting that Dan Larkin from the FBI is presenting the keynote given that this conference started out as a gathering of people who were intent on finding the limits of both system and application security.

It's been a long time coming but finally TechNet Plus subscriber downloads provides online access to the latest CTP builds of Microsoft Infrastructure products including Windows Vista and 2007 Office System.

I know that many of you have been frustrated (see comments to this post) that MSDN subscribers were the only ones able to download the ISOs but now we're using the same engine hence TechNet Plus subscribers will have access to the same builds.

In addition to the CTPs subscribers also have access to the monthly TechNet DVDs via download.


It was brilliant to see over four hundred people taking part in the UK's largest LINUX User Group get together. As you'd imagine there was plenty of debating the finer points of all areas of Open Source development and applications.

LUGRadio was billed to me as being the community version of LINUX World - no suits, no vendors pushing products, just straight talking techies. I think that's a fair description.

The "Four Large Gents" (Beard, Angry, Bald plus the one I've forgotten the name of!) made the event both entertaining and together with their helpers (the crew - all volunteers) ensured a smooth running event.

I spoke about embracing the Security Development Lifecycle (SDL) together with techniques for securely integrating both Microsoft and LINUX systems. I've shared my slides with Jono (Beard) who informs me that they'll be available for download shortly from the LUGRadio site.

There are plenty of pictures up on Flickr including the following one (thanks to PortSeven for this one):

I particularly liked the "Low Tech WIKI" (image thanks to Laszlok)

It was weird being the only representative of a Commercial Software House and I did start my talk by asking whether anyone had any fruit or veg with them - thankfully everyone was really friendly.

Something that was particularly good was that the questions posed by the audience during the live Q&A were very technical and well informed - it's much more fun than when people pull their punches.

The excellent Port25 blog is a great place to find out much more about how to get the most from a mixed Microsoft and LINUX environment.

In addition to my earlier post detailing how to get Aero Glass working I've found that making a change to the BIOS on my machine has ensured that I can now reliably use an external monitor and also project.

The setting in question specifies whether the computer should attempt to automatically detect the presence of an external display or not. My system (a Toshiba M4) defaulted to "automatic" detection - this was the root cause of me not being able to project. I changed the setting to "always output" and hey presto I've been able to reliably project / drive a monitor ever since 

I'm using a couple of laptops - one is nearly three years old and for some bizarre reason only the "M" and "N" keys are losing the symbols printed on the key. I could understand if the vowels were wearing out.

Someone helpfully suggested that I probably type "M" for "Microsoft" pretty frequently but in that case surely "O" would be even worse.

I've heard of more and more people who are finding that they're wearing out laptop keyboards and power supplies, as often their laptops are still powerful enough even though they're several years old.

Of course the increased use of virtual machines for testing purposes on laptops does tend to demand additional power but for general purpose use it seems that rarely is the latest and greatest hardware required.

Following Eileen's lead I've decided to post my mobile phone number on my blog. Bearing in mind that I disclose it to anyone who asks and I'd like to be contactable by anyone who's interested in the same things as I am it seems like a good idea.

I just hope I don't receive a barrage of text spam as a result.

If you'd like to get in touch then feel free to call me on +44 7812 980621.

Note: I've updated the "News" section on the left hand side of my blog skin to include my telephone number

Netcraft have reported cases of banking sites being compromised even though they use two factor authentication. The scam is pretty straightforward as it's low tech and relies upon misdirecting the user rather than exploiting a vulnerability on the target bank server or a flaw in the two factor authentication system.

This is a classic Phishing attack as the user is fooled into browsing to the malicious web site, they enter their credentials into what appears to them as the valid site and gain access to the real online bank system. The crux of the problem is that the user hasn't validated the identity of the "banking site" and therefore the malicious site is able to harvest their credentials including the one time passphrase and PIN used in the two factor authentication.

Of course the way it's designed to work is that a web server certificate is used by the real site to assert its identity to the browser - all being well then the padlock icon (or similar depending upon the browser) will be displayed. This all falls apart in this case though as some users don't look for the padlock and those that do don't check its properties. This is hardly surprising as the information pertaining to the validity of the web server certificate is geeky in the extreme and it's easy to obtain a valid cert for a slightly different URL and fool many users to go there.
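To make the "valid cert for a slightly different URL" point concrete, here's an added Python illustration (my own example, not part of the original Netcraft report or any browser's code) of the check that the padlock alone doesn't do for the user: the host in the URL must be covered by the certificate's subjectAltName entries AND be the host the user expected. The bank domains and SAN lists are constructed for the example.

```python
from urllib.parse import urlparse


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName entry against a host the way browsers do:
    case-insensitive exact match, or a '*' as the whole leftmost label that
    covers exactly one label ('*.bank.example' matches 'www.bank.example'
    but not 'a.www.bank.example' and never a bare registrable domain)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] == "*" and len(p_labels) > 2 and len(p_labels) == len(h_labels):
        return p_labels[1:] == h_labels[1:]
    return False


def cert_covers_url(san_names: list[str], url: str) -> bool:
    """True if the host in the URL is named by one of the cert's SAN entries.
    urlparse().hostname drops any user@ prefix, so a URL dressed up as
    'https://www.bank.example@evil.test/' is judged on 'evil.test'."""
    host = urlparse(url).hostname or ""
    return any(hostname_matches(name, host) for name in san_names)


def classify_site(san_names: list[str], url: str, expected_host: str) -> str:
    """Distinguish 'the cert is valid' from 'the cert is valid for MY bank'.
    The second check is the one the phishing victim never performs."""
    host = (urlparse(url).hostname or "").lower()
    if not cert_covers_url(san_names, url):
        return "cert does not cover host"      # browser would warn
    if host != expected_host.lower():
        return "valid cert, wrong host"        # padlock shown, still a phish
    return "ok"


# Constructed sample data: the real bank's SAN list and a lookalike cert
# legitimately issued for a slightly different name.
REAL_BANK_SAN = ["www.woodgrovebank.example", "woodgrovebank.example"]
LOOKALIKE_SAN = ["www.woodgrovebank-secure.example"]
EXPECTED_HOST = "www.woodgrovebank.example"

if __name__ == "__main__":
    for url in ("https://www.woodgrovebank.example/login",
                "https://www.woodgrovebank-secure.example/login"):
        print(url, "->", classify_site(LOOKALIKE_SAN, url, EXPECTED_HOST))
```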

Internet Explorer 7's Phishing filter is designed to alert users when they attempt to visit known malicious websites. The user experience is simple yet effective - the address bar changes colour from clear (the default) to yellow, green or red depending upon the severity of the danger posed by the site. A plain English text description accompanies the address bar to provide more information.

The image below shows the Phishing filter in action - to reproduce this for yourself simply browse to the Woodgrove bank phishing demonstration site:

Browse here to find the technical details pertaining to Security Vulnerabilities in Microsoft products.

According to the SANS diary a popular database vendor announced 65 security vulnerabilities yesterday. That seems a great deal for a product that was billed as being "unbreakable".

Let's be clear - all software (of any size) has vulnerabilities - accepting this and being as transparent as possible about remediation steps is important IMHO.

It's very frustrating that in this case it's necessary to possess sign-in credentials to be able to find out any meaningful details of the vulnerabilities in question.

Apparently a support contact (identifier) of some kind is required to be able to even view any kind of information pertaining to the security exposure.

There are some further details available @ the excellent third party vulnerability tracking site Secunia.

To browse the technical details of the security vulnerabilities reported for Microsoft products look here.

There are a couple of privilege escalation vulnerabilities that have recently been posted on the SANS Internet Storm Centre site. If you run LINUX it's worth taking a look as in theory these may cause you pain regardless of your distro and package choices.

I don't claim to be a LINUX guru though I take reports to respected sources as worthy of closer inspection. If you know more about the impact / painless mitigation steps then please share them.

Thanks to the "LINUX Security site" for raising awareness of these issues.
