Attack Mitigation – Assume the worst

I have recently been catching up on what was happening at the RSA conference in San Francisco this year and what some of the key security trends are.  One thing that has jumped out is the move from ‘we can protect you’ to ‘you are or will be hacked, so what can we do to mitigate the damage and catch the malicious individual or group?’

This has been coming for a few years with the increasing use of cyber-warfare by governments and the military, and the emergence of APT (Advanced Persistent Threat), where well-funded criminal gangs will expend a lot of time, money and skill to gain long-term and potentially subtle footholds in company systems.  These factors, along with all the ‘standard’ existing threats and the continued successes of social engineering attacks such as phishing, have led many security leaders to suggest that you have likely already experienced a breach and you will, not may, experience breaches in the future.

This is backed up by research from the Ponemon Institute that suggests 70-80% of organisations have experienced a data breach within the last 20 months.

So in addition to the standard perimeter and control type solutions there are now vendors and consultancy firms offering solutions to limit the damage that occurs when these preventative measures fail, and at the same time capture as much information as possible to aid in the tracking down and capture of the attacker(s).

This is an interesting wake-up call for both the security industry and all companies – the protective measures we have relied upon for years work, but they are far from infallible and will fail when faced with a concerted effort or a duped user who already has system access.

A couple of interesting references covering this in more depth:

Dark Reading – http://www.darkreading.com/advanced-threats/167901091/security/news/232602708/security-s-new-reality-assume-the-worst.html

Bruce Schneier – http://www.schneier.com/blog/archives/2012/04/attack_mitigati.html

The Dark Reading article is particularly interesting, and it’s well worth reading both sections.

Remember – your company’s systems will be breached.  What will you have in place to minimise the damage and assist in preventing the attackers from doing the same to more organisations?

K

Malware everywhere, even on Apples..

Various sources have been reporting on the recent Java hole that enabled malicious individuals to infect upwards of 600,000 Apple Macs that were running the latest, fully patched version of the O/S.

This Java vulnerability was actually known about sometime last year and has been patched on other systems.  Apple, in its continued, and frankly misguided, belief that its systems are safe and don’t need protection like anti-virus software, chose not to patch the hole until 100s of thousands of its customers had been infected.

The reality is that all consumer computer systems have vulnerabilities and it should be the expected duty of vendors to patch these as quickly as possible to protect their customers and their privacy.

We have all knocked companies like Microsoft for the number of vulnerabilities and attacks that have occurred against their software, but the reality is that over the last few years Microsoft has made huge progress in producing more secure software, patching in a very timely manner, providing free tools like anti-virus, and working with law enforcement to bring down criminal botnets.

Apple has avoided many exploits being created as it has historically been such a niche player.  Why create an exploit for a few machines when you can create one for orders of magnitude more?  As Apple has become more successful and there has been an increased uptake of its products in offices, it has become a more interesting and valuable target for criminals to try and exploit any vulnerabilities.

It is time for Apple to pull its socks up from a security standpoint, and to become both more proactive and transparent in how it deals with issues and helps protect its customers.

For us users of any operating system it’s yet another reminder that we should keep our systems patched and run software to protect us from viruses etc.  Oh and not to trust vendors when they tell us their systems are safe and don’t need further protection.

Some detail and commentary on this issue can be found at the links below:

http://nakedsecurity.sophos.com/2012/04/04/apple-patches-java-hole-that-was-being-used-to-compromise-mac-users/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=a6d16b7680-naked%252Bsecurity

http://news.cnet.com/8301-13579_3-57410476-37/apples-security-code-of-silence-a-big-problem/?part=rss&subj=news&tag=2547-1_3-0-20&tag=nl.e703

K

Firefox to use Google secure search by default

Now that the Google secure search offering has matured in terms of scale and performance, Firefox is moving to use Google secure search as its default search provider.

From a privacy / security perspective this is great news as it makes it much more difficult for people to view your searches / search terms.  As always, the solution is not foolproof and Google breaks the ‘security’ for paid advertiser links etc.  However this is a good step in the right direction for improving security / privacy and specifically search security / privacy online.

More details can be found here;

http://searchengineland.com/firefox-to-use-google-secure-search-by-default-116231

If you want to use Google secure search yourself, just replace http with https in the address bar when you use Google search.

K

TSA’s good catches of 2011 or Terrorists can’t use ziplock bags

As an interesting follow up to my previous post ‘real security – safety vs. liberty’ that can be found here;

http://kevinfielder.wordpress.com/2011/01/03/real-security-safety-vs-liberty/

I came across the TSA (Transportation Security Administration) blog posting on their 10 best good catches of 2011.  Now bear in mind this is their own blog, not an independent news report, so it can be expected to paint them in the best possible light:

http://blog.tsa.gov/2012/01/tsa-top-10-good-catches-of-2011.html

So mostly forgetful / stupid passengers, the odd criminal and 1 person who took C4 through one airport and only got caught on the return flight.

You will notice ZERO terrorists or terrorist plots foiled.  We are beholden to more and more checks that in fact do nothing to catch or prevent terrorism.  When will the voice of reason prevail over checks that appear ill-conceived and only get enacted as poorly thought-out knee-jerk reactions to previous issues?

The chairman of BA has echoed similar sentiments as quoted in this Daily Telegraph report;

http://www.telegraph.co.uk/travel/travelnews/8089096/Airport-security-checks-are-completely-redundant-BA-chairman-says.html

To further back up my opinions on how ridiculous many of these new checks are, I recently flew from Luton to Dublin.  On my way out I duly had my clear plastic bag of toiletries, all less than 100ml, and a total of well under 1 litre.  No problem I thought, I am well prepared.  However my bag was a clear tie-handle bag.  I was stopped and told they have to be in a resealable zip-lock type bag.

How this will reduce terrorism I do not know.  As per the title, has recent research proven that those inclined to blow up or take control of aeroplanes struggle with zip-lock, but can tie handles together?

The problem with all of this is that we as the people who are not actually being served or protected by these extra checks cannot question or challenge them – if you argue or protest you can’t fly, simple as that.  It’s about time someone saved us all time, and airports money by reviewing exactly what checks are sensible and needed.

K

Hackers outwit on-line banking security

If you ever doubted either the inventiveness of criminals, or the need for taking sensible security precautions, this story should be a wake-up call:

http://www.bbc.co.uk/news/technology-16812064

Hackers have developed ‘Man in the Browser’ attacks that potentially allow them to circumvent even the relatively new 2-factor chip and PIN security many banks now implement.  These attacks also have the potential to at least temporarily evade protection such as AV software and any blacklists, as they will redirect to new sites that are not yet known by security firms.

In short, stay vigilant, keep your computer(s) protected and up to date, and always use security software such as anti-virus etc.  And as documented by Bruce Schneier several years ago, we need to look at authenticating each transaction.

K

Trust requires transparency

I came across this excellent post via Bruce Schneier’s blog;

http://newschoolsecurity.com/2012/02/dear-verisign-trust-requires-transparency/

The post highlights that while Verisign has publicly claimed that they have dealt with the recent breach of their systems and that the Domain Name System (DNS) has not been compromised, they are still very light on details of what actually happened and how the DNS system was protected and has in fact not been compromised.

The point of the post is that for us to truly trust them and the systems they own and run again they must be open and transparent.

This is an excellent point and one well worth remembering.  While it may appear that the most secretive systems or organisations may be the most secure, actually it is likely we can place the most trust in those that are most open where we can clearly see and verify the security of their systems and processes.

Read the post and Verisign’s statement and make up your mind on whether you think you would be more ready to trust them if they were more open and transparent.

Be secure, open and trustworthy..

K

Project suggestions..

So I am currently working on what my MSc project should cover.  As the overall title of the MSc is Distributed Systems and Networks the project should likely incorporate some sort of networked / distributed system.  Given my continued interest in IT Security and the fact one of my favourite modules was actually titled ‘Distributed Systems Security’ I’d also like to incorporate a strong security focus into the project as well.

As I am also working on some cloud security related work for the Cloud Security Alliance I am thinking something ‘cloud’ related would be good as this would bring together aspects of security, obviously distributed systems along with being a very current topic.

The purpose of this post is to garner ideas and suggestions for project content and/or possible titles as I am struggling a little to decide the best and most interesting / useful option.  Likely especially relevant to the guys I am working with on CSA projects, but obviously open to anyone – what areas would you like to see further research in, where could my MSc project add value and insight?

Please feel free to post here or email me with any ideas and suggestions. Many of you have my email, however if you need it, it’s on my LinkedIn profile.  I’ll keep this blog updated with my topic decision and also link to the project once it is complete.

Thanks for your interest – looks like this is going to be an interesting and busy year!

K