ERE Information Security Auditors

Archive for April, 2010

Survey: Cloud Computing Risks Outweigh Reward

Wednesday, April 28th, 2010


You may have read the recent survey conducted by ISACA, the article about the survey posted on CNET on April 7, or the more recent article about access and authentication headaches for cloud computing published by SC Magazine on April 9.

The message is clear: Remote users watch out for security and privacy threats!  Of course there is absolutely nothing new about this message.  But then again, there is very little that is new about cloud computing.  Only its name.

Forty years ago cloud computing had other names: service bureau computing, remote computing, mainframe service providers, to name a few.  Fast forward and we have similar shared services more widely accessible by orders of magnitude because of ubiquitous Internet availability and the flexibility of IP addressing.  So the concept of a remote service provider has changed not in the least; one person in their basement running a great application on an NT server with worldwide Internet access is an example of cloud computing.

The security and privacy vulnerabilities are commensurately more serious than those of legacy service bureau operations, where remote access was typically provided by dedicated lines. (Anybody know or remember what dedicated lines are?)

The ISACA survey does weigh the financial rewards against the potential downside costs of risk, with a nifty Risk / Reward Barometer visual. To read the article please see the www.ere-security.ca RSS feed, April 7. The idea of doing a risk analysis and BIA on any critical service is nothing new in the security business and, of course, these tools should be used when considering the use of cloud computing.

Further, in my opinion, using a cloud computing resource is much the same as outsourcing an IT service.  Any conscientious purchaser of outsourced services should consider, review, and have in writing as part of an SLA, many issues surrounding IT security compliance monitoring, enforcement, and a mechanism for recovering financial losses due to breach of the outsourcing agreement.

For more ideas about how to deal with an IT services outsourcer, please see www.ere-security.com, IT Security White Papers, Risk Analysis, “IT Security Costs: Outsource vs. Self Deploy”.

But I digress.

The fundamental business needs for enforcing access privileges and stringent authentication do not change whether the IT services in question are in-house or in a cloud, as pointed out in the SC Magazine article.  By the way, you can see the article at: www.ere-security.ca RSS, April 9.

The issue of who performs the access and authentication processes is critical to their control. I personally prefer that the client retain control and provide access to employees or users via a proxy service, again under the control of the client. The authenticated users should then be provided VPN access to the cloud-based service provider.

However, this is all for naught if the security framework of the cloud service provider is not up to snuff, since a weak provider framework essentially circumvents all the good work of access control and authentication done by the client. Which brings us right back to the point about the degree of security agreed to and provided by the cloud service provider.

The bottom line here is: The catchphrase cloud computing is new but all its old security headaches aren’t!

Have a secure week.

Regards, Ron Lepofsky, CISSP

President,

ERE Information Security and Compliance Auditors

www.ere-security.ca

Securing the Smart Grid

Wednesday, April 21st, 2010


Am I reading an oxymoron in this title?  Or what!

In a recent article in CNET news, Elinor Mills investigates the potential new security vulnerabilities introduced by adding smart metering to our legacy North American electricity distribution architecture.

First of all, North America has not fully implemented a smart electricity architecture or “Grid”. A smart grid would not have allowed the type of cascading meltdown that occurred in August 2003, and as far as I know that grid has not been sufficiently modified as to be considered ubiquitously smart. Has anyone got a different perspective on the status of the grid upgrade? For a look at this article please click to http://www.ere-security.ca/index.php, RSS feed, April 9, 2010.

Adding smart meters with IP addresses does not, in my humble opinion, compromise the security of the rest of the smart grid. This would be more of an issue if many key devices on the grid had IP addresses and were managed accordingly. But again, a smart IP grid is not there yet.

The CNET article goes on to explore the possibility of the smart meter’s being compromised and the countermeasures being implemented by various vendors.  I’ve even read some articles identifying concerns that smart meters are possibly an entry point into a household’s network for hacking purposes.  This sounds like dark magic to me, especially if the smart meter is in no way connected to the household’s network.  The bottom line, I believe, is that smart meters in and of themselves do not present a security threat or a vulnerability to the grid.

However…

Opening the control technology used by electrical distribution networks to a wider network certainly does pose a plethora of threats to the control technology and, therefore, to the entire control network.

The electrical distribution industry has standardized on SCADA control technology, and SCADA networks are sacrosanct.  They control and monitor actual electrical equipment, and errors can result in death, damage to equipment, and power outages.  So opening a SCADA control network to encompass smart meters expands access points exponentially.  For more information please see http://www.ere-security.ca/SCADA_CIP.html

The problem then becomes securing the vastly greater scope of network against all the usual security suspects. The utility industry relies on a security standard called NERC CIP; see http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html

In our experience as security and NERC CIP compliance auditors, we’ve seen nightmare scenarios regarding the unauthorized access vulnerabilities just on SCADA networks. I don’t want to give anybody any ideas, so I’m not going to be any more specific here. But you get the idea. If it is difficult as it is to keep SCADA networks secure, imagine expanding the scope of access to the network by hundreds of thousands of locations.

My idea is that a smart grid is one with superbly controlled access and authentication.  Access and authentication controls of course are composed of: logical controls, physical security, and people behavior.  So some smart meters are the least of the worries for ensuring the availability and dependability of a smart grid.

Have a secure week.

Regards, Ron Lepofsky, CISSP

President,

ERE Information Security and Compliance Auditors

www.ere-security.ca

Dark Side of Cyberspace

Wednesday, April 14th, 2010

The Toronto Star ran an informative article last week about spying on the Internet, particularly using easily accessible tools like Google, blogs and social networking sites. The article delves into cyber-spy rings like Shadows and GhostNets and mentions the upcoming global cyber security summit to be hosted by the University of Toronto this fall. You can see the article on the ERE RSS news feed at www.ere-security.ca.

The article is compelling but the message should not be news to any computer user today.  I’m not sure why anybody would be surprised that private information is stolen on the Internet after vast amounts of publicity on Identity Theft and about cyber-fraud.

So the important question is: Are you vulnerable to cyber-spying or to identity theft?

With regard to cyber-spying, the obvious question is: do you have any sensitive defense or political information worth stealing?  If the answer is “no” then we can all assume you are not being targeted by a spy-ring.

With regard to identity theft and cyber-fraud, some important questions about your computer are:

  • Do you update your anti-virus and anti-malware software daily?
  • Do you patch your operating system as soon as important security patches are available?
  • Do you patch your web browser with security patches as soon as they are available?
  • Do you avoid updating software tools such as Adobe Acrobat until the updates have been proven to not introduce security vulnerabilities?
  • Do you run a sweep of your computer work station with an anti-virus and anti-malware tool once a week?
  • Do you run a web site safety evaluation tool?

If the answer is “no” to any of the above, you probably have security weaknesses.  If you answer “no” to more than one question, you definitely want to consider improving your security procedures.

What about the answers to these questions about your cyber-behavior:

  • Do you open emails from sources you do not recognize?
  • Do you open attachments from friendly sources, without screening the attachment for malware prior to opening?
  • Do you visit unfamiliar web sites without first validating their safety?
  • Do you post on blogs or social networking sites any personal information including photographs?
  • Do you provide your home phone number to strangers?
  • Do you identify the names of your family members to strangers?

If you answer “yes” to any of these questions, you are probably jeopardizing the security and privacy of information on your workstation. If you answer “yes” to any of the last three questions, you may be putting your family members or yourself in harm’s way.

What about your cyber-housekeeping habits, such as:

  • Do you regularly change the password to your workstation?
  • Do you have a strong password for your workstation?
  • Do you encrypt personal information and passwords?
  • Do you leave unencrypted personal or sensitive information on external media?
  • Do you dispose of used disks and computer technology without destroying the media and memory hardware?
  • Do you dispose of scanner and photocopier technology without destroying the media and memory hardware?

Answering “yes” to any of the above, as you’ve already figured out, is not good for your cyber-health.

So the big question is: Do you want to greatly improve your personal cyber-security?  If yes, by now you probably have a few new specific action items to execute.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

What’s the news with iPad Email Scams?

Wednesday, April 7th, 2010

During the Easter weekend you may have seen scams in the form of spam about the newly released iPad.

The Better Business Bureau released a bulletin warning the public to be wary of bogus offers, such as:

  • Claims you can become a tester or researcher and get an iPad for free.
  • Requesting product testers for the iPad. The email points to a website, Testitandkeepit.com, which claims it is looking for people to test the iPad for a couple of months; as compensation you get to keep the iPad. The biggest red flag with this offer is that you have to provide your email address and password in order to “tell your friends.”
  • “Researchers Wanted - Get an iPad Early and Keep it” was designed to trick people into signing up for a cell phone subscription service that cost $10 a month.

The sad part about this scenario is that Internet users still need to be warned about email fraud.  By Internet users I refer to both the unsophisticated and the well educated who should know better.  If you don’t know better, for more information about the BBB bulletin, please see the related article on the ERE RSS news feed at www.ere-security.ca.

Isn’t it ironic that potential purchasers of leading edge technology like the iPad would also be susceptible to low brow high tech fraud?

We all know better than to open spam and to be very prudent when opening emails from unknown sources.  This, of course, is email security policy 101.  Everyone should know better than to divulge any passwords.  While we are on the subject relating to the iPad scam, everyone should remember to:

  • Never use the same password for your computer logon, email, social networking, and ATM.
  • Change your passwords at least once per year.  I know this is painful.
  • Never “loan” your password to anyone.  Ever.
  • Always check the digital certificate on an e-commerce transaction site. You can do this by looking at the SSL certificate and then researching the certificate provider.
  • Think before going to a web site offering something for free. Perhaps get a tool that attempts to triage sites by risk. This sounds hypocritical, but I found an excellent “free” tool at McAfee at http://www.siteadvisor.com/

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditors

www.ere-security.ca


Copyright © 2007-2008. All rights reserved.