ERE Information Security Auditors
Home | Site Map | Contact Us | Blog
This text is replaced by the Flash movie.
 Executive Strategies for Managing Risk
Audit Tactics for Managing Risk

Archive for May, 2010

Irrefutably Identifying Ourselves

Wednesday, May 26th, 2010


A deluge of compliance requirements have inundated organizations, which obligate information security officers to protect; sensitive personal and corporate data from theft; critical data from theft and corruption; medical and health data from theft, surveillance, and destruction.

Fundamental to these security and privacy imperatives is the ability of an organization to restrict control of access to only those individuals with the need and permission to see and change the data in question.  Access should be predicated upon the ability to conclusively and positively identify an individual or entity requesting access to data, while being able to deny access to everyone and to everything else.

In my May 4 blog, Forensic Identification Using Skin Bacteria, I discussed this idea.  This may or may not come to pass in the future, but it did emphasize the on-going, if somewhat imaginative research, in user identification.  A more down to earth and currently available means of verifying identity is two-factor authentication or 2FA.

2FA has been around for a long time and has undergone major improvements.  Now the banking industry has adopted it for the magnetic cards we use for credit and debit transactions – a pin number – which is something we know.  Smart cards provide the ability to deny or permit the use of any transaction based upon the electronic identification of a card. The card is generically known as a token or something we have that is unique to us.

2FA is critical for some organizational applications and many organizations have the technical capability and financial resources to implement two-factor or even strong authentication.

However, in my opinion, the issue of 2FA is particularly important for individuals doing remote access to their business or personal computers, the reason being that individuals may not have the technical expertise or financial resources to ensure their remote communication sessions are indeed secure.

For example, I see many laptop users at public hot-spots hammering away, presumably over WiFi .  (Or why else would they be at a hot-spot?)  We know those networks are not secure and, therefore, the users are subject to any number of man-in-the-middle and covert surveillance attacks.

Users may think their sessions are safe as the WiFi access service announces that once a user has paid for the service, their sessions will be encrypted.  However, the log-on portion of the payment transaction is wide open!

Or even worse.  Many users implement all manner of RDP remote connections to their systems.  I have seen numerable instances where identification and authentication by single password is done in the open.  Even though the RDP session may be implemented via an unusual port number, there is still the possibility of  monitoring the port activity and gaining access to the authentication data.

This problem is exacerbated by using the same user name and password for both an RDP session and for system login.

In my opinion, the bottom line is that all users of remote communication should implement some form of two-factor authentication, especially when using any or a combination of RDP, VPN, Bluetooth, WiFi, and wireless broadband.

My guiding principle for remote communication is that if I perform an unencrypted remote login to a system, then everybody on the Internet just saw my authentication credentials.

Have a secure week.

Ron Lepofsky,   CISSP,  B.A.SC. (mech eng)

President,

ERE Information Security and Privacy Auditors

http://www.ere-security.ca

Tags: , , , , ,
Posted in Internet Security | 1 Comment »

YOUNG PEOPLE SUSCEPTIBLE TO PHISHING

Wednesday, May 19th, 2010


A recent study at Carnegie Mellon University found the 18 – 25 year old population is most susceptible to spear phishing attacks and fraud.  This sounds counterintuitive as this group is assumed to be particularly computer literate.  Even more on point, the test group were university students and staff members.  For more information please see the article in the RSS feed at www.ere-security.ca entitled “Younger Users Reveal Risky Details”, May 4, 2010.

So what can we learn from this study?

Everybody needs to be trained about phishing by “experience”.  The article discusses a tool to simulate attacks and the target web site explains how the simulated attack could have resulted in fraud and how to guard against phishing.

I believe this sort of solution could be effective if sponsored and paid for by an institution that has a vested interest in the cyber security of its user base.  Corporations, educational institutions including grade schools, and government agencies could all benefit from this type of cyber education by experience, particularly if the web site kept statistics about those entrapped and determined the level of success of the service over time.

However, spear phishing can still be effective in situations involving coincidence of timing, where the victim is expecting a transaction to occur and coincidentally receives a fraudulent email about that subject.  For instance, someone expecting a delivery, email receipt, confirmation of a transaction, may have an irresistable urge to open a phishing email that seems relevant to their transaction.

In these situations it is important to:

  1. Ensure an anti-virus and anti-malware program first screens these announcement emails.
  2. The user verify that any attached URL is bone fide, by first searching for the legitimate URL and then comparing with the URL in the announcement email.
  3. Never include any additional personal information requested by an announcement email.
  4. Do not open unexpected or unknown attachments in email.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSPERE Information Security and Privacy Compliance Auditors. www.ere-security.ca

Tags: , , ,
Posted in Internet Security | 1 Comment »

NEW YORK STOCK EXCHANGE MELTDOWN

Wednesday, May 12th, 2010


The New York Stock Exchange meltdown last Thursday gives a whole new meaning to “security vulnerability.”  Imagine that supposedly technical errors in a transaction processing system could cascade into a disaster that affected literally the entire world.

According to the article in the Washington Post by Zachary Goldfarb and Jia Lynn Yang, the Exchange officials are quoted as saying the reason for the meltdown was “…probably caused by technical problems and could take weeks or months given the millions of trades being examined.”  To see the article in full please visit www.ere-security.ca RSS feed May 10, 2010 or http://www.washingtonpost.com/wp-dyn/content/article/2010/05/07/AR2010050705087.html?sid=ST2010050705108

In my opinion, no matter what the New York Stock Exchange officials deem to be the perceived causes of the meltdown, two basic security practices need to be implemented in order to mitigate the chance of a repeat performance.

The first suggestion is really just plain common sense.  Since it appears the Exchange is susceptible to anomalous transactions, where the requested sell price of an instrument is unreasonably below the current sell price, security policy needs to be implemented and enforced to have such transaction requests investigated by human beings prior to execution.

This type of inspection falls well within the realm of standard security practices for complex transaction processing systems, or for that matter, even the simplest web based on-line purchasing systems.  In both the realms of the simple and the complex, it is customary to check data being input for “sanity” or for being credible.

The second suggestion is that anyone who is capable of entering requests for transactions into the Exchange transaction processing system, such as stock broker representatives, should undergo a regular background security appraisal for susceptibility to being induced to enter sell orders which are not deemed as credible.

Again this is Security 101, and organizations who deal with sensitive or critical data understand the need to do background checks on employees, both during the hiring process and periodically thereafter. Organizations with expertise in Information Security, such as ISACA, www.isaca.org, incorporate background checking into their cornerstone security policy document, COBIT.  More information about COBIT may be found at www.isaca.org/cobit .

The Washington Post article goes on to explain the possible causation of last Thursday’s problem that caused the Exchange to temporarily drop by nearly1000 points in less than one hour, as “Computer programs designed to make lightning-fast decisions, based on complex mathematical rules, or algorithms, about what to buy and sell made massive trades without human input.” and “… electronic trading hubs had inconsistent rules about when to stop a sudden plunge in stock prices.”

While the debate continues about whether or not stock exchanges should slow down or interfere with automated trading, the root cause of the problem will still continue to exist:  invalid sell requests.   Automated trading may cause the observed cascade effect, but is not a root cause of the problem.

Indeed it would be productive for the Exchange to also address the second problem of resolving rule inconsistencies relating to automated trading.  Again, ensuring software rules are consistent and compatible is a basic IT Security, whether designing rules for transaction processing systems or for firewalls.

While rule consistency is a laudable goal, it still will not address the root cause of the unnecessary plunge problem.

This plunge problem makes me think of an inverse “Terminator” situation.  In the Terminator technology, “had malicious intent towards humanity”.  I can imagine the NYSE transaction technology thinking…… “These guys want me to do what?”

Have a secure week.

Ron Lepofsky, CISSP, B.A. SC. (mechanical engineering)

www.ere-security.ca

Tags: , , , , , , ,
Posted in Information Security | 2 Comments »

Forensic Identification Using Skin Bacteria

Tuesday, May 4th, 2010


Intriguing, no?  The Gordon Washington University School of Medicine has observed that bacteria left on keyboards and computer mice is highly unique to its depositors, and can be collected and identified up to two weeks after it is left on the device.  If you would like to see more about this article please visit:  www.ere-security.ca , RSS feed, March 29, 2010.

This certainly provides another identification tool with regard to tagging unauthorized access and use of equipment and to tying an individual to an act of accessing electronics.

I’m not sure if it is legal to request a finger swab and if this new type of evidence could even be presented in court, but hey, DNA evidence had to begin its legal career at some point.

It is not that far removed from contact biometrics such as fingerprint readers and palm readers.  And these are not far removed from contact with “something you have” such as an identification swipe card.  Since we are already on the slippery slope of allowing contact with one’s personal identification device or hand parts, perhaps identification by personal bacteria is not that unreasonable.

Identifying who may have used a mouse or keyboard does not help a forensic investigation relating to remote unauthorized accesses.  Users still make the same old mistakes with regard to preservation of forensic evidence when they become suspicious about a potential cyber attack.

Not to demean bacteria in any way, but users should and can implement the following procedures when they would like assistance in verifying that an intrusion has been committed on their system:

  1. Immediately telephone the IT security department and clearly identify their observations of concern, what they were doing on their workstation at the time, and the exact time / date.
  2. Do not continue to interact with their workstation and with any other applications / systems with which their workstation is interacting.
  3. Do not turn off their workstation.
  4. Do not attempt to run any diagnostics on their workstation.
  5. Do not send emails from their workstation.

The investigating forensics team should:

  1. Isolate the workstation and other systems associated with the potential incident.
  2. Not turn off the power to any of these systems.
  3. Make an image of the state of each system, make a copy of the disk contents, and especially make a copy of the logs of all relevant systems.
  4. Then begin their forensic investigation

Of course many forensic situations could have been mitigated at the preventative stage by computer users / bacteria hosts following simple security best practices.  But that is an ongoing conversation.

Have a secure week.

Regards, Ron Lepofsky, CISSP

President,

ERE Information Security and Compliance Auditors

www.ere-security.ca

Tags: , , , ,
Posted in Security Postings | 5 Comments »
Home | Point in Time Audit | Doc Audit/Authorship | 7x24 Monitoring | Knowledge Transfer | ERE Differentiators | About Us | Site map | Contact Us | Blog
Copyrights © 2007-2008. All rights reserved.  Non-security resources 1|2|3|4|5|6|7|8|9

   AddThis Social Bookmark Button