Stuart King's Security and Risk Management Blog

We can't write secure code

Fri, 16 May 2008 03:00:00 +0000

David Lacey makes the important point that writing secure software is "not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the development process." It's a subject I've been harping on about for some time, with many references to excellent resources such as OWASP, and great leaders on the subject such as Mark Curphey. Over the last few years I've heard many solutions proposed to fix the problem of insecure software, ranging from sacking the developers to improving the software development lifecycle so that security requirements are stated from outset and followed through into production and beyond. The evidence is that none of it works. OK, the folk at Microsoft, for example, will say that security is now embedded in their culture, and they've certainly generated a nice new stream of revenue for themselves out of all the books, tools and journals on the subject. But they are still releasing security patches with a frequency and schedule that the I wish the rail company I use each day could achieve with their trains. And other vendors are coming up with clangers at an alarming rate. For example, this latest one from leading CMS vendor RedDot. An SQL Injection vulnerability in an enterprise level CMS system - what were they playing at with their quality control?! So, here's the thing. We can't write secure code. It's true. Can you show me any decent commercial, consumer focused product (that people actually want to use - not just techies who haven't seen daylight in 12 years and live on a diet of digestive biscuits) that is secure from the off as soon as it's exposed to the Internet and where 12 months later it hasn't required a patch of some sort? Systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes. That doesn't mean that we shouldn't try, it just means that we should take a different approach. That approach, in my opinion, is to take a leaf out of the new edition of the PCI standards and stick a ruddy great application firewall in front of everything. That doesn't make the code secure, it's a sticking plaster over a wound. But - to continue the analogy - a plaster stops the bleeding, prevents germs getting in, and while it's not a cure, it's good enough. I'm not knocking OWASP et al. It's the first resource I recommend developers go to and will remain so. Just that the business expects more functionality, cheaper costs, more complexity, better performance, and a more rapid deployment for its products. Chucking in security with all that lot is like rubbing your belly and patting your head at the same time, while riding a motorbike. So, let's make it easy on ourselves. Application firewalls!

Earthquakes and Cyclones

Thu, 15 May 2008 15:37:35 +0000

50,000 killed in China, 120,000 killed in Burma. It puts a hard day at the office into perspective.

Passwords, crocodiles, and air disasters

Thu, 15 May 2008 04:45:00 +0000

What do air disasters and password policies have in common? They were both the subject of anecdotes at last nights IISP lecture on "Security awareness - promoting long term behavioural change" presented by Martin Smith of The Security Company. Martin was making the point that everybody in an organisation is a stakeholder in information security, and that most businesses are rubbish at getting the right messages across. A copy of the employee handbook, a leaflet and a poster saying "Be Secure" with a picture of a padlock on it do not make for an effective and meaningful security awareness program. The point was that we need to emphasise messages in terms the business understands. For example, if you lose a pound then that's one pound profit gone which probably took ten pounds revenue to generate. Therefore you need to make another ten pounds to make that same pound profit back. In fact, you need to make twenty pounds because the first ten now only covers your original loss. Make sense? The password anecdote related to an organisation that fired somebody because he intentionally shared his password with a colleague to, apparently, facilitate a business related task. I can't vouch for all the facts but certainly strict and dogged adherence to policy is not always effective. Beat employees up with too big a stick and you're likely to end up with lots of disgruntled employees who care little for your security regime. The air disaster was an example of how lots of seemingly unimportant events (lots of little chickens) came together and resulted in a mid-air collision (the crocodile). At any point prior to the incident, somebody should have either raised issues or adjusted their behaviour. Human factors caused the disaster, not technology. An all to real example highlighting the fact that not one single recent data breach has been because of a technology failure. It's human factors each and every time.

Impact Factory

Wed, 14 May 2008 07:00:00 +0000

I spent yesterday in the company of Jo Ellen Gryzyb and Doug Osbourne of Impact Factory on their excellent presentation skills course. The course was a revelation: rather than being a critique of any bad habits, the course focuses on existing strengths and provides a number of tools for making best use of them. I know that the next time I stand up in front of an audience I'll be able to talk with a lot more confidence and to far greater effect.

Good presentation skills are an important and valuable asset. Selling the benefits of an information security program or project can be challenging so it's good to be armed with a good set of techniques for getting across the right messages regardless of audience or the amount of time available.

Data Loss Epidemic

Tue, 13 May 2008 04:30:00 +0000

Most UK companies are losing data every month a survey has found. The majority of UK businesses, 79 per cent, are losing data at least once per month, according to the survey of 250 senior IT staff at businesses larger than 1,000 staff.. Read the rest of the article here. The results of such surveys are great marketing for companies such as CA with their portfolio of threat management tools. I suppose the question is how you define "losing data." One record or a thousand records? Do you want to count every lost USB stick and mobile phone? Perhaps you should if they are likely to contain private data. Most of the problem is that we don't know where all our data is. There's no neat perimeter - it's everywhere from in your pocket to the third party company that does your mailshots. Personally I'd prefer to not play on scare stories and wild statistics. There's a change of attitude required. We're not going to solve data security problems with technology alone and it's not simply an IT problem. It's culture, training, awareness, and technology. We need people to start asking how to protect data rather than waiting to be told.

HSBC lose a server

Mon, 12 May 2008 04:00:00 +0000

Another reported theft of a server containing customer data . This time from the HSBC bank in Hong Kong. "The bank said it had lost track of the server during renovation work at a Kwun Tong district branch in east Kowloon on April 26. Police are investigating and say the server was stolen. " Read all about it here and there's more here. This is a really careless way to lose data. I thought it might be fun to read the bank's own statement on data security.

Security is our top priority. The Hongkong and Shanghai Banking Corporation Limited ('the Bank') will strive at all times to ensure that your personal data will be protected against unauthorised or accidental access, processing or erasure. We maintain this commitment to data security by implementing appropriate physical, electronic and managerial measures to safeguard and secure your personal data.

Each visit I make to a business unit, one of the first things on my agenda is a visit to the server room where I'll check everything from the access log to the temperature of the air conditioning. Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over. Risks increase if your office is within a building shared with numerous other businesses such as the case with this branch of HSBC in Hong Kong. I recall one particular far eastern office I visited not too long ago. The main door to the server room was locked fast and the IT manager took delight in demonstrating how secure the room was. Walking around inside the server room I noticed another door. "Where does that one lead to?" I asked. "Outside" was the response. "Is it secured?" was my next question. "Yes" the manager replied, "the sticky tape holds it shut."

Insider Threats: the biggest Information Security risk

Sat, 10 May 2008 11:00:00 +0000

It's a fact that most crimes are committed by people known to their victims. Similarly, businesses are most at risk from former and current employees. Most commonly when thinking about information security we consider how to prevent intrusion into our business from the outside. The facts and statistics tell a different story. 62% of large businesses in the UK (source: DTI/PWC Insider Threat Report 2006) have dealt with a security incident instigated by a current or former employee. I've been writing up some of my research into insider threats in the form of a paper describing the risks posed to a fictional multinational company, Acme Widgets plc. You can download the paper for free here. If you'd like to leave me feedback or would like more information about insider threats, write to the email address within the digital signature at the end of the document. If you'd like to make a donation in return for downloading the paper, please give to Children in Need.

Laptop encryption

Fri, 09 May 2008 01:00:00 +0000

How much confidential business data has been compromised over the years as a result of the theft of laptop computers? It's a good question if you ask me because we're all under pressure to ensure that mobile computing devices employ encryption to ensure that appropriate risks are mitigated in the event of them being lost or stolen. Such pressure mounts when we also see organisations being fined when laptops go missing. For instance The Nationwide Building Society got hit last year for nearly £1m when a device that was taken from an employees home "contained confidential customer information and may have put millions at risk of identity theft." Full story here. Chances are that this was a nothing more than a random burglary committed by thieves who probably don't even have opposing thumbs capable of opening the lid. So, the chances of them being able to get any data out of it are slim. Most likely is that the drive was formatted by the new owner after it was sold for a quid and that it's now being used by a local education authority somewhere, in west Africa. As also stated on this blog, the "majority of laptop thefts are not targeted, they're just carried out by someone who sees the laptop as a portable asset that can be easily resold." But, let's suppose that the theft could have been targeted, and somebody could specifically have been after the data. A real enough scenario for some organisations. Encryption certainly mitigates the risk up to a point. However, if such effort is going into capturing a device then you can bet that some forethought would also be going into obtaining the relevant keys. For a good example, remember the case where car thieves cut off the index finger of the owner of a Mercedes in order to get around the biometric security. Where there are motivated, capable, and dangerous adversaries, operating for profit, then is your personal safety worth holding out on the password to your laptop? In my mind, a much better solution is to keep confidential data off mobile devices in the first place. But let's come back to the original point and question: How much confidential business data has been compromised over the years as a result of the theft of laptop computers? I don't know and it doesn't matter because if your laptops get stolen, and if they contain confidential or personal data, and if you have not used encryption, then you're stuffed because if the Press don't get you then the regulators will, and when encryption is so cheap and easy to implement these days then you've just been neglegent. So, in fact the biggest risks to your business may well be from the negative perception and the resulting fines and damage to your reputation than from the probability of the data being compromised and used. That is good enough reason even if you, like me, don't rate highly the risk of data actually being compromised in this way. So now all you have to do is choose your encryption product. And that's another story....

Peter Gabriel Web Server Stolen

Wed, 07 May 2008 09:00:00 +0000

Reported on Slashdot today is the news that Peter Gabriel's web server has been solen from the data center where it was being hosted. I have my own thoughts on a possible motive; mostly related to some of the dreadful noise he's produced over the past 30 years. Physical security has been a previous topic of this blog (see entry from 10 Dec 2007). 1. Don't make assumptions about third party security controls. Check them for yourself. 2. Make sure your incident response plans include actions to take in the event of critical equipment being stolen. Some good guidance on physical security for small businesses here on GetSafeOnline. Some further related information here.

Microsoft Senior PC - not just for the elderly

Tue, 06 May 2008 15:00:00 +0000

My mother-in-law is, to give her some credit, an intelligent lady. However, faced with an upgrade from Windows XP to Vista and IE7 from IE6 and you have a situation akin to explaining quadratic equations to a two year old. Both circumstances will result in heavy objects being thrown around in frustration. So, the idea of Microsoft to provide a range of "Senior PC packages" is, in my mind, borderline genius and something I wish I had thought of first. Computer Weekly mock the idea in this weeks magazine, something I think is very unfair given that I'm sure some of their editorial team are getting on a bit and would probably be able to make good use of the built-in prescription software... If home computing can be made as easy as taking the PC out of the box, plugging it in and turning it on (not a word from the Mac users please - I know you've been able to do this for years) then that's to be encouraged for everyone, not just the elderly. And if it stops the "support" calls from my mother-in-law then that's priceless!