Don’t Let Non-IT Employees Do Pen Testing

An article in SC Magazine caught my eye today. It was on using social engineering techniques to reinforce the importance of security to employees. Article: SC Congress Canada: “Social engineer back” employees

“This could be interesting….” I thought to myself. And it was… And I was right there with them until I read this:

“…challenges with prizes, such as being the first employee to walk over to a co-worker’s unlocked computer to send an email from their account without them knowing.”

Seriously?

So let me get this straight. John Proctor of CGI Group is advocating that employees perform pen testing on each other and gain unauthorized access to email.

Again… Seriously?

It should be a violation of security policy, and perhaps state, federal and industry regulations (depending on the industry and the data), for an employee to leave a computer unattended. It is a vulnerability that can be exploited – obviously, not a good thing. In fact, I’ll go so far as to say it’s a stupid and lazy thing for someone to do.

But…

…To tell untrained employees to exploit vulnerabilities?

…To take that step from identification of a vulnerability to an actual data breach, if the employee does not have the same access as the victim? Or worse, what if they accidentally (or maliciously) send sensitive data outside the company?

That’s negligent at best and criminal at worst.

I’ve got an idea… Let’s leave pen testing to the professionals and not encourage employees to hack into coworkers’ computers, ok?

Active Authentication

DARPA is looking at a new way of authentication that does not rely on passwords, tokens, or standard biometrics. Active authentication hopes to be able to identify and perform continuous real-time authentication on individuals based on patterns of behavior identifiable by software-based biometrics. They refer to these patterns of behavior as a “cognitive fingerprint.”

Typing and mouse use habits could be used to form this fingerprint, and that seems pretty straightforward. I’ve got some typing quirks that would probably make my high school typing teacher apoplectic, like never using the right shift, alt or control keys. I’ve also got my own quirky ways of using the mouse. I also like certain applications open in certain locations on my screen, and probably have a dozen more computing habits that could be monitored by software that would have a reasonable chance of identifying me as me.

But (there’s always a “but”)… I’m wary of anything that relies on physical biometrics, even if they are behavioral, due to issues with accessibility. Some medical conditions create physical limitations that are not consistent from one day to the next. People with arthritis or who have suffered from a stroke may have good days and bad days – sometimes the digital dexterity is there, sometimes it’s not.

They also may look, according to the program site, at “how the user crafts written language in an e-mail or document.” I’d be very interested in seeing how this one fares in empirical testing. I don’t know about you, but my writing style adapts to my audience. Voice (active or passive), vocabulary, reading comprehension level… it all changes.

I must say, though, that I’m looking forward to what they come up with. Passwords can be guessed, cracked, or beaten out of us, tokens can be stolen, and the Mythbusters were able to fool fingerprint scanners with some special effects tricks.

I wonder how it will fare against identical twins… or method actors.

101: Risk Management Basics – Risk Response Options

Risk management is the process of identifying, analyzing, prioritizing and responding to risks. There are five standard risk response options:

Avoidance

Risk may be avoided by eliminating the cause of the risk, such as eliminating business processes or shutting down systems that can’t be secured. Avoidance is used when organizations are unwilling to accept, transfer, mitigate, or deter the risk. While certainly the most effective way of reducing risk, it is not always practical.

Transference

The burden of risk (i.e., the loss) can be transferred to another entity. Most often, this is done by purchasing insurance, but outsourcing can also be a way of transferring risk. When outsourcing, it is important to remember that you can transfer the burden of risk, but not legal responsibility. Transference is sometimes referred to as risk sharing.

Examples of IT-Related Insurance:

  • Computer Crime – covers loss of property, including monetary and intellectual property incurred due to computer crime.
  • Software Design Errors and Omissions – professional liability coverage covering loss due to design errors.
  • Property – covers loss of property (i.e., buildings and contents, including computing equipment) due to theft, fire, or other covered events.

Acceptance

Prior to acceptance of the risk, the organization must acknowledge and understand the impact (i.e., consequences). This may be the appropriate response when the cost of mitigation is greater than the loss incurred. Each organization has a level of risk it is willing to accept, referred to as risk appetite or risk tolerance. It is important to note that some risks cannot be accepted due to law or regulation (e.g., HIPAA, GLBA, FISMA).

Risk response options other than avoidance usually result in some risk remaining. The organization is typically forced to accept this residual risk.

Mitigation

Risk mitigation involves applying controls that limit impact (consequences) or reduce likelihood. Examples include applying security patches and hotfixes and installing/updating anti-malware software. Risk analysis must be performed to ensure that the cost of the mitigation does not exceed the impact from loss.

Deterrence

Risk can be deterred by applying controls that discourage threats from occurring. Examples of controls include security policies and procedures, physical security controls and accountability controls such as individual user accounts and audit logs.

Both deterrent and mitigation techniques are needed to reduce overall risk.
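The cost comparison that the acceptance and mitigation sections describe can be made concrete. The following is an added example, not code from the original post, that models each risk as a likelihood and an impact, estimates expected loss as their product (an assumption; the post gives no formula), and picks a response in the order mitigate, transfer, accept, avoid. The `regulated` flag stands in for the post's point that some risks cannot be accepted under law or regulation; the sample risks and figures are constructed for illustration.

```python
"""Added example: selecting a risk response option from cost and impact.

Assumptions not stated in the post:
  * expected loss = likelihood * impact (likelihood is per-year, impact in currency units)
  * a mitigation is described by its cost and the likelihood/impact it leaves behind
  * risks marked `regulated` may not be accepted, so cost is not decisive for them
"""
from dataclasses import dataclass, field
from typing import List, NamedTuple


@dataclass
class Mitigation:
    name: str
    cost: float
    residual_likelihood: float  # likelihood after the control is applied
    residual_impact: float      # impact after the control is applied


@dataclass
class Risk:
    name: str
    likelihood: float           # 0..1, chance of occurrence per year
    impact: float               # loss if the event occurs
    regulated: bool = False     # acceptance not permitted (e.g. HIPAA, GLBA, FISMA)
    transferable: bool = False  # insurance or outsourcing is available
    mitigations: List[Mitigation] = field(default_factory=list)


class Response(NamedTuple):
    option: str                 # "mitigate", "transfer", "accept" or "avoid"
    residual_expected_loss: float
    detail: str


def expected_loss(likelihood: float, impact: float) -> float:
    return likelihood * impact


def choose_response(risk: Risk) -> Response:
    baseline = expected_loss(risk.likelihood, risk.impact)

    # Evaluate every mitigation: what it leaves behind, and whether it pays for itself.
    best_net, best_net_m, best_net_residual = float("-inf"), None, baseline
    lowest_residual, lowest_residual_m = baseline, None
    for m in risk.mitigations:
        residual = expected_loss(m.residual_likelihood, m.residual_impact)
        net_benefit = baseline - residual - m.cost
        if net_benefit > best_net:
            best_net, best_net_m, best_net_residual = net_benefit, m, residual
        if residual < lowest_residual:
            lowest_residual, lowest_residual_m = residual, m

    if risk.regulated:
        # Acceptance is off the table; apply the strongest control or avoid the activity.
        if lowest_residual_m is not None:
            return Response("mitigate", lowest_residual,
                            f"{lowest_residual_m.name} (mandatory; cost not decisive)")
        return Response("avoid", 0.0, "regulated risk with no available control")

    if best_net_m is not None and best_net > 0:
        return Response("mitigate", best_net_residual, best_net_m.name)
    if risk.transferable:
        return Response("transfer", baseline,
                        "insure or outsource; legal responsibility remains")
    return Response("accept", baseline, "mitigation would cost more than the expected loss")


# Constructed sample risks (illustrative figures, not real data)
SAMPLE_RISKS = [
    Risk("Unpatched web server", likelihood=0.5, impact=100_000.0, mitigations=[
        Mitigation("monthly patching", cost=8_000.0,
                   residual_likelihood=0.05, residual_impact=100_000.0)]),
    Risk("Office printer outage", likelihood=0.3, impact=2_000.0, mitigations=[
        Mitigation("redundant printer", cost=1_500.0,
                   residual_likelihood=0.05, residual_impact=2_000.0)]),
    Risk("Unencrypted PHI backups", likelihood=0.2, impact=500_000.0, regulated=True,
         mitigations=[Mitigation("encrypt backups", cost=120_000.0,
                                 residual_likelihood=0.01, residual_impact=500_000.0)]),
    Risk("Laptop theft", likelihood=0.4, impact=10_000.0, transferable=True),
]


def plan(risks: List[Risk]) -> dict:
    """Map each risk name to its chosen response."""
    return {r.name: choose_response(r) for r in risks}


if __name__ == "__main__":
    for name, resp in plan(SAMPLE_RISKS).items():
        print(f"{name:28s} {resp.option:9s} residual={resp.residual_expected_loss:>10,.0f}  {resp.detail}")
```

Note that the printer mitigation is rejected because it costs more than the expected loss it removes, while the PHI risk is mitigated regardless of cost because the `regulated` flag removes acceptance as an option, which is the post's point about HIPAA, GLBA and FISMA.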

101: Threat Assessment vs Vulnerability Assessment

Threat assessments and vulnerability assessments are both integral parts of the risk assessment process. Together, they are used to prioritize targets based on the greatest risk, so the organization will know where to focus its efforts with regard to security controls and risk mitigation.

Threat Assessments

A threat assessment consists of a threat definition and a subsequent analysis. Threat definition is basically a three-step process.

Step 1: Identify Adversaries

Adversaries are generally characterized into categories such as insiders, outsiders, or outsiders with the assistance of insiders.

Within each category, adversaries can be further broken down into classes such as terrorists, criminals, activists, and hackers (outsiders). If individual adversaries have been identified, these should be included as well.

Step 2: Characterize the Adversaries

Characterization involves identifying the motivations, goals, tactics and capabilities of adversaries. This information can be gathered from intelligence sources including past incidents, crime studies, government reports, and other published literature.

Step 3: Evaluate Targets from the Perspective of the Adversary

Targets, such as assets, are then evaluated from the perspective of the adversary in order to determine the likelihood and possible actions (e.g., theft, sabotage, collusion) that could be taken. After the threats are defined, they can then be analyzed in order to determine the likelihood and impact of adversary actions against particular targets.

Vulnerability Assessments

A vulnerability assessment uses information from the threat assessment, so it cannot be conducted until the threat assessment has been completed. A vulnerability assessment is also a three-step process:

Step 1: Identify and evaluate the potential actions of an adversary against a target

Scenarios can be used in order to describe the potential actions that can be taken against a facility or individual targets within the facility, or assets can simply be listed and evaluated.

Step 2: Identify and evaluate the existing security measures

Each security control applied to a target should be identified and evaluated for effectiveness. This can be a daunting task for the first assessment.

Step 3: Identify and analyze the potential vulnerabilities discovered in steps 1 and 2

Worksheets play a major role in vulnerability assessments. Items on the worksheet are rated from Very Low (1) to Very High (5) in order to perform a more quantitative analysis on the data. Rated items include the severity of the consequences, the threat level, the attractiveness of the asset, and the severity of the vulnerability. New countermeasures can be recommended at this point, based on the vulnerabilities discovered in step 3.
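The worksheet described above, as an added example that is not part of the original post: each target is rated on the four items the post names (severity of consequences, threat level, attractiveness of the asset, severity of the vulnerability) on the post's Very Low (1) to Very High (5) scale, and the targets are then ranked so the organization knows where to focus. The post does not say how the four ratings combine; this example multiplies them (an assumption), so a rating of 1 on any item pulls a target down sharply. The sample worksheet rows are constructed, not real assessment data.

```python
"""Added example: a vulnerability-assessment worksheet with 1..5 ratings and a risk ranking.

Assumption: the combined score is the product of the four ratings (range 1..625);
the post only specifies the rating scale, not the combination rule.
"""
SCALE = {"Very Low": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}
ITEMS = ("consequence", "threat", "attractiveness", "vulnerability")


def rating(label) -> int:
    """Convert a worksheet label, or an int already on the 1..5 scale, to its number."""
    if isinstance(label, int):
        if 1 <= label <= 5:
            return label
        raise ValueError(f"rating out of range: {label}")
    try:
        return SCALE[label]
    except KeyError:
        raise ValueError(f"unknown rating label: {label!r}") from None


def risk_score(row: dict) -> int:
    """Product of the four item ratings for one worksheet row."""
    score = 1
    for item in ITEMS:
        score *= rating(row[item])
    return score


def rank_targets(worksheet: list) -> list:
    """Return copies of the rows, each with a 'score' key, highest risk first."""
    scored = []
    for row in worksheet:
        r = dict(row)
        r["score"] = risk_score(row)
        scored.append(r)
    scored.sort(key=lambda r: (-r["score"], r["target"]))
    return scored


def countermeasure_candidates(ranked: list, top_n: int = 2, min_vuln: int = 4) -> list:
    """Among the top-ranked targets, those whose vulnerability rating is High or above;
    these are where new countermeasures are recommended first."""
    return [r["target"] for r in ranked[:top_n] if rating(r["vulnerability"]) >= min_vuln]


# Constructed sample worksheet (illustrative ratings only)
WORKSHEET = [
    {"target": "HR records server", "consequence": "Very High", "threat": "High",
     "attractiveness": "High", "vulnerability": "Moderate"},
    {"target": "Lobby kiosk", "consequence": "Low", "threat": "Moderate",
     "attractiveness": "Low", "vulnerability": "Very High"},
    {"target": "Backup tapes in unlocked cabinet", "consequence": "Very High", "threat": "Moderate",
     "attractiveness": "Moderate", "vulnerability": "Very High"},
]


if __name__ == "__main__":
    ranked = rank_targets(WORKSHEET)
    for r in ranked:
        print(f"{r['score']:4d}  {r['target']}")
    print("recommend countermeasures for:", countermeasure_candidates(ranked))
```

Rejecting unknown labels in `rating` matters in practice: a worksheet cell left blank or misspelled would otherwise silently drop out of the ranking, and the kiosk example shows why the combined score, not the vulnerability rating alone, drives priority.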

101: Types of Security Controls

Risk can be mitigated or deterred by the application of security controls. Security controls can generally be categorized as technical, management or operational.

Technical Controls

Technical controls are designed to secure networks, IT systems and data. Examples include:

  • Security software
  • Logical security controls
  • System architecture
  • Perimeter controls
  • Security appliances

Management Controls

These are high-level guidelines, standards and policies that align with the organization’s goals and provide a framework for operational procedures.

Operational Controls

These documented processes and procedures are used to reduce vulnerabilities in business functions. They are based on management controls and designed using technical controls.