The Security Viewpoint - News and opinion on information security, data breaches, and compliance



Journey to the cloud: three perspectives

Given the phone hacking scandal, it’s unusual to find News Corp and the Metropolitan Police in the same room these days, but it happened this week when representatives from both organisations, plus one from the BBC, shared a platform to discuss their plans for the cloud.

The three people were on a panel at the Hosting & Cloud Transformation Summit in London, organised by 451 Research, and all of them have big plans for moving much of their computing into some kind of cloud platform.

By far the most advanced was News Corp, which has already shifted around 30% of its systems into the cloud; and that figure could rise to 80%, according to Ian McDonald, the company’s head of infrastructure and cloud (a job title like that is a big clue to the organisation’s direction of travel). He said the company has adopted Google Mail, Google Apps, Salesforce and the Remedy cloud-based service-desk application, and also uses Amazon’s infrastructure as a service (IaaS) offering. Users loved the new model, he said, because it had replaced some creaky old applications and Exchange servers that had been constantly breaking down.

The only thing holding back faster progress is the need to wring some value out of a major hardware refresh that took place three years ago. Once that investment has been written off, he said, many more applications and systems can move into the cloud.

The BBC’s strategic infrastructure manager John Beaver was far less gung-ho about the subject, although he is currently looking at where the cloud could be used effectively. He said the corporation has developed a process to assess the sensitivity of any data that might be put on to a cloud service, mainly because BBC correspondents have secret sources they have to protect. He was worried, he said, that the US authorities would be able to force US-owned cloud service operators to disclose such information under the terms of the Patriot Act. He also felt that many of the BBC’s legacy applications would be hard to switch into the cloud.

The Met Police are also at an early stage of investigation, but they do have a head of strategic cloud, Roger Saint, and he thinks that up to 60% of the force’s applications could end up in some form of cloud, either full public cloud or a community-based service hosted in the UK. He said the cloud offers “a once in a lifetime opportunity” to make some radical changes, and to break down the siloed applications of the past.

The force’s current managed IT contract comes up for renewal in December 2015, he said, and he wants to be in a position to make full use of the new IT provision model after that date. However, the business case for moving to the cloud is still waiting to be approved.

All three panellists agreed that any cloud usage has to be done with care and with the full knowledge that it can break down at any time. News Corp’s McDonald said “you have to work on the basis that anything can fail”. He said that the company regularly experienced disk failures and file corruption when using Amazon’s infrastructure as a service offering. “You still have to make back-ups,” he said. Although he said the Amazon service was great, and improving, it still had “an ugly underlying design, you can imagine a lot of it being held together with duct tape.”

Everyone also agreed on the need to encrypt data held in the cloud, and insisted that security remains the responsibility of the client. “Your security depends on how you design your services,” said McDonald, “But you must always expect and plan for the worst.”

Finally, all three called for better standardisation across services, so that companies can mix and match services from different providers. The Met’s Roger Saint said the force has been in talks with around 80 potential providers over six months, and running workshops on the various areas of risk. “We would need an ecosystem of vendors with an interoperable platform,” he said.

All three agreed the market is still a long way from being able to provide that yet.

Take care when spinning up new machines in the cloud

Infrastructure as a service (IaaS) is a very appealing concept. Instead of buying, installing, running and maintaining all your own IT equipment, you log into an IaaS service, give them your credit card number, and turn on as much computer power as you need for the job in hand. When the job’s finished, you just close the session and pay for what you’ve used.

But what exactly are you getting when you spin up a few servers in the cloud, and what happens to all that hardware when you’ve finished with it?

These were questions that interested researchers last year at the London-based pentesting company Context Information Security. They wanted to assess the security of servers generated on the fly by cloud service providers (CSPs), and they chose four major providers to test.

Not wanting to do anything underhand, the Context researchers contacted each of the companies and agreed terms for carrying out tests. Now, you would hope the providers would say something like “Do any test you like, because our systems are robust and we trust our own security.” But no, the CSPs placed a number of constraints on the researchers: they were not allowed to conduct any form of DDoS attack or hypervisor breakout attack. And they were also prevented from conducting any kind of test that would disrupt other customers of the service.

Undeterred, the researchers went ahead with all four providers, and even with the tight constraints under which they were working, they made some alarming discoveries. Virtual machines often lacked the latest patches, making them intrinsically insecure, and in some cases, it was possible for virtual machines to address disk space in other neighbouring VMs belonging to other clients of the CSP. Only one of the four provided a virtual firewall to manage traffic in and out of the VM.

None of the providers offered encrypted disk operation by default; none provided anti-virus; and all nodes supplied had default system passwords. Two of the four providers were found to have a fundamental flaw in their implementation of hard disk separation, which allowed the researchers to access other nodes’ data from their own virtual disks.

In one case, a new virtual machine created by one of the services contained information left over from the last customer to occupy that disk space. Michael Jordon, CTO for Context, described the information as “serious and significant unexpected content.” He can’t say more than that at the moment, because of a legal restraining order put on him by one of the providers, which is clearly worried about the damage it could do to their business.

It’s worth mentioning that the original research was carried out more than a year ago, and the detailed findings were published in a white paper in March 2011 [ http://www.contextis.com/research/white-papers/assessing-cloud-node-security ], but Context did not name the suppliers. Like any responsible security company, it reported the problems back to the providers and gave them six months to fix them. After six months, not much had changed and so Context agreed not to publish the names for yet another six months.

Which brings us up to early March 2012, when Context was planning to speak for the first time about the issues raised, and crucially, to give the names of those involved. At the last minute, one of the CSPs sent their top management and legal teams over from the US to negotiate with Context, and they managed to get a stay of execution on full disclosure till April 24.

The March presentation went ahead as planned, but with a lot of the slides blacked out. It revealed that two of the providers were Amazon and Gigenet, who obviously had no problem about the publicity, but the names of the other two will go public soon, provided no other legal sanctions are applied.

So what are the lessons to be learned from the exercise?

* If the IaaS providers are not 100% sure of their security, then you need to be equally sceptical. Assume that any virtual machine that you spin up will need to be hardened and properly patched before use. Treat it like any other Internet-facing server, and make it secure.

* Think about encrypting all data (at least all sensitive data) that sits on these machines. That way, if the information is not properly deleted and is seen by the next customer to occupy the disk space, it won’t cause a problem. In addition, any neighbouring VM that manages to peer into your system will just see encrypted files.
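The second lesson has a practical counterpart: before formatting or trusting a freshly provisioned volume, look at what is actually on it. The following is an added example, not code from Context’s white paper or from this post; it classifies each block of a raw disk image as zeroed, patterned, readable text or high-entropy data, so that leftover content from a previous tenant is detected rather than assumed absent. The image path and the sample contents are constructed; on a real system you would point `scan_image` at the raw block device (which needs the appropriate privileges).

```python
"""Scan a raw disk image for leftover (non-zero) content before trusting a new volume.

Constructed example: not part of Context's research or of the post above.
"""
import math
import os
import random
import tempfile
from collections import Counter

BLOCK_SIZE = 4096  # scan granularity: one filesystem-sized block per verdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an all-identical block, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes) -> str:
    """Label one block as zero, pattern, text, high-entropy or binary."""
    if not any(block):
        return "zero"                      # properly wiped (or never written)
    entropy = shannon_entropy(block)
    if entropy < 1.0:
        return "pattern"                   # e.g. a 0xFF fill left by a vendor wipe
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in block) / len(block)
    if printable > 0.9:
        return "text"                      # readable leftovers: logs, configs, records
    if entropy > 7.5:
        return "high-entropy"              # encrypted, compressed or random data
    return "binary"                        # anything else: executables, database pages


def scan_image(path: str, block_size: int = BLOCK_SIZE):
    """Return (block counts per label, list of (offset, label, first 32 bytes) for non-zero blocks)."""
    summary = Counter()
    leftovers = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            block = f.read(block_size)
            if not block:
                break
            label = classify_block(block)
            summary[label] += 1
            if label != "zero":
                leftovers.append((offset, label, block[:32]))
            offset += len(block)
    return summary, leftovers


def build_sample_image(path: str) -> None:
    """Write a constructed 8-block image: mostly zeros plus three kinds of residue."""
    zero = bytes(BLOCK_SIZE)
    record = b"customer_id=10042;email=sample@example.com;balance=199.00\n"  # constructed
    text = (record * (BLOCK_SIZE // len(record) + 1))[:BLOCK_SIZE]
    fill = b"\xff" * BLOCK_SIZE
    rng = random.Random(2012)  # seeded so the "encrypted-looking" block is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    with open(path, "wb") as f:
        for block in (zero, zero, text, zero, fill, zero, noise, zero):
            f.write(block)


def demo_scan():
    """Build the sample image in a temporary file, scan it and clean up."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_sample_image(path)
        return scan_image(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    counts, found = demo_scan()
    print(dict(counts))
    for offset, label, head in found:
        print(f"offset {offset:#x}: {label:13s} {head!r}")
```

A volume that is entirely "zero" or "pattern" blocks has been wiped; any "text" or "binary" hits on a brand-new volume are worth raising with the provider, and "high-entropy" blocks are indistinguishable from encrypted residue, which is exactly why encrypting your own data protects the next tenant from you.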

So does this mean we should avoid IaaS? Of course not. The economic benefits are far too enticing for the solution to be resisted. And for many companies struggling to maintain and back up their own in-house systems, a hosted service will probably deliver an improvement in overall security.

But customers still need to be very aware of what they are buying. A recent survey by the Computer Trade Industry Association (CompTIA) found that 61% of UK businesses described themselves as moderate to heavy users of cloud services, and yet only 24% said they conducted thorough security reviews of their suppliers, and 24% said they carried out few or no checks at all, and trusted their providers to be secure.

That high level of trust, it seems, could be sadly misplaced.

 

It’s so easy to breach the Data Protection Act

The latest case [ http://www.ico.gov.uk/news/latest_news/2012/university-published-personal-data-in-online-training-manual-01032012.aspx ] to appear on the website of the Information Commissioner’s Office (ICO) shows just how easy it can be to break the law.

Last year, someone at Durham University decided to upload some training manuals on the University’s website, and included some screenshots for illustrative purposes. Unfortunately, the person used live data from the screens holding the personal details of real people, rather than coming up with fictitious names.

Furthermore, it took a few months before anyone noticed the error, at which time the University duly reported the incident to the ICO. By doing so, it has avoided incurring a fine, but has had to make a public undertaking on the ICO website that it will mend its ways and change its procedures.

The undertaking details the events, but also highlights the fact that only 20% of the staff at the University had received any training in the handling of personal data. Apparently, departmental representatives had received training, and it was assumed that they would go back and spread their word amongst their colleagues. No record was kept of that happening, and clearly it did not happen in some cases.

The University has therefore now undertaken to ensure that all staff who handle personal data have the appropriate training - and importantly, it will monitor and record the fact that staff members have been trained. Documentation, we should remember, is a major part of any compliance regime.

The big lessons for any other organisation handling personal data are:

* Protect the data

* Train staff to protect the data

* Keep a log to show you’ve trained staff to protect the data

So what do I need to be a CISO?

Here’s a test. You decide your company’s security defences need strengthening, and you need to get budget approval for a new security incident and event management system, which, as we know, is quite expensive.

Which of these two proposals most closely matches what you would say to the board?

1. I need to deploy SIEM because it will enable log correlation and we will be able to manage intrusion prevention and facilitate cyber forensics and automation of processes.

2. One hour of downtime to the XX server equates to £XX in lost revenue and a X% increase in customer complaints. Expected failure of the server for the next quarter is estimated to be x hours due to downtime and clean-up work. If we can automate the process, we can mitigate risk, cut downtime by X% and clean-up expenses by X%. The proposed investment is £X, providing a return on investment within x months.

Hopefully, you all chose the second one.

My example is based on one given recently by Neira Jones, head of payment security for Barclaycard, who was talking about the new role of the CISO in modern business. In her view, the new CISO needs to be a very different animal from even just five years ago, and the requirements look pretty demanding.

She characterised the differences as follows (yesterday’s CISO comes first, followed by the new CISO):

* Subject matter expert / trusted adviser

* Analyst / facilitator and leader

* Technical risk expert / risk manager

* Individual contributor / integrative business thinker

* Chief InfoSec Officer / Chief InfoSec & Risk Officer

* Administrator / strategist

* Manager / visionary

* Insular / evangelist and educator

* Focus on risk of loss / take risks to meet business objectives

So how do you think you match up? Jones said she could count on the fingers of one hand the people that currently fit the description, which by anyone’s reckoning, is pretty ambitious.

If, however, you feel that your own skill set might need a bit of, let’s say, repolishing, do not despair.

Following Jones on to the podium at the same conference was Professor Kevin Jones of the City University in London, who is soon to launch the first Professional Master’s course in Information Security & Risk. Aimed at people with a good technical grounding and experience, the course is the first (he says) to focus on all the soft and fluffy stuff that the modern CISO now needs to know about in order to be heard, listened to, and to win influence in the board room.

The course starts in September, and Jones (Kevin, that is) expects maybe a dozen people to partake in the first year. It consists of eight modules over two years, and the annual cost is £7,500. It will be taught part-time, with students working in peer groups, incorporating some evenings and weekends in order to allow them all to carry on with their careers.

Professor Jones says the idea is to equip students with the skills to present the “big picture” of security, focusing on how to present risk and cost assessments, and without getting bogged down in technical details.

Can you afford not to enrol?

Privacy policies are no simple matter

There’s a lot of talk about privacy in the security world, and we all tend to think we know what we mean by it.

But a new study [ http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf ] carried out by the European Commission shows that even within the borders of Europe, attitudes to privacy vary sharply between countries.

Running to 330 pages, the report is a major piece of work, and drills down into the way different nations treat their privacy on the Internet, and who they think should be responsible for it. For example, the Spaniards, more than any other nation, believe the state should enforce the protection of their information on social networking sites, while very few Irish take that view.

But what is private information? Attitudes vary according to age, social class, and of course between countries. The British, for instance, have a reputation for secrecy about their financial affairs, but it turns out the Danes, the Dutch and the Irish come top when it comes to keeping financial data personal. The Poles, by contrast, seem much more relaxed about people knowing how much they earn, and yet when it comes to disclosing their home address or their name, they guard that information more than any other nation.

When it comes to medical history, you’d expect every country to score highly, but no. The Irish, again, come out top for protecting medical records, while Poland comes bottom.

Poland’s next-door neighbour Germany is often cited as the country with the most comprehensive privacy laws, and indeed it scores quite highly across the board. But while the Germans do not top the list when it comes to medical or financial data, they appear to care much more than any other country about protecting their photographs, their mobile phone number, work history, friends’ names, tastes and opinions, and even their hobbies.

The figures make fascinating reading, and it is clear that many countries’ attitudes to privacy are shaped by their history. The Poles lived under Nazi oppression followed by Soviet rule for many years, so it’s little wonder that they put so much value on their name and address as personal information. But history doesn’t explain everything - the British score higher than average in every single category of information, and not far behind Poland when it comes to protecting their home address. That could be because of the high level of Internet usage, and therefore a higher level of security awareness.

However, the report found that the more people understood how to manage their information and data on the Internet, the more likely they were to take control and apply privacy settings, for instance, in social networking sites. People who didn’t apply privacy settings, it turned out, often had no idea they could do so, or they just trusted the site to look after them.

Ignorance continues to be the greatest barrier to security, and education continues to be the best way to let people protect the information they choose to value.

SAML is the answer to cloud security woes

There was a big turnout for the session on cloud security on the opening day of the RSA Europe 2011 conference held in London this week. The subject is clearly on a lot of people’s minds.

One of the biggest challenges in the cloud is strong authentication of users, a subject that has long preoccupied one of the panellists, Paul Simmonds, a founding member of the Jericho Forum, and a former CISO at ICI and Astra Zeneca. He began by issuing a question to the audience, “How many of you use SAML assertions?”

Just two hesitant hands rose up from the large crowd.

“Who knows what SAML assertions are?” A couple more hands went up.

SAML - the Security Assertion Markup Language - is a basic building block of single sign-on, and a means of allowing a user to sign on to multiple systems without needing to remember a load of different passwords. And Simmonds is a very strong advocate of the standard, and is keen to promote it to cloud service providers.

The prime reason is that we are already drowning in passwords. As he says, whether collaborating in the cloud or directly with third parties, companies need to be able to rely on strong identities. And SAML assertions provide a standard approach to making it happen.

His advice to all was to start by using SAML for internal systems to provide users with SSO. “Astra Zeneca was one of the most well integrated of organisations I know for SSO, but we still had a lot of corporate systems that required different IDs,” he said. “If you can’t manage this issue internally, you won’t manage it out in the cloud.”

So his big message for all the audience, when they returned to their offices, was to ask why they were not using SAML already. By adopting the standard internally, corporate systems would work more securely, he said, and companies will also be better prepared to move systems out to the cloud.

“If cloud suppliers have a groundswell of demand for SAML support, they will provide it, and it will help deliver a single strong identity,” Simmonds said. Salesforce offers it now, and so do Google Apps, so there seems to be a momentum building that will continue if customers demand it.
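The SSO a SAML assertion delivers is only as strong as the service provider’s checks on it. As an added example (not code from the post, the Jericho Forum or any IdP or SP product), the following validates the conditions of a constructed SAML 2.0 assertion the way a relying application should: the issuer must be the IdP you trust, the validity window must contain the current time, the AudienceRestriction must name your own service, and only then is the Subject mapped to a local account. It assumes the assertion’s XML signature has already been verified against the IdP’s public key; the issuer, audience and subject values are constructed.

```python
"""Validate the conditions of a SAML 2.0 assertion before accepting it for SSO.

Constructed example. Assumes the assertion's XML signature (ds:Signature) has
already been verified with the IdP's public key; without that, none of these
checks carry any weight, because the attributes could have been altered.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml.ElementTree

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed assertion: an IdP vouches that alice may use the CRM service for five minutes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-0001"
    Version="2.0" IssueInstant="2011-10-11T09:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-10-11T09:00:00Z" NotOnOrAfter="2011-10-11T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-10-11T08:59:30Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       clock_skew=timedelta(0)):
    """Return (accepted, reason, subject). Every failed check rejects; nothing is a warning."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion element", None

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}", None

    conditions = root.find("saml:Conditions", namespaces=NS)
    if conditions is None:
        return False, "assertion carries no Conditions", None
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + clock_skew < parse_saml_time(not_before):
        return False, "assertion not yet valid", None
    if not_on_or_after and now - clock_skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired", None

    # The audience check stops an assertion issued for one service being replayed at another.
    audiences = [a.text.strip() for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", namespaces=NS) if a.text]
    if not audiences:
        return False, "no AudienceRestriction: assertion could be replayed elsewhere", None
    if expected_audience not in audiences:
        return False, f"assertion addressed to {audiences}, not to us", None

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "no Subject/NameID to map to a local account", None
    return True, "ok", subject.strip()


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com/idp",
                             "https://crm.example.com/sp",
                             parse_saml_time("2011-10-11T09:02:00Z")))
```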

Other tips from the session:

* Avoid vendor lock-in. Check you can get your data out if you hit problems with the cloud service supplier. “The first rule of outsourcing is to have an exit strategy,” said Simmonds.

* Check the Cloud Security Alliance’s new Security, Trust & Assurance Registry (STAR). The CSA is building a global registry of vendors to gather basic information about them. This will allow customers to check what they do. Panellist Chris Hoff, chief architect at Juniper Networks, said it was a pragmatic approach to the problem. “We are trying to get them all to sign up, and it means that customers can demand to see their STAR registry listing,” he said.

Fancy working for MI5?

There was a time when the secret services recruited their spies almost exclusively from Cambridge University, but in these more enlightened days, they just put an ad in the papers like any other employer.

This last weekend, several papers carried a full page advertisement from MI5 - which didn’t give much detail but invited readers to go to www.mi5.gov.org/careers for more information.

Unsurprisingly, it turns out there are plenty of roles vacant at the moment for information security specialists - ranging from penetration testers to network forensics specialists and security architects.

Regular viewers of “Spooks” on BBC TV will know exactly what’s required, of course. As the job ad says “Ours is a fast-paced environment, so you must be flexible and able to adapt to ever changing priorities, including working out of hours at short notice when required.”

Salaries aren’t bad either for some roles - as an infrastructure or application architect, you might earn £80,000. However, a lowly network forensics analyst might have to start on £27,250 - on the same rate as a carpenter (yes, they’re looking for carpenters too), except that the carpenter gets paid for any overtime.

If you’re tempted to apply, however, don’t tell the world, no matter how much you might be tempted. As the ad makes clear “Discretion is vital. You should not discuss your application, other than with your partner or a close family member.” Also applications can take up to six months to process, so don’t hand in your notice quite yet.

Making the most of SSL - at last

Twitter’s decision to allow users to opt for HTTPS as their preferred connection protocol marks an important step forward for users, and for their awareness of security. Granted, you do have to hunt through the ‘account settings’ to make it happen, but once done it ensures that users doing their Twittering over a public WiFi network, for example, cannot have their messages and their accounts hijacked by attackers using tools such as Firesheep.

Facebook also offers the same option, if you know where to look for it, and has also been beefing up the help and advice it gives to users (if they choose to look). Its latest offering is a PDF guide to security, which, although aimed primarily at children, parents and educators, should become standard issue to any employee working in an office where Facebook is allowed. The guide is downloadable here

But this also raises another point about the use of SSL. We tend to think that it just works, like the plumbing, but it ain’t necessarily so, according to research carried out by the people at Qualys, better known for its vulnerability management services.

The company’s director of engineering Ivan Ristic has created a test that enables him (or you, if you go to his website at www.ssllabs.com) to test the configuration of any website on the planet that is using SSL. You just go to the SSL Labs website, type in the domain name of the site you want to test, and within a minute or so it will give you a rundown on how well it is configured. Try it with your own site, or your online retailer or bank.

Anyway, Ristic decided to carry out a big test. Using the Alexa service to identify the most popular million websites in the world, he identified which of them used SSL. This gave him around 300,000 sites to aim at.

So he pointed his tool at them and ran the test, rating them on a scale of A (for secure) down to E. Only 32% of the sites scored an A, while the rest demonstrated serious flaws that made them in some way vulnerable.

Some were just running SSL version 2, which is old and insecure, and probably came packaged with their web server. Around 60% were configured to allow weak encryption, making them less secure. The same proportion did not encrypt usernames and passwords, thereby making them open to a man-in-the-middle attack.

“The only way to solve the problem is to enforce 100% SSL at the protocol level,” he says. Which is why moves by Facebook, Twitter and Google (which is also promoting secure communication with Google+) are a step in the right direction, at least.

Ristic says he is trying to get the message more widely known. “We are reaching out to library developers to make sure they ship their libraries with secure features,” he says. “We are also talking to vendors of web servers to configure SSL properly by default. If we act now, in two or three years’ time most distributions will be secure by default. Users should not need to be security professionals to go about their daily duties.”

“Imagine” a world of cloud

Long-haul flights can lead to all kinds of desperate activity to kill the time. In the case of Mark Settle, CIO for BMC Software, it resulted in a song (sung to the tune of John Lennon’s Imagine) all about the wonders of cloud computing. Here it is for your personal delectation:

Imagine there’s no raised floor

It’s easy if you try

No server racks around us

Above us only sky

Imagine all the meetings

That never have to be……

Imagine there’s no SAN farm

It isn’t hard to do

Nothing to kill or die for

And no operators too

Imagine all the employees

Doing their jobs in peace

You may say that I’m a dreamer

But I’m not the only one

I hope someday you’ll join us

And we’ll surf the cloud as one

Imagine no fixed assets

I wonder if you can

No greedy users or insatiable developers

A brotherhood of man

Imagine all the servers

Working for the world……

You may say I’m a dreamer

But I’m not the only one

I hope someday you’ll join us

When our employees can work as one

Our advice to Mark: take a good book next time.


Hacktivists back in fashion - and giving you a free pentest

For the last five years, everyone in security has been agreed on one thing: hacking is no longer script kiddies showing off to each other like they used to in ye olden days. No, the modern hacker wants to slip unnoticed on to your system, steal your most precious information, and then slip out without you even noticing.

Well, up to a point, Lord Copper. Although that may be true for most modern hacking, there is a resurgence of the attention-seeking hacker, the kind who wants the admiration of his peers (it’s usually a him) and the oxygen of publicity. We’ve seen it with Anonymous, and we also saw it with the Lulzsec group, who famously managed to penetrate networks with ease before retiring after their 50-day rule of terror earlier this year.

The latest embodiment of the trend is a newish website called www.rankmyhack.com, where these guys can parade their exploits and show how clever they are. The site welcomes visitors with the words: “Welcome to RankMyHack.Com. The worlds [sic] first elite hacker ranking system. Submit proof of your website hacks in exchange for Ranking Points that earn you a place on the leaderboard of legends. The bigger the site, the bigger the points. Then use your points to duel with other hackers and protect your legacy in one on one digital combat. So have you got what it takes to be the best?”

I love that “leaderboard of legends” stuff. It should really get the socially-challenged geeks staying up late into the night on their little exploits in order to win their Ranking points. The allure of fame, recognition, and often a spurious mission to be doing something socially motivated (hackers are also threatening to act in support of the recent street rioters of the UK) can be a powerful magnet for some of these people who sadly have not yet found a more positive use for their talents.

And talented they certainly are. The fact that they have found it so easy to crack sites that should have been properly defended, should act as a prod to make us all raise our game. In fact, if there is a silver lining to this black cloud, the RankMyHack mob will be putting a lot of websites to the test that should really be better protected. If it takes a public shaming to get them to improve their security, then they only have themselves to blame for not acting earlier.