Wednesday 30 July 2014

Happy 5th Birthday

I started this blog five years ago to keep track of issues and workarounds I was seeing when I was working with specific security solutions.  As my role has changed, so has the content: it has moved from a "Notes from the field" blog to more of a "Security Social Commentary" blog.

Although it started as a technical blog, it was always important to me to keep it clear.  When a post was about fixing an issue, I should be able to explain both the issue and the fix.  As I move forward to look at the latest news about compromises and breaches, I've tried to keep it simple by explaining the issue and how it can be fixed or avoided.

So Happy 5th Birthday blog.andytang.com!

Monday 28 July 2014

Hacking humans...

There is undoubtedly more news coverage of security breaches and hacks at well-known companies.  When large retail chains like Target in the States, or massive online websites like eBay, are breached, the concerns about losing data and the impact on consumers are massive.

Technology will protect us…

There are many technical solutions that can protect organisations, from traditional security solutions such as anti-virus software, web filtering, email filtering, firewalls, intrusion detection and prevention, encryption, secure authentication and endpoint lockdown.  There are also newer technologies that use sandboxing, behavioural analytics and data analysis tools, and next-generation products refining and enhancing the traditional security solutions.

With all these solutions in place, it would be difficult to believe that organisations are still being breached, yet most of these technologies are installed and running in these organisations.  These systems are not infallible: a number of technical solutions were themselves subject to a major security flaw when the Heartbleed bug was highlighted.

Legislation will protect us…

There is a great deal of legislation relevant to Information Security, much of it there to protect information: the Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, Computer Misuse Act, Terrorism Act, Official Secrets Act, Malicious Communications Act and even the new Data Retention and Investigatory Powers Bill.

Although these acts look after the information of the individual, of an organisation, or what people can see, they are not safeguards that protect organisations.  This legislation would have done little or nothing to prevent the breaches that typically occur.

ISO 27001 and ISO 9001 are framework standards that can help safeguard data through good practice, as can the PCI standard, but again an organisation can adhere to these standards and still be compromised.

Our people will protect us…

It is commonly joked within IT departments that "the problem is between the chair and the keyboard", implying that users are the weakest link.  It's not surprising, as social engineering and more targeted attacks have the "look and feel" of legitimate communication.  When a large security organisation like RSA is breached, it brings users' education into question.  In this situation, the spear phishing (specifically directed email) attack was launched and captured by the organisation's email spam filter.  The technology had worked, but the release of an important-looking email from the filter, and a user clicking on it, gave way to a breach that reportedly cost RSA $66 Million.

It is also believed that only 11 malicious spear phishing emails were received, all of which were caught by the spam filter, but it only took one person to instigate this PR nightmare.

User Education

It is often said that all compromises have used elevated privileges, which means the threats are targeting individuals because they have specific administrative rights or access to specific systems.  Do not overlook the importance of user education and awareness.

Technology may be there to capture some of the security threats, and legislation may help safeguard practices, but vigilant and well-trained users will help organisations more.


Wednesday 16 July 2014

Data, data, data...

There are many terms thrown around about data, such as big data, data privacy, data protection, data compliancy and data security.

Generating more and more data


The volume of data gathered is ever increasing, whether it's in the commercial world or our personal world.  As the ways of generating data increase through social networking, as photos get larger through higher megapixel counts, as the number of internet-connected devices we carry increases from zero to three or more, and as media such as books, magazines and music become digital, we can readily see why there has been phenomenal growth in data generation.

With the many streams of data we generate and have access to, the challenges of collecting, manipulating and aggregating this data become all too apparent; these are the challenges of big data.

Keeping it private


With all this data, there should be concerns about who sees it.  Ensuring the necessary controls are in place can be difficult, whether it's who sees our photographs on a social media site, or data leaving a controlled environment for uncontrolled public cloud storage facilities.

Most people don’t want their personal information made public.  This may be home addresses, email addresses, telephone numbers, passport numbers, etc.  This is the sort of information most people would like to keep private.

Keeping data where only the right people can see the right information, while ensuring the privacy of that data is maintained, is the challenge of data privacy and data protection.

Law enforcement


There must be laws in place to protect information.  There are a number of laws to protect us, along with industry bodies policing certain industry verticals.  If these laws or compliance bodies are ignored or contravened, then fines or dismissal can be the penalty.

Using the legal system or industry bodies to monitor and police data could be considered data compliancy.

Technical Enforcement


There are many technical solutions that can help protect the data, whether it's by encryption, password protection, two-factor authentication, VLANs, data segmentation, database security solutions, data leakage prevention solutions, etc.

These solutions are just that: solutions.  It is more important to understand the challenges and issues before jumping in with a technical solution.

CIA?


Working in Information Security, many people will refer to the CIA triad.  This is where Confidentiality, Integrity and Availability are considered the cornerstones and core principles of Information Security. 

The considerations with all data are:

Confidentiality – Define and enforce the appropriate access controls to the data
Integrity – Ensure the data has not been manipulated from when it was captured
Availability – Ensure the data is accessible when it is required
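As an added illustration of two of these principles (example code written for this post, not the author's own), the following Python shows integrity as a keyed hash (HMAC-SHA256) over a captured record, so any later manipulation of the data is detected, and confidentiality as a simple role-based access check. The record, the key and the role table are constructed for the example; in a real deployment the key would come from a key store and the policy from the organisation's access-control system.

```python
import hashlib
import hmac
import json

# Constructed example key; a production key lives in a key store, not in code.
INTEGRITY_KEY = b"example-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so the same data always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Integrity: attach an HMAC-SHA256 tag computed over the record at capture time."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Integrity: recompute the tag and compare in constant time; False means tampering."""
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


# Confidentiality: constructed role table; only listed roles may perform listed actions.
ACCESS_POLICY = {
    "analyst": {"read"},
    "auditor": {"read"},
    "admin": {"read", "write"},
}


def can_access(role: str, action: str) -> bool:
    """Confidentiality: deny by default, allow only what the policy grants the role."""
    return action in ACCESS_POLICY.get(role, set())


def demo() -> tuple:
    # Constructed record of the kind a retention system might capture.
    record = {"subscriber": "constructed-id-001",
              "timestamp": "2014-07-16T10:00:00Z",
              "calls": 3}
    sealed = seal_record(record)
    # Simulate manipulation after capture: the count is changed but the tag is reused.
    tampered = {"data": dict(sealed["data"], calls=30), "tag": sealed["tag"]}
    return verify_record(sealed), verify_record(tampered)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("original verifies:", ok)          # True
    print("tampered verifies:", tampered_ok)  # False
    print("analyst may write:", can_access("analyst", "write"))  # False
```

Availability is not something a snippet can show; it is about keeping verified copies of the data reachable (multiple locations, backups, resilience), which is why the integrity check matters: a copy restored from elsewhere can be proven unchanged before it is trusted.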

Emergency Data Laws in the UK


Currently in the UK, emergency data laws are being rushed in.  The reasons for needing to capture this data are important for national security.  The concern is the speed with which the legislation has been passed: as with many IT projects, when they are rushed they either go over budget or elements are overlooked.

There is a vast amount of data that will need to be collected, aggregated, stored and interrogated.  There will also be a need to protect the various databases holding this data, and to encrypt it, so that if it were to leave this environment it would be unusable.

This data will need to be made available, so it will need to be kept in multiple locations, while also ensuring that the data captured has not been manipulated, to maintain data integrity.

The biggest concern should be confidentiality.  There have been many reports of lost data and inappropriate access to data, but also a rise in reports of hacking leading to the exfiltration of data from government sources.


Data is important in our lives, but let’s ensure that our data is protected correctly, whether it's held by a social networking site or by the government.