Probably not a serious breach, but definitely a serious failure

The Twitterverse, online and traditional media worlds were if not alight then certainly smouldering with the news of a security breach as a result of pictures being published showing the Prince in a normal day at the office. At first I couldn’t work out why the press was saying that username and passwords were at risk, especially as the main photograph showed the Prince at a computer screen. Surely passwords are always obscured at a login prompt? Even the MOD can’t have such bespoke systems that they clearly show passwords on a screen? I even Tweeted that surely this must have been, therefore, a Post It fail rather than technology fail. Thankfully there were further Tweets and further analysis of the situation, and it was the Naked Software blog that finally made sense of it all.

Unbelievably it was a Post It fail… or at least a piece of A4 taped to the wall fail. 

My personal analysis of this may be a little different from most infosec professionals, in that what was exposed was probably not that serious. A username and password were effectively leaked for what was probably an unclassified part of the MOD network (or whatever the correct terminology is). This physical network is probably behind fences and locks and soldiers with guns (or heaven forbid, the MOD Police), and probably didn’t even have anything interesting on it. I do of course think those in charge were right to change the password and username though, as that is obviously a sensible precaution, but after that point, so what?

That said, what I think this does highlight is a dreadful failure of the security “attitude test” by the personnel and leadership of that base. How on earth it could have been deemed acceptable to have a username and password, of any description, taped to a wall, no matter how secure the environment, is beyond me. Firstly, this means that a generic account is in use, a fundamental no-no in anyone’s book, but it also indicates that it is acceptable to do other things born of convenience. Share files on a USB between here and home – no problem! Carry printed flight rosters and contact details in your manila envelope out of the base – of course! The mere act of allowing this to happen means there are already shoddy security practices at work in this base, and their head of security should investigate immediately (and be slightly ashamed). As an aside, I was also surprised at the Prince, to be honest; here is someone who must have had security training to the nth degree given his position, and he is standing, smiling, right next to the picture.

It reminds me of why I make such a big deal of using lock leads in the office. The actual risk of having a laptop stolen from your own office in the middle of the day is fairly low (overnight the risk rises of course, but we don’t leave laptops out overnight, do we?!). I often cite the example of a fire alarm and subsequent evacuation, and laptops being removed/stolen by the last person on the floor, but again, this is an unlikely event. My main driver for the lock lead is because the very physical act of attaching your laptop to a lock lead first thing in the morning is a strong reminder of the need for security, and puts that person into a more security-aware frame of mind. If they take their laptop into a meeting room, the act of unlocking it is a reminder again. I have argued before that security awareness training does not interact with people often enough to influence their behaviour in any measurable way, but if we can encourage the use of lock leads throughout the organisation, much of the battle is won.

Really, if the MOD gets this wrong, what hope is there for the rest of us?


CSARN Organisational Resilience Conference

I was able to attend the City Security And Risk Network (CSARN) conference on organisational resilience today. It was a very well put together one day event with speakers from a broad range of companies and backgrounds such as the Police Force as well as military and traditional consultancies.

The key focus of the day though was of course on elements of organisational resilience such as incident and crisis management, the terrorist threat, global travel planning and the associated risks (in this case played against a backdrop of maintaining operations during the Arab Spring) and of course business continuity management. The speakers were knowledgeable, and approachable during breaks for further questions. Justin Crump did a cracking job of maintaining order throughout the day and ensuring the audience was engaging well with the speakers.

Halfway through the day there was a panel discussion focussed on “building and embedding effective cyber security structures”, and I was pleasantly surprised to have been asked last week to be on the panel itself. (Cue jokes about how far down the list they had to go before they got to me etc…). Also on the panel with me were Geordie Stewart (who I am also speaking with at RSA) and Paul Simmonds (co-editor of the Cloud Security Alliance “Guidance” v3; co-founder and Board of Management member of the Jericho Forum; former CISO, AstraZeneca). I felt it came across as a very well balanced discussion, with some very insightful and focussed questions from the audience. I had been primed that the audience was not that well versed in all things “cyber”, but that didn’t really come across, which made for a very enjoyable and engaging discussion.

We covered topics such as sources of cybercrime (state sponsored, organised crime and so-called chaotic actors), what our thoughts were on the biggest threats coming out of the “cyber” threat and what we could be doing better at international levels. When each of us was asked what the single take-away from the discussion was, mine was a rather glib, if valid, “plan for failure”; another strong take-away to my mind was “get the basics right, everything else comes second”. Again, it sounds glib and from the school of the bleeding obvious, but over-complicating any challenge is so easily done.

If I had one piece of critical feedback (well, two actually) it was that towards the end the presentations seemed to move into blatant sales pitches; now I understand sponsors need to get a return on their sponsorship, but it was the wrong forum to my mind for sales pitches. Secondly, I wouldn’t do something like this again on a Friday; it felt like half the audience had left come 2 o’clock, which can’t have helped the afternoon speakers at all!

I thoroughly enjoyed myself though, have some great key takeaways specifically for my business continuity planning, and I hope have planted the seeds of being able to return again in the future as a solo speaker!

My thanks to Acumin and CSARN for giving me the opportunity to be on their panel, especially alongside two people whom I admire in the industry.


May I Ask YOU A Question Or Two…?

The iPhone5 launch is very exciting for many people, and I have to admit myself included. Whatever your opinion of that particular can of worms, one thing is for sure, and that is many people will be parting with a lot of money in the next week or two in order to get hold of the latest piece of geek chic.

When there is a likelihood of money changing hands, scammers and criminals will never be far behind.

I took a phone call (from a UK 0845 number) on my mobile phone on Saturday from someone claiming to be from O2, with an offer to get the new iPhone5 on the day of release without having to queue for hours at my local O2 store. They would even honour the lower retail store price compared to the order online price; on my tariff that meant £70 for the handset rather than £100 because I was a good customer (which I am). What an offer!

Without thinking, I confirmed the first line of my address… and then thought “Oh crap, shouldn’t have done that”; I got a bit carried away. They had called me, not the other way around, I really had no idea who they were!

Cast your mind back a few years, and there was a semi-legal scam whereby people would take calls from “a representative from <insert mobile provider here>”. They would entice the individual with early upgrades and a new phone, get the verbal agreement, and then shift the contract to a new, third party provider. The downside was that this provider had many hidden charges, and an average £25 bill would become £125 overnight, partnered with a legally binding contract. This was soon clamped down upon, but this example started ringing through my mind!

It was at this point that I had verbally agreed that I wanted the new iPhone delivered to my door on a new and cheaper contract this coming Friday… Oh dear God, have I just committed professional suicide here?!

I turned on my professional brain, and then asked the person at the other end if she really was from O2, and obviously she replied “yes!”. So I asked her if she would mind if I asked her a few security questions: “of course not, I would do the same!”. I logged onto my O2 account and asked her for my account number, last bill amount and how long I had been a customer. She had all of the information to hand, I was happy, and I am now looking forward to a new phone on Friday (either that or this blog will be closed down on Saturday!).

It did occur to me however that I felt a little awkward asking these questions. How many other people in a similar position, offered an enticing deal, would do the same thing? And how often would someone be ripped off as a result? We receive phone calls all the time from our service providers, very often just asking for innocent information or making sure we are happy with the current deal, but sometimes the first question they ask is a “security” question to confirm you are the correct person. This normal procedure is easily hijacked by social engineers, who could over the course of a few months gather a vast amount of information just from phoning you and asking you outright!

Has anybody else experienced this kind of thing? Have you missed some great deals because you were too suspicious to grab the opportunity, or have you thrown caution to the wind only to regret it later, if only for a short period of time? How cautious do we need to be in these circumstances?

One thing I learnt however is that in the middle of a conversation, it is very easy to forget who called whom; remembering that if you answered the call you haven’t confirmed their identity, and therefore need to ask some security questions of your own, is probably the best way of keeping yourself out of trouble!


Where is Outlook for iPad?

The prevalence of the “Bring Your Own Device” (BYOD) concept as an acceptable, if a little rushed, approach to empowering employees at work has resulted in many different types of devices being used in the workplace now. Arguably, these are split into two camps, Android & iOS (I don’t believe Windows Mobile has made many inroads into the enterprise… yet… watch this space as their new devices come off the production line).

The prevalence of Exchange Servers in the enterprise is also arguable, but in my own experience it is the number one mail server around, and with it of course comes Outlook. On the whole, I love Outlook; it has a few quirks (especially on the Mac) but by bringing together my email, calendar, contacts and notes into a tightly integrated package, which in turn integrates with my enterprise email/messaging/scheduling platform means it is probably the number one application I use.

Why then has Microsoft not capitalised on these two facts and marketed Outlook for mobile devices with the promise of integration, functionality and security? There are apps on the various app stores that claim to offer Outlook style experiences, but the feedback on these speaks for itself.

I can’t say I would care much for Word, Excel & Powerpoint on my tablet; I tend not to edit or annotate these documents on these devices much anyway. But Outlook would change how I interact with work over my iPad, but only if they implement it properly!

Given one of the core tenets of Outlook is to integrate email, contacts, calendar and notes from the enterprise, I strongly believe it should NOT integrate with the same apps on the device. By this I mean its database should be entirely separate and, ideally, encrypted to retain a certain degree of security. Because of this separate installation, the application itself can handle all of the ActiveSync profiling (e.g. encryption, password protection, password retries, remote wipe and the such like) that on existing devices causes an infinite amount of pain. Having had personal experience of rolling out a one-size-fits-all ActiveSync profile to thousands of BYOD devices with different hardware and firmware, because they are by definition “personal” devices, I know too well the amount of noise, frustration and lost hours this brings to the end user.

Of course, this kind of application, sold on the app stores for £10GBP/$15USD, could also be purchased by the individual owner and expensed (or not, see your expense policy) and is the one, and only, barrier the enterprise puts up to mobile BYOD adoption. Have the latest Outlook for iOS? Then gorge yourself on your work email to your heart’s content! The enterprise has full control over the data, including rules on what can be forwarded, printed etc. because it does not integrate with the device’s native apps, and if the employee leaves or is fired, then ZAP! on the next connection and authentication the data is gone.
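As an added illustration of the container-style app described above (this is example code written for this page, not Microsoft’s, Good’s or any ActiveSync implementation), the Python below models an app-private encrypted mail store that enforces its own unlock policy: a key derived from the app password with PBKDF2, a failed-attempt counter that wipes the store when the policy limit is reached, and a sync step that wipes the data as soon as the server refuses authentication or orders a remote wipe. The policy dictionary, the MailContainer class and the server reply format are assumptions made for the example; HMAC-SHA256 in counter mode stands in for AES so the block runs with the standard library alone.

```python
"""Hypothetical app-private mail container that enforces its own policy.

Illustration only: not Microsoft, Good or ActiveSync code. The store lives in
the app, not in the device's native mail/contacts/calendar apps, so the app
can apply password, retry and wipe rules without touching device settings.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for the policy a server would push to the client.
DEFAULT_POLICY = {
    "max_failed_attempts": 5,
    "pbkdf2_iterations": 100_000,
}


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stream cipher standing in for AES.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += _prf(enc_key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:length])


class MailContainer:
    def __init__(self, policy=None):
        self.policy = dict(DEFAULT_POLICY, **(policy or {}))
        self.salt = secrets.token_bytes(16)
        self.blob = None            # nonce || ciphertext || tag, or None when empty/wiped
        self.failed_attempts = 0
        self.wiped = False

    def _keys(self, password: str):
        # Separate encryption and MAC keys derived from one PBKDF2 master key.
        master = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                     self.policy["pbkdf2_iterations"], 32)
        return _prf(master, b"enc"), _prf(master, b"mac")

    def store(self, password: str, plaintext: bytes) -> None:
        if self.wiped:
            raise RuntimeError("container wiped; re-enrol before storing")
        enc_key, mac_key = self._keys(password)
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        self.blob = nonce + ct + _prf(mac_key, nonce + ct)   # encrypt-then-MAC

    def open(self, password: str):
        """Return the decrypted mail, or None on a wrong password.

        A wrong password fails the MAC check; reaching the policy's retry
        limit wipes the store, after which every open() returns None.
        """
        if self.wiped or self.blob is None:
            return None
        nonce, ct, tag = self.blob[:16], self.blob[16:-32], self.blob[-32:]
        enc_key, mac_key = self._keys(password)
        if not hmac.compare_digest(_prf(mac_key, nonce + ct), tag):
            self.failed_attempts += 1
            if self.failed_attempts >= self.policy["max_failed_attempts"]:
                self.wipe()
            return None
        self.failed_attempts = 0
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

    def wipe(self) -> None:
        self.blob = None
        self.salt = secrets.token_bytes(16)    # old key material no longer unlocks anything
        self.wiped = True

    def sync(self, server_reply: dict) -> bool:
        """Simulate the next connection: a refused login or a wipe order empties the store."""
        if not server_reply.get("authenticated") or server_reply.get("remote_wipe"):
            self.wipe()
            return False
        return True
```

The point of the design is that the retry counter, the wipe and the key material all belong to the app, so the enterprise policy never has to be expressed as a device-wide profile that varies across hardware and firmware.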

This approach may put companies like Good out of business, or may even drive them to greater innovation (where do you think I got the idea for the above anyway?!), but my experience of bolting on third party products onto Exchange has never been “good” anyway.

In my limited experience I know there must be some pretty major road blocks to this, otherwise why haven’t they done it already? If you are more educated in this area than me then please do comment and let me know your perspective. In the meantime, I shall dream of my iPad/Outlook nirvana and the increased amount of sleep I will get overnight not worrying about all that data flying around on people’s personal devices.


“An Anatomy…” at the BCS

A short post to give the Wiltshire branch of the BCS a pointer to the slides from the presentation I gave last week on Tuesday 24th July in Swindon. It was an excellent evening, although I suspect the turnout was somewhat diminished by the weather!

The audience also included members of the IET, which brought a very interesting slant to the questions at the end. I have also exchanged a few views with folks over Linkedin as well, and if you are still awaiting a response from me please bear with me!

The one thing that did however fail was the video recording of the talk; unfortunately it gave out halfway. I was going to edit the footage anyway and then perhaps link to an alternative recording of the same talk, but I have taken the decision not to as it is a messy compromise to try and stitch two different talks together to get the entire content in one place. As a result I have decided to simply link to a previous recording, specifically the BsidesLondon one I gave in April.

So, thank you Geoff Hunt for having me along to speak to the Wiltshire branch of the BCS (where I am also a largely absent member of the committee!) and especially thank you to the folks in the audience for your interest and your questions. If any of you do happen to have any more questions, please don’t hesitate to ask them in here, via email or Twitter. Any feedback is also of course very much welcomed.

The video can be found here, and the slides can be found here (note that the presentation is originally in keynote format, the PPT export may look slightly different).