The Information Security Vacuum

By Michael Gianarakis, Senior Security Consultant

Originally published: http://eightbit.io/post/56489111073/the-information-security-vacuum

Many penetration testers and information security consultants complain when a client just accepts the risk of an issue or doesn’t provide adequate support to the security team. I often hear “the business doesn’t get security” and that “security risk is a business risk, they should pay more attention”. Unfortunately, what I don’t see is penetration testers and security consultants actively trying to understand business in order to truly understand, and more importantly, articulate the security risk. I’m not talking about “the business” of a client but rather business in general. In fact I often encounter disdain for the very notion of devoting any time or thought to understanding business and risk concepts.

Security Risk or Feature Request – Software due diligence – who controls your reputation?

If you can think of a business process nowadays, there’s probably either an outsourced service or off the shelf piece of software that will perform it for you. As part of any outsourcing arrangement, due diligence will be performed. However, what happens when you buy a piece of software?

If an organisation suffers a data breach thanks to an outsourcing partner not living up to their part of the bargain, there’s always the potential to mitigate reputational damage through plausible deniability. However, when you install and manage a piece of software, whatever happens is all your fault, so what can you do to make sure that software vendors take your reputation as seriously as you do?

Security Testing – In an ideal world, software would undergo a rigorous testing regime. Back in the real world though, software will usually undergo an element of functional testing, with security testing either being an afterthought or the end user’s problem. Before you buy software that you’re trusting with your reputation, ask the vendor for their most recent security testing results. If they try to make it your problem, look elsewhere. If they take an open approach (CANVAS LMS is a good example here), stick with that vendor and don’t let them go.

Remediation Process – Ask the vendor for their documented process for actioning vulnerability reports. If the vendor shows you a full process documenting risk assessment and communication procedures, including a liberal sprinkling of response timelines, give them a tick in the box for this one. If they give you a blank look, their competitors may want to help you.

Do your own testing – So, if you’ve found the unicorn that is a vendor taking information security seriously, why would you want to do your own testing? Penetration testing arranged by a vendor will often take place in a sterile environment that doesn’t necessarily resemble the real world. A real world configuration may introduce previously undiscovered flaws.

Show me – The cynical part of me strongly believes that if a vendor smells a sale, they’ll tell you whatever you want to hear, so don’t take them at their word; have them show you that they take the security of your customers’ data seriously.

Performing due diligence is just as important for COTS that could have an impact on your sensitive data as it is for an outsourcing partner. Above all else, if you find a vendor who uses the term “Feature Request” instead of the more commonly used “Urgent Security Fix”, run away as quickly as you can – they’re not taking the security of your information as seriously as you are!

Bang for Bucks Security – 7 Reasons why Businesses are Insecure (Drazen Drazic CEO)

If we had to pick the question most frequently asked of us by CEOs, CIOs, CSOs and other senior IT management, it would be: what is the quickest way to find out what security risks and exposures their company has? We all know that it’s not that simple but, to be fair, it’s a good question if you are starting from a base of nothing.

But you can’t get a decent answer to such a question unless you have decided that you are serious about protecting your information assets, and unless you have these “basics” in place.

Back in 2007 I wrote the post “The 7 Reasons why Businesses are Insecure” on Beast or Buddha. (http://beastorbuddha.com/2007/11/10/the-7-reasons-why-businesses-are-insecure/index.html)

I have rehashed it today, as pertinent and timely as ever, as it comes to attention this month in our newsletter “Bang for Bucks Security”.

______________________
Bang for Bucks Security

I won’t start by saying that implementing a strong framework is going to solve all business IT security problems. It won’t, but with one, at least you have one big advantage over now – you have a better picture and understanding of where your problems may lie and you’re less likely to be taken by surprise.

At present, most organisations have little understanding of the risks they face – where they are exposed, what they are exposed to and how these exposures could impact the business! So what are the problems?

1. Management and Governance – If the CEO and Senior Officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it just does not get the appropriate attention. When we do “State of Security” reviews for our clients, we pretty much have 90% of our report written after the first hour if we find this layer of the framework not in place, i.e. you can be guaranteed that if there is not an effective and ongoing management and governance layer in place, overall security within the organisation is weak. Matt Jonkman, in a previous interview with me, explains it well:

“Security is the CEO’s problem. The security engineers are the tools the CEO should be employing. CEOs should be directly involved in the risk decisions far more than I see on average. They need to know not exactly what technically is going on, but exactly what risk is being introduced or mitigated. It’s security 101. They should be involved from the ground all the way to incident response. It is NOT the security engineer’s decision whether to spend money to mitigate a risk based on what the impact might be. It’s the CEO that should know what that impact would mean in dollars, and how many dollars are available to be expended. I think these things are far too often delegated from officers of a company to managers without the proper oversight and long term involvement.”

2. Environment Awareness – It never ceases to amaze me how many organisations will promote being secure and having strong IT security practices and controls in place, yet not have a clear understanding of their environment. How can you say you are secure if you don’t know what it is that you supposedly protect? Most organisations have little idea about what they own – i.e. IP address ranges, networks, systems and applications. Few have assigned data and system owners to all parts of the environment.

3. Policies and Standards – Most companies now have security policies and standards but are they of much value? If you don’t have an effective management and governance layer in place to own, manage, maintain and enforce good practice and if you have gaps in awareness of what makes up the corporate environment, how good are they?

4. Policy Compliance and Awareness – Policies and standards are all good and well but if you’re not doing what you say you should be doing, the security program is useless. Stating the obvious I know, but this is the story more often than not from our experience.

5. Assurance Program – Few organisations “test” to confirm they are doing what they say they should be doing, i.e. testing the effectiveness of the above mentioned layers of the framework. An ongoing assurance program helps to identify issues arising from the deployment of new technologies and problems from weak practices in existing technologies. Few organisations do:

1. Ongoing environmental scoping – mapping and keeping up to date records of what their environment is.
2. Ongoing vulnerability assessment and management – a proactive VA program helps identify issues before they become a problem.
3. Regular security testing of key systems and applications, including penetration testing and application reviews.
4. Security review of new systems before they go into testing and production. 90% of newly deployed web applications in our experience have critical security issues, yet organisations still trust that their developers understand security and don’t test… scary!
5. Review of their policies and standards – are they relevant, up to date and do they cover the scope of the complete business environment?
6. Review of the effectiveness of the compliance program(s). Testing to see if what the organisation says should be done is being done.

6. Incident Management and Response – If any of the above fails and an incident occurs (assuming the organisation knows an incident has actually taken place – and take the tip, most companies have no idea unless it’s one that has walked right up to them and slapped them in the face), most organisations have little or nothing in the way of documented and tested response plans. (Let’s add DR to this also.) How can an organisation quickly and effectively respond to something if there is no plan?

7. Strategy and Performance Assessment – In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date. Few organisations take a holistic view when assessing the effectiveness of their IT security strategy. I know “metrics” and performance assessment in the IT security industry have been debated since day 1, but let’s not confuse systems and detection metrics, as a couple of examples, with “strategy” level review.

An IT Security strategy should encompass a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help: define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting valuable information pertinent to the phase of strategy), increase accountability (by linking metrics to performance appraisals and business plans) and align the objectives of individuals, teams and the organisation itself. In most cases this is easier said than done, but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum:

1. Articulation of the Security Strategy.
2. Translating Strategy into Desired Outcomes.
3. Devising Metrics.
4. Linking Metrics to Leading and Lagging Indicators.
5. Calculating Current and Target Performance.
(based on work done by Rayport and Jaworski, eCommerce)

The 7 layers above form the Strategic Security Management Framework (SSMF). It’s a framework we developed some time ago to assess the effectiveness of IT Security practices in an organisation. It’s a framework that we still use today. It’s a framework that many of our clients now adopt.

By nature of doing business electronically, an organisation cannot remain secure without a proactive plan / strategy that takes a holistic and enterprise view of the risks the organisation faces.

A strategic framework is vital in the field of security management because it provides a structure to help analyse the complex requirements and highlights the dimensions of importance. An effective strategic security management framework is vital in describing the business’ short and long term plans to secure its environment: what its goals are, how it plans to achieve those goals and how it will continue to achieve new goals required to keep pace with evolving security challenges. It should be linked to other strategies within the business, such as relevant components of the overall corporate strategy and the IT strategy, and to the functional strategies that will evolve from the security strategy itself.

As I said, managing security around a framework will not in itself solve all the problems but it is the start. Without one, organisations will continue to flounder around a bunch of disjointed practices, rarely relating to other practices and with little context to the overall objectives of securing a whole business environment.

This is where businesses are failing today.

Regulation and Compliance – It’s all relative and what you are used to…

In this old Beast or Buddha post from 2009, our CEO, Drazen Drazic, looked at regulation and compliance. It’s worth reviewing again and seeing where we stand in 2013, as the Government now starts to follow the likes of the US in terms of assessing whether more regulation and compliance is needed.

http://beastorbuddha.com/2009/04/14/regulating-it-security-practices-pci-dss-tough-it-could-be-worse-or-betterdepends-how-you-look-at-it/index.html

We welcome your thoughts and comments….


Looking at Good Application Security – It’s Not Just about Penetration Testing

(An updated article from Tek-Tips, originally published in 2010: http://tek-tips.nethawk.net/looking-at-what-makes-good-application-security-knowledge/)

In 2013, there is still a growing reliance on penetration testing to identify all the flaws in the security of systems and applications. This is a flawed approach. While penetration testing is important, and we believe a must-do for all new systems and applications being rolled out, if this is all you are doing, you really need to assess your whole security framework and systems development lifecycle. Penetration testing is just an assurance assessment – just one component of how an application should be reviewed/audited/tested by companies.

EOFY Wrap Up – Mobile Application Security Maturity and Adoption

Recently we looked back over the past financial year to assess the distribution of work, and we thought we should share the outcome.

Penetration Testing and Compliance across the board is on the rise, which is not surprising, and there has been a considerable increase in the proportion of penetration tests and security assessments undertaken for new mobile applications.

Not particularly surprising considering how mobility uptake has been changing consumer behaviour and how increasingly businesses need to look at mobile devices as an integral market channel, not just a side interest. http://community.securusglobal.com/2013/03/18/mobility-drives-changing-consumer-behaviour-gartner-study

Certainly we do not see this abating any time soon. Positively, we have also seen a greater increase in the awareness of mobile security threats and of the need for Business, IT and Security Groups to proactively assess and address these early in the SDLC. This is going to become critical as mobile applications continue to collect and process more sensitive personal and financial information and devices begin to introduce new technologies such as RFID scanners and chips for mobile payments.

A new financial year is traditionally the time that businesses hurriedly wrap up projects and initiate new ones. It is a timely reminder to consider the level of proactive security assessment when assessing new technologies, service providers and projects.

Here is some information published on the topic in the last few months. If you have any particular issues or requirements, please give us a call. We can help with Mobile Security Testing, Developer Training and PCI DSS and PA DSS assessments.

Intercepting iPhone and iPad SSL Certificates.

HTTPS In Abrupt

Preparing for EFTPOS NFC Mobile Payments

The Real Cost of Insecure Software

Security as a competitive advantage

Mobile technology growth prompted by flexible working

http://community.securusglobal.com/2013/02/11/ftc-publishes-mobile-privacy-disclosures-report/

Mandatory Data Breach Notification

With the discussion again starting about Australia’s position on Mandatory Data Breach Disclosure (http://bit.ly/1avVg7H), we presented the following to the government in 2012 when an RFC was opened in regards to this potential legislation. What are your thoughts?

—————————————————-

The following are our [Securus Global] thoughts on Mandatory Data Breach Notification, in response to the Discussion Paper: Australian Privacy Breach Notification (Oct, 2012).

Organisations most likely to be affected by the introduction of such laws also tend to already have better information security and privacy policies in place.

Where we are coming from: If you have good practices and controls in place, you’re probably also more likely to detect a breach and would, under these new laws, have to openly disclose. (Fair enough).


[Data Breach List] Telstra – May 2013

Oops: Google search reveals private Telstra customer data.

By Ben Grubb, Sydney Morning Herald, May 16, 2013

The personal information of thousands of Telstra customers has been found online using a Google search.

Lee Gaywood, 31, of Chelsea Heights in Victoria, contacted Fairfax Media about the information being freely accessible to anyone online after conducting a specific Google search that turned up Telstra spreadsheets.

The owner of marketing business SMS Broadcast, Mr Gaywood said he found the data when he was searching Google for telco carrier access codes, which he needs to know for his SMS service to work.

Data discovered included customer names, telephone numbers and in some cases home and business addresses.

‘The Real Cost of Insecure Software’

In 2008, our CEO, Drazen Drazic, spoke with David Rice, the author of “Geekonomics: The Real Cost of Insecure Software” (http://www.geekonomicsbook.com/). It was one of the most read posts on Beast or Buddha at the time. It’s interesting in 2013 to revisit this talk they had and see what, if anything, has changed.

http://beastorbuddha.com/2008/07/29/talking-with-david-rice-insecure-software-implications-regulation-vendors-making-change-and-other-things/index.html