Thursday 27 May 2010

New awareness module on incident management

We have just released June's security awareness module about managing information security incidents a few days early to give customers the option to run the materials from June 1st, if they wish.

Information security incidents are security incidents affecting the confidentiality, integrity and/or availability of information assets - IT systems, IT services, data and other forms of information. Despite our best endeavors, it is inevitable that information security incidents will occur from time to time even if we have implemented the very best preventive security controls money can buy. Paradoxically, highly secure organizations are arguably in greater need of professional incident management processes than those with weaker security controls since they have fewer incidents to ‘practice’ on, and those that occur tend to be both unanticipated and serious.

The new awareness module describes the processes necessary to investigate, resolve and learn from all sorts of information security incidents, using incidents reported in the news to emphasize the variety of incidents and approaches. We share good practices from ITIL and standards such as ISO/IEC 27002 and NIST SP800-61.

The awareness materials emphasize the need to identify and respond to incidents promptly and efficiently in order to contain and resolve them with minimal impacts on the organization. Without a suitable management process in place, incidents may take longer to be recognized and resolved, hence additional unnecessary and avoidable losses may be incurred. Furthermore, learning the hard lessons from incidents, plus softer lessons from near-misses, improves the organization's security controls: this is an important part of the process often neglected by those with immature incident management or information security programs.

For ordinary employees, the awareness presentations, procedures, guidelines etc. stress the need to report information security incidents and near misses to the appropriate contact point (typically the IT Help Desk or Service Desk) as soon as practicable, and explain what happens next. We want everyone to be crystal clear about what they are expected to do.

We provide a template business case for managers, explaining the business value of an Incident Management Team and structured Incident Management Process. We'd like management to appreciate the business value of a professional approach to incident management, plus the personal value in terms of reduced stress.

IT professionals are also apprised of the reasons for managing information security incidents more professionally, and given pragmatic hints on what this actually means for them, and for the organization.

Just fell out of the trees?

Just in case anyone really did just fall out of the trees, be aware that the following email is most definitely a SCAM to capture login credentials for email systems:

Your mailbox has exceeded the storage limit which is 20GB as set by your administrator, you are currently running on 20.9GB, you may not be able to send or receive new mail until you re-validate your mailbox. To re-validate your mailbox please; Fill the below details:
First Name:
Last Name:
Email Address:
Username:
Password:
Confirm Password:
Mail to: ...

The scammer's dubious English possibly indicates he's either a non-native English speaker, or recently fell from the trees, possibly both.

Five notorious identity thefts

A blogger's list of five well-known identity theft cases reminds me about them but also identifies something I hadn't heard of:

One of the bigger types of theft as you can see is utilities fraud (18% of all ID thefts). That is one that most people may not even think about. Essentially, this results from people using a child’s clean credit to get their power, water, gas, cable, or phone services turned back on. They are desperate for these services and will go to any lengths sometimes to make sure they get them (including ID theft).

Googling some key phrases from that blog brought me to another site that published a bunch of statistics on identity theft, mostly prior to 2009. Their identity theft risk self-assessment form is a simplistic but quick way to find out how at-risk you are.

Wednesday 26 May 2010

Wake up call for phishing victims

Organizations used as phishing lures, or whose websites have been hacked to become phishing sites, have been redirecting potential phishing victims to an educational page on the APWG (Anti Phishing Working Group) website, in the hope that some of them will realize the error of their ways and may perhaps be a little more cautious in future.

Mind you, a fake online banking balance page showing their bank accounts well into the red might be a more effective wake-up call for some ...

Tuesday 25 May 2010

Fined for not using the specific words "security awareness"

The Chelan County Public Utility Department has been fined $13,000 for three alleged violations of the NERC information security standards, but reading the news story at Wenatchee World reveals that one of those three was 'failure to use the specific words “security awareness” in documents showing that certain personnel have received ongoing training in “sound security practices.”' Failure to use the specific words "security awareness"?!?! If that's the truth of it, I might agree with PUD officials' claim that this amounts to a "difference of opinion with auditors over how to interpret federal standards". However, I wonder whether the true nature of the alleged non-compliance was perhaps a little more serious - like perhaps the PUD came up with some internal memos or whatever, claiming that they substantiated their security awareness program whereas in fact they were not really intended or used for that specific purpose. I'm only guessing here but I've seen situations very similar to this where auditors' findings have been challenged on the literal wording, without necessarily addressing the issue at stake. We're left uncertain whether the PUD actually had an effective security awareness program, but anyway I hope the fine was enough of a prompt to make them value security awareness.

Rgds,
Gary

Friday 21 May 2010

Gilding the lily

Hearing about someone who allegedly falsified background details to get into Harvard reminds us to check resumes or CVs of those who apply for powerful, trusted positions.

Visualization of security metrics

I've been pondering information security metrics for some years now, primarily from the angle of figuring out what might be the "few good metrics" actually worth measuring whilst avoiding pitfalls such as reporting stuff that is simply easy to count or measure. I can't say I've truly bottomed-out that line of thought but I'm moving on to consider the issues around reporting metrics, particularly the concept of "visualization". I've been prompted to look into this by a visually appealing representation of the number of US men anticipated to die this year as a result of various causes. The graphic stimulates viewers to explore the numbers, comparing and contrasting figures ... but that's about it. It's left entirely to the viewers to draw their own conclusions. Many will not bother. But does the eye-candy graphic achieve its purpose better than simple lists or tables of mortality figures? Oh yes! It's stimulating instead of boring.

Kaplan and Norton's original balanced scorecard expressed an organization's key metrics in four quadrants. If we were to design an information security balanced scorecard, how many sectors would it have and what metrics would they report? The answers to these questions come down to the issue of how to structure the statistics. Several common options are immediately obvious:
- People, Process, Technology
- Preventive, Detective, Corrective
- Confidentiality, Integrity, Availability
- Threats, Vulnerabilities, Impacts
- Past, Present, Future
... so it's looking like three is the magic number, perhaps a stacked set of 3-way pie charts or Venn diagrams, one layer for each of these structures? Suddenly in my mind's eye I see a multidimensional image that's probably far too complex in practice. Utility, readability and maintainability are all important parameters for the visualization, as well as visual appeal. So, it's back to the drawing board for me.

At this glacial pace, I'll have figured out how to measure, report and use information security metrics in, oh, about five years. Hopefully.

Thursday 20 May 2010

An unwise challenge

From Wired:

Apparently, when you publish your Social Security number prominently on your website and billboards, people take it as an invitation to steal your identity. LifeLock CEO Todd Davis, whose number is displayed in the company's ubiquitous advertisements, has by now learned that lesson. He's been a victim of identity theft at least 13 times, according to the Phoenix New Times.

Remember kids, don't play with fire and don't run with scissors.

Wednesday 19 May 2010

$17m scammed by identity thief

An Orange County real estate broker has been found guilty of using stolen identities to buy 35 properties and intentionally defaulting on the loans to steal more than $17 million. A Superior Court jury found Kathy Chen guilty Tuesday of 136 felony counts, including conspiracy, grand theft, forgery and identity theft. Chen faces 111 years in prison when she is sentenced in July.

News cutting from Mercury News

No honor among thieves

The Miami Herald reports that when police stopped a vehicle with (presumably) false plates, they (allegedly) found the occupants in possession of numerous stolen electronic benefits transfer cards in the names of prisoners. They had been using them to withdraw benefits payments/food stamps. It's not entirely clear from the article how the "names and personal information of inmates found on websites" were actually used to apply for the cards, but it certainly points to a failure of the corresponding identification and authentication controls.

Makes a change from abusing the identities of the dead I suppose.

All the best,
Gary

P2P: Prevent To Protect

In February, the US Federal Trade Commission, no less, sent letters to almost 100 organizations advising them that personal information had been "shared" on peer-to-peer file-sharing networks. This is not the first time P2P software has been blamed for disclosing sensitive information and other information security incidents, and I'm sure it won't be the last. I wonder what those 100 organizations did about it?

Come to that, what about the millions of other organizations that missed out on their FTC notices, oh and not forgetting the millions of individual home users using LimeWire, BearShare, Kazaa and dozens of other peer-to-peer file sharing networks?

“It sounds preposterous, but sensitive information leaking out unintentionally like this is amazingly common,” says Eric Johnson, director of digital strategies at Dartmouth’s Tuck School of Business. “Look at the file sharing networks and you’ll find people exposing things all the time.” In fact, data leakage via P2P networks has become so commonplace that there are cybercrime gangs who specialize in continually searching P2P sites for sensitive work documents. FTC investigators easily found health-related information, financial records, drivers’ license and social security numbers accessible on P2P networks — “the kind of information that could lead to identity theft,” says Leibowitz.

So how would you recommend people to limit their P2P risks? Here are some suggestions from US-CERT.

What the awareness audience hears

Hear roughly what technical IT security awareness content, presented by IT security people, sounds like to the average employee here.

Finding the right people to write and deliver security awareness messages is not quite as easy as you might think.

Monday 17 May 2010

The value of awareness

A short news item about a woman who spotted a phishing letter ably demonstrates the value of security awareness. If she had not known to watch out for the warning signs, she may well have fallen for the scam.

Red flag day coming up fast

From June 1st, more US organizations will have to comply with "red flag rules" which are nothing to do with Communism, semaphores or that man walking in front of a horseless carriage but were introduced by the Fair and Accurate Credit Transactions Act (FACTA) in 2003 in order to reduce America's identity theft epidemic. The red flags essentially involve financial institutions reporting suspicious activities and transactions to the authorities, in much the same way as money laundering laws and regulations. Banks are already required to comply but other US financial organizations have just a few short days to polish off their controls.

Be prepared to pull out your driver's license on your next visit to the dentist. And don't be surprised if a retailer asks for a birth date or mother's maiden name if it's giving you credit for your big-ticket purchase. They're just following federal rules to protect consumers from identity theft. Beginning next month, a wide range of businesses — auto dealers, cell phone companies, real estate agents, mortgage brokers, utilities and health care providers — must start complying with "Red Flag Rules." The rules are meant to stop fraud before it happens by requiring certain businesses to look for signs that customers might be imposters and, if there are signs that they are, to take action.

Friday 14 May 2010

Corporate identity theft

Computerworld tells us that someone has been trying to flog counterfeit Cisco-branded network equipment to the US Marines:
U.S. agencies targeting the sale of counterfeit networking hardware have gotten 30 felony convictions, including a man attempting to sell fake networking equipment to the U.S. Marine Corps, and seized $143 million worth of fake Cisco hardware, the U.S. Department of Justice said on Thursday ... There was a 75 percent decrease in seizures of counterfeit network hardware at U.S. borders from 2008 to 2009, CBP said ... On Thursday, Ehab Ashoor, 49, a Saudi citizen residing in Sugarland, Texas, was sentenced in the U.S. District Court for the Southern District of Texas to just over four years in prison and ordered to pay $119,400 in restitution to Cisco Systems. On Jan. 22, a jury found Ashoor guilty of charges related to trafficking in counterfeit Cisco products, the DOJ said.

It seems to me the counterfeiters have stolen Cisco's name, trademarks and brands, which in many ways are its identity, so would you agree that counterfeiting is "corporate identity theft" or am I stretching the analogy too thin?

Is no-one saphe?


WASHINGTON, May 10, 2010 - U.S. Strategic Command officials are urging renewed vigilance against Internet-based identity theft after detecting a widespread 'phishing' expedition against servicemembers.

Phishing is a term used to describe deceiving people into divulging personal information such as passwords or account numbers over the Internet.

Beginning as early as May 2009 and lasting as late as March 2010, numerous fraudulent e-mails were sent to financial customers of USAA and Navy Federal Credit Union, Stratcom officials said in a recent news release.

The e-mails, which appear to originate from USAA and the credit union, ask the recipient to provide or verify personal information such as name and rank, account numbers, date of birth, mother's maiden name, address and phone numbers, online account user name and password, credit card numbers, personal identification numbers for automated tellers, and Social Security numbers.

...

Stratcom officials offered these suggestions to keep your personal information safe:

-- Always protect your personal identification and be cautious whom you provide it to, especially by phone or Internet;

-- Be suspicious of any unsolicited e-mail, pop-up, website or phone call in which you are asked to provide personal information;

-- Cross-reference information with the official sites, looking for the 'https' secure connection.

-- Do not click on any link provided in a suspicious e-mail, and take caution in opening e-mail attachments or downloading files, regardless of who sends them;

-- Keep your personal computer's anti-virus, anti-spyware, firewall and other security software running and up to date;

-- Regularly review your bank statements for suspicious activity.

That throwaway phrase "lasting as late as March 2010" amused me. Perhaps the USAA and Navy Federal Credit Union have figured out a way to block all phish, but somehow I doubt it. The phishing threat is ever present, and getting more sneaky by the day.

Call me paranoid but ...

... is it acceptable for Google not only to drive around the country collecting photographic information about its citizens, but also to sniff their WiFi router SSIDs?

Sure, broadcasting your SSID on a wireless network does put the information in the public domain, but at the same time it is limited to the local area, within a few hundred metres normally. Of course 'some kid with an iPod' could wander by and capture your SSID - so what? But of course most kids with iPods have better things to do than snoop on the entire population. And if the data collection has been done both surreptitiously and systematically by Google, alarm bells really should start ringing. Don't forget that Google also collects information about the searches people are making. It doesn't take a genius to see the potential for them mining their database for all sorts of juicy derived information about individuals. And in the US (where Google comes from), the very concept of personal privacy is fundamentally different to most of the rest of the world. In the US, whoever holds personal data effectively owns it and can do pretty much what they like with it, whereas in the civilized world, 'data subjects' own and have some semblance of control over personal data about themselves.

Facebook furore

There has been a rash of complaints about Facebook's privacy policies and practices over the past few days, creating enough of a stir to draw in even the mighty BBC as well as the mainstream press. The crux of the matter is that Facebook, like other social networking sites, encourages people to post personal information about themselves and their friends, contacts, relatives and acquaintances: establishing links to other people is the 'networking' part of social networking. Short of some form of virtual diode, those links are bidirectional, in other words if you link to me, then someone can probably retrace that link from me back to you.

Publishing personal links and other personal information in any online forum is not considered A Good Idea from the privacy and identity theft perspective. This includes publishing personal information about other people, not just yourself. Therefore, we are all at risk from inappropriate publication of our personal details by our naive friends, contacts, relatives and acquaintances on social networking sites, or indeed on any other public forum.

This means you may need to make the effort to educate your friends, contacts, relatives and acquaintances about your privacy rights and their privacy obligations. Let them know in no uncertain terms if you do not want them to violate your privacy. The Facebook furore demonstrates just how important this is. Even if you don't personally use Facebook and similar social networking sites (such as LinkedIn) yourself, take a moment to search them for your details and prepare to be shocked at how much information about you might already be Out There, thanks to your friends, contacts, relatives and acquaintances writing about you, tagging photos of you, mentioning you in their banal diaries or whatever. Because identity thieves may already be doing that ...

Wednesday 12 May 2010

Self-phishing not risk-free

Unusual story in PC World about the unanticipated consequences of sending a fabricated phishing story to employees as an awareness-raising exercise:

Security testers at the Guam Air Force base's 36th Communications Squadron had to send out a clarification notice on Monday after an in-house test -- called an operational readiness exercise (ORE) in Air Force parlance -- of how airmen would respond to a phishing e-mail worked out a little too well.

The e-mail said that crews were going to start filming "Transformers 3" on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information.

This type of in-house phishing exercise is a routine occurrence in the military and in major corporations, and is generally seen as a good way of promoting security awareness. But in Andersen's case, the information in the phishing e-mail started leaking to the civilian world.


As with penetration testing, contingency exercises and so on, it's important to consider the risks of the test/exercise. This particular one may well have achieved its aim of making everyone more aware of phishing, but at what cost?

Updated 12th May 2010
A few enterprising companies are exploiting the market by turning phish-spotting into an online game. If you genuinely think your employees will enjoy playing cartoon games, go ahead. I know a few six-year-olds who would turn their noses up at the cheap Disney-style graphics (complete with fish wearing spectacles). [Hint for the uninitiated: information security awareness, training and educational activities are, in the main, ADULT learning activities. Please don't demean your grown up employees by implying that they are pre-schoolers.]

Monday 10 May 2010

ATM crime & how to avoid it

ENISA published this paper (plus corrections to some of the reported annual loss figures) last September, describing the many ways that crime is being committed using ATMs (Automatic Teller Machines - hole-in-the-wall cash machines to you and me). Techniques for stealing credentials range from hi-tech approaches using card skimmers and false-front ATMs (even completely bogus ATMs have been used) to lo-tech shoulder surfing and distraction robbery. If nothing else, print off their "golden rules to reduce ATM crime" (pages 24 & 25 of the report) and speak to your friends and family members about the simple recommendations to reduce your personal risks. I've just looked up my bank's emergency/lost-or-stolen card numbers and popped them into my mobile phone, for instance.

Brian Krebs recently blogged about ATM skimmers. I find various readers' comments on Brian's blog somewhat perplexing: some claim that chip-n-PIN is "too expensive" for the US, not least because chip-n-PIN is flawed. As long as this kind of bizarre head-in-the-sand denial persists, card crime will surely continue to increase from an estimated US$350,000 per day in the US alone (the US Secret Service's 2008 estimate). That's US$128m per year!

Thursday 6 May 2010

Thieving from the tax man

A group of sophisticated identity thieves managed to steal more than $4 million by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased, according to a 74-count indictment unsealed in Arizona Thursday.

Why weren't you in court today?

This may be a few years old but there's a pretty good chance scams like this are still working nicely.

The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest. You say you never received a notice. To clear it up, the caller says he'll need some information for "verification purposes" - your birth date, social security number, maybe even a credit card number. This is when you should hang up the phone. It's a scam.

The FBI advisory on this recommends "Never give out personal information when you receive an unsolicited phone call".

I have occasionally received unsolicited calls from my bank. After the briefest of introductions, they normally ask me for my credentials in order to continue discussing whatever it is. It still perplexes me that they get all shirty with me when I insist on being given their credentials first - after all, it's them who called me. How do I know who's really on the line?

Snopes.com suggests a good idea: have the [alleged] bank person read out your details and agree or disagree with them. I doubt any decent bank would do this, and yet they are asking us to read out our details to them over the same phone line. Double standards? You bet.

Fraudaid victim advice site

Fraud Aid, Inc. is a California Public Benefit Corporation and 501(c)(3) nonprofit organization founded to provide free support and guidance to fraud victims and their families worldwide; to provide fraud awareness, prevention and recognition education in a manner easily understood by all; and to support law enforcement at all levels in their effort to deter fraud and bring its perpetrators to justice.


Their website may be a bit of an explosion in a bit factory but there's certainly no shortage of advice for those who find themselves victims of identity theft or drawn in to myriad other scams.

Wednesday 5 May 2010

ENISA report on Mobile Identity Management

A 35-page ENISA document on Mobile Identity Management covers a lot of ground, starting from some 'use cases' describing typical situations in which, for example, a person's identity needs to be authenticated while they are on the move. The well-written and referenced paper goes on to describe the risks such as identity theft and eavesdropping, and then approaches for aspects such as federated identity management:

Identity federation can be defined as the set of agreements, standards and technologies that enable a group of service providers to recognise user identifiers and entitlements from other service providers within a federated domain. These agreements include policy and technology standards, resulting in a single virtual identity domain. Federation refers to mechanisms for cross-domain authorization, while provisioning refers to the provisioning of users from authoritative systems to subsidiary systems. In addition to federation, provisioning may be necessary in the backend systems. The automatic registration initiated by an authoritative system is provisioning.

The paper briefly reviews applicable (European) laws and concludes with a series of recommendations for those designing identity management systems.

All in all, an excellent primer for security architects and CISOs with an interest in this area - which means all of them, surely?

Using stolen corporate IDs to steal personal IDs

Stealing personal financial information is evidently not so hard if one has the usernames and passwords used to access commercial accounts at the credit checking bureaux. Said bureaux claim to have sharpened up their act after tens of thousands of credit records had been stolen and presumably exploited for identity theft using a former employee's credentials.

It appears there is a conflict between the need to make the credit checking process as easy and quick as possible (for example when someone in a retail store requests credit to buy a car, furniture or expensive electronics) while at the same time protecting the identities of the individuals being checked.

Interview with an identity thief

A short interview with an identity thief makes some interesting points. It explains the way this gang obtained false credentials, duped retail stores into selling them goods and then fenced the goods to generate cash. The fraudster being interviewed is described as an innocuous looking old man:

Upon initially meeting Grandpa, my "police radar" failed to go off because by all physical accounts, Grandpa appeared to be unassuming and anything but your stereotypical criminal. Having dealt with criminals of all shapes and sizes and knowing better than to discriminate in such a fashion, a 5'10" lanky and elderly bald white male, dressed in a white t-shirt, sweatpants, and sandals, just translated to me as an elderly harmless man.

This kind of brazen fraud naturally relies upon fooling even fairly alert checkout staff, and in large stores with multiple checkouts, the fraudster often has the choice of who to dupe.