Background checking the background checkers

If your organization conducts background checks on candidates prior to employing them into roles involving access to highly classified information, or when promoting employees to more responsible and trusted positions (good on yer!), your security probably depends heavily on those checks and hence on the checkers.  Given the risks inherent in the process, you should definitely ensure that the process controls are adequate.

For example, if you outsource your background checks, is the outsourcer competent and diligent?  Do you need to check up on them?  If so, how, and how often, should you check?  Who, within your organization, is accountable for the quality of the checks and for any security incidents that result if the checks prove inadequate?

I'm asking these questions because it has been known for background checkers to falsify evidence of the checks they are supposed to have conducted.  Incidents of this nature are hard to uncover, expensive to investigate and resolve, and worse still can lead to extremely serious incidents downstream if improperly cleared people are handling classified information inappropriately.

Information protection awareness module

Our security awareness topic for July is "information protection", a deliberately nonsspecific title covering a wide-range of subjects such as: 

• ownership and accountability for information assets;
• classification and 
• baseline security.

Queensland Government security audit

Writing in the Courier Mail, journalist Mike O'Connor takes a particularly cynical view of  the Auditor-General's latest official report into information systems governance and security at the Queensland Government:

"IF YOU ran a business that spent $1.5 billon a year on information technology systems that contained highly sensitive, confidential data, then you would very likely take care that you were getting your money's worth.  You might also ensure the best-practice security systems were in place and that your staff knew what to do and how to do it.  The Queensland Government, however, takes a more relaxed approach to the value it gets for its $1.5 billion, one best characterised by those two delightful Australian synonyms for incompetence and ineptitude, "She'll be right'' and "No worries''."

 The audit report identified issues such as:

• Weaknesses in the overall governance of IT;
  
  
• No clear business owners for whole-of-government IT programmes;
  
  
• Persistent weaknesses in network security (despite this having been raised in previous audits);
  
  
• Out of date or untested IT DR plans, with some agencies having not even identified their critical business processes as yet and particular concerns around the shared IT infrastructure. 

The inter-departmental issues are disappointing given the strategy announced in 2009 "to achieve efficiencies by enabling the Queensland Government to perform successfully as a single enterprise".  At one point, the report says:

"The CEO Leadership Team Services Sub-committee was assigned the responsibility for being accountable for the delivery of benefits and outcomes of the Toward Q2 through ICT strategy and projects. This responsibility was communicated to Cabinet through a progress report on the portfolio. However, the terms of reference for the CEO Leadership Team Services Sub-committee did not reflect this role.  ... Between December 2009 and December 2010, 13 meetings of the Services Sub-committee were held but no material decisions relating to the Toward Q2 through ICT portfolio were made by the Sub-committee during that time. The Services Sub-committee did not have the necessary powers to exercise effective governance over the portfolio such as changing the progress or discontinuing initiatives in response to an assessment of their capacity to deliver benefits to the operations of the Queensland Government."

If you are familiar with the BBC satire (documentary!) "Yes, Minister", it's not hard to imagine the internal politics associated with driving, and particularly funding, cross-governmental security initiatives in this cost-cutting environment.

Epsilon and ISO27k

A report by Jeanette Fitzgerald, Epsilon Data Management's General Counsel, to the U.S. House of Representatives' Committee on Commerce, Manufacturing, and Trade outlines the sequence of events involved in the Epsilon data breach on March 30th that compromised names and email addresses on the mailing lists of about 50 Epsilon clients. 

Epsilon's business is to provide the infrastructure enabling massive email marketing campaigns for its clients.  While that may sound to some rather like legitimized spamming, Epsilon refers to it as "permission-based marketing" since recipients supposedly opt-in to the campaigns (albeit perhaps by failing to deselect the relevant option hidden deep in some marketing materials or during an inquiry or sales transaction) and have the ability to opt-out later.  The hackers and scammers now in possession of the stolen personal information are unlikely to respect opt-in or opt-outs however.  There have been gloomy predictions of spear phishing attacks over the coming weeks and months, perhaps using the branding of the 50 client companies - or indeed of Epsilon itself - to ensnare potentially vulnerable customers on the client mailing lists.

I find it interesting that the ISO27k standards featured heavily in their report.  Epsilon's management, clearly under pressure to account for the security breach, must feel that their adoption of ISO27k demonstrates sound security or information governance.  According to the report, Epsilon's Information Security Management System been certified compliant with ISO/IEC 27001 for about 5 years, and they have implemented the generally-accepted good security practices recommended by ISO/IEC 27002, the code of practice standard.

This begs the obvious question "How come the good security practices promoted by the ISO27k standards didn't prevent the breach?" ... from which, in turn, some might infer that ISO27k is worthless.

A similar issue cropped up this week on CISSPForum, an email reflector for CISSPs and other information security professionals.  In the context of an ongoing discussion about security awareness, a colleague told us:

At a conference the speaker made the statement "If awareness was going to work, it would have worked by now."

... the implication being clearly that awareness is so broken that it's just not worth doing. 

There's a logical fallacy in both cases.  The may not have been perfect controls, but without ISO27k and without security awareness (which happens to be one of the ISO27k-recommended controls), the Epsilon incident might have been far worse. 

After the fact, there is actually some evidence of the value of both the ISO27k security controls and the management system.  That Epsilon responded so rapidly to the incident, notifying their clients in short order and liaising with the authorities, forensics experts and others indicates that their security incident response and management activities, at least, worked smoothly and efficiently.  Senior management was engaged, and must have been sufficiently aware of the significance of the incident to react appropriately.  It was phrased thus in the report:

"In identifying the recent attack on Epsilon’s systems, the company’s security program detected unauthorized download activity and invoked Epsilon’s security incident response program. This led to an immediate move to investigate and remediate the unauthorized entry and to put in place additional safeguards based on the company’s findings."

Further details about the incident response were provided in the report, albeit in summary.  This does not read to me like the typical uncoordinated/panic reactions that we sometimes see elsewhere, although to be fair this is a formal, public report to a committee.  The internal incident investigation findings might have told a different picture!

The 'if it was going to work, it would have worked by now' statement [I refuse legitimize it by calling it an argument] could apply to many different things, such as information security as a whole, or anti-corruption laws, or CFC bans, or restrictions on whaling.  The fact is that, in each case, we can't tell for certain what would have happened if we had not acted.  However, before we did whatever it was, we presumably weighed-up our options and thought it appropriate to go ahead.  Afterwards, there may be some evidence to suggest that we did the right thing but it tends to be anecdotal or circumstantial, and so remains open to the challenge that it would probably have happened anyway.  Short of conducting scientific trials under controlled conditions, the factual evidence is bound to be limited and disputable. Such is the nature of risk management.

Messaging under repressive regimes

The New York Times has reported on a state-funded US program to help 'dissidents' establish covert wireless networks and Internet connections without relying on the government-controlled facilities.

There are significant risks with such a venture, including the political issue of being seen to support subversion and destabilization of foreign governments:

"Mrs. Clinton has made Internet freedom into a signature cause. But the State Department has carefully framed its support as promoting free speech and human rights for their own sake, not as a policy aimed at destabilizing autocratic governments. That distinction is difficult to maintain, said Clay Shirky, an assistant professor at New York University who studies the Internet and social media. “You can’t say, ‘All we want is for people to speak their minds, not bring down autocratic regimes’ — they’re the same thing,” Mr. Shirky said."

Another risk concerns the creation of 'dual use technology' that can equally be used by 'dissidents', criminals, terrorists and other 'subversives' operating within the US or elsewhere. Tech-savvy criminals surely know by now that regular Internet connections, landline phones, cellphones, radios, computers etc. can be monitored and controlled by the government, police, military forces and/or security services, particularly in the developed world where the authorities have the technical capabilities, resources and (in some cases at least) the legal right and will to snoop on citizens. The US project risks giving them ideas on how to establish parallel covert comms, networking and messaging capabilities, other than the more obvious use of encryption.

As to whether 'dissidents' would be wise to accept and use a briefcase full of electronics and software supplied by the US and reported by the New York Times, well that's for them to figure out. I would just mention, though, that even gift horses may conceal surprises.

£40k emails

Emailing confidential personal data to the wrong addressees cost Surrey County Council a fine from the Information Commissioner's Office of £40k ... for each of the three times it happened in less than a year.

Somewhat belatedly, the council said:

"Measures have already been taken to reduce the risk of sensitive personal data being wrongly addressed and extra training on handling data securely has been given."

If only they had done that before the first incident!

Tackling social engineering attacks with technology

Spear-phishing email attacks are a serious concern, a risk that is probably increasing. The attacks work by fooling victims into doing something inapppropriate/unwise, such as visiting a dodgy website or opening a dodgy attachment. 'Fooling victims' is the crux of it, and email is just one of many possible ways of perpetrating the fraud. The 'spear' part of the name refers to messages that narrowly target specific individuals, using information about them or their interests to hook them.

The most obvious way to tackle the spear phishing threat is to explain it, help potential victims limit the amount of potential lure material they release, recognize when they are being speared, and show them how to respond. Security awareness in other words. It's what we do. Anti-malware is another part of the defense, along with various other security controls to limit the damage after a victim is fooled.

And now, if you have $130-150k to spare, you can even buy an "appliance" to detect and block spear phishing emails.

Golly.  How much awareness could one buy for $130-150k?  It had better be good!

Creative ways to tackle spam

A research project at UCal has determined that just three credit card processors are responsible for processing most credit card purchases responding to a sizable sample of spam advertisements, suggesting the possibility of persuading them to block purchases associated with spam campaigns.

While I like their creative approach to this intractable problem, I can see some issues with the proposal.  First someone would need to identify the transactions corresponding to spams, differentiating them from transactions for the same or similar goods that are not the result of spamming.  Secondly, they would need to persuade the processors to block the transactions, presumably cutting their fee income in the process.  Thirdly, the spammers seem likely to respond to such an attack, for example by diversifying their card processing, so it would turn into a cat-n-mouse chase.

That aside, the article includes some interesting spam stats:

"Spam has proved notoriously difficult to defeat over the years, despite sophisticated filtering technologies and legal investigations and convictions. Seven years after the famous prediction by Bill Gates, then chairman of Microsoft, that spam would be eradicated in just two years, about 90 percent of all e-mail is spam. An earlier study undertaken by the scientists showed that a single commercial spam e-mail campaign generated three messages for every person on the planet. That same study revealed that to sell $100 worth of Viagra, a spam provider needed to send 12.5 million messages."

... so that's 125,000 spam messages per dollar of consequential Viagra sales.  Assuming the spammers make 50% profit (which I suspect is an overestimate), they would need to send a quarter of a million spams to earn every dollar of profit.  If it cost them just 4 micro-dollars to send a spam (for example if email was 'taxed' or charged like the post, and the spammers were somehow forced to pay up - a significant assumption), they would not earn a thing.

Spear phishing awareness

"Targeted emails that tempt a user to click a hyperlink are among the most prevalent methods of infecting computers with malware or of stealing information," Top Layer's Paquette told TechNewsWorld.

Spear phishing is all over the infosec news at the moment, with Google disclosing spear phishing attacks against Gmail users, and then various infosec/antivirus companies following up with stories about phishing attacks on other webmail users.

The truth is that spear phishing has been around for several years, and it is known to be effective using all forms of email and in fact other messaging systems, not just webmail: the common factor is that the recipient is a human being.  How they get the message is irrelevant.  Even a note on the windshield would work.  The really worrying part is that some of the attacks are almost certainly so stealthy that victims don't even know they have been hit.  Colour me paranoid ("You're a paranoid infosec freak, Gary!!") but my default response to any contact from strangers, and even out-of-character contacts from my friends and acquaintances, is to doubt their motives.  I hope my cynicism doesn't upset too many genuine contacts, but personally I'd rather put a few on edge than blithely accept everything that plops into my inboxes.  And yet still I worry that I might have fallen for a scam.

ISO27k gap analysis

Thanks to contributions by generous members of the ISO27k Forum, today we published an Excel file containing two spreadsheets: one concerns the gap between the organization's security management practices and those formally specified in ISO/IEC 27001.  The other concerns which of the information security controls recommended by ISO/IEC 27002 management deems relevant to the organization's risks. For anyone designing and implementing an ISO27k-compliant Information Security Management System, both aspects are of interest.

Both spreadsheets incorporate simple unweighted counts of the number of items in each category (i.e. management system requirements fully, partially or not implemented, and information security controls fully, partially or not applicable).  Despite being so simplistic, these are surprisingly useful metrics for ISO27k implementation projects. 

The Excel file is part of the free ISO27k Toolkit.  Enjoy!

Giving employees an uphill battle

A blog piece by David Lineman emphasizes the importance of having explicit corporate policies regarding private/personal use of corporate IT facilities.  David outlines three cases in which employees claimed that their emails were private, even though they were using the company systems and network.  His conclusion is straightforward enough:

"All of these cases have happened within the last year, and they are likely to continue. The message for employers is clear: You must have acceptable use policies that cover internet and email, including the use of personal email accounts. In every case, employees had an uphill battle when there were policies in place."

I would add two things. 

Firstly, email is not the only issue here - as well as using the corporate email systems for personal reasons, employees often use the ICT facilities to access their webmail, and for SMS/TXT, IM, ICQ and other forms of person-to-person messaging.  Our model policy on person-to-person messaging (one of the items provided in the latest bunch of awareness materials) includes a policy axiom stating that 'Corporate person-to-person messaging facilities are provided for legitimate operational and administrative purposes in connection with the organization’s business.  All messages processed by or traversing the corporate IT systems and networks are considered to be the organization’s property.'  It goes on to expand on that and another axiom.

Secondly, 'having a policy' is not necessarily enough: employees also need to know about and ideally understand and comply with it - which is where the rest of the awareness module comes into play.