Showing posts with label Malware. Show all posts

Wednesday 27 March 2024

Pragmatic ISMS implementation guide (free!)

Early this morning (very early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017.

Overall, the meeting was very productive in that we got through a long list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points.

In summary:
  • 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001, 27002 and 27005:

    • These changes are mostly minor aside from the new section 6.3 on ISMS changes.

Thursday 25 May 2023

Novel insider threat

A post on LinkedIn this morning led me to a news piece about an IT professional's attempt to divert/steal his employer's payoffs for a ransomware infection, back in 2018.

According to the article, his attempt ultimately failed, largely due to his inept and naive execution ... but I have not come across this particular insider threat before. It was a new one on me, a man-in-the-middle attack layered on top of the ransomware.

Monday 18 July 2022

Skyscraper of cards


Having put it off for far too long, I'm belatedly trying to catch up with some standards work in the area of Root of Trust, which for me meant starting with the basics, studying simple introductory articles about RoT.

As far as I can tell so far, RoT is a concept -  the logical basis, the foundation on which secure IT systems are built.

'Secure IT systems' covers a huge range. At the high end are those used for national security and defence purposes, plus safety- and business-critical systems facing enormous risks (substantial threats and impacts). At the low end are systems where the threats are mostly accidental and the impacts negligible - perhaps mildly annoying. Not being able to tell precisely how many steps you've taken today, or being unable to read this blog, is hardly going to stop the Earth spinning on its axis. In fact 'mildly' may be overstating it.

'Systems' may be servers, desktops, portables and wearables, plus IoT things and all manner of embedded devices - such as the computers in any modern car or plane controlling the engine, fuel, comms, passenger entertainment, navigation and more, or the smart controller for a pacemaker.

Trust me, you don't want your emotionally disturbed ex-partner gaining anonymous remote control of your brakes, altimeter or pacemaker.

In terms of the layers, we the people using IT are tottering precariously on the top of a house of cards. We interact with application software, interacting with the operating system and, via drivers and microcode, the underlying hardware. A 'secure system' is a load of software running on a bunch of hardware, where the software has been designed to distrust the users and administrators, other software and the hardware, all the way down to, typically, a Hardware Security Module, Trusted Platform Module or similar dedicated security device, subsystem or chip.

Ironically in relation to RoT, distrust is the default, particularly for the lower layers unless/until they have been authenticated - but there's the rub: towards the bottom of the stack, how can low-level software be sure it is interacting with and authenticating the anticipated security hardware if all it can do is send and receive signals or messages? Likewise, how can the module be sure it is interacting with the appropriate low-level software? What prevents a naughty bit of software acting as a middleman between the two, faking the expected commands and manipulating the responses in order to subvert the authentication controls? What prevents a nerdy hacker connecting logic and scope probes to the module's ports in order to monitor and maybe inject signals - or just noise to see how well the system copes? How about a well-appointed team of crooks faking a bank ATM's crypto-module, or a cluster of spooks figuring out the nuclear missile abort codes?

Physically securing the hardware is a start, such that if someone tries to - say - open ('decapsulate') the TPM chip to analyse the silicon wafer under an electron microscope in the hope of finding some secret key coded within, the chip somehow destroys itself in the process - perhaps also the warhead for good measure. 

Other hardware/electronic controls can make it virtually impossible for hardware hackers to mount side-channel attacks, painstakingly monitoring and manipulating the module's power supply and ambient temperature in an attempt to reveal its inner secrets.

Cryptography is the primary control, coupled with appropriate use of authentication and encryption processes in both hardware and software (e.g. 'microcode' physically built-in to the TPM chip's crypto-processor), plus other inscrutable controls (e.g. rate-limiting brute force attacks and, ultimately again, sacrificing itself, taking its secrets with it).
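To make the 'how does each layer know what it is talking to' question concrete, here is an added example of measured boot plus a nonce-bound attestation quote. It is my own illustration, not code from this blog, from a TPM vendor or from any ISO/IEC standard: a SHA-256 register with PCR-style extend semantics stands in for a real PCR, an HMAC under a key that never leaves the 'chip' stands in for the signature a real TPM's attestation key would produce, and the boot images, key and nonces are constructed stand-ins.

```python
"""Measured boot and remote attestation in miniature (added example, not the
author's code nor anything from ISO/IEC 27070). A SHA-256 register with TPM-style
extend semantics stands in for a PCR; an HMAC under a key that never leaves the
'chip' stands in for the attestation-key signature a real TPM would produce.
All component images, the key and the nonces are constructed stand-ins."""
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32  # PCRs start at all zeros after reset


def extend(pcr: bytes, image: bytes) -> bytes:
    """PCR extend: new = H(old || H(image)). The register cannot be written, only
    extended, so reproducing a value means reproducing the whole ordered chain."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_chain(components):
    """Each layer measures the next into the PCR before handing control to it.
    The event log records what was measured so a verifier can replay it."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, log


class FakeTPM:
    """Holds the attestation key and signs (nonce || PCR) on request. Software
    sitting between the chip and the verifier cannot forge this without the key."""

    def __init__(self, attestation_key: bytes):
        self._key = attestation_key

    def quote(self, pcr: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + pcr, hashlib.sha256).digest()


def verifier_accepts(attestation_key: bytes, golden_pcr: bytes, nonce: bytes, quote: bytes) -> bool:
    """The verifier recomputes the quote it expects for its own fresh nonce and
    the known-good PCR; a tampered stack or a replayed quote both fail."""
    expected = hmac.new(attestation_key, nonce + golden_pcr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote)


def changed_components(golden_log, device_log):
    """Replay the event log to name the layer(s) whose measurement differs."""
    return [n for (n, d), (_, g) in zip(device_log, golden_log) if d != g]


# Constructed boot chain; the verifier holds golden measurements of these images.
GOLDEN = [
    ("bootrom", b"constructed boot ROM image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
]
AIK = b"constructed attestation key known to the TPM and the verifier only"


def run_scenarios() -> dict:
    golden_pcr, golden_log = measure_chain(GOLDEN)
    tpm = FakeTPM(AIK)
    results = {}

    # 1. Clean boot, fresh nonce: the quote matches the golden PCR.
    nonce1 = os.urandom(16)
    pcr1, _ = measure_chain(GOLDEN)
    quote1 = tpm.quote(pcr1, nonce1)
    results["clean_boot"] = verifier_accepts(AIK, golden_pcr, nonce1, quote1)

    # 2. Implanted bootloader: the boot ROM measured it before it ran, so its
    #    digest, and hence the PCR, diverge and the honest quote is rejected.
    tampered = [GOLDEN[0], ("bootloader", b"constructed bootloader image v1 + implant"), GOLDEN[2]]
    nonce2 = os.urandom(16)
    pcr2, log2 = measure_chain(tampered)
    results["tampered_boot"] = verifier_accepts(AIK, golden_pcr, nonce2, tpm.quote(pcr2, nonce2))
    results["changed"] = changed_components(golden_log, log2)

    # 3. Middleman replays the genuine quote from scenario 1 against a new nonce.
    nonce3 = os.urandom(16)
    results["replayed_quote"] = verifier_accepts(AIK, golden_pcr, nonce3, quote1)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Two things the example shows that the prose only hints at: the implant cannot hide its own hash because the layer beneath it did the measuring, and the software middleman cannot reuse an old, genuine answer because the verifier's nonce is inside the signed data. What it deliberately does not model is a probe on the physical bus between CPU and chip; that is the case TPM 2.0 sessions with parameter encryption exist for.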

Developing, producing and testing secure systems is tough, even with access to low-level debugging mechanisms such as JTAG ports and insider-knowledge about the design. There must be a temptation to install hard-coded backdoors (cheat codes), despite the possibility of 'some idiot' further down the line failing to disable them before products start shipping. There is surely a fascination with attempting to locate and open the backdoors without tripping the tripwires that spring open the trapdoors to oblivion.

OK, so now imagine all of that in relation to cloud computing, where 'the system' is not just a physical computer but a fairly loose and dynamic assembly of virtual systems running on servers who-knows-where under the control of who-knows-who sharing the global Internet who-knows-how. 

Having added several extra floors to our house of cards, what could possibly go wrong? 

That's what ISO/IEC 27070:2021 addresses. 

At least, I think so. My head hurts. I may be coming down with vertigo.

Wednesday 13 April 2022

Domotics - a can-o-worms


This morning, I’ve been browsing and thinking about ISO/IEC 27403, a draft ISO27k standard on the infosec and privacy aspects of “domotics” i.e. IoT things at home.


Compared to a [reasonably well controlled] corporate situation, there are numerous ‘challenges’ (risks) in the home setting e.g.:

  • Limited information security awareness and competence by most people. IoT things are generally just black-boxes.
  • Ad hoc assemblages of networked IT systems - including things worn/carried about the person (residents and visitors) and work things, not just things physically installed about the home (e.g. smart heating controls, door locks and cat feeders).
  • Things are not [always] designed for adequate security or privacy since other requirements (such as low price and ease of use) generally take precedence. Finite processing and storage capacities, plus limited user interfaces, hamper/constrain their security capabilities.
  • Lack of processes for managing security and privacy systematically at home. If anything, activities tend to be ad hoc/informal and reactive rather than proactive.
  • Informality: the home is a relatively unstructured, unmanaged environment compared to the typical corporate situation. Few domotics users even consider designing a complete system, although certain aspects or subsystems may be intentionally designed or at least assembled for particular purposes (e.g. entertainment).
  • Dynamics and diversity: people, devices and services plus the associated challenges and risks, are varied and changeable. The home is a fairly fluid environment anyway, and innovation is driving the tech at quite a pace.
  • Limited ability to control who may be present in/near the home and hence may be interacting with IoT devices e.g. adult residents plus children, owners, visitors, installers, maintenance people, neighbours, intruders ...  Physically securing things against accidental or malicious interaction is difficult, while networking compounds the issue.
  • Limited ability to manage and control IoT device and service supply chains, as well as the installation, configuration, use, monitoring and maintenance of devices and services, with little if any coordination among the parties.

Good luck to anyone seriously attempting to secure their own home, or for corporations concerned about securing their employees including home workers (execs and plebs) and an increasingly mobile and tooled-up workforce. 

For instance, I have only a rough idea of what IoT things are in my home, some of which are not mine and are not under my control. Security configuration is, at best, an ad hoc activity when (some) things turn up. Security monitoring and management (e.g. patching) are almost nonexistent, in practice. Being an infosec professional and geek, I do my level best to contain and protect work-related and personal info but it is hard going in such an open, dynamic and potentially hostile environment. “Zero trust” just about sums it up.

The practical limitations, in turn, open the door to all manner of mischief and misfortune.  It’s a veritable can-o-worms I tell you.

Monday 6 July 2020

Of APTs and RPTs



Do you recall when APTs were A Thing? Advanced Persistent Threats were exemplified by Stuxnet, a species of malware that was stealthy enough to penetrate the defences of an Iranian uranium enrichment plant ten years ago, persistent enough to undermine numerous layers of control, and sophisticated enough to over-speed and wreck the centrifuges without alerting the plant operators until the damage was done.  

We seldom hear of weapons-grade APTs these days, suggesting they are no longer newsworthy or effective. Maybe they have gone the way of the trebuchet or musket ... but I believe it's much more likely that APTs have become even more sophisticated, stealthier and more damaging now than ever before, especially given the ascendance of IoT, IIoT and 'cyber-physical systems'. Now, Things are A Thing.

Meanwhile, we are constantly assaulted by ordinary, conventional, old-school malware - Retarded Persistent Threats as it were.

In contrast to APTs, RPTs are relatively crude and commonplace - more blunderbuss than sniper's rifle but every bit as devastating at close range. Despite becoming increasingly sophisticated and capable, they are presumably well behind APTs, especially given governmental investments in cyber capabilities as part of national defence spending.

RPTs 'persist' in the sense that they steadfastly refuse to go away. Bog-standard malware has dogged computer systems, networks and users since the 1980s. It has grown in prevalence at least as fast as IT, and in some ways it has driven advances in IT. The few percent of system resources needed to run today's antivirus packages and firewalls would surely have brought systems from previous decades to their little silicon knees.

Whereas most RPT incidents are, well, incidental in relation to our global society, they threaten the very large number of vulnerable systems, individuals and organisations out there. It has become painfully obvious during COVID-19 that vanishingly few organisations stand alone, immune to the global repercussions. We are all entangled in, and highly dependent upon, a global mesh of information, goods and services. Just as a single COVID case causes knock-on effects, an RPT incident creates ripples.

We're lucky that, so far, neither real-world nor cyber-world viruses have tipped us over the edge, triggering the zombie apocalypse that preppers fear. With their additional stealth and firepower, APTs may one day push things a byte too far - and then what? Perhaps those preppers aren't so loco as they may seem. Perhaps it's not such a crazy idea to build and secure our virtual bunkers to protect the information we'll need when zombies emerge from the forest. I guess I should carve this blog piece onto a rock, an information archival medium proven to last thousands of years. I wonder if these strange hieroglyphics will mean anything when the rock is dug up? 

Come to that, I wonder if they mean anything now! Are these merely the incoherent ramblings of a paranoid infosec geek, or have I struck a chord? Comments are welcome. Chisel away.

Wednesday 17 June 2020

Phishing evolution

The Interweb drums have been beating out news of an upsurge in phishing attacks over the past month or so. I’ve certainly had more than the normal number of things along these lines lately:

As usual, these are relatively crude and (for most reasonably alert people) easy to spot thanks to the obvious spelling and grammatical errors, often using spurious technobabble and urgency as well as the fake branding and sender email address in an attempt to trick victims. The ‘blocked emails’ and ‘storage limit’ memes are popular in my spam box right now, suggesting that these are basic phishing-as-a-service or phishing-kit products being used by idiots to lure, hook, land and gut other idiots. They are, however, using my first name in place of “Dear subscriber” or “Hello, how are you doing?” that we used to see, implying the use of mailmerge-type content customisation with databases of email addresses and other info on potential victims*.

Moving up the scale, some current phishing attempts are more sophisticated, more convincing. Sometimes it's just a lucky coincidence e.g. when the lure glints alluringly because it just happens to mention something I am currently doing - for example if I am dealing with American Express over a credit card issue, a scattergun phisher based around the Amex branding has a better than average chance of hooking me at that point. COVID is an obvious lure right now, along with associated collateral and concerns such as face masks, sanitiser, death rates, lockdown, WFH and so forth (lots of potential there for the more creative phishers).

Sometimes I notice spear phishing where the phishers appear to have done a bit of research, crafting the lure, personalising it around something about me and my activities, interests, social groups etc. ... and here the problem gets really interesting. 

Being a professionally-paranoid infosec geek, I wonder/worry about phishers sneaking under my radar, slipping quietly past my twitching whiskers. What am I missing? Have I been hooked already? Am I dangling on the line?

From a classical information risk perspective:
  • The threats are out there, ranging from numerous but crude scatter-gunners through the pistol-toting mid-range phishers up to the snipers and beyond, heading into the realm of organised crime and espionage; 

  • The vulnerabilities flow from the interconnectedness of modern life, coupled with the naivete and socio-biology that goes with being human; 

  • The personal impacts of me being phished are limited although I am more concerned about the business and third party impacts e.g. someone phishing me as a stepping stone, a means to compromise other more valuable targets in my social and professional networks.
As the phishing tools and techniques grow ever more sophisticated, our controls must keep pace but, frankly, I've seen little progress over the past decade. We're still largely reliant on anti-spam, anti-virus and vigilance. There have been advances in the technologies behind email sender authentication and message integrity, no end of 'awareness campaigns' plus a few reputation- or group-based phisher detection and response approaches. Overall, though, I have the strong feeling that we're losing ground to the baddies in respect of preventive controls, placing greater emphasis on the need for incident detection, containment, response and recovery, plus resilience. 

And judging by the continuing slew of ransomware incidents in the headlines, we're failing in that department too. 

Bugger

It's time to review what I'm doing to protect myself, my business, family and friends against being phished. How about you? If, for instance, I had encouraged you to download a free phishing response pack or explore the realities of Business Email Compromise what are the chances you'd simply have clicked one or other of those links to take a look, without even glancing at the URLs? 

Just sayin'

Take care out there. Prevention trumps cure. Go wash your hands.

* PS The mailmerge-type technique is obvious when it fails, leading to inept phishing emails like this: 
"I would like to discuss the possibility of your company with email address: %E-mail_address% partaking in government bulk supply contracts to Iraq over 2 year period."
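The traits described above (urgency, the 'blocked emails' and 'storage limit' memes, a brand name on an unrelated sender domain, and the unfilled mail-merge placeholder in the PS) can be turned into a crude triage score. The following is an added example of my own, not the blog author's tooling and not any vendor's rule set; the sample messages, the brand-to-domain table, the weights and the flagging threshold are all constructed for illustration.

```python
"""Heuristic triage of phishing lures (added example, not the author's tooling).
The indicators mirror traits of kit-generated phishing: urgency pressure, the
'blocked emails'/'storage limit' memes, brand names sent from an unrelated domain,
a Reply-To that differs from From, and unfilled mail-merge placeholders such as
%E-mail_address%. Sample messages, brand table, weights and threshold are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

URGENCY = re.compile(r"urgent|immediately|within \d+ hours|will be (?:suspended|deleted|closed|blocked)", re.I)
STORAGE_MEMES = re.compile(r"storage limit|mailbox (?:is )?full|blocked e-?mails?|quota exceeded", re.I)
MERGE_FIELD = re.compile(r"%[A-Za-z][\w\-]*%|\{\{\s*\w+\s*\}\}")  # %E-mail_address%, {{first_name}}
BRANDS = {  # brand string -> domain entitled to use it (constructed, deliberately incomplete)
    "american express": "americanexpress.com",
    "amex": "americanexpress.com",
    "microsoft": "microsoft.com",
    "office 365": "microsoft.com",
}
SUSPICIOUS_AT = 2  # weighted score at which a message is flagged for a closer look


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def score_message(raw: str) -> dict:
    """Score one RFC 822-style message and explain each point awarded."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    reasons = []  # (weight, explanation)
    if URGENCY.search(text):
        reasons.append((1, "urgency pressure"))
    if STORAGE_MEMES.search(text):
        reasons.append((1, "storage/blocked-mail meme"))
    if MERGE_FIELD.search(text):
        reasons.append((2, "unfilled mail-merge placeholder"))
    if reply_dom and reply_dom != from_dom:
        reasons.append((1, f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))
    # A brand named in the headers or body while the sender domain is not that brand's.
    haystack = (text + " " + (msg.get("From") or "")).lower()
    impersonated = {legit for brand, legit in BRANDS.items()
                    if brand in haystack and from_dom != legit and not from_dom.endswith("." + legit)}
    for legit in sorted(impersonated):
        reasons.append((2, f"{legit} branding sent from unrelated domain {from_dom}"))
    score = sum(w for w, _ in reasons)
    return {"score": score, "reasons": [r for _, r in reasons], "suspicious": score >= SUSPICIOUS_AT}


SAMPLES = {  # constructed messages, not real mail
    "blocked_mail_kit": (
        "From: Mail Administrator <admin@fast-deliver.example>\n"
        "Reply-To: recover@mail-recover.example\n"
        "Subject: 12 blocked emails pending\n"
        "\n"
        "Hello Alex, your storage limit has been reached and 12 blocked emails are\n"
        "waiting. Verify your account within 24 hours or it will be suspended.\n"
    ),
    "failed_merge": (
        "From: Contracts Office <tenders@gov-supply.example>\n"
        "Subject: Bulk supply contracts\n"
        "\n"
        "I would like to discuss the possibility of your company with email address:\n"
        "%E-mail_address% partaking in government bulk supply contracts over 2 year period.\n"
    ),
    "amex_lookalike": (
        "From: American Express <service@amex-secure-login.example>\n"
        "Subject: Urgent: card suspended\n"
        "\n"
        "Your Amex card will be suspended unless you confirm your details immediately.\n"
    ),
    "legit_amex": (
        "From: American Express <alerts@americanexpress.com>\n"
        "Subject: Your statement is ready\n"
        "\n"
        "Your January statement is available. Sign in to your account to view it.\n"
    ),
}


def triage_samples() -> dict:
    return {name: score_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: score={verdict['score']} suspicious={verdict['suspicious']} {verdict['reasons']}")
```

Content heuristics like these are a complement to, not a substitute for, sender authentication (SPF, DKIM, DMARC) and a reporting channel people actually use; the brand check in particular only says that a lookalike domain is not the brand's, it cannot tell you who it is.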

Friday 20 March 2020

March 20 - COVID-19 PIG update

Here's today's update to my COVID-19 information risk Probability Impact Graphic:


I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). 

Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security?

‘Sanity’ is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including ‘mental health issues’ in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it’s hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG). 

There’s even some good news for infosec pro’s. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study. I encourage you to think about the information risk and security aspects of this, and perhaps make little notes as reminders of the lessons to be learnt when the storm blows over. 

Here's one of mine. Toilet roll shortages are a handy leading indicator of panic buying and perhaps more substantial physical security threats ahead i.e. a predictive physical security metric. 

For some reason buried deep in the human psyche, a perceived shortage of toilet rolls and other “essentials” precedes, perhaps even triggers the cascading social disorder that we are now experiencing … so this is a gentle reminder to maintain stocks of “essentials” even in good times. Here in NZ, we are urged to maintain our earthquake kits ready for major incidents that can happen without warning. Having a sensible stock of toilet rolls, water, pasta, soup, soap etc. in the kit reduces the pressure to join the plague of locusts clearing the supermarket shelves, and frees us up for other things – not least, being able to think straight and focus on what matters: helping ourselves, our families, friends and colleagues get through this. 

I'm doing my best to maintain a sense of perspective, keeping a balanced, level-headed view of what's going on and spreading what I hope is sensible and helpful information right here.

Yet more good news: so far, the IT and comms services have held up quite well through the crisis, aside from the odd collaborative working wobble … although those ‘increased cyber risks working from home’ shown on the PIG remain a concern. I expect there will be incidents involving malware, hacking and social engineering due to weaknesses in the preventive controls, while incident detection and recovery may also be challenging. In your organization, are you on top of all of this? Do you have reliable VPNs, network security monitoring, antivirus controls, patching and backups all sewn-up for your off-site workforce using corporate kit or BYOD? Do you have the appropriate policies and procedures in place, including incident responses? What about the IT workers we rely upon to keep everything running smoothly: how are they bearing up under the strain?

Saturday 14 March 2020

March 14 - COVID-19 information risk update

Further to yesterday's assessment of the information risks associated with the coronavirus pandemic and the discussion arising, here are a few more aspects.

An increased number of knowledge workers are now working from home, some of them for the first time. What equipment and services are they using? What are the information risks and security arrangements? Who knows? Larger organizations tend to have in place suitable policies plus structured, systematic approaches towards home and other off-site working, with controls such as management authorization, remote security management of end user devices (corporate or BYOD), VPNs, network security monitoring, network backups, automated patching, antivirus etc. Hopefully they have all scaled easily to cope with the changing proportions of off-siters. Medium and especially small organizations, however, may be less well prepared ... and all of them are likely to be feeling the strain of changed working practices and social interaction. The managers, supervisors, network security pro's and others who are meant to be keeping an eye on all this are also more likely to be working off-site, relying more on automation and information through the systems. 

That smells like a green or borderline amber information risk to me, redder for those ill-prepared SMEs maybe, or for larger organizations that for some reason were not on top of this already. Given that managers and execs generally have been working off-site for years, they really have no excuse for failing to identify, evaluate and treat the associated information risks. If they now deserve to be called to account, so be it. 

Which reminds me, another bit of good news is that organizations are running and hopefully proving the adequacy of their business continuity arrangements, including the resilience aspects of keeping the information flowing more or less normally. This is better than the normal business continuity exercise in that everyone is participating (like it or not!) ... but as to whether everyone is coping well, we shall see. Some supply chains/networks are clearly under stress (toilet rolls, for instance!), and others probably too. If they fail due to inadequate resilience, the consequences may ripple outwards, meaning that some organizations will also get to use and prove their contingency arrangements. 

There are some more green/amber information risks in there, judging largely by what we see today i.e. nothing significantly amiss so far, no dramatic failures or industry collapses (except perhaps for the financial industry - a red risk already on the chart). 

Oh and there's more good news: most of the population now knows the basics of personal hygiene such as covering their sneezes and washing their hands. These aren't totally effective controls, but they are better than nothing [the scientist in my head made me say that]. Hopefully we will find that human behaviours have changed as a result of coronavirus, thanks to information about modes of transmission, with benefits for other infectious diseases. There are information risks in this area but nothing worth bringing up here and now. 

That's enough for today. It's Saturday morning here in NZ and I have Things To Do. Maybe over the weekend I'll update the PIG. Maybe not. 

Friday 31 January 2020

Just-in-time security awareness


This afternoon, we completed, proofread and published a security awareness module on malware, a few short hours before our (self imposed!) end-of-month deadline. 

The atmosphere in the office has grown increasingly tense this week as the deadline loomed. Early in January we took the decision to use the Travelex ransomware incident as a very topical (live!) case study for the module, and as such we were hostage to their timeline. By sheer chance, the main Travelex websites were up and running again this very morning, neatly tying off the month's events.

Comparing and contrasting the Sony and Travelex ransomware incidents has been fascinating: they each handled the situations in their own way, and yet there are common themes - for instance they were both forced to fend off an inquisitive (hostile!) pack of journalists. Travelex also made effective use of social media, and completed the main part of their recovery roughly twice as fast as Sony, so things have moved on in the five years since Sony Pictures Entertainment were all over the headlines with salacious gossip about film stars and wild speculation about North Korean cybertage.

Meanwhile, down here in rural NZ, our 4G wireless broadband Internet connection has been playing up something rotten. It's not good at the best of times but has been notably unreliable this week until, with perfect timing, the connection dropped out entirely as I was uploading the completed awareness module to our server. You probably know that we're a micro-company. I am the network technician, the IT Department in fact. Also the Procurement, Finance, Production, Marketing and Customer Services Departments, and yes I even make the tea. I'm not doing this totally alone, quite, but we rely on third party suppliers for various essential services, such as our comms. This week I could really have done with some technical help to get the broadband connection fixed while finishing the awareness materials, but as it was I found myself lashing-up a temporary Internet connection just to deliver the module at the most stressful time of the month.
On top of that, strong winds brought down trees across the track ... and guess who is the Chainsaw Operative part of the Grounds Maintenance Department!

Such is life. Business continuity is a challenge even for a microbusiness in sleepy NZ. But, like Travelex, we made it through and live to fight another day.

Over the next few days I'll catch my breath and crack on with a long to-do list, including (I hope!) a more durable fix for the broadband, plus preparations for the next and final monthly awareness module. Although I know I'll miss the challenge, I'm really looking forward to leaping off this monthly treadmill, like an exhausted mouse. Hey, pass the cheese ...

Wednesday 29 January 2020

Taking it to the wire

Today since before 5am I've been slaving away over a hot keyboard in a steamy hot office on a flaming hot topic: malware awareness. 

As you may have noticed here on the blog, all month long I've been systematically tracking the ongoing Travelex incident, observing from a safe distance the unsightly aftermath of another ugly malware - and business continuity - incident unfolding before our very eyes.

With our end-of-month delivery deadline looming large, it's time to draw out the lessons from the case study and weave the whole episode into a compelling tale for February's awareness module - well, three closely-related tales in fact since as always we're catering for the differing perspectives, concerns and information needs of our customers' staff, management and professional audiences. 

What have we learnt this month? 

What has happened, and why? 

What do we think might/should have been going on behind the scenes, out of the glare of the media spotlight? What were the dilemmas facing Travelex's management and IT people?

How might things have played out if the incident had been handled differently?

And, most importantly of all, what are our carry-outs, our take-home learning points and the Things We Ought to be Doing? Taking the whole sorry episode into account, what does it mean for us, our organization, right now?

You'll find a few clues to the answers in the blog ... but for the full nine yards you'll need to hang on just a few short days until the awareness module is completed and published. 

Or of course you can invest something like 250 hours of your own time researching, writing and weaving your own set of security awareness and training content on this highly topical topic. Provided you can match or exceed the quality of our content, you'll be "quids in" if your salary and costs are below two measly dollars per hour!

Mutter mutter moan moan slave labour.

"Oh we need security awareness and training" they say. "Our people are the weakest links!" they exclaim. "Woe is me!  What am I to do?"  

I'm almost too modest to answer ... but not quite that daft.

Tuesday 28 January 2020

Woe betide ...

.... any organization unfortunate enough to suffer a privacy breach today, of all days, being "Data Privacy Day". 

In the unlikely event that there are no new ones today, recent newsworthy breaches are liable to be trawled up and paraded across the media, again. 

I've been writing about preparing to deal with malware incidents all this month. Managing or controlling the publicity aspects is trickier than it may appear. Sony pulled a master stroke in getting its legal team to threaten action against journalists who continued to exploit the tittle-tattle disclosed in the Sony Pictures Entertainment breach five years ago - but that's not a universally applicable approach. Travelex did well to get basic, static web pages published quickly, plus a talking-heads video explanation/apology by the CEO ... but ask their retail customers whether they feel 'informed', while the promised restoration of services is patently taking longer than anyone (except perhaps the cybercrims behind the attack) wants.

Blend in the compliance aspects as well for good measure. I suspect British Airways and Marriott International, for instance, would have much preferred to take their corporal punishment under GDPR in private, rather than baring their bottoms on News At Ten.

There's a fine line between their being directly blamed for causing the incidents, and being blamed for failing to prevent them - a line which Public Relations teams might do well to consider. The real culprits here are the cunning VXers, hackers and cybercrims, rather than their targets. Defending all points at once is undoubtedly much tougher than exploiting one or more vulnerabilities. It's not a fair fight! Too bad: that's how it is ... but maybe it wouldn't hurt to explain that.

By the way, the issues multiply when you take into account the wide range of people and organizations who want to know and/or should be kept informed. Take employees, for instance: when the screens go dark in any IT-enabled organization, workers are left wandering and wondering. What can management say to explain the situation and reassure people? How can they even get their calming messages out if the comms are down? Same thing with suppliers, customers, partners, owners and authorities. This is where preparing for serious malware incidents makes good business sense. It sure beats leaving them all wandering and wondering!

(Some) IT, comms and information services are bound to degrade in and following an incident, but it takes deliberate effort to ensure they degrade gracefully, with dignity, rather than collapsing into a blubbering, smouldering heap.

Meanwhile, deep down in the engine room, are the IT pros frantically running in circles tearing their remaining hair out, or systematically following a tried and tested process for halting the incident, maintaining resilient services, restoring others and gathering the forensic evidence that might one day be necessary to prosecute the offenders? Again, preparation is key, especially when "time is of the essence" (which is always!).

If the lights go out before anyone has thought to get a torch, good luck with your fumbling.