Is an ex-employer allowed to hijack your LinkedIn account?

June 24th, 2009 by peter.bassill

An interesting occurrence this morning. A person whom I am aware of was recently made redundant, so, making the best of her gardening leave, she started looking for new employment. She managed to find employment very quickly, much to the distaste of her previous employer, who made threatening noises about contacting her new employer. As annoying as this is, and being a side topic, I wonder how well this would stack up in an employment court? Anyone out there have any ideas?

So, the crux of the problem. The previous employer used the cached credentials on her PC to access her LinkedIn account and change the password, claiming to her that they did it to protect their business. The way I see it, a criminal offence has occurred, and here is why:

In accessing the LinkedIn account without consent and changing the password without consent, the following occurs:

A person is guilty of an offence if:
a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
b) the access he intends to secure, or to enable to be secured, is unauthorised; and
c) he knows at the time when he causes the computer to perform the function that that is the case.

So, it would be viable to say that an offence of illegal access has occurred under the Computer Misuse Act 1990.

An offence of Obtaining or Enabling Access:

Access will be secured to a program or data when the user, by causing the computer to operate in any manner:
a) alters or erases the program or data;
b) copies or moves it to any storage medium other than that in which it is held, or to a different location in the storage medium in which it is held;
c) uses it; or
d) has it output from the computer in which it is held (whether by having it displayed or in any other manner).*
*(Section 17(1) of the Computer Misuse Act 1990)

So is it safe to say that an offence occurred here too?

So let us talk about unauthorized access.

Access is held to be unauthorised when the user:

a) is not him or herself entitled to control access of the kind in question to the program or data; and
b) does not have consent to access of the kind in question to the program or data from any person who is so entitled.*
*(Section 17(5) of the Computer Misuse Act 1990)

So what to do? According to the law, a criminal act has occurred, but what are the chances of the Police acting on this? Time will tell.

All credit for the information goes to Information Technology Law, Fifth Edition, by Ian J. Lloyd. A brilliant book, a must-have for any ISO and well worth the investment.

Forensic Tools collections

May 9th, 2009 by peter.bassill

Over the past months I have often been asked by people where they can get those hard-to-find forensics tools for Windows. As such, I have now uploaded my FORTOOLS directory as a zip file. All tools within this zip are freely available, but you will find many of them are slightly out of date. To download the collection, click here.

SC Magazines Security Person of the Year Finalist

April 30th, 2009 by peter.bassill

Rather unsurprisingly I lost out on the award to Stephen Bonner. While I am not surprised in any way, I am still elated to have been a finalist.


My previous entry about the awards is here.

InfoSecurity Europe 2009

April 30th, 2009 by peter.bassill

Finally, it is over for another year. InfoSecurity Europe 2009 draws to a close and you can almost hear all the vendors passing out from exhaustion. There were many very good things about this year's show:

The location for InfoSecurity Europe was excellent, a much improved choice over last year. Being in Earls Court gave much needed room to the event, with walkways between the stands that could accommodate the throngs of onlookers for talks. The whole event had a much brighter and airier feel to it and the sound was calmer. This was especially true of the keynote theatre, where you could not hear the noise from the main floor.

All the main vendors were there again, although I got the feeling that a number of them were not too happy with their neighbours. One vendor I did feel for was ESCS, who were opposite SecureTest. Is there any penetration testing house out there that can rival Ken Munro in the sheer excellence of the presentations? PaloAlto should be famous for their take on mobile advertising: a number of very attractive ladies hailing from the Welsh side of our great island, who were surprisingly friendly and very happy to chat for a while before wandering off with their "Firewall Is Dead" placards.

The award for the best stand, if there ever was one, should without a doubt have gone to Trend Micro. At first glance it was more a blinkenlight project than a vendor stand, and it proved that they had the imagination to do something different this year. While on the subject of Trend Micro, they are doing some very good work around the way AV works, and the approach of a distributed, cloud-based signature program seems to be very well thought through. I will certainly be trying it out to see if, as they claim, the AV agent has a significantly reduced footprint on the system.

But what happened to the famous freebies from the show? The best gadget going for free was a secure USB device with hardware encryption. Very nice, but there were not many of them. A certain sign of the economic environment we are living in presently was the lack of giveaways, which I feel added to the show.

There is only one thing I think should be added to the show, which in my opinion would improve it no end: the ability to watch the keynotes and the other seminars from archives on the website. Maybe next year?


The Human Side of Data Loss Prevention

April 27th, 2009 by peter.bassill

One of the hot topics for many Information Security Officers, and indeed almost all the vendors within the IT security industry at present, is Data Loss Prevention. For many ISOs and IT Directors, not a week will pass without a vendor calling to talk about and sell a DLP solution that is hailed as the answer to controlling data egress points. From the solutions I have tested, I can say that they do what they say on the packaging, but in this economic climate, when boards are mandating decreased budgets and businesses drive for lower operational costs, is there another way of achieving a similar result without large capital outlay?

Good increases in data management can be achieved through a good information security awareness program. A good awareness program can make significant strides in decreasing accidental loss of data, which is by far the commonest cause of data breaches, and technical solutions can then be used to assist and complement the work of the awareness program. Awareness programs take time to set up and need buy-in from the very top of the business. These key executives are usually very happy and eager to help; they see both the benefit to the security of the business and the benefit of lower operating costs.

For example, the use of portable media has caused many businesses a large headache and has led to a number of high-profile data breaches. By educating your staff on the virtues of good data management around portable devices, and ensuring a good understanding of classification labels and how to protect data within certain classifications, staff have shown they are capable of adequately protecting data and correctly using portable media devices. This is not to say that you should not complement the training by issuing only encrypted portable devices and implementing controls to prevent data being written to non-encrypted devices. In fact, by carrying out this complementing action, albeit in a reduced and more targeted scope, you are further reinforcing the training and displaying to the workforce that you are taking the matter seriously.

By viewing technology as an assistant to good information security practices rather than the primary enabler of information security, you are better placed to view the options open to the business. Taking a broader-spectrum view of your business practices allows you to better understand where information security gains can be achieved easily and where gains will take longer to realise. An excellent area within the realm of information security where the people element returned excellent gains was in penetration testing. By engaging different business unit members in internal penetration testing, it is possible to identify where processes are not working, leading to potential security issues. Using this method of penetration testing in conjunction with traditional external testing, you get a fuller and more rounded view of your overall security stance, and it will greatly help in identifying the many egress routes that data could potentially take out of the business.

Of course, a good security awareness program will not help safeguard against those rogue employees who want to take the data with them. This is where there is no replacement for the technical countermeasure. But with an awareness program in place, employees will be aware of what will happen if they are found to have taken data, and the HR department will have an easier time dealing with these employees when you can prove they are fully aware of the policies and have taken part in the awareness training.
