Life, policies and disclaimers

February 4th, 2010 by peter.bassill

Required Disclaimer – All views expressed within this site are the views of the author only and are in no way representative of the employers of the author.

This post is really just a review post for my HR team.

More posts shortly.

Does increased Cloud Computing = Increased Intrusion risk?

January 21st, 2010 by peter.bassill

Andrew W Morse, Founder, Digital Tsunami “Communications Evolution”, recently asked on LinkedIn: “With the increased complexity of polymorphic malware and the increased use of social platforms, do you have concerns for increased network intrusion via ever-increasing corporate cloud computing?” It gave a fair amount to think about, so I thought I would share my opinions with you all.

What a great question, thank you for asking it. OK, do you have more or less security by renting a 1U server from a server farm in a datacenter? Do you have more or less security when, rather than renting that server from a server farm, you physically house it in your own datacenter? There are a number of players out there in the market that would have you believe that a server in the “cloud” is vulnerable to attack, but the truth is that any server with a connection to a public-facing network is going to be attacked at some point in time.

From my point of view, the biggest security concern is one I am not hearing much about, and that is the disk. Say you rent a cloud server with 100 GB of disk, use it for some data processing and, once you have finished, shut the server down and remove it from the system. That disk, and whatever you wrote to it, is still there; unless the provider scrubs it, the next tenant allocated those blocks gets your data.

In my opinion, it would be possible to rent a single cloud server and get this up and running. Once done, add a few cloud disks to it and run standard forensic recovery tools over the disks you have provisioned from the pool. What are the odds of successfully recovering someone’s information? During my research on this, I successfully recovered a previous tenant’s data from 80% of the disks I provisioned.

Still worried about network intrusion? Have your admins build and secure your cloud servers properly and maintain a good patching program alongside good security practices for access control.

Worried about a disk recovery attack? Encrypt your data in the cloud and then carry out a multi-pass overwrite (the DoD 7-pass wipe) of your data areas prior to deprovisioning your server. Bear in mind that on virtualised storage an overwrite from inside the guest is only guaranteed to reach the blocks the guest can address; thin provisioning, snapshots, copy-on-write layers and SSD wear levelling can all keep copies you cannot touch, which is why encrypting with a key you control and destroying that key at deprovisioning is the more dependable of the two controls.
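As an added example, and not the author's own research tooling, the following Python script does what the two paragraphs above describe from the tenant's side: it streams a raw block device or image looking for non-zero blocks and the magic bytes of a previous tenant's files, then overwrites the volume and re-scans it to verify the result. The signature table, the chunk size and the "leftover tenant data" written into a temporary image are all constructed for the demo; the caveat about virtualised storage is repeated in the comments.

```python
import os
import tempfile

# Magic bytes a previous tenant's files would leave behind on an unscrubbed volume
# (a small, constructed table; extend it with whatever your own forensic tooling flags).
SIGNATURES = {
    b"-----BEGIN RSA PRIVATE KEY-----": "PEM private key",
    b"-----BEGIN OPENSSH PRIVATE KEY-----": "OpenSSH private key",
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP / Office archive",
    b"\x7fELF": "ELF binary",
    b"SQLite format 3\x00": "SQLite database",
}

CHUNK = 1024 * 1024  # stream the device 1 MiB at a time; a 100 GB volume never fits in RAM


def scan_volume(path, signatures=SIGNATURES):
    """Read a raw block device (e.g. /dev/vdb) or an image file and report residue.

    Returns (nonzero_chunks, total_chunks, hits); hits is a sorted list of
    (byte_offset, label). A freshly scrubbed volume should give (0, n, []).
    """
    overlap = max(len(s) for s in signatures) - 1  # a signature split across two reads must still be seen
    hits, nonzero, total, tail = [], 0, 0, b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            if chunk.count(b"\x00") != len(chunk):  # cheaper than scanning byte by byte
                nonzero += 1
            window = tail + chunk
            base = total * CHUNK - len(tail)  # absolute offset of window[0]
            for sig, label in signatures.items():
                i = window.find(sig)
                while i != -1:
                    if i + len(sig) > len(tail):  # matches wholly inside the tail were reported last round
                        hits.append((base + i, label))
                    i = window.find(sig, i + 1)
            total += 1
            tail = window[-overlap:] if overlap else b""
    hits.sort()
    return nonzero, total, hits


def wipe_volume(path, passes=3):
    """Overwrite the whole device: random data on every pass but the last, zeros on
    the last so scan_volume() can verify it. Caveat: on virtualised or thin-provisioned
    storage this only reaches blocks the guest can address; snapshots, copy-on-write
    layers and SSD wear levelling may keep copies you cannot overwrite, so pair this
    with encryption and destroy the key when you deprovision."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # works for both image files and block devices
        for p in range(passes):
            f.seek(0)
            zeros = p == passes - 1
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(b"\x00" * n if zeros else os.urandom(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())


def demo():
    """Constructed scenario: an image on which a previous tenant left a private key
    and a report, scanned before and after wiping. Returns (before, after)."""
    leftover = (
        b"\x00" * 4096
        + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAconstructed\n-----END RSA PRIVATE KEY-----\n"
        + b"\x00" * 8192
        + b"%PDF-1.4 quarterly figures (constructed)\n"
        + b"\x00" * 2048
    )
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(leftover)
        before = scan_volume(path)
        wipe_volume(path)
        after = scan_volume(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before wipe:", before)
    print("after wipe: ", after)
```

Pointing `scan_volume()` at a newly attached volume before you format it is the cheap version of the author's experiment: any non-zero chunk on a disk you have never written to is someone else's data. Running `wipe_volume()` and then `scan_volume()` again before deprovisioning gives you evidence that the overwrite reached everything the guest could see, which is the most that an in-guest wipe can ever prove.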

Known Knowns and Auditors

January 13th, 2010 by peter.bassill

Disclaimer: All views expressed in this posting are mine and mine alone and do not represent those of my employers.

I recently heard the excellent phrase “Fear the Auditor more than the Attacker” (check out the podcast at csoonline.com) and it led me to some thinking. Do we really fear the auditor more than the attacker?

In an age where regulation and compliance rule almost everything we do in Information Security, have we lost sight of what our job really is? Surely we are here to protect the brand and the image of the businesses we work for, ensuring the continual cycle of business without interruption. Listening to the podcast, there were a lot of things I agreed with and a fair amount I disagreed with.

Today, it was cited, we have reached a completely unacceptable and unsustainable level of cost and complexity, driven mainly by the frequency of constant and turbulent change within environments. There are five main drivers for change:

  • threat evolution in the attacker space
  • compliance & regulatory markets
  • technology changes
  • economic changes
  • business needs

What interested me here is the order in which the speaker listed the drivers for change. While I agree with the drivers, many organisations would almost reverse the list to:

  • compliance & regulatory markets
  • economic changes
  • threat evolution in the attacker space
  • business needs
  • technology changes

while I would see the list as:

  • threat evolution in the attacker space
  • business needs
  • economic changes
  • technology changes
  • compliance & regulatory markets

While I agree that in many organisations the mainstay for change should be keeping up with the threat evolution from the attacker space, more and more time and valuable budget is being spent on ensuring tick-box compliance is maintained, observing that the level required is the minimum for compliance. Again, I see compliance as the foundation level for good security, not a ceiling. Compliance is a baseline, something to be surpassed and exceeded. Compliance and regulation support the need for change, but they are not the reason for change. Change should occur to make the business better, to reinforce the business's underlying operation and to ensure it remains safe.

Last year, it was suggested, Information Security had around 4% of the IT budget, while now it is more around 13%. This is something I would rather take with some more context. Is it that the budget for Information Security has indeed increased, or is it (more likely) that the budget for Information Security has remained the same while the overall IT budget has decreased? More and more I am seeing businesses sweat their assets more aggressively, looking for ways to use what already exists in a more productive way rather than bringing in new technologies to achieve what could be done with assets already in place. It was suggested that this change in budgeting has led to a view of “if it is mandated I will spend it, if it's not I won't”. This then leads to abandonment of the more logical risk-led approach and the adoption of bad risk management.

So who is watching the attackers? Within the PCI DSS standard there is a requirement (Requirement 10) for centralised log management and daily log review. Many organisations, quite rightly, use automated tools such as Splunk or RSA enVision to carry out these daily log review functions, but who is looking at the output? In the ideal world, a human; in the real world, are these outputs there purely for the auditor? After all, the auditor is a known known, something we know how to handle. The attacker is the known unknown: we know we know very little about them, and that makes it harder to secure budget for mitigation. Would you be able to get budget to fix something you know is going to happen and can prove it? Or do you work in an organisation so dynamic and leading in its security that it allows budget to fix something you know is going to happen one day but cannot prove will happen any time soon?

The podcast gave me a lot of things to think about and two of the best quotes I have heard to date:

Fear the Auditor more than the Attacker!

Security is reactionary, what we are up against is dynamic!

Security Visualization

January 12th, 2010 by peter.bassill

I spent some time during the evening creating a script to map attackers from the logs within Splunk, and the end result was a moderate success.

Attacker Map

Combining some perl and GeoIP.dat

Making a bit more use of this, suppose I had a list of countries that were not supposed to be accessing my systems. Having an image such as the one below makes log analysis a lot easier.


Nessus 4.2

January 11th, 2010 by peter.bassill

Having just migrated my current Nessus server up to the latest release, 4.2.0, I must say I am impressed. A very neat and slick web front end makes it a much more user-friendly solution.
