Tuesday, March 17, 2009
Where to start with IT Security
Source Taken from The Register
Episode 1 In a short series of webcasts The Register's expert panel will be tackling the current state of the security market.
Over the course of the next few weeks the experts will be looking into a variety of topics, from treating the main risks to the importance of an evolving security solution, and what 2009 has in store.
Starting today, Episode 1 asks what are the most important questions to be treated by anyone considering IT security, and how to go about approaching it. The panel will also look into how IT security can be treated as a business issue, and offer advice on the potential quick wins to be had, all in just 20 minutes.
Providing you with their expertise throughout are Jon Clay, Core Technology Marketing Manager from Trend Micro and Tony Lock, Programme Director at Freeform Dynamics.
This webcast is absolutely free and no registration is required, simply head on over here and press play. ®
Episode 1 In a short series of webcasts The Register's expert panel will be tackling the current state of the security market.
Over the course of the next few weeks the experts will be looking into a variety of topics, from treating the main risks to the importance of an evolving security solution, and what 2009 has in store.
Starting today, Episode 1 asks what are the most important questions to be treated by anyone considering IT security, and how to go about approaching it. The panel will also look into how IT security can be treated as a business issue, and offer advice on the potential quick wins to be had, all in just 20 minutes.
Providing you with their expertise throughout are Jon Clay, Core Technology Marketing Manager from Trend Micro and Tony Lock, Programme Director at Freeform Dynamics.
This webcast is absolutely free and no registration is required, simply head on over here and press play. ®
Labels: IT Security
Tuesday, March 10, 2009
Securing the corporation
Source Taken from The Register
In the past couple of articles we have considered why security is important and what are the threats faced, both internal and external. Most, if not all organisations will be doing something about IT security, so it isn’t going to be awfully useful to launch into a treatise on how everybody should be implementing IT security. It is perhaps worth revisiting some of the key elements of ‘security done right’, however, so we can consider what’s getting in the way.
At the heart of all good security practice lies risk management, a discipline shared with such areas as business continuity planning and Health and Safety practice. Done right, risk management considers business risks first and foremost – indeed it would be fair to say that business risks are the only ones that matter (or to put it another way, if your organisation is unlikely to suffer as a result of a given threat, it’s not really going to be worth dealing with).
It’s important to note of course that risks can be both technical and non-technical. Of course we have the ongoing dangers of theft or other malicious intent, which need to be protected through physical, technical and policy means. However many other risks may exist in the course of normal, day-to-day operations. Consider mobile phones for example, or instant messaging, home working or managing subcontractors. Each of these has a technical aspect – a phone could contain confidential contact lists for example, or home working could result in un-vetted individuals (i.e. the kids) running unauthorised software. But even in these cases it is important to consider any risks from a business perspective – what would be the impact of losing such a contact list, or of a child playing games?
Risk, then, needs to cover all areas, not just the more obvious ones. From this, eminently sensible starting point it is worth bringing up the topic of security standards, or in particular ISO 27001 (BS7799). Essentially, what the standard expresses is that to do security right, you first need a security management system that defines how security is to be done in your organisation; then, you need to actually do what it is you said you would do, one element of which is to re-assess the risks and review the measures in place on a regular basis.
It is hard to imagine how security best practice could be expressed more pragmatically or practically than the one-two-three of identifying the risks, deciding what to do about them and then doing it. We do know however that many organisations are operating security in a sub-optimal manner. There is even evidence that organisations are actively avoiding working through these things, for fear of what they might find. This is the equivalent of driving down a busy road with a blindfold on, for fear of what one might see.
In a more proactive world, in which the business risks are well understood, IT security measures can then go some way towards mitigating them. We spell this out in such terms because as we have already mentioned, IT security is about all of people, process and technology. It is here however that we hit the second challenge – that of applying solutions to securing the organisation, which take into account threats to the business coming from both outside and inside the organisation.
In principle, IT security measures ‘should’ be considered, designed and implemented in a holistic manner. From a technical perspective as well, security ‘should’ be considered across the architecture – the term ‘defence in depth’ is used to describe how the IT environment can be considered as a series of nested zones, each of which can be secured according to its own needs and with its own boundaries.
In practice however, while many organisations may indeed take their security responsibilities seriously, few achieve a level of security that could be called optimal. There are many reasons for this, the main one of which is that, bluntly, security is extremely hard to get right. It is a fine aspiration indeed to define and deploy a hardened security environment – but many (if not all) security measures can also have a detrimental effect on the business itself – indeed, too much security can be a business risk.
It is perhaps unsurprising then, that the security measures in place tend towards those which are easier to define and deploy. We can see evidence for this in the chart below, which shows what security products organisations have already implemented, or are planning on implementing.
As can be seen from the chart, there are essentially three ‘bands’ of security measures. The top band we could refer to as point products – antivirus, VPN and the like, which are already implemented by the majority of organisations. Languishing at the bottom are those security technologies we could consider as ‘architectural’ – for example, security event management and behavioural analysis technologies.
So, what’s the answer – are the majority of organisations destined to have willing hearts but weak bodies when it comes to implementing IT security? The answer is probably yes – unless either legislation or accepted corporate behaviour take a leap forward.
Ultimately however it is the risks, and how well they are mitigated, that should define whether or not an organisation has got things right. To take a specific example, an organisation may or may not have implemented an intrusion detection system (IDS). Far more important however is the knowledge of what information should be considered as confidential and to whom, and whether it is adequately protected against all the risks it may face.
In security, then, risk management offers both a start and end point. It is perhaps ironic that kicking off a risk management exercise, or a re-assessment of the risk register, need not be an onerous task – particularly if the 80:20 rule is applied appropriately. Indeed, not doing this is perhaps the biggest risk of all.
In the past couple of articles we have considered why security is important and what are the threats faced, both internal and external. Most, if not all organisations will be doing something about IT security, so it isn’t going to be awfully useful to launch into a treatise on how everybody should be implementing IT security. It is perhaps worth revisiting some of the key elements of ‘security done right’, however, so we can consider what’s getting in the way.
At the heart of all good security practice lies risk management, a discipline shared with such areas as business continuity planning and Health and Safety practice. Done right, risk management considers business risks first and foremost – indeed it would be fair to say that business risks are the only ones that matter (or to put it another way, if your organisation is unlikely to suffer as a result of a given threat, it’s not really going to be worth dealing with).
It’s important to note of course that risks can be both technical and non-technical. Of course we have the ongoing dangers of theft or other malicious intent, which need to be protected through physical, technical and policy means. However many other risks may exist in the course of normal, day-to-day operations. Consider mobile phones for example, or instant messaging, home working or managing subcontractors. Each of these has a technical aspect – a phone could contain confidential contact lists for example, or home working could result in un-vetted individuals (i.e. the kids) running unauthorised software. But even in these cases it is important to consider any risks from a business perspective – what would be the impact of losing such a contact list, or of a child playing games?
Risk, then, needs to cover all areas, not just the more obvious ones. From this, eminently sensible starting point it is worth bringing up the topic of security standards, or in particular ISO 27001 (BS7799). Essentially, what the standard expresses is that to do security right, you first need a security management system that defines how security is to be done in your organisation; then, you need to actually do what it is you said you would do, one element of which is to re-assess the risks and review the measures in place on a regular basis.
It is hard to imagine how security best practice could be expressed more pragmatically or practically than the one-two-three of identifying the risks, deciding what to do about them and then doing it. We do know however that many organisations are operating security in a sub-optimal manner. There is even evidence that organisations are actively avoiding working through these things, for fear of what they might find. This is the equivalent of driving down a busy road with a blindfold on, for fear of what one might see.
In a more proactive world, in which the business risks are well understood, IT security measures can then go some way towards mitigating them. We spell this out in such terms because as we have already mentioned, IT security is about all of people, process and technology. It is here however that we hit the second challenge – that of applying solutions to securing the organisation, which take into account threats to the business coming from both outside and inside the organisation.
In principle, IT security measures ‘should’ be considered, designed and implemented in a holistic manner. From a technical perspective as well, security ‘should’ be considered across the architecture – the term ‘defence in depth’ is used to describe how the IT environment can be considered as a series of nested zones, each of which can be secured according to its own needs and with its own boundaries.
In practice however, while many organisations may indeed take their security responsibilities seriously, few achieve a level of security that could be called optimal. There are many reasons for this, the main one of which is that, bluntly, security is extremely hard to get right. It is a fine aspiration indeed to define and deploy a hardened security environment – but many (if not all) security measures can also have a detrimental effect on the business itself – indeed, too much security can be a business risk.
It is perhaps unsurprising then, that the security measures in place tend towards those which are easier to define and deploy. We can see evidence for this in the chart below, which shows what security products organisations have already implemented, or are planning on implementing.
As can be seen from the chart, there are essentially three ‘bands’ of security measures. The top band we could refer to as point products – antivirus, VPN and the like, which are already implemented by the majority of organisations. Languishing at the bottom are those security technologies we could consider as ‘architectural’ – for example, security event management and behavioural analysis technologies.
So, what’s the answer – are the majority of organisations destined to have willing hearts but weak bodies when it comes to implementing IT security? The answer is probably yes – unless either legislation or accepted corporate behaviour take a leap forward.
Ultimately however it is the risks, and how well they are mitigated, that should define whether or not an organisation has got things right. To take a specific example, an organisation may or may not have implemented an intrusion detection system (IDS). Far more important however is the knowledge of what information should be considered as confidential and to whom, and whether it is adequately protected against all the risks it may face.
In security, then, risk management offers both a start and end point. It is perhaps ironic that kicking off a risk management exercise, or a re-assessment of the risk register, need not be an onerous task – particularly if the 80:20 rule is applied appropriately. Indeed, not doing this is perhaps the biggest risk of all.
Tweet hackers reopen Twitter vuln
Source Taken from The Register
Twitter's tit-for-tat struggle against clickjackers continues.
Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.
The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn't applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.
"The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don't support it," Graham writes. "So it begs the question, how should Twitter prevent this click-jacking exploit?"
Click "Yes" Here ...
And this is what you get here
The proof-of-concept page presents the user with the question "Do you have a tiny face?" along with buttons to answer "yes" or "no." Choosing the affirmative while logged in to Twitter causes the account to publicly declare: "I have a tiny face, do you?" and then include a link to Graham's post.
The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.
That's because clickjacking attacks a fundamental design of HTML itself. It's pulled off by hiding the target URL within a specially designed iframe that's concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.
Two weeks ago, Twitter was able to stifle the attacks by adding code to its site that changed its pages' location. That required the use of javascript that wasn't added to Twitter pages browsed by mobile users, presumably because they may have caused some older handsets not to work.
Readers of Graham's site already have zeroed in on a fix for the problem, but Los isn't sure it's foolproof. That's because it, too, is based on javascript, so it won't be effective against HTML-based attacks. Stay tuned. The clickjacking saga continues. ®
Twitter's tit-for-tat struggle against clickjackers continues.
Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.
The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn't applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.
"The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don't support it," Graham writes. "So it begs the question, how should Twitter prevent this click-jacking exploit?"
Click "Yes" Here ...
And this is what you get here
The proof-of-concept page presents the user with the question "Do you have a tiny face?" along with buttons to answer "yes" or "no." Choosing the affirmative while logged in to Twitter causes the account to publicly declare: "I have a tiny face, do you?" and then include a link to Graham's post.
The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.
That's because clickjacking attacks a fundamental design of HTML itself. It's pulled off by hiding the target URL within a specially designed iframe that's concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.
Two weeks ago, Twitter was able to stifle the attacks by adding code to its site that changed its pages' location. That required the use of javascript that wasn't added to Twitter pages browsed by mobile users, presumably because they may have caused some older handsets not to work.
Readers of Graham's site already have zeroed in on a fix for the problem, but Los isn't sure it's foolproof. That's because it, too, is based on javascript, so it won't be effective against HTML-based attacks. Stay tuned. The clickjacking saga continues. ®
