Blog Author: Brian Honan, Consultant, BH Consulting

Brian Honan's blog

Permalink: http://www.infosecurityadviser.com/view_blog?id=20

Cloudy Vision

Having attended a number of conferences this year, the big talking point has without any doubt been "cloud computing".  Every vendor seems to be selling some solution based on the cloud computing premise.  Business people are getting excited about "cloud computing" because they see it as a means to unshackle themselves from corporate IT systems which they deem to be out of line with their requirements, while CIOs are looking at "cloud computing" as a means to stretch their budgets further.

But the more I hear about this topic the more confusion and misinformation I find.  One example was at this year's Infosecurity Europe event.  I was standing beside the stand of a vendor who provided a filtered email service.  I overheard the sales person attempting numerous times to explain to a visitor to the stand how the service worked.  However, after numerous attempts to explain how diverting email through their service would filter out spam and viruses, the visitor was still no wiser.  In desperation the sales person simply said "Actually, we use the cloud to clean your email".  This brought a smile to the visitor's face and resulted in the vendor getting an order.

As an Irishman I see too many clouds in our summer skies that eventually bring rain.  So clouds to me are not necessarily a good thing: they block out the sun and can bring rain.  Rain in small doses is to be welcomed, but as we have seen recently too much cloud brings too much rain with disastrous results.  So it is not unexpected that I treat the whole cloud computing issue with a touch of skepticism, and the above example highlights why.  My worry is that we have a rush of people putting data and services in the cloud without really understanding what the issues are, or how to ensure the security of those systems.

I agree that cloud computing can bring many benefits and efficiencies, but I argue that we need to ensure security issues are thought out at the beginning rather than at the end.  Have we not learnt from past experience with other technologies that adding security as an afterthought often ends up costing us a lot more than we first thought?

I am happy to see that a number of excellent publications are now available to help you move to the cloud in a secure fashion;

If you are looking into moving any of your services or data into the cloud then I recommend you read the above papers, and for additional insight into the complex world of cloud computing the Cloud Computer Security and Rational Survivability blogs are excellent resources.

25-11-2009 16:23

Snow Day

Weather-wise it has been an interesting few weeks to say the least.  We have had major snowfalls and icy weather not seen for many years.  As a child I remember the joy when snow would fall heavily enough for the schools to close and we ended up with free time on our hands thanks to a "snow day".

So it was interesting to see how businesses were impacted by the weather recently, and by the grown-up version of the "snow day".  While some of these businesses did not close their doors, I know of many that were impacted when staff decided to work from home rather than face the chaotic traffic resulting from snow and ice on the roads.  Quite a few meetings were cancelled as people could not, or would not, travel to attend.

This made me wonder how many companies have updated their Business Continuity Plans to cover adverse weather that prevents their staff from getting to work or attending meetings with clients.  Most companies I have audited regarding their Business Continuity Management System seem to focus solely on the IT aspect of the company and what would happen if a disaster were to make those systems unavailable.  Very few include in their Business Continuity Plans what to do if key staff are suddenly unavailable, be that from adverse weather conditions or a pandemic such as the H1N1 flu virus.

So why not take a look at your own organisation and try to figure out what you would need to have in place should some of your key staff be unable to get to their place of work?  Some key questions to ponder;

  • How many concurrent remote users can your VPN support?
  • If a large number of staff were to try to work from home on the same day would the VPN be able to cope with the traffic?
  • Should you have a VIP VPN that can only be used by senior staff?
  • Do your staff have work laptops or PCs to work on remotely?  If not, how will you secure the data they may hold on their own personal machines while working from home?
  • Can staff use alternative means to meet with clients, such as online conferences or conference call facilities?
  • Is your support desk prepared for the increased number of calls that they will get from remote workers who may not have tried to connect remotely for a while?
  • Does your support desk have appropriate tools to diagnose VPN issues and problems or indeed to remotely take over a PC to help troubleshoot it?
  • Will you have people on your support desk to support your users or will they too be victims of the snow day?
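
The first two questions above are answerable from your own VPN logs rather than from the vendor's licence sheet.  The following Go program is an added example, not code from the original post: it replays a constructed concentrator log (the "timestamp event user" layout is an assumption, not any real product's format) to find the peak number of simultaneous sessions, then compares that peak, and a snow-day scenario in which far more staff try to connect, against an assumed licence limit.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed VPN concentrator log for this example; the
// "<RFC3339 time> <CONNECT|DISCONNECT> <user>" layout is an assumption,
// not any particular product's format. It includes a disconnect for a
// session that began before the log window and one malformed line.
const SampleLog = `2010-01-06T07:55:00Z DISCONNECT frank
2010-01-06T08:01:12Z CONNECT alice
2010-01-06T08:03:40Z CONNECT bob
2010-01-06T08:05:02Z CONNECT carol
this line is malformed and is skipped
2010-01-06T08:30:00Z DISCONNECT bob
2010-01-06T08:31:15Z CONNECT dave
2010-01-06T08:31:20Z CONNECT erin
2010-01-06T09:00:00Z DISCONNECT alice
2010-01-06T09:10:00Z CONNECT bob
2010-01-06T17:30:00Z DISCONNECT carol
`

// Event is one session transition taken from the log.
type Event struct {
	At      time.Time
	User    string
	Connect bool
}

// ParseEvents extracts session events from the log, skipping lines that do
// not carry a parsable timestamp and a known event type.
func ParseEvents(log string) []Event {
	var evs []Event
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		switch f[1] {
		case "CONNECT":
			evs = append(evs, Event{At: at, User: f[2], Connect: true})
		case "DISCONNECT":
			evs = append(evs, Event{At: at, User: f[2], Connect: false})
		}
	}
	return evs
}

// PeakConcurrent replays the events in time order, tracking which users
// hold an open session, and returns the largest number open at once and
// when that peak was first reached. A disconnect for a user never seen
// connecting (a session older than the log) is ignored rather than
// driving the count negative.
func PeakConcurrent(evs []Event) (peak int, at time.Time) {
	sorted := append([]Event(nil), evs...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	open := map[string]bool{}
	for _, e := range sorted {
		if e.Connect {
			open[e.User] = true
		} else {
			delete(open, e.User)
		}
		if len(open) > peak {
			peak, at = len(open), e.At
		}
	}
	return peak, at
}

// Headroom is how many more simultaneous sessions the VPN can take before
// the licensed (or load-tested) limit is hit; negative means demand exceeds it.
func Headroom(licensed, demand int) int {
	return licensed - demand
}

func main() {
	peak, at := PeakConcurrent(ParseEvents(SampleLog))
	fmt.Printf("peak concurrent sessions: %d at %s\n", peak, at.Format(time.RFC3339))
	// Assumed figures: a 50-session licence, and 120 staff who would all
	// try to work from home on a snow day.
	fmt.Printf("headroom against licence at observed peak: %d\n", Headroom(50, peak))
	fmt.Printf("headroom if 120 staff connect at once: %d\n", Headroom(50, 120))
}
```

The observed peak tells you what a normal day looks like; the snow-day figure is the one to plan for, and a negative headroom there is the argument for either a larger licence, a load test of the concentrator, or the "VIP VPN" mentioned above.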


When it comes to Business Continuity planning you need to look beyond the availability of the systems and think of the impact different circumstances can have on them.  You should look closely at the ISO 27001 Information Security standard or the BS 25999 Business Continuity standard to ensure that you have taken a structured and business-focused approach to your business continuity planning.

Let's not make a snow day a no-business day.

06-01-2010 23:12

To IE or Not To IE

My apologies to any of you who study the classics for my mangling of the Bard's famous line, but I wanted to chip in on the ongoing debate sparked by the recent 0-day vulnerability discovered in Microsoft Internet Explorer and apparently used in the recent attack on Google's systems.  Both the German and French governments urged their citizens to stop using Internet Explorer and switch to another browser.  The Australian CERT, AusCERT, reacted in total contrast and stated that the calls to move away from Internet Explorer were "overblown".  As I write this post Microsoft are releasing the patch for this vulnerability outside of their normal patch cycle.

Since the Internet Explorer vulnerability came to light, and especially since the French and German governments' recommendations to use another browser, I have been asked by numerous clients what they should do.  Now that the patch is out, those same clients are asking whether they should roll it out immediately or go through a testing and release cycle to ensure the patch won't cause any adverse effects.

Software patches, be they from Microsoft or other vendors, bring with them inherent risks that we need to consider before rolling them out onto production systems.  Will the patch introduce new problems as well as fixing the ones identified?  Will it impact other applications and systems?  If we patch we may have system problems; if we don't we may have a security breach.  Not the easiest of choices for an IT or information security professional to have to make.

This is not the first time we have been faced with this type of choice, nor will it be the last.  New and serious vulnerabilities will be discovered in the software we use, so you should have a process in place to manage that problem.  I recommend the following outline as a basic plan to deal with these types of issue;

  • Only you and your organisation understand your systems and the risks posed to them.  Therefore, before making any decision, you need to conduct a full risk assessment.  Take into account the type of organisation you are, the type of data you hold and the other mitigating factors you may already have in place.
  • Based on that risk assessment, a concise and factual presentation should be made to senior management, with the options to address the issue laid out clearly together with the potential downside of each.
  • Whatever solution is decided upon needs to be agreed to and signed off by senior management.
  • An incident response team should be set up to (a) respond to any side effects from the selected plan of action or (b) respond in the event your systems are compromised in spite of the steps taken.
  • Remember, as part of the plan, to ensure that all your backups have been running successfully and, more importantly, that you can restore from them!
  • Have key contact details for all relevant personnel in the event of a major problem with your systems, including contacts in third parties such as ISPs, partner companies, extranet contacts etc.
  • Communicate clearly with the user population, explaining why the patch is being deployed (or not) and asking them to report any unusual behaviour.
  • Ensure that all anti-virus signatures and software are up to date.
  • Ensure all Intrusion Detection/Prevention Systems' signatures are up to date.
  • Consider how best to deal with remote PCs and laptops that may not be connected to your corporate network when the patch is released.
  • Make sure your perimeter firewall is configured properly and that, where possible, personal firewalls are installed on desktops and, more importantly, on servers.
  • Ensure that all users are made aware of the threat and that the advice not to click on links or attachments in unexpected emails is reinforced.
  • Conduct regular vulnerability assessments against your systems to confirm that all key devices have actually received the patch.

With regard to this latest Microsoft patch, consider seriously that if Microsoft thinks the risk is great enough to warrant an out-of-band release, then the question you need to answer is how soon, not if, you roll it out to your systems.

22-01-2010 01:19

Selecting a Secure Development Partner

One of the challenges we face as information security professionals is ensuring that the applications and systems that we use in our organisations are secure.  While we can manage the security of applications developed internally (you do have a secure development program in place don't you?), it can be harder to determine the security of any applications or systems that we may outsource to or purchase from a third party. 

With this in mind, here are some questions you should consider asking those third parties when you engage with them as part of your risk assessment of their solution.  You may not get all the answers you want, and indeed some of the responses may not make comfortable reading, but at least you will have a better understanding of what you are dealing with, and the business can then decide whether the benefits to be gained from the vendor's solution justify the potential risks.

  • How do you know your software is secure and that it won't introduce vulnerabilities into my network and systems? What you are looking for here are details on whether security is embedded in the development life cycle for the solution; the earlier in that cycle the better.  You are also looking for the testing practices they use to ensure the product is secure, and what integration testing they have done.
  • During the software development life cycle, when do you review security? You would expect a vendor that takes security seriously to have security reviews of their product at each stage of the development life cycle and not simply at the end.
  • What methodologies do you use for testing the security of your products? A vendor that is serious about its products will have a structured methodology for testing them.
  • Do you use automated tools for security testing your code, and do you also conduct manual code review? Ideally the vendor should be using both methods, as each catches security bugs the other misses.
  • What training do your development and testing teams receive in relation to application security? A vendor serious about security will ensure that all members of these teams have taken specific training courses in application security.  Simply attending a coding course and hoping that security is part of the curriculum is not sufficient.
  • Do you have a dedicated team to assess and respond to security vulnerabilities in your products? A vendor with such a team is acknowledging that no-one can produce a 100% secure product, but has at least put the resources in place to ensure any bugs or issues found will be addressed in a structured way.
  • What is your vulnerability management process? This is related to the above point; if the vendor has this process in place you can have some confidence that they will address vulnerabilities found in their products.
  • How do you inform customers of security vulnerabilities? What you would expect here is that the vendor has a process in place to ensure its customers are made aware, in a responsible manner, of potential security vulnerabilities in the product.  As a customer you would not expect to hear about a major vulnerability in a product from the press rather than from the vendor.
  • What is your patch management process? Once a patch has been produced for a particular vulnerability, how will it be sent out to customers and how can I as a customer distribute it?  Will I need to do it manually, or is there an automated process to receive and/or distribute the patch?
  • For automatic update services, how does the vendor ensure the service is secure and that malicious code cannot be injected into it? The vendor should have appropriate measures in place to ensure their distribution servers are not compromised by third parties and that no unauthorised code can be injected into the update process.  The client should also be configured to accept updates only from designated sites, over a secured and authenticated connection, and to check that each update genuinely came from the vendor before applying it.
  • What security standards does your product adhere to? You should only engage with vendors who use open and peer-reviewed security standards for their products.
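
The automatic update question above is the one where a vendor's answer can be checked in code.  The Go program below is an added example, not code from the original post or from any vendor: it shows the two client-side controls the question asks for, an allow-list of https update hosts, and verification of a vendor-signed manifest (version plus SHA-256 digest of the package) under a pinned Ed25519 public key before the package is accepted.  The manifest layout, the host names and the package contents are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is the statement the vendor signs: the package version and the
// SHA-256 digest of the package bytes. The layout is an assumption made for
// this example, not any real vendor's update format.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// encode serialises the manifest so exactly these fields are signed.
func (m Manifest) encode() []byte {
	b := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// Update is what the client downloads: manifest, detached signature, package.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Package   []byte
}

var (
	ErrUntrustedSource = errors.New("update source is not https or not an allow-listed host")
	ErrBadSignature    = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrRollback        = errors.New("manifest version is not newer than the installed version")
	ErrDigestMismatch  = errors.New("package digest does not match the signed manifest")
)

// GenerateVendorKey creates the vendor's signing key pair; the public half
// is what the client pins (shipped with the client, not fetched at runtime).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// AllowedSource is checked before any bytes are fetched: the scheme must be
// https and the host must be on the client's allow-list.
func AllowedSource(rawURL string, allowedHosts []string) error {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" {
		return ErrUntrustedSource
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Hostname(), h) {
			return nil
		}
	}
	return ErrUntrustedSource
}

// SignUpdate is the vendor side: hash the package, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, pkg []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(pkg)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Package: pkg}
}

// VerifyUpdate is the client side. The package is returned only if the
// manifest was signed by the pinned key, is newer than what is installed,
// and matches the bytes that actually arrived; a compromised mirror, a
// tampered download or a replayed old release each fail one of these checks.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, u.Manifest.encode(), u.Signature) {
		return nil, ErrBadSignature
	}
	if u.Manifest.Version <= installed {
		return nil, ErrRollback
	}
	if sha256.Sum256(u.Package) != u.Manifest.Digest {
		return nil, ErrDigestMismatch
	}
	return u.Package, nil
}

func main() {
	vendorPub, vendorPriv, _ := GenerateVendorKey()
	_, otherPriv, _ := GenerateVendorKey() // an attacker's key, not pinned
	pkg := []byte("constructed package contents, version 2")
	allowed := []string{"updates.example.com"} // assumed allow-list

	tampered := SignUpdate(vendorPriv, 2, pkg)
	tampered.Package = []byte("injected code") // modified after signing
	cases := map[string]Update{
		"genuine":  SignUpdate(vendorPriv, 2, pkg),
		"tampered": tampered,
		"forged":   SignUpdate(otherPriv, 2, pkg),
		"rollback": SignUpdate(vendorPriv, 1, pkg),
	}
	for name, u := range cases {
		_, err := VerifyUpdate(vendorPub, 1, u)
		fmt.Printf("%-8s -> %v\n", name, err)
	}
	fmt.Println(AllowedSource("https://updates.example.com/v2.pkg", allowed))
	fmt.Println(AllowedSource("http://updates.example.com/v2.pkg", allowed))
}
```

The point of checking the signature on a manifest rather than trusting the transport alone is that a TLS connection only tells you which server you spoke to; the pinned signing key tells you the package came from the vendor's build process even if the distribution server itself was compromised.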

Also, you should look at the Secure Software Contract Annex developed by the OWASP project and consider including it as part of your tender document or contract.

02-03-2010 23:26

Developing Secure Coding Habits

Following on from my previous post, Selecting a Secure Development Partner, a number of people asked me what they should do with regard to systems developed in-house.  This scenario provides its own unique challenges, not least the fact that you are probably going to have to change many years of habits and ingrained processes.  There is of course the old chestnut that "all systems we develop are internal and therefore no-one will be able to hack them".

I have found that by engaging with key members of the development team and highlighting the areas of concern from a security point of view you can quickly gain a few advocates to help promote more secure development practices.  Another way to bring people on board is to host a series of talks, perhaps a lunch seminar in one of the developers' conference rooms, to discuss how attackers are increasingly leveraging insecure applications to gain access to data and other sensitive information.

Highlighting the problems is only half the battle though; you also need to present a number of solutions that your developers can apply.  Here are some excellent resources that I have found useful;

General Guidance

Specific Guidance

10-03-2010 16:56

The Three Legged Stool

It is often said that the three main pillars of information security are technology, processes and people.  However, too often I see computer security professionals concentrate most of their efforts on the technology element, hope that a quick search on the Internet will throw up some sample policies and processes that can be amended for their use, and leave the people element to the users' own best judgement.

Like a three-legged stool with one leg longer than the others, eventually that stool will break or fall over.  Invariably, after suffering a security breach the computer security professionals scratch their heads wondering what went wrong and how the attacker circumvented their defences.  Looking into the root cause of the breach often reveals that it was not a direct attack on the security technology that let the attacker into the systems, but rather an end user who clicked on a link in an email, copied a sensitive file onto an unencrypted USB key to work on at home, or was duped in some way into bypassing the security controls.

While many information security professionals still focus on security technologies, attackers are increasingly bypassing those technical defences by fooling users into circumventing the security controls for them.  The 2009 CSI Computer Crime and Security Survey highlights that despite criminals moving to target end users, the vast majority of organisations still do not invest properly in security awareness training.  According to the survey 43.4% of all respondents spent less than 1% of their information security budget on security awareness training, with 55% saying they were not investing adequately in the area.  The same survey highlights that 25% of respondents admitted that 60% of financial losses came from breaches by insiders, with 16.1% stating that 81 to 100% of all losses came from accidental breaches.  In addition, the always excellent Verizon 2009 Data Breach Investigations Report highlights that 20% of the breaches Verizon investigated were caused by insiders.

It is about time we focused our attention on educating the users of our systems on how to identify and report potential attacks, by providing engaging and informative security awareness training.  There are many excellent resources available on the Internet that can help you design, implement and manage a successful security awareness program.  To help you along your way I would strongly recommend the freely available resources from NIST and ENISA.

The first challenge in developing your information security awareness program will be to get senior management buy-in, and ENISA has produced an excellent guide on "Obtaining support and funding from senior management while planning an awareness initiative".  Once you have senior management support you can use the following resources to design and build your awareness program;

13-04-2010 11:37

Look Before You Jump (to Conclusions)

A friend rang me today to discuss how she and her husband had become the victims of an apparent keylogger attack, resulting in large amounts of money being taken from their bank account.  Thankfully, once they reported the suspicious activity to their bank their funds were recovered, and the bank are now investigating the case themselves.  She wanted to ask me what extra steps they should take to ensure that the criminals could not do any more damage to them.  I talked her through how to monitor their credit rating for suspicious activity and whether or not they should get their credit cards reissued.

Once that was finished I turned the conversation to how the keylogger got onto the PC in the first place.  I was trying to ascertain how much protection was on her home PC: whether or not the anti-virus software was up to date, whether the PC's software was patched, and so on.  A few minutes into the conversation she asked me why I was so interested in her home PC.  I said "because I want to ensure it is clean of any malware and that the criminals don't access your online accounts again with their keylogger software".

The focus of the conversation changed quickly when she told me "Oh, we don't use our home PC for anything serious like online banking, we use my husband's work PC for that because we know his company's IT department will make sure the anti-virus and other security software is kept up to date".  Knowing that her husband was very senior in quite a large company, I quickly asked "Have you contacted your husband's company IT department to alert them that one of their PCs could have keylogging software installed on it?"  The answer was no: "we never thought we should, as it was only our own bank accounts we were worried about.  We did not think that sensitive company information could be at risk".

Of course we quickly ended the call so they could contact her husband's company and let its incident response procedures kick in to deal with any potential exposure.  But thinking about the phone call, there are some important lessons to learn;

  • As an incident responder, never assume anything.  I fell into that trap, thinking it was a normal home PC that had been compromised and not a corporate PC.
  • Has your company got policies and procedures in place outlining what staff can and cannot do with company PCs?  Or indeed policies regarding staff working on company data on their own home PCs?
  • Do your IT processes and procedures include supporting home workers in the event their systems become compromised?
  • How robust are your incident response processes, procedures and tools for remotely dealing with a potential security incident?  Especially when the PC in question belongs to a member of senior management.
  • How robust are your security systems in updating and securing PCs and laptops that may only connect to the corporate network from time to time?
  • Have you got controls in place to ensure that only the data staff need to work on is held on their PC?  Remember, even if you have encrypted the hard drive, once the user has logged on and unlocked the disk they, and any keylogger on that system, have access to all of that data.
  • Have you considered forcing staff to access sensitive data only via a secure VPN or thin clients?
  • Most importantly, are your staff trained and aware enough to recognise a potential threat to your company's information assets when they experience suspicious behaviour on a personal service, such as online banking, that they access from their work PC?

26-04-2010 15:01

Risky Business

One of the most common issues I come across when helping clients develop their information security program is a lack of proper risk analysis.  While many have implemented controls based on common practices, those controls may not be the best suited to protect the information assets concerned.  Furthermore, many find it difficult to persuade senior management to invest in more information security controls.

Conducting a risk analysis allows you to identify the most appropriate security controls for your environment.  Indeed many industry standards, such as the ISO 27001:2005 Information Security standard, are based on a risk management framework.  In addition, as senior management are used to dealing with risk in all areas of the business, presenting your argument in terms of risk will greatly assist you when seeking their budgetary approval.

This change of approach can be quite a challenge for many information security professionals who by their nature prefer to deal with bits and bytes rather than business terminology.  However, fear not, there are a number of excellent resources available to help you understand and manage your information security risk program.

So next time you need to secure a system or a network, why not take the time to refer to some of the resources above to ensure you are selecting controls based on a solid risk assessment rather than simply following industry best practices.

10-05-2010 23:25

Dealing With Malicious Software

One would think that after all these years we would be able to contain the threat posed to our systems and data by computer viruses.  But the rise of botnets as tools for organised online criminal gangs has made malicious software more tenacious and difficult to deal with than ever before.  The impact in recent years of malware such as Conficker and Zeus demonstrates how tough eradication can be.

In order to help deal with this threat I will run a series of blog posts over the coming weeks providing guidance and best practice recommendations on how to deal with a malware infection within your organisation.

Over the coming blog posts we will look at the key steps in eradicating a computer virus, trojan or infection by other types of malicious software on your network.  The stages that we will examine will include;

  • Preparation
  • Detection & Confirmation
  • Containment
  • Removal & Recovery
  • Response
  • Review and Revise

If you have any tips or hints that you have found useful please feel free to provide information on them in the comments below and I will include them where I can.

22-06-2010 22:45

© 2009 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs