Friday, 29 June 2007

Finally got CCSP!

Wahoo! I just passed the final exam on the Cisco Certified Security Professional (CCSP) track. It was the final of 5 exams which I have taken over the pass 3 years, and to be honest I'm glad to have finished them, as it allows me to focus a little more on Information Security Management and the process side of things.

At least I get a well earned break from reading those thick Sybex books!

Friday, 22 June 2007

Home WiFi Jamming

To conclude a trilogy of WiFi Security blogs this week, I’m going to touch on an accidental home encounter I had with WiFi signal jamming. As we become ever more WiFi enabled, particularly in the UK, where there has been a bit of WiFi explosion of late, with whole areas of cities becoming WiFi enabled. There is little doubt in my mind that we will become more and more dependant on WiFi networks. Anyone who has read any formal IT Security book will know about the CIA Triad, Confidentially, Integrity and Availability, well security wise this post is going to be about Availability, i.e. jamming the WiFi signal. Now you might think WiFi jamming sounds a bit far fetched and that it would require a lot of expensive equipment and expertise, but as I accidently discovered recently, it does not have to be.

A couple of weeks ago I finally gave in and bought my kids a Nintendo Wii, well I figure it keeps them physically active while playing the video games, which sounds like a fair trade off to me. Anyway I placed the Wii under the main household TV and then tried to connect the Wii up to my home WiFi network, which would allow the Wii to receive software updates, weather forecasts and even browse the web through the Wii’s Opera web browser, however I soon discovered the Wii wouldn’t connect to the WiFi network.

So after an or so hour of troubleshooting, by temporary stripping down all my WiFi security, and then actually plugging the WiFi Router in downstairs as close as possible to the Wii’s location, I discovered the Wii could only pick up my WiFi network signal from a maximum distance of 10 centimetres! Even then the bandwidth (network speeds) appeared to be far too slow. Well I gave up with it for the day as the kids wanted to play Wii Sports. I just thought I had a dodgy WiFi card built into my Wii, but later that night I had an epiphany while watching Satellite TV upstairs in bed.

You see I have Satellite TV, which feeds into the main TV, however earlier this year I wanted the ability to watch all those lovely Satellite TV channels on the bedroom TV as well, so I bought a cheap "Technika" TV broadcasting solution from the local supermarket for £20 ($40), instead of paying over odds with the Satellite TV company for a second set top Sat Box. The equipment consisted of a broadcast unit which attached to the SCART OUT of the downstairs Satellite TV box, which sends TV pictures, Sound and even the remote control infra red signals to a receiver, which connects to a SCART IN on the bedroom TV. My epiphany was the theory that TV broadcast unit was somehow jamming the WiFi signal, especially considering the Wii and TV broadcast unit both resided under the main TV. So I switched off the TV broadcast unit and immediately the Wii connected to the internet.

The following day I did some experiments with my laptop, I noted with the TV broadcast unit switched on, in parts of the house it dropped the WiFi network signal strength by two thirds, while downstairs it wiped all connectivity to the WiFi network.

So it is possible to have effective WiFi jamming at a very cheap cost, I imagine with some customisation you could increase the range of the WiFi jamming and make it a mobile device.

I can think of numerous bad uses for WiFi jamming, especially using it as a decoy while performing other attacks, but perhaps one good use could be to enforce a no-WiFi policy, although you’d probably need to check the broadcasting laws first.

Tuesday, 19 June 2007

Are WiFi BotNets Possible?

Following from my blog about unsecured Home WiFi networks and just how widespread they are in "home user" land. I have been wondering whether it might be possible to create a kind of "WiFi BotNet".

Let’s say the attacker setup in a metropolitan area, constructed an antenna to boost the WiFi range of their device, allowing the attacker to scan and connect to any unsecured or low security WiFi networks over a significant range. Going from my own experience, there should be plenty of unsecured WiFi access points within a metro area. From this point I have two theories.

One trick could be to try and connect to several WiFi networks at the same time and create a kind of mini BotNet, perhaps by the attacker fashioning a network access point, this could provide major bandwidth and anonymity for the attacker. I need to investigate this theory further.

Or the other way, which I think could be easily possible, is to automate connecting to each unsecured WiFi network in turn, do bad stuff while connected, like send out Spam, then disconnect and move onto the next scanned unsecured WiFi access point. Again it would be almost impossible to trace back the attacker.

Monday, 18 June 2007

Badly Secured Home WiFi

It still amazes me just how many home users and small businesses out there are using unsecured home wireless networks. I visited a friend over the weekend to help out with a computer related issue, I booted my laptop up, enabled my WiFi card, and I immediately picked up several WiFi access points, of which two had no encryption, no passcode required! One of the SSIDs was even called "NetGear". I also picked up a small business WiFi network called "WEP", oh dear, lol.

It's frightening what some home WiFi users are leaving themselves exposed to. Anyone in the vicinity could easily use their WiFi connection to visit "dodgy and illegal websites”, should this activity be discovered by the authorities, who will track them down through via the ISP, it will be on the WiFi owner’s door which the police will be knocking. It also begs the question if someone wanted to "get away" with visiting dodgy websites, by deliberately leaving open their WiFi connection and playing the fool, could that be a legal "get out" clause? Who knows when it comes to computer crime laws, which is well behind the times in the UK, in a population approaching 60 Million, there is on average of less than 10 people a year being prosecuted under the Computer Misuse Act, with computer related crime tending to end up under either theft or fraud charges and convictions.

So just how are these unsecured WiFi networks originating, as these days most ISPs are providing WiFi routers with the ISP configuration with WPA encryption preloaded as standard. Well it comes from the days when all the ISPs provided, was a standard DSL router/modem, home users would themselves trundle down to their local PC Supermarket (*cough* rip off *cough*), and buy a WiFi Router from the ever NOT so knowledgeable shop assistant. They would just chuck the WiFi Router in at home and just be ever so pleased to eventually get it working with their DSL provider and home devices. So they either over look security completely or probably didn't know enough about it or even how to go about configuring it.

Perhaps manufactures should enable security by default on their products (some may do now). As a Cisco Security guy, I know the Cisco line is to disable all security features by default on their Routers, Cisco take the stance it’s the end user's responsibility to secure the product for use. However I must admit I don't know what the default settings are like on the Cisco LinkSys range of products these days, which is aimed at home market.

Whether or not manufacturers are providing enough security as default on their WiFi products is just half the puzzle, as I think it's more about getting the message "home" to those "home users" - forgive the pun.

Wednesday, 13 June 2007

Who's the IT Security Expert?

So I'm the author of the ITSecurityExpert blog, but what's my background?

Well I'm based in the UK, so although I sing from the same hymn sheet as my US counterparts security wise, there are sometimes little twists with my view points. For instance in the UK we are governed by the Data Protection Act law, and there’s those pesky European laws to consider. Although I must stress I’m a Security Professional from a “techie” background rather than a background of “Law” or there I say it, “Quality”.

I've been in IT Security for over 15 years, to be honest at first I didn't realise I was doing IT Security, but looking back I certainly was. In the nineties I spent several years designing, building and implementing locked down (secured) Servers, Workstations and networks, which I installed onto Royal Navy battleships and submarines for a third party company. These IT systems didn't house anything exciting like weapon systems, just a boring engineering maintenance application. Still it was good fun going on board all those ships, as well as the social beer drinking side of things.

I have spent two years at a top UK Grammar (very posh) School, building a new secure Server room, physically separating the staff and pupil networks, and tracking down some quite clever pupil hackers etc. I have spent a few years running a European WAN for an American company, which kick started my Cisco side of my career, as I redesigned a secure WAN using Cisco Routers and Firewalls, by the way I’m a Cisco command line sort of guy rather than a web interface user. I recently spent 5 years at a blue chip document management company, which provided outsourced document management solutions, mainly to the financial sectors (i.e. household name banks). I started out designing, implementing secure solutions, but I soon ended up responsible for IT Security Management. Typical solutions were bank statement printing and credit card application document scanning. In fact it’s fair to say I learnt most of my security “know-how” by working with and having my sites and solutions security audited by a particular banking client, who consider themselves one of the world’s biggest banks with the best security (well they would say that).

Career highlights so far, well I once hit the European IT press for creating Europe’s first Satellite VPN in 2003. http://www.computerweekly.com/Articles/2003/09/26/197514/satellite-vpn-a-cheaper-way-to-fast-web-links.htm

I've had involvement in a real life major disaster recovery event, when in December 2005 the Buncefield Oil Depot in the UK exploded! It badly damaged my then employer’s primary solution site. The explosion was the largest explosion in peacetime Europe and it finished several businesses, however thanks partly to my IT system design, and my input within prior COB testing, the business was able to carry on providing solutions to it's clients (and their customers) unaffected, operating from a DR site.

Buncefield Explosion http://news.bbc.co.uk/1/hi/uk/4517962.stm http://www.computerworld.com.au/index.php?id=1048608389

At the moment I am employed by a large UK outsourcing company, I am responsible for securing several sites throughout the UK, including a hosted solution site which takes “a great deal” of online payments. So as well as the usual office level security, I’m dealing with PCI compliance, application development security and web application (web 2.0) security.

To go with my career security experience, I hold one or two certifications; to be honest I can be a bit of a cert junkie. I am a CISSP and I'm one exam short of my Cisco CSSP, which I plan to complete in the next couple of months. Cisco wise I hold Cisco Firewall Specialist, Cisco Information Security Specialists and the old CCNA, so I consider myself well versed with network level security. On the IT side I’m a Master CNE, and an MCP - I took the MCP exam as a bet, which I won.

As well as the technical side of Information Security, I tend to focus on educating the users, as I see them as the greatest security weakness of all. I have just started to produce a Podcast for home users to help them understand the basic security issues, so they can protect themselves at home. My podcasts aren’t meant for my fellow Security professionals, they cover stuff they should already know! Actually this is a good juncture to clear up the name, I regard myself as an IT Security Expert to the average Joe, I am certainly not pushing a status of "IT Security Expert – I know all!” to my fellow security bloggers, who in most cases are much further up the security tree than I, especially within those specialist security areas. Information Security covers a huge array of topics, I don’t think anyone can claim to be an “expert” across the board, and I certainly don’t.

Why blog? As I said in a previous blog, being in the Security business can be a lonely profession, especially if you work on your own, which I do most of the time. The Security Blogospheres to which I’m now a part makes an excellent forum for me to bounce my views and ideas with cutting edge security professionals, while providing an excellent place for me to develop and evolve my own security knowledge further. I also like to think I can contribute something back to the community. I believe in keeping an open mind, sharing ideas, respecting view points, not flaming and above all staying secure.

Finally I just like to thank Martin McKeay (Cobia) and at Alan Shimel (Still Secure) for allowing me to be a part of the Security Blogospheres, respectively the “Security Roundtable” and “Security Blogger’s Network”.

http://networks.feedburner.com/Security-Bloggers-Network
http://www.mckeay.net/
http://www.stillsecureafteralltheseyears.com/

Monday, 11 June 2007

Google Tops Security Bad Boys List

Surely Google can't be as bad as Microsoft, Apple and AOL when comes to Web Data Security? Well according to a new report by Privacy International (PI) they are the worst!

I have previously blogged about my own love - hate relationship with Google, with my own "hate" due to Google's somewhat questionable approach to recording and holding user search information. But at the moment Google appear to be getting bashed in the press every week with anti-privacy stories. I can't really say how much creditability PI or the PI report's rating system has, as clearly PI will have their own agenda, but the Google points they raise are interesting reading, as are the points on the other big internet heavyweights. Definitely good stuff for me to take into consideration when I am thinking and advising about web security within my working environment.

Follow the link below for the full PI report.
http://www.privacyinternational.org/issues/internet/interimrankings.pdf

Wednesday, 6 June 2007

PCI Encryption Practice Flawed due to the Banks?

I’m no PCI assessor, but I am involved in helping a business reach PCI DSS compliance. On the encryption front, the PCI standard requires cardholder data to be stored in an approval PCI encrypted format on the backend database. In addition to this, PCI has a big focus with the database encryption key management, ensuring the private key is not known in full by a single person etc. I don’t have any issues with this despite good key management being a real pain to implement, it all makes good security sense, but here’s my observation and big issue with the PCI encryption requirements.

When the merchant sends the cardholder data to the bank for the card payments to be processed, the cardholder data is exported from the database unencrypted and sent to the bank in an unencrypted format, sure it’s over a point-to-point private connection, but wasn’t whole PCI point to prevent the cardholder data from being readable on the database Server? The bank payment process is a requirement of the bank, who can only accept the card payment in an unencrypted format. I see a potential threat from an inside attacker to capture significant clear text cardholder data by intercepting this payment process.

I don’t whether this is already a commonly known PCI issue, or just an issue with UK banks, or whether it's just with a specific “big named” UK bank, but when I addressed a professional PCI auditor with this concern, he didn’t give much of response and just stated it wasn’t the first time he’d been asked about it.

For me, it appears to be a significant hole with the PCI encryption practice, especially as the database encryption is what most PCI auditors appear to care about the most, PCI auditors just love to go on (and on) about “Key Management”. It certainly would be interesting if this was a general problem with the banks, who sit in their ivory towers carrying significant weight on the PCI board and setting out the PCI standards, but when it comes down to them actually spending the money on improving cardholder security themselves, they just aren’t doing it, hardly a balanced and fair approach, is it?

Monday, 4 June 2007

Cheap yet Effective Information Security

Many Information Security study books will tell you about the holy Security Trinity of Confidentially, Integrity and Availability, the so called CIA Triad, which is all fair and well. But I live by another holy Security Trinity, Policies, Users and Technology.

The most important area is, and will always be, with User Security Awareness. However, you cannot sort the Users out until you have your Information Security Policies in order, so your first stop has to be tackling the policy paper work first, and then to ensure you get that all important senior management backing.

Clearly Technology plays a very important role within the trinity, but unlike Policies and User awareness, technology has by far the highest the budget costs. You will always have to fork out for the basic security systems like firewalls, swipe card systems, Anti Virus systems and the rest of it. However depending on your business and some of the risk mitigation, a lot of the expensive “additional” security technologies out there, may not be a necessity if you have the right security policies and the user awareness in place. Within most businesses I find the security technology basics are usually all in place, but badly managed and maintained, which points to fixing the Policies and the Users. You can splash out on all the latest security technology in the world, but if you have not got your system administrators and user base on board with security awareness, then it’s just going to be a waste of money.

Take the technology of NAC for example, great for controlling who is allowed to plug into your network, however if don’t have the budget and the risk acceptance requirements, for example a small office site, creating a policy to provide cover on who is allowed and not allowed (visitors) to plug into the network, and then educating the users so the policy is enforced, can be just as effective as investing and deploying NAC technology. I would go on to argue by educating the users and putting the security responsiblity on them, rather than relying blindly on NAC technology, helps instil greater security awareness with the users. It’s all horses for courses, within larger enterprise environments, you cannot make do without a lot of additional security technology to manage security and risk, however you will still find security educating the administrators (the Users) is key. The classic I see is when administrators have weakened the expensive security technology, just to make life easier, again due to poor user security awareness.

The most important aspect with User Security Awareness programmes is to ensure it is not just a one off event, but a sustained programme. I often say to users, Information is the business’s key asset, it is not my responsibility to secure the information, but to help you (the user) secure the information, thereby giving information security responsibility to the user. It’s key to get users on your side and not hostile against you or the security policies. Users must have “bought in” into any security policies you have or introduce, otherwise they won’t be worth the paper they are written on. I use several techniques to achieve user security awareness, one I find particularly effective, is when I teach users how to be secure at home, I find they bring their home security responsibility and awareness into the work place. Perhaps I will go through some of my other effective user security awareness techniques in another blog post.

To sum up, by tackling your Security Policies and User Security Awareness, you can make a lot of quick wins and security improvements without any capital cost. Technology plays just as vital role too, but don’t just rely on technology to remedy your security risks, have an approach which covers all three areas of Policies, Users and Technology, and make sure you review all three areas regularly.

You can find some good Security Awareness documentation at US Homeland Security - http://www.ussecurityawareness.org/highres/security-awareness.html

Friday, 1 June 2007

The Lonley Life of Security Management

Interested in a Career in Information Security? As well as having a good foundation of Information Security knowledge, courage of your convictions, a basic common sense and a ton of enthusiasm, there's one other aspect to consider before making the career plunge.

The role of an Information Security Manager / Officer, especially in a small to medium sized company where you are a one man security department, can be a lonely role. Sure one aspect is do have involvement with every department and person within the organisation, but let me explain why:

1. It's great to think you'll always get management backing, and if you end up working for a decently security focused (or concerned) organisation, in general you will, it’s very important you have this backing if you are to be successful in security management. However there will be always some managers that will disagree with your security stance, risk evaluations and recommendations, sometimes they don't like to be told what to do or it's going to cost them some of their budget. So you'll probably have lock horns and get management to your way of thinking, or at the very least get them to accept ownership of the risk if they don't. On some occasions it can get very political, but without decent senior management backing you just aren't going to get very far in the role. So you can expect your popularity with management not to be to clever, even when they are on board, you are causing them hurt and budget costs. Remember in general business managers are risk takers by nature and most don't really ever value information security until there's an actual incident, which is a sign it's too late. Most of the security management role is fairly invisible to management, trying to ensure incidents don't occur in the first place.

2. Nobody likes change, especially when it adds to people's work load. So as you go about tweaking and introducing those all important security policies and practices, even if you fully explain it all to the users and they accept the need, you'll won't be over popular, it's a human nature thing.

3. As a Security professional concerned for an organisation, there will be times as you walk through the offices or conduct audits, you'll pickup on user related security issues, like leaving PC desktops unlocked and print outs of confidential documents left on unattended desks etc, and you will have to "slap wrists", to ensure users continue to conform with the companies policies. You can't afford to be over nice otherwise the security policies won't be worth the paper they are written on. Remember you are reliant of users to enforce most of your security, they are the weakest area. When dealing with end users, I always try to be positive as possible, adding humour and explaining the risks, however there will be times when you have to deal with serious security breaches, which can lead to HR disciplinary action etc. So you just have to accept that most users will look upon you like you look upon car parking ticket warden.

I suppose all managers need to be "thick skinned", and most Security Managers understand this aspect, but if you are coming from a techie "fun loving team" background into Information Security management, as most are, it's something to think about.