Tuesday 21 August 2007

The Dangers of Shadow IT

In case you are not aware of the term “Shadow IT”, it basically refers to those users within the corporate user base who pretty much do their own thing IT-wise within the corporate environment. Think about it: gone are the days when the vast majority of corporate help desk calls revolved around user-related help like “How do I create a table in Word?”, “How do I do a formula in Excel?” etc. Why? Because users are more technically savvy these days, especially younger users, who have grown up with PCs and the Internet all their lives; they tend to solve their own IT problems instead of bothering the help desk. If your organisation doesn’t have a good security culture, you’ll find these sorts of users can be up to all sorts of tricks, such as installing their own applications, using unauthorised hardware like USB hard drives, installing network hardware like switches and hubs, and God forbid wireless access points, as well as using the Internet for all sorts of things which were never envisaged by the business, such as Web 2.0 stuff like social networking sites.

I mention this topic as a friend of mine was telling me how he re-routed his Internet access away from the corporate-provided remote access via a proxy server, to going directly through a “self-purchased” ADSL router within a small office site, which he and colleagues had set up without any input from the IT Dept. He said the IT Department still think they are using VPN client access over 3G cards. Another friend, who works within an IT Department, was just telling me the other week that he had come across several users running self-purchased and self-installed copies of the Windows Vista operating system on their laptops, even though his company were still standardised on Windows XP, and had no plans to move until next year.

It is fairly clear Shadow IT poses many dangers to corporate information security, and as a security professional I know it can be extremely difficult to turn around a Shadow IT culture. However, if you are an IT Manager or Security Manager, it is an absolute must to get a handle on all IT systems and their usage within your corporate environment. It is equally important not to forget those users and devices which access the corporate network remotely.

So how would I go about correcting a Shadow IT culture? Well, first of all ensure there are (or if not, write) company policies to specifically cover all areas affected by Shadow IT, such as employees not being permitted to install any IT hardware without express permission from the IT dept, with failure to comply being a disciplinary matter, etc. Next is to ensure your policies are enforced. I would first recommend giving the users a chance to get the message, so educate them about the policies and why the policies are important, and try to change the culture. Then follow up the user awareness training with IT audits and network scans, and start to clamp down. Finally, look into using technology to control the IT infrastructure. This can be a bit costly, but depending on the budget and staff IT expertise, it is pretty much possible to force control over just about anything IT-wise, from preventing users from installing applications, to the use of unauthorised USB devices, to the control of which specific devices are allowed on the corporate network (NAC).

I should warn you that it may not be as straightforward as I have painted it either. Just think of the ultimate Shadow IT act, which affects just about every company on the planet, namely the use of USB memory sticks. You have users who buy, or even get for free, their own USB flash memory devices, and they just go ahead and use them within the corporate environment without the permission of IT or even their line managers, often copying corporate data and removing it from the environment. In most places, weighing the benefits USB memory devices provide against controlling their usage is a political hot potato, especially when there are clear benefits to the business and their uncontrolled use has been acceptable for a number of years already. However, I say you shouldn’t just sweep this issue under the carpet for another day; at the very least you should seek written sign-off from someone senior within the business to accept the risk. If you can persuade the business of the need to reduce the security risks of an uncontrolled USB culture and get the budget, you can go out and buy the specialist software to allow only approved devices and provide appropriate encryption.
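As an added example, not code from this post, here is the kind of reconciliation the "IT audits and network scans" step above would feed: an ARP snapshot checked against an IT-held asset register, with unknown hosts flagged and any whose OUI looks like consumer networking gear (the rogue ADSL routers and access points described above) called out. The register, the ARP lines and the OUI prefixes are all constructed placeholders, not real vendor values.

```python
"""Reconcile an ARP snapshot with an approved-device register (added example).
Register, ARP lines and OUI prefixes are constructed placeholders; a real
audit would load the IEEE OUI file and the organisation's asset database."""
import re

# Constructed asset register: MAC -> asset tag.
ASSET_REGISTER = {
    "00:11:22:aa:bb:01": "LAPTOP-0412 (IT issued)",
    "00:11:22:aa:bb:02": "PRINTER-FLOOR2",
}

# Constructed OUI prefixes (first three octets) for consumer network gear.
CONSUMER_NET_OUIS = {
    "aa:bb:cc": "placeholder home-router vendor",
    "dd:ee:ff": "placeholder wireless-AP vendor",
}

# Matches the "(10.0.0.5) at 00:11:22:aa:bb:01" part of arp -a output.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp(text):
    """Yield (ip, mac) pairs from arp -a style output, MACs lower-cased."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()

def audit(arp_text, register=ASSET_REGISTER, ouis=CONSUMER_NET_OUIS):
    """Return (ip, mac, reason) for every host missing from the register;
    consumer-gear OUIs get an extra note, as those are the rogue routers/APs."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac in register:
            continue
        reason = "not in asset register"
        vendor = ouis.get(mac[:8])
        if vendor:
            reason += f"; OUI matches {vendor}"
        findings.append((ip, mac, reason))
    return findings

# Constructed sample: two registered hosts, a consumer router sitting at the
# gateway address, and an unregistered host with an unknown OUI.
SAMPLE_ARP = """\
? (10.0.0.5) at 00:11:22:aa:bb:01 on eth0 ifscope [ethernet]
? (10.0.0.7) at 00:11:22:AA:BB:02 on eth0 ifscope [ethernet]
? (10.0.0.1) at aa:bb:cc:12:34:56 on eth0 ifscope [ethernet]
? (10.0.0.42) at 00:11:22:99:88:77 on eth0 ifscope [ethernet]
"""
```

Run `audit(SAMPLE_ARP)` to get the two unregistered hosts; a scheduled run against the real ARP/DHCP tables, diffed against the previous run, is what turns this into an ongoing control rather than a one-off scan.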

Monday 20 August 2007

Expect The Best, Prepare For The Worst

I really have to start letting go of what I do for a living when relaxing outside the workplace. I just watched "The Bourne Ultimatum", and I noted a safe was opened using a supposedly secure but single-factor authentication method using only biometrics, in that it scanned a fingerprint and had voice recognition (no password). If it had only used two-factor authentication, perhaps with a passcode (i.e. something you know), then Jason Bourne might have found it a lot harder to get it open and steal the contents! Oh, and I got slightly annoyed that the film's heroine said "the firewall" was blocking user-level access rights to a file; if the firewall was blocking, she shouldn't have even got close to remotely accessing the file in question in the first place, but hey, that's Hollywood, I really shouldn't be a killjoy.

The thing that stood out the most for me was when the bad-guy CIA director used the phrase "Expect The Best, Prepare For The Worst" in regard to a situation, which sums up the stance I and fellow security professionals take, especially when formulating an overall Information Security strategy within a business.

In fact checking back through my security presentations, I used the term "Expect the Best, but Plan for the Worst".

Still, all in all The Bourne Ultimatum is a great film, which I really enjoyed; finally a "triquel" this summer that's good!

Sunday 12 August 2007

The World's Biggest DNA Database

In one of my earlier blog entries about the UK being the ultimate Big Brother state, I touched on the Police's national DNA database. Well, I recently discovered more than 715,000 DNA records were added to the UK national Police database last year, which brings the total number of DNA records to a staggering 4 million, making it the world's biggest DNA database.

So what if you are an upstanding UK citizen? Do not be fooled into thinking that this DNA database isn’t of concern, as if any of your relatives have DNA on the Police system, then that DNA can lead the Police to your door. There have already been several high-profile cases of the Police tracking down criminals through relatives' DNA, the most notable being the Yorkshire Ripper hoaxer, who was tracked using DNA evidence collected over 25 years ago.

Personally I like the idea of the Police having a national DNA database, as it helps to catch the bad guys and provides a deterrent, especially to serious crimes. Some of the interesting effects of DNA profiling have already seen British prisons overflowing, even though the crime rate has been steadily declining for years. Others say it is leading to lazy policing and lazy courtrooms, in that Police go straight for the DNA evidence rather than use traditional policing methods, with DNA evidence being enough to convict within the courtroom, when DNA evidence isn't foolproof.

It is very clear the UK Police have an agenda to get everyone within the UK on this database, and they recently made noises about wanting to collect DNA from speeding drivers and even litterbugs. If this sort of civil liberty infringement scares you, you might be very interested to learn that since April 2004, any child aged ten or above who has been arrested (not convicted) in England or Wales can have their DNA and fingerprints taken without parental consent; apparently over 100,000 innocent children's DNA is on the database permanently.

From my point of view, I am very interested in the security measures in place to protect data within the DNA database. I will try to dig further into how the Police are securing this clearly very sensitive database. But the Police being the Police, they should already have a good security culture, and due to the very sensitive nature of the database and the fact that the last thing the Police would want is a security breach, as the negative publicity could put the brakes on getting everyone "in" the database, I suspect good security will be in place, well, hopefully. To be honest I’d be worried if they were to start sharing the database with other bodies like research organisations and the NHS (Medical). And what if the state could tell by a person's DNA profile whether that person was more inclined to criminal activity? Think “Minority Report”!

Friday 10 August 2007

UK Personal Internet Security Report

A UK government committee released an interesting report on Personal Internet Security.

Personal Internet Security Report

These government reports can be a bit hard to digest, but to quote directly from the report's key recommendations:

“The current assumption that end-users should be responsible for security is inefficient and unrealistic.” The report then goes on to urge that security responsibility be taken on by government and ISPs, and calls for more laws and industry standards.

“The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless ‘wild west’.”

I don’t quite agree with this report. Sure, I’m all for more laws and standards for businesses, but when it comes to home users, they should be educated more, rather than trying to apply the nanny state. Protecting people with technology and laws just isn’t going to work against most Internet attacks, which have social engineering aspects. I also find home users just aren't aware of the risks or security savvy; for example, they will send bank account details and passport scans by regular email, or post too much personal information on social networking sites, and there's little that laws or technologies can do to protect against that sort of user behaviour.

For me it's an absolute MUST that children are educated about the dangers of using the Internet while at school; I think it should be mandatory. I am always happy to volunteer my own time to educate kids about Internet safety, as I find most adults don’t have the slightest clue what their kids are up to online.

UWB: Broadband Bluetooth

OFCOM (the UK regulator) has given the go-ahead for Ultra-Wideband (UWB) to be used within the UK; they have deregulated the required radio frequencies so a licence is no longer required to use them. The next step is for Europe to agree the UWB standards, which will take a few months, but I understand manufacturers are already developing UWB devices.

UWB uses part of the radio spectrum to transfer large amounts of data, such as media files, over short distances, so it's a kind of broadband Bluetooth. For example, in the home UWB can be used for wirelessly sending HD video from an HD camcorder to an HD TV, or MP3s could be streamed to wireless speakers. As you can imagine there are plenty of data transfer possibilities with this technology.

They say UWB will have a range of around 10 metres; however, they said that about Bluetooth when that first came out. We'll have to wait and see the security aspects and security challenges this new technology will bring, but I imagine it will be the same type of issues we see with WiFi and Bluetooth.

Friday 3 August 2007

Web 2.0 is Fundamentally Broken

"Web 2.0 is fundamentally broken," says Robert Graham, the CEO of Errata Security. "Using the tools it's easy to hijack other people's credentials. It's a fundamental flaw in Web 2.0". Well, I have to say the evolution of Web 2.0 (web apps) is what scares me the most in terms of Information Security today.

At Black Hat 2007 Robert Graham of Errata Security demonstrated how easy and quick it was to break into the most common Web 2.0 applications like GMail, HotMail, MySpace and FaceBook. Using Errata's soon-to-be-released freeware tools "Hamster" and "Ferret", Robert scanned the Black Hat wireless network during his presentation, sniffing out users' URLs until he found a user using GMail. After which he was able to very quickly open up that person's session and display the poor guy's GMail inbox on the big screen, thanks to the Errata tools.

This hack works because the Errata application is able to grab the user's cookie, from which authentication to the user's web session is gained. I can't speak for the other Web 2.0 services as I don't use them, but if you are a Google GMail user, I always advise using "secure http" to access it, i.e. https://gmail.google.com, as that ensures all traffic between Google and your web browser is encrypted, including the cookie info, and so defeats this type of hack.
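As an added example, not code from this post or from Errata's tools, here is a small audit of Set-Cookie headers from the site operator's side. It shows the caveat behind the advice above: typing https only protects the cookie if the site also marks it Secure, because a browser sends a non-Secure cookie on any plain http:// request to that domain, which is all a wireless sniffer needs. The header values are constructed; Secure and HttpOnly are the real cookie attributes.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie off
the wire in clear text. Added example; sample headers are constructed."""

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()   # attribute names are case-insensitive
    return name, attrs

def sent_over(attrs, scheme):
    """Would a browser attach a cookie with these attributes to a request
    using this scheme? Without Secure it rides on plain http as well."""
    return scheme == "https" or "secure" not in attrs

def audit_cookies(headers, session_names=("sid", "session", "auth")):
    """Return {cookie name: [issues]} for cookies that look like session
    tokens; an empty issue list means the cookie is set correctly."""
    report = {}
    for h in headers:
        name, attrs = parse_set_cookie(h)
        if not any(s in name.lower() for s in session_names):
            continue
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure: sent on any http:// request")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable by page scripts")
        report[name] = issues
    return report

# Constructed headers: a weak session cookie beside a hardened one, plus a
# harmless preference cookie that the audit should ignore.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=mail.example.com; Path=/",
    "AUTH_SESSION=xyz789; Domain=mail.example.com; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for name, issues in audit_cookies(SAMPLE_HEADERS).items():
        print(name, "OK" if not issues else "; ".join(issues))
```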

These hacking tools are supposed to be available to download as freeware at some point today; I will grab them and give them a try.