Friday, 29 November 2013

Cyber Broken Windows Theory

In 1982 a now famous paper by James Q. Wilson introduced the Broken Windows Theory.  Consider a building with a few broken windows.  If the windows are not repaired, the tendency is for vandals to break a few more windows.  Eventually, they may even break into the building, and if it's unoccupied, perhaps become squatters or light fires inside.

This theory has an uncanny parallel with current information security practices - poor security hygiene allows cyber-crime to flourish.  Consider a computer with a few unpatched vulnerabilities.  If the vulnerabilities are not patched, the tendency is for criminals to start exploiting them.  Eventually, they may even break into the computer, and if unprotected, perhaps add it to a botnet or just trash it.

By not patching our systems, we are not just victims of cybercrime, we are unwitting accomplices.

One unrepaired broken window is a signal that no one cares, and so is one unpatched computer.

Phil Kernick Chief Technology Officer


Friday, 22 November 2013

Trusting Security Standards

Elliptic curve cryptography starts by picking two points on a curve and drawing a line through them until it intersects the curve again.  Recent hysterical discussion on the potential tampering of elliptic curve cryptography by the NSA starts in a very similar way: point 1 on the curve is that the NSA was involved in the definition of the fundamental constants of ECC; point 2 is that the NSA are snooping on the world.  However, in this case the line is projected to infinity, and the assumption is that the NSA has intentionally weakened the algorithm.
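The chord-and-tangent rule the post opens with, carried through as an added example that is not from the original post: point addition on a small constructed curve y^2 = x^3 + 2x + 3 over F_97 (toy parameters, not any standardised curve), including the tangent case for doubling and the double-and-add scalar multiplication that an ECC private key actually performs.

```python
# Added example (not from the original post): chord-and-tangent point
# addition on a short Weierstrass curve y^2 = x^3 + a*x + b over F_p.
# The curve below is a constructed toy (p = 97), not a standardised curve.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity

P_MOD, A, B = 97, 2, 3              # constructed: y^2 = x^3 + 2x + 3 (mod 97)


def on_curve(pt: Point) -> bool:
    """Check that a point satisfies the curve equation (infinity always does)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p: Point, q: Point) -> Point:
    """The line through p and q (the tangent when p == q) meets the curve at a
    third point; reflecting that point over the x-axis gives p + q."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                 # vertical line: p + (-p) = infinity
    if p == q:
        slope = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x1 - x3) - y1) % P_MOD   # reflection over the x-axis
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """k * pt by double-and-add: the one-way operation ECC keys rely on."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


if __name__ == "__main__":
    G = (3, 6)                      # constructed base point on the toy curve
    print("2G =", add(G, G), "3G =", scalar_mult(3, G), "5G =", scalar_mult(5, G))
```

On this toy curve the point (3, 6) has order 5 (5G is the point at infinity), which is exactly why real deployments use curves whose base point has a prime order of roughly 2^256.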

Is it possible?  Sure.  Is it likely?  No.

The NSA, and all other similar government agencies throughout the world, have a dual role as both poacher and gamekeeper.  In Australia, the public mission of the Australian Signals Directorate is "Reveal Their Secrets – Protect Our Own".  The critical point is the balance between attack and defence.  Any security agency that intentionally weakened a cryptographic algorithm used to protect its own secrets is fundamentally failing its mission.  These agencies are full of the smartest mathematical minds on the planet, and the idea that no other country will ever discover the backdoor is fanciful at best.

Remember that the NSA has influenced cryptographic algorithms in the past.  DES was proposed in 1975, and the NSA changed some of the ways that it worked.  No-one knew why until 1990, when the independent discovery of differential cryptanalysis showed that they had strengthened the algorithm against a then-unknown attack.

Occam's razor says that among competing hypotheses, the hypothesis with the fewest assumptions should be selected.  In this case, that is the hypothesis that the same thing has happened with ECC and Dual-EC-DRBG as happened with DES.

There is ironically a side benefit to the NSA of all the tin-foil-hat musings.  People who worry about non-existent backdoors will start to move to less secure cryptosystems, which actually helps the NSA!

Phil Kernick Chief Technology Officer

Tuesday, 19 November 2013

CQR insights: Security Awareness Training Videos

This year at CQR we were proud to launch a new service with the development of our Security Awareness Training Videos. It is exciting to be the only company within Australia that can offer this method of information security training. The videos have been designed and developed using the knowledge of experts in their field who work here at CQR.

The videos are designed to help all staff at organisations large or small to understand the importance and sensitivity of the information they handle and need to protect. The videos also provide the tools and tricks on how to be ‘Security Smart’.

It is a common misconception that staff already know how to protect their information, not only within the office but at home and on the move. Too often this is not the case, which can lead to breaches occurring. Each video incorporates visual animation and human speech, with expert advice from our Information Security Guru, who gives practical advice to assist in avoiding those simple mistakes.

There are 14 videos available covering a spectrum of information security topics including Protecting your Digital Identity, Safe Internet Use, Workplace Security, BYOD and Social Media. They are each a maximum of two and a half minutes in length and are available in a variety of presentation formats suitable for online delivery.  CQR will also provide a Q&A document for each video for staff training assessments.

For further information please check out our training section on our website and get in touch with us either through the website or by calling our office on 1300 277 001.

Sarah Taylor

Friday, 15 November 2013

Balkanization of the Internet

There have been a number of well-known information security personalities publicly saying that the revelations about the capabilities of national governments to undertake wholesale surveillance of the Internet will lead to its Balkanization.  If you believe the hype, the Internet will fragment and become less well connected as we all pull back in fear of everyone else's big brother.

I just don't believe it.  There are two really good reasons why this won't happen.

Firstly, all evidence suggests that we really don't mind mass surveillance.  In 2006 the United Kingdom was described as being the most surveilled country in the West.  Since 2001 the USA has spent untold billions conducting illegal electronic surveillance on its own citizens, as well as doing its best to have a live packet capture of the entire Internet.  In a Western democracy, if we don't like what the government is doing, we can vote them out.  Not only have we not voted them out, we have year-on-year given them even more power.

This is not to say that these are good things, or that one day we won't say that enough is enough and reel the power back in, but it isn't going to happen in 2014, and may not happen for another generation.

Secondly, the Internet really is trans-national, and outside the control of any one country.  It was originally designed by the technical elite, without any consideration of governance.  It is now run primarily for the benefit of the business elite, who don't want governance as it may get in the way of their business models.  Any attempt to Balkanize the Internet, or set up controlling choke points will be worked around using both technical and business controls.  It is far too late to be trying to set up Internet borders and passport security.

This, on the other hand, is generally a good thing.  All the repressive regimes on the planet have done everything they can to limit Internet access, and they have universally failed.  The smarter ones have moved back to surveillance rather than control.

Within the next year or so, I strongly predict that the Internet will go through a phase-change from default clear-text to default encrypted, and the state security agencies will wring their hands and weep into their budgets.  But the rest of us will get on with our lives and use the Internet for what it was designed for - porn and funny cats.

Phil Kernick Chief Technology Officer

Tuesday, 12 November 2013

CQR Achievements in 2013

The only constant in the Information Security industry is change, and that has been no different for us.  Looking back we can see that 2013 has been a really good year for CQR.  It’s impressive how far we have come and what we have learned.

This year we were Platinum sponsors at the Oceania CACS Conference in Adelaide; not only was there a great turnout, there were also a great number of informative presentations, workshops and opportunities to meet with other professionals within the industry.

Our Business Security team has doubled in size, and we now have a high level of skill and experience that we can offer to clients who understand that Information Security is more a business problem than a technology one.

This growth has allowed us to take the opportunity to refine some of our services to make them more appealing packages.  One way of doing this has been to develop an area of our ISMS (Information Security Management System) offerings, and so we have created the ISMS Jumpstart programme.  The core aim of the programme is to both define an appropriate scope and governance framework for organisations, and also to expose areas that need to be addressed to implement an ISMS.  It gives the implementation a ‘Jumpstart’ by developing an implementation plan and future roadmap.

We have also been working on improving the business value of our Onsite Security Specialists (OSS) service, which is designed to give organisations regular and recurring access to our pool of skilled information security specialists.  Whether it’s for one day per month or five days per week, our OSS service is helping organisations solve their information security challenges by having one of our specialists become one of their onsite team members.

Our most ambitious and exciting development this year is our portfolio of information security awareness videos covering a range of issues that confront organisations and their staff every day.  We are very proud of this service as we are the only company in Australia that can offer this type of training support.  The videos have been born from ideas developed within CQR and have been developed and produced with significant input from all areas of the company.

Internally we have seen our personnel change, with new faces joining, some old faces moving on and even one of our alumni returning to us.  We are confident that our strong teams, both in Australia and the UK, will continue to forge great relationships both inside the organisation and with our clients.

With our 10 year anniversary approaching and the updated certification to ISO27001 waiting for us in the New Year, we are looking forward to the Christmas break, spending time with our families and friends, and welcoming the challenges of 2014.

You can find more information on everything we’ve achieved on our new website at or by following us on Twitter @CQR.

Sarah Taylor

Friday, 8 November 2013

Death Star Risk Assessment

We would like to thank Lord Vader and the executive team for the time and support they have given us in undertaking our risk assessment of the new Death Star weapons platform.  We understand that you have finished your initial development, and plan to go live in the very near future if the system tests codenamed Alderaan are successful.

We have considered the project risks in the areas of people, process and technology.

People risks.  The choice of armour for your troops appears to be more focussed on brand management than functionality.  Our assessment has found the following untreated risks:

(1) the armour does not protect against blaster fire; [risk moderate]
(2) the lack of identity badges increases the risk of social engineering attacks. [risk high]

Process risks.  There is little evidence that an effective management system has been deployed.  Our assessment has found the following untreated risks:

(1) management by force of personality and threat of death can be effective in small teams, but does not scale; [risk low]
(2) there are few documented processes for the management of the detention cells, trash compactor and other operational systems. [risk moderate]

Technology risks.  The specifications for the Death Star do not appear to effectively cover non-functional operational components.  Our assessment has found the following untreated risks:

(1) there is no technical security around the management interfaces to the weapons platform; [risk high]
(2) a small unshielded vent port has been detected that has full access to the central core. [risk high]

Our recommendation is that you correct each of these risks before going live, even if it delays the project.

Phil Kernick Chief Technology Officer

Tuesday, 5 November 2013

Oceania CACS Conference 2013

5 weeks ago CQR was the Platinum sponsor for the 2013 Oceania CACS conference, which was held at the Adelaide Convention Centre from September 23rd to 25th.

CQR’s General Manager and Chief Technology Officer, Phil Kernick, was one of the keynote speakers and presented on the Anthropology of Information Security. (A copy of his presentation can be found on the ISACA Adelaide Chapter website.) In typical Phil Kernick fashion he provided the conference delegates with some interesting parallels between the rise of civilisation and the evolution of information security. The presentation was thought-provoking and left the audience with a different interpretation of the field in which we work. At its core Information Security is not new; it’s just the technology that surrounds it that has evolved.

Other CQR team members who presented included Evan Pearce who discoursed on mobile device security and David Simpson who facilitated a full day workshop on “Navigating your way effectively through the Information Security jungle.”

Non-CQR presentations of note included those by Robert Stroud and Stuart Mort, as well as Chris Brookes from the Australian Signals Directorate.  The presentation by Duncan Chessell, a three-time conqueror of Mount Everest, was also very well received.

A highlight of the conference was the CIO/CSO forum moderated by Robert Stroud (CA Technologies) which included Phil Kernick, Andrew Mills (SA Government Office of the Chief Information Officer) and Stuart Mort (Oracle Global Information Security). Having some of the best Information Security professionals in the country on the same table to answer questions and discuss a number of interesting, challenging and topical Information Security subjects was a unique opportunity. Many of the topics and themes were later debated at tables during the conference dinner that evening.

Oceania CACS was attended by over 100 delegates from all over Australia and many from abroad. It provided an excellent networking opportunity for all delegates to speak with like-minded security and audit professionals. The event was also a significant milestone in the CQR calendar. With over 15 of its staff in attendance, CQR enjoyed many diverse conversations with delegates and industry peers alike. One lucky attendee also won an iPad mini donated by CQR in our business card draw.

Yvonne Sears (ISACA member and CQR employee) took a formal photography role, providing us with photos of the sessions that took place over the 3 day event; a selection of them will be added following this blog update.

Sarah Taylor & Gary Kite Senior Security Specialist