Friday, 31 January 2014

Bitcoin Mining your Passwords

Many people have invested in high-end GPUs to perform Bitcoin mining.  But even with Bitcoins trading above US$1000, it's no longer cost-effective or plausible to find a new one.  So other than gaming, what can all this GPU power be directed at?  Password cracking is an obvious choice.

Almost exactly a year ago in my blog on Information Security Themes for 2013, I said:

"Passwords suck.  Passphrases are just long passwords, and they also suck.  Every two factor scheme out there really sucks – mostly because I have so many different tokens that I have to carry around depending on what I want access to."

And I was right.  In 2013 we've seen password dumps and cracking that make 2012 look trivial.  This problem is not getting better, and with all the excess GPU capacity, it's getting even easier for anyone and everyone to crack passwords.  There are certainly cryptographic solutions being developed, such as PBKDF2 (if you still trust RSA) for key stretching, but they can't be retrofitted into existing systems, and the existing systems, with all their juicy data, will be around for a very long time.
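To make the key stretching point concrete, here is an added example (not code from the original post) contrasting a plain, unsalted hash with PBKDF2-HMAC-SHA256 password storage. It uses only the Python standard library; the record layout `pbkdf2_sha256$iterations$salt$hash`, the default iteration count and the function names are assumptions chosen for this illustration, not a standard. The `cost_ratio` helper measures, on the machine it runs on, how many legacy hashes fit in the time of one stretched derivation, which is the whole reason stretching blunts GPU brute force: every guess costs the attacker the same multiplier.

```python
"""Added example: PBKDF2 key stretching versus a plain hash (not from the original post).

Record format (an assumption for this example): "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000  # assumed policy value; raise it as hardware gets faster
SALT_BYTES = 16
HASH_BYTES = 32


def legacy_hash(password: str) -> str:
    """Plain unsalted SHA-1: one cheap hash per guess, and equal passwords collide across users.
    This is the kind of scheme a GPU cracker gets through quickly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a stretched, per-user-salted record. A caller-supplied salt is only for tests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: reject rather than guess
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if a stored record is weaker than current policy; rehash it on the next successful login."""
    try:
        algorithm, iterations_text, _salt_hex, _hash_hex = record.split("$")
        return algorithm != ALGORITHM or int(iterations_text) < minimum_iterations
    except ValueError:
        return True


def cost_ratio(password: str, iterations: int, samples: int = 5) -> float:
    """Rough local measurement: how many legacy hashes fit in the time of one PBKDF2 derivation.
    The fixed salt here is for timing only and must never be used for storage."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for _ in range(samples):
        legacy_hash(password)
    legacy = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES)
    stretched = (time.perf_counter() - start) / samples
    return stretched / legacy if legacy > 0 else float("inf")


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Correct horse battery staple", record))
    print("legacy record needs rehash:", needs_rehash(hash_password("pw", 1_000)))
    print(f"one PBKDF2 derivation costs roughly {cost_ratio('pw', DEFAULT_ITERATIONS):.0f} legacy hashes")
```

Two design points are worth noting. The iteration count is stored inside the record so policy can be raised later and old records upgraded at next login via `needs_rehash`, and comparison uses `hmac.compare_digest` so verification time does not leak how many bytes matched.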

So where are we at the beginning of 2014?  Same place we were last year, and my advice hasn't changed.  Instead of trying to authenticate the user, we need to instead authenticate the transaction.  And that is still a hard problem that our backward-looking way of thinking makes even more difficult to address.

Thursday, 23 January 2014

CQR Insights: Organisation compliance with New Privacy Laws

From 12 March 2014, the Federal Government’s new privacy laws will introduce a new set of Australian Privacy Principles. The reforms introduce new enforcement powers and remedies for investigations that the Commissioner commences on their own initiative. The Commissioner will be able to make a determination, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders, which can reach $340,000 for individuals and up to $1.7 million for companies.

Mandatory reporting of data breaches is not part of the new laws (yet), but clearly the new enforcement powers and remedies for investigations are putting everyone on notice as regards the protection of personal information.

How will the new privacy laws impact your organisation?  Well, it is really all about managing risk.

An article by Alec Christie, partner at DLA Piper, in The Australian suggests companies undertake a “mini privacy audit”.

I have put together a list of ten questions to ask yourself:

1. Do you manage a register of risks relating to your critical business systems that store and use personal information?

2. Do you have procedures for staff and contractor access control to these systems, covering granting, revoking and privilege levels?

3. Do you know where personal data is stored?

4. Do you have a procedure for removing or de-identifying personal data in databases and archive systems where this information is no longer required?

5. Do you have change control procedures for network, system and application changes which may impact business systems holding personal information?

6. Does your organisation have an information security policy and associated procedures?

7. Does your organisation have a resource who is responsible for information security management?

8. Do you have procedures for managing and applying operating system and application patches and upgrades?

9. As highlighted in the Privacy Commissioner’s recent AAPT breach investigation (link below), do you have service level agreements in place with third-party providers regarding responsibilities for protecting personal information and, importantly, a means of monitoring compliance?

10. Do you perform annual vulnerability assessments of internet infrastructure and applications?

If you answered yes to all of these questions then you are probably doing ok.

What help does CQR offer for the new privacy laws?

As part of our ISMS/ISO27001 business practice we have a packaged program which runs over a 4-week timeframe where we work with a client to:

1. Identify business systems that are in scope;

2. Perform a gap analysis against existing information security procedures and processes;

3. Highlight risks and maturity of controls in place;

4. Rate the adequacy of existing procedures;

5. Provide a draft implementation plan of activities to effectively manage the risks associated with your information assets.

As part of our technical services CQR can perform vulnerability assessments of your internet-facing infrastructure and services.

AAPT’s data breach investigation, which gives some insights into where things can go wrong.

If you would like further information on how CQR can assist with getting in line with the new privacy laws, then contact CQR at or
Greg Starkey
Business Development Manager, Government & Commercial

Friday, 17 January 2014

Securing Cloud Services Part 3

Practical tips

Through our many risk assessments of cloud services there are a few practical tips which you may find useful in selecting the right cloud services.

I. Do the risk assessment early. On a number of occasions a cloud service has advanced to pilot stage prior to a risk assessment. The assessment identifies some key risks which require remediation or mitigation. The result is either a severe impact on the rollout plan or the project is abandoned.

II. Data classification. Make sure the business understands the need to classify the data and/or business process to ensure the appropriate security controls are understood and implemented by the cloud provider.

III. Service availability. Ensure the cloud provider’s service recovery plan aligns with business expectations. It might be nice that a cloud provider offers a fee credit for an outage, but this may be irrelevant compared to a focus on service restoration within a time period.

IV. Incident management. The company’s information security policies and procedures define the responsibilities, actions and reporting requirements in the event of an incident. The shift to the Cloud sees a blurring of responsibilities between the company and the cloud provider.  The service level agreement needs to reflect a clear understanding of who is responsible for taking actions in relation to a security incident and the reporting protocols.

V. IaaS preferred providers.  Perform a risk assessment on a select group of IaaS providers. Initially this can be achieved by a self-assessment questionnaire, security review, or confirming their compliance to industry standards or a risk management framework. Once assessed, the company then has a baseline rating for providers to recommend to business units depending on the technical controls and mapping to data integrity, availability and confidentiality needs.

VI. Compliance requirements. The business unit considering a cloud deployment must clearly understand the company’s own security compliance requirements and risk appetite. This needs to be conveyed to the cloud provider so it can comply with the appropriate levels of risk assessments and audits.  There can be considerable reluctance on the part of the cloud provider after deployment to allow testing of the provider’s applications and infrastructure if this has not been agreed upfront.

VII. PaaS and SaaS services. Make sure data integrity, availability and confidentiality requirements are agreed. Where possible have these services deployed on one of the IaaS preferred suppliers’ platforms.

VIII. Impact of an outage. The increased interdependence of cloud and on-premises data should not be underestimated. The impact an incident or outage of a cloud service would have on the company’s overall operation needs to be quantified and reflected in the corporate risk register.

IX. Cloud assessment document. Develop a cloud computing security assessment document based on the ASD document “Cloud Computing Security Considerations” and apply appropriate risk ratings. This assessment document can be completed by potential cloud providers early in a project lifecycle to avoid any unnecessary waste of time or resources on a solution which is not going to match the company’s risk profile.

Greg Starkey
Business Development Manager, Government & Commercial

Thursday, 16 January 2014

Securing Cloud Services Part 2

Cloud Security Fundamentals

Numerous surveys have found CIOs citing “security” as their main concern in adopting cloud computing technology. The Cloud is seen as an environment that is outside of the CIOs control, and from the perspective of accountability and compliance this seems to represent a risk. Security and control go hand-in-hand, and few security-conscious CIOs would be willing to cede control over core business systems until the benefits far outweigh the risks.

To convince organisations that risks have been addressed, cloud vendors need to provide their clients with details of their information security management program. A number of vendors have obtained ISO27001 certification for their service offerings. Moving forward this is something that will no doubt become the benchmark for serious Cloud providers. Certification, of course, does not guarantee security but at least provides an independent verification that information is governed by an international standard.

Due diligence is the key for selecting a provider. Customers should demand transparency and ask tough questions regarding risk management and technical security controls. The vendor must be able to provide assurance that any information will be adequately protected and that technical controls and security processes are subjected to regular testing. The customer should dictate the level of assurance detail provided.

So what is a good starting point for an organisation considering cloud computing solutions?  A very concise and plain-speaking document is the Australian Government ASD guide “Cloud Computing Security Considerations”. It contains a practical checklist of security considerations to maintain availability and business functionality in the Cloud.

For more detailed guidance on implementing the appropriate information security controls, the Cloud Security Alliance website offers much valuable information to assist organisations in making the right decisions.

There are some unique security considerations when it comes to cloud services which are not encountered in an organisation’s on-premises operations.

The key ones are:
· The problem of multi-tenancy
Multi-tenancy is a term used to describe the shared use of a cloud computing resource by multiple customers.  An example of multi-tenancy might be a large database server running multiple secured databases for numerous users, or a virtual machine server running multiple instances of an operating system.

The issue with multi-tenancy in the Cloud is that a customer’s instance may be running on the same physical hardware as an attacker.  The attacker may be able to compromise shared physical resources or escape the virtual machine to execute arbitrary code on the physical host. Several VM escape vulnerabilities have been identified by security researchers. As more customers take up virtualized Cloud computing services, these technologies will come under increased hacker scrutiny and more vulnerabilities are likely to appear.

· The chain of third parties
Cloud providers tend to work with a number of third parties. A hosted application may be on another cloud provider’s hosted infrastructure; however, your service level agreement is with the hosted application provider.  In the event of an incident affecting the infrastructure provider that results in loss of access to the application, it may be unclear as to each provider’s responsibilities and commitments for service recovery. An organisation needs to identify with their frontline cloud provider any potential third parties involved in managing their data and ensure they answer the same key questions on information security.

· Data security and backup
One of the first questions asked of cloud providers is: where on the global map is my data stored? The more important questions are around responsibilities for data security:

I. Is the provider responsible for data backups?

II. If a contract is terminated, is there a provision for the cloud provider to supply an export of the application data?

III. Does the organisation have the capability to meaningfully use exported data?

IV. Is the provider obliged to report incidents and data breaches to the client?

Often Cloud service level agreements do not have much detail regarding backup arrangements, nor do they specify what would happen in the event of data loss or a security breach. The onus of risk for data security and backup is more than likely pushed back on the customer.

Below is an extract from a cloud provider service level agreement that CQR recently reviewed:

“Customer remains solely and fully responsible for any data, material or other content posted, hosted, stored… using the cloud provider Network or Services. Cloud provider has no responsibility for any data, material or other content created on or accessible using the cloud provider Network or Services”

· The virtual system administrator
A company’s system administrator has clear responsibilities and functions for controlling user and data access. He or she abides by the company’s code of conduct and their job performance can be reviewed and subject to consequences in relation to negligent actions.  When the employee moves on the HR process kicks in to revoke their access and ensure any privileged account passwords are changed.

In the Cloud, depending on the time of day and/or your location, your services could be administered by one of perhaps three global teams or a provider’s helpdesk with dozens of privileged users. A request to change a user’s access or application rights may be made by email and acted upon by one of these virtual administrators.
The level of risk these virtual administrators pose to the company needs to be understood. It is not unreasonable to request that the cloud service provide evidence of how they manage privileged user accounts in your environment and what the processes are to grant and revoke such privileges given inevitable staff changes.

Part 3 following tomorrow...

Greg Starkey
Business Development Manager, Government & Commercial

Tuesday, 14 January 2014

Securing Cloud Services Part 1

The use of the word “Cloud” to describe hosted IT services is somewhat of a misnomer. Even though its origin is a diagram on paper, it still conjures a vision of a floating entity over which you have no control and which may not be there in the morning.  However, it is a very pervasive marketing term and has strong acceptance.

Cloud is not so much a technology as a convergence of multiple streams of technology into a new service layer. It is categorised into three major service offerings which require different security considerations:

Infrastructure As A Service (IaaS) is the delivery of computer infrastructure (typically a platform virtualization environment) as a service. Rather than purchasing servers, software, data centre space or network equipment, clients instead buy those resources as a fully outsourced service. The service is typically billed on a utility computing basis, and the amount of resources consumed (and therefore the cost) will typically reflect the level of activity. Storage as a Service (remote backup) is often cited as a subset of IaaS.

Platform As A Service (PaaS) provides all of the facilities required to support the complete life cycle of building and delivering web applications and web services with no software downloads or installation for developers, IT managers or end-users.

Software As A Service (SaaS) is a model of software deployment whereby a provider licenses an application to customers for use as a service on demand. SaaS software vendors may host the application on their own web servers or download the application to the consumer device, disabling it after use or after the on-demand contract expires.

For SaaS and PaaS the primary security focus is around data integrity, availability and confidentiality whilst with IaaS the focus is on technical controls.

The Move to Cloud

Every day more organisations are moving their data into the Cloud, with increasing reliance on web applications and hosted services as core components of their business operations. 

More often than not the move to cloud services is driven by business divisions identifying a new solution they want now which is not dependent on internal IT resourcing or constraints. Unfortunately, at times the value of the data or the issues around integration of cloud and on-premises data are overlooked. This can result in many post-implementation ad-hoc activities that can compromise data and system security.

Just as important, the risks cannot be entirely outsourced. Servers go down, hardware fails, and networks lose connectivity. Underlying all these potential issues is the general risk of a business losing control over their own data and not being able to account for it if things go wrong.
Look out for Part 2...
Greg Starkey
Business Development Manager, Government & Commercial

Friday, 10 January 2014

Redirecting Your Physical Identity

One of my pet hates is when mail for other people is delivered to my personal post office box.  But something that isn't normally considered is how annoying it could be for the person who didn't get the mail in the first place.

I'll use a recent real example, and in this case the misdirected post was for yet another optometrist.  Seriously, what is it with optometrists and security failure?  It has never been more true that there are none so blind as those who will not see.

There are three different failure conditions, all with a cost and an impact.

#1  The sender doesn't know the receiver didn't get the message.  They are spending money posting paper that never gets delivered.

#2  The receiver doesn't know anything about the message at all.  They are paying for the message to be sent, but are getting no value from it.

#3  The sender has included enough information on the outside of the envelope to allow anyone who sees it to steal the identity of the receiver.  They've assumed that the communication is private and can't be intercepted.

It's #3 that is the most troubling.  The name, address, account number, contact details and a number of other pieces of interesting information were on the outside.  This is sufficient to be able to reset the password of the legitimate receiver at the organisation of the sender.  After that, identity theft becomes very easy.

We know that information is being snooped off our networks, but we forget that every piece of physical mail is scanned and photographed to allow automated delivery.  Those photos are metadata, and almost certainly end up with the security services.

It isn't enough to keep our identities secure online; we have to remember to keep them secure offline as well.

Phil Kernick @philkernick