Security Mantras

I have to explain security concepts quite a bit in my job and so I thought I’d share my thoughts with you all for some discussion.

I’m going to keep it brief and then update this blog with the feedback and comments shortly.

Mantra 1

There are two kinds of people – those who have been hacked and those that don’t know it yet.

I’m all for a bit of FUD: Fear, Uncertainty and Doubt. It is a good sales technique, to be fair – but please, if you are going to use FUD, be accurate. The infosec industry is getting a bad rap for wild accusations, so let’s keep it real. If you feel the need to use a FUD mantra, how about:

Do you want to be one of those companies you get to read about, who didn’t do anything and then got hacked?

Mantra 2

Monitor, Manage and Maintain

Bit of a personal favourite of mine – so for transparency reasons … yes, I am biased!

  • Monitor – you have to be looking out to see what is coming your way. Ensure you have adequate monitoring that tells you of an impending attack. Of course, the critical part of all this is to know your baseline – what is normal? Once you know this, you can work out what could be going wrong.
  • Manage – if you don’t have someone looking after these things, it goes the way of the paperless office … it was a good idea once. There should be a sponsor … a person at the top of the tree who ensures that the top line buys in, and then there should be a busy-bee worker who is making sure ‘stuff’ happens.
  • Maintain – patch, upgrade – do what you need to do to ensure you are always at the edge and not falling into the hands of criminals who love to capitalise on out-of-date systems.

Mantra 3

We have [VENDOR PRODUCT] so we’ll be OK

or

Buy our [VENDOR PRODUCT] and you will be secure

No, no, no, no. No piece of tin will keep you safe. I love this quote, which explains it perfectly: “It doesn’t matter how thick your suit of armour is, you can still get flu.” With humans, there is always a will and a way!

So there you go … my starter for 10 … what security mantras do you use to protect yourself, or what mantras do you train others in?

Things that each of us should do

This is for all of us … yes … I know you’re a leet hacker ‘n all, but c’mon, we all have to do this stuff.

So let’s start … right now.

  1. Password re-use. Yep, don’t be that idiot! Make each password different.
  2. Change your passwords every 90 days. That’s 4 times a year … Oh, and while you’re at it … change your PINs too. When did you last change your debit card PIN?
  3. Someone else’s Wi-Fi. If you didn’t set it up, then don’t connect. There is nothing so critical in the world that means you have to connect insecurely.
  4. Get a shredder. A good one. Spend your money and get something that you know will keep you safe.
  5. Use the shredder. You bought it, so use it! Then spread the paper about. If you have a pet, you now have bedding / litter!
  6. Sharing is bad. Don’t share. If they take your USB pen drive away, did they recover anything? Your Wi-Fi is yours … don’t share.
  7. Challenge if you’re not sure. If your CEO isn’t wearing an ID badge … be nice, but challenge people who might be using social engineering techniques.
  8. Windows Key + L, or the Linux variant. Just remember the old days of meatspin. LOCK IT.
  9. Work is work. Don’t mix your work email / social media with your home life. Keep your digital identities separate.
  10. Have ID at all times. Appropriate, current and relevant. Be ready to challenge people who aren’t ready.
  11. Help your friends. They can be an easy route back to you, so help them be secure.
  12. Offer a free training course for colleagues on securing themselves. Start the wheels in motion.
  13. There is never a 13.
  14. Hack yourself. Yes, that’s right. I recommend looking yourself up to see how much data you are leaking. Then pen test yourself. Is your home secure?
  15. Alarm and alert. Not just a house alarm: house locks, car alarm, immobiliser, and alerts for you online – use Google Alerts for encrypted versions of your passwords, usernames and addresses.
  16. Have a business continuity plan for yourself. What would you do if …?

Well there you go … let me know in the comments below if you have any others you think should go on the list, and we can develop it over time.

Keep Safe!

Are you unconsciously insecure?

Maslow is a well-known psychologist and came out with many theories and observations that are still relevant and used today.

One of his more famous ones was around learning.

  • Unconscious incompetence – you don’t know what you don’t know
  • Conscious incompetence – you know what you don’t know
  • Conscious competence – you know what you know
  • Unconscious competence – you don’t know you know it (think natural gift)

This got me thinking … I come across so many companies that get things wrong, and when you ask them about the incident, they had no idea how this vulnerability or issue would apply to their security. So here is Coulson’s theory of security types, with more than a slight nod to Maslow!

1) Unconscious insecurity

They don’t know that their actions are causing them insecurity.

  • Passwords that are weak
  • Passwords on notes on their desks
  • Using public Wi-Fi for secure traffic
  • Full data on social media
  • Unencrypted databases
  • Updating/patching not being completed

Sound familiar? Of course it does. What is more tragic is that we could move a massive bulk of people out of this area and into a higher one with better education. This needs to start at school and continue.

2) Conscious insecurity

  • We knew about it but didn’t have budget
  • Yeah, it wasn’t in scope
  • We had it on our to-do list
  • I wondered what it was
  • It won’t happen to me

Again, a high proportion of people live here, and generally it is a resource issue to fix. Budget is a big player, but so is understanding the risks. A good approach here is to map out a process: I need to do some banking. If you understood the risks of public Wi-Fi, you wouldn’t go near it. So you need to understand the risks, and budget (time and money) for those risks.

3) Conscious security

  • So long as ‘x’ happens then we’re ok
  • Audit will pick that up
  • We have that tested
  • If I follow this guide then we update everything

Yeah, not so many people live here. It is a concerted effort at this point. If someone has been attacked previously, they tend to be more conscious of their security and therefore take steps to protect themselves.

4) Unconscious security

  • We do that
  • That is an automatic process
  • Yeah, updates happen
  • We’ve never failed an audit yet
  • I always do that

This is the nirvana we seek! Yep, if everyone was in this area then fewer incidents would happen. But there is a problem here too … How do they know they are effective? How do you ensure you are up to date? How do you check?

So there you have it, Coulson’s theory of security! Thank you Maslow.

Summary of types:

  • Unconscious insecurity – I didn’t know
  • Conscious insecurity – One day
  • Conscious security – I’m ticking the boxes
  • Unconscious security – Pah, I laugh at your security

Summary of fixes:

  • Unconscious insecurity – Knowledge
  • Conscious insecurity – Understanding
  • Conscious security – Taking steps
  • Unconscious security – Effectiveness

Which one are you?

Something bugging me about the Twitter hack

There’s something strange,

in the media world.

Who you gonna call?

Well, no-one actually!

Twitter announced on Friday 1st Feb on its blog that it had been compromised and various details had been lifted from its servers.

OK – rewind – last time they were compromised (November 2012) we had full disclosure of the incident and yet with this recent blog we have nothing. Odd? I thought so too.

So, speculation time …

1. The Java Cover-up

With the Java 0-day mess at the moment, is this just some front for Twitter to get developers to stop using Java to connect to them … BEFORE … the actual incident happens? It would make sense in some ways. Twitter cannot afford the damage to brand and reputation if they were completely left open, so if they were to post a faked article with wishy-washy details about the incident, it would come as no shock to the industry when they announce in 3 weeks that they no longer support Java apps connecting to them.

Tie this in with the hacks against US media at the same time, and we find even less detail; allegedly they are all related … well, how?!

2. The numbers don’t add up

Let’s assume Twitter was hacked. Let’s pretend it was you who had compromised them … 200 million accounts to play with – you could be rich!! Just think of the value in the data. The spammers would rip your arms off for that kind of data. So why only take 250,000 accounts? Even Twitter admitted:

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later.

This week …

shut it down in process moments later.

Which is it? A week or moments?

3. Who Dunnit?

We know it’s not Anonymous this time – otherwise every script kiddie in the universe would be all over this. We also know that there is no value to organised crime – no financials can be gained. So who is responsible? Tenuous claims of China? Why? There’s nothing in this hack to suggest that. If it was someone who’d struck lucky with an exploit, we’d have heard about it by now. This would be great kudos for the person/group involved. And yet … nothing. Twitter states:

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.

So Twitter knows it was not isolated and has hit others similarly (but didn’t link it to the US media as above). Who else has been attacked, and who is this mysterious, shadowy, non-amateur person/group that takes data, and not for the kudos or lulz …

I know I could just be sceptical, but after just writing the corporate blog for Secarma on this, I just got a funny feeling that I’d somehow missed the point. Where’s the best place to hide something? In plain sight. So why not hide it in the Twitter blog?

I went back and re-read the Twitter blog.

Paragraph 1 – US Media and Java

Paragraph 2 – timeframes and no. of accounts

Paragraph 3 – what they have done

Paragraph 4 – password tips

Paragraph 5 – Java tips

Paragraph 6 – attacker

I just wonder … is this another nail in Java’s coffin, or is this a real incident? There is nothing conclusive in this blog, no reveal … just nothing. As someone who reads a lot of this kind of article, it just feels like Twitter are playing a good game of poker here and are holding their face firm.

What do you think?

Thanks

SPCoulson

Cybersecurity for Kids

How on earth do I explain to my kids about staying safe online? Do I tell them about the nasty man who wants to see pictures? Do I tell them about the naughty people hiding in the shadows who want my kids to open things for them so they can look at mummy and daddy’s computer?

Where do you start?

Well, the first thing I have done is to create their own logins (with parental controls applied) so they are now masters of their own destiny. It is also easier for me to log their movements. They know this and understand that if they have any problems, they can trust me to be able to look into their situation.

So tip 1) Make them accountable

Next, logging in – my eldest child is VERY possessive of their writing, and so they deliberately made their password harder for their younger sibling to guess. Aged 7, using an 8-character password with upper and lower case, numbers and otherwise. Even my youngest child is using upper and lower case characters.

Tip 2) Complex passwords / pass-phrases

Once logged in, the parental controls help limit what they can/can’t browse. There are a multitude of these in the marketplace, as well as those built into Microsoft Windows 7 / Live. Although it is only a basic step, it reduces the likelihood of them viewing content they shouldn’t be seeing. It is not infallible, but we are looking at reducing risk. Allow them some control though – again, it will help them to still have usability of the internet, and therefore they won’t try to circumvent any security.

Therefore tip 3) Use parental controls to reduce the risks of what your child will be viewing

If you want to know what your children are doing on the internet … sit with them! Show an interest in their computer use, suggest other sites. Think of safe sites (BBC, National Geographic, NASA) and research them first. Show them how to use Google and other search engines to find safe sites (SafeSearch on, etc.). A bit of time and effort at the start and you will be starting them off on the right foot.

Tip 4) Invest some of your own time to help protect your children

OK, so your kids are now logging on, able to use the computer. But how do you get them to keep this good practice? At some point you need to talk about the bad guys. For this, there are plenty of online resources to demonstrate the dangers without them actually falling foul. Also, consider discussing situations – what if you post X on a social media page – how will that look to teachers / potential employers, etc.? This will be an invaluable lesson and you need to think about how to do this. Think about talking to your child’s school for advice and perhaps. This will then give a common view and reduce confusion about right and wrong habits.

So tip 5) Educate them about the bad guys

What do you do if you suspect your child has done something on the internet that they shouldn’t? The big question … well, the first thing is to talk to them about it and explain what the outcomes may be. The primary discussion is about them removing content; otherwise, you should not do it alone, as they could rebel and upload more content. So if they understand why they should remove the content, it should help them in the future. Let’s face it, we all get it wrong at some point; don’t chastise them, help them realise how they should behave.

Tip 6) Help them when they go wrong.

By no means is this list infallible, but at least it’s a start. I encourage you to comment and offer your own suggestions as to how you tell your children about being safe online.

Summary:

Tip 1) Make them accountable

Tip 2) Complex passwords / pass-phrases

Tip 3) Use parental controls to reduce the risks of what your child will be viewing

Tip 4) Invest some of your own time to help protect your children

Tip 5) Educate them about the bad guys

Tip 6) Help them when they go wrong.