Category Archives: Information

Online dating at the organisation’s expense – covered by your InfoSec policy

A few months after the sensational Ashley Madison data breach, another dating website has been breached. Members of Beautiful People have their personal details floating around on the internet.

Previously undisclosed intimate details such as sexual preferences and orientation have a social impact on the unfaithful and on their close family members. The personal consequences go well beyond the financial: strained family relationships, reputational damage and adverse health effects such as stress.

Organisational policy is there to ensure that staff behave in line with organisational expectations. Just as staff are not allowed to take bribes or turn up to work intoxicated, they are expected to ensure that their online behaviour does not tarnish the organisation’s reputation. When allowing personal use of corporate systems, organisations must consider the external impact of a staff member’s actions.

An organisation’s security policy must reflect the level of professionalism expected by senior management and, importantly, by its customers. Policy, communication, education, transparency (and incident response/public relations) must be in place to protect all parties involved.

After all, staff who behave badly reflect on the organisation as a whole.

http://www.9news.com.au/national/2016/04/26/15/43/government-emails-caught-in-beautiful-people-hack

Canals, Law Firms and InfoSec – Lessons learned from the Mossack Fonseca data breach

Another day, another leak.

This time the victim of the leak is Mossack Fonseca, a Panama law firm which has been exposed for facilitating shady tax arrangements. The breach is enormous: the volume alone could displace the thing Panama is traditionally known for, the canal.

Naturally, the findings of the breach investigation may never see the light of day, but speculation is always fun, so: what could we learn from this breach?

1. Trust is king; otherwise, use identity management and access control

The locks in the canal serve to direct water to the right places.

No one knows if this was an inside job, but one thing is certain: ‘John Doe’, who conducted the breach, had the motivation to carry out the leak. If it was an inside job, this person would have had a great deal of access within the organisation. Identity management, separation of duties and access control limit the amount of data any one individual can reach. In any organisation handling sensitive data, all of this is essential to limit the potential loss from a disgruntled employee.

2. Don’t forget physical access

A hole in the lock allows water to seep through where it’s not supposed to.

John Doe could have had physical access to backups, tapes, servers, USB ports: you get the idea.

3. Are you looking? – Egress points

If no one is inspecting the locks for leaks, how do you know if there is a problem?

Süddeutsche Zeitung, the newspaper reporting the breach, acquired about 2.6 terabytes of data. Let’s assume for a second that the person doing the leak was not an insider who stole mirrored drives from Mossack Fonseca servers or copied the data to a USB hard drive: how did 2.6 terabytes of data get out?

If it was done remotely, that is 2.6 terabytes over the wire. If a law firm runs a SOC or NOC, one thing it should be watching for is mass exfiltration, out-of-hours transfers and any other anomalous activity. Sure, John Doe could have been drip-feeding, but 2.6 TB in small daily slices takes an excruciatingly long time, and the slices still add up in a rolling per-host total. If your NOC is not talking to your security team, well, that too is a problem.
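As an added example (not something from the original post, and not Mossack Fonseca’s or any vendor’s tooling), here is the kind of check a SOC could run over outbound flow summaries. The flow records, host names, destination addresses and thresholds are all constructed for illustration; a real deployment would derive the limits from a measured baseline. Three rules are applied per host: a daily outbound volume limit, an out-of-hours limit, and a rolling total across the whole window, which is the rule that catches the drip-feed case where every single day stays under the daily limit.

```python
"""Egress anomaly rules over constructed outbound flow summaries (illustrative only)."""
from collections import defaultdict
from datetime import datetime, timedelta, time

MB, GB, TB = 10**6, 10**9, 10**12

# Thresholds are assumptions for illustration; a real SOC would tune them from a baseline.
BUSINESS_HOURS = (time(7, 0), time(20, 0))
DAILY_LIMIT = 5 * GB          # outbound bytes per host per calendar day
OFFHOURS_LIMIT = 200 * MB     # outbound bytes per host outside business hours, per day
ROLLING_LIMIT = 10 * GB       # outbound bytes per host over the whole window (drip-feed check)


def detect(flows):
    """flows: iterable of (timestamp, host, dst_ip, bytes_out) for outbound traffic only.

    Returns a sorted list of (host, rule, bytes) alerts, one per host and rule,
    carrying the largest value that tripped the rule.
    """
    per_day = defaultdict(int)      # (host, date) -> bytes
    per_night = defaultdict(int)    # (host, date) -> bytes sent outside business hours
    for ts, host, _dst, nbytes in flows:
        per_day[(host, ts.date())] += nbytes
        if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            per_night[(host, ts.date())] += nbytes

    worst = {}

    def note(host, rule, value):
        worst[(host, rule)] = max(worst.get((host, rule), 0), value)

    for (host, _day), total in per_day.items():
        if total > DAILY_LIMIT:
            note(host, "mass-transfer", total)
    for (host, _day), total in per_night.items():
        if total > OFFHOURS_LIMIT:
            note(host, "off-hours", total)
    # Low and slow: the host never crosses the daily line, but the window total is large.
    for host in {h for h, _ in per_day}:
        days = [v for (h, _), v in per_day.items() if h == host]
        if sum(days) > ROLLING_LIMIT and max(days) <= DAILY_LIMIT:
            note(host, "low-and-slow", sum(days))
    return sorted((h, r, v) for (h, r), v in worst.items())


def constructed_flows(start=datetime(2016, 3, 1)):
    """Thirty days of made-up outbound flows: a normal host, a drip-feeder and one bulk night transfer."""
    flows = []
    for d in range(30):
        day = start + timedelta(days=d)
        flows.append((day.replace(hour=10), "ws-admin-02", "203.0.113.10", 100 * MB))   # routine sync
        flows.append((day.replace(hour=14), "ws-legal-07", "198.51.100.5", 500 * MB))   # drip feed, in hours
    flows.append((start.replace(day=20, hour=2, minute=30), "srv-dms-01", "198.51.100.77", 2600 * GB))
    return flows


def human(nbytes):
    for unit, size in (("TB", TB), ("GB", GB), ("MB", MB)):
        if nbytes >= size:
            return f"{nbytes / size:.1f} {unit}"
    return f"{nbytes} B"


if __name__ == "__main__":
    for host, rule, value in detect(constructed_flows()):
        print(f"{host:12} {rule:14} {human(value)}")
```

Run it and srv-dms-01 trips both the mass-transfer and off-hours rules for its 2.6 TB night transfer, while ws-legal-07, which never sends more than 500 MB on any one day, is caught only by the rolling total. The rolling rule deliberately stays quiet for hosts that already tripped the daily rule, so each alert tells the analyst something different.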

4. Data loss prevention (DLP) is not a silver bullet

Just stopping blue coloured liquid will not stop leaks.

Süddeutsche Zeitung reports that the haul consisted of e-mails, PDF files, photo files and excerpts of an internal Mossack Fonseca database. A quick review of the leaked documents shows that Mossack Fonseca was handling both structured and unstructured data. In DLP terms, documents derived from a predefined template (eg: official company letterhead) form structured data. Passports, share certificates and other documents that do not adhere to MF’s document management standards are unstructured data. Documents can also be tagged specifically for DLP. DLP works by detecting structured or tagged documents being ‘moved’ to an ‘unauthorised’ location, at which point it either blocks the movement or raises an alert for further action.

To do DLP right, MF would have had to identify all critical/sensitive documents and tag them, or convert them to a standard format, before DLP could pick them up. That is a lot of work, and anything missed slips right under the watchful eye of DLP. Not to mention that there are ways to circumvent DLP, which segues nicely into our final point.

5. Security is like an onion

A failure in one lock should not cause the entire system to fail.

The hot topic of encryption makes another entrance. Encrypted data makes life hard for inspection-based systems such as DLP, and that is assuming the inspection system can detect the encryption and decrypt it in the first place. A tagged document could be wrapped in a password-protected ZIP/RAR/<insert favourite exfiltration format here>, and if you are lucky the inspection system will at least log the activity. In this scenario you need all of the above, in layers, to reduce the risk of the data breach occurring.
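To make points 4 and 5 concrete, here is an added example of a toy content-inspection check, written for this page and not taken from any DLP product or from MF. It assumes templated documents carry a classification tag (the [MF-CONFIDENTIAL] string is an assumption), unpacks ZIP archives it can read, and falls back to an entropy heuristic for anything it cannot parse. Python’s zipfile module cannot write password-protected archives, so the ‘encrypted’ archive sample is a normal archive with the encryption bit set in its central directory record, and the fully opaque sample is produced with a toy SHA-256 keystream XOR that stands in for a real encrypted container (it is not a cipher to reuse). All sample documents are constructed.

```python
"""Toy content-inspection DLP check over constructed samples (illustrative only)."""
import hashlib
import io
import math
import zipfile
from collections import Counter

TAG = "[MF-CONFIDENTIAL]"   # assumed classification tag embedded in templated documents
ENTROPY_LIMIT = 7.5         # bits/byte; sustained values this high mean compressed or encrypted data
MIN_OPAQUE_SIZE = 1024      # below this, an entropy estimate is too noisy to call a blob opaque


def entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes, path: str = "upload") -> list:
    """Return (path, verdict) pairs.

    BLOCK     tagged content seen in the clear (the DLP can stop it)
    ALLOW     nothing of interest found
    ENCRYPTED archive member the scanner cannot open: it can only log
    OPAQUE    high-entropy blob with no known structure: it can only log
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{path}/{info.filename}"
                if info.flag_bits & 0x1:      # general-purpose bit 0: member is encrypted
                    findings.append((member, "ENCRYPTED"))
                else:
                    findings.extend(scan(zf.read(info), member))   # recurse into nested content
        return findings
    if TAG.encode() in data:
        return [(path, "BLOCK")]
    if len(data) >= MIN_OPAQUE_SIZE and entropy(data) > ENTROPY_LIMIT:
        return [(path, "OPAQUE")]
    return [(path, "ALLOW")]


# --- constructed samples (made up for this example) ---------------------------------------------
DOC = (TAG + "\nShare register, client 4711: bearer shares held via Example Nominees Ltd.\n") * 40


def make_zip(name: str, payload: bytes, encrypted: bool = False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    blob = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write password-protected archives, so mimic one by setting the
        # encryption bit in the central directory record (flags sit 8 bytes after "PK\x01\x02").
        cd = blob.rfind(b"PK\x01\x02")
        blob[cd + 8] |= 0x01
    return bytes(blob)


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream XOR: a stand-in for an encrypted container, nothing more."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


SAMPLES = {
    "letter.txt": DOC.encode(),                                     # tagged document in the clear
    "letter.zip": make_zip("letter.txt", DOC.encode()),             # compressed, still inspectable
    "letter-pw.zip": make_zip("letter.txt", DOC.encode(), True),    # 'password-protected' archive
    "letter.bin": toy_encrypt(DOC.encode(), b"not-a-real-key"),     # opaque encrypted blob
    "memo.txt": b"Lunch menu for Friday: fish.",                    # harmless
}


def run_samples() -> dict:
    return {name: scan(blob, name)[0][1] for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} {verdict}")
```

The first two samples are stopped because the tag is visible once the archive is unpacked; the last two are exactly the “if you’re lucky it logs” case, where the scanner knows something left but not what. That log entry is only useful if someone correlates it with the egress volumes and access records from the earlier points.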

There may be other lessons learnt from this breach, feel free to share below.

Sources:
http://panamapapers.sueddeutsche.de/articles/56febff0a1bb8d3c3495adf4/
https://www.documentcloud.org/public/search/Source:%20%22Internal%20documents%20from%20Mossack%20Fonseca%20%28Panama%20Papers%29%22

I’m back

After a hiatus (being anti social), I’m back on social media.

I’m aiming to blog once a week on strategy, infosec, security awareness.

Also caved in to Twitter: @IAm0xEd

I’m quite new to using Twitter and its idiosyncrasies, so bear with me. If you have any suggestions on who to follow, etc., feel free to let me know (or follow me on Twitter). Constructive feedback is always welcome.

The What, When, Where and Hows of security

What is security?

The objective of security is to stop, or at least limit, the harm inflicted on the asset or organisation.

Would a desperate car thief stop at the garage door to steal a rare car? Would a storm stop because it would cross international boundaries? Why would a determined person with malicious intent stop if they have a set goal in mind?

When do you know if you are secure?

If the asset is worth securing, how much time, effort and cash are you willing to put in to secure it? What are your threats?

You wouldn’t spend $50 to protect a jar of $3 biscuits against a five-year-old cookie monster. However, with a bit of innovation, it is quite possible to spend $1 to protect a jar of $3 biscuits simply by moving it out of sight.

Where is security placed?

Security must be a core part of whatever asset(s) you are protecting. It must be part of any project design/planning process. Security will cross over departments, systems, etc. Security is not down to one individual; it is a shared responsibility.

What would happen should a family member take down the cookie jar and place it within reach of a determined five-year-old cookie monster?

Is my Security implementation effective?

Security will be tested, if not by you it will be by that one determined individual.

Just like any test, you need to know what it is you’re trying to protect, what you need in order to measure effectiveness, and how long the protection is required for.

Remember: Security HAS an expiry date! A security strategy must adapt and grow in step with the asset it is protecting.

What good is a moat if your adversary has access to planes and helicopters?

How do I stay ahead of the security game?

Innovation. But before you can be innovative, you must have the appropriate tools at hand: policies, procedures, information, statistics, metrics…

With that in mind, this blog will help anyone in charge of an asset worth protecting to implement a well-oiled security plan.

What is Well Oiled Security all about?

We’re here to improve your security maturity model, making it a well oiled machine.

Security…

  • is always evolving
  • is a risk minimization exercise
  • is a core part of the business
  • is transparent to business operations
  • is about accountability
  • involves everyone
  • is measurable
  • starts from the top and works its way down