Tag Archives: Risk

Australian Census

Australia’s #CensusFail, but is it really?

Full disclosure: I disagree with the amount of detail collected in the census and the way that the data will be shared. However, this is not a post on privacy concerns, rather a post on common myths surrounding incident response and what we can learn from it.

Some (mis)information that has been going around on various sources (Twitter, news, etc.) has prompted this post. As the situation is still unfolding, there is a lot of information that has not yet been considered or discussed. So, I welcome any constructive discussion to fill in the gaps.

Background

9th of August 2016, the most important day for the Australian Bureau of Statistics (ABS): National census day. A day where massive amounts of data will be collected on individuals providing a snapshot of the nation. Various government bodies will use this valuable data to plan out major projects and allocate resources for the next decade. The data collected is quite rich and is of major value to many entities, both good and bad. The Australian population is about 23 million people and with the census ‘open’ for a short period of time, this big bang launch requires a lot of planning and carries a lot of risk. Kudos to the Australian government for leveraging technology on such a large scale.

The successful management of any teething issues is a sum of risk minimisation and incident response.

Challenge accepted: Knowing your adversary

As with all governments, there are adversaries: political activists, criminal syndicates and nation state actors, just to name a few. Coupled with a motive and capability, a worthy adversary could mount a successful attack. The breach of the United States Office of Personnel Management (OPM) is just one example of a successful attack involving a well prepared adversary.

Playing defence on this scale is not for the faint hearted so spare a thought for any (InfoSec) professional assisting with this mammoth project.

What happened?

In short, the Census suffered 4 DDOS attacks before the service was taken offline. The seriousness of the attack prompted the Australian Signals Directorate (ASD) to investigate.

Dispelling misinformation

The points below serve to dismiss or debate any misinformation seen to date.

Misinformation #1: Bandwidth exhaustion is not the only form of denial of service attack.

A Distributed Denial of Service (DDOS) attack exists in many forms, the best known being bandwidth consumption. Another type of DDOS is resource exhaustion, where finite system resources are consumed until the service fails; examples include, but are not limited to, state based attacks on the TCP stack and memory or CPU based attacks. This form of DDOS does not require a significant amount of bandwidth to be successful.

Hence, network based analysis alone cannot conclusively determine whether a DDOS has taken place.
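An added example, not code from the original post, showing why network based analysis alone is inconclusive: the Python below classifies constructed monitoring samples from a public-facing front end, and a window with low link utilisation but an exhausted TCP backlog and pegged CPU is only flagged once host-side signals are combined with the network view. The thresholds, metric names and sample values are assumptions for illustration, not figures from the census system.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    # One monitoring interval for a public-facing front end (constructed data).
    ts: int                 # seconds since start of the window
    mbps_in: float          # inbound link utilisation, Mbit/s
    half_open: int          # TCP connections sitting in SYN_RECV
    cpu_pct: float          # application-tier CPU, percent
    p95_latency_ms: float   # 95th-percentile response time, milliseconds

# Assumed thresholds for the illustration, not values from the census system.
LINK_CAPACITY_MBPS = 1000.0
BANDWIDTH_FLOOD_RATIO = 0.9   # link at or above 90% of capacity
HALF_OPEN_LIMIT = 5000        # SYN backlog that starves new connections
CPU_LIMIT = 90.0
LATENCY_LIMIT_MS = 2000.0     # service effectively unusable beyond this

def network_only_verdict(s: Sample) -> str:
    """What a monitor that sees only link utilisation would conclude."""
    if s.mbps_in >= LINK_CAPACITY_MBPS * BANDWIDTH_FLOOD_RATIO:
        return "attack"
    return "no attack"

def classify(s: Sample) -> str:
    """Combine network and host signals into 'normal', 'bandwidth_flood'
    or 'resource_exhaustion' (service degraded with the link far from full)."""
    if network_only_verdict(s) == "attack":
        return "bandwidth_flood"
    degraded = s.p95_latency_ms >= LATENCY_LIMIT_MS
    starved = s.half_open >= HALF_OPEN_LIMIT or s.cpu_pct >= CPU_LIMIT
    if degraded and starved:
        return "resource_exhaustion"
    return "normal"

def assess(samples: list, min_consecutive: int = 2) -> list:
    """Group consecutive non-normal samples into incidents, ignoring a
    condition that does not persist for at least min_consecutive samples."""
    incidents, current = [], None
    for s in samples:
        kind = classify(s)
        if current is not None and current["kind"] == kind:
            current["end"], current["count"] = s.ts, current["count"] + 1
            continue
        if current is not None and current["count"] >= min_consecutive:
            incidents.append(current)
        current = None if kind == "normal" else {
            "kind": kind, "start": s.ts, "end": s.ts, "count": 1}
    if current is not None and current["count"] >= min_consecutive:
        incidents.append(current)
    return incidents

# Constructed 10-second samples: quiet, a state-exhaustion window carrying
# little bandwidth, a recovery, then a flood that saturates the link.
SAMPLES = [
    Sample(0, 120.0, 150, 35.0, 180.0),
    Sample(10, 130.0, 170, 38.0, 190.0),
    Sample(20, 45.0, 9000, 97.0, 4200.0),
    Sample(30, 40.0, 12000, 99.0, 6100.0),
    Sample(40, 150.0, 200, 40.0, 210.0),
    Sample(50, 980.0, 600, 55.0, 3900.0),
    Sample(60, 995.0, 700, 60.0, 5000.0),
]
```

Running `assess(SAMPLES)` reports two incidents, while `network_only_verdict` returns "no attack" for every sample in the 20 to 30 second window even though the service was unusable.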

Misinformation #2: Just because there is an ‘attack’ it doesn’t mean that the attack was successful.

Without knowing the underlying architecture of the system, it is very difficult to conclude what vulnerabilities were present that led to a successful denial of service.

Anyone who has worked with an IDS/IPS/etc. will understand that an ‘attack’ is only successful when it is targeted against a specific vulnerability present in a particular system. Whether a vulnerability was present at the time of the attack will not be known until a thorough investigation has been completed.

Any ‘intelligence service’ that lays claim that an ‘attack’ has occurred against an organisation can only be definitive once the ‘attack’ has been matched with the underlying vulnerability. With this in mind, without probes/detectors/etc. within the victim organisation, no service can make this claim.

Misinformation #3: A DDOS is not a data breach however, it can be used to provide cover for one.

Risk minimisation is the best form of prevention an organisation can undertake before commissioning a system. It is impossible to protect against all possible scenarios, so enter the obligatory Sun Tzu quote,

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

In other words, knowing yourself and your adversary is very important to devise a comprehensive risk minimisation plan.

Incorporated into any worthy risk minimisation strategy is an incident response plan, commonly known as a ‘Plan B’. Plan B is to cater for the other things that could go wrong, unforeseen events or things that cannot be treated during risk minimisation such as natural disasters and data breaches. Knowing you have a worthy, determined adversary is one thing but knowing what they are capable of or what they will do, is another.

An incident response plan is both damage control and public relations rolled into one, with the main objective being to restore operations as soon as possible. History has shown that diversionary tactics are one way to consume human resources, allowing attackers to proceed with their main objective, which could be a data breach. There are many references to diversionary tactics being used, one of which is last year’s attack on TalkTalk.

It must be noted that only time will tell whether or not a data breach did take place, for the reasons explained below.

Misinformation #4: ‘Cyber’ Attribution is extremely hard. A host used in an attack does not mean that the owner of that host is the attacker.

Pivoting is a powerful technique whereby an ‘attacker’ gains access to a host in order to progress through an attack. Used by penetration testers (“Red teams”) and attackers alike, pivoting could be used for several reasons, such as gaining access to a critical management server or disguising an attack.

Pivoting to a host could also be used to throw off any investigation, the digital equivalent of framing someone else for some nefarious/questionable activity. A savvy attacker would incorporate some form of pivoting to cover or deflect attention away from themselves.

To compound the issue, obtaining evidence for attribution is met with many challenges: availability and quality of residual evidence, obtaining permission from the owner of the host to gain access, political/legal boundaries and so on.

The net result makes attribution very difficult.

Misinformation #5: Just because the entire story has not been released, it doesn’t mean that there is a cover up. A thorough investigation takes time.

The duration of an investigation is determined by the number of moving parts requiring analysis. Evidence could be destroyed, incomplete or falsified, requiring more time and resources to determine what occurred during an event. Complex systems require a significant amount of time for investigators to gather evidence, analyse, correlate and test theories before presenting their findings to an audience, especially one wanting heads to roll or determined to scrutinise the smallest of details.

An incomplete, bad or botched investigation could result in the loss of credibility for the investigator and the organisation, or worse still, could result in a lawsuit.

The pressure on investigators to obtain factual information is paramount and they would rather avoid any speculation until they are certain that their findings are rock solid.

As InfoSec professionals what could we do?

  • Avoid planting conspiracy theories and instead support, defend and assist the hard working investigators who are under a lot of pressure.
  • Correct any false or misleading information with factual information.
  • Learn from what has happened, use this as a case study and, where appropriate, communicate to your superiors what could be done so that the fallout from something like this could be minimised.
  • Investigators/incident responders: treat incoming information with a pinch of salt, and gather conclusive evidence to support the theories.

Understandably, this is by no means the end of this saga; however, it is definitely not the time to spread rumours or play the blame game.

Allow the incident responders, ABS, ASD and other investigators to conduct what is necessary in order to form a conclusion based on fact, rather than crucifying the innocent. To the Australian government: the public will demand transparency for what has happened, so please put the blame game aside and let us all learn from what has happened. It is taxpayer money, so let us all be good sports; everyone deserves to know the truth (granted, it will be 10 years before another census happens again).

References (by no means comprehensive):
https://en.m.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
http://www.abc.net.au/news/2016-08-10/australian-bureau-of-statistics-says-census-website-hacked/7712216
http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/culture-media-and-sport-committee/cyber-security-protection-of-personal-data-online/written/26312.pdf

Online dating at the organisation’s expense – covered by your InfoSec policy

A few months after the sensational Ashley Madison data breach, another dating website has been breached. Members of Beautiful People have their personal details floating around on the internet.

Previously undisclosed intimate details such as sexual preferences and orientation will have a social impact on the unfaithful and close family members. Personal impact has serious consequences spanning beyond financial impact such as strained family relationships, reputational damage and adverse health consequences (eg: stress).

Organisational policy is there to ensure that staff behave in line with organisational expectations. Just as staff are not allowed to take bribes or turn up to work intoxicated, they are expected to ensure that their online behaviour does not tarnish the organisation’s reputation. When allowing personal use of corporate systems, organisations must consider the external impact of a staff member’s actions.

An organisation’s security policy must reflect the level of professionalism expected by senior management and importantly their customers. Policy, communication, education, transparency (and incident response/public relations) must be in place to protect all parties involved.

After all, staff who behave badly are a reflection on the organisation as a whole.

http://www.9news.com.au/national/2016/04/26/15/43/government-emails-caught-in-beautiful-people-hack

You are the weakest link…attacking the weakest link on a global level

When protecting a high value target, a single point of failure could be a catalyst for a catastrophic breach.

When securing multinationals, consideration must be made for the smaller subsidiaries. They are connected to the corporate network and as any good pentester can tell you, pivoting is a powerful concept.

Smaller subsidiaries may not have the same level of physical, network and endpoint security. Some subsidiaries may face different levels of threat: political, socio-economic or domestic instability.

A quick example: a UK multinational operating in Argentina, or a Taiwanese company operating in China; could there be repercussions?

On the other end of the spectrum, subsidiaries may not have faced the same level or intensity of threats as their parent company. Psychologically, staff in a safe backwater nation maintain the perception that the threats of the developed world are not of major concern to them.

It is important to note that security is a global effort, consider the threat level and adjust to it.

http://www.databreachtoday.eu/interviews/targeted-attacks-how-ready-japan-i-2820

When you’re contractually/legally required to do something, you better do it…

If you happen to be a company in the field of protecting personal information (PI), you would think that you’d take precautions. If your shop cannot do what it says on the tin, customers will flock to others that can.

Especially when you have a court order to do so.

Lifelock, an ID theft protection company, received a court order in 2010. As quoted by Wired:

Lifelock had been ordered to remedy that situation, but according to the complaint filed today, it has failed to do so.

Not groundbreaking news, but protecting information involves people, processes and technology. Encryption, password management, need-to-know access and patching are all basic measures that were not followed.

http://www.wired.com/2015/07/lifelock-failed-one-job-protecting-data/

What makes for a well oiled security strategy

Summary:

  • CIOs/CISOs need to be able to determine and provide a unified communication strategy to other CxOs and staff outlining what needs to be protected, the risks associated and how to mitigate these risks.
  • Security efficiency is achieved by integrating security as far as possible into normal business functions.
  • The effectiveness of any security program must be measurable.
  • Scope, timing, statistics and integration are required.

Like all good security conscious organisations, you have security policies, security software, procedures, etc. That is all well and good, but how effective are they?

Coming from an incident response/project management background, every task is quantified, hence (aim), scope, timing and statistics/metrics are extremely important. Integration ensures that there is no disconnect between the business and security functions; this also avoids overlooking security tasks.

The CIO/CISO steers the security ship: communicate with the other C level executives and get their support to communicate with the rest of the staff.

Aim needs no introduction; for completeness, the aim is to protect the organisation’s assets by identifying risks against the assets and developing measurable strategies to ensure that the exposure is reduced in the shortest period of time.

  • To understand the impact of the situation and to reduce resource utilisation in critical situations, scope is very important: what assets are you trying to save/protect? Prioritise what is critical to the business. This also has the added benefit of getting everyone on the same page, by knowing that the information staff handle should also be protected accordingly.
  • Timing is critical. Timing is used to test how long it takes before a threat is detected, how long it takes to break into a system, the time to mobilise incident response teams, the time to neutralise any threat, resource consumption/availability, etc.
  • Statistics/metrics are used throughout to determine if a response has a positive effect; milestones are used to determine when to stop neutralising a threat and assist with the next course of action, mark how far a system has been compromised before detection, etc.
  • Finally, much of this should be integrated/embedded into the business, ideally through an existing business function such as system life cycle management, asset management, incident reporting, etc.

If we relate this to a racing team we have the following:

  • Aim: to win the race
  • Scope: only dealing with cars and not trucks etc., prioritise improving the performance of the car, provide constructive feedback to the driver, etc. Also, each discrete unit performs a well defined, unique task
  • Timing: it’s a race, the quickest team wins; how long is each component/process/team taking?
  • Statistics: How fast is fast? How do you know you’ve improved? Where can you improve?
  • Integration: This is what makes the team; every discrete unit works together with a common goal.

What is the end result:

  • business intelligence gained from this can be applied to other disciplines, e.g. strategy/planning, project management, forecasting/projections, etc., thus delivering tangible benefits to the organisation
  • business agility can be achieved as changes can be implemented quickly and effectively
  • risk assessment/planning
  • from a security point of view, security visibility will improve, anomalies will be easier to detect, posture will be easier to assess, and security functions will become simpler to deliver

In the upcoming blogs, we discuss a working example where this can be integrated.

Security is a balance between offence and defence.

Summary:

  • How do you know that your defences are good if you don’t test them?
  • What lengths would your adversaries take to compromise your systems?
  • Adopt the same offensive mentality as your adversary in order to test your defences

You have your security strategy, you know (most of*) your threats/vulnerabilities, you implemented a top-down well oiled security program, policies, procedures, processes, technology, etc. You’re now safe…

Really…?

As mentioned in a previous blog, security must be tested either by you or by your threat.

The Mandiant Threat Landscape report shows that intruders can be on your network for 243 days before being detected. (1)

Let’s be ignorant and ask a few questions:

  1. How did they get through our defences?
  2. Why did it take so long for them to be detected?

etc…

Let’s assume that all the policies and technology are capable of keeping the adversary out; how would *you* know? Business is evolving, computational power is getting cheaper, interconnectivity is expanding, attack information is easily accessible and adversaries adapt. With all of that in mind, is your security program evolving?

This gap between the security program and the adversaries’ capabilities is the current risk to the organisation.

From the last blog, an assessment would have been made to find out an organisation’s assets and threats. As part of the threat analysis, some consideration would have been made to examine the likelihood and the capabilities of the threat.

Risk mitigation will consider the threat analysis then apply the appropriate risk treatment.

A lot of threats could be addressed by going through a ‘checklist’; this would be considered a ‘baseline’. However, to stop a determined adversary, advanced threats, etc., some innovation is required. As a penetration tester, you need to be innovative and think outside the square to find ways to get in; this is where innovation is practised.

Back to answering question 1: to be a good security professional you have to think like *the* threat, the adversary, a pen tester, in order to minimise the risk of a threat compromising your organisation.

As for the second question, it is obvious that the adversary was not detected at the time of entry and that raises other questions: how well oiled is your security program? Is it measurable? Were the right vulnerabilities addressed?

To answer this, you need to put your defensive hat on…

1. https://www.mandiant.com/threat-landscape/

Defining Security Scope: Another way of saying ‘know thy enemy’

You cannot protect what you can’t see

Summary:

  • Know your assets and threats based on industry, size, image, political, social factors, etc.
  • Conduct high level identification and assessment of the threats
  • Produce suitable mitigation strategies/countermeasures for the threats until the risk is at an agreed level by the business

Without knowing your assets and understanding the threats against your assets it is extremely difficult, if not impossible, to protect your environment.

Identifying your assets will be discussed in a later blog. Let’s quickly discuss threats.

Each industry has its specific threats and they range from amateurish to well-funded nation states.

There are models available to help map out what threats your organisation could potentially face.

The areas to consider are:

  • Industry: Is it a highly competitive industry?
  • Size: How large is the organisation?
  • Image: Does the company have a great dependency on its image/brand, and what would happen if it were to be compromised?
  • Political: Do political events affect the organisation?
  • Social: Is the organisation operating in an environment where social tensions work against the organisation?

etc..

Each area has a specific threat and depending on the threat, a suitable risk mitigation strategy should/must be considered, reviewed and implemented.

To put it into perspective, your corner store is probably not going to be targeted by a nation state.

However, a large/vocal pro-Western company may be a target of an anti-Western organisation, political affiliation, etc.

For each threat there is a countermeasure: mitigate, accept, insure, delegate, etc.

Once all of this has been considered, a scope can be defined to allow for the security team and affiliates to adhere to and follow.

Understanding the scope allows any organisation to formulate an appropriate strategy to counter the threats.

Naturally, this will need to be reassessed on a regular basis (think diversification, acquisitions, etc) to ensure that the organisation is protected.