Art of Deception

I have just finished reading The Art of Intrusion’  by Kevin Mitnick and William M. Simon.  Some may remember the name Mitnick, he is probably one of the most famous hackers of all time.  In this book Mitnick and Simon present real life cases of computer hacking.  Whilst it is now ten years old, many of the stories told in the book are, sadly, still relevant today.  What took my attention was the statement at the very end of the book: pages 258 & 259 to be precise, which I hope Mr Mitnick and Mr Simon don’t mind me reproducing here:

And that seems like a powerful message to end with. If every computer user were to improve his or her passwords tonight — and not leave new passwords in some easy-to-find place — then tomorrow morning, we would suddenly find ourselves living in a much more secure world.

We hope that will be an action message for every reader of this book.”

I’m sure the book has had success, but how many people have taken note of that last paragraph and actioned it?  The message about passwords is forever being talked about.  Every year SplashData produce a list of the top passwords used worldwide. In 2015 the number 1 position was held by the password ‘123456’ closely followed in second position by ‘password’ and then ‘12345678’.  One of the first things hackers want, is to get hold of a password.  Once they have one of these, their task is much easier and it looks like the users of computers are not making this too difficult.

Passwords are a pain though.  I think I have over 70 now and trying to dream up new passwords for every site/system and then changing them regularly is even harder.  It is recommended that passwords are complex, between 8 and 12 characters and also contain special characters such as #^&? etc.. So personally, I am expected to remember:

  • 840 characters;
  • the associations of those characters to sites/systems;
  • the reminders that will help me remember my password!

And change them all regularly.  If I follow security recommendations of changing passwords every 90 days, that means annually I am having to remember 3,360 characters just in connection with my computer activity.  That’s hard and is probably the reason people reuse, write them down or have ridiculously simple ones. But until something more reliable comes along we are stuck with the dreaded things and we have to make the best of them.

When reading Mitnick’s final paragraph, I remembered the work that had recently been published by CESG in cooperation with CPNI – Password Guidance Simplifying your Approach.  In what seems to be a very well written and straightforward document they recommend, amongst other things, lightening the burden on users.  Specifically they state:

  • Users have a whole suite of passwords to manage, not just yours.
  • Only use passwords where they are really needed.
  • Use technical solutions to reduce the burden on users.
  • Allow users to securely record and store their passwords.
  • Only ask users to change their passwords on indication or suspicion of compromise.
  • Allow users to reset passwords easily, quickly and cheaply.
  • Do not allow password sharing.
  • Password management software can help users, but carries risks.

This seems sound practical advice.  So I would recommend that if tomorrow, every business looks at their password policy and revises it in line with the CESG advice then we could find ourselves living in a much more secure world.

Reducing the risk of the risk of this:

Password - Incorrect

Featured image by: Eric Schumuttenmaer


Now have I patched my wet ware?

Divers in Peaches
Picture by: Hans-Peter

No this blog is not about diving or any other type of sports where one might get wet.  Wet Ware is a rather unattractive name some security professionals give to the user of a computer system.  It is claimed that it is impossible to ‘patch’ Wet Ware which results in it being the most vulnerable part of most systems.

In my last blog, I suggested that not all cyber (I am growing to dislike this term) incidents can be prevented by technology.  There had been a recent incident at Lincoln County Council, which had been caused by a user opening a bad email and clicking the link it contained.  Patching our wet ware (last reference I promise) is actually becoming more important than ever.  It is not impossible, but it is not a small task.

In the PWC Information Security Breaches Survey 2015 It has been reported that 50% of the worst security breaches in the year were caused by inadvertent human error.  The numbers are rising as well.  There was a 58% increase in large companies and 31% increase in small companies of breaches as a result of human error.

Dealing with this is multifaceted:

  • The top of the organisation has to be seen to ‘do the right thing’.  If top management are ‘gun ho’ handling company information, then you can be sure the rest of the organisation will be.
  • Policies and procedures.  I know these are considered a pain.  But they don’t have to be, they can be short and only cover what is needed.  Policies and procedures are important they give employees a reference point.  I have very different standards in the management of my information to that of some of my customers, but their policies give me a point of reference to how I should behave.  Without that I may do my own thing.  What policies should a business consider?  That depends largely on the risks they feel they are mitigating but as a minimum the following could be considered:
    • Document control.  Where and how is information stored, who can access the stores? How long do you retain the information for your records?
    • Protective marking of information.  Ask yourself a question:  If I rang your company, spoke to a secretary, sounded knowledgeable and asked for some information would they know if I was allowed to see it?  A simple marking systems which indicates the level of sensitivity of the information would provide that guidance.  So if I rang and ask to see a document that was marked Company Eyes Only, they would instantly know that they could not send it outside of the organisation.
    • Joiners, Movers and Leavers actions.  What do you do with system access rights on each of these occasions?
    • Use of removable media like USB sticks, CDs or Cloud transfer services such as OneDrive, DropBox etc.  Once data leaves your system and enters one of these environments, what control do you have?
    • Bring you own device.  What devices of their own are you going to allow you employees to use for work related activity?  What are their responsibilities if they do use their own technology?  What are you going to do to prevent loss of data on that device etc.
  • Training. You have your policies and procedures and now you have to inform people what they are how to use them and why they are relevant.  In addition to training on the policies, I would also include training on responsible business use of the internet and especially social networking.

In the bullet points above, I have skimmed the surface of what organisations should consider to ensure their employees don’t become the weakest link in the Information Security Chain.  Combine this with general development and it will not become too onerous a task.  Certainly a lot less hassle than a breach, which the PWC report says now costs on average £40,000 – £250,000 for small companies and between £800,000 and £2.1m.  Ouch!



Now have I patched my wet ware?

Do I need a cyber-proof widgimewit?

Cyber Widget
Picture by Dan Zen

Cyber Security is not about technology.  Cyber Security is about managing a corporate risk and that means assessing it as a whole: People, Process and Technology and putting up the correct level of mitigation.  When I read about Cyber Security all I seem to see is technology that I need to buy to prevent bad people gaining access to my network, PC, Tablet or Phone.  Technology is one element and to my mind something the technologist should be left to once the risk is evaluated and understood.  Without understanding the risks it is easy to spend a fortune on the latest cyber-proof widgimewit which is actually unnecessary for your level of risk and isn’t doing much for you.

One area I see constantly neglected is staff training.  When I first started to work in an office, we were fairly good at managing and protecting our information.  We were trained on the filing system, and cabinets and offices were locked at the end of the day.  If a file was loaned, tracers were used and the office I worked in used a marking system so we know how much of various pieces of information we could share, which I understand was common practice in most large companies.  If you dare mess up the filing, not complete a tracer card or not enter a new document into the register you risked the wrath of the office manager.

With the use of electronic filing systems discipline seems to have gone out of the window, along with the training that went with it.  After all the technology will take care of it won’t it? No.  And these bright young people we employ will work it out from themselves won’t they? No.  The technology not only brings with it a potential for poor information management processes, it also brings additional information security headaches and they can’t all be solved with technology.  Take the recent example of Lincolnshire County Council.  Last week they experienced the dread of a Ransomeware attack.  A piece of malicious software that scrambles the data on computers rendering it useless.  For a fee the attackers claimed they would provide the key to unscramble the data.  It was reported that the council did not pay the ransom. That was the right thing to do, but they subsequently spent considerable time fixing the problem during which no IT was available and effectively, business was suspended.  This must have cost the Council, not only cash, but also damage to their reputation.  What caused the problem?  A link in an email was clicked by a member of staff and this triggered the malware.  I have to say,  there but for the grace of god go I.  Only this week I was nearly fooled by one of these emails, but the knowledge I have makes me a little more cautious and makes me always have a second read.  It is time that we re-instilled the discipline and training that we used to have around information. I am not saying that training would have prevented the particular incident in Lincoln, but it could have.

Do I need a cyber-proof widgimewit?