Saturday 23 October 2010

MALICIOUS THREATS: CELL PHONE MALWARE - HISTORY & DANGERS

Computer Viruses, Trojans, and other related Malware, designed with the clear objective of circumventing some level of security in real time, have been with the computing community since the mid nineteen eighties. In fact, in their conceptual form they were documented by Fred Cohen, who demonstrated their potential on the UNIX Operating System, work which was further progressed by Ralph Burger, who wrote Computer Viruses – a High Tech Disease.

In their early incarnations, viruses tended to be very low in number in the wild, and were mostly concerned with infecting Files, or Operating System Boot Sectors, on Intel PCs. In fact, in the mid eighties, when the considered potential dangers were presented to CESG (UK Government), it was commented that they [viruses] were considered to be just a passing nuisance! However, it was not long before virus proliferation increased, impacting Business Operations with infections like Cascade, Coffee Shop, and Joshi. Interestingly enough, one of the very first viral outbreaks to impact the UK MOD (Ministry of Defence) was actually the Cascade Virus, which caused the letters presented on the screen to cascade down to the lower section of the VDU – rather annoying. Out of this state of emerging insecurity came the growth of the Anti-Virus Industry, with organisations like Norton, Sophos, and Dr Solomon's emerging as computing household names, providing end-user and business anti-virus solutions. Then came the advent of the Computer Worm, with its wider spread impact, followed by Polymorphic (self-modifying) code, and then smarter encapsulated methods of delivery intended to avoid detection by the deployed Anti-Virus Solutions – all getting very Cat-and-Mouse.

In the early days of the spread of viruses, however, the intent of the originator was largely to boast of their creativity with some very overt action – say, displaying a message on the computer screen, generating sound, or, in the case of some smarter and more interesting viruses, inviting the user to play a game: if they won, they got to keep their Operating System intact and in working condition; if they lost, their operational system was no more.

Today, however, the creators of Viruses, Trojans, and Malware have grown to be very business focused, and no longer send out their wares with the intent of simply announcing their presence. The objective now is to infiltrate the local security logic of the device, embed, or connect to, some other form of adverse code, and then perform actions such as stealing information, or utilising the local resources of the infected system – say by using its local hard drive to store information, or its Internet Connection to attack another computer or organisation! And all without the knowledge of the user/owner.

Today, Computer Viruses, Trojans, and Malware are well-known vectors of attack, and in most homes and businesses one tends to find some form of defence, in the form of Commercial or Free Anti-Virus solutions deployed to provide a level of protection.

Like all trends, they tend to increase with the advancement of time and technology, and in the case of Computer Viruses, Trojans and other Adverse Logic (AKA Malware) this is no different.

SPAM

The early days of SPAM, and the threat it posed, were again a case of history repeating itself. Around 2005, I raised and alerted a number of Government and Industry focused bodies to the potential security issue of a new protocol and conduit to support delivery of adverse and malicious content. The reception of this early warning information was a replication of the early-day virus threats – SPAM was at that time concluded to be an annoyance, and was tolerated as something that just had to be dealt with as a nuisance factor! As we now accept, SPAM today is a major conduit and delivery channel for adverse objects ranging from Malware to Trojan Horses, and is a viable tool for Hackers, Criminals, and Organised Crime to generate Millions in revenue on an annual basis!

CELL PHONE MALWARE

Go into any Cell Phone Retail Outlet to buy a modern Cell Phone, and it soon becomes very obvious that it is much more than a simple device on which the owner can make calls. The average device is now populated with a smart e-mail client, Office Applications, Widgets, Tools, High Capacity Storage, Download Centre, Update Manager, WiFi, Bluetooth, and 802.x Wireless Connectivity, not to mention the always-on (area allowing) 3G, EDGE Connectivity, and VoIP – and to put the icing on the cake, all topped off with an Internet Browser.

The upshot here is that our Cell Phone is no longer the simple device with which we called business contacts, friends, and family, but now represents a Micro Hand Held Computer with processing, storage, and smart capabilities that far exceed those of the first Desktop Systems running on 68000 and 16-bit 8086 processors. Without doubt, devices running on the latest Symbian and Android Operating Systems are very smart, technologically intelligent, and capable devices.

Working in the capacity of Academic Research, the issues of Cell Phone Security and Threats were raised by Nottingham Trent School of Computing and Informatics as far back as 2005. These observations of the next generation of risk were again discussed at Conferences in 2007 and 2009, and these new vectors of insecurity and exposure were again considered not realistic. In fact in 2007, whilst presenting at a Conference in the East Midlands, it was the wide and considered opinion of some well known researchers that e-Crime was actually on the decline – an opinion which I contended at that time.

Cabir: So where are the real threats today? One of the first programs originated to target the HHMC (Hand Held Micro Computer) was Cabir. In this case it was produced as proof-of-concept Malware, carrying no intended payload to cause adverse impact or damage to the target host. However, Cabir was made available on the Internet, and within approximately eight weeks it had been released into the wild and spread to a global audience! In fact, if one cares to look today, Cabir is available for free download from multiple locations – for whatever purpose.

So just what are the current levels of threat in relation to the Cell Phone? Well, in basic terms it is a manifestation of the early threats posed to the Desktop PC. For instance, as they have access to a wide range of connectivity protocols, and can access the web, they are open to potentially the same (or similar) vectors of threat that are encountered at the desktop. Whilst the take-up of on-line Banking may be slow, I am nevertheless aware of people who do do it. When working in public places, or travelling on WiFi-enabled Public Transport, such devices may connect to, and remember, previously connected networks – thus with such configurations in place, by simply being in range, the device will hand-shake and connect without any intervention by the owner! Added to this set of risks, there is the potential to socially engineer a target user by sending him or her a link like:

Hi – long time no see. It was great meeting you last year at that Conference. I was really impressed with your background, and know the link below will be of interest:


With a little smart research, it can be easy to work out some basic facts about interests and events attended, and with a simple bit of Crafting the attacker may then send out the hook – what is at the end of the connection is of course very much down to the intent and imagination of the sender – but one thing is for sure, connecting could be bad for both your logical and financial health.

Within the last 12 month period the criminal and hacker interest in, and for that matter research into, the area of Cell Phone centric Malware has intensified, and it is now considered by a growing number to be the next, new vector of attack on personal and business use of mobile assets. Consider the prospect of going to where the money is – Cached and stored credentials, notes, contact information and possibly some locally stored business information assets, and Corporate IPR intelligence, all of which have an intrinsic value. It could also be that the core objective is to infiltrate and circumvent Cell Phone Security to install some form of Trojan object to gather, or use, the device's personal space, connectivity, or whatever else the attacker has in mind – don't forget, as with the aforementioned cases of Viruses and SPAM, just because it is not a high volume threat today should not be interpreted as something that may be discounted. In fact, this is now far from the case, with organisations like McAfee having written papers on the subject, and other Anti-Malware Researchers such as Symantec and Kaspersky Labs now developing, and making available, Anti-Malware solutions for some derivatives of the Smart Cell Phone, or should I say HHMC (Hand Held Micro Computer).

CONCLUSION

As with the outlined history of viral and malicious threats, they have started small and grown exponentially over time to present the current-day threat that every computer user and business alike potentially encounters each and every day, both at home and at work. With the advent of Cell Phone Malware, whilst these threats are in their early days, given that proven mobile infections have been demonstrated to present a threat to the device, it may be assumed that the Criminal Fraternity, Hackers, and the Malicious will start to maximise exploitation to their own interest and end. In fact, according to the well respected Mikko Hyppönen (F-Secure), there are now well over 300 types of Malware that have been created for the HHMC, including Trojans, Worms, Spyware, and Viruses.
Where Cell Phone Anti-Malware is concerned, granted it is in its early incarnations; nevertheless it may again be concluded that, dependent on the user's quest to achieve security and to reduce the risk to their HHMC, they may choose such a solution to provide that increased assurance.

The overall conclusion is that, whilst these threats are currently at the bleeding edge, they should be expected to grow, and thus for business and the end user of any such HHMC, no matter the Operating System upon which it resides, it is highly recommended that they at least remain tuned in to any emerging threats.

Thursday 21 October 2010

Patch Me UP

It has proven to be an interesting week where vulnerabilities are concerned – Google Chrome would still seem to be up there with the best of them, with exposures which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system – not a good start to the browsing day on the Internet.
We also see a week in which the applications are again proving to need a little maintenance to keep Home and Business Assets secure – Adobe Flash Player, Adobe Reader, Sun Java JDK, Mozilla Firefox, Foxit Reader, Opera, Internet Explorer (multiple issues), and Microsoft Windows (O/S).
What should all of this tell us? Well, one thing is FACT: if the computing asset of choice is not maintained in a current and patched condition, it just may be that it could suffer some form of compromise before too long – so tune in, and apply those patches.

The Age of the Smart Cell Phones

The Age of the Smart Cell Phones is upon us, and no matter be they based on the good old Apple brand, or based on the smart platform of Android, these new tiny hand held devices bring to the palm of your hand computing power, which once upon a time would not have been achievable by the lump of plastic sitting on your desk – called a Computer (PC).

Each of these new Smart Devices has the capability to connect to the Internet, and to communicate via protocols such as Bluetooth, Wi-Fi (802.11x), and in some cases IR (infrared). These devices have on-board very capable CPU processing power, and the potential to store information in Solid State Memory of up to 32GB – simply amazing.

And no doubt, the future of these devices will see them jump to the front of the corporate usage line, with increased usage to drive the business mission forward – hmmm, all very positive stuff.

But there is always a downside, and here we are talking about Security. First of all, there are hundreds, if not thousands, of applications in the pipeline for Android, and anyone who has ever installed one such application will have noticed that, on occasion, they demand many services which could be exploited for some distant miscreant purpose. However, in most cases I have observed, the users simply feel so encouraged by the newly offered functionality to be enabled in their hand that they do tend to agree to everything, and go on to install.

Smart Cell Phones are also subject to potential attacks by specially crafted URLs, and of course, given they are Internet savvy, are open to Malware, Phishing, and any other level of crafted exploit aimed at the palm of the hand.

So where do we go from here? Well, when using, or for that matter allowing employees to leverage, their own personal Smart Cell Phones to conduct your Corporate Business, it may be a good idea to consider your on-campus Corporate Security Policies, and extend them out to such out-of-band assets.

To conclude, I recall one event where a large Corporate was refreshing 10,000 cell phones. The instruction was: go to the Canteen and hand in your old device. By return, the user received his/her brand new and shiny, all singing, all dancing, smarter Cell Phone. However, during the process, it was noticed that the S word had not been considered (Security) – guess what, over 80% of the recycled Cell Phones destined to leave the hands of Corporate Control contained Company Business and Sensitive Data, Contact Lists, and even, in two cases, the user’s Personal Banking Details and Transactions – a small device admittedly, but nevertheless the potential impact from a breach is still considerable.

Expect to see the Smarter Cell Phone come into its own in the next 12 months, and by the same token expect to see the interest of the hackers also increase to circumvent the aspect of security – these are, after all, smart devices operating on the very perimeter of the Operational Environment, and thus carry risk!


Illegal Flowers and Cyber Threats

To be at the leading edge with public observation can be both a painful and lonely place to be – but then, if we only speak in repetitions about what is known or safe, I doubt this approach would amount to any form of commercial or academic learning or progress.
It was approximately two years ago that I commented on what many had been saying in private, relating to the involvement of China in Cyber Spying, and the mounting attacks against government targets. What was even more interesting was that, at that time, many in higher law enforcement positions, or other public office, fully agreed with what had been stated. However, it was made very clear that, with the Olympics pending, the timing of any such statement was imperfect!
The counter argument was that, whilst admittedly there was no clear and conclusive evidence that any such actions were state sponsored by the Chinese Government, or for that matter even condoned, the underpinning of the assertion could be considered flawed – right! However, given that China (.cn) boasts a Cyber-connected, Firewalled environment, supported by an estimated 30,000 operatives who are empowered with monitoring and high surveillance capabilities which can detect even the slightest whiff of cyber-dissent, does this not beg the question as to how such hostile cyber-aggression could be accomplished without state detection?
Could it be that the perpetrators have knowledge of the internal security mechanisms deployed within the surveillance shroud of the Great Firewall, and thus may easily circumvent its controls and detection mechanisms? Or could it be that such actions are fully, or partly, sanctioned and sponsored by Government Agencies?
Lastly, is it the case that, whilst such activities are not state sanctioned or sponsored, they enjoy some liberal blind-eye tactics which allow such unfettered cyber attacks to continue?
Through research into this subject, aligned to harvested data obtained from commercial organisations, clear evidence and artifacts have been found to exist which, by interpretation, strongly imply that attempted cyber incursions and attacks had been mounted from the electronic soil of China.
In some cases, the particular attacks ran on a daily basis, targeting a number of large commercial organisations located in both the UK and the US. What was even more interesting about the vectors of attack was that, in a number of cases, the time, size, and profile of the attacks were consistent on each and every day – one could ask the question why? In a number of these identified cases, some organisations found they could technically tolerate the conditions, as they had not manifested in any apparent operational impact.
Even more worrying, even though these probes were regular, they were not reported to any agency or authority!
Back in 2008, after the reported attacks against the UK, the US, and Germany which were tagged Titan Rain, protests were made to the Chinese Government about these miscreant cyber-focused activities. At that time, whilst not fully explicit, the inference was that some state-owned accountability was associated with the aggressive cyber attacks encountered.
The concern now is: were we, or are we, at the tip of the cyber-iceberg, with the remaining seven-eighths staying out of view, suggesting we should expect to see more of these types of activities in the future? Many feel the conclusive answer is – Yes!
It is worrying that a new survey has found that, whilst most businesses believe they have comprehensive safeguards to protect data, they still run a high risk, every time an employee sends an email, connects to an unknown Internet resource, saves data to a USB stick, or posts a message on Twitter, that data could be handed over to competitors, or worse.

The recession is inevitably leading to job losses, a situation that was brought into focus in a recent survey by “Cyber-Ark”, which found that 60% of workers in the City of London would be prepared to steal data from their employer if they thought their job was at risk, and 40% had already downloaded data just in case.
Most worrying.

Wednesday 20 October 2010

History - 2008 - China has been accused of sponsoring cyber-terrorism

At the International Crime Science Conference in London in 2008 it was stated that the Chinese government was behind the 'Titan Rain' attacks on the US and the UK.

The attacks were identified as coming from servers in China, but the Chinese government has never officially been accused of being behind the assault.

"Up to last year (2007) people did not take it very seriously, and then there were state-sponsored Chinese groups and all sorts of groups attacking the UK and the US and getting into the infrastructure. That happened again earlier this year (2008)." It was also stressed that there was a problem with what could be state-sponsored electronic terrorism – no matter how much collaboration you have internationally, if you have a state-sponsored terrorist coming out of China or Russia you are not going to get them.

Titan Rain is the name given by the US government to a coordinated series of attacks on US computer systems. Hackers gained access to many US computer networks, including those at Lockheed Martin and NASA.

INTERNET RISK – THE ISSUE

Communities are at risk from Cyber Criminals and Organised Crime, but the fact of the matter is that, in the majority of cases, the public are not aware of the vulnerable position they can be in when they use on-line resources (AKA the Internet) – say buying goods or services, using an iPhone, setting up their Home-based Wireless Internet Connection, or just opening an e-mail. Each action can, and does, carry risk!

For example, are Internet users aware that approximately 95% of all e-mail in circulation is SPAM? Are users aware that simply opening an e-mail could lead to their on-line banking and credit card details being compromised by a Cyber Criminal?

The other questions relate to after-the-fact security issues – if users do fall victim to an insecurity, would they be aware, and for that matter know where to go to resolve their exposure?

Wireless and Broadband connectivity has done much to support learning and education, and many young people now have computers in their bedrooms – but if they are connected to the Internet, do you know who these young users are talking to – and for that matter, do they?

Education & Awareness: The solution is User Security Education & Awareness. Work with the House of Lords on the Security of the Internet Paper published in 2007, through to work with EURIM to support a number of vulnerable groups (both elders and the young), materialised into a Security for a Digital Britain Conference which was run on 24th September 2009 in Nottingham, and more local events of this type are needed.

It is not just about the end users, but organisations and businesses as well – in the last 12 months we have proven insecurity in the way organisations do business and deploy their systems – ranging from showing businesses how it was possible to gain unfettered access to back-end information (some relating to client accounts and passwords), loss of systems with customer data on them (your information), exposure of on-line authorisation systems to gain unauthorised access to user accounts, through to finding holes in deployed systems which were hosting sensitive applications (which was the subject of a Radio 4 Report in 2009).

Sorry for the repetition, but the answer to making a difference is to start to deploy some form of Public Security Awareness & Education – as with smoking, if you buy a packet of cigarettes they come with a health warning – maybe the same applies in the logical sense when one purchases a new computer, or other Internet-enabled device.

Paper Waste

End-of-life Information Assets in the form of paper can, and do, hold business-critical and sensitive data (information) relating to Internal Staff, as well as to Clients.
The bag of waste in the image below was dumped on the path outside a London-based Financial Outlet – two things were observed. One, the shreddings actually contained complete characters, and secondly, the shreddings were in sequential order – thus reconstruction would not be an issue for anyone with a reasonable level of eyesight.
At the end of the day, this would seem to be a case where Standards and Policies had been applied which dictated the requirement to shred Sensitive Waste – the shortfall here was of course the failure to accommodate the required level of shredder capability to assure that ease of reconstruction could not be achieved.

From a Past Blog Sent Jan 2010 - Cyber Threats

It has probably been said at the start of most New Years that never before has the interconnected world seemed so exposed to new, smarter security exposures – but right now, looking back at the landscape of 2009, I feel most, with any form of vision, would tend to qualify this as a robust statement.
The cyber-battle to date has seen the majority of security operations pushing back against those we referred to as hackers.  However, what now joins the ranks of adversaries, adding to the complexity of defending the enterprise, and individual, is the onslaught of professional aggressors in the form of Organised Crime, Professional Spammers, and Scammers.
It may now also be politically acceptable to accept that very real risks exist from State Sponsored Cyber Attacks, and infiltrations – Remember Titan Rain! We may also now be close to acceptance that threats are posed by those who would seek to utilise technology in pursuit of Cyber Terror, attacking National and International Targets - of course we also have threats posed by anarchists, and politically motivated individuals through Hacktivism, and we are only just into 2010!
That all said, on the frontline of Security Education, it was encouraging to see a Poster Campaign launched toward the end of 2009 with the backing of SOCA and other Government Agencies, in the form of www.thinkjessica.com. This was seeking to educate the wider public as to the threats posed by Spam, and its very real potential to hurt the public’s pocket.
The real cyber-battle exists at the end-point PC or Laptop, no matter the current level of anti-virus update – and let us be honest, anti-virus protection is only as good as what it knows about, and is no longer the panacea of all-encompassing protection it was once considered to be.
It is now a case of increased complexity at the end-point operating system, application, and multiples of software components and drivers which are co-hosted, each of which from time to time may be exposed to critical vulnerabilities exposing the end-user to some form of compromise.
So why, in such a landscape of risk and vulnerabilities, can Cyber Criminals and Organised Crime flourish – do we see Government bodies helping them with their mission to circumvent security (the good news is that, as of October 2010, this is in part now in progress)?
After a full ten years dancing around the legal maypole, the EU finally won its case with Microsoft over the perceived dominance of the IE Browser. Now consumers will ostensibly have a choice of which browser they wish to use with their Windows operating system. However, this was also a new prime opportunity for security risks to flourish which may be left out of the current Patch and Fix equation.

Ironically, due to the arrival of a raft of new Web browsers, such as Opera and Google Chrome, Windows users have a choice of browsers regardless of whether the EU brokered peace with the Redmond-based software giant. In any case, most ordinary users would be unaware of the wide choice they have, but perhaps more worryingly, they may also be unaware of the need to keep their browser software healthy, secure and updated.

Take Google Chrome - in its first incarnation it was released totally insecure, and upon installation and use, exposed the local system, and by inference, user, to the very real potential of ease of compromise and system incursion by a hacker, or criminal.

No matter how savvy the user may be, he/she must be aware of the need to apply timely security fixes and patches. In fact, consider the 2009 release of Google Chrome updates and the associated security fixes – 9 High Criticality and 2 Moderate, most of which exposed the end-point PC to the prospect of local unauthorised access.

For any hacker, or person with criminal intent, I guess they would see the past EU victory as most welcome in moving their Cyber Crime business forward to be more productive, and hope it will benefit them with an increase in their illicit revenue stream – and thus they are looking forward to a very crime-ridden, prosperous, and opportunistic 2010 (which would now seem to be the case also).

So, some sensible advice would be: choose whatever browser you wish, but just consider the security implications, and ensure it is maintained in an up-to-date and secure condition – as Microsoft, as the provider of the base operating system, may no longer be assured to facilitate this as part of their on-board update service.

INFORMATION LEAKAGE

Information Leakage is possibly one of the most common, and most misunderstood, security risks faced today, and potentially one that impacts organisations every single day. Linked to Electronic Distance Information Gathering, it can, and does, pose significant security risks to Business and Government Agencies alike.
Information Leakage and Gathering may be employed to determine much about the internal business model and strategies – for example:
a) Organisations' connections
b) Working practices
c) Mobility of information assets
d) Levels of sensitivity
e) Personalities and contact information
f) Infrastructure and Application Components
g) Third Party Relationships

For instance, from information which may be located on the Internet, it may be possible to obtain a pen-picture of what an Organisation, or Agency looks like on the inside. Maybe some information made public under an FOI request, linked by inference of content to a more recent publication relating to the type, classification, and sensitivity of an Information Asset under process or retention within a particular area. Of course this is particularly of interest if such Information Assets are subject to UK Government Protective Marking.
It may be that a Department or Agency has a very low profile and is nondescript, but nevertheless has connections with sensitive Government Agencies, Law Enforcement, or other such official bodies.
Lastly, such leakage of Information titbits can provide an attacker with valuable information as to the type and value of data that may be physically communicated, and thus makes the job of targeting a Business, Agency, or Organisation much easier.
With such collateral in the possession of the attacker, they may then turn to what other valuable information can be obtained about the Internal Employees, Associated Contractors, and any Third Parties who provision support.  Here opportunities exist to Socially Engineer any identified personalities, or to infiltrate one of the Third Parties who are supporting the potential target for long-arm infiltration – it has happened.

Last but not least, it may be that some external communications which have been published provide the attackers with insight into the internal electronic workings of the organisation – Servers, Operating Systems, VoIP, and Infrastructure Components that are deployed. Such information is valuable to underpin any form of future electronic attack – it simply removes some of the early need for Footprinting, guessing, and leg work.
As an example, consider multiples of Information Assets finding their way from the Intranet to the Internet side of the organisation's web space, providing access to around 230 individual documents containing:
a) Organisation Charts
b) Internal Contact e-mail addresses and telephone numbers
c) Department Descriptions
d) Agendas of Internal Security Committee Meetings (along with the outcomes)
e) Budget Information
f) Documents which indicated Storage and Processing of High Value Government Protectively Marked Information Assets


Furthermore, to add credibility to the published information, other FOI Information Assets which were made available on other Agency Sites underpinned a conclusion as to the type of information that had been stored and processed by this user – thus heightening the attractiveness of the target.
Add to this confirmation of on-going links to other more sensitive UK Government Services, and soon one realises they have a very high gain, and a very soft target!
Insecure Electronic Documents: Publicly shared documents containing invisible hidden content in the form of Metadata, and those unseen Track Changes, manifested in the potential for unintentional disclosure – all giving away additional snippets of information, or should we say Intelligence – in this case extracted from examples of the 230 harvested, downloaded documents!

So What!: In this age of internal tensions, with the associated risk of Terrorism, it should follow that such circumstances as the above would be of serious concern. However, when one links this to a time in which the National Security Stance is High, the expectation of a commensurate response should go without saying!
What such Information Leakage provides an attacker is ease of identification of Soft Targets which hold the desired levels of information. It may also be that, because of associations, it is not the information itself that is the target, but the actual facilities, for the purpose of plotting a Physical Attack – where Information Leakage of this type exists, it has a very real potential to cause injury, and loss of life, and thus should be taken very seriously – surprisingly this is not always the case!
Prevention is better than Cure: There are some very basic steps which may be applied to mitigate, or reduce the risk, and to accommodate high gain security to protect such soft targets, and they are as follows:
·         Ensure that any Information Assets which are published externally are appropriate
·         Control what may be released, and published about your organisation
·         Consider the implications, and inferences, of any information that is published in relation to Partner, or other Sensitive Agencies
·         Agree a Corporate Communications approach to manage ALL information releases
·         Have a process in place to periodically trawl the Internet looking for signs of Information Leakage
·         Have a process in place that removes Metadata from any documents prior to publication or external release
·         If the organisation publishes documents in PDF, consider applying Security Settings, and Encrypting the content
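The "Insecure Electronic Documents" point above, and the step of stripping Metadata before release, can both be automated. The following is an added example, not code from the original post: it builds a small constructed DOCX-style package in memory (a core-properties part naming the author and reviser, and a body containing a tracked deletion whose text names a server room), reports what a reviewer would not see on screen, then produces a sanitised copy with the properties blanked and the tracked changes accepted. The sample parts, names and figures are constructed for illustration; a real DOCX carries further parts, which `sanitize_docx` copies through unchanged.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the document body and by the core-properties part
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
for prefix, uri in (("w", W), ("cp", CP), ("dc", DC)):
    ET.register_namespace(prefix, uri)

# Constructed sample parts (not a real document): author names, a revision
# count, and a tracked change whose deleted text names a server room.
CORE_XML = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
  <dc:title>Security Committee Agenda</dc:title>
  <dc:creator>j.smith</dc:creator>
  <cp:lastModifiedBy>a.jones (Internal Audit)</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
</cp:coreProperties>'''

DOCUMENT_XML = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W}"><w:body><w:p>
  <w:r><w:t xml:space="preserve">Budget for next quarter: </w:t></w:r>
  <w:del w:id="1" w:author="a.jones" w:date="2010-10-01T09:00:00Z">
    <w:r><w:delText>GBP 4.2m (server room B, floor 3)</w:delText></w:r>
  </w:del>
  <w:ins w:id="2" w:author="a.jones" w:date="2010-10-01T09:01:00Z">
    <w:r><w:t>to be confirmed</w:t></w:r>
  </w:ins>
</w:p></w:body></w:document>'''


def build_sample_docx() -> bytes:
    """Pack the two constructed parts into a minimal zip laid out like a DOCX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_docx(data: bytes) -> dict:
    """List the hidden content a reviewer should see before publication."""
    report = {"metadata": {}, "insertions": 0, "deletions": 0, "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" in z.namelist():
            for prop in ET.fromstring(z.read("docProps/core.xml")):
                if prop.text and prop.text.strip():
                    report["metadata"][_local(prop.tag)] = prop.text.strip()
        if "word/document.xml" in z.namelist():
            body = ET.fromstring(z.read("word/document.xml"))
            report["insertions"] = len(body.findall(f".//{{{W}}}ins"))
            deletions = body.findall(f".//{{{W}}}del")
            report["deletions"] = len(deletions)
            for d in deletions:
                report["deleted_text"].extend(
                    t.text for t in d.iter(f"{{{W}}}delText") if t.text)
    return report


def _accept_changes(elem) -> None:
    """Accept tracked changes in place: keep the runs inside w:ins, drop w:del
    entirely, and with them the author/date attributes that wrapped both."""
    kept = []
    for child in list(elem):
        if child.tag == f"{{{W}}}del":
            continue
        _accept_changes(child)
        kept.extend(list(child) if child.tag == f"{{{W}}}ins" else [child])
    elem[:] = kept


def sanitize_docx(data: bytes, keep_title: bool = True) -> bytes:
    """Return a copy with core properties blanked (bar the title) and changes accepted."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            blob = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(blob)
                root[:] = [p for p in root if keep_title and _local(p.tag) == "title"]
                blob = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            elif name == "word/document.xml":
                root = ET.fromstring(blob)
                _accept_changes(root)
                blob = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, blob)   # every other part is copied through untouched
    return out.getvalue()


def visible_text(data: bytes) -> str:
    """The text a reader of the document actually sees."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        body = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in body.iter(f"{{{W}}}t"))
```

Run `audit_docx` on anything destined for a public web server and treat a non-empty `deleted_text` or a populated `lastModifiedBy` as a release blocker; `sanitize_docx` is the step to put in front of publication, with `audit_docx` run a second time on its output as the check that it worked.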
Remember, what may seem to be of little value in isolation may be a completely different ball game when assessed against other aggregated Information Assets obtained (AKA Intelligence).
Above all remember, we are living in times where internal, and International tensions are high, thus no matter the presumed lowly value of the snippet, in the bigger picture the implications could be serious to both information, and in the most extreme of cases, life!

Cyber Forensics

Over 70% of UK Homes have a computer, with 93% + connected to always-on broadband, and against the backdrop of the fact that in the majority of criminal and corporate cases a Computer, PDA, or Cell-Phone may be lurking somewhere in the background – thus the case for Computer Forensics.
No matter whether SME or Corporate, there is no doubt that, with the array of available system capabilities, and free and paid-for tools, organisations with internal technological capabilities may maintain a Computer Forensics Capability to respond to incidents, and to any requirement for the collection and analysis of artifacts.
This complex capability is in two parts, of which the technological aspect amounts to the lesser of the two evils. The question is, if the results of a case, the artifact(s), or the applied processes were subjected to test or challenge seeking to validate the scientific approach, would they meet the expectations of evidentiary reliability? Where analysis has been conducted, would the processes meet the necessary quality expectations of ISO/IEC 17025:2005, and ISO 9000? Lastly, would the processes, procedures, and associated disciplines be robust enough to satisfactorily counter any challenge?
By its nature, Computer Forensics is heavily dependent on technical capabilities, tools, and snazzy technological prowess. However, this is a game of two halves, with the most critical components being the applied rigour of process, the applied disciplines, and the documentation used to underpin the activity. Any weakness, gap, or break in the chain could result in those impressive skills employed in reacting to an incident being entirely wasted – a Disk Image obtained outside of a rigorous process may not be completely wasted effort, as it may be considered a high cost backup – but would it represent a reliable, robust Forensic Artifact – possibly not!
To conclude, based on experience, and cases, it has been continually demonstrated that it is absolutely essential for a Computer Forensics Policy, and an Operational First Responder Documentation Set to exist. Agreed, to have in-house Forensic Tools and Applications is a must, but the most important part of all is to apply rigour, then apply process, finishing off with, yes, you guessed it, PROCESS.
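The "break in the chain" point above is the part tooling can make tamper-evident. The following is an added example, not code from the original post or from any forensic product: a hash-chained custody ledger in which every action on an exhibit commits to the previous entry, an acquisition routine that records the source hash and the verification hash, and a check that an image is only treated as reliable when the chain is intact, the acquisition was verified, and the image still matches the hash taken at acquisition. The device contents, tool name and examiner are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only, hash-chained record of every action taken on one exhibit.
    Each entry commits to the previous entry's hash, so a later edit to any
    entry, or a removed entry, breaks verify_chain()."""

    def __init__(self, exhibit_id: str):
        self.exhibit_id = exhibit_id
        self.entries = []

    def record(self, action: str, examiner: str, tool: str, detail: dict) -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "exhibit": self.exhibit_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "examiner": examiner,
            "tool": tool,
            "detail": detail,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        """Canonical JSON of everything except the hash field itself."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify_chain(self) -> bool:
        prev = GENESIS
        for seq, entry in enumerate(self.entries, start=1):
            if entry["seq"] != seq or entry["prev_hash"] != prev:
                return False
            if self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


# Constructed stand-in for a source device; a real imager reads the device block by block.
SAMPLE_SOURCE = b"\x55\xaa" + bytes(range(256)) * 16


def acquire_image(source: bytes, ledger: CustodyLedger, examiner: str,
                  tool: str = "example-imager 0.1") -> bytes:
    """Hash the source, take the copy, hash the copy, and write both steps to the ledger."""
    source_hash = sha256_hex(source)
    ledger.record("acquire", examiner, tool,
                  {"source_sha256": source_hash, "bytes": len(source)})
    image = bytes(source)
    image_hash = sha256_hex(image)
    ledger.record("verify", examiner, tool,
                  {"image_sha256": image_hash, "matches_source": image_hash == source_hash})
    return image


def image_is_reliable(image: bytes, ledger: CustodyLedger) -> bool:
    """An image is only as good as its record: intact chain, a verified
    acquisition, and a current hash equal to the one taken at acquisition."""
    if not ledger.verify_chain():
        return False
    acquisitions = [e for e in ledger.entries if e["action"] == "acquire"]
    verifications = [e for e in ledger.entries if e["action"] == "verify"]
    if not acquisitions or not verifications:
        return False
    if not verifications[-1]["detail"]["matches_source"]:
        return False
    return sha256_hex(image) == acquisitions[0]["detail"]["source_sha256"]
```

The ledger is deliberately boring: plain JSON entries that a first responder can print and sign, with the hash chain doing the work of showing that nothing was inserted, removed, or reworded afterwards. The same `record` call should be made for every later step, such as mounting read-only, keyword searching, or handing over the exhibit, so the documentation set the post calls for is produced as a by-product of the work rather than reconstructed from memory.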

As improbable as it may seem . .

Living in an electronic age which is always open to abuse, there is an expectation that users, business, and government systems, infrastructures, and applications are secure – Right!
With the ordinary home user, the level of security they deploy will vary from nothing, to a fully-fledged and secure system, installed with up to date Patches, Malware Protection, and some levels of sensible Perimeter protection.
With Corporate, and Government deployments however, one could make the assertion that they accommodate sensible, and pragmatic levels of security which will secure them, their partners, and above all their clients – and in the majority of cases, this is the mission most reputable organisations pursue to the best of their ability. Sadly, and as improbable as it may seem, the expectation of what security should look like in an operational environment is not always a reflection of reality.
One of the major flaws in the security profile of some deployments is, whilst the Corporate Policies may say System, Infrastructures, and Applications MUST be maintained in an up-to-date level of patch, there can be a gross lack of adherence to the application of Patches, and Security updates in real operational terms. Such shortfalls can range from isolated cases, through to environmental wide failings to apply the required level of security, to assure the environment is safe from the known vulnerabilities.
As an example, consider the hypothetical case of a Global Business with a strong brand reputation running its business on an out-of-service e-mail system – would, or should, this be a serious issue? Well, first of all, if it is out of service, then it has most likely also fallen off the Security Patch, and Update lifecycle. Secondly, it will potentially be hosting old, and well established Security Vulnerabilities and Exposures. Last but not least, in such a circumstance the e-mail application may be a little flaky with current technologies, so, all-in-all, it would not be a sound basis upon which to run our hypothetical business.
But what would this mean in real-time security terms? Well, first of all, given this is an e-mail system, it potentially affects the majority of Business Line operational assets at both the mail client (Local) and the Server (Remote) where such a potentially flawed application is providing the operational service – so it may also be hosting wide exploitation for the organisation. Secondly, as the mail client and application are out of date, they may gain more interest from hackers, and criminals, as they will most likely be aware from the mail headers (Footprinting) that the version is out of date, and so its potential for vulnerabilities and exploitation is much increased.
The real worry here is, if such slack practices were in place within a real world business, does this leave systems, infrastructure, and applications open to abuse – and does it expose the Partners and Clients to higher levels of exposure?
Last of all, one should consider the position of organisations with ISO27001 Certification, or those who are required to comply with the expectations of PCI-DSS – here they are presented with a challenge, with very few mitigations, or countermeasures, and as such the assumption of governance would tend to suggest that such an insecure profile would be out of step with the requirements of security.
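The Footprinting remark above cuts both ways: the same headers that tell an outsider a version is out of date tell the organisation exactly what its own gateway is disclosing. The following is an added example, not code from the original post: it parses a constructed outbound message, pulls every product/version token out of the headers that commonly name sending software, compares each against a policy minimum, and lists which headers are the ones worth stripping at the gateway. The product names and the policy table are fictional placeholders, not vendor lifecycle data.

```python
import re
from email import message_from_string

# Headers that commonly name the sending software. The minimum versions are
# constructed placeholders for fictional products; replace with your own policy.
SOFTWARE_HEADERS = {"received", "x-mailer", "x-mimeole", "user-agent"}
POLICY_MINIMUM = {"ExampleMTA": "4.0", "AcmeMail": "2.1"}

# A product token followed by a dotted version, e.g. "ExampleMTA 3.2.1" or "AcmeMail/2.0.14"
VERSION_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9-]+)[ /(]v?(\d+(?:\.\d+)+)")

# Constructed sample message (example.invalid hosts, documentation-range address).
SAMPLE_MESSAGE = """Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
\tby relay.example.invalid with ExampleMTA 3.2.1; Sat, 23 Oct 2010 10:15:00 +0100
X-Mailer: AcmeMail/2.0.14
X-MimeOLE: AcmeMail/2.0.14
User-Agent: FooClient 5.0
From: alice@example.invalid
To: bob@example.invalid
Subject: test

body text
"""


def parse_version(version: str) -> tuple:
    """'3.2.1' -> (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_message(raw: str, policy: dict = POLICY_MINIMUM) -> list:
    """One finding per distinct (product, version) the message discloses."""
    msg = message_from_string(raw)
    seen, findings = set(), []
    for name, value in msg.items():
        if name.lower() not in SOFTWARE_HEADERS:
            continue
        for product, version in VERSION_RE.findall(value):
            if (product, version) in seen:
                continue
            seen.add((product, version))
            minimum = policy.get(product)
            if minimum is None:
                status = "unknown"          # not in policy: inventory gap
            elif parse_version(version) < parse_version(minimum):
                status = "below_minimum"    # out of step with the patch policy
            else:
                status = "ok"
            findings.append({"header": name, "product": product,
                             "version": version, "status": status})
    return findings


def exposing_headers(raw: str) -> list:
    """Header names carrying a software version; candidates for removal at the gateway."""
    msg = message_from_string(raw)
    return sorted({name for name, value in msg.items()
                   if name.lower() in SOFTWARE_HEADERS and VERSION_RE.search(value)})
```

Run `audit_message` over a sample of your own organisation's outbound mail (a day's copies from the gateway is enough) and the `below_minimum` findings are the gap between the patch Policy and what is actually deployed, while `exposing_headers` lists the client-side headers that a gateway rewrite rule can drop. `Received` lines are added by each hop and cannot simply be removed, which is why the version advertised in the MTA's banner is the one to keep current.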
In a world of acknowledged Cyber Vulnerabilities, Threats, and regular hacking attempts, should it not be an expectation that business strive to service their perimeters, and assets to the best of their advantage? Is it not the case that not to do so in the face of such significant threats, and adversity, could be considered culpable of an offence? Above all is it not the expectation of every user who logs into an organisation, or has their personal data stored and/or processed within their Corporate Systems, that the level of security is maintained at its optimum – I believe this is, and should always be the case.