Nigel Stanley is the IT Security Practice Leader for Bloor Research. In this blog Nigel will be commenting on the world of IT security and other areas of interest from time to time.
After years of being an enforcement also-ran the Information Commissioner's Office (ICO) is finally going to get some teeth to deal with those that contravene data protection principles—see the details here.
With the government now in agreement to beef up fines to £500,000, we may start to see those that look after our data take their jobs more seriously. Hopefully the next step will be a data breach notification law as well, so when our personal data is lost we have some comeback. I'll watch this space with interest.
I was recently sent a link by my friend Steve Gold highlighting the work of a hacker who goes by the name "Jester". Apparently this hacker has found a way of initiating a DDoS attack without relying on a distributed network of systems. Instead he uses a low-spec Linux PC and an anonymizer service that has unrestricted bandwidth.
My initial reaction was one of scepticism but apparently the "authorities" are taking this threat seriously. Check out the story here and see what you think.
I recently had an interview with Lumension chatting about whitelisting. Is it coming of age?
Application whitelisting, which is the notion of only allowing pre-determined applications to install and run on a network, is gaining a lot more mindshare from security teams than ever before. Once in place and properly configured, an IT estate protected in this way should be able to prevent unapproved software code or applications from being installed.
Of course, whitelisting is only one part of the information security mix.
Forgetting the world of automatic downloads and so on, one big question I always ask when discussing whitelisting with security people is whether they see users trying to install unauthorised applications on their work systems. In most cases this doesn't happen, due to workstation lockdown and techniques such as whitelisting, but when it does, it is interesting to understand the motives of the user in question. This applies especially if the user is trying to install an application to help with their job. If this is the case then we, as information security people, need to see how we can quickly facilitate what is probably a justifiable business need.
At this point I get right on my hobby horse—delivering business benefit is what we security people are all about. Too many people lose sight of this, and application whitelisting must be seen as an enabler for business benefit. I’ll get off my hobby horse now!
For the whole interview check out http://blog.lumension.com/?p=2425.
Here in the UK, after the second world war, lots of people were driving cars which were in pretty bad repair - brakes were poor, lights were damaged and steering was often ropey. This led to accidents and injuries that could have been prevented. In 1960 the Ministry of Transport introduced a compulsory test, now commonly called the MOT, on all vehicles over 10 years old in an effort to ban the most dangerous cars from the road. Over time the age at which annual tests begin reduced to its current 3 years, and the breadth and depth of the MOT has now expanded to incorporate new technologies such as catalytic convertors.
Is the growth in IT related regulations and compliance requirements following a similar trajectory to the evolution of the MOT test?
All in all we now see far fewer “old bangers” on the road than at any time in the past and I wonder whether we will benefit in seeing fewer data breaches and security lapses as computer systems are put through regular audits or their MOT equivalent.
Of course the mistake many people make when buying a car is to assume that a current MOT certificate is proof that a vehicle is roadworthy. It isn't - all it means is that at the time of testing the car was able to pass the MOT test.
In a similar way a computer system may pass an audit but very rapidly collapse into a state of non-compliance due to mismanagement. Constant attention to audit and compliance is the only sensible way to manage these needs.
Who knows, with the development of decent compliance and regulations we may see less dangerous IT systems and fewer data loss accidents, crashes and mishaps.
It's food for thought.
Recent European research gives a good idea of the state of secure application coding practices in Europe.
When I heard about BSIMM I let out a cheer: at long last a practical guide for those that want to do application security for real. Gary, Brian, and the gang behind this deserve a real pat on the back.
Anyone that has spent more than 3 seconds searching the Web would have realised that there is a lot of bad stuff out there, and by this I mean more than crappy websites and dubious information sources.
It appears that a lot of really bad stuff, including viruses, malware, spyware and other horridware, is being sneaked into articles and images featuring various celebrities. According to this report from McAfee http://newsroom.mcafee.com/article_display.cfm?article_id=3554, websites hosting celebrity photos and gossip are strewn with malicious code waiting to catch out the innocent browser.
So who is the most popular celeb that is being targeted to act as a malware host? Apparently someone called Jessica Biel.
Nope, I have no idea either.
For those with more home grown interests apparently Katie Price, AKA Jordan, is the UK's biggest malware target.
Can't think why.
Anyway, check out the report and see if you have more luck in identifying the malware toting celebs.
According to this report an Australian naval officer attending a defence seminar in Bangkok had his laptop stolen from his hotel room.
Reportedly an expert in maritime communications and information systems the officer, "left his five-star Banyan Tree Hotel at 2am, travelling to the red light entertainment district of Nana Plaza in Sukhumvit Road. He returned to the hotel accompanied by a Thai person just before 3am."
Australian defence people are now worried in case our hero of the hour was targeted or may have been knobbled whilst he was tired and emotional.
Or maybe he was simply knobbled by the "Thai person."
On a serious note the laptop only contained "the lowest classification" of data. Even so, if the laptop was not encrypted it might make for interesting reading by a foreign intelligence agency. If sensitive data was stolen then the UK-USA Security Agreement, the five-nation intelligence sharing network of which Australia is part, would be further dented at a time when intelligence agencies are under increasing scrutiny.
Infosecurity magazine is holding its very first virtual conference on 24th September 2009. This is a one-day event about the latest information security trends and challenges.
I'll be covering a session called "Whoever said any publicity is good publicity? Data breaches: Who's been named and shamed in the past year?" It promises to be lively and entertaining, so if you have any headlines you'd like to see discussed drop me a line and I'll take a look.
An interesting piece of work here by the folks over at Channel 4, the last remaining outpost of reasonable TV news reporting in the UK since the demise of BBC news into a dumbed down, animated celebrity magazine.
Over the past financial year over 8,000 viruses have infected NHS computers resulting in cancelled appointments, diverted ambulances and a whole load of distress to patients. Hospitals affected range far and wide and include well known establishments such as the Royal London and Barts where Mytob ran amok in the back end of 2008. The most bizarre infection occurred at the West Middlesex Trust who allege that a Dictaphone became infected. Luckily the virus didn't spread any further than the aforementioned tape recorder but my mind does boggle.
Trusts do have a high degree of autonomy when it comes to managing desktop computers and, like everywhere, quality of IT staff varies. My biggest concern is the impact on patient care—an aspect often forgotten about by those embroiled in passing the blame.
I am always rattling on about good end user education when it comes to IT security. Let's face it, with a well educated, aware and on-the-ball workforce your chances of them introducing malware through social engineering or phishing attempts should be reduced.
The problem is that the quality of "baitware"—that is, emailed documents that contain malware—is improving. F-Secure have an interesting selection of baitware on their site (http://www.f-secure.com/weblog/archives/00001715.html). The quality of the written prose is a lot better than usual and the business speak quite convincing. Most of these would be convincing to a lot of users, except the last example of a prize winning notification.
This just goes to show that we all need to be switched on to this threat, and the days of sniggering at poorly written scam emails may be drawing to a close.