The demise of information security


Thursday 19 January 2017

The good, the bad and the (un)known

Information security, or cyber security, relies on a model we have applied for years, since the very early days. This model has changed very little; comfort has set in and, unfortunately, we are in a situation where we rely on it too much, almost like an addiction, which prevents us from thinking about something new and questioning it.

This applied model of security is one based on “known bad”. Its foundation is the idea that one is able to identify a threat, allowing a software or security tool to detect it, flag it and prevent the exploit. Techniques used for identification exist in many flavours: a hash, an indicator of compromise, a vulnerability database, URL or IP reputation, etc. By nature it is a reactive approach: we need to discover the exploit first, and in the majority of cases that means it has already made casualties. These first casualties are sacrificed for the majority of users; unfortunately for them, they might suffer severe damage whilst others are saved. Once the exploit is discovered we update all tools so they can detect and eventually prevent the bad from happening.

   This is a global problem. We don't have a malware problem. We have an adversary problem. There are people being paid to try to get inside our systems 24/7. – Tony Cole

The evolution of technology allows us to limit the zero-day gap (a zero-day vulnerability is an undisclosed computer-software vulnerability that hackers can exploit to adversely affect computer programs, data, additional computers or a network; source: Wikipedia). Fast detection of a zero-day exploit, by using sandbox techniques for example, allows us to protect the environment quicker and reduces the attack window. Unfortunately this approach has drawbacks: polymorphic malware modifies itself and makes sandboxing difficult. When your organization suffers a polymorphic malware attack, every sample looks different and would require sandboxing in order to get proper detection. Other solutions are present, though, which look workable at least for malware detection.

However, targeted attacks benefit little from this type of protection. If your organization is in the crosshairs of hackers you might suffer a breach and, at best, detect it 200 days later.

   Technological progress is like an axe in the hands of a pathological criminal.– Albert Einstein

Why does it fail to detect?

These hackers may use known malware, but at the time they use it, it is likely to be unknown to any of the “known bad” tools. A few days or weeks later you detect a piece of malicious software. Your security tools and staff clean it up and consider the job done. It is extremely difficult to tell whether this piece of software is part of a well-crafted attack against your organization. In the meantime the hacker remains hidden in your environment and uses covert channels to communicate with it. These hackers might stay asleep for weeks, months or even longer. The variety of bad is far bigger than what comes into sight as normal and good actions. When the “known bad” model was established it relied on a simple concept: the misfits are a minority. Luckily, this is the case in our real lives. The bad has outnumbered the good, therefore we might need to add something to the loop.

How to distinguish the wanted from the unwanted?

Many organizations are only looking outside. Many of us are clueless about the behaviour of the network, systems, users, applications, etc. For the majority it is impossible to dig up baselines that show how remote users log in, or who logs in from which location. Once we have a baseline of what can be considered normal or good behaviour we can start proactive security. Whenever a deviation is detected the security team can investigate, and if something serious is on the rise it can be stopped. Today we wait until havoc breaks out and then try to run after the facts. At best we can contain it and fix it at a later stage.

This model implies that your organization accepts that an attack will happen: a hacker will eventually gain access to your environment and try to steal, destroy or blackmail. The “known good” model requires you to learn about normal behaviour, since there is no fixed hash, signature or definition for it. And it will be different for each organization; it is even different within an organization, since the accounting department probably has different working habits than the IT department. It is a tough row to hoe; it requires investment in time, staff and money.
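As an added illustration of the baselining idea described in the two paragraphs above (example code written for this page, not code from the original post), the following Python builds a “known good” baseline of which countries each user normally logs in from, then flags later logins that fall outside it. The log format, the user names and all events are constructed for the example; a real deployment would learn from far more attributes than the source country alone.

```python
# Added example (not from the original post): a minimal "known good" baseline
# for remote logins. A training window of login events establishes which
# (user, country) pairs are normal; later events outside that set are flagged.
# The log format and every event below are constructed for this example.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_country=(?P<country>[A-Z]{2}) result=(?P<result>\S+)$"
)

# Constructed training-window log lines (the learning phase)
BASELINE_LOG = """\
2017-01-02T08:01:00Z user=alice src_country=BE result=success
2017-01-02T08:05:00Z user=bob src_country=BE result=success
2017-01-03T09:12:00Z user=alice src_country=NL result=success
2017-01-04T07:55:00Z user=bob src_country=BE result=success
2017-01-05T23:40:00Z user=carol src_country=BE result=failure
"""

# Constructed lines from the monitoring phase
LIVE_LOG = """\
2017-01-19T08:03:00Z user=alice src_country=BE result=success
2017-01-19T03:14:00Z user=bob src_country=CN result=success
2017-01-19T10:20:00Z user=carol src_country=BE result=success
2017-01-19T10:25:00Z user=dave src_country=BE result=success
"""


def parse(log_text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Map each user to the set of countries seen in successful logins.
    Only successes count: a failed attempt must not teach the baseline,
    otherwise an attacker's guessing would become 'normal'."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["country"])
    return dict(baseline)


def find_deviations(baseline, events):
    """Return (user, country, reason) for successful logins outside the baseline.
    A user with no successful history is reported as unknown rather than ignored."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        known = baseline.get(e["user"])
        if known is None:
            findings.append((e["user"], e["country"], "user not in baseline"))
        elif e["country"] not in known:
            findings.append((e["user"], e["country"], "new country for user"))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in find_deviations(base, parse(LIVE_LOG)):
        print("deviation:", finding)
```

Run as a script it reports bob's login from a new country and the two users (carol, dave) who have no successful login in the training window. Note the deliberate choice that carol's earlier failed attempt does not place her in the baseline: what counts as "known good" must be learned from trusted events only.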

What it is not!

It is not a silver bullet and it doesn't replace the “known bad” model. Both are complementary, and combined with machine learning and artificial intelligence it will be a continuous improvement process to fine-tune and understand “normal” and distinguish it from bad. Additionally we need to change our ideas on what we should log into the SIEM and what not, which data is useful for correlation and which is not.

Wednesday 7 December 2016

Nos pensées sont tracées

My apologies for the French, but it sounds so much better...

Yes, you and I, we are all somehow traced by something or somebody. In most cases it will be something in the form of a gadget such as your smartphone, phablet, car, television, sports bracelet and many others. And of course we all drown ourselves in innocence, stating we have no secrets to hide. This is where it goes wrong. At some point we all have a secret, and if not privately then perhaps in our professional work. The Internet of Things (IoT) is anything but about keeping information private; its goal is to correlate all the received data into useful information, in order to visualise it and create an idea from it that can be exploited later on to make more money, to get to know you better, to know your habits, to know you. They, anyone from governments to commercial organizations, like to know you. Our interconnected life makes it increasingly easy to gather all the information: your smartphone contains a lot of information on your whereabouts, your behaviour, who you call and when, how long you call, what restaurants you like to visit, etc. Your car tells car makers how you drive: sporty, aggressive, polite, fast, slow, and eventually also when and where. Your provider knows what you surf on, what you look for, who you talk to. Your television knows what you watch and when, and in some cases even which movie you watch when it is stored on a local hard disk, USB drive, etc. It seems innocent, but it is not. The question is not if this data comes together, but when.

It might seem innocent, but together with your health data, which is now captured in many sports bracelets, motion meters, weighing appliances, etc., it could become a dangerous cocktail. Imagine you're overweight, you rarely do sports, you drive your car fast and you go 12 times a week to Jack in the Box or any other quality burger restaurant :). Your health insurer would love to know, because you're triggering all the alerts that make it highly probable they will have to pay one day, either for regular healthcare or for intensive care :)

We, consumers across the globe, need to think about what we do and how we use technology; it seems technology is dictating to us instead of the other way around.

Friday 25 November 2016

Privacy is not a currency

A few days ago, when I attended a blockchain roundtable, someone said that the currency of today is privacy: you pay with privacy for the use of services such as Facebook, Gmail or anything else. I beg to disagree.

You don't pay with privacy, you irreversibly give it up in order to continue with a service or tool you initially signed up for. If it were a currency you could apply for a money-back guarantee, but this is a technical nightmare today. When you look back at how Facebook evolved, it started as a private communication tool where you defined what to share in a group. This soon changed into a platform where, by default, a lot more of your data was made publicly available. The erosion of privacy has sneaked up on us, without notice. Well, we were notified; we just did not read the 50 or more pages of a user agreement written in legal jibber jabber that only the best lawyers can decrypt.

You already have zero privacy. Get over it. – Scott G. McNealy CEO of Sun Microsystems Inc (1999)

Your Privacy or my service!

The problem is that the rules you agree upon today to use a service might be changed in the course of your experience with the service. That might sound OK, but it is not. You're held hostage: you could opt out, but can you really? The downside, in the case of Facebook, would be that you'd have to look for an alternative and convince all your contacts to do the same. And those contacts would need to do the same with their contacts, which doesn't sound like a plan that will succeed. Either you stay or you give up, since you do not have the possibility to disagree and, for example, pay a small fee to leave things as you agreed upon initially.

Long live GDPR (General Data Protection Regulation)

I do think GDPR has some benefits, but looking at the practical and technical reality we live in, it might become very difficult if not impossible to achieve. You have the right to be forgotten, and you could ask Google to remove all referral links to content about you. But that will not delete the data. You can ask Facebook to delete it; perhaps they will, perhaps they won't. And how can you remove a transaction from a blockchain solution? The basis is good, but users give consent to something they have difficulty comprehending, and unfortunately I see little movement in that direction. Of course, giving a user insight into the most intrusive privacy rules a service applies would be far too easy to integrate, wouldn't it?

What can you do?

Understand what happens if you put the intended message online, the picture you've taken, the video, etc. Understand that public areas such as LinkedIn, Facebook or any other are not made for sharing private information. Do not blindly agree to an intrusive smartphone app that wants to read all your content. Keep your secrets secret...

Wednesday 26 October 2016

Internet: out of service until further notice

For those active in cyber security, Friday's Distributed Denial of Service attack on Dyn did not come as a surprise. Many of us use a statement: the question is not what if, but when.

Dyn got attacked by a botnet of Internet of Things devices: IP cameras, webcams, etc. The majority of these devices have poor security features, and that, in combination with a default out-of-the-box installation, makes them prone to attack. And since IoT devices are in the majority of cases always on, they can be used or abused at any given moment in time.

(H)acktivist organisations have already expressed multiple times the intention to bring down the Internet. Though the recent attacks on KrebsOnSecurity, OVH or even the BBC may well be from another botnet and perhaps not related, there is an ongoing trend: since 2016 DDoS attacks over 10 Gbps are on the rise (according to the Verisign report), combined with an increase in UDP floods, more specifically DNS traffic. The DNS root servers have suffered attacks, the most recent not even a year ago. We hit a record earlier this year with 665 Gbps and now it seems we've reached 1 Tbps, which many predicted to be possible after the 665 Gbps mark was reached.

Who is learning to break the internet and bring it on its knees?

The easy answer: the usual suspects. But I doubt it will be an easy answer...

How did we get here?

The tragedy of the commons is an economic theory of a situation within a shared-resource system where individual users acting independently according to their own self-interest behave contrary to the common good of all users by depleting that resource through their collective action. (wikipedia)

The Internet can be considered a shared resource, and we all use it and act according to our own self-interest. It is our own individual responsibility to keep our systems malware- and botnet-free, to reconfigure devices when we hook them up to the web, to keep them updated, etc. And if we don't, we might damage the common good.

However, we've come to a stage where we hook up toasters with zero security to the Internet. Those that make the chips (no pun intended) for these have no financial incentive to provide updates; their goal is to create a new one, release it and sell it. Those that manufacture the cheap chips into a product, as requested by the brand name, have no responsibility whatsoever for updates. And the brand releasing the product makes at best an interface that you as a user can use; they do not care about the underlying technology. At the end of the chain there is us, hooking them up to a network and creating the weapon of the future. We can fly to the moon and back and bring people back to earth in all safety, but we fail to protect the Internet from a toaster...

Protection will have to be at all layers; it is a shared responsibility, from the manufacturer to the end user, from the backbone provider to the home user. And preferably at the beginning of the chain, so that costs remain acceptable: integrating security at the end is in the majority of cases more expensive.

Unfortunately there is no simple answer, no simple solution; it requires cooperation and responsibility from each and every one of us...

Monday 22 June 2015

The bad shape infosec is in...

Not a day goes by without a high-profile attack, a new cyber espionage story or a government spying on its neighbour. If you think about how hostile the Internet has become, one can ask if this is sustainable in the long run. Business, government, schools, society for that matter, are addicted to the constant information stream and the ease of use that the Internet offers.

If you conduct business over the Internet you know how ridiculously expensive it can become to get some form of digital protection. And even if you buy the latest anti-flu, the newest state-of-the-art firewall, or subscribe to the latest brew of managed security services that deliver you Security Incident and Event Management with around-the-clock monitoring and management, you know that these are all tools designed on the knowledge of yesterday, facing the reality of tomorrow. We might argue that we're now able to detect more efficiently, but still it does not seem to help a lot on the defence side, and especially it does not seem to deter the miscreants from doing harm.

If I read, with some scepticism, the news and information regarding information security, I cannot think otherwise than that information/cyber security has never been in worse shape than today. Of course we should not give up; we can lose a battle and still win the war at the end, but how many casualties does it take before one realizes that the applied strategy is far from successful? What if we are defending the wrong gates? Unfortunately we keep repeating ourselves and, strangely enough, expect a different result. We're doing exactly what the great Einstein defined as insanity.

Imagine we detect an incident: with some luck our monitoring picked it up and alerts all the staff required to analyze the evil, close down the covert channel created by some misfits and start hunting them. According to some it can take over 200 days before systems and/or staff detect it. Pardon? To what extent would that be protection? It is not even effective, let alone efficient, since it does not do anything except, at best, some substantial number of days later.

Perhaps we should scale down the risk-based approach and consider many of the risks as certainties, however complicated that might sound... Maybe we should consider aligning more with business requirements, easier said than done though...

Thursday 5 March 2015

Information Security Governance

Corporate governance, and more specifically governance of enterprise IT, are important factors in building solid companies that require agile strategies. Difficulties in alignment remain, as not every boardroom recognises the importance of the information technology infrastructure in place at the company. The rapid growth of emerging Internet technologies forced companies to address information security. In the early days companies looked at information security as a solely technical matter; different complex technologies that came with high expenses were available to mitigate risk factors related to the use of the Internet. In a second era, security management practices were integrated into the company structure. The objective of this function is mostly to set a formal statement, by means of policies, standards, procedures and guidelines, in order to maintain an adequate level of security. It provides a structured way of organising the information security landscape and monitors the enterprise to keep it in compliance with the integrated policies. Such a formal statement expresses the importance of information security to the executive management and/or the board. Since information security governance is a relatively new area it doesn't always receive the required attention, such as business support, management support and eventually the necessary budgets to keep Mr Evil out. The reasons why information security is not receiving the required attention are plenty, but a main issue in failing to get on the agenda could be that the upper levels of an organisational structure do not receive the information required to get their attention, or that companies are risk-taking instead of risk-averse, or that it seems impossible to identify value for the business. Security is about avoiding something, whereas a new application is about adding functionality in order to increase efficiency, production, etc. Unfortunately, security is still seen as a business disabler.


Fair business

It comes as no surprise that the economic climate is not at its best in some parts of the world. And the recent incidents regarding cyber security show that breaking into a company to steal important data, such as trade secrets, intellectual property, customer data, etc., seems relatively easy, since no day goes by without a high-level case somewhere in the world. Well, this week it was in Holland: ASML, a major player in the chip market, got hacked. According to their press release it would be Chinese hackers from the government, but they would not have been able to take anything of value and no confidential data was stolen. As ASML states, this is because the time between when they got in and when they got detected was pretty short. Why would a government steal from a private company? Many answers are possible, but a simple one would be that the rat race is going on: if you have the technology of tomorrow readily available today, your country will greatly benefit. And nothing is more expensive than investing in R&D; many ideas lead to nothing, so costs are high without any guarantee of a result. So as a company the stakes are high: you could be number one, or trail behind and file for bankruptcy. But is this a technology-driven thing or not? We hear many times about another battle between patent lovers such as Apple, IBM, Samsung, etc., filing a complaint because one is using a patent of the other. Because ideas are stolen. Another volatile market is the food and beverage industry; however, when Pepsi got the recipe of Coca-Cola offered on a golden plate, they did something I wouldn't expect to happen in the tech industry. They alerted the police/FBI in order to take correct measures against the thieves. "Competition can sometimes be fierce, but also must be fair and legal," Pepsi spokesman Dave DeCecco said, and he is absolutely right. If you are the one with the best idea and the best solution you must be able to make money out of it to reinvest in even better R&D. If you just do R&D and you do not get any ROI, you do not have a sustainable model that helps us evolve and make this place one day a better place.

Thursday 21 November 2013

keep cool

Do not panic

Wednesday 13 November 2013

Knowing-doing gap in information security

According to various surveys most companies have a security policy in place. And if you ask top management they'll confirm. This is good, and we have noticed steady progress over the last 10 years. But it appears not to solve the information security pains. In many cases we're fighting with the tools of yesterday to defend ourselves against the threats of tomorrow. When we look back, we took another step in security by integrating information security management in companies, and many assumed that it would close the gap between what we know and what we do. But it seems the opposite: we've spent a great deal of time, money and resources to get that policy written, integrated and reported on. Unfortunately, it stopped at the written part. Many employees are not aware of its existence, and if they are, they can't tell you what is in there.

Time for awareness? Perhaps. Awareness is not the silver bullet you're waiting for. It probably solves some issues, but it does not guarantee that your policy is respected. We need controls for that, and some reporting, preferably with transparency.

Thursday 24 October 2013

Smart traffic cameras make dumb cops

Yesterday, 23/10/2013, we had a debate on television about the use of smart cameras by the police. Of course we should be positive about it, since it is meant to increase the security of society. But is it only about security? We are blurring the border between common-sense security and our liberty. The problem is rarely the technology, but how we use it and for what purpose we deploy it.

Today the Belgian police have two different types of smart cameras: the static ones, which can be found on the main roads when you enter a city, and, these days, mobile devices in addition to the static ones. These are mounted on an unmarked police car. The checks it can perform vary, but mostly it is used for detecting stolen cars, driving without insurance, driving without a valid car inspection certificate, etc. The information is passed in real time: whenever a car passes the police vehicle they instantly get information about this car and its owner. In the example shown during the show we noticed that somebody passed the police vehicle and an alert went off, because this driver had previously been fined for driving under the influence of alcohol. As you notice, the system shown is capable of detecting irresponsible drivers. In this particular case the police started chasing the car in order to check whether this driver had been drinking.

Would this be problematic? Police will put their efforts on people who are present in the system because of previous behaviour. The focus, which should be making roads safer, is lost; that also means checking for other anomalies. Because you're in the system, you will need to get stopped by police and they have to check officially that you've not been drinking in order to get out of the system. Otherwise the alarm bell keeps ringing. They suggest the system is updated on a regular basis, but nobody knows what this means. Is it once a week, a year, a month?

In most cases the government uses the argument that they find more stolen vehicles than previously, meaning in the pre-technology era, and that those vehicles are used for hold-ups and/or burglaries, but until now there is no evidence that this is the case. And if we can find those stolen cars in a more efficient way by using this technology, why not limit the system to only checking for stolen cars? How long will it take until criminals use stolen cars from a neighbouring country to avoid the alarm bells?

How long will it take until this type of system is used against us for any kind of control? We're innocent until proven guilty; with these systems we're guilty until proven innocent.

Benjamin Franklin said: “He who sacrifices freedom for security deserves neither.”

Tuesday 22 October 2013

Security Myths

Information security is for nerds

Yes, you're absolutely right! We're all nerds or techies locked in a cage and we can survive years without daylight and food. Of course we're not nerds; we're passionate, just like you can be or are in your job. It is not because we're not wearing your type of clothes and we like computer games that we are estranged from the world.

Good security solves all my security issues and keeps me safe

Uhu, if you implement it though. Laws are useless if nobody enforces them. Make management accountable and you'll go a block further down the security city. Be aware, choose your battles carefully, because managers sting like a scorpion.

I need 100% security before we can continue

If you find the solution, take a patent and don't tell anyone until it is approved. You're rich! Unfortunately it doesn't work like that: you cannot have 100% security. You can increase security to a tolerable level to conduct business.

Nobody is interested in my data or in attacking my small company

Not only your present customers are interested in you; so are your direct competitors, or some miscreant who would like to get his hands on your data or your computer, or to use your bandwidth or processing power. If that were the case nobody would attack a single home user, yet they suffer the most from all the malware circling around your connection at home.

I do not need anti-virus protection, I never had a virus

Great! Or not: how do you know if you have a virus if you do not have protection against it? Without anti-virus you're lost in this digital jungle.

A BIOS password protects my computer

Where should I start? NO, no and NO. A BIOS password helps against modifying a BIOS setting, but it can be circumvented easily. If you want real protection, buy a solution that provides hard-disk encryption with two-factor authentication and boot protection.

Tuesday 8 October 2013


In the early Internet years information security was as good as non-existent. The more important the Internet became in conducting business, the more companies realised that adequate protection is a must. We had the 9/11 aftermath and security in general was a hot topic. But a reality shock crippled budgets and a long period of recession is upon us today.

Today I witness that there is no real information security budget in many companies. It is merely a subset of the IT budget, and the spending of it is rarely based on profound arguments, rather on some decision taken in a burst of panic. The gap between business and information security has only increased over recent years; clever attacks launched with success and overly complex solutions have created an adverse effect. We cannot convince business people with FUD nor with geek wisdom.

From the business perspective the knowing-doing gap is becoming immense; they cannot deny today that they haven't been warned. In most cases they prefer increasing their risk appetite instead of their spending. It is time to make a U-turn and start thinking about how to convince the board and the execs. In order to achieve that, information security has to be uplifted to a governance strategy instead of solely relying on management practices. Security professionals must learn about business and speak business lingo; we need to get some useful metrics in order to have transparent reporting, and we need to have an idea of operational costs as well as the future spending required to keep the bad guys out. We are far from home on that part, because since the beginning we have been the firemen who come to the rescue, contain the spread and limit the damage. Afterwards we go back to our office and wait for the next one to surface on our monitors.

We need to give business tools to let them work in a secure fashion without losing flexibility and, if possible, enable new business. Instead of denying demands we should consider how we can authorize them without outspending the budget for the coming years. Creativity is key, and communication with our business peers a must.

Thursday 3 October 2013

Weak encryption

There is a lot going on in the debate on the revelations made by Snowden about the NSA. And OK, they used wiretapping on almost the entire Internet. That is of course a big deal and should not be underestimated in the damage it does to freedom of speech and liberty. However, I have a bigger issue with the weakening of encryption standards, including the behaviour or role of NIST. The rumour goes that the random number generation isn't that random any more. To you that perhaps sounds OK, but if you're in the security field it doesn't feel that OK.

Today, if you lock yourself out of your apartment you call a locksmith and he'll get you back in. Most probably he'll change the lock and give you a new pair of keys. Imagine that this guy could look at your door, watch some people going in and out of the building, and be able to reproduce a key without receiving any additional information. Scary, right? That is what the NSA would be able to do according to the documents revealed. They can look at your VPN traffic, see what type of encryption you use and reproduce a key, because the random number generator is predictable.

How can you lock your door now? Changing door vendor and changing lock technology could do the trick in some cases. And if that doesn't help you might have to close the door with a brick wall and use an alternative entrance.

Wednesday 7 August 2013

That is what I meant

Failure to communicate. We have all heard it: we explain something and get some jibber jabber back in the form of an unpronounced question. You correct the person and the reaction that hits you like a boomerang is: That is what I meant.

Well, is it? Say it, loud and clear. Today we have a multitude of communication possibilities and sometimes I get the idea that our communication has never been so bad. We use email, IM, Facebook and others to communicate, talk, speak and express ourselves, but it seems nobody understands us any more. Our complex society taught us to be pragmatic, diplomatic and even dogmatic from time to time, which makes the message go unnoticed in the overhead of unneeded words and information. There are 50 ways to say yes, I read on a blog, but there is only one way to say it clearly: YES. There are maybe 1000 ways to say no, but nothing as clear as the power of NO.

Friday 12 July 2013

Ubuntu and cinnamon

A good combo, though sometimes a pain to get right. I recently reinstalled my laptop; now, before the fruit company admirers and the Mickeysoft experts start with “oh, why did you need to reinstall your Linux?”: I reinstalled it because I was lazy in testing, so I tested directly in my distro instead of setting up a virtual environment.

I always use Ubuntu LTS, at this moment in time that would be 12.04.2, and so I did. Afterwards I added Cinnamon since GNOME 3 deserves a punch in the face. Now, when I logged into Cinnamon I had what lots of people have: NO freakin' desktop icons. I'm old school, so I need them there even if I rarely click on them. I think I tried every step I found on the web but no success. So here is what I did to get the crap working.

Open a terminal of choice, and run:

sudo sed -i 's/NoDisplay=true/NoDisplay=false/g' /etc/xdg/autostart/nautilus-autostart.desktop

sudo sed -i 's/NoDisplay=true/NoDisplay=false/g' /etc/xdg/autostart/nemo-autostart.desktop

Both commands unhide the applications in the startup applications list.

Then go to Startup Applications; in Cinnamon that means you click on Menu, Preferences, Startup Applications. You'll have two Files entries, or one Files entry and one Nemo entry. Deactivate the Nemo one; do not delete it, you never know what the future brings.

Keep the Nautilus one activated; in my case its name was Files. If you have not already, run sudo apt-get install dconf-tools. Afterwards hit Alt+F2, type dconf-editor, go to org.gnome.desktop.applications.background and check show desktop icons.

Log out and back in, or reboot, and you should have those silly icons back.

Thursday 6 June 2013

The art of information security

Or is it a science?

To be honest, I don't think security is a science. The unpredictable element of information security makes it difficult, if not impossible, to consider it a science. In science we try to simplify things to good or bad, one or zero, black or white and so on. Traditionally, science tries to explain a situation by rational logic.

Information security is a lot of things, but not rational logic: it is an unpredictable state, and the tools available were initially created with some logic integrated, often based on simple pattern checking. This approach seems to work for everything we know; unfortunately, the digital underworld uses something known in the lingo as a “zero day exploit”. This is an attack unknown at least to the majority of people and security vendors. Another issue with the classification approach is that a packet can sometimes be good and sometimes bad. Any criminal can be considered a good person as long as he does not get caught. Attacks can appear as good or legitimate traffic in your logs and will go unnoticed. We focus too much on the things we do not authorize and not on what we trust. People on the inside of our network are considered safe, but can we really trust every single employee in the company? No, we cannot, but we do not have any alternative yet. We have distinguished the Internet from the LAN, with the latter being good. It would be, in a perfect world, but luckily for us in the information security industry the world isn't that perfect.

Perhaps we should get some artistic level into security.