WINTER 2009/10 www.bcs.org/security
THE MAGAZINE OF THE BCS SECURITY FORUM

COMING THREATS
Stay vigilant in the ever changing threat landscape

06 SECURITY VS. QUANTUM COMPUTING
Quantum computers have the potential to radically change security strategies.

12 STATE SPONSORED ESPIONAGE
It isn’t just other companies who are trying to get hold of your business’s prize assets.



UCL DEPARTMENT OF COMPUTER SCIENCE

INFORMATION SECURITY MSc
UCL’s MSc in Information Security is a specialist programme for computer science, electrical engineering and mathematics graduates who wish to focus on the security aspects of information technology. The programme is intended as a foundation to a rewarding career at the more advanced levels of information security.

Areas covered throughout the programme include:

• Computer Security
• Cryptography
• Distributed Systems and Security
• Operating Systems
• People and Security

Plus option modules from our other programmes, including:

• Software Engineering
• Commutative Algebra
• Image Processing
• Communications and Networks
• Human-Computer Interaction

Contact:
Andrew Marriott, Postgraduate Administrator
WEB www.cs.ucl.ac.uk/teaching/mscisec
EMAIL [email protected]
+44 (0)20 7679 7937


Winter 2009/10 ISNOW 03

04 ISSG PERSPECTIVE
Gareth Niblett, Chair of the BCS ISSG, gives his view on the coming threats for 2010.

06 SECURITY VS QUANTUM
How quantum computing will affect computer security.

08 SECURING WEB 2.0
In our web 2.0 world do we need security 2.0 as well?

10 DATA DESTINY
Data is a company’s prize asset and needs to be secure at all times.

12 STATE SPONSORED SPIES
It’s not just other companies who will try and get access to your information.

14 THREAT LANDSCAPE
When it comes to staying safe you need to be aware of the ever changing threat landscape.

16 LEGAL
Implications of the Data Protection Act for data controllers in 2010.

18 OPINION
In the future technology will be all about managing people.

EDITORIAL TEAM
Henry Tucker, Editor
Brian Runciman, Managing Editor

PRODUCTION TEAM
Florence Leroy, Production Manager
Marc Arbuckle, Graphic Designer
David Williams, Graphic Design Assistant

Advertising
E [email protected]
+44 (0) 20 7074 7921

Keep in touch
Contributions are welcome for consideration. Please email: [email protected]

ISNOW is the quarterly magazine of BCS Security Forum, incorporating the Information Security Specialist Group. It can also be viewed online at: www.bcs.org/isnow

The opinions expressed herein are not necessarily those of BISL or the organisations employing the authors. © 2010 British Informatics Society Limited (BISL). Registered charity no. 292786.

Copying: Permission to copy for educational purposes only without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage; BISL copyright notice and the title of the publication and its date appear; and notice is given that copying is by permission of BISL. To copy otherwise, or to republish, requires specific permission from the publications manager at the address below and may require a fee.

Printed in the UK by Interprint, Swindon, Wiltshire. ISSN 1752-2455. Volume 4, Part 2.

The British Informatics Society Limited, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. T +44 (0)1793 417 424 F +44 (0)1793 417 444 www.bcs.org/contact. Incorporated by Royal Charter 1984.


HOW SAFE IS YOUR DATA?

INFORMATION SECURITY MANAGEMENT PRINCIPLES
An ISEB Certificate
ANDY TAYLOR (editor)

£24.95 ISBN: 978-1-902505-90-9 PUBLISHED: 2008 224pp

Lapses in information assurance can expose your organisation to costly and damaging repercussions. As managers become increasingly responsible for this area of data protection, this official ISEB textbook outlines the main principles and considerations for securing both commercial and personal data.

ORDER FROM TURPIN DISTRIBUTION
TEL: +44 (0)1767 604 951
ALSO AVAILABLE IN ALL GOOD BOOKSHOPS AND ONLINE.
www.bcs.org/books


ISSG PERSPECTIVE

Gareth Niblett says when it comes to threats we are only beginning to see the tip of the iceberg.

The start of each new year brings the promise of a bevy of unwelcome threats. Many will be variations on an existing theme, some may rely on the growth of a particular medium, and there could be an occasional new but predictable attack that leads us to smack our foreheads and wonder why we didn't see it coming. I'm no soothsayer, but I have a few ideas of threat-related trends we may well see in the coming year:

Business change - the global downturn, recession, comeuppance for greed and risk ignorance, or whatever you wish to call it, threatens business. This could be through redundancies, liquidation, jettisoning failing companies and mergers, all of which will bring significant business changes that have to be managed securely, ensuring that critical business assets are properly protected.

Cloud computing - bringing together all the benefits and pitfalls of outsourcing, off-shoring, virtualisation, co-location and rapid application development. Great when it works, but when it doesn't there may well be issues of legal jurisdiction, enforcing contract and audit rights, forensic investigation, data migration and so on. Make sure the cloud doesn't become a basket to hold all your eggs.

Social networking - website, email and instant messaging wrapped up into one. Already allowing ready personal and business information leakage through to providing a new platform for malware distribution and botnet command and control, the social networking phenomenon offers unrivalled growth for interaction, both good and bad, which is likely to continue unabated.

I'm sure this only touches the tip of the iceberg, and we may well see more large-scale politically motivated attacks, new vulnerabilities in core internet services, smartphones get hit hard, growth in internet governance (read interference, control and surveillance) along with new ways to avoid it. Happy New Year.

Gareth Niblett is chairman of the Information Security Specialist Group (ISSG). www.bcs-issg.org.uk

FURTHER INFORMATION
Information Risk Management and Assurance Specialist Group: www.bcs.org/groups/irma
BCS Security Portal: www.bcs.org/security
ISNOW online: www.bcs.org/forum/isnow


SECURITY VERSUS QUANTUM COMPUTERS

Quantum cryptography is all about achieving secure key distribution using the phenomena of quantum mechanics. It is now an implemented technology, and promises to work even when large scale quantum computers become widely available. Nick Papanikolaou tries to demystify quantum cryptography.

As we will see, quantum cryptography relies on the same fundamental phenomena as a quantum computer, but its security is independent of an attacker’s computational power and so is designed to be safe against such a device. The security of many classical cryptosystems such as RSA, on the other hand, is threatened by the very idea of a quantum computer.

Note. We will use the term ‘classical’ here to refer to computers, algorithms and protocols that are used in traditional computer science; this is in contrast to their quantum counterparts.

Speculation or reality?
First of all, let’s make one thing clear: quantum computers haven’t yet been implemented on a large scale. To build a large quantum computer is the goal of many an experimental physicist, but while the capabilities of such a device are well understood, theoretically, there are many thorny issues that arise in real experiments. A quantum computer consists of qubits, or quantum bits, which need to be controlled individually. Qubits arise in nature in the states of atomic-scale particles, such as protons, neutrons, electrons, or even light particles (photons). In particular, a qubit has two distinguished states (usually written |0> and |1>) and an infinity of other possible states, and these states correspond to the values of particular physical properties, such as the angular momentum (or spin) of an electron or the polarisation of a photon, at a given moment in time.

To make a quantum computer it is necessary to manipulate qubits individually, in an analogous way to the bits in a classical computer register, which are constantly updated and read by programs. Of course, in the quantum case, states are much harder to manipulate: (i) it is difficult to isolate and control an individual particle from among several, (ii) it is impossible to prevent an individual particle from interacting with its environment. The first issue is because of what is known as quantum entanglement. The phenomenon of decoherence is the result of (ii), and troubles experimentalists no end. Intuitively one might imagine this as being like noise so prominent that it disturbs our ability to hear and prevents us from understanding a spoken sentence. Combating this noise is very difficult on the atomic scale, and this makes it hard to keep a qubit ‘alive’ and fixed in a chosen quantum state. If the state of a quantum computer is not stable, it is nigh impossible to perform a computation.

Developments in experimental physics are expected to make it possible to address these issues on a large scale in the next 10-20 years. Quantum algorithms are procedures that could be implemented on a quantum computer to solve problems. Some quantum algorithms have been discovered that have significant advantages compared to their classical counterparts, in particular Peter Shor’s factoring algorithm and Lov Grover’s inverse database search algorithm.

For example, to factor an integer N into a product of two primes, a quantum computer needs on average (log(N))^3 steps with Shor’s algorithm, while a classical computer could, at best, do it in a number of steps exponential in N. So to factor the number 300,000, a quantum computer would only need 75 steps, while a classical computer using the best known algorithm would need 2005 steps! It goes without saying that the ‘steps’ of a quantum computer would each take nanoseconds to execute.

Classical public key cryptosystems such as RSA rely for their security on the difficulty of performing this computation, and in practice use extremely large numbers; being able to perform factoring efficiently makes it easy to break such systems quickly.

For a good, readable introduction to quantum computing consider [Rieffel, Eleanor G. and Polak, Wolfgang. ‘An Introduction to Quantum Computing for Non-Physicists.’ ACM Computing Surveys 32(3), pp. 300-335].

How quantum key distribution works
Quantum cryptography, or quantum key distribution more accurately, allows two parties to establish a common secret (a key which can then be used in any private-key cryptosystem, such as the one-time pad) in such a way that an eavesdropper can (i) be detected and (ii) be thwarted.

Quantum key distribution is a way of generating a key starting from a random bit sequence; the random sequence is encoded in a stream of qubits which are transmitted over a channel (in practice, this might be photons being transmitted over an optical fibre). If an enemy tries to intercept the qubits in order to measure them and extract the bit sequence, he or she will inevitably cause a disturbance to the qubits that will make the enemy’s presence manifest to the proper users of the channel. They can use some classical protocols (known as secret-key reconciliation and privacy amplification schemes) to correct errors caused during transmission and eliminate any valid key information that the enemy may have gained in the process.

For an accessible introduction to the detailed workings of quantum key distribution, see (Papanikolaou, Nick. ‘An Introduction to Quantum Cryptography.’ ACM Crossroads 11.3, Spring 2004.)

Limitations and further considerations
The security of quantum key distribution lies in two things: (i) the randomness inherent in measuring quantum states, (ii) the use of some clever, classical post-processing of the key. Mayers proved that the quantum key distribution protocol BB84 is unconditionally secure against all attacks permitted by quantum mechanics [Mayers, D. Unconditional security in quantum cryptography. Journal of the ACM 48 (3) (May 2001), pp. 351-406].
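The exchange described above, as an added example that is not part of the original article: a classical simulation of BB84 in which Alice encodes random bits in random bases, Bob measures, the two sift on matching bases and then compare a sample of the sifted key to estimate the error rate. An intercept-resend eavesdropper pushes that rate to about 25%, which is how her presence becomes manifest; the 11% abort threshold is the usual figure for BB84 and is an assumption of this example, not a value from the article.

```python
"""Classical simulation of BB84 quantum key distribution.

Added example, not code from the original article. Photons are modelled
as (bit, basis) pairs; measuring in the wrong basis gives a random result
and leaves the photon in the measured state, which is the disturbance an
eavesdropper cannot avoid.
"""
import random

RECTILINEAR, DIAGONAL = 0, 1  # the two polarisation bases used by BB84


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a qubit prepared as `bit` in `prep_basis`.

    Same basis: the encoded bit is read out exactly.
    Different basis: the outcome is a fair coin, and the qubit now holds
    that outcome in `meas_basis` (the original value is destroyed).
    """
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_bb84(n_qubits, eavesdrop, seed, sample_fraction=0.5):
    """Run one BB84 exchange and return the sifted key plus its error rate.

    Alice sends random bits in random bases, Bob measures in random bases,
    and both keep only the positions where their bases agreed (sifting).
    They then publicly compare a sample of the sifted bits to estimate the
    quantum bit error rate (QBER); the rest is the raw key handed on to
    reconciliation and privacy amplification.
    With eavesdrop=True, Eve measures every qubit in a random basis and
    re-sends her result (intercept-resend), which corrupts about 25% of
    the sifted bits.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    bases = (RECTILINEAR, DIAGONAL)
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.choice(bases) for _ in range(n_qubits)]
    bob_bases = [rng.choice(bases) for _ in range(n_qubits)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            e_basis = rng.choice(bases)
            bit = measure(bit, a_basis, e_basis, rng)  # Eve's readout
            a_basis = e_basis  # the re-sent photon is in Eve's basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: bases (never bits) are announced over the public channel.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Parameter estimation: sacrifice part of the sifted key to measure QBER.
    n_sample = int(len(sifted) * sample_fraction)
    sample, remaining = sifted[:n_sample], sifted[n_sample:]
    errors = sum(1 for a, b in sample if a != b)
    qber = errors / n_sample if n_sample else 0.0
    return {
        "sifted_length": len(sifted),
        "qber": qber,
        "alice_key": [a for a, _ in remaining],
        "bob_key": [b for _, b in remaining],
    }


def accept_key(result, threshold=0.11):
    """Alice and Bob abort when the QBER exceeds the threshold.

    11% is the usual abort bound for BB84 (assumed here, not taken from
    the article); above it, post-processing cannot distil a secure key.
    """
    return result["qber"] <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(2000, eavesdrop=eve, seed=7)
        print(f"eavesdropper={eve}: sifted={r['sifted_length']} "
              f"QBER={r['qber']:.3f} accept={accept_key(r)}")
```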

Quantum key distribution protocols do not address the problem of authentication: there is no direct way allowing the communicating parties to check they are indeed talking to each other. The proposed solution is to use 'Wegman-Carter tags', but for the security result to be maintained the parties involved need to share some information privately in advance of quantum key distribution. This is a limitation, but for the time being it does not seem to be a substantial impediment for practical applications.

The key point to remember is that quantum key distribution does not rely for its security on the difficulty of any computational problem; its security is provided by fundamental properties of nature as we understand them, specifically the way measurement works.

For business applications, quantum cryptography is not a substitute for PKI – while PKI may be threatened if large scale quantum computers materialise, to use quantum cryptography would mean generating new keys for every business transaction or communication. How quantum cryptography can be deployed for such applications is an interesting question.

For further information please visit: www.bcs.org/security


WEB SECURITY 2.0

Web 2.0, the second wave of web development and design, is thriving, and so too are applications that take advantage of this technology. Interactive sites like LinkedIn, Twitter and even company websites are becoming ever more popular, and yet, many IT departments are unprepared for the associated new and emerging threats. As more and more companies take to the web to conduct business, the opportunity for attack is significantly increased and organisations need to re-adjust their security practices for the web 2.0 world.

Traditionally, potential security breaches, or vulnerabilities, target personal and business information that is created and stored in certain web 2.0 applications, such as Google Docs and Mobile Me. Using sophisticated JavaScript programmes developed specifically to capture data, hackers can redirect users to a perfect copy of the site they are expecting to see. Then, when login details are entered, they are unknowingly sent to the attacker, providing them with the information they need to access sensitive business information.

New attack methods are constantly being employed by the hackers, taking advantage of technologies that are already in place. With Facebook, for example, third-parties can host their own applications on the site in the form of games or quizzes. The code needed to do this is run independently of Facebook. Attackers continually try to bypass the security systems in place on Facebook, and gain access to information using the code that is running on the browser through the third-party.

For the opportunistic hacker, even filling out forms online presents them with the chance to obtain details. Although the site may be secure, the ‘behind the scenes’ technology, which communicates suggestions on possible entries based on past information, can be intercepted and with it, data on the individual or business.

Web exploitation
There is a difference though in the way these attackers operate. Some choose to exploit web applications, like Twitter, which suffered an attack back in January 2009, resulting in the accounts of high profile members being hacked and offensive mock status updates uploaded. The other approach is where they exploit the web browser. Here hackers pepper large numbers of websites with JavaScript which enables them to ultimately collect data on visitors to those sites. Rather than specific web applications being targeted, the browser instead acts as the delivery mechanism, where links can be used to either redirect users to other ‘fake’ sites, or load damaging content from other destinations.

In the same way the methodology of these attacks changes, so too does the motivation of the hackers. In early web attacks, it was all about site defacement where the content would be edited, with messages being incorporated or offensive images being added. This has now changed and the emphasis is on remaining undetected so that the site owners will not know that security has been compromised. JavaScript enables hackers to use these attacks for financial gain instead of to just be a nuisance. In 2007, the website of The Dolphin Stadium, home to America’s Super Bowl XLI, was attacked and malicious JavaScript installed on its front page header. The result of this was that a keylogger/backdoor file was downloaded on to the user’s computer, giving the hacker full access to it. The hack went undetected until a security firm came across the site as part of a scanning effort. While the stadium’s website was likely targeted because it was topical and popular at that point in time, the hack was part of a larger effort that attacked over 25,000 websites.

Many people associate hacking with credit card and bank fraud – but this is not the case. All information holds some kind of value to someone. ID theft for example is not just about being able to spend somebody else’s money, but can instead be used to set up credit accounts with business suppliers or open up new premises, all at another’s expense. Client and employee data could also hold value to some organisations.

While it seems that hackers are constantly evolving and adapting to new technologies, like web 2.0, businesses are responding just as well. Individual employees, as well as IT departments, are now aware of security risks and most companies have policies in place about the download of web-based applications. Patches, security alerts and updates are now issued regularly from the vendors and should be monitored and downloaded when available.

In addition, there are a number of tools which can help to prevent such attacks - web application scanning in particular.

This is an automated process which searches for software vulnerabilities in websites by launching its own attacks and analysing the results. Using this data, it will provide a list of actions which the user should undertake in order to prevent hackers gaining access to their systems. This is especially useful for SMBs where web security is an issue, but there is not always the resource – in terms of people and cost – to manage this on an ongoing basis.

Source code scanning and continuous site monitoring are also valuable methods to protect against hacking attacks.

Technology continues to advance at an alarming rate – and with it those people who are willing to exploit others for financial gain. By staying informed of the potential risks and combining the tried and tested preventative methodologies, IT departments can ensure that they are well-equipped to deal with the constant threat of web 2.0 attacks.

For further information please visit: www.bcs.org/security


DATA DESTINY

What does the future hold? Predicting the future requires vision but in the context of the now. It’s a given that data is becoming an ever more valuable resource, which is now more mobile and therefore more likely to be compromised. Richard Walters, CTO of Overtis, looks into protecting data.

New leakage vectors are continually emerging. Who would have conceived of the threat of social networking five years ago? But are we doomed to repeat the data breaches of the past few years or can we change the destiny of our data?

Systems continue to create new opportunities for data leakage. Take, for instance, Windows 7. There will undoubtedly be mass migration to this new operating system in 2010. But the system is highly complex and configuration errors will inevitably occur, giving rise to increased incidents even if the security of the operating system has inherently improved. Other new technological advances, such as Google Wave, promise to make the past as well as the present versions of data available to the user, making it even more complex to maintain the integrity of data.

Staying one step ahead in order to advise others on threats is vital in the security industry. But data protection is something of a contradiction. Data needs to be accessible, that’s what makes it valuable, so protecting it by restricting access is highly problematic. Access needs to be discerning, determined by user status, but still flexible enough to support access from a multitude of platforms.

Mobile computing is already with us and has made protecting data much tougher. Customer contacts, company documents and email are all now carried outside the perimeter as a matter of routine yet remain inadequately protected. Going into 2010, mobile devices will continue to be the Achilles heel for many organisations. Although data security for mobile handsets exists, it is currently way below that possible on a conventional PC, and proprietary issues remain.

We move into the year ahead on the cusp of new data storage and access technologies such as cloud computing. Housing your data in the cloud makes a lot of sense: it’s highly flexible (allowing access anywhere, anytime), cheaper than dedicating resource, and can provide economies of scale. However, as a virtualised infrastructure it is not secure and never can be. It's precisely for this reason that service providers often omit security provisions from their service level agreements (SLAs). In fact, the terms and conditions of many service providers are so open that we would even go as far as to say there is nothing to stop your data being passed on to third parties at a later stage.

We also expect to see the threat from external forces increase. Criminals and foreign governments are now fully exploiting the online world with malware infections designed to capture and relay sensitive data. A Whitehall report in January 2009 stated that 'a number of countries are actively seeking UK information and material to advance their own military, technological, political and economic programmes' and that 50 per cent of malware now originates from China. Our prediction? Expect to see the internet go down for a few days once organised cyber criminals target DNS and take it out.

Data losses will also continue to occur despite the best efforts of industry regulators. Whether you think it wise or not, compliance drives security and security product development, such as database monitoring tools. However, compliance does not mean security.

By adhering to the requirements a solution can often overlook other key security concerns.

Compliance red tape
In some respects, we enter next year at a disadvantage in the fight against data loss. It’s not just the red tape of compliance that is bogging the sector down. Although organisations are beginning to accept that the threat from outside the perimeter is outweighed by the threat of staff incompetence or rogue behaviour, few have reviewed their security to reflect this. So we’re still seeing a network-centric view of security with log management/SIM/SEM/SIEM products still used predominantly. This approach fails to address the area of most activity: the endpoint. Over the next year or so, security products will begin to include the critical stream of activity that originates at the endpoint. But until then where the user is will remain the weak part of the chain with the greatest potential for data loss.

However, there is hope. Budgetary constraints may at last force organisations to stop spending on last line of defence gateway solutions. These are not only expensive but inaccurate and do not handle encryption well or offer protection to mobile devices outside of the corporate perimeter. Spend will be more targeted and more considered. A recent survey by IDC found that 57 per cent of the 400 organisations polled intend to invest in data loss prevention (DLP) software in 2010. DLP has the ability to detect, monitor and protect data as it is being used, transferred or in storage. Using deep content inspection, this technology combines elements of digital rights management (DRM), end-to-end encryption and endpoint control to track critical data. The organisation is aware of how data is being manipulated and, if necessary, can take action to prevent a leak.

Methods of remote access are also diversifying, with terminal services predicted to take off. Third party remote access by vendors and partners or access by remote call centre staff can be catered for securely using terminal services. And terminal servers will also be used more frequently to secure data and provide access to it internally.

Opportunities for data loss will undoubtedly increase in the future. Yet the means to keep them in check is with us today. If you’re moving to SOA/cloud computing, don’t rely on them for your security. There really is no substitute for local back-up. Authenticate your users using the best multi-factor authentication you can afford. And invaluable but often badly implemented, end-to-end encryption is a must and can now be performed using a simple desktop virtual vault application. Three simple steps that could ensure data is destined to be breach free.

For further information please contact: [email protected]


STATE SPONSORED ESPIONAGE

It may sound like the plot of the next James Bond film, but actually state-sponsored espionage is something all companies should be aware of, say Ian McGurk and Ralph O’Brien from Control Risks.

Governments have been involved in the act of spying for many generations. As the threat landscape has changed, the purpose of information monitoring, gathering and analysis has changed in response. Many governments monitor traffic flowing around their network infrastructures to combat terrorism, the trade in narcotics, money laundering, paedophilia and other such crimes.

But such monitoring is not always about combatting crime. The UK and US media recently reported on a number of cases of state sponsored espionage, whereby governments target company information to obtain commercial secrets to give their businesses a competitive advantage. Cyber-based espionage offers a relatively cheap, quick and easy method to obtain information that can be used to help their companies remain competitive.

This type of activity appears to be particularly prevalent in countries where the biggest companies are state-owned, or have close links to the state. They may receive intelligence collected by the local intelligence services, and are also able to undertake commercial espionage for their own benefit. The UK government takes this threat very seriously and has recently released a 'cyber security strategy', which creates a cyber security office responsible to the Cabinet office and a Cyber Security Operations Centre (CSOC) based at GCHQ. Similar initiatives have been carried out in the US to protect commercial businesses against attack.

Cyber based espionage is far more widespread than most western commercial organisations are prepared to acknowledge or accept.

Targets
The state will focus upon information that can benefit their economic development, reduce their external dependencies or improve their global standing in the world markets or political arenas. Ultimately if they can produce competitive products that have mass appeal and are price attractive to local or international markets, then there is good reason to pursue information for competitive advantage.

The market sectors of greatest interest tend to involve:

• energy – oil, gas, coal, electricity and renewables;
• natural resources – minerals, aggregates etc;
• financial – capital investments, banking, insurance etc;
• medicines – drugs, techniques, analytical equipment etc;
• agrochemicals – fertilisers and genetically modified crops etc;
• technologies – computing, software, automotive etc;
• communications – telephony, satellite, mobile phones etc;
• fashions and brands.

Typically, they target two types of information. They will be looking to gather intellectual property relating to product designs, technical specifications or manufacturing techniques and high value financial information such as pricing, contract terms or acquisition targets. Organisations need to be particularly careful protecting data relating to significant events, for example in the run-up to product launches or mergers or acquisitions.

In most cases the target information is determined as part of a selective process of identifying the key people, projects and teams or relevant partner organisations and supporting services (legal, accounting, audit, IT outsource).

Extensive research work is performed to establish their roles, business, family, sports, social and sexual preferences and behaviour patterns for the purposes of social engineering by using a combination of search engines, social networking sites, blogs, professional bodies, the electoral register and so on.

Outsider attack
For organisations that do not operate part of their business in ‘high risk areas’, the greatest threat comes from electronic computer-based exploits.

In addition to the insider attack, cyber espionage is often associated with uniquely created Trojans. Crafted Trojans are referred to as Zero Day because they are unique, and, because they have not been seen before, they cannot be recognised by conventional anti-malware products.

Once the Trojans have been created, information that has been obtained about key players and their interests, hobbies and preferences (social or business) can then be used to influence an unknowing victim to plant the crafted Trojan. Other methods of introduction include a free giveaway, such as the well reported cases of USB sticks and digital cameras, which can deliver the Trojan when innocently connected to the target’s computer.

Insider attack
Electronic attack can be facilitated by, or may be dependent on, the assistance of an individual with access to a target’s IT systems, especially where the target is operating within a state that sponsors espionage activities. The insider may be employed by a supplier organisation or service provider, rather than directly by the target organisation. The individual could be in a position to:

• download and remove sensitive material;
• plant malicious software or attach malicious hardware;
• access parts of the system, but abuse this to gain wider access.

Increasing the number of connections to the internet, public networks and connected local offices also extends new opportunities to the malicious insider.

Insiders may deliberately infiltrate an organisation to mount an attack, but often existing employees are targeted as sources of information or potential saboteurs. Motivations may include nationalistic, ideological and ethical concerns, but could also come from poor career prospects, employment troubles, perceived unfair treatment, boredom, blackmail, or, simply, a whim or desire to cause trouble. Pressure may also come from an employee’s friends or family, loyalty to whom may be greater than to their employer.

Staff can also unwittingly assist outsiders through careless security practices, for example, displaying passwords by a computer, or succumbing to a phishing attack. Leaks can also be accidental - unguarded talk, leaving sensitive material unattended or failure to observe a clear-desk policy. In our experience the greatest information breaches are more often caused by accidental error, rather than a malicious attack.

At greater risk are organisations with activities located within a country that undertakes espionage activities. When an organisation has a part of its operation in such a state and its business activities are of interest to the state, then its business information is almost certainly compromised.

Defence

Control Risks’ experience is that many organisations receive assurances from their in-house experts that their sensitive information and their computer networks are fully protected and that they could not be exploited. In most cases this is a false assurance. Also, many bury their heads in the sand and then wonder why they are uncompetitive in major deals or why competitors are able to introduce the same or similar technologies or fashion items ahead of, or closely following, launch.

Whilst encryption is a normal defence in electronic transfers of information, this is rarely a defence against a state-sponsored attack. The laws of the country they are operating in often state that organisations must register and apply for permission in order to utilise encryption products. The application will often require that the organisation provide the encryption keys to the government, and they will be restricted to the use of certified products. Vendors are required to provide the source code for the product to enable testing and validation by the government body in order to achieve the certification.

Technical surveillance countermeasures, or bug sweeps, are commonly used as part of an organisation’s security processes for countering cyber espionage. However, it is often the case that in the states where cyber espionage poses the greatest problem, there are the tightest levels of regulation and licensing for companies carrying out the sweeps, which could restrict their effectiveness.

Far more effective are training and awareness, and the normal security principles of separation, segregation and air gaps between offices and networks, especially in countries where cyber espionage activities are anticipated. Reviewing what data may be at risk and where it is held is the first step. Beginning to actively monitor for suspicious activity and ensuring that staff follow common sense security practices is a key starting point to defend against state-sponsored attack.

For further information please visit: www.bcs.org/security


COMING THREATS


14 ISNOW Winter 2009/10

KEEPING UP WITH THE THREAT LANDSCAPE

In this ever changing world in which we live, Mark Tickle, Managing Director, EMEA, of Webroot says you can never let your guard down when it comes to keeping your company secure.

How comfortable do your employees feel when surfing the web? According to the latest data from Webroot's Threat Research Centre, one in every 12 websites today should be blocked for inappropriate content. However, blocking that content may not be as straightforward as you think.

Back in the good old days, viruses arrived via floppy disk or email, using weaknesses in mechanisms such as Word macros. As long as you avoided putting unknown disks in your machine and didn't open attachments that you didn't trust, you were relatively safe. But things have changed in recent years, thanks to the increasing sophistication of websites and the browsers that access them.

New tactics

The evolution of ubiquitous JavaScript, alongside increased functionality in browsers, has led to the proliferation of 'drive-by downloads', which directly attack a computer via its browser as soon as the user visits the site. These attacks have become a significant threat, driven largely by the commercialisation of malicious software.

In the late 1980s, when viruses began to appear, they were little more than exercises in intellect and ego. Misfit programmers wrote them to demonstrate their prowess, and occasionally inserted nasty payloads that deleted data.

In the last decade, criminals have caught on to the profit potential inherent in malicious software, which is now programmed to send spam, steal passwords, and in some cases even carry out fraudulent banking transactions that transfer money from the victims' accounts to those of the perpetrators.

Consequently, the stakes have been raised, and now the goal is to infect as many machines as possible in a bid to reap the maximum illegal profit. The creation of 'botnets' (hordes of infected machines that can be remotely controlled to do the criminals' bidding) has been well documented.

Many people visit sites offering porn, pirated software and specious pharmaceuticals, and online crooks can make a healthy profit from infecting these visitors alone. However, the real money is to be made from the vast superset of internet users that pay regular visits to the likes of BusinessWeek, the New York Times, specialist news sites like CNET, and even the sites of popular music stars such as Paul McCartney. All of these sites have been compromised by criminals and made to deliver drive-by downloads that infected victims' computers. But how?


How to infect a site

There are various ways to infect a site. One of the most prevalent employs the structured query language (SQL), which is the basic database access language used by the majority of websites.

Many sites fail to validate user input properly, which would involve blocking SQL commands entered into web forms and URL parameters. Sites that allow these commands through risk having SQL injected directly into user input, which can be used to alter the content of the database. As many sites now use databases to store the HTML- and JavaScript-based code that they display to browsers, this enables criminals to change that code, and use it to manipulate the browser.

One commonly-used SQL injection technique involves the insertion of an IFRAME tag into the page, which causes the browser to visit another server surreptitiously. This server uses JavaScript to examine the type of operating system and browser accessing it, and delivers a tailored set of malware designed to exploit that specific configuration.
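The two points above (a request parameter reaching the SQL text unvalidated, and IFRAME tags planted in database-held page content) are illustrated by the following example code, which is added here and is not from the article or from Webroot. It builds the same page lookup both ways against an in-memory SQLite table and then scans the stored HTML for off-site IFRAMEs. The table layout, page bodies, host names and the `x' OR '1'='1` input are all constructed for the demo.

```python
"""Added example (not from the article or Webroot): a CMS-style page lookup
built two ways, plus a scan of stored HTML for injected IFRAME tags.
Table layout, page content and host names are constructed for the demo."""
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample rows: (slug, body, published). The 'news' page carries
# the kind of hidden off-site IFRAME the article describes.
SAMPLE_PAGES = [
    ("home", "<h1>Welcome</h1><p>Public home page</p>", 1),
    ("pricing", "<h1>Pricing</h1><p>Draft, not yet published</p>", 0),
    ("news", '<h1>News</h1><iframe src="http://bad.example/x" width="0" height="0"></iframe>', 1),
]


def build_db():
    """Create an in-memory database holding the constructed pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT, published INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, slug):
    """The defect the article describes: the request parameter is pasted into
    the SQL text, so a quote in it rewrites the query's logic. The input
    x' OR '1'='1  turns the WHERE clause into
    (published = 1 AND slug = 'x') OR '1'='1', which matches every row,
    including the unpublished draft."""
    sql = "SELECT slug FROM pages WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, slug):
    """Hardened form: a bound parameter is always treated as data, never as
    SQL, so the same input simply matches no page."""
    sql = "SELECT slug FROM pages WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


# Matches the src attribute of any <iframe ...> tag, quoted or not.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def find_foreign_iframes(conn, site_host):
    """Detection side: return (slug, src) for every stored page whose HTML
    embeds an IFRAME pointing at a host other than the site's own."""
    hits = []
    for slug, body in conn.execute("SELECT slug, body FROM pages"):
        for src in IFRAME_SRC.findall(body):
            host = urlparse(src).hostname or ""
            if host and host != site_host and not host.endswith("." + site_host):
                hits.append((slug, src))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, "x' OR '1'='1"))  # every slug
    print("safe:      ", lookup_safe(db, "x' OR '1'='1"))        # []
    print("iframes:   ", find_foreign_iframes(db, "example.com"))
```

The scan is the kind of periodic check a site owner can run over its own content store: any IFRAME whose host is not the site's own is worth a look, whether or not it is sized to zero.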

Another infection involves artificially stuffing an already-infected site with words and phrases reflecting popular current events (such as 'Patrick Swayze death'). These sites then rise to the top of search engine results delivered to users and lead them to visit the compromised sites.

At the very least, they can be offered rogue anti-virus software, which plays on their insecurities by telling them that their machine has been infected, and offering to sell them useless anti-virus software to fix the problem.

SQL vulnerabilities are so ubiquitous that some malware writers have even begun sending commands to infected victims' machines, forcing them to target websites automatically with SQL injection attacks. This essentially creates an army of unwitting SQL hackers. The coders behind the Asprox malware have orchestrated multiple SQL injection attacks this way, most recently in early October 2009.

Another technique, used in summer 2009 to infect up to 40,000 websites, involves using already exploited computers to infect even more websites. The malware searches the victim's computer for FTP passwords.

FTP is commonly used to update websites, and the malware feeds these passwords back to the criminals so they can use the credentials to access the relevant sites and alter the content.

Other attacks on web applications include cross-site scripting, which enables criminals to plant malicious URLs on vulnerable websites, and do everything from stealing cookies to executing arbitrary JavaScript.

Cross-site request forgeries (CSRF) use malicious code inserted on a web page to force a visiting browser to execute commands on another site, to which the user has already authenticated. For example, if someone was legitimately logged into eBay when they visited a malicious site, then a CSRF attacker could access their account. These types of attacks are being increasingly used on social networking sites.
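The reason a CSRF works is that the browser attaches the victim's session cookie to whatever request the malicious page triggers. The standard defence, shown below as added example code (not from the article or any product it mentions), is a per-session token that the malicious page cannot read, backed by a check of the Origin or Referer header. The session dictionary, the site origin `https://shop.example` and the header values are constructed for the demo.

```python
"""Added example (not from the article): the synchroniser-token check that
defeats a forged cross-site request. The session dictionary, form field and
site origin are constructed for the demo."""
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"  # constructed: the site being protected


def issue_csrf_token(session):
    """Called when a form is rendered: mint a random token, remember it in
    the server-side session and return it for embedding as a hidden field.
    A page on another origin cannot read this field (same-origin policy)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_is_forged(session, form_token, origin_header=None, referer_header=None):
    """Return True if a state-changing request must be rejected.

    The cookie alone cannot prove the request came from our own page, because
    the browser sends it with every request to our site. Two independent
    checks are applied:
      1. the submitted token must equal the one stored in the session;
      2. if the browser sent Origin (or Referer), it must name our site.
    """
    expected = session.get("csrf_token")
    if not expected or not form_token:
        return True
    # Constant-time comparison: a timing difference would leak the token.
    if not hmac.compare_digest(expected, form_token):
        return True
    source = origin_header or referer_header
    if source:  # absent headers fall back to the token check alone
        parts = urlparse(source)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return True
    return False


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Our own form, submitted by the logged-in user: allowed.
    print(request_is_forged(session, token, "https://shop.example"))    # False
    # A page elsewhere posting to us with only the cookie: rejected.
    print(request_is_forged(session, "", "https://elsewhere.example"))  # True
```

In a real application the token is issued once per session (or per form) and checked on every POST, PUT and DELETE; GET requests should never change state, so they need no token.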

What’s the answer?

Organisations wishing to mitigate such attacks should take a variety of measures. Ensuring that all application and operating system software is regularly updated will help to protect systems against known attacks. Using a malware filter, especially one that performs behavioural analysis on incoming code, will help to catch any malicious JavaScript being sent to employees' browsers. Finally, gateway protection that references a continually updated list of known malicious domains and IP addresses can help to prevent browsers from visiting compromised areas of the net.

The key here is defence in depth, which is the idea of applying multiple levels of protection. This can help to counter a blended threat that uses multiple attack vectors. Only by matching online criminals in their ingenuity can we hope to protect our systems. On today's internet, organisations cannot afford to leave anything to chance.
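The gateway layer mentioned above, a lookup of each requested URL against a list of known malicious domains and addresses that is refreshed over time, is shown here as added example code (not Webroot's product or any other named tool). Every feed entry and URL in it is constructed; the IP ranges are documentation ranges standing in for hostile netblocks.

```python
"""Added example (not Webroot's product): a gateway-style URL check against a
blocklist of domains and IP ranges that can be refreshed from a text feed.
Every feed entry and URL here is constructed for the demo."""
import ipaddress
from urllib.parse import urlparse


class UrlBlocklist:
    """Domains block themselves and every subdomain; IPs and CIDR ranges block
    URLs whose host is a bare address inside them."""

    def __init__(self):
        self.domains = set()
        self.networks = []

    def update(self, feed_lines):
        """Consume a feed: one domain, IP or CIDR per line, '#' starts a comment.
        Calling it again merges the new entries, so the list can be refreshed
        without restarting the gateway."""
        for line in feed_lines:
            entry = line.split("#", 1)[0].strip().lower().rstrip(".")
            if not entry:
                continue
            try:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.domains.add(entry)

    def is_blocked(self, url):
        """Decide for one requested URL. Ports, upper-case hosts, trailing dots
        and bracketed IPv6 literals are normalised by urlparse/ipaddress."""
        host = (urlparse(url).hostname or "").rstrip(".")
        if not host:
            return True  # unparseable request: refuse rather than guess
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            return any(addr in net for net in self.networks)
        # Walk up the name: cdn.bad.example is caught by an entry for bad.example.
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))


# Constructed feed lines in the shape a subscription service might deliver.
SAMPLE_FEED = [
    "# constructed sample feed",
    "bad.example          # a known malware-serving domain",
    "203.0.113.0/24       # documentation range standing in for a hostile netblock",
    "198.51.100.7",
]


def build_gateway_list():
    """Build a list from the constructed feed, as a gateway would at start-up."""
    bl = UrlBlocklist()
    bl.update(SAMPLE_FEED)
    return bl


if __name__ == "__main__":
    bl = build_gateway_list()
    for u in ("https://cdn.bad.example/a.js", "http://203.0.113.40/",
              "https://news.example/"):
        print(u, "->", "BLOCK" if bl.is_blocked(u) else "allow")
```

Matching on parent domains matters because compromised content is often served from a subdomain or a fresh host under a listed name; matching bare IP literals catches the IFRAME sources that skip DNS altogether. The list is only one layer, which is the article's point about defence in depth.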


LEGAL

DATA PROTECTION AND THE ICO: INCREASED REGULATION IN 2010

Charlotte Walker-Osborn, Partner, and Laura Friend, Trainee Solicitor, Technology Group, Eversheds LLP, consider how the regulation of data protection is evolving in 2010.

The Data Protection Act 1998 (DPA) imposes wide obligations on businesses and public bodies in the UK who are responsible for processing personal data. 2010 will be a year of increased powers and, as a result, tighter regulation of data controllers.

Firstly, the Information Commissioner has been afforded enhanced powers under the Criminal Justice and Immigration Act 2008 (CJIA). The CJIA introduced the possibility of custodial sentences for persons convicted of offences relating to unlawfully obtaining, buying and selling personal information (or procuring any such act). The Information Commissioner’s Office (ICO) is currently monitoring the incidence of these events. The government is proposing to set the maximum penalty for such an offence at 12 months’ imprisonment and a fine up to the statutory maximum on summary conviction, and an unlimited fine and two years’ imprisonment on indictment.

Secondly, the CJIA introduced a power for the Information Commissioner to fine organisations for serious breaches of the eight key data protection principles in the DPA where a breach is the result of deliberate or reckless behaviour. The Ministry of Justice (MOJ) has recommended that the ICO should be able to fine data controllers up to £500,000 for such breaches.

Following the government-commissioned review of the handling of personal information by both the private and public sectors in 2008, the Coroners and Justice Bill was published in January 2009. The Bill has been debated by both the House of Commons and the House of Lords and is shortly due to be passed back and forth between the two Houses while each amendment is debated. Subject to any amendments prior to Royal Assent, the key effects of this Act, once introduced, will be:

The Information Commissioner’s powers for inspecting a data controller’s compliance with the data protection principles using an information notice will be strengthened. Under such information notices, a data controller will be required to provide specified information at a specified time and place, in a set period and in a specified form. There will, however, be restrictions added on the use of any information obtained under the extended power to ensure protection of the principle against self-incrimination.

In addition, the Bill allows data controllers to volunteer for a 'good practice assessment' by the ICO, to audit its data compliance. To encourage the uptake of such assessments, a data controller will be exempt from the imposition of any civil monetary penalties by the ICO for any breaches identified during such an assessment. However, should serious breaches be identified, an enforcement notice could still be issued to the data controller.

The ICO has called for a power to inspect the processing of personal data without the need for the relevant organisation’s consent or a warrant. The Bill does not provide this power, but does propose broader inspection powers for the Information Commissioner to require any person on a premises to provide an explanation of any document or material found on the premises and to require such persons to provide information that is reasonably required to determine whether there has been any contravention of the data protection principles.

The criminal offence of obstructing, or failing to assist, a person executing a warrant under the DPA is extended to include deliberately or recklessly making false statements in response to the new powers to require information. This right, however, will only apply to public authorities and the ICO has called for the right under the Bill to be extended to private businesses, and for the requirement for consent or a warrant before inspection to be removed.

The Information Commissioner would also obtain a further right to serve a government department or a designated public authority with an assessment notice to enable him to establish compliance with the data protection principles. The recipient of such a notice would be required to permit the Commissioner to enter any specified premises, to inspect and examine documents, information, equipment and material and to observe the processing of any personal data that takes place on the premises.

The ICO’s Annual Report 2008/9 has key themes of transparency, accountability and the ICO taking centre stage. The report stated that previously organisations marginalised data protection and compliance was deemed a low priority, but it is now a prominent part of news headlines and features higher on political agendas. An increase in prosecutions of data controllers for failing to notify on the ICO’s register; for unlawful obtaining and/or disclosure of personal data; and in other enforcement action for security breaches and breaches of the direct marketing requirements under the Privacy and Electronic Communications Regulations 2003, indicates that the effect of non-compliance is likely to increase in 2010.

© Copyright 2009 Eversheds. Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.


BOOK REVIEWS

Data Protection Pocket Guide, 2nd edition
Nicola McKilligan and Naomi Powell
BSI
ISBN 978-0-580-67561-4
£30.00

The Data Protection Act (DPA) 1998 has been in force for some years but until recently, there hasn’t been an equivalent data protection standard or readable guidance notes to help organisations enact the DPA principles. This year has seen the publication of BS10012:2009 and this pocket guide complements it. It is a second edition book with many new topics included since its first appearance and it contains copious references to the DPA as well as BS10012. It is unusual to find a reference book that is readable as well as being informative and this is both - it has been updated to reflect recent changes in the DPA and contains many interesting, but brief case studies in each of its 16 chapters to undermine the advice provided. The case studies are both topical and relevant - for example, the construction industry blacklist database is included.

What I also learnt from this pocket guide is that subject access requests for disclosure of personal data don’t have to reference the DPA itself, which isn’t widely known and could help the individual. I also discovered more about the work of marketing preference services and marketing regulations covering the use of email, SMS and MMS on just two pages than from anywhere else.

The chapter covering transfer of data overseas is interesting and of relevance to anyone contemplating outsourcing or moving their business operations to a country outside the European Economic Area. Guidance is also provided on the collection and processing of information from social networking sites and the control of cookies when browsing websites.

Overall, this is an excellent book that provides all you need to know to comply with the DPA and BS10012.

Peter Wheatcroft FBCS CITP

BOOK OF THE MONTH

9.5/10

Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century
Ryan Trost
Addison-Wesley
ISBN 9780596527488
£30.99

The author, along with other security experts, covers a range of topics, some of which reflect on the state of the art in network security, including network vulnerability analysis and geospatial intrusion detection techniques.

The first three chapters offer an introduction to the general area of intrusion detection, which is useful for those who are new to the area.

I found the section on capturing the tracer of exploit packets very useful. This is followed by writing a signature and then tuning it for performance.

Chapters 6 to 9 look at network flow data, web application firewalls, wireless IDS and physical security aspects. While a lot of this is covered in many other books, some of the readers may find topics on wireless security of interest.

Chapter 10 is the hidden gem in this book: it focuses on the use of geographical information systems (GIS) for the purposes of network security. The chapter is a thorough introduction to the topic and covers a huge number of relevant GIS concepts in detail.

The chapter ends in a case study where the readers are offered a step-by-step approach at how a professional attack can be detected. Chapter 11 covers the visualisation techniques to help with reporting and detection for IDS. I found these two chapters to be of most interest.

Undoubtedly, this book is put together with network security professionals in mind. It is a huge book and my worry is that many parts of it will not be accessible or relevant to many readers. Such a diverse scope of topics, with some entirely irrelevant to practical intrusion detection (such as Chapter 12 on return on investment for security), makes one wonder who the author had in mind for his audience. As such, I would recommend this book only to those with a specific interest in some of the topics covered.

Siraj A. Shaikh, MBCS CITP

6/10

Mobile Security - A Pocket Guide
Steven Furnell
IT Governance Publishing
ISBN 9781849280204
£19.95

Considering its provenance, this book is surprisingly easy to read and presented in a digestible series of seven chapters. Each chapter concludes with a short bullet list of ‘Takeaways’, which could be used as the basis for the discussion and development of mobile security policies in your business workplace.

The opening chapter identifies the range and increasing capabilities of mobile devices, including laptops, PDAs, mobile phones, media players and removable storage. The introductory discussion compares the benefits of mobility to the business against the new range of risks opened up by mobile technology.

Moving on to ‘Surviving Outside’, the author looks at the benefits associated with the freedom to roam outside the safety of the workplace, and the fundamental consequences of the exposure to loss or theft.

Consideration is then given to the issues around connectivity, such as Wi-Fi and Bluetooth, where security depends more particularly on the user’s discretion.

The author then explores the importance of giving access to the right person and pays attention to the challenges posed by the current dominance of passwords and PINs. The chapter on ‘Safeguarding your Data’ considers that the true value of mobile devices comes from the data that they hold or that can be accessed through them; and looks at potential threats.

The penultimate chapter of the book considers the attacks that specifically target mobile devices and makes the point that although worms and viruses have yet to appear in volume on current mobile devices (laptops excepted), we are likely to see mobile platforms affected in the future.

Overall this is an excellent primer into the issues surrounding mobile security, throwing light on emerging issues.

George Williams, MBCS CITP MIMC

9/10


OPINION

YOU’RE THE WEAKEST LINK

With the new year fast approaching, John Mitchell says future technology will be all about managing people.

It’s that time of the year when we try to crystal-gaze into the coming year. In the financial columns the journalists are hung out to dry on their previous guesses as to what was going to happen in the current year, but we IT governance, security and assurance specialists usually get away scot-free because we are smart enough not to try to predict the unknowable.

However, as this is December 2009 and the editor has requested, asked, nay demanded that as an assurance provider (auditor in real speak) I must provide said prediction, I will attempt to fulfil my duty. I have previously written that 'we can control the technology pretty absolutely, but we can only manage the people' and that is my prediction for 2010. We will continue to tie down the technology and we will expand its ability to protect us from wayward humanity by preventing attacks while enhancing its monitoring capability to detect misuse of the technology. The mantra of 'confidentiality, integrity and availability' will be expanded to embrace 'compliance'.

IT governance

Compliance not just with statutory and regulatory requirements, but also with international standards and best practice. Organisations are now approaching me with requests as to how they can enhance their IT governance, whereas until very recently I was hammering on their doors trying to obtain admittance. Why this change in behaviour? First, there is growing recognition that it is humans that are the risky component and as they can only be managed, you need to have a suitable governance structure that recognises and manages the key risks. Trust is no longer an option as a control mechanism. Something stronger has to be put in its place, which brings me to the main international standards for IT: ISO 38500 for IT governance, ISO 20000 for service delivery, ISO 27000 for information security and ISO 9126 for software quality. Wrap these up with ISO 9000 for quality assurance and you have a pretty bullet-proof IT function. If you then adopt best operational practices from Control Objectives for IT (CobiT) and value for money concepts from Val IT, you can prove your governance maturity to anyone who asks. These two products from the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) respectively provide a wealth of information on the control and management of IT and its associated people.

Security is a sub-set of governance and I visualise the security professionals embracing the governance concept as a way of both expanding their power base and protecting their rear ends. The use of metrics to show that their protection and monitoring mechanisms are both effective and providing value for money will become a standard part of their toolset. After all, Sir Robert Peel said that the measure of a good police force was the absence of crime so it can be argued that the measure of good security is the absence of security breaches; especially if other organisations are experiencing an increase in security events.

Now, you cannot collect these metrics without knowing what to collect, which is where the risk governance framework comes into play. I can hear your groans now, but there is a direct correlation between good risk management and governance maturity. Basically if residual risk is low because of good control, then governance maturity is high. I can measure the governance maturity of any IT function in just a few days by examining its relative maturity across 34 key IT processes. The difficult part for the IT function is deciding how it then goes about improving its maturity in selected processes. They get depressed when I show them that their change management process is based on a trust model. Remember the audit motto: trust but verify. True for governance too. And when did you last find a security professional who trusted anyone?

So here are my predictions for 2010 and these are threats to the security manager. Less trust in trust. More trust in using standards and best practices. More metrics to prove that the governance model is effectively operating. More reliance on the technology and less on people. But as the technology is designed by people there will be a rise in the need for suitably qualified security managers. What qualification? Well, there is only one candidate here: the Certified Information Security Manager (CISM) from ISACA. CISSP is fine for the security administrator, but I am talking high-level security governance. Sorry, but that’s the way the game is going.


Gartner Identity & Access Management Summit 2010
3 – 4 March 2010 | Lancaster London, UK | europe.gartner.com/iam

Register Now: europe.gartner.com/iam
Tel: +44 208 879 2430
Email: [email protected]


The Gartner Identity & Access Management Summit will help you to exploit the full potential of new and future IAM investments, to fully realize their risk-management and governance benefits and their direct business value.

Prepare for the Best: The IAM Enabled Business

View the full agenda online at europe.gartner.com/iam
