Human Factors

Posted in Uncategorized on 10 Jul 2012 by Stuart Aston

So… about 50% of security events require some level of human interaction to be successful; this is an unpleasant reality. Technology, at the moment, just isn’t smart enough to deal with a user who isn’t aware… It’s difficult to have digital solutions to analogue problems…

I commute into London on a regular basis, and this morning I was sat between two people using their computers for business, one from a commercial organisation and one from a public sector organisation. Both were processing, in clear sight, information that was sensitive to their organisations: predicted sales for the commercial employee and a draft policy document for the public sector employee. I will let the reader judge whether that is sensitive or not, but to me it was interesting reading.

If the screen can display it and I as a user choose to display it, then anyone who can see the screen can see the data… So whilst it’s convenient to work on the train (I do it, and am doing it as I type), I tend not to work on sensitive material… My PC is secure, but it won’t stop someone “shoulder surfing” my screen.

The technology won’t fix this problem; we need to teach the user how to behave, and it needs to be driven into the culture of our organisations from the top. If it’s not… well, then the technology is almost not relevant. Sure, technology will get better, and sure, you can minimise the risk by architecting the technology in a sensible way, but the user must be informed on how to manage risk…

Cyber Security Snake Oil

Posted in Cyber Security on 1 May 2012 by Stuart Aston

A friend of mine uses the phrase “Pixie Dust” a lot when he looks at security products; that and a phrase along the lines of “My granny could break into that…”. Essentially it is a vendor making a classic “snake oil” sales pitch, upgraded for the cyber-security age.

I have really only recently begun to encounter this in volume, I used to encounter small pockets of it here and there with specific customer engagements over the years, but it does seem to be in growth.

Some top tips for spotting the “Cyber Snake Oil” salesman:

- My product is unique … well ok, this one might be true, but chances are it isn’t.

- My product is invulnerable … no it isn’t, it’s software built by humans, ergo it is vulnerable, and not knowing where it is vulnerable is not the same as being invulnerable.

- My product cures all known and unknown malware/vulnerabilities … err… ok, let’s just think about that for a couple of picoseconds… no, still sounds like nonsense to me.

- My product is secure even if the client is compromised, or it is impossible to compromise the client … this is very popular and at best usually comes from a failure to understand how a secure channel can work … “but I have a secure tunnel” “yes, and the end of it is already pwn3d so it can see all the way into the tunnel” … “but, it uses ‘military grade’ encryption” … sighs and breaks out the clue stick…

- My product is completely non-invasive … if it is prompting me to do anything then it’s not really non-invasive; perhaps you meant it has zero client footprint? You did? And you still want to claim it’s secure even if the client is pwn3d… I see… Actually, with good 2FA this is possible (or at least it limits the compromise to the current ‘session’): something I have and something I know is good, but if the thing you have is the thing that’s pwn3d then not so much…

In many cases this is done by people who are well meaning; they actually believe the “snake oil” works; which just goes to show that social engineering is alive and well …

The reality is that some of these products might actually add some value and make the attacker’s job more difficult, but only if you have done basic hygiene first:

- use strong passwords; we may not like passwords as a security token but they are here to stay for the time being, so you might as well use a strong one…

- apply security updates regularly, for all the software on your computer; it’s not sexy, it doesn’t feel like “cyber”, but it does make it much more difficult for the bad guy when he doesn’t get a free pass …

- use a good AV product and firewall … if you are using Windows you can get them for free…

- invest in new products… well you would say that, wouldn’t you … look, at best the security model of any given bit of software is as robust as it was the day the product shipped, and more realistically as robust as it was the day it was designed or built. But the attacks that it receives evolve over time, unlike the architecture of a given bit of software. Newer versions of software typically have more and more defences built into them, so the newer a bit of software is, the more difficult it is likely to be for an attacker to overcome its defences.

It’s not that “cyber security products” won’t make you more secure, many of them will, but if you haven’t done the basics then it really will not make any difference.

So… do the basics, then have a look and see if a specific technology can add value to your specific scenario. Who knows, it might just work… or it could still be snake oil, but one thing’s for certain: if you don’t do the basics it makes the bad guy’s job trivial, and no snake oil on the planet will save you then.

10 years of building trust

Posted in Cyber Security, Security, Security Development Lifecycle, TWC on 12 Jan 2012 by Stuart Aston


When I joined Microsoft the world was a different place: we were not always connected and always on, and computer threats were a curiosity for the majority. That started to evolve rapidly, and 10 years ago today Bill Gates published his memo on Trustworthy Computing; he laid out the change of direction we would take as a company, placing security and trustworthiness as an integral component of the way in which we build software and deliver services to our customers.

Over those 10 years we have changed and evolved; SDL is now an integral component of developing software not only inside Microsoft, but also for many partners and developers around the world. We have made significant contributions to improving Security, but also Privacy, Reliability and Business Practices. Newer software continues to be safer software, as we have shown in our Security Intelligence Reports, as a result of our efforts in SDL. Microsoft Security Essentials is freely available to those who desire to use it to protect their computers.

In the last 10 years we have learnt a lot and built trust with many of our customers, and trust is one of the greatest assets that a company can have. But to maintain that trust, Trustworthiness must continue to evolve and grow to deal with the changing environment; as people place a greater reliance on computing and it becomes entwined with every aspect of our daily lives, we must continue to advance trust in technology.

But this is not something that any one technology, individual or company can accomplish alone; we will continue to work with government and industry partners on combating cyber criminals through the work of the Digital Crimes Unit and their work on botnet takedowns and PhotoDNA, but it is only achievable by working with partners and working together to make the internet a safer place.

How can you celebrate it? I think that we can best celebrate an event by embracing it:

- Moving to x64 based architectures as part of a defence in depth strategy

- Moving to the most recent version of software that you can and keeping it patched and up to date

- Employing SDL in your development practices, or looking for behaviours like SDL in software you procure for your business

- Educating your users and developers about best practice for them, and acceptable risk for you

- Educating your family on how to be safe online.

Trustworthy computing is more important today than it was 10 years ago, and we remain committed to delivering it, with our partners.

Tell a friend…

Posted in Cyber Security, Fraud, Security, SIR, UK on 4 Nov 2011 by Stuart Aston

So, in our latest SIR report we note that about 50% of attacks we see require some form of user interaction; more and more criminals are using confidence tricks, either online or over the telephone, to target “us” and get our money.

The reality is that the best defence to these types of attack is personal awareness that the problem exists; sure, IE9 and other modern browsers can help protect you, as can AV, having a strong password and staying current on all your software and keeping it updated, but all those defences are not present when a criminal phones you up claiming to be from a reputable company offering you support. Just to be clear: we will not phone you, and nor will any of our partners, offering support for a fee.

If you are a consumer and you think you have a security problem use this link:

https://consumersecuritysupport.microsoft.com/default.aspx?locale=en-gb&st=1&wfxredirect=1

or to contact us more generally look here:

http://support.microsoft.com/contactus/cu_sc_selector_telephone?ws=support

Cut and paste them into your browser.

Next week is Get Safe Online week; it’s about promoting awareness of these issues and helping people and businesses be “safer online”. Be aware, tell a friend and get them to go and read www.getsafeonline.org. Who knows, if we can get our friends to be safe online maybe we can get our businesses to be safe as well…

SEC == Security

Posted in Cyber Security, Government, Security, SIR on 23 Oct 2011 by Stuart Aston


CF Disclosure Guidance: Topic No. 2 – Cybersecurity

I would have completely missed this if it wasn’t for a colleague who spotted it; she described it as “This is the single largest announcement in cyber security in 10 years”…

And she is right to do so; this fundamentally changes the behaviour of companies in relationship to security.

By getting companies to report incidents and assert a value associated with the loss it puts Cyber Security on the agenda of the board, which is where it should have been for the last decade at least.

It enables investors to make choices based upon reported incidents, and to determine whether a company is a wise investment in comparison to its peers.

Well done SEC… now maybe the customers will do security updates in a timely fashion, and take user education about security seriously as an investment in investor confidence. 

It will be interesting to see how they report and what mitigations they start to take; in our latest Security Intelligence Report we note that of the most common attacks we see, most do not use a 0-day and can be mitigated with simple maintenance, and that just under half require some level of user interaction. Hopefully this will put both patch management and user training on the board agenda of all publicly traded companies.

Cloud and End Points and Security

Posted in Cloud, Security, Security Updates on 19 Oct 2011 by Stuart Aston

So…a question that often throws me for a loop is this:

“If ‘I’ move to the cloud I don’t have to worry about security at my client end point, right?”…

err… no that’s not right.

But, “why”, I hear you ask?

Well, of course, if you go to a reputable cloud service provider they will apply security updates to the servers that provide you services; as commercial providers of services they will keep those servers up to date, and hardened to deal with attack, utilising defence in depth, etc…

But the end-point, the thing that accesses the actual data, mail or services, still needs to be kept up to date, as much as it does in a non-cloud scenario. That’s still ‘your’ responsibility as an IT professional for your environment; you still need to manage it. Malware will still be able to take data from these devices using un-patched vulnerabilities, using the privileges of the user.

Do we have to do less work keeping things up to date? Well, yes: those servers that you no longer manage and have moved to the cloud will be updated by the service supplier in the SaaS and PaaS models. In the IaaS model, the user is still responsible for managing the patching of the guest operating system, whatever it is.

Of course you could always move the management of the endpoint to the cloud using a service like Windows InTune.

In summary; moving to the cloud doesn’t mean you can just “stop” updating your end points, depending on the model of cloud service you adopt you may be able to stop patching some of your servers.

PassW*rd N0t Al!0wed

Posted in Passwords on 1 Sep 2011 by Stuart Aston

I came across this article the other day, Nick Helm’s password joke is Edinburgh Fringe funniest, and I said to some friends that actually that’s not a bad password strategy: add some complexity and some diversity for each site you go to and it’s pretty good (trust a security geek to take the fun out of it). One of my friends said “Sadly – at least in my experience – 99% of sites (and therefore developers?) still do not allow special characters and/or phrase long passwords”.

Hang on – What! Why on earth not? Back in the dim and distant past like the 1990’s that might have been acceptable, but, not today!

So I’m not much of one for “a call to action”, but, being secure with a password is hard enough without some developer denying me the complexity we need to make it “safe”…

So I would ask you when you next change your password on a site and it says something like “we don’t allow spaces or special characters” ask yourself what is it protecting and then complain to the site owner; get them to change it, after all it’s only protecting your data…
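As an added example (not code from the original post), here is a small Python sketch of the kind of password-acceptance rule the post complains about beside one that accepts spaces, symbols and long passphrases, plus a PBKDF2 hash showing that the stored digest is the same size whatever the input, so storage is no reason for the restriction. The two policies, the sample passphrase and the iteration count are constructed for illustration only.

```python
import hashlib
import hmac
import math
import os
import unicodedata
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for this example


def legacy_policy(password: str) -> bool:
    """The rule the post complains about: ASCII letters and digits only,
    no spaces or special characters, and a hard cap of 12 characters."""
    return 6 <= len(password) <= 12 and password.isascii() and password.isalnum()


def modern_policy(password: str, min_len: int = 12, max_len: int = 256) -> bool:
    """Accept any printable Unicode, including spaces and punctuation. Only
    a length floor and a generous ceiling remain; the ceiling keeps
    multi-megabyte inputs away from the hash, not real passphrases."""
    pw = unicodedata.normalize("NFKC", password)
    return min_len <= len(pw) <= max_len and all(c.isprintable() for c in pw)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 yields a fixed 32-byte digest whatever the input
    length or character set, so storage is no reason to forbid symbols."""
    salt = salt if salt is not None else os.urandom(16)
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound, in bits, on the entropy a policy even permits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = "Snow White & the Seven Dwarves"  # constructed sample passphrase
    print("legacy policy accepts it:", legacy_policy(phrase))  # False
    print("modern policy accepts it:", modern_policy(phrase))  # True
    print("bits allowed by legacy cap: %.0f" % keyspace_bits(62, 12))  # 71
    salt, digest = hash_password(phrase)
    print("round trip verifies:", verify_password(phrase, salt, digest))  # True
```

The 12-character alphanumeric cap bounds every user at roughly 71 bits of entropy, whereas a 30-character printable-ASCII passphrase has room for nearly 200 bits; the digest stored for each is identical in size.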
