Yesterday I had the pleasure of attending the Digital Security & Governance for SMEs at Northumbria University. The purpose of the event was to help SMEs better understand that threats targeting their information systems, their responsibilities in securing personally identifiable information (PII) and to introduce NUWARP (more later).
After the event was introduced, the first slot was taken by David Reynolds, CEO of the International Association of Accounts Innovation & Technology Consultants (IAAITC). An accountant may have been a strange choice to start a Digital Security event but that was the point, David covered sensitive information that is handled by all types of businesses as well as covering the legal and regulatory requirements that impact all businesses. Covering the most common compliance topics including the Data Protection Act (DPA) and Payment Card Industry Data Security Standard (PCI DSS) David did an excellent job of highlighting that information security is relevant to all employees and business types, not just ‘IT’ companies or the secret techie hidden in the back corner.
Next up Paul Holborow from RMT discussed data loss and the impact that this can have on a business. Given the press coverage it received in 2007 it is no real surprise that Paul’s main case study focused on Revenue and Customs lost CDs, but Paul may have been slightly unnerved to discover some of HMRC’s auditors could be found in the audience. If you’ve spent much time working with information security or business continuity planning Paul’s talk wouldn’t have contained too many surprises, one tip that I did take from the talk was that the Information Commissioner’s Office (ICO) maintains a public list of the complaints that it has investigated, if you’re interested in a particular complaint, or just curious about what the ICO gets involved in give it a look here.
Phil and Colin, both from the University discussed their work into monitoring data leakage from an organisation. Like Paul’s talk previously if you understand and have worked with data leak prevention (DLP) technologies you’re unlikely to be surprised, but the content was definitely new to some of the delegates who I observer furiously scribbling notes. It also seemed to come as a surprise to several delegates when Phil stated that approximately 70% of security breaches are the result of insider’s not ‘mysterious hackers out there’. There were some excellent real-world examples, the one that seemed to hit home to most of the audience was the scenario of the sales person taking the client database with them to a new job. A lot of the statistics used in the talk were sourced from Cyber-Ark’s white paper ‘The global recession and it’s effect on work ethics’ (registration required), definitely worth a read if you’re interested in this area.
Chris Laing provided a live demo of an external attack. As Chris introduced himself as ‘an ethical hacker paid to break into your systems’ I was looking forward to the display, but was disappointed when Chris took control of a Windows 2000 server using an old MSRPC exploit with Metasploit. The scariest aspect of the whole event was the fact that almost every delegate took a deep breath and turned white. I did ask Chris the thinking behind using an old exploit and target, and was told he was concerned about scaring the audience too much and that some of them may be concerned that he was making exploits ‘known’ that target systems they run in production. Personally I would argue that if the exploit is already in Metasploit (framework 2, demo used WHAX as an attack platform) then it is already ‘known’ and that the demo could have had a much greater impact targeting a more recent platform. However I can understand Chris’ reasoning, and the demo still had an impact on those that hadn’t seen Metasploit at work before. My only concern would be that some may have left the event thinking ‘that was scary, glad we upgraded from Windows 2000….’
The last presentation slot was taken by Alison Pickard who discussed ‘What is effective information crisis management’. Covering the ‘softer’ side of information security Alison’s talk did an excellent job of highlighting how simple it can be for organisations to fall foul of information security regulations. Alison introduced an excellent resource that I wasn’t previously aware of in JISC infoNet. if you’re responsible for personal information or it’s security (stop thinking, after Alison’s presentation this means EVERYONE) I’d definitely recommend have a browse and seeing what you can learn.
To finish the event after scaring most of the delegates Chris again took the stage to introduce the Northumbria University Warning Advice and Reporting Point (NUWARP). For those unfamiliar with WARPs, they are:
I was definitely impressed with the proposed services to be provided by NUWARP, hopefully the group should be able to significantly improve the security awareness and defenses of local businesses and those in a wider area. Although there is a cost attached to the services provide I was honestly surprised with how low this was in relation to the specialised knowledge and information available, and as NUWARP is set-up as a non-profit all costs get fed back into the service so the resources available can only improve.
As a taster and bonus to event delegates the event pack included a number of high quality ‘best practice’ data sheets covering a full range of information security topics including the DPA, passwords and securely outsourcing. If you want additional information on NUWARP contact Chris or Phil using information in the links above, the NUWARP is something I would definitely recommend investigating to see how it could help your organisation.
— Andrew Waite
Cleaning the harddrive of any machine, be it desktop, laptop or server, before either repurposing or selling (or even scrapping), should be a basic requirement of any organisation. But there is a seemingly unrelenting stream of reported incident, some of which coming from organisations that really should know better, MI6 and military contractors for example.
Is securely wiping data from drives really that difficult? Not really.
Simply boot the system with nearly any live linux system (I use Knoppix for this kind of work), then simply use dd (discussed previously to image drives) to overwrite the drive with random data. For example:
dd if=/dev/urandom of=/dev/sda
This simple overwrites the entire physical drive, sda, with random data taken from the pseudo device /dev/urandom. For more indepth info on wiping with dd and some different options see this guide.
The downside to wiping drives in this method is the length of time involved, in recent cases I have seen a 80GB drive take a little of five hours to complete.
Disclaimer: this may not make your data completely irratrievable but it should be enough to prevent the data being obtained by the simply curious. To truely ensure irratrievable data, try this method.
Disclaimer’s Disclaimer: Server destruction should only be carried out be trained professionals, InfoSanity accepts no responsibility for loss of live, limb or eyebrow)
Quick heads up to anyone following the Phorm/privacy debates: The government’s response to an e-petition to ask the government to stop ISP’s from breaching privacy laws has been released.
The full response can be read here, it’s fairly short so I won’t go into too much detail, but I’m glad to see the government is taking this seriously and not passing the buck to the ICO (the ICOs view):
ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions. However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology. They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.
“Thank you for bringing this to our attention; your concerns are very important to us; your concern will be answered shortly…”
New story seems to be everywhere at the moment. It appears that the BBC has ‘investigated’ the impact of botnets by hiring a 22,000 strong herd and ‘testing’ on there systems, but still utilising 22,000 compromised, private machines. Original BBC article is here.
There have been many sites (The Register and The Guardian) have asked the question as to whether this is legal. The BBC article claims that:
‘If this exercise had been done with criminal intent it would be breaking the law.’
Although several places have pointed out that criminal intent is not required for a criminal act (IANAL so please don’t quote me on that).
The ‘ethical’ botnet/virus/trojan/etc. has been debated for many years (discussed in Aggressive Network Self-Defense and debated by the Tipping Point team during their analysis of Kraken). Personally I think it speaks volumes that the technical experts stop short the actions taken by the BBC, but the journalists blow through without compunction.
Will be interesting to see how this plays out.