WINTER 2010 www.bcs.org/security

FUTURE THREATS
With new, powerful mobile devices come new and dangerous threats

08 MOBILE BOT THREAT
We all know about the botnet threat to PCs, but now this is extending to mobile devices too.

12 BLOCK CRIMINAL CLOUDS
When you consider the power and capability of the cloud, it’s not surprising that criminals use it.

THE MAGAZINE OF THE BCS SECURITY FORUM

Winter 2010 ISNOW 03

04 ISSG PERSPECTIVE
Gareth Niblett, Chair of the BCS ISSG, gives his view on future threats.

06 THE E-CRIME BUSINESS
Cyber crime is now run as a business so what can be done to stop it?

08 THE MOBILE BOT THREAT
We all know about the bot threat to PCs, the risk is there for mobile devices too.

10 OUT IN THE COLD
Small businesses can be left out when it comes to digital forensics.

12 BLOCK CRIMINAL CLOUDS
It’s not that surprising that criminals are now using cloud computing.

14 BIOMETRIC REVOLUTION
Is now the time to truly embrace technologies like fingerprint and iris readers?

16 LEGAL
A look at some issues around data sharing and the Data Protection Act.

18 OPINION
When it comes to safeguarding your belongings you need more than just good locks.

EDITORIAL
Henry Tucker, Editor
Brian Runciman, Managing Editor

PRODUCTION
Florence Leroy, Production Manager

Advertising
E [email protected], +44 (0) 20 7074 7921

Keep in touch
Contributions are welcome for consideration. Please email: [email protected]

ISNOW is the quarterly magazine of BCS Security Forum, incorporating the Information Security Specialist Group. It can also be viewed online at: www.bcs.org/isnow

The opinions expressed herein are not necessarily those of BISL or the organisations employing the authors. © 2010 British Informatics Society Limited (BISL). Registered charity no. 292786.

Copying: Permission to copy for educational purposes only without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage; BISL copyright notice and the title of the publication and its date appear; and notice is given that copying is by permission of BISL. To copy otherwise, or to republish, requires specific permission from the publications manager at the address below and may require a fee.

Printed in the UK by Interprint, Swindon, Wiltshire. ISSN 1752-2455. Volume 5, Part 2.

The British Informatics Society Limited, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. T +44 (0)1793 417 424 F +44 (0)1793 417 444 www.bcs.org/contactus. Incorporated by Royal Charter 1984.



ISSG PERSPECTIVE

Gareth Niblett, Chair of the ISSG, looks at some of the things we should be looking out for in the security landscape for 2011.

The start of each New Year brings festive cheer and thoughts about what security related treats we might see in the coming year. I think 2011 may bring:

Targeted malware – next generation spear-phishing. The emergence of Stuxnet, which combines traditional malware techniques with a specially crafted targeting mechanism and payload parameters, may signal a new form of deniable attack. Even with the time and resources required to develop the intelligence and programming that feeds into such software, it could still be a much more cost effective and politically acceptable virtual approach versus physical alternatives. This attack vector is likely to be picked up by other online ne’er-do-goods.

Secrets revealed – exposing truths. Wikileaks, Cryptome, The Smoking Gun and others have a track record of exposing the secrets of governments, corporations and individuals. State and court sanctions are unlikely to deter all those seeking to expose unlawful, hypocritical and immoral activities. Once details are released on the internet it is too late, however good your censorship capabilities are, and if the traditional press get hold of it too it’s as good as over. As people learn the effectiveness of such exposure we may see more whistleblowers emerge.

Personal intrusions – self-exposure. From airport security officials wishing to either irradiate us or touch our junk; governments wanting to know about our worldwide banking arrangements, health, happiness and online activities; social networks wanting to know where you are, who your friends are and what you’re saying; advertisers wanting to know where you are and what you’re interested in; employers wanting to know if you’re a suitable hire or risk to the business. Happy New Year – hopefully.

Gareth Niblett is Chairman of the Information Security Specialist Group (ISSG).
www.bcs-issg.org.uk

FURTHER INFORMATION
Information Risk Management and Assurance Specialist Group: www.bcs.org/groups/irma
BCS Security Portal: www.bcs.org/security
ISNOW online: www.bcs.org/forum/isnow

COMING THREATS

CLOSING THE E-CRIME BUSINESS

Organised crime is run as a business so should we be surprised that the same methods are being used in order to deploy malware? Recent reports have suggested that organised crime in the UK may be moving into e-crime, says Tony Proctor, WARP Manager at the University of Wolverhampton.

This is happening because of the high rewards to be gained and the difficulty in detecting those who ‘do it well’. As legitimate businesses have moved online it is natural that the less legitimate seek to gain the same benefits. Malware and the internet really do make it possible for a global business to be established overnight.

The con trick has evolved into social engineering. It plays an increasingly important role in targeting users and helps to establish the credibility required to manipulate users into acting in a way that they would not normally do. The use of online social networks has provided an assistive environment in which a fraudster can conduct research in order to produce targeted phishing attacks. As new technologies emerge into wider use, they will present business opportunities for e-crime.

Spam spotting
The manner in which a user is enticed to run malware on their computer demonstrates an increasing level of professionalism. For example, it is becoming more difficult to determine an obvious spam email because the mistakes in the use of language and grammar have decreased. The world-wide uptake of broadband has produced an increase in non-English spam and reports suggest that spammers are recruiting native speakers in order to target particular nations. There remain a number of countries where legislation or enforcement is weak and that can serve as safe havens where e-criminals can operate unhindered.

The methods of coercion also continue to evolve. For example, in recent instances a phone caller claims to be from a credible organisation and informs the receiver that they have detected a problem with their computer. As the conversation progresses, the user is talked through downloading a program (malware) to solve the problem.

It is also interesting that despite all the knowledge and experience that exists in the information security world, we still seem unable to accurately identify the origins and purpose of some of the major malware attacks (e.g. the Conficker worm). The suspicion is that large botnets of this type are owned by criminals who make them (or parts of them) available for hire. E-criminals make use of fast-flux hosting. This means that the spam servers or those downloading updates to compromised hosts will change every few minutes. Hence detection can be extremely difficult.

The capabilities of terrorists to conduct electronic warfare are often hyped in the media and played down officially. But there is a link between some organised crime and terrorists who need to obtain and launder money to support their operations. Equally, those who make malware services available for purchase are unlikely to worry about who they are selling to (assuming that it is even possible).

Why don’t we know more about the shady organisations that are behind e-crime? The answer is because they are criminals. You don’t tend to know too much about the underworld unless you deal directly with it. So whilst e-commerce racketeers require the web to sell their services, tracking their activity is made difficult by evasion techniques (e.g. the use of money mules) and technology (the anonymity that the web can provide).

Share and share alike
Underground networks exist on the internet where hackers share information and can be contracted to produce malware. Reports suggest that malware can be easily bought ‘off the shelf’ from £200 with various add-ons / customisation available that make it difficult for defensive software to detect. Some reports even suggest the availability of money-back guarantees.

Corrupt networking companies exist too. These effectively act as ISPs for criminal activity. They knowingly facilitate the downloading of illegal material, phishing emails, malware and other criminal activity.

The many tools that are readily available on the internet can be either deadly or useful depending on whether the colour of your hat is black or white. Frameworks such as Metasploit can serve as starter kits for malware development. The clarity with which malware can be identified as a virus, Trojan or worm is becoming blurred. Thanks to botnets, the functionality of a piece of malware is determined by the nature of the update that the infected host receives. So something that is on one day a Trojan can the next day become a virus or a worm.

However, ‘professional’ malware goes beyond developing code simply to compromise a device. Increasing sophistication means that the malware may, for example, install itself at root level and virtualise the machine, running existing applications in a virtual machine. Hence it is much less likely to be detected by AV programs. It then creates a backdoor so that if it is found and removed it can be re-installed. It might install its own AV so that it continues to have the dedicated use of all resources. The aim of professional malware is to support business continuity and hide any trace of its own existence.

The internet was not designed with security in mind and it lends itself to an entrepreneurial approach that cannot be restricted to legitimate activity. The crime is only limited by the imagination of the criminal. Hence prevention, detection and (where possible) prosecution is an inevitable player in a continuous game of catch-up.

Vigilance
How can we defend effectively against malware that slips beneath the radar or zero day attacks? The emphasis has to be on vigilance in an effort to identify incidents early. That is to say, we educate and encourage users into noticing and reporting the unusual and we develop and deploy better heuristic based products to detect and react to unusual activity. Perhaps a secure cloud is the answer to many of the problems that we currently experience or maybe e-criminals will simply find new and innovative ways to continue their business.
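To make the fast-flux point concrete, here is an added Python example (not code from the article or its author) that scores passive-DNS observations for the churn described above: short TTLs and answers that rotate every few minutes across unrelated networks. The log format, domain names and thresholds are constructed for illustration.

```python
"""Score passive-DNS observations for fast-flux churn.

Constructed sample data (not from the article): each line is
"<epoch> <qname> <ttl> <ip1,ip2,...>", as a resolver might log A-record
answers for the same name over a twenty-minute window.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = """\
1291200000 updates.example-flux.test 300 203.0.113.5,198.51.100.77
1291200300 updates.example-flux.test 300 192.0.2.14,203.0.113.201
1291200600 updates.example-flux.test 300 198.51.100.9,192.0.2.250
1291200900 updates.example-flux.test 300 203.0.113.88,198.51.100.140
1291200000 www.example-static.test 3600 192.0.2.10,192.0.2.11
1291200600 www.example-static.test 3600 192.0.2.10,192.0.2.11
1291201200 www.example-static.test 3600 192.0.2.11,192.0.2.10
"""


def slash16(ip: str) -> str:
    """Coarse network key: hosts in different /16s are unlikely to be one farm."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"


@dataclass
class DomainStats:
    observations: int = 0
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)
    min_ttl: int = 10**9
    answer_changes: int = 0  # lookups whose answer set differed from the previous one
    last_answer: frozenset = frozenset()


def parse_log(text: str) -> dict:
    """Aggregate per-name statistics from the log lines."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, qname, ttl, answers = line.split()
        st = stats[qname]
        answer = frozenset(answers.split(","))
        st.observations += 1
        st.ips.update(answer)
        st.prefixes.update(slash16(ip) for ip in answer)
        st.min_ttl = min(st.min_ttl, int(ttl))
        if st.observations > 1 and answer != st.last_answer:
            st.answer_changes += 1
        st.last_answer = answer
    return dict(stats)


def is_fast_flux(st: DomainStats, max_ttl: int = 600, min_ips: int = 5,
                 min_prefixes: int = 3) -> bool:
    """Heuristic with illustrative thresholds. A low TTL on its own is normal
    for CDNs; the combination with many IPs spread over several networks and
    answers that rotate between lookups is what the article's 'change every
    few minutes' looks like in resolver data."""
    return (st.min_ttl <= max_ttl
            and len(st.ips) >= min_ips
            and len(st.prefixes) >= min_prefixes
            and st.answer_changes >= 1)


def flagged_domains(text: str) -> list:
    """Names that meet the heuristic, sorted for stable reporting."""
    return sorted(q for q, st in parse_log(text).items() if is_fast_flux(st))


if __name__ == "__main__":
    for name, st in parse_log(SAMPLE_LOG).items():
        print(name, len(st.ips), "ips,", len(st.prefixes), "/16s, min ttl",
              st.min_ttl, "->", "flux" if is_fast_flux(st) else "ok")
```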

For more articles go online to: www.bcs.org/articles


STOPPING THE MOBILE BOT THREAT

We all know that we need security software on our PCs, but how many of us have protection for our smartphones? Lannon Rowan MBCS examines the threat of botnets to mobile devices.

The current worst challenges that are faced daily by security and risk management originate from blended threats and Web 2.0. The notion of a blended threat is an attack that targets different areas of the network. Since 2007 attacks have been gaining in complexity and as such require new security approaches. Web 2.0 has added to the problem by allowing users to operate in real-time in any location at whatever time they want. Security research findings show a 250 per cent increase in malware from 2009 to 2010.

Blended threats change continually and this means that signature-based content security systems are often out of date in less than 24 hours. At the start of 2010 the first genuine threat to mobile devices was reported. The Zeus bot was specifically crafted to steal banking details of mobile phone banking users.

Two things have happened since; the first is that the number of infected systems has risen and the second is that the bots are now able to steal more than just banking details (100,000 currently infected - BBC 4 August 2010). Bots can make calls or send SMS messages to premium numbers as well as other insidious actions without the user knowing.

A criminal is now able to make a profit from these bot attacks and as history has shown, if there is money to be made, more resource will be used to specifically target users via attacks that are country or company specific to maximise additional revenues.

The application layer in itself is under constant exploit and attack and this also affects mobile users. Adobe has had to implement a fixed security patching cycle because of the number of security vulnerabilities being found on its products. Mobile devices also use some of the products and it could be possible to exploit a mobile phone that accesses a website in the future. When one problem is fixed it sometimes creates another unknown problem in its place.

Looking at the market progress, the risks are increasing by 250 per cent a year and the threat is originating from blended threats, such as bots that can steal mobile banking details. The threat is starting to develop teeth and the countdown to widespread security incidents started in 2007.

The following are some of the preliminary findings from the Juniper research centre:

• An analysis of Android Marketplace applications capable of malicious activity showed that 1 out of every 20 applications requested permissions that could allow the application to place a call without the user’s knowledge.
• A Fortune 15 company found that five per cent or 25,000 of its mobile devices were infected with malware.
• Calls to high premium numbers could generate revenue for attackers.
• A 250 per cent increase in malware from 2009 to 2010.
• Malware could move from mobile to PC platforms and harvest a lot more information.
• 61 per cent of all reported smartphone infections were spyware, capable of monitoring communication from the device.
• A different kind of big brother is listening to all your calls. Think of the implications.
• 17 per cent of all reported infections were text message Trojans, which charge fees to a device’s account holder.
• Attackers want to make money. Mobiles offer a new way for them to do that.

‘People are using smartphones to access work files, store personal information, conduct banking and download applications,’ said Daniel V. Hoffman, Chief Mobile Security Evangelist at Juniper Networks. ‘Yet, while most PCs come with security baked in, virtually all smartphones remain vulnerable to even basic exploits and attacks.’

‘The Juniper Global Threat Centre identifies, monitors and responds to evolving threats to mobile devices, ensuring that Juniper customers have the highest possible level of mobile device protection.’

Lack of security
This stands in stark contrast to the security that is given to PCs and laptops. Mobile device usage is increasing; Gartner says that mobile phone sales grew 17 per cent in Q1 and 13.8 per cent in Q2 2010 alone. Competition is driving some prices down and it is clear that the threats from mobile devices are here to stay and will rise continually in volume and complexity.

Real time security information is the only defence for this and vulnerability management as a whole. Proactive or offensive security is what is now required as the evolution of risk domains shows. The volume and sophistication of security attacks has forced a shift from traditional reactive security models.

Mobile phone providers have been forced to support numerous new Web 2.0 products such as Facebook and this has stretched the operating system to a point where security flaws are being discovered on a regular basis. For example, an analysis of Google Android Froyo's open source kernel has uncovered 88 flaws that could expose users' data (http://tinyurl.com/248zngk). Coverity has said it will hold off releasing full details until January, giving Google time to provide fixes. Functionality seems to have been the primary aim and security a second.

Malware launch pad
According to Adrienne Hall, who is the General Manager of Microsoft Trustworthy Computing, ‘botnets are the launch pads for much of today's criminal activity on the internet. In many ways, they are the perfect base of operations for computer criminals. Botnets are a valuable asset for their owners, bot herders, who make money by hiring them out to other cyber criminals to use as a route to market for cybercrime attacks such as phishing attacks, spam attacks, identity theft, click fraud and the distribution of scam emails. Bot herders guard their botnets jealously and invest huge amounts of time, effort and money in them.’ It makes natural sense that the criminals would be looking to expand their businesses, and mobile devices are the next logical step.

Mobile device manufacturers are constantly bringing out new devices and operating system updates, patches and new releases. The continually evolving market provides a continual security challenge and attack opportunity.

Blended threats
How will user education programs be shaped to include mobile phones and bots? Bots are the next step in the blended security threat landscape, which is evolving on a yearly basis, and internet access is now expected by mobile users. But at what risk? I suggest that organisations should be thinking about and adopting and integrating mobile security into their security strategies. But how will our organisations know about these threats to corporate mobile users and other emerging threats from bots? Users struggle with computer security at the best of times.
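As an added illustration of the Juniper finding above (not code from the article or from Juniper), a Python triage script that reads an Android manifest and flags the permissions that let an app place calls or send texts without the user's involvement, the behaviours the article attributes to mobile bots. The manifest is a constructed sample; the risk labels and the receiver-priority threshold are this example's assumptions.

```python
"""Triage an Android manifest for permissions that let an app place calls or
send texts on its own. Constructed sample manifest; the risk labels and the
priority threshold are this example's assumptions, not Juniper's criteria."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission identifiers; the descriptions are ours.
PREMIUM_RATE_PERMISSIONS = {
    "android.permission.CALL_PHONE": "start a call without going through the dialer UI",
    "android.permission.SEND_SMS": "send SMS, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "see incoming SMS before the user does",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.PROCESS_OUTGOING_CALLS": "observe or redirect outgoing calls",
}

# Constructed manifest for a fictitious 'wallpaper' app; package name is made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="test.constructed.wallpaperfun">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Wallpaper Fun">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """All <uses-permission android:name=...> values, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name")
                  for el in root.iter("uses-permission")
                  if el.get(ANDROID_NS + "name"))


def has_high_priority_sms_receiver(manifest_xml: str, threshold: int = 100) -> bool:
    """An SMS_RECEIVED receiver with a high priority is ordered ahead of the
    messaging app, so it sees texts first. Together with SEND_SMS this is the
    shape reviewers look for in text-message Trojans (threshold is ours)."""
    root = ET.fromstring(manifest_xml)
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        prio = flt.get(ANDROID_NS + "priority")
        if ("android.provider.Telephony.SMS_RECEIVED" in actions
                and prio is not None and int(prio) >= threshold):
            return True
    return False


def triage(manifest_xml: str) -> dict:
    """Map each flagged item to the reason it matters for premium-rate fraud."""
    findings = {p: PREMIUM_RATE_PERMISSIONS[p]
                for p in requested_permissions(manifest_xml)
                if p in PREMIUM_RATE_PERMISSIONS}
    if has_high_priority_sms_receiver(manifest_xml):
        findings["intent-filter:SMS_RECEIVED"] = "high-priority SMS receiver"
    return findings


def can_place_call_silently(manifest_xml: str) -> bool:
    """The criterion in the Juniper finding: a call permission whose use the
    user never has to confirm."""
    return "android.permission.CALL_PHONE" in requested_permissions(manifest_xml)


if __name__ == "__main__":
    for item, why in triage(SAMPLE_MANIFEST).items():
        print(f"{item}: {why}")
```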


The attack space has widened further with the availability of smart phones with capable browsers and rich featured operating systems.

OUT IN THE COLD

Ron Tasker MBCS, a lead digital forensics consultant, says that even the smallest businesses may have need for the skills of digital forensics.

Digital forensics is a relatively new field. It could be argued that even law enforcement in the UK is in its infancy when it comes to the prevention, detection and successful prosecution of cybercrime.

In this new, developing field, two main threads of the industry have formed: those principally involved with law enforcement and those principally involved with corporate consultancy. Subdividing even further, small, independent consulting companies have largely tried to focus on contracts arising from law enforcement agencies, whilst corporate investigations have for the most part been carried out by large management consultancies.

These days, we often hear stories of large companies who have been subjected to insider and outsider digital attacks. It seems relatively common to encounter instances of financial fraud, employee theft or the simple misuse of IT assets in the workplace. In response to this trend a network of commercial investigation companies, often arms of large management consultancies, has sprung up to service the demand for digital forensics investigation. Access to digital forensics or eDiscovery professionals via a management consultancy can be extremely expensive, often rendering it prohibitive to small and medium sized companies. It could be argued that digital forensics professionals are effectively out of reach for small companies.

Small businesses, however, still need to be able to check and police employees and customers. Where any suspicion exists of inappropriate computer use, it can be critical that potential rogue activity is investigated and evidence is obtained. Small businesses suffer from many forms of employee or customer abuse, ranging from inappropriate use of email to fully fledged fraud. Many small businesses do not have dedicated technical staff, which may mean that, if undetected, perpetrators may continue and even escalate behaviour until it becomes a critical factor for the survival of the business itself.

If the person responsible for the abuse is an employee, then things can be very difficult indeed. Simply poking around for evidence of wrongdoing, even if it is found, is usually not enough to satisfy employment tribunals.

Evidence must be gathered in a forensic fashion, with audit trails and, where possible, full repeatability. This ensures that any evidence gathered is more likely to be accepted at tribunal and less likely to be tainted by an investigator. It is even more important should evidence of criminal activity be found and the matter be passed to the courts. A sound forensic approach requires training. Investigators should, apart from their technical knowledge, be forensically trained and this means that digital forensics professionals are often not cheap to employ.

Vulnerable SMBs
So where does all this leave small businesses? The answer is, surprisingly vulnerable. With no coherent approach to small business from the digital forensics industry, small companies may become the target for employee abuse or worse, cybercrime.

On the other hand, there is a tremendous market opportunity for independent forensic professionals to serve this sector of the market. Due to the nature of most small businesses, the complexity of their IT is often very low. This makes for small, quick and clean investigations where an investigator need only invest a small number of billable hours per investigation. If competitively priced, small companies will use digital forensics consultancies in cases where computer misuse is suspected. Digital forensics in this sector is a volume business and the industry must respond.

If this potentially lucrative market sector is to be tapped, digital forensics must lose some of its mystery and operate at a level that small business people can understand. Digital forensic services must be marketed as essential and basic business needs at a price conducive to the pockets of small companies. Every employer needs peace of mind, regardless of the number of staff employed. A forensic check for computer misuse should be carried out regularly by all companies and not just when abuse is suspected. After all, the best way to approach this type of misconduct is to prevent it or at least catch it early. Regular health checks at the doctor or dentist are accepted as necessary, so why not a regular sweep by a digital forensic professional? Even the deterrence value alone may prevent transgression.

More graduates
The number of digital forensics graduates from universities has increased drastically over the last few years. This should have made the supply of digital forensic services to all sectors of the business market easier to access. Recession and the lack of work arising from law enforcement contracts has been blamed for the relative stagnation currently experienced by many small digital forensics consultancies. The truth may simply be that, as digital forensics professionals, we are not moving with the new demands of the market place. Large practices are not best structured to deal with volume investigations, each of small duration. Small practices are.

Trust relationships must be built with the local business community in order that they may begin to understand the essential nature of digital forensics to their business operations. In the same way as accounts are audited periodically, why aren’t IT systems forensically checked to ensure that there are no issues?

If trust is established, the digital forensics professional can be seen as the independent ally of the small business person, the third party check and balance that gives peace of mind to entrepreneurs who have many other commercial worries without worrying constantly about how their IT is used.

After all, company directors will become liable for any illegal activity perpetrated on the company’s site using company assets, such as software piracy or theft of intellectual property, should they fail to take reasonable preventative precautions. It certainly could be argued that regular checks for computer misuse, whilst never comprehensive or infallible, show some attempt to take reasonable precautions.

The issue may be that there are not enough entrepreneurial digital forensics professionals who are willing to look into providing services to the small business sector. While this situation prevails, small businesses will continue to be easy prey for the abuse of company IT.
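An added example, not part of Ron Tasker's article, of what ‘audit trails and full repeatability’ can mean in code: a hash-chained acquisition log in Python whose artefact digests a second examiner can reproduce from the same bytes. The record layout, examiner name and sample exhibit are constructed assumptions, not a standard procedure.

```python
"""Hash-chained acquisition log: an audit trail whose artefact digests are
repeatable by anyone holding the same bytes. Everything here (record layout,
examiner name, sample exhibit) is a constructed illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed exhibit: a few lines standing in for an exported mailbox file.
SAMPLE_EXHIBIT = (b"From: staff@example.test\r\nTo: rival@example.test\r\n"
                  b"Subject: price list\r\n\r\n(attachment: customers.xls)\r\n")


def fingerprint(data: bytes) -> dict:
    """Two independent digests plus size. A second examiner re-running this on
    the same bytes must get the same answer; that is what repeatability means."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest(),
            "size": len(data)}


def _entry_hash(entry: dict) -> str:
    """Digest of every field except the hash itself, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log. Each entry commits to the previous entry's hash, so
    editing or dropping any step invalidates every later entry."""
    GENESIS = "0" * 64

    def __init__(self, examiner: str):
        self.examiner = examiner
        self.entries = []

    def record(self, action: str, item_id: str, data: bytes = b"",
               note: str = "", when: datetime = None) -> dict:
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "examiner": self.examiner,
            "action": action,
            "item": item_id,
            "note": note,
            "artifact": fingerprint(data) if data else None,
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry is intact and linked to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_artifact(entry: dict, data: bytes) -> bool:
    """Re-acquire and compare: does the item still hash to what was recorded?"""
    return entry["artifact"] is not None and fingerprint(data) == entry["artifact"]


def demo_trail() -> AuditTrail:
    """Two steps of a constructed small-business investigation."""
    trail = AuditTrail("A. Examiner (constructed)")
    trail.record("acquire", "EXHIBIT-001", SAMPLE_EXHIBIT,
                 note="exported from shared PC; write-blocked copy")
    trail.record("examine", "EXHIBIT-001", note="keyword search: 'price list'")
    return trail


if __name__ == "__main__":
    t = demo_trail()
    print("chain intact:", t.verify_chain())
    print("exhibit matches:", verify_artifact(t.entries[0], SAMPLE_EXHIBIT))
```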


BLOCK CRIMINAL CLOUDS

Cloud computing is the latest IT buzz word, and for good reason, as it provides businesses with highly flexible, low cost computing. However, according to Ben Ward MBCS, criminal gangs have also spotted its potential.

There are many different ways a criminal can steal your valuable data. The most common vectors are via malware installed on your machine, brute force password attacks or intercepting data in transit. The cloud concept assists in all of these paths of attack, and enables a much more efficient (and reliable) method of distributing workload.

The term cloud applies not only to 'friendly' services such as Amazon's EC2, but also to botnets, created by networks of infected machines under the control of criminal gangs. These networks of 'zombie' machines can be every bit as sophisticated as standard cloud offerings, and the vast scale of these networks (reaching hundreds of thousands of hosts in some examples) means that a huge amount of distributed computing power is available for the right price.

Compromised services
Malware vectors, such as the infamous Sality virus, store a local copy of URLs from which to download payload executables and updated URL lists. Once a 'live' URL has been located, the malware will download the files and then pass stolen data back to the control centre. These URLs are provided by the ever changing botnet that has been created by the criminal gang behind the malware.

Usually in this case, if the local list of URLs doesn't contain a ‘live’ link, then the malware is unable to send back sensitive data. This is where cloud computing comes in. In a recent case, the Zeus bank-detail-stealing Trojan managed to infect a vulnerable account on Amazon's EC2 service. While it had control of this, it operated as a back-up to the URL list, enabling infected machines to pass all of their data back to the criminal gang through Amazon's cloud infrastructure.

What about the use of cloud services to distribute malware? This is a strong possibility, and there are already signs that this is occurring. It isn't just the generally accessible cloud that is affected, but social networking sites such as Twitter, Facebook and MySpace have also been compromised. The ability to create your own apps within these sites has created scenarios where malware can make callbacks to applications based in the vast social network cloud.

Happy hacking
Another criminal application for the cloud is in the realm of data interception. For $17, the 'WPA Cracker Service' markets itself as a way to quickly brute force WPA hashes, enabling subscribers to crack the encryption on wireless networks within 20 minutes, instead of the five plus days it would usually take. It does this by utilising a cloud-based cluster equivalent to over 400 CPUs.

A quick price check on Amazon's EC2 service shows that 400 instances of their 1 CPU (eCPU) option would cost just $8 (£5) for one hour, a tiny price for what could be a very powerful weapon in the wrong hands. Marlinspike, creator of the above tool, states: ‘Security is moving into the cloud... so the attacks will follow security into the cloud as well. Password cracking is an obvious thing. Normally, it is cost-prohibitive to run CPU-intensive jobs. [With cloud computing] it costs a lot less money than doing it yourself.’

Sincerest form of flattery
Wily criminals have also been copying the business model of cloud-based technologies to maximise the profit out of their own botnets. One China based group has created an attack-as-a-service website, allowing customers to launch DDoS attacks against a target of their choice. Other 'companies' have used a subscription model, with the ability to rent your own botnet for as little as $60 per day.

The distributed nature of these botnets means that a DDoS can be deadly and can render a company's internet presence unusable for as long as the attack continues. The aggregate bandwidth of all of these machines can also be astounding, with the largest reported DDoS attack coming in at a hefty 49 Gbps, enough to take out even the largest sites globally.

So in light of all of these new threats from cloud-based computing, is it time to panic and shut down all external facing services?

There are many ways to protect your business from cloud based attacks. Paradoxically, one of the best ways is to host your services within the cloud. The only way to truly beat a distributed threat is to make sure that your infrastructure is also distributed, and using cloud-based services is the cheapest and most effective way to do this. The 'safety-in-numbers' approach that can be offered by either a third party or a private cloud can really enable a business to keep nodes running when under attack.

Preventing malware infections is another way to stop your business from becoming part of a botnet. The tried and tested process of ensuring that anti-virus and malware protection is up-to-date and that only authorised ports are open to the outside world is the best protection for your valuable computing resource.

Planning
As with all new technologies, criminals are amongst the earliest adopters of cloud computing. But with a little forethought, planning and best practice, the cloud need not be feared.

References:
www.securityweek.com/rise-small-botnet
www.technologyreview.com/web/24127/


BIOMETRIC REVOLUTION

Peter Craig, Chief Technical Officer at Delaney, debates the issue of biometric authentication and the importance of human factors when dealing with confidential and sensitive data.

To protect sensitive data, organisations need an authentication solution that is both easy to use and delivers an effective technical control against unauthorised access. Biometric authentication solutions appear to offer some easy answers to this challenge, but do they really work?

What’s the problem with passwords?
Password authentication is a widely used method of identifying users on applications, databases and operating systems. It’s quick to implement, easy to use and widely available. Gartner estimates that it costs around $50 for each password-related call to the IT helpdesk, and 30-50 per cent of calls relate to password issues. Not only is password authentication expensive to manage, it is often the weakest link in the security chain.

The easiest way to gain access to sensitive data is to trick the end-user into revealing their password. There are external threats from key-loggers, screen-capture software and other malware that can be introduced through known vulnerabilities or social engineering. There are real internal threats from written-down, guessable and shared passwords. The human factors are the most difficult to manage and pose the greatest threat to an organisation’s data security. Do passwords, even complex passwords, really offer adequate protection when the human factors are considered?

Which authentication solution is best?
The common alternatives to passwords include biometric (fingerprint, vein, iris), smartcard and token-based authentication solutions. Commonly organisations deploy these solutions as single-factor, dual-factor and multi-factor authentication solutions to offer greater degrees of protection.

Due to the ease of use and deployment, biometric authentication has traditionally had the lowest total cost of ownership. There are different qualities of biometric security authentication, from fingerprint readers, iris scanners and vein readers. Fingerprint solutions offer a simple single-factor solution, and certified solutions offer protection equivalent to a smartcard or token in two-factor authentication deployments. Iris and face recognition software tend to have more specialist applications. Vein readers are increasingly popular and easy to deploy and use. They are more secure than fingerprint readers, as it’s not as easy to replicate the vein data. Such is the new-found confidence in vein authentication that Poland's Bank BPS SA deployed Hitachi vein-readers as an alternative to PINs on its ATM machines under trial from May 2010.

Smartcards are often a convenient and easy-to-use authentication mechanism.


The retail industry has widely deployed smartcards for EPOS system authentication, for example. The introduction of PCI-DSS encouraged retailers to reconsider the risks of smartcard sharing between staff as well as the risks of lost and stolen cards. SecuGen and DigitalPersona OEM fingerprint modules have been widely deployed in EPOS solutions such as Sharp and Toshiba to reduce these risks. Despite the convenience of smartcards, the risks of sharing, loss and theft of cards (and passwords/PINs in two-factor implementations) remain key obstacles, even as a two-factor authentication solution.

Multiple factor
Token solutions, such as RSA SecurID, are popular two-factor authentication mechanisms, particularly for remote access. Tokens offer a good level of security via a randomly generated code on the hardware token together with a user PIN number. The risks of stolen and shared PINs and tokens are real. Users may not use the process regularly enough to remember their details, and they often use the service when the helpdesk is unavailable or for emergencies. They often write the PIN or password details down. In September 2010, DigitalPersona launched DP Pro 5.0, which offers a software token generator delivered via mobile smartphones. The ‘virtual PIN number’ is generated by the fingerprint swipe process and cannot be lost, stolen or forgotten. It is potentially a strong challenger to the traditional dominance of token solutions for remote access, especially when packaged with whole-disk encryption.

Lastly, there are multi-factor authentication solutions such as Authasas’s Advanced Authentication and the M2SYS Hybrid solution. Authasas offers a complete range of token, smartcard and biometric authentication options to meet legacy and operational requirements. Acting as a central authentication server, and without expanding the Active Directory tree, it delivers secure single or dual-factor sign-on for Windows, Lotus Notes, SAP, Citrix, Oracle and SWIFT Payment Systems, to name a few.

Does biometric authentication work?
The answer is certainly yes. The biometric myths, such as using dead body parts, make good Hollywood movie scripts, but are largely irrelevant in commercial situations. A fingerprint becomes useless after about 10 minutes, with the iris quickly clouding. Issues with ethnic minorities and children are already resolved by improvements in image resolution quality. In fact, children using library systems and cashless catering solutions are some of the biggest users in the UK. The fingerprint template is encrypted in certified solutions. If it were possible to replay the template submission, certified commercial biometric solutions automatically implement anti-spoofing countermeasures to prevent this. Additionally, it is not possible to steal and reuse the biometric information from commercial systems, as the fingerprint template stores only a small percentage of the actual fingerprint. Non-commercial systems such as US-VISIT store complete biometric information, but their purpose is different from commercial authentication solutions.

Reducing risk
All multi-factor authentication mechanisms offer improved security over passwords; however, modern biometric authentication works best at reducing the human risks such as loss, theft and sharing of passwords. With independent certification, solutions are available to meet the requirements of ISO27001 and PCI-DSS. Fingerprint authentication and iris authentication have anti-spoofing measures that operate effectively as part of a package of multi-factor authentication. Vein readers offer a level of single-factor authentication security that is beyond the security requirements of sensitive data protection.

The only downside is that vein reader hardware is currently priced around £260, around three to four times the cost of a fingerprint reader. With the current challenges of cost reduction, IT managers with a long-term view on security and cost management should look at the reduced helpdesk calls for password management as a result of biometric solutions. The operational savings, estimated at around $50 or £35 per helpdesk password-related call, would typically cover the reasonable hardware costs in around 12-18 months. The medium-term case for biometric security is getting stronger, and the worldwide market is growing at 20 per cent per annum. Secure, easy-to-use and affordable biometric authentication may finally be within sight of the average organisation.


The Information Commissioner’s Office (ICO) has launched a consultation on a new data-sharing code of practice, which aims to clear up how organisations should best handle data-sharing within the framework of the Data Protection Act (DPA). The closing date for responses is 5 January 2011. After that, a paper summarising the responses will be published by the ICO.

The code covers a number of areas, including:

• what factors an organisation must take into account when coming to a decision about whether to share personal data;

• the point at which individuals should be told about their data being shared;

• the security and staff training measures that must be put in place;

• the rights of the individual to access their personal data; and

• when it is not acceptable to share personal data.

The ICO aims to set out a model of good practice for public, private and third-sector organisations, and to cover systematic, routine data-sharing where the same datasets are shared between the same organisations for an established purpose, as well as one-off instances where a decision is made to release data to a third party.

Some efforts have also been made to compel updates to the law and reflect best market practice. For example, the EU Model Clauses were updated earlier this year.

Hopefully, this consultation will go some way to helping businesses deal with data protection, but the draft code does not help explain some key areas of confusion that businesses grapple with. For example, currently private sector organisations, in particular, often find it difficult to determine whether the specific act of sharing they are contemplating is covered by one of the conditions set out in the DPA, and the draft code does little to flag this up. The ICO constantly appears to take a ‘reactive’ stance to market conditions when, instead, perhaps what is needed is a wholesale update of the law in this area. The challenge facing the ICO will be making any new law sufficiently clear, workable and flexible.

An interesting example of the importance of this area can be found in a recent Swiss case. A Swiss federal court has ruled that Logistep’s use of file-sharing monitoring software to identify IP addresses violates data protection laws. Logistep was using the software to locate the IP addresses of copyright infringers who were illegally downloading music and passing them on to the copyright owners so that they could prosecute.

The court ruled that IP addresses come within the definition of ‘personal data’ under Swiss data protection laws and that processing that data without the knowledge or permission of the person concerned was illegal.

Switzerland is not subject to EU rules on data protection, including the Data Protection Directive. Could this result be replicated in EU countries? The position is the subject of heated debate, the rationale in this particular instance being ‘Why should file sharers be able to evade detection due to legal loopholes?’ Of course, there are policy reasons why an indiscriminate approach cannot be taken, but some countries have addressed this issue directly.

France’s data protection regulator, CNIL, is reported to have authorised four collective societies to collect IP data, which will later be used in the application of the three strikes (HADOPI) law. But this was not without considerable initial resistance from CNIL (and a sharp rebuke of CNIL from France’s highest court, the Conseil d’Etat).

The EU’s Working Party, which was established to act as an advisory body, has directed that, unless an internet service provider can say with absolute certainty that the user cannot be identified, it will, to be on the safe side, have to treat the IP address as personal data and therefore cannot share it without the infringer’s consent. The key is that, even if the IP address cannot identify an individual by itself, there may be potential for the individual to be identified through other means.

The UK’s regulator, the Office of the Information Commissioner, has provided guidance on personal profiling using dynamic and static IP addresses, but it’s hard to see how this would apply in this situation. Given that successful prosecutions have been brought in the UK and Germany against file sharers, it is strange that this issue has not yet been tested.

There is a fine balance to be struck between protecting copyright holders’ interests and the legality of infringing IP address collection methods. Organisations will need clear guidance on when it is and is not acceptable to share personal data. Logistep has opened the debate; it will be interesting to see how this plays out and whether it influences the approach of the ICO in its new consultation.

Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source. www.bcs.org/legal

DATA SHARING AND THE DPA

Charlotte Walker-Osborn and Jennifer Liddicoat, Technology Group, Eversheds LLP, look at recent data protection updates and cases.

IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data
Lance Hayden
McGraw Hill
ISBN: 978-0-071713-40-5
£37.99

Amongst the plethora of books published these days on security, there are a wide range of topics being tackled with often too much prescription and too little focus. This leaves one to wonder if much of this should simply be ignored and we should focus on basics; however, some of it is too good to be let by.

I have a similar dilemma with this book. The author presents an extensive treatment of security metrics, starting from the context, then basic definitions and then on to case studies and some valuable practical advice. Much of this, however, is not new and the first part (first three chapters) does not serve to motivate as it discusses a set of ideas too familiar to a (security) reader.

Not too often do I come across a book as verbose as this: page after page, there is text (and, I am afraid, jumping from one idea to another) and more text. This makes it difficult to follow even a simple idea. This is a classic example of a book where illustrations could have helped (along with relevant editorial support).

If I had to choose one chapter to recommend, I would choose chapter 8, as the author delves into interesting detail about security compliance and auditing standards. This is good as it acknowledges existing initiatives to tackle some of the problems mentioned in this book.

I would not recommend this book to the wider (security) readership. Those new to the concept of security metrics may find parts of it a good introduction to some of the underlying motives for such efforts.

Siraj A. Shaikh MBCS CITP

Managing Information Security
J. Vacca
Syngress Media
ISBN: 978-1-597-49533-2
£30.99

This book covers the complex and huge area of information security and includes information that practitioners and IT managers can use in strategy formation, management and day-to-day operation of their information security management systems.

The book begins with raising the reader’s knowledge of security essentials such as the impact of security breaches, types of breaches and the various elements of the fundamentals of an information security management system and the contents thereof.

Procedures
Elements of procedures and policies, information risk management, contingency planning, physical and data security are covered in brief. The book quickly gets more informative and interesting for the technical reader and gives clear explanations and examples, which enable the reader to go further in the particular areas of ID management, intrusion detection and prevention systems, computer forensics, network forensics, firewalls, penetration and vulnerability assessment.

In some areas the book is not a ‘light’ read, and readers would be expected to have general networking knowledge. However, the individual chapters themselves are primers for each subject and references for further reading are given with every chapter so that areas can be followed up. Both non-technical and technical readers are therefore catered for.

Overall this is an excellent primer to the complexities of information security and is an ideal read for anyone involved in or about to manage an organisation’s information security functions or information security management system.

Georgette Banham FBCS CITP

BOOK OF THE MONTH

Practical Lock Picking: A Physical Penetration Tester's Training Guide
Deviant Ollam
Syngress Media
ISBN: 978-1-59749-611-7
£24.95

Although the subject of lock-picking may not seem immediately relevant to the world of the IT professional, the practice has a long association with information security. Physical security assessments of IT departments and server rooms involve assessing both the type and the quality of locks used.

The book begins with an excellent ‘ethics test’, which would not go amiss in other hacking books, serving as a good reminder of how to make correct usage of information provided by the book.

We then move on to the fundamentals needed for an understanding of how common lock types are manufactured and how they work in practice. The remainder of the book builds upon this foundation.

The clear explanations and plentiful diagrams leave the reader with a clear idea of how lock mechanisms work, and the practice exercises that follow build on this knowledge to allow the reader to quickly progress before moving on to the simpler techniques, shimming and bumping.

9/10


4/10

It's often said that to the man with a hammer every problem looks like a nail. A chapter on bypassing locks and doors in a creative manner provides the extremely important function of getting the reader to consider all aspects of physical security, rather than immediately attempt picking the locks when carrying out a security review.

We cover the old favourites, such as triggering a motion sensor by pushing devices under the door, along with the effective, often missed, possibility of passing wire hooks through gaps to operate catches.

Overall the book does much to dispel the myth that lock-picking is an arcane, difficult art and puts the reader in a position to carry out more effective physical security reviews, although it would have been nice to see more detail on how to carry out physical security reviews for locking mechanisms and how to select appropriate mechanisms to secure a facility.

In summary this is an excellent practical introduction to the subject and the publishers are to be congratulated for producing another good niche penetration testing book.

Vick Dunn

9/10

BOOK REVIEWS


I know that I should be more concerned with the two previous threats, but the text informing me I’d won lots of money was closer to home. The email address looked decidedly dodgy and when I checked the sender’s number it was from Ghana.

The interesting thing about these scams is that they rely on three common things to succeed: greed, gullibility and technology.

It is the last one that enables the scammers to operate remotely, hit large potential audiences and put forward any persona that they believe will tempt you. Whereas you may have concerns about the integrity of a person in a far-off land carrying a Kalashnikov, these may be somewhat allayed if you see a photograph of a person in a smart suit sitting in an office.

Even respectable businesses are not averse to using a little technology to steal our electronic assets, as was revealed when Google reluctantly owned up that its Street View cars were, inadvertently, collecting details of Wi-Fi networks as they cruised by. Now whatever the intent, the fact that we can be robbed remotely means that we have to think wider than the locks on our doors.

I recently advised a client who was based in a shared tenancy building that he couldn’t rely on door locks as the outsourced cleaning company had free access to the building overnight. So on top of the logical security we built a CCTV recording system with motion sensors and off-site transmission of any triggered recordings and SMS alerts. It didn’t cost a bundle, although the warning signs and legal advice were almost the biggest budget items.

When the system was operational, the chief security officer had a few busy and heart-stopping days while the system was bedding in and he watched the cleaners systematically opening any unlocked cupboard or drawer.

Curiosity killed the proverbial cat and it certainly killed the cleaning contract when he drew this to the attention of his CEO. Despite the lawyers saying that evidence collected covertly was likely to be inadmissible in court, the CEO was not intimidated and the contract was cancelled. So although electronic threats should not be ignored, we need to remember that our secrets may be just as vulnerable from a physical threat.

Security in depth is what I desire when I am asked to provide assurance that things are OK, but as we all know a chain is only as strong as its weakest link. I have a pseudo-mathematical technique for measuring control effectiveness, which although not perfect, does remove some of the judgemental errors in reaching a conclusion.

On balance I find that most control systems are based on trust and optimism, rather than hard-nosed pragmatism. The trust mechanism is usually there out of an unwillingness to face the reality that if you take trust out of the equation, then most control processes are pretty useless. I rely on my security officer colleagues to identify the current and future threats and to suggest appropriate controls. I then sit down with them to evaluate the effectiveness of the proposed controls. Will this control manage the likelihood or the consequence? Is it preventive or detective?

They often retort that, as the likelihood of a particular threat crystallising is low, it doesn’t matter too much if the control is weak. I answer that they may not as yet have suffered a heart attack, but it would be useful if they could detect the symptoms early enough to get to the hospital before a full cardiac arrest took place. So we kick the thing around a bit and find that, even with our best intentions, the residual risk remains stuck in the ‘amber’ zone. But that is life. Not everything is ‘green’. Even more so now that the threats and controls may no longer be under our direct control. Outsourcing and cloud computing, reliance on third-party security statements and lack of understanding mean that we are more vulnerable than ever to changes in the use of technology.

Providing that managers are aware of and are willing to tolerate a risk at a particular level, then my job is done. Despite that, it is still the people risk that fascinates me. I have never known a computer to attack me of its own accord. Even those 70 million zombie hosts that are waiting out there still need a human hand to direct their attack.


IT’S NOT JUST ABOUT LOCKS

Recently the Americans lost communication with around 70 of their nuclear-tipped missiles for some 50 minutes and Russia has previously taken Estonia off-line, but John Mitchell is more concerned about a text to his mobile and a Ghanaian email address.
