Security Economics and the European Union
March 16th, 2008
Some time ago I wrote about the problems associated with properly identifying identity theft and the lack of statistical data in the United States. This time, a paper commissioned by the European Network and Information Security Agency (ENISA), aiming to facilitate the development of European e-commerce policy, identified similar problems in the European Union. The paper focuses on the economics of security and discusses economic incentives for both governments and the private sector that can improve security and customer confidence in electronic commerce.
The paper, titled Security Economics and the Internal Market, provides 15 recommendations on information security issues that need to be handled at member state level and harmonized and coordinated among EU members. The recommendations call for a comprehensive EU security breach notification law, better reporting of security incidents, an EU standard for the security of network-connected equipment, mandatory distribution of software patches, better procedures for the resolution of disputes in electronic transactions, and an EU-wide body, similar to NATO, in charge of the fight against cyber-crime.
First Things First: Using Risk to Drive Security Planning
March 7th, 2008
by Steve Brukbacher, CISSP
I attended a conference the other day addressing information security for information security staff, database admins, network guys and a variety of other IT-related fields. The question that everyone seemed to have was: how do we even start to get our arms around “security”? We know our IT guys “do stuff” and they seem to know what they are doing. There seem to be a million different things that have to be done to “be secure”. If we were “secure”, how would we know it? Is this a state of being somewhat akin to Nirvana? Is it some kind of magical place where everything works and nothing bad ever happens? What about all these products that we see advertised, especially at conferences? Hardware firewalls, IPS, IDS, internet security suites, identity management products…. Should we have a Noah’s ark of security “stuff”? Buy two of each and then we can tell the boss that we are DEFINITELY secure (yes, people try this). Or maybe there’s one thing we can do that would be the magic bullet the vendor claims it is and would take us to this security nirvana…. Or better yet, maybe we should just assume that the computer guys know what they are doing and go for coffee. In general, security seems like a way-too-big sandwich, and no one can agree how to cut it up so it’s edible.
The wrinkle in all this is that whenever people like DBAs go to security conferences, there’s always that one presenter who gets their attention. This is the guy who describes how easy it is for the average 12-year-old to use Metasploit or how fun SQL injection is. Maybe they even do a live demo on an IIS box they have back at the shop. This scares the hell out of everyone, and they go to the next session wondering: what do we do first, second, third and so on?
I happened to be in that session so, naturally, I chimed in and started talking about risk. This is not always a familiar topic to other IT staff or to those who manage them. The unavoidable truth is that without a decent risk assessment we are left to flounder in the darkness, with the only light being our own paranoia, vendor promises or false assumptions about what our most dangerous risks are. A proper risk assessment gives us the tangible, ordered list of things that need to be addressed to truly improve our security posture: what have we got, where is it, what could happen to it, how much should we care, and what are we going to do about each risk (if anything). This carves up the sandwich into reasonable bites AND tells you which parts should be eaten first.
This sounds deceptively simple. It takes discipline to stop shopping for solutions before you’ve identified the problems that really need to be solved, but without this you will waste money and likely miss your most dangerous threats.
So is there security nirvana? Of course not. What security practitioners need to teach is that risk is a sliding scale, not an on/off switch. We help management become aware of their risk levels and they choose how much risk they are willing to tolerate. There is no “ideal plane” of security: just better and worse and lots of space in the middle.
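The ordered list the two paragraphs above describe can be written down as a small risk register. The following is an added example, not code from the original post or its author: it assumes a simple 1-to-5 likelihood and impact scale, scores each risk as their product, ranks the register, and lets management's tolerance (the maximum score they are willing to accept) decide which items are treated first and which are explicitly accepted. The register entries are constructed sample data, not real findings.

```python
"""Prioritised risk register: "what have we got, where is it, what could
happen to it, how much should we care, what are we going to do about it".

Assumptions (not from the post): 1-5 likelihood x 1-5 impact scoring,
and a management-set tolerance threshold on the resulting score.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    asset: str        # what have we got
    location: str     # where is it
    threat: str       # what could happen to it
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject values outside the assumed 1..5 scale so scores stay comparable.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        # "How much should we care": likelihood times impact.
        return self.likelihood * self.impact


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Order the register highest score first. Ties are broken by impact so a
    rare-but-severe event outranks a frequent nuisance with the same score."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def treatment_plan(register: List[Risk], tolerance: int) -> List[dict]:
    """Management chooses the tolerance (maximum acceptable score). Every risk
    above it is queued for treatment in rank order; the rest is accepted on
    the record rather than silently ignored."""
    plan = []
    for r in rank_risks(register):
        plan.append({
            "asset": r.asset,
            "location": r.location,
            "threat": r.threat,
            "score": r.score,
            "decision": "treat" if r.score > tolerance else "accept",
        })
    return plan


# Constructed sample register for a small shop (hypothetical, not real findings).
SAMPLE_REGISTER = [
    Risk("customer database", "DMZ SQL server", "SQL injection via web app", 4, 5),
    Risk("customer database", "DMZ SQL server", "disk failure, no tested restore", 2, 5),
    Risk("intranet wiki", "internal VM", "defacement by insider", 2, 2),
    Risk("staff laptops", "mobile", "theft of unencrypted device", 3, 4),
    Risk("marketing site", "hosted", "DDoS", 3, 2),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER, tolerance=6):
        print(f"{row['score']:>2}  {row['decision']:<6} {row['asset']}: {row['threat']}")
```

With a tolerance of 6, the three highest-scoring items are queued for treatment and the two remaining ones are recorded as accepted; raising or lowering the tolerance is management's choice on the sliding scale, and the code only makes that choice visible.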
If you can teach risk based thinking to people outside of the security or audit departments, you’ll be way ahead. This is a skill which I think anyone in a position of responsibility should be armed with.
Identity Theft – Cost and Recovery
March 1st, 2008
Estimating the real cost of identity theft might not be as easy as it first appears. As I already mentioned, without a proper definition of identity theft it is not possible to determine the extent of the crime, and in turn, without estimates of the extent of identity theft it is simply impossible to estimate the real cost of the crime. Newman et al (Newman, 2006), quoting a Government Accountability Office (GAO) report from 2002, state that there is no comprehensive or agreed-upon way to estimate the economic cost of identity theft. This post will provide an overview of the various costs associated with the crime and imposed not only on industry and individuals but also on the government. As we have seen in the previous chapter, not all businesses suffer from this crime.
Willox et al (Willox, 2002) suggest that the identity theft statistics of 2002 were just the tip of the iceberg, and conservatively estimated the loss from identity theft to be at least tens of billions of dollars. According to the United States Treasury Department’s own research, cyber criminals (although it is not clear what exactly is meant by this term) made more money than illegal drug traders in 2005. (Gordon, 2006) A Javelin Strategy and Research report suggests that the annual cost for consumers alone reaches $52.6 million. (Van Dyke, 2005)
The following is a crude breakdown of the costs associated with identity theft.
ISC2 Resource Guide for Information Security Professionals
February 26th, 2008
The International Information Systems Security Certification Consortium, Inc. [(ISC)²] just released the (ISC)² 2008 Resource Guide for Today’s Information Security Professional – Global Edition.
The guide is free and available in PDF, CD ROM, and hard copy.
An IPv6 Security Guide for U.S. Government Agencies
February 21st, 2008
Juniper Networks released a new report – ‘An IPv6 Security Guide for U.S. Government Agencies’.
The report covers numerous aspects of security related to the IPv6 transition and also provides a high-level overview of the core concepts of IPv6 and the planning that must be accomplished to ensure a successful and secure transition.
Business continuity planning
February 6th, 2008
From the SANS Reading Room – Introduction to Business Continuity Planning. A good high-level overview of BCP. The author targets beginners, but these are also great talking points for selling BCP to senior management.
Microsoft Windows Server 2008 Security
February 4th, 2008
A few weeks ago, Paul Thurrott and Leo Laporte interviewed Ward Ralston, group technical product manager for Windows Server 2008. Unfortunately, there is no transcript – only audio is available. This is a neat comparison of Windows Server 2008 and previous server products as well as Windows Vista.
Information Security magazine brings an interview with Bill Laing, general manager of the Windows Server Division at Microsoft. The article provides a more detailed insight into Windows Server 2008 security.
[...] Windows Server 2008, [...] is the first server product built from scratch since the advent of Trustworthy Computing at Microsoft. [...] we believe Windows Server 2008 is the most secure operating system we have ever built.
Regulatory compliance and security management
February 4th, 2008
A nice overview of security frameworks by Amol Sarwate, director of Qualys’ vulnerability research lab.
[...] No longer is it enough to find and fix vulnerabilities. Today, security processes need to be well documented and substantiated. [...]
Why and how does someone steal an identity?
January 22nd, 2008
To describe ‘hot’ products – the items that are most likely to be stolen – Ronald Clarke coined the term CRAVED in a law enforcement training manual produced for the British Home Office (Clarke, 1999). The acronym stands for five properties an item should possess to be ‘hot’: Concealable, Removable, Available, Valuable, and Enjoyable. Setting aside the argument that identity cannot be stolen, identity, having the properties of information, fits neatly into these categories. As it has no physical properties, it can easily be concealed. It is not removable, but it is multipliable, which does not diminish this property. The availability of identifying data is immense. Its value for criminals will be discussed later. And finally, a stolen identity can be enjoyed in the following ways (Perl, 2003): direct financial benefits, non-financial benefits, and misuse of legal records.
Direct financial benefits are probably the most obvious. This occurs when a criminal directly obtains monetary instruments from the victim or in her name.
Non-financial identity theft might ultimately lead to monetary benefits, but it starts with utility fraud or obtaining government documents or benefits in the victim’s name that are later used for illegal border crossing or obtaining a job. Another common type of non-financial benefit is revenge.
The third reason criminals would steal an identity is to evade legal sanctions and criminal records. (Perl, 2003) According to the same author, this type of crime is the worst case of identity theft. According to Newman (Newman, 2005), this is the major reason for stealing another’s identity. This category also includes a growing number of cases where identity theft was used to support terrorist activities.
Finally, the concept of opportunity has also been used to explain crime. Although its relation to identity theft has not been formally researched, Newman (Newman, 2005) suggests a strong correlation, considering identity to be information that in turn can be perceived as a ‘hot product’.
How does it take place?
In order for identity crime to occur, the criminal must obtain the personal identifiers of a person with good credit or no criminal history, who later becomes the victim. Criminals use various methods, including recruiting individuals with access to personal information, stealing documents from companies that store such information, dumpster diving, eavesdropping, shoulder surfing, burglary, stealing mail, phone scams, phishing, and pharming. Although, as we will see, the use of technology does not correlate with an increase in identity theft, computer users are also targeted. According to one source, in the last couple of years there has been a dramatic increase in the number of collection methods, with an increase of over 65% in key logging alone (Gordon, 2006) – a method in which criminals use stealthy key logging software or devices to secretly record key strokes that later reveal various personal information entered into the victim’s computer. Personal identifiers can also be purchased on the street or on the Internet for the going rate of between $25 and $50. (Newman, 2005)
Stolen personal identifiers are then altered to reflect characteristics of the new ‘owner’. Development of desktop publishing technologies and their affordability also allow criminals to produce high quality replicas, while organized crime can use professional equipment that makes fakes ‘better’ than originals. It is also possible for criminals to obtain genuine identification documents through fraudulent methods like using ‘insiders’ at identification document issuing agencies. (Porter, 2005) The identity information bearing instruments obtained in this step are also known as ‘breeder documents’ since they allow criminals to proceed to the next step – obtaining false identification documents like birth certificate, social security card, drivers’ licenses, passports, voter registers, and badges. (Porter, 2005) These documents now allow criminals to further develop their newly assumed identities by creating new life history through rental of mail boxes, storage units, apartments, and vehicles, opening new accounts, and activation of telephone services and utilities, (Porter 2005) – all with timely and accurate payments just like any innocent citizen would do.
The next step – exploitation
Identity Theft is linked to many global crimes, including terrorism, money laundering and financial crimes, drug trafficking, alien and weapons smuggling. (Gordon, 2004) Once the criminal steals identity or creates a false identification document, he is able to create a fraudulent identity for himself which allows him to cross borders and also provides him with access to such identification documents as birth certificates, drivers’ licenses, and social security cards, that in turn create greater access by allowing him to procure employment, credit cards, residency and citizenship, etc. (Gordon, 2004)
Identity theft crimes are often facilitators for crimes that lead to money laundering, mortgage and insurance frauds, computer crimes, weapons and narcotics trafficking, homicide, terrorism, and illegal immigration, (Porter, 2005). As an example, Bruce Schneier (February 2007) suggests that criminals or terrorists could use stolen identities to avoid TSA screenings while carrying on attacks or other crimes. The magnitude of crimes committed with help of identity theft is best captured in Willox’s claim that identity theft is not a tool of a con artist anymore; it is indigenous to any criminal enterprise. (Willox, 2002)
The Other Side of Exploitation
One must not forget that it is not only criminals and terrorists who exploit identity theft. Financial institutions also benefit from various legal requirements by transferring the costs to consumers through disproportionate increases in service fees. (Newman, 2005) On the other side, there is a fast-growing industry that legally profits from selling various services, ranging from financial insurance and privacy protection to credit monitoring. Currently, no supporting research exists that could back up this statement. Only anecdotal cases suggest the existence of this multi-million-dollar market niche.
The New Yorker and the spymaster
January 19th, 2008
The January 21, 2008 issue of The New Yorker brings a quite lengthy interview with Mike McConnell, the new Director of National Intelligence. Unfortunately, the full article is not available online, only an audio interview with the author, Lawrence Wright.
The author talks with McConnell about his career, his days as NSA director, and the evolution of national infosec caused by modern technologies:
“When I went there in ’92 the Internet existed – it was called Arpanet – but the World Wide Web did not, [...] Then the Web made the Internet accessible for everybody. My world exploded.”
The article provides some insight in how the intelligence community adopts new technologies:
“In 2006, the community adopted Intellipedia, a secure version of Wikipedia. Blogging is now permitted on internal servers, [...] there is a new “A-Space” based on sites such as MySpace and Facebook where analysts post their current projects as a way of creating social networks.” [...] “Much of the intelligence community is technophobic and is also hamstrung by security concerns. Only recently have BlackBerrys made their way into some agencies, and many offices don’t even have Internet connections.”
Wright and McConnell also discuss how recent developments in communication technologies have rendered the Foreign Intelligence Surveillance Act of 1978 inadequate and how privacy concerns impede its timely update.
The most interesting part of the article talks about the infosec problems the intelligence community faces at the national level and the proposed solutions:
“At NSA, McConnell set up a new office to conduct information warfare against potential enemies, but he eventually realized that America, with its huge computer networks, was far more vulnerable to such attacks than its adversaries.” [...]
“Practically nothing was being done to secure American computer networks, which the entire world routinely depended upon.” [...] “There are forty thousand Chinese hackers who are collecting intelligence off US information systems and those of our partners. How many of them can read English? Almost every one of them. If you ask how many intelligence-gathering people are doing similar things in Mike’s vast empire, the answer would be tiny. And you won’t find any who understand Mandarin. We should never get into a hacking war with the Chinese.”
“[...] he describes the three aspects of information warfare operations. Computer-network exploitation – that is, the theft or manipulation of information – is done by the NSA. Computer-network attacks are the province of the Department of Defense. The third element, computer-network defense, was not the specialty of any agency.” [...] “If the 9/11 perpetrators had focused on a single US bank through cyber-attack and it had been successful, it would have an order-of-magnitude greater impact on the US economy.” [...]
“One proposal of McConnell’s Cyber Security Policy, which is still in draft stage, is to reduce the access points between government computers and the Internet from two thousand to fifty.”