One of my favorite services we perform for clients is Social Engineering, so I thought that a recent trend, disinformation, would be an interesting topic to discuss:
In 1943, British Intelligence dressed up a corpse, equipped it with fake operation plans, and floated it out to sea where Axis troops would eventually recover it. The ruse was designed to make the Germans believe that the Allies planned to invade Greece and Sardinia, instead of Sicily, their actual target.
“Operation Mincemeat” was a successful disinformation campaign. Also called “Black Propaganda,” disinformation is the intentional spreading of false or inaccurate information to damage an opponent or to gain an upper hand over them. While it was often used in wartime throughout history, the new battleground for disinformation is cyberspace, where hackers spread disinformation about a company through the company’s own systems.
According to a study on hacking incidents and trends for the first quarter of 2009, “Disinformation” is now the second most common attack outcome by hacking (losing to “Information Leakage” by only 3%). This is a major jump since Disinformation was not even on the list in the previous study, falling somewhere below Phishing (3%). Defacement, which can be distinguished from Disinformation because it spreads obviously false information, is third on this list.
And if you don’t think Disinformation can cost your company money, just ask Steve Jobs who recently shared sentiments with Mark Twain – “reports of my death have been greatly exaggerated.”
A hacker broke into the live Mac Rumors feed to announce, in all capital letters, “STEVE JOBS JUST DIED.” It took three minutes before a retraction was given: “Steve did not die.” In another incident, someone uploaded photos to Wired magazine’s website with a detailed story describing Steve having a cardiac arrest. In this case, it wasn’t even a code flaw that allowed the disinformation to be publicized, but an obvious application design flaw: Wired’s public image viewing utility allows anyone to upload whatever images they wish, which are then viewable on its public website.
Harmless pranks? The disinformation campaign caused Apple stock to plummet. Considering that Steve’s recent health problems made the disinformation so plausible, and that the same disinformation was used on multiple occasions, you can’t help but wonder whether the culprit has a vested interest in seeing Apple stock drop.
Disinformation isn’t going away. Consider the rise of social network trends like Twitter. Social networks are very susceptible to hacking in the first place. Twitter allows news to be sent directly to thousands of users. This makes it a very powerful platform for information or disinformation.
A couple of weeks ago I wrote a Tech Insider Report for Dark Reading, Rotten Apples: How To Detect And Stop Malicious Insiders In Your Organization, that discusses the data breaches that occur from the inside. Last week, I wrote an article for DarkReading.com that is an excerpt from that report regarding How To Protect Your Organization From Malicious Insiders. Go give it a read!
I will be speaking on the professional development trends in malware at the annual NetSecure conference put on by IIT. Hopefully some of the readers can make it out. It is a great event. The info is below:
IT Security and Forensics Conference and Expo
http://www.cpd.iit.edu/netsecure08
Wednesday, March 26, 2008
Illinois Institute of Technology in Wheaton, Illinois
Join us for NETSECURE’08: The 6th Annual IT Security and Forensics Conference and Expo. This multi-track technical conference is attended by 200+ IT professionals and will promote the open exchange of IT security and forensics information. Register now at http://www.cpd.iit.edu/netsecure08
Current Conference Presentations Include:
* “Annual CompTIA security research: Trends and strategies for information security” Carol Balkcom – CompTIA
* “Cellular Wireless Key Management” Alec Brusilovsky – Alcatel-Lucent
* “Microsoft Security – Growing up and Enterprise Ready” Cordell Crane – Microsoft
* “Microsoft Security – Hands on approach with tools for Threat Modeling, Code Review and Discovery” Ken Anderson – Microsoft
* “Professional Development Trends within Malware” Michael Davis – Savid Technologies
* “Network Security: What You and Your Skills Are Worth” Bob Fanelli – Robert Half Technology
* “Securing Windows – A Monumental Task?” Mike Fekety – Performance Technologies
* “Building a Secure Storage Internet” Chris Gladwin – CleverSafe
* “Do the Work Once: Harmonizing Compliance and Security Objectives” Bonnie Goins
* “The Role of Penetration Testing in Security Audits” Jeff Groman – Akibia
* “Penetration Testing: Let me probe your ports” David Kennedy – SecureState
* “Combating Insider Threats on Databases” Carl Kettler – Application Security, Inc.
* “Computer Security at Fermilab” Frank Nagy and Tim Rupp – Fermi Lab
* “Building a Linux Custom Firewall” Venkat Nandam
* “Security and Control Issues within Relational Databases” David Ogbolumani – SunGard
* “Data: How much is there, and where is it at?” John Pascoe – FBI Regional Computer Forensics Laboratory
* “Best security practices for Voice Wireless LANs” John Poust – IEEE ComSoc
* “Virtualization Security and Best Practices” Rob Randell – VMware
* “Out-Of-Band authentication using a real-time, multi-factor service model” Andy Rolfe – Authentify
* “Fighting Spam: Tools, Tips, and Techniques” Brian Sebby – Argonne National Laboratory
* “SSH” Hemant Shah
* “Multi-Factor Authentication Solutions: An Overview of Regulations, Vulnerabilities, and the Latest and Best Authentication Options” Bob Thompson – Catalyst
* “A New Model for Business Contingency Operations” Raymond Trygstad – Illinois Institute of Technology
* “Identity and Access Management” Kevin Wang – Crowe
Details:
Date – Wednesday, March 26, 2008
Attend – $95 (includes breakfast, lunch, cocktail party, and conference tote bag and materials)
Exhibit – $325 (includes 2 free attendees)
Sponsor – $300-750 (includes 1-2 free attendees)
Register – www.cpd.iit.edu/netsecure08
Location – Illinois Institute of Technology’s Rice Campus in Wheaton, Illinois
Sponsors Include:
High Tech Crime Network (HTCN), Authentify, Inc., Microsoft, onShore Networks / Fortinet, SunGard Availability Services, IBM Rational, Project Leadership Associates, Robert Half Technology, Other World Computing, SecureState, CTH Technologies, Inc., Security Services & Technologies, Catalyst Technology Group, Inc., Equivus, W.W. Grainger, Inc., CIMCO Communications, CIMCOR, Inc., Hegemony Consulting, Neohapsis, Inc., X-Ways Forensics, CompTIA Security+ Certification Program, Savid Technologies, Inc., ChicagoCon / The Ethical Hacker Network, UniForum, IEEE, and CPD.

I saw this image on Veracode’s blog and it is very true! Sadly though, many managers take the number of WTFs, start yelling WTF (Who the F**k), and place blame rather than realizing that it is usually the process and the lack of developer education that cause the problems, not the developers themselves. I have seen that when an effective Secure SDLC is implemented and blame is not thrown around, you really do get a reduction in security bugs.
I had a discussion about IT consulting methodology while speaking about Risk Assessments at Northwestern University when a thought popped into my head regarding how the traditional IT consulting methodology is flawed.
The traditional IT consulting methodology is usually comprised of the following components:
This process has a corollary in the pure application development world referred to as waterfall development. Waterfall development is a process in which you take a set of requirements, build a plan, have a team of developers go off and write the code, test the code, and then release the product.
The main problem of the waterfall model is its inability to adapt. The waterfall project is split into separate stages and forces developers, project managers, and the end user to commit to an outcome early on, even before the team knows how they will implement something. Changes in a waterfall project are expensive, very expensive, because everything has to stop and basically start over in many places. We have seen over the past 20 years that this process doesn’t work. We see how applications consistently fail to function or perform as expected. Essentially, this means the waterfall methodology is not good for projects that have changing requirements or requirements that are not well defined or understood. Sounds like your standard IT project to me.
So why would we apply this process to IT consulting, and especially to IT Security? The main reason is that the waterfall consulting methodology, if you will, does serve one purpose well: it can estimate costs rather easily, because the methodology assumes everything is known upfront. Are initial cost estimates so important that organizations are willing to jeopardize the schedule and success of a project? I don’t think so. Budgets should be a means to an end. Would you really consider sacrificing or diminishing the ends to hit some estimate of the means? On-time delivery and successfully meeting the changing requirements are much more important than a specific, exact cost estimate. Plus, how many projects actually meet their initial budget?
The alternative approach that has emerged for us came from our IT Security practice, where the traditional methodology was completely inadequate to keep pace with the tools, threats, and techniques. The approach is quicker, iterative, much more agile, and able to incorporate new learning. Now, remember, we’re talking about real IT Security here, not just the application of the latest tool, patch, or window-dressing. When we talk security, we’re not talking about the usual FUD hysteria followed by a sales pitch; we’re talking about a “bit’s eye view” of the data flow: where is it vulnerable, where does it linger, who is authorized to alter its flow, etc. We find that this Agile Service Delivery, applied more broadly to IT consulting projects and even application development, will reduce cost and time and increase the success of critical long-term projects.
Can we take the next logical step and apply this approach more broadly than just technology? Yes. The new enterprise is concerned with protecting, optimizing, and leveraging their data. To achieve those objectives the same iterative approach has been adopted through the implementation of frameworks such as ITIL that demand constant measurement and reassessment.
My post last week about Iron Mountain losing a backup tape from GE Money and losing the information on 650,000 consumers wasn’t the full story. Robert McMillan, IDG News Service, announced today that 230 different retailers had information on the tapes and it has been confirmed the tapes were not encrypted. There is just no excuse for lacking backup encryption in enterprises today.
If you don’t have backup encryption right now, stop what you are doing and get your Backup Admin in your office and get a project plan together to get encryption on your backups.
From where we are sitting, things are changing. IT buyers are starting to understand that what technology needs to “support” is the fastest and most efficient way for the company to create and deliver value. It’s not enough for developers to know how the tech tools work; they need to be able to connect with the managers who decide the value the tools should be used to create. IT projects on this landscape have some distinctly different characteristics than they did in the era of “back-office big iron.”
What IT consulting lessons are your feedback loops bringing you? Come to http://www.savidtech.com/blog/it-consulting/the-next-threshold/ and add them to the list.
An article posted at Illinois I.T. Association talks about the new IT Consulting thresholds and how the IT consulting paradigm is changing. What do you think? What are some of the changes you are seeing in the IT consulting model? Please post your comments below.
I have been an avid user of Desktop Search tools since their inception in 2003/2004. I have used Lookout, Google Desktop Search, MS Desktop Search, and am now a user of X1. These tools have gotten progressively better over the years, with the exception of Google Desktop Search, which was built to destroy hard drives as it does nothing but thrash your hard drive.
For example, I have 4.5 GB of email. I pretty much save everything and use search to retrieve emails. I don’t organize very much except in high level buckets like Company name etc. I had to move from Microsoft’s Desktop Search, which is integrated into Vista, to X1 because the indexing was severely slowing down my laptop. A 5400RPM hard drive that is constantly being accessed is death to a power user like myself. X1 though seems to handle things VERY well and integrates into Outlook with the use of an integrated tool bar. (FYI, go get X1 if you haven’t tried it yet)
I recommend Desktop Search to everyone because it lets you shift your focus from “where do I place this email” to “what was the content of the email”. Searching for partial phrases, parts of attachments, etc. that your mind remembered from months ago will find the email thread in less than a second. An amazing time saver.
Why is this important? It got me thinking that Desktop Search is a great example of the move from rigid structure to content. Google is the leader with their “we want to index everything” approach to business, and you can see how it is paying off financially while introducing many security-related concerns. Security is going to move into this content-focused world as well. Over the next few years we will see more application “vulnerabilities” exploited by social engineering the user (which is a content change, right?), as malware and phishing do, than by bypassing a program’s structure, as a buffer overflow does. The ability of an application to contain malicious content will become the vulnerability.
Malicious content, sadly, is much harder to detect than a structural violation. A structural violation can be compared against a baseline or standard where anomalies are easily seen. Malicious content, however, is all about intent, something that humans have had a hard time analyzing for thousands of years. You may think some content is malicious and others may not, so who gets the deciding vote?
The Indexing and Searching of Content is changing the world and you should start recognizing the high risks of the content within your applications, databases, and file servers.
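To make the structure-versus-content distinction concrete, here is an added example of mine (not code from the original post): a structural check against a baseline schema is deterministic, while a content check can only score indicators of intent. The field limits, indicator patterns, weights and sample messages are all constructed for illustration.

```python
import re

# Structural baseline: maximum length per field (constructed limits).
SCHEMA = {"from": 254, "subject": 78, "body": 4000}

# Content heuristics: phrases that hint at intent, each with a constructed
# weight. None of these is proof of anything; that is the point.
CONTENT_INDICATORS = [
    (r"\b(urgent|immediately|within 24 hours)\b", 2),
    (r"\b(verify|confirm|update) your (account|password)\b", 3),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", 3),   # link to a bare IP address
    (r"\bwire transfer\b", 2),
]


def structural_violations(msg):
    """Deterministic: every field that exceeds the baseline is a violation."""
    return [k for k, limit in SCHEMA.items() if len(msg.get(k, "")) > limit]


def content_score(msg):
    """Heuristic: sum the weight of each indicator found (once per indicator)."""
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    return sum(w for pat, w in CONTENT_INDICATORS if re.search(pat, text))


def classify(msg, threshold=4):
    """Structure first (exact), then content (a judgement call with a cut-off)."""
    if structural_violations(msg):
        return "structural-violation"
    return "suspicious-content" if content_score(msg) >= threshold else "ok"


# Constructed sample messages.
SAMPLES = {
    "overflow": {"from": "a@example.com", "subject": "x" * 500, "body": "hi"},
    "phish": {"from": "it@example.com", "subject": "Urgent",
              "body": "Please verify your account immediately at http://10.0.0.5/login"},
    "benign": {"from": "bob@example.com", "subject": "Lunch",
               "body": "Urgent question: sushi or pizza?"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, structural_violations(msg), content_score(msg), classify(msg))
```

Note that the phishing sample passes every structural check; only the content heuristic flags it, and the benign sample shares one of its indicators, which is exactly the ambiguity the post describes.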
I am commonly asked questions such as “Do you prefer COBIT or ITIL?” or “We really like the benefits of framework X, but there is so much more readily available for Y; what do you think?”
In 2007, the Global Information Security Survey, which represents 5,555 overall respondents covering all regions of the world, had the following to say:
| Framework | Overall | North America | Europe | Asia |
|---|---|---|---|---|
| ITIL | 45% | 43% | 50% | 46% |
| COBIT | 25% | 32% | 27% | 19% |
| BS7799 / ISO17799 / 27001 | 36% | 29% | 43% | 39% |
| SAS 70 | 18% | 28% | 11% | 13% |
| PCI | 23% | 34% | 17% | 18% |
It looks like ITIL is out on top. I think this is mostly due to the fact that ITIL has a lot of literature available in the market and there are many people that have used it, so it is easier to implement for some organizations.
Source: CSO Magazine