Digital Technology Awards 2013

Last night the team from @7elements attended the ScotlandIS Digital Technology Awards 2013 to find out whether we had been successful in the ‘Best Newcomer’ category.

With nerves increasing, thankfully our category was first up. The shortlisted companies were announced in reverse order for the award and were as follows:

The evening was great fun, and well put together by ScotlandIS. Well done to all of the other winners and all of the shortlisted companies. A full list for each category can be found here.


Puppet Vulnerability

This week has seen a timely reminder of the importance of effective patch management in information security, with the release of a security advisory about a remote code execution vulnerability in Puppet. Organisations need to ensure that all services and technology platforms are covered, not just the major players.

Would you say ‘yes’ if asked whether you have an effective patch management process? For many people, ‘yes’ would mean that they are aware of the need to patch and take steps to maintain patching levels on core technology platforms such as Microsoft and Oracle. However, what about the other key enabling technology in use within the organisation?

Puppet Labs[1] provides IT automation software that enables organisations to standardise builds and deployments and manage compliance activity through centralised patch management. On Tuesday they released information on a remote code execution vulnerability:

When making REST api calls, the puppet master takes YAML from an untrusted
client, deserializes it, and then calls methods on the resulting object. A YAML
payload can be crafted to cause the deserialization to construct an instance of
any class available in the ruby process, which allows an attacker to execute
code contained in the payload.[2]

What does this mean? Well, a malicious individual with internal network access could attack the ‘Puppet Master’ and gain remote access to it.

As the ‘Puppet Master’ is the central server that manages all functions and controls the remote machines, gaining remote access to this device could potentially enable an attacker to make changes on all devices within the environment under control of the master. It would even be possible to create new accounts on all of the remote machines that are managed, thereby giving the attacker legitimate credentials on all of these devices.[3]
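The advisory describes the root cause: YAML from an untrusted client is deserialised with a loader that will instantiate whatever class the document names. The following is an added example, not Puppet's own code, of the defensive pattern that closes this class of bug in Ruby: restrict the loader to plain data and an explicit list of permitted classes, and treat anything else as a rejected request. The sample documents, the permitted-class list and the function names are constructed for this example.

```ruby
require 'yaml'

# Classes this endpoint legitimately needs back from a client. Keep the list
# minimal; anything not listed is refused. (Assumption for this example.)
PERMITTED_CLASSES = [Symbol].freeze

# Constructed sample input: plain data of the kind a legitimate client sends.
PLAIN_DOC = <<~YAML
  ---
  name: web01
  facts:
    osfamily: Debian
    kernel: Linux
YAML

# Constructed sample input: the same shape, but the client asks the loader to
# build a Ruby object of a class of its choosing (here the harmless Object).
TAGGED_DOC = <<~YAML
  ---
  name: web01
  facts: !ruby/object:Object {}
YAML

# Deserialise YAML from an untrusted client as plain data only.
# Psych.safe_load maps the document to Hash/Array/String/Integer/Float/
# true/false/nil and raises for any !ruby/... tag whose class is not permitted,
# so the client can no longer pick which class is instantiated.
# (Ruby 3.1+/Psych 4 made YAML.load safe by default and moved the old
# behaviour to YAML.unsafe_load; at the time of the advisory YAML.load
# was the unsafe call.)
def load_untrusted_yaml(text)
  YAML.safe_load(text, permitted_classes: PERMITTED_CLASSES, aliases: false)
end

# Wraps the loader the way a request handler would: returns [:ok, data] for
# acceptable input and [:rejected, message] when a document tries to
# instantiate an unpermitted class, uses aliases, or is malformed.
def handle_client_document(text)
  [:ok, load_untrusted_yaml(text)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
rescue Psych::SyntaxError => e
  [:rejected, "malformed YAML: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_DOC, TAGGED_DOC].each do |doc|
    status, detail = handle_client_document(doc)
    puts "#{status}: #{detail.inspect}"
  end
end
```

The rejected message for the tagged document names the class the client tried to load, which is worth logging: repeated rejections from one client are a useful detection signal.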

The ‘Puppet Master’ also functions as a certificate authority by default. So any compromise could also have an impact on the integrity of those certificates.

All in all, quite a headache if this were to be realised. It is a good example of why an organisation should take steps to ensure that it has identified all of its vendors, has a process in place to collate all relevant security advisories, and is able to assess and implement updates in a timely and controlled manner.

Puppet Labs has issued updated software to address this specific vulnerability and details can be found here.

Blog Archive

Looking for blog posts prior to June 2013? Then head over to our archive here.


ScotlandIS

7 Elements are proud to be a business member of ScotlandIS.

ScotlandIS is the trade body for the ICT industry in Scotland; more information about their role can be found here.


Digital Technology Awards 2013

We are really excited and proud to have been shortlisted for the upcoming Digital Technology Awards 2013. Our shortlisting in the category of ‘Best Newcomer’ was a result of our excellence in client focus, technical capability and being a forward-thinking consultancy. The two other companies that join us on the shortlist are Guerrilla Tea and Hutchinson Networks, who we will get to meet on the awards night, and we wish them the best of luck.

The awards are next Thursday, when we will find out if we have been successful. Follow us on Twitter and we will let you know how it goes on the night.


What is Cyber Security?

By David Stubley, CEO, 7 Elements

A question that I am often asked is “What is Cyber Security?”

Cybersecurity or Cyber Security is a widely used term and one that most people will now have heard of. Many will need to understand the term if they are tasked with protecting information systems. Cyber Security as a term can be found in news articles from the mid-to-late 1990s, when the US Government started to understand how interconnected its systems had become and therefore how potentially at risk of compromise they were.

However, there are many definitions that use the word ‘Cyber’ and I find that they are often confusing, for example:

“Cyber security involves protecting information and systems from major cyber threats, such as cyber terrorism, cyber warfare, and cyber espionage.”

Source

Great, so Cyber Security is protecting you from Cyber <insert problem here>? Is that it, or am I missing something?

Unfortunately it is often used as part of a sales pitch and can often be misused to create a state of fear, uncertainty and doubt (FUD) aimed at generating interest in a product or service. You will often see terms such as Cyber Crime, Cyber Strategy, Cyber Security Awareness and Cyber Threat.

Let’s deconstruct this further.

So, what have we got so far? Well, Cyber is essentially a buzzword used widely within the Information Security world to capture all ‘evil’ activity conducted over the Internet or interconnected networks and systems.

Time to define Cyber.

What do I understand the term Cyber to mean? Well let’s get away from the hype and go back to basics. To do this, we can take a look and see how the term cyber is defined within the Oxford Dictionary:

“cyber

Pronunciation: /ˈsʌɪbə/

Definition of cyber

adjective

  • relating to or characteristic of the culture of computers, information technology, and virtual reality: the cyber age”

Source

Therefore, Cyber can be defined as the use of information technology and computers. I think that this is a straightforward and understandable way of looking at it. It is therefore no longer a ‘scary’ word used to frighten us.

Time to define Cyber Security.

So, looking at how to define Cyber Security, if we build upon our understanding of Cyber, we can see that what we are now talking about is the security of information technology and computers, which is basically good old-fashioned information security controls.

For me, Cyber Security should be replaced with:

“Information Security”

Doesn’t that sound so much clearer?!

If you are looking for a more formal definition of Cyber Security, then the Centre for the Protection of National Infrastructure (CPNI) has a great example that is easy to follow and avoids overuse of the word Cyber:

“Almost every business relies on the confidentiality, integrity and availability of its data. Protecting information, whether it is held electronically or by other means, should be at the heart of the organisation’s security planning. The key questions to keep under constant review are:

Who would want access to our information and how could they acquire it?

How could they benefit from its use?

Can they sell it, amend it or even prevent staff or customers from accessing it?

How damaging would the loss of data be? What would be the effect on its operations?”

Source

Threat: The Missing Component.

It is now widely acknowledged that risk management is the best way to manage security.

Security risks are beginning to be integrated into organisations’ business risk management structures so that they are managed alongside other business risks. This is a significant step forward, but one component is frequently missing from the security risk equation: threat. While there is no easy fix for this, the following blog sets the scene and explains why threat is an integral part of the overall risk management approach.

What is Threat?

There are many definitions of a threat, but within the context of security risks we will use the following: an actor that has the intent and capability to carry out an act that could cause harm to an organisation.

In some instances this is referred to as the cause of a risk. A threat must possess both the intent and capability to carry out the act and these two elements can be used to assess the size of a threat to an organisation.

In this context, the threat is a wilful actor that chooses to carry out the act.

Threats are not the only cause of risks though. Some risks may be caused by circumstances or events that do not possess intent or capability, such as adverse weather. These are referred to as hazards.

Hazards are rarely, if ever, a direct cause of a security risk and as such will not be covered in this blog.

Where does Threat fit into the risk equation?

Again, there are many definitions of a risk but we will use the following: any uncertain event that could have an impact on an organisation’s ability to achieve its business objectives.

These overarching definitions of risk clearly demonstrate the link between the risk and a business’s objectives, but they don’t describe what factors come together to make a risk. The following formula lays out the series of key factors required to cause a security risk. Threat is a key component of this.

A THREAT exploits a VULNERABILITY that causes an EVENT that has an IMPACT on the business.

The terms used above are all standard entities used in risk and, whilst real life is never that simple, most security risks follow the above formula in theory.

Why is Threat important?

A threat initiates a risk. It is not until a threat exploits a vulnerability that an event that impacts a business will occur. Without the threat, the rest of the sequence is not triggered and the consequences do not occur.

Organisations do not need to have knowledge of a defined threat to identify and manage a risk. The fact that a vulnerability exists, which a threat could exploit, is normally sufficient for an organisation and the threat element is ignored. The threat though contains a large number of variables that will determine the evolution of the event and its subsequent impact. The threat determines the timing, nature, size and velocity of an event.

It is these variables that give rise to the uncertainties of the event and therefore its subsequent impact. A defined and understood threat therefore provides additional information on the security risk that can be used to refine and target controls.

Why is Threat frequently not taken into account?

Despite its clearly important role, threat is often left out of organisations’ risk management processes. Threats are difficult to define. They exist outside of an organisation and therefore the information is difficult to obtain. In addition, organisations can rarely influence or control a threat without great cost.

Organisations therefore focus on the internal picture, identifying and managing vulnerabilities. Given the premise that any vulnerability a threat could exploit should be protected, this is work they have to do anyway.

Whilst understandable, for me this misses a key part out of risk management. So, how do we take into account threat in the risk management process?

Threat Led Risk Management

The point of risk management is to understand the things that might prevent you from achieving your objectives, and to manage them. It is about information and truly understanding the context in which you operate, so that the unforeseen things outside of your plan do not prevent you from achieving your goals. In this context, the threat is a vital part of the jigsaw puzzle, as it provides much greater clarity on the likelihood of a risk occurring and its potential impact. Whilst risks can be defined using the organisation’s vulnerability and potential impact, a risk cannot be truly quantified without taking into account the threat. We have termed this Threat Led Risk Management.

Threat Led Risk Management enables organisations to truly undertake risk management. This of course leaves organisations with a real problem, how do they get the information on threat that they need at a reasonable cost?

Threat Information

Gathering current and accurate information on the threats to a business or organisation is a difficult task. The information is not easily obtained and, in respect of security risks and the likely perpetrators, information on the threat is naturally guarded. For an organisation to gather information on the threats it faces and keep that information up to date, it would need to develop an effective intelligence network with sufficient sources of information to meet its needs, as well as have the capacity to analyse that information. For the majority of organisations this is unachievable.

The resource implications alone are likely to act as a barrier but in addition, the time it would take to establish an effective intelligence network is likely to prevent organisations from going down this route. In addition, organisations in similar sectors will be replicating work, in effect all seeking the same information and applying it to their businesses.

From a UK plc point of view this is a huge waste of resource to protect our businesses.

A Possible Way Forward

Organisations can obtain threat information from private companies that provide bespoke threat products but there is no guarantee on quality and those with good reputations are expensive. However, rather than individual organisations undertaking essentially the same intelligence gathering exercises on the same threats, a central non-competitive system that produces an industry sector specific threat report would provide a cost effective solution to enable organisations to undertake Threat Led Risk Management. Perhaps this is a role that could be undertaken by the UK Government.

The UK Government is currently seeking to strengthen the business sector’s resilience to attack, particularly in the area of what it calls cyber threats, and has also asked for innovative ideas on identifying and tackling the threat (summarised by the BBC). The Government’s current focus, though, appears to be on obtaining the information to enable it to act, rather than on sharing threat information. Whilst the Centre for the Protection of National Infrastructure (CPNI) does work with private organisations and provides security advice, no formal industry-specific threat product exists.

The UK Government already has a system and structure in place able to gather intelligence on threats. It is acknowledged that the UK Government will not be able to share the majority of information on threats and it is not suggested that private companies are given access to all the information. However, the information could be used to provide a centralised industry sector specific threat product that would enable organisations to better manage their security risks.

By Sarah Bullen, Managing Director, 7 Elements

CLI Virtual Host Checker – bingip

bingip is a really simple tool that makes a request to bing.com to determine the domains hosted at a given IP address, returning each in plain text on a new line.

It’s a very simple script at the moment and can only handle up to 50 domains (due to the page limit on Bing; we will update it to use the API in the future).

bingip accepts a file of IP addresses as input and, more usefully, it accepts an Nmap XML file too.

This means you can run your standard Nmap scans as normal and, when you’re done, use bingip to find which websites are hosted on the target IP addresses.

A simple example would be:

nmap -p 80 -oX bingip_example.xml scanme.nmap.org

Now pass the file generated, as an argument, and bingip will automatically extract hosts with web server ports:

bingip.py --nmap_file bingip_example.xml

74.207.244.221 ————– scanme.nmap.org
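The step bingip performs first, pulling the hosts that have an open web server port out of an Nmap XML file, is shown below as an added example in Ruby; it is not the bingip source. The sample XML, the port list and the function names are constructed for this example, so the port list the real tool uses may differ.

```ruby
require 'rexml/document'

# TCP ports treated as web server ports. (Assumption for this example.)
WEB_PORTS = [80, 443, 8000, 8080, 8443].freeze

# Constructed sample of Nmap -oX output, cut down to the elements we read.
SAMPLE_NMAP_XML = <<~XML
  <nmaprun scanner="nmap" args="nmap -p 22,80,443,8443 -oX sample.xml 192.0.2.0/28">
    <host>
      <status state="up"/>
      <address addr="192.0.2.10" addrtype="ipv4"/>
      <address addr="00:11:22:33:44:55" addrtype="mac"/>
      <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
        <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="192.0.2.11" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
      </ports>
    </host>
    <host>
      <status state="down"/>
      <address addr="192.0.2.12" addrtype="ipv4"/>
    </host>
    <host>
      <status state="up"/>
      <address addr="192.0.2.13" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
        <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
        <port protocol="udp" portid="80"><state state="open"/></port>
      </ports>
    </host>
  </nmaprun>
XML

# Returns [{ ip:, ports: }] for every host that is up and has at least one
# open TCP web port; closed/filtered ports, UDP and down hosts are skipped.
def web_hosts_from_nmap_xml(xml, web_ports: WEB_PORTS)
  doc = REXML::Document.new(xml)
  results = []
  doc.elements.each('nmaprun/host') do |host|
    status = host.elements['status']
    next if status && status.attributes['state'] != 'up'
    addr = host.elements["address[@addrtype='ipv4']"]
    next unless addr
    open_ports = host.elements.to_a('ports/port').select do |port|
      state = port.elements['state']
      port.attributes['protocol'] == 'tcp' &&
        state && state.attributes['state'] == 'open' &&
        web_ports.include?(port.attributes['portid'].to_i)
    end
    next if open_ports.empty?
    results << { ip: addr.attributes['addr'],
                 ports: open_ports.map { |p| p.attributes['portid'].to_i }.sort }
  end
  results
end

# Plain-text output, one host per line, in the spirit of bingip's output.
def format_web_hosts(results)
  results.map { |h| "#{h[:ip]} #{h[:ports].join(',')}" }.join("\n")
end

puts format_web_hosts(web_hosts_from_nmap_xml(SAMPLE_NMAP_XML)) if __FILE__ == $PROGRAM_NAME
```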

You can download the tool and see further examples over on our Github page at https://github.com/7Elements/bingip.

By Marc Wickenden, Principal Security Consultant, 7 Elements

Exploring the security implications of social media


The use of social media has become a ubiquitous component of the ever more interconnected world in which we now live. Social media platforms such as Twitter, Facebook and LinkedIn can provide organisations with new and innovative ways to engage with their customers and staff. However, this highly dynamic and end-user focused environment can also bring with it a number of security implications.

Information Disclosure

The data held within social media can provide an attacker with a wealth of information about the internal workings of your organisation. This information can include detail on roles and responsibilities, projects, commercial relationships as well as exposing information about internal IT systems, including the ability to identify security vulnerabilities.

This information can provide a valuable insight into your organisation and increase the likelihood of a successful social engineering attack or even a direct attack against your systems. For example, during a recent client engagement, we used openly available social media information to map their internal organisational hierarchy to within 86% accuracy and detect vulnerable operating systems and browser software that could have resulted in them becoming an easily identifiable target.

Reputational Damage

Social media offers the ability for organisations to spread messages in real time to a much wider audience and promotes a two way interactive dialogue between the end-user and the organisation. However, organisations need to understand both the positive and negative impact that social media can have on their brand and manage this channel of communication effectively. This will enable them to avoid potentially damaging stories around poor customer experience, service outages and other issues going unmanaged.

Malware and Viruses

URL shortening services are now an essential component of social media. Shortened URLs are also commonly used by malicious parties to spread malware and viruses, as they hide the real destination. 7 Elements recently conducted an analysis of shortened links within Twitter and, of the 3,465 links assessed, 520 linked to malicious content such as malware. Clicking on a shortened link would on average take the user through two different sites (via automatic redirections) for each single URL advertised, which could further increase the likelihood of coming into contact with malicious content.

Bringing it all together

Without doubt, the use of social media provides a new avenue for organisations to exploit, but at the same time will introduce fresh and potentially serious threats.

Organisations should confirm that they have the appropriate policies and procedures in place, such as an effective acceptable use policy, training and awareness for social media and a social media handling policy. This will ensure that they are able to exploit this opportunity without unduly exposing themselves to new threats and associated risks.

By David Stubley, CEO, 7 Elements

Cloud security – exploring the risks associated with use of the Cloud

As an information security professional, I am often asked about the Cloud, in particular “Is the Cloud safe?” and “Should I use the Cloud?”

For me the starting point should be: “What data do I want to put in to the Cloud and how important is that data to me in terms of confidentiality, availability and integrity?”

The answers to these questions, combined with an appreciation of the risks associated with using the Cloud, will then enable you to decide if using the Cloud is the best option for you. More importantly, it will allow you to manage the risks involved. This approach will enable your business to meet its objectives whilst managing the risk to an acceptable level.

Cloud basics

What is the Cloud? Well, in short, it is a great marketing gimmick. There is no single thing called the ‘Cloud’. The Cloud is a term used to describe multiple service offerings such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). All of these are characterised by on-demand provision, the ability to scale rapidly, and payment solely for the amount of resource required at any given point. Cloud provision often makes use of shared virtual services for the storage and processing of data.

Organisations can implement their own ‘Cloud’ or can partner with an external supplier to use that party’s infrastructure. The basic premise is that you only provision the services required to meet your needs and can then grow and shrink this as required, with the organisation only paying for the resource consumed.

Key Risks

What are the key risks presented by using the Cloud? For me, the key risks and some of the issues that an organisation should explore when looking at the Cloud break down as follows:

What legal jurisdiction will my data be held within?

As an organisation you should be aware of how legal requirements to disclose data may be affected by the geography of where the data is stored. If you are based in the UK and use a US-based Cloud provider, consider the impact on your organisation if the US courts enforce disclosure of your sensitive data. Where the Cloud is used to store or process sensitive personal data, there may be an impact on your compliance with the applicable regulation (the Data Protection Act), which you will need to fully understand and mitigate.

Will your Cloud provider place your data in multiple geographies without your knowledge?

Different geographical locations mean different legal jurisdictions, which will have an impact on your legal and regulatory requirements within each of those regions. This may restrict the type of data that can be stored or processed or limit how the data in question can be transferred between locations. The ability to encrypt data will also be impacted within certain locations due to export restrictions.

Who else may have access to my data?

Many Cloud services are based on the use of shared services or multi-tenancy solutions. The benefit to the end user is reduced costs, but this can also lead to security concerns. The data may be at risk of attack from another user of the same Cloud service due to the architecture in use. Consideration should be given to how the Cloud provider has limited the possibility of data compromise.

Will my data be destroyed securely?

As discussed earlier, the idea of the Cloud is that you can grow and shrink your resource requirement. When the data on disks is no longer needed it will need to be destroyed. You will need to gain assurance that the data has been destroyed in compliance with your organisation’s standards, that the next user of that environment will not accidentally gain access to your data, and that you have met any regulatory requirements.

What level of availability do I require for my data?

The Cloud sells itself as always being there. The data is ‘in the Cloud’, so you will always have access to it. However, the Cloud brings its own impact in relation to your organisational business continuity plans and disaster recovery approach. Consideration should be given to scenarios where the Cloud provider fails, or your ability to connect to the internet fails. This may render the data unavailable.

What other unintended consequences need to be considered?

The list above is not exhaustive and there will be other issues specific to your organisation that will need to be explored to enable you to make an informed decision about using the Cloud. There will also be further unintended consequences that the Cloud will introduce and as many of these as possible should be identified to enable a robust risk managed approach to be undertaken.

An example of one unintended consequence is that Cloud services are based on the concept of paying for the service required and on the flexibility to grow and shrink the required resource on demand. Many providers have an automatic provisioning system that enables you to manage the demand and will bill your organisation automatically. Consideration should be given to the security of this approach, focused on who can authorise the provisioning, and how costs can be limited to an acceptable level.

If there is a flaw within the provisioning system then there is a risk that this can be circumvented and result in malicious / fraudulent use. This could result in large unexpected financial bills or legal action being taken against your organisation for storing illegal data that was maliciously uploaded.

Bringing it all together

The Cloud offers a cost effective and flexible approach to manage your data storage and processing requirements. However, the Cloud is no different to the wider challenges of managing an organisation’s data securely. With these unique opportunities, unique risks will arise. A sound understanding of these risks will enable an organisation to assess if the Cloud is right for them and if it sits within the overall organisational risk appetite for data security. Risk areas identified can then be used to structure any assessment of potential providers to ensure that they can meet your requirements and that the contract will legally enforce this.

By David Stubley, CEO, 7 Elements