Measuring Psychological Variables Of Control In Information Security
- At January 19, 2011
- By Josh More
- In Business Security, Psychology
For much of the last year, I have been exploring an idea. As of a few weeks ago, I completed a paper based on my explorations. To put it very succinctly, I have long wondered why small businesses do not suffer more security breaches than they do. As a group, they tend to have sloppy operations practices and poor to nonexistent controls. While they are a smaller and less-tempting target, that alone doesn’t seem to explain the lack of problems. One thing that might explain this is the tendency for people at lower risk to compensate for that lower risk by taking larger personal risks. So I decided to study the variables of psychological control within an information security context. The conclusions were somewhat surprising… but that may be due to the limited sample set.
Anyway, if you are interested in Likert scales, psychology or academic analysis of information security, the paper is available here.
If you like, you can just jump down to pages 26-28 and get my conclusions.
I welcome your thoughts.
Not Another 2011 Security Predictions Post
- At January 04, 2011
- By Josh More
- In Business Security
Well, it’s that time of year again. I’m not talking about “vacation’s over and now we have to actually work” or the “let’s all resolve to exercise until Feb 1”. I’m talking about the annual tradition of making security predictions for the coming year. It seems that every year more companies use this time to look for problems in the upcoming year. Everyone says pretty much the same things: malware is going to get worse, mobile devices will be targeted, social media will be targeted, a big company that’s generally low on the radar will get hit big time, millions of dollars will be lost, cyberwar will knock us back to the stone age, and there’s a monster at the end of this post. (I may have made up the last two.)
It happens every year, and frankly, I’m tired of it. There’s little significantly different between 2011 and 2010, just like there was little different between 2010 and 2009, or any previous year. In fact, there are only two big trends that matter.
Big Trends
- Defenders will try to defend the best they can with limited resources.
- Attackers will try to attack the best they can with limited resources.
Of course, there are subtle effects as these trends play against one another. For example, if the defenders all invest in antimalware, the attackers will get better at writing malware. If the defenders all focus on monitoring their logs, the attackers will get better at hiding what they do from the logs. It’s your classic arms race… with one exception. Every time the defenders put a defense in place, they lose resources, and every time an attacker wins, they gain resources. Sadly, this brings us to the two differences between 2010 and 2011.
Differences: 2010 and 2011
- The defenders will have fewer resources.
- The attackers have more resources.
See, every time an attacker successfully hits a business and steals half a million dollars, that’s half a million dollars that goes straight into attacking other businesses. As the successful attacks build upon one another, the attackers can build their infrastructure and fine tune their operation. Sadly, as time goes by, the defenders lose out. If they were successfully attacked, resources were either stolen directly or will be slowly leached away in terms of higher insurance premiums, lost customers and the like. If they were not successfully attacked, they often face the difficulty of explaining why they need still more resources when they have nothing to show for what they spent in the previous year.
So it appears as though the game is rigged. The attackers are going to win and the defenders are going to lose… right? Well, kinda. Fortunately, there is one single magic mitigating factor.
Magic Factor
- No two organizations are identical.
This, right here, is what is going to help the defenders. See, if you have two people defending their business and one person invests in security and the other one doesn’t, the attacker is going to go after the one that didn’t. Burglars only rob a house with the security system if there’s either some pretty fancy stuff in that house or if all the other houses have security systems. Lions and wolves go after the sick and the old in the herd. There’s less risk and therefore a greater potential reward for doing so. As the old story goes, if you’re hiking in the woods with a friend and are attacked by a bear, you don’t have to outrun the bear… just your friend.
The same thing applies to business. You don’t need to invest in every single security technology. Your office doesn’t have to look like the lair of a Bond villain. You don’t need your computer to read your fingerprint, scan your retina and get a drop of blood to log in. You just have to invest a little bit more and a little bit smarter than the average.
… which brings me to my security predictions of 2011.
- The majority of businesses will continue to under-invest in many aspects of their business, including security.
- Of the businesses that do invest, many will do so reactively and without proper analysis, in effect throwing good money after bad.
- A great many businesses will be breached… far more than we’d like, but by no means all of them.
- Some attackers are going to get rich and retire. Others will get caught. Those still at it will learn from others and get smarter about attacks.
- The handful of businesses that learn from one another and get smarter about defense will be in a much better position than those that do not.
- Many businesses will continue to believe themselves secure because they purchased a firewall/antimalware/magic box. Security is not bought, it is created day to day, month to month and year to year through intelligent investment and operations.
In short, the strong and smart will survive, the weak and lazy will not. It’s the way of the world.
Of course, those don’t help you to decide what to do, as we’ve still not discussed what “average” is. What do you need to do to be one better than your competitors? While I clearly can’t speak for your business specifically, in general…
- If you don’t have antimalware, get it and check it daily. – Malware is one of the prime tools in the attackers’ arsenals.
- If you don’t have web filtering, get it, tune it and check it weekly. – A shocking number of attacks come in via the web.
- If you don’t have antispam and email encryption, get it and check it monthly. – Email is right up there with web for attack vectors.
- If you’re not patching your systems, start and do it (at least) weekly. – If you’re not fixing your problems, it’s just too easy.
- If you’re not reviewing your logs, start or outsource it. – Most attacks show up in logs, but if you’re not looking you won’t see them.
There’s a lot more I could go into, like vulnerability assessments, security training, etc. However, if you’re not doing all five of these you’re behind the curve and are a prime target. Fix these first to buy the time to make the bigger changes.
Don't Poke the Bear
The world is abuzz today with the news of Gawker’s passwords being leaked. Rest assured, this will not be yet another “the sky is falling” post or yet another hasty analysis of what happened. If you want a good overview, please read Daniel Kennedy’s excellent post over on Forbes.com. If you want to know what it means to the security community, todb’s Metasploit post is good.
No, instead, the only specifics you need to know about this attack are that it hit Gawker, that Gawker owns sites like Lifehacker, Gizmodo and io9, and that if you had an account there, you should change your password (details here). If you used that password in other places, you should change it there too. It looks as though Gawker was using poor security on their servers and in the way that they stored passwords. That’s all I’m going to say about the tech. Instead, I’m going to talk about hiking.
I like hiking. You get to be outside, you get to see beautiful scenery and enjoy the air. You get to interact with all sorts of wildlife. On my hikes, I’ve seen butterflies, frogs, rabbits, birds and even things like raccoons. I’ve known people who get far more into hiking than I do, and they report seeing even neater animals like rattlesnakes, wolves, cougars and bears.
Now, when one goes out hiking, one takes on a certain amount of risk. Usually, the risk is much lower than the risk one takes driving to the hiking trail, but I’m not going to get into safety statistics either. The point is that good hikers know to take certain precautions. For example, I’ve been hiking in rattlesnake country. There are lots of ways to deal with rattlesnakes. Here are some examples:
1) Hike where they don’t live.
2) Wear tough boots.
3) Make noise as you walk.
4) Bring a first aid kit with you in case you get bit.
5) Bring anti-venom with you in case you get bit.
6) Wear a full suit of armor.
7) Deploy a fully-automated hunter-killer drone ahead of you.
See, the fundamental problem here isn’t that rattlesnakes have mouths full of nasty venom that can clot your blood, destroy your limbs or kill your brain. The problem isn’t even that they bite you in less than half a second. The problem is that most rattlesnakes don’t want to bite people, but sometimes people push them into it. After all, they have to wake up, do their little rattly thing, bite you, use up all their venom and then get away before you fall on them. It’s a royal hassle. Really, most rattlesnakes just want to go about their day, lounge in the sun, eat a rat or two and sometimes get busy making brand new baby rattlers.
This is true with most of nature’s threats. Leave them alone, and they’ll leave you alone. Even the ones that are bigger, faster and meaner than rattlesnakes. Cougars would rather eat a deer than a person. Wolves want to run around together. Bears mostly just want to sleep. (Sleeping is awesome!)
So what’s the point here? The thing is, with hiking you can choose your location, however, when you’re on the Internet you cannot. On the Internet there’s just the one hiking “location”. You can look at different things on your hike, but it’s always in the same place… and in that place live all sorts of poisonous snakes, wolves and bears (and even nastier things). You can’t not hike there… and it’s crazy to go everywhere fully armed. It’s no fun to go hiking fully armored, and too expensive to get a ton of drones, much less adding armaments.
No, whether you’re hiking or using the Internet, there are two simple rules:
1) Take basic precautions.
2) Don’t be stupid.
For example, in the hiking world, you wear good boots and carry a walking stick. In the Internet world, you run a modern antimalware system and harden your servers. In the hiking world, you avoid walking on cliffs, don’t stick your hands into dark crevices and don’t poke any sleeping bears you may see. On the Internet, you avoid the nastier sites, keep your systems patched and don’t tick off people with more time and inclination to harm you than you have to defend against it.
Gawker found a sleeping bear. They poked it with a stick. They got mauled. End of story.
Lesson one of Internet security? Don’t poke the bear.
Been away for a while
- At October 10, 2010
- By Josh More
- In Business Security
“Hey Josh, where’ve you been?”, I hear you all asking. Over the last several months, you might have noticed a suspicious absence of security folks from the wider blogging world. The reason for this is pretty much “Sorry, been busy”, which I know isn’t much of an excuse. So here’s the deal. Security is hard. It’s always been technically complex, but recent events have combined to create something of a perfect storm. We like to divide the world into “good guys” and “bad guys”. In the past, it’s been a fairly even fight. However, with the global economic recession resulting in staff cuts, there are fewer good guys. Of course, with small budgets, there have been cuts on the technology side as well. At the same time, advances in malware technology have given the attackers some extremely impressive tools. These advances have been made possible due to unprecedented cooperation within multiple groups of organized crime.
So here we are, a reduced set of security practitioners trying to help businesses maximize security benefit for the dollar against a massive global network of highly skilled and highly paid criminals who are writing highly complex malware that goes far, far beyond your old school phishing attack with key logger. This post is going to focus on a specific type of financial attack. Odds are, if you’re reading this, you’re more interested in protection than the technical stuff, so we’ll break tradition and leap straight into that.
If you’re interested in hearing more about what this particular malware can do, there are technical links at the bottom of this post. For now, know that it’s a highly complex piece of financial malware which exists to steal money in any way it can. It runs on all versions of Windows and most common browsers. It’ll come in via email, web, PDF files, USB or any way that the attackers come up with. Small businesses and nonprofits are being targeted because they tend to have weak controls, but CEOs and CFOs are also being targeted as they tend to have more to lose.
Protections:
Within the industry, we often talk of security tradeoffs. Basically, there are costs to reducing risk… and these often go beyond mere dollars. My ultimate goal as a security consultant is to help a business make the appropriate decisions and balance security expenditure against the possible benefits. The following advice is what I believe to be true for most businesses, but please keep in mind that your particular business may have different requirements. To keep things simple, here are five technical and five financial recommendations.
T1) Use a dedicated system for financial transactions. Yes, it’s expensive, but a lot less expensive than having your money stolen. If you use the same computer to transfer money that you use to play Mafia Wars on Facebook, you’re just asking for trouble. If you’re using a shared system that’s not locked down, you might as well just cut the attacker a check… it’d save time.
T2) Use a dedicated firewall. Put a firewall between the dedicated financial workstation and both the Internet and internal network. Set it to use NAT and allow no traffic to flow from the Internet to the workstation. Allow the workstation to connect to your bank and the Microsoft and Adobe updates sites. Depending on your financial processing software, you may need more sites allowed… but keep it as minimal as possible. Only allow connections that it needs. The firewall should be a physical device as malware often disables local firewalls.
T3) Keep the workstation hardened and updated. Make it useless for anything other than financial processing. Don’t install Office. If you need to view docs or spreadsheets, install the free viewers from Microsoft. If you don’t need to view PDFs, keep Adobe as far away as possible. Update as soon as the updates are available. Forget about testing the MS patches: the vulnerability window is already negative, and delaying patching is just stupid. Build your business processes to have a manual failover in case a patch breaks your financial transfer workstation. That’s a much better use of time than testing patches on a one-off system.
T4) Take away admin rights. I know it’s a pain to figure out what privileges you actually need to run that one app that is used every January to do taxes, but it’s less than the pain of recovering half a million dollars because someone had admin access and didn’t need it. If you can use Linux and Firefox, by all means, do so… it’s a lesser target. If you cannot, go with Windows 7. The UAC security controls in Windows 7 are excellent.
T5) Use a real antimalware program. The one that comes loaded on your workstation when you buy it from Dell/Best Buy isn’t going to cut it. Freebies aren’t going to cut it. Real programs cost real money. For specific recommendations, I like Sophos because of the enterprise control features. Being able to use device-based controls and lock down applications is very important here. If you really want to go light and accept the risks that come from reduced control, Kaspersky is a good second runner. In any case, if you detect malware running on your dedicated system, notify your financial institution immediately.
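As an added example (not the post’s own configuration), here is what the T2 policy looks like on a small Linux box used as the dedicated firewall, written as iptables rules: deny everything by default, NAT outbound, and let only the financial workstation reach an allow-list of the bank and update sites. Interface names, the workstation address, the resolver and the host names are placeholders to replace with your own; DRY_RUN=1 prints the rules instead of applying them so the policy can be reviewed first.

```shell
#!/bin/sh
# Added example for recommendation T2: a two-interface Linux firewall, with the
# financial workstation alone on the LAN side. Everything below the comment
# markers "placeholder" is an assumption to be replaced with real values.
LAN_IF=${LAN_IF:-eth1}             # placeholder: interface toward the workstation
WAN_IF=${WAN_IF:-eth0}             # placeholder: interface toward the Internet
WS_IP=${WS_IP:-192.168.50.10}      # placeholder: the financial workstation
RESOLVER=${RESOLVER:-203.0.113.53} # placeholder: the one DNS server it may query
# Outbound allow-list: the bank plus the Microsoft and Adobe update sites
# (placeholder names; use the hosts your bank and vendors actually publish).
ALLOWED_HOSTS=${ALLOWED_HOSTS:-"bank.example windowsupdate.example adobe-updates.example"}

# With DRY_RUN=1 the iptables commands are printed instead of executed.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    # Start clean; drop by default both for traffic to the firewall itself and
    # for anything passing through it (this is what also keeps the workstation
    # away from the rest of the internal network: nothing is forwarded unless
    # a rule below allows it).
    ipt -F; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Management access (e.g. SSH from the LAN side) is deliberately not opened here.

    # Replies to connections the workstation started are the only inbound traffic.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Name resolution, but only to the designated resolver.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$WS_IP" -d "$RESOLVER" -p udp --dport 53 -j ACCEPT
    # Only the workstation, only to allow-listed hosts, only HTTPS (and HTTP for
    # update sites). iptables resolves the names once, when the rules are loaded,
    # so reload the rules if a bank or update site changes its addresses.
    for host in $ALLOWED_HOSTS; do
        for port in 443 80; do
            ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$WS_IP" -d "$host" -p tcp --dport "$port" -j ACCEPT
        done
    done
    # Anything else the workstation tries is logged, then dropped by the policy;
    # a log entry here is the early warning that something on the box is misbehaving.
    ipt -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "finws-denied: "
    # NAT the permitted outbound traffic; nothing from the Internet is ever
    # forwarded to the workstation because no rule accepts traffic arriving on WAN_IF.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}
```

Run it with DRY_RUN=1 first and read the output before applying it on the box.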
F1) Set your account to use dual controls. This means that one person in your organization has the ability to initiate payments but a second person must approve them. This makes the attackers’ job much more complicated, as they have to control two systems and synchronize data in order to steal money. If your financial institution does not offer this ability, we strongly recommend finding another institution.
F2) Some institutions allow you to create a list of companies and individuals who are authorized to receive payments (called Positive Pay or Whitelisting). This list should be created outside of the Internet banking system so that an attacker cannot simply add and authorize a new account. If you have this available to you, by all means use it! This can go a long way towards preventing your money from being transferred to money mules.
F3) Almost all institutions allow you to sign up for alerts. With these systems, you get emails (or, in some cases, text messages) whenever a transaction occurs. The faster you can respond to a suspicious transfer the more likely you will be to reverse it. Bank-to-bank transfers are nearly immediate and require the cooperation of the receiving bank to get the money back. The longer you wait the more likely that the money has moved on and more institutions will need to be involved, which makes recovery much less likely.
F4) Set limits wherever you can. Many systems allow you to limit the amount of money a particular person may transfer, the amount that may be transferred per day/week/month and the times at which transfers can occur. Of course, you run the risk of being prevented from transferring money when you really need to, but in most cases you can work around this with a phone call to your institution. The protections you get from limiting transfers are usually worth the occasional irritation when you have to work outside the norms.
F5) Utilize emerging technologies. Not all banks have these options, but if your bank can provide you with a two-factor authentication token, security software to facilitate secure transfers, out of band approval systems (phone, fax, text message, etc.) or analysis of payment patterns, take advantage of them. They’re usually free to inexpensive and will give you a much deeper level of financial protection than you would get otherwise.
F6) Bonus suggestion! Some accounts have overdraft protection in place. This sounds good if you are worried about occasionally spending more than you have. However, the flipside is that it could allow an attacker to steal more money than exists in the account. If you can get by without overdrafts, turn this protection off or, if you have to, at least set the protection level as low as you can.
In the end, a combination of technical and financial controls will go a long way towards protecting you, but implementing them will require you to change your business processes. If you’re a CEO, CFO or owner you’re lucky. If you’re not, you may need to set up a meeting with your C-level people. They need to understand that they are being targeted personally because of their role. They need to know that the online systems are being manipulated. The balance reported on an infected system will be altered to hide the malware’s activities. They also need to understand that there is no 100% solution. What I recommend here is a good start, but they could still have problems if the attacker is persistent.
Technical Links:
- Zeus overview on Wikipedia
- Recent arrests related to this malware
- Zeus Tracker (This site is often attacked and may not be available.)
- SecureWorks Threat Overview
- Sophos Threat Overview
- Zeus spreading to mobile phones
Firefox Profiles
- At April 27, 2010
- By Josh More
- In Business Security
I’ve been absent from this blog for a while. Other projects are occupying my time. I hope to return to regular blogging soon… but it may be a bit longer yet.
However, one of my projects involved getting a new laptop. Since getting a new laptop is a good excuse to redo things and do them better, I decided to take a closer look at my Firefox profile setup.
I play a lot of roles, ranging from security researcher to consultant. There are different Firefox configurations that I need for each, but it’s a pain to constantly log in to different user accounts. To make this process simpler, I decided to create four different Firefox profiles, each tuned to a specific set of tasks. What follows is a description of what I did under Linux. The same process should apply to other operating systems… but I’ve not tested them there. With one exception (noted) all add ons are from addons.mozilla.org.
Warning, geekery below this line.
I started with my basic add ons:
- Adblock Plus to prevent those annoying ads (and ad-based malware infections)
- Neo Diggler to give me a quick way to clear the location bar and give me the ability to add custom stuff
- NoScript to prevent scripts from running. I did a quick whitelisting of the sites I use a lot (Google, Amazon, Alliance, LinkedIn, etc)
- Web of Trust to give me a hint before I click on a link.
- Tiny Menu to maximize screen real estate. (I love me the tiny laptops)
- TorButton for quickly accessing The Onion Router (requires installing additional software to utilize)
Sadly, LongURL is not supported on the new Firefox yet.
I restarted Firefox to activate everything and configured the plugins the way I like. I also customized the Nav bar and moved everything up to the Menu bar that TinyMenu made nice and small. Then I used the View menu to turn off Navigation and Bookmarks.
Then I went into Preferences->Privacy and set Firefox to “Never remember history” and suggest “Nothing”. I also cleared my history that was created thus far. In Preferences->Security, I told it to never remember passwords, block reported attack sites, web forgeries and add ons. (By not remembering passwords, I render myself less vulnerable to risk from theft of my profile directories, but more vulnerable to keyloggers… it’s a good tradeoff to me.)
I then shutdown Firefox and went into ~/.mozilla/firefox. I did a cp -a of my profile directory to other names (this bit would be different on Windows):
cd ~/.mozilla/firefox
cp -a blahblah.default research
cp -a blahblah.default paranoid
cp -a blahblah.default webdev
Then I edited profiles.ini and copied the four top lines of [Profile0] to new blocks of Profiles 1 through 3. I edited the Name and Path to reflect each of my new profile directories (research, paranoid, webdev). I edited the Firefox launcher and appended “-ProfileManager --no-remote” to the “run command”. This way, when I click on the little icon, Firefox will prompt me for the profile I want each time I launch it, and it lets me run multiple profiles at once.
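The cp -a and profiles.ini steps above as one script, added here as an example and not part of the original post. It assumes the Linux layout (profiles.ini with a [Profile0] block sitting next to the profile directories) and takes the Firefox directory and the source profile name as parameters, so it can be tried on a scratch copy before being pointed at ~/.mozilla/firefox.

```shell
#!/bin/sh
# Added example: clone a Firefox profile into task-specific copies and register
# each in profiles.ini, the same cp -a and [ProfileN] edits as above, in one step.
# Assumes the Linux layout; the directory argument lets you test on a copy first.

# clone_profiles <firefox-dir> <source-profile-dir> <new-name>...
clone_profiles() {
    fxdir=$1; src=$2; shift 2
    ini="$fxdir/profiles.ini"
    [ -d "$fxdir/$src" ] || { echo "no such profile directory: $src" >&2; return 1; }
    [ -f "$ini" ] || { echo "no profiles.ini in $fxdir" >&2; return 1; }
    # Next free [ProfileN] index: one past the number of blocks already there.
    n=$(grep -c '^\[Profile[0-9][0-9]*\]' "$ini" || true)
    for name in "$@"; do
        if [ -e "$fxdir/$name" ]; then
            echo "skipping $name: directory already exists" >&2
            continue
        fi
        # cp -a keeps permissions and timestamps, as in the post.
        cp -a "$fxdir/$src" "$fxdir/$name"
        # A copied lock file would make Firefox believe the new profile is in use.
        rm -f "$fxdir/$name/lock" "$fxdir/$name/.parentlock"
        # The same four lines as the top of [Profile0]; Default=1 is deliberately
        # not copied, so the original profile stays the default one.
        printf '\n[Profile%s]\nName=%s\nIsRelative=1\nPath=%s\n' "$n" "$name" "$name" >> "$ini"
        n=$((n + 1))
    done
}

# profile_names <firefox-dir>: list the registered profile names, to check the result.
profile_names() {
    sed -n 's/^Name=//p' "$1/profiles.ini"
}

# launch_profile <name>: open one profile directly by name instead of via the
# chooser; --no-remote lets it run alongside a profile that is already open.
launch_profile() {
    firefox -P "$1" --no-remote &
}

# Example run, after backing up ~/.mozilla/firefox (the source name is whatever
# your default profile directory is actually called):
#   clone_profiles "$HOME/.mozilla/firefox" blahblah.default research paranoid webdev
```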
I then launched it and selected my “research” profile.
Here, I went back into Preferences->Privacy and told it to go ahead and remember history and make suggestions (as when I’m researching things, I often forget where I found things and what I searched on.) Then I installed the following add ons:
- Add N Edit Cookies for cookie manipulations
- HackBar for SQL injection fun
- PassiveRecon for exactly what it sounds like
- RefControl for mangling HTTP headers
- DeeperWeb for those occasional rambling searches.
Then I added the following search engines to the dropbox:
- Offensive Security Exploit Database
- Security Focus Vulns Search
- Security Wire Search
I’ll probably add more as I play with it. I’m still not used to using this feature to search the deep web. (Wonder if one could be written to access our corporate wiki?)
Then it was time to restart Firefox and activate, set preferences, yada yada yada.
After that, I restarted to access the “paranoid” profile. I went into Preferences->Security and turned on ALL warning messages. It’s annoying to use now, but that’s partly the point.
I set StartPage to my initial home page, using the “Generate Custom URL” feature on the site. Since I’m not storing any cookies at all, this is how it has to be done. I removed all search engines and added IxQuick HTTPS, Startpage HTTPS and Scroogle SSL. On the AddOn side, I added:
- Force-TLS to force HTTPS connections (though it really doesn’t do all I’d like it to)
- Certificate Patrol to track certificate details
- Perspectives for a paranoid check against SSL certificate alteration. This one is linked to from the Mozilla add ons site, but not installable from there.
I then disabled the CNNIC SSL certificate (Preferences->Advanced->Encryption->View Certificates->Authorities, scroll to “CNNIC ROOT” click “Edit” and unselect “This certificate can also identify web sites”.) It’s a matter of debate as to whether or not this is necessary… but so long as it’s being debated, my paranoid side will be careful. (The other profiles don’t care. :)
Lastly, I installed the Orange Fox theme, which is ugly and garish, but since I wanted a visual reminder that I was in the paranoid profile, it was exactly what I wanted.
After another restart I entered the webdev side. The fun new add ons here were:
- Firebug for tracing DOM and CSS issues, which I don’t do much anymore, but it’s still nice to have.
- CodeBurner For Firebug to add reference to Firebug
- FlashGot for massive download fun on archive.org
- Greasemonkey for fixing stupid sites (and integrating with FlashGot to bypass trivial JavaScript-implemented “security” checks)
- Live HTTP Headers for watching traffic in real time, when I don’t want to launch a real proxy
- Web Developer for the same reason as Firebug
From here, I am in a position to fire up the profiles as I need them, and am able to work on the web without worrying about my tools being available.