Sunday, December 20, 2009
Odds of losing confidential personal data is increasing
This article Electronic Medical Records: The Good, Bad, And Ugly was a trigger to this post.If you lose your medical record along with 10 or 1000 others will it make any difference to you? I think it will be more traumatic if you are amongst few as the redress modes will be different. What about losing credit card details? Imagine now even malware can have QA and botnet is an industry they even run help desk. Added to this (probably) unethical practices like this and sophisticated attacks like this the chances of losing confidential information is increasing. What are the odds does an average citizen have against these? Maybe high in places like USA & Europe but in a developing country they are pretty low.
Saturday, December 12, 2009
Hacking thoughts - Insecure ATM port
Warning: These are just random thoughts and with lot of presumptions; readers are advised that trying/doing similar activity would be a serious criminal offense and finally I am not a native speaker of English and may have used colloquial words hence no arguments on English usage.
I used an ATM today; this machine of a major Indian private bank was located on the premise of its branch. As I finished and turned to exit I noticed network patch cords connected to the ATM NIC were exposed; it shouldn’t be like this … someone could a) Take a picture (like I did) and shout at the bank about the lack of cable security
b) Yank out the cord and get the ATM out of order temporarily
c) Rig the I/O (network socket) by connecting a HUB & AP (power socket was inches away) and hack into the bank network Third is serious stuff, I wondered how one could accomplish this task? here is a possible way...Requirements:
- HUB & Pocket wireless AP, Laptop…
- Tools (NMAP, Cain and Abel, Wireshark,…)
- A quiet day, companion, crutches,…
1) Select a Sunday night
a) Not much of traffic b) Detection may happen only well into business hours on Monday.
2) Get into the ATM with a companion on crutches
He needs help and this takes care of the security guard.
3) Let the companion use the ATM (just fiddling around like operating) meanwhile do something like dropping papers on the floor and under the pretext of gathering them up; quickly connect the equipment (HUB, AP & power) move something inconspicuous like wastepaper bin (there is usually one) to hide them from normal view.
This takes care of the camera (you are out of the view and just picking up some papers) and the casual glance of anyone (wastepaper bin blocks the gear)
4) Sit in a parked car within range of the AP (I saw a good quiet lane across the road), and…
4a) Check for vulnerable hosts online, PWN and get data, plant back-doors, c&c,…4b) Or simply capture packets from the ATM interface to check for valuable information
Idea of this post is just to look at the possibility hence kept simple; but this requires lot of skill (which I don’t have :-) ) and may turn out to be taken as FUD phenomenon. I plan to inform the bank about this weakness let me see how they view it.
Wednesday, December 9, 2009
Automated tool assisted vulnerability assessments
ISO27001 requirements 15.2.2: Technical compliance checking Control states - "Information systems shall be regularly checked for compliance with security implementation standards"
Code of practice ISO27002 states "Technical compliance checking should be performed either manually (supported by appropriate software tools, if necessary) by an experienced system engineer, and/or with the assistance of automated tools, which generate a technical report for subsequent interpretation by a technical specialist"
ISO27k certified companies need to conduct periodic vulnerability assessment and hence employ consultants for this. Mostly the scope is to run a series of predominantly automated tests using vulnerability scanners and provide a report & recommendations.
This makes them comply but Is this enough? NO
This post was triggered by thoughts after
> Reading Information Escapology, part five – Careful with That Proxy, Eugene... Will a standard vulnerability assessment address this? i guess no. It depends on who is doing? depth? methodology? etc.
> After hearing this from a consultant (someone i trust). It seems after a capability presentation session to a large company, the company's CISO asked him if they were the Authorized Scanning Vendor for the scanning tools & was the consulting company PCI DSS compliant... these were the only questions he had on the vulnerability assessment service process; nothing on things like what is the typical approach, methodology, depth, etc. Is it enough if your consultant is an ASV for a tool? Do you need to be PCI DSS compliant to do a vulnerability scan?
Conclusion: For most of them it looks like only compliance matters (or) they want a testing service that is so cookie cutter that the scope will be automatically limited to the basic scan-and-patch kind of findings
Sunday, December 6, 2009
CISO and/with IT roles; few thoughts...
CISO reporting to board of directors: Myth or for real? Has some quite interesting views on the role of CISO; certainly worth reading and discussing. “… four aspects to be kept in mind, while deciding a CISO's reporting pattern:
(a) The CISO should be seen as a strategic role.
(b) He must be at a leadership level.
(c) The CISO should be independent of IT
(d) He should report to a very senior person in the organization, who has strong hold within the organization”
While the points above are good in general; I believe point “c” is too idealistic and actually depends on the organization dynamics. The IT & CISO roles can conflict in certain scenarios but certainly not impossible to manage. “When a CISO becomes independent of IT, he comes out of his shell. According to the CISO of a leading Indian BPO, this widens the CISO's ability to think about security from an organizational perspective than just IT.”
One cannot presume that IT roles (I am talking about leadership roles) will so severely constrain views to the extent of being considered to be in a shell; any experienced IT pro will have the capability to avoid this state. “if a CISO is expected to limit himself only to day-to-day operational tasks, instead of assuming a larger responsibility for enterprise-wide coordination of security and risk management, he will not be able to usher in improvement”
I disagree on this; an organization having a CISO role in the ORG chart will have a reasonably mature management systems where roles are clearly defined. If a person here is doubling up for CISO role he/she will be at a level on which their involvement in the execution of day-to-day operational tasks/transactions will be nil or at the most minimal. Of course I am in agreement with the CISO being responsible for risk management and improvements. I play multiple roles; project management, service delivery, information security, etc… though I face tough conflicting situations regularly they are being managed effectively. Finally it all depends on the organization dynamics no standardizations can be applied. Well… though off-topic this article Let a Hundred Flowers Blossom has made me re-think about standardization. Right now I am thinking about the various standardizations present on our management systems.
(a) The CISO should be seen as a strategic role.
(b) He must be at a leadership level.
(c) The CISO should be independent of IT
(d) He should report to a very senior person in the organization, who has strong hold within the organization”
While the points above are good in general; I believe point “c” is too idealistic and actually depends on the organization dynamics. The IT & CISO roles can conflict in certain scenarios but certainly not impossible to manage. “When a CISO becomes independent of IT, he comes out of his shell. According to the CISO of a leading Indian BPO, this widens the CISO's ability to think about security from an organizational perspective than just IT.”
One cannot presume that IT roles (I am talking about leadership roles) will so severely constrain views to the extent of being considered to be in a shell; any experienced IT pro will have the capability to avoid this state. “if a CISO is expected to limit himself only to day-to-day operational tasks, instead of assuming a larger responsibility for enterprise-wide coordination of security and risk management, he will not be able to usher in improvement”
I disagree on this; an organization having a CISO role in the ORG chart will have a reasonably mature management systems where roles are clearly defined. If a person here is doubling up for CISO role he/she will be at a level on which their involvement in the execution of day-to-day operational tasks/transactions will be nil or at the most minimal. Of course I am in agreement with the CISO being responsible for risk management and improvements. I play multiple roles; project management, service delivery, information security, etc… though I face tough conflicting situations regularly they are being managed effectively. Finally it all depends on the organization dynamics no standardizations can be applied. Well… though off-topic this article Let a Hundred Flowers Blossom has made me re-think about standardization. Right now I am thinking about the various standardizations present on our management systems.
Subscribe to:
Posts (Atom)
