<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Government</title>
	<atom:link href="http://www.halbheer.ch/security/category/government/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Thu, 12 Jan 2012 19:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Implementing the Top 4 Defense Strategies</title>
		<link>http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/</link>
		<comments>http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 13:45:57 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Administrator]]></category>
		<category><![CDATA[AppLocker]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/</guid>
		<description><![CDATA[<p>The Australian Defense Signals Directorate maintains a list of the Top 35 Mitigation Strategies against targeted intrusions. This is just a reference to the top strategies:</p> Patch Applications Patch the Operating System Minimize the use of local admin Application whitelisting … <p>Looking at these 35 strategies, the DSD claims that</p> <p>While no single strategy can <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/">Implementing the Top 4 Defense Strategies</a></span>]]></description>
			<content:encoded><![CDATA[<p>The Australian Defense Signals Directorate maintains a list of the <a href="http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm" target="_blank">Top 35 Mitigation Strategies</a> against targeted intrusions. This is just a reference to the top strategies:</p>
<ol>
<li>Patch Applications</li>
<li>Patch the Operating System</li>
<li>Minimize the use of local admin</li>
<li>Application whitelisting</li>
<li>…</li>
</ol>
<p>Looking at these 35 strategies, the DSD claims that</p>
<blockquote><p>While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.</p>
</blockquote>
<p>This is pretty much in line with the anecdotal evidence I can offer: the successful attacks we see come in through unpatched systems (points 1 and 2), flaws in applications developed in-house (related to point 2) and social engineering (points 3 and 4). However, these things are not that new, are they? We have been talking about patch management for a long time – and patch management not only for the Microsoft environment but for all applications, be it Microsoft, Adobe or in-house apps, as well as Open Source operating systems.</p>
<p>The DSD even went a step further and developed a really good paper called <a href="http://www.dsd.gov.au/publications/Implementing_Top_4_for_Windows.pdf" target="_blank">Implementing DSD’s Top Four for Windows Environments</a>. Something definitely worth reading!</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/12/13/implementing-the-top-4-defense-strategies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Council of Europe Octopus Conference- Some Thoughts</title>
		<link>http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/</link>
		<comments>http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 11:21:49 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/</guid>
		<description><![CDATA[<p>I am still sitting in the parliament room of the Council of Europe at the celebration event for the Budapest Convention. It was another very good event advancing the challenges fighting Cybercrime. Let me try to summarize a few thoughts:</p> The Budapest Convention is probably the best convention out there allowing a wide adoption of <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/">Council of Europe Octopus Conference- Some Thoughts</a></span>]]></description>
			<content:encoded><![CDATA[<p>I am still sitting in the parliament room of the Council of Europe at the celebration event for the Budapest Convention. It was another very good event addressing the challenges of fighting Cybercrime. Let me try to summarize a few thoughts:</p>
<ul>
<li>The Budapest Convention is probably the best convention out there, allowing wide adoption of harmonized legislation to fight Cybercrime internationally.</li>
<li>A lot of countries outside the Council have adopted or are in the process of adopting the convention.</li>
<li>It balances the fight against criminals with the protection of Privacy and Human Rights.</li>
<li>The willingness and the activities to collaborate internationally are increasing.</li>
<li>The idea of <a href="http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/">the Cybersecurity Agenda</a> as a mechanism to land and integrate Cybercrime and Cybersecurity resonated extremely well.</li>
</ul>
<p>A lot of good signs. There are some caveats however:</p>
<ul>
<li>There are countries rejecting adoption mainly because the Council of Europe does not have a global mandate or because it is called the Budapest Convention. I guess the criminals like this approach.</li>
<li>The economic challenges, especially in Europe, decrease the amount of money available for this. The call then was that the private sector has to do more. We are committed to continuing to support these activities, but typically if governments are financially challenged – well, they are our customers as well.</li>
<li>Where is the private sector? I only meet a few companies at these events: some security vendors, some credit card companies and us. <strong><em>Where are the others? Where is Google? Where is Apple? What about IBM? Amazon? The big Telcos? Why do they not participate in addressing crime and helping governments to get better and carry the burden? Do they not care?</em></strong></li>
</ul>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/11/23/council-of-europe-octopus-conference-some-thoughts-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Cooperation against Cybercrime- Octopus Conference</title>
		<link>http://www.halbheer.ch/security/2011/11/21/cooperation-against-cybercrime-octopus-conference/</link>
		<comments>http://www.halbheer.ch/security/2011/11/21/cooperation-against-cybercrime-octopus-conference/#comments</comments>
		<pubDate>Mon, 21 Nov 2011 09:45:49 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Associations]]></category>
		<category><![CDATA[Events/Trainings]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/11/21/cooperation-against-cybercrime-octopus-conference/</guid>
		<description><![CDATA[<p>It is time again! The Council of Europe Octopus Conference on Cooperation against Cybercrime is taking place this week. This year it is even the 10th anniversary of the Budapest Convention. Therefore a broad range of legal, law enforcement and private sector organizations are discussing the current state and the future of the collaboration to <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/11/21/cooperation-against-cybercrime-octopus-conference/">Cooperation against Cybercrime- Octopus Conference</a></span>]]></description>
			<content:encoded><![CDATA[<p>It is time again! The Council of Europe Octopus Conference on Cooperation against Cybercrime is taking place this week. This year it is even the 10th anniversary of the Budapest Convention. Therefore a broad range of legal, law enforcement and private sector organizations are discussing the current state and the future of the collaboration to fight Cybercrime.</p>
<p>If you are interested, the agenda can be found <a href="http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_Octopus_Interface_2011/Interface2011_en.asp">here</a>. The presentations should be uploaded as well. Finally, there should be a live stream <a href="http://tv.coe.int/webcast">here</a>. I will be on a panel on Tuesday between 9:30 and 13:00 and again on Wednesday from 9:00 to 13:00, where we will run a special session on the anniversary.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/11/21/cooperation-against-cybercrime-octopus-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber War Will Not Take Place</title>
		<link>http://www.halbheer.ch/security/2011/11/17/cyber-war-will-not-take-place/</link>
		<comments>http://www.halbheer.ch/security/2011/11/17/cyber-war-will-not-take-place/#comments</comments>
		<pubDate>Thu, 17 Nov 2011 10:34:12 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/11/17/cyber-war-will-not-take-place/</guid>
		<description><![CDATA[<p>I have to admit – it is not my title but it caught my attention. Over the course of the last few years, the term “Cyberwar” came up all over the place. I was recently reading a book on it, where there was a chapter called “Definition of Cyberwar” and I thought that finally somebody <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/11/17/cyber-war-will-not-take-place/">Cyber War Will Not Take Place</a></span>]]></description>
			<content:encoded><![CDATA[<p>I have to admit – it is not my title, but it caught my attention. Over the course of the last few years, the term “Cyberwar” came up all over the place. I was recently reading a book on it, where there was a chapter called “Definition of Cyberwar”, and I thought that finally somebody had taken a bold step forward in this discussion, but I was disappointed. The chapter did nothing more than once again list the classical examples (Estonia, Georgia, Stuxnet, Ghostnet) as examples of cyberwar.</p>
<p>A friend of mine then sent me an article called <a href="http://www.tandfonline.com/doi/abs/10.1080/01402390.2011.608939" target="_blank">Cyber War Will Not Take Place</a> by Thomas Rid, King&#8217;s College London, UK, which I therefore needed to read, and it is very, very refreshing. In his opening he claims:</p>
<blockquote><p>Cyber war has never happened in the past. Cyber war does not take place in the present. And it is highly unlikely that cyber war will occur in the future. Instead, all past and present political cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: subversion, espionage, and sabotage. That is improbable to change in the years ahead.</p>
</blockquote>
<p>According to this paper, a conflict has to meet three criteria to be classified as a war (and all three need to be present):</p>
<ol>
<li>It has to be violent in its character</li>
<li>It has to be instrumental</li>
<li>It has to be of political nature</li>
</ol>
<p>If all three are met, you can call it a war. That’s the first time that I (not being in this business) have seen a definition. If you apply the definition, all conflicts so far really fall under the umbrella of subversion, espionage and sabotage.</p>
<p>This might make a significant difference, as it might calm down the discussion and/or at least set it in the right perspective. It is definitely something worth looking at, in my opinion.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/11/17/cyber-war-will-not-take-place/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybersecurity&#8211;More than a good headline</title>
		<link>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/</link>
		<comments>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/#comments</comments>
		<pubDate>Thu, 27 Oct 2011 13:47:03 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity Agenda]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Policy Makers]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Situational Awareness]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/</guid>
		<description><![CDATA[<p>A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is, that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.</p> <p>This made us thinking about what <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/">Cybersecurity&#8211;More than a good headline</a></span>]]></description>
			<content:encoded><![CDATA[<p>A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is that the last real headline has more impact on the strategy and the themes to be addressed than a structure, a plan or a strategy.</p>
<p>This made us think about what is needed to run a successful Cybersecurity Agenda within a country. What themes ought to be addressed, and in which form?</p>
<p>We came up with a fairly simple model:</p>
<p><a href="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image4.png"><img style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" title="image" src="http://www.halbheer.ch/security/wp-content/uploads/2011/10/image_thumb4.png" alt="image" width="644" height="363" border="0" /></a></p>
<p>To explain the model, we just published two papers about it:</p>
<ul>
<li><a href="http://download.microsoft.com/download/B/D/1/BD154F33-58E5-4034-89AB-F67E7FAB0AC6/MSPSCybersecurityAbstract.pdf">Cybersecurity white paper abstract</a> – a one pager with a high-level description</li>
<li><a href="http://download.microsoft.com/download/F/1/7/F176D7BF-AAD6-4295-A400-0C6DD8E4A8F4/MSPSCybersecurityWhitepaper.pdf">Cybersecurity: More than a good headline</a> – a few more pages going deeper into the discussion of the different subjects.</li>
</ul>
<p>In parallel we are working on a book about this, giving many more examples and background – so stay tuned.</p>
<p>The only thing I really know: When I do a presentation explaining Cybersecurity and at the end show the slide above, governments love it. Typically they approach me asking for the deck – if they are not politically correct they tell me that they just want to get this slide.</p>
<p>Comments are very welcome. If you need/want further information, get in touch with me. Happy to help.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/27/cybersecuritymore-than-a-good-headline/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Another Cyberwarfare School&#8211;better keep them employed!</title>
		<link>http://www.halbheer.ch/security/2011/10/20/another-cyberwarfare-schoolbetter-keep-them-employed/</link>
		<comments>http://www.halbheer.ch/security/2011/10/20/another-cyberwarfare-schoolbetter-keep-them-employed/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 09:05:06 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cyberwar]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/20/another-cyberwarfare-schoolbetter-keep-them-employed/</guid>
		<description><![CDATA[<p>A lot of countries are currently looking at their capabilities to defend their networks as well as leveraging technology for offense doing “Cyberwarfare”. Let’s now not debate where this starts or ends…</p> <p>Pakistan is another example: Pakistan to open cyber warfare school</p> <p>I can understand where governments and militaries are coming from but this deeply <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/20/another-cyberwarfare-schoolbetter-keep-them-employed/">Another Cyberwarfare School&#8211;better keep them employed!</a></span>]]></description>
			<content:encoded><![CDATA[<p>A lot of countries are currently looking at their capabilities to defend their networks as well as leveraging technology for offense doing “Cyberwarfare”. Let’s now not debate where this starts or ends…</p>
<p>Pakistan is another example: <a href="http://pakcyberwarriors.blogspot.com/2011/08/pakistan-to-open-cyber-warfare-school.html" target="_blank">Pakistan to open cyber warfare school</a></p>
<p>I can understand where governments and militaries are coming from but this deeply concerns me if we think it through. What if these people do not get a job or if they are not satisfied with the salary they get (or their boss or …). What are they going to do? You might end up with a bunch of highly skilled unemployed people – with the possibility to do really bad stuff for money.</p>
<p>This is scary to me…</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/20/another-cyberwarfare-schoolbetter-keep-them-employed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>German&#8217;s Government-Created Trojan Vulnerable</title>
		<link>http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/</link>
		<comments>http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 08:42:27 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/</guid>
		<description><![CDATA[<p>It is not that rare for Law Enforcement to use software to spy in cases of severe accusations like terrorism. What is kind of surprising is the level of sophistication some of these Trojans seem to have – and not necessarily on the good side.</p> <p>The German Chaos Computer Club analyzed the Trojan <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/">German&#8217;s Government-Created Trojan Vulnerable</a></span>]]></description>
			<content:encoded><![CDATA[<p>It is not that rare for Law Enforcement to use software to spy in cases of severe accusations like terrorism. What is kind of surprising is the level of sophistication some of these Trojans seem to have – and not necessarily on the good side.</p>
<p>The German Chaos Computer Club analyzed the Trojan used by some state police forces in Germany and found things like hard-coded keys, self-written encryption (well, they call it obfuscation at best), etc.</p>
<p>You can read the article on the CCC website: <a href="http://www.ccc.de/en/updates/2011/staatstrojaner">Chaos Computer Club analyzes government malware</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/10/11/germans-government-created-trojan-vulnerable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lessons from Some of the Least Malware Infected Countries in the World</title>
		<link>http://www.halbheer.ch/security/2011/09/15/lessons-from-some-of-the-least-malware-infected-countries-in-the-world/</link>
		<comments>http://www.halbheer.ch/security/2011/09/15/lessons-from-some-of-the-least-malware-infected-countries-in-the-world/#comments</comments>
		<pubDate>Thu, 15 Sep 2011 14:12:31 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Consumer]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Consumer; Malware]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/09/15/lessons-from-some-of-the-least-malware-infected-countries-in-the-world/</guid>
		<description><![CDATA[<p>Over the course of the last few years we have seen some countries having consistently low infection rates. So, our team in Trustworthy Computing started to ask the question why this is the case. The countries are Austria, Finland, Germany and Japan. I think it is worth a look at them:</p> Part 1: Introduction to <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/09/15/lessons-from-some-of-the-least-malware-infected-countries-in-the-world/">Lessons from Some of the Least Malware Infected Countries in the World</a></span>]]></description>
			<content:encoded><![CDATA[<p>Over the course of the last few years we have seen some countries having consistently low infection rates. So, our team in Trustworthy Computing started to ask the question why this is the case. The countries are Austria, Finland, Germany and Japan. I think it is worth a look at them:</p>
<ul>
<li><a href="http://blogs.technet.com/b/security/archive/2011/07/22/lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-1.aspx">Part 1: Introduction to Consistently Low Malware Infection Rates</a></li>
<li><a href="http://blogs.technet.com/b/security/archive/2011/08/02/austria-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-2.aspx">Part 2: Lessons from Austria</a></li>
<li><a href="http://blogs.technet.com/b/security/archive/2011/08/04/finland-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-3.aspx">Part 3: Lessons from Finland</a></li>
<li><a href="http://blogs.technet.com/b/security/archive/2011/08/12/germany-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-4.aspx">Part 4: Lessons from Germany</a></li>
<li><a href="http://blogs.technet.com/b/security/archive/2011/08/17/japan-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-5.aspx">Part 5: Lessons from Japan</a></li>
<li><a href="http://blogs.technet.com/b/security/archive/2011/08/24/finale-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-6.aspx">Part 6: Finale &#8211; Key Findings</a></li>
</ul>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/09/15/lessons-from-some-of-the-least-malware-infected-countries-in-the-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does the business really hate IT?</title>
		<link>http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/</link>
		<comments>http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/#comments</comments>
		<pubDate>Thu, 23 Jun 2011 12:55:27 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Outsourcing]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/</guid>
		<description><![CDATA[<p>Back at the times of outsourcing, there was real tension between IT and the business. Internal IT had the “comfortable” position of having a monopoly: The business used the internal IT and basically just had to pay the bill. Then times came, where the business was not satisfied anymore. That basically started with the time <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/">Does the business really hate IT?</a></span>]]></description>
			<content:encoded><![CDATA[<p>Back in the days of outsourcing, there was real tension between IT and the business. Internal IT had the “comfortable” position of having a monopoly: the business used the internal IT and basically just had to pay the bill. Then came times when the business was not satisfied anymore. That basically started with the era of the PC. IT was in kind of a losing position: if the decentralized IT worked, it was just what users expected; if it did not, users complained. Additionally, as IT was treated as an art rather than an engineering discipline (that’s the way it is still run in a lot of cases), cost just grew, without any real rationalization. IT is critical for all businesses, but the value is hard to measure (until you lose your mail server for a day).</p>
<p>Then outsourcing came and everything was getting better – not really. A lot of companies outsourced a problem – they used the same people with the same attitude and outsourced everything to the outsourcing provider. But now they had a contract – and so did the outsourcer. There were (and still are) numerous meetings I have been in, where the customer and the outsourcer were fighting, whether applying a patch is part of the contract or not and whether patch management should be done more than every six months. Finally, the customer had to learn to become a customer as well and specify their needs.</p>
<p>Why do I write this? Because I see similar discussions today with the Cloud. Business is not satisfied with how internal IT delivers. They are too slow, too expensive and too unreliable – therefore the business is looking at the promises of the Cloud: Fast, reliable, inexpensive. What does it really mean for the business? For IT?</p>
<ul>
<li>To me, the business has to understand that if they move to the public cloud, there is a good chance that they have to adapt their business processes. Remember the huge ERP projects? It is not that different. This might be good, as it forces the organization to clean up – but it should be a conscious decision. Even for the part you are moving to the cloud, you still keep part of your responsibilities: you are still ultimately responsible for your compliance. You should keep your identity management in house, and risk management for your business cannot be outsourced. You have to have a data classification which is applied and lived – this is how we described it in our <a href="http://go.microsoft.com/?linkid=9708479">Cloud Computing Security Considerations</a>. Last but not least: you are the customer of a standardized service. Make sure you understand this, as this will be a long-term partnership you are going for, with very, very limited flexibility in the final solution.</li>
<li>If you move to the private cloud, the situation is slightly different, as you might have more influence on what your solution looks like. But even the private cloud is not outsourcing as you knew it – e.g. most probably you will not be able to tell the cloud provider how to run their datacenters. You will run on your own OS instances (which does not necessarily mean your own hardware, as the solution will most probably be virtualized), but even the question of data location might have to be negotiated. And: it definitely costs more.</li>
<li>If you are an IT organization: become a Cloud provider. Become the partner for your business in the Cloud. Your business will want to have part of it in a private cloud – offer this in a way that lets you compete with third parties, as you will not be able to compete in the public cloud.</li>
</ul>
<p>This has to be a strategic decision, not a decision taken because the business does not like its own IT. For the internal IT it might be a threat (if you decide to sit and wait) or an opportunity (if you take the strategic decision and seize it).</p>
<p>Now, the reason for this post was actually in an article, which was sent to me: <a href="http://www.itworld.com/cloud-computing/174967/business-users-abandoning-it-quicker-self-serve-cloud-apps" target="_blank">Why businesses move to the cloud: They hate IT</a></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/06/23/does-the-business-really-hate-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who cares where your data is?</title>
		<link>http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/</link>
		<comments>http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/#comments</comments>
		<pubDate>Fri, 10 Jun 2011 11:51:04 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Regulation]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/</guid>
		<description><![CDATA[<p>Wow, I guess the reason for you clicking on the link is this statement – right? Well, “unfortunately” I cannot claim ownership of it. It was made by a Google representative during an interview in Australia: Google: Who cares where your data is?</p> <p>To me, the whole Cloud discussion sometimes drives into interesting directions. I <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/">Who cares where your data is?</a></span>]]></description>
			<content:encoded><![CDATA[<p>Wow, I guess the reason for you clicking on the link is this statement – right? Well, “unfortunately” I cannot claim ownership of it. It was made by a Google representative during an interview in Australia: <a href="http://www.scmagazine.com.au/News/260041,google-who-cares-where-your-data-is.aspx" target="_blank">Google: Who cares where your data is?</a></p>
<p>To me, the whole Cloud discussion sometimes drives in interesting directions. I often feel that Cloud providers develop a solution and then tell the world that the policy decisions were made on purpose to protect the customers. Like some providers told the world in the past that you should not care how your data is protected: they take care of your security and you should just trust them – like banks. Nonsense! If you have to prove compliance, you will definitely want to understand how your data is protected and what controls are enforced in the Cloud environment. But as the industry – including the regulators – is still trying to understand the impact of the Cloud, it is a good time to drive such messages and sell the setup as “best practice”.</p>
<p>Things will change and outdated policies will be adapted to today’s reality, but making a statement that you should not care where your data is simply neglects some “minor” obligations you carry, like protecting the privacy of the people whose data you hold… or the fact that you probably do not want your state secrets in another country (even though I do not expect a country to put Top Secret material in the public cloud – yet).</p>
<p>Just because the Cloud provider does not know, where your data is does not mean that you shouldn&#8217;t care…</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/06/10/who-cares-where-your-data-is/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>