Category Archives: Research

Forrester Wave: Information Security Consulting Services

Forrester publish their analysis of who to watch and who to use.  The only issue is that there is no indication of who is left out and why. Read all about The Forrester Wave: Information Security Consulting Services, Q1 2013

Forrester say

When interviewing the representatives and clients of these consultancies, it became clear to us that there are two different strategies in place. The more traditional consultancies (Deloitte, E&Y, KPMG, and PwC) focus on such elements as thought leadership, organizational transformation, risk management, and business value, while the other vendors (Accenture, BT, HP, IBM, Verizon, and Wipro) see consultancy as a steppingstone for engaging the client with their managed service offerings. This is not to denigrate or undermine the services they offer; however, it was apparent that selling managed services is always on their agenda.


On the web here. Cache here.

HMG Issue Guidance on Huawei and the CNI

Huawei? Indeed, who are they? Well, ask no longer. The UK Government has published a paper on Huawei and the Critical National Infrastructure. The Intelligence and Security Committee have released a redacted paper explaining why they don’t like Huawei.

They say they are “shocked that officials chose not to inform, let alone consult, Ministers on such an issue”

Foreign involvement in the Critical National Infrastructure: Intelligence and Security Committee report

Key findings include:

  • The Government’s duty to protect the safety and security of its citizens should not be compromised by fears of financial consequences, or lack of appropriate protocols. However, a lack of clarity around procedures, responsibility and powers means that national security issues have risked, and continue to risk, being overlooked.
  • The BT/Huawei relationship began nearly ten years ago; the process for considering national security issues at that time was insufficiently robust. The Committee was shocked that officials chose not to inform, let alone consult, Ministers on such an issue. We are not convinced that there has been any improvement since then in terms of an effective procedure for considering foreign investment in the CNI. The difficulty of balancing economic competitiveness and national security seems to have resulted in stalemate. Given what is at stake, that is unacceptable.
    – The National Security Council should ensure that there are effective procedures and powers in place, and clear lines of responsibility when it comes to investment in the CNI. Crucially, the Government must be clear about the sequence of events that led to Ministers being unsighted on an issue of national importance, and take immediate action to ensure that this cannot happen again.
  • ***. REDACTED !!
  • While we note GCHQ’s confidence in BT’s management of its network, the software that is embedded in telecommunications equipment consists of “over a million lines of code” and GCHQ has been clear from the outset that “it is just impossible to go through that much code and be absolutely confident you have found everything”. There will therefore always be a risk in any telecommunications system, worldwide. What is important is how it is managed, or contained.
  • The UK Government has been able to leverage Huawei’s reputational concerns to encourage it to invest in the Cyber Security Evaluation Centre (the Cell) and become more transparent about its equipment and business practices. This is a significant achievement. However, we question why the Cell is only now approaching full functionality, over seven years after the BT contract was awarded.
    – Given these delays and the lack of evidence so far that it will be able to provide the level of security assurance required, we recommend that the National Security Adviser conducts a substantive review of the effectiveness of the Cell as a matter of urgency. More fundamentally, while we recognise that the Government does not expect the Cell to find every vulnerability, and that there are other mitigations in place, we remain concerned that a Huawei-run Cell is responsible for providing assurance about the security of Huawei products. Before seeking clarification, we assumed that Huawei funded the Cell but that it was run by GCHQ.
    – A self-policing arrangement is highly unlikely either to provide, or to be seen to be providing, the required levels of security assurance. We therefore strongly recommend that the staff in the Cell are GCHQ employees. We believe that such a change is not only in both Huawei’s and Government’s interests, but that it is in the national interest.
    – We note that GCHQ considers that there are advantages to the staff of the Cell being employed by Huawei. On the evidence that we have seen thus far we have not found this argument to be compelling. If, after further work is done to explore this issue, there are found to be insuperable obstacles to the Cell being staffed by GCHQ employees, then as an absolute minimum:
      o GCHQ must have greater oversight of the Cell and be formally tasked to provide assurance, validation and audit of its work; and
      o Government must be involved in the selection of its staff, to ensure continued confidence in the Cell.
  • While we have considered the risks around the telecommunications infrastructure, the same issues apply to any aspect of the UK’s CNI. Where there is a privately owned company answerable to shareholders, many of whom may be based abroad, there will almost inevitably be a tension with national security concerns.
  • It is not practicable to seek to constrain CNI companies to UK suppliers, nor would that necessarily provide full protection given the global nature of supply chains. The risk to the CNI cannot be eliminated, but Government must ensure that it is managed properly. There must be:
    – an effective process by which Government is alerted to potential foreign investment in the CNI;
    – an established procedure for assessing the risks;
    – a process for developing a strategy to manage these risks throughout the lifetime of the contract and beyond;
    – clarity as to what powers Government has or needs to have; and
    – clear lines of responsibility and accountability.
    When it comes to the UK’s Critical National Infrastructure, Ministers must be kept informed at all stages.
  • We do not believe that these crucial requirements existed when BT and Huawei first began their commercial relationship. From the evidence we have taken during this investigation, the procedural steps that we have outlined still do not appear to exist. However, as we went to press, we were told that the Government has now developed a process to assess the risks associated with foreign investment into the UK. Whether these processes are sufficiently robust remains to be seen: the steps we have outlined must exist to ensure that Government does not find itself in the same position again.

Cached copy here 


GCHQ is Following You On Twitter


Hilarious. From DInk

Link

Securo-boffins uncover new GLOBAL cyber-espionage operation


Reg article about global cyber malware. Report here

IP and Petreaus


The Office of the Privacy Commissioner of Canada publishes new research that shows how much information can be gathered from an IP address. They perform a number of standard lookups, such as WHOIS, to build a profile of a given IP address and, more importantly, of the person behind it: you are not as anonymous as you’d like to be.

Somewhat more interesting is the walkthrough of the Petraeus incident, which shows in detail how ISPs, Google and the like manage their logs and hand them over on a court order.

  1. An individual received a number of “anonymous” harassing e-mails and asked the FBI to investigate. Copies of the e-mails were made available to the FBI;
  2. Although the messages were sent from an anonymizing service, the IP addresses from which they were sent were available in the e-mail headers;
  3. From knowledge of the source IP address(es), the FBI was able to identify the organization to which the IP address(es) had been allocated (typically a telecommunications service provider(s));
  4. Upon receipt of administrative subpoenas, which are issued by law enforcement authorities without judicial oversight, the telecommunications service provider(s) then provided subscriber information about the IP addresses used to access the originating email account, as well as any other e-mail accounts that were accessed from the same IP address(es). It has been reported that Google gave the FBI information about every IP address used when accessing that account;
  5. The ISP associated the IP addresses with various locations, including hotels;
  6. Knowing the physical locations from which the e-mails were sent, the FBI was able to obtain lists of people who were at those locations when the messages were sent through the use of administrative subpoenas;
  7. One name kept appearing in guest lists during the times the messages were sent, so this individual was considered the most likely suspect; and
  8. It was at this point that the FBI sought and obtained a warrant to get access to the contents of the anonymous email account.

The FBI was able to obtain the following information without having to obtain a warrant:

  1. The IP address(es) from which the harassing e-mails were sent;
  2. The names of the telecommunications service providers to whom those address(es) were assigned;
  3. The subscriber information associated with the e-mail account used to send the e-mails, along with information about other e-mail accounts that were accessed from the same IP address(es);
  4. The organizations – in this case hotels – to whom the telecommunications service provider had assigned the IP address(es); and
  5. Lists of guests who were registered at those hotels at the time the emails were sent.
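As an added illustration of step 2 above (example code, not from the OPC report or this post), the functions below walk the Received: chain of a constructed message from the oldest hop upwards and return the first routable address, which is the value an investigator would then take to the WHOIS and allocation lookups described above. The message, hostnames and addresses are all constructed, and the routable check is a simple exclusion of RFC 1918, loopback, link-local and carrier-NAT blocks rather than a full bogon list.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the OPC report): two relay hops above the hop
# where the anonymising webmail service recorded the sender's own address.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP; Fri, 16 Nov 2012 10:02:11 -0500
Received: from webmail.anonmail.example (webmail.anonmail.example [198.51.100.7])
\tby mx.example.net with ESMTPS; Fri, 16 Nov 2012 10:02:09 -0500
Received: from [192.168.4.22] (guest-gw.hotel.example [192.0.2.77])
\tby webmail.anonmail.example with HTTP; Fri, 16 Nov 2012 10:02:05 -0500
Subject: constructed sample
"""
# Blocks that never lead to an allocation record (RFC 1918, loopback, link-local,
# carrier NAT); documentation ranges stay routable so the sample mimics real traffic.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def is_routable(addr):
    """True if addr could be traced to an allocation holder via WHOIS."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)

def received_chain(raw_message):
    """Received: headers in header order: newest hop first, oldest last."""
    return message_from_string(raw_message).get_all("Received", [])

def hop_ips(received_header):
    """Distinct, syntactically valid IPv4 literals in one Received: header."""
    ips = []
    for candidate in IPV4_RE.findall(received_header):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 300.1.1.1 embedded in some token
        if candidate not in ips:
            ips.append(candidate)
    return ips

def originating_ip(raw_message):
    """Walk from the oldest hop upwards and return the first routable address."""
    for header in reversed(received_chain(raw_message)):
        for ip in hop_ips(header):
            if is_routable(ip):
                return ip
    return None  # every hop was internal or unparsable
```

Because Received: headers are prepended by each relay, only the hops added by servers you trust are reliable; the sample's bottom hop is the one the webmail service itself recorded.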

Report cached here

Raspberrypi Wireless Attack Toolkit / Wiki / Home

See on Scoop.it: information security

InfosecChap’s insight:

Raspberry Pi with DNS MITM and Metasploit

See on sourceforge.net

Hmm, another survey slithers out

PwC announce their latest security survey results.

Apparently readers of CIO and CISO magazines were interviewed. The names of the publications are not disclosed. PwC do say that the general mood among executives is positive, but offer no data to support it.

PwC say that the criteria for an organisation to be a “security leader” are:

  • Have an overall information security strategy
  • Employ a CISO who reports to the “top of the house” (CEO; CFO; COO)
  • Have measured and reviewed the effectiveness of their security measures within the past year
  • Understand exactly what type of security events have occurred in the past year

The key findings are:

  • Good self-assessments continue this year; organizations exhibit the attributes of information security leaders
  • Most respondents believe their organizations have instilled effective information security behaviors into organizational culture.
  • Information security activities are effective
  • Budget growth has slowed, but money is flowing again for security projects
  • Reported security incidents have increased marginally; financial losses due to security breaches have decreased significantly
  • The economic environment ranks first among the multiple factors shaping security budgets, with information security concerns lying far down the list
  • There has been a long-term decline in the use of some basic information security detection technologies.
  • Organizations are pruning their rulebooks, with some once-familiar elements of information security policies becoming less common.
  • Safeguarding information is easier when you know where that information is. But organizations are keeping looser tabs on their data now than they did in years past.
  • As mobile devices, social media, and the cloud become commonplace both inside the enterprise and out, technology adoption is moving faster than security.
  • A focus on business success should inform all aspects of the organization’s activities; security strategies and security spending are aligned with business goals.
  • An effective coach is key to a winning team.  Security leaders lack adequate access to the executive suite.
  • People who don’t know how to do things rarely do them well, which makes the lack of staff and resources available for security training a significant problem.
  • Years of investment pay off as Asia leads the world in security practices and performance.
  • Security budgets are almost flat in North America, but certain strategies show gains.
  • As spending stalls in Europe and safeguards weaken, some security practices are improving.
  • South America plays catch-up on security investments and emerges as a leader in some important categories.

While you are at it, don’t forget Verizon’s data breach report

Who says it’s the outsiders we should not trust?