Friday, December 7, 2012

Counter CyberCrime - Do not challenge the hackers

I'm pretty sure many organisations had faced cyber-attacks before. Some organisation might think of getting a "revenge" at the attacker. It could be a good idea, but it could also be a bad idea totally, depending on how you do it.

This is a story about why it's a bad idea, if you do it this way......

Few months ago, in that XYZ company.....

Business Owner guy: How come my users can't access this application at all? I have got emails, phone calls from everywhere, complaining!

IT Supplier chap: Mr. Business Owner sir, our Network Operation Center (NOC) just confirmed that the application is currently under DDoS attack. Our ISP and NOC is trying their best to mitigate the attack.

Business Owner guy: What? How dare they attack us. Do we have any information who is doing this to us? Can we track them?

Information Security lad: Not easy to trace. As most certainly those machines or IP addresses that we seen attacking us are zombies or compromised machines part of a botnet. I'm afraid the real attacker is a few more layers behind those compromised machines.

IT Supplier chap: We do have a solution to mitigate this attack. There is this Company P that provides protection against DDoS. It would cost us 10K EUR to use their service. From what we are seeing now, the attacks are not going to stop anytime soon and it will only get worse. Hence, it just a matter of time that our whole network would be completely brought down by it. We should engage this DDoS protection service immediately.

Business Owner guy: Ok. Let's do it. You have my approval to proceed.

2 hours later. After the solution has been implemented....

IT Supplier chap: Good news folks. The attacks have subsided. It is a right call to engage that company.

Business Owner guy: Great! But I'm still not very happy. I want whoever behind this attack punished. I want them to know that they are messing with the wrong guy. I have contacted my friend in the law enforcement and opened an official case. Not only that, I will call a press conference to tell whoever behind this that we are coming after them and that they are messing with the wrong people.

Tuesday, November 20, 2012

Counter Cybercrime - Turn insiders(employees) into assets

Security Awareness and Education

Darkreading has a very good article today - Four Ways to Turn Insiders into Assets

In general, I like the idea as I'm a believer of putting more effort on security awareness and education.

Robert Lemos, the author of the article had listed down 4 ways:
(NOTE: Text in Italic are excerpt from the original article. Comments are added by me)

1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.  

Securityisfun: This is so true. I have seen this quite a lot. Most companies do it because the law or audit results said so. Ask yourself a question. Why do you send your kids to school? Is it because the government or law requires it? No, we send the children to school for we want them become an educated person and learn how to behave correctly starting from young. So, we all understand that education or awareness is the key. It shouldn't be any different when come to information security. We have to educate all the employees.

2. Test and retest
Videos may work for some employees, but testing their reaction to an actual test can give a company an idea of what might happen, while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employee phishing e-mails. Anyone who clicks on the e-mail link will be brought to a special site to educate them.  

Have a fun information security story to share?

Information Security folks,

I'm sure you have some fun stories to tell as well. Why don't you share them? If you like, I can put it on my blog as well. Of course, all credits go to you :)

Think about it ;) . Just drop me a message on my Google plus or Facebook page.

Wednesday, November 14, 2012

How secure your SMS token/mTAN/TAC code is really up to you

Users will always click on an URL sent to them right? I bet any information security pros out there must have heard or said this before.

Here is a news reporting that some people in Germany got their bank account swipe out after a Trojan "intercepted/diverted" their mTAN (SMS based one time password).

Excerpt from the news by

Berlin state police warned on Tuesday that "bank customers using the SMS-TAN/mTAN process have become victim of fraudulent money withdrawals." Several people have reportedly had their bank accounts emptied in the past few weeks, the police said in a statement.

"In all cases, the SMS containing the mTAN for the online banking system was caught or diverted," the statement said. "Up until now, those affected have been customers using a Smartphone with an Android operating system."

Friday, November 2, 2012

Counter cybercrime - avoiding cyber espionage attacks

I have come across this article today - 4 factors for avoiding cyber espionage attacks. Good points... but I do have a few comments.

1. Data Policy
Yes. Define your data policy and its classification. Most of the time, the Business is the one accountable to set it, and (unsurprisingly) most of the time they failed to do so. Hence, it is our job as a information security professional to do due diligence to help them set one.  

2. Bring Your Own Device (BYOD)

Need me say more? I had written a few pieces about the risks of BYOD. Go check it out :)

3. Protect your critical infrastructure
Separation of network with the intellectual property from the rest of the network is like security 101. However, to do so, you'll need to know what you want to protect first. So the question is - how do you know? See point number 1. It's all starting with data classification - I will say it is security 100. Do a risk assessment on your data, then you'll know what to do with the risk. To mitigate or to accept.    

4. Monitor for unexpected behavior
Right. Not an easy one. You'll need to know what to look for. One might say Data Leakage Prevention (DLP) is the answer but I have yet to see a real return of investment on DLP solution. It's a pain in the XXX to get it implemented. Too many false alarms. Need full time resources to monitor etc.....

Monitoring is only effective if you know what you want to monitor. Perhaps, you'll need a holistic and overarching (my auditor friends love this sentence, like it is crafted in their gene or super-glued to their head. Stuck there forever, like a BFF ) monitoring in place (See the tongue in my cheek?). In a lay man term, that would mean having the right people, process and technology in place...

Before I keep my fingers off the keyboard. I have another point to add:

5. Awareness

Educate you employees (not just those IT folks, but all employees, including your cleaners) on how to spot someone potentially casting a cyber-espionage spell or charm on them. Educate them how to react, what to do not, who to report the suspicion to etc.... The people is always the weakest link. 

Acknowledgement - photo taken from

Tuesday, October 16, 2012

BYOD - only allow what you can manage

I have to say I can't agree more with what have been stipulated in this article. I agree 100% with Steve Damadeo:

"You need to be selective about what you do allow," he says. "We block all Android devices for now because of some of the security concerns that have come up and ease of management."

As what I had shared in my previous stories, there might be bad consequences if enterprises do not properly manage BYOD.

Acknowledgement: picture taken from 

Monday, October 1, 2012

Hackinthebox - 10 years in the box!

Dear all Information Security Professionals, you shouldn't miss this one. It is one of the greatest security conference that you can get out there. And, did I mention that the price is dirt cheap compared to that of ... "you-know-which-one" conference. This year is pretty unique coz it is "10 years in the box". 10 awesome years if I may add (I'm sure Dhillon and Belinda et all) won't argue with me on this one :) ).

Date? 8-11 October 2012, InterContinental, Kuala Lumpur.

More here -

Sunday, August 26, 2012

Information Security screw-up #3 - it's all about financial sense

Many of us as an Information Security Professionals would love to have the best of the breed security technologies in place. And, most of us are paranoid and want things to be as secure as possible. However, that's not how the real world works. Not in enterprise environment at least. And the current state of world economic is not helping as well, and adding insult to injury.

This story is about the same "young" Information Security lad....

Mr. Global CISO:  Ok, team. Now it is again the time for us to propose our budget for next year. I expect each of you to prepare a budget proposal for your region and come back to me by end of this week. Then we shall discuss. What you want to do with your region, I'll leave it to you, as long as it makes sense.

Young Information Security lad: No worry sir. You'll get it by the end of the week.

Right after the meeting, the "young" information security lad open his laptop and starts to list down all the potential information security projects. After giving some thought, he decided to give the "laptop encryption" project the highest priority.

Mr. Global CISO: So, what do you have for me?

Young Information Security lad:  Mr. Global CISO, here are the projects that I have in mind for my region. I would like to highlight to you this particular project - laptop encryption...

Mr. Global CISO: That's sound interesting. Looking at your proposal, you proposed to have all the laptops - that would be around 50,000 laptops in your region, as it would cost 200EUR for each laptop, that would be1 mil. EUR in total. Now, imagine I'm the CEO. Try convince me why should I give you this 1 mil. EUR?

Friday, July 27, 2012

Information Security screw-up #2 - it's about selling not telling!

Not many Information Security Manager or CISO has the luxury of walking around with a strong mandate from their CEO or Company Board for implementing and enforcing information security processes within their organization. Especially, if a company's bread and butter are not of finance or intellectual property in nature. In this kind of company,  it is unlikely that the people would automatically give a good support on what an information security guy try to do or enforce. People tend to see information security more of a barrier than enabler. 

Now, let's the story begin....

This story is about the same "young" Information Security lad, but now has joined a new company as the new regional information security manager. Sadly, he still has the mentality that as an information security person, everyone will do whatever he says when it comes to information security matters.

Mr. Global CISO: <speaking in a team meeting> Ladies and gentlemen, thank you for your contribution. After 6 months of hard work, I'm glad to announce that the Corporate Information Security Policy that we developed has been approved by the Management. Now, it is your task to ensure that this policy is enforced within your area. Please do not hesitate to come to me if you have any difficulties or getting push back.

Young Information Security lad:  Don't worry sir, I will ensure that this is enforced in my region. I don't foresee any issues.....
Right after the meeting, the "young" information security lad open his laptop and start drafting an email:

Wednesday, July 18, 2012

Information Security vs Auditor - foe or friend?

Auditors - hmm... most of the times, nobody really likes them right? And many people see them as a foe. As an Information Security Professional, I see them more of a friend rather than a foe. Although sometimes we don't really see each other eye to eye, especially when dealing with the "dinosaur" type of them, but most of the times I would say we do have common goals - that is to ensure adequate security measures are in place and enforced. 

This story is about how you could "make use" of auditor to achieve your security goal. Hope this would help bring closer your "friendship" with the "foe" :)

Information Security lad: Mr. CEO, after various incidents of malware outbreaks within the company, we have come to the conclusion that we need to raise the awareness among the employee. Here is the business case for our security awareness campaign. As you can see, we will work together with HR to include this proposed Computer Based Training (CBT) program within the induction training...... blah blah blah....  For this to happen, we will require budget of EUR 20K to setup the CBT etc......

Mr. CEO: I like the idea of that CBT... however, as you may have known, budget is a bit tight right now with all these cost cutting initiatives going on. We don't have extra budget for this...

Information Security lad: But Mr. CEO, we really need to do this. If another outbreak were to happen again, it will cost us more resources handle the situation. At the end of the day, it will cost more than this business case.

Wednesday, July 4, 2012

Information Security screw-up #1 - security vs uptime

Well, after reading through all of my previous stories, some of you may have had the feeling that I'm telling these stories to show that Information Security professional is always right. No, not really... we do make some mistakes... like everyone, we learn from experiences as well.

This is a story about how one Information Security lad screw-up, when "he was young" :) 

Once upon a time, there was this one "young" Information Security lad who just joined a quite successful .com company. As the new Information Security Manager, he felt like he was the town sheriff and everyone got to listen to him when it comes to security matters. 

It was a weekend, a nice weather weekend indeed, when he received a call from his company. Apparently, there was a virus outbreak in his company. He was called back to office immediately... 

Young Information Security lad: After some investigations, I found the source of the outbreak. It's coming from this server called E-pay. You shall take down this server immediately and have that malware cleaned right away!

Server Admin folk: That would not be a good idea. We can't just shutdown a server like that. I don't think the application owner would be happy with that.. we need to...

Young Information Security lad: <* interrupting *> This is a serious security issue! We must stop this before it spreads around! Shutdown that server immediately!

Server Admin folk: Errr.......

Monday, June 25, 2012

Application Owner vs Information Security fun#2 - on Web Application Firewall

I presume most of us as a security pro have heard of Web Application Firewall (WAF). It is not a new technology, but only few enterprises have seen the benefit and have the technology implemented within their infrastructure. I hope this story could shed more light on the benefit of having one and assist you in expediting your decision making process in getting a WAF :)

Information Security lad:  During our security review, we noticed that you have decided not to include WAF as an additional protection layer for your web application. Although it is not a mandatory policy in our company, we strongly suggest to have your web application protected by WAF, as your web application is internet facing and will be handling important e-commerce transactions. Moreover, as you are offering 99.99% availability to your customer, you may want to have extra layer of protection to support this commitment. New attacks could be easily mitigated by the WAF as its signatures are updated on daily basis. I do know that our IT Supplier has a very good WAF team there.

Application Owner dude: Thank you for your suggestion... I don't see the need of it right now. We already have multiple layer of protections in place. We have firewall and Intrusion Prevention System (IPS) in front of the web application. Furthermore, we have done security assessment and pen-test during our application development cycle and we have got a clean bill of health there. I believe your team did some security tests as well and found no weaknesses. The application is just robust.... Anyway, I don't really have extra budget....

Information Security lad: Well... if you insist and understand the risk, we won't stand in your way. We will approve this RFC.

5 months later.....

Thursday, June 21, 2012

The Facts of Information Security

Information Security is a Top-down approach;
Information Security needs support of Senior Management e.g. Board level;
Information Security is a responsibility of every employee;
Information Security is about People, Process and Technology;
Information Security's weakest link often is the People;
Information Security is not an IT issue, it's a business issue;
Information Security costs money, so does police, military and alike;
Information Security team is not your enemy, it is your business partner.

 Feel free to add more :)

Ain't security fun? ;)  
acknowledgement - photo taken from 

Wednesday, June 6, 2012

Business Owner vs Business IT vs IT Supplier - disaster recovery fun#2

Few weeks ago, I shared a story about the impact of not having Disaster Recovery. And I mentioned that there will be a sequel to it. So, here it goes.... the saga shall continue....

Business Owner guy: <* Addressing VIP business users *> It is very unfortunate that we were badly hit by the quake. As it was an act of God, we have to accept the loses etc etc.... . Nevertheless, we have come out with a great disaster recovery plan to ensure business continuity in the event of disaster. This time, we WILL be ready to face it!

Information Security lad: <* This guy is surely a great politician.... I wonder how he saved his ass, survived and resurrected from that gigantic mess... Last I heard, he even got a promotion*>  

5 months later......

Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?

Tuesday, May 29, 2012

Business Owner vs Business IT vs IT Supplier - disaster recovery fun#1

This is another classic story that may raise a smile for some security pros out there....

Business Owner guy: <* shouting over the phone *> What's happening? Why can't my customer access the application?

Business IT bloke:  The whole IT Supplier's data center is currently down. It has something to do with the earthquake that happened 10 minutes ago. Seems like the data center was badly hit by the quake. I managed to get hold of the service manager and he has arranged an emergency meeting in 15 minutes to update us on the situation.

After 15mins, in the emergency meeting...

Business Owner guy: IT Supplier chap, I understand you have a lot to deal right now, but my application is business critical. When can you get it up again?I'm losing like 10K per minute here!

Tuesday, May 22, 2012

Business IT vs IT Supplier Fun#2 - setting data classification

Last month, I wrote a story about BIT vs ITS on who should be the one setting the security requirements... well, as you may have guessed, the saga shall continue. This time, it's about data classification.

The Storybrooke Post today's headlines: XYZ Company fined 100Mil by Storybrooke State for non-compliance with Data Security Act 1337

Business IT bloke: What the heck is this? <* smashing the paper on the table *> . After our last meeting, we have given you all the security requirements for our system. How come we are still non-compliance with that Data Security Act? I believe we have a breach of contract here!
IT Supplier chap: I don't think so. We have carried-out and protected your data in accordance with your security requirements. The recent audit report carried-out by XYZ Group Internal Audit department confirms that. <* showing the report to BIT bloke *>

Wednesday, May 9, 2012

Application Owner vs Information Security fun#1 - data flow security

Have you ever met an old stubborn mainframe guy that just can't think outside of his archaic box? I bet you did. This is a story about this guy I met sometimes ago..... (My friend Adriano called them "The Dinosaur". BTW, if you time, you should check out his piece on this.)

Application Owner dude: We are using mainframe and we have tight ACL in place. No one can access the data inside. It's a very secure environment. I don't see any security issues here... That web interface is just a front-end for customer to see their order status...We developed this one ourselves and manage the user accounts. It's not even open to public or guest, by the way....

Information Security lad: Well... we see that there are other internal applications interfacing with this mainframe as well. How do you ensure these interfaces are secure?

Application Owner dude: Again. As I have said and stressed for so.... many times. We have strong and tight ACL in place. Those interfaces are connecting to our mainframe with their own credentials and we make sure they can only access their part of data... <* keep bragging about how fantastic ACL works on Mainframe *>

Information Security lad: <* I need to do more to than just talking to this guy to show him that ACL alone is not enough *> We going to run some test.....

Application Owner dude: Go ahead lad... No one ever broken into our mainframe before. I'll bet my every pint of beer on that.

Wednesday, April 25, 2012

Senior Manager vs Information Security Fun#3 - on cloud services

1 year ago, in a ABC company not too far away....

Senior Manager mate: <*talking to the Board members*> I'm pleased to announce that we managed to save 100K by outsourcing our storage place to cloud service provider JKL... with this, we also reduce our IT spending as we don't need as many IT support personnel for our IT system as before. Another advantage is that, now we can access our data anywhere and anytime.... blah..blah...

6 months ago, in that very same ABC company.....

Senior Manager mate: <*talking to the Board members*> I'm pleased to announce that we managed to save another 50K by moving to another cloud service provider FGH.... blah.. blah..

3 days ago, still at that ABC company....

Information Security lad: Senior Manager sir, have you read the headlines today? It says "DEF company found ABC company data on JKL's cloud storage assigned to them"......

Wednesday, April 18, 2012

Share - 5 Scary Types of Security Professionals You Will Meet in Your Career

This one is written by a good friend of mine. It's a great piece and I'm certainly of the same view :)

5 Scary Types of Security Professionals You Will Meet in Your Career - by Adriano Dias Leite

5 – The NO-Master
4 – The By-The-Book Preacher
3 – The Dinosaur
2 – The Technology-Solves-It-All
1 – The paranoid

Which one are you? ;) 

My 2 cent: 4 – The By-The-Book Preacher reminds me of certain external auditor that like to quote "according to this ISO standard... according to this "statement" blah blah blah.... no wonder people hate auditors and opined that they are just bunch of stupid fella...

Read more here -

Ain't security fun? ;)  

Tuesday, April 17, 2012

Fun with Lock Screen Policy

This one is based on a true story.....

Information Security lad: <* walking around the building and saw that most of the staffs "forgot" to lock their workstation's screen while they are away from their desk *> hmm.... I have sent many bulletins and reminders regarding this, but seems like they still don't get it. I have to do something.... I think my HR sis can help...

Information Security lad went to his HR friend and they work out an awareness "campaign"....

3 days later...

Information Security lad: <* walking around the building and saw a PC left without screen lock. He quickly sat down and open the email program *>. This going to be fun... I'm going to write an email...

Friday, April 13, 2012

Information Security vs Senior Manager Fun#2 - Admin right for "VIP" user

Here is another deja vu.....

Senior Manager mate: Love, have you got that report finished? I need it before lunch to present it to the Board.
Personal Assistant love: Sir, not yet. I tried to install that reporting software you gave me but it just failed... I tried it many time but it keeps telling me something like "insufficient right"... hell I know what's that mean...

Senior Manager mate:  Ah... I remember that.. something to do with admin right that IT folks set. Why these IT folks keep making my life harder each day!  <*picking up the phone and call the IT Supplier chap*> Can you come here immediately? I need you to install a reporting software on my PA's PC immediately.
<* IT Supplier chap arrived 5 minutes later*>

Senior Manager mate: Give my P.A the admin right. I need her to do other reports with other software and I don't like the need to call you every time I need to do so. I insist.
IT Supplier cap: If that you want Sir, please sign this admin right request form.... but before that, you should know that having admin right could increase the risk of virus infection....
Senior Manager mate: <* interrupting IT Supplier chap*> Yeah.. I know all that stuff... just get it done now!

Wednesday, April 11, 2012

Information Security vs Senior Manager Fun#1 - on BYOD

6 months a XYZ company far far away..

Senior Manager mate: You security guys put tons of security stuffs on my Windows laptop. It takes 15 minutes just to boot-up. Now you are telling me you want to put another piece of compliance software inside? Damm! I don't want to use this Windows shit anymore. See my Mac there. There is no virus attacking Mac. Mac is safe and in less than 5 minutes, I can already use it.
Information Security lad: Sir, the security software were installed to ensure your laptop is secure.. blah..blah.....
Senior Manager mate: Nah! I'll just use my Mac and iPad. Anyway, I know that BYOD policy has been approved as I'm part of the reviewer.
Information Security lad: In that case, please sign this exception form sir... <* explaining the risk of BYOD etc etc and in his head: well, I've done my job, I told you the risk and you accept it, I'm just gonna move on *> 

3 days ago.... still in that far far away XYZ company...

Tuesday, April 10, 2012

Business IT vs IT Supplier Fun#1 - who should set security expectations?

IT Demand vs IT Supply

Business IT bloke: Security? I thought you as our IT Supplier supposes to provide all this security protections by default. I paid you guys lots of money!
IT Supplier chap:  Security? We only provide the basic one. That project manager of yours didn't tell us he wanted more. Furthermore, it's not in the SLA. So, we are not obliged to do so.
Information Security lad:  <*smirking....and having fun inside*>

Deja vu! Right? I'm sure, many of you as a CISO, Information Security Manager, Consultant or Professional have had the luxury to witness this kind of argument within your organization, especially when you are working for a conglomerate that adopt IT Demand and IT Supply model (yeah...Mckinsey's stuff).

Now, as a season Information Security Professional, what would be your advice? What would be the best practice (ain't we all infosec guyz like to quote best practice?)