Wednesday, November 14, 2012

How secure your SMS token/mTAN/TAC code is really up to you

Users will always click on a URL sent to them, right? I bet every information security pro out there has heard or said this before.

Here is a news report that some people in Germany had their bank accounts wiped out after a Trojan "intercepted/diverted" their mTAN (SMS-based one-time password).

Excerpt from the news report by Thelocal.de:

Berlin state police warned on Tuesday that "bank customers using the SMS-TAN/mTAN process have become victim of fraudulent money withdrawals." Several people have reportedly had their bank accounts emptied in the past few weeks, the police said in a statement.

"In all cases, the SMS containing the mTAN for the online banking system was caught or diverted," the statement said. "Up until now, those affected have been customers using a Smartphone with an Android operating system."


Friday, November 2, 2012

Counter cybercrime - avoiding cyber espionage attacks

I came across this article today - 4 factors for avoiding cyber espionage attacks. Good points... but I do have a few comments.


1. Data Policy
Yes. Define your data policy and its classification. Most of the time, the Business is the one accountable for setting it, and (unsurprisingly) most of the time they fail to do so. Hence, it is our job as information security professionals to do our due diligence and help them set one.

2. Bring Your Own Device (BYOD)
Need I say more? I have written a few pieces about the risks of BYOD. Go check them out :)

3. Protect your critical infrastructure
Separating the network that holds the intellectual property from the rest of the network is security 101. However, to do so, you'll need to know what you want to protect first. So the question is - how do you know? See point number 1. It all starts with data classification - I would say it is security 100. Do a risk assessment on your data, then you'll know what to do with the risk: mitigate it or accept it.

4. Monitor for unexpected behavior
Right. Not an easy one. You'll need to know what to look for. One might say Data Leakage Prevention (DLP) is the answer, but I have yet to see a real return on investment from a DLP solution. It's a pain in the XXX to get it implemented: too many false alarms, it needs full-time resources to monitor, etc.....

Monitoring is only effective if you know what you want to monitor. Perhaps you'll need a holistic and overarching (my auditor friends love this phrase, as if it were crafted into their genes or super-glued to their heads, stuck there forever, like a BFF) monitoring programme in place (see the tongue in my cheek?). In layman's terms, that would mean having the right people, processes and technology in place...

Before I take my fingers off the keyboard, I have another point to add:

5. Awareness
Educate your employees (not just the IT folks, but all employees, including your cleaners) on how to spot someone potentially casting a cyber-espionage spell or charm on them. Educate them on how to react, what not to do, who to report the suspicion to, etc.... People are always the weakest link.

Acknowledgement - photo taken from http://en.wikipedia.org/wiki/Spy_vs._Spy

Tuesday, October 16, 2012

BYOD - only allow what you can manage

I have to say I couldn't agree more with what has been stated in this article. I agree 100% with Steve Damadeo:

"You need to be selective about what you do allow," he says. "We block all Android devices for now because of some of the security concerns that have come up and ease of management."

As I have shared in my previous stories, there can be bad consequences if enterprises do not properly manage BYOD.

Acknowledgement: picture taken from http://www.victoriaexpert.com/blog/149-mdm-mobile-device-management-and-byod-bring-your-own-disaster.html

Monday, October 1, 2012

Hackinthebox - 10 years in the box!

Dear all Information Security Professionals, you shouldn't miss this one. It is one of the greatest security conferences you can find out there. And did I mention that the price is dirt cheap compared to that of the... "you-know-which-one" conference? This year is pretty unique coz it is "10 years in the box". 10 awesome years, if I may add (I'm sure Dhillon, Belinda et al. won't argue with me on this one :) ).

Date? 8-11 October 2012, InterContinental, Kuala Lumpur.

More here - http://conference.hitb.org/

Sunday, August 26, 2012

Information Security screw-up #3 - it's all about financial sense

Many of us Information Security Professionals would love to have the best-of-breed security technologies in place. And most of us are paranoid and want things to be as secure as possible. However, that's not how the real world works. Not in an enterprise environment, at least. And the current state of the world economy is not helping either; it is adding insult to injury.

This story is about the same "young" Information Security lad....

Mr. Global CISO: Ok, team. Now it is again time for us to propose our budget for next year. I expect each of you to prepare a budget proposal for your region and come back to me by the end of this week. Then we shall discuss. What you want to do with your region, I'll leave to you, as long as it makes sense.

Young Information Security lad: No worries, sir. You'll get it by the end of the week.

Right after the meeting, the "young" information security lad opened his laptop and started to list all the potential information security projects. After giving it some thought, he decided to give the "laptop encryption" project the highest priority.

Mr. Global CISO: So, what do you have for me?

Young Information Security lad: Mr. Global CISO, here are the projects that I have in mind for my region. I would like to highlight this particular project to you - laptop encryption...

Mr. Global CISO: That sounds interesting. Looking at your proposal, you proposed to have all the laptops encrypted - that would be around 50,000 laptops in your region; at 200 EUR for each laptop, that would be 1 mil. EUR in total. Now, imagine I'm the CEO. Try to convince me why I should give you this 1 mil. EUR.

Friday, July 27, 2012

Information Security screw-up #2 - it's about selling not telling!

Not many Information Security Managers or CISOs have the luxury of walking around with a strong mandate from their CEO or Company Board to implement and enforce information security processes within their organization, especially if the company's bread and butter is not finance or intellectual property. In this kind of company, it is unlikely that people would automatically give good support to what an information security guy tries to do or enforce. People tend to see information security as more of a barrier than an enabler.

Now, let the story begin....

This story is about the same "young" Information Security lad, who has now joined a new company as the regional information security manager. Sadly, he still has the mentality that, as an information security person, everyone will do whatever he says when it comes to information security matters.

Mr. Global CISO: <speaking in a team meeting> Ladies and gentlemen, thank you for your contribution. After 6 months of hard work, I'm glad to announce that the Corporate Information Security Policy that we developed has been approved by the Management. Now, it is your task to ensure that this policy is enforced within your area. Please do not hesitate to come to me if you have any difficulties or get push back.

Young Information Security lad: Don't worry sir, I will ensure that this is enforced in my region. I don't foresee any issues.....

Right after the meeting, the "young" information security lad opened his laptop and started drafting an email:

Wednesday, July 18, 2012

Information Security vs Auditor - foe or friend?

Auditors - hmm... most of the time, nobody really likes them, right? And many people see them as a foe. As an Information Security Professional, I see them more as a friend than a foe. Although sometimes we don't really see eye to eye, especially when dealing with the "dinosaur" type of them, most of the time I would say we do have a common goal - to ensure adequate security measures are in place and enforced.

This story is about how you could "make use" of auditors to achieve your security goals. Hope this would help bring you closer in your "friendship" with the "foe" :)

Information Security lad: Mr. CEO, after various incidents of malware outbreaks within the company, we have come to the conclusion that we need to raise awareness among the employees. Here is the business case for our security awareness campaign. As you can see, we will work together with HR to include this proposed Computer Based Training (CBT) program within the induction training...... blah blah blah.... For this to happen, we will require a budget of EUR 20K to set up the CBT, etc......

Mr. CEO: I like the idea of that CBT... however, as you may know, the budget is a bit tight right now with all these cost-cutting initiatives going on. We don't have any extra budget for this...

Information Security lad: But Mr. CEO, we really need to do this. If another outbreak were to happen, it would cost us more resources to handle the situation. At the end of the day, it would cost more than this business case.

Wednesday, July 4, 2012

Information Security screw-up #1 - security vs uptime

Well, after reading through all of my previous stories, some of you may have had the feeling that I'm telling these stories to show that Information Security professionals are always right. No, not really... we do make mistakes... like everyone, we learn from experience as well.

This is a story about how one Information Security lad screwed up, when "he was young" :)

Once upon a time, there was this one "young" Information Security lad who had just joined a quite successful .com company. As the new Information Security Manager, he felt like he was the town sheriff and everyone had to listen to him when it came to security matters.

It was a weekend, a nice-weather weekend indeed, when he received a call from his company. Apparently, there was a virus outbreak in the company. He was called back to the office immediately...

Young Information Security lad: After some investigation, I found the source of the outbreak. It's coming from this server called E-pay. You shall take down this server immediately and have that malware cleaned right away!

Server Admin folk: That would not be a good idea. We can't just shut down a server like that. I don't think the application owner would be happy with that... we need to...

Young Information Security lad: <* interrupting *> This is a serious security issue! We must stop this before it spreads around! Shut down that server immediately!

Server Admin folk: Errr.......