Wednesday, June 19, 2013

Information Security Awareness - The Human Element


 
Could you guess the weakest link in the information security chain? The human element. It is the one thing technology cannot control. "The human being is the most precious asset a company has, and the most dangerous thing," says the founder of an international security company in the UK.
 
I remember a funny incident: an executive manager at one of the largest multinational financial companies, while walking the office floor, noticed a couple of unlocked user PCs. He sent a broadcast email from one PC saying "Dear All, today's lunch is on me! (from user X)". That is a happy message, but a more alarming one followed from another PC: "Dear All, I am resigning from my job with immediate effect! (from user Y)". The ethics of such messages might be debated, but the moral of the incident is that employees should not leave their desks with information unattended, whether digital or in black and white. Employee awareness of the importance of information security needs to be addressed effectively, which could be a team effort by the HR and Training, IT, Security and Marketing departments.



Information Security Awareness Training – Current Flaws
The main problems with how information security awareness techniques are commonly implemented relate to "business culture" and "awareness approach". It is a common assumption that if someone is aware of a risk or threat, their behaviour will change.
If you are aware of aggressive dogs along a country road, you take care while walking there. The reality is that people may well be aware of the risk but feel constrained by other factors, such as established business culture.
Another problem is that information security professionals do not realize that security awareness is all about marketing. Mouse mats, motivational posters and screen savers carrying messages copied from the organization's security policy are easy to produce, but a genuinely creative marketing approach involves audience research, careful targeting of communications, and measuring the outcome.
The people part of a security implementation is usually left unattended. The patient is dying of the common cold because of poor nursing, while the doctors concentrate on the health of hearts and brains. Yes, the fundamental risks need to be prioritised. The problem with managing employees is managing the motivation of the company itself.
 
Information Security Awareness Training –  A Balanced Approach
No software, and nothing in black and white, can stop company secrets from spilling out of employees' mouths. The only solution is to promote real behavioural change.
 
It is like the carrot-and-stick model of reward and punishment for behaviour. You might push for information security compliance either by punishing bad behaviour or by rewarding good behaviour. The carrot is the better option: the logic is that rewards motivate.
From my personal experience, I have two small kids in my family, and if I buy them some chocolates or toy cars rather than using a stick, the effect is healthy and rewarding as well. The same applies to information security awareness training. Say, for example, you are planning to apply complexity requirements for Windows passwords: you could either punish or warn those who use simple passwords like "name123". On the other side of the coin, you could show an example of a strong password and give small rewards to the employees who then follow that example. What would your choice be?


What do users need to know?
Users need to know about the information security issues that affect their work, their home, themselves and their families. They need to understand the threats and risks, as well as the methods they can personally use to defend against them.
 
To illustrate the human element, consider an example. You may have noticed stickers in hospitals and other public places illustrating the ideal steps for washing hands. Health authorities and other social services organizations took many years to develop the so-called cultural acceptance of washing one's hands to prevent infection, because there is no instantaneous negative consequence to not washing them. It is the same with information security. When you open an email from an unknown sender or click a picture of a fair lady, your computer does not immediately blow up; it maybe gets a bit slow. Someone else's information gets stolen, and the consequence rarely comes back to hurt the individual. Hope you got the logic!
 
Message to Information Security Professionals
 

Many organizations are overlooking the security basics in favour of sexy new cyber-attacks that most people have never heard of. They worry about cyber-attacks from China or Russia, but they have not even fixed basics that have been broken since the business was founded. Hackers understand "human nature" and its impact on "employee behaviour" very well, which is why social engineering and phishing attempts flourish more than ever before.
 
Best Practices:
Communicate to users why it is important to them personally: people are more receptive to information that affects them personally. Training should cover safe usage not only at the workplace but at home as well.
Communicate with real-world examples: keep everyone's attention by citing examples the audience can identify with and whose impact they can appreciate. Use any recent public incident (internal or external) whose consequences can be understood.
Communicate the importance of end-user security awareness efforts: vulnerabilities are exploited not only from the outside but from the inside as well. Approach security awareness with seriousness and give users tools to help with security efforts.
"We're coming around to needing a balance between technological countermeasures and behavioural-change countermeasures," says Williamson of (ISC)2, USA.
 
Organizations must decide which user behaviours they care most about and focus their efforts on controlling those risks. Security professionals should also examine the attitudes and beliefs in their organization, and take a positive approach with the right balance of technology and the human element, in order to ensure a secure computing environment for the business.




 

Sunday, June 16, 2013

How secure is your VoIP infrastructure?


VoIP Security - A Quick Overview! 


Security Issues in VoIP


Voice over IP (VoIP) has grown beyond expectations over the last 12 years. Because it runs as an application on the Internet, VoIP inherits the Internet's security issues. Newer Unified Communication systems integrate voice with other channels such as email, instant messaging and live chat, which opens the door to vulnerabilities that simply did not exist in old PBX systems. VoIP is still a young technology on its race to maturity; many issues in early implementations have been addressed, and its security posture will improve as it evolves.


The security of a VoIP deployment can be broadly categorised into three groups:
1.     Platform Security
2.     Gateway Security
3.     Client Security

Platform Security
Inheritance is a natural phenomenon, and a telephone system behaves like any other client-server environment. A phone system running on a standard operating system (Windows, Linux, etc.) inherits that OS's vulnerabilities, and so requires regular patching and security hardening by the system administrators.
The underlying network infrastructure is the other candidate. A network-layer weakness that is neither noticed nor fixed can be exploited through the VoIP implementation built on top of that weak skeleton. In most corporate organizations internal traffic is left unencrypted so as not to compromise LAN performance, but security administrators should remember that industry breach surveys consistently attribute a large share of incidents to insiders. Even with every door to the outside world locked down with proper controls, a determined disgruntled employee with a foothold on the LAN can eavesdrop on voice traffic using freely available software: tools such as VOMIT or Wireshark's RTP stream player reconstruct conversations from unencrypted RTP, sipsak and SIPtap probe or sniff SIP signalling, and generic scanners such as SuperScan and NetStumbler locate the call servers and wireless segments to target. These passive attacks are prevented by securing the call manager servers and by ensuring that both the signalling (SIP over TLS) and the media (SRTP) pass through an encrypted channel.
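A quick check of whether a call would actually be protected on the wire, as an added example that is not part of the original post: the script below parses SIP INVITE messages and inspects the SDP body. A media line using the plain RTP/AVP profile with no a=crypto (SDES, RFC 4568) or a=fingerprint (DTLS-SRTP) attribute means the audio is plain RTP that anyone on the path can reassemble, and a top Via header other than SIP/2.0/TLS means the signalling itself, including dialled numbers, is readable. The two INVITE messages and the SRTP key material in them are constructed samples, not real captures, and the voip.example.internal domain and the addresses are assumptions.

```python
"""Flag SIP calls whose signalling or media would travel unencrypted on the LAN.

Added example, not from the original post. Parses SIP INVITEs (constructed
samples below) and reports plain signalling transports and media streams
negotiated without SRTP keys.
"""
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real captures). SIP lines end in CRLF.
PLAIN_INVITE = (
    "INVITE sip:2001@voip.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.20.15:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@voip.example.internal>;tag=1928301774\r\n"
    "To: <sip:2001@voip.example.internal>\r\n"
    "Call-ID: a84b4c76e66710@10.10.20.15\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1001 2890844526 2890844526 IN IP4 10.10.20.15\r\n"
    "s=call\r\n"
    "c=IN IP4 10.10.20.15\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

SECURE_INVITE = (
    "INVITE sip:2001@voip.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.10.20.16:5061;branch=z9hG4bK8823hsdf\r\n"
    "From: <sip:1002@voip.example.internal>;tag=5550123\r\n"
    "To: <sip:2001@voip.example.internal>\r\n"
    "Call-ID: 7f3c1a9b0d@10.10.20.16\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1002 11 11 IN IP4 10.10.20.16\r\n"
    "s=call\r\n"
    "c=IN IP4 10.10.20.16\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/SAVP 0 8\r\n"
    # Constructed SDES key: the inline value is not a real key.
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

_VIA_RE = re.compile(r"SIP/2\.0/([A-Za-z]+)")
_MEDIA_RE = re.compile(r"^m=(\w+)\s+\d+\s+(\S+)")


@dataclass
class CallAudit:
    call_id: str
    transport: str                               # transport of the top Via
    media: list = field(default_factory=list)    # dicts: kind, profile, keyed
    findings: list = field(default_factory=list)


def audit_invite(raw: str) -> CallAudit:
    """Return the signalling transport, negotiated media and any findings."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    via = headers.get("via") or headers.get("v", "")
    match = _VIA_RE.search(via)
    transport = match.group(1).upper() if match else "UNKNOWN"
    call_id = headers.get("call-id") or headers.get("i", "?")
    audit = CallAudit(call_id=call_id, transport=transport)
    if transport != "TLS":
        audit.findings.append(
            f"signalling sent over {transport}: dialled numbers and Call-IDs visible on the wire")
    for line in body.split("\n"):
        mm = _MEDIA_RE.match(line)
        if mm:
            audit.media.append({"kind": mm.group(1), "profile": mm.group(2), "keyed": False})
        elif audit.media and (line.startswith("a=crypto:") or line.startswith("a=fingerprint:")):
            # Media-level attribute: SDES keys or a DTLS-SRTP fingerprint.
            audit.media[-1]["keyed"] = True
    for med in audit.media:
        if not (med["profile"] in ("RTP/SAVP", "RTP/SAVPF") and med["keyed"]):
            audit.findings.append(
                f"{med['kind']} stream negotiated as {med['profile']} without SRTP keys: "
                "reconstructable by anyone on the path")
    return audit


def is_protected(raw: str) -> bool:
    """True only when signalling is over TLS and every stream is keyed SRTP."""
    return not audit_invite(raw).findings


if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        result = audit_invite(msg)
        print(name, result.call_id, result.transport, result.findings or "OK")
```

Run against a capture of your own signalling (the same parser works on responses that carry SDP) and it shows immediately whether "encrypted voice" in the call manager configuration has actually reached the phones: a profile of RTP/AVP on the wire means the eavesdropping tools above will work regardless of what the policy says.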
Gateway Security
Gateway routers and firewalls are the first line of defence against an active attack. We should admit that not every firewall on the market understands VoIP protocols such as SIP and SCCP. A firewall that is not VoIP-aware cannot follow the media ports negotiated in the signalling, so it either blocks the call or forces the administrator to leave wide port ranges open, and aggressive scanning of inbound/outbound traffic may block legitimate communication. VoIP traffic is also time-sensitive: any delay introduced by inspection shows up as dropped audio end to end, and the industry is not yet mature enough to trigger intelligent scanning only on voice packets. All of these factors need to be considered when defining preventive rules at the gateway firewalls.
Human error in defining firewall rules and Access Control Lists is another external candidate. Many ready-made VoIP solutions leave unattended open TCP/UDP ports, a favourable environment for a DoS/DDoS attack that could bring down the entire gateway. Security administrators should not be generous enough to open doors for attackers or social engineers. Nor should we discard the probability of SPIT (Spam over Internet Telephony): finely crafted pre-recorded messages can be pushed to IP phones by sending unsolicited SIP INVITE requests to one extension after another, abusing the fact that the basic SIP call setup does not require the caller to be authenticated by the callee. SPIT is more of a nuisance than an attack on the VoIP infrastructure, but it ties up the same trunks and the same users.
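Both the INVITE flood and the SPIT spray described above leave the same fingerprint in a SIP proxy or SBC log, and the detection below is an added example rather than anything from the original post. It replays constructed, one-line-per-request log lines (the format, the timestamps and all addresses are assumptions; adapt the regex to your proxy) and raises two kinds of alert per source: more than a handful of INVITEs inside a short sliding window (flood/DoS) and one source dialling an unusually large number of distinct extensions (the spray typical of SPIT).

```python
"""Spot INVITE floods and SPIT sprays in SIP proxy logs.

Added example, not part of the original post. The log format below is a
constructed one (timestamp, source IP, method, From, To); real proxies
differ, so LINE_RE is the part to adapt.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one normal extension and one external host that
# sprays twelve extensions in six seconds. 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
2013-06-16T09:00:01 src=10.10.20.15 method=INVITE from=sip:1001@voip.example.internal to=sip:2001@voip.example.internal
2013-06-16T09:00:02 src=10.10.20.15 method=BYE from=sip:1001@voip.example.internal to=sip:2001@voip.example.internal
2013-06-16T09:00:40 src=10.10.20.15 method=INVITE from=sip:1001@voip.example.internal to=sip:2002@voip.example.internal
2013-06-16T09:01:10 src=10.10.20.15 method=INVITE from=sip:1001@voip.example.internal to=sip:2001@voip.example.internal
2013-06-16T09:05:00 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2000@voip.example.internal
2013-06-16T09:05:00 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2001@voip.example.internal
2013-06-16T09:05:01 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2002@voip.example.internal
2013-06-16T09:05:01 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2003@voip.example.internal
2013-06-16T09:05:02 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2004@voip.example.internal
2013-06-16T09:05:02 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2005@voip.example.internal
2013-06-16T09:05:03 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2006@voip.example.internal
2013-06-16T09:05:03 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2007@voip.example.internal
2013-06-16T09:05:04 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2008@voip.example.internal
2013-06-16T09:05:04 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2009@voip.example.internal
2013-06-16T09:05:05 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2010@voip.example.internal
2013-06-16T09:05:05 src=203.0.113.7 method=INVITE from=sip:promo@203.0.113.7 to=sip:2011@voip.example.internal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) method=(?P<method>\w+) from=(?P<frm>\S+) to=(?P<to>\S+)$")


def detect(log_text, window=10.0, max_per_window=5, max_distinct=8):
    """Return (src, kind, count) alerts; one alert per source and kind.

    kind is "flood" when more than max_per_window INVITEs arrive from one
    source within `window` seconds, and "spray" when one source has dialled
    more than max_distinct different callees over the whole log.
    """
    recent = defaultdict(deque)   # src -> INVITE timestamps inside the window
    callees = defaultdict(set)    # src -> distinct To URIs
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "INVITE":
            continue                       # only call setups count
        src = m["src"]
        t = datetime.fromisoformat(m["ts"]).timestamp()
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:     # slide the window forward
            q.popleft()
        callees[src].add(m["to"])
        if len(q) > max_per_window and (src, "flood") not in alerted:
            alerted.add((src, "flood"))
            alerts.append((src, "flood", len(q)))
        if len(callees[src]) > max_distinct and (src, "spray") not in alerted:
            alerted.add((src, "spray"))
            alerts.append((src, "spray", len(callees[src])))
    return alerts


if __name__ == "__main__":
    for src, kind, count in detect(SAMPLE_LOG):
        print(f"{src}: {kind} ({count})")
```

The thresholds are deliberately low so the sample trips them; in production they should be set from a baseline of normal call rates per trunk, and an alert from an external source is a candidate for a temporary block at the gateway firewall or SBC rather than just a log entry.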
Client Security
It is a fact that many system administrators gracefully forget to patch the IP telephone sets before deploying them on the network. Many VoIP phones fetch their firmware and configuration over TFTP, a protocol with no authentication or integrity protection of its own, so an unprotected TFTP server is a recipe for disaster: an intruder who can reach it, or impersonate it, can feed the phones a tampered firmware or configuration file. Restrict the provisioning server to the voice VLAN, use signed firmware images and configuration files where the vendor supports them, and prefer HTTPS provisioning over TFTP where the phones allow it. Last but not least, the information displayed on the IP phones (and in their web interfaces) should be well sorted and not informative enough for a technology-aware employee to gather details for scanning or enumeration.
The wireless infrastructure is another possible host for a VoIP attack. Many modern businesses demand wireless IP phones for mobility. Network administrators need to ensure that wireless networks are secured using centralized authentication (for example 802.1X/WPA2-Enterprise) and avoid giving meaningful names to the SSID if it has to be broadcast.
Security administrators should advise network engineers to implement a secure VPN tunnel before extending the VoIP infrastructure to remote offices or users. Many free VPN solutions are available, but the choice should be well thought through and the configuration locked down, so that minor holes do not jeopardize the organization's security investment.
Some basic steps to secure VoIP infrastructure.

1.     Diligent patching of the phone system with stable firmware and security updates
2.     Review the firewall configurations and ACLs prior to VoIP implementation.
3.     Implement centralized network authentication for wired and wireless networks.
4.     Review the network security or perform an internal security audit before deploying the VoIP solution.
5.     Perform a security hardening of the servers at Operating System level before starting the implementation of Call Manager system.
6.     Encrypt the voice traffic on the LAN (SRTP for media, TLS for signalling) and apply QoS to voice packets.
7.     Implement a certificate server (PKI) for voice clients.
8.     Review the Call Manager configuration if bought off the shelf.
It is a known fact that no security measure can stop a determined hacker from stealing the hidden treasure, but data and information are the "life blood" of a business and need to be protected with utmost care and due diligence!





Multi Layer Security

I thought I would express my view on multi-layer security, as I recently read an article by a firewall vendor offering a comprehensive security solution through an application-layer device.

Multi-Layer Security - the facts and a balanced approach.
 

The Open Systems Interconnection (OSI) model (ISO/IEC 7498-1) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers. The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO), developed as a guideline for standards that enable the interconnection of dissimilar computing devices.