<h2>
Web Application Security - from the start</h2>
This blog, by alexisfitzg, is mainly aimed at development teams responsible for producing online web applications. The goal is to help you design security in from the start. If you're looking for an SDLC Quick Reference checklist of security related topics then read the <strong> <a href="http://blog.alexisfitzg.com/2011/02/overview-of-main-posts.html">Overview of Main Posts</a></strong>. Come on in and have a look around!<br />
<br />
<h2>
EU Data Protection Regulation - 3 versions so far</h2>
<i>Published: 2015-07-04</i><br />
<i>updated: 2nd August 2015</i><br />
<i><br /></i>
The new proposed EU Data Protection Regulation is slowly moving its way through the machinery of EU democracy. Here are links to the 3 proposals so far from various bits of the EU bureaucracy. Useful if you want to compare them.<br />
<br />
Updated to include a link to the European Data Protection Supervisor's opinion on the various proposals. There is also a link to an app and a big pdf containing a side-by-side comparison plus the Supervisor's recommendations.<br />
<h2>
EU Commission - 25th January 2012 </h2>
The original European Commission version is at:<br />
<br />
<ul>
<li><a href="http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf">http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf</a></li>
</ul>
<div>
The general announcement is at:</div>
<div>
<ul>
<li><a href="http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm">http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm</a></li>
</ul>
</div>
<br />
<h2>
EU Parliament - 12th March 2014</h2>
The amended European Parliament version is at:<br />
<br />
<ul>
<li><a href="http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0219">http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0219</a></li>
</ul>
<br />
<br />
<h2>
EU Presidency to Council - 11th June 2015</h2>
<div>
This is the version submitted by the EU presidency to the European Council.</div>
<br />
<ul>
<li><a href="http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf">http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf</a></li>
</ul>
<div>
<h2>
EU Data Protection Supervisor - Opinion of July 27th 2015</h2>
<div>
This is the opinion plus a comparison of the various versions.</div>
<br />
<ul>
<li><a href="https://secure.edps.europa.eu/EDPSWEB/edps/lang/en/Consultation/Reform_package">https://secure.edps.europa.eu/EDPSWEB/edps/lang/en/Consultation/Reform_package</a></li>
</ul>
</div>
<div>
<br /></div>
<br />
<br />
<br />
<h2>
Application Security and Governance Task List</h2>
<i>Published: 2015-02-01</i><br />
<i>Last Update: 29th June 2015</i><br />
<h3>
Introduction</h3>
I have put together an <a href="http://bitly.com/15AyZdi">Application Security and Governance Task List</a> (see Useful Links below). This is an Excel Online document which can be viewed through any regular browser, or downloaded and used in Microsoft Excel. For those in a hurry, the Task List is under the tab <b>2-Task List</b>.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkDHcFFMjCeE3yGIa4ddA5mBFAz1BHJ02kIXk4A0CRWiGLxIHuSOyNzYQDM9gkZzmNBxAyFt-8bNDcyehyphenhyphenWsz7Wd1jiJlF7rS5cElGS7v0nL98uSX7NnGw0g8sge15lVAq90-UNRh-5Q/s1600/AppSecandGovernanceTaskListScreenshot.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkDHcFFMjCeE3yGIa4ddA5mBFAz1BHJ02kIXk4A0CRWiGLxIHuSOyNzYQDM9gkZzmNBxAyFt-8bNDcyehyphenhyphenWsz7Wd1jiJlF7rS5cElGS7v0nL98uSX7NnGw0g8sge15lVAq90-UNRh-5Q/s1600/AppSecandGovernanceTaskListScreenshot.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Task List</b></td></tr>
</tbody></table>
<br />
It gives a fairly high level list of tasks that should be considered at the start of a development project. It covers both security and more governance type issues.<br />
<br />
It is divided into a number of categories. Under each category, there are a number of tasks.<br />
<div>
<br /></div>
<br />
Use it just to browse the list of tasks and maybe spot some item which you had not already considered. You can do this through your browser. The task list itself is in tab <b>2 - Task List</b> in the spreadsheet.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNwxFTMCHXm4-FFzy3ra1FUJKF_6dcj3-PEgn7uSyjGplkioRJrNtFnQfCTe65rruy8uRlbOMcewnfCs7Q7802YqzOi312Dvx21Ea2vLyLmmfAuyAcgoz5tDGJ57M5uFOh_EStYKzOSA/s1600/ExcelExpanCollapseScreenshot.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNwxFTMCHXm4-FFzy3ra1FUJKF_6dcj3-PEgn7uSyjGplkioRJrNtFnQfCTe65rruy8uRlbOMcewnfCs7Q7802YqzOi312Dvx21Ea2vLyLmmfAuyAcgoz5tDGJ57M5uFOh_EStYKzOSA/s1600/ExcelExpanCollapseScreenshot.jpg" width="151" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Excel Expand/Collapse</b></td></tr>
</tbody></table>
<br />
<br />
You can also download it as an Excel spreadsheet and modify it in Excel. Use the <b>Open in Excel </b>or <b>File|Save As </b> options in <b>Excel Online </b>for this. Columns D to G could come in useful here to track what needs to be done.<br />
<br />
Use the Excel Expand and Collapse options on the Left Hand Side to show and hide the tasks.<br />
<br />
<b>Note: </b>This is currently in Beta mode.<br />
<br />
<h3>
<b>Useful Links</b></h3>
<br />
<ul>
<li><b><a href="https://bitly.com/15AyZdi">Application Security and Governance Task List</a> - (Excel Online Document)</b></li>
</ul>
<div>
<br /></div>
<div>
<br /></div>
<h2>
Information Security for Business - Where to Start</h2>
<i>Published: 2014-07-21</i><br />
<i>Update 5th July 2015, 28th June 2015</i><br />
<i><br /></i>
Where does a business or organisation start if they want to improve their information security stance?<br />
<br />
Here are some ideas. The links are at the bottom of the post.<br />
<br />
<h3>
Council on CyberSecurity Critical Security Controls</h3>
<div>
<ul>
<li>"The Council's Technology practice area is built upon the Critical Security Controls (the Controls), a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks"</li>
</ul>
<div>
This is related to the SANS Institute Critical Security Controls - see below.<br />
<br />
The council also has its "<b>First Five Quick Wins</b>":<br />
<ol>
<li> application whitelisting (found in CSC 2);</li>
<li> use of standard, secure system configurations (found in CSC 3);</li>
<li> patch application software within 48 hours (found in CSC 4);</li>
<li> patch system software within 48 hours (found in CSC 4); and</li>
<li> reduced number of users with administrative privileges (found in CSC 3 and CSC 12).</li>
</ol>
</div>
</div>
These are related to the Australian Signals Directorate Top 4 - see below.<br />
<br />
<h3>
SANS Institute Critical Security Controls</h3>
The SANS Institute maintains a list of the top 20 critical security controls.<br />
<br />
<ul>
<li>The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness</li>
</ul>
<div>
<br /></div>
<br />
<h3>
Australian Signals Directorate Top 4</h3>
<div>
The Australian Signals Directorate (ASD) maintains that:</div>
<div>
<ul>
<li>"At least 85% of the intrusions that ASD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package."</li>
</ul>
</div>
<div>
The top 4 are:</div>
<div>
<ol>
<li>Application Whitelisting</li>
<li>Patching Systems</li>
<li>Restricting Administrative Privileges</li>
<li>Creating a defence-in-depth system</li>
</ol>
</div>
<div>
<br /></div>
<div>
<br /></div>
<b>--</b><br />
<br />
Here are a number of programs from the UK Government.<br />
<h3>
Cyber security guidance for business </h3>
This guidance is aimed at business in general and starts off with board level responsibilities. It then describes the "10 steps to cyber security", which cover the following topics:<br />
<ol>
<li>Information Risk Management Regime</li>
<li>Home & Mobile Working</li>
<li>User Education & Awareness </li>
<li>Incident Management</li>
<li>Managing User Privileges</li>
<li>Removable Media Controls</li>
<li>Monitoring</li>
<li>Security Configuration</li>
<li>Malware Protection</li>
<li>Network Security</li>
</ol>
<h3>
Cyber Street Wise</h3>
Cyber Street Wise has the following "five essential tips for cyber safety" for your business:<br />
<ol>
<li>Install Updates and antivirus software</li>
<li>Use strong passwords</li>
<li>Only download from trusted sites and organisations</li>
<li>Beware of phishing emails</li>
<li>Review and protect your business' information </li>
</ol>
<br />
<h3>
Cyber Essentials</h3>
Then there is "Cyber Essentials", which "is a government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks."<br />
<br />
This is more technical and covers the following five areas:<br />
<ol>
<li>Boundary firewalls and internet gateways</li>
<li>Secure configuration</li>
<li>Access control</li>
<li>Malware protection</li>
<li>Patch management</li>
</ol>
It also states the following:<br />
<blockquote class="tr_bq">
"From 1 October 2014, [UK] government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme."</blockquote>
<br />
<h3>
Useful Links</h3>
<ul>
<li><a href="http://www.counciloncybersecurity.org/critical-controls/">Council on CyberSecurity Critical Controls</a></li>
<li><a href="https://www.sans.org/critical-security-controls/">SANS Institute Critical Security Controls</a></li>
<li>Australian Signals Directorate <a href="http://www.asd.gov.au/publications/protect/top_4_mitigations.htm">Top 4 Mitigation Strategies</a></li>
<li><a href="https://www.gov.uk/government/publications/cyber-essentials-scheme-overview">Cyber Street Wise</a> </li>
<li><a href="https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility">Cyber security guidance for business</a> </li>
<li><a href="https://www.gov.uk/government/publications/cyber-essentials-scheme-overview">Cyber Essential Scheme</a></li>
</ul>
<h2>
FUD: A Plea for Intolerance</h2>
<i>Published: 2014-07-13</i><br />
<a href="http://research.microsoft.com/en-us/people/cormac/cormac.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://research.microsoft.com/en-us/people/cormac/cormac.png" height="200" width="155" /></a><br />
Another interesting paper from <a href="http://research.microsoft.com/en-us/people/cormac/">Cormac Herley</a> at Microsoft Research.<br />
<br />
In it he talks about "Fear, Uncertainty and Doubt" (FUD) and how <br />
<br />
<blockquote class="tr_bq">
"Even a casual observer of computer security must notice the prevalence of FUD: non-falsifiable claims that promote fear, uncertainty or doubt (FUD)"</blockquote>
It is short at 5 pages and well worth reading.<br />
<br />
<b>Useful Link:</b><br />
<ul>
<li><a href="http://research.microsoft.com/pubs/217438/FUD_APleaForIntolerance.pdf">FUD: A Plea for Intolerance</a></li>
</ul>
<h2>
EU Data Protection Regulation - Application Security</h2>
<i>Published: 2014-03-22</i><br />
<div class="separator" style="clear: both; text-align: left;">
<a href="http://www.europarl.europa.eu/common/img/icon/header_icon_eplogo_print.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://www.europarl.europa.eu/common/img/icon/header_icon_eplogo_print.png" /></a></div>
<br />
<i>Update: June 28th 2015</i><br />
<i><br /></i>
<i>Progress is being made.....slowly. Here is a link to the version proposed by the European Council:</i><br />
<i><a href="http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf" target="_blank">http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf</a></i><br />
<br />
<br />
<br />
The new EU Data Protection regulation took another step on its long road towards becoming law. What does this mean for application design and security?<br />
<br />
The regulation was originally proposed by the EU Commission in January 2012, and the EU Parliament has now supported it (with lots of amendments to the original proposal). The next step on the long road is the EU Council of Ministers.<br />
<br />
Who knows when/if this becomes law, but it is worthwhile being aware of it. It is long and complicated and will change.<br />
<br />
What could this mean for application design and security? Here are some of the proposed amendments which may impact your application design and security when processing personal information of EU citizens. These are just the barest details based on the amendments proposed by the EU parliament. There is more information in the links below.<br />
<br />
<br />
<h3>
Article 15 - Amendment 78 - Right to Rectification <b><i>and Completion</i></b></h3>
In this amendment, the data subject can request that any information be corrected. For the application developer, this means that there should be some way to correct personal information that the application stores.<br />
<br />
<h3>
Article 16 - Amendment 79 - Right to Erasure</h3>
The data subject can request that their personal data be deleted. There are various conditions around this. Basically it means that the application should have the ability to delete a user's information at their request.<br />
<br />
<h3>
Article 19 - Amendment 81 - Data Protection by Design and by Default</h3>
This is a core article from a security perspective. It talks about "protection by design", "risk", and "entire lifecycle management of personal data from collection to processing to deletion".<br />
<br />
Security of personal data cannot be an afterthought. It must be considered from the start of the application design.<br />
<br />
<h3>
Article 24 - Amendment 86 - Keeping of Records</h3>
This article essentially means that the application must keep an audit trail. It even mentions such items as "date and time".<br />
<br />
<h3>
Article 27 - Amendment 90 - Security of Processing</h3>
This is another one directly related to application security. The main clause states that the data controller or processor must:<br />
<blockquote class="tr_bq">
"<b><i>implement</i></b> appropriate technical and organisational measures <b><i>and procedures</i></b> to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation."</blockquote>
Again this clause mentions risk. The article itself lists a number of more detailed requirements covering security measures such as access control.<br />
<br />
<br />
<h2>
Useful Links</h2>
<ul>
<li><a href="http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0219">EU Data Protection 12th March 2014 - Amendments proposed by EU Parliament</a></li>
<li><a href="http://www.theregister.co.uk/2014/03/12/european_parliament_waves_through_data_protection_reforms/">http://www.theregister.co.uk/2014/03/12/european_parliament_waves_through_data_protection_reforms</a></li>
<li><a href="http://europa.eu/rapid/press-release_MEMO-14-186_en.htm">EU Press Release 12th March 2014 - Progress on EU data protection reform now irreversible following European Parliament vote</a></li>
<li><a href="http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm">25th January 2012 - EU Commission proposes a comprehensive reform of the data protection rules</a></li>
</ul>
<h2>
NIST Cybersecurity Framework</h2>
<i>Published: 2014-03-03</i><br />
NIST has just released the Cybersecurity Framework Version 1.0. This is mainly intended for improving critical infrastructure type facilities in the USA. However, it can potentially be applied to a much broader range of organisations across the world.<br />
<br />
It covers 5 main functions of a cyber security framework:<br />
<ul>
<li>Identify</li>
<li>Protect</li>
<li>Detect </li>
<li>Respond</li>
<li>Recover</li>
</ul>
<br />Each of these functions is then broken down into categories, and the categories are further subdivided into subcategories.<br /><br />This is two more than Bruce Schneier, who defines Protect, Detect and Respond.<br /><br />The basic idea is that you take the categories and analyze them to define your current profile. You then define a target profile and work out action plans and prioritizations to achieve the target profile.<br /><br />It is not a very long document, and much of the useful information is in the appendices. It widely references other public standards.<br />
<h3>
Application Security</h3>
The framework does not have much to say about secure application development. However, it is extensible, so you can add in your own categories and subcategories. It does talk about access control, data-at-rest and data-in-transit controls, etc.<br /><br />PR.DS-7 says:<br />
<blockquote class="tr_bq">
The development and testing environment(s) are separate from the production environment</blockquote>
<h3>
Useful Links</h3>
<ul>
<li><a href="http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm">NIST Press Release</a> </li>
<li><a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf">http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf</a></li>
</ul>
<br />
<h2>
Data Flow Diagrams and PCI DSS Version 3</h2>
<i>Published: 2014-02-09</i><br />
<a href="https://www.pcisecuritystandards.org/images/logo.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://www.pcisecuritystandards.org/images/logo.png" /></a>I just noticed that the Payment Card Industry - Data Security Standard (PCI DSS) Version 3 has a new requirement at 1.1.3. The old 1.1.3 in PCI DSS version 2 is now requirement 1.1.4 in PCI DSS version 3.<br />
<br />
<h3>
PCI DSS Requirement 1.1.3</h3>
So what does new requirement 1.1.3 say?<br />
<blockquote class="tr_bq">
"Current diagram that shows all cardholder data flows across systems and networks"</blockquote>
The testing procedure for this requirement says<br />
<blockquote class="tr_bq">
"Examine data-flow diagram and interview personnel to verify the diagram:</blockquote>
<blockquote class="tr_bq">
<ul>
<li>Shows all cardholder data flows across systems and networks.</li>
<li>Is kept current and updated as needed upon changes to the environment.</li>
</ul>
</blockquote>
And finally the guidance says<br />
<blockquote class="tr_bq">
"Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network. Network and cardholder data-flow diagrams help an organization to understand and keep track of the scope of their environment, by showing how cardholder data flows across networks and between individual systems and devices."</blockquote>
<h3>
The Fundamentals</h3>
Data Flow Diagrams (DFDs) are a powerful tool in many situations, whether you are in the role of PCI QSA or of security architect trying to work out the appropriate level of security requirements. This new PCI requirement recognizes this. While PCI really only cares about payment cards, DFDs can and should also be used wherever you are analyzing data which is important to your organization.<br />
<br />
A DFD consists of three main elements:<br />
<ol>
<li>It shows the data flows, i.e. the networks etc. through which data passes.</li>
<li>It shows data storage areas. This indicates where data is stored within the system.</li>
<li>Finally, the DFD highlights trust boundaries. This is where data travels across boundaries which are not trusted. The interface to the internet is typically a trust boundary.</li>
</ol>
<br />
A DFD need not be complicated. At its simplest it consists of a series of boxes on a whiteboard indicating the data storages, with lines showing where data flows.<br />
<br />
When creating a DFD, make sure to ask a series of questions such as:<br />
<ul>
<li>Where are backups held?</li>
<li>How are test systems and data handled? Remember, if live production data is used in a test system, the same level of security must apply as in the production system.</li>
<li>Can users export data to desktops etc.?</li>
</ul>
These questions help build up a complete DFD picture.<br />
<br />
When you have a good DFD, you can start specifying the appropriate level of security controls that are required for each flow and storage within the DFD. For example, if sensitive data flows across the public internet then it should be encrypted using SSL. A DFD helps answer these types of questions.<br />
<br />
<h3>
DFDs and Application Security</h3>
<div>
DFDs apply when developing applications and choosing security controls. They help in working out what type of security controls are required whenever data is at rest or in motion. When developing the security requirements for the application, the development team should develop appropriate DFDs. This should be done early in the development life cycle. The DFDs can then be used to make sure that the proper security controls are in place which reflect the security drivers for the application. These security drivers can include data protection legislation, PCI DSS and internal corporate policies.<br />
<br /></div>
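One way to make the DFD questions above mechanical (where backups go, whether production data sits in test, which flows cross a trust boundary unprotected, and which nodes are in scope), as an added example that is not code from the post: model the stores, flows and trust zones, then derive the control findings per flow and store. Node names, zone labels and the sample cardholder-data flows are constructed assumptions.

```python
"""Turn a data-flow diagram (DFD) into a list of control questions.

Added example, not code from the original post. Zone names, node names
and the sample cardholder-data flows are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Data labels the organisation cares about (constructed list).
SENSITIVE = {"PAN", "cardholder data", "personal data"}


@dataclass(frozen=True)
class Node:
    name: str
    zone: str                      # trust zone: "internet", "dmz", "cde", "test", ...
    is_store: bool = False         # a data storage area (database, tape, file share)
    production_data: bool = False  # does the store hold live production data?


@dataclass(frozen=True)
class Flow:
    src: Node
    dst: Node
    data: str                      # label of the data carried on this flow
    encrypted: bool = False        # protected in transit (e.g. SSL/TLS)


@dataclass
class Dfd:
    nodes: List[Node] = field(default_factory=list)
    flows: List[Flow] = field(default_factory=list)

    def crossings(self) -> List[Flow]:
        """Flows whose endpoints sit in different trust zones."""
        return [f for f in self.flows if f.src.zone != f.dst.zone]

    def in_scope(self) -> Set[str]:
        """Nodes that send or receive sensitive data: the environment the
        PCI guidance wants the diagram to bound."""
        names: Set[str] = set()
        for f in self.flows:
            if f.data in SENSITIVE:
                names.update((f.src.name, f.dst.name))
        return names

    def findings(self) -> List[Tuple[str, str]]:
        """(severity, message) pairs answering the post's DFD questions."""
        out: List[Tuple[str, str]] = []
        for f in self.crossings():
            if f.data not in SENSITIVE or f.encrypted:
                continue
            edge = f"{f.src.name} -> {f.dst.name} ({f.src.zone}->{f.dst.zone})"
            if "internet" in (f.src.zone, f.dst.zone):
                out.append(("high", f"{f.data} crosses the public internet unencrypted: {edge}"))
            else:
                out.append(("medium", f"{f.data} crosses an internal trust boundary unencrypted: {edge}"))
        drawn = {n.name for f in self.flows for n in (f.src, f.dst)}
        for n in self.nodes:
            if n.is_store and n.zone == "test" and n.production_data:
                out.append(("high", f"test store {n.name} holds production data; production controls apply"))
            if n.is_store and n.name not in drawn:
                out.append(("medium", f"store {n.name} has no flow drawn: how does data reach it (backup, export)?"))
        return out


def sample_dfd() -> Dfd:
    """Constructed example: a card payment page and the systems behind it."""
    browser = Node("customer browser", "internet")
    web = Node("payment web app", "dmz")
    db = Node("payment database", "cde", is_store=True, production_data=True)
    tape = Node("offsite backup tape", "offsite", is_store=True, production_data=True)
    qa = Node("QA database", "test", is_store=True, production_data=True)
    desk = Node("analyst desktop", "corporate", is_store=True)
    archive = Node("report archive share", "corporate", is_store=True)  # nobody drew a flow to it
    d = Dfd(nodes=[browser, web, db, tape, qa, desk, archive])
    d.flows = [
        Flow(browser, web, "PAN", encrypted=True),  # TLS across the public internet
        Flow(web, db, "PAN"),                       # plaintext hop from DMZ into the CDE
        Flow(db, tape, "PAN", encrypted=True),      # encrypted backups
        Flow(db, qa, "PAN"),                        # production copy loaded into QA
        Flow(db, desk, "PAN"),                      # ad-hoc export to a desktop
    ]
    return d


if __name__ == "__main__":
    dfd = sample_dfd()
    print("in scope:", sorted(dfd.in_scope()))
    for severity, message in dfd.findings():
        print(f"[{severity}] {message}")
```

The forgotten archive share shows why the backup and export questions matter: it is a store nobody drew a flow to, so it is neither in scope nor covered by any control.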
<h3>
Useful Links</h3>
<div>
<ul>
<li><a href="http://pcisecuritystandards.org/">PCI Security Standards Council</a></li>
<li><a href="https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&association=pcidss#leadgendiv">PCI DSS Version 3</a></li>
<li><a href="http://en.wikipedia.org/wiki/Data_flow_diagram">Wikipedia: Data Flow Diagram</a></li>
</ul>
</div>
<br />
<br />
<br />
<h2>
Mobile Phone Security Malware Statistics - Mobile Application Security</h2>
<i>Published: 2014-02-02</i><br />
<a href="http://media.economist.com/sites/all/themes/econfinal/images/svg/logo.svg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://media.economist.com/sites/all/themes/econfinal/images/svg/logo.svg" height="100" width="200" /></a>Which of the following statements do you believe?<br />
<ol>
<li>"Given that there are around 1.5 billion smartphones and tablets in the world, that means probably fewer than 15,000 of them are harbouring mischievous software." - <a href="http://www.economist.com/news/technology-quarterly/21590753-mobile-security-when-it-comes-mobile-devices-viruses-are-not-problem-they">The Economist</a> - November 2013</li>
<li>"32.8 Million Android Phones Infected with Malware" - <a href="http://www.techlicious.com/blog/32-million-android-phones-infected-with-malware/">Techlicious.com</a> - April 2013, based on information from <a href="http://www.nq.com/2012_NQ_Mobile_Security_Report.pdf">NQ Mobile</a></li>
</ol>
(As a long time "Economist" reader, I probably tend to go with number 1.)<br />
<br />
Does it matter?<br />
<br />
If you are trying to make informed decisions around mobile phone security for yourself or your organisation, then it does matter. Go with statement number 1, and you will be trying to implement controls around the risk that the device will be lost or stolen (encryption, backups etc.).<br />
<br />
Favour statement number 2, and you will be thinking more about security controls like anti-virus applications etc.<br />
<br />
The Economist article goes on to say:<br />
<blockquote class="tr_bq">
"Gartner, an information-technology consultancy based in Stamford, Connecticut, advises clients not to worry too much about malware penetrating their networks through the devices employees bring to work. It is the users themselves who are the problem. How, for instance, do companies prevent employees from innocently responding to “spear-phishing attacks” in the form of individually targeted, and very official-looking, e-mail or text messages, apparently from trusted colleagues, that request sensitive information? Security measures need to focus more on educating users, says Gartner, rather than on the relatively minor problem of mobile malware. "</blockquote>
<h3>
Mobile Application Security</h3>
<br />
What about mobile application security? The OWASP Top 10 Mobile 2014 risk <a href="https://www.owasp.org/index.php/Mobile_Top_10_2014-M2">"M2 - Insecure Data Storage"</a> says about the threat agent:<br />
<blockquote class="tr_bq">
"Threat agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device."</blockquote>
If you believe The Economist, you will give less weight to the malware risk in your application design and more prominence to the lost/stolen phone risk.<br />
<br />
If the device itself is properly encrypted, then you will be less concerned about storing sensitive data on the device. Since the risk of malware is low, it is unlikely that malware will steal the sensitive data.<br />
<br />
(Ok - you should still be careful about what data your application stores on the device.)<br />
<br />
<h3>
Useful Links</h3>
<br />
<ul>
<li><a href="http://research.microsoft.com/apps/pubs/default.aspx?id=149886">Sex Lies and Cyber-crime Surveys</a> - Microsoft Research</li>
<li><a href="https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks">OWASP Mobile Top 10 Project</a></li>
</ul>
<br />
<div>
<br /></div>
<br />
<br />
<br />
<h2>
Can InfoSec Actually Help Save Money</h2>
<i>Published: 2014-01-27</i><br />
<h3>
Can Information Security actually help save money? </h3>
In terms of InfoSec, we usually think of the potential for future savings. Hopefully, the thinking goes, if we invest in appropriate security controls now, we will not be hacked in the future. Calculations based on this approach, such as Return On Security Investment (ROSI), try to make this argument. It's an insurance policy.<br /><br />But the present question is: can we use InfoSec to actually achieve verifiable savings, now?<br />
<h3>
Availability</h3>
The third leg of the InfoSec triad is Availability (the other two, as you already know, being Confidentiality and Integrity). In general, availability means having information available when you need it. But the flip-side of this is what to do with information when you no longer require it. Can we make savings here?<br /><br />In general, companies and organisations tend to keep information forever. We are afraid to get rid of it, because we might need it for a rainy day. However, there is a cost associated with this. Even though storage costs keep going down, the amount of information that we generate keeps increasing. And it costs money to store all this data: hardware costs, personnel, backups etc.<br /><br />If the data can be deleted, then can these associated costs be saved?<br /><br />The possible answer is to delete it when it is no longer needed. In fact, data protection legislation usually says something along the lines of "Delete personal data when it is no longer needed". If we can achieve this, then not only are we likely to save costs, but we are also more likely to be in compliance with legislation.<br /><br />What are the necessary steps?<br />
<h3>
Data Retention Policy</h3>
Develop a data retention policy. This will define how long data is to be kept and when it can be deleted. This may give rise to conflicting requirements based on the type or classification of data that is being processed. As mentioned earlier, personal data should be deleted when no longer needed. However, financial or transactional data may need to be retained for a certain amount of time for audit purposes. The important thing is to identify the different types of data that you process, and then to define retention periods for the various classification types. <br /><br />This bit can be tricky as you need to consider other issues such as information that may need to be retained for litigation purposes: a legal hold overrides the normal retention period.<br />
<h3>
Identification</h3>
The next step is to identify the locations where information is stored and to classify these based on the data retention policy.<br />
<h3>
Deletion</h3>
Finally, delete the data based on the data retention policy and on classification type. The identification step needs to include backups and other copies; otherwise the data has not really been deleted. Then you can reuse the freed-up space for newer data. <br />
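The three steps above (policy, identification, deletion) as one runnable script. This is an added example, not code from the original post: the classifications, retention periods, store locations and sizes are assumptions constructed for the example, not figures from any legislation. A record flagged with a legal hold is kept regardless of its retention period, and data with no defined period is kept and reported for review rather than silently deleted.<br />

```python
# Added example (not from the original post): apply a data retention policy
# to an inventory of stored data and decide what can be deleted.
# The classifications, retention periods, locations and sizes below are
# assumptions constructed for the example, not figures from any legislation.
from dataclasses import dataclass
from datetime import date, timedelta

# Step 1, the policy: classification -> days to retain after the business
# need ends. Data with no defined period is kept and flagged for review.
RETENTION_DAYS = {
    "personal": 365,           # delete a year after it is no longer needed
    "transactional": 7 * 365,  # kept longer for audit purposes (assumed period)
    "marketing": 90,
}

# Date on which the plan is computed (fixed so the example is reproducible).
AS_OF = date(2014, 1, 27)


@dataclass(frozen=True)
class StoredRecord:
    """One identified data store: where it is and how it is classified (step 2)."""
    location: str        # bucket, table, file share, backup set ...
    classification: str
    last_needed: date    # date the business need for the data ended
    size_bytes: int
    legal_hold: bool = False   # litigation hold overrides the policy


def disposition(record, today):
    """Return ('delete', reason) or ('keep', reason) for one record."""
    if record.legal_hold:
        return ("keep", "legal hold")
    days = RETENTION_DAYS.get(record.classification)
    if days is None:
        return ("keep", "no retention period defined for %r" % record.classification)
    expiry = record.last_needed + timedelta(days=days)
    if today >= expiry:
        return ("delete", "retention expired on %s" % expiry.isoformat())
    return ("keep", "retained until %s" % expiry.isoformat())


def plan_deletions(records, today):
    """Step 3: return (records to delete, bytes reclaimable, human-readable report)."""
    to_delete, reclaimable, report = [], 0, []
    for r in records:
        action, reason = disposition(r, today)
        report.append("%-6s %-26s %-13s %s" % (action, r.location, r.classification, reason))
        if action == "delete":
            to_delete.append(r)
            reclaimable += r.size_bytes
    return to_delete, reclaimable, report


# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    StoredRecord("crm/customers-2011.csv", "personal", date(2012, 6, 1), 500_000_000),
    StoredRecord("erp/invoices-2012", "transactional", date(2012, 12, 31), 2_000_000_000),
    StoredRecord("mkt/campaign-2013q2.db", "marketing", date(2013, 7, 1), 50_000_000),
    StoredRecord("hr/dispute-2013", "personal", date(2013, 1, 1), 10_000_000, legal_hold=True),
    StoredRecord("shared/misc-dump", "unclassified", date(2010, 1, 1), 900_000_000),
]

if __name__ == "__main__":
    to_delete, reclaimable, report = plan_deletions(SAMPLE_INVENTORY, AS_OF)
    print("\n".join(report))
    print("reclaimable: %.0f MB across %d stores" % (reclaimable / 1e6, len(to_delete)))
```

Running it on the constructed inventory marks the old customer file and the finished campaign database for deletion, keeps the invoices (audit period not yet over), the record under legal hold and the unclassified dump, and reports the bytes that could be reclaimed. The reason string next to each decision is what you hand to the data owner before anything is actually removed.<br />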
<br />
<br />
<br />
Money saved.....hopefully!!<br /><br /><br /><br /><br />alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com0tag:blogger.com,1999:blog-456496077409731969.post-52015373233552912932013-12-26T11:03:00.001+01:002013-12-26T11:03:25.798+01:00OWASP Switzerland Chapter Meeting December 2013<div class="moz-text-html" lang="x-western">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.owasp.org/images/thumb/2/2e/Owasp_switzerland_logo.png/180px-Owasp_switzerland_logo.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://www.owasp.org/images/thumb/2/2e/Owasp_switzerland_logo.png/180px-Owasp_switzerland_logo.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">OWASP Switzerland</td></tr>
</tbody></table>
<h3 dir="ltr">
Highlights </h3>
<div dir="ltr">
At our recent
chapter meeting (including beer and addictive crisps*), which was kindly hosted by Credit Suisse in Zürich, we had an
interesting discussion about application security and OWASP. Obviously
no definitive conclusion was reached - but then that is not the point.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Topics included whether OWASP is obsessed with XSS at the
expense of other issues. If your application does not have an audit trail, is this as big a risk as an XSS vulnerability? This could be generalized to ask if there
is too much emphasis on the purely technical and not enough on less tangible
issues such as risk. It was noted that the OWASP Top 10 is
now based on risk and also that the new OWASP CISO project attempts to address
more management type concerns.</div>
<div dir="ltr">
<br /></div>
There was also discussion of the open/closed source debate
and the advantages of each. The consensus seems to be that both are
here to stay, so development houses should have programs in place to handle both.<br />
<h3 dir="ltr">
2014 Plans</h3>
<div dir="ltr">
For 2014 the OWASP Swiss chapter is planning 6 meetings beginning in February and every two months after that. Keep an eye on the mailing list and on the OWASP Switzerland website etc. for more details.</div>
</div>
<div class="moz-text-html" lang="x-western">
As usual if
any of you would like to give a talk on any particular topic then don't
be shy.<br /><div dir="ltr">
<br /></div>
<div dir="ltr">
A few ideas:<br />
- Agile development and security<br />
- Risk and application security<br />
- Demos of OWASP products</div>
<h3 dir="ltr">
Useful Links</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/Switzerland">OWASP Switzerland</a></li>
<li><a href="http://twitter.com/owasp_ch">OWASP Switzerland Twitter: @OWASP_ch</a> </li>
<li><a href="https://www.owasp.org/index.php/OWASP_Application_Security_Guide_For_CISOs_Project">OWASP Application Security Guide For CISOs Project</a></li>
<li><a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">OWASP Top 10</a></li>
</ul>
<div dir="ltr">
<br /></div>
<div dir="ltr">
* Americans call them chips - but they're wrong. </div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
<br /></div>
</div>
alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com0tag:blogger.com,1999:blog-456496077409731969.post-17077911567514649852013-11-24T19:58:00.001+01:002013-11-24T19:58:55.095+01:00PCI PA DSS and General Application Security<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.pcisecuritystandards.org/images/logo.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="59" src="https://www.pcisecuritystandards.org/images/logo.gif" width="200" /></a></div>
<div style="text-align: left;">
<h2>
Introduction </h2>
</div>
<div style="text-align: justify;">
This blog entry looks at how to use the PCI PA DSS in your general application security program. </div>
<div style="text-align: justify;">
</div>
<div style="text-align: left;">
<div style="text-align: justify;">
The PCI PA DSS (Payment Card Industry Payment Application Data Security Standard) version 3 has just been released. According to the standard:</div>
<blockquote class="tr_bq">
<div style="text-align: justify;">
"The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data". </div>
</blockquote>
<div style="text-align: justify;">
It applies to software vendors who develop applications which process payment cards (credit or debit cards). This is separate from the main PCI DSS (Payment Card Industry Data Security Standard), which applies to any organization that stores, processes or transmits payment card information. The PA-DSS is targeted at developers.<br /><br />While it is aimed at applications which are used to process payment card information, it can also be used as a general standard for application security. If you are involved in application security, you should have a look at the PA-DSS because you may get some useful tips from it.<br /><br />The standard contains 14 requirements. While some of these are specific to payment cards, most of the requirements can apply to general application security. In each requirement simply replace "payment application" with "application" and "cardholder data" or "PAN" with "sensitive data", and the contents can apply to any application. The application is the software application that you are developing and "sensitive data" is any sensitive data that your application may be processing, e.g. personal information. The phrase "software vendor" can be replaced by "software developer", essentially the team that is developing your application.<br /><br />What is the best way to use the standard for general application security? When designing your application, go down through each of the requirements in the PA-DSS document and ask the following types of questions.</div>
<ul style="text-align: justify;">
<li>Does this requirement potentially apply to my application?</li>
<li>What is the risk of not implementing this requirement in my application?</li>
</ul>
<div style="text-align: justify;">
<br />Alternatively, if you have a secure development program within your organization, go down through the PA-DSS, perform a gap analysis and see if there are tasks which you should incorporate into your security program.<br /><br />For example, requirement 5 covers the elements of a secure development program. This should really be the first requirement. Are there sections in requirement 5 which you can incorporate into your program? Requirement 4 covers application audit trails. In particular, it includes the types of information that should be stored in the audit log itself. Audit requirements are often left out of general application security requirements. However this is one area which can be expensive to retrofit but relatively cheap to incorporate if it is included from the beginning of the development.<br /><br />Download and read the PA-DSS standard itself. Each requirement consists of a number of different subsections, laid out in 3 columns. Column 1 gives the requirement itself. Column 2 describes the testing procedure that an auditor or tester would follow to see if the requirement has been implemented correctly. Column 3 gives general guidance. In reviewing the standard, you should concentrate on columns 1 and 3. <br /><br />The following sections give a very brief overview of each of the requirements. However you should download and read the actual standard.</div>
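What "incorporating audit requirements from the beginning" looks like in code, for the audit trail discussed here and under Requirement 4 below. This is an added example, not code from the original post or from the PCI Security Standards Council. It records for every event the fields PCI DSS requirement 10.3 lists (PA-DSS 4.3 mirrors them: user, event type, date and time, success or failure, origin, affected resource); check the standard's own text for the exact wording before relying on the list. The event names, the one-JSON-object-per-line format, the list of details refused from the log, and the sample log lines are assumptions constructed for the example.<br />

```python
# Added example (not from the original post, nor code from the PCI SSC):
# an application audit trail that records, for every auditable event, the
# fields PCI DSS requirement 10.3 lists (PA-DSS 4.3 mirrors them), and a
# checker that reports stored log lines missing any of them. Event names,
# the JSON-lines format, the refused details and the sample lines are
# assumptions for the example.
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = (
    "user",       # user identification
    "event",      # type of event
    "timestamp",  # date and time
    "outcome",    # success or failure indication
    "origin",     # origination of the event, e.g. client IP address
    "target",     # identity of the affected data, component or resource
)

# Details an audit log must never capture (assumed policy: secrets and card data).
FORBIDDEN_DETAILS = ("password", "pan", "cvv", "cvc", "pin", "token")

FIXED_TIME = datetime(2013, 11, 24, 19, 58, tzinfo=timezone.utc)  # reproducible output


def audit_event(user, event, outcome, origin, target, now=None, **details):
    """Build one complete audit entry; raise rather than write an incomplete or unsafe one."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    for key in details:
        if key in REQUIRED_FIELDS or key.lower() in FORBIDDEN_DETAILS:
            raise ValueError("refusing to log detail %r" % key)
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    entry = {"user": user, "event": event, "timestamp": stamp,
             "outcome": outcome, "origin": origin, "target": target}
    entry.update(details)
    for field in REQUIRED_FIELDS:
        if not entry[field]:
            raise ValueError("audit field %r is empty" % field)
    return entry


def to_log_line(entry):
    """Serialise as one JSON object per line (easy to ship and to parse later)."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def missing_fields(line):
    """Return the required fields a stored log line lacks (all of them if unparseable)."""
    try:
        entry = json.loads(line)
    except ValueError:
        return list(REQUIRED_FIELDS)
    if not isinstance(entry, dict):
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]


def audit_gaps(lines):
    """Map 1-based line numbers to their missing fields, for lines that have gaps."""
    gaps = {}
    for number, line in enumerate(lines, 1):
        missing = missing_fields(line)
        if missing:
            gaps[number] = missing
    return gaps


# Constructed sample log: one good line and three defective ones.
SAMPLE_LOG = [
    to_log_line(audit_event("alice", "login", "success", "203.0.113.7", "webapp", now=FIXED_TIME)),
    '{"user":"bob","event":"export","timestamp":"2013-11-24T19:59:00+00:00",'
    '"origin":"198.51.100.9","target":"customers"}',              # no outcome
    '{"event":"login","outcome":"failure","timestamp":"2013-11-24T20:00:00+00:00",'
    '"origin":"198.51.100.9","target":"webapp"}',                 # no user
    "Nov 24 20:01:00 webapp: something happened",                # not structured at all
]

if __name__ == "__main__":
    for number, missing in audit_gaps(SAMPLE_LOG).items():
        print("line %d is missing: %s" % (number, ", ".join(missing)))
```

The writer refuses to emit an entry that is incomplete or that carries a password or card number, so the application cannot drift into "free text" logging later; the checker is the test you run against the log store during review, which is exactly the kind of check that is cheap now and painful to retrofit.<br />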
<h4>
Requirement 1:Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data</h4>
This is fairly specific to payment card applications and is probably irrelevant to your application.<br /><h4>
Requirement 2: Protect stored cardholder data</h4>
Read through the requirement. Where it talks about cardholder data or PANs (Primary Account Numbers), replace it with "sensitive data" and see whether any of the recommendations apply to your application. Does data need to be encrypted or masked in some way when it is being stored?<br /><h4>
Requirement 3: Provide secure authentication features</h4>
Secure authentication features apply to any application where authentication is required. It talks about username requirements and the types of password features that may be used. <br /><h4>
Requirement 4: Log payment application activity</h4>
This requirement covers audit trail considerations. Does your application need an audit trail? In particular, requirement 4.3 covers the data that an application should record. This requirement is often neglected.<br /><h4>
Requirement 5: Develop secure payment applications</h4>
This covers good development practices and should probably be the first requirement. Production data should not be used in test systems. It talks about secure code reviews and security training for developers. There should be a "formal process for secure development of applications". Requirement 5.2 covers the OWASP Top 10 type risks. <br /><h4>
Requirement 6: Protect wireless transmissions</h4>
This is fairly specific to payment type applications and probably does not apply to most general applications.<br /><h4>
Requirement 7: Test payment applications to address vulnerabilities and maintain payment application updates </h4>
</div>
<div style="text-align: left;">
Test the applications properly and keep them patched.<br /><h4>
Requirement 8: Facilitate secure network implementation</h4>
Essentially this is saying that the application should not have a negative security impact on the environment in which it is deployed. For example, it should not require insecure services such as FTP.<br /><h4>
Requirement 9: Cardholder data must never be stored on a server connected to the Internet</h4>
Your sensitive application data must be stored securely. It should not be on a server connected directly to the internet.<br /><h4>
Requirement 10: Facilitate secure remote access to payment application</h4>
If remote access is required to your web application then it should be implemented securely. Remote access should only be enabled when it is required and should only be allowed from specific IP addresses. Two-factor authentication should be implemented. Default usernames and passwords should be changed.<br /><h4>
Requirement 11: Encrypt sensitive traffic over public networks</h4>
Any sensitive data that your application processes should be encrypted as it travels over public networks. In most cases this means using SSL/TLS over the internet. However, note that the standard itself mentions a number of other technologies, including Bluetooth.<br /><h4>
Requirement 12: Encrypt all non-console administrative access</h4>
Your application should not use technologies such as telnet for administrative access. SSH, VPN, or SSL/TLS should be implemented.<br /><h4>
Requirement 13 and Requirement 14</h4>
These probably do not apply to general applications.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<h2>
Useful Links</h2>
</div>
<div style="text-align: left;">
<ul>
<li><a href="https://www.pcisecuritystandards.org/index.php">PCI Security Standards Council</a> </li>
<li><a href="https://www.pcisecuritystandards.org/security_standards/pcidss_agreement.php?association=padss">PCI PA DSS Version 3</a></li>
</ul>
</div>
alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com0tag:blogger.com,1999:blog-456496077409731969.post-81608097916895597232013-10-26T09:51:00.001+02:002013-10-26T20:05:11.816+02:00ISO 27001:2013, 27002:2013 and James JoyceThe latest versions of the two ISO flagship standards are now available through <a href="http://www.iso.org/iso/search.htm?qt=27001&sort_by=rel&type=simple&published=on&active_tab=standards">ISO</a> and other standards organisations such as <a href="http://www.bsigroup.com/en-GB/iso-27001-information-security/">BSI</a><br />
<br />
They are a bit like James Joyce's novel "Ulysses". Everybody agrees it's great, but very few have actually read it.<br />
<br />
The problem with the ISO standards is that they are expensive. Each one costs in the region of £100. They are not for the casual user. On the other hand, they will be valid for the next 7 to 8 years, going by the lifespan of previous versions. If you are seriously interested in Information Security, you should consider investing.<br />
<br />
Of the two, 27002:2013 is probably the more useful. It lists various security controls that could be implemented across a range of areas.<br />
<br />
The site <a href="http://www.iso27001security.com/html/27002.html">http://www.iso27001security.com/html/27002.html</a> gives a good overview of the contents of the 27002 standard.<br />
<br />
If you don't want to fork out the money, then consider looking at the NIST Special Publication series. These are free. Start with <a href="http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf">Managing Information Security Risk</a> (SP 800-39). This is the flagship document in the series. Section 1.3 links to the other important documents within the Special Publication series. Note that the NIST documents are meant to align with the ISO standards:<br />
<blockquote class="tr_bq">
<div dir="ltr">
"The concepts and principles contained in this publication are intended to implement for federal information systems and organizations, an information security management system and a risk management process similar to those described in ISO/IEC standards"</div>
</blockquote>
<br />
<br />
<br />alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com12tag:blogger.com,1999:blog-456496077409731969.post-39463107054697991362013-05-27T21:25:00.000+02:002013-05-27T21:25:45.771+02:00So secure that it's insecureA few months ago, Jeremiah Grossman, WhiteHatSec CEO, gave a detailed account of the efforts he had to go through to get access to his encrypted disk image. He had forgotten his password.<br />
<br />
Luckily, it all worked out in the end. With the help of very smart people, he managed to retrieve the password.<br />
<br />So we know the encrypted disk image was very secure since even he could not access it.<br />
<h2>
But was it secure?</h2>
Let's start with two definitions from ISO 27000:2012<br /><br /><b>Availability</b>:<br /><i>property of being accessible and usable upon demand by an authorized entity.</i><br /><br /><b>Information Security</b>:<br /><i>preservation of confidentiality (2.13), integrity (2.36) and availability (2.10) of information</i><br /><br />The definitions show us that "availability" is an important aspect of information security. The data must be "available on demand". In this case, the data was clearly not available on demand. Therefore the preservation of availability was not achieved. This means that an information security "event" occurred.<br />
<br />
The<b> </b>encrypted disk image was so secure that it was insecure. The ultimate insider attack.<br /><br />Agreed, the logic outlined above is a bit contorted, but you get the idea.<br /><br />Most people think about security in terms of confidentiality - the system was "hacked". However, don't forget that availability is the third leg of the information security triad:<br />
<ul>
<li>confidentiality</li>
<li>integrity</li>
<li>availability </li>
</ul>
For a system to be secure, it must preserve all three properties.<br />
<br />
<br />
<h2>
Useful Links</h2>
<ul>
<li><a href="http://standards.iso.org/ittf/PubliclyAvailableStandards/c056891_ISO_IEC_27000_2012%28E%29.zip">ISO/IEC 27000:2012</a> (Free) </li>
<li><a href="http://blog.whitehatsec.com/cracking-aes-256-dmgs-and-epic-self-pwnage">WhiteHatSec blog:Password Cracking AES-256 DMGs and Epic Self-Pwnage</a></li>
</ul>
<br />
<br />alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com0tag:blogger.com,1999:blog-456496077409731969.post-88981688451133381072013-05-20T18:03:00.001+02:002013-05-20T18:06:14.950+02:00Irish Data Protection Commissioner - Annual Report 2012The Irish Data Protection Commissioner released his annual report for 2012. It is worth having a quick look through the press release and report to see what are the current issues. It is especially worth reading the appendix 4 on the INFOSYS system, which gives access to data held within the department of Social Protection's system.<br />
<br />
To quote from the press release:<br />
<ul>
<li>"One of the major themes in this year’s report concerns the issue of <b>sharing personal data in the public sector</b> which has featured regularly in previous annual reports from this Office". 
</li>
</ul>
The importance of audit trails is stressed in relation to who accessed data. This is of particular importance in the public sector where you usually don't have a choice as to whether you appear in the database or not. Usually in the private sector, you have some sort of say about the sites that you use. <br />
<br />
A number of cases are highlighted where data was accessed inappropriately by users of the INFOSYS system.<br />
<br />
In addition, some members of the Police Force are shown to have accessed the PULSE Police system inappropriately to look at information on celebrities.<br />
<br />
<b>This matters. </b><br />
<br />
A few weeks ago, the Irish Independent reported on the powers that the Revenue Commissioners now have. Revenue Commissioners boss Josephine Feehily told a Government committee: <br />
<ul>
<li>"that tax officials can now trawl through reams of data, including bank accounts and mobile phone numbers, to spot cheats."</li>
</ul>
This sounds like the kind of stuff that the old East German secret police could only have dreamed of, and it will only get worse. Governance in relation to how public bodies manage personal data is vital. The audits carried out by the Data Protection Commissioner are critical in making sure that there is some sort of proper security in place.<br />
<ul>
<li>How is this data used?</li>
<li>Is this data misused and abused? </li>
<li>How is the "mobile phone" and "bank account" data made available to the Revenue?</li>
<li>Is it deleted when no longer necessary?</li>
<li>Who has access to this data?</li>
<li>Is there an audit trail of all access?</li>
<li>etc.....the list goes on.</li>
</ul>
<br />
One good thing is that the Commissioner says that his office is adequately funded.<br />
<br />
<h2>
Useful links</h2>
<div>
<ul>
<li><a href="http://dataprotection.ie/docs/20-05-13--Annual-Report-2012/1304.htm">Irish Data Protection Commissioner - 2012 Annual Report</a></li>
<li><a href="http://dataprotection.ie/docs/20-05-13--Press-Release--Launch-of-Annual-Report-2012/1300.htm">Irish Data Protection Commissioner - 2012 Press Release</a></li>
<li><a href="http://www.independent.ie/irish-news/big-brother-software-will-find-tax-cheats-says-feehily-29255514.html">Irish Independent: 'Big Brother' software will find tax cheats, says Feehily</a></li>
</ul>
</div>
alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com1tag:blogger.com,1999:blog-456496077409731969.post-753189787389119622013-04-22T22:19:00.000+02:002013-04-22T22:20:38.412+02:00ICO Breach Statistics 2012<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9dx4-V5WFMs9M8Hb93p1JTTif8I6FZ__wPUSXC5IMWBBgE4mSLVWa_OzuxHcpOgtHdFgsPow-mfvW11CRhmbLOJFahyEgKdNit384sZbp11Lvq0NSI6agnMBfyTVTBR-1BL-rWuISaA/s1600/icologo.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9dx4-V5WFMs9M8Hb93p1JTTif8I6FZ__wPUSXC5IMWBBgE4mSLVWa_OzuxHcpOgtHdFgsPow-mfvW11CRhmbLOJFahyEgKdNit384sZbp11Lvq0NSI6agnMBfyTVTBR-1BL-rWuISaA/s1600/icologo.gif" /></a></div>
In 2012 the ICO (Information Commissioner's Office) in the UK found 5 websites to be in breach of the Data Protection Act.<br />
<br />
The ICO lists the actions that it takes against organizations that it deems to be in breach of the Data Protection Act. This also serves as a useful source of statistical information, which this blog entry briefly explores. There are a number of different actions that the ICO can take:<br />
<ul>
<li>Monetary Penalty Notices, </li>
<li>Undertakings</li>
<li>Enforcement Notices</li>
<li>Prosecutions</li>
</ul>
<h3>
Overall Statistics</h3>
For 2012 here are the overall statistics.<br />
<br />
<table border="0">
<tbody>
<tr>
<th><br /></th>
<th><br />
Total for Action</th>
<th>Nr for Web<br />
Application</th>
</tr>
<tr>
<td><b>Monetary Penalty Notices</b></td>
<td style="text-align: center;">24</td>
<td style="text-align: center;">1</td>
</tr>
<tr>
<td><b>Undertakings</b></td>
<td style="text-align: center;">29</td>
<td style="text-align: center;">4</td>
</tr>
<tr>
<td><b>Enforcement Notices</b></td>
<td style="text-align: center;">3</td>
<td style="text-align: center;">0</td>
</tr>
<tr>
<td><b>Prosecutions</b></td>
<td style="text-align: center;">6</td>
<td style="text-align: center;">0</td>
</tr>
<tr>
<td><b>Overall Total</b></td>
<td style="text-align: center;"><b>62</b></td>
<td style="text-align: center;"><b>5</b> </td>
</tr>
</tbody></table>
<br />
There were 62 incidents, of which 5 relate to websites. Given the number of online applications that process personal information, 5 seems a remarkably small number.<br />
<br />
Here is a high level overview of the web application incidents.<br />
<br />
<i><b>Monetary Penalty:</b></i><br />
<ul>
<li>6th August: Sensitive personal information relating to 1,373 employees was published on the website. </li>
</ul>
<i><b>Undertakings:</b></i><br />
<ul>
<li>1st March: Disclosure of personal information in training materials published on its website</li>
<li>17th April: a web design error that created the potential for unauthorised access to individual’s personal data </li>
<li>18th April: Two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.</li>
<li>30th November: A private area on the website was accessible to members of the public </li>
</ul>
<br />
<h3>
The Rest of the Incidents</h3>
The rest of the cases are made up of a mixture of the usual suspects:<br />
<ul>
<li>Information being sent to the wrong recipient. </li>
<li>Paper files left in waste bins. </li>
<li>Unencrypted memory sticks. </li>
<li>Hard drives not securely erased at end of life.</li>
<li>etc.</li>
</ul>
<br />
It is worth taking a look at the ICO's enforcement page to get a feel for the kind of problems that exist. There is no real pattern. Website issues are only a small proportion of the overall numbers, which shows how difficult it can be for a security manager to put a comprehensive security program in place. <br />
<br />
<h3>
Useful Links</h3>
<ul>
<li><a href="http://www.ico.org.uk/enforcement">ICO Enforcement</a> </li>
</ul>
<h3>
</h3>
alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com1tag:blogger.com,1999:blog-456496077409731969.post-21801608817159395692013-04-18T22:32:00.001+02:002013-04-18T22:41:19.533+02:00Information Security Error Caused Austerity<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNmVpP4gisGUBOmeDxaYIsaT4zvcwAtuifHNOoIyS6fvsSHos91TaZSDFC-hEU9eai2GFDcVhFYg-0jW4VssVT8R5Wk6AzW7UHZMZhy5jcdA7zgPLW4lHfBXw3pZSDQfTyCOvq1wXKpg/s1600/Austerity.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNmVpP4gisGUBOmeDxaYIsaT4zvcwAtuifHNOoIyS6fvsSHos91TaZSDFC-hEU9eai2GFDcVhFYg-0jW4VssVT8R5Wk6AzW7UHZMZhy5jcdA7zgPLW4lHfBXw3pZSDQfTyCOvq1wXKpg/s200/Austerity.jpg" width="200" /></a></div>
The headline of which we dream.<br />
<br />
It looks like there was an Excel coding error in one of the main academic papers which brought this age of austerity upon us. The spreadsheet that the authors used is not accurate.<br />
<br />
The Roosevelt Institute blog has all the dirty details.<br />
<br />
Now for the Information Security angle. We all know that information security is about protecting the confidentiality, integrity and availability of <br />
<br />
According to ISO 27000, information security is the<br />
<ul>
<li>"preservation of confidentiality, integrity and availability of information"</li>
</ul>
Also according to ISO27000, integrity is the <br />
<ul>
<li>"property of protecting the accuracy and completeness of assets"</li>
</ul>
The Roosevelt blog shows that the Excel spreadsheet was not accurate.<br />
Since the accuracy isn't protected, then there is an integrity issue.<br />
And since there is an integrity issue, there is an Information Security issue.<br />
<br />
<b>QED.</b><br />
<br />
Imagine having to tell the people of Europe that all these austerity measures are the result of an Information Security problem in an Excel Spreadsheet.<br />
<br />
<b>Useful Links</b><br />
<ul>
<li><a href="http://www.nextnewdeal.net/rortybomb/researchers-finally-replicated-reinhart-rogoff-and-there-are-serious-problems">Roosevelt Institute Blog: Researchers Finally Replicated Reinhart-Rogoff, and There Are Serious Problems.</a> </li>
<li> <a href="http://standards.iso.org/ittf/PubliclyAvailableStandards/c056891_ISO_IEC_27000_2012%28E%29.zip">ISO/IEC 27000:2012</a> </li>
</ul>
<br />
<br />
<br />
<br />alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com0tag:blogger.com,1999:blog-456496077409731969.post-11750552825136461712013-04-08T21:30:00.000+02:002013-04-08T21:30:04.717+02:00ISO 2700x Standards on the Cheap(ish)Most people agrees that ISO 2700x family of security standards are a good idea. But like James Joyce's Ulysses, how many have actually read it? <br />
<br />
The big problem is that they are expensive to acquire. A casual user is
probably unwilling to fork out the money. Even in big organizations it
can be difficult to get hold of the standards. <br />
<br />
The two main standards, ISO 27001:2005 and ISO 27002:2005, cost CHF 134 (approx. $143) each on the ISO store. And there are a lot more standards in the family.<br />
<br />
Recently I discovered that you can purchase the main 27001 and 27002 standards from ANSI for $30 each. See Useful Links below. This is a big saving compared to the standard ISO price. The main difference is that the branding is from INCITS (InterNational Committee for Information Technology Standards). The text itself seems to be the same. Of the two, 27002 is the more useful, as it lists many best practice security controls or measures that you can implement in your organization. The other ISO 2700x standards are not available so cheaply through ANSI.<br />
<br />
You can also download ISO/IEC 27000:2012 "Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary" for free.<br />
<h3>
Useful Links</h3>
<ul>
<li> <a href="http://standards.iso.org/ittf/PubliclyAvailableStandards/c056891_ISO_IEC_27000_2012(E).zip">ISO/IEC 27000:2012</a> (Free) </li>
<li><a href="http://webstore.ansi.org/RecordDetail.aspx?sku=INCITS%2fISO%2fIEC+27001-2005">ANSI INCITS/ISO/IEC 27001-2005</a> ($30)</li>
<li><a href="http://webstore.ansi.org/RecordDetail.aspx?sku=INCITS%2fISO%2fIEC+27002-2005">ANSI INCITS/ISO/IEC 27002-2005</a> ($30)</li>
<li><a href="http://en.wikipedia.org/wiki/Ulysses_%28novel%29">Ulysses (Priceless)</a> </li>
</ul>
<h3>
</h3>
<br />alexisfitzghttp://www.blogger.com/profile/11125069272250693078noreply@blogger.com0tag:blogger.com,1999:blog-456496077409731969.post-44420460813645838192013-04-04T21:55:00.000+02:002013-04-04T21:55:16.026+02:00Which is it ? - Cyber Attacks cause Huge Losses or no Losses<h2>
Do cyber attacks cause real damage or not? </h2>
<br />
According to Bloomberg:<br />
<br />
<i>"The 27 largest U.S. companies reporting cyber attacks say they sustained
no major financial losses, exposing a disconnect with federal officials
who say billions of dollars in corporate secrets are being stolen." </i><br />
<br />
Are these companies telling the truth? These reports are based on recent filings with the Securities and Exchange Commission (SEC), so one would imagine they should be fairly honest.<br />
<br />
According to the BBC:<br />
<br />
<i>"In 2012, the head of MI5 Jonathan Evans said the scale of attacks was "astonishing".<br /><br />One major London listed company had incurred revenue losses of £800m as a result of cyber attack from a hostile state because of commercial disadvantage in contractual negotiations."</i><br />
<br />
If it's a listed company, would they not have to reveal the loss in their annual report? Does anybody know who this company is? <br />
<br />
If you are interested, it's worth reading the paper "Measuring the Cost of Cybercrime" by Ross Anderson and associates.<br />
<br />
<h3>
Useful Links:</h3>
<ul>
<li>BBC: <a href="http://www.bbc.co.uk/news/uk-21945702">Anti-cyber threat centre launched</a></li>
<li>Bloomberg: <a href="http://mobile.bloomberg.com/news/2013-04-04/cyberattacks-abound-yet-companies-tell-sec-losses-are-few.html">Cyberattacks Abound Yet Companies Tell SEC Losses Are Few</a> </li>
<li><a href="http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf">Measuring the cost of CyberCrime</a> (PDF)</li>
</ul>
<br /><b>The Economist article on cyber-security - A Spook Speaks</b> (1 July 2012)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://media.economist.com/sites/all/themes/econfinal/images/the-economist-logo.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="http://media.economist.com/sites/all/themes/econfinal/images/the-economist-logo.gif" /></a></div>
This week, The Economist has an article on business and cyber-security.<br />
<blockquote class="tr_bq">
"Its costs may be hard to count, but cybercrime has companies worried."</blockquote>
They also have an online debate to accompany the article.<br />
<br />
On the one hand, the article doesn't say very much. But it is worth reading because this is the type of article about information security that business people are more likely to see. And these are the kind of people to whom we should be trying to get our information security message across. It helps to be able to reference resources in publications such as The Economist.<br />
<br />
<b>Useful Links:</b><br />
<ul>
<li><a href="http://www.economist.com/node/21557817">The Economist: A spook speaks</a> </li>
<li><a href="http://www.economist.com/debate/days/view/853">The Economist: Cybersecurity Debate</a></li>
</ul><br /><b>Tuesday Top Tip - Slow Password Hashing</b> (26 June 2012)<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOQgHwDC1_FNEwYyfThG1be-UC1-h8LUms1sXaL-8dK0FjTRy1DZVQ6Fr-JjpMGef_RY2Q1ouF_mkKUxr1EOMLcGgkrrbMoP8iwnkapZErAxTG_v_D4A4RUAPaSjjvF1YwoJlPLpE0vg/s1600/SlowCooking.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOQgHwDC1_FNEwYyfThG1be-UC1-h8LUms1sXaL-8dK0FjTRy1DZVQ6Fr-JjpMGef_RY2Q1ouF_mkKUxr1EOMLcGgkrrbMoP8iwnkapZErAxTG_v_D4A4RUAPaSjjvF1YwoJlPLpE0vg/s1600/SlowCooking.jpg" /></a>Like Slow Cooking, Slow Password hashing seems to be in vogue at the moment, using hashing algorithms such as bcrypt or PBKDF2. Troy Hunt has a mega in-depth look at the subject on his blog, with an emphasis on asp.net. This comes after recent incidents such as with LinkedIn and eHarmony.<br />
<br />
So the general recommendation would seem to be that for new projects you should consider using a slow password hashing algorithm to protect your users' passwords. I say "consider using" because there is a performance overhead associated with using these approaches which you need to be aware of.<br />
<br />
<h3>
However.....</h3>
It's also worth remembering that if you end up in a situation where you are praying that a slow hashing algorithm will protect passwords and save you, then you have other BIGGER problems. <br />
<br />
To get at your well-hashed passwords in the first place, an attacker will likely have hacked your database anyway and gotten at the other information held in it: names, addresses etc. This is the bigger issue. Somehow, hackers got access to the LinkedIn password table in the first place.<br />
<br />
So before embarking on a major exercise to introduce slow password hashing, it's worth spending time ensuring that the baddies can't get at the password table in the first place. <br />
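As an added example, not code from the original post or from Troy Hunt's article, here is the slow-hashing pattern in Python using the standard library's PBKDF2-HMAC: a random per-user salt, an iteration count stored alongside the hash so it can be raised later, constant-time verification, and a calibration helper that makes the performance overhead the post warns about explicit. The iteration count and target time are assumptions; bcrypt would serve the same purpose.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example (not from the original post): PBKDF2-HMAC-SHA256 password
# storage with a per-user salt and a tunable work factor (iteration count).

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000   # assumption: tune this for your own hardware
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        # A fresh random salt per user: identical passwords get different hashes,
        # so a precomputed table cannot be reused across accounts.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations),
                                 dklen=KEY_BYTES)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than the current target,
    so it can be upgraded transparently at the user's next successful login."""
    return int(record.split("$")[1]) < iterations


def calibrate_iterations(target_seconds: float = 0.1, start: int = 10_000) -> int:
    """Double the iteration count until one hash takes at least target_seconds here.
    This is the overhead the post mentions: every login pays this cost, so the
    figure must be chosen against real login volume, not just attacker cost."""
    iterations = start
    salt = os.urandom(SALT_BYTES)
    while True:
        began = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", salt, iterations, dklen=KEY_BYTES)
        if time.perf_counter() - began >= target_seconds:
            return iterations
        iterations *= 2
```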
<br />
<b>Useful Links</b><br />
<ul>
<li><b><a href="http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html">Troy Hunt: Our password hashing has no clothes </a> </b></li>
<li><a href="http://www.365daysofcrockpot.com/">365 days of Slow Cooking</a></li>
<li><a href="http://www.bbc.com/news/technology-18338956">BBC:LinkedIn passwords leaked by hackers</a></li>
<li><a href="http://news.cnet.com/8301-1009_3-57460253-83/analysis-eharmony-had-several-password-security-fails/">CNET: Analysis: eHarmony had several password security fails</a></li>
</ul>
<br />
<br /><b>Spread Betting Websites and Security Controls</b> (15 June 2012)<br /><h3>
<b>Summary</b></h3>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieeGrA44ccbIOXXD3HBNSxbZve2zDUec3JHnRmrn3cb-z3wGjRwFHhd-FD9hoh71kMK3-rbHNjOtRFysnhKPdwTdd_FhT05NDKSHYQlofWf-oWaGPWxAlp06MKe6Gmvajl40NHsrwGzQ/s1600/spreadexlogo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieeGrA44ccbIOXXD3HBNSxbZve2zDUec3JHnRmrn3cb-z3wGjRwFHhd-FD9hoh71kMK3-rbHNjOtRFysnhKPdwTdd_FhT05NDKSHYQlofWf-oWaGPWxAlp06MKe6Gmvajl40NHsrwGzQ/s1600/spreadexlogo.jpg" /></a>Should spread betting websites be using two factor authentication and shorter session timeouts?<br />
<br />
<h3>
<b>Background</b></h3>
The spread betting company, Spreadex, recently sued a customer in a London court for £50,000 which the customer had lost through trades in Spreadex. The customer claimed that the transactions had been made by his girlfriend's young son. The boy had access to the laptop to play games over a number of days, and seems to have initiated the transactions which caused the losses. <br />
<br />
Interestingly, the court found for the customer on the basis that he couldn't be expected to read through all the pages of terms and conditions and, thus, the contract was unfair. We'll see if Spreadex appeals.<br />
<br />
<h3>
<b>The Security </b>Angle</h3>
However, from a security perspective, the case throws up a number of interesting issues.<br />
<br />
The first point to make is that spread betting websites involve money. As the court case shows, a customer can make or lose a significant amount of money on the website. When hard cash is involved, you really need to think about the security mechanisms. This applies to both the punter and the website.<br />
<br />
The consumer needs to be careful about the environment where he uses the application. If he uses the PC to make bets worth thousands of pounds then you have to question whether the PC can also be used as a general toy.<br />
<br />
<h3>
<b>Website Security</b></h3>
But the focus of this blog is on website security. Given the value and classification of the data that spread betting sites process, the types of security controls built into the application are important. So here are a number of thoughts:<br />
<br />
Is single-factor authentication sufficient to protect these financial transactions? Most online banking websites use some form of two-factor authentication to authorise transactions. Like online banks, the spread betting application involves significant transactions. Should they not consider using two-factor authentication also? No doubt this would be an expensive undertaking and could well be overkill. Another option would be forcing the user to re-enter their password when a transaction is initiated. This would probably have prevented this incident.<br />
<br />
Timeouts are also an important security mechanism. After a period of inactivity the application session should time out. The next time the customer uses the application, he should be forced to log on again. Absolute timeouts force a session to terminate after a defined period of time, regardless of whether the user has been active or not. Could shorter timeouts have helped in this situation?<br />
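As an added example, not code from the original post or from Spreadex, here is a minimal Python session store that applies both controls discussed above: an inactivity timeout and an absolute timeout that each force a fresh logon, plus a step-up check that refuses a trade unless the password was re-entered recently. The timeout values and the clock injection are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original post): idle timeout, absolute timeout,
# and re-authentication before a money-moving transaction.

IDLE_TIMEOUT = 5 * 60        # assumption: seconds of inactivity before the session ends
ABSOLUTE_TIMEOUT = 60 * 60   # assumption: hard lifetime regardless of activity
REAUTH_WINDOW = 60           # assumption: a trade needs a password entered this recently


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    last_reauth: Optional[float] = None


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so timeouts can be tested without sleeping
        self.sessions: dict = {}

    def login(self, session_id: str, user: str) -> Session:
        now = self.clock()
        # A fresh login counts as a recent password entry.
        s = Session(user=user, created_at=now, last_seen=now, last_reauth=now)
        self.sessions[session_id] = s
        return s

    def get(self, session_id: str) -> Optional[Session]:
        """Return the live session, or None (and drop it) once either timeout has passed."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        now = self.clock()
        if now - s.created_at > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[session_id]   # next request must log on again
            return None
        s.last_seen = now                   # activity only extends the idle timer
        return s

    def reauthenticate(self, session_id: str, password_ok: bool) -> bool:
        """Record a successful password re-entry; password_ok is the outcome of
        the application's normal credential check, not performed here."""
        s = self.get(session_id)
        if s is None or not password_ok:
            return False
        s.last_reauth = self.clock()
        return True

    def place_trade(self, session_id: str, amount: float) -> str:
        """Step-up check: a trade is only accepted shortly after the password was re-entered."""
        s = self.get(session_id)
        if s is None:
            return "denied: session expired, log on again"
        if s.last_reauth is None or self.clock() - s.last_reauth > REAUTH_WINDOW:
            return "denied: re-enter password to confirm this trade"
        return f"accepted: {s.user} traded {amount:.2f}"
```

With these settings the laptop scenario in the post would have stalled at the re-entry prompt, and a session left open for hours would have been closed by the absolute timeout regardless of activity.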
<br />
Now, these types of security mechanisms run directly into the usability/security conundrum. The more security controls you have, the more user-unfriendly the application becomes. So it can be a difficult balancing act.<br />
<br />
The bottom line is that you need to consider your security requirements at the start of any development project. A threat analysis should not only cover direct threats against your application, but also threats that arise in the end-user environment.<br />
<br />
<b>Useful Links:</b><br />
<ul>
<li><b><a href="http://www.theregister.co.uk/2012/05/31/high_court_rules_against_bookmaker_in_online_betting_losses_case/print.html">The Register: Online bookie can't scoop £50k losses made by 5-year-old</a> </b> </li>
<li><a href="http://www.metro.co.uk/news/899768-boy-5-made-50-000-loss-on-spread-betting-website">Metro: Boy, 5, made £50,000 loss on spread-betting website</a></li>
</ul><br /><b>Data Deletion and DFDs</b> (1 June 2012)<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8_RRIQ8XntT5_7d_toGo0Dt51hEg9du4dsZfWENw_hFZpbYThfXwhqSml8eUR0TpB2ugKovKUrcEOWtOp3l3PtF758VBSSLH2pyEqZuwkjVIy2dXUd8B0RmhUHrYPhB8mkSgA8LwznA/s1600/nhstrustlogo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8_RRIQ8XntT5_7d_toGo0Dt51hEg9du4dsZfWENw_hFZpbYThfXwhqSml8eUR0TpB2ugKovKUrcEOWtOp3l3PtF758VBSSLH2pyEqZuwkjVIy2dXUd8B0RmhUHrYPhB8mkSgA8LwznA/s1600/nhstrustlogo.jpg" /></a>The Information Commissioner's Office (ICO) in the UK just handed out a £325,000 fine to Brighton and Sussex University Hospitals NHS Trust after decommissioned hard drives were sold on eBay. Basically drives containing very sensitive information which were meant to have been destroyed, somehow found their way onto eBay. The NHS trust is appealing the decision.<br />
<br />
When creating your Data Flow Diagrams (DFDs) you should also think about secure deletion of data from devices when they have reached the end of their life. In addition to asking how data is stored on devices, you should also ask what happens to these devices (hard drives etc.) when they have reached the end of their life.<br />
<br />
Make sure to have proper procedures in place to prevent this kind of thing happening.<br />
<br />
<br />
<br />
<b>Useful Links</b><br />
<ul>
<li><a href="http://security.cbronline.com/news/ico-hands-out-biggest-ever-fine-to-surprised-nhs-trust-010612">ICO hands out biggest ever fine to 'surprised' NHS Trust</a> </li>
<li><a href="http://www.ico.gov.uk/what_we_cover/taking_action/%7E/media/documents/library/Data_Protection/Notices/bsuh_monetary_penalty_notice.ashx">ICO Notice (PDF)</a></li>
</ul><br /><b>Tuesday Top Tip - EU Cookie Directive Deadline in the UK Fast Approaching</b> (22 May 2012)<br />
If you are in the UK, you have four days to become (finally) compliant with the EU cookie directive. The (real) deadline is May 26th 2012. A year ago, the Information Commissioner gave you a year to comply. So what to do?<br />
<br />
<h2>
Approach 1 - Information Commissioner's Office - ICO</h2>
A relatively simple approach is to copy the approach taken by the Information Commissioner's office (ICO) itself. Go to the <a href="http://www.ico.gov.uk/">ICO </a>website and you will see the following at the top of the page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKUITFGKn4aD6yKL7ZZsOiPnijRVZvr4f3AXbXv9C0UCCOTj5JAiXBTUY33ix5mC2QBcDADffYvbqC2FlIRodIKM_Rt2iCM2B-ekAXPjNztYCLp83iwL0KKLkWDBHtUA3zi68UZf6lAQ/s1600/ICOCookiesHeaderMay2012.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKUITFGKn4aD6yKL7ZZsOiPnijRVZvr4f3AXbXv9C0UCCOTj5JAiXBTUY33ix5mC2QBcDADffYvbqC2FlIRodIKM_Rt2iCM2B-ekAXPjNztYCLp83iwL0KKLkWDBHtUA3zi68UZf6lAQ/s640/ICOCookiesHeaderMay2012.jpg" width="640" /></a></div>
<br />
You can click on the "I accept cookies..." button to accept cookies. If you don't click, each time you go to the site you will see that message. If you do click, then you won't see it again.<br />
<br />
<h2>
Approach 2 - BT </h2>
A more comprehensive approach comes from BT. When you go to the <a href="http://www.bt.com/">BT</a> website, you will be prompted with the following window<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDQ_skCI9I2hsmQSuVQP0UvaEeFrKq_cZQvz4mf6XJL_naG79oaHr2tDn1LmRxfL-xkzsrYbmaPAYTS0YurQBBkxyD_dmR4r17RS4nM7Gz-Xj6p5yyIbyy8T14euNtVM5G37-ixPBZMg/s1600/BTCookies1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDQ_skCI9I2hsmQSuVQP0UvaEeFrKq_cZQvz4mf6XJL_naG79oaHr2tDn1LmRxfL-xkzsrYbmaPAYTS0YurQBBkxyD_dmR4r17RS4nM7Gz-Xj6p5yyIbyy8T14euNtVM5G37-ixPBZMg/s400/BTCookies1.jpg" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you click on Change settings, you are presented with the following screen, which allows you to set the level of cookies you will accept using a drag bar. You then choose Save and Close. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPfYVlotYJxuIoR3SbjFtWfEQhKWITx-asaJ4tM8hRur_YTuw1ED3Qyqg7NOZ1I6u0Ef4aKjomZtvh8BUi8XvnhVmNl2b0QZEbjvdsU3ACPgdTCF6vk6F1OHGS4Ymz-Rwyk0bdnwqrug/s1600/BTCookies2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPfYVlotYJxuIoR3SbjFtWfEQhKWITx-asaJ4tM8hRur_YTuw1ED3Qyqg7NOZ1I6u0Ef4aKjomZtvh8BUi8XvnhVmNl2b0QZEbjvdsU3ACPgdTCF6vk6F1OHGS4Ymz-Rwyk0bdnwqrug/s400/BTCookies2.jpg" width="350" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
So those are two approaches. The ICO one is simpler and might be easier to implement in the short term. The BT approach is more elegant but would take longer to implement.<br />
<br />
<br />
<b>Useful Links</b><br />
<ul>
<li><b><a href="http://www.ico.gov.uk/">ICO Website</a> </b></li>
<li><a href="http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx">ICO Cookie Guidance</a></li>
<li><a href="http://www.bt.com/">BT Website</a></li>
<li><a href="http://blogs.wsj.com/tech-europe/2012/05/21/u-k-cookie-crackdown-begins/?mod=google_news_blog#">Wall Street Journal: U.K. Cookie Crackdown Begins</a></li>
<li><a href="http://www.channelregister.co.uk/2012/05/22/ico_on_cookies_law_compliance_help_others/">The Register: ICO: Managed to comply with Cookies Law? Go help the other kids</a> </li>
</ul>
<br /><b>2 Microsoft Research Papers to Read</b> (19 May 2012)<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJSMaQp9WK-K2LmnbFQs4zcwu4_jhYv6UFwVXhiU-EGZbTsOKjS_Jj5h7HTiEYhfuD4t1AIpytELjf-v08i5YEUQgg6KT_IpVTUrke0BolXjCmn7saMHQsq6HDoid-DlUwOyF0rh8_Vw/s1600/MicrosoftResearchLogo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJSMaQp9WK-K2LmnbFQs4zcwu4_jhYv6UFwVXhiU-EGZbTsOKjS_Jj5h7HTiEYhfuD4t1AIpytELjf-v08i5YEUQgg6KT_IpVTUrke0BolXjCmn7saMHQsq6HDoid-DlUwOyF0rh8_Vw/s200/MicrosoftResearchLogo.jpg" width="200" /></a>Two interesting papers from Microsoft Research, both from June 2011. Interesting because they seem to go against the prevailing trend that we are all doomed as a result of poor security. They are worth reading to get an alternative point of view. You can skip over the mathematical equations if that is not your thing. <br />
<br />
<b>"Sex, Lies and Cyber-crime Surveys"</b> argues that cyber crime surveys are in general pretty rubbish. It discusses the difficulty of performing surveys properly, especially on relatively rare phenomena. From section 4.3:<br />
<ul>
<li>"Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings."</li>
</ul>
Of particular interest to application security people is the following from the conclusion:<br />
<ul>
<li>"The importance of input validation has long been recognized in security. Code injection and buffer overflow attacks account for an enormous range of vulnerabilities. You should never trust user input" says one standard text on writing secure code. It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy. A single exaggerated answer adds spurious billions to an estimate, just as a buffer overflow can allow arbitrary code to execute." </li>
</ul>
<br />
The second paper, <b>"Where Do All The Attacks Go?"</b> tries to answer the question "Why isn't everyone hacked every day?" Here's the abstract:<br />
<ul>
<li>"The fact that a majority of Internet users appear unharmed each year is difficult to reconcile with a weakest-link analysis. We seek to explain this enormous gap between potential and actual harm. The answer, we find, lies in the fact that an Internet attacker, who attacks en masse, faces a sum-of-effort rather than a weakest-link defense. Large-scale attacks must be profitable in expectation, not merely in particular scenarios. For example, knowing the dog's name may open an occasional bank account, but the cost of determining one million users' dogs' names is far greater than that information is worth. The strategy that appears simple in isolation leads to bankruptcy in expectation. Many attacks cannot be made profitable, even when many profitable targets exist. We give several examples of insecure practices which should be exploited by a weakest-link attacker but are extremely difficult to turn into profitable attacks."</li>
</ul>
The main conclusion is that it is difficult to calculate risk accurately if you are basing your calculations on cyber-crime surveys. It is more useful just to concentrate on the impact of a threat.<br />
<br />
<b>Useful Links:</b><br />
<ul>
<li><a href="http://research.microsoft.com/apps/pubs/default.aspx?id=149886"><b>Microsoft Research: Sex, Lies and Cyber-crime Surveys</b></a> </li>
<li><a href="http://research.microsoft.com/apps/pubs/default.aspx?id=149885">Microsoft Research: Where Do All the Attacks Go?</a></li>
</ul><br /><b>SDLC Quick Reference Updated</b> (6 May 2012)<br />
I have updated the <a href="http://blog.alexisfitzg.com/2011/01/web-application-sdlc-quick-reference_16.html">SDLC Quick Reference</a>. The reference is essentially a list of security related tasks which you should think about at the start of an online development.<br />
<br />
By following these steps, you are much more likely to develop a secure end result.<br />
<br />
The main change from the previous version is the first section. You should identify a list of technologies that the application will use. Then find out how to use these technologies securely, both in development and in deployment.<br />
<br />
<b>Useful Links:</b><br />
<ul>
<li><a href="http://blog.alexisfitzg.com/2011/01/web-application-sdlc-quick-reference_16.html">SDLC Quick Reference</a></li>
</ul>