Wednesday, November 25, 2015

Social Engineering, Countering The Threat

Would You Buy A Used Monument From This Man?
"Count" Victor Lustig, con-man and Social Engineer, famously sold the Eiffel Tower. Twice.

Like accomplished Social Engineers of today, he was meticulous in his planning, thorough in his research, and had an excellent understanding of human nature. He managed all of this without Google, Facebook, Twitter, or even his own printer, back in 1925. Modern Social Engineers have it easy. What scams would Victor (real name Robert Miller) have to his name if he were around today? Which world leaders, CEOs, or politicians would be his victims?

360is have written a short guide to defending against modern social engineering attacks, and are now introducing our social engineering services to clients and partners by means of a presentation. If you are concerned that a modern day Lustig may find your organisation and its information assets easy prey, then we can help. Get in touch.

Social Engineering + Converged Communications = Bad For Security

John, I'm afraid I've got some very bad news for you.
We've recently learned that even the Director of the CIA can't keep hackers out of his e-mail. A teenager hacked into CIA Director John Brennan's AOL account. He says he did so by posing as a Verizon employee to other Verizon staff to get personal information about Brennan's account, as well as his bank card number and his AOL e-mail address. Then he called AOL and pretended to be Brennan. Armed with the information Verizon had just given him, he convinced AOL customer service to reset his password.

Brennan didn't have a bad password, he didn't e-mail it to anyone, and he wasn't even tricked into entering it into a fake web page. The security failure here belonged to AOL and Verizon, and it wasn't even a technical failure at that: customer service staff at both companies accepted a caller's claimed identity on the strength of information that had itself been obtained by impersonation. Now Brennan's e-mail is on WikiLeaks and in a thousand articles.

Security experts including 360is have long recommended two-factor authentication to all of our clients, and yet still relatively few organisations have this kind of authentication. Their reasons? Cost, complexity, and (in)convenience. Over the last 20 years a number of different companies have attempted to tackle the three Cs; some of the more recent attempts make use of mobile devices and "soft tokens" on those devices, or they use instant messaging as a supposedly secure channel to convey a passcode or challenge/response.
Is there such a thing as too much convergence?

What if we are using multi-factor authentication, but thanks to the wonder of converged communications all of our factors converge upon one single device, normally a smartphone or tablet? What if that device were itself compromised? Mobile devices can be cloned, rooted, or otherwise compromised just like any computer. How would that possibility change the level of trust you place in these kinds of multi-factor authentication? What if I am also trying to log in to the secure service in question from that very same mobile device? If an attacker has my phone under his control, or has bamboozled me into doing something with it which helps him, what happens to "defence in depth" and "fail safe"? The service at the far end sees a correct password and a correct one-time code; it has no way of knowing that both came from the same compromised handset.

For these reasons, and because we don't think using two-factor authentication should mean you have to trust a third-party organisation, we recommend keeping your factors as separate as possible for as long as possible. Talk to us if you want to harden your organisation against hackers, social engineers, and end users who sometimes make poor security choices.

Monday, October 19, 2015

High Performance, Low Latency, Hyper-Converged Computing

Recently 360is implemented several systems for clients who needed very high performance within a stated budget, and who had limited physical space and power to work with. For these clients we designed hyper-converged compute/storage units built from non-proprietary, commercial off-the-shelf components, supportable by their in-house IT team. Thanks to recent advances in storage technology it is now possible to obtain very high performance for a fraction of the cost of a traditional Server + SAN approach. Better still, these systems aren't subject to the vendor's ideas of life-span (often artificially foreshortened), and can remain operational for 5, 10, or more years if required. You, the customer, remain in control.
  • 70GB/sec streaming transfers, 4M IOPS, 4U of space, 5TB to 250TB raw capacity, 2.5PB per rack
  • 2GB/sec streaming transfers, 480TB raw capacity, 4U of space, 4.8PB per rack
  • 75% less power for a given performance level
  • 3X to 6X the performance when compared to similarly priced Server + SAN
  • On-site spares for instant access to replacement parts, forever
  • Scale-out capability with clustered filesystems like Lustre, GlusterFS, and Ceph
  • No chance the vendor can make the systems obsolete
If you are challenged to provide performance, either on-premise or in the cloud, then a hyper-converged system may be for you, and it will certainly have a longer lifetime without vendor or service lock-in. For a fixed cost, a properly designed hyper-converged system has, in our engagements, delivered significantly more performance than Server/SAN systems. Let us know your constraints and we can give you an immediate indication of whether hyper-converged is for you.

About 360is
Our scientific approach to performance analysis and engineering has been proven in previous engagements. We work with top 5 Investment Banks, Telcos, and technology vendors. If you have an IT performance problem that is impacting your business, contact us to arrange a no-obligation meeting with one of our consultants.

Wednesday, September 23, 2015

Countering The Social Engineering Threat

An increasing number of clients are experiencing social engineering attacks, either directly against their finances and information assets, or against the IT infrastructure upon which those assets depend for confidentiality and security.

Once, only immediately saleable commodities such as credit card numbers were targeted. Now criminals are seeking medical records, credit history files, general personal identity information, significant cash funds, and online social media account information, for purposes as diverse as blackmail, defamation, and identity or insurance fraud.

Highly targeted attacks often focus on uncovering commercial negotiating positions and cost-to-manufacture for orders, and on identifying the holders of intellectual property or purchasing authority within an organisation. Those defending against such attacks now need to consider far more than simple monetary loss.

360is have prepared a short briefing for those tasked with defending their organisation and users from social engineering attacks including Phishing, Pharming, Vishing and SMishing. It is intended as an introduction to the technical, procedural, and human elements of a successful social engineering defence.

If you would like assistance in implementing any of the measures described in the document, or in understanding your own organisation's vulnerability to social engineering attack, get in touch.

Download "Countering The Social Engineering Threat" here.

Thursday, June 11, 2015

City Security Magazine, How To Avoid Leaks

Leaks are news, whether they are about Governments, Corporations, or individuals. City Security Magazine, the print and digital magazine that promotes security issues across the UK, carries an article from 360is on how to reduce your chances of becoming the next SONY, NSA, US State Department, or celebrity to suffer a breach of Information Security and have private and confidential information leaked to the public domain.

360is are able to assist in improving your organisation’s Information Security posture, and in implementing the advice given in the article. While it may be impossible to guarantee that your confidential information will stay that way, you can significantly reduce the chances of the kind of widespread leak experienced by the US State Department, the NSA, or SONY.
To speak to one of our consultants, visit our contact page and request a meeting.

Wednesday, April 08, 2015

Meet 360is At InfoSecurity Europe 2015

Three Sixty Information Security Ltd will be at InfoSecurity Europe, Olympia, London, 2nd to 4th June 2015. We'll be meeting clients, partners, and friends among the 12,000 expected visitors and 330 stands at the show this year.

If you want to discuss the results of a penetration test, arrange a confidential meeting about a breach, or just need advice on how your organisation should handle the latest bug disclosures, get in touch. We will have technical consultants at the show.

Thursday, February 05, 2015

How do we validate a supplier has ISO 27001?

(c) Scott Adams
Most of the questions we get from our clients about ISO 27001, the standard for Information Security Management Systems, are about how they can implement this standard and possibly achieve certification. We covered some of that in our previous blog post.

The "other" question we get asked less often is "how do we validate a supplier or partner that claims to follow ISO27001 or claims to have been certified now or in the past?"
You may be surprised by the answer.

There is no such thing as a complete, current list of ISO 27001 certified companies.

That's right, it is impossible to obtain a definitive list of companies with ISO certification.

The creation of such a central list has been attempted in the past more than once, and for several ISO standards (notably ISO 9000), but such lists have always been incomplete and prone to going out of date. Part of the reason for this is that there is a competitive market between certification bodies: they don't want to share their list of clients, or even indicate how many clients in total they might have, or how many might once have held a certification which has since expired. Companies go out of business, get acquired, divested, and restructured, and all of these things mean that an ISO certificate issued in the past may not count for much in the present unless the certified company has kept up with its maintenance audits (surveillance audits, as we call them in ISO-speak).

Your best hope is to speak to the certification body the certificate holder used. For example, BSI allows you to query a certificate number against their database of clients to see whether it was issued and is still current. Not all certification bodies have such an online service, and if you don't know who issued the certificate then you are out of luck. Two further checks are worth making even when the certificate is genuine: that the scope statement printed on it actually covers the service or site you are buying from (a certificate for one office or one product line says nothing about the rest of the business), and that the certification body is itself accredited (in the UK, by UKAS), since anyone can print a certificate.

360is is able to perform due diligence against your suppliers and partners to determine the strength of their information security, whether or not they have undergone any formal certification. If their technology, processes, or procedures do not provide adequate protection for your sensitive data, we are able to describe and implement improvements. If you are faced with meeting strict information security compliance targets yourself, we can help you formulate an appropriate response and programme of improvements to meet expectations. Talk to one of our consultants.

Wednesday, February 04, 2015

ISO 27001, how do we prepare and what does it cost?

Need help preparing for ISO 27001? (c) Scott Adams
ISO/IEC 27001 is a standard providing requirements for an Information Security Management System (ISMS). It is part of the ISO 27000 family of standards, all of which help organisations keep information assets secure.

Like other ISO standards, some organisations choose purely to implement the standard in order to benefit from what it contains, while others decide they also want to get certified to reassure customers or clients that its recommendations have been followed. There are many Information Security standards out there (within specific industries, or for specific countries); ISO 27001 is one of the more widely recognised. 360is have been helping companies implement the technical controls within ISO 27001 and its predecessors since the mid-90s. While we don't certify you against ISO 27001, we can help you prepare for your certification and pass your annual audits by having a strong Information Security posture.

What is an ISMS?
The Information Security Management System is a system in the broadest sense of the word. It is a mixture of people, processes, and IT systems (hardware, software, products and services) which allow you to manage risks relating to sensitive company information so that it remains secure. An ISMS isn't just a product you buy, or a configurational change you make. Rather like a religion with rites and ceremonies, it is something you must observe every day.

Control-Point Versus Procedural Standards
There are two kinds of IT Security standards in this world: those that are control-point based and those that are procedure-based. ISO 27001 is control-point based, meaning that it tells you what controls need to be in place to ensure the right outcome. It is not a prescriptive "how-to" for the configuration of your IT. A control-point standard can be said to apply across a broad range of organisations with different sizes and operational patterns because the standard steers clear of the minutiae. Procedure-based standards can struggle to cater for such a broad range of organisations. However, IT staff find control-point standards harder to translate into technical configuration. 360is helps companies translate the control-point objectives of ISO 27001 into practical technical configuration, procedures, and documentation.

How Much Does ISO 27001 Cost?

The cost of getting ISO 27001 certification depends on:
  • The size of your company and scope of the ISO 27001 certificate
  • The maturity level of your ISMS 
  • The gap between the current state and the desired state of the control environment
  • The in-house capability/capacity to develop the ISMS and close the gaps
  • How quickly the certificate is required
If you are a large organisation, wishing to certify the whole of your operations, and you have not previously invested much in an ISMS, or in people with the skills to build and operate such a system, then you are going to have to spend more getting ISO 27001. These costs come from three places:
  • The first is the cost of getting your ISMS up to scratch, "pre-certification"
  • The second is the certification process itself
  • The third is the cost of your annual certification audit in years 2 and beyond
Given the fact that there are so many variables, we will use a real client of ours as an example:
  • 50 staff, 1 office, in the UK
  • Processes sensitive data, some personally identifiable information, for medium sized banks
  • Co-locates at two UK data centers
  • Provides software (SaaS) at these data centers
  • Has a control environment that, while previously subject to external review, would still be best referred to as immature and non-fully documented
  • Has staff that are technical but not ISO 27001/ISO 27002 aware
  • Pressure from clients for independent attestation, some ask for ISO 27001
  • Need to achieve certificate (without great disruption to business) within 1 year
  • Requires a fair degree of ISO-27001 consulting to prep for the certification audit
The “external” costs to become ISO 27001 certified were:
  • Pre-certification Part 1: £15,000 (Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Part 2 Remediation Plan)
  • Pre-certification Part 2: £15,000 (Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
  • Certification Audit: £15,000
  • Total cost for ISO 27001 certificate: £45,000
To this one-time cost we can add the recurring costs from year 2 onward: the annual external surveillance audit (£5,000) and an internal ISMS audit (£5,000).

Of these costs, the pre-certification is likely to be by far the greatest, unless you are already well prepared. It is also possible that pre-certification costs for your organisation could be significantly higher than those shown here. We have known organisations need up to £50,000 of pre-certification work on their existing ISMS. Finally, you should also consider the omissions below carefully:

Omissions: We ignore other associated annual costs such as annual penetration testing, maintenance and support costs of the ISMS infrastructure, and the cost of any staff (new or existing) or training required to operate the ISMS. We ignore the costs of new products (hardware/software) or services which you may need to build an ISMS if you do not already have something suitable to work with. If your organisation is very large or very complex, you will have a lot of Information Security to manage. The cost of the management systems/software may be significant.

Concluding Remarks
ISO 27001 is not a one-time exam; it is more like a religion. It is a commitment to do things the right way every day, and to submit to regular audits to confirm you are observing the religion's practices every day, not just when the vicar comes to tea. The total cost of ISO 27001 certification depends in large part on the status and strength of your existing ISMS, which should not come as a surprise.

If you would like help preparing for ISO 27001, straightforward advice on improving your Information Security posture, or help answering Information Security challenges from clients or the regulator, talk to us.

Tuesday, January 20, 2015

High Performance Computing Advisory Council Conference, CSCS Switzerland, March 23rd - 25th

Lugano, Location of the 2015 HPCAC Conference
Three Sixty will be attending the 2015 High Performance Computing conference held in Lugano, Switzerland from March 23rd to 25th.
The conference brings together system managers, researchers, developers, computational scientists, students and industry partners for cross-training and to discuss recent HPC developments and future advancements. This year the topics will be:
  • High Speed Networks
  • High Performance & Parallel I/O
  • Communication libraries: MPI, SHMEM, PGAS
  • GPU computing, CUDA, OpenCL
  • Big Data
There will be practical workshops for clustering, networks, troubleshooting, tuning, and optimisation.

Will we see some British companies there this time?

Three Sixty helps UK organisations adopt new, high performance computing technologies and methods. To find out why it is vital that UK organisations do this, talk to us.