Watch your ex-employees, warns Secret Service

ISSN 1361-3723 May 2005

Featured this month: The Mobile hazard - a fad or formidable threat?

A quarter of the population of this planet now uses mobile phones, and the phones themselves are becoming more complex, with more advanced processing capabilities; in effect they are looking more like PCs. So far phones have not faced the security onslaught undergone by their desktop counterparts, but mobile malware is definitely becoming more feasible. Malware needs a critical mass of potential victims, and it needs enough functionality to disrupt. Mobile phones can now satisfy both needs. The most prominent strike so far has been Cabir, which hit Symbian systems and spread over Bluetooth; the worm was held back, however, by the short range of Bluetooth, which limits it to victims in the physical vicinity. A more sophisticated piece of malicious code, dubbed Commwarrior, looked much more like the mass-mailers we see on desktops: it spread over the Multimedia Messaging Service (MMS) and picked its targets from the phone's address book. Turn to page 4...

Watch your ex-employees, warns Secret Service

The US Secret Service warns companies to beware of ex-employees with a grudge in its latest Insider Threat Study report. The study, carried out in conjunction with the CERT program at the Carnegie Mellon Software Engineering Institute, found that the majority of insider attacks against organizations come from former employees.

The report, which focused on 49 cases of insider sabotage against critical infrastructure sectors, found that ex-staff were driven by revenge after experiencing trauma at work. Most of them then went on to attack their former organization through remote access. "The power of a terminated employee with system administrator access should not be underestimated," said Dawn Cappelli, senior member of the technical staff with CERT. "Some organizations completely neglect disabling access upon termination. Others go through the steps to disable access, but the insider is able to find that one access control gap that was overlooked." Turn to page 2...

Risk assessments: a business and technical communion

Risk assessments offer recommendations that are often too basic for IT security professionals; on the other hand, technical staff often lack business knowledge. The result is that key controls are often ignored. Assessments are increasingly becoming mainstream business concerns with the rising significance of corporate governance, and in the current climate the business and technology aspects must be intrinsically linked when an assessment is formulated. Turn to page 8...

Contents

NEWS
Watch your ex-employees, warns Secret Service (page 1)
Hampshire police smart with cards (page 2)
Blades cut out the users (page 2)

FEATURES
Mobile Malware: Handheld hazards: the rise of malware on mobile devices (page 4)
Risk assessments: a business and technical communion (page 8)
Risk Control: Risk control: a technical view
Intellectual Property: Aspects of intellectual property management
Interview: Interview - new chief of ISC2 (page 15)
Voice security: Tackling voice security (page 16)
ID theft: Identity theft - theft, loss and giveaways (page 18)

REGULARS
News in brief (pages 3, 4)
Events (page 20)

Computer Fraud & Security
ISSN 1361-3723/05 © 2005 Elsevier Ltd. All rights reserved.

Editorial office: Elsevier Advanced Technology, PO Box 150, Kidlington, Oxford OX5 1AS, United Kingdom. Tel: +44 (0)1865 843645. Fax: +44 (0)1865 853971. E-mail: [email protected]. Website: www.compseconline.com
Editor: Sarah Hilley
Editorial Advisors: Peter Stephenson, US; Silvano Ongetta, Italy; Paul Sanderson, UK; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production/Design Controller: Colin Williams
Printed by: Mayfield Press (Oxford) Limited

NEWS

Watch your ex-employees, warns Secret Service
Continued from page 1

More than half of the insiders (57%) exploited systemic vulnerabilities in applications, processes and/or procedures to get back at their employer, and 60% of them compromised computer accounts, created unauthorized backdoor accounts or used shared accounts in the process. "It is important that technical staff are attentive to the obscure methods used in the insider attacks in this study," said Cappelli. The report recommends that organizations do the following to thwart attacks:

· Disabling access following termination.
· Management attention to negative events in the workplace.
· Establishing formal grievance procedures as an outlet for insider complaints.
· Creating reporting processes for when a colleague notices or suspects concerning behaviour.
· Enforcing comprehensive password policies, computer account management practices and layered security for remote access.
· Using configuration management practices for detection of logic bombs and malicious code.
· System logging and monitoring, and backup and recovery procedures.
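As an added illustration (it is not part of this article or of the Secret Service/CERT report), the following Python script shows how three of those recommendations (disabling access at termination, managing computer accounts, and logging and monitoring of remote access) can be reduced to a reconciliation check that runs an HR roster and a directory export against remote-access log lines. It flags exactly the patterns the study describes: a terminated account that was never disabled, remote logins after the termination date, an administrative account with no HR owner (a candidate backdoor account), and remote use of shared accounts, and it correlates the source address of a terminated employee with any other account seen from the same address. All names, addresses, dates and the field layout of the roster, directory and log are constructed assumptions for the example.

```python
"""Offboarding reconciliation check (added example, constructed data).

Inputs are assumptions for illustration: an HR roster keyed by employee id,
a directory export keyed by account name, and a VPN log with one
"timestamp account source result" event per line.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: employee id -> (account name, termination date or None).
HR_ROSTER = {
    "E1001": ("jsmith", None),
    "E1002": ("bmarsh", date(2005, 3, 11)),  # terminated admin, never disabled
    "E1003": ("lwong", date(2005, 2, 2)),    # terminated, correctly disabled
}

# Constructed directory export: account -> (enabled, admin, owning employee id or None).
DIRECTORY = {
    "jsmith": (True, False, "E1001"),
    "bmarsh": (True, True, "E1002"),
    "lwong": (False, False, "E1003"),
    "svc_backup2": (True, True, None),  # no HR owner: candidate backdoor account
    "helpdesk": (True, False, None),    # shared account with no individual owner
}

# Constructed remote-access log lines (RFC 5737 documentation addresses).
VPN_LOG = """\
2005-03-10T22:14:03 bmarsh 203.0.113.7 success
2005-03-14T01:02:55 bmarsh 203.0.113.7 success
2005-03-14T01:05:10 svc_backup2 203.0.113.7 success
2005-03-15T09:30:00 jsmith 198.51.100.20 success
2005-03-16T03:12:41 helpdesk 203.0.113.7 failure
2005-03-16T03:12:59 helpdesk 203.0.113.7 success
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    account: str
    detail: str


def parse_vpn_log(text):
    """Parse the constructed log format into (timestamp, account, source, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, result = line.split()
        events.append((datetime.fromisoformat(ts), account, src, result))
    return events


def reconcile(hr_roster, directory, vpn_log_text):
    """Return the list of Findings for the given roster, directory and log."""
    findings = []
    term_by_account = {acct: term for acct, term in hr_roster.values() if term is not None}
    events = [e for e in parse_vpn_log(vpn_log_text) if e[3] == "success"]

    # Disable access at termination: any terminated employee still enabled.
    for acct, term in term_by_account.items():
        enabled, _, _ = directory.get(acct, (False, False, None))
        if enabled:
            findings.append(Finding("enabled_after_termination", acct,
                                    f"terminated {term.isoformat()}, account still enabled"))

    # Account management: admin rights with no HR owner is the classic backdoor account.
    for acct, (enabled, is_admin, owner) in directory.items():
        if enabled and is_admin and owner is None:
            findings.append(Finding("unowned_admin_account", acct, "admin rights, no HR owner"))

    # Remote-access monitoring: logins after termination, and shared-account use.
    for ts, acct, src, _ in events:
        term = term_by_account.get(acct)
        if term is not None and ts.date() > term:
            findings.append(Finding("login_after_termination", acct,
                                    f"{ts.isoformat()} from {src}, terminated {term.isoformat()}"))
        elif acct in directory and directory[acct][2] is None:
            findings.append(Finding("shared_account_remote_login", acct,
                                    f"{ts.isoformat()} from {src}"))

    # Correlation: a source address seen with a terminated employee's account that
    # also appears with another account suggests the same person moved to a backdoor
    # or shared account, the "one access control gap" the report describes.
    sources_of_terminated = {}
    for _, acct, src, _ in events:
        if acct in term_by_account:
            sources_of_terminated.setdefault(src, set()).add(acct)
    for ts, acct, src, _ in events:
        if acct not in term_by_account and src in sources_of_terminated:
            users = ",".join(sorted(sources_of_terminated[src]))
            findings.append(Finding("source_reused_by_other_account", acct,
                                    f"{ts.isoformat()} from {src}, address also used by {users}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, VPN_LOG):
        print(f"{f.kind:32} {f.account:12} {f.detail}")
```

In a real deployment the roster would come from the HR system and the directory export from the domain, and the check would run on every termination and on a schedule, because the second and third findings only appear once the attacker has already used the gap; the first two checks are the ones that close it beforehand.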

Hampshire police smart with cards
Sarah Hilley

Police officers at the UK Hampshire Constabulary have been carrying smart-cards to log on to their computers and gain entry to their office buildings since early this year. The Force has opted for two-factor employee authentication from ActivCard, combining smartcard and PIN, to secure criminal records and protect investigations. Paul Harding, Information Security Officer at Hampshire Constabulary, said the smartcard implementation helps increase officer productivity and compliance with security standards. The introduction of cards for 6000 officers and staff means the Force can comply with national police guidelines, such as the Unified Police Security Architecture.

The system, which went live in January, took six months to deploy, said Marc Hudavert, vice president and general manager of ActivCard Europe. It allows officers to access the network without having to remember and enter passwords. They do not escape entirely, though, as they still have to remember a PIN. The card stores the officer's name and employee number, and carries credentials including digital certificates and static passwords. It does not hold biometric data, however.

Officers will use the card to authenticate themselves in many situations, including remote access, secure logon to Windows, single sign-on to the network, physical access and permitted application use. To help administer the process, Hampshire Constabulary also bought a management system from ActivCard, which handles the enrolment and issuance of cards. This links into the existing in-house directory, the central repository of all employee details. "The cost per user including software and hardware is about Euro 90 per user," said Hudavert.

Blades cut out the users
Nova Dudley-Gough

Computers are being locked away and users are being left with dumb terminals in the form of PC blades instead. The US Military has embraced blades as a solution to data leakage. A hospital in Oklahoma has also turned to blades to solve hygiene problems and prevent the spread of disease through computer usage. Although any implementation of IT in a hospital can be expensive, time consuming and laborious, there is no doubt that simply having a PC in the room can save lives. Doctors and nurses have patient data to hand and that time