Developing corporate information security – Step 2: Identify assets

This post is part of the Developing information security series. Please start reading from the first post.

What is really important for your company?  What are the information assets that your business is most dependent on?

Information assets include documents, data and information systems. It is crucial that a company knows what to protect. Every company has different assets to protect, and the assets may change as the company moves through different phases.

Typical assets to protect are:

  • Business information
  • Customer information
  • Product development information
  • Sales information
  • Production information
  • Human resources information
  • Critical information systems
  • Etc.

Let’s take a look at what is important for our case company DeepWhite Software.

Case DeepWhite Software – Identifying assets

DeepWhite gathers a cross-organisational team to identify its important assets.

Current business is based on customer deliveries. Although most projects are done on customer premises, some are developed on DeepWhite's premises. DeepWhite has its own development environment for these cases. The company does not have its own production servers; part of the customer deliveries are hosted at a third-party cloud service and managed by DeepWhite.

Projects done on customer premises are all hosted by the customer's IT department. As described in the first post, DeepWhite is launching its own product development, and this requires a separate development environment.

DeepWhite’s information security team identifies the following assets during their sessions:

  • Customer project development information and systems (including development servers, testing servers, version control system, source code, design documents etc.)
  • Product development information and systems
  • Bug tracking / ticketing system
  • Production servers
  • Finance information (billing, bookkeeping etc.)
  • Human Resources system

These are the information assets that DeepWhite is most dependent on. They shall be protected at the required level.

Step 2: Identify critical information assets

What risks and threats are the identified assets facing? The next step concentrates on threats and risk management.

Do you think that DeepWhite should have identified more assets? Please feel free to share your own experience.

Developing corporate information security – Step 1: Commitment

This post is part of the Developing information security series. Please start reading from the first post.

Commitment. In order to get anything done there has to be commitment. Someone has to be committed enough to push through the change.

Information security literature, standards and best practices always emphasise top management commitment for information security development. That is important in large companies, but here we are talking about small and medium-sized enterprises (SMEs) and commitment from a wider perspective.

SMEs do not usually have spare resources for internal development (such as a dedicated process development department). These kinds of projects are carried out alongside other daily tasks. I recommend that SMEs broaden the first step from management commitment to commitment in general.

Before going any further, the information security development team should be involved and committed to the project at hand. Otherwise there is always a customer project or an important meeting that postpones the final goal.

Let’s see how our case example company DeepWhite Software handles this. Please see the first post of the series for more information about DeepWhite.

Case DeepWhite Software – Commitment

Lately there has been a lot of noise about all sorts of information security violations. Motives for these violations vary from governmental interests to industrial espionage and hacktivism. News about password leaks and targeted attacks is spreading.

DeepWhite has grown and is working with several big customers. In conversations with customers there is more and more pressure on DeepWhite to develop its own information security practices. DeepWhite is planning to launch its own product development, so soon there will be more of its own assets to protect.

The Head of Development and the CEO both agree that at this point something has to be done. They gather a team of key persons to discuss security concerns. The team has members from all over the company. The team agrees that DeepWhite launches a corporate information security development project.

The team is committed and is spreading the word.

Step 1: Get management and organization commitment for information security development

Do you think that DeepWhite is handling commitment in the right way?

Developing corporate information security – Post series starts

This starts a post series that helps companies to systematically improve their information security. The series is intended mainly for small and medium enterprises (SMEs). We follow an imaginary case example of an SME called DeepWhite Software.

The case example is from the IT field, but the instructions in the following posts can be easily adapted to other information-centric industries.

Case DeepWhite Software

The case example DeepWhite Software (later DeepWhite) is a small company providing software development services, mainly for large local companies. DeepWhite is specialised in developing custom web applications.

DeepWhite facts and figures:

  • Founded two years ago
  • Privately held
  • 5.1 million euro revenue
  • 31 employees

Even though DeepWhite mainly provides software development services, it has some intellectual property (IP) of its own. DeepWhite has developed its own utility library that speeds up the development of web applications and gives a competitive advantage during the bidding phase.

The organisation structure is flat: there is a CEO and a few managers, each with their own area of responsibility. The company has three technical sales persons who handle both new customers and traditional account management. A big part of the sales comes from old customers that are developing new applications and improving old ones.

Development teams are formed for each customer case, and development is mainly done on customer premises.

The whole company started as one development project for its biggest customer. DeepWhite has grown rapidly, and the main focus has been on customer cases and deliveries.

During the customer projects, the teams have identified one product initiative that could be the next B2B hit. The company is now setting up its own product development and has set up a team of five for product realisation.

So far it has all been about customer cases, but now the company has grown and management sees a clear need for improvement in its information security practices.

We are ready to move into Step 1: Commitment.

T2’12 infosec conference, day 2

Day 2 started with “Draw Me A Trojan” by Yuval Polevoy / RSA. Polevoy spoke about an advanced multilayered trojan. The trojan uses several techniques to hide itself from AV software. Overall a very informative presentation on modern malware.

Next was “Finding Flame” by Costin G. Raiu (twitter: @craiu). Raiu presented the connections between the Flame, Stuxnet, Gauss and Duqu malware. The estimated total development cost of Flame is between $10-50 million. The cost of calculating the MD5 collisions utilised in Flame is $1.4-14 million. There are traces of several teams developing different modules for Flame. Raiu is an experienced speaker who can spice up the presentation with jokes etc. Really enjoyed it.

After the lunch break I attended “SAP Slapping” by Dave Hartley (twitter: @nmonkee) from MWR InfoSecurity. Hartley presented SAP systems from a penetration tester’s perspective. There is a lot of attack surface in most SAP systems because of misconfigurations. This was a totally new area of infosec for me.

The fourth one I attended was “Burping up the serialized communication” by Miika Turkia / Nixu. Miika presented a Burp Pro plug-in that he created in Ruby for testing serialized Java fat client – server communication. Miika also presented one “zero-day” vulnerability in Java. He had already reported it to Oracle two years ago.

The day ended with solving the T2’12 Challenge.

Great conference!

T2’12 infosec conference, day 1

I am attending the T2 infosec conference this year, and here is a wrap-up of the first day.

T2 is a small yet really high-profile international conference in Helsinki, Finland. There are only 99 seats available each year, so it is a really great opportunity to have a word or two with the speakers if you want to. This is my first time at T2.

The day started with opening words from the organiser Tomi Tuominen.

The keynote was given by Rick Falkvinge (twitter: @falkvinge), the founder of the Pirate Party movement. Falkvinge is a good speaker. He spoke about the early stages of the Pirate Party, how to make a change and a few words about leadership. Good keynote.

Then we moved to something more technical. The second speaker was Felix FX Lindner of Recurity Labs GmbH. He had studied the Huawei VRP platform used in Huawei routers. Results: Huawei copied code from the Cisco IOS platform, session hijacking of the web UI, a buffer overflow that could be used for owning the router and, last but not least, hardcoded passwords. Not the kind of list you would like to hear about your router provider.

The next one I attended was “Secure exploit payload staging” by Georg Wicherski from CrowdStrike. Georg talked about their participation in the Defcon 2011 CTF. An interesting story about the obfuscation, encryption etc. they used in the competition. Quite technical stuff.

After lunch I attended the Stonesoft / Olli-Pekka Niemi session about testing IPS systems. The session was called “Game of Lies”. Olli-Pekka pointed out some problems that most IPS vendors are not handling properly. It seems to be possible to bypass most IPS systems by using evasions. This is not detected in normal certification testing these days. Stonesoft has recently released their testing system for public use. Interesting points there.

After the coffee break it was time for the last presentation. The presentation was titled PinPadPwn and was presented by Nils of MWR InfoSecurity. The MWR guys had bought a bunch of used pinpads from various sources like eBay and studied their security. The results were impressive: it is basically possible to run your own code, stored on a specially crafted smart card, on the pinpads. Three nice demos were presented, two of them live. Hope these demos can be found online soon.

I left after the drinks and networking (great conversations, by the way). Some of the attendees headed for dinner after that.

A great first day, really looking forward to tomorrow.


Ryan Naraine’s blog post about day 1:

Could hashing protect your personal passwords at security breach?

This article is mainly targeted at information technology and security professionals.

I was one of the victims of the recent LinkedIn password hash leak (I found my password hash there, without the leading 0000). It made me wonder how my other passwords are protected. I know that there are services out there that do not even hash passwords but store them as plain text instead. (Update: Yahoo! Voice 450k passwords + emails leaked – an example of passwords stored as plain text.) This is a tricky situation, because we as human beings tend to either use the same password for many services or use something similar. A leak at any service could give attackers at least some sort of hint about my passwords at other services. So I came up with this idea of using hashes instead of the real password. So here we go:

Instead of entering a plain password, what if you created your passwords like this:

Service specific password + General password -> hash function -> Actual password to service

The service-specific password should be fairly easy to remember, and the general password can be more complex.

Simplified example:

  • Service-specific password (LinkedIn this time): LiNsalt
  • Your general password (same for every site): SF0HJxLs
  • Combined: LiNsaltSF0HJxLs

Calculate the hash (SHA-1 in this example):

UnixMachine:~ jani$ echo -n "LiNsaltSF0HJxLs" | shasum
2b7eccfe8022c631ff3c857412c53fdef29a56c0  -

And here we have a strong, unique password for the service. Because the hash function is one-way, a leaked service password gives an attacker no direct hint about the general password. Two caveats a practitioner should keep in mind: the derived password is only as strong as the general password, since an attacker who knows the scheme and obtains one plaintext password can brute-force the general password offline (SHA-1 is fast, and the only "salt" is the easy-to-guess service-specific part), and the output is 40 lowercase hex characters, which some services reject for length or for lacking mixed case and symbols.

Obviously this method needs some fine-tuning, but I hope the idea is presented clearly enough. Basic hash functions are available on all platforms, including the leading smartphone platforms, so it would not be a problem to generate these anywhere. Generally I like the idea that you don’t have to store passwords anywhere.
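The scheme above, worked through in Python as an added example (this is not the original post's code). It implements the post's SHA-1 derivation exactly as the shasum command does, then goes beyond the post in two ways: a hardened variant that uses PBKDF2 with the service name as salt and maps the output to a printable alphabet that satisfies typical complexity rules, and the offline guessing attack that shows why the general password carries all the security. The function names, the iteration count, the symbol set and the candidate list are assumptions made for this example.

```python
import hashlib
import string
from typing import Iterable, Optional

# Added example, not the original post's code. Names, the iteration count,
# the symbol set and the sample candidate list are assumptions.

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + SYMBOLS


def derive_sha1(service_secret: str, general_password: str) -> str:
    """The post's scheme: hex SHA-1 of service_secret || general_password.
    Equivalent to: echo -n "<service_secret><general_password>" | shasum
    Output is 40 lowercase hex characters."""
    combined = (service_secret + general_password).encode("utf-8")
    return hashlib.sha1(combined).hexdigest()


def derive_pbkdf2(service: str, general_password: str,
                  length: int = 20, iterations: int = 200_000) -> str:
    """Hardened variant: a slow, salted KDF instead of one fast SHA-1 call.
    The service name is the salt, so it need not be secret. The derived bytes
    are mapped onto a printable alphabet; the first four positions are drawn
    from fixed character classes so the result always contains an upper-case
    letter, a lower-case letter, a digit and a symbol."""
    key = hashlib.pbkdf2_hmac("sha256", general_password.encode("utf-8"),
                              service.encode("utf-8"), iterations, dklen=length)
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
    out = []
    for i, b in enumerate(key):
        pool = classes[i] if i < len(classes) else ALPHABET
        # b % len(pool) has a small modulo bias; acceptable for a demonstration.
        out.append(pool[b % len(pool)])
    return "".join(out)


def crack_general_password(derived: str, service_secret: str,
                           candidates: Iterable[str]) -> Optional[str]:
    """What an attacker does once one site leaks the derived password in
    plaintext and the scheme is known: guess the general password offline.
    With a fast unsalted hash this runs at GPU speed, so the scheme is only
    as strong as the general password itself."""
    for guess in candidates:
        if derive_sha1(service_secret, guess) == derived:
            return guess
    return None


if __name__ == "__main__":
    # Sample values from the post; the candidate list is constructed.
    linkedin = derive_sha1("LiNsalt", "SF0HJxLs")
    print("post scheme  :", linkedin)
    print("pbkdf2 scheme:", derive_pbkdf2("linkedin", "SF0HJxLs"))
    print("cracked      :", crack_general_password(
        linkedin, "LiNsalt", ["password", "letmein", "SF0HJxLs"]))
```

Run it and compare the first line with the shasum output above. The PBKDF2 variant fixes the two weaknesses noted earlier (a fast hash and an output that fails many sites' character rules), but it does not change the fundamental point that the cracking function demonstrates: a short or guessable general password is recoverable from a single leaked site password.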

I did some googling and found out that this is not a completely new idea; there is one ready-made browser plug-in:

The page looks a bit outdated and the developer team has identified some challenges, but the concept is good. I think that a similar mobile application would solve most of these issues. This is a free idea for mobile app developers! 🙂


It should be the service provider’s responsibility to protect user passwords. However, this is not the case at every service, and there are things that users can do to protect their passwords even at services with a poor security implementation. The hashing presented in this post is one of them. Let this post be a discussion starter about this idea.

Remember that password?

Article complexity: This article is intended for the normal internet user.

Password strength

Without going deep into mathematics, password strength is basically a combination of password length, character set (special characters, capital and lower-case letters, numbers etc.) and randomness. Strong passwords tend to be hard to remember, and you should have a different password for every service. In this post I will present three methods that could help you remember strong passwords.

Warning: If you are not absolutely sure what you are doing, be extra careful with sites that provide “test your password strength” services. Services like that might be created to phish your password.

Three methods

Write them down! – (F-Secure/Annika method)

This method is fully explained in the F-Secure Safe and Savvy blog. The basic idea is to have part of your service-dependent password on paper and to remember a secret “PIN” that is added to this password. The thoughts behind this idea are good, but there are a couple of things to notice:

  • I recommend using a much longer password and PIN than presented in that blog post
  • In case of a password breach at one of the services you should change the password at all services, since the PIN is exposed. This can be really frustrating.

Overall this method provides the means for good passwords.

Password manager

Password managers like LastPass and 1Password can store strong passwords, and you only have to remember one password to use all of them. Password managers are a really good solution, but there are also some issues:

  • You are fully dependent on the password manager – cloud solutions help with availability but add the concerns that apply to all cloud services.
  • There is a single point of failure – all your data is behind one password. Leakage of that password exposes all your passwords.


Passphrase

Passphrases are like passwords that consist of words instead of letters. Here is an example: ThoseThreePonysArePinkAndReallySmall! That is an actual phrase that can be remembered. However, it does not offer good randomness, so a better passphrase would be: ShirtSunWavesLivingSafeTreeAdsDoorPopularity? This is better since it has more randomness (not completely random words, though) but it is not as easy to remember. If you want to add some complexity you could use several languages and special characters. A couple of notes:

  • Not all services accept really long passwords (unfortunately)
  • You should use totally different words for each service, and this could lead back to the original problem (hard to remember)
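The randomness point above, as an added Python example that is not part of the original post: it picks passphrase words with a cryptographic random source and puts a number on how much randomness a passphrase of a given length actually carries (k words chosen uniformly from a list of N words give log2(N^k) = k * log2(N) bits). The 16-word list is constructed for the example; in practice use a published list of several thousand words. Function names and the target of 80 bits are assumptions.

```python
import math
import secrets

# Added example, not the original post's code. WORDS is a constructed
# stand-in for a real wordlist; function names and the 80-bit target are
# assumptions made for this example.
WORDS = ["shirt", "sun", "waves", "living", "safe", "tree", "ads", "door",
         "popular", "pony", "pink", "small", "three", "river", "stone", "lamp"]


def entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase whose words are picked uniformly at random:
    log2(N^k) = k * log2(N). A memorable sentence scores far lower because
    its words are neither independent nor uniformly chosen."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of this size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_passphrase(word_count: int, wordlist=WORDS, separator: str = "") -> str:
    """Pick words with the CSPRNG behind `secrets` (never `random`, which is
    predictable) and capitalise each word so the result passes the usual
    mixed-case rule. With separator="" the output looks like the post's
    ShirtSunWaves... style."""
    return separator.join(secrets.choice(wordlist).capitalize()
                          for _ in range(word_count))


if __name__ == "__main__":
    phrase = random_passphrase(6)
    print(phrase, f"({entropy_bits(len(WORDS), 6):.1f} bits from a {len(WORDS)}-word list)")
    print("6 words from a 7776-word list:", f"{entropy_bits(7776, 6):.1f} bits")
    print("words needed for 80 bits with 7776 words:", words_needed(7776, 80))
```

Six words from the toy list give only 24 bits, which is why the list size matters as much as the word count: the same six words drawn from a 7776-word list give about 77.5 bits, and seven words pass 80. The calculation also shows why the "pink ponies" sentence is weaker than it looks: its words were chosen by a human, not by the dice.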


As seen, there is no silver bullet for the problem. I hope that this blog post brought some help when dealing with your passwords. I will continue the hunt for a good solution and keep you updated!