Title: John Walker FBCS CITP CISM A'IISP MFSoc
ISACA May 2008
'Compliance or a Tick: which option?'
John Walker FBCS CITP CISM A.IISP MFSoc, Director of ISSA (UK) Expert Panel
Consider . . . .
Deployed Best Practice Security, had a visit from Audit, so everything MUST be OK - Right? We got another GREEN ✓, a tick in the box.
Let's look at the WIDER CHALLENGES.
Profile of Audit
Auditors arrive in two profiles:
1. Professional, and looking after the Business
VS
2. Political Pawns: Consultative, Manipulated - Owned
Is this why we have seen so many issues?
Tower Box
Organisations can suffer the issues of Tower Box Syndrome.
(Diagram: Tower, Door, Lid, Box)
Tower: Policy is KING, REACTIVE to Security.
Box: HIGH focus on the visible areas, but lacks imagination.
Corporate Responsibility
Corporate SMEs MUST take more action, and responsibility, to deliver and assure that Best, or at least ADEQUATE, Security Practices are in place. Businesses MUST ensure that when they consider what security should look like, they consider the problem end-to-end - Example: DNS (and ISPs)! Businesses MUST act with Social Responsibility, considering their Clients and Customers no matter how small - Example: Loss of Data!
There is progress to drive Security HoL:
- Kite Marks
- Reporting
- Centralised Agencies
BISH, BASH, BOSH to Compromise: 5 Mins Tutorial
BISH: Zone Transfer all assets, and gain visibility of potential Targets
BASH: Identify interesting Resources
BOSH: Investigate Finds, Gain Intel, and Gather Artifacts
(Masked zone transfer output shown on the slide, one record per line)
Service.xxxx.co.uk.   zz  A  xxx.xx.xxx.xxx
Stats.xxxxxx.co.uk.   zz  A  1x.xx.2.xx
xxx.xxxxx.co.uk.      zz  A  1xx.1xx.1x1.xx
Test1.xxxxx.co.uk.    zz  A  1xx.4x.xx1.2
Test2.xxxxx.co.uk.    zz  A  xxx.1xx.x.xx
test3.xxxxx.co.uk.    zz  A  1xx.xxx.2.xx
Test4.xxxxx.co.uk.    zz  A  xx7.1x.1xx.xx
Test5.xxxxx.co.uk.    zz  A  xxx.xxx.xxx.xx
test6.xxxxx.co.uk.    zz  A  xxx.1x.1x.x
_uOsr27xxxxxx _uOkw27xxxxx"_uOsr28 xxxxx" _uOsr29xxxxx_uOsr30xxxxx.xxxx
LowFruit.xxxxx.co.uk. zz  A  xxx.1xx.x.xx
Badly written HTML provides information ref an Internal Server Side Script.
Encryption: Good and BAD
✓ It can be used to secure business data and information.
✗ It can be used for illicit purposes, by internal people - e.g.
✗ It can be used as an Anti Forensics Tool - consider the options!
When the ROT Sets In!
AKA Punyyratr - Jura gur EBG Frgf Va!
Telling Signs
1. Punyyratr - Jura gur EBG Frgf Va naq zbirf guvatf nebhaq 13 gvzrf!
1. (ROT13 decoded) Challenge - When the ROT Sets In and moves things around 13 times!
Remember its capabilities may be enhanced with additional shifts, say 2 <> 13!
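As an added illustration (not from the slides), here is a small Python decoder for the shifted text above. It applies an arbitrary Caesar shift, so it covers ROT13 as well as the "additional shifts" the slide warns about, and a brute-force recovery that tries all 26 shifts and keeps the candidate containing the most common English words, which is what an examiner would do before treating letter-only gibberish as encrypted. The ROT13 line is the slide's own; the shift-2 sample, the word list and the function names are constructed for this example.

```python
import string

# Constructed for this example: the slide's own ROT13 line, and a shift-2 variant
# of its first clause made with rotate(..., 2) below.
SLIDE_LINE = "Punyyratr - Jura gur EBG Frgf Va naq zbirf guvatf nebhaq 13 gvzrf!"
SHIFT2_SAMPLE = "Ejcnngpig - Yjgp vjg TQV Ugvu Kp!"

# Small, constructed list of frequent English words used to rank candidate decodings.
COMMON_WORDS = {
    "the", "and", "when", "in", "of", "to", "a", "is", "it", "that", "this",
    "on", "for", "with", "as", "at", "by", "around", "things", "times",
}


def rotate(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions (mod 26), preserving case.
    Digits, punctuation and spaces pass through unchanged. A negative shift undoes
    a positive one, so rotate(rotate(t, k), -k) == t."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: 13 + 13 == 26 == a full turn of the alphabet."""
    return rotate(text, 13)


def score_english(text: str) -> int:
    """Count how many words (punctuation stripped, case-folded) are common English words."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(1 for w in words if w in COMMON_WORDS)


def recover_shift(ciphertext: str) -> tuple[int, str]:
    """Try every possible shift and return (shift_used_to_encode, decoded_text)
    for the candidate with the most recognisable English words. Ties resolve to
    the smallest shift; shift 0 means the text was not shifted at all."""
    best_shift = max(range(26), key=lambda s: score_english(rotate(ciphertext, -s)))
    return best_shift, rotate(ciphertext, -best_shift)


if __name__ == "__main__":
    print(rot13(SLIDE_LINE))
    for sample in (SLIDE_LINE, SHIFT2_SAMPLE):
        shift, plain = recover_shift(sample)
        print(f"shift {shift}: {plain}")
```

The point for anyone reviewing recovered files: a letter substitution by a fixed shift is obfuscation, not encryption. There are only 25 non-trivial shifts, so a quick scan over all of them, scored by dictionary hits, will recover the text in well under a second; the same scan also tells you when the text is genuinely something else and worth deeper work.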
T&Cs & Privacy
T&Cs get presented everywhere; we never read them (most of the time). And are you happy to agree to them . . . ?
Consider CPSs on sites that we visit: in most cases they mitigate culpable Obligation.
Tracking - Phorm - to be deployed by a Telco and partner: user Opt In, or Opt Out? Is this illegal under RIPA? - simply change the T&Cs!
eBay T&Cs, in the main, remove any ownership and pass it to the user/client.
Anti Forensics
- Encryption (as discussed)
- Stego Image
- Trojans
- Malicious Code
- Streams
eFraud Landmarks
- 1999: Internet Fraud on the rise
- Limited edition Furbies
- AND NOW: eCrime
Loss - based on a guesstimate, but the losses are REAL, and have an impact on GDP.
Growing FAST and successful; the only thing its perpetrators have not achieved is an Industry award for creativity - maybe they were too shy to apply!
Malicious Code
No longer just noise: good malicious code can pay dividends.
But are they the next tools of choice to enhance the security of systems and applications? If a virus can carry an EVIL payload, it can carry a GOOD one.
Now a tool of choice for Criminals and Fraudsters.
And . . . was SPAM that passive after all?
Global Challenges
- International Cyber Law: one fit for all
- Cyber Attacks
- Internet with Borders
- Council of Europe's Cyber Crime Convention
- Cross Border Cyber Crime
- Internet Security Monitoring, Freedom of Speech, Human Rights
- Lack of Acceptable Use e.g. 911 - Drive anarchy!
- Cyber Terror
- And who controls the NET?
First Internet System
26th Feb 1996: a company called Auction Web put the first policy in place to attempt to counter fraudulent use of On-line services.
On-Line Security
PC Pro April 2008 Review of On-Line Banking. Some came out well, and with Good Security Profiles, e.g. First Direct . . . As for others . . .
The Co-op's Internet Bank, Smile, scored only 2 out of 6, and was found to be lacking in Good Security Practice. Worryingly, it is a bank which achieved BS7799 Certification!!!!
I Can Fly
Can be used for both Good and Bad.
Duplication of bad real-world practices in Virtual Worlds: consider!
But if you are a BAD Guy, take care: Law Enforcement are in there with you . .
May 2008 - LinkedIn: Natasha Kone
"I am Natasha Kone a 22 years old lady now, i was born on the 1st of january 1986 to the family of Kone. My father's name is Camara Kone. . . . . . . . . . . . . ."
Social Networking
Popular, but needs to be used with care.
HR utilise it to check up on people.
Criminals use it to get information.
Can pose a risk to your business: do you let your users use it?
And you can still commit the offence of Slander . .
Fact File: Location: High Court. Date: 3 April 2008. Company: Pallion Housing. Charge: Web Harassment. Cost: 119,000.
Caution: consider local laws, and/or tolerance: in Japan, images which are deemed appropriate will break the law in the US; images that are deemed OK in the US & UK will not be in India.
Child Protection
Social Responsibility to support the countering of this Criminal Act, yet at times the response when such images are located is flawed!
Damage Limitation may be considered the priority, and NOT Child Safety:
- They may be accessed and copied by internal personnel
- Culpable to Criminal Acts!
- Who watches the Watchers?
Finds may NOT be subject to reporting out to Agencies.
http://www.ceop.gov.uk/
Section 67 of India's Technology Act
Imprisonment for anyone who 'publishes', transmits, or causes to be published 'lascivious' material. Example: Delhi Public School MMS Sex Scandal.
Where Next
Maybe the world of Infosec, and technological survival, need to be both more creative and more imaginative in their adoption of an infosec with God Particles, AKA the Higgs Boson. New thinking, new minds, and an extended imagination of what the manifestation of REAL risk profiles really is.
Conclusion
1. REAL Threats, and more of them
2. REAL Governance
3. Understand Security
4. MORE Responsibility
5. Trained, Security Savvy Staff
6. Look back to learn from what was
7. Look Forward and Apply