
    Advisory: OpenSSL ‘Heartbleed’ Security Alert – What it is,…

    There’s been a major security alert over the last week regarding the Heartbleed bug in OpenSSL (see the OpenSSL Advisory). A vast number of systems and sites have been affected; this is no storm in a teacup – it’s serious, and cannot be ignored.
    OpenSSL is a component used to provide secure communications protocols for HTTPS websites, and it is used by a wide variety of systems (Twitter, Facebook, remote VPNs, remote admin interfaces…) from a wide variety of vendors (Cisco, Big IP, Juniper, McAfee, Apache…), which means the bug has hit a huge number of services and companies across the globe, from the likes of Google and the Canadian Revenue Agency to the shop around the corner running a simple payments page over HTTPS.
    So, what is this bug exactly?
    The flaw was discovered in the implementation of TLS Heartbeats, which are used to keep long-lived TLS sessions alive. To create a heartbeat, either the client or the server sends the other some data and asks for it to be echoed back. The request carries the data and, here’s the fun part, a field stating the length of the data sent [*].
    Client: Hi Server, send this back to me : Carrots, 7 letters long
    Server: Hi Client, I’m still here, proof: Carrots

    All well and good. But what if we send a short sentence, and tell the peer we sent a long one?
    Client: Hi Server, send this back to me: Car, 10 letters long
    Server: Hi Client, I’m still here, proof: Car.FHULWF

    Aha! What have we here? We get the original string back, plus an additional 7 characters from whatever was in the memory of the process after the string we sent. The protocol allows for up to 64 KB of data to be requested, so the attack basically sends one byte of data and gets over 63,000 extra ones back.
    This could be anything in the memory of the compromised process – other web pages, secure pages, usernames, passwords, your private SSL keys… it’s serious. As an example, the Canadian Revenue Agency has determined that approximately 900 Social Insurance Numbers were leaked due to this bug, and Yahoo! was reported to be leaking usernames and passwords of its users before it had patched as well.
    You don’t need to authenticate against the server to do this, so there’s no need to know any existing secrets or to have an existing account. Worst of all, there’s every chance that it won’t be logged either, as the session does not even need to request any actual web pages.
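The exchange above, modelled as an added example in C (not OpenSSL’s own code): a handler that trusts the declared length, beside the hardened handler with the bounds check that 1.0.1g introduced. The process-memory buffer, its "Car" payload and the "session=SECRETTOKEN" data that happens to sit after the record are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the heartbeat handling described above (added example,
 * not OpenSSL's own code). A heartbeat record on the wire looks like:
 *   [type:1][payload_length:2][payload][padding:16]
 * and the peer echoes the payload back. */
#define HB_PADDING 16
#define MEM_SIZE   64
static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable handler: trusts the declared payload length, the defect in
 * OpenSSL 1.0.1 to 1.0.1f. rec_len (bytes actually received) is never
 * consulted, so the copy runs past the record into adjacent memory. */
size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap) {
    (void)rec_len;
    uint16_t payload_len = read_u16(rec + 1);
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;                 /* bytes echoed to the peer */
}

/* Hardened handler: the bounds check added in 1.0.1g. Header, declared
 * payload and padding must all fit inside the record that actually
 * arrived; otherwise the request is silently dropped (nothing echoed). */
size_t heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Constructed stand-in for process memory: the received record sits at the
 * front and unrelated data the process holds follows it. The real payload
 * is always "Car" (3 bytes); declared_len is what the peer claims.
 * Returns the record's true length on the wire. */
size_t build_memory(unsigned char *mem, uint16_t declared_len) {
    const char leftover[] = "session=SECRETTOKEN";  /* constructed sample */
    size_t n = 0;
    memset(mem, 0, MEM_SIZE);
    mem[n++] = 0x01;                                /* heartbeat request */
    mem[n++] = (unsigned char)(declared_len >> 8);
    mem[n++] = (unsigned char)(declared_len & 0xff);
    memcpy(mem + n, "Car", 3);  n += 3;
    n += HB_PADDING;                                /* padding left as zeros */
    memcpy(mem + n, leftover, sizeof leftover - 1);
    return 1 + 2 + 3 + HB_PADDING;                  /* 22 bytes */
}

int main(void) {
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec_len = build_memory(mem, 26);         /* "Car, 26 letters long" */
    size_t v = heartbeat_reply_vulnerable(mem, rec_len, out, sizeof out);
    printf("vulnerable echoed %zu bytes; bytes 19-25 read \"%.7s\"\n", v, (const char *)out + 19);
    printf("fixed echoed %zu bytes\n", heartbeat_reply_fixed(mem, rec_len, out, sizeof out));
    return 0;
}
```

With the dishonest request the vulnerable handler hands back the three real bytes, the zero padding and then seven bytes of data that were never part of the message; the fixed handler returns nothing at all.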
    So what do I do?
    You need to do three things, in this order:

    • Patch
    • Re-generate your private keys, revoke and re-issue your SSL certificates
    • Change your passwords for the affected services

    Right, I’m convinced. But what do I patch?
    At the most basic level, you need to patch OpenSSL, which is the root cause of the issue. This affects all versions of OpenSSL from 1.0.1 to 1.0.1f. A fix has been released in version 1.0.1g, and older versions are NOT affected. The catch here is that OpenSSL is a component of other systems, and as it is an open source product, it can be (and has been) included in other commercial systems. The key to tracking down what needs to be patched is your software and hardware inventory which, in conjunction with vendor advisories, will help you narrow down what needs to be updated. For our own managed service customers, we maintain inventories that have enabled us to rapidly identify and update our customers’ systems. Without such lists, you will need to treat anything serving or terminating an HTTPS connection as suspect until you can examine it and prove otherwise. Vendor advisories are also critical, as you may have no way of knowing what a commercial system is using to terminate HTTPS until your vendor can confirm it.
    As a starter, the following systems are known to be affected:
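A first triage check for the inventory work described above, as an added example (not part of OpenSSL or any vendor tooling): it classifies the line printed by `openssl version` against the affected range the advisory gives, 1.0.1 through 1.0.1f.

```c
#include <string.h>

/* Classifies the version line printed by `openssl version`, e.g.
 * "OpenSSL 1.0.1e 11 Feb 2013". Returns 1 when the build falls in the
 * affected range 1.0.1 through 1.0.1f, and 0 for 1.0.1g and later and
 * for every other branch (0.9.8, 1.0.0, 1.0.2), which never had the bug.
 * Added example, not part of OpenSSL or any vendor tooling. */
int heartbleed_affected(const char *banner) {
    const char *v = banner;
    if (strncmp(v, "OpenSSL ", 8) == 0) v += 8;   /* tolerate the banner prefix */
    if (strncmp(v, "1.0.1", 5) != 0) return 0;    /* not the 1.0.1 branch */
    char suffix = v[5];                           /* letter after 1.0.1, if any */
    if (suffix == '\0' || suffix == ' ' || suffix == '-') return 1;  /* plain 1.0.1 */
    return suffix >= 'a' && suffix <= 'f';        /* 1.0.1a .. 1.0.1f */
}
```

Distributions such as Red Hat and Debian shipped the fix as a patched 1.0.1e package without changing the upstream version string, so treat a match as a lead to confirm against the vendor advisory, not as proof.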

    • Big IP F5 (versions greater than 11.0, or if using COMPAT ciphers)
    • FortiOS 5 and up
    • Aruba 6.3.x, 6.4.x
    • CentOS and Red Hat Linux 6.5 and greater using the stock OpenSSL libraries
    • Debian Linux 7 and up when using stock OpenSSL libraries

    Other vendors have reported that they are not affected (e.g. Checkpoint) or have yet to respond. We strongly recommend that everyone check their environment for this vulnerability.
    References:
    http://xkcd.com/1354/
    http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
    http://heartbleed.com
    http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work


    The view from inside


    There is no doubt about it, the most common information security incidents we are asked to deal with are ones that have arisen from inside the organisation – and to be honest, internal threats are often more difficult for businesses to come to grips with. There is an unintentional sentiment, especially among management not on the front line of managing risk, that if the breach occurs internally it won’t be as damaging to the business as an external attack.
    Unfortunately this is not the case – the extent of the hype, headlines and customer backlash knows no such boundaries and does not noticeably distinguish between the nature of an incident – a breach is a breach.
    From our work there are three common internal information security incidents:

    1. Unapproved content – a frequent but less discussed incident type we encounter is one where staff are accessing content and information at work that is simply off-policy and inappropriate. On the surface what can appear to be a misdemeanour can have ricochet effects across the organisation and needs to be handled carefully.
    2. Accidental error – whether it’s caused by people, process or technology slip-ups, accidental error is when critical information ends up in the wrong place or with the wrong people, causing a breach of the business’s information security. Simple mistakes that unfortunately can have serious consequences.
    3. Intentional internal fraud – simple and straightforward, the planned action of accessing and taking critical information from the business for malicious use.

    Three very different situations: each of which is reasonably common in our experience.
    What’s important is what you can do about it. Here are sensible, pragmatic steps that we recommend you consider to help reduce the risk of these types of incidents happening to your business.
    Access denied – many channels make it hard work!
    The lines between work and home have blurred considerably over the last decade and today we  are used to having the flexibility of ducking in and out of work mode to quickly surf the net, have a chat or catch up with a friend – they call it “me entitlement” time!
    All in all, it’s not a new phenomenon, but from an information security perspective the multi-device, mobile, internet and social networking era presents a new set of challenges. The fact is that many of the cases we are called in to look into involve employees accessing unauthorised content or information when at work.
    Most companies today are savvy and responsible enough to have policies, procedures and filtering systems in place to help avoid such a situation arising. Commendable as it is, it simply is not enough. Companies underestimate the full ramifications of discovering an unauthorised access situation and in most cases are simply not equipped to deal with it when it occurs. Depending on the type of incident, the ramifications can range from HR disciplinary action to a potential court case and legal proceedings.
    However our intent is not to scaremonger – it is to realistically help companies be prepared. Here are four steps we recommend businesses follow:

    • Educate – at the bare minimum make sure you have a thorough acceptable use policy (AUP) in place relevant to your business and that every employee is well aware of what it is and what it contains.
    • Prevent – put teeth into the policy by putting in place a good content filtering solution that will police your policies around the clock.  Remember that in today’s world you need to cover the myriad of channels that are open to people – from email and chat rooms to file sharing and the hidden web.
    • Police – review regularly what people are accessing to ensure your policy continues to be relevant and your prevention is effective.
    • Prepare – probably the most important but frequently overlooked step is to have a formal pragmatic incident response approach in place.  If a situation occurs it may quickly become more than an internal HR issue and companies that can clearly show they engaged robustly by reporting, investigating and protecting assets uncovered for further investigation can positively  influence how their own liability is viewed.

    In truth unauthorised content access is unfortunately quite common in organisations today. It’s hard to discuss and difficult to deal with, but the consequences can be far-reaching so it must be proactively addressed.
    Accidental error – can you eradicate mistakes?
    In our view accidental error is probably the hardest information security threat for businesses to come to terms with.  The fact is that even if nobody means harm, harm still gets done and customers are no more forgiving just because the mistake was internal.
    To look at it simply, accidental error falls into two main categories, and here’s how we recommend you approach risk management for each:

    1. System, process and technology slip-ups

    It’s a common scenario – the business is rolling out a new system or process or making changes and upgrades to what’s already in place. The development work is done, user testing is complete and everyone is trained up. Go-live is in two days and someone thinks about security (or not in some cases!). There simply isn’t enough time to properly assess the risk or run a security test on the new systems or altered processes – so by default the business is left unintentionally exposed.

    It’s a frequent occurrence and one that can easily be remedied.

    Our advice – based on hard earned experience –  is that when it comes to any process or system change that touches the critical information assets of the company, security must be first and foremost on the agenda at every step of the way.

    Coming to the party late leaves the business compromised – but forewarned is forearmed and in many cases embedding security assessments along the way alleviates risk, ultimately saving time, money and reputation.

    What’s needed is a simple change to how businesses run projects – big or small – moving information security from being a last minute consideration to becoming a systemic part of project management.  A simple step that will shift the dial on a company’s exposure to accidental risk.

    Forewarned is forearmed so be forward thinking!

    2. People and plain ordinary mistakes

    Most of the time when we are called in to deal with an internal security incident that has been caused by human error, the bottom line is that the people involved simply did not know the importance of the information they were dealing with.  Across the world this seems to be a common phenomenon with only 42% of staff saying they have received training in how to be secure at work.

    The fact is, people don’t know what they don’t know and as a business it’s your responsibility to educate, guide and give them guard rails to work with.

    It all boils down to awareness and ongoing education – if people are dealing with sensitive data, they need to know the potential consequences of simple errors.

    And, in our experience, it’s not just about annual training courses (but they do help!); it’s more about making security a day-to-day conscious feature in the work practices of those involved with sensitive data. It must live and breathe in everything that gets done and become an ethos, culture and behavioural set achieved as much by education and change management as by technology.

    Getting the frontline right is fundamental.

    Pre-planned and premeditated – sometimes it is the bad guy’s fault!
    Make no bones about it – sometimes we are called upon to help deal with a straightforward incident of someone in the business deliberately taking information that they simply are not allowed to.
    It happens often and it happens for many reasons. Sometimes they simply want to bring the information with them when moving company or job, and other times it’s a bit more serious and the intent is to sell the information for fraudulent activities.
    Regardless of the why, let’s focus on what to do about it. In our view there are two things that are key:

    1. Do not enter – often people steal information because they think they won’t get caught. They think they won’t get caught because they associate information security practices with something the business focuses on for compliance and audit reasons. Taking information security out of the woodwork and making it a living, breathing entity in the business is like putting up a warning sign for all to see. It won’t prevent every incident but it will prevent some.

    2. Match make – this is one area where technology can be your friend. People have fairly clearly defined roles and responsibilities – with these comes an understanding of the systems they need, the information they use, the frequency with which they use it and what they do with it. What you need to do is match the person with a profile and use technology to monitor for suspicious activity such as lengthy accesses to critical data files, out-of-hours extended usage and large extracts of sensitive data – things that are slightly out of kilter with normal behaviour. Insights that will alert you to take action in time to prevent an incident occurring. Solutions that customers typically use to help achieve this include Data Loss Prevention and Security Information and Event Management (SIEM) solutions.

    So in short, based on our experience and feedback from others who research the area, internal incidents are the biggest threat to information security locally and globally.
    While each type of incident requires specific actions, there is one over-arching piece of advice that will make a difference to all types of incidents. Those of you who read our insights frequently will know it is a common mantra – get the subject of information security out of the annual audit and compliance agenda and on to the daily business agenda. Making security systemic in the business will go a long way to keeping the business secure.
    For more information on insider threat or any information security issue call us on (01) 642 0100
    This document is for general guidance only and should not be regarded as a substitute for professional advice.


    Data protection strategy key, says Ward Solutions CEO

    Pat Larkin, CEO of Ward Technology, talks to the Irish Independent about how Irish companies can ready themselves for incidents around data loss – whether accidental or malicious, internal or external – and how to limit the damage they cause. Ward has many years of experience working with clients to devise effective data protection strategies to keep businesses’ critical information assets safe and compliant with best practice and legislative requirements.


    IT security ‘minefield’ can be managed

    Both locally and globally information security breaches took centre stage in 2013 and the trend seems set to continue based on what we have already seen happen in the early days of 2014. The statistics, the incidents and the attacks are all there to remind us that security breaches are a very real problem from which no-one – from multinationals and government agencies to small companies serving local communities – seems to be immune.
    Ward Solutions has been quietly specialising in this area for many years. With a long history of being the trusted information security partner for some of Ireland’s leading companies, the team at Ward has built up an impressive degree of expertise and insight into the minefield of information security.
    Pat Larkin and Paul Hogan are the founders of Ward Solutions – it’s their pragmatic, systematic and human attitude to information security that makes Ward stand out from the crowd. There are three underlying principles that govern the company’s approach to helping their clients devise and implement practical strategies to protect their organisations and customers.
    1. It’s not a flash in the pan 
    Annual audits, actual incidents or compliance reviews are often factors that bring information security onto the agenda of the executive team and understandably so. But it is this ad-hoc or annual approach that often leaves companies most vulnerable and open to potential incidents. In today’s business world information security needs to be at the forefront of every executive’s mind and systematic in everything that gets done – whether it’s marketing, running a promotion, your finance team altering billing processes or the IT department rolling out mobile devices to their sales force or executive teams.
    “What we find in most businesses we work with is that security comes on to their agenda once or twice a year – yet changes to their processes, applications and systems happen on an ongoing basis and new threats arise daily leaving them unintentionally exposed,” according to Larkin.  “Every time a company makes a change to a process or application they need to factor into the equation the question of security. Even in a static environment they need to constantly reassess the external risks they face, the vulnerabilities they have and the impact of those risks occurring in their business.”
    2. It’s inside and out 
    Most of the news stories we hear about relate to security incidents that are the result of organised malicious attacks from external sources. The possibility of an external security breach, within any business today, is very real, and as a result many companies are actively starting to raise the bar on their information security strategies. While this is commendable, it is equally important that organisations strike a balance between protecting against malicious threats and against unintentional internal security breaches. Often companies emphasise their focus on outsiders getting in and forget to look internally at weaknesses in their processes, procedures and systems that also make them vulnerable.
    “Hackers, cybercrime and malware are huge threats today and we must do all we can to protect ourselves and our customers if an incident occurs – this is fundamental,” said Ward co-founder, Larkin. “However, equally as important is turning an eye inwards and looking at where the business is exposed to risk through poor practices and processes or through the actions of a rogue insider. The internal loss of a customer database due to system or information security failure may not always hit the headlines but remains a very serious and damaging security information incident for any organisation.”
    3. People plan attacks 
    Many of today’s externally driven security attacks are executed by highly sophisticated and intelligent technologies. However, it pays to remember that behind the technology there are always people or teams of people totally focused on trying to find weak spots through which to penetrate, normally for very damaging purposes. At Ward, the risk assessments and security testing we carry out combine brains and technology.
    We use the industry’s very best information security solutions in combination with a team of highly-skilled security consultants. Our consultants approach each project from the viewpoint of a professional criminal, internal or external hacker or inadvertent staff member, bringing a degree of rigour and a 360-degree view to the assessment process that only comes with experience, expertise and the human touch.
    “Over the years we have built up a team of really smart, savvy and technically astute security consultants. The combination of great talent and technology is without doubt our secret sauce,” commented Larkin.
    Ward Solutions have been in the business of information security for over 15 years. The company has a team of over 60 security professionals working with over 250 clients in Ireland.
    For more information contact Pat Larkin on (01) 642 0100