Wednesday, 25 March 2015

Setup an Information Security Awareness Program


Protecting corporate data should be part of an organization-wide information security awareness program. The program should be delivered in a way that fits the overall culture of the organization and has the most impact on personnel. Security awareness should be run as an ongoing program, so that training and knowledge are not delivered only as an annual activity but are used to maintain a high level of awareness day to day. Ensuring that staff understand the importance of data security is central to the success of the program and will also help meet the requirements of various standards.

The first step in the development of a formal security awareness program is assembling a security awareness team. This team is responsible for the development, delivery, and maintenance of the security awareness program. The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.

Security awareness may be delivered in many ways, including formal training, computer-based training, e-mails, memos, notices, bulletins and posters. Notifications must be targeted at the appropriate audience to ensure the information is read and understood. By disseminating security awareness material through multiple communication channels, the organization ensures that employees are exposed to the same information several times in different ways, and by matching both the material and the channel to the relevant personnel, the security awareness team improves adoption of the program. The key is delivering relevant material to the right audience in a timely and efficient manner.

Role-based security awareness gives organizations a reference for training personnel at the appropriate level for their job functions. A minimum awareness level for all personnel (management and employees) can serve as the base of the program. The first task when scoping a role-based program is to group individuals according to their job functions within the organization. Assigning responsibility for the program to the awareness team helps ensure its success. A solid awareness program will help all personnel recognize threats, see security as beneficial enough to make it a habit at work and at home, and feel comfortable reporting potential security issues.

Management leadership and support for the security awareness program is crucial to its successful adoption by staff. Managers are encouraged to:

  • Encourage personnel to actively participate and uphold the security awareness principles.
  • Model the appropriate security awareness approach to reinforce the learning obtained from the program.
  • Include security awareness metrics in management and staff performance reviews.

As stated above, it is recommended that training content be determined by role and by the organization's culture. The security awareness team may wish to coordinate with the appropriate business units to classify each role and determine the level of security awareness training required for those specific job duties. This is vital in developing content that avoids "over-training" or "under-training" an employee. In addition to general security awareness training, personnel should be exposed to the general concepts of data security, according to their role, to promote proper data handling throughout the organization.

Training materials should be made available to all areas of the organization, for example through the corporate intranet. Which materials to use in a security awareness training program depends heavily on the organization, and each organization should consider its culture when selecting them. The following are examples of reference materials that may help in the development of a Security Awareness Program:

  • National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, www.nist.gov
  • International Organization for Standardization (ISO), ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice for information security controls, www.iso.org
  • International Organization for Standardization (ISO), ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements, www.iso.org
  • COBIT 5 Appendix F.2, Detailed Guidance: Services, Infrastructure and Applications Enabler, Security Awareness, www.isaca.org/cobit
Additionally, due to the increased focus on cyber security awareness, many government agencies and industry bodies provide training materials to the public at no cost.

To ensure all personnel are engaged stakeholders in the security awareness program, the roles and responsibilities of all staff to protect corporate data should be outlined during all security awareness training, in accordance with organizational policy.
Because data is at risk both in electronic form and in non-electronic (paper) form, the different ways of safeguarding information on different media should be covered at a basic level for all personnel. For electronic data this includes secure storage, transmission and disposal; for paper it includes secure storage and disposal as well as a "clear desk" policy. Without an understanding of how each media type must be protected, personnel may inadvertently handle data insecurely.
Another important topic for general security training is awareness of social engineering. One way an attacker uses social engineering is to acquire a user's credentials and then work through the organization from a low-security area to a high-security one. Tailoring this awareness to the types of attack the organization is likely to face gives the best results. Users should know the common methods by which fraudsters, hackers and other malicious individuals try to obtain credentials, payment card data and other sensitive data, so as to minimize the risk of personnel unintentionally disclosing sensitive information to outsiders. Training in the organizational policies and procedures that specify proper data handling, including the sharing and transmission of sensitive data, is also recommended.
Feedback on training content and comprehension are key to ensuring personnel understand the content and the organization’s security policies.
In addition to content for all personnel, management training should include more detailed information regarding the consequences of a breach to management stakeholders. Management should understand not only the monetary penalties of failing to safeguard assets, but also the lasting harm to the organization due to reputational (brand) damage.
As previously discussed, management will need to understand security requirements enough to discuss and reinforce them, and encourage personnel to follow the requirements. It is recommended that management security awareness training include specific content relevant to the area of responsibility, particularly areas with access to sensitive data.
Management that is security-aware better understands the risk factors to the organization’s information. This knowledge helps them make well-informed decisions related to business operations. Managers who are security-aware can also assist with development of data security policies, secure procedures, and security awareness training.

Metrics can be an effective tool to measure the success of a security awareness program, and can also provide valuable information to keep the security awareness program up-to-date and effective. The particular metrics used to measure the success of a security awareness program will vary for each organization based on considerations such as size, industry, and type of training.

Saturday, 14 March 2015

Ides of March


So, you have studied hard and succeeded in your CISA exams. You passed a strict selection process and got the certification. You abide by the code of professional ethics. And now what?
Sometimes people forget, quite quickly... Being an auditor does not mean that you have ascended to some semi-divine rank from which you see mortal mistakes as sins that need to be crushed. Users are sinful, but so are the auditors. Please bear in mind that you were once among the users; do not forget that. Perhaps a poem for wannabe "CISARS" will change your mind; read it just before your next audit.

Historical background: on the Ides of March (15 March, 44 BC) Artemidoros tried, without success, to warn Julius Caesar about the assassination conspiracy led by Brutus.


Ides of March, The Canon

Be fearful of exalted rank, o soul.
And if you are unable to subdue
your aspirations — doubtingly pursue them
and with precautions. And the more you rise,
the more examining, the warier be.

And when you are arrived at the supreme
height of your glory — a Caesar, as it were:
when you are become a man so widely famed:
then specially be wary — at such time
as you come out into the thoroughfares,
a noted ruler with great following:
if peradventure, from the multitude,
some friendly person, an Artemidorus,
bringing a paper, should press near to you
and rap out sharp “Read this without delay;
herein are weighty matters touching you”,
fail not to tarry; fail not to postpone
all talk or business; fail not to turn off
the different hangers-on who bow and scrape,
(you will attend to them in time); let even
the Senate wait; — leave all, and learn at once
the grave things written by Artemidorus.

--Poems by C. P. Cavafy. Translated, from the Greek, by J. C. Cavafy. Ikaros, 2003

Monday, 2 March 2015

UI Interference Attack


The attack relies on a side channel in shared memory, the mechanism an operating system provides so that separate processes can exchange data without copying it. Graphical user interface (GUI) frameworks use shared memory to pass window contents to the window manager, and the amount of shared memory a process uses can be read without any special permission.
By watching that counter, an attacker can tell when the target app changes UI state, for example when the user is about to type a password or take a photo, and can time its own actions to that moment, capturing the sensitive data and sending it to a receiver it controls. The method needs a malicious spy app installed on the device, and the researchers argue that the enabling design is common to almost all current OSes, so the same kind of GUI confidentiality breach is possible elsewhere, with serious security consequences.

Let us look at the Android attack that has been published (Chen, Qian and Mao, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks", USENIX Security 2014). The fundamental reason for this confidentiality breach lies in the design of the Android GUI framework, where every UI state change can be observed through publicly accessible side channels. Specifically, the enabling factor is a newly discovered shared-memory side channel that can be used to detect window events in the target application. This side channel exists because window managers commonly use shared memory to receive window changes and updates from running applications efficiently.

A window manager is system software that interacts with applications to draw the final pixels of all application windows into the frame buffer, which is then displayed on screen. After decades of evolution the current design is the compositing window manager, used in virtually all modern OSes. Unlike its predecessors, which let individual applications draw to the frame buffer directly, a compositing window manager requires applications to draw their window content into off-screen buffers first; a dedicated window compositor process then combines them into the final image, which is drawn to the frame buffer.

In Android, the UI state the attack infers is called an Activity. An Activity provides the user interface for one screen of an app; its content is drawn into an off-screen buffer that is shared with the window compositor. In the terms used above, the application is the client and the window compositor is the server.
For security reasons, by default an app cannot know which Activity is currently in the foreground unless it owns that Activity or is the central Activity manager.
An Activity may display different content depending on the app's state. For instance, a dictionary app may have a single "definition" Activity that shows different text for each word looked up. These distinct displays are called View States, and they describe what the user is currently experiencing.

Activity transition
In Android, multiple Activities typically work together and transition from one to another to provide the app's functionality as a whole. During a typical transition, the current foreground Activity pauses and a new one is created. Android maintains a Back Stack holding the current and past Activities. To avoid excessive memory use, at any point in time only the top Activity has its window buffer allocated, so whenever an Activity transition occurs, the off-screen buffer for the new Activity window is allocated and the buffer for the existing Activity window is deallocated.
Activity transitions happen in two ways: a new Activity is created (create transition), or an existing one resumes when the BACK key is pressed (resume transition); these correspond to push and pop operations on the Back Stack.
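The shared-memory side channel and the buffer allocation/deallocation pattern described above, as an added simulation that is not code from the paper or from this post: it reads a process's shared-page count, derives the jump a full-screen window should produce, and pairs each allocation with the deallocation that follows it to recover Activity transitions from a trace. The use of the third field of /proc/<pid>/statm as the sampled counter, the RGBA double-buffered window size, the 10 ms sampling interval and the trace itself are all assumptions made for illustration.

```python
"""Shared-memory side channel, simulated: recover Activity transitions from
jumps in a process's shared-page count.  Added example; not the paper's code."""
import os

PAGE_SIZE = 4096  # assumption: 4 KiB pages, as on common ARM/x86 devices


def read_shared_pages(pid):
    """Return the shared resident page count of <pid> from /proc/<pid>/statm.

    statm fields: size resident shared text lib data dt (all in pages); the
    third field is assumed to be where the window buffer mappings show up.
    Returns None when the entry is unreadable, e.g. on Android 7.0+ where
    /proc is mounted with hidepid=2 and other apps' entries are hidden.
    """
    try:
        with open(f"/proc/{pid}/statm") as f:
            return int(f.read().split()[2])
    except (OSError, ValueError, IndexError):
        return None


def self_shared_pages():
    """Sample our own process, the one pid that is always readable."""
    return read_shared_pages(os.getpid())


def window_buffer_pages(width, height, bytes_per_pixel=4, buffers=2):
    """Pages taken by one Activity window's off-screen buffers.

    Assumption for illustration: RGBA pixels and a double-buffered window, so
    a 1080x1920 full-screen Activity costs 1080*1920*4*2 bytes = 4050 pages.
    """
    total = width * height * bytes_per_pixel * buffers
    return (total + PAGE_SIZE - 1) // PAGE_SIZE


def detect_transitions(samples, buffer_pages, tolerance=0.1, max_gap_ms=500):
    """Pair each window-buffer allocation with the deallocation that follows.

    samples: list of (t_ms, shared_pages) in time order.
    A transition (create or resume) allocates the new window's buffers and
    frees the old ones shortly after, so it shows as a rise of about
    buffer_pages followed by a fall of the same size.  Rises with no matching
    fall inside max_gap_ms, and small unrelated allocations, are ignored.
    Returns [(t_alloc, t_free), ...].
    """
    lo, hi = buffer_pages * (1 - tolerance), buffer_pages * (1 + tolerance)
    transitions, pending_rise = [], None
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        delta = s1 - s0
        if lo <= delta <= hi:
            pending_rise = t1            # new window allocated
        elif lo <= -delta <= hi and pending_rise is not None:
            if t1 - pending_rise <= max_gap_ms:
                transitions.append((pending_rise, t1))
            pending_rise = None          # old window freed (or stale rise)
    return transitions


FULL_SCREEN_PAGES = window_buffer_pages(1080, 1920)


def constructed_trace(step_ms=10, n=120):
    """Constructed 1.2 s trace (not measured data): baseline 5000 shared
    pages, one Activity transition at 200-450 ms, another at 800-1000 ms,
    and a small unrelated allocation at 600-620 ms that must not match."""
    trace = []
    for i in range(n):
        t = i * step_ms
        pages = 5000
        if 200 <= t < 450 or 800 <= t < 1000:
            pages += FULL_SCREEN_PAGES
        if 600 <= t < 620:
            pages += 30
        trace.append((t, pages))
    return trace


if __name__ == "__main__":
    for t_alloc, t_free in detect_transitions(constructed_trace(), FULL_SCREEN_PAGES):
        print(f"Activity transition: allocated at {t_alloc} ms, freed at {t_free} ms")
    print("own shared pages:", self_shared_pages())
```

On stock Linux /proc/<pid>/statm is world-readable, which is exactly what makes the channel public; since Android 7.0 /proc is mounted with hidepid=2, so other apps' entries are invisible and read_shared_pages returns None for them. Telling a create transition from a resume transition needs further signals beyond the page count, which this simulation does not attempt.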

With these fundamentals in place, we can explain this novel attack on our smartphones, and possibly on the other modern OSes we use.

LoginActivity Attack Overview
The spy app uses Activity tracking to determine when the Activity it is waiting for is about to come to the foreground. Take a typical login screen, such as the Facebook or PayPal login.
When the target app's LoginActivity is about to enter the foreground, the spy app simultaneously brings its own pre-prepared phishing LoginActivity to the foreground, timed so that there is no visible disruption. The phishing Activity captures the credentials and then hands the user over to the legitimate app, which logs the user in as expected, so no trace of the interference is left.

Camera Peeking Attack Overview
Because of privacy concerns, many apps keep the photos they take only in memory and never make them publicly accessible, for example by writing them to external storage. This is the case for banking apps (e.g. Chase), shopping apps (e.g. Amazon) and search apps (e.g. Google Goggles).
Such photos contain highly sensitive information: the user's life events, shopping interests, home address and signature (on a cheque). With Activity tracking, these well-protected camera photos can be stolen by a background spy app. The attack targets the photo the user deliberately took, rather than random shots of the surroundings.
The spy app does not use the normal capture path. It grabs camera preview frames through the OpenGL-backed preview pipeline found on most recent phones and tablets, which delivers frames at a high rate and does not trigger the shutter sound, so the user is not alerted even with sound on.
Android does not let a background app take the camera while another app holds it, but it does not stop the spy app from retrying the request continuously. So when the user photographs something sensitive, the Activity tracker tells the spy app that the camera is about to be released, and the spy app grabs a frame as soon as the camera app releases it and the user returns to the previous Activity.
The camera is released quickly, in about 500 ms, so the spy app can capture a frame within milliseconds of the original shot, when the user is very likely still pointing the device at the document.

A follow-up post on defending against these attacks will appear soon.


Image by Benjamin F. Clay CC BY-SA 3.0