BCS - Nottingham Offshoring-and-Security (In Reverse Order)

John Walker FBCS CITP CISM MICAF PG.Cert
British Computer Society Registered Security Specialist
Head of Operational Security
john.walker@uk.experian.com

Presentation Transcript

Genesis

1993 - Polymorphism arrives as a real threat
Examples (Viruses):

Brain – from Pakistan
Jerusalem – Israel
Cascade – West Germany
Vienna – Austria
Ping-Pong – Italy

1995 - Is Windows NT susceptible to virus infections? (VB March 1995 ISSN

First virus discovered in Russia = DOS 6.2 - Vienna

Virus Developers Quarterly – raw source code

Landscape – About the Task
  • Virus Writers, Hackers, and SpyWare folk have learned Project Management Skills (not the case early 2004)
  • Mobile Computing and Extended Perimeters of Operations bring with them their own set of problems
  • Viruses – From a sample of 1,500 Windows Users, 44% confirmed they had suffered virus infection (I think that number is LOW) – COMPUTING 27 Jan 2005
  • 25% of that same sample had suffered Spyware, or Phishing Attacks

I am assuming the other 75% were aware that they were clean?

  • Trojans – MS Windows Media Player – WmvDownloader.a & WmvDownloader.b
  • Regulation and Governance – there is a lot of it
  • DDoS - New Security Considerations - VoIP - spIM
Consider . . . (Something Old)

How many holes do you think software could have?

Consider Windows XP:

40 Million: Is the number of lines of code in Windows XP (60M? in SP2).

5 per 1,000: With high quality coding, you still have an estimated 5 bugs in every thousand lines of a program.

200: The number of security holes in WinXP (if only 1 out of 1,000) are remotely exploitable. Might be -much- higher...

The same consideration may be applied to other Applications – just look at the history of exploits!

The Brothers SPAM & spIM

Loads of SPAM:

Prescription Drugs
Healthcare, Begging Letters
Easy ways to make money
The usual stuff (images)
Low cost, ripped off software

Loads of spIM: Possibly the first IM based attack to be mounted was against AOL, using the AOL IM. This scam has the subject "Confirm AOL billing info" and attempts to convince the user to reveal their AOL username and password. The communication goes on to advise that if the user does not follow instructions, payments to AOL can't be processed.

Phone a Friend - VoIP

In the next generation of security threats, it is highly likely that VoIP will be/is a target!

Proof of concepts do exist (USA) that allow hackers to manipulate communications by inserting their ‘own’ choice of words into live conversations – consider the ramifications.

Bottom line – as with any other Network Based System, VoIP needs to be secured – don’t just think of it as a new telephone system

See: www.facetime.com for information on VoIP Security

Here’s Looking at You – SpyWare (Something Borrowed)
  • Code on computers (non-authorised)
  • Pop-ups
  • Redirection
  • Affiliate money makers
  • Slowing PCs
  • Crashing PCs
  • Keystroke Monitors
  • And more . . . . . . .

Based on trends to date, expected to rise by a factor of 10

Let's Go Phishing

Project managed attackers - Spyware can act as triggers (Crimeware).

Once this malware runs, it may start collecting data when a user visits a selected site. These emails try to drive users to the real site to log in, which will activate the spyware.

An example

Not Forgetting Viruses and Worms
  • Now an accepted way of life for any user of a computer, no matter at home, or in the office
  • They spread fast, and can have high impact on system availability
  • Prediction - They will get smarter, do not have to be destructive, why not leverage their power to work for the attacker – imagination will be the only limitation here
  • You got AV in place – so what, that does not ensure you will remain infection free

W32/Rbot_GR (Peeping Tom) – locates, and uses Web Cams to look into your personal space.

Hidden Content – Whatever you wish (Something New)

The file C:\xxx Settings\xxx\Local Settings\Temporary Internet Files\Content.IE5\xxx\xxx is infected with Mr-Nasty.gen - Known Virus, Detected with Scan Engine 4.4.00 DAT version 4.0.4422. The file was successfully deleted. (from PC0xxxxxxxx IP xx.xxx.xxx.xxx user xxxx running VirusScan 4.5.1 SP1 OAS)

Every picture tells a Story

Hidden Content – Whatever you wish (Something Potentially Blue)

Every picture tells a Story – AND SOME MAY BE NOT


The Need to Move - Mobilisation

The Mobilisation of the workforce dictates that what has been seen thus far as the preserve of Perimeter Security to underpin and deter attacks has now had a quantum shift, encompassing such areas as:

WiFi (802.11b/g), Bluetooth, Smart Phones and PDAs

Outsourcing – how will it affect the Perimeter of Security, or what has been thus far accepted as the organisational ‘Area of Control’ (will it push it or pull it?)

Legislation & Controls - Challenges

Gramm-Leach-Bliley Act of 1999 (GLBA)
Securities and Exchange Commission (SEC) Compliance issues (17a-4)
Sarbanes-Oxley Act
USA Patriot Act
HIPAA Privacy
HIPAA Security
FDA’s Electronic Records/Signatures (ERES-21CFR11)
Mental Hygiene Law Sec. 33.13
Computer Security Act

And . . . . . . . . . . . . . . . . . . . . . . . . . . There are MORE

Build Them Secure – or Suffer

Probably one of the most important aspects (the FIRST) of technical security is that of how systems are built:

Remember – out of the box does not necessarily support security

Have an agreed Baseline Build for all systems, including Workstations, Mobiles (Laptops etc), Servers, and any other device that serves a Production environment – you also need to consider Phones and PDAs

If you outsource, or use Third Party Service Providers – don’t forget this may also apply to them

This is something old, but still gets missed

Alerting – Key Stuff

High importance should be placed against obtaining early reports of Vulnerability Alerts – if not in place, how do you know what you are at risk from?

Don’t forget this is equally important for any systems outside the Perimeter of the Organisation – home users, and say Outsourced Systems/applications can also support insecurities and vulnerabilities - so make sure you encompass them in the plan

Out of sight/site should not be out of mind

Patch and Fix – or Die

Closely following Alerting – Patch and Fix

This is as important as deploying Anti Virus signatures - yet it still seems to take a back seat

Lots of stuff to consider here – the most important aspect is to stay connected to those security alerts

It Don’t Have to be Expensive

It is not always necessary to spend high numbers to achieve Operational Security - consider:

What do you own - already
What can you leverage from the O/S and applications
LOW cost, HIGH Functionality

However, if you have a financial pot with no bottom, please feel free to discount these ideas

It Don’t Have to be Expensive (What you can Leverage)

1. SNORT: Good IDS, very effective (use the language)

2. Office 2003: Document Security

3. AP Logging: Review them on a regular basis

4. Vulnerability Alerts: There are many good free ones (take a look at OSVB)

5. Use Free Encryption: Turn on NTFS for NT, 2000, and XP – better than nothing (EFS for 2000 >>)

6. WiFi - WEP: Not great, but better than nothing

7. O/S Options: Eventtriggers (Win2k, XP, 2003)

It Don’t Have to be Expensive (SpyWare)

Anti-SPAM is no longer to be considered a nice to have, but is A MUST. MS have produced a very functional tool.

Here in its Beta Release

It Don’t Have to be Expensive (Log Analysis)

Drill Down

Sawmill – LOW Cost, HIGH Functionality

Security Testing – Who, When, Why

It is essential that in any project, or application lifecycle, the element of security is both acknowledged and addressed (for the ex-Government people in the audience – remember Memorandum No 10)

For HIGH assurance this should be done:

  • During development phases
  • Post time of deployment
  • After any change has been applied
  • Periodically

When conducting testing, for best effect and value, use a known methodology such as OWASP

Policy and Governance has its Place . . BUT
  • Security Policies are very important to underpin the security mission of any business – they are the rules that all should abide by – and if not, there will/may be consequences. However, remember:
  • Security Policies are passive – just because you have one does not make you secure – so don’t fool yourself
  • They underpin the day-to-day operations and practices; however, in an operational sense, they have no real value.
  • They do not proactively avoid an insecurity occurring, they only advise the rules - they will not tell you when things go wrong, but they may be used after-the-fact.

Governance should help the business, not grind it to a halt

What Next – What can help

MSc in IT Security – Fred Piper – Royal Holloway

IISP – Institute of Information Security Professionals – Jan 2006

CISM – Certified Information Security Manager

CISSP – Certified Information Security Professional

BCS Membership – Professional Development (is key)

Read, read, and . . . Read – it is a fast moving area – to keep up

Future of IT Security

Drivers are high – it is now a Main Board topic, and key to the business

Personal opinion – I feel it will become a Main Board position

The area of expertise will grow – needs technical underpinning

I believe that it is a science (a mix of physiology and technology)

It is a challenge – can be pressured – has an element of ‘the book stops here’ – but is also rewarding and enjoyable

One quality required is, ‘decision makers are key’

Risk Assessments – post not pre

Contracts and SLA

Team Work

Compliance and Governance

Let's talk:

Mapping Process and Procedure

Are they IN or OUT?

Outsourcing – Security

Outsourcing is now on the up, and many organisations have entered into contracts - but the security model needs to be Considered!

  • Any pre-deployment Risk Assessments to take into account, not what is today, but what will be tomorrow
  • How do the pre- and post-deployment perimeters compare – has the company's boundary of operations moved?
  • Where do you deploy your security defences? (dependent on the aforementioned factors)
  • Do your policies and baselines work – are Minimum Controls achievable, and maintained?

Brief Q&A