UNCLE: UNix Computer security Lab-E


Walter Cooke, CISM, CISSP

Data Classification using Expert Systems

Classifying data according to its sensitivity and value is part of the due care that every organization should practise in its Data Governance process. This work is usually done manually, but time and resources may be saved by automating the entire data classification process. Automation may use any of the Expert System software packages that run on ordinary personal computers.

Everyone is beginning to suspect that Information Security is in a bit of a crisis these days. Sony, Target, Home Depot, multiple banks and many government departments have had the inner sanctums of their IT infrastructure pillaged by outside hacker teams who, with seeming impunity, wiped systems and stole all of their crown jewels. Sony’s debacle where their security team didn't seem to be aware of the attacks until after it became a Hollywood-sized spectacle is a truly face-palming moment that makes us all cringe and shake our heads in dismay. Not 111MB or 111GB, but 111TB of data were taken? Really?

Obviously the old security paradigm we have been promoting for the past 30 years just isn't up to the challenge of protecting our data assets any longer. The old paradigm - build a bastion castle with thick walls, keep your valuables locked up inside the castle where the 'good' people live, and keep all the 'bad' people outside - no longer applies. Now we live in a world where our good sales team is working outside the castle walls and some bad disgruntled employees may be working inside the castle walls. Plus, we now have VPN tunnels going under the moat and through the walls giving our (hopefully) trusted staff access to the castle’s inner sanctum. And the evil outsiders now mail plague-infected packages to the unsuspecting castle occupants. It no longer looks like a very secure castle, does it?

2015 was a wild and crazy year for anyone involved in IT security: entire industries hacked and gutted, the rise and fall of high-tech cybersecurity stocks, governments demanding back-door encryption keys and the discovery of long-standing nation-state back doors in commercial firewalls.

What’s next? 2016 promises to be another banner year, although hopefully with more good news than bad news. A lot of ideas that were being built and tested over the past few years will become more mainstream in 2016. In the meantime, it will also become ever more obvious that the old 'war tubas' of WW1 (like current political demands to replace strong encryption with state-sponsored key escrow) have had their time and need to be retired this year.

In its ongoing attempts to capture our attention these days, the media labels everything as “Xtreme”: sports, politics, automobiles and, surprise, computer hacking too! But with our current preoccupation with all things hacker-related, we seem to have forgotten about the basic necessities of life when it comes to IT security work.

When my clients invite me in for a conversation these days, it often reminds me of what I refer to as the Airline Inflight Magazine Syndrome: an executive has read about some fancy new solution to a current pain point for the company, and has returned to the office wanting to show technical leadership by having the IT department implement this new holy grail of advanced business acumen (e.g., “let’s save money and move everything to the cloud”). For security consultants, that conversation often requires finding “Xtreme” solutions to the hacker threat – what magic silver bullets do you have that will kill the evil hacker vampires who are threatening us? Can what happened to Acme GmbH happen to us? What about next generation firewalls and network intrusion detection using artificial intelligence? *sigh*

The use of deterrents to help enforce and highlight IT security controls never seems to get much attention, even though they can be an easy, cheap and effective way for security staff to reduce security risks.

Here are a few of my favourite deterrents:

“There are just two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again” says Robert Mueller, FBI Director.

If we are always going to be several steps behind the computer hackers who eventually find the means to engineer their way into our protected networks and systems, what then should we do? We need an imaginative and proactive stance to help minimize the risk of data loss if or when we get hacked. I have a wacky idea to share with the IT Security community, and I’d like your feedback please.

With the recent news that the National Security Agency and its ‘Five Eyes’ partners apparently intercepted literally billions of cell phone SIM crypto keys en route from the manufacturer Gemalto, we have another nail in the coffin of personal privacy. In the words of Star Trek’s irascible Dr. McCoy: “He’s dead, Jim.”

It might be argued that Five Eyes are just doing their job to help intercept network communications that might lead them to useful intelligence concerning international terrorist activity, drug trade, money laundering and other criminal actions. However, we might feel this was less of a totalitarian invasion if the recent NSA revelations did not just look like the bulk collection of global communications of interest everywhere about everyone, and instead helped provide some basic protection for our industries, jobs and personal privacy.

I have a scary thought to share with you concerning the security of every cryptographic key used in the entire world.

A recent revelation from the Edward Snowden treasure trove of secret National Security Agency documentation concerns the wholesale theft of Gemalto SIM card encryption key data that is used by cellular telephone carriers around the world. Every cell phone has a SIM card that uniquely identifies the phone and, as an afterthought, also holds keys used to encrypt the phone’s transmissions, providing us with a modicum of privacy on our phone calls. If a third party has a copy of my SIM keys, then my phone call can be decoded and my privacy has been compromised.

My last cyber security post introduced the concept of Situation Awareness – having your finger on the pulse of your computer network and knowing whether you’re having a ‘good day’ or a ‘bad day.’ Hopefully your organization’s IT security posture promotes this concept and uses it to help stay one step ahead of the recent computer hacking headlines we’ve all been reading.

Nobody wants their company’s IT security failure to be the headlined subject of tomorrow’s paper. And it seems that 2015 is already off to a bad start. Security researchers are predicting that 2015 will be “the year of the healthcare breach.” The recent access of perhaps more than 80 million client records at Anthem Health - the second-largest health insurer in the United States - would seem to mark that prediction as correct. The information accessed includes customer names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data. While the damage assessment is ongoing, Anthem said there is no evidence at this time that credit card or medical information was compromised. However, we should not simply shrug our shoulders at this latest in a long line of IT security bad news stories and just carry on as normal.