Tuesday 22 April 2014

Aliens on the roof!

So I've caught your attention... either you’re like me and a bit of a Trekkie and therefore maybe curious about the subject or also like me, you have a passion for Business Continuity and are wondering what on earth I'm talking about!

One vital element of delivering a successful Business Continuity programme and one in my opinion often overlooked is to validate your plans and strategy. This takes time and commitment. In turn this will provide reassurance and confidence, training and awareness, greater understanding of procedures and responsibilities. So how do we achieve this? Simply put we complete exercises, tests, rehearsals. There are many different styles that can be delivered...process driven, call cascades, partial or full invocation, desktop, scenario based and more. 

However, the temptation to simply use the same old format or content over and over again should be avoided. Just because you've changed the location, date or time of the details within the exercise doesn't make it different or acceptable. Where we can truly add value to our Business Continuity programme is to allow us to understand what our core risks and concerns are. Understand where the potential pain is, what the impacts of an incident really are on our core business activities, systems and people. 

Spending quality time on developing an exercise which is fit for purpose is where the true benefits can be gained. Taking the time to understand your local surroundings, potential incidents and challenges enables us to develop something that is realistic, believable and purposeful. 

Even if you're only discussing why we do Business Continuity and raising people's own knowledge and perception of the value, using realistic examples helps to strengthen the justification.

During my recent travels I've been fortunate to not only raise awareness of Business Continuity but to deliver exercises. I have taken the time to understand the business requirements, the pains and been able to deliver something that is realistic, making a conscious decision to not copy one idea for all. However, as a result I'm now being known as a fortune teller or person of doom! The exercise has gone well, lessons have been learned, objectives achieved, attendees have had fun which is just as well as within a relatively short period of time the example given has happened for real. 

I'm superstitious and now spend time 'knocking on wood' to counter-jinx the topic of discussion. Whilst firmly believing in providing realistic examples I don't actually wish the incident to happen. So, to add to my repertoire I will now throw in the incident whereby 'aliens have landed on the roof', surely that can't happen, can it?

Claire Phipps, MBCI

Wednesday 16 April 2014

Heartache from Heartbleed goes on and on


Following on from our earlier post on the Heartbleed bug we wanted to remind you of some of the lessons learned and also to remind the reader of best practice regarding securing yourselves on the internet.
The Heartbleed bug again demonstrated that regardless of the precautions taken when using the internet you can still fall foul of information release or compromise from third party sites or systems. We no longer (alas) live in a world where trust is implicit and ok.
There was a time (not that long ago) that it was normal to leave your home unlocked and if a stranger asked a question or wanted information then it was ok to answer truthfully. We live now in a world where your information is valued and can be combined to infer more or to become more of a commodity. Your date of birth, place of birth, name of your pet or favourite colour can now aid an adversary to begin unpicking your digital and online identities. The simple passwords that proved to be convenient to remember and use across multiple domains and sites can now come back and result in widespread damage to reputations and credibility. Our online footprint can reveal the actual answers of most typical security questions to a skilled or determined attacker rendering the secrets anything but that.
With the notable exception of Government or Healthcare systems it now could be the time to begin lying on the internet; when I personally sign up for services I take a number of simple precautions that when combined offer more benefits than the truth has and these include (and are not limited to) -
Date of Birth – why does any non official site want or need this information, I’ve not been truthful about answering this question, varying the day, month and year frequently and without any real method apart from not using the actual date.
Place of Birth – my Bank knows this, my medical records and passport have this but why should a website want or need the real answer?
Pet’s name – I use random values when asked
Address – Unless I’m paying for goods / services or expecting something to be delivered to my home address I will use a fictitious one
The same goes for favourite colour, first car, school, mother’s maiden name - anything that isn’t actually needed is changed and rarely (if at all) the real information supplied. The sites I’m signing up with don’t need the real information; they just want something they can validate you against if you ever need to prove who you are. I make a note of the information given to each site in a note section of the password manager I use, if I ever need to answer the question of “Where did I go to school?” I can check the corresponding details and answer “Third moon of Pluto” (assuming that’s the answer I gave). The exceptions to this are things that I can control or have more authority over (i.e. phone or mobile numbers) as these can sometimes be used for two factor authorisation or reset dialogue. If someone is able to clone my phone or steal my handset then I have more to worry about than a password at that point.

The most beneficial two tactics I employ on the internet are using unique email addresses and unique passwords. Not everyone can use the unique email addresses as it needs a suitable email setup to receive the mail, the benefit of having it ensures that if I start getting unwanted 3rd party email to a unique email address I know that either that email has been sold to spammers or the service I used it with has been compromised; it’s a good safeguard but needs extra effort to manage and check multiple addresses.
The most important single thing that anyone and everyone can do on the internet is to use complicated and unique passwords. There are downsides to this but the protection this one single action allows is worth it. As Heartbleed and high profile breaches have demonstrated, regardless of the steps we take to protect ourselves on the internet we can still fall foul if servers and services are compromised or our data released. If a service or server I subscribe to is breached and my data is released, it’s generally one (unique) email address and one random password lost. I employ a password manager to maintain the majority of my general passwords (this has the benefit of assisting in the memorising of them and the input of the same), I don’t use the password manager for my most important credentials, and these are deliberately not written down anywhere nor saved anywhere where they could be found; they are the exceptions. My password manager also has additional security that allows me to use two-factor authentication. I chose and use two-factor authentication wherever possible, anything that makes it harder for my credentials to be usurped is worth using.
A typical password I use is limited only by my imagination and the complexity rules of the site I’m signing up with, it’s not unusual for me to use 25+ char passwords that include special characters, upper, lower case and numbers and spaces. They are painful if I have to input them manually anywhere (such as tablets or games consoles) but that annoyance is worth it when I consider the value of the protection of complex passwords that aren’t used anywhere else. If my password needs updating or changing it’s a simple act; if that password or username/password combination is used on all sites the risk of data loss or compromise isn’t something I could or would want to deal with.
The Heartbleed bug will have a long lasting impact, the depth of the problem is still being fully analysed, it’s not just websites that were/are affected, the nature of the modern world means that there are embedded OpenSSL instances in all sorts of unexpected and difficult to patch places (home routers, firewalls, mobile phones and so on). I suspect there will be ongoing attacks for years to come and it should be accepted that some of the vulnerable systems and services will never be fixed or solutions made available. You may be able to trust the online service / bank or the like but that won’t be able to stop you being owned or affected by seemingly safe devices. We cannot be certain where the OpenSSL Heartbleed bug can be found but we can do everything else to minimise the problems caused if we unknowingly have our information disclosed or released.
Anyone that still has an easy or common password needs to rethink how they are potentially exposed if that information or password is released. We in 2014 are still facing an ongoing problem of common passwords breaking security and trust, if you can authenticate to anything using 123456 or password, qwerty or princess, trustno1 or admin or anything that isn’t “complicated” and using all the characters available then you’re taking a risk. I would like to see services and sites ban people from using simple words or limit their choice to alpha numeric alone with fixed max length under 10.
Complexity is good, length is beneficial. Simplicity in passwords should be consigned to the yesteryear when it was ok to leave your car or house unlocked and have a hope that your possessions and property would still be there anytime afterwards. That age has gone, let’s make sure our weak passwords don’t undermine the security in this modern world we live in. The internet is a wonderful place to be but not one you should blindly trust with anything other than unique throwaway information.
Jamie Duxbury, Senior Security Specialist
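
The per-site routine described in the post above (a unique email address, a unique 25-character password using every character class, and made-up answers to security questions, all recorded in a password manager entry), sketched as an added example that is not part of the original post. The mail domain, the alias format, the question list and the 12-character minimum in the check are assumptions made for illustration; the unique addresses only work with a mail setup that accepts them.

```python
import secrets
import string

# Constructed sample values: placeholder domain and questions (assumptions).
MAIL_DOMAIN = "example.org"
QUESTIONS = ("Where did you go to school?", "Name of your first pet?")
# The weak passwords the post names.
COMMON = {"123456", "password", "qwerty", "princess", "trustno1", "admin"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!#$%&*+-=?@^_ ")


def make_password(length=25):
    """Random password with at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry if a class is missing or a space sits at either end,
        # since some sites silently trim leading/trailing spaces.
        if all(any(c in cls for c in pw) for cls in CLASSES) and pw == pw.strip():
            return pw


def make_answer(words=3):
    """Random, meaningless answer for a security question."""
    return "-".join(secrets.token_hex(3) for _ in range(words))


def new_account(site):
    """Everything to record in the password manager entry for one site."""
    tag = secrets.token_hex(4)  # keeps the alias from being guessable
    return {
        "site": site,
        "email": f"{site.lower()}.{tag}@{MAIL_DOMAIN}",
        "password": make_password(),
        "answers": {q: make_answer() for q in QUESTIONS},
    }


def is_acceptable(password, other_entries=()):
    """Reject passwords that are common, short, or reused in another entry."""
    if password.lower() in COMMON or len(password) < 12:
        return False
    return all(password != e["password"] for e in other_entries)
```
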