Facebook open to ID-theft

Facebook (and a number of other platforms in the Social Networking revolution) enables great minds to do great things. Many of us use these services on a regular basis (daily, hourly, or even every moment of our waking hours). 

I for one am a huge fan of networking, and using networking sites enables me to communicate and stay in touch with old and new contacts easily. On the other hand, I recognize the security challenges - namely the ID-theft and the social engineering (SE) possibilities that are enabled through such services. 

One of the messages I try to convey in speeches and trainings is the threat that Facebook Apps may be. Granting an application access to your profile automatically enables that application to harvest a huge amount of data about you and your friends. Now, most applications are "for real" - doing only the thing they claim to do. Still, imagine a business manager sitting on tens of thousands of users and their data, in need of money. It would be extremely easy to sell the data already harvested, as well as to rewrite the application to be more aggressive in its harvesting. 

The other scenario is malicious apps appearing cool and fun and a "must have". These apps would offer you a service (chocolate) as a killer app - something you just have to have. And you would invite all your friends to use it too. By offering the coolest thing around, it will become popular, and thus the road is open to harvest and use information. Information that you normally would share with friends only.   

---

Enter the Social Engineer. He uses the information about you, collates it with other info shared on other sites, and creates a complete profile of you, your interests, your family, friends, co-workers, neighbors and so forth. 

Perhaps one day he bumps into you at the local mall. Or calls you because "someone said that you could be interested in ..." 

Having a complete profile of you, he (or she) would know all the answers, and could talk you into doing anything. Given enough time, and a valuable target, there are no limits to what can be achieved. 

---

Given this outlook - perhaps it is best to continue as before - in ignorance. Hoping that "it will never happen to me".  

---

I gotta run.

Just got this incredible, almost unbelievable, opportunity! This complete stranger called me out of nowhere!

See you in a bit!  

---

Ka-zing. 

---

(Thanks to Liquidmatrix / Dave Lewis. And man, do I love that cartoon!)

Security Profile: Jaanus Kase

A while back I came across my next Security Profile. He is from Estonia. He is not afraid of taking on even the Estonian Security Police head-on. And he covers a lot of topics, including security.

 

Jaanus Kase is a fun read combined with great insights. He also lets you in on a different cultural background – different from those of us who grew up in the west.

A former Skype marketing guy, Jaanus is speaking freely on topics of his interest.

 

When explaining what Information Security is from his point of view, he is hard to stop.

 

Jaanus came into the information security area by working at a security product vendor (Cybernetica - www.cyber.ee). Later he moved on to a company focusing on ID-cards and digital signatures (Sertifitseerimiskeskus - www.sk.ee). His background is diverse, and it adds to his wide definition of the topic.

 
On defining

 

K: Jaanus, how do you define Information Security (IS)?

 

JK: IS is actually a pretty simple thing. And yet it is very important, as we must all deal with it as individuals and employees, whether we want it or not. It used to be very simple in the Middle Ages -- you stayed at a village and had a limited circle of people to interact with. Whereas these days, information is increasingly digital, be it your bank data, your health records or confidential work data. And information can be moved globally at an instant. So it's important to be conscious about what and where you post or store.

Regarding the meaning of IS, the classic definition continues to work very well. IS is defined as a mixture of confidentiality, integrity and availability. Confidentiality means that secret information should remain secret and the information owner should define who can access it and who can't. Integrity means that information shouldn't be changed by unauthorized parties. And availability means that information should be available to those who need it at all times according to the access policy of the specific info.

 

Global impact

K: Do you have any examples of how this impacts business?


JK: This may sound like an academic discussion, but recent events of the world and Estonia have driven the message home to many people in the world. We were targeted by an organized cyberattack in April and May.

 

Discussion continues about how exactly it was organized and what is its long-term and political impact, but from a technical perspective, it was definitely an IS event. For example, bank systems were targeted, rendering card payments in retail stores suddenly unavailable for a short period during the business day.

 

I believe this event suddenly made a lot of people both in Estonia and elsewhere yet again realize that we live in a networked world where the threats are very different from what they used to be. It used to be so that you could see and touch the enemy and could physically attack and destroy him in a conflict, if we talk about war. Now conflicts are more virtual and asymmetric.

 
Age of information security

 

K: This sounds like war?

 

JK: This sounds a lot like the rationale about "war on terror" and it's indeed all kind of the same thing.

So IS these days has an all-encompassing global impact and yet is able to reach every individual in different ways. So if we say that we live in an information age, you could also call it the age of information security.

IS has the same impact as, for example, physical security. It is understandable for most businesses that they need to lock their doors and windows and maybe maintain on-site manned security and CCTV surveillance and such, and maintain proper policies and procedures.

 

It's a bit less obvious about IS policy and procedures, but from business perspective, it's exactly the same thing. In both physical and IS, there are many different measures you can take to protect your assets, and they have wildly different prices.

 

So it becomes a simple question about cost-benefit analysis to determine the appropriate thing to do. And it's not only limited to businesses -- the same kind of analysis applies to every individual when securing their homes and online records.

 

Psychology in attacks

 

K: What challenges do you see emerging?

 

JK: One challenge is that cybercrime definitely continues to be active, and continues to go towards "social engineering" type of things, and not only pure technical attacks. When the IT industry was younger, it was often effective to do online attacks to businesses and try to e.g. steal credit card information by cracking the servers.

 

By now, the cyberdefenses have become pretty good and it is more effective for attackers to try to subvert their way in to end users' computers with the help of what's generally called "malware" (the differences between types of malware continue to blur).

 

This may be needed to get access to resources in that particular business, or it may be an operation to extend criminal botnets. And it becomes harder and harder to distinguish "good" and "bad" contacts in case of e.g. email -- the phishing mails have become really really good.

 
Converging technology

 

JK: Another challenge has to do with "convergence" and with technologies like VoIP. Not one particular VoIP product, just the concept in general. It used to be so that in a company, your IP network, phone network and CCTV networks were all separate and redundant. This meant that even if one went down, others remained up, and they didn't interfere with each other.

 

But these days, there is a trend to move everything to IP (wired or wireless). This makes a lot of sense as it makes e.g. the physical setups simpler and provides great cost advantages, but it also means that a whole new class of risks and threats is introduced that businesses now need to understand and manage.

 

Thank you Jaanus for sharing your valuable insights with us! 

 

You can meet Jaanus at his blog: http://www.jaanuskase.com/

I believe you will enjoy it!

Why password security is key on any website

Many website owners and companies do not spend enough time considering security. Things are slowly getting better, but not at the speed required to counter fraud and identity theft.

Gnucitizen made a clear post regarding how password recovery works (warning - it gets quite technical towards the end). It is a great explanation of the 4 different automatic password recovery/resetting methods, including their pros and cons. The second part of the post also gives interested readers a step-by-step description of how to automate the testing process.

If you still do not get the message - consider this:

You are able to automate testing in order to counter hackers. It is easy, and takes very little knowledge and effort, thus it is not very expensive. You may or may not choose to do it. One thing is certain, though - hackers and ID-thieves already do this. As they have done for years. 

Your choice is simple: either test and alter your code as required, or wait until you are losing data. Not a hard choice, is it?  

The blogger is Kai Roer, a European Information security professional.
