User-Interface design: an overlooked security matter

Human error is one of the most overlooked threat to most IT systems. A low level of user acceptance of the security features can be one of the most challenging part of the transformation of a company into a secure organization.

KISSS: Keep it Simple, Stupid and Sexy. The last S from this new version of this old acronym comes from Laurence Vanhée, Chief Happiness Officer. Can we make people happy with security? Why not?

Tech companies have invented the WAF, Woman Acceptance Factor. This factor was defined to predict if the woman were ready to accept the purchase of a new home appliance (Smart TV, and so on). The main factor was usability and attractiveness. At that time came the « girly » versions of a lot of appliances and the simplified version of the remote controls. Not that Woman aren’t capable of using complex systems, they just don’t want to bother about some useless complexity. And I don’t think it’s a « woman » thing. We all do, eventually. But in security, we tend to forget that we need to convince our users to be more secure.

Darin Senneff, a creative user interface designer from New-York, has created and shared on Codepen a very nice user login interface that should inspire other website designers.

As you can see, the nice gorilla’s avatar change its behaviour as you type your email and your password. One could add some new behaviour when the password would not be strong enough and some other (positive reinforcement) when the password reach a certain level of complexity. Such interface will likely be more efficient reinforcer of a security aware behaviour than just a message as it will provide a sense of peer pressure and fun, leveraging security without the fear and the stress factors.

Darin shared the code on Codepen. Get inspired, use it, improve it.

Risk management as a decision tool: a synthetic diagram

Whatever the reference you might use (ISO27001, NIST CybersecurityFramework,the Australian ISMF, the german IT Grundschutz,…), all information security framework has risk management as its core.

Some people think of risk management as a painful and lenghty process used to justify security expanses or to achieve compliance with a standard. It can be just that.

But, first of all, it is a decision tool. A risk assessment is the tool used by senior managers to decide wether or not they should invest (additional) money in (more) security controls and in which one. For this reason, the identified risks must be credible, realistic and their likelihood (or frequency) and impact as accurate as possible. A bad assessment will likely lead to an unwanted level of residual risk.

Taking the time to clearly and concretely explain the risk scenario is an important task as senior managers are often lacking the technical knowledge to understand all the extent of the risks on their business. And this is normal, this is the risk managers or security officers’ job to translate these risks for the board.

I’m working for some time on a modelization of the information security governance processes in order to show the need to integrate all the available data. There is already a few models available but I try to create one that shows clearly the need to include information from a lot of sources in order to have a sound and efficient security management process. Here is a first draft of the integration of the risk management process in the software/system/solution developpment lifecycle.

Global security management process-V0.3

Any feedback will be welcome. Information security governance is a complex process, any suggestion to improve it will be taken into account and shared with the community.

If there was only one, what would be the security behaviour change you’d like to see?

If you have a very limited budget and you can only focus on one security awareness activity focused on on message, on one behaviour, what would it be?

Tough question. It was asked by Dr Jessica Barker during the last (ISC)² Secure Summit in Amsterdam. There was hundred of security professionals in the room. The answers were quite classical at start: Passwords, phishing, trust, and so on.

The best suggestion, from my point of view, was this one: Ask for help!

Too often, users don’t ask for help. Likely because they don’t want to loose time waiting on the line while calling the helpdesk or they don’t want to look stupid (and there is probably a lot of other reasons and a mix of it). But security has become an increasingly complicated matter over the years. Hoping our end users will become better or as good as security professionnals might be a wishful thinking (although, in some cases, average users are better than most security professionals in some security specific tasks, I’ll come back to that another day).

So, « Ask for help », is the most reasonnable action to ask to our users. It is something they can easily understand, it will cover a large panel of situations and probably increase your reaction time and decrease the number of incidents.

Of course, you need to make it easy (simple phone number, easy to remember email address, one button to click in an email to signal a fishing attempt), responsive (people don’t like to wait) and nice (you don’t like that the person on the line make you feel like a fool).

Think about it. It might be a good start for a more human centric security (hence more efficient and cost effective).

How do penalties affect your security policies effectiveness?

One of the requirements of any decent policy (and law) is having a penalty link to its non-respect. In penal law, « Nulla lege sine poena » (no law without punishment) is one of the corollary of the famous principle « Nulla crimen, Nulla poena sine lege  » (no crime, no punishment without a law).

From a behavioural point of view, it is often more efficient (and more humane) to use the carrot (and even more the intrinsic motivation to do the things right) instead of the stick. However, knowing there is a stick helps to give some consistency to the rule, some consequences. So, when we are drafting policies, we always insist on the necessity to clearly define the consequences of any non-compliance with the rules. Organizations may be fined for it, so should their employees.

It’s often a difficult part of the policies drafting process, moreover in large organization, as we must find a proportionate response and it must be, in some countries, negotiated beforehand with trade unions and social partners.

But there is more to say about it. First, the consequences mentioned are quite often individual ones: loss of privileges, impact of financial bonuses or removal from offices. Though, there is more to it. Breaking rules can lead to huge monetary losses for the organization, resulting in cost cutting and having colleagues losing their jobs, putting families in financial and personal difficulties. It’s a bigger picture; it’s not a systematic consequence, although more likely than ever, but mainly it is a foreseeable consequence that might trigger more emotional response than the one of the person’s own demise (although it might have some opposite effect if the person has a grudge against the entire company, including its workers). Emotions are leading our choices more than rationality.

The second point is that it must be fair. As suggested by Herath & rao (2009), too severe punishment will have an adverse effect and increase the likelihood of the infringement. This effect is likely similar to the one observed with the pictures of sick lunges of cigarettes pack: they tend to increase the consumption of cigarettes (mostly with young adults and adolescents).

The third point is that the rule must be the same for everybody, in theory and in effect. So, we must ensure that we can systematically detect these infringements (see Herath & Rao, 2009) to increase the compliance.

But how often do we see people in organization breaking the rules willingly without any consequence? Sometimes because this person is an expert in his/her field and we believe we need her/his knowledge more than we would. Sometimes it’s for some internal political reasons. Sometimes because (s)he’s a relative of someone high in the food chain.  Whatever the reason, this is not fair and it has some huge impact on the behaviour of your employees. Worse, it becomes part of your culture and that’s something that you will have a lot of difficulties to change after.

So, mind your punishment twice.

References:

Fappening 2.0: You should mind who you trust!

It seems that one of the trendy subject of the moment is the return of the fappening (a portmanteau of the words « fap », a slang term for masturbation, and the word « happening »[according to Wkikipedia]). As most sequel, the second one is not better than the first one. But my point isn’t to make a parallel with the cinema industry.

For the Fappening 2, it seems that this time two young actresses have been the new victims of hackers disclosing some intimate or sexy pictures. It is not necessary, I hope, to remind that this kind of behaviour is not only illegal as an illegal hacking but that it is aggravated by its intimate implications for the victims.

According to the journalists, there is not yet an explanation on how these pictures have been compromised. There is already a lot of advises given by newspapers and blogs on what to do and not do to avoid such situation. However, one thing that seems to be a common point to these pictures is that they have been taken by someone else than the victims themselves.

When you share information with a third party, you need to ensure that they are at least as careful as you are in their handling of your information.

In this case (and it is just a theory, I have no evidence or clue so far), if friends of these young ladies have taken pictures of them in some more intimate context, even if they trust their friends with their lives, they should ensure that their beloved friends were (also) careful and were following good practices with their phones and their « cloud » storage accounts. It is what we (should) do with our suppliers or any third party in a corporate context, and it is also the right thing to do with your friend (if you want to take intimate pictures of yourself).

In the future, Fashion stores will likely be equipped with interactive mirrors encompassing cameras and allowing them to display an image of yourself in any outfit available in the store (yes, it already exist). This will be the next IoT (Internet of Things) nightmare that will likely cause more Fappening if we don’t add a S for Security to the IoT accronym.

 

Related sources:

http://thehackernews.com/2017/03/fappening-emma-watson.html

No, a virtual machine is not as safe as a physical one!

This week, during the CanSecWest 2017 Conference in Vancouver, British Columbia, is held the PWN2OWN™ CONTEST organized by Zero-Day Initiative (http://zerodayinitiative.com/). A team carried on an attack on Microsoft’s Edge browser allowing them to escape a VMware Workstation virtual machine in which it ran. This exploit fetched them 105 000$ of reward. On the same day, another team successfully exploited 3 vulnerabilities and succeed to perform a virtual machine escape.

I will state what is obvious to me since the rising of the hardware virtualization technologies: Virtual Machines aren’t as safe as Physical one. I feel stupid writing it as it is just a matter of fact but it seems it has not yet been accepted by a lot of system admins who are still in denial.

And VMware is not the only to blame, all the Virtualization solutions have already been breached (Xen, KVM,…) one way or another. And those ares just the known exploits. So, whoever you’re talking too, there is no way (s)he can pretend the risks are the same between a physical and a virtual machine.

Of course, there is economics upsides using virtualization and that’s why it is a matter of risk management. But when it comes to crown jewels, we might have to think twice or at least strongly insist on a physical segregation between more sensitive systems and internet facing one.

I don’t say we shouldn’t use virtual machine, I just say we must stop pretending they are as safe as physical one. It is just not true. Risk are different and we must take that into account. The wolfs can pass the fences…

Further reading:

SMS spammers 1 – belgium: 00

I have recently received SMS that are supposed to be sent by young ladies in search for a soul mate. Within the SMS, there is a link to a website with a specific number in the URL, giving access to a picture of young & pretty naked girl (no, I didn’t clicked on it, I tried it from a secured virtual workstation with all protections on and through a Tor gateway). Fortunately, this picture doesn’t seem to have any payload in it.

I called my provider to ask how I can stop this (in France, there is the number 33700 that helps you with SMS spams). According to my provider, the goal of such email is to have men replying to this sms, making their mobile communication bill a bit more expensive than usual. Except deactivating Mobile commerce option on my number, there is no way to prevent this and no place to signal such malicious SMS.

At the same time, we can understand operators are not in a hurry to solve a problem that create probably a substancial revenue as they likely have a nice percentage of margin on the operation.

Unfortunately, as SMS are cheap (and SMS servers can easily be hacked), it can also be used to distribute malicious paylod without going through the usual anti-malware that are now quite common on most email services. So, if we do nothing, this can become (if it is not yet the case) the new channel to target smarphone (and you know how much sensitive information your smartphone holds).

So, when will we have a central platform to gather information, block and prosecute such malicious and illegal (is it?) behaviour?

So far: Spammers: 1 – Belgium: 0.

9 tips to improve the security of your web applications

Should you be a student, a TV Show fan, a small online-shop, a small enterprise or a large corporation, you likely have a web site connected to the world wid web. You probably didn’t developped your website in PHP or in Java by yourself but rather used one of the existing (some being free of charge) framework available like WordPress for you blog, Prestashop for your online shop, Odoo, Drupal, Joomla or even Adobe CQ. While you can use a « cloud » version of these application, you might also have decided to manage it by yourself on your own server or using a hosting service like OVH, HostGator or Ikoula.

If you’ve decided to manage it by yourself, here are a few tips to ensure your server(s) is/are and remain secure:

  1. Use very strong passwords: At least 14 characters and a combination of uppercase, lowercase, numeric and special characters. Ideally change it a few times a year or at least as soon you believe your password might have been compromised. Don’t use the same password for everything.
  2. If possible, rename or disable default admin user (like admin or root) into something less common and use personnal accounts (every admin should have its own user and password). When someone leaves the company, immediately remove his/her user account from the server.
  3. Patch your systems (OS like Linux or Windows server), your middleware (like Apache or IIS), your database (MySQL, Postgress, MSSQL) and your application (like WordPress, Odoo) regularly (every week). Nowadays, most systems inform you when an update is available.
  4. Ideally, you should have a separeted test environment, being a second (set of) server(s) (that we will call the Acceptance System) replicating exactly the one you use for the publicaccess (we call it the « production system ») on which you can first test if the patches won’t disrupt, corrupt or break anything on your servers (It can happen too).
  5. Disable any un-used services on your server(s) like telnet (prefer SSH), motd, FTP (use SCP via SSH instead), IMAP, POP3 or SMTP (if you don’t use your server as a mail relay), Samba and other stuff you won’t use. Be sure to still keep a way to access your server. For Linux machines, you can use automated scripts like Bastille to help you harden your server.
  6. For your database accesses, use a specific system user per application (and per environment) that will have only the access needed on the database of the application it is used for (So, you don’t use the admin user of your database to grant access to your database for your application). If possible, restrict access to the database to the localhost or to the IP of your front-end application.
  7. If possible, force the encryption of your communication by using TLS (HTTPS instead of HTTP). For that purpose you need a cryptographic certificate (not a self-signed as it won’t be recognized by your customer’s browser). You can get free SSL/TLS certificate that will be recognized by most browser with companies like StartCom. Once your certificate installed, you can check the configuration of your SSL with the free online SSL Labs analysis tool. If you need help to configure your SSL with Apache Servers, you can use Mozilla’s SSL Configuration Generator.
  8. In order to prevent attacks like Clickjacking or Man-in-the-Middle, you can configure the HTTP(S) headers sent by your server to make it more secure (see OWASP Secure Header project for more details). Practically, you can check the status of your server’s headers on the very useful and user friendly SecurityHeaders.io website from Scott Helme. Based on the result of your servers’ hearders analysis, Scott’s website will provide you with all the necessary information to improve your headers (again, for free).
  9. Scan your server(s) in order to detect any known vulnerability. This is still possible for free with the services of BitNinja or even from one of the market’s leaders like Qualys.  If you use a Windows server, you can download Microsoft baseline Analyzer and run it against your server.

Quand les contrôles vous font perdre le contrôle

Cela fait quelques temps que ce constat revient tout au long de mes diverses missions: certains contrôles font plus de mal que de bien. Particulièrement, les indicateurs et systèmes de mesure en tout genre.

Quand nous mettons en place un système de gestion de la sécurité (qu’il soit conforme à la norme ISO27001 ou non), de gouvernance IT (genre CObIT) ou de gouvernance d’entreprise, arrive toujours un moment où nous devons définir des indicateurs de performance. KPIs, KGI, PI, Balance Scorecard, contrôles SMARTs et j’en passe, quel comité de direction ne vous réclame pas des indicateurs et de jolis graphiques pour égayer ses réunions?

Je suis cynique sur le sujet et je m’en explique. Ces indicateurs sont censés permettre aux dirigeants de l’entreprise de prendre des décisions éclairées pour diriger leur entreprise. Pour ce faire, les KPI doivent leur fournir des indications pertinentes par rapports aux objectifs de l’entreprise. C’est la base de la définition d’un bon indicateur. Pourtant, la pertinence de certains contrôles laisse parfois à désirer. Faire des indicateurs spécifiques, mesurable, atteignables, pertinent pour le responsable et définis dans le temps n’est franchement pas une chose aisée. Et dans cette quête à l’indicateur presque parfait, on se retrouve parfois dans l’imparfait. Et cet imparfait a de graves conséquences car définir un indicateur de performance, c’est définir les objectifs de la personne responsable de cet indicateur. Et même si nous avons défini des objectifs de plus haut niveau plus pertinent pour l’entreprise (agilité, rapidité de déploiement de nouvelles solutions, satisfaction de la clientèle), c’est ce qui sera mesuré qui aura le plus d’importance car c’est là dessus que les personnes seront évaluées (et que les bonus seront éventuellement distribués). Et voilà le piège. L’objectif individuel de certains manager n’est plus l’amélioration de la performance globale de l’entreprise et de la satisfaction des clients mais bien d’atteindre ou de dépasser ses objectifs tels que mesurés par nos indicateurs. Si ils ne sont pas alignés, vous pouvez imaginer les conséquences. Si vous n’y arrivez pas, voici quelques exemples rencontrés au cours de ces dernières années.

Anecdote 1

Un responsable de service desk ne veut pas mettre en oeuvre un système de réinitialisation automatique des mots de passe des utilisateurs car les nombreux appels reçus par son service pour ce genre de problème prend nettement moins de temps que la moyenne et fait donc baisser favorablement son indicateurs de performance sur le temps de résolution moyen tout en maintenant le nombre d’appel élevé.

Anecdote 2

un responsable réseau qui n’améliore pas son infrastructure car ses indicateurs de performance considèrent le % de bande passante utilisé (qui est dans les limites) mais ne tiens pas compte des temps de latence qui sont eux catastrophique. Et bien sûr, le temps de réponse des application étant un problème complexe qui peut dépendre du réseau tout comme des systèmes et des applications, n’ont pas de KPI sur l’équipe réseau (car ils n’ont pas le contrôle). Logique mais ennuyant car les temps de latence sont catastrophiques et cela impacte les opérations.

J’ai d’autres anecdotes sur le sujet mais le but n’est pas de faire le best of des échecs en termes de KPI mais bien d’illustrer mon propos.

Que faire alors?

Clairement, ce qui me semble le plus évident, c’est de mettre des indicateurs de haut niveau sur les performances de l’entreprise et sur la collaboration à tout le monde, avec une co-responsabilité. Tout comme dans une équipe de 400m relai, tout le monde à la responsabilité de démarrer à temps, de signaler et de passer le témoin. Tous ensemble vers un objectif commun.