 SIFT is an "Australian Government Endorsed Supplier" of information security and information risk management services.
Intelligence
SIFT Note 2008-01 - 10 Jun 08
Privacy Practices, Standards and Risks
With the ever-expanding digital collection of user information on the Internet, the need for consumer privacy is of critical importance. Software and websites often request or demand personal information which consumers are reluctant to divulge. These requests often have no clear reasoning behind the need for such information, exacerbating the intrusiveness of the collection process.
To counteract the current lack of industry-wide standardised practices, the Privacy Guidelines for Developing Software Products and Services document published by Microsoft attempts to create a more cohesive framework and a holistic understanding of the privacy issues that arise when handling personal user information.
To protect this information, Microsoft recommends that before implementing any data collection systems, a review be conducted to validate the need for acquiring personal data against the following criteria:
- Does the data have to be collected?
- Is there a valid business purpose?
- Will customers support the business purpose?
Ample notice of the collection of any personal data by an organisation or site should be given prior to any input by users. The type of notice required (whether a prominent or discoverable notice) depends on the user information being collected, and how it is to be used. A number of privacy standards and initiatives exist which detail and recommend exactly how to classify various privacy data (for example the IAB Standards and Guidelines). Similarly, Microsoft’s Privacy Guidelines offer a mapping from transactions and scenarios to the notice, choice and consent items required for compliance. The general consensus is that whenever sensitive use of collected information occurs, a commensurately higher level of disclosure should be given and, additionally, that individuals should always be given the option to opt out of agreements by disabling the information gathering process or declining the initial notice and request.
Holding sensitive information introduces a level of legal responsibility to the organisation that must be adhered to, including the National Privacy Principles under the Privacy Act 1988. Data breaches – which are ultimately failures of these responsibilities – can result in significant financial ramifications and legal penalties. See the case study linked below as an example.
It is therefore necessary that organisations look into privacy standards and services which ensure that their risk exposure is managed appropriately. By adhering to and considering privacy requirements throughout system development lifecycles and utilising established privacy guidelines to aid the classification of private information at early stages, privacy-related business risks can be managed. Further resources regarding privacy and information disclosure are available from the Australian Office of the Privacy Commissioner’s website.
Further information:
Interactive Advertising Bureau - Privacy Principles
Information Week - TJ Maxx Security Breach Costs Soar To 10 Times Earlier Estimate
Information Privacy Principles under the Privacy Act 1988
Privacy Guidelines for Developing Software Products and Services
Australian Government - Office of the Privacy Commissioner
Security Issues in Heterogeneous Wireless Networks
The future of wireless mobile devices is increasingly moving towards the convergence of heterogeneous networks to support both data and voice communications. The aim of fourth generation (4G) mobile networks is to provide mixed-mode networking and seamless mobility between different network types including wireless LAN, WiMax and legacy GSM or CDMA networks. This will be achieved through the move to VoIP communications, the use of software radios and the definition of standards for roaming and handover between providers or networks.
This convergence of technologies will pose a challenge for the security community because the number of attack vectors increases dramatically as a result of additional interfaces, drivers and software. In addition, traditional network attacks may become applicable to converged networks and new attacks will surface that exploit properties of 4G networks such as handover protocols, VoIP and application-controlled software radios. Thus when using, implementing or deploying next-generation heterogeneous wireless networks, organisations need to consider the expanded threat profile presented by this convergence and take measures to mitigate risks that arise.
The security community also has an important role to play in the development of 4G networks and can assist by researching new attacks and defences. For example, if handover protocols are not sufficiently robust, an attacker may be able to exploit them in order to cause client devices to disconnect from a legitimate network and connect to a malicious network without user knowledge. This may enable further attacks against the client device that compromise its integrity or its communications.
Software radio is a relatively new technology that allows the characteristics of wireless communications to be controlled by an application as opposed to being set by hardware components. This allows a single set of radio hardware to interface with multiple wireless technologies without requiring specialised hardware for each type of wireless network. This presents a unique security threat given the ability to seamlessly alter device communications on-the-fly, and the potential for unauthorised reconfiguration of wireless communications. In addition to unintended handovers (potentially to more costly or malicious channels), the reconfiguration of radio components could be used together with malware techniques to allow the automated propagation of attacks via multiple network technologies.
Although the convergence promised by 4G networks provides a large number of benefits, organisations need to remain aware of the security risks introduced by the additional attack vectors. The converged nature of next-generation wireless networks means that vulnerabilities may no longer be limited to a particular type of technology but instead can apply across the board. The security industry has a major responsibility in defining standards and protocols for 4G networks to ensure that the mobility and flexibility afforded are not overshadowed by security issues and attacks.
Further information:
QoS and Security in 4G Networks
Web 2.0 and Social Engineering
Social engineering attacks – attacks aimed at manipulating people into providing sensitive information or access – are far more effective when the attacker has a good knowledge of their target.
Phishing attacks provide a good illustration of this fact: a crude, untargeted attack would typically involve forging an email from a major bank, online auction site or electronic cash merchant such as PayPal, stating that there is some problem with the user’s account. The email message would then invite the user to click on a supplied link and enter their username and password, which are fed back to the attacker. Such an attack is untargeted, in that it does not typically contain the recipient’s name or other identifying personal information – only citing their email address – and is sent to many users who do not use the bank, site or service that is the subject of the message.
Targeted phishing attacks, which contain identifying information specific to an intended recipient, such as a name, and are sent only to individuals with a confirmed relationship to the organisation the phishing email purports to be from, are much more likely to succeed on an individual basis, as well as yielding higher overall returns for the attacker. This is why preparation is the key to conducting successful social engineering attacks: the more information an attacker has, the more likely they will be able to craft a believable attack. According to many reports (see ‘further information’ below), targeted phishing attacks are on the rise.
The increasing prevalence of Web 2.0 has dramatically changed the landscape of social engineering attacks. Web 2.0 is shorthand for a so-called second generation of Internet based communities and networking websites, focused around user-generated content. Popular examples include Facebook and MySpace, which allow users to host photos and blogs and chat with friends.
Increasingly, people are using these kinds of sites to build up a personal presence on the Internet. While this is very exciting and progressive in many ways, it does have significant privacy and security drawbacks. As just one example, there are numerous reports of people being sacked or denied interviews when employers check their online presence and find inappropriate or offensive material.
While social engineering attackers have long scoured the Internet for e-mail addresses for possible login names, more sophisticated attacks use the Internet to obtain information about the company and the individual being targeted. If a person has a presence on sites such as Facebook, there is an increased likelihood that an attacker can obtain enough information to craft an effective phishing email or story for a phone call.
So what can companies do to protect themselves? Firstly, they should realise and adapt to the fact that personal information sharing through Web 2.0 communities is becoming integral to online culture. Information security awareness programs should include coverage of Web 2.0 and the importance of controlling the spread of company-related information. Such programs should also include the threat of social engineering, and approaches and responses for staff to address this threat.
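The phishing pattern described above (a message impersonating a bank or payment service, a generic salutation rather than the recipient's name, and a link that collects a username and password) can be surfaced by a mail gateway or awareness tool before the user clicks. The following is an added example, not code from SIFT or from the original note; it uses only the Python standard library, and both sample messages and every domain name in them are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: purports to come from examplebank.com, but the link's
# visible text and its real destination disagree, and the salutation is generic.
PHISH_RAW = """\
From: Example Bank Security <alerts@examplebank.com>
To: someone@example.net
Subject: Action required: problem with your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued customer,</p>
<p>We detected a problem with your account. Please visit
<a href="http://examplebank.com.login-verify.example/secure">
https://www.examplebank.com/login</a> to confirm your username and password.</p>
</body></html>
"""

# Constructed sample of a legitimate notice: named recipient, link stays on
# the sender's own domain, no request for credentials.
CLEAN_RAW = """\
From: Example Bank <statements@examplebank.com>
To: alice@example.net
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Alice,</p>
<p>Your statement is available: <a href="https://www.examplebank.com/statements">View statement</a></p>
</body></html>
"""

GENERIC_SALUTATION = re.compile(
    r"dear\s+(valued\s+)?(customer|user|member|client|account\s+holder)", re.I)
LOOKS_LIKE_HOST = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
CREDENTIAL_WORDS = re.compile(r"\b(username|password)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a> element

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host: str) -> str:
    """Approximate the owning domain as the last two labels. Adequate for the
    example; a production gateway would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(url_or_host: str) -> str:
    """Owning domain of a URL, or of bare text that looks like a host."""
    candidate = url_or_host.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return registrable_domain(urlparse(candidate).hostname or "")


def analyse(raw: str) -> dict:
    """Return the sender domain, extracted links and a list of phishing indicators."""
    msg = message_from_string(raw)
    sender_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        href_dom = domain_of(href)
        # Visible URL text pointing somewhere else is the classic credential-lure sign.
        if LOOKS_LIKE_HOST.match(text) and domain_of(text) != href_dom:
            findings.append(f"link text shows {domain_of(text)} but points to {href_dom}")
        if href_dom != sender_domain:
            findings.append(f"link to {href_dom} does not match sender domain {sender_domain}")
    if GENERIC_SALUTATION.search(body):
        findings.append("generic salutation, no recipient name: untargeted pattern")
    if CREDENTIAL_WORDS.search(body):
        findings.append("body asks for login details")
    return {"sender_domain": sender_domain, "links": collector.links, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("clean", CLEAN_RAW)):
        print(label, analyse(raw)["findings"])
```

Each indicator on its own is weak (legitimate mail also uses third-party link hosts, and a targeted attack will use the recipient's name), so a gateway would weight and combine them rather than block on any one; the point for an awareness program is that the link mismatch and the credential request are the signs staff can be taught to check themselves.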
Further information:
Anti-Phishing Working Group - Resources
Report: Targeted e-mail attacks increasing
Job candidates get tripped up by Facebook
Worker sacked for online attack on boss
Non-Intrusive vs Intrusive Penetration Testing
Penetration testing is a method of security assurance that aims to realistically simulate malicious activity from attackers in order to identify vulnerabilities in configuration and implementation. The two main styles of penetration testing employed by information security professionals are non-intrusive and intrusive testing and each has its place in identifying vulnerabilities.
Non-intrusive testing aims to minimise disruption to daily business operations and, as the name suggests, does not include attempts to compromise systems by exploiting identified vulnerabilities. This style of testing typically involves port, service and vulnerability scanning, and its primary objective is to identify vulnerabilities without adversely affecting systems or the network environment. The benefit of this approach is a minimised risk of service disruption or data loss, whilst still achieving the identification of vulnerabilities.
On the other hand, intrusive testing involves not only identifying vulnerabilities, but also exploiting them in order to penetrate deeper into the system or network with the ultimate goal of gaining access to the most critical components of the environment. In doing so, the potential impacts of a successful attack are made more visible to system stakeholders as they can be more accurately qualified and quantified. An additional benefit of intrusive penetration testing is that impacts can be more easily conveyed to management as they can clearly comprehend the effects on the business, such as unauthorised access to sensitive client data or the destruction of customer records, which may be difficult to grasp through the reporting of vulnerabilities and missing patches.
Although, from a technical standpoint, there may not be a major difference between the vulnerability information gathered by the two styles of penetration testing, intrusive testing can provide concrete evidence of risks through the actual compromise of systems and data. This may offer additional motivation for senior management to allocate resources to remediate identified risks. Furthermore, intrusive testing offers a more comprehensive assessment of defence-in-depth countermeasures: the successful exploitation of a vulnerability may not yield additional access if other defences are in place, in which case the penetration test serves as an effective demonstration of the defence-in-depth philosophy.
The drawback of the intrusive approach to penetration testing is the increased risk of damage resulting from the testing performed. Actively exploiting vulnerabilities can lead to a loss of data integrity, system instability and decreased performance, all of which affect the ability of the business to operate.
SIFT’s capabilities comprise both non-intrusive and intrusive styles of system penetration testing and can be tailored to meet the requirements of individual client engagements. Although an intrusive test results in a higher risk of service disruption, it arguably provides a more thorough assessment of the system environment and the impacts of a successful attack.