SIFT Note 2007-02 - 15 Jun 07
SIFT Grows Security Services Team Through Merger
It gives me great pleasure to announce that SIFT has concluded an agreement to merge the information security consulting and services business of Safecoms Secure IT into SIFT's existing information security consulting and services operations, positioning the combined firm for continued growth in the Asia-Pacific information security services market.
From the perspective of our customers, it is very much a case of "business as usual" (same people, same services, same commitment to quality and customer satisfaction), but with a larger team providing additional depth and breadth of resources and experience.
SIFT's CEO and co-founder Nick Ellsmore will continue to lead the combined company, which now services over 100 clients including a majority of the ASX top 20 companies, along with State & Federal Government agencies, and multi-national corporations.
The Safecoms information security consulting and services business will initially operate as a division of SIFT, and we are currently going through a transition process including integration of systems, business processes and facilities. The current operational and staffing structure of the SIFT consulting and services business is unchanged, with the addition of access to Safecoms' resources.
SIFT and Safecoms are both leading providers of information security consulting, intelligence and training services, with operations throughout Australia. The integration of the two businesses brings economies of scale, highly complementary staff skill sets, a very similar client profile and a shared commitment to integrity and quality of service.
SIFT continues to be a key player in the Australian information security services market. While consolidation works its way through the industry, SIFT remains a consistent and trusted provider to Australian business.
Further information:
SafeComs Secure IT
Securing Your Database From Prying Eyes
Compliance with standards such as the Payment Card Industry Data Security Standard (PCI DSS) requires that stored cardholder data, in particular a card's Primary Account Number (PAN), be rendered unreadable so that it cannot be stolen and misused; strong encryption is the usual way of achieving this. As most of this sensitive information is held in databases, the information in those databases may need to be encrypted.
The purpose of database encryption is to keep data confidential even from an attacker who has obtained the stored database files: once an attacker has the files, reading their contents is otherwise trivial. Encrypting the data renders it unreadable without the keys and the passwords that protect them. This protects sensitive data in scenarios such as:
- An attacker compromising the server hosting the database;
- A rogue administrator of the host or storage (as opposed to the database itself) attempting to access confidential data; or
- Theft of physical media, including backups.
Database encryption provides another layer in any defence in depth strategy.
Database encryption has become less complicated now that the leading database platforms support it natively. Previously, businesses either purchased third-party encryption products, each with its own configuration complexity, or developed encryption and key-management code in-house. With encryption at the database level the database manages its own key hierarchy, which simplifies key management, but two caveats remain: the root of that hierarchy (a master key password or certificate) still has to be protected and backed up outside the database, and any database user permitted to open the keys, a DBA included, can read the data in clear.
Database-level encryption also has performance implications. Each encrypt and decrypt operation adds to the time the database takes to store or retrieve a value. Transparent, whole-database encryption decrypts pages as they are read, so indexes and queries are unaffected, but for the same reason it hands the data in clear to every authorised query. Column-level encryption of individual fields gives finer control, but because each ciphertext is randomised an index on the encrypted column is useless for searching: range, prefix and LIKE queries become full scans with a decrypt per row, and even exact-match lookups need a separate keyed-hash column to search on. It is therefore wise to encrypt only the fields that hold sensitive data, and to choose the mechanism according to how those fields are queried.
Encryption also complicates backups. For it to manage the risk of exposure through theft of backup media, the encryption keys must be stored separately from the encrypted data being backed up. When a backup has to be restored, the keys and their corresponding passwords are needed before the restored data can be read, so a damaged key file or a forgotten password renders the encrypted backup useless. The key backups therefore need the same care as the data backups: copies held where the data is not, and restores that are actually tested.
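The key-separation and indexing points above, worked through as an added illustration (my code, not SIFT's and not any database vendor's): the PAN is encrypted under a master key that lives in a separate passphrase-protected key file, lookups go through a keyed blind index so the ciphertext itself is never searched, and a backup restored without the key file, or with the wrong passphrase, yields nothing. The cipher is a standard-library stand-in for the AES a real database would use; the function names, the key-file layout and the sample PANs are assumptions.

```python
"""Field-level encryption of a card PAN with the key held outside the
database and a keyed 'blind index' for exact-match lookups. Added
illustration for this note, not SIFT's or any DBMS vendor's code; the
key-file layout, names and sample PANs are assumptions."""
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ROUNDS = 100_000

def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent key for one purpose from the master key."""
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher so the example runs on the standard library alone:
    # HMAC-SHA256 in counter mode. A real deployment uses the DBMS's AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(master: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; encrypt-then-MAC with a fresh nonce per call."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_field(master: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted ciphertext")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))

def blind_index(master: bytes, pan: str) -> bytes:
    """Keyed hash of the PAN under a key that decrypts nothing. Equal PANs
    give equal values, so the column can be indexed for exact matches;
    prefix, range and LIKE searches remain impossible."""
    return hmac.new(_subkey(master, b"index"), pan.encode(), hashlib.sha256).digest()[:16]

def make_key_file(passphrase: str) -> bytes:
    """A random master key wrapped under a passphrase: this blob is the
    'key file' that must be kept apart from the database backups."""
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return salt + encrypt_field(kek, secrets.token_bytes(32))

def unlock_key_file(key_file: bytes, passphrase: str) -> bytes:
    salt, wrapped = key_file[:16], key_file[16:]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    return decrypt_field(kek, wrapped)  # ValueError on a wrong passphrase or a damaged file

def open_card_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan_idx BLOB, pan_enc BLOB)")
    conn.execute("CREATE INDEX cards_pan ON cards (pan_idx)")  # index the blind index, never the ciphertext
    return conn

def store_card(conn, master: bytes, holder: str, pan: str) -> None:
    conn.execute("INSERT INTO cards (holder, pan_idx, pan_enc) VALUES (?, ?, ?)",
                 (holder, blind_index(master, pan), encrypt_field(master, pan.encode())))

def find_card(conn, master: bytes, pan: str):
    row = conn.execute("SELECT holder, pan_enc FROM cards WHERE pan_idx = ?",
                       (blind_index(master, pan),)).fetchone()
    return None if row is None else (row[0], decrypt_field(master, row[1]).decode())

def backup_reveals(conn, pan: str) -> bool:
    """What a thief of the backup file sees: does the PAN appear anywhere in clear?"""
    return any(pan.encode() in bytes(row[0]) for row in conn.execute("SELECT pan_enc FROM cards"))

def run_demo() -> dict:
    passphrase = "correct horse battery staple"  # assumed operator passphrase
    key_file = make_key_file(passphrase)          # stored apart from the database backup
    master = unlock_key_file(key_file, passphrase)
    conn = open_card_db()
    store_card(conn, master, "A. Customer", "4111111111111111")  # constructed test PANs
    store_card(conn, master, "B. Customer", "5555555555554444")
    try:
        unlock_key_file(key_file, "guessed passphrase")
        restore_without_key = True
    except ValueError:
        restore_without_key = False
    return {"lookup": find_card(conn, master, "4111111111111111"),
            "unknown": find_card(conn, master, "4242424242424242"),
            "pan_in_backup": backup_reveals(conn, "4111111111111111"),
            "restore_without_key": restore_without_key}

if __name__ == "__main__":
    print(run_demo())
```

The index key is derived one-way from the master key, so a copy of the blind-index column together with its key cannot be turned back into PANs, but because the PAN space is small a blind index must still be treated as sensitive and its key kept with the other keys, not with the data.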
While the majority of enterprise database applications have adopted internal database encryption mechanisms, it is important to consider the implications of encryption before implementation. As long as the impact of encryption is carefully considered, organisations can gain an additional layer of security, which is increasingly required by industry standards to protect sensitive information.
Further information:
Transparent Data Encryption
Understanding Encryption and Transport-Layer Security - SQL Anywhere Studio 9.0.2
Microsoft SQL - Encryption Hierarchy
Risk Management: Safe Email Usage
Email is relied upon more and more as an essential tool for exchanging sensitive information and documents, not least to allow staff to work remotely. Privacy compromises caused by simple user error are, however, common.
One such incident occurred in July 2001, when the office of the then California Governor Gray Davis inadvertently released information that was meant to be secret through a misdirected email. The email contained data on the state's power purchases, information which the Governor said would compromise negotiations for future contracts.
Carvalho and Cohen of Carnegie Mellon University recently published a paper entitled “Preventing Information Leaks in Email” which addresses a number of privacy concerns arising from the use of email. The paper indicated that information leaks can severely harm both individuals and corporations – resulting in “expensive law suits, brand reputation damage, negotiation setbacks and severe financial losses”.
The paper presents a method for detecting likely misdirected messages: the text of a new message is compared with the messages previously sent to each of its recipients, and a recipient whose past correspondence differs markedly from the new message is flagged as a possible leak. In the authors' tests this correctly identified the leaked email in almost 82% of cases.
While the paper suggests this technique can readily be built into email client software, a number of existing measures can also be applied. For example, requiring users to encrypt classified emails not only protects the message content but adds a step at which the sender may notice a wrong address; and because encrypting to a recipient needs that recipient's public key, a message to a mistyped address frequently cannot be encrypted at all and so never leaves the organisation.
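A simplified version of the similarity check just described, added here as an illustration (my code, not the paper's): one bag of words per recipient built from the mail previously sent to them, TF-IDF weighting, and a cosine score between the draft and each recipient's history. The mail history, the addresses and the 0.2 threshold are constructed for the example; Carvalho and Cohen's detector also uses other features and was tuned on real corpora, so nothing here bears on their 82% figure.

```python
"""Recipient check in the spirit of Carvalho and Cohen's leak detector:
compare a draft with the mail previously sent to each addressee and flag
addressees whose history looks nothing like the draft. Added example,
not the paper's own code; only the text-similarity part, simplified to
TF-IDF and cosine, over a constructed mail history."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample history: (recipient, body of an earlier message).
PAST_MAIL = [
    ("alice@energy.example", "draft power purchase agreement pricing per megawatt hour for the summer contracts"),
    ("alice@energy.example", "updated pricing schedule for the power purchase negotiations attached"),
    ("carol@legal.example", "please review the contract negotiation position before the power purchase meeting"),
    ("dave@press.example", "media statement on the state budget speech scheduled for thursday"),
    ("dave@press.example", "press release wording for the governor education announcement"),
]

TOKEN = re.compile(r"[a-z0-9]+")
LEAK_THRESHOLD = 0.2  # assumed; tune against real history

def tokens(text: str) -> list:
    return TOKEN.findall(text.lower())

def build_profiles(history):
    """One bag of words per recipient, plus document frequencies for IDF."""
    profiles, df = defaultdict(Counter), Counter()
    for recipient, body in history:
        toks = tokens(body)
        profiles[recipient].update(toks)
        df.update(set(toks))
    return profiles, df, len(history)

def tfidf(bag: Counter, df: Counter, n_docs: int) -> dict:
    # Smoothed IDF: unseen terms still get a finite, high weight.
    return {t: c * (math.log((1 + n_docs) / (1 + df[t])) + 1) for t, c in bag.items()}

def cosine(a: dict, b: dict) -> float:
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def check_recipients(draft: str, recipients, history=PAST_MAIL, threshold=LEAK_THRESHOLD) -> dict:
    """Map each recipient to (verdict, similarity). 'possible leak' means the
    draft resembles nothing previously sent to that address."""
    profiles, df, n = build_profiles(history)
    draft_vec = tfidf(Counter(tokens(draft)), df, n)
    result = {}
    for r in recipients:
        if r not in profiles:
            result[r] = ("no history", 0.0)  # cannot judge; a prompt to the sender is still sensible
            continue
        score = cosine(draft_vec, tfidf(profiles[r], df, n))
        result[r] = ("ok" if score >= threshold else "possible leak", round(score, 3))
    return result

if __name__ == "__main__":
    draft = "confidential pricing for the power purchase contracts, do not forward"
    for addr, (verdict, score) in check_recipients(draft, ["alice@energy.example", "dave@press.example"]).items():
        print(f"{addr:24} {score:.3f} {verdict}")
```

In the run above the draft about power-purchase pricing scores well against the energy contact and poorly against the press contact, which is the misdirection pattern of the Davis incident. A real deployment would build the profiles from the sent-items folder and present the flagged address to the user before the message goes out, rather than blocking it outright.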
Privacy concerns aren’t limited only to the content of the messages, but also email addresses themselves. For example, in July 2005, PayPal received much attention for a piece of buggy “unsubscribe” request software which left customer email addresses exposed to attackers. Whilst the attack only revealed a small number of email addresses, the leak demonstrated the sensitivity of this information.
Despite these publicised incidents, the average email user will likely make mistakes which threaten privacy on a daily basis. For example, SIFT staff recently received an email from an information security conference organiser containing 303 unique email addresses in the “To” field. Even within the security industry, users often forget the techniques for safe email usage.
User education on the use and functionality of the carbon copy (CC) and blind carbon copy (BCC) features is essential for any organisation that conducts business via email. In general:
- The “To” field should only be used for recipients whom the email directly concerns;
- The “CC” field should generally be used for recipients, who are indirectly involved in the content and whose involvement you would like the direct recipients to be aware of; and
- The “BCC” field, on the other hand, should always be used when sending to a group of recipients who are not directly associated with each other on the matter discussed, for example a mailing list, so that no recipient sees the others' addresses.
Furthermore, organisations may also consider formally documenting these processes in corporate policy for email usage where operations require extensive collaboration on sensitive projects via email.
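A concrete way to enforce the To/CC/BCC rules at the point of sending, added as an illustration (my code, not SIFT's): the gate refuses a draft whose To or CC fields expose more than a policy-defined number of addresses, and for a BCC'd group it places the addresses only in the SMTP envelope while deleting the Bcc header from the bytes that every recipient will receive. The addresses, the ten-recipient limit and the sample announcement are assumptions.

```python
"""Outgoing-mail gate for the To/Cc/Bcc rules above: Bcc addresses travel
only in the SMTP envelope and are stripped from the headers, and a draft
that exposes a long recipient list in To or Cc is refused. Added example
(not SIFT's code); addresses and the policy limit are assumptions."""
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 10  # assumed policy: a larger group belongs in Bcc

def _addresses(msg: EmailMessage, *fields) -> list:
    """Bare addresses from the named header fields, in order, without duplicates."""
    raw = []
    for field in fields:
        raw.extend(msg.get_all(field, []))
    return list(dict.fromkeys(addr for _, addr in getaddresses(raw) if addr))

def prepare_for_transmission(msg: EmailMessage):
    """Return (envelope recipients, wire bytes) for SMTP. The bytes are what
    every recipient receives, so Bcc must not appear in them; the envelope
    is what the MTA delivers to, so Bcc must appear there."""
    visible = _addresses(msg, "To", "Cc")
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        raise ValueError(f"{len(visible)} addresses visible in To/Cc; send to the group via Bcc")
    envelope = _addresses(msg, "To", "Cc", "Bcc", "Resent-Bcc")
    if not envelope:
        raise ValueError("message has no recipients")
    outgoing = message_from_bytes(msg.as_bytes(), policy=msg.policy)  # work on a copy
    del outgoing["Bcc"]         # del removes every instance of the header
    del outgoing["Resent-Bcc"]
    return envelope, outgoing.as_bytes()

def build_announcement(sender: str, group: list, use_bcc: bool) -> EmailMessage:
    """Constructed conference-style mass mailing, either leaking the list in To or hiding it in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Programme update"
    msg.set_content("The revised programme is attached.")
    if use_bcc:
        msg["To"] = sender             # addressed to ourselves; the group is blind-copied
        msg["Bcc"] = ", ".join(group)
    else:
        msg["To"] = ", ".join(group)   # every attendee sees every other attendee
    return msg

def run_demo() -> dict:
    group = [f"attendee{i}@example.org" for i in range(1, 13)]  # constructed, 12 addresses
    sender = "organiser@conference.example"
    try:
        prepare_for_transmission(build_announcement(sender, group, use_bcc=False))
        leaky_refused = False
    except ValueError:
        leaky_refused = True
    envelope, wire = prepare_for_transmission(build_announcement(sender, group, use_bcc=True))
    # Deliver with: smtplib.SMTP(host).sendmail(sender, envelope, wire)
    return {"leaky_refused": leaky_refused,
            "delivered_to": len(envelope),
            "bcc_in_headers": b"attendee1@example.org" in wire}

if __name__ == "__main__":
    print(run_demo())
```

Python's `SMTP.send_message()` strips Bcc headers itself, but a hand-built `sendmail()` call given the unmodified message bytes does not, and that is exactly how a mailing list ends up in every recipient's inbox. The same two checks (visible-recipient count and Bcc stripping) can be placed in an outbound mail gateway, where they apply to every client in the organisation rather than to one script.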
Further information:
California Power-Buying Data Disclosed in Misdirected E-Mail
Preventing Information Leaks in Email
PayPal E-Mail Leak Brings Phishing Worries
Search Engines Expose Web Services
For several years, search engines such as Google have been automatically finding, indexing, and serving web pages that developers never intended anyone to see. The developers reasoned that if no one could see the pages, the contents of those pages didn’t matter. Malicious hackers have abused this “security through obscurity” approach to attack poorly protected and often unsuspecting web sites.
The same search engine techniques can also be used to identify poorly secured web services.
Unsecured web administration interfaces are a classic example of this problem. Developers continue to place powerful yet vulnerable system administration interfaces on public web sites, allowing any user to make configuration changes. Entire resources such as Johnny Long's website (http://johnny.ihackstuff.com) have sprung up, dedicated to finding vulnerable and interesting sites through the use of Google. More recently, in December 2004, the Santy worm used Google searches to locate vulnerable phpBB forum installations and compromised many thousands of web servers around the world.
A web service only responds to requests in the exact form it expects: the endpoint address, the operations it offers and the types of their parameters. Without that information it is very difficult to coax useful results out of a service. The Web Services Description Language (WSDL) was created and standardised to ease this interoperability problem by describing a service in machine-readable form, and in most cases a WSDL is published precisely so that other parties can use the service.
Problems arise when the developer is unaware that the platform publishes a WSDL for every service automatically, or when the service is meant to be kept private. An ASP.NET web service at Service.asmx returns its generated WSDL in response to a request for Service.asmx?wsdl, so entering the phrase "asmx?wsdl" into Google finds .NET web services whose descriptions have been indexed. At the time of writing Google returned an amazing ten thousand three hundred (10,300) results. Most of these have been made public on purpose, but a significant proportion identify an unwanted exposure of web services that their developers assumed to be private.
Publishing WSDL documents may expose organisations to unnecessary risk. Decisions to publish them should be examined closely for security issues and weighed against the usability gains. A worthwhile alternative is for organisations to deliver WSDL files to the entities that need them out-of-band instead (eg. email, mail, or ftp), which reduces the exposure that comes from the WSDL being available to anyone. Note, however, that if the platform still generates the WSDL on request, anyone who knows or guesses the endpoint can fetch it whether or not a search engine has indexed it, so automatic generation must be disabled for out-of-band delivery to mean anything. Nor should this method alone be considered a complete solution: a service whose description is secret is still reachable, and defence-in-depth practices (authentication, input validation, access control on the endpoint) still need to be implemented.
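A self-assessment for the exposure described above, added as an illustration (my script, not SIFT's tooling): for each of your own ASP.NET .asmx endpoints it requests ?wsdl and reports which ones return a WSDL document, which is also what the search engines will have indexed if those URLs are crawlable. The fetch routine is injectable, so the run at the bottom uses constructed responses and no network; the host names, the responses and the function names are assumptions.

```python
"""Self-assessment for WSDL disclosure on an organisation's own ASP.NET
web-service endpoints: request each .asmx URL with ?wsdl and report those
that hand back a service description. Added example, not from the note;
the fetcher is injectable, so the demo run uses constructed responses."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

def wsdl_url(endpoint: str) -> str:
    """ASP.NET serves the generated WSDL at <service>.asmx?wsdl (case-insensitive)."""
    p = urlsplit(endpoint)
    return urlunsplit((p.scheme, p.netloc, p.path, "wsdl", ""))

def looks_like_wsdl(body: bytes) -> bool:
    """A WSDL 1.1 document has a <definitions> root in the WSDL namespace."""
    return (b"http://schemas.xmlsoap.org/wsdl/" in body
            and re.search(rb"<(?:\w+:)?definitions\b", body) is not None)

def http_fetch(url: str, timeout: float = 10.0):
    """Live fetcher for use against your own hosts: returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "wsdl-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(1 << 20)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""

def check_endpoints(endpoints, fetch=http_fetch) -> dict:
    """Map each endpoint to a verdict; only 'WSDL exposed' needs action."""
    findings = {}
    for ep in endpoints:
        status, body = fetch(wsdl_url(ep))
        if status is None:
            findings[ep] = "unreachable"
        elif status == 200 and looks_like_wsdl(body):
            findings[ep] = "WSDL exposed"
        elif status == 200:
            findings[ep] = "reachable, WSDL not served"
        else:
            findings[ep] = f"HTTP {status}"
    return findings

# Constructed responses standing in for three internal endpoints: one that
# still generates its WSDL, one where generation has been switched off, one gone.
FAKE_RESPONSES = {
    "https://apps.example/Payments.asmx?wsdl": (200, (
        b'<?xml version="1.0" encoding="utf-8"?>'
        b'<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" targetNamespace="http://apps.example/">'
        b'<wsdl:portType name="PaymentsSoap"><wsdl:operation name="Refund"/></wsdl:portType>'
        b'</wsdl:definitions>')),
    "https://apps.example/Status.asmx?wsdl": (200, b"<html><body>Request format is unrecognized.</body></html>"),
    "https://apps.example/Legacy.asmx?wsdl": (404, b""),
}

def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (None, b""))

def run_demo() -> dict:
    return check_endpoints(["https://apps.example/Payments.asmx", "https://apps.example/Status.asmx",
                            "https://apps.example/Legacy.asmx", "https://apps.example/Gone.asmx"],
                           fetch=fake_fetch)

if __name__ == "__main__":
    for ep, verdict in run_demo().items():
        print(f"{verdict:28} {ep}")
```

Run it for real with `check_endpoints(urls)` over the list of your own service URLs, taken from the web server's logs or deployment records rather than from a search engine. For ASP.NET the switch that stops both the automatic WSDL and the HTML test page is the Documentation protocol: removing it with `<remove name="Documentation"/>` under `<system.web><webServices><protocols>` in web.config turns generation off for every service in the application. Hiding the URL from Google with robots.txt helps nothing against an attacker who already knows the path.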
Awareness of the power of search engines such as Google is crucial to the security of all web applications. In the wrong hands, sophisticated search engines can be used as excellent target discovery tools for web services. Until stakeholders in web services fully consider the information being made available to the Internet, these systems will suffer a similar fate to standard web applications – continual security breaches with the aid of search engines.
Further information:
Google Hacks
Google Search Demonstration