Author: Stevie Heong (Page 3 of 3)

Stopping Insider Scans

I’ll admit it. I’ve knocked on doors before, while sitting at Starbucks.

“Knocking on doors” here means running port scanners like Nmap, or vulnerability scanners like Nessus or Nexpose, to see if that guy in the suit across the room is using a laptop that’s vulnerable to exploits. I was much younger then. WiFi had just been introduced, and to a guy born with a curious mind like mine, this was exciting stuff. I wasn’t a hacker or cracker by any means, nor did I dwell much on writing malicious scripts; it was just curiosity that got me going.

I soon found myself on the good side of the law, running DHL’s global security group in Asia, where I faced monumental challenges like random denial-of-service attacks and naughty scans from outside.

However, it is usually the insiders that do us in.

I’m sure you’ve heard it before: a secured perimeter is only as strong as its weakest link. And the weakest link is usually inside. A disgruntled employee. A corporate spy. A curious, idle employee with too much time on his hands who reads too many Network Security Online articles. Whatever the case, every company will have its day in the sun. It’s just a matter of when.

For instance, we ran our penetration testing services for a network. We usually don’t have too many issues in the scanning phase, where we enumerate services and probe a little for vulnerabilities. Our standard process was to inform our client before we ran exploits. One thing we’ve learnt in almost every project we’ve done:

Not everything goes according to plan.

It was an internal penetration test, but we weren’t given many details on the network or servers, as agreed, and we ran scans against several IPs at once. Soon, our client’s technical contact came back to tell us that their servers were not doing too well, and one of the virtual servers running HA had rebooted. We immediately stopped the scans and realised that the IPs given were all running on VMs. Nessus and VMs do not play nice. Do a search on Nessus and VMs and pick your poison.

Thankfully, nothing serious occurred, which shows us again how important it is to have people ready and on standby, especially during a pentest, and to follow set procedures and standards. We continued the pentest exercise with greater care, taking into account the known problems between Nessus and VMs, and using alternative scanners.

Which shows how simple it is for someone to DoS (Denial of Service) a network with just a vanilla Nessus run. What can a company do about it?

Well, there are several options:

1) IPS/IDS (Intrusion Prevention/Detection System). These babies usually sit at the network choke points and work wonders to detect scans and stop them, among other things. We used to run TippingPoint a lot in my previous companies. The problem here is that for a flat network, how do we want to run this? The servers need to be segregated into their own server segment, with an IPS laid out in front of that segment. In a flat network where everything is plugged into a single IP address space, it still can be done, I suppose, but probably not in the best way.

2) HIPS/HIDS (Host IPS/IDS). It’s like a minigun compared to a Gatling gun. It runs on critical servers and works about the same way, except that the network interface gets hit before the intrusion prevention service kicks in. It’s pretty effective, and we ran a lot of Symantec previously.

3) If those don’t do the trick, then we could probably secure every endpoint. If we want to stop internal attacks, the best way is to properly guard your assets. Control all your laptops through proper asset management: no administrative capability to install Nessus, and an asset scan to ensure nothing naughty has somehow been installed by enterprising employees. You might want to control or choke off the USB ports as well.

4) Finally, set corporate policies. Many companies fail to do this and we don’t know why. Document what will happen if activities like scanning are carried out. Make sure employees understand their obligations to the company and sign acceptable use policies before they are given corporate-owned assets, bought with corporate money. Sometimes a little awareness works better at prevention.

There are probably other ways I’ve missed, but generally this is how we’d deal with idle employees with too much time on their hands scanning our network. That, and putting them on a cold-storage project to wash out their curiosity, maybe.
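As an added example (not the author’s code, and not any IDS product’s logic), here is the kind of check that the network or host IDS in options 1 and 2 performs, written in Python over a few constructed firewall-style log lines. It flags a source that touches many distinct ports on one host inside a short window, which is what a vanilla Nmap or Nessus run looks like on the wire, and also a source that hits one port across many hosts. The log format, the 60-second window and the two thresholds are assumptions for the example.

```python
"""Toy scan detector over firewall-style connection logs (added example).

Flags a source that hits many distinct ports on one host (vertical scan,
the shape of a vanilla Nmap/Nessus run) or one port across many hosts
(horizontal sweep) within a sliding time window.  The log format, window
and thresholds are assumptions for this example, not any product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed detection window
VERTICAL_PORTS = 20              # distinct ports on one host -> alert
HORIZONTAL_HOSTS = 10            # distinct hosts on one port -> alert


def parse_line(line):
    """Parse 'ISO-timestamp src=... dst=... dport=... action=...' into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": kv["src"],
        "dst": kv["dst"],
        "dport": int(kv["dport"]),
        "action": kv["action"],
    }


def detect_scans(lines):
    """Return {(kind, src, target): largest distinct count seen in any window}.

    kind is 'vertical' (target = host) or 'horizontal' (target = port).
    Both allowed and denied connections count: a scanner hits open ports too.
    """
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end, cur in enumerate(evs):
            # slide the window so it holds only events within WINDOW of cur
            while cur["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            ports_per_dst = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for w in evs[start:end + 1]:
                ports_per_dst[w["dst"]].add(w["dport"])
                hosts_per_port[w["dport"]].add(w["dst"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= VERTICAL_PORTS:
                    key = ("vertical", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= HORIZONTAL_HOSTS:
                    key = ("horizontal", src, str(port))
                    alerts[key] = max(alerts.get(key, 0), len(hosts))
    return alerts


# Constructed sample log: one vertical scan, one horizontal sweep, and a
# couple of legitimate HTTPS connections that must not trip the detector.
SAMPLE_LOG = (
    [f"2012-11-04T10:00:{i:02d} src=10.1.1.5 dst=10.1.2.10 dport={i + 1} action=deny"
     for i in range(25)]
    + [f"2012-11-04T10:01:{i:02d} src=10.1.1.7 dst=10.1.2.{i + 1} dport=445 action=deny"
       for i in range(12)]
    + ["2012-11-04T10:00:05 src=10.1.1.9 dst=10.1.2.10 dport=443 action=allow",
       "2012-11-04T10:05:05 src=10.1.1.9 dst=10.1.2.10 dport=443 action=allow"]
)

if __name__ == "__main__":
    for (kind, src, target), count in sorted(detect_scans(SAMPLE_LOG).items()):
        what = "ports on host" if kind == "vertical" else "hosts on port"
        print(f"{kind} scan from {src}: {count} distinct {what} {target}")
```

The sliding window is the part that matters on a flat network: a single scanner that trickles one port a minute stays under these thresholds, so a real IDS pairs this with longer windows and with the deny ratio per source, which is why the `action` field is kept in the parsed record.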

The Single Point of Failure

As technology becomes more and more advanced, we’re seeing amazing progress in the security field. Companies spend millions to keep the bad guys out. We have IPS/IDS, NACs, AVs, FWs, AAA, TACACS, ADS, IAM, SIEM and more acronyms than a typical teenager’s vocabulary. Security budgets consistently span 10 – 15% of organisation budgets, and according to the greatest oracle of all, Gartner:

“While the global economic slowdown has been putting pressure on IT budgets, security is expected to remain a priority through 2016, according to Gartner, Inc. Worldwide spending on security is expected to rise to $60 billion in 2012, up 8.4 percent from $55 billion in 2011. Gartner expects this trajectory to continue, reaching $86 billion in 2016.”

So this year, we’re seeing IT security spending equal to the GDP of Cuba. Yup, Cuba. Where Havana cigars come from and Che Guevara became famous. It sounds like a lot of money. And it will get higher. As long as more automation is done. As long as more technology is needed. As long as more day-to-day banking is needed. As long as human beings are lazier and want more things faster. Information Technology will continue to grow, and along with it, all the wonderfully naughty activities that invariably accompany such growth.

While millions are spent on equipment, many of us neglect one of the most basic problems of all.

Passwords don’t work.

That’s because humans are invariably lazy. We would rather remember the phone number of that girl we met at the bar, or the pizza takeout, than bother remembering our 12-character, alphanumeric, lower case, upper case, special character password that must not resemble an English word or name, must not be the same as the last 12 passwords we had, and is recycled every month. And yeah, it also can’t be your name, your family name, your dog’s name or the nickname you gave your car. Or your bike. Or your computer, for us geeks.

It’s a broken feature. This article is both hilarious and scary. Like a Korean horror movie.

Since biometric tech like fingerprint and face scanning is too expensive at the moment, passwords are still the de facto security problem many of us face. You can’t impose overly complicated passwords on your users or your IT service desk will be flooded with “I forgot my password” tickets. Or you will have to run a “Reset your password” feature every day. But having no password policy is also asking for it. Users will tend to use password as their password, which if you think about it, is absolutely genius if no one knows about it. It’s like doing the most stupidly obvious thing, so that your enemy would not believe you’d be stupid enough to do it. Except now, it’s a known and accepted stupidity, like lemmings falling off a cliff.

Password123, p@ssw0rd (or any other variant of that), password1, password2012 etc. all have the same funky, useless theme: we are lazy creatures. The list has some interesting ones, like abc123 (who has never used that before?) and, interestingly, Jesus, which is new. I mean, is that because a lot of IT users are Christians, or because that is the first word that comes out of people’s lips when they think “Now what on earth is my password already???!”

Since passwords will not leave us in the near future, the best way to use a password is simple, specific, and known only to you. For instance, if you met your wife in Cicero’s in June 1986, your password could be c1cer0s1986_J. Or something. Craft something that, when you see that word, you can immediately associate it with a memory you have. Or if you paraglided down Mount Mutombo in Venezuela with a guy called Hokey who then proceeded to almost kill you because you are a secret agent: Mut0mb0V3n_Hok3y_Di3! I don’t know. You get the idea.

So put away the normal passwords, and more importantly don’t ever, ever use yellow sticky notes on your cubicle, monitor, desk, pedestal, under your keyboard or under your chair. Please.

Convergence of the entire world with Tech

We’ve been talking about it for years and years. When I first started out as a young, hippie programmer who had long hair and bad breath, toiling in the underworld of Siemens, working on their WAP (Wireless Application Protocol) projects, I first came across the word convergence. There I was, fresh out of high school, on a salary so small that I wasn’t even in the tax bracket and they paid me monthly by cheque, where after everything was paid for (my small car, and food), I had about RM100 to spend on fun each month – and the word convergence was thrown around like burgers in a high school food fight.

Of course, we all know what happened to WAP. It evaporated. But it’s still the grandfather of much of the technology we take for granted today. EDGE, 3G, 4G etc. all got their start from the wonderful WAP speed of 14.4kbps, much like how today’s gigabit lines stemmed from the noisy Motorola modem running at 14.4kbps when I first came to know the internet.

Convergence is basically the coming together of different technologies. Telephony, voice, data, video etc. These are basically all converged now in our smartphones. Smart TVs that can browse the internet and videoconference with your friends. Phones that let you operate your gate and send a message to your video recorder to record the Liverpool match. Computers that double up as a coffee-holder…which has been there since the beginning of time.

And now, we see another range of convergence with Tech. The entertainment world. The recent news of Will.I.Am, the front man of Black Eyed Peas (remember, their hit, Where is the Love?) who is now Intel’s Director of Innovation, gives credence to the movement that we’ve known all along: Technology will blanket entire industries, including the entertainment and music world.

Many of course are bewildered.

According to Intel:

“In his unique role, will.i.am will collaborate with Intel on many creative and technology endeavors across the “compute continuum” that may include such devices as laptops, smart phones and tablets. Complementing his visionary role as the front man for The Black Eyed Peas, will.i.am is also already working on music expressly for Intel.”

The bewilderment stems from the fact that Intel makes chips. Not potato chips. As in computer chips. If he fronted a consumer product, it would make sense. But a chip? What are they going to do, have a “Will.I.Am Inside” Logo?

Intel knows their number is on the board. If they keep doing what they do, they will go down the path of Lucent, TI and some of the other big boys that became not so big. Intel makes chips, but their recent foray into mobile computing with their ultrabooks wasn’t a smash hit, and possibly why they had to let their CEO go. But it makes sense. For Intel’s survival, they will need to move up the food chain and start controlling more of the hardware/software line, and possibly even come out with their own brand of consumer products. That, or start shoring up for battle with guys like ARM, Qualcomm and the mobile chip players. It will likely be the former, and that’s where a guy like Will.I.Am plays a role. He will be like a vehicle to transport Intel from chip giant to snazzy new tech company.

Now, time for me to get a “Will.I.Am Inside” Ultrabook!

The Trouble With Convenience

It’s probably not the best time to be working in a bank.

Especially if you’re in Europe or the US.

Number 1, the global layoffs occurring, with HSBC announcing 30,000 job cuts in 2013. 30,000. That’s roughly 10% of its workforce. This is mainly due to operations streamlining and of course, cost cutting. Which actually isn’t bad news for our region, since we’re considered the backend of the world, and possibly, one analyst’s pay in the US is equivalent to our CIO’s take-home income. That’s just a wild, ignorant and completely ungrounded guess.

Number 2, more than ever, banks will be targeted by hackers, crackers and everything in between. Of course, with internet banking on the rise, and the fact that passwords are absolutely worthless these days, it only takes a very focused and somewhat skilled individual to exploit money away from other people. Even if they don’t, they can still cause mischief by launching DoS (Denial of Service) attacks on the target. We can’t really avoid it if we use internet banking. That’s the trouble with convenience. It gets exploited.

Again, HSBC, which seems to have fallen from one of the world’s best and most beloved banks to one that is constantly being targeted by various groups. In October, the first wave of DoS attacks hit them, and took out their UK site and many others. On November 4th, similar attacks took out the UK site again, and it was reported: “As of yet, HSBC doesn’t know what’s causing the failure, though the spokesperson said it was likely to be something affecting the “servers or mainframe”.”

Hacktivists have taken credit for HSBC downtime, but whoever it was, it was certainly disruptive to the business.

Could the bank have done anything to avoid this?

They probably could have made it harder. But DDoS is one of the most annoying things ever invented for an operational guy. And I would know. I ran the global DHL network and DDoS was on our menu. Every day.

One of the things we did for our global website was run it on Akamai’s service, which alleviated the risk somewhat. But then, even Akamai gets hit, so I suppose no one is safe. Until someone can claim they have a foolproof solution, I guess it’s something we all have to live with.

Just make sure you have a backup and IT continuity plan ready.

PKF AvantEdge First Post

It’s always a little difficult to decide how the first post should be created. Do we immediately go into what we do as a company? Do we state our vision, mission and all that corporate talk? Do we jump into what our industry is currently facing? At this moment, I am looking at the theft of secured information at NASA. How on earth does someone at NASA lose his laptop and not have whole disk encryption?

I think there will be plenty of time for that later.

Instead this first post simply states the philosophy of PKF Avant Edge. Not as an IT consulting company. Not as a professional service group. Not as a project management company. But simply, as an entity.

I have had more than 10 years of experience in the corporate world before I decided to set up the company. 10 years in 3 companies: Siemens, DHL Asia-Pacific Information Services and BlueCoat Systems. 2 German companies. 1 American. Along the way, I’ve met with people who had shaped me somewhat into what I am, people who had imparted their own brand of management, philosophies, methods, giving me waysigns to follow, and showing me characteristics I should avoid.

When PKF AvantEdge started, it had a simple goal. Make positive history. It doesn’t matter how. I wasn’t interested in being recycled into the myriad System Integration businesses out there. We’ve dealt with principals and resellers all our lives, and we were following a well-beaten path. This time, we needed to create our own history. Become a company that people want to be a part of. Create a culture of creativity. Create an environment of constant change. Find the patterns of tomorrow and pursue them today.

The last part proves the toughest. Wayne Gretzky, commonly known as the greatest ice-hockey player in history, says, “I skate to where the puck is going to be, not where it has been.” Through two and a half years, that quote has epitomized our company. We envisioned a technology landscape so integrated into the major portions of the business that regulatory compliance is unavoidable. We saw the advent of hacktivist groups like Anonymous when we started, and pitched for companies to strengthen their technical resolve. We see a movement to information plundering using social networks and media, trawling literally across the vast ocean of data to steal identity and information assets.

The future of our business landscape will be defined by corporate earthquakes like Knight Capital, which saw a $440 million trading loss caused by a software glitch, and their shares free-falling 80% in two days. Or Adobe losing 150,000 user accounts based on SQL injection. Or take-your-pick ERP implementation disasters that run into the millions with no results at the end.

While I’m not saying that we are market leaders in tech consulting currently (by any stretch of the imagination), I believe this is where the puck is going. Regulatory controls, more stringent requirements, certified and accredited qualifications of practitioners. It will look more like the banking landscape in a few years’ time.

Now, we can move on and discuss how those geniuses at NASA can fail to encrypt their laptops...

© 2024 PKF AvantEdge