Webpage of Eric Verheul
I am a part-time professor in the Digital Security Group of the Radboud
University Nijmegen and I am scientifically active in the field of information
security, i.e., the field that deals with the protection of the confidentiality,
integrity and availability of information. I also provide consultancy to
organizations on information security, which inspires my research/education and
vice versa.
My inaugural lecture given on Thursday 30
January 2014 in Nijmegen (in Dutch).
Google
Scholar list with citations.
These are some of my papers and
(selected) presentations.
Below I have written some of
my ideas on information security.
The playing field: the increasing challenge of information security
Lack of senior management commitment and awareness
Roughly speaking, information security consists of security management
and technical (operational) security. Technical information security deals with
the development of IT security products and surrounding processes that help
organizations to protect their information. Although technical information
security is an important part of information security, it needs to be aligned
with security management. Security management is the counterpart of technical
information security and deals with the way management of an organization is
(or rather should be) in control of business information security risks.
Security management is the engine of information security, as it drives
information security. A common framework for security management is defined in
the ISO 27001 standard, which is based on a continuous Plan-Do-Check-Act cycle. I think
that the alignment of technical information security with security management
is the real challenge in information security: using the right IT security
products to control the real business risks. And that is different from running
all the IT security products the organization’s IT department can think of
without any meaningful involvement from senior management, which is too often
the situation.
To identify the real business risks, thorough risk assessments need to
be conducted. [Endnote 1]
Adequate information security within organizations also requires real
commitment and security awareness from senior management. In my experience,
senior management is sometimes naive with respect to the information security
risks of their organizations. And with the rise of (targeted) attacks, see below,
such naivety is getting more and more dangerous. It seems that senior management
of some organizations first needs a serious security incident before it acts.
If the organization notices the incident at all, that is. Certainly for incidents
where the confidentiality of information is involved (e.g., privacy, commercially
sensitive information, intellectual property), chances are that organizations do
not notice their occurrence at all. [Endnote 2]
As a mildly amusing anecdote on management awareness: in 2003 I thought
that the so-called clipboard vulnerability exploit in Internet Explorer was a
convincing demonstration of the pitiful state of security in commonly used IT.
This exploit implies that any website has access to the information in a user’s
clipboard through Internet Explorer (the internal memory buffer you fill when
you use copy-paste in Word, Outlook and the like). Just think of the
implications: any text you copy and paste is readable on the internet. That
could be passwords, parts of sensitive emails, privileged stock exchange
information enabling trading with prior knowledge, et cetera. And of course, by
using automatically refreshing web pages, an attacker could continuously monitor
the contents of a user’s clipboard! I demonstrated the vulnerability to senior
management of several organizations, but nobody seemed to be really impressed
and I finally gave up. Their response would typically be that it was a ‘techie’
thing and ‘who could seriously be interested in my information?’. Baffling. But
it explains why security professionals currently still might have a hard time
explaining the seriousness of possible targeted attacks (see below) at their
organization. They might get the same reaction: ‘it is a “techie” thing’ and
‘who could seriously be interested in my information?’ Just wait, I guess, and
finally you will see who was interested. [Endnote 3]
The rapidly increasing challenge and the power of money
The trouble is that the challenge of information security is rapidly
getting bigger every day, and security professionals are increasingly lagging
behind their opponents. This challenge is getting harder with the rapid
development of:
· security exploits in ICT and its usage, arising from the functionality thirst of users;
· the threat to information from internationally organized crime and intelligence agencies of
hostile nation states in their quest for money and/or power.
If security professionals used to be one step behind, currently they are
two steps behind. One can argue that international organized crime is gradually
getting the capabilities that were previously limited to intelligence agencies,
with the big difference that organized crime seems to care less when its
activities get exposed. To indicate: due to the organization required for it,
breaking cryptographic keys used to be the prerogative of intelligence
agencies. But nowadays organized crime also seems organized enough to invest in
breaking keys, as is indicated by this Fox-IT report. I actually worry that
perhaps the scientific community, e.g. computer science students, is unknowingly
providing technical assistance to organized crime. The rise of the involvement
of organized crime in cybercrime therefore also opens a new potential for
plausible deniability for intelligence agencies.
And do not underestimate the power of (tax-less) money. I always like to
play the following game with my colleagues to demonstrate the power of money:
“Suppose it’s a Friday afternoon and we have a difficult report
to finish for this important client in New York (i.e. in a time zone -6 hours
from ours) that expects the report today. It’s your girlfriend’s birthday and
you planned this wonderful evening out, but I, as the project manager,
am trying to persuade you to keep working on the report all evening and part of
the night too. Would you be persuaded to keep working on the report if I
promised to give you the best job appraisal there is? No, probably not; your
girlfriend would simply not accept that. But what if I promise you 2.000 Euro
in cash if you work the whole evening/night?”
Most of the colleagues I played this game with would be persuaded by
the 2.000 Euro cash reward; the ones that wouldn’t didn’t have a girlfriend
to start with.
Visible indications of the challenge
There are many visible indications of the increase of the information
security challenge. These indications can for instance be found in the fraud
figures in e-banking published by banks. In the Netherlands this figure was 1.9
million Euro in 2009, 9.8 million Euro in 2010 and 11.2 million Euro in only
the first half of 2011. See NVB
and AD.
Indications can also be found in the rise of attacks from the internet on key persons
(or their secretaries) of organizations, whereby they are lured to open email
attachments or to visit certain reliable-looking websites. The objective is
deception or, more extreme, retrieval of information by placing espionage
software through the attachment or website. The espionage software effectively
allows the attacker to take over the attacked workstation, including its webcam
and microphone, and to access the file servers the attacked person has access to.
This perhaps sounds like the script of a bad movie, but this happens, and more
and more often too. And of course only a small portion of these attacks is
identified and/or publicized.
One of the first publicly documented incidents of this type originates
from 2008 with an attack on the Dalai Lama from Chinese soil (GhostNet),
whereby more than 1200 (!) computers in 103 countries were compromised, of which
30% can be considered high-value diplomatic, political, economic and
military targets. Recently, targeted attacks took place in Canada
and Norway.
Moreover, the software facilitating the takeover of computers is getting more and
more user-friendly too, as is indicated by the user interface of the SpyEye bot below. SpyEye is one
of the successors of the Zeus bot. In fact, a whole service-oriented criminal
industry is emerging: some criminal organizations take care of finding the
vulnerabilities (exploits), others use the exploits in malicious code
(attachments, websites) and couple them with code to be run on the victim’s
machine (payload, typically rootkits) that provides other parties
the service of loading bots like Torpig and SpyEye, and finally there are people who take care of the
configuration of the bots themselves, meticulously analysing the websites they
aim to harvest from the infection. Depending on the actual attack many more
parties might be involved, e.g. money mules for getting the actual money from
e-banking fraud. And the power of tax-less money keeps the cooperation running
smoothly. Also see this interesting 2009 report on Mebroot / Torpig.
Stepping stone attacks
Particularly worrisome, I think, are targeted attacks that take place on
organizations where the objective of the attackers is not access to the
organization itself but access to one of its clients, i.e. the targeted
organizations are only used as stepping stones. An interesting incident of this
type is the targeted attack on EMC/RSA whereby
the cryptographic keys in its SecurID challenge-response
tokens were compromised. The attackers (allegedly from Chinese soil)
were interested in getting access to defence contractors such as Lockheed
Martin. Such stepping-stone attacks are particularly worrisome for two reasons:
· organizations are typically unaware they can be used as a stepping stone; they usually have a
hard time finding their own security risks, let alone those of their clients;
· there are many organizations that can be used as stepping stones for getting access to others.
To indicate, any popular website might be an interesting target because it can be
used to redirect its visitors to websites that infect them using invisible iframes,
and in fact there are already trading places for compromised websites for
exactly this.
We indeed live in interesting times as security professionals.
My interests in all this
My scientific interests in the field are focussed on security management
(education) and technical information security (research).
I give a course on security management based on the ISO 27001
standard, inspired by the challenges I encounter in my consultancy work
implementing security management in practice based on ISO 27001: how to
identify the relevant information security risks an organization faces, and how
can senior management be persuaded to act on them? I must admit I have a hard time
explaining the business value of ISO 27001 to technical students, who typically
like to solve everything with technical tools instead of with these fuzzy
things called “risk analyses” and “procedures”. The lack of conciseness of ISO
27001 does not help either; standardization institutes still seem to get paid
by the page.
My research is also inspired by my consultancy work and vice versa.
Currently I am focussing on two topics:
· Prevention and early identification of cybercrime attacks, most notably targeted attacks.
Uncharted territory, I think.
· Technical information security related to compliance with privacy laws, specifically the
application of pseudonymization and anonymization
techniques enabling organizations to effectively use (and link) databases with
personal data for analysis purposes or testing purposes. Actually, this topic
can be considered a more positive use of information security, i.e. not to
keep the attackers out, but to enable organizations to do things that were not
possible before.
The added value in both topics consists of a complex technical solution
coupled with a tailored management organization.
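As an added illustration of the second topic (not the author's own scheme or code), the following Python sketches keyed pseudonymization: two hypothetical source databases are stripped of their direct identifier and linked on a pseudonym that only the key holder can compute, and a per-purpose string keeps pseudonyms from different projects unlinkable. The key, the purpose strings and the sample records are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, List

Row = Dict[str, object]

# Constructed sample data: two hypothetical source databases that both
# key their records on a national citizen number (all values are made up).
HOSPITAL: List[Row] = [
    {"citizen_id": "123456782", "diagnosis": "J45"},
    {"citizen_id": "987654321", "diagnosis": "E11"},
]
INSURER: List[Row] = [
    {"citizen_id": "123456782", "premium": 120},
    {"citizen_id": "555555555", "premium": 95},
]


def pseudonymize(identifier: str, key: bytes, purpose: str) -> str:
    """Derive a keyed pseudonym with HMAC-SHA256.

    The key stays with a trusted party; without it the pseudonym can neither be
    reversed nor recomputed. The purpose string is mixed in so that the same
    citizen gets unlinkable pseudonyms in different analysis projects.
    (An unkeyed hash would not do: 9-digit numbers are trivially enumerable.)
    """
    msg = purpose.encode() + b"\x00" + identifier.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_table(rows: List[Row], key: bytes, purpose: str) -> List[Row]:
    """Replace the direct identifier by its pseudonym, keeping the other fields."""
    out: List[Row] = []
    for row in rows:
        pseudo = {k: v for k, v in row.items() if k != "citizen_id"}
        pseudo["pseudonym"] = pseudonymize(str(row["citizen_id"]), key, purpose)
        out.append(pseudo)
    return out


def link(left: List[Row], right: List[Row]) -> List[Row]:
    """Inner join of two pseudonymized tables on the pseudonym column."""
    index = {row["pseudonym"]: row for row in right}
    return [{**row, **index[row["pseudonym"]]} for row in left if row["pseudonym"] in index]


def linked_dataset(key: bytes, purpose: str) -> List[Row]:
    """Pseudonymize both sources under one project key and purpose, then link them."""
    return link(pseudonymize_table(HOSPITAL, key, purpose),
                pseudonymize_table(INSURER, key, purpose))
```

The analysts receive only the output of `linked_dataset`, which carries the pseudonyms and payload fields but no citizen number.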
You can contact me on one of the email addresses below.
Endnote 1: I’m
always amazed by these multinational organizations that seem to think that one
risk assessment and treatment for the whole organization suffices. These assessments
surprisingly often result in the selection of all 133 controls from ISO 27002 as
risk treatment. When you perform a risk assessment it is also helpful that you
actually know which systems are yours and which belong to subcontractors. Once I
was at a client site asking whose a particular router was; the client said they
assumed it was owned by their telco and I asked the client to look into this.
Well, it turned out it was not owned by their telco: it actually was
theirs. And of course it was not secured at all; it still had all the standard
configuration and passwords active.
Endnote 2: As a
mildly amusing anecdote: I once tested the internet Intrusion Detection System
(IDS) of a sensitive organization by running all kinds of automated attacks
against them (e.g. using Metasploit). At a
certain time my network connectivity to the site was lost and I thought that
the IDS had worked. What actually happened was that my Internet Service
Provider had noticed my attempts, decided my connection had been compromised by
a bot and had disconnected my ADSL connection. The organization itself had not
noticed my attempts at all.
Endnote 3:
· I finally convinced two people to actively act on the clipboard vulnerability:
my wife, who started using another browser, and the security officer of a
police organization that had its content scanner configured to remove the
‘getData’ method on the fly.
· Microsoft actually issued a security patch related to the vulnerability in
2002. However, apparently they did not consider it a vulnerability that any
website could read the clipboard contents. The vulnerability they addressed was
a flaw in the configuration setting the concerned user could use to stop this
default behaviour (‘Allow paste operations via script’). Or in the words of
Microsoft: “This is an information disclosure vulnerability. Specifically, it
could enable a web site to programmatically read the contents of a user's
clipboard, even when the user has enabled the setting to prevent sites from
being able to do this. The default setting for this option is to allow
programmatic access to the clipboard. Therefore, the risk created by this
vulnerability is no worse than the default setting for this feature. However,
because it allows a security setting that controls the privacy of information
to be bypassed, it does constitute a vulnerability.”
· The vulnerability (or feature, in the perspective of Microsoft) was active
until Internet Explorer 6. Starting from Internet Explorer 7 the user was warned
when a website requested access to the clipboard. This is still the behaviour
of Internet Explorer 8, as you can see here. I wonder how many people will act
correctly on the request.