Monday, 6 May 2013

Classification

More security theory this time.

It is useful to classify your information assets - so that you can decide how to treat them, and tell your people.

Her Majesty's Government has a well developed Protective Marking Scheme, but is about to move on to a new scheme.

More simply, you might like to consider marking items CONFIDENTIAL if there are legal reasons (such as a contract or the Data Protection Act), or operational reasons (such as trade secrets or lists of clients) why access to them should be controlled.  You may want to mark assets which are even more sensitive SECRET.  

Markings would probably be at the top and the bottom of each page (paper or electronic).

You will think at first of your information as your asset.  But don't forget the computer system that it needs to work for you.  And maybe the accommodation that it lives in; and maybe the people that it needs to work for you.

Then you will probably want to put at least one barrier between the items and the untrusted world.  A barrier might be a building, or the door of a room; a safe or a locked desk; encryption; a password.

This forces you to think through who should and who should not have access to it.  

The usual rule is that the person who creates the item is responsible for its classification; and anyone who subsequently handles it is bound by that decision.

You will want to apply some rules for handling it:

  • Shred it in a cross-cut shredder at the end of its life (a good shredder shreds so small that you can see no more than two printed characters on the shreds).  Physically destroy computer media (meaning disks, tapes and USB sticks).
  • Don't discuss the detail on the 'phone - especially a mobile 'phone.  'Phones are not very secure any more.
  • Don't fax it.  (Isn't the fax obsolete now ?)
  • If it's on paper put it in a sealed envelope to move it.  Don't show the marking on the outside of the envelope.  
  • Lock it away when it is unattended.
  • When kept on a computer it must be protected by a password system, and encrypted.  More on this aspect later.
  • If sending it by computer, including by e-mail, then you should encrypt it.
  • Don't keep two classifications of material (eg CONFIDENTIAL and SECRET) together.

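As an added illustration (not part of the original post), here is a small checker for the electronic side of this scheme: it verifies that every page of a plain-text document carries the same marking at top and bottom, and that documents kept together do not mix CONFIDENTIAL and SECRET. The page separator (form feed), the bare-word marking lines and the sample documents are assumptions made for the example.

```python
# Added example, not from the original post. Assumes: electronic documents are
# plain text, pages are separated by form-feed (\f), and the marking appears as
# the bare word CONFIDENTIAL or SECRET on the first and last non-blank line.
import re

MARKINGS = ("SECRET", "CONFIDENTIAL")   # ordered highest first
MARK_RE = re.compile(r"^\s*(SECRET|CONFIDENTIAL)\s*$")

def page_marking(page):
    """Return the marking if the page shows the same one at top and bottom,
    otherwise None (no marking, or a mismatched pair)."""
    lines = [ln for ln in page.splitlines() if ln.strip()]
    if len(lines) < 2:
        return None
    top, bottom = MARK_RE.match(lines[0]), MARK_RE.match(lines[-1])
    if top and bottom and top.group(1) == bottom.group(1):
        return top.group(1)
    return None

def check_document(name, text):
    """Return (overall marking, findings) for one document. Every page must
    carry the same marking at top and bottom."""
    findings, marks = [], set()
    for num, page in enumerate(text.split("\f"), start=1):
        m = page_marking(page)
        if m is None:
            findings.append(f"{name}: page {num} lacks a matching top/bottom marking")
        else:
            marks.add(m)
    if len(marks) > 1:
        findings.append(f"{name}: pages carry different markings {sorted(marks)}")
    marking = min(marks, key=MARKINGS.index) if marks else None  # highest wins
    return marking, findings

def check_bundle(docs):
    """docs: {name: text}. Flags documents stored together whose
    classifications differ (the 'don't keep them together' rule)."""
    findings, bundle_marks = [], {}
    for name, text in docs.items():
        marking, doc_findings = check_document(name, text)
        findings.extend(doc_findings)
        if marking:
            bundle_marks[name] = marking
    if len(set(bundle_marks.values())) > 1:
        findings.append(f"bundle mixes classifications: {bundle_marks}")
    return findings

# Constructed sample documents (not real data): page 2 of plan.txt is unmarked,
# and the two documents carry different classifications.
SAMPLE = {
    "clients.txt": "CONFIDENTIAL\nClient list, Q1\nCONFIDENTIAL\f"
                   "CONFIDENTIAL\nClient list, Q2\nCONFIDENTIAL",
    "plan.txt": "SECRET\nAcquisition plan\nSECRET\fAcquisition plan, page 2",
}
```

Running `check_bundle(SAMPLE)` reports the unmarked page and the mixed bundle; a clean set of documents returns an empty list.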
Some organisations under-mark their assets - possibly to save money and trouble.  They are taking unnecessary risks which might be difficult to defend in court.  

Other organisations over-mark - maybe to emphasise their importance.  This costs time and money and trouble.

Most, I suppose, just don't bother....

Friday, 26 April 2013

Syrian Electronic Army

There has been an interesting new turn of events in the world of international cyber warfare.

On Tuesday this week, the Associated Press account at Twitter was hacked; this was followed by a false tweet which said 

"Breaking: Two Explosions in the White House and Barack Obama is injured."

The Dow Jones Index dived by 150 points (worth $136 billion) within six minutes - then recovered as the hoax was discovered.

The Syrian Electronic Army is a pro-Assad hacking group: they claim responsibility.  This is not their first.

Tech details of the Twitter hack are not yet clear.


More prosaic stuff next week on the theory of infosec - unless there is something more interesting to report.

Monday, 22 April 2013

Thought For The Week - It's a People Thing

There's no two ways about it - Security is primarily a People Thing.

Less about tech or policy or governance; though let's not trivialise these.

It is about the people who attack our interests via Information assets.

It is about the people who defend.

It is about the senior management who take ownership of the problem.  Or not, as the case may be.

Probably most of all it's about the users.

Setting policy, and enforcing it, is all very well.  Putting in firewalls and antivirus and intrusion detection systems - not to be overlooked.  

The most useful thing we can do with our time is usually talking to the users.  Explaining the problem.  Explaining the Threat.  And explaining what we need from them.


Sunday, 31 March 2013

Who are The Forces of Darkness

In a previous lifetime I used the expression "The Forces of Darkness" to describe all those who attack us (through our information assets).  Who did I mean ?

Traditionally we used to think of tech attacks perpetrated by some spotty teenage nerd.  But it is a long time since that was a valid view.

More than a decade ago, car companies were said to be hiring nerds for Big Bucks to get the designs of the competition.  A month or so ago I commented on the Mandiant Report and its story about Chinese Cyber Warriors - The Comment Crew.

There undoubtedly are nerds out there, doing it for curiosity, ego and kudos; we must not lose sight of them, but they are not the main threat.

HMG security has been predicated on the assumption that we are attacked by Foreign Intelligence Services - the Spooks.  And certainly their work affects a wider spectrum of victim than we used to think: the Comment crew are said to have attacked power grids and water networks - Coca Cola even.  Again we should not lose sight of them, but for most of us they are not the top priority.

The media ?  I doubt that we yet understand how extensively the media attack us.  I suspect that it is so easy to attack e-mail and mobile phones that this has been a huge operation affecting most or even all of us.  

Business competitors are always a threat if you are in business.

We should include our own staff in the calculation - they may cause massive damage if they are disaffected, by looming redundancy, or maybe we have sacked them and compelled them to work out their notice; they may be subverted by someone who offers them money, or puts some kind of pressure on them.  They may hurt us by accident - such as the Natwest Bank story of a system update that went hideously wrong.

We should take into account the Act of God - the disaster.  Remember the fire at Buncefield.  The floods.  The information aspect of the hit on the Twin Towers.  

But in my view the big threat is from criminals.

We can divide criminals into two types.  

There is a risk from Organised crime.  Gangs who have resources and money and something to gain from an attack.

But the big risk is from Disorganised crime.  People who steal your computers because they want a computer and discover by accident how important the data contents are; or that they can get your bank account, or get into your network.  People who steal a bit of wire worth a couple of pounds - costing us tens of thousands of pounds worth of lost work.  Confidence tricks or scams are a really big issue.  People who damage things.  


Thursday, 21 March 2013

More of the Same

A South Korean Internet Service Provider has been attacked this week, bringing down banks and broadcasters.  Following threats by North Korea.  Credit for the attack was claimed by a group called Whole Team.

And the Tallinn Manual on the International Law Applicable to Cyberwarfare came out last September.  

Cyberwar now seems to be very real.

Sunday, 17 March 2013

Recent Events

Three recent events worth noting.

In February President Obama signed an executive order to enable some cyber security activities in the US.  At least he seems to acknowledge the scale of the problem, but this order is only about cooperation and information sharing.  


The Department of Homeland Security cybersecurity response team grew by 52% in 2012.

Meanwhile in the UK a hacker (apparently founder of the Ghostmarket team), imprisoned for hacking, has hacked into the prison mainframe whilst signed up to the Isis IT class.  Thank God the prisons are in safe hands eh ?

And the US National Database of Cyber Vulnerabilities was suspended after a malware attack.  Again it is as well that this database telling people how to hack is in safe hands, isn't it ?

Two lessons to take from this - hacking is real now; and we must not assume that the opposition are thick because they are criminals.  

Friday, 8 March 2013

Practical Defence

Thinking about the real world of attack and defence.

Why does anyone attack us through our information ?


  • The Graffiti principle applies to some.  Maybe it makes the attacker feel clever or witty.  Something in common with climbing mountains.  

  • Foreign Intelligence Services, as advertised a few days ago in the Mandiant Report.  Probably not the most common, but Mandiant makes the point that it is not just about Official Secrets - it extends to commercial secrets too.  

  • Financial advantage.  This is a big deal in a credulous world or a competitive world - or in a world which transacts a lot of money's worth of business electronically.

  • Political: Hacktivism.

  • Destructive and Malicious.  Like breaking windows or scratching your car.


Where does Wikileaks fit ?