JANET CSIRT

Today I was at the JANET CSIRT Conference, held at the International Coffee Organisation facility in London (I booked on before I knew where it was being held… honest!).

The conference covered a variety of security related issues and I’ll cover a brief summary below.

A shared approach to Information Security – Matthew Cook, Loughborough University

The EMMAN Shared Information Security Service (ESISS) can provide a complete portfolio of services to your organisation. These services are designed to reduce the risk of significant information security breaches and reduce the associated costs of prevention, management, remediation and audit activities.

Matthew Cook gave an overview of some of the services offered by a new shared service from EMMAN. Much of it was what you’d expect – consultancy, penetration testing, network health checks and so on but I was surprised by one of their new services.

Currently in development/testing and due to launch in the new year, they’ll be offering reputation management to monitor the interwebs and send a weekly report to technical and PR/marketing teams to alert them to any problems with your site.  It will check social networks like Twitter and blogs, as well as more technical problems such as spam comments on blogs linking to dodgy websites.

There are a number of companies that offer this type of service already and it will be interesting to see how they differentiate themselves.  I’ve not looked at many other services but ESISS’ pricing doesn’t seem outlandish… as long as it’s of benefit!

The issue I have with it is the weekly nature of the email reporting.  A week is a long time in Twitter. Recent examples of #janmoir and #carterruck have exploded in a matter of hours so waiting seven days before detecting and responding to criticisms online isn’t an option.

I do hope ESISS are successful with this service – there are far too many snake oil merchants in the reputation monitoring game and so an organisation without the commercial pressures would be welcome but whether they’re able to keep pace with the fast changing social media landscape – as well as provide their more traditional consultancy services – remains to be seen.

The Value of Security Testing – Rory McCune, NCC Group

A great Security Testing 101 session which really helped bring me up to speed with some of the terminology involved.  It showed the different levels of testing that can be undertaken.

The big thing I took away from this session is not to trust third party vendors.  They usually have no interest in security so either test software yourself, or as part of a consortium.  Get security written into contracts to ensure that it’s the vendor’s responsibility to fix any problems.

Traffic monitoring and basic anomaly detection with Netflow – Nick Reynolds, ULCC

Using the NetFlow protocol built into Cisco and some other network kit, Nick showed how they are monitoring traffic at student residences and FE colleges in London. Building on basic MRTG charts they provide more advanced reporting for staff within colleges who may not have the time or skills to undertake regular monitoring.  From there they have built pattern analysis software which can look for unusual traffic patterns passing through routers as a sign of breaches in security or usage policies.  Still a little rough looking but it shows what’s possible using a few open source tools and a little development time.

SQL Injectors – Simon Baker, SEC-1

How to scare a web manager in 35 minutes…!  Using Microsoft SQL Server and ASPX as examples – not tools we develop in directly, but we do have third party SQL Server/IIS systems – Simon demonstrated a few SQL injection attack vectors which seem alarmingly easy.  Different attacks accomplish different things but with certain versions of SQL Server it’s even possible to execute commands!

If ever there was an argument for using an ORM to ensure all database interaction is correctly escaped then a session like this will prove it!  Prize goes to this session for best use of an xkcd comic strip in a presentation:
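To show concretely what “correctly escaped” buys you, here is an added example (not from Simon’s talk or any project the post mentions) using Python and an in-memory SQLite table with constructed sample rows: the same lookup written with string concatenation and with a bound parameter, the way an ORM issues it.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo: a tiny in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "student")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the caller's input is pasted into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return list(conn.execute(sql))


def lookup_safe(conn, name):
    # Hardened: the statement text is fixed and the value travels separately as
    # a bound parameter; the database never parses it as SQL. This is what a
    # mature ORM or parameterised query API does for you.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return list(conn.execute(sql, (name,)))


def demo():
    # Runs both lookups against a benign name and against a constructed
    # tautology probe, and returns the four result sets for comparison.
    conn = make_db()
    benign = "alice"
    tautology = "' OR '1'='1"  # constructed probe input
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_tautology": lookup_unsafe(conn, tautology),  # every row leaks
        "safe_benign": lookup_safe(conn, benign),
        "safe_tautology": lookup_safe(conn, tautology),  # no such user: empty
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The unsafe variant returns the whole table for the probe input; the parameterised one returns nothing, because the probe is matched literally as a username.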

Web Application Security, OWASP – Dinis Cruz, OWASP

Somehow Dinis managed to get through three presentations each with dozens of slides in his 40 minute slot!  I must admit it was a little bit too much to take in, but the general gist was that OWASP (Open Web Application Security Project) is great and that we should all get involved.  It certainly seems to have a lot to offer.  Their best known project is their Top Ten website vulnerabilities:

  1. Cross Site Scripting
  2. Injection Flaws
  3. Malicious File Execution
  4. Insecure Direct Object Reference
  5. Cross Site Request Forgery
  6. Information Leakage and Improper Error Handling
  7. Broken Authentication and Session Management
  8. Insecure Cryptographic Storage
  9. Insecure Communications
  10. Failure to Restrict URL Access

The use of a mature web framework helps avoid many of these problems but it’s probably time for us to do a full audit.

OWASP also offer a huge amount of other material from books to approval processes and tools.  One of their project strands concentrates on Education to get students trained up with the correct skills.  Dinis said something along the lines of:

The majority of IT Security professionals are screwed because they don’t know how to code.

Computing students and developers alike are well placed to get the skills required to create intrinsically secure websites – so-called “security experts” will struggle to match them on the details.

P2P File-Sharing and Copyright Infringement – Morgan Doyle, NetFort Technologies

Final session of the day was an interesting review of some research undertaken at NetFort into use of peer-to-peer file sharing – specifically BitTorrent – in a university environment and how it can be detected, tracked and reported on.  The reasons for wanting to do this were twofold – to be able to account for excessive bandwidth usage and to respond to DMCA notices.

I must stress that I Am Not A Lawyer, but I thought that DMCA was an American law so I’m not sure how it applies to UK file sharers, and that in most cases illegal filesharing was a civil offence.  I’m not condoning breaking the law, but I do question whether it’s the job of universities to do the dirty work of rights holders.

Wrap Up

So on the whole a very interesting day.  Not necessarily what I expected but very useful and it’s given me lots to think about.  The International Coffee Organization is a great venue – where else can you find translation booths and flags on the wall?!  I must admit I was slightly disappointed in the quality of the coffee.  It was okay filter coffee but I would have expected something a bit more… gourmet?

Finally, it was interesting to note how little backchannel activity there was on The Twitter. A single post from someone saying they were at the conference with the rest posted by me with a few comments from my followers. What – if anything – does this say about networking or security professionals in Higher Education? 😉
