Presentation: Security and Governance in the Cloud

Here is a presentation that I did recently for NHS CIOs and CCIOs (Chief Information Officers and Chief Clinical Information Officers).

It is all about how NHS England has followed a journey to cloud services and the IT security and information governance issues we had to deal with along the way. It also tries to show other NHS organisations how they might work towards similar aims.

Cloudflare Now Active

After the recent high-profile vulnerabilities, I decided to turn on the free version of CloudFlare for this domain.

CloudFlare provides a reverse proxy service that sits in front of your domain. It will serve content on your behalf where it can (caching) and optimise content where it can (e.g. minifying JavaScript, HTML and CSS). But even more important from my perspective is its ability to filter out a number of attacks before they ever reach the server behind it.

The most obvious protection – because this is where CloudFlare started – is DDoS protection. A DDoS attack throws very large numbers of requests at your domain from many sources at once, preventing legitimate access. But CloudFlare now also provides protection against other threats, and it is interesting to look at the dashboard and see a bunch of threats being filtered out every few days.

A recent addition, especially to the free service, is the ability for CloudFlare to provide SSL/TLS for free. This means that your whole site can present as HTTPS (HTTP over an encrypted connection), and you can even enforce this so that visitors cannot connect without encryption. This is easily done without the hassle normally associated with obtaining and renewing certificates. One caveat worth knowing: in CloudFlare's "Flexible" SSL mode only the visitor-to-CloudFlare leg is encrypted and CloudFlare fetches pages from your own server over plain HTTP, so if you want the whole path encrypted you still need a certificate on the origin and the "Full (strict)" mode.
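Whether a site actually enforces HTTPS is easy to check: plain-HTTP requests must be redirected (permanently) to the HTTPS version of the same host, and the HTTPS responses should carry a Strict-Transport-Security (HSTS) header so browsers stop trying plain HTTP at all. The following is an added example, not code from the original post or from CloudFlare; it evaluates already-captured responses (status code and headers), so it runs offline on the constructed samples at the bottom, and a live run would fetch the two responses with urllib and pass them in. The host name example.com and the 180-day minimum max-age are assumptions for the example.

```python
"""Offline check of whether a site really enforces HTTPS.

Added example, not code from the original post or from CloudFlare. It
evaluates already-captured responses (the plain-HTTP response and the
HTTPS response for the same host); a live run would fetch them with
urllib and pass the status and headers in.
"""
from urllib.parse import urlparse

REDIRECTS = (301, 302, 307, 308)
SIX_MONTHS = 180 * 24 * 3600      # assumed minimum HSTS max-age for this check


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Unknown directives are ignored (RFC 6797); max_age is None when the
    header carries no parseable max-age, which makes the header invalid.
    """
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def check_https_enforcement(host, http_resp, https_resp, min_max_age=SIX_MONTHS):
    """Return a list of findings; an empty list means HTTPS is enforced.

    http_resp / https_resp are dicts {"status": int, "headers": {...}} with
    header names lower-cased, as an HTTP client library returns them.
    """
    findings = []
    status = http_resp["status"]
    if status not in REDIRECTS:
        findings.append("plain HTTP is served directly (status %d)" % status)
    else:
        location = http_resp["headers"].get("location", "")
        target = urlparse(location)
        if target.scheme != "https":
            findings.append("HTTP redirects to a non-HTTPS URL: %r" % location)
        elif target.hostname != host:
            findings.append("HTTP redirects off-host to %r" % target.hostname)
        if status in (302, 307):
            findings.append("redirect is temporary (%d); use 301 or 308" % status)

    hsts = https_resp["headers"].get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on HTTPS")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            findings.append("HSTS header has no valid max-age: %r" % hsts)
        elif max_age < min_max_age:
            # max-age=0 is the special case: it tells browsers to forget HSTS.
            findings.append("HSTS max-age %d is shorter than %d" % (max_age, min_max_age))
    return findings


# Constructed sample responses (not captured from any real site).
GOOD_HTTP = {"status": 301, "headers": {"location": "https://example.com/"}}
GOOD_HTTPS = {"status": 200,
              "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"}}
WEAK_HTTP = {"status": 302, "headers": {"location": "http://example.com/"}}
WEAK_HTTPS = {"status": 200, "headers": {"strict-transport-security": "max-age=0"}}

if __name__ == "__main__":
    for label, h, s in (("good", GOOD_HTTP, GOOD_HTTPS), ("weak", WEAK_HTTP, WEAK_HTTPS)):
        print(label, check_https_enforcement("example.com", h, s) or ["ok"])
```

The "weak" sample shows the three things that commonly go wrong: a temporary redirect, a redirect that lands back on plain HTTP, and an HSTS header with max-age=0, which browsers treat as an instruction to forget the policy rather than as enforcement.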

Kudos to CloudFlare for providing this excellent service and for providing a useful free version. I’m happy to recommend it to everyone who runs a web site or service.

Stay Secure! The Latest Recommendations for IT Security

Individuals and enterprises often do not understand the value of their information or how to protect it. This article sets out simple and practical ways to protect IT assets and outlines some of the latest thinking and tools from industry experts.

IT security changes over time and it is important to stay abreast of it. New threats appear all the time, so threat management also needs to change.

Here are some tips and pointers to the current thinking in IT Security.

Back in February of this year (2013), the Center for Strategic and International Studies (CSIS) in the USA published a short but to-the-point paper on how to successfully combat the majority of current cyber security threats. The paper gives an excellent background to the latest threats without getting too technical. But the really useful part is the four steps it gives for combating the majority of current threats.

These are summarised as:

  1. Use application “whitelisting” to help prevent malicious software and other unapproved programs from running.
    While this is not quite as convenient for users, some of whom want to run anything they like, it is vastly superior to spending money on anti-virus tools that slow down PCs and often fail to catch the key malware. Anti-virus works from signatures of malware already seen; a default-deny whitelist also stops the new binary nobody has a signature for yet. Anti-virus tools do still provide additional protection and should continue to be used.
    Example products for whitelisting are SecureAPlus (review on gHacks), McAfee Application Control, and several others.
    See also the SANS whitepaper “Application Whitelisting: Panacea or Propaganda”, which describes the issues and opportunities in detail and gives useful conclusions. There are also write-ups on application whitelisting on TechRepublic and on InfoWorld.
  2. Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, and web browsers.
    Patching schedules need to be vastly accelerated in most organisations. Two or three “updates” a year leave vast holes in enterprise infrastructure that are just asking to be exploited. Patching of key applications such as those listed here needs to happen at least weekly, and ideally as soon as a fix is released. The bad guys aren't waiting: they update their toolkits within hours of a new vulnerability becoming public.
  3. Patch operating system vulnerabilities, for the same reasons discussed above.
  4. Minimize the number of users with administrative privileges, the highest level of authority to make changes or undertake actions on a network.
    Users with administrative privileges are the goldmine for the bad guys: compromise one of their accounts or PCs and there is an easy back door into the heart of your enterprise systems. Day-to-day work, including e-mail and web browsing, should be done from a standard user account, with administrative rights used only when they are actually needed.
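To make step 1 concrete, here is an added example (not code from the original article or from any of the products it names) of the decision an application whitelisting agent makes: every executable found under a directory is hashed and looked up against a set of approved SHA-256 digests, and anything not explicitly approved is blocked. It also shows why hash rules are preferable to path-only rules: a path rule here records the hash of the build it was approved for, so a binary dropped over an approved path is blocked rather than trusted. The rule format, the file names and the "binaries" (short byte strings written to a temporary directory by demo()) are all constructed for the example.

```python
"""Hash-based application whitelisting: the allow/block decision an agent makes.

Added example, not code from the original article or from any product it
names. Files are constructed by demo() in a temporary directory; none of
them is a real executable.
"""
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".msi")   # assumed set for the example


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def evaluate(path, allowed_hashes, path_rules):
    """Decide whether one file may run. Returns (verdict, reason).

    allowed_hashes: set of approved hex digests (hash rules).
    path_rules: {path: digest the rule was approved for}; a hypothetical
    rule format, real products also support publisher/signature rules.
    The default verdict is "block": anything not explicitly approved is denied.
    """
    digest = sha256_file(path)
    if digest in allowed_hashes:
        return "allow", "hash rule matches %s..." % digest[:12]
    if path in path_rules:
        if path_rules[path] == digest:
            return "allow", "path rule matches the approved build"
        return "block", "file at an approved path has changed (hash mismatch)"
    return "block", "unknown binary %s..." % digest[:12]


def scan(root, allowed_hashes, path_rules):
    """Evaluate every executable-looking file under root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                results[path] = evaluate(path, allowed_hashes, path_rules)
    return results


def demo():
    """Build a constructed directory of fake binaries, scan it, return verdicts by name."""
    root = tempfile.mkdtemp(prefix="whitelist-demo-")

    def write(name, content):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        return path

    approved = write("approved.exe", b"MZ approved build 1.0")
    tool = write("tool.exe", b"MZ tool build 2.3")
    # Covered by the same path rule as tool.exe, but the file on disk has been replaced.
    tampered = write("tampered.exe", b"MZ tool build 2.3 plus implant")
    write("unknown.exe", b"MZ something nobody approved")
    write("readme.txt", b"not executable, not scanned")

    allowed_hashes = {sha256_file(approved)}
    approved_tool_digest = sha256_file(tool)
    path_rules = {tool: approved_tool_digest, tampered: approved_tool_digest}
    return {os.path.basename(p): verdict
            for p, (verdict, _reason) in scan(root, allowed_hashes, path_rules).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print("%-14s %s" % (name, verdict))
```

Running it prints allow for approved.exe and tool.exe and block for tampered.exe and unknown.exe; readme.txt is never evaluated. A real agent does this check at process-creation time rather than by scanning, but the rule logic is the same.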

According to these papers, following these four simple rules is likely to stop 80-100% of the common attacks on enterprises seen right now.

For the latest on the underbelly of the Internet and the current threats, take a look at Brian Krebs's blog, Krebs on Security. In particular, I strongly recommend reading and paying attention to his article Tools for a Safer PC. Also read his article The Scrap Value of a Hacked PC, which describes just why the bad guys want your PC even though you think there is nothing of value on it.

Update on FreeOTFE

Thought I would add a quick update on using FreeOTFE under Windows and PocketPC.
I tried it under Windows on a different PC and it does indeed work OK though it is nowhere near as polished as TrueCrypt.

I’ve also tried again a few times on a PocketPC with limited success and I think I know what is happening. Firstly, you must install FreeOTFE for PPC into system memory and not on a storage card – not terribly surprising really. However, you do not seem to be able to use a secure volume from a storage card reliably either (I tried on a T-Mobile MDA Compact III). I did have some success creating a small volume (approx. 2MB) in main memory; it did load eventually. Sorry to say that this is unworkable and I’ll be sticking to Keepass and Tombo on PPC with TrueCrypt on Windows and Linux.

It is worth noting in passing that TrueCrypt for Linux now has a native UI.

Keeping information secure but accessible across platforms

One of the issues with Linux is that I can’t use it under all circumstances. In particular I usually have to work with Windows at work. So I need cross-platform tools, especially now that I also make extensive use of a smartphone/PDA.

So here is a timely post – with the number of people in UK government departments carelessly losing private or secret information, how do we keep this stuff secure while still being able to get at it from different platforms? Oh, and we don’t really want to pay out money for the privilege if we don’t have to!

Well, I’ve looked at 3 tools that will do everything we need and they won’t cost a penny.

First up is Keepass.
Keepass is a tool for storing passwords, primarily aimed at web site logins, but it serves perfectly well for storing any password-type information; I use it for licence numbers, router passwords, etc.
Keepass runs on Windows as its main platform, and that version has some really nice features such as a macro language for logging in to web sites and the ability to run local applications. It does not need to be installed, so it will run from a pen drive as well.
There is also a version for Windows Mobile/PocketPC, just synchronise the database file to keep it in step with the desktop.
Then there is KeepassX which runs under Linux and Mac OS. It is not quite as feature rich as the Windows version but it still does nicely.

The remaining two applications both work with virtual (or real) disk partitions, encrypting them and letting you access them like ordinary disks.

TrueCrypt comes first. It is supported on Windows and Linux (a Mac version is due out in January 2008). It is pretty easy to use under Windows. On Linux there is only a GUI for GNOME, but you can also use ScramDisk for Linux as a GUI under KDE. TrueCrypt does not need to be installed, so it runs nicely from a pen drive, although on Windows it still needs administrator rights to load its disk driver. Sadly, there is no mobile version.

FreeOTFE is notable in that it supports Windows, Windows Mobile/PocketPC and Linux. The Linux support comes from its ability to read and write LUKS volumes; LUKS is the standardised, well-supported on-disk format used by Linux's dm-crypt/cryptsetup for encrypted loopback containers (how to create a loopback secure container). I’ve not tried FreeOTFE yet, but it does seem to have a good range of capabilities. Under Windows, it also works with the Secure Tray utility (by the same author, Sarah Dean), which allows applications to be run automatically when a volume is mounted. I am sure that I’ll be trying this out at some point.
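Because LUKS is a published on-disk format, a container can be inspected without mounting it, which is handy when deciding whether a file is a LUKS volume at all, what cipher and hash it uses, and how many key slots (passphrases) are active. The following is an added example, not code from the original post or from FreeOTFE or cryptsetup: a parser for the LUKS version 1 header (592 bytes, big-endian integers, NUL-padded strings), run here over a header that build_sample_header() constructs in code rather than one dumped from a real volume. The cipher, hash, iteration counts and UUID in that sample are invented.

```python
"""Parse a LUKS1 container header, the format Linux dm-crypt/cryptsetup uses.

Added example, not code from the original post, FreeOTFE or cryptsetup.
The field layout follows the LUKS1 on-disk specification. The sample
header is constructed in build_sample_header(); it is not from a real volume.
"""
import struct

MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
SECTOR = 512
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset (sectors),
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")      # 208 bytes
# active, iterations, salt, key-material-offset (sectors), stripes
SLOT = struct.Struct(">II32sII")                        # 48 bytes, 8 slots
HEADER_SIZE = HDR.size + 8 * SLOT.size                  # 592


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def is_luks(data):
    """True if the blob starts with the LUKS magic (any version)."""
    return data[:6] == MAGIC


def parse_luks1_header(data):
    """Return the header fields of a LUKS1 container as a dict.

    Raises ValueError for non-LUKS data, other LUKS versions, or a key slot
    in neither the enabled nor the disabled state (a sign of corruption).
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("need %d bytes, got %d" % (HEADER_SIZE, len(data)))
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = HDR.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("not a LUKS container")
    if version != 1:
        raise ValueError("LUKS version %d not handled (LUKS2 uses a different header)" % version)
    slots = []
    for i in range(8):
        active, iters, _salt, km_off, stripes = SLOT.unpack_from(data, HDR.size + i * SLOT.size)
        if active == KEY_ENABLED:
            slots.append({"slot": i, "iterations": iters,
                          "key_material_offset": km_off * SECTOR, "stripes": stripes})
        elif active != KEY_DISABLED:
            raise ValueError("key slot %d has corrupt state 0x%08x" % (i, active))
    return {
        "cipher": "%s-%s" % (_cstr(cipher), _cstr(mode)),
        "hash": _cstr(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset": payload_off * SECTOR,
        "mk_digest_iterations": mk_iter,
        "uuid": _cstr(uuid),
        "key_slots": slots,
    }


def build_sample_header():
    """Constructed header: aes-xts-plain64, 512-bit master key, one active key slot."""
    head = HDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    b"\x11" * 20, b"\x22" * 32, 50000,
                    b"0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0")
    slots = SLOT.pack(KEY_ENABLED, 250000, b"\x33" * 32, 8, 4000)
    for i in range(1, 8):
        slots += SLOT.pack(KEY_DISABLED, 0, b"\0" * 32, 8 + i * 512, 4000)
    return head + slots


if __name__ == "__main__":
    for key, value in parse_luks1_header(build_sample_header()).items():
        print("%-22s %s" % (key, value))
```

To inspect a real container, read its first 592 bytes (open(path, "rb").read(HEADER_SIZE)) and pass them in. The per-slot iteration count is the security-relevant number: it is how many PBKDF2 rounds an attacker pays per passphrase guess, so a very low count on an old container is a reason to re-key it.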
Update 2008-01-24: Sadly, the PDA version of FreeOTFE cannot mount Linux volumes so there is still not a true cross-platform solution. The best I can do is to set up TrueCrypt for PC/Linux (easier than FreeOTFE) and FreeOTFE for PC/PDA with an automated sync between the two.
Update 2008-01-29: I’ve now actually tried FreeOTFE on a PC and on a WM5 device and I’m afraid that they tend to hang almost continuously so this is not really an option I can recommend. It’s a shame as it looks great on paper. There is a real missed opportunity here, especially if the PDA version were to support Linux volumes.

Update 2008-07-10: An additional plus for FreeOTFE is that it does not require admin access (under Windows) to run. I suspect that this will get more and more important as more organisations lock down their PCs but continue to fail to provide sufficient support and capabilities.

Between TrueCrypt and FreeOTFE, I’d say the former is easier to use, as it hides much of the gory bits away, but FreeOTFE has the features and the cross-platform support. I may well find use for both.
Given the problems with FreeOTFE that I experienced, I’ll carry on using TrueCrypt on Windows and Linux and Tombo on the PDA and Windows, with manual copies between the two – drat, too much reliance on Windows.