Thursday, 30 July 2009


OCTAVE-S stands for Operationally Critical Threat, Asset and Vulnerability Evaluation for Small organisations. It is a version of the full OCTAVE methodology aimed specifically at small to medium sized organisations, i.e. those with up to 100 employees. OCTAVE is a risk-based strategic assessment and planning technique for security. It is a top-down approach that is driven by the business's missions and objectives, and is not technology focussed. OCTAVE-S is simply a streamlined version of OCTAVE, with simple worksheets and less expertise required. The outputs of OCTAVE-S should be similar to those of OCTAVE; the difference is that some of the process can be shortcut in smaller organisations. OCTAVE itself is designed to be applicable to any organisation, no matter how large.

The main OCTAVE principles are as follows:
  • Core Information Security Risk Evaluation Principles
    • Self-directed
      • The organisation takes responsibility for the evaluation
      • The organisation makes the decisions
    • Flexible / adaptable in the face of...
      • Changes to best practices
      • Evolution of known threats
      • Technical weaknesses
    • A defined process
      • Responsibilities are set out and assigned to people
      • How activities should be performed is documented
      • Standards are set for documentation/artefacts: tools, worksheets, catalogues etc.
    • A continuous process over time
  • General Risk Management Principles (general principles beyond InfoSec)
    • Forward looking – proactive
      • Identify future assets that may be significant
      • New classes of threat
    • Focus on the critical few
      • Resources are always constrained
      • Avoid spreading effort too thinly
    • Integrated management
      • Information security as a routine consideration in general business strategy
  • Organisational / Cultural Principles
    • Open communication
      • Information sharing: avoidance of blame/judgment
    • Global perspective
      • Consult widely and integrate all views
      • Widen perspective to organisational goals
    • Based on teamwork

To find out more about OCTAVE-S visit the website, where you can download the Implementation Guide, which contains introductory materials as well as the actual guidelines and worksheets.

Wednesday, 29 July 2009

Lack of true Identity Verification forces need for EV SSL Certificates

What are EV SSL Certificates? Simply, they are Extended Validation SSL Certificates. What does this mean? Well, simply put, the Certification Authority goes to more lengths to validate the identity of the person asking for (paying for) the certificate. The EV SSL Certificate then will make the browser address bar go green to certify that this really is the site you think it is and not a phishing or pharming site. It gives the user a very visual check of the validity of the website that they are using.

Isn't this what Digital Certificates were supposed to do in the first place? Yes, but the Certification Authorities were more interested in taking people's money than verifying that they actually were the people in question. This led to almost anybody being able to sign up for a certificate claiming to be almost anybody. This, obviously, isn't a workable situation, so EV SSL Certificates were introduced to do the intended job, only at a higher price than the standard SSL Certificate (in part due to the actual identity validation performed, no doubt). That being said, they are not expensive in the grand scheme of things and should be used far more widely than they currently are - for example, NatWest still doesn't use an EV SSL Certificate at the time of writing this; instead they have ended up implementing Trusteer's Rapport at a much higher cost.

To give you some idea of the cost of a digital certificate, Comodo's price is £214 per year (US$359/€359) for a single fully qualified domain name (i.e. per website); this includes their 'Corner of Trust' logo. Compare this with somewhere near $1 per customer for Trusteer's Rapport, or even hosting fees and business profits! Admittedly, their cheapest SSL Certificate is only £41.95 per annum, but is £214 too much to ask when you are giving customers peace of mind, assurances over authentication and tackling phishing & pharming?

Why aren't normal certificates secure? Well, the problem is that most Certification Authorities don't do very much checking. Usually they check your domain name by sending you an email to an address that has the same domain name extension. All this says is that someone who has access to an email address on that domain wants to set up a secure web server. They don't actually check who you are. They are more interested in whether you will pay than in whether they should issue the certificate. This was demonstrated at IPICS today, when it was shown that VeriSign had given out a Digital Certificate to someone using the name William Gates! They have also fallen for scams, where they were duped into issuing a code signing certificate for the Microsoft Corporation by someone proving the point that they are not careful enough.

I decided to see if this was the case with other organisations, and it is. I have set up an SSL certificate just by being able to view an email sent to an address on that domain. I also wanted to know if I could be Steve Ballmer - the new Bill Gates. So, I set up an email account using details about him, such as his year of birth, 1956. I then decided to try Thawte out, as they provide free email certificates for personal use. Sure enough, after entering the data below, I was sent an email to my address with codes to verify myself. I now have a digital certificate to sign emails from

Surname: Ballmer
Forenames: Steve
Date Of Birth: 1956/03/24
Nationality: the United States
Where were you born? Detroit
Where did you go to school? Detroit Country Day School
First company you worked for? Procter & Gamble
What is your spouse's Name? Connie Snyder
How many children do you have? 3

Now, Thawte has a little trick up its sleeve here, which aids security. Before they will assign the name Steve Ballmer to the certificate, I must pass their Web of Trust, i.e. I must convince some other users that I am indeed Steve Ballmer first by meeting them face-to-face. However, if I could supply them with details such as passport number and social security number, then I'd be set. So, I can still sign my email, but if users look closely at the signature and check the certificate, they will see that I haven't been verified. However, if they don't actually look at this carefully, and with knowledge of what it means, then they will be fooled into thinking I really am Steve Ballmer. Why should the ordinary user know about this? Comodo and VeriSign, on the other hand, provide no such backup. So, I can now sign my email as Steve Ballmer. Here's my Public Key for Steve Ballmer from Comodo showing that I really am Steve Ballmer!

This isn't really good enough in this day and age of phishing scams.

Post Script Edit
Two things have happened since writing this blog post. Firstly, I have become aware of an attack on SSL Certificates by using a null value inserted in the domain name to trick the CA into issuing a certificate on an invalid domain. For example, [null value] will result in an SSL certificate being issued for to the site, which will appear valid in many browsers (but not all). Link to blog post. This won't (shouldn't) affect EV SSL Certificates though, only the Domain Validated ones.
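The null-value trick described above works because some validators treated the certificate's Common Name as a C string: the comparison stopped at the first NUL byte, so the bytes after it were never compared against the requested hostname. The following C example is added here and is not code from the blog post or from any browser or CA; it puts a string-terminated matching routine beside a length-aware one that rejects a CN containing bytes that cannot occur in a hostname. The domain names are constructed placeholders (the post's own example domains are not reproduced), and in a real validator `cn_len` would come from the DER length field rather than being passed by the caller.

```c
/* Added example (not from the original post): CN matching that stops at a NUL
 * byte versus CN matching that honours the DER-declared length. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

/* Vulnerable: treats the CN as a C string, so strcmp() stops at the first
 * NUL byte and silently ignores whatever follows it. The length is ignored,
 * which is precisely the bug. */
bool match_cn_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened: every byte of the DER-declared length must be a legal hostname
 * character (so an embedded NUL is rejected outright), and the whole CN must
 * match the requested host case-insensitively, byte for byte. */
bool match_cn_safe(const unsigned char *cn, size_t cn_len, const char *host)
{
    for (size_t i = 0; i < cn_len; i++) {
        unsigned char c = cn[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return false;          /* NUL or other junk inside the name */
    }
    if (strlen(host) != cn_len)
        return false;              /* a hidden suffix makes the lengths differ */
    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed CN: "www.example.com" followed by a NUL and a second name.
     * sizeof includes the literal's terminating NUL, so subtract one byte
     * only; the embedded NUL stays inside the declared length. */
    static const unsigned char crafted_cn[] = "www.example.com\0attacker.example";
    size_t crafted_len = sizeof(crafted_cn) - 1;   /* 32 bytes */
    static const unsigned char honest_cn[] = "www.example.com";
    size_t honest_len = sizeof(honest_cn) - 1;     /* 15 bytes */

    printf("strcmp-based match, crafted CN : %d\n",
           match_cn_vulnerable(crafted_cn, crafted_len, "www.example.com"));
    printf("length-aware match, crafted CN : %d\n",
           match_cn_safe(crafted_cn, crafted_len, "www.example.com"));
    printf("length-aware match, honest CN  : %d\n",
           match_cn_safe(honest_cn, honest_len, "www.example.com"));
    return 0;
}
```

The hardened routine deliberately does not handle wildcards or Subject Alternative Names; the point it makes is only that the declared length, not a terminator byte, defines where the name ends.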

Secondly, Comodo, to their credit, do admit that this is a problem and are tackling it. They have sent me a link via email to a video clip, which in turn links to more information. That can be found here. The bottom line really is that these EV certificates are more secure, don't cost that much and should be the norm. As an industry we should be educating users into recognising and looking for these security features.

Monday, 20 July 2009

IPICS Risk Assessment Slides

These are my slides on Information Security Risk Assessment, presented at the Intensive Programme on Information and Communication Security (IPICS). The topics covered are: the System-Holistic Approach to ICT Security; Risk Assessment approaches, strategies & terminology; Three Card RAG / Obstacle Poker; OCTAVE® - Operationally Critical Threat, Asset and Vulnerability Evaluation.

A PDF of the slides can be downloaded from here. (updated)

I will publish more information on the topics covered in due course (and if anyone asks). However, more information on Three Card RAG / Obstacle Poker can be found in a previous blog post.

Welcome to the RLR UK Blog

This blog is primarily about network and information security issues, but it does stray into other IT-related fields, such as web development and anything else that we find interesting.
