Defense

Posts relating to the category tag "defense" are listed below.

19 April 2013

AppSensor at Security B-Sides London

Next week Dinis Cruz and I will be running an AppSensor workshop at Security B-Sides London 2013.

Photograph of a clock at the prime meridian in Greenwich looking towards central London and the banks at Canary Wharf

We will be demonstrating and helping attendees of the workshop specify, define and implement application-specific attack detection and real-time response. Our agenda is:

  • OWASP AppSensor concept
  • Attack detection exercise
  • Real world implementation
  • Alternative deployment models

We'll be using paper-based materials and real code demonstrations (in .NET, Java and PHP), so just bring your brains along. The workshop runs from 14:00 to 15:30 hrs on Wednesday 24th April 2013 and can be booked on arrival at the event, on a first come, first served basis. Security B-Sides London is a free, community-driven event, but it does require registration, and due to overwhelming demand there is currently a waiting list.

We hope to see you there.

Posted on: 19 April 2013 at 08:41 hrs

26 February 2013

OWASP NL 13.03.13

I will be travelling to Nijmegen on Wednesday 13th March having been invited to speak at the OWASP Netherlands local chapter.

Photograph of three airport departure boards with one displaying the blue screen of death in contrast to the flight departures listed on the other two

At the meeting in the Radboud Universiteit Nijmegen, I will present two brand new talks.

  • "Record It!" — Do you know what security event information should be recorded by an application? The presentation will outline which event properties are useful, what should be avoided and how logging can be implemented. In this short presentation, the benefits of good application logging will also be described. The content is drawn from the OWASP (Application Security) Logging Cheat Sheet.
  • "OWASP Cornucopia" — Microsoft's Elevation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. The PCI DSS-referenced OWASP Cornucopia - Ecommerce Web Application Edition will be presented and used to demonstrate how it can help developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide.
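
As an added illustration of the "Record It!" points (what to record, what to leave out, and how to write it so that untrusted input cannot corrupt the log), and not code from the talk or from the OWASP Logging Cheat Sheet itself, here is a small Python security-event logger. The field names, the application name and the masking rules are assumptions for this example, and the sample event is constructed.

```python
"""Security event logging in the style recommended by the OWASP Logging Cheat
Sheet: record who / what / when / where / outcome for each event, keep secrets
out of the log, and neutralise untrusted input so it cannot forge log entries.

Added example; not code from the original post. The field names, the
application name and the masking rules below are assumptions.
"""
import json
import re
from datetime import datetime, timezone

# Attributes that must never reach a log, whatever a careless caller passes in.
FORBIDDEN_FIELDS = {"password", "session_id", "pan", "cvv", "secret", "token"}

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_PAN_LIKE = re.compile(r"\b\d{13,19}\b")


def sanitize(value):
    """Make an untrusted value safe to write on a single log line.

    Control characters (CR, LF, ESC, ...) are rendered as \\xNN so that a
    username such as "bob\\r\\nLOGIN admin success" cannot inject a forged
    line or a terminal escape sequence into the log. Any run of 13-19 digits
    is masked to first six / last four, so a card number entered in the
    wrong field does not end up stored in plaintext log files (a few false
    positives are acceptable; a leaked PAN is not).
    """
    text = str(value)
    text = _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), text)
    text = _PAN_LIKE.sub(
        lambda m: m.group()[:6] + "*" * (len(m.group()) - 10) + m.group()[-4:],
        text)
    return text


def security_event(event_type, outcome, user, source_ip, component,
                   severity="INFO", **details):
    """Build one structured log record. Returned as a dict so that it can be
    inspected in tests and then serialised by format_event()."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),  # when (UTC)
        "app": "example-webapp",            # where: assumed application name
        "component": sanitize(component),   # where: login, checkout, ...
        "event": sanitize(event_type),      # what
        "outcome": sanitize(outcome),       # success / failure / attempt
        "severity": severity,
        "user": sanitize(user),             # who
        "source_ip": sanitize(source_ip),   # who: network origin
        # Extra context, minus anything that must never be logged.
        "details": {sanitize(k): sanitize(v)
                    for k, v in details.items()
                    if k.lower() not in FORBIDDEN_FIELDS},
    }
    return record


def format_event(record):
    """One JSON object per line: simple to ship, parse, search and alert on."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a failed login where the attacker-controlled username
    # carries a log-forging payload and a card number was typed into a form.
    event = security_event(
        "authn_login", "failure",
        user="bob\r\n2013-03-13T19:00:00Z LOGIN admin success",
        source_ip="203.0.113.9", component="login", severity="WARN",
        reason="bad password", password="hunter2",
        note="search box contained 4111111111111111")
    print(format_event(event))
```

The two defensive steps in sanitize() are the ones most often missing in practice: without them a single attacker-controlled string can either forge entries that mislead an investigation, or turn the log files themselves into a store of cardholder data that then falls into PCI DSS scope.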

OWASP board member Jim Manico is also presenting on the subject of "Access Control Design Best Practices". Jim is a great speaker and I am looking forward to this.

The venue is the Beta-faculty, Huygensgebouw, at Heyendaalseweg 135, Nijmegen, Parkeergarage P11. Registration and pizza will occur from 18:30 hrs until 19:15 hrs when my first talk commences. The presentations will end at 21:00 hrs followed by a period for further networking. Registration is free but necessary.

Posted on: 26 February 2013 at 10:55 hrs

08 February 2013

EU Cybersecurity Strategy and Proposed Directive

The European Commission published its Cybersecurity Strategy and details of a new proposed directive yesterday under the Digital Agenda flagship for ten-year growth.

Photograph of a temporary electronic matrix display sign at an outdoor event in Hyde Park London displaying the warning 'Security Checks In Operation'

The Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace describes five strategic priorities:

  • Achieving cyber resilience
  • Drastically reducing cyber crime
  • Developing cyberdefense policy and capabilities related to the Common Security and Defence Policy (CSDP)
  • Develop the industrial and technological resources for cybersecurity
  • Establish a coherent international cyberspace policy for the European Union and promote core EU values.

These lead to actions including:

  • Developing strong national cyber resilience capabilities, notably by building expertise on security and resilience of industrial control systems, transport and energy infrastructure
  • A voluntary certification programme to promote enhanced skills and competence of IT professionals (e.g. website administrators)
  • Training on NIS and secure software development and personal data protection for computer science students
  • Increase accountability of registrars of domain names and ensure accuracy of information on website ownership
  • Examine how major providers of ICT hardware and software could inform national competent authorities on detected vulnerabilities that could have significant security-implications
  • Develop ... technical guidelines and recommendations for the adoption of NIS standards and good practices
  • Stimulate the development and adoption of industry-led security standards, technical norms and security-by-design and privacy-by-design principles
  • Develop, in cooperation with the insurance sector, harmonised metrics for calculating risk premiums, that would enable companies that have made investments in security to benefit from lower risk premiums.

The Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union is a complementary measure aimed at harmonising efforts across member states. Responsibilities are placed on public administrations and on market operators in the private sector. The latter are defined to include both providers of information society services which enable the provision of other information society services (e.g. e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores), and operators of critical infrastructure essential for the maintenance of vital economic and societal activities: energy, transport, banking (credit institutions), financial market infrastructure such as stock exchanges, and health care providers.

There is a helpful commentary on initial reactions at ComputerWeekly.com.

Posted on: 08 February 2013 at 08:45 hrs

04 December 2012

Denial of Service Attack Defences

Another recent paper from Securosis addresses defending against denial of service (DoS) attacks.

The title sheet from the paper 'Defending Against Denial of Service Attacks'

Defending Against Denial of Service Attacks examines the types of attack currently prevalent, and methods to maintain availability and minimise the adverse economic effect. The paper begins by identifying the threat actors: protection racketeers, hacktivists, cyber war, exfiltrators, competitors, and business success itself.

The paper describes the types of attack and the defences available for networks and applications. For applications it covers building security into the software development life cycle, web application firewalls (WAFs), anti-DoS devices and service providers, and content delivery networks (CDNs), and it recommends a multi-faceted approach to application DoS protection.

I think some applications will just be more problematic than others, and avoiding security vulnerabilities, minimising the attack surface and building in application-specific attack detection and response will help here too.

The paper includes links to further insightful sources of information, and recommends that to be effective, the process for defending against denial of service attacks needs to include activities before, during and after an attack.
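
The application-specific attack detection and response mentioned here, and in the AppSensor workshop post above, can be sketched in a few dozen lines. The following Python is an added illustration, not code from the OWASP AppSensor project or from the Securosis paper: application code reports named detection points, the engine counts them per user within a sliding time window, and crossing a threshold triggers a real-time response. The detection-point names, thresholds, window lengths and response names are assumptions chosen for this example, and the event stream in simulate() is constructed.

```python
"""AppSensor-style attack detection and real-time response.

Added example; not OWASP AppSensor project code. The detection-point names,
thresholds, windows and response names are assumptions chosen for this
illustration. Each detection point is something only the application can
recognise (a login failure, a hidden form field that changed, an unusual
request rate for one user), which is what distinguishes this from a WAF.
"""
from collections import defaultdict, deque

# detection point -> (events allowed in window, window in seconds, response)
POLICY = {
    "failed_login":          (5,  300, "lock_account"),       # 5 failures in 5 minutes
    "hidden_field_tampered": (1,  0,   "terminate_session"),  # never legitimate
    "request_rate":          (30, 10,  "throttle_user"),      # 30 requests in 10 s
}


class AppSensor:
    """Counts detection-point events per user and applies the policy."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        # (user, detection point) -> timestamps of recent events
        self._events = defaultdict(deque)
        # Record of responses taken, oldest first: (user, detection point, response)
        self.responses = []

    def add_event(self, user, detection_point, now):
        """Record one event at time `now` (seconds). Returns the response name
        if the threshold was crossed, otherwise None."""
        threshold, window, response = self.policy[detection_point]
        recent = self._events[(user, detection_point)]
        recent.append(now)
        # Slide the window: forget events older than `window` seconds.
        while recent and now - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            recent.clear()          # start counting afresh after responding
            self.responses.append((user, detection_point, response))
            return response
        return None


def simulate():
    """Constructed event stream for three users; returns the responses taken."""
    sensor = AppSensor()
    # mallory: five wrong passwords within five seconds -> account locked
    for t in range(1000, 1005):
        sensor.add_event("mallory", "failed_login", t)
    # alice: occasional mistypes, 200 s apart -> never five inside 300 s
    for t in range(2000, 3000, 200):
        sensor.add_event("alice", "failed_login", t)
    # carol: a single tampered hidden field is enough -> session terminated
    sensor.add_event("carol", "hidden_field_tampered", 3500)
    # mallory again: scripted flood, 30 requests in under three seconds
    for i in range(30):
        sensor.add_event("mallory", "request_rate", 4000 + i * 0.1)
    return sensor.responses


if __name__ == "__main__":
    for user, dp, response in simulate():
        print("%-8s %-22s -> %s" % (user, dp, response))
```

Note that the counters are per user, so a flood spread across many accounts or anonymous sessions would not trip request_rate on its own; in practice this sits alongside per-IP and whole-application detection points and the network-layer defences the paper describes, which is the multi-faceted approach it recommends.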

Posted on: 04 December 2012 at 08:00 hrs

30 November 2012

Big Data / NoSQL / Hadoop etc Security

In October Securosis published a free paper concerning the security of "big data" systems.

One of the pages from the paper 'Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments'

Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments focuses on the security aspects that are architecturally and operationally specific to "big data" environments, rather than on the (also important) security of the applications themselves. Thus it covers how nodes and client applications are vetted before joining the cluster, how data at rest is protected from unwanted inspection, the privacy of network communications, and how nodes are managed.

The paper discusses what "big data" means, and the particular architectural and operational security issues that arise. It then presents six recommendations.

Posted on: 30 November 2012 at 10:01 hrs

18 September 2012

Mobile Payments, Security and PCI Requirements

Applications that accept payments and are installed on consumer mobile devices which are not used exclusively for a single payment application, such as smart phones, tablets and PDAs, have been excluded from the PCI SSC's Payment Application Data Security Standard (PA-DSS) validation programme. These types of mobile payment acceptance applications are known as Category 3: payment applications operating on any consumer electronic handheld device that is not solely dedicated to payment acceptance for transaction processing.

Partial image of the chart in Appendix B of 'PCI Mobile Payment Acceptance Security Guidelines' showing the suggested responsibilities for the 18 best practices

The Mobile Payment Acceptance FAQs, published in June 2011, recommended that Category 3 applications intended for use in the cardholder data environment be developed using PA-DSS as a baseline for the protection of payment card data and in support of PCI DSS compliance, until appropriate advice, guidance and/or standards could be developed to ensure that such applications are capable of supporting a merchant's PCI DSS compliance. On Friday the PCI SSC published that new guidance for developers.

PCI Mobile Payment Acceptance Security Guidelines v1.0, September 2012, first describes three objectives, with guidance, for payment transactions within the application:

  1. Prevent account data from being intercepted when entered into a mobile device
  2. Prevent account data from compromise while processed or stored within the mobile device
  3. Prevent account data from interception upon transmission out of the mobile device

Secondly, it gives guidance on 15 risks and controls in the supporting environment (the mobile platform and associated applications):

  1. Prevent unauthorized logical-device access
  2. Create server-side controls and report unauthorized access
  3. Prevent escalation of privileges
  4. Create the ability to remotely disable payment application
  5. Detect theft or loss
  6. Harden supporting systems
  7. Prefer online transactions
  8. Conform to secure coding, engineering, and testing
  9. Protect against known vulnerabilities
  10. Protect the mobile device from unauthorised applications
  11. Protect the mobile device from malware
  12. Protect the mobile device from unauthorized attachments
  13. Create instructional materials for implementation and use
  14. Support secure merchant receipts
  15. Provide an indication of a secure state

Recognising that no one party has sole responsibility for the security of Category 3 applications, a table in Appendix B of the guidance suggests which party is responsible for each of the 18 practices. The responsibilities are assigned to device manufacturers (e.g. Apple, Huawei, Motorola, Nokia, Samsung), operating system developers (e.g. Apple, Google, Microsoft), application developers (e.g. you?), and merchants as end-users or payment acceptance service providers.

The guidance also lists ten additional sources of information. Further advice and standards on mobile payments are expected from the PCI SSC in 2013.

In the next post, I will discuss some related updated guidance from Visa.

Posted on: 18 September 2012 at 23:30 hrs

03 August 2012

The European Commission, Information Risk Assessments and Breach Notifications

Summer must be the time to publish consultations, before everyone goes away on holiday. The European Commission (how the EU works) has published a consultation regarding information risk assessment and breach notification.

Photograph of a hotel-room safe with its door ajar; the mechanism to lock and unlock the safe is a credit card swipe device

The public consultation briefing describes how the European Commission is seeking to adopt, jointly with the High Representative of the Union for Foreign Affairs and Security Policy, a strategy that will ensure a secure and trustworthy digital environment while protecting fundamental rights and EU core values. It is considering three approaches:

  • Voluntary cooperation and information exchange between member states and the public and private sectors, as happens currently
  • Building up minimum capabilities at national level and promoting a more structured approach to cooperation and information exchange
  • Legislation to define minimum network and information security (NIS) capabilities for member states, a dedicated network for cooperation and information exchange, and, most interestingly, requirements for the private sector to adopt "NIS enhancing actions"

Within the last option, the Commission is considering requiring operators of networks and information systems "that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking)" to adopt risk management practices and to report security breaches.

The Commission has prepared a response form (web form, PDF) that asks a series of wide-ranging questions of governments, businesses and citizens, and there is scope for long answers and for submitting additional documents. The responses will be used to identify strategic actions and contribute to its impact assessment of the proposals. If your trade organisation or professional association is not planning a response, chase them up now.

The consultation runs until mid October 2012 (the 12th or 15th depending upon which document you believe).

Posted on: 03 August 2012 at 08:38 hrs

26 June 2012

Systematic Study of the Costs of Cybercrime

Researchers from the Computer Laboratory at the University of Cambridge have published a paper describing a systematic examination of the costs of cyber crime.

Title page from the paper 'Measuring the Cost of Cybercrime' showing the authors' names  'Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage' and part of the abstract

Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage describe in the paper Measuring the Cost of Cybercrime the direct and indirect costs of cybercrime in the UK, and corresponding world estimates.

The paper describes the strong externalities of cybercrime: its indirect and defence costs are proportionately much greater than those of tax and welfare fraud, or of fraud that sits on the boundary between traditional and online crime, such as payment card fraud.

From a clear definition of cybercrime, through detailed descriptions of known frauds and of the infrastructure supporting cybercrime, to the framework proposed, this is a thoroughly valuable read. The conclusions include the thought that more should be spent on catching and punishing perpetrators, and less in anticipation of computer crime.

Posted on: 26 June 2012 at 07:47 hrs

25 June 2012

Smart Meter Security, Risk Assessments and Audits

In another consultation, the UK's Department for Energy and Climate Change (DECC) is asking for views on the draft licence conditions relating to security risk assessments and audits for the UK's smart meter implementation programme.

The questions in the DECC's consultation on 'draft licence condition relating to security risk assessments and audits in the period before the DCC provides services to smart meters'

The licence conditions will apply until the planned Data and Communications Company (DCC) becomes responsible for the provision of services. Some 55 million smart meters will be rolled out to consumers from 2014 through to 2019. The consultation is important in that it sets the precedent for the security of "end-to-end smart metering systems" in the UK. This includes equipment located at consumers' premises, the communications network between the consumers' premises and the energy suppliers, and the energy suppliers' head end systems, together with all business procedures associated with the installation, operation and support of the system. The scope is all-encompassing. Additionally the government wants to ensure that security is embedded into the design of the systems and that they continue to be fit for purpose as risks, technologies and requirements evolve.

The consultation document includes the draft energy supplier licence conditions (in Annex A), and the consultation asks three questions:

  • "Do you consider that the draft licence conditions deliver the policy intention outlined in this document? Please provide comments on where the drafting could be amended or clarified.
  • Do you have any comments on the proposed approach that suppliers should carry out a number of good practice security disciplines and procedures as is set out in this document?
  • Do you have any further comments with regard to the issues raised in this document? We also welcome general comments around the approach to small suppliers, the processes expected of suppliers in general, and any related costs."

The draft conditions include requirements for carrying out a comprehensive risk assessment and for securing the system to an "appropriate standard", which is a "high level of security that is in accordance with industry good practice" and "capable of being verified" independently. Licensees would have to "take all reasonable steps to ensure that it is able to comply" with ISO 27001:2005 and "any equivalent standard of the ISO that updates, replaces or supersedes that standard". I am slightly concerned about the term "good practice" and would prefer "appropriate measures based on the risk assessment". Additionally it is not clear for which entities the risks will be assessed; apart from the energy companies, I would like that to include consumers and society at large, since security incidents may have wider impacts than on the ability of energy suppliers to conduct their business.

Surprisingly, there is no mention of work from other countries such as NIST Interagency Report (IR) 7628 Guidelines for Smart Grid Cyber Security, published in 2010.

The term "supplier end-to-end system" is defined in paragraph Z.5 of the appendix such that "equipment" includes "any associated software and ancillary devices". Paragraph Z.6 then goes on to provide a definition of "secure". The Supplier End-to-End System is secure if "both the System and each individual element of it is designed and operated to ensure, to the Appropriate Standard, that it is not subject to interference or misuse that (whether directly or indirectly):

  • causes any loss, theft or corruption of data;
  • results in any other unauthorised access to data; or
  • gives rise to any loss or interruption of [electricity/gas] supply or to any other interference with the service provided to a Customer at any premises."

So, clearly protection of data and availability of service to customers. But these types of system misuse have not been mentioned:

  • Use of the communications network for unauthorised purposes
  • Collection or processing of unauthorised data by the software
  • Use of the application to undertake unauthorised activity
  • The presence of unapproved or malicious code within the authorised software
  • Installation of unapproved software on any device
  • Use of any part of the system to attack other systems

Surely a system would not be "secure" if any of the above occurred? Remember this includes the software on the smart meters and all the business processes for support and operation. And finally, perhaps there ought to be some statement in the definition of "secure" about hardening and patching, although these might be derived from the policy. Similarly, monitoring for suspicious and malicious use.

Responses to the consultation have to be sent to smartmetering@decc.gsi.gov.uk by 27 July 2012.

Posted on: 25 June 2012 at 11:45 hrs

22 May 2012

Distributed Denial of Service (DDoS) Attacks

A new survey around experiences of Distributed Denial of Service (DDoS) attacks has been published this week.

One of the charts from the report 'Distributed Denial of Service: Q1 2012 When Businesses Go Dark'

Information worthy of attention in Distributed Denial of Service: Q1 2012 When Businesses Go Dark includes average hourly revenue losses broken down by industry sector, the greatest fears about a DDoS attack, and the average length of an attack. There is also a breakdown of the types of DDoS protection measures used. Organisations with a greater proportion of web-based customer interaction were found to be more prone to DDoS attacks.

This average data won't necessarily help with your own estimates for loss, but is useful background information all the same.

The report is the result of surveying 1,000 North American IT professionals, mainly network services managers, senior systems engineers, systems administrators and directors of IT operations.

Posted on: 22 May 2012 at 08:47 hrs

Defense : Web Security, Usability and Design
http://www.clerkendweller.com/defense

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2013 clerkendweller.com