Colin’s IT, Security and Working Life blog

September 24, 2009

Government Security is quite good – and out to get you.

Filed under: Government IT Security — chaplic @ 6:17 pm


The UK Government's Information Assurance policies (IT security to you and me) are actually quite good.

There, I said it.

And before someone mentions the thorny issue of CDs in the post, allow me to delve a bit deeper.

Each department is responsible for assessing its own risk and putting countermeasures and functionality in place as it sees fit. However, it's driven by policy from the “centre”, meaning there is a commonality across all central government departments.

For the most vital of documents, keeping them confidential, unmolested and available when they are needed is critical.

However, not all data falls into this category, and to provide the ultimate level of protection to all data would be considerably more expensive and cumbersome. To help with segregation of data, the government uses protective markings.

This is a short term like RESTRICTED or TOP SECRET which is a shorthand to describe what would happen should the information be compromised. Lower markings may just mean some commercial exposure or embarrassment, right up to the compromise of other assets directly leading to loss of life. Labelling documents and systems makes the value of the data contained within very clear.

This probably isn't directly applicable to most commercial companies. However, if many had a label of, say, “PERSONALLY IDENTIFIABLE INFORMATION” or “COMMERCIALLY SENSITIVE” and clear guidelines as to how information like this should be handled (i.e. do not take a document labelled “PERSONALLY IDENTIFIABLE INFORMATION” on a laptop without hard disk encryption), how many fewer cases of potential identity theft would we have?

So, the UK Government has a nice labelling system which puts all data in little pots and a bunch of policy documents telling users what they cannot do and a whole host of technical security requirements. Fascinating, but not a compelling reason for your business to get on-board with a structured security methodology?

e-Government is an agenda that's still quickening pace. You will almost certainly have some customers who are related to, or are, a government organisation.

National Government recognises the value of secure communications and is pushing its intranet (the GSi – Government Secure Intranet, and variants) out to partner organisations, quangos, and local councils. To connect up, these bodies have to warrant that their systems stand up to the Codes of Connection.

If you want to do business with any of these bodies you are going to have to get to grips with these requirements too. Fortunately, the requirements are not arcane, unusual or hidden. They are published on the Cabinet Office website and called the Security Policy Framework.

Let’s quote one requirement that’s poignant here:

Departments and Agencies must have, as a component of their overarching security policy, an information security policy setting out how they, and their delivery partners (including offshore and nearshore (EU/EEA based) Managed Service Providers), comply with the minimum requirements set out in this policy and the wider framework.

There’s no escaping it. Expect to see adherence to SPF in your ITT and contractual requirements (if they are not already).

Many companies, if not well-versed in Government IT Security, find the process alarming when the full implications are realised. They may well have used enough smoke-and-mirrors during the bid phase to hide their lack of knowledge, or a poor score in this area may simply not have been enough to lose them the bid.

But when they come to deliver, under the full scrutiny of experienced consultants, accreditors and security officers, they often find delivering their SPF-related contractual obligations to be daunting (and expensive).

But all is not lost. This is a scenario where security can truly be a business-enabler for your company.

Firstly, it provides you with a carefully thought-out, well-proven and common set of criteria for your IT security operation. Sometimes, even organisations with pretty tight IT security setups like banks find they do not meet the criteria. It isn't necessarily a quick fix but a path for your organisation (or, perhaps, only a subsection of it).

To understand how mature your Information Assurance is and how work is progressing, an Information Assurance Maturity Model is available – those who work with CMMI will be in their element.

Secondly, and most importantly – your company will likely want to do business with the government at some point, on some level. Taking these steps now will not only demonstrate the value of security to the business, it will put your company in the driving seat when it comes to delivering these new contracts.

Finally, can a UK government IT policy catch on and be universally accepted? Well, ITIL isn't doing too badly!


September 9, 2009

Microsoft won't be on EMC's Christmas card list

Filed under: Uncategorized — chaplic @ 10:08 am

I've been helping a client who has email performance issues. The problem is simple enough – most users' mailboxes are in the multiple GB range, and there isn't enough hardware to cope.

It's all tier-1 hardware – SANs with lots of fast disks in RAID10, multiple-CPU servers. Just nowhere near enough to chew through the TBs of mailboxes and give decent response times.

As part of this we’ve been talking to Microsoft about strategic direction. The environment now is Exchange 2003, so an upgrade to Exchange 2007 with its better performance and memory usage, plus a pretty straightforward upgrade, all seems to be a no-brainer.

I've taken a bit of interest in Exchange 2010 and have it running in a semi-production environment. I read the blurb about how they have improved I/O further. But it never really occurred to me how much of a step-change this new version is.

Basically, disk I/O and resilience are off the table as a concern. Microsoft's advice is to forget even RAID; simply use the inbuilt replication technology to have 2, 3, 4… copies of mailboxes. A single (cheap, SATA) disk will service a few hundred mailboxes of the monster size I'm dealing with.

For the first time Outlook talks to the CAS server instead of the mailbox server directly, which allows an easier redirect when a mailbox store goes down.

It's hard to see why you would ever deploy a SAN for Exchange again. In fact, you could arguably jettison a lot of the resiliency features of your mailbox servers (dual power supplies, fans).

For many organisations, one mailbox server will be enough, with multiple servers simply added for resilience (plus our CAS and RG servers of course).

The side effect of moving Exchange off the SAN is that, because we dedicated lots of spindles to get decent performance out of Exchange, we use a lot of GBs. This space can be set free and reconfigured as RAID5 for file storage or suchlike.

If you’re about to buy extra SAN storage because of email capacity issues, don’t. Go get Exchange 2010.

September 4, 2009

Back in the loop – as friends and family tech support (total virus security removal)

Filed under: Uncategorized — chaplic @ 8:44 am

I’ve not been blogging for a while as I’ve broken my collarbone following a “BSOD” biking incident.

I, like many others I expect, act as the unofficial (and often un-volunteered) technical support. I got the call on Sunday from the in-law:

“My computer's telling me the virus software needs updating and it won't let me do anything”

After ascertaining it wasn't McAfee playing up, I thought, no problem, I'll jump onto the machine using the excellent TeamViewer remote support tool I've got installed. Only I can't. In fact, after a bit of shouting down the phone (bit deaf), I gather it's not installed at all.

Now the in-law is 500 miles away, so a site visit would be extremely time consuming!

I connected to another laptop in their home, then RDP’d to his machine, which worked.

Turned out it was a fake anti-virus program called “Total Security”. It's the “best” implementation I've seen – graphics look good, spelling correct. If it didn't stop me doing anything, my first thought would have been that it was genuine.

It didn't allow me to get to a command prompt, run procmon or any of my usual tools. Curiously, removal guides on the net didn't help. This appeared to be a new variant.

I was scratching my head at how to get at it, then had an idea – it did let Internet Explorer run. I copied cmd.exe, renamed it iexplore.exe and tentatively double-clicked – it worked! I thanked my lucky stars they didn't use a hash to determine which applications to allow to run.
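The weakness above is the one a defender should take away: an allow-list keyed on the file name passes any binary that happens to carry that name, whereas one keyed on a content hash does not. The following is an added example, not code from the original post; it builds two constructed stand-in executables in a temporary directory and shows the name check accepting a renamed copy that the SHA-256 check rejects.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file's contents in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_name(path, allowed_names):
    """Weak check: trusts whatever the file is called."""
    return os.path.basename(path).lower() in allowed_names


def allowed_by_hash(path, allowed_hashes):
    """Stronger check: trusts only known file contents, whatever the name."""
    return sha256_of(path) in allowed_hashes


def demo():
    """Constructed scenario mirroring the post: a shell renamed to the browser's file name."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "iexplore.exe")  # constructed stand-in, not a real binary
        shell = os.path.join(d, "cmd.exe")         # constructed stand-in, not a real binary
        with open(browser, "wb") as f:
            f.write(b"constructed browser bytes")
        with open(shell, "wb") as f:
            f.write(b"constructed shell bytes")

        allowed_names = {"iexplore.exe"}
        allowed_hashes = {sha256_of(browser)}

        # Copy the shell under the browser's name, as in the post.
        os.makedirs(os.path.join(d, "copy"))
        renamed = os.path.join(d, "copy", "iexplore.exe")
        shutil.copy(shell, renamed)

        return {
            "name_check_passes_renamed": allowed_by_name(renamed, allowed_names),
            "hash_check_passes_renamed": allowed_by_hash(renamed, allowed_hashes),
            "hash_check_passes_real": allowed_by_hash(browser, allowed_hashes),
        }
```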

From there, I knew the bad guys' days were numbered. I downloaded Process Explorer from the Sysinternals guys and found an odd-looking numbered process hanging off explorer.exe. I killed this and normal service was resumed.

Updated Malwarebytes, ran a scan which duly found the nasty, rebooted, all clean!

The in-law was left with another warning about net hygiene. I cannot complain too much; he's come far – at one point he was determined to enter his bank details into a phishing scam despite not having an account at that bank!
