Analysts expect both CIOs and security vendors to be far more conservative about who they choose to partner with, after an employee at an Australian IT security firm was charged with hacking offences last week.

Matthew Flannery, a 24-year-old employee of Content Security, was employed as a support technician for clients of globally respected Tenable Network Security and provided services to a number of large Australian customers.
The arrest has implications first and foremost for Content Security and Tenable Network Security customers, but also for security vendors that contract support services, and for InfoSec professionals more broadly.
Customers
Security analyst James Turner said the news should be concerning for any clients of Content Security or Tenable.
“They are going to wonder how much of their security secrets are now out there in the wild, and whether their security provider is going to be able to give them a definitive answer about what information the alleged offender had access to or disclosed to third parties,” Turner said.
The security analyst said the two security providers need to “urgently get in touch with clients and give them information and advice; specifically on any steps the clients should take to protect themselves.”
He expects several Australian CIOs will be called in for board level briefings to explain potential exposure and implications.
“These CIOs should be taking the view that they are currently exposed,” he said.
“When you put security out to a third party, you are putting your trust in them,” noted Graham Ingram, an IT security veteran and general manager at AusCERT.
“Ultimately – you need due diligence to quantify that trust.”
Lessons for security vendors
Tenable Network Security has insisted that the alleged hacker was never an employee of its firm.
Matt Flannery is not and has never been an employee of Tenable Network Security.
— Tenable Security (@TenableSecurity) April 24, 2013
But industry commentators note that ultimately such a defensive response is a distraction from a more pressing issue. The alleged hacker worked for Tenable’s customers under Tenable’s arrangement with Content Security. The Tenable brand, whether they like it or not, becomes tarnished.
“Hopefully after this incident, large international companies will think twice about who they take on as third party resellers or support staff,” noted Chris Gatford, director of Australian pen testing firm, Hacklabs.
The broader InfoSec community
The InfoSec community is already reeling from a number of unfortunate events in which IT security professionals have been charged over efforts to disclose vulnerabilities.
Actions brought against Patrick Webster and Andrew Auernheimer are two examples of where the line between responsible disclosure and law enforcement’s definition of “hacking” is blurred.
Few doubt, however, that the hacks the Content Security engineer was charged with had any merit – and the last thing Australia’s InfoSec community needed was a scandal.
The main lesson for the InfoSec community, Gatford said, was that organisations need to do more due diligence over who they contract or hire.
“It’s very clear in this case – regardless of whether the alleged hacking incidents even occurred – that Content Security didn’t do good due diligence on hiring its staff,” Gatford said.
“You only need to spend ten minutes Googling Matthew Flannery to find his Aush0k identity.”
Ingram speculates that such a hire might come down to a dire shortage of IT security talent available to choose from.
Top-notch security professionals boasting skills and experience are poached and traded amongst Australia’s largest organisations, he said. Simultaneously, no new white hats are being trained, as few organisations are willing to hire an IT security manager with less than five years’ experience at that level. Ingram concedes it is a “massive issue” for his industry.
“And as a result, some organisations are being lured into the trap of thinking that if they can’t get a top notch security guy – a few grey hats might do.
“What we’ve seen this week is a possible outcome - which is not acceptable.”
“You can’t be a black hat one day, and say the next day you’re here to use that knowledge and experience for the good of an organisation. Trust is earned, it’s not a label you put on your front door.”
Due diligence
SC Magazine asked Hacklabs and fellow penetration testing firm Securus Global what due diligence they conduct on new staff.
“We take this stuff very seriously,” said Drazen Drazic, managing director at Securus.
“All staff have police background checks and reference checks. All of those are cross-referenced across industry contacts - as most people know each other in this industry.”
Candidates are often knocked back, he said, when background checks reveal undesirable traits.
Drazic said that even those candidates that pass a stringent interview process and sign up must first “sign-off on compliance to internal policies, that they understand all laws relating to cyber crime and related acts here and abroad, that they work under strict scoping conditions on all client engagements.”
Equally important, they agree in their contract that they have a duty of care when it comes to customer systems and data.
Gatford notes that organisations can sort the wheat from the chaff by choosing IT security firms accredited by CREST, which provides “very specific guidelines about data handling that can be audited against.
“It offers clients a method for holding IT security organisations to a higher standard,” he said.
Gatford notes that IT security professionals do need to keep their skills up-to-date and be aware of the latest attack methods. But hiring grey hats isn’t the way a firm should achieve that outcome, he said.
“It’s a bizarre industry – pen testers have to be above board as security consultants, plus have to be aware of the sub-culture to adequately do our job. Ultimately the safest way to do that is to only ever try new approaches in context of approved client work.”