Security as a Strategy (SaaS)

Continuous Monitoring – A Critical Aspect of Risk Management

Many organizations have recently discovered that, while traditional security monitoring systems can help reduce risk, they are not enough to react to today’s external, targeted, persistent, zero-day attacks. As a result, a number of Federal agencies and some private sector organizations are beginning to replace point-in-time audits and compliance checks with a Continuous Monitoring program that simultaneously assesses the effectiveness of controls and provides visibility into current threats through situational awareness, in an automated and therefore more efficient and effective fashion.

The National Institute of Standards and Technology (NIST) first described continuous monitoring as a critical component of its Risk Management Framework, when in its Special Publication 800-37 Rev 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach” it advised agencies to put in place the following elements:

  • Configuration Management and Change Control: Develop processes for organizational information systems, throughout their SDLCs, and with consideration of their operating environments and their role(s) in supporting the organization’s missions and core business processes;
  • Security Impact Analyses: Develop security impact analysis and conduct analyses to monitor for changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission/business and/or organizational functions which said systems support;
  • (Ongoing) Assessment of System Security Controls: Develop assessment frequencies based on an organization-wide continuous monitoring strategy and individual system authorization strategies; and
  • Security Status Monitoring and Reporting: Communicate accurate and up-to-date security-related information to support ongoing management of information security risks and to enable data-driven risk mitigation decisions with minimal response times and acceptable data latencies.

At the heart of understanding risk is understanding change. Any time a system changes from a known state, or “baseline”, risk is incurred. Detecting and understanding changes is key to weighing the risk associated with a given change and to taking appropriate action. Precise and continuous change detection is, therefore, a fundamental component of IT risk mitigation. In addition, continuously checking settings, configurations, and system behaviors for anomalies is crucial to closing the risk detection and mitigation gap.
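The baseline change detection described above, as an added example that is not part of the original post or of any NIST publication: a baseline of configuration settings is fingerprinted, a later snapshot is compared against it, and each drift is classified (added, removed, modified) and rated so that a high-severity change triggers a security impact analysis before the new state is accepted as the next baseline. The setting names, their values and the critical-key policy are constructed assumptions.

```python
"""Added example (not from the original post or from NIST): detect drift from a
known baseline of configuration settings, the core of continuous change
detection. Setting names, values and the critical-key policy are constructed."""
import hashlib
from dataclasses import dataclass

# Assumed policy: settings whose change warrants a security impact analysis
CRITICAL_KEYS = {"sshd.PermitRootLogin", "sshd.PasswordAuthentication", "audit.enabled"}


@dataclass(frozen=True)
class Change:
    key: str
    kind: str       # "added", "removed" or "modified"
    severity: str   # "high" for critical keys, otherwise "medium"


def build_baseline(settings):
    """Fingerprint each setting so the baseline can be stored and compared
    without keeping the raw values (some of which may be secrets)."""
    return {k: hashlib.sha256(v.encode()).hexdigest() for k, v in settings.items()}


def detect_changes(baseline, current):
    """Compare a fresh snapshot of settings against the stored baseline
    fingerprints and report every key that differs, in key order."""
    current_fp = build_baseline(current)
    changes = []
    for key in sorted(baseline.keys() | current_fp.keys()):
        old, new = baseline.get(key), current_fp.get(key)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append(Change(key, kind, "high" if key in CRITICAL_KEYS else "medium"))
    return changes


def requires_impact_analysis(changes):
    """Any high-severity change should trigger a security impact analysis
    before the new state is accepted as the next baseline."""
    return any(c.severity == "high" for c in changes)


# Constructed snapshots: the approved baseline and a later live reading
BASELINE_SETTINGS = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "ntp.server": "time.example.internal",
}
CURRENT_SETTINGS = {
    "sshd.PermitRootLogin": "yes",         # modified: root login now allowed
    "sshd.PasswordAuthentication": "no",
    "ntp.server": "time.example.internal",
    "cron.backup": "02:00",                # added since the baseline was taken
}                                          # audit.enabled has been removed

if __name__ == "__main__":
    found = detect_changes(build_baseline(BASELINE_SETTINGS), CURRENT_SETTINGS)
    for c in found:
        print(f"{c.severity:6} {c.kind:8} {c.key}")
    print("impact analysis required:", requires_impact_analysis(found))
```

Storing fingerprints rather than values keeps the baseline shareable with the reporting layer; in practice the snapshot would be collected by an agent or a SCAP-based scanner on a schedule, which is what turns this single comparison into continuous monitoring.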

One of the first major challenges in developing a strategy for implementing a continuous monitoring effort, however, is defining the term. There have been a number of attempts: NIST has produced two documents that seek to define and provide guidance on the subject of continuous monitoring. The first of these documents is a Frequently Asked Questions (FAQ) guide on continuous monitoring that was published in June 2010. The second is the draft of Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, released in December 2010. In it, NIST defines continuous monitoring as follows:

“Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The objective is to conduct ongoing monitoring of the security of an organization’s networks, information, and systems, and respond by accepting, avoiding/rejecting, transferring/sharing, or mitigating risk as situations change.”

[Figure: ISCM Process]

More recently, NIST released three reports that are related to continuous monitoring. The first, NIST Interagency Report 7756 Second Public Draft, “CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Model” provides a reference model for organizations to collect data from across a diverse set of security tools, analyze the data, score the data, enable user queries and provide overall situational awareness.

The model is designed so organizations can meet these goals by leveraging their existing security tool investments and avoid designing and paying for custom solutions. It was developed using the Department of Homeland Security’s monitoring framework Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (or CAESARS) architecture as a starting point.

The second document, NISTIR 7799, “Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications” provides the technical specifications for the continuous monitoring reference model presented in NISTIR 7756 with enough specificity to enable instrumentation of existing products and development of new capabilities by vendors.

The third document, NISTIR 7800, “Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration and Vulnerability Management Domains” augments the reference model with guidance on addressing these specific areas. It does this by leveraging the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability-scan content, and it recommends reporting results in an SCAP-compliant format.

While the initial thrust of continuous monitoring is controls-based in the Federal government, many forward-thinking organizations have expanded their continuous monitoring program to address threat management via Situational Awareness and Incident Response (SAIR). The result is a two-pronged approach:

  • Proactive Monitoring: Vulnerability monitoring and asset/device awareness
  • Detective Monitoring: Full-view, context-aware threat monitoring, analysis and alerting

The various “domains” that are candidates for continuous monitoring include the following:

  • Asset Management
  • Configuration Management
  • Event Management
  • Incident Management
  • Information Management
  • License Management
  • Malware Detection and Remedy
  • Network Management
  • Patch Management
  • Vulnerability Management
  • Software Assurance

Although not (yet) specified, two other domains (Digital Policy Management and Advanced Persistent Threat) are under consideration by NIST.

By adopting a continuous monitoring program that addresses both proactive and reactive monitoring, organizations in both the public and private sector can not only manage compliance but also track security trends, make risk management decisions, and determine where they need to improve their security posture.

An Introduction to IT Risk Management

Managing IT risk is part of running any business these days. Regardless of the type of business, understanding and managing one’s IT risks will help to increase security, reduce management costs and achieve greater compliance. Managers who fail to identify, assess and mitigate IT risk are setting themselves up for serious security breaches, reputational damage, and financial losses. Further, those leaders who think that managing IT risk is solely the job of the IT staff may be in for a big shock.

Firstly, we need to understand that information is an asset that, like other important business assets, has value to an organization and therefore needs to be suitably protected. We need to ensure that information is accessible only to those authorized to access it, that we safeguard the accuracy and completeness of information, and that authorized users have access to that information when required.

Before discussing how to go about determining one’s level of risk, it is important to understand risk nomenclature:

A risk is the possibility of a threat (or source) acting upon a vulnerability (or weakness) causing harm to an asset (or resource).

A risk is quantified (or measured) by the probability (or likelihood) of the event happening and the impact (or severity) of its consequences.

Risk Management is all about discovering your most critical assets and understanding their weaknesses and loss expectancy and then focusing your attention on the highest probability and highest impact areas in order to prioritize your risk treatment efforts.

The following figure (from ISO/IEC 15408, "Common Criteria") depicts the value relationship of owners to their assets. Ultimately the challenge is to introduce effective countermeasures (or safeguards) that restrict a threat agent (the catalyst that performs the threat) from successfully exploiting a known threat against an asset’s vulnerabilities.

[Figure: Risk Relationships, from ISO/IEC 15408]

Before any risk analysis can be performed, a Security Risk Profile must first be created for the asset(s) in question. The security risk profile gathers information about the asset to help rate its sensitivity to security risks. Factors that are considered include Financial, Legal, and Reputational damages or Regulatory constraints/restrictions that may result from a security violation. It is important that a designated Asset Owner rates the asset’s importance to the organization from an information security perspective and within the context of the entire enterprise environment. Assets are normally assigned a value (High, Moderate, Low) relative to the organization’s tolerance for risk.

Once the risk is assessed, a Risk Map is used to plot the probability and impact of the risk occurring. The map allows one to visualize risks in relation to each other, gauge their extent, and plan what type of risk treatments should be implemented. Below is a simplified example of a Risk Map. As you can see, there are various risk treatments available to decision makers.

[Figure: simplified example of a Risk Map]

By looking at the business risks this way, the most critical risks can be addressed and mitigated first.
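A minimal Risk Map in code, as an added example that is not from the original post: each risk is scored by probability times impact on assumed 1-to-5 scales, placed on a grid whose rows are impact and columns are probability, and assigned one of the treatments named in the NIST definition quoted earlier (accept, mitigate, transfer/share, avoid). The thresholds, the quadrant-to-treatment mapping and the sample risks are assumptions for illustration, not figures from the post.

```python
"""Added example (not from the original post): a minimal Risk Map that scores
risks by probability x impact, places them on a 5x5 grid and suggests a
treatment per quadrant. Scales, thresholds and sample risks are constructed."""
from dataclasses import dataclass

SCALE = range(1, 6)   # ordinal 1 (lowest) .. 5 (highest), an assumed convention
HIGH = 3              # assumed threshold above which a dimension counts as "high"


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    probability: int   # 1..5
    impact: int        # 1..5

    @property
    def score(self) -> int:
        return self.probability * self.impact


def suggest_treatment(risk):
    """Assumed quadrant mapping: likely and severe risks must be avoided or
    reduced; rare but severe ones are candidates for insurance or outsourcing;
    likely but minor ones get cheap likelihood reductions; the rest are accepted."""
    likely, severe = risk.probability >= HIGH, risk.impact >= HIGH
    if likely and severe:
        return "avoid or mitigate"
    if severe:
        return "transfer/share"
    if likely:
        return "mitigate"
    return "accept"


def build_risk_map(risks):
    """Order risks for treatment: highest score first, ties broken by impact."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def risk_grid(risks):
    """The map itself: rows from impact 5 (top) down to 1, columns probability
    1..5, each cell holding the names of the risks plotted there."""
    return [
        [[r.name for r in risks if r.probability == p and r.impact == impact] for p in SCALE]
        for impact in reversed(SCALE)
    ]


# Constructed sample risks for a small organisation
SAMPLE_RISKS = [
    Risk("ransomware on file server", "file server", 4, 5),
    Risk("lost laptop with customer data", "laptop fleet", 3, 4),
    Risk("datacenter flood", "primary DC", 1, 5),
    Risk("phishing click", "email users", 5, 2),
    Risk("printer outage", "office printers", 2, 1),
]

if __name__ == "__main__":
    for r in build_risk_map(SAMPLE_RISKS):
        print(f"{r.score:3}  {r.name:32} -> {suggest_treatment(r)}")
    for impact, row in zip(reversed(SCALE), risk_grid(SAMPLE_RISKS)):
        print(f"impact {impact}:", ["/".join(cell) or "." for cell in row])
```

The ordering produced by `build_risk_map` is the "address the most critical risks first" rule from the text; the asset owner's High/Moderate/Low rating from the Security Risk Profile would normally feed the `impact` column rather than being guessed per risk.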

It’s critical to the IT risk management process that executives not only be informed of risks, but that they assist in the quantification and definition of the business impact these risks impose. They need to sign off on the risk position adopted for the organization’s assets. Only when the IT department and senior management are aligned in the identification, assessment and remediation of IT risk will an organization be able to achieve higher levels of security and compliance.

By aggregating and reporting on the impact of security risks within IT and how these risks impact the business, security professionals can become an integral part of business decision-making and help guide the organization to a more risk-aware culture.

New security attacks against Android smartphones

In 2008 Google launched the Android Market and estimates indicate there are now more than 200 million Android smartphones and tablets. And these smartphone and tablet users have downloaded over 10 billion applications from the Android Market.

With all that success, the Android application market has become an increasingly attractive target for cyber criminals. In 2011 alone, Google removed more than 100 malicious applications from the Android Market.

Some of the tactics used by these criminals and hence things to monitor include malware bundled with fake applications. In this ruse the malicious app borrows elements of a legitimate app and then re-packages it with malicious code. In this category we find fake games, horoscopes, wallpapers and accessories to bestselling games such as "Angry Birds" and "Cut the Rope.”

Android-targeted malware has been able to record keystrokes, send SMS messages that sign the victim up for third-party SMS services, record conversations, and even factory-reset a device, all without any input from the user.

One of the issues with the Android Market is that Google, unlike Microsoft and Apple, has not implemented a consistent program of vetting software submissions from developers and scanning applications for malware.

To combat this growing problem, corporations whose employees use Android-powered devices are implementing remote security management systems for mobile devices. Their functions and capabilities include: remote lock and unlock, remote reset, removal of configuration data, the ability to lock management settings on the phone, full device encryption, wiping of encrypted data, SD card encryption, application blacklisting, disabling applications, wiping application data, enabling and disabling the camera, Wi-Fi, microphone and enterprise applications, and preventing users from uninstalling applications.

So this holiday season, make sure on your Santa wish list is some capability to securely manage the growing user base of Android devices.

Human mind hacking predicted by security experts

Continuing with our top lists for 2012, here are the "most outrageous security predictions" compiled for 2012.

Major sporting events draw major cyber attacks

The FIFA World Cup attracted much attention in 2010, with many victims falling for various scams, including counterfeit ticketing, fake merchandise and rogue travel agents. In the buildup to the 2012 Olympics look for criminals to use phishing techniques in offering fake tickets, spam that pushes other products but is littered with football references in the subject line and email body, fake travel and accommodation offers, and competitions for tickets and travel packages.

Cars with computers will get hacked, by Stephen Northcutt

“This is fairly related to the OSI Layer 2 prediction. Cars aren't cars anymore, they are computers with wheels. GM ships OnStar, Ford has Synch, most states require "hands free" operation so we have Bluetooth. Cars even have their own networking protocol. In 2011 and 2012 most of the hacking activity against cars will be boutique, just seeing how to do it. It won't go into high gear unless someone can figure out how to monetize it. There is extortion of course, your wife is driving down an empty road at night in the cold and rain and the attacker uses something similar to the OnStar "Stolen Vehicle Assistance" to slow and stop the vehicle. Then the attacker demands your debit card number and PIN if you want the car to run again. That is one off and possibly requires human intervention and could be high risk to the criminal since you could call police on your cell phone and report the event. Of much greater concern is the eventual integration of your PDA to the car network especially if you get one of those nifty accept credit cards on your PDA applications.”

Human Mind Hacking, by Stephen Northcutt

“For over twenty years, there has been published information in the social sciences about planting false memories. A growing trend is when we are exposed to information that we do not like; you see this in politics a lot with the so-called liberal and conservative debate, the unwelcome information has a so-called backfire effect and reinforces our beliefs. If you listen carefully to someone that listens to Fox News all the time, you will come to realize Human Mind Hacking is real. Kathy and I ceased watching television over 25 years ago and I try to be careful about my news sources. You can never blindly trust in any one source…”

Peripherals Become Dangerous

In July 2010, there was an announcement that replacement motherboards for Dell PowerEdge R410 servers contained spyware. We have also seen digital picture frames, USB keys and the like that come with malware out of the box. However, it is only going to get worse. As organized crime seeks new ways to initially install malware, and to keep it in place in the presence of anti-virus software and endpoint whitelisting technology, it will increasingly use device drivers and peripherals. In 2012, expect to read about more cases where malware is hidden in auxiliary parts of the computer to which the operating system has no direct access. Also expect to see attacks against device drivers, as well as malware pretending to be a device driver.

Part 2 - Top Expert Security Predictions for 2012

Here is Part 2 of our top expert security predictions for 2012 compiled from M86, Websense, SecurEnvoy, CSO, SANS and others.

Mobile malware menaces users and organizations

In 2011, the most prolific cybercrime platforms, Zeus and SpyEye, developed malware for the Android platform in order to intercept the SMS-based security controls deployed by banks to protect their customers from banking Trojans. Android has become the most-targeted platform for malware, surpassing Symbian in the first half of 2011.

Third-party software exploits gain traction

Some third-party browser software such as Java, Flash Player and Acrobat Reader have huge worldwide install bases. Because numerous vulnerabilities in these products are found and often exploited, and because it is difficult for IT administrators to promptly update these products throughout their organizations, these software products have become an increasingly viable vector for attacks.

Exploit kits and malware reuse proliferate

Malware reuse is a growing phenomenon in the underground economy, and the Zeus family of malware is a prime example. For the last few years, Zeus (a.k.a. Zbot) has been one of the preferred types of malware used by cybercriminals. Until May 2011, Zeus source code was sold only to private groups, and only older compiled versions of the tool were available to anyone; then the source code of the Zeus crimeware kit was leaked and is now publicly available on the Web.

Compromised websites serving malicious content accelerate

Social networking sites such as Facebook and LinkedIn are now being used by businesses to promote their organizations, generate leads and inform customers of special offers or important messages. Additionally, almost every self-aware organization has either started a blog or is in the process of starting one. Although these blogs run on corporate Web servers, they often are not sufficiently protected against malicious attacks, which allows remote attackers such as botnet operators and traders to compromise the corporate Web server and turn it into a redirector to their malware.

Botnet disruption attempts short-lived

Botnets, vast armies of compromised machines around the globe, are the cybercriminals’ weapons of choice, and nothing suggests that this will change anytime soon. Whether it’s spam, data stealing, DDoS, or mass website hacks, botnets provide the horsepower and anonymity that cybercriminals need to perpetuate their crimes. Unless the operators are actually apprehended, botnet takedowns tend to have a short-term effect only. The Cutwail and Lethic botnets are classic examples. Despite being “disabled” multiple times, they are still spamming today.

Attacks on cloud services inevitable

Many people and organizations are moving to various cloud services to take advantage of convenience and attractive pricing. There are valid security concerns about moving sensitive data and critical systems to the cloud, including control of data, downtime due to an outage and lack of visibility. Despite excellent security practices employed by many cloud providers, the fact remains that these services are likely to be prime targets for cybercriminals.

Organizations will move from hardware to software based tokens to authenticate users

“While you could say this isn’t really a prediction, as in truth the exodus to tokenless has already started, I’ll bravely put a figure against it and say 50 percent of all hardware tokens will be replaced with tokenless two factor authentication by this time next year.”  - Andy Kemshall, SecurEnvoy

Top Expert Security Predictions for 2012 - Pt 1

It’s that time of year again when we go through the security predictions for 2012 from the leading prognosticators and the wannabes. So until St. Nick comes, enjoy the “Top” lists we’ve compiled from M86, Websense, SecurEnvoy, CSO, the folks at SANS and others. You’ll get a different “Top” list in the next few blogs until Christmas.

Targeted attacks grow more damaging and complex

Hacktivist groups such as Anonymous and LulzSec have made security breaches a public event as we learned about the use and rise of Advanced Persistent Threats (APTs) against global organizations and government agencies.

Illicit social media scams escalate

Social media has emerged as a magnet for cybercriminals, as malicious spam campaigns have mimicked Facebook, LinkedIn, YouTube, Twitter and even Google+, capitalizing on the inherent trust in these brands to dupe users into clicking on links.

Social media identity theft

Your social media identity may prove more valuable to cybercriminals than your credit cards. Bad guys will actively buy and sell social media credentials in online forums.

Blended attacks increase

The primary blended attack method used in the most advanced attacks will be to go through your social media "friends," mobile devices and through the cloud.

We've already seen one APT attack that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012.

Rise of geospatial mobile device attacks

People have been predicting this for years, but in 2011 it actually started to happen. And watch out: the number of people who fall victim to believable social engineering scams will go through the roof if the bad guys find a way to use mobile location-based services to design hyperspecific geolocation social engineering attempts.

SSL/TLS will put net traffic into a corporate IT blind spot

Two items are increasing traffic over SSL/TLS secure tunnels for privacy and protection. First is the disruptive growth of mobile and tablet devices. Second, many of the largest, most commonly used websites, like Google, Facebook, and Twitter, are switching to https sessions by default, ostensibly a more secure transmission. But as more traffic moves through encrypted tunnels, many traditional enterprise security defenses are going to be left looking for a threat needle in a haystack, since they cannot inspect the encrypted traffic.

Containment is the new prevention

For years, security defenses have focused on keeping cybercrime and malware out. Organizations on the leading edge will implement outbound inspection and will focus on adapting prevention technologies to be more about containment, severing communications, and data loss mitigation after an initial infection.

Increase in event-based attacks

The London Olympics, U.S. presidential elections, Mayan calendar, and apocalyptic predictions will lead to broad attacks by criminals. Cybercriminals will continue to take advantage of today's 24-hour, up-to-the-minute news cycle, only now they will infect users where they are less suspicious: sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations.

Social engineering and rogue anti-virus will continue to reign

Scareware tactics and the use of rogue anti-virus, which decreased a bit in 2011, will stage a comeback. Except, instead of seeing "You have been infected" pages, we anticipate three areas will emerge as growing scareware subcategories in 2012: a growth in fake registry clean-up, fake speed improvement software, and fake back-up software mimicking popular personal cloud backup systems.

How to successfully secure an HPC system

Yesterday we talked about the inherent differences and security risks between a High Performance Computing (HPC) system (computer clusters) and a traditional enterprise network.

In order to secure a cluster, it must be treated as a single unit and not as a collection of independent networked machines; HPC therefore requires a different approach from traditional enterprise-level security.

HPC systems present unique challenges to security administrators because of the following characteristics:

(1) High bandwidth connections – To facilitate its computational goals, a cluster must have high bandwidth connections to the outside world, allowing interactive use by many users, transfer of large datasets into and out of the cluster, and fast inter-node communication. These high bandwidth connections are attractive to attackers because the attacker can subsequently leverage them for purposes such as launching denial-of-service flood attacks against other sites.

(2) Extensive computational power – Legitimate cluster users marshal the aggregate processing power of multiple machines with the goal of solving grand challenge scientific problems. In contrast, this computational power could be used by an attacker for purposes such as carrying out brute-force attacks against authentication mechanisms on other network resources to which the attacker wishes to gain unauthorized access. For example, there have been cases where attackers have used parallel versions of traditional password cracking tools running on a compromised cluster in an attempt to crack stolen password files. Cracking a hashed password typically involves either a dictionary attack or a brute-force search through the entire space of possible passwords. Because both of these are “embarrassingly parallel” problems, a cluster gives near-linear speedup for the task, making the computational power of a cluster an attractive target to hackers.

(3) Massive storage capacity – Many high-performance cluster environments include storage capacity measured in terabytes, used for storing large scientific datasets and the results produced by computations involving these datasets. To a hacker, large-capacity disk storage is an attractive target for use in creating repositories of stolen copyrighted software and multimedia files.

The result of not treating cluster security as different from non-cluster security is an increased vulnerability to attacks that simultaneously target multiple cluster components.

Researchers at the National Center for Supercomputing Applications (NCSA), Department of Computer Science, University of Illinois at Urbana-Champaign put forth the following features of a security approach that would be most successful in securing an HPC system.

Process monitoring – Examining the individual processes running on each cluster node is critical for overall cluster security. Tools such as those based on the Clumon monitoring framework, which collect information about every process on every node in a cluster, analyze the set of processes found, and visually alert the cluster administrator when anomalous conditions are discovered, are important. Such anomalies might include system-related processes that should be running on a node but are in fact missing; processes that are running on a node when the node should be idle (particularly in the case of “root” processes); and an unusually large number of processes running on an individual node or across the entire cluster.

Detecting these types of situations within a cluster is possible because a cluster presents a relatively limited search space for anomaly detection, versus an enterprise network with machines of different types (servers, workstations, laptops) running an unbounded number of different software processes.

Network port scanning – Unexpected network ports that are opened on a cluster node can be a good indicator of suspicious activity. A port scanner tailored to a cluster environment that monitors port usage and presents the results to cluster administrators using visualization should be required. The underlying idea is that network ports must be opened in order for an attacker to interact with a cluster; otherwise compromising a cluster is of limited value, since there can be little or no interaction with compromised nodes.

Traffic analysis – Applications running on cluster systems have unique patterns of communication, making the task of distinguishing legitimate traffic from abnormal traffic difficult. This difficulty is compounded by the growing use of grid computing software, which exhibits communication patterns that cross cluster boundaries by joining multiple geographically-distributed clusters into a single computational resource.

Correlation of the information from the cluster job scheduler with network traffic into and out of the cluster in order to distinguish typical cluster traffic patterns from suspicious or known malicious traffic patterns should be required. For example, an automated traffic analysis tool can use contextual information from the job manager as well as a constrained set of legitimate IP addresses belonging to one or more well-known clusters to aid in recognizing patterns of communication in parallel computations such as localized neighbor communication, many-to-many communication, or all-to-all communication.

That is, if a set of nodes is communicating within the context of a single job, the traffic is most likely legitimate. This is in contrast to a machine on an enterprise network that is not attached to any unifying context. The ultimate goal is to automatically detect these types of traffic patterns.
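The job-scheduler correlation described above, as an added example that is not from the original post: each flow record is classified by whether both endpoints belong to the same scheduled job (legitimate), whether they are two cluster nodes with no shared job (suspicious), whether the remote end lies inside a well-known partner cluster's address range (expected grid traffic), or whether a node is talking to an unknown outside host. Job ids, node names, addresses and the partner-cluster prefix are constructed; the peer range uses a documentation prefix rather than any real site.

```python
"""Added example (not from the original post): correlate flow records with
the job scheduler's node allocations so that traffic with no job context
stands out. All job ids, node names, addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass

# Scheduler view (assumed): job id -> nodes it currently owns
JOBS = {"job-1041": {"cn001", "cn002", "cn003"}, "job-1042": {"cn010"}}
MANAGEMENT_NODES = {"head01"}          # may legitimately talk to every node
NODE_ADDR = {
    "cn001": "10.10.0.1", "cn002": "10.10.0.2", "cn003": "10.10.0.3",
    "cn010": "10.10.0.10", "head01": "10.10.0.100",
}
ADDR_TO_NODE = {addr: node for node, addr in NODE_ADDR.items()}
# Address ranges of well-known partner clusters that grid jobs may reach
# (constructed: a documentation prefix, not a real site)
PEER_CLUSTERS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def classify_flow(flow):
    """Attach job context to a flow, the way the text describes."""
    s, d = ADDR_TO_NODE.get(flow.src), ADDR_TO_NODE.get(flow.dst)
    if s and d:
        if s in MANAGEMENT_NODES or d in MANAGEMENT_NODES:
            return "management"
        if any({s, d} <= nodes for nodes in JOBS.values()):
            return "intra-job"      # both ends owned by the same running job
        return "cross-job"          # two cluster nodes with no shared job context
    if s or d:
        other = flow.dst if s else flow.src
        if any(ipaddress.ip_address(other) in net for net in PEER_CLUSTERS):
            return "peer-cluster"   # expected grid traffic to a known partner
        return "external"           # cluster node talking to an unknown host
    return "unrelated"              # neither end is ours


def suspicious_flows(flows):
    """Flows that lack any legitimate context and deserve an analyst's look."""
    return [f for f in flows if classify_flow(f) in {"cross-job", "external"}]


def external_volume(flows):
    """Bytes sent to each unknown outside host, to spot bulk exfiltration of
    the large datasets the text says clusters hold."""
    totals = {}
    for f in flows:
        if classify_flow(f) == "external":
            totals[f.dst] = totals.get(f.dst, 0) + f.nbytes
    return totals


# Constructed flow records (src, dst, destination port, bytes)
SAMPLE_FLOWS = [
    Flow("10.10.0.1", "10.10.0.2", 15002, 5_000_000),    # MPI traffic inside job-1041
    Flow("10.10.0.3", "10.10.0.10", 22, 2_000),         # job-1041 node -> job-1042 node
    Flow("10.10.0.2", "192.0.2.44", 2811, 900_000),     # data transfer to partner cluster
    Flow("10.10.0.10", "203.0.113.7", 443, 40_000),     # node -> unknown outside host
    Flow("10.10.0.1", "10.10.0.100", 15001, 1_000),     # node reporting to head node
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{classify_flow(f):12} {f.src} -> {f.dst}:{f.dport}")
    print("suspicious:", [(f.src, f.dst) for f in suspicious_flows(SAMPLE_FLOWS)])
    print("external volume:", external_volume(SAMPLE_FLOWS))
```

The classification is only as good as the scheduler data it joins against, so the job table should be pulled from the job manager at the same moment the flows are captured; a node that has just been released from a job will otherwise look like it is generating cross-job traffic.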

In conclusion, to be effective, cluster security tools must monitor the state of the entire cluster, consider all facets of the cluster security problem, and base decisions within this context. And because of the performance requirements in high-performance distributed systems, it is not possible to simply retrofit existing security mechanisms and expect the HPC community to use them.

Six security risks in High Performance Computing (HPC)

This is a two part blog. Today we’re going to talk about the risks many companies face in securing High Performance Computing (HPC) environments and then tomorrow we’ll talk about ways to properly secure such HPC systems.

Large-scale commodity cluster systems are finding increasing deployment in academic, research, and commercial settings. Coupled with this increasing popularity are concerns regarding the security of these clusters.

While a great deal of effort has been expended in creating tools to aid in the installation, administration, and monitoring of clusters, very little effort has been expended in creating tools that address the unique issues of cluster security, particularly for very large cluster installations.

Many people believed that the issues related to cluster security were the same as for general computer security. (“What works for one system should work for a collection of 100 systems.”) However, as cluster systems have become more widespread and powerful, they have become increasingly desirable targets to attackers.

Researchers at the National Center for Supercomputing Applications (NCSA), Department of Computer Science, University of Illinois at Urbana-Champaign found six ways in which cluster security is different from traditional enterprise-level security. In order to be effective, cluster protection schemes must take these into account.

  1. A cluster encompasses a collection of distributed resources to be protected. By definition, clusters are multiple, closely-coupled machines that are centrally administered. These machines share common resources such as network access, compute cycles, and storage. The challenge is to secure these internal distributed resources against unauthorized access while at the same time permitting easy access by legitimate users. In contrast, the resources found in a typical enterprise-type environment are often very loosely coupled and exhibit minimal coherence of these types of resources.
  2. A cluster must provide mechanisms for resource management. The challenge here is to manage a cluster such that legitimate users can consume resources efficiently in an authorized way using an agreed-upon job prioritization system. This is distinguished from enterprise-type environments that usually do not need to manage resources between competing interests. When a user executes a job on a cluster, it is often difficult to differentiate legitimate versus illegitimate use unless there are obvious malicious process signatures. For example, legitimate cluster users are potentially able to tamper with shared data or to excessively consume compute cycles to the extent of disrupting the service available to other cluster users.
  3. Clusters present a heterogeneous management environment. That is, a cluster may be composed of different hardware and software node configurations (heterogeneous clusters). Even in the case of clusters containing the same hardware and software node configurations, there is usually a separation of cluster nodes by specialized function into “head nodes,” “compute nodes,” “storage nodes,” and “management nodes.” The challenge is to coordinate security across different node platforms and different specialized function nodes. This is different from enterprise-type security in that cluster security management must be simultaneously platform independent and specialized for different-functioning node types.
  4. Clusters have large-scale management requirements. As Schneier points out, security is a process, not a product. As the sizes of clusters continue to increase, the task of maintaining and monitoring cluster security becomes an intractable problem. For example, one production cluster at NCSA consists of 1,500 nodes. At this scale, it is not practical to manage a cluster without leveraging the use of automation in conjunction with human interaction. Because of the heterogeneous management environment described above, tools to automate security management need to be aware of the similarities (and differences) present among cluster resources. In this way, cluster security is different from enterprise-level security because the tools that target enterprise-level security typically assume that every resource is subtly different.
  5. Clusters, considered as a coherent unit, exhibit characteristic behavior different from non-clustered machines. This is exhibited in network traffic patterns, number of bytes transferred, applications executed, and compute loads. The challenge is first to identify, and later to understand, these behaviors via profiling in order to provide appropriate protections.
  6. Finally, and perhaps most relevant to the idea that cluster security is an evolving concept, cluster resources exhibit dependent risk. In enterprise-level security, a single compromise on a machine may result in unauthorized access, destruction of data, and a platform for future attacks. However, a compromised machine in an enterprise can be quarantined to prevent cascading damages. In contrast, the security of the resources in a cluster environment is dependent on the integrity of all nodes. A single compromised node in a cluster represents a dramatically-increased risk to the rest of the cluster nodes due to the fact that many nodes share identical configurations. In this way, clusters are much more vulnerable to “class break” types of attacks. Experience also suggests that security failures in clusters are worse than enterprise-level failures due to the fact that cluster users tend to coordinate access across various geographically-distributed resources. This coordination necessitates crossing security domains, and when one of these security domains is compromised, the attacker has a much easier job of compromising the other security domains.
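Points 3, 4 and 6 above become easier to reason about when the cluster is treated as a small number of configuration classes rather than as 1,500 individual machines. The following is an added example, not code from the NCSA researchers or from this post; the inventory, hostnames, roles and package versions are constructed for illustration. It fingerprints each node's software baseline, groups nodes into classes of identical configuration, reports the "blast radius" a flaw in one node's configuration implies for the rest of the cluster (the dependent-risk point), and flags nodes that have drifted from their role's expected baseline, which is the kind of similarity-aware check an automation tool can run at scale:

```python
"""Class-break exposure and configuration drift across a cluster inventory.

Added example with a constructed inventory (not real hosts). Each node record
carries its role and a small software baseline; nodes with an identical
baseline form a configuration "class" and share the same exposure.
"""
from collections import Counter, defaultdict
import hashlib
import json


def _node(host, role, **pkgs):
    return {"host": host, "role": role, "pkgs": pkgs}


# Constructed inventory: two shared nodes, six compute nodes, two storage nodes.
BASE = {"openssh": "8.9p1", "kernel": "5.15.0-91"}
INVENTORY = [
    _node("head01", "head", **BASE, slurm="23.02.6"),
    _node("mgmt01", "management", **BASE, slurm="23.02.6"),
    *[_node(f"compute{i:03d}", "compute", **BASE, slurm="23.02.6", mpi="4.1.5")
      for i in range(1, 6)],
    # One compute node missed the last kernel update: a straggler in its role.
    _node("compute006", "compute", openssh="8.9p1", kernel="5.15.0-88",
          slurm="23.02.6", mpi="4.1.5"),
    _node("storage01", "storage", **BASE, lustre="2.15.3"),
    _node("storage02", "storage", **BASE, lustre="2.15.3"),
]


def fingerprint(pkgs):
    """Stable short hash of a software baseline; identical baselines hash the same."""
    canon = json.dumps(pkgs, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()[:12]


def group_classes(inventory):
    """Map fingerprint -> hostnames that share exactly that configuration."""
    classes = defaultdict(list)
    for node in inventory:
        classes[fingerprint(node["pkgs"])].append(node["host"])
    return dict(classes)


def blast_radius(inventory, host):
    """Fraction of the cluster sharing `host`'s exact configuration.

    A flaw in this configuration is a flaw in every node of the same class, so
    one compromised node is a 'class break' against all of them.
    """
    classes = group_classes(inventory)
    pkgs = next(n["pkgs"] for n in inventory if n["host"] == host)
    return len(classes[fingerprint(pkgs)]) / len(inventory)


def drift_report(inventory):
    """Per role, list nodes whose baseline differs from the role's majority baseline.

    Treating deviation from an expected class as a signal (missed patch,
    tampering) is what enterprise tools that assume every host is unique cannot do.
    """
    by_role = defaultdict(list)
    for node in inventory:
        by_role[node["role"]].append(node)
    report = {}
    for role, nodes in by_role.items():
        counts = Counter(fingerprint(n["pkgs"]) for n in nodes)
        expected = counts.most_common(1)[0][0]
        report[role] = [n["host"] for n in nodes
                        if fingerprint(n["pkgs"]) != expected]
    return report


def affected_by(inventory, package, version):
    """Hosts running `package` at `version`: the set to patch or isolate first."""
    return sorted(n["host"] for n in inventory
                  if n["pkgs"].get(package) == version)


if __name__ == "__main__":
    for fp, hosts in group_classes(INVENTORY).items():
        print(f"class {fp}: {len(hosts)} node(s): {', '.join(hosts)}")
    print("blast radius of compute001:", blast_radius(INVENTORY, "compute001"))
    print("drift:", drift_report(INVENTORY))
    print("on old kernel:", affected_by(INVENTORY, "kernel", "5.15.0-88"))
```

Running it shows four classes (head and management nodes happen to share one), a 50% blast radius for any of the five standard compute nodes, and compute006 reported as drifted from the compute baseline. In a real deployment the inventory would come from the cluster's configuration management or package database rather than a literal list, but the grouping and drift logic is the same.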

Tomorrow: How to successfully secure HPC systems.

How to hack a corporate boardroom


One of the most important things we like to emphasize is that the greatest security flaws, the weakest links in the network chain, happen when you “don’t know what you don’t know.” Therefore a systematic approach to security process assessments should be par for the course in all organizations with significant assets.

A great testimony to this was found in the stories offered by a security firm which conducts penetration tests for clients with the goal of discovering IT security risks.

These penetration tests can discover security risks that are both potentially embarrassing and create huge risk for an organization. Such was the case when a penetration test was conducted for a large multi-national company.

The penetration test found 20 IP cameras that were at risk from an undocumented way to bypass the authentication system with the username: “root” and the password: “m”. Once the researchers had control of the IP cameras they were used to watch people enter information and discuss corporate activities.

Imagine sitting in a boardroom while being spied on without your knowledge. Discussions, keystrokes, passwords, strategic decisions, all potentially compromised.

One of the lessons learned was that typical automated network security scans would not have detected this potential exploit. A deeper review and analysis by security consultants identified areas of potential risk which were then tested and analyzed with available technology.

The security consultants approached this organization like a real criminal intent on breaching the walls of the firm by any means necessary, and in the end they found a hidden rat hole that had been covered up.

So the moral of the story is two-fold. Don’t trust technology alone to secure your borders; this can create a false sense of security. And regular comprehensive assessments of your organizational security, like a corporate financial audit, are a good thing.

Can technology detect fraud & embezzlement


In the news this week was the story of the U.S. Army Corps of Engineers employees that were indicted in a $20 million bribery and kickback scheme involving government contracts. Quick out the gate were vendors that talked about how their fraud prevention technology could have monitored and detected such scandalous behavior.

But is this true? To find out I took a little deeper dive in the area of fraud detection security solutions to see if they really work.

In general the answer is yes, for industries in which there are high volumes of transactions and available data to model typical consumer behavior and patterns.

For example, in the credit card, insurance claim, telecommunications, and banking industries we find successful application and results of deploying fraud detection solutions.

They work by modeling typical consumer behavior and looking for anomalies in transactions that differ from the norm. Then, in cases where fraud has occurred, they analyze multiple variables associated with the crime and the criminal to create predictive models that indicate the likelihood of a future crime in progress.

Fraud detection software has been used to stop millions in payments before they reached medical providers whose submitted claims deviate from the norm. It’s been used to spot fraudulent car insurance claims. A great example that one insurance provider in Germany reported is that claimants who call back shortly after filing a report and demand a quick settlement are more likely to be cheaters.

Similar examples are found with credit card fraud. A consumer that buys gas using a credit card at a station where no attendant is present, or buys a diamond ring soon after buying gas has a higher fraud risk profile.

Purchase of two pairs of sneakers in teenage sizes in London, New York or Miami during school holidays gets flagged as a high risk transaction, possibly involving a stolen credit card. A $100 purchase at a liquor store that sells whisky, a plane ticket outside of the country for a flight leaving in three hours and even a moped purchase by an elderly woman are various triggers based on scoring algorithms that alert companies to possible fraud.
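The two layers described above, a per-customer behavioral baseline and scoring rules distilled from known fraud patterns, can be shown on a handful of card transactions. The following is an added example, not code from any vendor or from this post. The transactions, the rule weights and the alert threshold are constructed for illustration; the rules implement the unattended-fuel-then-jewelry pattern, the $100 liquor purchase and the imminent out-of-country flight mentioned above, and the baseline layer flags an amount far outside the cardholder's own spending history:

```python
"""Rule-plus-baseline fraud scoring over card transactions (added example).

Two signals are combined: known-pattern rules with constructed weights, and a
z-score of the amount against the cardholder's own history. All data is invented.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Txn:
    card: str
    when: datetime
    amount: float
    mcc: str          # merchant category, e.g. "grocery", "fuel_unattended", "jewelry"
    country: str      # merchant country
    extra: dict = field(default_factory=dict)   # e.g. {"departure": datetime} for airline


def baseline_zscore(history, amount):
    """Standard deviations `amount` sits above this cardholder's past spend (0 if too little history)."""
    amounts = [t.amount for t in history]
    if len(amounts) < 3:
        return 0.0
    sd = pstdev(amounts)
    return 0.0 if sd == 0 else (amount - mean(amounts)) / sd


def score(txn, history, home_country="US"):
    """Return (score, reasons) for one transaction given the card's earlier transactions."""
    s, reasons = 0.0, []
    recent = [t for t in history if txn.when - t.when <= timedelta(hours=2)]

    # Pattern rules (weights are constructed, not from any real scoring model).
    if txn.mcc == "fuel_unattended":
        s += 15; reasons.append("unattended fuel purchase (classic card test)")
    if txn.mcc == "jewelry" and any(t.mcc == "fuel_unattended" for t in recent):
        s += 40; reasons.append("jewelry purchase soon after unattended fuel")
    if txn.mcc == "liquor" and txn.amount >= 100:
        s += 20; reasons.append("liquor purchase of $100 or more")
    if txn.mcc == "airline":
        dep = txn.extra.get("departure")
        if txn.country != home_country and dep and dep - txn.when <= timedelta(hours=3):
            s += 45; reasons.append("out-of-country flight departing within 3 hours")

    # Baseline layer: deviation from this cardholder's normal spend.
    z = baseline_zscore(history, txn.amount)
    if z >= 3:
        s += 25; reasons.append(f"amount {z:.1f} sd above cardholder baseline")
    return s, reasons


def triage(transactions, threshold=50):
    """Replay transactions in time order; return (card, when, score, reasons) for those at/above threshold."""
    history, flagged = defaultdict(list), []
    for t in sorted(transactions, key=lambda t: t.when):
        s, why = score(t, history[t.card])
        if s >= threshold:
            flagged.append((t.card, t.when, s, why))
        history[t.card].append(t)     # every transaction, fraudulent or not, becomes history
    return flagged


# Constructed sample: card-A has a steady grocery history, then a fuel test and a
# $2,400 jewelry buy 45 minutes later; card-B buys a foreign flight leaving in 2 hours.
D0 = datetime(2024, 3, 1, 9, 0)


def _grocery(card, day, amount):
    return Txn(card, D0 + timedelta(days=day), amount, "grocery", "US")


SAMPLE = (
    [_grocery("card-A", i, a) for i, a in enumerate([42, 55, 48, 61, 39, 50, 47, 53, 45, 58])]
    + [Txn("card-A", D0 + timedelta(days=11, hours=1), 1.00, "fuel_unattended", "US"),
       Txn("card-A", D0 + timedelta(days=11, hours=1, minutes=45), 2400.00, "jewelry", "US"),
       Txn("card-A", D0 + timedelta(days=11, hours=3), 52.00, "grocery", "US")]
    + [_grocery("card-B", i, a) for i, a in enumerate([30, 35, 32])]
    + [Txn("card-B", D0 + timedelta(days=5), 900.00, "airline", "FR",
           extra={"departure": D0 + timedelta(days=5, hours=2)})]
)

if __name__ == "__main__":
    for card, when, s, why in triage(SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M} {card} score={s:.0f}: {'; '.join(why)}")
```

Two of the fourteen transactions cross the threshold: the jewelry purchase (pattern rule plus baseline deviation) and the airline ticket (pattern rule plus baseline deviation), while the $1 fuel test alone scores too low to alert on its own. That is the intended behavior of a scoring approach: no single trigger is conclusive, but the combination of a known pattern with a departure from the customer's own norm is what produces the alert, and a real system would then route the flagged transaction to a human analyst.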

In the case we cited above involving the kickback scheme, no fraud detection software was involved. Just someone who blew the whistle on the crooks and good old police work. Some things technology will never replace.
