Security as a Strategy (SaaS)

Data Loss Prevention Systems: Do you need one?


Data loss prevention systems are another form of employee monitoring which aim to detect the possible transfer or vulnerable storage of valuable and sensitive data assets. Reports from Osterman Research indicate that employees who use email also use instant messaging clients and wikis, post to blogs, use personal Webmail accounts for business purposes, check email from home, send files through FTP systems, take work home and on the road, use USB thumbdrives, transport corporate data on mobile devices, and use collaboration tools of various types.

Most of these communications and files are sent and transported without any sort of monitoring, encryption or oversight. The result is that organizations are deploying a growing array of tools and endpoints for employees to become more efficient. And, at the same time, they are creating a growing number of opportunities for information to leak out of an enterprise in unauthorized and potentially damaging ways.

The vast majority of these data breaches are inadvertent, but the opportunity exists for malicious users to send confidential and sensitive data, as well.

According to a survey conducted by Osterman Research during April 2008:

  • 100% of organizations have deployed anti-virus capabilities
  • 99% have deployed anti-spam capabilities
  • 96% have deployed anti-spyware capabilities

However, even using a fairly broad interpretation of data loss prevention (DLP) capabilities, which would include products that don’t provide true DLP functionality, only 49% of organizations have deployed these capabilities.

Clearly, the data above suggests that organizations of all sizes are well aware of the need to monitor their inbound communications for spam and malware. However, they are not nearly as aware of the need to monitor outbound communications, or they are not taking the threat as seriously as they should. This, despite the fact that 27% of organizations in the same survey reported that during the previous 12 months data or information was accidentally or maliciously leaked from their organization.

What should you do?

  • Identify the leak points.
  • Deploy systems that take appropriate action. The systems that monitor outbound communication should act in proportion to the suspected severity of the data breach.
  • Promote appropriate employee handling of data. For example, if an employee sends an inappropriate message to a co-worker or a confidential document to a competitor's domain, the monitoring system should remind the employee of any corporate policies regarding the communications vehicle they have chosen, or other relevant corporate policies.
  • Perform the appropriate level of inspection. Content should be inspected according to the applicable policies, taking into account the role of the employee in the organization and other factors.
  • Train employees and make them aware of corporate policies.
  • Implement forensics capabilities. Organizations may want to implement forensics capabilities in order to check how data has been handled after it has been sent, either for legal purposes or simply to understand how their data is being managed.
  • Implement a sender authentication scheme. While not an outbound content scanning mechanism, an authentication mechanism such as SPF or DKIM is important for any organization, because it gives recipients of its emails some level of assurance that the sending organization is genuine.
  • Integrate tightly with existing infrastructure. To reduce costs, organizations should choose solutions that are well integrated with their IT infrastructure whenever possible. This approach also speeds implementation and lowers ongoing administration costs.
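The following is an added example, not code from the original post: a small outbound-mail inspector that puts the steps above together, inspecting content and recipients, weighing the sender's role, acting in proportion to severity, and keeping an audit record for later forensics. The policy (competitor and personal-webmail domains, role exceptions), the action names and the sample messages are all constructed for illustration.

```javascript
// Added example (not code from the original post): an outbound-mail inspector
// that applies the steps above: inspect content, weigh the sender's role and
// act by severity, and keep an audit record for later forensics. The policy
// (domains, role exceptions) and the sample messages are constructed.

// Luhn checksum. A 13-19 digit run is reported as a card number only if it
// passes, which filters out order numbers and phone numbers.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Constructed policy: which recipient domains are sensitive and which roles
// may legitimately send marked documents outside the company.
const POLICY = {
  competitorDomains: ['rival-corp.example'],
  personalWebmailDomains: ['webmail.example', 'freemail.example'],
  rolesAllowedToSendConfidentialExternally: ['legal', 'executive'],
};

function recipientDomain(address) {
  return address.slice(address.lastIndexOf('@') + 1).toLowerCase();
}

// Content and recipient checks. Severity: 1 = remind, 2 = review, 3 = block.
function detect(msg, policy) {
  const findings = [];
  const cards = (msg.body.match(/\b(?:\d[ -]?){12,18}\d\b/g) || [])
    .map((m) => m.replace(/[ -]/g, ''))
    .filter(luhnValid);
  if (cards.length > 0) {
    findings.push({ rule: 'payment-card-number', severity: 3, count: cards.length });
  }
  if (/\b(confidential|internal only)\b/i.test(msg.body)) {
    findings.push({ rule: 'confidential-marking', severity: 2 });
  }
  for (const rcpt of msg.to) {
    const domain = recipientDomain(rcpt);
    if (policy.competitorDomains.includes(domain)) {
      findings.push({ rule: 'competitor-recipient', severity: 3, recipient: rcpt });
    } else if (policy.personalWebmailDomains.includes(domain)) {
      findings.push({ rule: 'personal-webmail-recipient', severity: 1, recipient: rcpt });
    }
  }
  return findings;
}

// Turn the worst finding into an action, taking the sender's role into account.
function decide(msg, findings, policy) {
  const worst = Math.max(0, ...findings.map((f) => f.severity));
  if (worst === 0) return 'allow';
  if (worst === 1) return 'remind';   // deliver, but remind the sender of the policy
  if (worst === 2 && policy.rolesAllowedToSendConfidentialExternally.includes(msg.role)) {
    return 'remind';                  // the role is permitted; still remind and log
  }
  return 'quarantine';                // hold for review; nothing leaves until cleared
}

// Inspect one message and return the action plus an audit record for forensics.
function inspect(msg, policy = POLICY) {
  const findings = detect(msg, policy);
  const action = decide(msg, findings, policy);
  const audit = { from: msg.from, to: msg.to, action, rules: findings.map((f) => f.rule) };
  return { action, findings, audit };
}

// Constructed sample messages (the card number is a well-known test value).
const SAMPLES = [
  { from: 'alice@acme.example', role: 'sales', to: ['bob@acme.example'],
    body: 'Lunch at noon?' },
  { from: 'alice@acme.example', role: 'sales', to: ['alice.home@webmail.example'],
    body: 'Sending myself the slide deck to finish tonight.' },
  { from: 'carol@acme.example', role: 'legal', to: ['counsel@lawfirm.example'],
    body: 'CONFIDENTIAL: draft settlement terms attached.' },
  { from: 'dave@acme.example', role: 'sales', to: ['friend@rival-corp.example'],
    body: 'Customer card on file: 4111 1111 1111 1111, expiry 12/27.' },
];

for (const msg of SAMPLES) {
  console.log(JSON.stringify(inspect(msg).audit));
}
```

Run with `node` to see one audit line per message: the first is allowed, the personal-webmail forward and the legal team's marked document produce a reminder, and the message carrying a card number to a competitor's domain is quarantined. The same marked document sent by someone outside the permitted roles would be quarantined instead, which is the role-dependent inspection the list calls for.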

20 Controls for Effective Cyber Security and Defense


Securing our nation against cyber attacks has become one of the nation's highest priorities. To achieve this objective, the US Comprehensive National Cybersecurity Initiative (CNCI) has proposed that "offense must inform defense." In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses.

The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting the U.S. ICE Act of 2009 (the new FISMA). That new proposed legislation calls upon Federal agencies to (and on the White House to ensure that they):

"monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations" and "continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented."

Because federal agencies do not have unlimited money, current and past federal CIOs and CISOs have agreed that the only rational way they can hope to meet these requirements is to jointly establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.

Consequently, a consensus document of 20 crucial controls was designed to begin the process of establishing the prioritized baseline of information security measures and controls that can be applied across Federal enterprise environments. The 20 specific technical security controls are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future.

Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that current technology and practice cannot monitor continuously or automatically.

Each of the 20 control areas includes multiple individual subcontrols, each specifying actions an organization can take to help improve its defenses. Here are the 20:


Critical Controls Subject to Automated Collection, Measurement, and Validation:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring, and Analysis of Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Penetration Tests and Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Appropriate Training to Fill Gaps

How well do you know IT Security - Pt 2? Quiz Answers.

How did you do with the quiz? The correct answer to each question is marked "(correct)".
  • 0-1  Security fail (maybe time to consider another career)
  • 3-5  Hacker's delight (see recommendation above)
  • 6-8  Formidable defender (not too shabby)
  • 9-10 Best practices model (worth every penny you are paid)

1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?

  • a. IKE
  • b. ISAKMP (correct)
  • c. Lincoln Tunnel
  • d. SSL

This tunnel is used to negotiate the security parameters for the main IPSec tunnel.

2. How can ports 80 and 443 be defended against Web-based threats?

  • a. Web application firewalls
  • b. Content filtering
  • c. White lists
  • d. Black lists
  • e. All of the above (correct)

3. Two-factor authentication can include something you have, something you know and...

  • a. Something you are (correct)
  • b. Something you make up
  • c. Something encrypted
  • d. Something unique

This can include retina or fingerprint scans or other biometrics.

4. What do corporate security executives regard as the biggest threat to security?

  • a. Removable media such as thumb drives
  • b. Malicious insiders
  • c. Web 2.0 applications (correct)
  • d. Unpatched operating systems

According to Symantec, this can include social media such as Facebook and Twitter.

5. The goal of network access control (NAC) is:

  • a. Remediating security shortcomings of machines before they connect to networks
  • b. Making sure devices adhere to access policies once admitted to networks
  • c. Linking machines with user identities to impose appropriate policies on them
  • d. All of the above (correct)

And some vendors say NAC should do more.

6. What means did attackers in China use to infiltrate Google's network?

  • a. Social engineering using Facebook
  • b. Introducing malware via cross-site scripting of Web sites
  • c. Exploiting a flaw in Internet Explorer (correct)
  • d. Brute-force attack of Google executives' passwords

7. Which botnet advance has made eradicating them more difficult?

  • a. Embedding command and control capabilities in zombie machines (correct)
  • b. Reinfection via social media sites
  • c. Sheer number overwhelms defensive measures
  • d. Use of rootkits to make bot software more difficult to dislodge

When command and control nodes shift, it becomes more difficult to shut them and their subject machines down.

8. Which of the following is not an example of an application vulnerability?

  • a. Lack of sufficient logging
  • b. Fail-open error handling
  • c. Failure to properly close database connections
  • d. Running with least privilege (correct)

This is actually recommended to strengthen applications.

9. What is one downside of public key encryption?

  • a. It is less secure than using secret keys
  • b. It requires a trusted party to verify public keys (correct)
  • c. It cannot ensure confidentiality
  • d. It cannot ensure authenticity

10. Which is not a Wi-Fi security option?

  • a. WEP
  • b. WPA
  • c. ICMP (correct)
  • d. 802.11i

How well do you know IT Security? Take the Quiz.

Network World published this quiz to test your knowledge of IT security. Take the test to see how much of a security expert you really are. We'll publish the answers in the next blog.

1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?

  • a. IKE
  • b. ISAKMP
  • c. Lincoln Tunnel
  • d. SSL

2. How can ports 80 and 443 be defended against Web-based threats?

  • a. Web application firewalls
  • b. Content filtering
  • c. White lists
  • d. Black lists
  • e. All of the above

3. Two-factor authentication can include something you have, something you know and...

  • a. Something you are
  • b. Something you make up
  • c. Something encrypted
  • d. Something unique

4. What do corporate security executives regard as the biggest threat to security?

  • a. Removable media such as thumb drives
  • b. Malicious insiders
  • c. Web 2.0 applications
  • d. Unpatched operating systems

5. The goal of network access control (NAC) is:

  • a. Remediating security shortcomings of machines before they connect to networks
  • b. Making sure devices adhere to access policies once admitted to networks
  • c. Linking machines with user identities to impose appropriate policies on them
  • d. All of the above

6. What means did attackers in China use to infiltrate Google's network?

  • a. Social engineering using Facebook
  • b. Introducing malware via cross-site scripting of Web sites
  • c. Exploiting a flaw in Internet Explorer
  • d. Brute-force attack of Google executives' passwords

7. Which botnet advance has made eradicating them more difficult?

  • a. Embedding command and control capabilities in zombie machines
  • b. Reinfection via social media sites
  • c. Sheer number overwhelms defensive measures
  • d. Use of rootkits to make bot software more difficult to dislodge

8. Which of the following is not an example of an application vulnerability?

  • a. Lack of sufficient logging
  • b. Fail-open error handling
  • c. Failure to properly close database connections
  • d. Running with least privilege

9. What is one downside of public key encryption?

  • a. It is less secure than using secret keys
  • b. It requires a trusted party to verify public keys
  • c. It cannot ensure confidentiality
  • d. It cannot ensure authenticity

10. Which is not a Wi-Fi security option?

  • a. WEP
  • b. WPA
  • c. ICMP
  • d. 802.11i

Tabnapping: New Security Threat

Network World reported that all the major web browsers on Windows and Mac OS X are vulnerable to a new type of phishing scam: "tabnapping." A combination of the words kidnapping and tab, as in browser tabs, tabnapping happens when an already open tab is secretly switched unbeknownst to the user. As an example, when I work I typically have several Internet Explorer (IE) tabs open. Say one of them is my bank. I leave that tab to go to my email account, and when I come back to the bank page it says the session timed out, so I have to log in again. But what could have happened is that someone switched the page while I was away, and I am actually logging in to a page that diverts my login credentials to a scammer.

Prevention

Here are some things you can do to avoid being tabnapped:

  • Don't log in on a tab that you haven't opened yourself. If you see a tab that contains a seemingly legitimate login form, close it, then go to the site yourself in a new tab.
  • Get on the latest release of your web browser. Every major browser has a filter of some kind designed to weed out malicious sites and legitimate sites that are suspected of being infected with attack code. Presumably those filters, assuming the blacklists underlying them are current and accurate, would block tabnapping attacks.
  • Look at the URL in your browser's address bar before filling in any form or giving out any personal information. Unless the attackers are particularly clever and able to exploit a vulnerability or flaw to "spoof," or fake, the URL, it won't match the bogus login screen. That's your cue to close the tab immediately.
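As an added example that is not part of the original post, the guard below turns the first and third pieces of advice into a check a user-script manager can run in every tab: it remembers the tab's identity cues (title, favicon, whether a login form is present) when the tab goes into the background and warns, repeating the origin from the address bar, if those cues changed and a login form appeared by the time the user returns. The snapshot shape, the heuristic and the warning text are this example's own choices; the core functions take the document and location as parameters so they also run outside a browser.

```javascript
// Added example, not part of the original post: a user-script style guard
// that snapshots a tab's identity cues when it goes into the background and
// flags the tab if they changed by the time the user comes back. Heuristic
// and messages are this example's own choices.

function takeSnapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: loc.origin,
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare how the tab looked when the user left it with how it looks now.
// A title that changes on its own is normal (unread counts, live pages), so
// the tab is only flagged when an identity cue changed AND a login form
// appeared while nobody was looking.
function classifyTabChange(before, after) {
  const reasons = [];
  if (before.title !== after.title) reasons.push('title changed while hidden');
  if (before.favicon !== after.favicon) reasons.push('favicon changed while hidden');
  const loginAppeared = !before.hasPasswordField && after.hasPasswordField;
  if (loginAppeared) reasons.push('login form appeared while hidden');
  return { suspicious: loginAppeared && reasons.length > 1, reasons };
}

// Wire the check to the Page Visibility API. `warn` receives the message so
// a user script can choose an alert, a banner or a console entry.
function installTabGuard(doc, loc, warn) {
  let whenLeft = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      whenLeft = takeSnapshot(doc, loc);   // remember how the tab looked on leaving
      return;
    }
    if (whenLeft === null) return;
    const verdict = classifyTabChange(whenLeft, takeSnapshot(doc, loc));
    whenLeft = null;
    if (verdict.suspicious) {
      warn(`This tab changed while you were away (${verdict.reasons.join('; ')}). ` +
           `The address bar shows ${loc.origin}. Close this tab and open the site ` +
           'you want yourself in a new one.');
    }
  });
}

// Browser hook-up; skipped outside a browser so the functions above can be
// exercised from Node.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installTabGuard(document, window.location, (message) => window.alert(message));
}
```

The heuristic deliberately stays quiet when only the title changes, because mail and chat pages do that all the time; it speaks up for the combination the post describes, a tab that looks different and now asks for a password. It is a prompt, not a substitute for the address-bar check in the last bullet, which remains the reliable test.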

Top 7 Threats to Cloud Computing – Part 2

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we reviewed the top 7 threats. In this installment, Part 2, we review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

Remediation

  • Stricter initial registration and validation processes
  • Enhanced credit card fraud monitoring and coordination
  • Comprehensive introspection of customer network traffic
  • Monitoring public blacklists for one's own network blocks

Threat #2: Insecure Interfaces and APIs

Remediation

  • Analyze the security model of cloud provider interfaces
  • Ensure strong authentication and access controls are implemented in concert with encrypted transmission
  • Understand the dependency chain associated with the API (application program interface)

Threat #3: Malicious Insiders

Remediation

  • Enforce strict supply chain management and conduct a comprehensive supplier assessment
  • Specify human resource requirements as part of legal contracts
  • Require transparency into overall information security and management practices, as well as compliance reporting
  • Determine security breach notification processes

Threat #4: Shared Technology Issues

Remediation

  • Implement security best practices for installation/configuration
  • Monitor environment for unauthorized changes/activity
  • Promote strong authentication and access control for administrative access and operations
  • Enforce service level agreements for patching and vulnerability remediation
  • Conduct vulnerability scanning and configuration audits

Threat #5: Data Loss or Leakage

Remediation

  • Implement strong API access control
  • Encrypt and protect integrity of data in transit
  • Analyze data protection at both design and run time
  • Implement strong key generation, storage and management, and destruction practices
  • Contractually demand providers wipe persistent media before it is released into the pool
  • Contractually specify provider backup and retention strategies

Threat #6: Account or Service Hijacking

Remediation

  • Prohibit the sharing of account credentials between users and services
  • Leverage strong two-factor authentication techniques where possible
  • Employ proactive monitoring to detect unauthorized activity
  • Understand cloud provider security policies and SLAs
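An added example, not from the original post or the CSA report, showing what the first and third bullets look like as detection logic: it runs over constructed cloud API audit log lines (a simple key=value format invented for this example) and raises an alert when one credential is used from many source addresses inside a short window, the signature of a shared key, and when a sensitive action arrives from an address that credential has never used before. The thresholds and the list of sensitive actions are this example's own choices.

```javascript
// Added example, not from the original post or the CSA report: a detector for
// shared credentials and unauthorized activity, run over constructed cloud API
// audit log lines in a key=value format invented for this example.

const SENSITIVE_ACTIONS = new Set(['DeleteBucket', 'TerminateInstances', 'CreateAccessKey']);

// "timestamp key=value key=value ..." -> object; time is epoch milliseconds.
function parseLine(line) {
  const [timestamp, ...fields] = line.trim().split(/\s+/);
  const event = { time: Date.parse(timestamp) };
  for (const field of fields) {
    const eq = field.indexOf('=');
    event[field.slice(0, eq)] = field.slice(eq + 1);
  }
  return event;
}

function analyze(logText, { maxSources = 3, windowMs = 10 * 60 * 1000 } = {}) {
  const alerts = [];
  const recent = new Map();     // credential -> events inside the sliding window
  const everSeen = new Map();   // credential -> set of source IPs seen so far
  const flaggedShared = new Set();

  for (const line of logText.split('\n')) {
    if (line.trim() === '') continue;
    const ev = parseLine(line);

    // Rule 1: a sensitive action from an address this credential has never used.
    const seen = everSeen.get(ev.key) || new Set();
    if (SENSITIVE_ACTIONS.has(ev.action) && seen.size > 0 && !seen.has(ev.ip)) {
      alerts.push({ rule: 'sensitive-action-from-new-source', key: ev.key,
                    user: ev.user, ip: ev.ip, action: ev.action });
    }
    seen.add(ev.ip);
    everSeen.set(ev.key, seen);

    // Rule 2: one credential used from many addresses inside the window, which
    // is what a key shared between people or pasted into several services looks like.
    const inWindow = (recent.get(ev.key) || []).filter((e) => ev.time - e.time <= windowMs);
    inWindow.push({ time: ev.time, ip: ev.ip });
    recent.set(ev.key, inWindow);
    const sources = new Set(inWindow.map((e) => e.ip));
    if (sources.size > maxSources && !flaggedShared.has(ev.key)) {
      flaggedShared.add(ev.key);
      alerts.push({ rule: 'shared-credential', key: ev.key, user: ev.user, sources: [...sources] });
    }
  }
  return alerts;
}

// Constructed sample log (documentation address ranges; key names are made up).
const SAMPLE_LOG = `
2010-05-12T09:00:01Z key=AK-ALICE user=alice ip=203.0.113.10 action=DescribeInstances
2010-05-12T09:01:10Z key=AK-ALICE user=alice ip=203.0.113.10 action=DescribeInstances
2010-05-12T09:02:30Z key=AK-BUILD user=build-bot ip=198.51.100.7 action=RunInstances
2010-05-12T09:03:05Z key=AK-BUILD user=build-bot ip=198.51.100.8 action=RunInstances
2010-05-12T09:04:45Z key=AK-BUILD user=build-bot ip=198.51.100.9 action=RunInstances
2010-05-12T09:05:12Z key=AK-BUILD user=build-bot ip=203.0.113.77 action=DescribeInstances
2010-05-12T11:30:00Z key=AK-ALICE user=alice ip=192.0.2.200 action=DeleteBucket
`.trim();

for (const alert of analyze(SAMPLE_LOG)) {
  console.log(JSON.stringify(alert));
}
```

On the sample log the build credential is flagged once it has been used from a fourth address within ten minutes, and alice's credential is flagged when a DeleteBucket arrives from an address it has never used. Raising `maxSources` to the number of hosts a build farm legitimately uses keeps the first rule from firing on that farm while the second still fires, which is the tuning a monitoring team would do before wiring these alerts to a pager.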

Threat #7: Unknown Risk Profile

Remediation

  • Disclosure of applicable logs and data
  • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
  • Monitoring and alerting on necessary information

Top 7 Threats to Cloud Computing – Part 1

The Cloud Security Alliance released a report on the top security threats to cloud computing. In Part 1 of this blog we review the top 7 threats. In Part 2 we'll review the remedial steps you can take to reduce your risk profile.

Threat #1: Abuse and Nefarious Use of Cloud Computing

IaaS (Infrastructure as a Service) providers offer their customers immediate access to cloud services. The anonymity afforded in registration has attracted spammers, malicious code authors, and other criminals. PaaS (Platform as a Service) providers have traditionally suffered most from this kind of attack; however, recent evidence shows that hackers have begun to target IaaS vendors as well.

Threat #2: Insecure Interfaces and APIs

Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. Increased risk occurs as organizations may be required to relinquish their credentials to third parties in order to enable certain functionality.

Threat #3: Malicious Insiders

The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. The level of access granted could enable workers with malicious intent to operate with little or no risk of detection.

Threat #4: Shared Technology Issues

IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform.

Threat #5: Data Loss or Leakage

The threat of data compromise increases in the cloud due to the number of interactions which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.

Threat #6: Account or Service Hijacking

Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.

Threat #7: Unknown Risk Profile

One of the tenets of cloud computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business strengths. This has clear financial and operational benefits, which must be weighed carefully against the hidden security posture of the provider. Security by obscurity may be low effort, but it can result in unknown exposures.

Securing a Fool’s Paradise

"Italy convicts 3 Google execs in abuse video case," was the title of the AP news story. Briefly, some thugs beat, punished and humiliated an autistic person. And then were foolish enough to videotape the attack and post it online. The old adage holds true: give a fool enough rope and he'll hang himself, and invite the world to see.

Corporate officers of Google were then held responsible for not removing the video fast enough. The irony of this case is that the videotape was used to convict these criminals, yet Google was also convicted for showing it. Without the tape the criminals would never have been caught.

We get more evidence each day that the web has become a virtual paradise for the advancement of business, government and community, as well as for the expression of criminal intent. In the midst of this, a question arises. What type of security should be provided for online, public platforms that meets community as well as individual privacy needs? And who is responsible for this security?

In many, if not most organizations, employees sign an Internet usage policy that acknowledges the company's right to monitor computer usage. Both incoming and outgoing communications can be monitored. In the public domain, you have to assent to the terms of service (TOS) for using online services (e.g., Facebook, YouTube) and agree you will be a good citizen. If another citizen reports bad behavior your use of the service could be terminated.

Herein lies the issue. In corporations, the liability for bad employee behavior can be assigned to the organization, since the employee is its representative. But in public domains there are no employees, just users: some with good intentions and others with a criminal mind. Is assent to the TOS enough to remove liability from a corporation that provides a public service?

To explore this further I went to the folks at EFF to see what they had to say about this. This is the description of EFF: "From the Internet to the iPod, technologies are transforming our society and empowering us as speakers, citizens, creators, and consumers. When our freedoms in the networked world come under attack, the Electronic Frontier Foundation (EFF) is the first line of defense."

A little soupy but it works.

The body of content by EFF suggests they believe there has to be a balance between individual rights (free expression, privacy), corporate rights (innovation, profit) and the good of society (trade, communications, decency).

If more liability is assigned to a public service provider, then less individual privacy is the consequence. The entity will be forced to monitor individual usage of service to reduce its risks. Or will limit or even withdraw the service because of the cost of liability.

We can't have our cake and eat it too.

Smart Grid Invites Hope and Fear

I took the challenge to wade through 300 pages of NIST's (National Institute of Standards and Technology) second draft of NIST IR 7628, Smart Grid Cyber Security Strategy and Requirements. My head is still ringing.

What is it?

The nation's electric power infrastructure is called the grid. It is believed the grid will not be able to generate sufficient power for all citizens in the future. Therefore the government wants to enable more efficient distribution of energy and use of natural resources by the utilities and consumers. And the way to do this is by modernizing the electric utility distribution model using information technology. Hence the Smart Grid.

Smart Grid Vision

The NIST plan lays out a complex web of intelligent consumer devices from washing machines, water heaters and electric car batteries, connected to a computer network within the house or building; which is then connected to intelligent meter type devices; connected to a network of utilities and service providers (solar, wind, coal, nuclear, natural gas, hydroelectric); which are then connected to financial trading houses which set market prices that affect energy rates.

Imagine a network of millions of intelligent devices, homes, buildings, utilities, distributors, financial markets and service providers all connected. The Internet redux.

Except in this situation there is the massive ability to control, shut off and turn on devices central to daily living, school, industry and work. Both consumers and service providers using Smart Grid technology will be able to regulate the use of energy by individual devices within the home and also local storage of power. Storage options can range from an electric car battery to batteries which store energy generated from solar panels or wind turbines. You will also be able to regulate usage and energy storage based on real-time market prices.

So as a result of Smart Grids the public can conserve energy, lower energy costs, lower carbon emissions, and have less reliance on foreign oil (automobiles). Yet while the goals are worthy, after watching movies like the Terminator and The Matrix, I couldn't stop thinking this massive network will lead to a Doomsday scenario. Computers taking over the world.

However, this is not what keeps NIST and others up at night. The fear is that this massive network based on off-the-shelf computer technology, presents a frightening cyber security challenge. And the threats could be from terrorists, natural disasters, internal malcontents as well as consumers themselves.

Difference in security for Smart Grids vs. corporate IT

A traditional IT-focused understanding of cyber security is that protection is required to ensure confidentiality, integrity, and availability of the network and data. The priority is confidentiality first, then integrity and availability.

For industrial control systems, including power systems, the priorities of the security objectives are availability first, integrity second, and then confidentiality (consumer data). Cyber security in the Smart Grid includes both power and cyber system technologies, processes in IT and power system operations and governance.

Because the Smart Grid includes systems from the IT, telecommunications, and energy sectors, the risk assessment process is applied to all three sectors as they interact in the Smart Grid. It is an enormous undertaking. But once the Smart Grid is secure, it will be the harbinger of daily life in the future.

Attack of the Red Dragon: China Claws Google

In its official corporate blog last month, Google reported attacks originating from China on certain Gmail accounts. Further investigation revealed the Gmail accounts belonged to Chinese human rights activists. Google then found that the accounts of dozens of U.S., China and Europe-based Gmail users who are advocates of human rights in China had been accessed via phishing scams or malware placed on the users' computers.

When Google.cn (China) was launched in 2006, Google agreed to censorship by the Chinese government. However, based on these latest attacks and increasing limits on free speech on the web, Google is re-evaluating its position. Depending on its talks with the Chinese government, it may cease operating in that country.

What are we to do when a sovereign government breaches security and attacks its own people? Who do you turn to for recompense? What additional security measures can one take?

Google is already warning all users to deploy anti-virus and anti-spyware programs, to install patches for their operating systems, to update their web browsers and to be cautious when clicking on links appearing in instant messages and emails.

But is this enough? In the old days when the government snooped on you they wire-tapped your phone, camped outside your house with long lens cameras, sifted through your trash and followed you around. It took a lot of effort and expense to spy on someone. Now in the cyber age, the snoopers are faceless and attack millions with little effort. What can one do?

Individual and corporate security measures will safeguard you to a certain point. But when a government attacks, ultimately it is the human response, the people at every node of the network who safeguard our freedoms. Unplugging will not be an option unless we desire to return to the Stone Age. Thus behind every security measure there must be people willing to stand for what is right.
