Occam’s Razor for Information Security

What if the principle of Occam’s Razor was applied to information security controls?

“All things being equal, a simpler explanation is better than a more complex one”

In other words, if we spent more time applying simple controls rather than chasing buzzwords and “big stories”, would we see an overall reduction in data breaches?  According to the recent Verizon Communications report (pdf), we would.  The report indicates that 97 percent of data breaches were the result of bad guys using simple techniques that could have been countered by applying “simple or intermediate” controls.  Have we been running in circles for this long when the “simple” solution has been staring right at us?

I think this is the case because “simple” things are boring and mundane.  As such, people become complacent and start to believe that effort placed on simple tasks is a waste of time since the “real” threat is going to be much more sophisticated.  If the reported facts of data breaches are true, then that belief isn’t supported.

A variation of Pareto’s Principle (the 80/20 rule) seems to come into play.  Perhaps if we are diligent in applying simple controls (the 20%), then maybe 80% of breaches can be avoided.  Maybe instead of focusing on complex systems that require massive amounts of human resource overhead, a focus on simple controls would yield greater security results.  Applying the principle of least privilege to limit access to sensitive information, or replacing local administrator rights on workstations with standard user or power user rights, may just have a bigger payoff than a $100k SIEM solution that is never fully deployed.

If most breaches are due to a failure in applying simple security measures, then doesn’t it make sense to apply our efforts in improving simple controls?


Self-inflicted… the ongoing saga

I could have sworn I was in a Dilbert cartoon when I got a phone call over the weekend from a small business owner who claimed a system on our network was attacking him.   The conversation went something like this:

Him:  “Your system has been attacking me on port 3389.”

Me:  “Port 3389?  Did this just start?”

Him:  “Yeah.  I’ve been having issues but I just looked at the firewall log today and saw your IP address.”

Me:  “What else is happening?  Can you send me the log for this?”

Him:  “Sure.  Just sent it.  As far as the server, my firewall rules have changed.  I keep getting gigabytes of files that I think are X-box games that keep reappearing after I delete them.  Oh, and there are some services running that look to be just one letter off from legitimate ones.”

Me:  “How long has this been going on? ”

Him:  “Oh, I don’t know.  I ran out of disk space about a week ago and have been cleaning it off every day.”

Me:  “Sir, I’m pretty confident your server has been compromised and if you are allowing RDP connections from the Internet, you might want to reconsider that.  You might also want to wipe and reload your server.”

Him:  “Oh, I had to do that just six months ago.  I had a SQL server that was compromised just like this.  Crazy.  I’m not sure why I’m a target.”

Me:  “So, you keep getting compromised.  Did you have RDP running on that server as well and open to the Internet?”

Him:  “Yeah.  It sure is convenient since I travel a lot.”

Me:  “Oh.  Just checking the log file you sent me, sir, and it looks like you may have transposed some numbers.  This isn’t coming from our network; it’s coming from a network in Texas.”

Him:  “Oh.  I’m terribly sorry to bother you then.”

Me:  “Not a bother at all.  If you don’t mind, can I make a suggestion?”

Him:  “Sure.”

Me:  “You may want to consider getting some help securing your server and finding a safer way to access it when you’re traveling.  It may help so you don’t have to rebuild your system every few months and you can concentrate on more pressing business matters.”

Him:  “Thanks but really, no need.  I’ve got it under control.”

Me:  “I wish you good luck then.  Have a good day.”


Certainly he had all good intentions but probably lacked the skills to adequately protect himself and his customers.  I’m a bit saddened that he wasn’t open to getting some help with this problem because I’m sure he has better things to do than rebuilding a server every few months.  Small business owners should concentrate on their core competencies and get some assistance in areas where they may not be as strong (or simply don’t want to spend the time).   In this case, it appears this business owner will be a repeat customer in the land of self-inflicted problems.
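The turning point in the call above was a simple check: does the source address in the firewall log actually belong to the network being blamed?  The following is an added example, not code from the original post, that performs that check over a few constructed firewall log lines (the log format, the addresses and the network ranges are all assumptions made for the example).  It pulls out every connection attempt aimed at the RDP port, counts them per source address, and reports whether each source falls inside the address space the complainant claims it came from.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from the post). The assumed format is:
# "<date> <time> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2012-06-02 03:14:07 DENY TCP 203.0.113.74:51522 -> 198.51.100.20:3389
2012-06-02 03:14:09 DENY TCP 203.0.113.74:51523 -> 198.51.100.20:3389
2012-06-02 03:15:41 ALLOW TCP 192.0.2.18:44120 -> 198.51.100.20:443
2012-06-02 03:16:02 DENY TCP 203.0.113.74:51524 -> 198.51.100.20:3389
2012-06-02 04:01:55 DENY TCP 198.51.100.9:60001 -> 198.51.100.20:3389
"""

# Address space the caller believes the traffic came from (constructed).
CLAIMED_NETWORKS = ["198.51.100.0/24"]

RDP_PORT = 3389

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def rdp_sources(log_text, claimed_cidrs):
    """Count attempts against the RDP port per source address and flag whether
    each source really sits inside the networks it is being attributed to."""
    nets = [ipaddress.ip_network(c) for c in claimed_cidrs]
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != RDP_PORT:
            continue
        hits[rec["src"]] += 1

    report = {}
    for src, count in hits.items():
        addr = ipaddress.ip_address(src)
        report[src] = {
            "hits": count,
            "in_claimed": any(addr in net for net in nets),
        }
    return report


if __name__ == "__main__":
    for src, info in rdp_sources(SAMPLE_LOG, CLAIMED_NETWORKS).items():
        where = "inside" if info["in_claimed"] else "OUTSIDE"
        print(f"{src}: {info['hits']} RDP attempts, {where} the claimed network")
```

Run against the sample, the noisy source (203.0.113.74) is reported as outside the claimed range, which is exactly the situation in the phone call: the address in the log did not belong to the network being accused.  The one address that is inside the range produced a single attempt, so the report also separates a real pattern from a one-off.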


Don’t Rely on Others to Protect Your Assets

A company has a PC infected with malware that steals the user ID and password for their bank account.  The bad guys proceed to steal a large sum of money from the company bank account.  The bank won’t refund the money, and the FDIC doesn’t insure commercial accounts.  This sums up a recent case described at Krebs on Security where an escrow company had $440,000 stolen from its bank account and is now suing the bank, claiming inadequate controls for the movement of funds.

The bank probably shouldn’t be offering a single password to govern the approval and release of a wire transfer but are they responsible for protecting an endpoint they had no control over?  That’s quite a leap.   As a business owner you have to take responsibility for protecting your assets.

Krebs suggests two alternatives for small businesses.  I agree with both which I’ll summarize here.

1.  Separate your banking PC from your general purpose PC.   In other words, don’t access your online bank accounts from the same PC you use to check E-mail, open attachments, browse the Internet, perform work for your clients, etc.

2.  Use a Live CD that boots your computer into a version of Linux that is used only to access your online bank accounts.

A third option is to use a virtual guest machine that is purposed specifically for online banking and appropriately configured/updated.  (Not a bad idea for personal banking too)

Hopefully, this incident doesn’t lead to a knee-jerk legislative mandate that requires banks to implement vague “effective security measures”, especially those that would require them to effectively manage the endpoint systems of other businesses.  Banks could, however, provide option 2 above to their commercial customers to access online banking using a secure, bank branded Linux distribution.

Bottom line – personal responsibility.  Don’t rely on other parties to protect your information.

Lawsuit, breaches and bashing… oh my!

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business, it still amazes me that corporate behavior in this regard is quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected, but companies are ill-prepared for dealing with a crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

  1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
  2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
  3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
  4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilant.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest Airlines crash at Midway Airport in 2005.  Neither of these is an information security incident, but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for a while.

Lessons in Due Diligence

An article by Kim Zetter on Wired.com caught my attention:  “Restaurants Sue Vendor for Unsecured Card Processor”.

The gist is that several restaurants purchased Point-of-Sale (POS) systems from a particular vendor.  The systems sold were apparently not Payment Card Industry Data Security Standard (PCI-DSS) compliant, and that resulted in a breach that cost the restaurants a hefty sum.

One issue comes from unpatched, poorly configured remote access, and the other alleged problem came from default administrator user IDs and passwords.  From the article:

Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.

So, the vendor sold them the product that was known to have these flaws but on the flip side, the restaurants bought these systems that are known to have these flaws.   I can certainly see the case here but from a security perspective there are some lessons learned when it comes to due diligence and basic security practices.

1.  If you blindly believe marketing slicks about the “state-of-the-art” product you’re purchasing that can do everything including cooking your dinner and washing dishes…well… you get the point.   Visa had produced a bulletin regarding the flaws with the product a year before one of the restaurants bought the product.   A little due diligence in the selection process would have gone a long way.

2.  So, you buy a product and install it.  It has remote access capabilities.  You leave the default administrator ID and password that is well known to anybody who can grab an online manual.  You’re breached.   If you install a new software product for Pete’s sake, change the default account passwords.  If your bank gives everybody a password of “password” to their online banking, would you change yours or just leave it?  (BTW, they don’t do that… just an illustration).

3.  Implementing a system with known flaws and not updating it is pretty bad.  It’s like installing a Microsoft server and not applying security patches for a year.  You get breached because of a vulnerability that should have been fixed a year ago.  Good luck blaming Microsoft for that one.   Patch management is essential.

By no means am I blaming the victim in this case.  They are chefs and restaurant managers, not IT or InfoSec people.  They relied on the vendor to provide them a product that was up to snuff with PCI requirements and trusted them to sell a product that protected their customers’ information.  When we examine and extend this into our own business and technology implementations, their experience provides some lessons for all of us.  Hopefully we can learn from this and apply due diligence to all of our vendor interactions and purchases.

Failures in Leadership, Ethics, and Security

A breach of patient personal information at University Medical Center has all the makings of a made for TV movie or at least provides an opportunity to examine issues in security, leadership, ethics, and even the knee-jerk reaction of ignorant politicians trying to use the opportunity to score some free publicity.  The story “FBI looking at UMC records leak” ran this past Saturday in the Las Vegas Sun.

Security – The Insider Threat

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

The breach clearly demonstrates the difficulty in dealing with insider threats.  We hire employees and give them access to sensitive information in order to perform their job duties.  We certainly have a need to control and monitor access in order to achieve and enforce the practice of least privilege.  Even the best of controls, however, can be circumvented by a trusted insider with an intent to do harm.  In this case, it is alleged that hard copy face sheets were taken outside the facility and sold to an unethical breed of attorney.  I’m not sure it would be reasonable for the organization to set up exit searches of their employees every day to make sure they weren’t sneaking out these documents.  Heck, would you look in a fellow employee’s underwear to make sure they didn’t have a face sheet stuffed in there?  The ACLU would be all over this “violation” of privacy.

While not a cure for this type of insider threat, UMC may want to consider both criminal and financial background checks of new hires.  I know it’s like profiling, but when protecting consumer information, corporate finances and reputation, having an indicator of potential behavior issues can help.  However, in these economic times, a squeaky clean person may engage in this type of behavior out of desperation.  UMC could also consider physical controls for documents, especially those that should remain with a patient’s chart.  Having face sheets printed only in one place and logging who printed them may be useful.  Of course, using electronic records rather than paper records may prevent the physical face sheet from being used at all.

Information security is more than the bits and bytes that are transmitted and stored.  Information security also involves the printed document and how it is handled.

Leadership

Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Hospital leadership just blew off reports suggesting something was terribly wrong.  A cursory probe and dismissal of something that could have major repercussions for patients and the organization is completely unacceptable.  This is fairly common though.  This smells of the “we haven’t been breached so why worry about it” attitude that is prevalent among so-called leaders.  Chasing phantoms can be a nuisance, but to do nothing is irresponsible.

Ethics

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

I’m a big fan of finding the root cause of a problem and eliminating it.  While it is easy to point a finger at UMC and their poor decisions or the employee who is alleged to have stolen the documents, essentially the problem is on the “demand” side.  Unethical attorneys who are practicing in this manner should be disbarred, period.  Eliminate the demand for sensitive information, eliminate the problem.  I’m not naive enough to believe that there won’t be others lined up to fill the spot but you have to start somewhere.  We should expect more from “professionals” and if they can’t behave ethically they shouldn’t be allowed to practice.

Politicians

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Headline grabbing, clueless politician.  The only way to “stop” this criminal offense is to stop taking patients or don’t hire employees.  Politicians are famous for taking an incident and then causing tremendous havoc with their knee-jerk reactions.   Most politicians believe the “as seen on TV” ads or marketing slicks that claim 100% security and then they go down the path of making ridiculous comments or worse, ridiculously impossible (and thus ineffective) legislation.  There is no such thing as 100% security.  It’s a process of reducing risk while allowing the business to function.

Last Thoughts

There are several lessons from this particular story.  Take security threats seriously.  Reduce risk where possible.  Know that there are unethical professionals and other business people out there who have no problem violating the public trust in order to make a buck.  Take politicians’ comments with a grain of salt.  Most are looking to make a headline splash yet have very little knowledge of the topic at hand.

Ultimately, leadership failed at UMC.   They chose to ignore a potential threat rather than investigate it.  While it wouldn’t have prevented the breach, they may have discovered it sooner or reduced the damage to both their finances and their reputation.

It’s Just One Little E-mail…

How often is e-mail used to send documents that contain sensitive information?  I’ve seen consultants share sensitive information about clients this way, as well as staff members just “trying to be helpful”.  I’m sure this happens all the time, and it can be mitigated through training and providing staff the tools necessary to send information securely.  While it is fair to say the majority of these incidents never make the news, the Commerce Department wasn’t quite so lucky:

The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed to a risk of identity theft following an inappropriate transfer of the personal information in mid-July, according to a letter sent to department employees last week.

An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form on July 13, according to the letter. The employee informed supervisors of the oversight almost immediately, and there is no indication thus far that information has been compromised, according to the letter.

“Federal Eye: Personal Data Mishandled at Commerce Dept.”  Ed O’Keefe, Washington Post, August 3, 2009.

As another case in point, a friend of mine filled out an online appointment request for his physician.  He included all types of PII, including Social Security number, date of birth, and the reason for his visit.  The online form itself was secure; however, whatever program the office used was sending the “got your schedule request” e-mail with all of the information he had put in, including the PII.  The steps the physician took to secure the request were thrown out the window because the same information was sent via e-mail in the clear.  Oops!

I’m not sure how much more the concept of not sending PII over e-mail can be hammered home.   Mistakes happen but when it’s done as part of a business practice then perhaps there needs to be some financial penalty involved to make the point.
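Both incidents above (a spreadsheet of employee records e-mailed in the clear, and a confirmation e-mail echoing back a patient’s Social Security number) are the kind of mistake an outbound mail check can catch before the message leaves.  The following is an added example, not code from the original post or from any of the organizations it mentions, of such a check written in Python against the standard library’s `email` package.  It walks every text part of a MIME message, including a CSV attachment, looks for Social Security number patterns, and discards matches in ranges the SSA never issues so that ticket numbers and similar nine-digit strings do not trip it.  The sample message, its addresses and the numbers in it are all constructed for the example; real spreadsheet formats such as .xlsx are binary and would need a separate text extraction step that this example does not include.

```python
import re
from email.message import EmailMessage

# "ddd-dd-dddd" bounded by non-word characters.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject ranges the SSA never assigns (area 000, 666, 900-999;
    group 00; serial 0000) to cut false positives from look-alike numbers."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text):
    """Return every plausible SSN found in a block of text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def scan_message(msg):
    """Scan each text part (body and text attachments such as CSV) of a
    MIME message. Returns a list of {"part": label, "ssns": [...]} entries,
    one per part that contained something."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Only text parts can be scanned directly; binary attachments would
        # need format-specific extraction first (out of scope here).
        if part.get_content_maintype() != "text":
            continue
        label = part.get_filename() or "body"
        hits = find_ssns(part.get_content())
        if hits:
            findings.append({"part": label, "ssns": hits})
    return findings


def should_block(msg):
    """Policy hook: block delivery if any part carries a plausible SSN."""
    return bool(scan_message(msg))


def build_sample_message():
    """Constructed sample message: a short body plus a CSV attachment.
    The SSNs in it are made up for the example."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.gov"
    msg["To"] = "coworker@example.gov"
    msg["Subject"] = "Employee list"
    msg.set_content(
        "Here is the list you asked for. Ticket ref 000-12-3456.\n"
        "Also, the new hire's number is 219-09-9999.\n"
    )
    csv_rows = "name,ssn\nA. Example,123-45-6789\nB. Example,987-65-4321\n"
    msg.add_attachment(csv_rows, subtype="csv", filename="employees.csv")
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    for finding in scan_message(sample):
        print(f"{finding['part']}: {finding['ssns']}")
    print("block:", should_block(sample))
```

Note what the range filter does on the sample: "000-12-3456" in the body and "987-65-4321" in the attachment both match the pattern but are dropped as impossible SSNs, while the two plausible numbers, one in the body and one in the CSV, are reported and cause the message to be blocked.  In practice a check like this sits in the outbound mail path (a milter or gateway rule) and either rejects the message or routes it through an encrypted channel; the point is that the control runs before the mistake leaves the building.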

Business Ethics May Actually Still Exist

T-Mobile is investigating a claim that customer data was stolen and attempts were made to sell the information to their competitors.  While data breaches unfortunately seem common, the good news from this story is that T-Mobile’s competitors apparently denied the offer of the thieves.  This whole story may be hogwash, but even the idea that ethics still plays a role in the business environment is a good thing.  Kudos to those companies!

ComputerWorld Article