The real 1 percenters….

March 12, 2012 by · Leave a Comment

There are a lot of vendors pushing their wares using zero-day exploits as a chief selling piece in their propaganda.  The problem is, the vast majority of servers are compromised by known vulnerabilities and a failure in the patching process.   It stands to reason that there is more bang-for-the-buck by addressing issues such as vulnerability and patch management, rogue IT (the pesky groups who stand up their own unprotected, poorly managed and vulnerable servers and workstations), and user behavior.  Simply put, Pareto’s principle is an effective technique in dealing with a big chunk of information security issues, especially when working with a slim budget.

Zero-day exploits aren’t hype but I’m afraid the term has been over-used as a sales technique designed to evoke an emotional response from executives.  Sales really is an emotional business.  Keep this in mind though… if you are ill-prepared to deal with the known you have little chance of protecting yourself against the unknown.  Does it make any business sense at all to apply resources to 1% of the problem while leaving 99% unattended to?   Of course not but, it’s just not as sexy or fun to play in the mundane and repetitive when the world of APT’s and Zero-Day’s are grabbing headline news.

By no means am I suggesting to ignore the evolving threats to information.  The dynamics of technology and growing demand for full-time access to information doesn’t allow for that kind of laissez-faire attitude.  The new problems we face and any solutions need to be viewed from an innovate and creative lens.  However, the need to constantly evolve a security program is no excuse for ignoring or forgetting about the known threats and vulnerabilities to information assets.

Photo credit: ddpavumba / FreeDigitalPhotos.net

Filed Under: Business and Security · Tagged With: , ,

Don’t Let FUD Trump Value

January 22, 2010 by · Leave a Comment

The Google “Aurora” incident illustrates an ongoing problem with the “media motivated” approach many organization take in regards to information security.  A major event happens and there is a short-lived window of opportunity to ride the “it can happen to us” wave to secure some funding for the latest toy or gadget.  Unfortunately, some executives are unable to step out of the headline grabbing world of FUD (Fear, Uncertainty, and Doubt) and that is the only way security efforts ever show up on their radar.  That is unfortunate but shouldn’t convince information security professionals to operate entirely in that realm.

Threats are constantly evolving.  “Aurora’ today will be something else tomorrow.  Constantly jumping from one fire to the next unfortunately takes us out of the process improvement mode of operation.  Certainly there is some lessons learned from this incident that should be applied but ultimately, information security should be an evolving proactive process, not a panic stricken FUD game.

  1. Vulnerability management is a process that requires checks and balances.  How do you know that all your systems are patched?  This goes beyond O/S patches but applications as well.
  2. Do you know what your users are installing?  Software deployment and management is part of an overall strategy to protect your systems.
  3. How do you know your systems have the latest anti-virus updates and signatures?  Obviously, anti-virus is a reactionary tool that typically fares poorly in detecting new malware but keeping out the old stuff is important too.
  4. Do you actively look for compromised systems?  How do you manage event information?  Do logs come in to a centralized location that can be indexed and analyzed or do you really believe an analyst is manually looking through millions of log events each day?
  5. Understand where your attacks are coming from and take action.  Look for weaknesses in your defenses and fix them or provide some type of compensating controls.  Learn from compromised systems and the information already available to you from IDS, SEIM, logs, etc.

Show that information security provides value without resorting to scare tactics else you become the “boy who cried wolf” and ineffective in your long term efforts.

Filed Under: Awareness and Education, Business and Security · Tagged With: , , ,

Risk-based Information Security

December 28, 2009 by · Leave a Comment

How do you even start protecting your information assets if you don’t have an understanding of the risk to them?  I would venture to say… you don’t.  It’s difficult for some to get started down this path because they quickly get overwhelmed with the task at hand.  Many times, a good effort gets set aside because the level of detail gets too cumbersome to reach the finish line.  Perhaps this can help.

Organizational assets

You have to know what you have but it doesn’t have to be a lonely road to get the information.  Start with a network scanning tool to detect the systems on your network and try to understand the type of data being stored on each.  However, don’t try to perform a risk assessment on each individual system.  Group them into sensible categories based on type of data (customer, HR, financial), application type (web, database, app) or business function (web, e-mail, accounting/finance).

Find out who “owns” this data.  A department head, Director, VP, whoever is ultimately responsible for the data.  Remember, determining risk is a business responsibility and it is up to Information Security to adequately illustrate the risk and controls so that informed decisions can be made.

The Risk Rating Matrix

There are many ways that this can be done and even sample matrices you can use online.  Take your pick.   Some assign rankings for Threats, Vulnerabilities, and Impacts for each part of the security triad (Confidentiality, Integrity, Availability).  Some take into account compensating controls.    Some use liklihood of an event happening.  Some multiply their risk rating by how easy it is to detect an issue to get an overall score.

Regardless of what method works for you any method should take these suggestions into consideration:

  • If you are assigning scores in your rankings of threats, vulnerabilities, impact, etc. make sure you use an even numbered scale like 1-6.  This eliminates the “middle of the road” pick and forces one to fall on the high side or the low side.
  • Make sure each ranking number is labeled so that it is easy to understand what a 2 means versus a 5.
  • Provide an overall ranking that can be used to compare risks and prioritize them for clearer decision making.
  • Doing something is better than doing nothing.  Don’t expect perfection the first time out.

Take Action

With your rankings and priorities established in collaboration with the data owner you are in a better position to implement controls that provide value.  The acceptance of risk should be firmly in the hands of the data owner (and signed off on).   When budgets are tight, you now have the opportunity to address the biggest risks because you have taken the time to identify them.

There is no such thing as 100% security.  Reducing your risk profile by applying a measured approach to risk management is however, entirely possible.  Doing nothing is a bad choice.  Where do you want to be?

Filed Under: Business and Security · Tagged With: , , ,

Lessons in Due Diligence

December 2, 2009 by · Leave a Comment

An article by Kim Zetter on Wired.com caught my attention:  “Restaurants Sue Vendor for Unsecured Card Processor”.

The gist is that several restaurants purchased Point-of-Sale (POS) systems from a particular vendor.  These POS systems that were sold were apparently not Payment Card Industry – Data Security Standard (PCI-DSS) compliant and that resulted in a breach costing the restaurants a hefty sum.

One issue comes from unpatched, poorly configured remote access and the other alleged problem came from default login administrator userID and passwords.  From the article:

Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.

So, the vendor sold them the product that was known to have these flaws but on the flip side, the restaurants bought these systems that are known to have these flaws.   I can certainly see the case here but from a security perspective there are some lessons learned when it comes to due diligence and basic security practices.

1.  If you blindly believe marketing slicks about the “state-of-the-art” product you’re purchasing that can do everything including cooking your dinner and washing dishes…well… you get the point.   Visa had produced a bulletin regarding the flaws with the product a year before one of the restaurants bought the product.   A little due diligence in the selection process would have gone a long way.

2.  So, you buy a product and install it.  It has remote access capabilities.  You leave the default administrator ID and password that is well known to anybody who can grab an online manual.  You’re breached.   If you install a new software product for Pete’s sake, change the default account passwords.  If your bank gives everybody a password of “password” to their online banking, would you change yours or just leave it?  (BTW, they don’t do that… just an illustration).

3.  Implementing a system with known flaws and not updating it is pretty bad.  It’s like installing a Microsoft server and not applying security patches for a year.  You get breached because of a vulnerability that should have been fixed a year ago.  Good luck blaming Microsoft for that one.   Patch management is essential.

By no means am I blaming the victim in this case.  They are chefs and restaurant managers, not IT or InfoSec people.  They relied on the vendor to provide them a product that was up to snuff with PCI requirements and trusted them to sell a product that protected their customer’s information.  When we examine and extended this into our own business and technology implementations, their experience provides some lessons for all of us.  Hopefully we can learn from this and apply due diligence to all of our vendor interactions and purchases.

Filed Under: Business and Security, PCI · Tagged With: , , , , , ,

Patch Management Only 1/2 the Battle

October 14, 2009 by · 2 Comments

An audit of cybersecurity for DHS’ nine most frequently visited Web sites found that although general security protocols were followed, there were still a number of vulnerabilities and gaps in security, including inconsistent management of security patching and security assessments.  Lipowicz, Alice.  “DHS Web sites vulnerable to hackers, IG says”, Federal Computer Week, 09Oct2009.

It is almost hard to comprehend that even after years of pounding the message of “patch your systems” that unpatched systems are still making headlines.   I can picture some internal servers running legacy applications that fail if the latest O/S patches are applied being kept off of a patch management system but simple internet facing web servers?  This report is especially egregious considering these systems are managed through DHS.

Beyond the issue of patch management is the use of regular vulnerability assessments as part of an overall risk management program.  The two questions I like to ask are 1) Are your systems up to date?  and 2) How do you know?   Just like there are a number of patch management programs available there are also a number of vulnerability scanning tools.   I’ve used several and many do a good job at pointing out glaring (and not so glaring) problems.

The real trick to vulnerability scanning tools is using the information to fix problems when they are found.  If you aren’t going to do anything with the information then why even bother.  If available, use the help desk and log a ticket.  Notify the department head and schedule a meeting to discuss the timeline for remediation.  If the system is incapable of supporting a patch due to application incompatibilities, look at compensating controls to at least reduce the exposure.  The very worst thing that can be done is to sit on the information.  Information is only valuable if it drives action.  So, take action but do so as a partner, not as a dictator.

Filed Under: Business and Security, Should Have Known Better · Tagged With: ,