Archive for the ‘Security’ Category

Availability Risks and Cloud Computing

July 6th, 2010 Lawrence Pingree No comments

Don’t get me wrong, I love cloud computing and even invest in cloud computing companies, but since cloud computing is becoming more popular than ever, and more and more applications core to our businesses are moving into the cloud, we need to consider some of our own risks. One thing I’m not sure you or your business has thought of is availability on your own end (your internet connections). Availability is not just on the provider side, which is normally fully redundant. Being a CISSP, of course I know the clever triad, but most availability issues are still addressed by other parts of our organizations (network engineering, telecom, etc.). I know that I myself mostly focus on confidentiality and integrity related controls and not on availability. I don’t think I’m the only one in the security industry in this boat.

So, if we take a moment and step back from our little paper-cluttered desks filled with pie charts and Excel spreadsheets of PCI or SOX controls and take a look at availability, we should ask ourselves these questions: Would our company function if we lost our primary internet connection? What if we lost our internet connections entirely? What if a global routing event or some other attack on the root DNS servers was successful? Hmm…

My 2 cents is that companies are relying very heavily on a mixed bag of routing protocols and interconnected networks that don’t always have your company’s goals at heart. I’d love to see a lawyer try to argue that the company internet connection going down should be reimbursed to the level of reliance that has been placed on those same connections. So please, please, please ensure you have fully redundant internet connections and think this issue through. Keep in mind that you may have two circuits coming out of your data center, but they often go physically through the same single fiber connection at the telco (a single point of failure). You should also consider the financial risks associated with 2nd and 3rd tier cloud providers. Providers such as Salesforce.com and Amazon are best suited to provide you financial stability and fault tolerance, but startups often lack the resources or money to really cover all these availability issues effectively, so be cautious and have a backup plan in place to address any of the issues that could arise.

More questions to ask… If your internet went down:

1. Would your helpdesk software work?

2. Would your finance portal work?

3. Would your out-sourced marketing work?

4. Would your advertising continue?

5. Would your paycheck administration continue?

6. Would your recruiting efforts continue?

7. Would your customers be able to buy from you?

8. Would your banks be able to communicate with you?

9. Would you be able to get updates for your operating systems?

The list goes on and on…. Think about it at least a little.


What’s so good about vulnerability management?

June 21st, 2010 Lawrence Pingree No comments

Many corporations in the world are now mandated by PCI to perform at least quarterly scans against their PCI in-scope computing systems. The main goal of this activity is to ensure vulnerabilities in systems are identified and fixed on a regular basis. I myself think this is one of the more important provisions of PCI and one that I believe is tantamount to maintaining a secure environment.

What most corporations initially do is start by using simple scanning tools such as Nessus, GFI LANguard, ISS Scanner, etc., and perform on-demand scans. While this is all well and good and provides an immediate snapshot of a particular point in time, there are several major flaws that must be addressed through richer tools.

First, it is great to get vulnerability and patch data; however, providing a systems engineer or administrator with only one single report listing many, if not hundreds, of things to fix quickly becomes unreasonable for them to track and respond to. We often forget that this systems engineer is often tasked with many other duties they must prioritize, including new installs, troubleshooting, bug patching, administration, configuration, etc., which demand most of their time. These activities are often far more time sensitive in their eyes, as projects have people bugging them regularly for completion. It is also important to note that the business is pushing them for ever greater functionality and features.

Given this fact, a simple scan report is just not viable for them to prioritize and track against their existing workload. This has given rise to vulnerability management, a.k.a. the process of managing vulnerabilities through to remediation by means of ticketing and reporting to management.

Secondly, another important flaw with simple scanning is the lack of overall metrics for measuring risk. Measuring risk is hard to do in security, but if you have an automated scanning process scheduled on a regularly recurring basis (i.e. more than once every 3 months), your vulnerability data over that time can be measured as systems become either more exposed or less exposed as they are patched or new vulnerabilities are found. This is one way you can effectively measure the effectiveness of your patch management and your security program.
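The trend measurement described above, as an added example that is not from the original post: each scheduled scan is kept as a snapshot of (host, vulnerability id, severity) findings, and consecutive snapshots are compared to count what was fixed, what is new, and how long findings stay open. Hosts, dates and vulnerability ids are constructed placeholders.

```python
"""Trend metrics from a series of scheduled vulnerability scans.

Added example, not from the original post. Comparing consecutive scan
snapshots gives the trend data a one-off scan report cannot: findings
fixed, findings newly seen, and time-to-remediate. All sample values are
constructed placeholders.
"""
from datetime import date

# Constructed sample: three monthly scans of two hosts.
SCANS = {
    date(2010, 3, 1): {("web1", "VULN-A", "high"), ("web1", "VULN-B", "medium"),
                       ("db1", "VULN-C", "high")},
    date(2010, 4, 1): {("web1", "VULN-B", "medium"), ("db1", "VULN-C", "high"),
                       ("db1", "VULN-D", "low")},
    date(2010, 5, 1): {("db1", "VULN-D", "low"), ("web1", "VULN-E", "high")},
}


def snapshot_deltas(scans):
    """For each scan after the first: findings fixed since the previous scan,
    findings newly seen, and high-severity findings still open."""
    dates = sorted(scans)
    rows = []
    for prev, cur in zip(dates, dates[1:]):
        rows.append({
            "date": cur,
            "fixed": len(scans[prev] - scans[cur]),
            "new": len(scans[cur] - scans[prev]),
            "open_high": sum(1 for f in scans[cur] if f[2] == "high"),
        })
    return rows


def finding_lifetimes(scans):
    """Map each finding to the scan that first saw it, and to the first later
    scan where it was absent (treated as remediated). A finding that reappears
    after being absent is not re-opened in this simplified model."""
    dates = sorted(scans)
    first_seen, closed = {}, {}
    for d in dates:
        for f in scans[d]:
            first_seen.setdefault(f, d)
        for f in first_seen:
            if f not in closed and f not in scans[d]:
                closed[f] = d
    return first_seen, closed


def mean_days_to_remediate(scans):
    """Average days between first sighting and remediation over closed findings;
    None if nothing has been closed yet. The resolution of this number can never
    be finer than the scan interval, which is why quarterly scans are too coarse."""
    first_seen, closed = finding_lifetimes(scans)
    if not closed:
        return None
    return sum((closed[f] - first_seen[f]).days for f in closed) / len(closed)


if __name__ == "__main__":
    for row in snapshot_deltas(SCANS):
        print(row)
    print("mean days to remediate:", mean_days_to_remediate(SCANS))
```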

Thirdly, this ensures your company clearly sees that security is a process and not just a one-time effort. This distinction is important because you as a security practitioner will need data to prove you need a consistent and ongoing supply of money to maintain security. Security is continuous and ever changing; stagnation is a guarantee of breach.

Moral of this story… manage security, don’t just triage it and forget it.

Great tools for managing vulnerabilities are:
- Rapid7
- McAfee Vulnerability Manager
- Qualys

Don’t forget the weakest link

June 18th, 2010 Lawrence Pingree No comments

With all of today’s focus on securing for PCI or SOX, we often find ourselves leaving our security risk management priorities behind. As we all know, there are many ways to breach the security of a corporation and many safeguards we have to select from.

Which brings me to the fact that there are many internal web applications used inside companies that we sometimes forget about, and that can cause the rest of our security to fail. Good examples of such sites are intranets, bug tracking apps, internal document websites, employee benefit portals, time tracking portals, etc.

It only takes one of these sites using a non-encrypted session (i.e. no SSL) to render an entire corporate PCI or SOX security paradigm useless. One single use of the Cain & Abel sniffer tool along with ARP spoofing can suck down the passwords your privileged users use and give rise to an attacker gaining access to your sensitive data.

Although most corporations ask employees to use different or more complex passwords on disparate applications, the move to centralized LDAP or AD authenticated environments means passwords are now no longer different on these systems.

The moral of this story is, please don’t ignore your weakest link. Security is end to end.


SWOT Analysis of Verizon Business Security Monitoring/Management

June 17th, 2010 Lawrence Pingree No comments

Strengths
• Compliance reporting is fairly comprehensive
• Verizon has a great deal of experience in monitoring for security events at many large corporations
• Verizon portal provides a richer user experience than alternative leading competitors
• Extensive devices included in Verizon monitoring will provide more actionable data to corporations
• Verizon is known to have best-of-breed monitoring against its competitors
• Corporate SOX controls can be adapted to leverage this to satisfy a company’s daily review, lowering management review times

Weaknesses
• Increased time to troubleshoot with existing limited personnel regardless of SLA (if managed device option selected)
• Reduced flexibility to respond to organizational needs with regard to tool configuration (if managed device option selected)
• Coordination of rule/security event tuning issues will persist with any external vendor selected
• Although Verizon is known as best of breed for monitoring, this mostly reflects monitoring and not tools management
• Net increase of workload to coordinate administration of the tools under management (if managed device option selected)

Opportunities
• Verizon seems willing to include McAfee or other product countermeasure awareness in their overall solution (future)
• Firewall rule management can reduce workload of existing Network Engineering resources (if managed device option selected and offered)

Threats
• Verizon may not be able to meet SLAs
• Tools Verizon supports may not be what your company wishes to select or invest in while lower cost options may be available
• Increase in alerts prior to tuning will at least initially increase the workload of existing resources
• Many companies have negative experiences with outsourced management using other MSSPs, which can indicate potential pitfalls of outsourced tool management using yet another MSSP external management option.

Summary
Given the extensive negative experiences that many companies have had with regard to externally managed devices via managed services, it is my opinion that selecting Verizon for their Security Monitoring Only solution will provide the best net value gain for a company’s IT Security and Network Engineering functions and provide a corporation the greatest enhancement towards its ongoing security/compliance goals. Selecting the monitoring option in conjunction with the tools management option I believe will cause a net increase in complexity and communications overhead which can result in further constraints on existing IT Security and Network Engineering resources and should be considered carefully.

My Recommendation
Deploy Verizon Business Services Security Monitoring in a monitoring/reporting mode only and maintain system ownership, configuration and administration functions in house as opposed to externally.


Top Business Driven Security Mistakes

April 5th, 2010 Lawrence Pingree No comments

(yes I do realize there’s a balance between security and business)

1. Implementing an IPS in IDS mode with no blocking whatsoever. Under the guise of ‘uptime’, businesses often deploy time-tested IPS products, forgoing their real value advantage of blocking attacks because IT is wary of impacting the business. Meanwhile, a breach such as TJX can cost over $250 million for a similarly sized company. The question is, would the IPS interrupting a few ‘false positives’ cost a company $250 million? Hmm

2. Focusing on compliance and procedural controls instead of technologies to protect data. Often companies are preparing for the ‘audit attack’ instead of the ‘hacker attack’. They have impeccable processes such as firewall review, termination processes and user certifications, all well and good initiatives if you’ve already covered your proverbial security bases with preventative controls.

3. Funded only till compliant. Need I say more?

4. Perfected processes require execution. Many information security professionals, as well as their IT counterparts, find themselves spending most of their days executing procedures that cannot be given enough time for proper review due to resource constraints. This makes the controls weak at best while at the same time de-emphasizing real prevention measures.

5. Following the alert rabbit hole. Most large companies have implemented SIEM tools to monitor logs and end up following the login failure alert rabbit hole, which often leads to a dead end. For example, even if you have failed login lockout controls, you are still required to investigate. Hmmm, the red pill or the blue pill? Waste of time (IMHO).

6. Not keeping up with the times. Lack of resources leaves the security team without enough time to study or perfect their knowledge. This leads to service failures, outages, etc., because they need the proper amount of on-the-job research time to do a quality job.


Is compliance making security more difficult?

December 16th, 2009 Lawrence Pingree No comments

I’ve not blogged in quite some time, mostly due to being very busy these days. However, I felt I should talk a bit about compliance and how it seems to have changed security from eliminating threats to eliminating compliance gaps.

In the last few years, many regulations have emerged that now control our security initiatives and goals: PCI, SOX, HIPAA, SB1386, the Massachusetts privacy law, and more on the way. Now, I’m not one to say that regulation does not help in some respects, but often it has undesirable effects that cause many security professionals much discomfort.

What I feel has changed in the security landscape is that rather than targeting the latest “threats”, we find ourselves carrying out burdensome business processes which do little or nothing to improve the overall security of our companies. One notable pain point is an area of PCI that I think drives many of us nuts: the “log review” provision.

In PCI 1.2, the requirement for daily log review in and of itself is well intentioned, and something I cannot argue against because most of us don’t do enough of it. What I find difficult is that we find ourselves reviewing things such as “successful logins” or “failed logins” to comply with these stated controls, and I feel there is very little value in doing so. Many companies mandate that system owners review these logs on a daily basis; is our investment really giving us a return? For instance, most companies utilize domain policies that cause account lockout to occur after 5 failed attempts and require complex passwords. This represents a compensating control, and therefore monitoring and reviewing failed logins is burdensome and unnecessary. That being said, there is still residual value if you receive alerts or reports of extremely high numbers of login failures, so it does make sense to monitor for those.
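The distinction drawn above, as an added example that is not from the original post: failed logins are reduced to the accounts the 5-attempt lockout has already handled (no analyst action needed) and to sources whose failure volume exceeds what a single account could produce before lockout, which is the “extremely high numbers” case worth a review. The log format and all values are constructed for this example.

```python
"""Threshold-based failed-login review.

Added example, not from the original post. With a per-account lockout in
place, single failed logins are noise; only failure volumes that the
lockout cannot bound deserve review. The log format and values are
constructed, not from any real system.
"""
import re
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5  # domain lockout policy cited in the post

# Constructed sample log lines (not real data); format is assumed.
SAMPLE_LOG = """\
2010-12-15T09:00:01 dc1 login_failure user=alice src=10.0.0.5
2010-12-15T09:00:03 dc1 login_failure user=alice src=10.0.0.5
2010-12-15T09:00:09 dc1 login_success user=alice src=10.0.0.5
2010-12-15T09:05:00 dc1 login_failure user=bob src=10.0.0.9
2010-12-15T09:05:01 dc1 login_failure user=carol src=10.0.0.9
2010-12-15T09:05:02 dc1 login_failure user=dave src=10.0.0.9
2010-12-15T09:05:03 dc1 login_failure user=erin src=10.0.0.9
2010-12-15T09:05:04 dc1 login_failure user=frank src=10.0.0.9
2010-12-15T09:05:05 dc1 login_failure user=gina src=10.0.0.9
2010-12-15T10:00:00 dc1 login_failure user=svc_backup src=10.0.0.20
2010-12-15T10:00:01 dc1 login_failure user=svc_backup src=10.0.0.20
2010-12-15T10:00:02 dc1 login_failure user=svc_backup src=10.0.0.20
2010-12-15T10:00:03 dc1 login_failure user=svc_backup src=10.0.0.20
2010-12-15T10:00:04 dc1 login_failure user=svc_backup src=10.0.0.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse lines into dicts; lines that do not match the assumed format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage_failures(events, lockout=LOCKOUT_THRESHOLD):
    """Split failed logins into what the lockout already handles and what merits review.

    'locked_out': accounts whose failures reached the lockout count; the control
      has fired, so daily review adds nothing.
    'review': (source, failures, distinct accounts) where one source produced more
      failures than a single account can before lockout, spread over several
      accounts. Per-account lockout does not bound this, so it is worth a look.
    """
    failures = [e for e in events if e["event"] == "login_failure"]
    by_user = Counter(e["user"] for e in failures)
    by_src = Counter(e["src"] for e in failures)
    users_per_src = defaultdict(set)
    for e in failures:
        users_per_src[e["src"]].add(e["user"])
    locked_out = sorted(u for u, n in by_user.items() if n >= lockout)
    review = sorted((src, n, len(users_per_src[src]))
                    for src, n in by_src.items()
                    if n > lockout and len(users_per_src[src]) > 1)
    return {"locked_out": locked_out, "review": review}


if __name__ == "__main__":
    print(triage_failures(parse_log(SAMPLE_LOG)))
```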

Another issue that I see happening across the industry is when executives make financial decisions based on whether or not they meet these minimum regulations. Often my friends have told me that their companies are cutting back their budgets once they receive their PCI ROC, or their HIPAA compliance report, etc. This causes security professionals to face the daunting task of justifying their budgets to mitigate threats to a management that has already met the minimum bar. Quite a quandary for many of us. I am very hopeful that PCI will continue to morph so that it addresses threats more directly by requiring harder-line approaches such as actual inline IPSs being mandatory and in a blocking state, or ensuring that application firewalls are mandatory. Gone are the days you can expose an application to the dirty internet without all your defenses in an active state.


Trust series II: How is trust different in computing?

September 9th, 2009 Lawrence Pingree No comments

Trust in computing today is different from human trust because trust is basically implicit. Trust is defined by humans; it is determined and interpreted by humans by an assessment of history provided by the human experience and the history of that experience with a given technology (i.e. we trusted WPA until the recent discovery of its weakness). Computers do not yet learn trust as humans do; there is no continued assessment of historical data that is automatically performed by a computer. A computer must rely on humans to decide whether another system is “trusted” or not based on a variety of factors such as known state, historical exploit data, virus or malware infection, etc. This puts humans at a great disadvantage because they cannot possibly monitor all interactions a particular system has. This has given rise to behavioral analytics, which I will try to cover in a later post, but this concept is of great historical significance as it truly affects us all and the automation of future systems.


Trust Series I

August 27th, 2009 Lawrence Pingree No comments

Over the next few weeks or so I will be focusing on issues of trust; these blog postings will cover the following sub-topics:
- What is trust?
- Trust in Relationships
- How is trust different in computing?
- Trust based technologies
- Behavioral analysis
- Future thoughts on behavioral analysis


End of day fun

August 26th, 2009 Lawrence Pingree No comments

rm -r bin/laden

# cd Iraq/Al_Qaeda
Al_Qaeda: does not exist


iGoogle gadgets used to spam with McAfee,Inc. name

August 20th, 2009 Lawrence Pingree No comments

I was searching for new iGoogle gadgets to add to my iGoogle dashboard for my security research and came across something quite interesting. If you search the iGoogle gadget directory for “mcafee security”, you come up with some interesting spam gadgets that use the images to advertise within the directory’s search results, titled “Do you know?”. I’ve not been brave enough on my production machine to click to add them, but I imagine there’s some nice malware linked if a user were to add them to their iGoogle and click on the links the iGoogle gadget creates.

Check this screenshot:

[Screenshot: mcafee-gadgets]

Try the iGoogle Directory search by clicking here.
