<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Pingree On Security</title>
	<atom:link href="http://www.lawrencepingree.com/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.lawrencepingree.com</link>
	<description>Information Security Simplified</description>
	<lastBuildDate>Tue, 03 Aug 2010 15:05:46 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>New Data Breach Study released</title>
		<link>http://www.lawrencepingree.com/?p=221</link>
		<comments>http://www.lawrencepingree.com/?p=221#comments</comments>
		<pubDate>Mon, 26 Jul 2010 17:51:08 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=221</guid>
		<description><![CDATA[A friend of mine just released a great data breach study, please see the link below: http://www.digitalforensicsassociation.org/storage/The_Leaking_Vault-Five_Years_of_Data_Breaches.pdf or click here.]]></description>
			<content:encoded><![CDATA[<p>A friend of mine just released a great data breach study, please see the link below:</p>
<p><a href="http://www.digitalforensicsassociation.org/storage/The_Leaking_Vault-Five_Years_of_Data_Breaches.pdf"  target="_blank">http://www.digitalforensicsassociation.org/storage/The_Leaking_Vault-Five_Years_of_Data_Breaches.pdf</a></p>
<p>or <a href="http://www.digitalforensicsassociation.org/storage/The_Leaking_Vault-Five_Years_of_Data_Breaches.pdf"  target="_blank">click here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=221</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Availability Risks and Cloud Computing</title>
		<link>http://www.lawrencepingree.com/?p=216</link>
		<comments>http://www.lawrencepingree.com/?p=216#comments</comments>
		<pubDate>Tue, 06 Jul 2010 23:55:06 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=216</guid>
		<description><![CDATA[Don&#8217;t get me wrong at all, I love cloud computing and even invest in cloud computing companies, but since cloud computing is becoming more popular than ever as more and more applications core to our businesses move into the cloud, we need to consider some of our own risks. One thing I&#8217;m not sure if [...]]]></description>
			<content:encoded><![CDATA[<p>Don&#8217;t get me wrong at all, I love cloud computing and even invest in cloud computing companies, but since cloud computing is becoming more popular than ever as more and more applications core to our businesses move into the cloud, we need to consider some of our own risks. One thing I&#8217;m not sure if you or your business has thought of is availability on your own end (your internet connections). Availability is not just on the provider side, which is normally fully redundant. Being a CISSP, of course I know the clever Triad, but given that most availability issues are still addressed by other parts of our organizations (network engineering, telecom, etc.), I know that I myself mostly focus on confidentiality and integrity related controls and not on availability. I don&#8217;t think I&#8217;m the only one in the security industry that is in this boat.</p>
<p>So, if we take a moment and step back from our little paper-cluttered desks filled with pie charts and Excel spreadsheets of PCI or SOX controls and take a look at availability, we should ask ourselves these questions: Would our company function if we lost our primary internet connection? How about if we lost our internet connections entirely? How about if a global routing event or some other attack on the Root DNS servers was successful? hmm&#8230;</p>
<p>My 2 cents is that companies are relying very heavily on a mixed bag of routing protocols and interconnected networks that don&#8217;t always have your company&#8217;s goals at heart. I&#8217;d love to see a lawyer try and argue that the company internet connection going down should be reimbursed to the level of reliance that has been placed on those same connections. So please, please, please ensure you have fully redundant internet connections and think this issue through. Keep in mind that you may have two circuits coming out of your data center, but they often go physically through the same single fiber connection at the Telco (a single point of failure). You should also consider the financial risks associated with second- and third-tier cloud providers. Providers such as Salesforce.com and Amazon are best suited to provide you financial stability and fault tolerance, but startups often lack the resources or money to really cover all these availability issues effectively, so be cautious and have a backup plan in place to address any of the issues that could arise.</p>
<p>More questions to ask&#8230; If your internet went down:</p>
<p>1. Would your helpdesk software work?</p>
<p>2. Would your finance portal work?</p>
<p>3. Would your out-sourced marketing work?</p>
<p>4. Would your advertising continue?</p>
<p>5. Would your paycheck administration continue?</p>
<p>6. Would your recruiting efforts continue?</p>
<p>7. Would your customers be able to buy from you?</p>
<p>8. Would your banks be able to communicate with you?</p>
<p>9. Would you be able to get updates for your operating systems?</p>
<p>The list goes on and on&#8230; Think about it at least a little.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=216</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Senate Committee approves Cybersecurity bill</title>
		<link>http://www.lawrencepingree.com/?p=211</link>
		<comments>http://www.lawrencepingree.com/?p=211#comments</comments>
		<pubDate>Fri, 25 Jun 2010 16:26:17 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=211</guid>
		<description><![CDATA[After some modifications, a senate committee has approved the controversial &#8220;The Protecting Cyberspace as a National Asset Act of 2010&#8221;. The most controversial portion of the bill was the provision allowing the president to shut down the internet, which has been modified somewhat. Details of the bill are here.]]></description>
			<content:encoded><![CDATA[<p>After some modifications, a senate committee has approved the controversial &#8220;The Protecting Cyberspace as a National Asset Act of 2010&#8221;. The most controversial portion of the bill was the provision allowing the president to shut down the internet, which has been modified somewhat. Details of the bill are <a href="http://hsgac.senate.gov/public/?FuseAction=home.Cybersecurity"  target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=211</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s so good about vulnerability management?</title>
		<link>http://www.lawrencepingree.com/?p=209</link>
		<comments>http://www.lawrencepingree.com/?p=209#comments</comments>
		<pubDate>Mon, 21 Jun 2010 15:13:12 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[scanning]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<category><![CDATA[vulnerability management]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=209</guid>
		<description><![CDATA[Many corporations in the world are now mandated by PCI to perform at least quarterly scans against their PCI in-scope computing systems. The main goal of this activity is to ensure vulnerabilities in systems are identified and fixed on a regular basis. I myself think this is one of the more important provisions of PCI [...]]]></description>
			<content:encoded><![CDATA[<p>Many corporations in the world are now mandated by PCI to perform at least quarterly scans against their PCI in-scope computing systems. The main goal of this activity is to ensure vulnerabilities in systems are identified and fixed on a regular basis. I myself think this is one of the more important provisions of PCI and one that I believe is essential to maintaining a secure environment.</p>
<p>What most corporations initially do is start by using simple scanning tools such as Nessus, GFI LANguard, ISS Scanner, etc. and perform on-demand scans. While this is all well and good and provides an immediate snapshot of a particular point in time, there are several major flaws that must be addressed through richer tools.</p>
<p>First, it is great to get vulnerability and patch data; however, handing a systems engineer or administrator one single report with dozens if not hundreds of things to fix quickly becomes unreasonable for them to track and respond to. We often forget that this systems engineer is usually tasked with many other duties they must prioritize, including new installs, troubleshooting, bug patching, administration, configuration, etc., that demand most of their time. These activities are often far more time-sensitive in their eyes, as projects have people bugging them regularly for completion. It is also important to note that the business is pushing them for ever greater functionality and features.</p>
<p>Given this fact, a simple scan report is just not viable for them to prioritize and track against their existing workload. This has given rise to vulnerability management, a.k.a. the process of managing vulnerabilities through to remediation via ticketing and reporting to management.</p>
<p>Secondly, another important flaw with simple scanning is the lack of overall metrics for measuring risk. Measuring risk is hard to do in security, but if you have an automated scanning process scheduled on a regularly occurring basis (i.e. more than once every 3 months), your vulnerability data over that time can be measured as systems become either more exposed or less exposed as they are patched or new vulnerabilities are found. This is one way you can effectively measure the effectiveness of your patch management and your security program.</p>
<p>Thirdly, this ensures your company clearly sees that security is a process and not just a one-time effort. This distinction is important because you as a security practitioner will need data to prove you need a consistent and ongoing supply of money to maintain security. Security is continuous and ever changing; stagnation is a guarantee of breach.</p>
<p>Moral of this story&#8230; manage security, don&#8217;t just triage it and forget it.</p>
<p>Great tools for managing vulnerabilities are:<br />
-Rapid7<br />
-McAfee Vulnerability Manager<br />
-Qualys</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=209</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t forget the weakest link</title>
		<link>http://www.lawrencepingree.com/?p=208</link>
		<comments>http://www.lawrencepingree.com/?p=208#comments</comments>
		<pubDate>Fri, 18 Jun 2010 16:11:16 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=208</guid>
		<description><![CDATA[With all of today&#8217;s focus on securing for PCI or SOX we often find ourselves leaving our security risk management priorities behind. As we all know there are many ways to breach the security of a corporation and many safeguards we have to select from. Which brings me to the fact that there are many [...]]]></description>
			<content:encoded><![CDATA[<p>With all of today&#8217;s focus on securing for PCI or SOX we often find ourselves leaving our security risk management priorities behind. As we all know there are many ways to breach the security of a corporation and many safeguards we have to select from.</p>
<p>Which brings me to the fact that there are many internal web applications used inside companies that we sometimes forget about and that can cause the rest of our security to fail. Good examples of such sites are intranets, bug tracking apps, internal document websites, employee benefit portals, time tracking portals, etc.</p>
<p>It only takes one of these sites using a non-encrypted session (i.e. no SSL) to render an entire corporate PCI or SOX security paradigm useless. One single use of the Cain &#038; Abel sniffer tool along with ARP spoofing can suck down the passwords your privileged users use and give rise to an attacker gaining access to your sensitive data.</p>
<p>Although most corporations ask employees to use different or more complex passwords on disparate applications, the move to centralized LDAP or AD authenticated environments means passwords are now no longer different on these systems.</p>
<p>The moral of this story is, please don&#8217;t ignore your weakest link. Security is end to end.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=208</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SWOT Analysis of Verizon Business Security Monitoring/Management</title>
		<link>http://www.lawrencepingree.com/?p=199</link>
		<comments>http://www.lawrencepingree.com/?p=199#comments</comments>
		<pubDate>Thu, 17 Jun 2010 17:33:17 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=199</guid>
		<description><![CDATA[Strengths •    Compliance Reporting is fairly comprehensive •    Verizon has a great deal of experience in monitoring for security events at many large corporations •    Verizon portal provides richer user experience than alternative leading competitors •    Extensive devices included in Verizon monitoring will provide more actionable data to corporations •    Verizon is known to have [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Strengths</strong><br />
•    Compliance Reporting is fairly comprehensive<br />
•    Verizon has a great deal of experience in monitoring for security events at many large corporations<br />
•    Verizon portal provides richer user experience than alternative leading competitors<br />
•    Extensive devices included in Verizon monitoring will provide more actionable data to corporations<br />
•    Verizon is known to have best of breed monitoring against its competitors<br />
•    Corporate SOX controls can be adopted to leverage this to satisfy a company&#8217;s daily review lowering management review times</p>
<p><strong>Weaknesses</strong><br />
•    Increased time to troubleshoot with existing limited personnel regardless of SLA (If managed device option selected)<br />
•    Reduced flexibility to respond to organizational needs with regards to tool configuration (If managed device option selected)<br />
•    Coordination of Rule/Security event tuning issues will persist with any external vendor selected<br />
•    Although Verizon is known as best of breed for monitoring, this mostly reflects monitoring and not tools management<br />
•    Net Increase of workload to coordinate administration of the tools under management (If Managed device option selected)</p>
<p><strong>Opportunities</strong><br />
•    Verizon seems willing to include McAfee or other product countermeasure awareness in their overall solution (future)<br />
•    Firewall rule management can reduce workload of existing Network Engineering resources (If Managed device option selected and offered)</p>
<p><strong>Threats</strong><br />
•    Verizon may not be able to meet SLAs<br />
•    Tools Verizon supports may not be what your company wishes to select or invest in while lower cost options may be available<br />
•    Increase in alerts prior to tuning will at least initially increase the workload of existing resources<br />
•    Many companies have negative experiences with outsourced management using other MSSPs, which can indicate potential pitfalls of outsourced tool management using yet another MSSP external management option.</p>
<p><strong>Summary</strong><br />
Given the extensive negative experiences that many companies have had with regard to externally managed devices via managed services, it is my opinion that selecting Verizon for their Security Monitoring Only solution will provide the best net value gain for a company’s IT Security and Network Engineering functions and provide a corporation the greatest enhancement towards its ongoing security/compliance goals. Selecting the monitoring option in conjunction with the tools management option I believe will cause a net increase in complexity and communications overhead which can result in further constraints on existing IT Security and Network Engineering resources and should be considered carefully.</p>
<p><strong>My Recommendation</strong><br />
Deploy Verizon Business Services Security Monitoring in a monitoring/reporting mode only and maintain system ownership, configuration and administration functions in house as opposed to externally.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=199</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One day of life without security &amp; compliance</title>
		<link>http://www.lawrencepingree.com/?p=197</link>
		<comments>http://www.lawrencepingree.com/?p=197#comments</comments>
		<pubDate>Tue, 08 Jun 2010 13:24:47 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=197</guid>
		<description><![CDATA[Imagine for a moment, that we take all of today&#8217;s technological developments and remove security and compliance completely from them. Then we put ourselves through a single day in our lives, just one harmless fun loving day. Let&#8217;s just see what happens along our merry way. So the day starts with me waking in the [...]]]></description>
			<content:encoded><![CDATA[<p>Imagine for a moment, that we take all of today&#8217;s technological developments and remove security and compliance completely from them. Then we put ourselves through a single day in our lives, just one harmless fun loving day. Let&#8217;s just see what happens along our merry way.</p>
<p>So the day starts with me waking in the morning at SIX to my Chumby alarm playing. I get up and start to get ready for work with my normal routine, 2 cups of coffee,  shower, walk the dog, eat a quick tangerine. I call my dog in  from her early morning walk, she runs in and I then shut the door behind her and I hear a quick pop. This time though the door doesn&#8217;t shut, it simply bounces.  The door is now missing a knob and a lock. So now the door simply glides open and closed lightly with the breeze like a windsock I suppose. Shortly thereafter  my dog gets a glimpse, of a cat posing outside she pushes the door open and shoots outside in a cinch. I run rapidly after my dog and finally catch her, return her back to the house and prop the door with a chair so as to not let her escape again.</p>
<p>Now I&#8217;m ready to leave for work so I walk to the garage and I open the door to my car and hop on in. I have some nice electronics for my listening and driving pleasure. You know, the pleasures such as the iPod with stereo integration, a navigation system and mp3 playing stereo system. But wait just a moment, why was GPS invented? Oh yeah, the Department of Defense created that for security, so since this is a day without security my GPS no longer worked. Well, I sat in my car and realized that the door locks were missing from my car, someone grabbed all my stereo equipment. I never heard my alarm (remember this is a day without security).</p>
<p>Then I quickly jump in my car and I&#8217;m then dumbfounded by the fact that oh my, I no longer have keys to start it. So I&#8217;m now forced to become quickly familiar with hotwiring my car. I twist together some wires under my dash, and luckily get the engine started for my trek to work.</p>
<p>I jump onto the freeway and I&#8217;m trying to change lanes to merge and for some reason everyone is doing 120 MPH past me and being real jerks just flying by with no regard to anyone at all. They all seem to own the road. I wonder to myself, why oh why would this be happening? And then it dawns on me&#8230; no police, no highway patrol (oh my, I guess they are for security too). So I speed up rapidly (my 4 cylinder maxed out) and join the ever speedy flow of annoying and law breaking citizenry, each time I change lanes my doors fly open since there are no latches to hold them. I feel like going back home. But alas, I press on.</p>
<p>I finally get to work and I&#8217;m totally overwhelmed, I park my car in the garage and walk to the entrance of the building and notice people running with boxes, computers, electronics and other various expensive items. My gosh, they are robbing the place, no security of course. The entryway has no badge readers and the doors no locks. Finally I enter the building and go up the elevator to my floor. I then arrive at my desk with a sigh of relief and collapse into my chair and plug in my mouse. I power up my laptop and I&#8217;m ready to start my day. My computer boots up with no password, to my dismay again. I launch a browser to go check my mail and lo and behold it&#8217;s a task that will fail, because without logins and passwords at boot, personalization and customization is all totally moot.</p>
<p>I pop up a website and shown right at the top is a small little news clip: &#8220;There&#8217;s a new worm we must stop&#8221;. My computer starts spittering and sputtering and junk, and before you know it, it&#8217;s an unusable hunk. So tell me again out there that security is just a cost, when without it I&#8217;m telling you your business is a complete loss.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=197</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reports of McAfee 5958 dat file causing BSOD</title>
		<link>http://www.lawrencepingree.com/?p=193</link>
		<comments>http://www.lawrencepingree.com/?p=193#comments</comments>
		<pubDate>Wed, 21 Apr 2010 18:02:50 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=193</guid>
		<description><![CDATA[Just fyi&#8230; I&#8217;ve received a report from Microsoft that the latest McAfee dat 5958 is causing system issues and not to install it. The URLs provided are below: QUOTE: &#8220;Do not download the 5958 DAT file. Reports are coming in where this is causing major issues. Info from the community can be found: http://community.mcafee.com/thread/24056?start=15&#38;tstart=0 Most [...]]]></description>
			<content:encoded><![CDATA[<p>Just fyi&#8230; I&#8217;ve received a report from Microsoft that the latest McAfee dat 5958 is causing system issues and not to install it. The URLs provided are below:</p>
<p>QUOTE:</p>
<p>&#8220;Do not download the 5958 DAT file. Reports are coming in where this is causing major issues. Info from the community can be found:</p>
<p><a rel="nofollow" href="http://community.mcafee.com/thread/24056?start=15&amp;tstart=0" >http://community.mcafee.com/thread/24056?start=15&amp;tstart=0</a></p>
<p>Most recent info I have is this: <a rel="nofollow" href="https://kc.mcafee.com/corporate/index?page=content&amp;id=KB68780" >https://kc.mcafee.com/corporate/index?page=content&amp;id=KB68780</a></p>
<p>&#8220;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=193</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Business Driven Security Mistakes</title>
		<link>http://www.lawrencepingree.com/?p=185</link>
		<comments>http://www.lawrencepingree.com/?p=185#comments</comments>
		<pubDate>Tue, 06 Apr 2010 04:11:24 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Personal]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security mistakes]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=185</guid>
		<description><![CDATA[Top Business Driven Security Mistakes (yes I do realize there&#8217;s a balance between security and business) 1. Implementing an IPS in an IDS mode with no blocking whatsoever. Under the guise of &#8216;uptime&#8217; businesses often deploy time-tested IPS products, foregoing their real value advantage of blocking attacks because IT is wary of impacting the [...]]]></description>
			<content:encoded><![CDATA[<p>Top Business Driven Security Mistakes<br />
(yes I do realize there&#8217;s a balance between security and business)</p>
<p>1. Implementing an IPS in an IDS mode with no blocking whatsoever. Under the guise of &#8216;uptime&#8217; businesses often deploy time-tested IPS products, foregoing their real value advantage of blocking attacks because IT is wary of impacting the business. Meanwhile a breach such as TJX can cost over $250 million for a similarly sized company. Question is, would the IPS interrupting a few &#8216;false positives&#8217; cost a company $250 million? Hmm</p>
<p>2. Focusing on compliance and procedural controls instead of technologies to protect data. Often companies are preparing for the &#8216;audit attack&#8217; instead of the &#8216;hacker attack&#8217;. They have impeccable processes such as firewall review, termination processes and user certifications, all well and good initiatives if you&#8217;ve already covered your proverbial security bases with preventative controls.</p>
<p>3. Funded only till compliant. Need I say more?</p>
<p>4. Perfected processes require execution. Many information security professionals as well as their IT counterparts find themselves spending most of their days executing procedures that cannot be given enough time for proper review due to resource constraints. This makes the controls weak at best while at the same time de-emphasizing real prevention measures.</p>
<p>5. Following the alert rabbit hole. Most large companies have implemented SIEM tools to monitor logs and end up following the login failure alert rabbit hole, which often ends in a dead end. For example, you have failed-login lockout controls, yet you are still required to investigate. Hmmm, the red pill or the blue pill? Waste of time (IMHO).</p>
<p>6. Not keeping up with the times. Lack of resources leaves the security team unable to find enough time to study or perfect their knowledge. This leads to service failures, outages, etc., because they need the proper amount of on-the-job research time to do a quality job.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=185</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Symantec&#8217;s 2010 Trump Card for McAfee</title>
		<link>http://www.lawrencepingree.com/?p=181</link>
		<comments>http://www.lawrencepingree.com/?p=181#comments</comments>
		<pubDate>Tue, 09 Feb 2010 19:01:02 +0000</pubDate>
		<dc:creator>Lawrence Pingree</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.lawrencepingree.com/?p=181</guid>
		<description><![CDATA[As many security professionals know, Symantec in the last couple of years seemed to have stumbled a bit. The merger with Veritas left IT professionals scratching their heads and led many to feel Symantec was losing its focus. Later they acquired Altiris and everyone said &#8220;ho hum&#8221; to that and struck it up as [...]]]></description>
			<content:encoded><![CDATA[<p>As many security professionals know, Symantec in the last couple of years seemed to have stumbled a bit. The merger with Veritas left IT professionals scratching their heads and led many to feel Symantec was losing its focus. Later they acquired Altiris and everyone said &#8220;ho hum&#8221; to that and struck it up as just another crazy purchase. The interesting thing is how this seems to be all coming together in 2010&#8230;</p>
<p>McAfee, on the other hand, was still recovering from their stock option scandal and brought in a completely new management team with a billion dollars in the bank. At the same time, Sophos, Kaspersky and other anti-virus companies were pounding the pavement as well. This created a hyper-competitive marketplace for Symantec&#8217;s leadership. Then last year, McAfee announced their &#8220;Security Innovation Alliance&#8221;, which basically allowed them to bring smaller vendors in and integrate functionality into their ePO console, providing McAfee a better integration story against Symantec.</p>
<p><strong>So where&#8217;s the &#8220;Trump card&#8221;?</strong></p>
<p>The real trump card for Symantec against McAfee and others in the security industry is the Altiris management console. The key benefit for Symantec is the framework that Altiris provides to the multi-faceted agent based technologies that Symantec has acquired over the years. Altiris is very well known for their asset management technology and the ease of management of agent based technologies. This combo will provide Symantec a significant advantage against McAfee, mostly in the ease of adding new integrated agents. I feel the Altiris integration framework is superior to that of McAfee&#8217;s ePO, so if Symantec is successful in making this their main console to manage their endpoint protection products, this could be a game changer and bring much greater competitiveness to Symantec&#8217;s story. Stay tuned&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lawrencepingree.com/?feed=rss2&amp;p=181</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
