
Posts Tagged ‘Security’

What’s so good about vulnerability management?

June 21st, 2010 Lawrence Pingree

Many corporations in the world are now mandated by PCI to perform at least quarterly scans against their PCI in-scope computing systems. The main goal of this activity is to ensure vulnerabilities in systems are identified and fixed on a regular basis. I myself think this is one of the more important provisions of PCI and one that I believe is tantamount to maintaining a secure environment.

What most corporations initially do is start with simple scanning tools such as Nessus, GFI LANguard, ISS Internet Scanner etc. and perform on-demand scans. While this is all well and good and provides an immediate snapshot of a particular point in time, there are several major flaws that must be addressed through richer tools.

First, vulnerability and patch data is valuable, but handing a systems engineer or administrator one single report with many, if not hundreds, of things to fix quickly becomes unreasonable for them to track and respond to. We often forget that this engineer is usually juggling many other duties that take most of their time: new installs, troubleshooting, bug patching, administration, configuration and so on. In their eyes those activities are far more time sensitive, since project owners are regularly pressing them for completion. It is also important to note that the business is pushing them for ever greater functionality and features.

Given this, a simple scan report is just not viable for them to prioritize and track against their existing workload. This has given rise to vulnerability management, i.e. the process of managing vulnerabilities through to remediation using ticketing and reporting to management.

Secondly, another important flaw with simple scanning is the lack of overall metrics for measuring risk. Measuring risk is hard to do in security, but if you have an automated scanning process that runs on a regular schedule (i.e. more than once every 3 months), your vulnerability data over that period can be measured as systems become more exposed (new vulnerabilities found) or less exposed (patches applied). This is one way to measure the effectiveness of your patch management and your security program.
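To make the previous two points concrete, here is an added example (not code from the original post or from any of the products it names) that takes a series of scheduled scan snapshots and turns them into the kind of trend and remediation metrics a scan report alone cannot give you: a weighted exposure score per scan, each finding's lifecycle from first seen to closed, mean time to remediate, and a check that the scan cadence stays inside a chosen maximum gap. The hosts, finding IDs and dates are constructed for the example; the IDs are placeholders, not real vulnerability identifiers, and the severity weights are an arbitrary assumption you would replace with your own scoring.

```python
from datetime import date

# Constructed sample: three scheduled scans of the same two hosts.
# Each finding is (host, finding_id, severity). IDs are placeholders, not real CVEs.
SCANS = [
    (date(2010, 1, 4), [
        ("web01", "VULN-A", "high"),
        ("web01", "VULN-B", "medium"),
        ("db01", "VULN-C", "high"),
    ]),
    (date(2010, 2, 1), [
        ("web01", "VULN-B", "medium"),
        ("db01", "VULN-C", "high"),
        ("db01", "VULN-D", "low"),
    ]),
    (date(2010, 3, 1), [
        ("web01", "VULN-E", "high"),
        ("db01", "VULN-D", "low"),
    ]),
]

# Assumed weights; tune to your own risk model.
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}


def exposure_score(findings):
    """Weighted sum of open findings in one scan; higher means more exposed."""
    return sum(SEVERITY_WEIGHT[sev] for _, _, sev in findings)


def exposure_trend(scans):
    """Chronological list of (scan_date, open_finding_count, exposure_score)."""
    ordered = sorted(scans, key=lambda s: s[0])
    return [(d, len(f), exposure_score(f)) for d, f in ordered]


def finding_lifecycle(scans):
    """Track each (host, finding_id) across scans.

    A finding is 'closed' on the first scan date where it is no longer reported;
    if it reappears later it is reopened. Returns a dict keyed by (host, id).
    """
    ordered = sorted(scans, key=lambda s: s[0])
    life = {}
    for scan_date, findings in ordered:
        present = set()
        for host, fid, sev in findings:
            key = (host, fid)
            present.add(key)
            entry = life.setdefault(key, {
                "severity": sev, "first_seen": scan_date,
                "last_seen": scan_date, "closed_on": None,
            })
            entry["last_seen"] = scan_date
            entry["closed_on"] = None  # seen again: open (or reopened)
        for key, entry in life.items():
            if entry["closed_on"] is None and key not in present:
                entry["closed_on"] = scan_date  # absent this scan: treat as remediated
    return life


def mean_time_to_remediate(life):
    """Average days from first seen to closure, over closed findings only."""
    closed = [(e["closed_on"] - e["first_seen"]).days
              for e in life.values() if e["closed_on"] is not None]
    return sum(closed) / len(closed) if closed else None


def still_open(life):
    """Findings never observed as remediated, sorted for stable reporting."""
    return sorted(k for k, e in life.items() if e["closed_on"] is None)


def scan_gaps_days(scans):
    """Days between consecutive scans; used to verify the schedule is actually kept."""
    dates = sorted(d for d, _ in scans)
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def cadence_ok(scans, max_gap_days=90):
    """True if no two consecutive scans are further apart than max_gap_days (quarterly by default)."""
    return all(g <= max_gap_days for g in scan_gaps_days(scans))


if __name__ == "__main__":
    for d, n, score in exposure_trend(SCANS):
        print(f"{d}: {n} open findings, exposure score {score}")
    life = finding_lifecycle(SCANS)
    print("MTTR (days):", mean_time_to_remediate(life))
    print("still open:", still_open(life))
    print("scan gaps (days):", scan_gaps_days(SCANS), "cadence ok:", cadence_ok(SCANS))
```

The exposure trend is the number to put in front of management: in the constructed data it falls from 25 to 16 to 11 across three scans, while the lifecycle view shows which specific findings were remediated and how long each one stayed open. Feeding the same per-finding records into a ticketing system is what turns this from a report into tracked work.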

Thirdly, this ensures your company clearly sees that security is a process and not just a one-time effort. This distinction is important because you, as a security practitioner, will need data to prove you need a consistent and ongoing supply of money to maintain security. Security is continuous and ever changing; stagnation is a guarantee of breach.

Moral of this story… manage security, don’t just triage it and forget it.

Great tools for managing vulnerabilities are:
-Rapid7
-McAfee Vulnerability Manager
-Qualys

Don’t forget the weakest link

June 18th, 2010 Lawrence Pingree

With all of today’s focus on securing for PCI or SOX, we often find ourselves leaving our security risk management priorities behind. As we all know, there are many ways to breach the security of a corporation and many safeguards to select from.

Which brings me to the fact that there are many internal web applications used inside companies that we sometimes forget about, and that can cause the rest of our security to fail. Good examples of such sites are intranets, bug tracking apps, internal document websites, employee benefit portals, time tracking portals etc.

It only takes one of these sites using a non-encrypted session (i.e. no SSL) to render an entire corporate PCI or SOX security paradigm useless. A single use of the Cain & Abel sniffer tool along with ARP spoofing can capture the passwords your privileged users use and give an attacker access to your sensitive data.

Although most corporations ask employees to use different or more complex passwords on disparate applications, the move to centralized LDAP or AD authenticated environments means passwords are no longer different across these systems.
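The practical defence is to inventory those internal applications and check each one for the conditions the post describes: a login page reachable over cleartext HTTP, and session cookies that would be sent in the clear or exposed to script. The following is an added example (my own illustration, not code from the post) that audits a constructed inventory of internal apps from their login URL and captured response headers. The hostnames, cookie names and header values are made up for the example; the list of cookie-name hints used to spot session cookies is an assumption you would adapt to your own applications.

```python
from urllib.parse import urlparse

# Constructed inventory: hostnames and headers are made up for this example.
INVENTORY = [
    {"name": "intranet", "login_url": "http://intranet.corp.example/login",
     "headers": [("Set-Cookie", "JSESSIONID=abc; Path=/")]},
    {"name": "bugtracker", "login_url": "https://bugs.corp.example/login",
     "headers": [("Set-Cookie", "sid=def; Path=/; Secure; HttpOnly"),
                 ("Strict-Transport-Security", "max-age=31536000")]},
    {"name": "timesheets", "login_url": "https://time.corp.example/login",
     "headers": [("Set-Cookie", "PHPSESSID=ghi; Path=/; HttpOnly")]},
]

# Assumed substrings that identify a session/auth cookie by name.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def cookie_flags(set_cookie_value):
    """Split a Set-Cookie value into (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, flags


def audit_app(app):
    """Return a list of weaknesses that would expose shared AD/LDAP credentials."""
    issues = []
    scheme = urlparse(app["login_url"]).scheme.lower()
    if scheme != "https":
        issues.append("login page served over cleartext HTTP")
    header_names = {n.lower() for n, _ in app["headers"]}
    if scheme == "https" and "strict-transport-security" not in header_names:
        # Without HSTS a browser can still be steered to the http:// version first.
        issues.append("no Strict-Transport-Security header")
    for n, v in app["headers"]:
        if n.lower() != "set-cookie":
            continue
        name, flags = cookie_flags(v)
        if not any(h in name.lower() for h in SESSION_COOKIE_HINTS):
            continue  # not a session cookie by our naming assumption
        if "secure" not in flags:
            issues.append(f"session cookie {name} lacks Secure flag")
        if "httponly" not in flags:
            issues.append(f"session cookie {name} lacks HttpOnly flag")
    return issues


def audit_inventory(inventory):
    """Map each application name to its list of issues (empty list means clean)."""
    return {app["name"]: audit_app(app) for app in inventory}


def weakest_links(inventory):
    """Applications with at least one issue: each is a single point of failure
    when every app authenticates against the same central directory."""
    return sorted(name for name, issues in audit_inventory(inventory).items() if issues)


if __name__ == "__main__":
    for name, issues in audit_inventory(INVENTORY).items():
        print(name, "->", issues or "ok")
    print("weakest links:", weakest_links(INVENTORY))
```

Run this against the real list of internal portals rather than a handful of PCI-scoped hosts: with centralized authentication, the one forgotten time-tracking site on plain HTTP is the weakest link the post is warning about, because the credential it leaks is the same one that opens every other system.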

The moral of this story is, please don’t ignore your weakest link. Security is end to end.


Kevin Mitnick kicked off AT&T network

August 20th, 2009 Lawrence Pingree

In a surprise move by AT&T, Kevin Mitnick (famous social engineering hacker) was told he was too difficult to protect by AT&T and his accounts terminated. It’s funny that a corporation with so many customers would do such a thing to such a widely syndicated person. If I were AT&T I would take the opportunity to use Mitnick’s accounts as a honeypot, adding extra monitoring so I could boost security, but instead it appears AT&T decided it was easier to boot him out. Makes me wary of using AT&T because it says to me they lack dedication and proper infosec strategy. Who am I though? I am only one voice in a very large crowd.

Story source: infosecnews.org


DOS the power grid

August 4th, 2009 Lawrence Pingree

Yesterday I was on my way home on BART, and I noticed a woman holding a copy of Time magazine. She was reading an article about how Iran’s protests had gone from being publicly held to a second, more private phase. The article described that the Iranians were going home and, just before the government-run newscast, they would switch on all their home appliances, causing a denial of service to the power grid. Quite an interesting and innovative way to protest in my opinion. It was a good way for Iranians to stay somewhat anonymous and still have the desired effect.

Which brought me to think about how only a few years ago, California’s weak electrical grid went through serious turmoil and made it obvious to everyone how critical electricity and its continuous supply really is to us. Another thing we learned was how weak our grid really is, and that only a small increase in use could have such devastating effects. That being said, it makes me wonder how prepared our electrical suppliers are if our citizens were to stage similar protests, and how our entire economy could be put at risk by so few people. Another interesting aspect is, really, how would one prosecute such an act? I don’t believe there are any laws to prevent/prosecute overuse of your home appliances :)

Top 5 requirements for vulnerability management products

July 28th, 2009 Lawrence Pingree

1. Web application security scanning
2. Enterprise (closed loop) helpdesk ticket integration
3. Breadth and coverage of vulnerabilities (active research)
4. Low cost & low maintenance
5. Single enterprise vulnerability management console
