After some modifications, a Senate committee has approved the controversial “Protecting Cyberspace as a National Asset Act of 2010”. The most controversial portion of the bill, the provision allowing the president to shut down the internet, has been modified somewhat. Details of the bill are here.
Many corporations in the world are now mandated by PCI to perform at least quarterly scans against their PCI in-scope computing systems. The main goal of this activity is to ensure that vulnerabilities in systems are identified and fixed on a regular basis. I myself think this is one of the more important provisions of PCI and one that I believe is essential to maintaining a secure environment.
What most corporations initially do is start by using simple scanning tools such as Nessus, GFI LANguard, ISS scanner, etc. and perform on-demand scans. While this is all well and good and provides an immediate snapshot of a particular point in time, there are several major flaws that must be addressed through richer tools.
First, it is great to get vulnerability and patch data; however, handing a systems engineer or administrator a single report listing dozens if not hundreds of things to fix quickly becomes unreasonable for them to track and respond to. We often forget that this systems engineer is usually tasked with many other duties they must prioritize, including new installs, troubleshooting, bug patching, administration, configuration, etc., that demand most of their time. These activities are often far more time sensitive in their eyes, as projects and the like have people bugging them regularly for completion. It is also important to note that the business is pushing them for ever greater functionality and features.
Given this fact, a simple scan report is just not viable for them to prioritize and track against their existing workload. This has given rise to vulnerability management, a.k.a. the process of managing vulnerabilities through to remediation by means of ticketing and reporting to management.
Secondly, another important flaw that exists with simple scanning alone is the lack of overall metrics for measuring risk. Measuring risk is hard to do in security, but if you have an automated scanning process that runs on a regularly scheduled basis (i.e. more often than once every 3 months), your vulnerability data over that time can be measured as systems become either more exposed or less exposed as they are patched or as new vulnerabilities are found. This is one way you can effectively measure the effectiveness of your patch management and your security program.
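As an added illustration of the ticketing and trend-metrics arguments in the two paragraphs above (this is not code from the original post), here is a small Python script that diffs successive scan snapshots into findings to ticket and findings to close, and computes an exposure trend and mean days-to-remediate across scans. The scan data, host names, vulnerability labels and 1..4 severity scale are all constructed.

```python
"""Vulnerability-management metrics over successive scan snapshots.
Added example, not from the original post; all scan data below is constructed."""
from datetime import date

# Constructed snapshots: (scan_date, set of (host, vuln_id, severity)).
# Severity is on a 1..4 scale (4 = critical), as a scanner might export it.
SCANS = [
    (date(2010, 1, 4), {("web01", "VULN-A", 4), ("web01", "VULN-B", 2), ("db01", "VULN-C", 3)}),
    (date(2010, 2, 1), {("web01", "VULN-B", 2), ("db01", "VULN-C", 3), ("db01", "VULN-D", 4)}),
    (date(2010, 3, 1), {("web01", "VULN-B", 2), ("db01", "VULN-D", 4), ("app01", "VULN-E", 1)}),
]


def diff_scans(prev, curr):
    """Return (new, fixed, persisting) findings keyed by (host, vuln_id).
    'new' is what gets ticketed, 'fixed' is what gets closed."""
    prev_keys = {(h, v) for h, v, _ in prev}
    curr_keys = {(h, v) for h, v, _ in curr}
    return curr_keys - prev_keys, prev_keys - curr_keys, curr_keys & prev_keys


def exposure_score(findings):
    """Weighted exposure: sum of severity^2, so one critical outweighs several lows."""
    return sum(sev ** 2 for _, _, sev in findings)


def remediation_metrics(scans):
    """Track first-seen date per finding across scans; return the per-scan trend
    (date, open count, exposure, new, fixed) and mean days-to-remediate."""
    first_seen, closed_days, trend, prev = {}, [], [], set()
    for day, findings in scans:
        new, fixed, _ = diff_scans(prev, findings)
        for key in new:
            first_seen[key] = day  # a regression re-enters here with a fresh date
        for key in fixed:
            closed_days.append((day - first_seen[key]).days)
        trend.append((day.isoformat(), len(findings), exposure_score(findings), len(new), len(fixed)))
        prev = findings
    mttr = sum(closed_days) / len(closed_days) if closed_days else None
    return trend, mttr


if __name__ == "__main__":
    trend, mttr = remediation_metrics(SCANS)
    for row in trend:
        print("date=%s open=%d exposure=%d new=%d fixed=%d" % row)
    print("mean days to remediate:", mttr)
```

Note that the exposure score stays flat between the first two scans even though a critical was fixed, because another critical appeared; that is exactly the kind of signal a single on-demand report cannot show.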
Thirdly, this ensures your company clearly sees that security is a process and not just a one-time effort. This distinction is important because you, as a security practitioner, will need data to prove that you need a consistent and ongoing supply of money to maintain security. Security is continuous and ever changing; stagnation is a guarantee of breach.
Moral of this story… manage security, don’t just triage it and forget it.
Great tools for managing vulnerabilities are:
- McAfee Vulnerability Manager
With all of today’s focus on securing for PCI or SOX, we often find ourselves leaving our security risk management priorities behind. As we all know, there are many ways to breach the security of a corporation and many safeguards we have to select from.
Which brings me to the fact that there are many internal web applications used inside companies that we sometimes forget about, and that can cause the rest of our security to fail. Good examples of such sites are intranets, bug tracking apps, internal document websites, employee benefit portals, time tracking portals, etc.
It only takes one of these sites using a non-encrypted session (i.e. no SSL) to render an entire corporate PCI or SOX security paradigm useless. One single use of the Cain & Abel sniffer tool along with ARP spoofing can suck down the passwords your privileged users use and give rise to an attacker gaining access to your sensitive data.
Although most corporations ask employees to use different or more complex passwords on disparate applications, the move to centralized LDAP or AD authenticated environments means that passwords are now no longer different on these systems.
The moral of this story is, please don’t ignore your weakest link. Security is end to end.
Imagine for a moment that we take all of today’s technological developments and remove security and compliance completely from them. Then we put ourselves through a single day in our lives, just one harmless, fun-loving day. Let’s just see what happens along our merry way.
So the day starts with me waking in the morning at SIX to my Chumby alarm playing. I get up and start to get ready for work with my normal routine: 2 cups of coffee, shower, walk the dog, eat a quick tangerine. I call my dog in from her early morning walk, she runs in, I shut the door behind her, and I hear a quick pop. This time though the door doesn’t shut, it simply bounces. The door is now missing a knob and a lock. So now the door simply glides open and closed lightly with the breeze, like a windsock I suppose. Shortly thereafter my dog gets a glimpse of a cat posing outside; she pushes the door open and shoots outside in a cinch. I run rapidly after my dog and finally catch her, return her to the house and prop the door with a chair so as to not let her escape again.
Now I’m ready to leave for work, so I walk to the garage, open the door to my car and hop on in. I have some nice electronics for my listening and driving pleasure. You know, pleasures such as the iPod with stereo integration, a navigation system and an mp3-playing stereo system. But wait just a moment, why was GPS invented? Oh yeah, the Department of Defense created that for security, so since this is a day without security my GPS no longer works. Well, I sat in my car and realized that the door locks were missing from my car, and someone had grabbed all my stereo equipment. I never heard my alarm (remember, this is a day without security).
Then I quickly jump in my car and I’m dumbfounded by the fact that, oh my, I no longer have keys to start it. So I’m now forced to become quickly familiar with hotwiring my car. I twist together some wires under my dash and luckily get the engine started for my trek to work.
I jump onto the freeway and I’m trying to change lanes to merge, and for some reason everyone is doing 120 MPH past me and being real jerks, just flying by with no regard for anyone at all. They all seem to own the road. I wonder to myself, why oh why would this be happening? And then it dawns on me… no police, no highway patrol (oh my, I guess they are for security too). So I speed up rapidly (my 4 cylinder maxed out) and join the ever speedy flow of annoying and law-breaking citizenry; each time I change lanes my doors fly open since there are no latches to hold them. I feel like going back home. But alas, I press on.
I finally get to work and I’m totally overwhelmed. I park my car in the garage, walk to the entrance of the building and notice people running with boxes, computers, electronics and various other expensive items. My gosh, they are robbing the place, no security of course. The entryway has no badge readers and the doors no locks. Finally I enter the building and go up the elevator to my floor. I then arrive at my desk with a sigh of relief, collapse into my chair and plug in my mouse. I power up my laptop, ready to start my day. My computer boots up with no password, again to my dismay. I launch a browser to go check my mail and, lo and behold, it’s a task that will fail, because without logins and passwords at boot, personalization and customization are all totally moot.
I pop up a website and shown right at the top is a small little news clip: “There’s a new worm we must stop”. My computer starts spittering and sputtering and junk, and before you know it it’s an unusable hunk. So tell me again out there that security is just a cost, when without it I’m telling you your business is a complete loss.