Security's Everyman

Security's Everyman

Tuesday, January 29, 2008

Join me at CSO Perspectives

I just got word from the CSO Perspectives team that I can bring a friend with me to the conference for a deeply discounted rate. The normal rate is $1495 and if you are interested in going I can get you in for $395. The date is March 16-18, 2008 here in Atlanta. If you are interested in joining me and the rest of the attendees drop me a note and I'll get you the information.

The lunatic is in my head

timeline_darkside You can stop with the snide comments now. :)

It seems that every week we read about another insider who has done something to damage the company. Sometimes it is physical (postal shootings, Coke document theft), sometimes it is digital theft, planting of a virus or logic bomb, unauthorized access after termination of employment, etc... It seems to me that there are two common themes in most of these:
1) Disgruntled employee.
2) Human error. This ranges from a lack of implementing proper controls or procedures, lack of following proper controls or procedures, laziness, apathy, or carelessness.

This morning I read this story on about an inside job where an employee of AT Systems (an armored money delivery service) stole 8.5 million dollars. He was able to pull it off by being smart and observant.

He used another employees security code to gain entry to the building after hours. The story doesn't say how he got the code. Did the other employee give it to him? Did he get it by "shoulder surfing"? Did he find it written down somewhere? Let's look at each of these and see what went wrong.

  • It was given to him. I would imagine that a company that handles large amounts of cash would have a policy against sharing your access code with others. So the human error of laziness, apathy or carelessness comes into play.
  • He "shoulder surfed" it. I would think that the company teaches their employees to be careful when entering security codes to ensure that others do not find out what their code is. So again laziness, apathy, or carelessness comes into play.
  • He found it. I also imagine that they have a policy that forbids you to write your code down. Most of these codes are fairly short (4 to 6 digits) and are easy to memorize. So what went wrong here? Again, I have to point to human error.

Regarding this I have a couple of questions. Why did the code give 24/7 access (I'm assuming) to the building in the first place? Was there a legitimate business need for full and unfettered access? I doubt it and if there is when access to that much cash is involved I would think that dual access control would be called for. This is where policy and procedure needs to step up. Never should any one person be allowed to gain access to that much cash or even the facility that houses that much money.

The other thing that the article mentions is that he "watched and listened".

 "I decided to steal money from AT Systems' vault," he wrote. "I set about learning codes and watching and listening."

One thing that I preach in User Awareness is that you have to be careful what you talk about and where you talk about it. Even if you are at work. There are things that not everyone need to know. Don't discuss procedures around people who don't need to know them. Again, when entering passwords, access codes, combinations, etc ensure that no one else can see what you are doing. In my opinion those who were careless in what they discussed and how they didn't protect the information to gain access to the money are partially to blame for the loss. 

Friday, January 25, 2008

SANS Top 10 Security Threats for 2008

SANS has released it's list of the Top 10 Security Threats for 2008. Since I didn't make my own list of predictions (you can't really count the one I did) I decided to comment on theirs.

  1. Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web Sites
    This is the thing that scares me the most. It has gotten amazingly easy for the bad guys to infect our machines. Historically we had to do something to get infected with malware (click on a link, run an .exe, etc). Now all you have to do is visit a site that has been compromised. Even better worse that site itself may not be compromised but maybe the site that hosts the banner ads on it has been compromised. It's almost a no win situation. Even those who are very careful may end up getting pwned. The best defense is to stay on your guard and make sure that you keep your system patched. That means all parts of it. Operating System, Applications and browser addons. (See "Will Malware Kill the Internet?" for more tips.)

  2. Increasing Sophistication And Effectiveness In Botnets
    This is another scary one. Storm work and others like it are almost smart. It's almost like this thing thinks on it's own. The techniques that they use to keep a botnet up and running make it almost impossible to defeat. At least the good news (as far as I know) is that you have to do something to get it.

  3. Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts Of Data - Particularly Using Targeted Phishing
    I wish I was as good a fisherman as these guys are. Phishing emails have come a long, long way. No longer are they (the good ones) filled with bad spelling and grammar. No longer do they look fake. Now they look, sound and even feel real. Then to add insult to injury the bad guys are making the emails very personal. They often mention things about you and your company that all but ensure that they are illegitimate messages. These types of attacks will force us to pay closer attention to our emails. If we are to prevent a possible major catastrophe we will be forced to make User Awareness Training a higher priority and we will require that the be relevant, effective and interesting.

  4. Mobile Phone Threats, Especially Against iPhones And Android-Based Phones; Plus VOIP
    For the last few years we have been hearing warnings about how we had better get a handle on mobile devices before they become commonplace. I'm afraid that most organizations have ignored this warning. This means that now instead of being ahead of the curve and having a policy and plan in place to deal with them companies are having to play catchup. What is going to make this even more difficult is that now the users are used to having them and connecting them to the network. They are used to doing as they please and we have the fun job of telling them to stop. This does not go over well in most organizations and in even more management gives in and allows it to continue.
    As for VOIP it to will become a headache because, as in most things, security wasn't built in and taken into consideration from the early stages. Now we are having to figure out how to secure it after the fact. Another factor in this is that many organizations are deploying it and thinking that there are no security concerns with it. They approach it like they have traditional voice in the past. It's not the same and it has lots of potential to be trouble if not implemented and managed correctly.

  5. Insider Attacks
    We've already seen several examples of insider attacks this year. The bank in France that was defrauded out of $7 BILLION dollars by a rogue trader who worked for the bank and the Administrative Assistant who deleted $2.5 million dollars worth of documents because she thought that she was going to be replaced. The sad part of this is that these are just those who are trying to do bad things to our networks and companies. Another front that we have to secure against is the insider mistake. While this isn't an attack per se it can still have a devastating effect on our systems. Ensure that your employees don't have more rights than they need to do their jobs and we have to put controls in place to prevent their mistakes from becoming our nightmare.

  6. Advanced Identity Theft from Persistent Bots
    Getting a keystroke logger or rootkit on your machine is never fun. Especially if it leads to identity theft or extortion. This is a fairly new attack vector where the goal is still financial gain for the bad guy but they seem to have an additional motive of playing games. Maybe they learn enough about you to impersonate you online because they have all of your social media credentials or they send nasty emails to others on your behalf (of course w/o your knowledge or permission). Then it usually comes down to trying to get more money from you. If they can't have fun while doing it through extortion or such they will just take it out of your account.

  7. Increasingly Malicious Spyware
    So far I've never seen malware get less malicious and easier to detect and remove so there is no reason that it will start this year. The thing about this is that it is now a business just like legitimate software sales. The bad guys are offering support and various levels of use. Since they are making money from using it themselves and selling it they will work harder and harder to make it better and more effective.

  8. Web Application Security Exploits
    Again these get worse every year and more prevalent. This will require that our Web dev teams take security seriously and learn how to not only code securely but to think about security while coding. Then of course the rest of IT has to play it's part. The DBA's have to ensure that the databases are secured and the network team has to ensure that the firewalls, IPS and the rest of the infrastructure does their part.

  9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing
    Social engineering is another area where the bad guys are getting better and unfortunately this is an area where technology is limited. We can put the controls in place but if the users give out the information over the phone or click on the link or send the data in an email then there is little we can do. You can say that there is technology to stop most of this but it's too expensive for most companies to deploy all of it and if they do they don't have the staff to support it. Our best bet here again is better User Awareness Training. We have to constantly update our message to keep it fresh and ensure that the users are hearing us.

  10. Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations
    This is an area that I think will continue to grow as a malware distribution point. As we get more and more "connected" in all we do we are plugging everything we get into our computers. About the only way to ensure that it doesn't happen to you is to have a system that you check all of these devices on before you put it on your main system. Of course you and I may do that but I can assure you that my in-laws won't. I quit using the USB keys that I get at conferences for this very reason. Not that I don't trust the vendor who gave it to me but I don't trust where they got it.

There you have it. My thoughts on this Top 10. I hope you found it helpful.

Conferences and Speaking

Correction - The Birmingham InfraGard meeting is March 11, 2008 not the 4th.

One thing that I really enjoy doing is going to conferences and getting to meet others in IT and Security. Unfortunately I don't get to attend as many as I would like. There are a couple of events here in Atlanta that I'll be attending in the next few weeks that I hope will prove to be fruitful.

The first is SecureAtlanta 2008. This is an ISC2 event that takes place Feb 28th at Georgia Tech. The focus is on Computer forensics. It's pretty high level and is aimed at gaining a better understanding of the why's and legalities of digital forensics than the how to do it. If you are interested in going you can register here. It's free for ISC2 members and ISSA members get a reduced rate.

I'm also attending CSO Perspectives 2008 March 16-18 here in Atlanta. The nice people at CSO Executive Programs were kind enough to allow me to attend as Press. This is a conference that I'm really looking forward to.

Finally March 4th I'm speaking at the Birmingham InfraGard Chapter. I'll be talking about some of the challenges in my current position as Security Officer as well as about the Security Catalysts Community.

I'm hoping to make RSA this year but once again I have a few challenges that I have to overcome to get there. Maybe it will all work out.

If any of you are going to be at any of the events that I'll be at let me know. I'd love to get the chance to meet you.

Tuesday, January 22, 2008

Did I Say That?

Last week I read about the bank robbery where the guy dressed up like a courier and was able to get away with $850,000 and it struck me somewhat funny that I could see that happening. In the past I've worked for a couple of banks and I have no doubt that it could happen pretty easily. Today I saw on an article about this and a couple of other Social Engineering attacks that have recently been in the news. Good article that I think you will enjoy reading (site registration is required).

Social engineering has been around for a long, long time. Long before computers. We've all seen the movies or heard the stories about how spies would social engineer people during war to gain secrets that would help their side win the war. This usually involved sex or at least the promise of it.  Social engineering can take many routes. It happens via email, over the phone, face to face, and even by paper. They try to get you to divulge information directly or indirectly. They may try to get you to sign something that gives them access to what they want without your knowledge. They may try to get you to answer questions and then use those answers (recorded) to authorize access to their target.

Sometimes they will use flattery (we all have our vanities), they try to confuse you by asking trick or misleading questions, they may avoid answering your questions w/ ramblings so that you get off track and allow them to go on their way. Sometimes they play on your sympathies by telling you sad stories or they may try to take advantage of your generous nature. Often they just come right out and ask and hope that your are either not paying attention, don't care, or are just too stupid ok stupid is what they are hoping for.

The successful social engineer relies on a toolbox full of tricks that can hack away at the psychological traits we all share. These traits include human desires to be:

  • helpful or friendly
  • competent in our positions
  • trusting of other people
  • advancing our own cause and career
  • attractive to those we admire or desire
  • perceived as a team player
  • avoiding bad consequences for ourselves or others

But bad people are bad people, and they will want to exploit an employee’s goodness. Your employees should routinely verify:

  • 1. With whom they are talking and,
  • 2. That they are entitled to the information they are requesting.

“Your employees should be absolutely sure of this,” Cole notes. They should be encouraged to think carefully and, when in doubt, take a message and check with a supervisor.

The above is a quote from the bankinfosecurity article that helps us to see a little of why social engineering works and what we can do to stop it. This is something that I stress to everyone that I talk to about this. VERIFY, VERIFY, VERIFY the identity of anyone who comes to you asking for information, seeking to work on something in your area, or hoping to find their way somewhere within the building. If they are lost and you don't know them escort them to where they say they need to go after you have verified their identity. Don't just let them continue to wander aimlessly around the building.

The other thing that the article points out that I want to comment on is the rise of "spear phishing" attacks. We need to teach our employees not to blindly answer emails or phone calls from someone just because they say that they are someone important. An email that looks like it came from the CEO (or anyone for that matter) needs to be verified before you blindly send sensitive information to them. I know the idea of teaching your users how to check email headers makes you sick, but it's worth it if it prevents the leak of sensitive data.

The important thing is that we make our users aware of social engineering threats and at the very least teach them to not just blindly give out information. If they are unsure then they need to refer the person to management. Teach them to stop and think before acting.

Monday, January 21, 2008

A little clarity

I've gotten a bit of feedback on my post "Will Malware Kill the Internet" and I want to clarify a few things.

  • I don't really think that malware will kill the internet. As Kurt Wismer put it "malware profiteers need the internet"
  • I won't quit using the internet. I can assure you that I my usage will most likely increase not decrease. Just today I joined Twitter.
  • I may quit using the Internet for financial dealings. Things such as online banking, stocks, etc...
  • For online purchases I'll probably start using one time use credit card numbers.

I do have fears that things will continue to get more dangerous to the average user. I'm not an average user. I'm very careful but as the bad guys get smarter and better at what they do it makes it more difficult for even the most careful of us.

Now on Twitter

I'm not sure why but I have decided to join Twitter. I have a few friends who are one it and thought "Why not?". If I don't like it I can always quit using it and delete my account.

So if you want to follow me via twitter you can check the home page of my blog, go here, or add me to your list of those to follow. I can't promise just how much I'll update. I guess it will depend on what I'm doing and if I remember to add updates.

Thursday, January 17, 2008

Will Malware Kill the Internet?

There was a question posted to the Security Catalyst Community forums earlier asking about our thoughts on the MBR (Master Boot Record) malware that is circulating again. I've mentioned several times in the past that the Internet scares me since it is so easy to drop malware on your computer. The fact that now it is getting more common for Owned sites to be Pwned makes it even worse. Then to hear that security companies and malware researchers are saying that malware increased between 500% and 1000%.

What chance do we have? I hate to sound so "doom and gloom" but you almost hate to think what things will be like this time next year. I've gotten used to not writing checks and doing all of my banking online. Yet, I hate to think of what would happen if my computer was infected by a site that was serving up malware unknowingly. I may have to go back to writing checks.

I'm not normally negative about such things, but this has me worried. Also, not being one to point out a problem w/o offering up solutions I will repeat what all of you probably know. A few things that you can do to reduce the chance of getting malware on your system when surfing the Internet.

  1. Don't use your computer logged in with privileges any higher than "User"
  2. Don't click on links from emails, IM's unless you are 100% sure that they are valid and safe.
  3. When possible type the address in yourself.
  4. Verify links before clicking on them by making sure that they take you where they say they are going to take you. You can do this by putting your mouse over them and checking the browser status bar or by looking at the page source.
  5. Be very wary of shortened links that are created with things such as TinyURL.
  6. Use Firefox or another alternative browser instead of Internet Explorer.
  7. If offered by your browser community use things such as "no script" and "ad blocker".
  8. Stay off of web sites that are known for serving up malware. (Porn, gambling, hacker, etc)

There are lots of other things that you can and should be doing to keep yourself safe. These are just the basics. If you are not aware of what else you can do then I highly recommend that you search for ways to secure your PC or email me and I'll give a more detailed list.

Asking the right questions?

Tom Olzak has a post on his ITToolbox blog "Adventures in Security" about the theft of equipment, including 2 laptops with voter PII, from the Davidson County Tennessee Election Commission Office.

It's obvious that they didn't take "reasonable" security precautions by keeping them in an office that was only minimally secured. The next thing is the fact that the laptops contained PII and especially Social Security Numbers of the voters. I like the question that Tom asks.

The first question the election commission should ask is whether information like social security account numbers is actually required on a laptop.
Too often this simple, basic question is not asked. IMHO this question should be answered before ANY data is put on a mobile device. Actually it should be answered before any data is allowed to be stored on any device, even desktop PC's. If the data is stored anywhere but on devices that are controlled by the IT staff (servers, SANs, etc) then there needs to be a valid "business need". Allowing this because it is easy or keeps the users quiet is not a good reason. Office politics are not a valid reason to allow this.

We have to ask the right questions about what we allow and don't allow the users to do. I get lots of request every week from users who want us to forward their email to their personal devices such as their IPhone, Blackberry, Palm, etc... The first question I ask is "What is the business need for you to get your email on your phone?" Usually they say "So I can get my email while in meetings." That is not a valid business need. Unless your job requires immediate response or action to email then you don't need immediate access to your email in meetings.

The other thing is that if there is a valid business need then at least 2 things should happen. First, your manager should request that your email be sent to your phone. Second, the company should provide you with a email enabled phone. The IT department should not be responsible for supporting personal devices. Not to mention the security and legal implications around allowing company data on personal devices that are not managed by corporate IT.

So, we need to learn what the right questions are and start asking them and requiring that they be answered satisfactorily before we allow users to have control of data.

Wednesday, January 16, 2008

Reacting or Thinking

Yesterday I drove to work which isn't something that I typically do. I like my sanity too much (what little is left) to fight Atlanta traffic on a regular basis. I woke up late and missed the one bus that will get me to the office in a decent amount of time so I decided to work from home for a couple of hours and then drive in after rush hour was over. I had the same thought process for my commute home. Leave before rush hour and work remotely for a couple of hours. So I left early and went to my favorite coffee house and set up office for a while. I let my wife know that I was close by in case something happened and she needed me in an emergency.

Some would say that I was setting myself up for this but about an hour later my cell phone rang and it was her. "You've got to come home right now! Bella drank about 1/4 cup of Hydrogen Peroxide!" CLICK My phone went dead just as I was about to tell her to call Poison Control. So, I packed up quickly and hit the road. I called back to calm my wife down and to have her call Poison Control. When I arrived home my wife informed me that our youngest daughter may have also drank some of the peroxide also.

My wife was rushing around getting ready to take the girls to the doctor and getting upset with me because I wasn't panicking. I knew that peroxide could be dangerous to a child if enough was ingested but I also knew that it would cause them to throw up soon. So I convinced her to wait a while and see what happens. I also asked my daughters about how much they had actually drunk and called Poison Control myself to talk to them. It turns out that the oldest only had a "good swallow" and that the youngest just tasted it. The oldest did throw up and Poison Control told me not to worry.

That got me to thinking about how IS/IT teams often react to emergencies at work. Do they panic and rush into a plan that hasn't been thought out or do they take a deep breath and look at what is going on and try to learn the facts of what has happened and what their options are? If you don't have an incident response plan I can tell you that more than likely people are reacting instead of thinking. Even if you have an IR Plan if it hasn't been tested and the team isn't familiar with the plan and their role in the incident they will usually just do whatever comes to mind first. Sometimes that works well and sometimes not so much. You can't take that chance.

Tuesday, January 15, 2008

Yeah! MySpace

MySpace has been a Security Professionals, Privacy Rights Advocate and Parents nightmare from the beginning. Between the security vulnerabilities, privacy concerns, ease of ruining or tarnishing your reputation and ability for predators and others to harass you there has not been a lot of good to come from MySpace. Of course all of this is my opinion. There those who love MySpace and don't think the issues associated with it are any greater than any other social networking site including business related sites such as Linkedin or ITToolbox. In fact some say that all web sites present equal potential to do harm to you or your computer.

Even though I'm not a big fan of MySpace I have to give them credit for working towards making things more secure and safe for their users. They are working with the Attorney Generals from 49 States and the District of Columbia to come up with a plan that hopefully will be adopted by most other social networking sites. NetworkWorld has a write up on it here. You can read the article and also find the original document to read.

Some of the things that they are doing are:

  • All profiles of users under 16 years old are automatically set to private
  • No one over 18 can view the profile of anyone under 18 (w/o jumping through hoops)
  • No one under 14 can have a MySpace profile
  • Create a database or email addresses that can't have a profile (parents can add their kids to this database)
  • Monitor and remove inappropriate material uploaded
  • Break links to porn sites and other inappropriate sites.
These are all good and well to help make things safer and hopefully guard privacy of our kids. Unfortunately most of these can be easily gotten around.
  • To keep my profile from being set to private automatically I just lie about my age
  • To be able to view and contact those under 16 I just create a profile of someone under 16
  • If I'm 12 I just lie about my age so I can have a profile
  • If my email address is blocked I create a new email address
So, as good as it seems most of this is just fluff designed to make us think that MySpace and other sites are safe for us and our kids. It will encourage deception and create a false sense of security for kids and parents. This will lead to less monitoring by parents and more risky behavior by kids.

Like it or not parental monitoring of sites such as MySpace is the only way to ensure that your kids are safe and not doing things that they shouldn't be doing and to lessen the possibility of them communicating with those they don't need to communicate with.

Sunday, January 13, 2008

PCI Compliance "Why Bother?"

Alex is convinced that PCI compliance has little to do with information security, at least in terms of companies desire to achieve compliance. It's all about the semantics involved in getting past the legal mumbo jumbo involved in meeting each section of the DSS. His hypothesis is based partially on the questions that are asked in the Yahoo! Groups PCI Compliance group. I'm also a member of that group and I would agree that most of the questions are not "how do I become more secure" but "How do I comply with a particular section?" That is to be expected just because of the nature of the group. It is about PCI compliance and not security in general.

I still have to agree with Alex though. Based on the discussions that I've had with others about their PCI experience and also with vendors the quest isn't "more secure" but "just enough". It appears that companies aren't working towards protecting their networks, systems and data but keeping the auditors happy and getting a check mark in all of the check boxes.

This leads me to wonder then do the auditors need to expand their scope beyond the regulations? Of course not. That wouldn't work because they have to have limits on their power and scope. What we need to do is get management out of the compliance mindset and into the security mindset. This will take time and will require that we be able to quantify the benefit of security. Maybe it's building cases based on past breeches of other companies and showing what the associated costs were. The real cost not the cost that the analysts come up with.

What will actually work better (and in concert with) is to show the vulnerabilities that have been remediated by what has been currently done and those that will be remediated when other controls are put into place. Then show real world examples of how not being affected by these issues saved time, money and resources.

We have to build our case built on reality and not on FUD. A good example (going back a few years) is blaster. Lots and lots of companies were hit time and time again with blaster. Just when they thought it was cleaned up a forgotten system was turned on or a laptop user connected to the network and then it was running amuck again. Yet those companies that had been patching regularly were unaffected. A good plan for maintaining AV (especially in emergencies), patching, keeping up with all systems (permanent and mobile), having the right routing and firewall rules in place, etc... would have kept your company blaster free. Yet most companies did not employ these things.

So back to PCI. I'm not a big fan of security by compliance because human nature causes us to do just enough to get by but it does at least open our eyes to the need for more security. It also (hopefully) paves the way for us to realize that check boxes aren't enough and reach for real security. Build your case and sell it.

Friday, January 11, 2008

Is Your Information Security Program Real or Only a Check box?

We all know that in order for a Information Security Program to really be successful it has to have support starting at the top. The IT manager can't decide that a program is needed and start implementing it and expect it to really succeed. That doesn't mean that it won't succeed but the IT manager will have to do a lot of leg work to make it happen.

Often a company will be informed by their Internal Audit Team that they need to have an "official" Information Security Program in order to achieve compliance w/ Regulations X,Y and Z or to continue to pass external audits. Then they will start the process of finding and hiring a Security Officer and hopefully some staff.

This is all good and well but is it effective? An audit or regulatory initiated program does not guarantee management support. So the program is still going to face a huge uphill battle to succeed. If the program does not have the support from the CEO and if that support does not cascade down to the levels below then it doesn't matter that they have a program in place it will be severely hampered. To further make things more difficult the information security team will be aware of the lack of support and it will affect their attitude and therefore their performance.

A good Information Security Officer will work tirelessly to get the needed support of the CEO and the rest of the C-Level Management team. It's not easy to do sometimes and it surely isn't a quick process. You have to start out with doing what you can and then build your case. You have to show the benefit of what has been done and what can be done.

There are a couple of things that are troubling to some Information Security Officers. Things that can severely hamper their ability to win the needed support. The first is when the C-Level team is practically unreachable. When they are too busy to be bothered by lower level staff. When they feel that other things more important than hearing about the need for information security.

The obvious thing to do next would be to start with members of management teams that do have the ear of the C-Level team. Of course that means that you have to have the support of that level of management and often time that is also missing. This can happen in companies that have been around for a while and that have management that is from the "old school". They have the mind set that says "We don't need no stinkin' information security program". Information Security is new and it is the "hot" things right now and therefore it can be threatening to the "old guard". They see it as being something that they got along without for years and now it has been forced on them. So what's next will it become more important than their teams and take away some of their prestige, power and pull with upper management?

These are some pretty big hurdles to overcome in lots of companies. They can frustrate security teams and have to be overcome. So what is the answer? First, the Information Security Management has to keep a positive attitude around the rest of the staff. They have to be diligent in building their case and getting it in front of those that matter. Start small and gain the allies that you can. Use them to gain more allies until you have what you need to present your case. During this phase you have to do two other things. 1) You have to be building your C-Level case so that it is rock solid when you present it. 2) You have to do what you can to secure the environment and get the program going. You man not be able to do all that you want but do what you can.

Keep on keepin' on and success should soon follow.

Wednesday, January 09, 2008

Breaches and Incident Response

This is old, December of last year but Darknet reported about a GFI sponsored study on SMB security (this will open a pdf in a browser window). I don't want to talk about the survey results so much as about the next step. Incident response. What are these companies doing in response to their lack of security? Do they have a security incident response plan in place to give guidance or do they just play it off the cuff. I know a guy who asked his manager if the company had a IR plan and his boss said "Yes, we call you and you investigate it, fix it and keep it from happening again." Not exactly a good plan.

An incident response plan is crucial to your security plan and to the successful investigation, response and (hopefully) recovery from an incident. If a plan is not in place then anything can happen to hamper recovery or even worsen the effect of the incident. There needs to be a clear plan of action so that staff knows what to do and what not to do. The plan also needs to outline when to call in outside help. There are times when an investigation requires more skill and expertise than you have in house. If there is the possibility of legal action then a trained digital forensics expert needs to be called in. He/She will know how to best gather evidence and conduct the investigation so that the evidence will be admissible in court. They understand chain of custody and how to maintain it.

A IR plan will cover all of this and more. Each type of system may require different responses to different attacks. A one-size-fits-all approach to IR will not do it unless you are a very small company with a very limited IT infrastructure. I know that for my company I have a generic plan for non-critical systems and then it gets specific for certain systems. My ERP system requires a different plan of action than other non-mission critical systems.

The last thing I want to say about your IR plan is that they are like all policies and plans. They are living and they need to be reviewed regularly and updated. They need to be tested and re-tested. You can write it and file it.

Tuesday, January 08, 2008

The Importance of Good Change Control Practices

A while back one of our Server Admins logged into a server that runs our SNMP management application. Immediately he was hit with an IP address conflict message. Some other machine had taken his IP address. He was on his toes and wrote down all the information that the message gave him (system name and MAC address). Then he sent out an email to the technology group asking who was responsible for this system and no one responded.

Needless to say it raised a red flag in my mind. We started an internal investigation to find out where the system was, what it was, what it was doing, etc... I immediately ran some scans on the system to find out what I could about it. Everything came back blank. NMap and several other scanners all reported that it couldn't tell anything about the OS because the fingerprint matched too many different things. The MAC address was reporting back as all 0's (00:00:00:00:00:00). Finally Nessus was able to tell me that it thought it was a Samba system. A quick check of the team determined that no one here was even familiar w/ Samba much less had deployed one.

Now we decided to shut down the port that it was connected to and hunt it down. Of course the cable had to be traced and it was a mess. Once we finally found the system it turned out to be an ILO port on a DB server. One of the very DB teams that we had asked about it and they denied knowing anything. That is another topic for another post.

Now we have a change control process that works pretty well. It's still young and his not fully automated yet but if the proper procedures had been followed we could have eliminated this whole fiasco. They could have had a free IP assigned for them to use and lots of time and manpower could have been saved. Not to mention the gray hairs that it added to my head. It's a good thing that I'm a blond so they don't show (no blond jokes allowed). :)

So please follow the proper procedures and policies that your company has in place. They are there for a reason and it's not all about making the auditors happy.

Monday, January 07, 2008

Where's Andy?

I'm still here. It's been an odd year so far. Most of my work life isn't worth blogging about and the parts that are I can't talk about. Nothing in the news has grabbed my attention so I'm keeping quite. I doubt it will continue for long and when I get started again you may long for my days of silence. :)

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.