Tuesday, December 28, 2010

Predictions for 2011

Here are a few predictions for 2011:
  • Cybercrime will continue to grow and more Zeus-like malware will continue to flood the black market.
  • Data loss prevention systems and DDoS protection will be on everyone's mind after the Wikileaks debacle.
  • The perimeter will continue to fade as mobile devices (tablets, phones, etc.) are attached to the network. How to secure the data on these devices, and the network they connect to, needs to be reviewed.
  • A rise in malware-based apps for smartphones, especially on the Android platform since it is open. This is the next big risk that's just waiting to happen.
  • Cloud-based providers will be breached, and we'll start seeing some of the dangers of placing blind trust in a service provider.
  • Social media will continue to be a sore spot for information security, and it will be interesting to see how companies deal with the growing demand for these sites while securing their data.
  • The media will pay more attention to cyber attacks.
  • Security vendors will continue to merge until we're left with three major players that do everything.
If you have any more, let me know.

Thursday, December 23, 2010

People Are The Weakest Link

In today's networks, companies spend millions protecting their perimeter and keeping the bad guys at bay. They invest in firewalls, web filtering, intrusion prevention systems (IPS), SSL encryption, VPNs, spam filters, etc., to stop malicious actors from gaining access to their precious data. But what if the bad guys are already inside your network? That is today's dilemma.

Targeted attacks by persistent individuals entail days, if not weeks, of physical reconnaissance of the organization they are looking to infiltrate. This includes watching when employees enter the building and what their habits are around the workplace; getting close enough to photograph company badges in order to replicate one and gain access; going through the trash at night ("dumpster diving") to find information about the company that is not public; and dressing in a stolen or replica uniform that lets an attacker walk through the front door without being stopped, among much else. (Have you ever held the door for the FedEx delivery man while he walked up to the building holding a large box? Are you sure that was a FedEx delivery, or did you just give an attacker access to your building?)

Another area that doesn't get looked at enough is the complete and almost blind trust that people place in their cleaning crews. Many, if not most, cleaning crews are hired as a third party and are normally given keys to almost every office and room in the organization. What if a janitor making minimum wage was given $1,000 to put a hardware keylogger on the CEO's workstation for a week and then mail it back to a P.O. box? Better yet, what if he was given multiple hardware keyloggers and asked to place them on the IT staff's desktops for a day, collecting as many high-level logins as possible? For around $1,500 the attacker could have almost every admin login to the network and systems without even using a computer. A hardware keylogger sits between the keyboard and the machine and installs no software, so endpoint antivirus never sees it.

Another way that attackers gain access to an organization is through phishing and social engineering. They use these techniques to con people into giving up the information they need. This is normally done over the phone or through an e-mail campaign directed at a company and crafted to make the correspondence look legitimate. Examples include an e-mail from someone claiming to be from IT asking you to enter your username and password into a new system "as a test" (a textbook phishing e-mail: you willingly hand your credentials to the attacker), or a call from someone posing as the company's helpdesk explaining that there has been an issue on the system and you need to change your password right away, and, by the way, here is a "secure" password for you to use.

So as companies continue to tighten their network perimeter, attackers will keep going after the low-hanging fruit: the employees. A $50 million IT security budget can be blown away by a receptionist being tricked into giving away her password over the phone.

Now that the perimeter is relatively secure, it's time to start looking inward and securing the new target area, except here you can't buy hardware to stop the attacks. You need to educate people on how to act and what to look for, which is easier said than done. You should also assume some of them will still be fooled: a second authentication factor and tightly scoped accounts limit how far one stolen password can take an attacker.

Tuesday, December 21, 2010

How secure is "The Cloud"?


I don't trust Google at all, and whatever happened to their mantra of "Don't be evil"?! http://www.f-secure.com/weblog/archives/00002076.html That being said, if it were some startup offering this service instead of Google, would you feel the same way?

Where does the data reside? Who has access to it? Is it backed up? If so, where do the backups reside? Etc. The problem is not having data off site; it is having no guarantee of, and no control over, the data once it is off site. I'm satisfied with the technology for delivering it securely to wherever the data silos reside; it's after the data is at rest that the security issue comes into play.

That being said, some data is more confidential than other data, and some companies might benefit from this model. If you think about it, this is really nothing new: customers have been pushing their data to MSPs or hosting their data in colocation facilities for years.
You need to look at the confidentiality, integrity, and availability of the data to make a wise decision. Do you really know what's going on with your data at all times? Are you sure people aren't making copies of your backup tapes (confidentiality) or changing the data after it arrived at their site (integrity), and are you guaranteed you'll be able to get to your data when needed (availability)? Etc., etc., etc.

You also take these risks with internal employees and in-house data, but there you have the control to make adjustments and take action quickly when the data resides in-house.

I think this all comes down to risk. If you can afford the risk, it might be a good idea. That's the major reason customers of MSPs went down this road to begin with: the risk and price were acceptable compared with doing business without it.

So I guess it depends on the company and the data being stored, but if possible it wouldn't be my first choice. 

Wednesday, December 8, 2010

4chan/Wikileaks "Operation: Payback" & "Operation: Avenge Assange"

The 4chan-affiliated "Anonymous" group (aka Internet pranksters) has taken down multiple sites in retribution for the way Wikileaks has been treated by the media and affiliated organizations. They're calling their attacks "Operation: Payback" & "Operation: Avenge Assange". The following companies and people have had their websites knocked off-line:

  • Mastercard
  • Visa
  • PayPal
  • Joe Lieberman's website
  • Sarah Palin's website
  • Julian Assange's Swedish prosecutor
  • PostFinance

These sites were taken down by "Anonymous" by distributing a DDoS tool called Low Orbit Ion Cannon (LOIC), which lets the computer that downloads it participate in a voluntary botnet aimed at these sites. In response, the "Anonymous" site anonops.net has been hit with a counter-DDoS attack that knocked it off-line.

A DDoS (Distributed Denial of Service) attack uses many machines sending network traffic to a particular service or device in order to overwhelm it with requests, making the service unavailable to legitimate users.

A botnet is a group of machines running particular software under the control of an originator (the "bot herder"), who can have every machine in the botnet perform certain commands on a very large scale. A typical botnet is on the order of 20,000 computers under the bot herder's control, though sizes vary widely.
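The HTTP flood that a LOIC-style voluntary botnet produces is visible in an ordinary web server access log: many sources, each firing requests far faster than a person browsing. Below is an added example, not code from the original post or from any tool mentioned in it, showing the detection logic a defender would run over such a log: it parses Apache/nginx combined-format lines and keeps a per-source sliding window of request timestamps. The log lines, IP addresses (RFC 5737 documentation ranges) and the 10-second/50-request thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the standard Apache/nginx "combined" access-log line, e.g.
# 10.0.0.5 - - [08/Dec/2010:14:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (source_ip, timestamp, request_line), or None if the line is not a log line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def flag_flooders(lines, window_seconds=10, per_ip_threshold=50):
    """Sliding-window request counter per source IP.

    Returns {ip: peak_requests_in_any_window} for every IP whose peak reaches
    per_ip_threshold. Lines are expected in time order, as in a log file.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip garbage rather than crash mid-incident
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= per_ip_threshold}


def _stamp(t):
    return t.strftime("%d/%b/%Y:%H:%M:%S %z")


def sample_log():
    """Constructed sample (not a real capture): two LOIC-style sources each sending
    20 requests/second for 15 seconds, plus five ordinary visitors, in time order."""
    base = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    entries = []
    for i in range(300):
        ts = base + timedelta(seconds=i // 20)
        for ip in ("198.51.100.7", "203.0.113.9"):
            entries.append((ts, fmt.format(ip=ip, ts=_stamp(ts))))
    for i in range(20):
        ts = base + timedelta(seconds=i)
        entries.append((ts, fmt.format(ip="192.0.2.%d" % (i % 5 + 1), ts=_stamp(ts))))
    return [line for _, line in sorted(entries, key=lambda e: e[0])]


def detect_from_sample():
    """Run the detector over the constructed log; returns the flagged sources."""
    return flag_flooders(sample_log())


if __name__ == "__main__":
    for ip, n in sorted(detect_from_sample().items()):
        print(f"{ip}: {n} requests in a 10 s window")
```

On the constructed log both attacking sources are flagged (220 requests inside a 10-second window) and the five normal visitors, who never exceed a handful, are not. Per-source counting is enough against a few hundred volunteers; against a real botnet where each bot stays under the threshold, the aggregate request rate across all sources is the signal to watch, and the block should move upstream to the ISP or a scrubbing provider, which is exactly the proactive stance the post asks for.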

The DDoS method has continually been used as a successful way to attack a site without it being traceable back to a particular person or group, which makes it a relatively easy way to take down a web presence without fear of legal action or responsibility for the attacker. That anonymity is not absolute, though: LOIC sends traffic straight from the volunteer's own machine, so every participant's IP address lands in the target's logs. It would be great to see ISPs take a more proactive stance against DDoS attacks.

DDoS attacks haven't gone away and remain a constant threat. The 4chan group's DDoS is a great example of hacktivism: hacking or breaking into computer systems for political or social purposes (right or wrong). It is also interesting because these attacks aren't directed at a particular political group, but rather at private companies affiliated with it. Attacking the services an organization uses to do business is an interesting way of attacking the organization itself.

Saturday, December 4, 2010

Wikileaks Cablegate: An Information Security Case Study

The Wikileaks Cablegate fiasco will be used as an information security case study and an eye-opener for everyone in the security community. Whatever you think of the leaks, one thing is certain: the protection of data has to improve.

Here are a few topics from Cablegate that should be thoroughly reviewed and studied from an InfoSec perspective:

How did 250,000 classified records make their way out of the DoD's SIPRNet and NIPRNet networks and onto Wikileaks for public disclosure? How can the DoD go through all the work of creating a secured network and then not establish a data leakage protection program? According to one report, too many users on these networks had overly broad permissions that allowed classified DoD workstations to use removable media, such as USB drives, with write capability. I'm sure we'll see DLP solutions marketed heavily by vendors within the next year, with Cablegate as the major marketing push.
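Blocking writable removable media is the first control, but a DLP program also needs content inspection at the egress points that remain. Below is an added example, not code from the original post or from any DoD or vendor system, of the two checks such a program applies to an outbound transfer: is the content marked at a classification level that is allowed on this channel, and is the volume unusual for the channel? The banner-style markings (e.g. "SECRET//NOFORN"), the channel names "internal", "email" and "removable", the per-level channel policy and the 1,000-record bulk threshold are all assumptions made for the example.

```python
import re

# Assumed banner-style classification markings such as "SECRET//NOFORN".
# Real marking rules are far richer; this regex only illustrates the idea.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)(?://[A-Z]+)*\b")

LEVEL_ORDER = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

# Assumed policy: which hypothetical channels each level may travel over.
ALLOWED_CHANNELS = {
    "UNCLASSIFIED": {"internal", "email", "removable"},
    "CONFIDENTIAL": {"internal"},
    "SECRET": {"internal"},
    "TOP SECRET": {"internal"},
}


def highest_marking(text):
    """Highest classification banner found in the text (UNCLASSIFIED if none)."""
    found = {m.group(1) for m in MARKING_RE.finditer(text)}
    for level in reversed(LEVEL_ORDER):
        if level in found:
            return level
    return "UNCLASSIFIED"


def inspect_transfer(text, channel, record_count=1, bulk_threshold=1000):
    """Decide ("allow" | "alert" | "block", reason) for moving `text` over `channel`.

    record_count is how many records the transfer carries (assumed to be
    supplied by the caller, e.g. a row count from the export job).
    """
    level = highest_marking(text)
    if channel not in ALLOWED_CHANNELS[level]:
        return "block", f"{level} content is not permitted on {channel}"
    if channel != "internal" and record_count >= bulk_threshold:
        # Volume alone is a signal: nobody needs 250,000 records on a thumb drive.
        return "alert", f"bulk export of {record_count} records over {channel}"
    return "allow", "policy satisfied"


if __name__ == "__main__":
    # Constructed sample payloads, not real cable text.
    print(inspect_transfer("SECRET//NOFORN\nEmbassy reporting cable text", "removable"))
    print(inspect_transfer("Unclassified press summary", "removable", record_count=250000))
    print(inspect_transfer("Unclassified press summary", "email", record_count=3))
```

The marking check is only as good as the marking discipline: unmarked or mis-marked data passes it, which is why the volume check is there too. A real deployment would also hash and fingerprint known-sensitive documents rather than rely on banner text alone, and would treat uppercase "SECRET" in ordinary prose as a false positive to tune out.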

The Wikileaks.org website has sustained an incredible number of DDoS attacks against its domain before and after publishing the Cablegate records. They were being hit with a steady 10 Gbps of network traffic, forcing them to host their domain on Amazon's web servers. This was an interesting choice, because they used the cloud to absorb the DDoS traffic. They were then dropped shortly afterwards by Amazon, and their DNS provider, EveryDNS.com, stated that it was dropping the domain because of the amount of traffic destined for it, supposedly since it was causing outages for other clients using their services.

The real reason is most likely pressure from United States senators lobbying to have the site removed, and they were successful in doing just that. Having nowhere else to go, they brought up the site www.wikileaks.ch, a Swiss domain being hosted out of Sweden. I find this particularly interesting in two ways: (1) Both of these countries are neutral and inclined to "stay out" of other countries' affairs, giving Wikileaks more of a chance to stay on-line by having these countries fight its political battles. (2) Now that they aren't affiliated with any American company, it is going to be harder for the United States to pursue legal action against them. It seems that America might have accidentally protected Wikileaks by forcing it out of its jurisdiction.

Only time will tell.