Saturday, December 22, 2012
I know this blog is dedicated to information security, but there are things in life that take precedence over cyber security. Living in New York I saw firsthand the devastation that was left by Hurricane Sandy. This storm might seem like a distant memory for some, especially if you weren't in its path, but the effects are still lingering for many along the coast of New York and New Jersey. This video shows what many are still going through during this Christmas season. Please pray for them and their families. This video is a collage taken from Breezy Point by one of its residents whom we volunteered with during this tragedy.
Wednesday, December 12, 2012
Tuesday, December 11, 2012
Tuesday, December 4, 2012
The systems in place that can assist with monitoring/securing your systems from application layer attacks are Next Generation Firewalls (NGFW), Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF). Here are just a few more “bumps in the road” that I’ve seen when it comes to these devices:
- Monitoring traffic at the application layer needs much love. You can’t just turn on a system like these and assume that you’ll be catching every bit of malicious traffic that comes past your interface. We’ll dig deeper into this later on, but each one of these systems needs to be tuned in order to work for your organization. Not all filters or signatures are going to be turned on by default and knowing what’s behind these security devices is going to be key (AKA Understand your network).
- Even with tuning in place you’ll still get false positives, albeit fewer, but false positives nonetheless. Management and others involved need to understand that this isn’t a silver bullet and that, when properly tuned, it will assist with blocking malicious traffic. But the potential for false positives will always be there. What needs to be shown is the trade-off between the risk of a potential false positive and the risk of a security breach.
- These devices are always going to be in-line with your network and because of this will also be a concern as a single point of failure if not configured properly. Making sure that the systems that are in place to protect your business don’t bring it down should be a priority. Having performance issues due to the signature load they’re scanning for, or not having load balancing or clustering on them, isn’t an option when they’re in such a delicate part of your network.
Saturday, December 1, 2012
When it comes to your network edge, the first devices to examine are your routers and firewalls. These devices are most commonly found in the network and are also most commonly an area of weakness. Here are just a few “bumps in the road” that I’ve seen when it comes to these devices:
- I’ve seen many networks that have old versions of software running on their perimeter devices mainly because the network admins are comfortable with the version they’re running, or they don’t want to risk the downtime or issues of upgrading to a more stable and secure version. Outdated software gives attackers an opening to exploit. You could have the best policies in place to filter traffic at the edge, but if your devices aren’t up-to-date with the latest OS, you’re giving the bad guys an easy way in.
- Not having the appropriate access control on these devices is another common oversight. Who has the ability to make changes to these systems? Should these personnel be able to make them at any time? Even though access control is more of an internal issue, it’s still needed to protect your perimeter from attack.
- Don’t forget about your firewall rulesets and router ACLs! Firewalls and routers are designed to ALLOW traffic through them. I know we often think of them the other way around, especially with firewalls, but these are in place to forward traffic back into your network. While a big part of their job is to block traffic, they’re ultimately in place to ALLOW traffic into your network. Ultimately, just because a ruleset is locked down to certain ports, doesn’t make your network secure. This is where IPS/NGFW technology comes into place, but we’ll get to that in the next article.
Monday, November 5, 2012
As we prepared for Halloween last week, I sat down with Alan Shimel (Networkworld.com) and Nimmy Reichenberg (Algosec.com) to share some of the scary things we've all seen or heard about in our time in information security. Here's the podcast recording which is also available on Network World at http://bit.ly/RspHm5.
Friday, November 2, 2012
With the majority of NY and NJ without power, attackers could have taken this time to launch attacks on unprepared victims. At a time when companies in this area are most likely failing over their systems to other locations, and IT support is either without power or being overwhelmed with other duties, an attack could go unnoticed. Talk about adding insult to injury!!
Security monitoring needs to be considered as a major part of your business continuity program. We need to have people and resources in place to make changes and monitor your environment during and after a major catastrophe. Don't get me wrong, it sucks without power, but we need to make provisions to keep our guard up during these hard times.
We need to start thinking like criminals and understand that they're very opportunistic in nature and if they can make some money quickly, without being seen, they're going to do it. It's similar to criminals launching DDoS attacks as a diversion to even more malevolent activity behind the scenes.
This being said, my heart goes out to all those who were affected by this horrible storm. We need to have our priorities in place, and keeping our families, friends and neighbors safe is at the top of the list. There is nothing more important than that, but we should have policy and procedure in place to continue our security posture during and after a catastrophe so we can focus all our energy on what really matters.
I was informed earlier in the week that “Front Line Sentinel” was named a Top National Security Resource on the subject of Cybersecurity by the site www.masterofhomelandsecurity.org. You can review the full list here.
Thursday, October 25, 2012
Once I heard they were breached I spoke with two store managers regarding the incident and their impression of how it was handled. The first store I visited wasn't part of the breach, but I went there to get a better view of how they were handling the incident in general. Once a POS is breached it's imperative that you not only replace and remediate the systems which were abused, but also eradicate the possibility of an attacker coming back. This would be part of the containment and eradication phases in the incident handling process. During my visit to the store I talked with the store manager on staff, who spoke freely about the incident, or as much of it as she was aware of, without questioning me or asking why I was there.
From her responses, only the PIN pads were affected and altered by an outside party. To her knowledge this was not an inside job. She also mentioned that they had known about the incident for the past month or so and were working with federal agents to gather more information. The store manager also said that as soon as the breach was found they removed all PIN pads from each of their 700 stores in the same day and are now looking into further details. This to me shows that Barnes and Noble took this breach seriously by moving quickly to eradicate the threat of additional theft, especially with the upcoming holiday season arriving. I went to this store on purpose to see how they were dealing with the incident as a whole, and not as isolated incidents. They passed this test.
After first going to a store that wasn't hit, I then spoke via phone with a store manager at a site that was targeted. This store happens to be about 10 miles from the first store I visited and in a much wealthier part of town, which leads me to think that the thieves had a good idea of where they were aiming based on the store locations. This is a theory, but it would make sense if you're trying to make money: hit the place with debit/credit cards that have the most on them; common sense really.
Anyway, when speaking with this store manager he seemed very helpful at first when I asked him the same questions about how it happened, when it happened and if they'd be getting the PIN pads back, if at all. At first he was very helpful and gave me the same canned answers as the first store manager, but after he realized that I was starting to ask more technical questions he diverted me to another associate after a few minutes of hold time. Apparently, I was taken as someone from the media and was forwarded to someone that was slightly more polished with their answers, which I found very reassuring once again. They passed another test.
Overall, everyone is vulnerable to attack at some point in time, but in reality it's how you deal with the fallout that keeps you from becoming an even bigger mess. From a first glimpse of how Barnes and Noble responded to the incident, removing the affected systems, giving the people at their shops the knowledge to speak without giving too much away, and diverting curious folks like myself to more "in the know" individuals, it's a sign that they're taking this breach very seriously; as they should. And in the long run this could very well save them from additional embarrassment. They also have a list of stores that were targeted on their site and are being transparent about the breach. It's my opinion that as of right now they're dealing with this breach in a responsible manner, which in the long run could be one of their saving graces.
You can view the breach notification released by Barnes and Noble here for further details: https://oag.ca.gov/ecrime/databreach/reports/sb24-36794
Wednesday, October 24, 2012
This can be in the form of legal risk, if it relates to personal information, or competitive risk, in the case of commercial information, like trade secrets and client lists.
Most firms maintain security policies and procedures to mitigate these data security risks. These can range from adding passwords on smart phones used outside the office, to signing complex NDA agreements with third parties when confidential information is shared, like in an M&A transaction or a licensing deal.
However, while these measures provide some level of risk mitigation, many firms still continue to engage in risky day to day business activities that can jeopardize these efforts.
For the most part, these risky activities are an afterthought, as they center on three necessary components of every business person’s day – email, third parties and being out of the office.
Your confidential information is at an increased risk of being exposed if you engage in even one of the following activities:
1. Send confidential or sensitive documents to third parties via email
2. Share confidential or sensitive documents with third parties for a limited time
3. Access confidential or sensitive documents outside of the office
4. Transport confidential or sensitive documents using zip drives or hard drives
5. Store confidential or sensitive documents on your own servers in your office
Below are a few examples of what can happen if just one confidential document gets emailed to the wrong person, or a firm relies on ‘traditional’ methods to deliver sensitive information.
In November 2011, the personal information of current and former employees at Regions Financial Corp was compromised after a flash drive went missing. The flash drive, which contained information about thousands of 401k retirement plan participants, including their names and social security numbers, was mailed by an external auditor to another one of its offices. To make matters worse, the flash drive was put in the same envelope as the decryption code, and when the package arrived, the flash drive was gone.
In September 2009, a California judge ordered Google to temporarily deactivate a Gmail account after a bank employee mistakenly sent sensitive data to the wrong recipient. When the employee realized his mistake, he immediately sent a second email, instructing the recipient to delete the email and attachment without opening it. When he got no response, the bank contacted Google to find out if the account was still active. However, Google would not disclose such information without a court order, so the bank had to sue Google to obtain the account holder’s name and contact information.
Accessing Data outside the Office
In August 2012, a software engineer for Motorola was sentenced to 4 years in prison for stealing trade secrets. The employee was stopped during a random security check at O’Hare International Airport in February and found to be carrying $31,000, along with hundreds of confidential Motorola documents stored on her laptop, four external hard drives, thumb drives and other devices. Prosecutors alleged that among the secrets she carried were descriptions of a walkie-talkie type feature on Motorola cellphones, which prosecutors argued would have benefited the Chinese military.
These examples remind us that simple day to day activities could be putting your corporate data at risk, undoing all the things that security policies and procedures aim to protect.
Many firms are therefore implementing more secure document sharing methods, like virtual data rooms, to exchange information with clients and third parties.
A virtual data room is a cloud-based document repository used by business professionals to share confidential documents around M&A transactions, litigation, fundraising and government compliance. The administrator invites users into their online data room behind a secure login to review confidential documents. These documents are protected with 256-bit encryption and Digital Rights Management, allowing the administrator to control who can access certain documents and what they can do with them (e.g. view, print, or save). Administrators are also able to lock documents to an individual computer, or revoke access remotely, even after the document has been downloaded from the data room.
By using a virtual data room, the firm maintains complete control over how sensitive information is viewed, thereby mitigating the risk of it falling into the wrong hands.
Wednesday, October 17, 2012
The reason is simple - employees like to use their own stuff. As consumers, they have access to some of the best devices — iPads, iPhones, Android phones, Android tablets — and all the apps that come with them. Employees don't want to use the clunky laptops and complex software of their employers. And they don't want the hassle of carrying around two separate phones.
Rather than fight it, the smart companies are embracing the BYOD trend. Kraft, Whirlpool and IBM are just some of the larger names that have already implemented BYOD guidelines for their employees.
However, at the same time, there are some serious concerns attached to BYOD schemes, especially around the security of corporate data.
BYOD — A Security Nightmare
Without a proper BYOD policy in place, employers can easily lose control over how and where their corporate information is stored.
Cloud computing technologies now make it easy for employees to self-select and install their own business apps, without the need to consult with IT. This presents significant security concerns for employers, who have little insight into what apps are being used and whether they are secure enough to house confidential corporate information.
It’s not uncommon, for example, for business users to use personal cloud solutions, like Dropbox, iCloud and Google Drive, to store business files. These applications are relatively cheap, if not free, and provide convenient access to documents from multiple locations. However, because they are designed for personal use, these applications also lack the vigilant security protection needed for confidential corporate data; things like data encryption, managed user permissions and offline document control.
The recent Dropbox security breach is a timely reminder of how easily information stored through these applications can be compromised. It’s no surprise that in May 2012, IBM banned the use of Dropbox by all of its employees.
Lax Approach to BYOD Security Causes Major Headaches
Another concern around BYOD is the lax approach some employees take toward mobile device security.
According to a recent survey by Coalfire, 47 percent of respondents had no password protection on their mobile phone, even though 84 percent admitted to using this device for work.
What's more, 36 percent said they reused the same password, and 60 percent are still writing down passwords on a piece of paper!
Employees Unaware of Security Risks
The Coalfire survey also revealed that nearly half (49 percent) of respondents said their IT departments had not discussed mobile security or cyber-security with them. Only 25 percent reported a discussion with IT, suggesting that 75 percent were left to exercise their own judgment.
What’s more, 51 percent said their company did not have the ability to remotely wipe data from their mobile device if it was lost or stolen — a huge problem if the device is also not password protected.
A BYOD Policy is Essential for Every Workplace
In order to reduce BYOD security risks, employers should implement a BYOD policy and update their other existing security policies to include the use of personal devices. They should also consider implementing the following initiatives.
5 Ways to Boost BYOD Security
• Arm your employees with knowledge: Educate employees on the security risks and best practices for using personal devices in the workplace
• Power-on passwords: Enforce power-on passwords for all devices containing corporate data; a power-on password buys time to wipe a device in the event that it's lost or stolen. Companies should also extend policies around password-strength and password expiry for personal devices.
• Monitor business app usage: Require employees to provide IT with a list of the business apps they are using, along with the account information (username and password). IT should have permission to monitor these apps, and check them before they are shut down permanently (especially after the employee leaves).
• Stronger authentication: Enforce a stronger authentication process if users are allowed to store sensitive data or trade secrets on their smart phones or tablets.
• Encryption or nothing: Make encryption the price of being allowed to keep corporate data on personal devices. This can be challenging in mobile security because there are different encryption options for various mobile platforms. Build and maintain a list of ‘approved’ devices that meet your security criteria.
While the BYOD phenomenon can’t realistically be eliminated, employers can learn to adapt. Part of this involves being vigilant in protecting their corporate information. Without the proper guidelines and employee education in place, they could stand to lose a whole lot more than they bargained for.
Content courtesy of Firmex Virtual Data Rooms
Saturday, September 29, 2012
Wednesday, September 19, 2012
Monday, September 17, 2012
We haven't even scratched the surface on the implications of having devices like these attached to the internet. The more you expose, the more vulnerable you'll be, and I doubt people are thinking about lasting security consequences when rushing products to market.
This is where the physical world meets the cyber security world. No longer are you looking at hacking to steal data, but in these instances you're able to do physical harm to another person or people with these compromises. The ability to hack the electronic system of cars and pacemakers is a perfect example of this.
Companies are rushing to attach their technology to the internet without thinking of the long term risks they might have. I sound like a crotchety old man here, but I think in the grand scheme of things this will end up causing more harm than good.
What do you think?
Friday, September 14, 2012
- Create data controls as close to the data as possible, since much of this data isn’t “owned” by the security team. The risk of having big data traversing your network is that you have large amounts of confidential data – such as credit card data, Social Security numbers, personally identifiable information (PII), etc. – residing in new places and being used in new ways. Also, you’re usually not going to see terabytes of data siphoned from an organization, but the search for patterns to find the content in these databases is something to be concerned about. Keep the security as close to the data as possible and don’t rely on firewalls, IPS, DLP or other systems to protect the data.
- Verify that sensitive fields are indeed protected by using encryption, so that when the data is analyzed, manipulated or sent to other areas of the organization you’re limiting the risk of exposure. All sensitive information needs to be encrypted once you have control over it.
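One way to do the verification in the second point, as an added example that is not part of the original post: scan an extract for field values that still look like plaintext card numbers (Luhn-valid PANs) or US Social Security numbers before it is handed to another team. The records, names and the `enc:v1:` ciphertext prefix below are constructed.

```python
"""Verify that sensitive fields really left the system encrypted.

Added example, not from the original post. It scans constructed sample
records (made-up names, a test card number and a test SSN) for values that
still look like plaintext card numbers or US Social Security numbers.
"""
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by spaces or dashes (how PANs are typed).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# SSN format, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed records: record 0 is plaintext, record 1 was encrypted before
# export (opaque ciphertext with an assumed "enc:v1:" prefix), record 2 holds
# a 16-digit value that fails the Luhn check and so is not a card number.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "1", "name": "A. Example", "card": "4111 1111 1111 1111", "ssn": "078-05-1120"},
    {"id": "2", "name": "B. Example", "card": "enc:v1:Zm9vYmFy", "ssn": "enc:v1:YmFyYmF6"},
    {"id": "3", "name": "C. Example", "card": "4111 1111 1111 1112", "ssn": "enc:v1:cXV4"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str) -> List[str]:
    """Return the kinds of plaintext sensitive data found in one field value."""
    kinds = []
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.append("PAN")
            break
    if SSN_RE.search(value):
        kinds.append("SSN")
    return kinds


def scan_records(records: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (record index, field name, kind) for every unprotected value."""
    hits = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            for kind in classify(value):
                hits.append((idx, field, kind))
    return hits


if __name__ == "__main__":
    for idx, field, kind in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: field '{field}' holds a plaintext {kind}")
```

Run it against a CSV or database export before it leaves the team that owns the data; any hit means a field was sent onward without the encryption the policy requires.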
Wednesday, September 12, 2012
Malware writers are getting smarter and their viruses more sophisticated. Criminals are using encryption in their malware, along with robust business models that include quality control checks, license keys, upgrades, support and marketing. The bad guys take beating antivirus programs very seriously, and so should we.
A standard antivirus package is no match for today's malware because it is based on signatures. Having to keep thousands of antivirus clients up to date with the latest signatures is also something that becomes an issue; as AV signatures age, their effectiveness declines. This is just a cat-and-mouse game we play with cybercriminals that they are winning. In fact, most attackers test their malware against common antivirus products before ever employing it to ensure that the malware can get through. Although antivirus is still a needed layer in the defense-in-depth paradigm and demanded by many regulations, any organization that relies on antivirus alone for its endpoint protection has cause for concern.
Consider the path a malicious file normally takes before it arrives at an endpoint: The file is sent from the malicious source and makes its way through the Internet, onto the network, through a company's systems, and eventually onto its endpoint. Along this path are multiple opportunities within the network to catch this traffic and stop it before it causes a breach or infection.
Throughout this article, we'll look at each one of these locations in the network and propose a few technologies that can assist with the process of implementing a new endpoint security strategy for stopping malware before it strikes.
Antivirus alternatives: The cloud layer
The cloud has a scary reputation when it comes to storing data, but cloud computing can be especially helpful from an antivirus perspective. Many antivirus vendors now offer services in which they combine intelligence from tens of thousands of customers, partners and even other vendors to better pinpoint potentially malicious activity. The knowledge enables a more predictive form of protection from malware before it even hits a company's network.
When attempting to stop malware from infecting an endpoint, it should be stopped as close to the source as possible; the fewer layers it penetrates, the less likely it will get anywhere near an endpoint. There are only so many new signatures, antivirus or otherwise, that can be pushed down to a multitude of endpoints. If malware can be stopped in a choke point once, it would free up these nodes. Using cloud-based systems as part of the antimalware infrastructure reduces the number of malware instances that make their way to the local network.
Services like those provided by FireEye and ValidEdge allow traffic to be scanned for malware before it hits the network. These providers' services rely on appliances that are in tune with similar systems and work together against known recent attacks. This allows for quicker and more comprehensive protection before potentially malicious traffic enters into the network. In essence, the cloud allows many systems to globally share intelligence to stop malware.
Read the rest of my article for SearchSecurity.com at: http://searchsecurity.techtarget.com/tip/Antivirus-alternatives-Evolving-enterprise-endpoint-security-strategy?utm_source=twitter&utm_medium=social&utm_campaign=searchsecurity_mpascucci_09042012_1PM_tip
1. HTTP Open on the Router
While reviewing security for a company from the perimeter I discovered that HTTP was enabled on their core Cisco routers. They were both running very old versions of the IOS and were using the default credentials to log into the device. After getting into the router I was able to escalate to “enable” mode and could in theory have changed routes or wiped the NVRAM. After speaking with the network owners we quickly removed the HTTP service from the core routers and dodged a bullet.
2. Password Files Stored on Router
Everyone knows that if you’re going to store passwords you should do it in a secure manner as to not divulge your credentials. Well, in this instance an admin decided to store all of the company’s credentials in a Microsoft Word file on the router’s storage. This router was running SSHv1 and penetration testers were able to gain access to the system. After finding this file they were given complete access to the company without blinking an eye. When the admin was confronted about the file being stored his response was, “But you can’t open the .doc file on a Cisco router!!”. He obviously wasn’t getting it.
Read the rest of my article posted on Algosec's blog: http://blog.algosec.com/2012/09/network-security-horror-stories-router-misconfigurations.html
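A quick way to catch the two stories above (and the open rulesets from the router/firewall post) before a pentester does is to audit the running-config. This is an added example, not code from the original post or from Cisco; the sample config, hostname, addresses and usernames are constructed, and the checks are a simplification of a full device audit.

```python
"""Flag the router misconfigurations described above in a Cisco IOS config.

Added example, not code from the original post or from Cisco. The config
below is constructed (hostname, addresses and users are made up).
"""
import re
from typing import List, Optional, Tuple

# Constructed sample reproducing the two stories: HTTP management left on,
# SSHv1 still allowed, a default-looking local user, and wide-open ACLs.
SAMPLE_CONFIG = """\
version 12.2
hostname edge-rtr-1
username cisco privilege 15 password 0 cisco
ip http server
ip ssh version 1
access-list 101 permit ip any any
access-list 102 permit tcp host 203.0.113.5 any eq 22
access-list 102 deny ip any any log
ip access-list extended OUTSIDE-IN
 permit ip any any
line vty 0 4
 transport input telnet ssh
"""

# Usernames that commonly ship as factory or documentation defaults.
DEFAULT_USERS = {"cisco", "admin", "root"}

Finding = Tuple[str, str]  # (code, detail)


def audit_ios_config(config: str) -> List[Finding]:
    """Return (code, detail) findings for one IOS running-config."""
    findings: List[Finding] = []
    ssh_version: Optional[str] = None
    current_acl: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if re.match(r"ip http server$", line):
            findings.append(("HTTP_MGMT", "HTTP management enabled; use 'no ip http server'"))
        m = re.match(r"ip ssh version (\d)", line)
        if m:
            ssh_version = m.group(1)
        m = re.match(r"username (\S+) .*password (\d) (\S+)", line)
        if m:
            user, pw_type, pw = m.groups()
            if user in DEFAULT_USERS or pw == user:
                findings.append(("DEFAULT_CREDENTIAL", f"user '{user}' looks like a default account"))
            if pw_type in ("0", "7"):  # type 0 is plaintext, type 7 is reversible
                findings.append(("REVERSIBLE_PASSWORD", f"user '{user}' stored as type {pw_type}; use 'secret'"))
        m = re.match(r"access-list (\S+) permit ip any any$", line)
        if m:
            findings.append(("PERMIT_ANY_ANY", f"ACL {m.group(1)} permits all IP traffic"))
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            current_acl = m.group(1)  # entering a named ACL block
        elif line.startswith(" ") and current_acl and stripped == "permit ip any any":
            findings.append(("PERMIT_ANY_ANY", f"ACL {current_acl} permits all IP traffic"))
        elif not line.startswith(" "):
            current_acl = None  # any top-level line ends the ACL block
        if stripped.startswith("transport input") and "telnet" in stripped.split():
            findings.append(("TELNET", "cleartext telnet allowed on a management line"))
    # IOS accepts both SSH protocol versions unless version 2 is forced.
    if ssh_version != "2":
        findings.append(("SSH_V1", "SSH protocol 1 allowed; set 'ip ssh version 2'"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_ios_config(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
```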
Monday, September 10, 2012