Archive | July 2011

Good Thing We Don’t Sell Firewalls

At a local chamber breakfast meeting this morning I had the opportunity to introduce my company to a room full of people who I had never met before. Staring into my bowl of granola and strawberry yogurt, I tried to summarize in my mind what it is that GreyCastle Security does. I needed to come up with something catchy and simple so that the 30 or so individuals at the meeting would both understand our mission and want to talk to us. We’re all in Marketing, as the saying goes.

“Good morning everyone, my name is Reg Harnish and I’m the Founder of GreyCastle Security. My company is in the business of preventing ugly headlines. You know how you’re constantly reading about companies that are being hacked, breached and robbed? We can help keep you from becoming one of those companies.”

It seemed to work, given how popular I was after the presentation.

Unfortunately for many of the businesses in that room, it’s probably too late.

According to The Ponemon Institute, annual spending on IT security has nearly doubled over the past five years.

IT Security Spending

Reaching nearly US$80 billion in 2011, U.S. companies are spending 3-10% or more of their budgets on security initiatives. This sounds like a lot. But there’s a problem.

There is a major disconnect between security spending and risk. Decisions on security spending are based on many things – it’s the way we’ve always done it, it’s what other companies like us are doing, it’s what our Chairman wants us to do. Sadly, risk is usually an afterthought.

What has resulted is a disproportionately large increase in the costs of cybercrime.

Cybercrime Costs

When an organization is not protected from attackers, or is unprepared to deal with the aftermath, its costs of recovery go up. Way up. When an organization doesn’t understand what its real risks are, it can be very difficult for it to protect itself.

So who’s to blame? All parties involved.

  1. First and most obviously, it’s cybercriminals as well as the organizations that enable, ignore or patronize these gangs as they are at the root of this criminal ecosystem. Naturally where there is opportunity there will be opportunists.
  2. Secondly, it’s any company who believes that they are somehow immune or flying under attackers’ radar. They are not only negligent, but will likely find themselves liable in a court of law some day. Each business is responsible for its own security, and the economics are clear – it’s cheaper to avoid an incident than to recover from one. In the meantime, they are promoting a culture that will cost you and your customers dearly.
  3. Lastly, it’s the security firms who have yet to recognize (or admit) that hardware and software do not solve security problems. Yes, it’s true that a firewall can prevent certain nefarious activities, but by itself it is a simple device that requires a strategy, proper implementation and measurement to be successful. “Security” providers who make their living peddling these wares create downstream issues, forcing client security issues to look like nails for their hammers, and slathering their constituencies with a false sense of security. If you’re not part of the solution you’re part of the problem, as they say.

It’s time to think differently about how we protect ourselves and our clients. It’s being proven on a daily basis that traditional approaches to security aren’t working, and we’re fighting enemies that circumvent million-dollar technology with a simple e-mail. It’s not about how much money you spend, it’s about how you spend it.

I wonder how many business cards I would have gotten if I told them I was selling firewalls.

Security Audits and Plausible Deniability

On Tuesday, July 19th the Troy Record published a story regarding the results of a recent security audit of the Cohoes City School District’s information technology controls. The story is short and sweet, as the school district decided not to publish the results of the audit. Naturally this left readers, and more importantly taxpayers and other vested parties of the Cohoes School District, in a potentially undesirable position. After all, it’s their data that is being (un)secured, and with their tax dollars.

This issue was raised in a few security circles, where it was suggested that the city of Cohoes was doing more damage by leaving the unknown unknown. People have vivid imaginations, and with the proliferation of data breaches, insider fraud and other security incidents that have been cropping up in Tech Valley, the mind runs wild with the possibilities. We conjure up images of “the Duanesburg incident”, Eastern European hackers and another $500,000 financial loss. Some suggested that they’d likely already been compromised.

While I too, can imagine the possibilities, I believe there are other factors at work.

Having been in the information security business for over a decade, I have been through tens, maybe hundreds, of audits. HIPAA, SOX, SAS 70, NERC CIP – you name it, I’ve lived it. Some of them have been successful. Some of them have been horrible. Most of them have been somewhere in between. But in none of these cases was I tempted to share my results with outsiders. Why?

  1. Audit results have no context – Auditors are paid to identify weaknesses, called findings. If you get a good auditor they will remain objective, understand the security controls in question and interpret standards, regulations and other requirements in a balanced way. But an audit represents performance results at a single point in time. It doesn’t tell the full story. It won’t give you a break because you put a new application on the wire the week before the audit. It also won’t ding you for having the same audit items show up time after time after time. That’s somebody else’s job.
  2. Audit results are never current – Audits take time to properly prepare and document, and your infrastructure keeps changing. In nearly every one of my audits, I had remediated critical items before the audit was published. That left my audiences with an inaccurate picture of the current state. If you are effectively moving the security needle, your last audit will be out of date before anyone sees it.
  3. Audit results are implicitly sensitive – Good news or bad, audit results should not be made public. Instead, we should be developing metrics that demonstrate key security performance indicators, security goals and how well we’re progressing against them, which can then be shared with broader audiences. There’s no sense in broadcasting your weaknesses, we’ve got LulzSec for that.

In summary, I feel that we do owe our constituencies a sense of how well we’re protecting their assets, especially when they’re paying the bills, and writing our paycheck. I can’t imagine keeping my old bosses in the dark about our security posture (although I’ve had supervisors who wanted plausible deniability). That being said, there are ways to obfuscate the details and still give authorized parties enough information to make business decisions and do their jobs.

Lastly, I commend the Cohoes City School District for undergoing a security audit, whether it was self-selected or mandated. I hope they used a qualified security firm (they did not use us) that was thorough and objective. I hope that they are focused on addressing their risks and not just installing new hardware and software. I hope that the results of their next audit are better than the last.

I can recommend a good security company.

Go Forward and Cloud

Cloud computing has become the hot technology du jour. While there may be many contrasting definitions of what cloud computing is, the fact remains that your organization, along with most of the Fortune 500, is likely investigating, implementing or already using some type of cloud-based service. From CRM and payroll to supply chain and collaboration, the cloud has made great inroads into corporate America.

And why not?

The advantages of cloud computing are many. Access on-demand, pay-as-you-go, rapid deployment – cloud-based services solve many of the challenges that have plagued IT for decades. For companies that adopted the cloud early, the juice has been worth the squeeze.

But despite this success there has been one area of the cloud where businesses have been hesitant to go – security.

For those things that need to be secured, or for those things that do the securing, many organizations have felt that they should, or could do a better job. And after all, security is one of those things that you don’t outsource, right?


First, not all cloud security providers are created equal, and not all cloud providers go to the same lengths to protect your assets. Secondly, when there’s an incident at a cloud provider, it tends to be catastrophic. I read a great analogy somewhere comparing cloud security to flying in an airplane – there are very few failures, but when they happen they’re major disasters.

All that being said, there are natural characteristics of cloud and cloud security providers that give them fundamental advantages over on-premises solutions. Here are a few:

  1. Availability – In most cases, cloud providers have invested in infrastructure far beyond what your organization is willing to develop. In many cases cloud providers are required by law to implement security controls beyond what a client would normally do, due to the nature of their business.
  2. Isolation – A data breach, malware outbreak or other incident at your organization may have less impact because some of your assets are in the cloud. If your critical data stores all live on different networks, it becomes more difficult for incidents to span multiple repositories, and a local disaster won’t impact assets stored elsewhere.
  3. Specialization – Cloud security providers generally do one thing – security. You may suggest that your security team is in the same position, but I submit that they also go to meetings, work on projects and get sick once in a while. Your security resources are also most likely spread among many different security disciplines, or worse – spread among security and other IT groups. The right provider will be on 24x7x365 and will be doing one thing all the time.
  4. Transference – Not all risks are mitigated with hardware and software. A well written contract will give you even stronger controls over your assets than if they remained within your four walls. Ensuring contractual right-to-audit will give you peace of mind.

Whether you’re a fan of cloud computing or not, you probably will be. The early stumblings of SaaS and other like solutions are giving way to reliable providers with excellent Service Levels. Selecting the right provider still requires due diligence, but looking under the covers won’t be as nasty as it used to be.

And don’t forget that the first Savings Bank didn’t have armed guards or a vault, but it didn’t stop early Americans from putting their money in it. Go forward, and cloud.

Upromise to Explain This?

Earlier today I received a concerned e-mail from my girlfriend, who thought she might have been the target of an attempted cybercrime. Below is a screenshot of the e-mail:

As a security professional, my immediate reaction was to provide counsel on safe e-mail practices as I read through what appeared to be a legitimate security notification regarding a brute force attempt on her account. As I continued reading, I noticed a conspicuous lack of links, misspellings and poor grammar – again suggesting a legitimate source. My next step was to inquire about the strength of the password that she had been using on this web site, and how recently it had been changed. All evidence to this point suggested that this was indeed someone attempting a Lindsay Lohan-esque attack, albeit less successful (as far as I could tell so far).

Now it was time to dig a little deeper, as at this point we hadn’t really made any determination as to the success of the alleged attack.

As I went through the source code for the e-mail looking for suspect links or domains, I asked her to go directly to the Upromise web site and attempt to log in. Normally I would have asked her to log in from a PC that she doesn’t typically use, but she was at work and didn’t really have that luxury.

As it turned out, her account was not locked.

After requesting that she change her password and log out, I continued my research. The source code showed no signs of malice, so I called the 800 number that was provided. My call was answered by an interactive voice system claiming to be Upromise that was “experiencing a higher than usual call volume”. A dead-end number – was it real?

After digging through the e-mail, its source code, a web site, changing a password and calling the company’s 800 number, I still could not confirm the legitimacy of any of this.
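Here is what that pass through an e-mail’s source looks like when written down as a script. It is an added example, not code from the original post, and the message it checks is constructed with hypothetical addresses and domains (example.com and example.net); it is not the Upromise notice described above. It flags the things a triage looks for: a Reply-To or Return-Path domain that differs from the From domain, a link whose visible text names one host while its href goes to another, links outside the sender’s domain, and any toll-free number embedded in the body, which should be checked against the number printed on a statement rather than trusted from the e-mail itself. The domain comparison keeps only the last two labels of a host name, which is a deliberate simplification (no public-suffix list).

```python
"""Triage checks to run over the raw source of a suspicious e-mail.

Added example, not code from the original post. RAW_MESSAGE is a constructed
notice with hypothetical addresses and domains; it is not the Upromise e-mail
the post describes.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the link's visible text and its href point at different hosts.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP; Thu, 21 Jul 2011 09:12:33 -0400
From: "Account Security" <security@service.example.com>
Reply-To: support@service-help.example.net
To: someone@example.org
Subject: Unusual login attempts on your account
Content-Type: text/html; charset=us-ascii

<html><body>
<p>We detected several failed logins. Please review your account at
<a href="http://service.example.com.login-verify.example.net/reset">
https://www.service.example.com/account</a>.</p>
<p>Call 1-800-555-0199 with questions.</p>
</body></html>
"""

HOSTLIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
TOLLFREE = re.compile(r"\b1-8(?:00|33|44|55|66|77|88)-\d{3}-\d{4}\b")


def domain_of(value: str) -> str:
    """Crude registrable domain: last two labels of the host (no public-suffix list)."""
    if "://" in value:
        host = urlparse(value).hostname or ""
    elif "@" in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = value
    labels = host.strip("<>").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


class _Links(HTMLParser):
    """Collect [href, visible text] for every <a> in an HTML part."""

    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]
            self.links.append(self._cur)

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._cur = None


def triage(raw: bytes) -> dict:
    """Parse the raw message and return the header facts, links, phone numbers and findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    sender_dom = domain_of(sender)
    findings = []
    for label, addr in (("Reply-To", reply_to), ("Return-Path", return_path)):
        if addr and domain_of(addr) != sender_dom:
            findings.append(f"{label} domain {domain_of(addr)} differs from From domain {sender_dom}")

    links, phones = [], []
    for part in msg.walk():  # walk() also covers multipart/alternative messages
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        parser = _Links()
        parser.feed(html)
        links.extend((href, text.strip()) for href, text in parser.links)
        phones.extend(TOLLFREE.findall(html))

    for href, text in links:
        if HOSTLIKE.fullmatch(text):  # visible text looks like a URL or host name
            shown = domain_of(text if "://" in text else "http://" + text)
            if shown != domain_of(href):
                findings.append(f"link text shows {shown} but href goes to {domain_of(href)}")
        if domain_of(href) != sender_dom:
            findings.append(f"link host {urlparse(href).hostname} is outside sender domain {sender_dom}")
    return {"from": sender, "reply_to": reply_to, "return_path": return_path,
            "links": links, "phone_numbers": phones, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print("FINDING:", line)
```

A clean result from this script is not proof of legitimacy, which is exactly the position the post ends up in: it only tells you the e-mail is not clumsy. The Received chain and the sending server’s reputation still have to be checked separately, and the account itself should be checked by typing the site’s address in by hand, as described above.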

Was this a sophisticated phishing attack that incorporated offline voice? Was the company’s DNS compromised such that valid domains were poisoned? And did they get money from my girlfriend’s account?

Like any good cliffhanger, you’ll have to wait until next time for the conclusion to this story. But there’s a lesson here; as the headlines of data breaches, malicious insiders, corporate failures and compliance penalties pile up, we are slowly learning to distrust the systems, applications, networks and technologies upon which we base our digital lives. As technology continues to occupy more of our day, so does distrust. It’s a dangerous cycle that will be difficult to stop without a change in our collective security mindset.

If Upromise to, Ipromise to.

Don’t Bring a Gun to a Strife Fight

“I have six locks on my door all in a row. When I go out, I lock every other one. I figure no matter how long somebody stands there picking the locks, they are always locking three.” – Elayne Boosler

This past Monday night I attended the monthly business meeting for a pistol range in my area. Having heard great things about the facilities and management, I decided that it was time to join another range – it’s great to have options. This particular range is used by DHS, DEA and 10 other law enforcement agencies which added to its legitimacy. The club also offers regular combat and tactical training courses, an added bonus.

But this story isn’t about that kind of security.

During the meeting the chapter Vice President rifled (oops) methodically through each committee update and then stopped to share with us some issues that the club had been having regarding unwanted visitors. Without giving away too many details, the club is protected by proximity card access control in various places, and cards are only granted to members of reputable standing. I made some assumptions about the “issues” that they could be having, recognizing that cards can be shared or stolen, card readers don’t prevent tailgating or social engineering and remembering that there were few visible supporting controls in place. Having experience on many ranges, I know how irresponsible, careless and downright malicious people can be.

The Vice President, after describing numerous incidents of non-member trespassing, facility damage and seriously dangerous shooting conditions, opened it up to the floor for suggestions on how to deal with this latest rash of problems. The club’s insurance, after all, did not cover all of these liabilities.

The monthly meeting was attended by individuals of all ages, from various walks of life. One thing they had in common, however, was a shared love for the 2nd Amendment. If there was one thing these guys knew, it was how to protect their property.

“We need cameras in here!”

“Put a gate out front!”

“Change the locks on the doors!”

As the new guy I sat quietly listening to each suggestion as the roar became deafening. Clearly, the club and its members were passionate about protecting their assets. They weren’t about to let a few malicious interlopers get away with this.

Unfortunately, they didn’t know how to stop them.

Preventing crime, cyber or otherwise, is not about technology. We continue to see firewalls, antivirus software, gates and door locks fail to protect us for one simple reason – they are created by, configured by and susceptible to people. Our industry’s surveys, articles, data breach reports and analyses all point toward one conclusion – people continue to be the greatest weakness in the security chain. Until our security programs, budgets and corporate priorities address this – our real risk – we are doomed to repeat history.

In short, the pistol range will be more successful if it trains its members – its security control with the greatest surface area, intelligence and liability – how to detect, prevent and correct security incidents like those that have been occurring over the past several months. A well-trained membership will be far more capable of dealing with a negligent individual or trespasser than a “No Trespassing” sign or a card-activated gate. As it turns out, training will also be a lot less expensive. While human psychology will usually default to technology (firewalls or guns) for addressing security, in most cases addressing the human element is the most effective.

While this didn’t occur to the membership on Monday night, I’m sure some well-meaning member will eventually make this suggestion.

Perhaps next month I won’t sit so quietly.

Not Guilty or Innocent? There’s a Difference.

Tuesday, July 5th, 2011 will be remembered by many as a day when the United States Justice system failed.

The Casey Anthony verdict, handed down in front of an estimated audience of 130 million television, radio and web viewers shocked a nation. After 33 days of testimony, 400 pieces of evidence and more than 90 witnesses, the State of Florida could not prove beyond a reasonable doubt that Casey Anthony was indeed the perpetrator in the case. The verdict has hit a nerve with many, frustrated with the notion that someone as “guilty” as Casey Anthony could now walk despite a mountain of circumstantial evidence.

In this great land we call America, we are innocent until proven guilty. Those on the wrong side of the law have learned to abuse this right, twisting it until its original intent is no longer recognizable. Like the highly-publicized Casey Anthony case, claimants from businesses of all types find themselves in court attempting to recover losses from malware attacks, reputation assassination and the $250,000 missing from their bank account. Those that find themselves prosecuting – CEOs of banks and credit unions, general managers of fast food chains, Provosts of local colleges and other business leaders – beware. If you plan on recovering financial or legal losses from a security breach or incident, the burden of proof is yours.

Information security can be a dirty job. There have been many occasions where I’ve been called in to help new clients respond to and recover from databreaches and security incidents that they weren’t prepared for. As a security professional, these requests elicit a series of pre-programmed responses:

  1. Is the incident contained?
  2. What is the extent of the damage?
  3. Is the attacker or payload still resident?
  4. What recovery mechanisms are in place and will they work?
  5. What legal and regulatory reporting is necessary?

Whether you subscribe to NIST, ISO, ITIL or other standards, there are a number of steps to ensure successful incident handling. As was learned in the Casey Anthony case, none is more important than the proper collection and handling of evidence. The following are a number of recommendations that will keep you from making serious errors when performing any type of forensics activities:

  1. Have a plan – First, assume that you will experience a security incident. It will happen, I promise you that. That being the case, having a plan is the number one thing you can do to help your business respond to one. Identify the types of incidents that are possible, who will lead the response team and the basic steps you will take to recover. The previously named standards are an excellent resource for process frameworks, there’s no need to reinvent the wheel.
  2. Use certified professionals – Asking your team to completely, accurately and legally respond to a security incident is like asking the Pakistani Army to capture Osama bin Laden. It will be messy and you won’t get the desired outcome. Enlist professionals to assist with forensics, evidence collection, chain of custody and legal advice. The money spent here will be recovered in the court room.
  3. Minimize change – Until the professionals arrive, minimize change to the affected environment. Leave the PC, server, room, facility or any other asset exactly as it was following the event, if possible. In certain cases, this may not be possible if said assets are incurring further damage. Evidence preservation and incident containment need to balance.
  4. Minimize contact – If possible, minimize or eliminate human contact with the environment.
  5. Document everything – Keep a log of everything that occurs, beginning with the onset of the event. Take pictures, write logs, do whatever it takes to capture everything.
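The last three items above come together in a chain-of-custody log. The following is an added example, not part of the original post or of any standard it names: each artifact is hashed at collection, every custody event records who handled it, what they did and when, and each entry’s hash covers the previous entry’s hash, so an after-the-fact edit to any earlier line breaks the chain and is detected on verification. Handler names, timestamps and the stand-in artifact bytes are constructed for illustration; the `sha256_file` helper is how a real disk image would be hashed.

```python
"""Tamper-evident chain-of-custody log for collected evidence.

Added example, not from the original post. Handler names, timestamps and the
artifact bytes in demo() are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a disk image or log file in chunks so large artifacts fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entry: dict) -> bytes:
    """Deterministic bytes for everything in the entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def add_entry(log: list, item: str, artifact_sha256: str, handler: str,
              action: str, note: str = "", when: str = "") -> dict:
    """Append one custody event; its hash binds it to every earlier entry."""
    entry = {
        "seq": len(log) + 1,
        "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "item": item,
        "sha256": artifact_sha256,
        "handler": handler,
        "action": action,  # e.g. collected, imaged, transferred, analyzed
        "note": note,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(_canonical(entry))
    log.append(entry)
    return entry


def verify(log: list) -> tuple:
    """Walk the chain; report the first entry whose contents or linkage no longer match."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if entry.get("seq") != i:
            return False, f"entry {i}: sequence number mismatch"
        if entry.get("prev_hash") != prev:
            return False, f"entry {i}: not linked to entry {i - 1}"
        if sha256_hex(_canonical(entry)) != entry.get("entry_hash"):
            return False, f"entry {i}: contents altered after hashing"
        prev = entry["entry_hash"]
    return True, "chain intact"


def artifact_unchanged(log: list, item: str, data: bytes) -> bool:
    """Re-hash an artifact before analysis and compare with the hash recorded at collection."""
    recorded = [e["sha256"] for e in log if e["item"] == item]
    return bool(recorded) and sha256_hex(data) == recorded[0]


def demo() -> tuple:
    """Build a three-event chain, then quietly edit an old note and show it is caught."""
    image = b"constructed stand-in for a workstation disk image"  # not a real artifact
    digest = sha256_hex(image)
    log = []
    add_entry(log, "ws-042 disk image", digest, "J. Doe", "imaged",
              note="hardware write blocker used", when="2011-07-05T14:02:00+00:00")
    add_entry(log, "ws-042 disk image", digest, "J. Doe", "transferred",
              note="handed to outside forensics firm, receipt signed",
              when="2011-07-05T16:30:00+00:00")
    add_entry(log, "ws-042 disk image", digest, "A. Roe", "analyzed",
              when="2011-07-06T09:15:00+00:00")
    intact_before, _ = verify(log)
    still_same = artifact_unchanged(log, "ws-042 disk image", image)
    log[1]["note"] = "handed to outside forensics firm"  # after-the-fact edit, not re-hashed
    intact_after, reason = verify(log)
    return intact_before, still_same, intact_after, reason


if __name__ == "__main__":
    print(demo())
```

The log itself is only as trustworthy as the copy you can show was not under the editor’s control, so write each entry to append-only storage or hand a copy of the latest entry hash to a second party as you go; the chain then lets a court see exactly which entry was touched and when the record stopped agreeing with itself.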

There are some in the security industry that will tell you that there’s little we can do to avoid being a victim of a security incident. While I believe that there are reasonable mechanisms for protecting your business, realistically speaking most of us will become a statistic. Those that are prepared will respond, recover and go on with business. Those that are not, will not.

By learning a few basic maneuvers, we can avoid becoming the next State of Florida. After all, there’s a difference between “Not Guilty” and “Innocent”.
