October 26th, 2007
For years news stories and postings have focused on the disproportionately high percentage of attacks on US government and other systems that appear to have originated from the Peoples Republic of China (PRC).
I have seen firsthand systems that appeared to have been attacked and taken over by individuals within this country. In one case a Web server for a site that distributed data related to nuclear physics research had obviously been compromised by someone from the PRC. The source IP address of traffic sent to this server was one registered to a host in the PRC (which in and of itself was not by any means conclusive proof), the destinations of many outbound connections initiated by that server were addresses in this country, and the intruder had downloaded many files written in Chinese.
Interestingly, this and a number of related attacks within a relatively short period of time occurred around the time a US military aircraft had collided with one belonging to the PRC over PRC air space.
Over the last few years US State Department computers have apparently been targeted by the PRC. Attackers exploited vulnerabilities in programs such as Microsoft Word to craft attachments that, if opened, caused malware to be installed on the victim machine. Destination addresses of connections from the victim machines were traced to the PRC. Earlier, the UK Home Department experienced a rash of attacks (including “spear phishing” attacks), once again apparently from the same origin.
Has the PRC launched a massive espionage effort, and if so, is this country the only one involved in such an effort?
Joel Brenner, US National Counterintelligence Executive and Mission Manager for Counterintelligence in the Office of the Director of National Intelligence, recently said “no” to the latter question. He asserted that attacks against US government computing systems originate from many nations, certainly not exclusively from the PRC. Brenner pointed out the fact that spoofing source IP addresses of Internet attacks is commonplace.
But what about the answer to the first question above? Is the PRC involved in international espionage?
In my mind, there is little doubt that this is true. At the same time, however, it is important to realize that many other countries, the US included, gain intelligence information in a wide variety of ways. Gaining unauthorized remote access to systems and/or installing malicious code and then copying files and sniffing keystrokes comprise a rather easy, low risk, and low cost method of obtaining needed intelligence information. My hunch is, therefore, that virtually all the world’s largest countries as well as many others are actively involved in computer-related espionage efforts.
The real question thus is what can be done about such attacks, given that the probability of apprehending and bringing to justice those who perpetrate international espionage attacks is nearly zero?
What many senior managers of corporations and heads of other organizations such as non-profit research institutions and universities do not realize is that their computing systems are just as likely to be attacked by perpetrators of international espionage as are government systems. Gaining proprietary, state-of-the-art information about technology is, for example, extremely advantageous to a country.
So what is the solution?
The solution is developing a program that results in an adequate or better security posture, one that manages security-related risk to an acceptable level.
Too many organizations, government organizations very much included, have not achieved this goal; many are not even conscious of the need for doing so. In many ways, therefore, the practice of information security is still in the “dark ages.”
Perhaps the realization that one’s computing systems and information stored therein are often the targets of proficient and sustained espionage efforts will help serve as a wake-up call that motivates senior management to start taking information security seriously.
~ : ~
October 24th, 2007
In addition to being the Chief Technology Officer of High Tower Software, I am also the Chief Information Security Officer. The latter of these roles is often much more intensive and time-consuming than I originally envisioned. The good news is that I have laid a lot of the groundwork for our ongoing security practice and have had phenomenal support from High Tower’s senior management. The bad news is that there is never enough time to do all the things that I would like to do to grow our information security program.
Being a security manager also involves many so-called wake-up calls, events that happen that take you by surprise. One of my wake-up calls began last summer.
High Tower outsources its payroll and some of its HR functions to a large administrative services provider. Last summer all High Tower employees were required to complete training concerning harassment on the job; to do so, each employee had to hit a link on the service provider’s Web site. To obtain a password, however, employees had to first enter their Social Security numbers. When I learned of this, I contacted the service provider to express my concerns. My inquiries were bounced around from one manager to another until they somehow ended up in the hands of a product manager who worked in services technology. He assured me that there was really no danger in requiring that employees enter their SSNs.
That was red flag number one.
When I replied, protesting that phishing is one of today’s major security threats and that forcing employees to enter personal information effectively set them up for phishing attacks, I received no further reply.
Just today I received a phone call from a High Tower employee who informed me that she had recently received a letter from the service provider saying that her SSN and other personal information were on a laptop that was lost. She was assured, as I was previously, that there was really no danger that resulted from this incident, but nevertheless the service provider offered her free credit monitoring services for one year.
That was nice, but I fear that this company is totally missing the point when it comes to information security.
Frankly, I am nervous about doing business with this company because of its obvious lack of due care in these security matters. High Tower works hard and invests a considerable amount of resources to ensure that its computing environment and data therein are safe. This service provider in effect comprises a weak link in High Tower’s practice of information security.
I wrote a message to the service provider pointing out the deficiencies in its practice of security and asking not only that it cease requiring that SSNs be entered for users to obtain passwords, but also that it no longer store our employee data on laptop systems. I am waiting for a reply.
Hopefully, this service provider will have its own wake-up call and will start addressing the deficiencies I have identified. If not, there is no question in my mind that I will press for dropping this company as our administrative services provider.
Security counts. Services that are delivered without suitable security are not acceptable. And I predict that in the future there will be more companies such as mine that will notice security deficiencies in provided services and do something about them—press for change or change service providers altogether.
~ : ~
October 22nd, 2007
The word “compliance” has developed a meaning and significance of its own in the IT sector, the IT security part of this sector very much included. A variety of new regulations has surfaced over the last decade; many of these regulations’ provisions in some way involve information security. For example, Sarbanes-Oxley (SoX) section 404 requires continuous real-time monitoring of assets that contribute to the profit-loss status of a publicly-held corporation in the US.
Whereas information security professionals have traditionally viewed security-related risk in terms of confidentiality, integrity and availability, the many regulations that to some degree involve information security have forced information security professionals as well as senior-level management to embrace the concept of compliance-related risk. Failure to comply can produce far worse outcomes than can some of the most egregious security-related incidents, not only in terms of fines, sanctions, and even jail terms for senior management, but also in terms of negative public perception.
In theory, complying with information security compliance regulations should be neither conceptually difficult, nor should an organization have to expend a considerable amount of resources to do this. In reality, however, the dead opposite has generally been true. One of the major obstacles to achieving information security compliance is ambiguity in interpreting the requirements of each provision within each regulation. Additionally, the sheer number of regulations (the European Union Privacy Directive, ISO 27001, SoX, Gramm-Leach-Bliley, HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), FISMA (Federal Information Systems Management Act), Basel II, and others) has made compliance a major headache for a large number of organizations.
From a pure information security perspective, compliance is a two-edged sword. Without it, organizations with deficient security practices are too often content with the status quo. At the same time, however, compliance does not necessarily produce adequate security. The best example is FISMA compliance in which an organization with an exceptionally poor security control posture can pass FISMA audits with flying colors simply because it has produced a large amount of documentation.
All things considered, compliance requirements have served to boost the security control postures of organizations for several reasons. First and foremost, because these requirements generally involve information security, senior management has tended to get information security professionals involved in compliance-related issues, thereby elevating the value, status and credibility of information security. Second, the need for information security-related compliance has provided information security groups with resources that almost certainly would not otherwise have been available. Third, organizations have been forced to deal with security issues such as adequate access controls for access to financial information and adequate monitoring processes that might otherwise have been overlooked.
If anything, expect an increasing number of information security-related compliance requirements in the future. Tolerating poor security control postures that lead to a plethora of security-related incidents is no longer feasible. The number and severity of security threats are growing at an astronomical rate, resulting in escalating risk with huge potential negative impacts upon the public as well as stockholders. So compliance is here to stay, whether or not you or anyone else likes it. The only reasonable response is to deal with it as one of the many types of risks that must be mitigated.
~ : ~
October 18th, 2007
IT security and information security are viewed by many as being the same, but they are in many respects worlds apart. Information security addresses a wide range of security-related risks, benefits and processes associated with information and information processing resources. Additionally, information security is generally driven by executive management, usually with at least some level of support from the board of directors.
In contrast, IT security focuses on technology, namely the technology needed to achieve security, and is typically driven by the CIO. In IT security, risk mitigation translates to using tools such as firewalls, intrusion detection and intrusion prevention systems, virtual private networks, anti-virus and anti-spyware tools, third party authentication solutions, and more.
Information security and IT security are not diametrically opposed to each other. For example, information security does not by any means eschew security technology; an effective information security practice in fact uses security technology liberally. Without firewalls, intrusion detection and prevention systems, and so on it is virtually impossible to adequately manage security risk.
At the same time, however, the emphasis of information security is on the business of the organization that it serves. According to this view, technology exists only to serve the business; technology that is not related to business drivers is a wasteful mistake.
Until the last few years, the overwhelming emphasis within the information security arena was on IT security. Major breakthroughs in security technology helped to make this trend inevitable.
In the last few years, however, things have changed considerably in that information security is starting to gain the upper hand. One of the most important indicators of this change is the fact that information security managers, formerly often buried somewhere within IT organizations, are now more than ever C-level officers of organizations; they frequently report directly to the CEO, or if not, to someone other than the CIO. Information security is also often now a board-level issue. Previously, information security managers frequently held one or more degrees in computer science; today’s information security managers increasingly hold one or more degrees in business or a related discipline.
Although information security is starting to gain the upper hand, IT security is still well-entrenched and is likely to be with us for a long, long time. The tendency to make security-related decisions based purely on technological considerations is likely to persist. But doing this is foolish, and in time information security is bound to prevail because it is far more closely aligned with organizations’ business drivers than is a pure technological approach.
Again, technology does not drive the business. Business should instead drive technology, and the more that it does, the better technology’s return on investment is.
~ : ~
October 15th, 2007
Every once in a while I read something in the news that is so outrageous that I just have to rant a bit, so here goes. The founders of a certain Web site, WabiSabiLabi, have recently announced their intention to create and run a vulnerability auction site. They will verify that each vulnerability that is reported is bona fide and will with each vulnerability they sell provide proof of concept. Initially (i.e., the first half year) access to the site will be free; afterwards buyers and sellers of vulnerability information will be assessed a charge of 10 percent for each transaction in which they engage. Ultimately, the founders of this site think that the majority of the profits they make will come from services based on a vulnerabilities knowledge base that will be created from the vulnerability information that is auctioned.
The founders of the WabiSabiLabi site claim that by holding auctions for vulnerability information they will be bolstering the practice of information security. They assert that currently the researchers who discover vulnerabilities must too often resort to giving away the information they discover for free; the information may even fall into the hands of computer criminals. Instead, according to the founders, researchers will be compensated fairly for their efforts. WabiSabiLabi is being funded by individual investors.
I have no argument with those who criticize the way that vulnerability information is currently disseminated. Anyone who finds a vulnerability is currently in many respects stuck between a rock and a hard place. Vendors in whose products vulnerabilities are found put pressure on vulnerability researchers to disclose what they have found to them and only them. Many vendors look down upon (and too often openly criticize) vulnerability researchers who do not promptly disclose vulnerabilities exclusively to them. At the same time, however, many vendors act in a less than desirable manner once they obtain new vulnerability information in that they tend to be much too slow in developing, testing and distributing suitable patches. While the vendor takes its own sweet time, other vulnerability researchers (or worse yet, the black hat community) might discover and announce the same vulnerability, robbing the original finder of credit for originally discovering the vulnerability. Vulnerability researchers who simply publicly post their discoveries receive credit for finding vulnerabilities, but are widely criticized (especially by vendors) for posting such information before patches are available.
Now enter WabiSabiLabi, which is now promising to fill the pockets of vulnerability researchers (while all the more filling its own pockets). What WabiSabiLabi’s founders do not realize is that by creating an auction site for vulnerability information, they are upping the stakes for vulnerability management far more than ever before. With the highest bidder getting the early vulnerability information without any scrutiny of whether its intended use is legitimate, WabiSabiLabi is opening the door for organized crime, pernicious governments, and unethical individuals to pool resources to win auctions. The white hat community will be forced to spend more than ever before to have a chance of winning auctions, and the more spent in auctions, the fewer resources will be available for badly needed security controls. Furthermore, many of the so-called “vulnerability researchers” are actually nothing more than members of the black hat community who will undoubtedly be exuberant that WabiSabiLabi will provide them with a large piece of their livelihood. So much for WabiSabiLabi’s founders’ claims that they are actually improving the practice of information security.
What we have here is a major ethics issue, one that WabiSabiLabi has entirely overlooked. Vulnerability information ending up exclusively in the hands of the highest bidder means in effect that ethical considerations are completely ignored by the seller. Becoming in effect an employer for the black hat community and its activities is unconscionable. There appears to be one and only one logical course of action for information security professionals: to refuse to participate in WabiSabiLabi’s vulnerability auctions, so as not to aid and abet the enemy, so to speak. At the same time, however, there is some consolation in reports indicating that to date not many individuals and organizations have registered themselves for the auctions. There are, after all, many other potential sources of early vulnerability information, and WabiSabiLabi is by no means the only player in town. Perhaps reason and ethics will ultimately prevail, and WabiSabiLabi will change its approach to disseminating vulnerability information.
~ : ~
October 11th, 2007
Keeping up with the various technologies designed to boost security is one of the most important things that an information security professional can do. Security risks have become increasingly technical in nature, making technical solutions increasingly essential. For example, PC security without anti-virus software and personal firewalls is for all practical purposes an oxymoron. Additionally, today’s security threats have necessitated developing security measures that for various reasons operating system and application vendors have not incorporated into their products.
At the same time, however, a temptation to view security technology as a panacea always exists. Too often I hear an information security manager make a statement such as: “We have a secure environment—we have firewalls, intrusion detection and intrusion prevention systems, anti-virus software, virtual private networks, third-party authentication, and other technology.” As good as security technology has become, none of it is capable of completely mitigating security risk. Humans pose the greatest risk to computing systems and resources; as long as humans are in computing environments, at least some degree of uncontrolled risk will be present. Additionally, humans must nearly always be in the loop when technology is installed, configured, maintained, and ultimately at some point removed, resulting in an elevated probability that someone will in some way subvert the technology.
Security technology is indeed no panacea, yet information security practices that use it properly reap immense benefits. The trick is to achieve the right balance between security technology and the non-technical sides of a security practice. In many respects, non-technical controls such as policy, standards, procedures and guidelines are potentially less costly from a financial standpoint. If, for example, a provision in a security policy directs users to avoid visiting Web sites that promote racial and ethnic hatred, it is not unreasonable to assume that the vast majority of employees will abide by this provision. A small percentage will not, but given that most employees will, this solution could very well be much more cost effective than implementing a set of technical controls that monitor Web access and abort sessions in which users visit hate sites. Assuming that sufficient resources for security controls exist (something that in real life settings is seldom true), the following considerations need to be taken into account in planning for and using security technology:
- Costs versus benefits. How much will the technology cost in terms of purchase and maintenance costs over its lifetime? What liabilities does the technology introduce? Do the benefits, primarily business benefits, sufficiently outweigh the costs?
- Amount of risk mitigation. Some security technology is intrinsically better than others because it leaves less residual risk when it is deployed. For example, some security technology (such as single sign on technology) does not do nearly as well in reducing risk related to falsified identities as do most types of third-party authentication.
- Availability of human resources. Security technology offers a potentially huge advantage in that it can serve as a resource multiplier in an arena in which there are never enough resources. There is no better example than monitoring, which is one of the most labor-intensive tasks in information security. Technology such as intrusion detection and intrusion prevention tools as well as security event management technology automates the monitoring process, freeing technical staff to work on other important tasks.
- Integration with other technology. Technology that fits in with existing technology is best. “Point solutions” are unsatisfactory in that they require too much independent “care and feeding” and are likely to cause more disruption.
- Longevity. Some technologies quickly come and go, whereas others are likely to persist even though it is likely that they will change over time. Selecting the technologies that promise longevity is thus also essential.
- Flexibility and adaptability. Business needs and technology both change over time. Technology must be sufficiently flexible and adaptable to be able to change as business needs change.
- Usability. Security technology that maximizes usability should in general be chosen. Training costs are likely to be substantially lower and user resistance, one of the potentially greatest problems information security practices face, will diminish.
- Defense in depth. No control, whether or not it is technological in nature, is in and of itself all-sufficient. In time one or more weaknesses or limitations in a control will result in the ability to defeat or bypass it. Defense in depth is thus an extremely important consideration. If a control is defeated or bypassed, additional controls need to be in place to deter attacks.
In closing, it is important to remember that using security technology does not ensure high levels of security. Many organizations do not correctly use security technology; accordingly, they reap few if any benefits from it. However, for reasons mentioned earlier, good security without suitable security technology is impossible. The trick is to learn about, plan for and deploy suitable security technology. Paying attention to the considerations discussed in this paper will greatly increase the likelihood of success.
~ : ~
October 8th, 2007
Hi. My name is Dr. Eugene Schultz and I am the Chief Technology Officer as well as the Chief Information Security Officer of High Tower Software.
High Tower produces an appliance that aggregates the output of various computing systems and devices on the network and applies powerful event correlation algorithms to determine whether security breaches and/or policy violations have occurred and if so, their nature and the details surrounding the incident.
Equally importantly, the High Tower appliance provides assurance that organizations that deploy this tool are in compliance with security monitoring-related provisions of laws and regulations such as Sarbanes-Oxley.
I have been in the information security space for nearly 25 years, having been involved in both academia and the business world. I have done things such as teach courses and conduct research in various areas of information security, but particularly firewalls, incident response, intrusion detection, and human factors in information security.
I have also founded and managed the US government’s first incident response team (CIAC) and have consulted for a variety of commercial and non-commercial organizations. I’ve also been the editor-in-chief of information security journals such as Computers and Security (2002 - this year) and Information Security Bulletin (2000 - 2001) as well as the associate editor of or contributor to a number of others.
Finally, I have written or co-written five books; I hope that you have had the time to read at least one of them.
I am launching a blog to share my experiences and lessons learned with you as well as my perspectives concerning a wide range of issues that you and I as information security professionals face or will likely face sometime in the future.
I am interested in a wide range of issues - information security governance, security program progress indicators, security training and awareness, security convergence issues, identity management, computer crime-related legislation, intrusion detection and intrusion prevention, insider attack detection and deterrence, incident response, professional certification, usability considerations related to information security, and more. If you have ever read my editorial comments in the SANS NewsBites (for which I serve as a member of the editorial board), you can be confident that I will fully speak my mind.
Certain developments, such as known attackers of computer systems escaping punishment for their computer crime-related activities, incite me to express strong objections. Other, less controversial issues may not stir me up as much, but trust me, I fully intend to always have something interesting to say concerning them. Any opinions I express will, of course, be purely my own; they will not necessarily represent those of High Tower.
So hang on to your seat, so to speak, and enjoy the ride. And if you don’t like or agree with what I write, please feel free to let me know by emailing me at gschultz @ high-tower.com. I cannot guarantee that I will answer every message that I receive, but I assure you that I will try to do so.
~ : ~