Security Insights

by Gene Schultz, PhD, CISM, CISSP


Lessons Learned from the Société Générale Incident

You probably noticed all the hoopla recently concerning Société Générale’s catastrophic trading incident that reportedly cost this bank nearly €5 billion. Although this loss figure is huge, it is not unprecedented. Brian Hunter, then of Amaranth, lost the equivalent of €4.5 billion in bad energy trades in 2006.

How do incidents of this magnitude happen?

The disturbing answer is that it depends. The case of Jérôme Kerviel and Société Générale had a large security component. Kerviel initiated huge trades that turned sour. He should not have been able to initiate trades of that size, because Société Générale had controls in place that required additional approval for such transactions.

Kerviel reportedly got into the systems of fellow employees by simply learning or guessing their usernames and passwords while he worked late. With access to these accounts, he allegedly used automated means to enter the necessary approvals himself, effectively bypassing the traditional "two-man rule" that permeates the financial and trading world and leaving the bank's risk management staff unable to see the huge positions he had taken on the direction of stock indexes.

He also allegedly entered bogus trades in the opposite direction from his real ones to further cover his tracks. This set of events is very similar to what transpired well over a decade ago at Barings Bank, where trader Nick Leeson was able to social-engineer his way around trading controls. In so doing, Leeson racked up a loss of $1.3 billion, an amount that would translate to approximately $2 billion in today's economy.

Hunter, on the other hand, did not really engage in any activity that could be construed as improper. He became the manager of an energy trading unit within Amaranth and started initiating larger and larger transactions without the restrictions he had been under before he was promoted. The only potential clue that Hunter might be a bad risk was his troubled history in his previous job at Deutsche Bank.

Because the causes of incidents such as these vary so widely, information security professionals (who are so often pressed to make an overwhelmingly convincing case for investing resources in needed security controls) need to be very careful in drawing and communicating "lessons learned" from them.

A definite security-related "lesson learned" does exist in the Kerviel incident: at a minimum, any financial (let alone other) institution that relies on passwords alone to authenticate the approval of mega-transactions is effectively "asking for it." A second approval is worth nothing if the first person can supply it by typing a colleague's password.
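As an added illustration of the control that was bypassed (this is not the bank's code and is not part of the original post), here is a two-person approval workflow that refuses self-approval, refuses any approval not backed by a second authentication factor, and, as an assumed compensating control, refuses an approval entered from the same workstation the trade was submitted from. The threshold, the Session fields and all names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Notional above which a second, distinct person must approve (assumed figure).
APPROVAL_THRESHOLD = 1_000_000


@dataclass
class Session:
    """Authenticated session of the person acting (hypothetical fields)."""
    user: str
    workstation: str
    mfa_verified: bool  # a password alone is not enough to approve


@dataclass
class Trade:
    trade_id: str
    initiator: str
    initiator_workstation: str
    notional: float
    approver: Optional[str] = None
    status: str = "pending"


class ApprovalError(Exception):
    """Raised when an approval violates the two-person rule."""


class TradeDesk:
    def __init__(self) -> None:
        self.trades: Dict[str, Trade] = {}
        self.audit: List[dict] = []  # every decision, accepted or not, is recorded

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def submit(self, trade_id: str, session: Session, notional: float) -> str:
        trade = Trade(trade_id, session.user, session.workstation, notional)
        # Small trades execute immediately; large ones wait for a second person.
        if notional <= APPROVAL_THRESHOLD:
            trade.status = "executed"
        self.trades[trade_id] = trade
        self._log("submit", trade_id=trade_id, who=session.user,
                  notional=notional, status=trade.status)
        return trade.status

    def approve(self, trade_id: str, session: Session) -> str:
        trade = self.trades[trade_id]
        if trade.status != "pending":
            raise ApprovalError(f"{trade_id} is not awaiting approval")
        reason = None
        if not session.mfa_verified:
            # The approval is only as strong as the authentication behind it:
            # a colleague's password in the wrong hands must not be enough.
            reason = "approver did not present a second factor"
        elif session.user == trade.initiator:
            # Separation of duties: nobody approves their own trade.
            reason = "initiator cannot approve own trade"
        elif session.workstation == trade.initiator_workstation:
            # Assumed compensating control: an approval typed in from the
            # initiator's own workstation is treated as suspect.
            reason = "approval must come from a different workstation"
        if reason:
            self._log("approve_rejected", trade_id=trade_id, who=session.user, reason=reason)
            raise ApprovalError(reason)
        trade.approver = session.user
        trade.status = "executed"
        self._log("approve", trade_id=trade_id, who=session.user)
        return trade.status


def approval_rejected(desk: TradeDesk, trade_id: str, session: Session) -> bool:
    """True if the desk refuses this approval (used to exercise the checks)."""
    try:
        desk.approve(trade_id, session)
    except ApprovalError:
        return True
    return False


if __name__ == "__main__":
    desk = TradeDesk()
    trader = Session("trader", "ws-17", mfa_verified=True)
    print(desk.submit("T1", trader, 50_000_000))                                 # pending
    print(approval_rejected(desk, "T1", trader))                                 # True: self-approval
    print(approval_rejected(desk, "T1", Session("colleague", "ws-17", False)))   # True: borrowed password
    print(desk.approve("T1", Session("colleague", "ws-42", True)))               # executed
    for entry in desk.audit:
        print(entry)
```

The point of the example is the second check: the separation-of-duties test compares user names, so it is only as good as the system's confidence that the session really belongs to that user. The rejected attempts are logged as well, because a burst of rejected approvals from one workstation is exactly the signal risk staff would want to see.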

In contrast, no such “lesson learned” appears to exist in the Hunter incident. At the same time, however, these and other incidents in which huge trading losses have occurred once again all point to one indelible truth—that when all is said and done, people are by far the greatest source of risk.

~ : ~

A Tribute to James P. Anderson, Jr.

Despite assertions that the practice of information security constitutes a “folk art,” I have a high regard for this field. One of the things I like the best about information security is that it is based on an abundance of sound, well thought out ideas, concepts, and models.

The pioneers of this field in the late 1960’s through the early 1980’s deserve the preponderance of the credit for coming up with the seminal ideas, concepts and models that have set such a good foundation for information security. It is in this context that I pay tribute to the late James P. Anderson, Jr., who recently passed away.

It is difficult to envision how anyone could have contributed more to the field of information security than James Anderson.

He, for example, contributed substantially to the content of the “Rainbow Series,” particularly the “Orange Book” (Trusted Computer System Evaluation Criteria) and the “Red Book” (Trusted Network Interpretation). He is widely credited with having created the concept of the “Security Reference Monitor,” a component of a trusted computing system that checks to determine whether or not access attempts are legitimate. He is also widely credited with coming up with the concept of intrusion detection, an area that has grown prolifically over the years.

Just three years after James Anderson’s now legendary report to the US Government in which he coined the term “intrusion detection” and pointed out the need for it, the first intrusion detection system was built and deployed.

James Anderson also worked extensively with the US Government to help establish an agenda and plan for government-funded information security research. Despite all his accomplishments, James Anderson remained a modest, humble person.

The pioneers of the field of information security deserve considerable credit and recognition, and in my mind none deserves more than James Anderson. We can only hope that another generation of bona fide innovators of the caliber of James Anderson will surface and move the field forward to the degree that he did.

~ : ~

Tenth Prediction for 2008

International cooperation on computer crime and information security will grow substantially

This blog entry covers the last of my ten predictions about events and trends that I expect to occur in 2008. My final prediction is:

10. International cooperation in dealing with computer crime and information security issues will grow substantially, driven by the increasing realization that the lack of cooperation so widespread over the years has gotten law enforcement and countries nowhere.

International cooperation with respect to fighting any kind of crime is almost without exception difficult to achieve.

Different laws in different countries, different values concerning what is worth prosecuting, different levels of authority given to various law enforcement entities, lack of up-front agreements, mistakes made during investigations, the elusiveness that criminals can achieve by crossing international borders, and sometimes just plain everyday pettiness within law enforcement entities have all proven to be significant hurdles to prosecuting international crime.

Fighting computer crime is no exception to the rule, although success in prosecuting international Internet-based child pornography rings has occurred more frequently than in prosecuting other types of computer criminals. Interpol and Europol are at least in theory coordinating the investigation and prosecution of computer crime in Europe, but no matter how well they have tried, neither of these organizations has racked up many significant victories in their efforts.

What Robert Courtney said well over two decades ago, namely that most computer crime does not result in prosecution and most computer crime prosecutions do not result in convictions, still very much holds today. The ease with which Internet traffic crosses national boundaries has only made things worse.

In recent years, however, international efforts to track computer criminals and bring them to justice have started to produce a greater number of success stories.

Recent arrests followed by convictions in countries such as the US, UK, Russia and Romania have involved coordination among law enforcement officials from a variety of countries.

Slowly but surely countries are passing new anti-computer crime legislation and sometimes also updating old legislation such as the UK’s Computer Misuse Act (which was originally passed in 1990) to make its provisions correspond more closely to the nature of today’s computer crimes. Additionally, law enforcement officials are becoming increasingly computer savvy, something that has become necessary because of the ever growing sophistication of computer crime.

Finally, the growing concern over terrorist attacks has contributed considerably to growing cooperation among law enforcement entities in different countries. It is thus not at all difficult to predict that cooperation in fighting computer crime will increase considerably in 2008.

~ : ~

Ninth Prediction for 2008

TJX’s Security Breaches Will Force it to Go out of Business or to Merge with Another Company

This blog entry is the ninth related to my ten predictions concerning events and trends that I have gone on record as saying will happen in 2008. This prediction is:

9. The financial and legal repercussions of TJX’s data security breaches will snowball to the point that this company will be forced to sell itself or to merge with another company just to survive.

TJX experienced the all-time largest data security breach involving payment card information. Somewhere between 46 million (according to TJX) and 94 million (according to card-issuing banks) customer payment cards were compromised as the result of a remote break-in at TJX that, unbelievably, no one discovered for over 18 months. The incident has led to numerous cases of identity fraud as well as lawsuits by card issuers and individuals.

TJX is a huge corporation with massive financial assets, making it difficult to imagine how such a giant could go out of business or be forced to merge with another corporation to stay in business.

Could losses of a magnitude that could force TJX out of business occur? Forrester Research gave the first inkling of this possibility by predicting that TJX’s incident could ultimately cost this corporation $1 billion, a number that initially proved to be the basis of considerable debate. Forrester’s prediction is, however, becoming less controversial as TJX’s incident-related costs have soared.

TJX itself has reported that it has by now spent or set aside approximately $250 million in connection with the incident. This estimate (like all of TJX's estimates in connection with its data security breaches so far) is almost certainly low. And there is much more in store for TJX, both in terms of still-unsettled lawsuits and penalties to be assessed for TJX's having been found in violation of the PCI-DSS standard.

Furthermore, the negative impact upon TJX’s public image is difficult to assess, but it is not difficult to imagine that it has been large.

Finally, it is important to remember that there is a precedent for a large company having to sell itself as a result of a massive data security breach. CardSystems Solutions was forced to sell out to Pay By Touch in the aftermath of its then-record breach, which exposed some 40 million card accounts, several years ago.

I truly hope that TJX will not go out of business; it is a real shame that the possibility of going out of business even exists.

The big lesson learned out of this whole mess is that senior management must genuinely wake up to the need for effective security risk management. Once security breaches of the magnitude of the ones experienced by TJX actually occur, senior management gets a dramatic wake-up call, so to speak, but by then it is often too late.

~ : ~

Eighth Prediction for 2008

The Growth of Importance of PCI-DSS Compliance

This blog entry is the eighth concerning my ten predictions regarding events and trends that I have said will come to fruition in 2008. The eighth is:

8. PCI-DSS compliance will grow in focus and importance to the point that it will become one of the top two or three security issues in the security practices of organizations that handle credit card information. Fines for non-compliance will also proliferate as an increasing number of corporations and organizations are found to be out of compliance.

Although I knew something about compliance before I came to High Tower Software, my work here has made me realize how relatively little I actually knew before.

My job has necessitated that I become thoroughly acquainted with the major regulations and statutes involving information security issues. Of all the ones with which I have dealt, none has been as complex to both interpret and translate into requirements for the High Tower security event management appliance’s reporting capabilities as PCI-DSS requirements.

Some PCI-DSS requirements, such as not allowing cardholder data to be transmitted over open networks in the clear, are straightforward. Others, such as logging the creation and deletion of all system-level objects (an audit-trail requirement), are much harder both to interpret and to demonstrate compliance with. The fact that there are four merchant levels, each with its own validation requirements, only complicates things more.
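Even the "straightforward" requirement is hard to verify in practice, because card numbers leak into places nobody intended, such as web server and application logs. The scanner below is an added example (not part of the original post and not code from any High Tower product): it finds candidate primary account numbers in text, discards the many 13- to 19-digit strings that fail the Luhn check, and reports only masked values so that the scan output does not itself become cardholder data. The log lines are constructed for the example; the card numbers in them are well-known test numbers.

```python
import re
from typing import Iterable, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check-digit test used by all the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the PANs (digits only) found in one line of text."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):      # drops order numbers, timestamps, session ids
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI truncation rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(line number, masked PAN) for every PAN found in the clear."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask(pan)))
    return findings


# Constructed web-server log excerpt. Line 3 carries a 16-digit order number
# that fails the Luhn check and must not be reported.
SAMPLE_LOG = [
    "2008-01-15 10:22:33 POST /checkout card=4111111111111111 exp=0310 amt=49.95",
    "2008-01-15 10:22:34 POST /checkout card=4111 1111 1111 1111 exp=0310 amt=12.00",
    "2008-01-15 10:22:35 order_id=4111111111111112 status=ok",
    "2008-01-15 10:22:36 POST /checkout card=378282246310005 exp=1109 amt=210.00",
    "2008-01-15 10:22:37 GET /status session=1234567890 ok",
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: PAN in the clear: {masked}")
```

Run against real log directories, the Luhn filter is what keeps the scan usable: roughly one random 16-digit string in ten passes it, so the regex alone would bury the true findings in order numbers and identifiers. A hit on a line like line 1 above means the application is writing the full card number to disk, which is a finding under the storage requirements as well as the transmission one.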

Complexity does not in and of itself necessarily increase the importance of an issue, however. The constantly growing importance of PCI-DSS compliance traces largely to the consequences of being caught out-of-compliance.

Enforcement of PCI-DSS compliance is very similar to the way subway fares are handled in many European countries. Every rider is required to buy a ticket, but instead of someone checking or punching tickets before the rider enters the boarding area, each rider can walk to and board a train without any check at all. Someone who does not buy a ticket will most likely get away with it.

However, fare inspectors sometimes board a train and check tickets, and anyone caught without one is fined heavily. The same is true of PCI-DSS compliance. An organization can do absolutely nothing to comply, and it will very likely get away with it. If an incident occurs that makes it apparent that the organization is out of compliance, however, a variety of penalties can be assessed.

One of the most severe penalties is raising the cost of each card transaction, which can in the long run add millions of dollars a year to an organization's transaction costs. The card brands, acting through acquiring banks, are in effect just starting to assess fines; as their mechanisms for checking compliance become more sophisticated, the likelihood that more merchants and service providers will be found out of compliance will in all likelihood increase. Additionally, more second- and third-time violations will be discovered, resulting in escalating fines.

Finally, PCI-DSS applies to many more organizations than originally widely believed. Even colleges and universities, which typically have many credit card transactions in connection with donations, ticket sales for cultural and athletic events, and more, are now having to devote concerted effort to achieve the necessary level of PCI-DSS compliance.

As I have said in other blog postings, compliance is becoming one of the most if not the most important areas within information security, one that generally merits board-level attention. PCI-DSS compliance is no exception, so considering this as well as the other reasons I have discussed in this posting, it is logical to predict that the importance of this type of compliance will greatly increase in the coming year.

~ : ~

Seventh Prediction for 2008

CISOs Will Increasingly Report to Top-Level Management

This blog entry explains the seventh of my ten predictions regarding events and trends that I have claimed will come to fruition in 2008. The seventh one is:

7. The trend of CISOs reporting to executive-level management will accelerate due to the increasing importance of information security within organizations.

Not so terribly long ago, the title “Chief Information Security Officer (CISO)” was virtually unheard of. Information security managers were generally buried somewhere at lower levels within organization charts, often two or more reporting levels removed from the Chief Information Officer (CIO).

Things have changed drastically over the last six or seven years, however. Growing recognition of how much organizations rely on information and information processing assets, and of the critical need to protect both, has greatly expanded the perceived importance of the information security function.

News of often dramatic security-related breaches in which organizations have lost millions of dollars and have also sustained major public relations damage has made its way into the media such as the Wall Street Journal to which executive management pays attention.

Additionally, the ever growing need for compliance due to the many regulations that now exist and that have at least some information security-related components in them has created the need to have input from and action by the information security function within organizations.

These developments have all led to a marked trend for the information security managers of organizations both to report directly to executive-level management and to be called CISOs. A 2005 PricewaterhouseCoopers report in fact indicated that 21 percent of CISOs surveyed reported directly to the CEO.

This trend has if anything only become more pronounced since this survey’s results were announced. The majority of my friends and colleagues who hold the top information security management positions within their organizations have the title of CISO and report directly to the CEO. Some still report to the CIO, something that I do not consider optimal because information security far transcends IT security, but if they do, at least they report directly to the CIO rather than to a CIO intermediary.

With cybercrime and cyberespionage growing as they have been, with malware continuing to become increasingly complex, and with the complications that invariably accompany compliance, information security has become increasingly visible not only within “C-level” management, but also within boards of directors.

It is thus not at all difficult to predict that CISOs will if anything increasingly report to top-level management.

~ : ~

Sixth Prediction for 2008

Someone Will Bring the Internet Down

This blog entry elucidates the sixth of my ten predictions regarding events and trends that I have predicted will transpire in 2008. This prediction is:

6. An attacker or group of attackers will for the first time succeed in an attempt to bring the entire Internet down for a period of several hours or possibly even longer.

Denial of service attacks occur frequently, much more often than people realize. Their consequences vary from minor ones, such as temporary unavailability of networking and system freezes, to major ones, such as the complete network failure that a distributed denial of service attack can cause. The motivation for launching such attacks also varies greatly.

Some attackers are "joy riders" who get satisfaction from causing disruption in systems and networks; others appear to be "electronic vandals" who are in many ways analogous to people who shatter windows in buildings. Still others are motivated by financial profit, often by attempting to extort organizations into paying to have their public Web sites left undisturbed.

How vulnerable is the Internet to a denial of service attack that brings it down?

Debate on this question has gone on for many years and is likely to continue even after the Internet actually is brought down.

Two well-known attacks on the Internet's DNS root servers, in October 2002 and February 2007, came close to succeeding. In both instances someone (more likely a group) degraded or knocked offline a number of the root servers for hours. The result in both cases was a slowdown but not a failure of the Internet. Experts speculated that if the perpetrators had been able to take down one or two more root servers, the Internet would indeed have gone down.

The root server operators made significant changes after the 2002 attack. The most important was to deploy anycast, so that each root server address is now answered by many geographically distributed instances, and an attack against any single site is much less likely to result in a massive outage.

Despite these changes, the Internet remains more vulnerable to a massive outage from denial of service attacks than many people imagine. When push comes to shove, denial of service attacks are fundamentally among the hardest, if not the hardest, types of attacks to counter, because Internet mechanisms are built to allow, not deny; the Internet backbone is in essence designed to pass a high volume of traffic from one point to another.

Preventing denial of service attacks, in contrast, requires the ability not only to filter out undesirable types of traffic but also to monitor and limit the amount of traffic. Additionally, the protocols on which the Internet relies are by no means deficient, yet from a security standpoint some of their properties are potentially extremely useful to perpetrators of large-scale denial of service attacks.

Consider, for example, IP itself: IP packet fragmentation can readily be abused to cause denial of service. And services such as the domain name system (DNS), on which Internet functionality depends, were by no means originally created with security in mind. Some degree of security has been retrofitted into these services, but retrofitted security is never as good as security that has been built in.

The “bottom line” is that it is just a matter of time, probably sooner rather than later, before the entire Internet is brought down. The amount of disruption and loss will be huge because of the great dependence that businesses have on Internet transactions.

The good news is that the outage is not likely to last for more than a few hours. The combination of the built-in resilience of Internet functionality and mechanisms and dedicated, concerted efforts by organizations will in all likelihood lead to rapid diagnosis and remediation of the cause of the outage.

~ : ~

Fifth Prediction for 2008

Linux and Macintosh Systems Will Be Increasingly Attacked

This blog entry explains the fifth of my ten predictions concerning events and trends that I predict will occur in 2008. This prediction is:

5. Attackers will continue to shift their focus from attacking Windows systems and towards attacking Linux and Macintosh systems.

Over the years patterns of attacks have changed drastically. Two decades ago attacks such as brute force password-guessing attacks were among the most prevalent of attacks. Today few such attacks occur. The same is true for attack targets. Two decades ago VMS systems were the preferred targets of attack. Since the mid- to late-1990s until this year Windows systems have been targeted more than any other type of systems. I predict, however, that Windows systems will soon lose the allure that they have had for attackers for so many years and that Linux and Macintoshes will be the new preferred targets.

There should be little mystery concerning why Windows systems have been so frequently attacked for so long. Three major factors have come into play:

  1. Windows systems have typically proven to provide a target-rich environment for attackers. Until only several years ago, new releases of Windows operating systems were bug-ridden, giving attackers many ways to gain unauthorized access to systems and also (more importantly) to gain unauthorized Administrator or SYSTEM privileges.
  2. Windows users constitute an unusually weak link with regard to security. Users of Windows systems tend to be the most naïve of all when it comes to knowledge of sound security practices, in part because of the extreme ease-of-use of Windows user interfaces and in part because Windows systems tend to be very affordable for home users compared to other types of systems. Despite warnings, these users continue to engage in dangerous computing practices such as opening attachments that they are not expecting, visiting dangerous Web sites, and failing to install badly-needed patches.
  3. Animosity towards Microsoft. For a variety of reasons, many attackers and authors of malicious code have had hostile attitudes towards Microsoft and its products.

Attackers' preferences are already changing, however, in that they are now focusing an increasing amount of attention on Macintoshes and also on Linux systems, a trend that is likely, if anything, to grow even more. For example, the last ShmooCon conference (which, by the way, I consider to be one of the best one or two conferences for technically-oriented security people available anywhere) focused far more on attacking Macintoshes than any other type of system. Why? Again, a variety of reasons exist, including:

  1. Boredom. The attacker community has mercilessly attacked Windows systems for years using a variety of methods. After all these years, however, the “thrill” of attacking Windows systems has subsided substantially. This community is thus not surprisingly turning its attention to new challenges that include attacking other systems such as Linux and Macintosh systems.
  2. Windows systems have become more difficult to attack. First and foremost, Windows systems are now far more secure after installation than ever before. Microsoft's Trustworthy Computing initiative, which Bill Gates launched in January 2002, among other things mandated much better security engineering in Microsoft's software development process than ever before. This initiative has over time proven highly successful, as shown by the much better out-of-the-box security of Windows Server 2003 and Windows Vista. Microsoft is also now doing a much better job of creating and distributing patches for these systems.
  3. The number of vulnerabilities being discovered in Linux and Macintosh systems is larger than one might suspect. Vulnerability statistics such as those at secunia.com show that a substantial proportion of reported security vulnerabilities are in Linux and Unix systems (including Mac OS X 10.x), not merely in Windows. The many vulnerabilities in Linux and Macintosh systems thus also help create a target-rich environment for attackers.
  4. Linux and Macintosh users are comprising an increasing proportion of casual users. The increasing popularity of Linux and Macintosh has resulted in a substantial growth in the number of casual Linux and Macintosh users. Their knowledge of good security practices is no higher than that of Windows users, leaving them and their systems highly vulnerable to attacks.
  5. Operating systems other than Windows systems often facilitate script-based attacks. Scripting provides a very powerful way to attack systems. Linux and Unix provide the richest and most readily available scripting environment.

~ : ~

Fourth Prediction for 2008

Rootkits Will Proliferate

This blog entry explains the fourth of my ten predictions regarding events and trends that I have gone on record as saying that will occur in 2008. The prediction is:

4. There will be a proliferation of rootkits, particularly kernel-level rootkits and rootkits that work as spyware, to the point that a surprisingly large percentage of systems that connect to the Internet will be rootkit-infected without the knowledge of either users or system administrators.

A rootkit is a kind of Trojan horse program that, once installed on a compromised host, alters the operating system so that signs of the attacker's activities (including the changes made while installing the rootkit itself) are not evident. Attackers who have installed a rootkit can typically access the host remotely whenever they want.

Rootkits often substitute system programs and libraries with versions that seem to be normal, but that in actuality sabotage the integrity of the compromised host. Rootkits are in many ways the ultimate type of malware nowadays because computer criminals increasingly desire financial gain from their activity, but to achieve their goal, they must be as surreptitious as possible.

User-level rootkits replace the executables and system libraries that administrators and users rely on (ls, ps, netstat, libc and the like), with the changes carefully hidden. Kernel-level rootkits change parts of the victim host's operating system kernel, or may even replace the kernel entirely, typically by hooking system calls or altering kernel data structures. Process and other listings are altered to hide the rootkit's processes and other traces. Program execution is often "redirected" so that malicious instructions, not the original ones, are executed in memory.
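One consequence of the description above is the standard way practitioners hunt for a process-hiding rootkit: obtain two views of the process table through different kernel paths and diff them. The code below is an added example (not part of the original post, and not any particular tool's code). It compares the PIDs that readdir() on /proc reports, which is what ps uses and what a rootkit usually hooks, with the PIDs that answer kill(pid, 0), a path a rootkit may have forgotten to hook. The directory listing and probe in the sample are constructed to simulate one hidden process; live_scan() does the same against a real Linux system and assumes the usual /proc layout.

```python
import os
from typing import Callable, Iterable, List, Set


def pids_from_listing(proc_entries: Iterable[str]) -> Set[int]:
    """PIDs as reported by readdir() on /proc, the view that ps and top use."""
    return {int(name) for name in proc_entries if name.isdigit()}


def pids_by_probing(max_pid: int, exists: Callable[[int], bool]) -> Set[int]:
    """Brute-force every possible PID through an independent path."""
    return {pid for pid in range(1, max_pid + 1) if exists(pid)}


def hidden_pids(listed: Set[int], probed: Set[int]) -> List[int]:
    """Processes that answer the probe but are missing from the listing."""
    return sorted(probed - listed)


def stable_hidden(scan: Callable[[], List[int]], rounds: int = 3) -> List[int]:
    """Repeat the scan and keep only PIDs hidden every time: a process that
    exits between the two views shows up once, a rootkit's process every time."""
    survivors = None
    for _ in range(rounds):
        found = set(scan())
        survivors = found if survivors is None else survivors & found
    return sorted(survivors or [])


def linux_process_exists(pid: int) -> bool:
    """Probe one PID on Linux: kill(pid, 0) plus a check that it is a process
    and not a thread id (threads answer kill() but are never listed in /proc)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists, owned by someone else
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid  # a thread has Tgid != pid
    except FileNotFoundError:
        pass  # answers kill() yet has no /proc entry: exactly what we are looking for
    return True


def live_scan() -> List[int]:
    """Cross-view scan of the running system (Linux only; an assumption)."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    return hidden_pids(pids_from_listing(os.listdir("/proc")),
                       pids_by_probing(max_pid, linux_process_exists))


# Constructed data: /proc lists four processes, but five answer the probe.
SAMPLE_PROC_LISTING = ["1", "2", "532", "1077", "self", "cpuinfo", "sys"]
SAMPLE_REAL_PIDS = {1, 2, 532, 1077, 4242}  # 4242 is the one the rootkit hides


def sample_scan() -> List[int]:
    return hidden_pids(pids_from_listing(SAMPLE_PROC_LISTING),
                       pids_by_probing(5000, lambda pid: pid in SAMPLE_REAL_PIDS))


if __name__ == "__main__":
    print("hidden in sample:", stable_hidden(sample_scan))   # [4242]
    if os.path.isdir("/proc"):
        print("hidden on this host:", stable_hidden(live_scan))
```

Two caveats a practitioner would want: run the live scan as root (with /proc mounted with hidepid, an unprivileged user cannot see other users' entries and everything looks hidden), and expect it to take a while on a 64-bit kernel, where pid_max defaults to several million. A kernel-level rootkit that hooks every enumeration path defeats this method, which is why the text's conclusion about rebuilding the system stands.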

I have seen various statistics concerning how prevalent rootkits are.

For example, in 2006 Trend Micro found that the number of reported rootkits increased over the year and that rootkits were the most frequently found type of malware. McAfee Labs has reported similar results. At the same time, however, it is difficult to obtain accurate statistics concerning rootkit prevalence because of the extreme difficulty of identifying rootkits.

AusCERT, the Australian Computer Emergency Response Team, found that commonly used anti-virus software fails to detect up to 80 percent of the Trojan horse programs residing on systems. I have no trouble believing AusCERT's claims; after all, anti-virus software is designed more than anything else to discover viruses and worms by using signatures, but signature-based detection methods are much less likely to work when malware is purposefully covert.

Furthermore, rootkits are much more clandestine than are “normal” Trojan programs. The inescapable conclusion, therefore, is that any statistics concerning the prevalence of rootkits must almost certainly seriously underestimate the actual prevalence of this type of malware.

Spyware has also become more prevalent over the years, and not surprisingly, a growing portion of spyware has rootkit functionality. A good example is Rebery, which is installed on victim PCs by malicious Web sites that exploit bugs in Web browsers. Rebery becomes active when users visit certain on-line banking or e-commerce Web sites. It captures customer and transaction-related information (including screen shots), which it then transmits to another Web site. Spyware is quickly and easily installed without users noticing, so the increasing convergence between spyware and rootkits will only make rootkits more prevalent.

Finally, even if rootkits are found, eradicating them is generally not easy.

Numerous programs purported to be rootkit removal tools are widely available, but none of them are anywhere close to 100 percent effective.

Most users, let alone a sizable proportion of system administrators, do not know this, however. Running rootkit removal tools leads to the unfortunate assumption afterwards that a system is normal and healthy, an assumption that too often is blatantly false.

The most reliable way to remove a rootkit is in fact to completely rebuild the system in which the rootkit has been installed, something that most users do not even know how to do. The fact that rootkit eradication is so difficult is yet another reason why rootkits are bound to become increasingly prevalent.

~ : ~

Third Prediction for 2008

Security in eVoting Systems Will Become Considerably Better

This blog covers the third of ten predictions regarding events and trends that I have foretold will occur in 2008, namely that:

3. Vendors of eVoting systems will greatly improve the out-of-the-box security of their products to the point that they will be widely deployed with far less concern for their security than has surfaced so far.

In an earlier blog I discussed security in eVoting machines, saying in essence that there has been a marked improvement in the out-of-the-box security of these machines.

One of the main reasons for this improvement is the fact that states such as California and Maryland have had such serious security-related concerns with some of these systems that they have refused to allow certain vendors’ products to be used in upcoming elections. Countries such as Ireland have pronounced eVoting machines insufficiently secure and reliable to be used in elections.

Whereas eVoting machine vendors initially leveled fierce counterattacks against anyone who raised security concerns about their products, the vendors could not withstand the constant discovery and announcement of serious security-related vulnerabilities in their products.

The University of California research team led by Dr. Matt Bishop, commissioned by the California Secretary of State, produced extremely compelling findings earlier this year that in many ways represented the culmination of the evidence that security in eVoting machines is badly flawed; they found numerous ways that perpetrators could defeat or bypass security in eVoting machines to manipulate election results.

Vendors have thus really been left with no other choice but to attempt to improve the security of their products.

Significant change never comes overnight, and eVoting system security is no exception. Security flaws are still being found in eVoting systems; this trend is not likely to go away.

What has changed, however, is that eVoting systems that were not certified or that were decertified for use in elections only a few years ago are now starting to be certified for such use. News concerning discovery of new vulnerabilities in these systems also seems to be less commonplace.

Before I close, I feel compelled to recognize an individual who pioneered the effort to identify security-related flaws in eVoting systems and to educate the US government and the public about them — Dr. Avi Rubin, professor of computer science at Johns Hopkins University.

He persisted in his efforts even though there was little or no personal gain in store for him and despite numerous death threats. Secure eVoting systems are starting to be reality, not an impossible wish, and Dr. Rubin deserves a great deal of the credit.

~ : ~