03. August 2009 · Comments Off on Vendor “fined” by customer for lax security that resulted in an incident · Categories: Breaches, Risk Management, Security Management, Vendor Liability · Tags: , , , , , , ,

Richard Bejtlich reports on a story that appeared in the Washington Times last week, "Apptis Inc., a military information technology provider, repaid
$1.3 million of a $5.4 million Pentagon contract after investigators
said the company provided inadequate computer security and a
subcontractors system was hacked from an Internet address in China
…"

As Richard said, this may be a first. When is this going to happen in the commercial market?

Last week at Black Hat, Peter Kleissner, a young software developer from Vienna,
Austria, showed an interesting variation on a rootkit he
calls Stoned which he said can bypass disk encryption. However, I don’t think any disk encryption product, by itself, claims that it cannot be
bypassed by a keylogger.

Here is the scenario: If you lose your PC and the disk
is encrypted with a quality disk encryption product, you can have a high degree
of confidence that no encrypted information will be disclosed.

However, if the
PC is returned to you, you cannot be sure that a root kit and a keylogger have
not been installed on the machine. The risk of disclosing information occurs
when you boot up the machine and authenticate. At that point the keylogger can
capture your credentials and eventually access all the data on the disk (as you
would).

Also, the risk of your PC being “rootkitted” (if there is such a word) while browsing increases if you are working on your PC as an Administrator. Clearly
organizations have policies against this and are able to enforce it.

02. August 2009 · Comments Off on The most severe breaches result from application level attacks · Categories: Application Security, Breaches, Risk Management, Security Management · Tags: , , , , ,

Last week, I highlighted the Methods of Attack data from the Verizon Business 2009 Data Breach Investigations Report. Today, I would like to discuss an equally important finding they reported about Attack Vectors (page 18).

The surprise is that only 10% of the breaches were traced to network devices. And network devices represented only 11% of the actual records breached. The top vector was Remote Access and Management at 39%. Web Applications came in second at 37%. Even more interesting is that 79% of all records breached were the result of the Web Application vector!

Clearly there has been a major shift in attack vectors. While this may not be a total surprise, we now have empirical evidence. We must focus our security efforts on applications, users, and content.

31. July 2009 · Comments Off on Clampi malware plus exploit raises risk to extremely high · Categories: Uncategorized · Tags: , , , , , , , , , ,

The risk associated with a known three year old Trojan-type virus called Clampi has gone from low to extremely high due the sophisticated exploit created and being executed by an Eastern European cyber-crime group.

Just as businesses can differentiate themselves by applying creative processes to commodity technology, so now are cyber-criminals. Clampi has been around since 2007. Symantec as of July 23, 2009 considered the risk posed by Clampi as Risk Level 1: Very Low. I don’t mean to pick on Symantec. McAfee, which calls the virus LLomo, has the Risk Level set to Low as of July 16, 2009. TrendMicro’s ThreatInfo site was so slow, I gave up trying to find the Risk Level they chose.

The exploit process used was first reported (to my knowledge) by Brian Krebs of the Washington Post on July 20, 2009.

On July 29, 2009, Joe Stewart, Director of Malware Research for the Counter Threat Unit (CTU) of SecureWorks released a summary of his research about Clampi and how it’s being used, just prior to this week’s Black Hat Security Conference in Las Vegas.

Clampi is a Trojan-type virus which, when installed on your desktop or
laptop, can be used by this cyber-crime group to steal financial data,
apparently including User Identification and Password credentials used
for online banking and other types of online commerce. Apparently, this
Eastern European cyber-crime group controls a large number of PC’s
infected with Clampi and is stealing money from both consumers and
businesses.

Brian Krebs of the Washington Post ran a story on July 2, 2009 about a similar exploit using a different PC-based Trojan called Zeus. $415,000 was stolen from Bullitt County, KY.

Trojans like Clampi and Zeus have been around for years. What makes these exploits so high risk is the methods by which these Trojans infect us and the sophistication of the exploits’ processes for extracting money from bank accounts.

Security has always been a “cat-and-mouse” game where the bad guys develop new exploits and the good guys respond. So now I am sure we are going to see the creativity of the security vendor industry applied to reducing the risk associated with this type of exploit. At the most basic level, firewalls need to be much more application and user aware. Intrusion detection systems may already be able to detect some aspect of this type of exploit. We also need better anomaly detection capabilities.

Detailed
empirical data on IT Security breaches is hard to come by despite laws like
California SB1386.
So
there is much to be learned from Verizon Business’s April 2009 Data Breach
Investigations Report
.

The specific issue I would like to highlight now is the
section on methods by which the investigated breaches were discovered (Discovery
Methods, page 37). 83% were discovered by third parties or non-security employees
going about their normal business. Only 6% were found by event monitoring or
log analysis. Routine internal or external audit combined came in at a rousing
2%.

These numbers are truly shocking considering the amount
of money that has been spent on Intrusion Detection systems, Log Management
systems, and Security Information and Event Management systems. Actually, the
Verizon team concludes that many breached organizations did not invest sufficiently
in detection controls. Based on my experience, I agree.

Given a limited security budget there needs to be a balance
between prevention, detection, and response. I don’t think anyone would argue against
this in theory. But obviously, in practice, it’s not happening. Too
often I have seen too much focus on prevention to the detriment of detection
and response.

In addition, these
numbers point to the difficulties in deploying viable detection controls, as there
were a significant number of organizations that had purchased detection
controls but had not put them into production. Again, I have seen this myself
as most of the tools are too difficult to manage and it’s difficult to implement
effective processes.



30. July 2009 · Comments Off on Information Technology Security Management is Business Risk Management · Categories: Books, Risk Management, Security Management · Tags: , , , , , , ,

I view Information Technology Security Management from a
business risk management perspective. After all, in the modern enterprise,
every significant business process depends on information technology. Therefore
any risk to the confidentiality, integrity, or availability of digital assets
is a risk to the business.

But what is risk really? A practical definition would be the
probability and frequency of bad things happening and the resulting loss to the
business. From an IT perspective, the bad things are the disclosure, alteration, or destruction of
information based assets like intellectual property, customer information,
trends and projections, and financial, health, and personnel records. The
impact includes the costs of recovering from the incident and also loss of
reputation which often translates into lost revenue and profits and a drop in
stock price.

While I am going
to be spending most of my time on IT Security Risk, it’s obvious that there are
other types of IT Risks not to mention the myriad other business risks that
must be identified and managed as part of an overall risk management effort. For
a comprehensive analysis of IT Risk, you might consider IT Risk by George
Westerman and Richard Hunter, Harvard Business School Press, 2007
.