04. October 2009 · Comments Off on Canadian study reports breaches triple in 2009. Is this a valid statistic? · Categories: Breaches, Security Management · Tags: , , , ,

Earlier this week, Telus released the results of their 2009 joint Telus/Rotman School of Management at the University of Toronto study on Canadian IT Security Practices, which claimed that the number of breaches tripled to an average of 11.3. Here is the press release. But are these valid claims?

First, let's take a deeper look at the average of 11.3. By simply taking the raw answers of the 2009 question about the number of breaches during the last 12 months, the average, i.e. mean, is indeed 11.3. However, let's take a closer look at the actual responses:

Number of Breaches   Percentage of Organizations

0                                      14%

1                                        6%

2 to 5                                 33% 

6 to 10                                9%

11 to 25                              7%

26 to 50                              3%

51 to 100                            2%

More than 100                     2%

Don't know                          23%

Given the number of outliers, the average (mean) is not really a valid number. Those outliers significantly skew the average. The mode, between 2 and 5, is much more meaningful.

Also, there is no attempt to correlate the number of breaches an organization suffered with the organization's size. Of the 500 organizations participating, 31% had under 100 employees and 23% had over 10,000 employees. The point here is that the outliers may very well be a small group of very large organizations.

Now let's address the claim of "tripling." What could account for this huge increase?

  1. It may just be a case of people being more honest this year, i.e. reporting more breaches. After all, this is just a survey.
  2. It may be that organizations actually have better security controls in place and therefore detected more breaches.
  3. It may be a function of the organizations participating. In 2008, there were only 297 versus 500 in 2009.
  4. It could be the change in the way the question was worded in 2009 versus 2008. Here is the question from 2008 (In fact the only place in the study that uses real numbers rather than percentages):

Q40. A major IT security incident can be defined as one which causes a disruption to normal activities such that significant time, resources, and/or payments are required to resolve the situation. Based on this definition, how many major security incidents do you estimate your organization has experienced in the last 12 months?

1 to 5             63%

6 to 10             2%

More than 10    1%

Don't know       24%

The 2009 study question:

Q48. How many Security breaches do you estimate your organization has experienced in the past 12 months?

I provided the responses earlier in this post. The point is that in 2008, the question specifically asked about major incidents while in 2009 the question was about all breaches.

Also note, in both cases the organizations were asked for "estimates." Don't most of these organizations have Security Incident Response Teams? At least the 69% with over 100 full time employees? Wouldn't they know exactly how many "incidents" they investigated and how many were actual breaches? 

I suppose studies like these, based on surveys, have some value, but we really need information based on facts and analysis based on sound techniques.

22. September 2009 · Comments Off on Twenty Critical Cyber Security Controls – a blueprint for reducing IT security risk · Categories: Risk Management, Security Management, Security Policy · Tags: , , , ,

The Center for Strategic & International Studies, a think tank founded in 1962 focused on strategic defense and security issues, published a consensus driven set of "Twenty Critical Controls for Effective Cyber Defense." While aimed at federal agencies, their recommendations are applicable to commercial enterprises as well. Fifteen of the twenty can be validated at least in part in an automated manner.

Also of note, the SANS' Top Cyber Security Risks report of September 2009 refers to this document as, "Best Practices in Mitigation and Control of The Top Risks."

Here are the twenty critical controls:

  1. Inventory of authorized and unauthorized devices
  2. Inventory of authorized and unauthorized software
  3. Secure configurations of hardware and software on laptops, workstations, and servers
  4. Secure configurations for network devices such as firewalls, routers, and switches
  5. Boundary defense
  6. Maintenance, monitoring, and analysis of Security Audit Logs
  7. Application software security
  8. Controlled use of administrative privileges
  9. Controlled access based on need to know
  10. Continuous vulnerability assessment and remediation
  11. Account monitoring and control
  12. Malware defenses
  13. Limitation and control of network ports, protocols, and services
  14. Wireless device control
  15. Data loss prevention
  16. Secure network engineering
  17. Penetration tests and red team exercises
  18. Incident response capability
  19. Data recovery capability
  20. Security skills assessment and appropriate training to fill gaps

I find this document compelling because of its breadth and brevity at only 49 pages. Furthermore, for each control it lays out "Quick Wins … that can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment," and three successively more comprehensive categories of subcontrols.

12. September 2009 · Comments Off on Apache.org site hacked – details published · Categories: Breaches, Risk Management, Security Management · Tags: ,

The Apache.org team published the details of a recent incident where one of their web sites was breached. While the details are, of course, very technical, it provides a great learning experience for the rest of us. Dan Goodin of the Register summarized the incident.

Unfortunately, most organizations are very reluctant to even admit when they are hacked, let alone share the details of the experience. Hence the various federal and state laws forcing organizations to report incidents where people's personal and/or financial information may have been disclosed.

Given the fact that Apache produces open source software (the number one web server software), it is appropriate that they would be so open about a breach.

07. September 2009 · Comments Off on Court allows bank customer to sue bank for “negligent” security practices · Categories: Authentication, Breaches, Funds Transfer Fraud, Legal, Risk Management, Security Management, Vendor Liability · Tags: , , , ,

Computerworld reported last week that a judge in Illinois ruled that a couple who lost $26,500 when their bank account was breached can sue the bank for negligence for not implementing "state-of-the-art" security measures which would have prevented the breach.

While bank credit card issuers have been suing credit card processors and retailers regularly to recoup losses due to breaches, this is the first time that I am aware of that a judge has ruled that a customer can sue the bank for negligence.

The more detailed blog post by attorney David Johnson, upon which the Computerworld article is based, discusses some really interesting details of this case.

The plaintiffs sued Citizens Financial Bank for negligence because it had not implemented multifactor authentication. The timeline is important here. The Federal Financial Institutions Examination Council (FFIEC) issued multifactor authentication guidelines in 2005. By 2007, when the plaintiffs' breach occurred, the bank had still not implemented multifactor authentication. The judge, Rebecca Pallmeyer of the District Court of Northern Illinois, found this two year delay unacceptable. 

Two interesting complications – (1) The account from which the money was stolen was from a home equity line of credit account, not a deposit or consumer asset account. (2) This credit account was linked to the plaintiffs' business checking account. I discussed the differences between consumer and business account liability here. Fortunately for the plaintiffs, the judge brushed these issues aside and focused on the lack of multifactor authentication.

One issue that was not addressed – where was Fiserv in all of this?
They are the provider of the online banking software used by Citizens
Financial Bank. Were they offering some type of multifactor
authentication? I would assume yes, although I have not been able to
confirm this.

In conclusion, attorney David Johnson makes clear that this ruling increases the risk to banks (and possibly other organizations responsible for protecting money and/or other assets of value) if they do not implement state-of-the-art security measures.

Roger Grimes at InfoWorld's Security Central wrote a very good article about password management. I agree with everything he said, except Roger did not go far enough. For several of Roger's attack types password guessing, keystroke logging, and hash cracking, one of the mitigation techniques is strong (high entropy) passwords.

True enough. However, I am convinced that it's simply not possible to memorize really strong (high entropy) passwords.

I wrote about this earlier and included a link to a review of password managers.

06. September 2009 · Comments Off on Browser vendors add innovative security features · Categories: Risk Management, Secure Browsing, Security Management · Tags: , , ,

The browser vendors are adding innovative security features to help protect users against web-based attacks. Here are some examples:

  • Firefox 3.5.3 will check your Adobe Flash add-in and warn you if it's not current. It is believed that as many as 80% of browser users are using older versions of Adobe that contain vulnerabilities that are fixed in new versions.
  • Internet Explorer 8 added a raft of security features including URL filtering, Cross Site Scripting (XSS) filtering, click-jack prevention, domain highlighting, and data execution prevention (requires Vista SP1). The Cross Site Scripting filter is very impressive. Here is a detailed explanation of XSS and how the IE8 filter works. XSS attacks are particularly nasty because it can
    happen through no fault of yours. All you have to do is go to a site
    that has been successfully exploited. Details on the other features are here.
  • Opera 10, just now shipping, also includes URL filtering.
  • Safari 4, when running on Windows, will integrate with your Windows anti-virus software to check any files, images, or other items you are downloading via Safari. It also has URL filtering watching for phishing sites and sites known to harbor malware.
  • Chrome 2.0.172.43 was released on August 25, 2009 and fixed several high severity issues.

Firefox has long benefited from third party security and privacy add-ons. NoScript is one of the more popular add-ons that blocks javascript and let's you selectively turn on javascript per content source.

While I have not personally checked these security features, assuming they all work as advertised,  Microsoft's Internet Explorer 8 leads the way in security innovation.

I thought a post about Database Activity Monitoring was timely because one of the DAM vendors, Sentrigo, published a Microsoft SQLServer vulnerability today along with a utility that mitigates the risk. Also of note, Microsoft denies that this is a real vulnerability.

I generally don't like to write about a single new vulnerability because there are just so many of them. However, Adrian Lane, CTO and Analyst at Securosis, wrote a detailed post about this new vulnerability, Sentrigo's workaround, and Sentrigo's DAM product, Hedgehog. Therefore I wanted to put this in context.

Also of note, Sentrigo sponsored a SANS Report called "Understanding and Selecting a Database Activity Monitoring Solution." I found this report to be fair and balanced as I have found all of SANS activities.

Database Activity Monitoring is becoming a key component in a defense-in-depth approach to protecting "competitive advantage" information like intellectual  property, customer and financial information and meeting compliance requirements.

One of the biggest issues organizations face when selecting a Database Activity Monitoring solution is the method of activity collection, of which there are three – logging, network based monitoring, and agent based monitoring. Each has pros and cons:

  • Logging – This requires turning on the database product's native logging capability. The main advantage of this approach is that it is a standard feature included with every database. Also some database vendors like Oracle have a complete, but separately priced Database Activity Monitoring solution, which they claim will support other databases. Here are the issues with logging:
    • You need a log management or Security Information and Event Management (SIEM) system to normalize each vendor's log format into a standard format so you can correlate events across different databases and store the large volume of events that are generated. If you already committed to a SIEM product this might not be an issue assuming the SIEM vendor does a good job with database logs.
    • There can be significant performance overhead on the database associated with logging, possibly as high as 50%.
    • Database administrators can tamper with the logs. Also if an external hacker gains control of the database server, he/she is likely to turn logging off or delete the logs. 
    • Logging is not a good alternative if you want to block out of policy actions. Logging is after the fact and cannot be expected to block malicious activity. While SIEM vendors may have the ability to take actions, by the time the events are processed by the SIEM, seconds or minutes have passed which means the exploit could already be completed.
  • Network based – An appliance is connected to a tap or a span port on the switch that sits in front of the database servers. Traffic to and, in most cases, from the databases is captured and analyzed. Clearly this puts no performance burden on the database servers at all. It also provides a degree of isolation from the database administrators.Here are the issues:
    • Local database calls and stored procedures are not seen. Therefore you have an incomplete picture of database activity.
    • Your must have the network infrastructure to support these appliances.
    • It can get expensive depending on how many databases you have and how geographically dispersed they are.
  • Host based – An agent is installed directly on each database server.The overhead is much lower than with native database logging, as low as 1% to 5%, although you should test this for yourself.  Also, the agent sees everything including stored procedures. Database administrators will have a hard time interfering with the process without being noticed. Deployment is simple, i.e. neither the networking group nor the datacenter team need be involved. Finally, the installation process should  not require a database restart. As for disadvantages, this is where Adrian Lane's analysis comes in. Here are his concerns:
    • Building and maintaining the agent software is difficult and more time consuming for the vendor than the network approach. However, this is the vendor's issue not the user's.
    • The analysis is performed by the agent right on the database. This could mean additional overhead, but has the advantage of being able to block a query that is not "in policy."
    • Under heavy load, transactions could be missed. But even if this is true, it's still better than the network based approach which surely misses local actions and stored procedures.
    • IT administrators could use the agent to snoop on database transactions to which they would not normally have access.

Dan Sarel, Sentrigo's Vice President of Product, responded in the comments section of Adrian Lane's post. (Unfortunately there is no dedicated link to the response. You just have to scroll down to his response.) He addressed the "losing events under heavy load" issue by saying Sentrigo has customers processing heavy loads and not losing transactions. He addressed the IT administrator snooping issue by saying that the Sentrigo sensors doe not require database credentials. Therefore database passwords are not available to IT administrators.

Controversy around the PCI DSS compliance program increased recently when Robert Carr, the CEO of Heartland Payment Systems, in an article in CSO Online, attacked his QSAs saying, "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem."

Mike Rothman, Senior VP of eIQNetworks responded to Mr. Carr's comments not so much to defend PCI but to place PCI in perspective, i.e. compliance does not equal security. I discussed this myself in my post about the 8 Dirty Secrets of IT Security, specifically in my comments on Dirty Secret #6 – Compliance Threatens Security

Eric Ogren, a security industry analyst, continued the attack on PCI in his article in SearchSecurity last week where he said, "The federal indictment this week of three men for their roles in the
largest data security breach in U.S. history also serves as an
indictment of sorts against the fraud conducted by PCI – placing the
burden of security costs onto retailers and card processors when what
is really needed is the payment card industry investing in a secure
business process."

The federal indictment to which Eric Ogren referred was that of Albert Gonzalez and others for the breaches at Heartland Payment Services, 7-Eleven, Hannaford, and two national retailers referred to as Company A and Company B. Actually this is the second federal indictment of Albert Gonzalez that I am aware of. The first, filed in Massachusetts in August 2008, was for the breaches at BJ's Wholesale Club, DSW, OfficeMax, Boston Market, Barnes & Noble, Sport Authority, and TJX.

Bob Russo, the general manager of the PCI Security Standards Council disagreed with Eric Ogren's characterizations of PCI, saying that retailers and credit card processors must take responsibility for protecting cardholder information.

Rich Mogull, CEO and Analyst at Securosis, responded to Bob Russo's article with recommendations to improve the PCI compliance program which he characterized as an "overall positive development for the state of security." He went on to say, "In other words, as much as PCI is painful, flawed, and ineffective, it
has also done more to improve security than any other regulation or
industry initiative in the past 10 years. Yes, it's sometimes a
distraction; and the checklist mentality reduces security in some environments, but overall I see it as a net positive."

Rich Mogull seems to agree with Eric Ogren that the credit card companies have the responsibility and the power to improve the technical foundations of credit card transactions. In addition, he calls the PCI Council to task for such issues as:

  • incomplete and/or weak compliance requirements
  • QSA shopping
  • the conflict of interest they created by allowing QSA's to perform audits and then sell security services based on the findings of the audits.

Clearly organizations have no choice but to comply with mandatory regulations. But the compliance process must be part of an overall risk management process. In other words, the compliance process is not equal to the risk management process but a component of it.

Finally, and most importantly, the enterprise risk management process must be more agile and responsive to new security threats than a bureaucratic regulatory body can be. For example, it may be some time before the PCI standards are updated to specify that firewalls must be able to work at the application level so all the the Web 2.0 applications traversing the enterprise network can be controlled. This is an important issue today as this has been a major vector for compromising systems that are then used for funds transfer fraud.

30. August 2009 · Comments Off on Skype wiretapping trojan publicly released · Categories: Malware, Risk Management, Security Management

In the 'it was bound to happen" category, a trojan that can intercept Skype calls has been developed and released by its creator. What's interesting is that the trojan was developed by the Swiss government. 

Should it be surprising that wiretapping Skype conversations is possible? As Symantec points out, it's not a flaw in Skype itself. At the point that the outgoing part of a conversation is recorded, it must be in memory in "clear text" prior to encryption. If you can capture the bits before encryption you are in business. By the same token, received bit streams must be decrypted so you can hear it. This is the same issue music encryption faces.

Does anyone believe that Switzerland is the only government to develop Skype wiretapping software?

Finally, from a business risk perspective – Do you know who is using Skype in your organization?

27. August 2009 · Comments Off on Estonian Internet Service Provider is a front for a cyber crime network · Categories: Risk Management, Security Management · Tags: , , , , , ,

TrendMicro's security research team announced a
white paper detailing their investigation of an Estonian Internet
company that was actually a front for a cybercrime network. This white
paper is important because it shows just how organized cyber criminals
have become. I have pointed this out in an earlier post here.

Organizations in the U.S. and Western Europe may wonder how this is relevant to them:

"From its office in Tartu [Estonia], employees administer sites that host codec
Trojans and command and control (C&C) servers that steer armies of
infected computers. The criminal outfit uses a lot of daughter
companies that operate in Europe and in the United States. These
daughter companies’ names quickly get the heat when they become
involved in Internet abuse and other cybercrimes. They disappear after
getting bad publicity or when upstream providers terminate their
contracts."

The full white paper is well worth reading.