As I look over my experience in Information Security since 1999, I see three distinct eras with respect to the motivation driving technical control purchases:

  • Basic (mid-90’s to early 2000’s) – Organizations implemented basic host-based and network-based technical security controls, i.e. anti-virus and firewalls respectively.
  • Compliance (early 2000’s to mid 2000’s) – Compliance regulations such as Sarbanes-Oxley and PCI drove major improvements in security.
  • Breach Prevention and Incident Detection & Response (BPIDR) (late 2000’s to present) – Organizations realize that regulatory compliance represents a minimum level of security, and is not sufficient to cope with the fast changing methods used by cyber predators. Meeting compliance requirements will not effectively reduce the likelihood of a breach by more skilled and aggressive adversaries or detect their malicious activity.

I have three examples to support the shift from the Compliance era to the Breach Prevention and Incident Detection & Response (BPIDR) era. The first is the increasing popularity of Palo Alto Networks. No compliance regulation I am aware of makes the distinction between a traditional stateful inspection firewall and a Next Generation Firewall as defined by Gartner in their 2009 research report. Yet in the last four years, 6,000 companies have selected Palo Alto Networks because their NGFWs enable organizations to regain control of traffic at points in their networks where trust levels change or ought to change.

The second example is the evolution of Log Management/SIEM. One can safely say that the driving force for most Log/SIEM purchases in the early to mid 2000s was compliance. The fastest growing vendors of that period had the best compliance reporting capabilities. However, by the late 2000s, many organizations began to realize they needed better detection controls. We began to see a shift in the SIEM market to those solutions which not only provided the necessary compliance reports, but could also function satisfactorily as the primary detection control within limited budget requirements. Hence the ascendancy of Q1 Labs, which actually passed ArcSight in number of installations prior to being acquired by IBM.

The third example is email security. From a compliance perspective, Section 5 of PCI DSS, for example, is very comprehensive regarding anti-virus software. However, it is silent regarding phishing. The popularity of products from Proofpoint and FireEye shows that organizations have determined that blocking email-borne viruses is simply not adequate. Phishing and particularly spear-phishing must be addressed.

Rather than simply call the third era “Breach Prevention,” I chose to add “Incident Detection & Response” because preventing all system compromises that could lead to a breach is not possible. You must assume that Prevention controls will have failures. Therefore you must invest in Detection controls as well. Too often, I have seen budget imbalances in favor of Prevention controls.

The goal of a defense-in-depth architecture is (1) to prevent breaches by minimizing attack surfaces, controlling access to assets, and preventing threats and malicious behavior on allowed traffic, and (2) to detect malicious activity missed by prevention controls and to detect compromised systems more quickly to minimize the risk of disclosure of confidential data.

During the last several years we have observed dramatic changes in the identity of attackers, their goals, and methods. Today’s most dangerous attackers are cyber criminals and nation-states who are stealing money and intellectual property. Their primary attack vector is no longer the traditional “outside-in” method of directly penetrating the enterprise at the network level through open ports and exploiting operating system vulnerabilities.

The new dominant attack vector is at the application level. It starts with baiting the end-user via phishing or some other social engineering technique to click on a link which takes the unsuspecting user to a malware-laden web page. The malware is downloaded to the user’s personal device, steals the person’s credentials, establishes a back-channel out to a controlling server, and, using the person’s credentials, steals money from corporate bank accounts, credit card information, and/or intellectual property. We call this the “Inside-Out” attack vector.

Here are my recommendations for mitigating these modern malware risks:

  • Reduce the enterprise’s attack surface by limiting the web-based applications to only those that are necessary to the enterprise and controlling who has access to those applications. This requires an application-based Positive Control Model at the firewall.
  • Deploy heuristic analysis coupled with sandbox technology to block the user from downloading malware.
  • Leverage web site reputation services and blacklists.
  • Deploy effective Intrusion Prevention functionality which is rapidly updated with new signatures.
  • Segment the enterprise’s internal network to:
    • Control users’ access to internal applications and data
    • Deny unknown applications
    • Limit the damage when a user or system is compromised
  • Provide remote and mobile users with the same control and protection as itemized above
  • Monitor the network security devices’ logs in real-time on a 24x7x365 basis
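The last recommendation, real-time monitoring of the security devices' logs, is where the "Inside-Out" vector described above is most likely to be caught: the back-channel to the controlling server is allowed outbound traffic, but it tends to recur at a fixed interval. The following is an added example, not code from this post, from Cymbel, or from any vendor's product. It assumes a constructed key=value firewall log format and constructed sample lines (private and TEST-NET addresses); a real deployment would read the SIEM's normalized events instead, but the logic is the same.

```python
"""Added example: spot periodic outbound 'back-channel' connections in
firewall allow logs. The log format and sample data are constructed for
this example; they are not any vendor's format."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. Host 10.1.2.3 connects to 203.0.113.7 every
# 300 s (beacon-like); its connections to 198.51.100.20 are irregular browsing.
SAMPLE_LOG = """\
2011-01-19T09:00:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=allow
2011-01-19T09:01:12 src=10.1.2.3 dst=198.51.100.20 dport=80 action=allow
2011-01-19T09:05:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=allow
2011-01-19T09:07:40 src=10.1.2.3 dst=198.51.100.20 dport=80 action=allow
2011-01-19T09:10:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=allow
2011-01-19T09:15:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=allow
2011-01-19T09:16:05 src=10.1.2.3 dst=198.51.100.20 dport=80 action=allow
2011-01-19T09:20:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=allow
2011-01-19T09:25:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=allow
2011-01-19T09:30:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=allow
2011-01-19T09:31:33 src=10.1.2.3 dst=198.51.100.20 dport=80 action=allow
2011-01-19T09:35:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=allow
2011-01-19T09:40:00 src=10.1.2.3 dst=203.0.113.7 dport=443 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport, action) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
               int(m["dport"]), m["action"])


def find_beacons(text, min_connections=6, max_cv=0.2):
    """Return {(src, dst, dport): mean_interval_seconds} for flows whose
    allowed connections recur at near-constant intervals.

    min_connections: ignore flows with too few samples to judge regularity.
    max_cv: coefficient of variation (stdev / mean) of the gaps at or below
            which the flow is treated as periodic.
    """
    times = defaultdict(list)
    for ts, src, dst, dport, action in parse_log(text):
        if action != "allow":
            continue  # only traffic that got through can carry a back-channel
        times[(src, dst, dport)].append(ts)

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = mean
    return flagged


if __name__ == "__main__":
    for (src, dst, dport), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{dport} every {interval:.0f}s")
```

On the sample data the 443 flow to 203.0.113.7 is reported with a 300 s period, the browsing flow is not (too few connections, and irregular even when the threshold is lowered), and the final denied connection is ignored because a blocked attempt is the prevention control doing its job rather than evidence of an open channel. The thresholds are starting points; in practice they are tuned per environment, and legitimate periodic traffic (update checks, monitoring agents) is allow-listed by destination.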

Full disclosure: For the last four years my company Cymbel has partnered with Palo Alto Networks to provide much of this functionality. For the real-time 24x7x365 log monitoring, we partner with Solutionary.

19. January 2011 · Highlights from Sophos threat report · Categories: blog

Highlights from Sophos threat report.

The recently released Sophos Threat Report claims that with more than 50 percent of companies allowing free and open access to social networking sites:

  • 67 percent of users were spammed on social networks – double from when the survey began in 2009 (33.4 percent)
  • 40 percent were sent malware
  • 43 percent were phished – more than double from when the survey began in 2009 (21 percent)

The answer is not totally blocking access to social network sites. People in marketing and sales need access, but they don’t need to be playing Farmville. Also totally blocking all aspects of social network sites might create a morale issue.

Anti-virus can play a role, but a defense-in-depth strategy is needed that includes Next Generation Firewalls.

14. December 2010 · Network Security Blog » Customer information stolen · Categories: blog

Network Security Blog » Customer information stolen.

Three database/email server compromises were revealed over the weekend. A business partner of McDonald's lost their promotional mailing list, Gawker's entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner. None of these cases involved financial data; none of these would have been covered in any way by the PCI requirements.

So what is the value to the hackers? Martin sums it up nicely:

The danger with the McDonald's and DeviantArt compromises isn't the account names, it's the potential for phishing and other scams. The phishers now have a validated list of customers they can target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click on links to malicious sites. From there, they can move on to lower impact, less obvious attacks, but that's how I'd start. The potential of a user trusting an email warning them of danger is quite a bit higher than the other emails.

PS: Walgreen’s customer email list was compromised. Again, no big deal, just email addresses. But as Martin said above, a valid list of email addresses is a great starting point for phishing scams.

25. May 2010 · Tabnabbing – a new variation on phishing · Categories: Malware, Phishing

Aza Raskin, the Creative Lead for Firefox (via Ajaxian), describes a new variation on phishing called "tabnabbing," the "process of replacing the entire contents of a page while it's on a background tab." This is another example of malicious JavaScript in action. Does your Secure Web Gateway vendor block this attack?

02. January 2010 · New non-ASCII domain names increase risk of phishing attacks · Categories: Phishing

An article in the London-based Times Online last week pointed out the security risks, particularly phishing, of the recent ICANN expansion of domain names to non-Roman characters. Here is the key quote from the article:

The problem for Western users is that the internet addresses of many well-known companies, such as Apple, Yahoo, Google and PayPal, can also be rendered to look identical in Cyrillic scripts, such as Russian.

To a Roman-reading eye, an e-mail containing a link to any one of these sites might appear genuine, while to a Russian-reading eye, "paypal", for example, reads as "raural". An e-mail link could thus lead to a clone site constructed by unscrupulous thieves, who could then use it to harvest personal and financial details, or to steal cash.

There are two key reasons for ICANN's expansion decision (from the TechNewsWorld article):

  • "Not introducing international domains would mean that alternate root servers will be set up around the world because the demand is so high," Tina Dam, senior director for IDNs (international domain names) at ICANN, told TechNewsWorld.
  • "It is definitely timely to make the IDN TLDs (top level domains) available, and we have also seen a demand from Asia and other parts of the world for quite some time," ICANN's Dam said. "The fact that you have to use a Latin character Web address on a site where the entire content is in Russian is not fair for Russian Internet users and does not make sense," she added.

There are some good comments on the Times Online article regarding how this type of phishing attack could be blocked. I'm sure most of the email, browser, and URL filter vendors will be responding soon.
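The checks an email or URL filter can apply here are mechanical: a single label that mixes Latin and Cyrillic letters is suspicious on its own, and a label that folds to a known brand once look-alike glyphs are mapped back to Latin is almost certainly a clone. The following is an added example, not code from this post or from any filtering vendor. The confusables table is a small constructed subset (Unicode maintains a much larger list), the brand allow-list is constructed, and the punycode form is produced with Python's standard `idna` codec so the reader can see what the resolver actually receives for a domain that displays as "paypal".

```python
"""Added example: flag internationalized domain names that visually imitate
Latin brand names. CONFUSABLES and KNOWN_BRANDS are constructed for this
example and are not complete."""
import unicodedata

# Constructed subset: Cyrillic lowercase letters whose glyphs match a Latin letter.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

# Constructed allow-list of brand domains the filter protects.
KNOWN_BRANDS = {"paypal.com", "apple.com", "google.com", "yahoo.com"}


def scripts(label):
    """Scripts used by the letters of one label, taken from the first word
    of each character's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(domain):
    """Fold confusable characters to the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def to_ascii(domain):
    """Wire form of the name: IDNA (punycode, 'xn--' prefix) per label."""
    return domain.encode("idna").decode("ascii")


def assess(domain):
    """Return a list of findings, or ['ok'] if nothing looks wrong."""
    findings = []
    for label in domain.split("."):
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed scripts {sorted(used)} in label {label!r}")
    folded = skeleton(domain)
    if folded in KNOWN_BRANDS and folded != domain.lower():
        findings.append(f"displays like {folded} but resolves as {to_ascii(domain)}")
    return findings or ["ok"]


if __name__ == "__main__":
    # Constructed sample: 'paypal' with Cyrillic er, a, u, er, a and a Latin l.
    for name in ("paypal.com", "\u0440\u0430\u0443\u0440\u0430l.com"):
        print(name, "->", assess(name))
```

The mixed-script test catches the case the article describes; the skeleton test also catches an all-Cyrillic label that imitates a brand, which the script test alone would pass. Both rely on inspecting the Unicode form before the browser or mail client renders it, which is why the check belongs in the gateway or mail filter rather than with the user.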

21. October 2009 · Phishing emails have become more convincing · Categories: Botnets, Funds Transfer Fraud, Malware, Social Engineering

The "quality" of phishing emails continues to improve. In other words, the attackers continue to make their phishing emails seem legitimate and thus trick more people into taking the emails' suggested actions. An article in Dark Reading this week discusses research done by F-Secure about new, more convincing phishing attacks generated by the Zbot botnet, which attempts to infect victims with the Zeus trojan. I wrote earlier about how the Zeus trojan is used as a keylogger to steal banking credentials which enable funds transfer fraud.

While one might have considered the Dark Reading article a public relations piece for F-Secure, its validity was increased for me by Rich Mogull at Securosis, who wrote about "the first phishing email I almost fell for," i.e. one of these Zbot phishing emails.

If a security person like Rich Mogull, who has the requisite security "paranoia DNA," can almost be fooled, then the phishing attackers are indeed improving their social engineering craft.