22. September 2009 · Comments Off on Twenty Critical Cyber Security Controls – a blueprint for reducing IT security risk · Categories: Risk Management, Security Management, Security Policy · Tags: , , , ,

The Center for Strategic & International Studies, a think tank founded in 1962 focused on strategic defense and security issues, published a consensus driven set of "Twenty Critical Controls for Effective Cyber Defense." While aimed at federal agencies, their recommendations are applicable to commercial enterprises as well. Fifteen of the twenty can be validated at least in part in an automated manner.

Also of note, the SANS' Top Cyber Security Risks report of September 2009 refers to this document as, "Best Practices in Mitigation and Control of The Top Risks."

Here are the twenty critical controls:

  1. Inventory of authorized and unauthorized devices
  2. Inventory of authorized and unauthorized software
  3. Secure configurations of hardware and software on laptops, workstations, and servers
  4. Secure configurations for network devices such as firewalls, routers, and switches
  5. Boundary defense
  6. Maintenance, monitoring, and analysis of Security Audit Logs
  7. Application software security
  8. Controlled use of administrative privileges
  9. Controlled access based on need to know
  10. Continuous vulnerability assessment and remediation
  11. Account monitoring and control
  12. Malware defenses
  13. Limitation and control of network ports, protocols, and services
  14. Wireless device control
  15. Data loss prevention
  16. Secure network engineering
  17. Penetration tests and red team exercises
  18. Incident response capability
  19. Data recovery capability
  20. Security skills assessment and appropriate training to fill gaps

I find this document compelling because of its breadth and brevity at only 49 pages. Furthermore, for each control it lays out "Quick Wins … that can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment," and three successively more comprehensive categories of subcontrols.

Roger Grimes at InfoWorld's Security Central wrote a very good article about password management. I agree with everything he said, except Roger did not go far enough. For several of Roger's attack types password guessing, keystroke logging, and hash cracking, one of the mitigation techniques is strong (high entropy) passwords.

True enough. However, I am convinced that it's simply not possible to memorize really strong (high entropy) passwords.

I wrote about this earlier and included a link to a review of password managers.

27. August 2009 · Comments Off on Estonian Internet Service Provider is a front for a cyber crime network · Categories: Risk Management, Security Management · Tags: , , , , , ,

TrendMicro's security research team announced a
white paper detailing their investigation of an Estonian Internet
company that was actually a front for a cybercrime network. This white
paper is important because it shows just how organized cyber criminals
have become. I have pointed this out in an earlier post here.

Organizations in the U.S. and Western Europe may wonder how this is relevant to them:

"From its office in Tartu [Estonia], employees administer sites that host codec
Trojans and command and control (C&C) servers that steer armies of
infected computers. The criminal outfit uses a lot of daughter
companies that operate in Europe and in the United States. These
daughter companies’ names quickly get the heat when they become
involved in Internet abuse and other cybercrimes. They disappear after
getting bad publicity or when upstream providers terminate their
contracts."

The full white paper is well worth reading.

The Washington Post reported yesterday that there is an increase in "funds transfer fraud" being perpetrated by organized crime groups from Eastern Europe against small and medium U.S. businesses. 

It's hard to know the extent of this type of crime because there is no breach notification requirement since no customer information is disclosed. However, many companies are reporting these crimes to the FBI and of course to their banks.

The risk of funds transfer fraud to businesses is much higher than to consumers for the following reasons:

  • Dollar amounts are higher.
  • Under the Uniform Commercial Code, businesses only have two days to dispute charges they feel are unauthorized. Consumers have 60 days from the time they receive their statements.
  • Because banks are liable for the consumer losses and less so for the business losses, they invest more resources in protecting consumers.

The complete article in the Washington Post is well worth reading.

In a previous post, I highlighted one of the techniques used by cyber criminals where they surreptitiously install the Clampi trojan on a PC in order to get the login credentials needed for online banking.

Recommended actions:

  • Install anti-virus/anti-malware agents on all workstations and keep them up-to-date
  • Use an end-point configuration management system to discover all workstations, to assure the above mentioned agents are installed and up-to-date, and to assure that unauthorized software is not installed
  • Implement firewall policies to (1) assure that only authorized people (i.e. people in authorized roles) using only authorized workstations can connect to financial institutions to perform funds transfer transactions, (2) assure that people not authorized cannot connect to financial institutions, (3) generate alerts when there are attempts to violate these policies
  • Implement a process where funds transfer transactions are reviewed on a daily basis by someone other than the person or people who perform the transactions

The Department of Health and Human Services this week published the regulations for the "breach notification" provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act, of the American Recovery and Reinvestment Act of 2009 (ARRA). In effect, this is an extension of HIPAA and further strengthens HIPAA's Privacy Rule and Security Rule.

The new breach notification regulations are in a 121 page document. HHS also issued a press release that summarizes the new regulations.

This type of breach notification regulation started in California with SB 1386 which went into effect on July 1, 2003. Since then about 40 other states passed a similar law.

In 2008, California went on to pass a specific health care information protection law, SB 541, which requires notification of breaches and financial penalties up to $250,000 per incident. Here is a Los Angeles law firm's presentation on it.  Since SB 541 went into effect on January 1, 2009, there have been over 800 incidents reported.

18. August 2009 · Comments Off on Gmail vulnerability shows the value of strong (high entropy) passwords · Categories: Authentication, Malware, Risk Management, Security Management, Security Policy · Tags: , , , , , , , , ,

Weak passwords and other password issues continue to be the bane of every security manager's existence. Becky Waring from Windows Secrets reports on a Gmail vulnerability where an attacker can repeatedly guess your password using Gmail's, "Check for mail using POP3"
capability. This is a service Gmail provides that enables you to use an email client rather than the Gmail browser interface. You can read the details of the vulnerability at Full Disclosure.

The unfortunate reality is that we have reached a point in the evolution of technology that if an attacker is in a position to implement an unimpeded repetitive "guessing" attack on your password, like this Gmail vulnerability, there is no password you can remember that can survive the attack. In other words, if you can remember the password, it's too weak, and it will be cracked.

NIST Special Publication 800-63 rev1 "Electronic Authentication Guideline" Appendix A (Page 86) discusses the concepts of password strength (entropy) in detail.

The only way you can really protect yourself is by using an automated password manager. LifeHacker has a very good review of the top choices available.One of the side benefits of these products, is that you should not have to physically type your passwords, thus reducing the risk associated with keyloggers, which I discussed in previous posts here and here.

Steve Gibson has a site called Perfect Passwords that automatically generates high entropy passwords.

At the very least, follow the advice in Becky Waring's column.

The recent Goldman Sachs breach of proprietary trading software highlights the risk of insider fraud and abuse. RGE, Nouriel Roubini's website, has the best analysis I've read on the implications of such an incident.

Here is the money quote, "What is troubling about the Goldman leak is how unprepared our infrastructure is against active measures. We already have good security practices, defamation laws and laws against market manipulation. What we don't have is a mechanism for dealing with threats that appear to be minor, but where the resulting disinformation is catastrophic."

I cannot imagine any better proof of the need for better user, application, content, and transaction monitoring and control tools.

Read the whole article.

03. August 2009 · Comments Off on LoJack-For-Laptops creates rootkit-like BIOS vulnerability · Categories: Breaches, Malware, Risk Management, Security Management, Security Policy · Tags: , , , , , , , ,

Alfredo Ortega and Anibal Sacco, researchers for penetration testing software company Core Security Technologies, demonstrated at Black Hat how Absolute Software's Computrace LoJack For Laptops contains a BIOS rootkit-like vulnerability.The reason this is significant is that about 60% of laptops ship with this installed including those from Dell, HP, Toshiba, and Lenovo. These companies are listed as OEM partners on Absolute's web site.

Here is a good article which describes how LoJack for Laptops works and the vulnerability. Lest you think this is only a Windows issue, the software is also used on Macs, although Apple is not listed as an OEM partner.

In order for this vulnerability to be exploited the bad guy would need physical access to your laptop or remote access with Admin/root privileges. If you are running in User-mode, which should be an enforced policy, the risk drops significantly. The high risk exploits are:

  • A keylogger is installed and used to capture your passwords which, for example, you use to access your bank accounts
  • An agent is installed that enables the bad guy to retrieve whatever data is stored on the system, such as intellectual property, financial records, etc.

There are always trade-offs in technology. By definition, adding features increases the attack surface. The good news is that LoJack for Laptops reduces the risk of disclosing information on lost or stolen laptops. The bad news is that by using it, you are increasing the risk of a rootkit-like attack on the laptop.

03. August 2009 · Comments Off on Vendor “fined” by customer for lax security that resulted in an incident · Categories: Breaches, Risk Management, Security Management, Vendor Liability · Tags: , , , , , , ,

Richard Bejtlich reports on a story that appeared in the Washington Times last week, "Apptis Inc., a military information technology provider, repaid
$1.3 million of a $5.4 million Pentagon contract after investigators
said the company provided inadequate computer security and a
subcontractors system was hacked from an Internet address in China
…"

As Richard said, this may be a first. When is this going to happen in the commercial market?

Last week at Black Hat, Peter Kleissner, a young software developer from Vienna,
Austria, showed an interesting variation on a rootkit he
calls Stoned which he said can bypass disk encryption. However, I don’t think any disk encryption product, by itself, claims that it cannot be
bypassed by a keylogger.

Here is the scenario: If you lose your PC and the disk
is encrypted with a quality disk encryption product, you can have a high degree
of confidence that no encrypted information will be disclosed.

However, if the
PC is returned to you, you cannot be sure that a root kit and a keylogger have
not been installed on the machine. The risk of disclosing information occurs
when you boot up the machine and authenticate. At that point the keylogger can
capture your credentials and eventually access all the data on the disk (as you
would).

Also, the risk of your PC being “rootkitted” (if there is such a word) while browsing increases if you are working on your PC as an Administrator. Clearly
organizations have policies against this and are able to enforce it.