Would you Believe it? Twitter as a Way of Coping With Infosec Information Overload

Posted by John Reno in Main

The job of keeping up with the latest threats and vulnerabilities is a daunting task for security professionals. There are many excellent resources for both threats (for example, Symantec DeepSight data feeds) and vulnerabilities (DHS National Cyber Security Division/U.S.-CERT). But it still requires skilled human effort to synthesize which assets in an organization are impacted by the threats, and to interpret vulnerability information to understand how likely the threats are to affect the business, given the controls that currently exist. As I’ve discussed earlier, investing in an information security risk management program is the way to solve this problem in a way that maximizes benefit to an enterprise’s business.

However, you may also just want to find out what everyone else is talking about. I recently found a new service called MustExist that does this based on mining the huge data sets generated by Twitter communities. One area (among others such as healthcare) that they have targeted is information security. For example, right now the hottest topic of discussion is something of a self-inflicted wound: a phishing attack on Twitter accounts, designed to steal user names and passwords. You can also find popular tools that security engineers are using, such as a cheat sheet for the latest release of Nmap.

So, maybe it’s not something to build your security strategy around. But I’d say it’s fun and useful.

Healthcare sector investments in information security make good business sense

Posted by John Reno in Main

While companies in the healthcare sector focus on HITECH Act compliance and meaningful use, and healthcare reform dominates the headlines, it is worthwhile to consider some of the business reasons for investing in a strong information security program. Modernization of the healthcare payments system is one big area where the potential for cost savings is dramatic. Both providers and healthcare plans stand to benefit.

For healthcare plans the benefits include easier reconciliation of payments and remittances as well as better control over cash flows. For healthcare providers the benefits include reduced billing and insurance-related processing costs as well as improved cash flows. Another significant area is the potential for increased focus on patient care. On average, physicians currently spend three hours per week interacting with health plans, at a cost estimated from $23 billion to $31 billion each year according to the Health Affairs Journal. Electronically automating and properly securing the payments and remittance processes will decrease the time physicians have to spend with insurers, giving doctors more time to focus on patient care.

For both providers and plans now is the time to streamline administrative processes and benefit from cost savings initiatives. Of course with automation comes exposure to risks of fraud and information theft. To take full advantage of the potential cost savings associated with electronically automated processes, both healthcare providers and plans must invest in an information security risk management program. We have developed information security best practices in this area over the course of several years, primarily with leading companies in the financial sector.

More Cyber Criminal Activity

Posted by John Reno in Main

This morning the Washington Post once again reported a widespread and ongoing set of attacks sponsored by a cybercriminal organization based in Eastern Europe. Amit Yoran of Netwitness was quoted as saying, “The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats. The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.” I have worked with Amit both at Riptech (now Symantec) and when he was National Cyber Security Division director within the United States Department of Homeland Security. We should take note. More sophisticated attacks are coming, and perimeter-oriented, signature-based defenses are inadequate.

What should be done? I would invest rapidly in two particular areas:

• Social engineering and security awareness
• Risk management

Social engineering and security awareness can be thought of as your new front line of defense: your users. They need to be cognizant of the attacks that are being directed at them and of the role they play in defending the organization and corporate assets.

Risk management can be implemented by following the process depicted above. From the standpoint of defending against cyber crime, the process helps identify the areas that are of highest impact to your business, and organizes controls to defend against the threats. Another important benefit is that business unit leaders and executive management are drawn into the process, and thus gain an understanding of the security issues and risks. Furthermore, implemented properly, risk management just becomes part of running the business similar in nature to the way the financial organization closes the books every month.

Here at Redspin we can help you understand your risks, educate your workforce and modernize your defenses.

IT Risk Management

Posted by John Reno in Main

In my last few posts I mentioned using risk management as an effective mechanism for combating cyber crime. A number of readers from the LinkedIn Information Security Group asked about recommendations for improving their risk management processes:

“In my corporation risk management is mostly controlled by finance. We can’t seem to get a discussion of IT risk, particularly cyber crime, on the executive staff agenda. Do you have any ideas to improve our situation?”
“We invested in the COSO framework to manage regulatory compliance, but risks to the business such as cyber crime are still addressed on an ad-hoc basis. What do you recommend?”
Improving the effectiveness and efficiency of IT risk management is a subject that could easily fill a multi-day workshop, but allow me to offer a few suggestions in high impact areas. The first area to address is the language used to describe risk. The MIT Sloan Center for Information Systems Research has done some well regarded work in this area. The major idea is to focus IT risk on four major areas, availability, access, accuracy and agility, and to drive the discussion around impact to the business. Executive management teams respond more effectively to risks they understand, however unpredictable, than to ones they don’t. IT risks are often the least understood. Most management teams do not know how to think about IT risk beyond the immediate impact on IT operations of viruses, data breaches and failed business continuity programs. They have not made the connection between failing servers and failing business operations, or between taking shortcuts and giving clear guidance.

Every IT risk has a business consequence. Yet often the decision making process around IT risk gets bogged down in technical details. What’s needed is a simple way to clarify tradeoffs and make better decisions. I’ve found that if business leadership can focus on four key IT risks they are more willing to bring the IT agenda to the table and make better informed decisions. Let’s briefly look at the 4 A’s.
• Availability: This means keeping the systems running. IT needs to communicate regularly to executive staff on the availability risk to major business processes and ensure there is a business continuity plan in the case of failure.
• Access: This is defined as ensuring access to systems and data. IT is responsible for providing the right people with the access they need and ensuring that sensitive information is not misused. The IT organization must regularly discuss risks associated with data loss, privacy violations and inappropriate use.
• Accuracy: This means providing complete, timely and correct information that meets the requirements of customers, suppliers, regulators and management. Compliance with Sarbanes-Oxley is a common source of accuracy risk for enterprises in the United States. IT should review with management the sources of accuracy risk (and risk mitigation programs) such as the inability to get an accurate, consistent, global view of key customers and product/service sales.
• Agility: This is defined as the ability to make the necessary business changes with appropriate cost and speed. A specific example of agility risk would be the delay or cancellation of a merger because of the risk of integrating IT systems. The IT organization needs to discuss these risks so that management can make informed decisions and not hedge their bets because they don’t believe IT can deliver on time.

The second area to look at in terms of the effectiveness of your risk program is consistent usage of risk severity levels and the associated actions. At Redspin we use five levels:
• Critical – Corrective measures are required immediately.
• High – Strong need for corrective measures. An action plan must be put in place as soon as possible.
• Medium – Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low – Management must determine whether corrective actions are required, or decide to accept the risk.
• Informational – The issue does not indicate a material violation but is something for management to consider for enhancing the overall security posture.

Drive these definitions into your risk mitigation programs, policy specifications and controls.

The last area I will suggest concerns making a business impact with these ideas for managing risk. Rather than focus on technical risks, concentrate the energy of the IT team to frame risk associated with key business processes that drive the business. An example of a common key business process that exists at nearly every organization is quote-to-cash or lead-to-support. Make an effort to quantify and explain to executive staff the risks to the infrastructure, applications and personnel that support this key business process. Identify the high impact risks, the threat probability and your plan of action. Get on the business agenda and review your progress on a regular basis. A common result is that the IT and security teams are viewed less as a cost center and more as an enabler of business goals.

Advanced persistent threats – how organizations can keep pace with the growing sophistication of cyber crime

Posted by John Reno in Main

Threats posed by cyber crime have increased dramatically in the past year. Yesterday the Washington Post announced that Google has enlisted the help of the NSA to combat cyber crime attacks directed at them and other U.S. corporations. While this is sure to generate privacy concerns in the user community, it is more importantly a visible indicator that cooperation is one of the more important factors in combating cyber crime. In fact, in the last 6-12 months there has been a rapidly growing informal network of cooperation within the business and IT leadership of major corporations, simply to get a handle on how to respond and manage risk in this highly dangerous threat environment. Let’s look at some of the more important ways to manage in this environment and deal with these classes of attacks.
The current reality of cyber crime is that the threat environment has shifted from broad based hacker oriented attacks that posed a primary risk to business availability to targeted operations aimed at specific corporations, particular people in the organizations and key business processes that contain high value data such as strategic plans, source code, intellectual property and acquisition intentions. What should be done? I would recommend aggressive action in several areas:
• Risk management – identify the high impact, high probability risks to the business and focus technology and skilled personnel accordingly.
• Security awareness – the targets of these APT attacks are most often executive leadership; make sure they know they are likely to come under attack and prepare a response plan.
• Industry cooperation – realize that these attacks are often state sponsored and backed by significant resources. There are many resources that can be drawn from to exchange information regarding best practices, threats and vulnerabilities. Just a couple of examples include the IT Information Sharing and Analysis Center (IT-ISAC) and Cisco Systems’ Security Intelligence Center.
• Aggressive and appropriate defense – drive your security program based on risk to your most important assets, monitor outbound and internal-internal communications for signs of data exfiltration and command/control communications and look for both network and host-based indications of compromise.

See also the related article Worse Than Useless and Some Thoughts on Cyber War.

Dealing with cyber crime

Posted by John Reno in Main

CSO magazine recently released the 2010 Cyber Security Watch survey of over 500 respondents from both the public and private sector. In reading through the answers I was not surprised to find several results that gave cause for alarm. Of course it’s always difficult to draw conclusions from survey results, and you should realize that I am not really interested in a rigorous analysis of the survey information. Rather, it’s simply a vehicle for discussing a significant shift in the threat environment and what security approaches companies can take to manage the risks they face.
Some of the results I found interesting:
• 58% of the respondents considered themselves more prepared to deal with cyber security threats today compared to 12 months ago; 37% considered themselves at the same level of preparedness.
• Over 75% of respondents reported that monetary losses from cyber security events either remained the same or they weren’t sure.
• Only 6% of the respondents cited organized crime as the most significant threat to their organization.
• Of the organizations that experienced cyber security events that caused financial loss or cost during the preceding 12 months only 28% found these events to be aimed specifically at them.
What strikes me is that there is a degree of complacency and a sense that status quo security measures such as perimeter protection, signature-based detection and log monitoring are good enough. However, the current reality is that cyber crime is becoming increasingly sophisticated and is fueled by growing profits. A significant shift is taking place in the threat environment in that cyber criminals are targeting organizations, using advanced techniques to gain a persistent presence in IT environments, and attacking corporate business processes for financial gain. Companies face major risk exposure in a number of areas including brand damage, regulatory penalties and data breach liability.
Let’s look at some examples of what’s going on in this changing threat environment.
• Financial fraud is a leading money-maker with unauthorized bank transactions and credit card charges taking place with stolen credentials. Common techniques to steal credentials range from data theft to key-logging malware. A widespread example of this is the Zeus Trojan.
• Cyber criminals are using social engineering techniques and taking advantage of the growing amount of personal data on the web to target particular companies, business processes and even individuals within an organization.
• Crime is organized and specialized. Large businesses exist to sell zero-day exploits, malware packages and exploit kits. As a testament to the lack of effectiveness of signature-based security measures such as IDS/IPS and anti-virus, many of these packages have been tested to ensure that they are not detectable.
• The scope of targets is expanding. Attackers are using their presence within corporate IT networks to perform reconnaissance and identify and steal high value information such as source code, strategic planning documents and design data.
Given these trends in the threat environment, what measures can be taken by security teams within corporations? I believe the only effective method to combat cybercrime is through risk management. This means shifting the focus from building an impermeable perimeter to protecting the information and data that drive the business. Security and business group teams need to prioritize risks based on their likelihood and business impact and then allocate resources and technology accordingly. A simple way to think about this is that it is no longer a matter of keeping the bad guys out. We have to assume that they will get in. We just have to make sure they don’t leave with anything that is valuable.

Network Security Data Considerations

Posted by John Reno in Main

Earlier this month Google discussed the nature of the cyber attacks they have been facing from China. The targets included not only politically motivated email accounts, but also attacks on the corporate infrastructure that resulted in theft of intellectual property. During their investigations, Google also found evidence of ongoing attacks on major U.S. corporations including Dow Chemical, Goldman Sachs, and Juniper Networks with intellectual property as the target.

One outcome of this chain of events for any enterprise organization should be a thorough review of the processes by which data is secured. Quite often the motivator and business catalyst for investing in data security has been compliance with government regulations. But I now think it is prudent for organizations to consider that they will be under frequent, directed attacks targeting the intellectual property, source code and design documents that drive their businesses forward.

How should corporations facing these circumstances react? A good starting point is to understand what data needs to be protected and under what circumstances. Nearly all organizations are likely facing situations where critical information is dynamic and growing rapidly. As such it is important to have criteria for understanding which data requires the primary attention.

Are current protection mechanisms sufficient? It is likely that past security issues have biased the investments one way or another. But it is important to evaluate areas of exposure whether the data is in use by an application, stored in a database or traveling over a network. This casts a broad area of concern and certainly impacts all areas of an organization.

Given the severity of these events it bears closer examination of the attack approach. In some cases the attackers took advantage of a zero day vulnerability in Internet Explorer to access employee PCs. In other cases employees were sent contaminated PDF files, leveraging vulnerabilities in Adobe Acrobat. Once the PC was compromised a Trojan was then downloaded to the machine and following that the corporate network was accessed from the hijacked end-point.

Note also that the attacks were not directed at the network but at employees using the end point compromise to go after intellectual property. The attackers capitalized on the alignment of two significant trends – high grade Trojans and broad based infection capabilities. These developments should cause both business unit managers and security staff to pause and consider their approaches to data protection.

One valuable approach is to look at the system as a whole. The primary components of this security system are policy, strategy and control. The policy component defines the risks facing the business, the security program requirements and articulates the goals and measures for the program. The strategy is developed through a model of the risk situation, data to be protected and controls to carry out the protection objective. Lastly the control section implements, audits and manages the plan. The net result is business enablement.

It is also useful to look to others in industries that have faced similar problems. The financial sector has been tackling nearly identical issues for many years. Consider electronic fraud: rather than rob the bank, attackers have targeted user accounts, which is quite similar to the challenge that enterprise customers now face. What’s worked well in the financial sector? Systematic hardening of the infrastructure, multiple layers of defense, active logging of user activity, data encryption and centralized key management have proven effective.

Regardless of whether you look at information security from a top down perspective or through the lens of others facing similar challenges the era of cybercrime targeting enterprises is upon us. It is worth taking a thorough review of the situation.

- John Reno

ROI, NPV and a few other words about predicting the financial performance of information security projects

Posted by John Reno in Main

Over the course of many years in the information security profession, I have heard claims that the return on investment associated with security projects cannot be calculated. Most often the perspective is that security is a cost center and should be treated as such. I do not share that opinion. The following discussion summarizes Redspin’s work with one of its healthcare customers to calculate return on investment (ROI) and Net Present Value (NPV) in order to justify and manage an information security assessment project. This methodology has been applied with many of our customers in industry segments such as retail, media/entertainment, financial services and technology.

The approach we take is based on protecting data; after all, that is a primary goal of information security. Because of this fundamental approach we can use the same methodology for a wide range of projects, including internal assessments and web application security assessments. The methodology to calculate ROI and NPV consists of determining the reduced liability associated with identifying and fixing information security issues (thus providing the return side of the equation) and estimating the project costs (supplying the investment information).

In the scenario with our healthcare customer we began with a few questions regarding the characteristics of their security project. For the scope of the assessment project, how many data records existed? In this case the assessment spanned two data centers containing a number of databases as well as data records stored in file systems and Microsoft SharePoint. Is the customer subject to regulatory requirements? In this case, yes: the customer was obligated to comply with HIPAA, the HITECH Act, PCI and Sarbanes-Oxley. Next, we asked whether a breach, if it occurred, would be high profile (in terms of media and industry visibility) or low profile. Our customer believed a potential breach would be high profile.

The project investment consisted of Redspin costs and customer costs. The Redspin costs included the price of the assessment combined with travel and expense costs. The customer costs were broken down into security and IT staff time to manage the project and staff time to fix the identified issues. These cost estimates were then summed to determine the project investment.

The project return is associated with reducing the liability due to a security breach. Our methodology relies on customer surveys performed by Forrester Research to estimate and categorize the cost of a breach per data record. The categories are service availability opportunity cost (customer churn and difficulty in acquiring new customers due to the breach), lost employee productivity (employees diverted from primary tasks), regulatory fines (fines imposed by the HITECH Act, FTC, SOX, PCI, etc.), incident response (discovery, notification and response) and increased audit requirements (the security and audit requirements levied as a result of a breach). The cost per record ranges from $10 to $60.

For our customer example we estimated that liability across the five major categories would be reduced in the first year by a total of $3,321,000. The total project investment included a $25,000 Redspin assessment and 18 man-weeks of customer staff time, for a total investment of $83,000. The project ROI was then calculated as 40.01. The same data was also used to calculate NPV (the present value in today’s dollars of cash flows associated with the project) as $2,573,374.

We have found this methodology to work well across a range of information security projects. It works most effectively when we are working closely with the customer and the customer team includes security, IT and business unit representation.
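To make the return and investment sides of this calculation concrete, here is an added example (not Redspin's own tooling) that implements the method as the post describes it, using the healthcare customer's reported totals; the record count, per-category costs, travel and weekly staff cost are constructed assumptions chosen to reproduce those totals, and the NPV discount rate and single-year cash flow are assumptions as well.

```python
"""Added example (not Redspin's own tooling): the ROI / NPV method described in
the post, applied to the healthcare customer's reported figures.

Return     = reduced breach liability = data records x cost per record, where
             the per-record cost is summed over the five Forrester categories.
Investment = assessment price + travel and expenses + customer staff time.
ROI is computed the way the post reports it (return / investment), which gives
40.01 for $3,321,000 / $83,000. NPV discounts yearly cash flows at an assumed
rate; the post does not state its rate or horizon, so the NPV here is
illustrative and does not reproduce the post's $2,573,374.
"""

# Five liability categories the post takes from the Forrester survey.
LIABILITY_CATEGORIES = (
    "service availability opportunity cost",
    "lost employee productivity",
    "regulatory fines",
    "incident response",
    "increased audit requirements",
)


def liability_reduction(records, cost_per_record_by_category):
    """Return side: liability avoided by fixing the issues, summed over records.
    All five categories must be present, and the summed per-record cost must
    fall in the $10-$60 range the post cites, so a typo does not silently
    inflate the business case."""
    missing = [c for c in LIABILITY_CATEGORIES if c not in cost_per_record_by_category]
    if missing:
        raise ValueError(f"missing liability categories: {missing}")
    per_record = sum(cost_per_record_by_category[c] for c in LIABILITY_CATEGORIES)
    if not 10 <= per_record <= 60:
        raise ValueError(f"${per_record} per record is outside the $10-$60 surveyed range")
    return records * per_record


def project_investment(assessment_price, travel_expenses, staff_weeks, weekly_staff_cost):
    """Investment side: Redspin costs plus customer staff time to manage the
    project and fix the findings."""
    return assessment_price + travel_expenses + staff_weeks * weekly_staff_cost


def roi(return_amount, investment):
    """ROI as the post reports it: return divided by investment."""
    return return_amount / investment


def npv(rate, cash_flows):
    """Net present value; cash_flows[0] is today (undiscounted), [1] is year 1."""
    return sum(cf / (1 + rate) ** year for year, cf in enumerate(cash_flows))


def healthcare_case():
    """The post's example. Record count (110,700), per-category costs ($30
    total), travel ($4,000) and weekly staff cost ($3,000) are constructed
    assumptions chosen to reproduce the reported $3,321,000 return and
    $83,000 investment. The single year of avoided liability and the 10%
    discount rate used for NPV are assumptions too."""
    costs = dict(zip(LIABILITY_CATEGORIES, (8.0, 5.0, 7.0, 6.0, 4.0)))
    ret = liability_reduction(records=110_700, cost_per_record_by_category=costs)
    inv = project_investment(assessment_price=25_000, travel_expenses=4_000,
                             staff_weeks=18, weekly_staff_cost=3_000)
    flows = [-inv, ret]  # year 0: pay for the project; year 1: avoided liability
    return {
        "return": ret,
        "investment": inv,
        "roi": round(roi(ret, inv), 2),
        "npv_10pct": round(npv(0.10, flows), 2),
    }


if __name__ == "__main__":
    for key, value in healthcare_case().items():
        print(f"{key}: {value:,}")
```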

Web Application Security

Posted by admin in Main

Customers often ask the following question:  What is the best approach to securing my web applications?  Of course, the answer to the question is what our web application security assessments are all about.  But if you haven’t yet engaged in that process, this post briefly outlines some ideas that you can institute to have a greater degree of confidence that your web applications are secure.

Fundamentally, secure web applications are a result of a secure software development lifecycle.  There are a number of books on the subject.  I have found that a useful reference can be found through OWASP: http://www.owasp.org/index.php/CLASP_Concepts.   What’s necessary is for the software development team to have a structured set of guidelines to ensure that information security is kept as a key requirement as part of the development process.  Often it is helpful to maintain an implementation guide and templates that reflect best practices.  As with any endeavor related to security, I recommend a risk based approach where the development effort to secure the application is guided by the risks to the business.

In order to have an understanding of the risks associated with an application, developers must understand the threats that are present.  A common practice is to develop a threat model that characterizes the threats and risks to the application.  Microsoft has invested significant resources in formalizing this process.  They recommend a step by step process of identifying security objectives; reviewing the application in terms of components, data flows and trust boundaries; decomposing the application in terms of components to identify areas where security needs to be evaluated; creating a structured list of threats; and enumerating likely vulnerabilities associated with the class of application in development.  To assist in this effort of threat and risk modeling Microsoft advocates a threat classification scheme known as STRIDE.  This scheme aims to characterize the threats with respect to the exploit that may be employed.  This clever acronym stands for:

  • Spoofing Identity
  • Tampering with data
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

These areas provide a helpful mechanism for enumerating threats to the application.  Closely associated with this process is a scoring scheme to help evaluate risk to the application.  Another acronym applies to this problem as well: DREAD.

DREAD attempts to quantify, compare and prioritize the amount of risk presented by a given threat.  It stands for

  • Damage potential
  • Reproducibility
  • Exploitability
  • Affected users
  • Discoverability

Typically each of these areas is assessed on a scale of 1 to 10 with 10 referring to the most severe risk.  As always risk needs to be evaluated in terms of both probability and impact.
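To make the DREAD scoring concrete, here is an added example (not Microsoft's or Redspin's code) that scores a constructed STRIDE-classified threat list on the 1-to-10 scale and maps each score onto the five severity levels (Critical, High, Medium, Low, Informational) used in the IT Risk Management post above; the split of the factors into impact and probability and the numeric level thresholds are assumptions of this example.

```python
"""Added example (not Microsoft's or Redspin's code): DREAD scoring of a
STRIDE-classified threat list, mapped onto the five severity levels from the
IT Risk Management post (Critical, High, Medium, Low, Informational).

Each DREAD factor is rated 1-10, 10 being most severe. Two assumptions of
this example: the impact/probability split of the factors (Damage potential
and Affected users = impact; Reproducibility, Exploitability and
Discoverability = probability) and the numeric thresholds for the levels.
"""
from dataclasses import dataclass

STRIDE_CATEGORIES = ("Spoofing identity", "Tampering with data", "Repudiation",
                     "Information disclosure", "Denial of service",
                     "Elevation of privilege")


@dataclass(frozen=True)
class Threat:
    name: str
    category: str         # one of STRIDE_CATEGORIES
    damage: int           # D - damage potential
    reproducibility: int  # R
    exploitability: int   # E
    affected_users: int   # A
    discoverability: int  # D

    def __post_init__(self):
        if self.category not in STRIDE_CATEGORIES:
            raise ValueError(f"unknown STRIDE category: {self.category}")
        for value in self.ratings():
            if not 1 <= value <= 10:
                raise ValueError(f"DREAD ratings must be 1-10, got {value}")

    def ratings(self):
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)


def dread_score(t):
    """Overall DREAD score: mean of the five factors, on the 1-10 scale."""
    return sum(t.ratings()) / 5


def impact(t):
    """Assumed impact component: how bad (D) and how many (A)."""
    return (t.damage + t.affected_users) / 2


def probability(t):
    """Assumed probability component: how repeatable, easy and findable (R, E, Di)."""
    return (t.reproducibility + t.exploitability + t.discoverability) / 3


def severity(score):
    """Map a 1-10 DREAD score onto the five-level scale; thresholds are assumed."""
    if score >= 8.5:
        return "Critical"        # corrective measures required immediately
    if score >= 7.0:
        return "High"            # action plan as soon as possible
    if score >= 5.0:
        return "Medium"          # plan within a reasonable period of time
    if score >= 3.0:
        return "Low"             # management decides to correct or accept
    return "Informational"       # consider for the overall security posture


# Constructed threat list for a hypothetical customer-portal web application;
# the ratings are illustrative, not measured.
SAMPLE_THREATS = [
    Threat("SQL injection in search form", "Tampering with data", 9, 10, 8, 9, 9),
    Threat("Predictable session token", "Spoofing identity", 8, 7, 6, 9, 5),
    Threat("No audit log of admin changes", "Repudiation", 5, 10, 3, 4, 4),
    Threat("Verbose stack traces on error", "Information disclosure", 3, 10, 2, 2, 5),
]


def report(threats):
    """Threats ranked by DREAD score, with impact, probability and severity,
    in the form you would take to the business."""
    ranked = sorted(threats, key=dread_score, reverse=True)
    return [(t.name, t.category, round(dread_score(t), 1), impact(t),
             round(probability(t), 1), severity(dread_score(t))) for t in ranked]


if __name__ == "__main__":
    for row in report(SAMPLE_THREATS):
        print(row)
```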

During the development process the team can often benefit from using tools aimed at identifying security flaws.  The most prevalent approach used by security conscious developers is to employ source code analysis tools.  These tools automate the process of evaluating source code for common security vulnerabilities.  Many commercial tools have gained popularity and there are open source options as well, including RATS and Flawfinder.

As the application reaches the integration stage best practices call for black-box testing.  Many commercial tools address this method of testing applications from a security point of view.  Open source solutions exist as well including, Spike and WebScarab.  I have found that one of the more effective processes calls for integration of the black-box test with the build cycle.  In this fashion, when the application is built, the black box testing program is run as well.  Once complete, developers can review the results and address vulnerabilities that have been identified.

The techniques described above help secure new applications, but organizations must also be aware of the risks associated with applications that are running in production.  To assess these applications a different strategy must be employed.  One potential approach is to run a black-box test with a suite of attacks that are known to be non-invasive and likely will not take down the application.  Because this approach can miss many high impact vulnerabilities, I would recommend against it.  A better option, if the application is deployed in a virtualized environment, is to take a “snapshot” of the application to be tested.  This image is then moved to a staging environment where it can be tested thoroughly.  When vulnerabilities are identified the application must be fixed, tested and then released back to production under change control.

Hopefully, these notes on securing applications have generated some ideas regarding how you can go about improving your application security process.

A Tale of Two Citi(bank)s

Posted by John Abraham in Main

It was the best of security, it was the worst of security. This story is not about Citibank, nor London or Paris for that matter, but about two anonymous regional financial institutions that illustrate an interesting aspect of security. Their IT footprints are very similar in terms of staffing capabilities, budget, technology deployed, etc., yet one of them runs a remarkably secure IT environment and the other exists in the realm of insecurity.

Here, we take the opportunity to compare and contrast them to try and learn how one can be so secure with a similar set of circumstances. First, the similarities: Both have liberal IT budgets and don’t have significant constraints acquiring new technology for their data centers. Both run their own data centers internally. Both have open slots to bring in new IT staff and have a difficult time finding good talent to bring into their IT departments. Both IT departments are similar sized with about 50 people each.

What makes this so interesting is that, looking at these two IT departments, they had more similarities than differences. Now, while there is tremendous complexity in IT and no two environments can be equal (and small differences can have a big impact on security risk), it is still educational to isolate some key differences. So what was different?

After reviewing this question with some of our security team, the only significant delta was the culture of the two organizations.

The secure shop was very structured; let’s call them London Bank. The reporting relationships were fairly static and IT projects were carried out in an orderly fashion. Yet in the insecure shop, let’s call them Paris Bank, gear was acquired with little process to map requirements to necessary features, and the initial deployments often seemed to forget about the initial needs in favor of the whiz-bang extra features. Very little documentation was created for new systems and there was essentially no process for initial deployments, nor for ongoing maintenance or monitoring. There was no peer review or double checking for critical deployments and very little accountability for the quality of work. Certain individuals roamed around with a lot of critical knowledge in their heads about one-off custom configuration settings and other tidbits about mission critical infrastructure.

So if culture is important, then we need to ask – where does culture come from?

Well, as far as we can tell, it starts from the top. We have noticed that in secure organizations, managers have both an awareness of security and a commitment to the often tedious process of secure operations. Aware and committed managers seem to recruit IT leads that share these values, who in turn bring in like-minded techies. Furthermore, it often seems the case that all of these people are bound by a consistent vision documented in their security policies. These policies, by the way, had been created in a thoughtful way, where the importance and value of these policies were well understood… from the management on down.