
PlayStation Network Hack – What You Don’t Know Can Hurt You

Posted on by Dan Berger in Main | 1 Comment

In a press conference late last week, Sony PlayStation Network executives confirmed that the recent hacking incident that exposed personally identifiable information and credit card numbers of all or part of the user database was an exploit of a known vulnerability – just not one known to Sony.

The “external intrusion” has left 77 million PlayStation Network and Qriocity users without access to the services or their personal data stored there for the past 10 days. In the press conference, Sony Computer Entertainment CEO Kaz Hirai publicly addressed the security breach, the network shutdown and tentative restoration date, as well as Sony’s other plans to “make good” to its millions of loyal users.

Hirai-san stated that there’s “no evidence that credit card numbers, expiration dates or billing addresses” were stolen and that there have been no confirmed cases of credit card fraud relating to this incident. However, he later urged all PSN members to check monthly credit card billing statements for possible fraudulent charges. Previously, the company had stated that as many as 10 million credit cards may have been “exposed” but there was no “proof” that they had been stolen.

These seemingly incongruous statements may be the result of semantics, Japanese-English translation or both. Or perhaps it just shows how data security breaches by their very nature create chaos, or at least a lot of unknowns. The incubation period and extent of potential harm for stolen personal information can vary in length and degree. What is clear is that while some hackers delight in infiltrating systems “just because they’re there,” most sophisticated and well-orchestrated attacks are driven by underground, malevolent economic pay-offs.

Sony’s reputation re-building efforts, proposed compensatory offers to members, network security enhancements and organizational changes are all admirable and necessary in the wake of this massive breach. But there’s also the hard truth that perhaps all of this could have been avoided. At Redspin, we assess network infrastructure and applications against known vulnerabilities. We then take a “hacker’s eye view” and analyze and report on potential attack vectors. Our findings reports suggest improvements to network infrastructure, tightening security controls, and hardening web applications.

We urge our clients to be proactive about security – implement a regular cycle of security testing, remediation, validation and retesting. Our Enterprise Solution provides a structured approach to institutionalize security as part of operations. And it’s certainly affordable – particularly when one considers the potential costs of a catastrophic breach.


Healthcare Web Applications – The Security Achilles Heel (Part 2)

Posted on by Dan Berger in Main | Leave a comment

Last June, one of my colleagues at Redspin blogged about his concern that security flaws in software applications that house ePHI (electronic protected health information) represent a big threat. We had just completed a security assessment for a client and had found it relatively easy to access their customer portal using a common SQL injection technique. ePHI records represent tempting targets for cyber crime as they typically include a wealth of personal info (name and address, SSNs, credit card numbers, DOB and more).
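To make the SQL injection finding above concrete, here is an added example (not code from the original post, and not the client’s portal) of the kind of login check that falls to a “common technique”, next to the parameterised version that does not. It uses Python’s sqlite3 module against a constructed in-memory users table; the table, the user and the password are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a portal's user table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; a real portal stores a salted hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so the attacker's input is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Binds the input as parameters; the SQL grammar is fixed before the input is seen."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("alice", "correct horse"),       # legitimate login
        ("alice' --", "wrong"),           # '--' comments out the password check
        ("' OR '1'='1", "' OR '1'='1"),   # always-true WHERE clause
    ]
    for user, pw in attempts:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "fixed:", login_fixed(db, user, pw))
```

The two injected usernames log in as alice through login_vulnerable and are rejected by login_fixed. Parameter binding covers values only: if an application also builds table names, column names or ORDER BY clauses from user input, those need a whitelist, because placeholders cannot be used there.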

The healthcare industry is currently very motivated to deploy EHR systems, increase interconnectivity via HIEs, and launch new web applications. As data is made more accessible to more audiences, the risk of a breach increases too. The scope of a HIPAA Risk Analysis should include software applications, but be sure to hire a company with specific application penetration testing expertise. Make sure your provider is competent, has relevant experience and applies best practices, starting with the Top 10 Web Application Vulnerabilities list as outlined by the Open Web Application Security Project (OWASP).

Another area of focus should be your internal patch management process. Effective maintenance of your current day-to-day IT operating systems and applications is essential, but be sure to conduct an inventory of older applications as well. They may have been developed by people who are no longer with your organization. Some may perform tasks that are very mundane, highly specialized and/or rarely used. At Redspin we often uncover these “out-of-sight, out-of-mind” applications in our HIPAA Risk Analysis process. Fortunately we have an application penetration testing methodology that is applicable to both web applications and non-web applications.

Attack Surface Reduction – An often overlooked element of web application security

Posted on by John Reno in Main | Leave a comment

In industry surveys ranging from the Symantec Threat Report to Gartner analyst reports, application security is constantly cited as the most significant area of risk for enterprises and the most prevalent threat vector for cyber crime. It certainly makes sense: why bother to spend time on reconnaissance when the front door is wide open?

Many organizations have begun to spend a great deal of energy and money to secure applications. Popular approaches include code review, threat modeling, source code analysis and black box testing. Often overlooked is the rather fundamental practice of reducing the attack surface of the application.

During development and configuration of a system and the associated application, the software must typically expose both customer and business assets through network ports, database access, APIs, web services and the user interface. The entire collection of entry points in a product is called its Attack Surface. These form the ways in which an adversary can attack a system. A big attack surface generally means big security issues, or often more time and budget dollars dedicated to protecting the system. It’s also important to remember that channels to local resources are not the only vectors for attack; remote resources must also be kept in mind.

Generally, when a software system is architected, implemented and configured, the top of mind issue is providing useful functionality that meets business goals. From a security point of view, however, the design and deployment teams must also think about turning things off as well as on. From a design standpoint this involves reducing the amount of code that is executing by default, running with user privileges rather than system privileges, reducing functionality and data accessible to unauthenticated users and limiting the damage if access points are exploited. From a system configuration point of view this involves turning off unnecessary services, providing access only to required authorized users on specific subnets, and using strong ACLs to control access to resources.

The security community has done a relatively good job with respect to understanding which attack vectors are more likely targeted by adversaries. Given that perspective, keep the following in mind:

• Minimize the use of scripting engines and controls such as ActiveX, JavaScript or VBScript.
• Avoid symbolic links as these are likely targets.
• Restrict file permissions to the fullest extent possible.
• Minimize the number of services that must run as root.
• Keep up with vulnerability research and build an effective patch process.

A useful practice is to put together a design guideline for developers suitable to your design environment and the business and security requirements associated with your system. Further, at deployment time, a security configuration guide and checklist of security best practices is recommended. Interestingly, some in the industry such as SAP have invested even more heavily in this area. SAP Labs has developed and begun pilot deployment of an Eclipse extension that uses a more formal process to measure attack surfaces. Their method involves summing the damage potential-effort ratios (DER) of relevant resources. The relevant resources of an application include its channels, such as TCP ports; methods, such as API calls; and data, whether persistent, in memory, or in transit. The DER of a resource is the ratio of its potential damage to the effort required to breach it. The SAP tool discovers application resources and combines that data with DER numbers to generate attack surface metrics for software components. While the discovery of resources is fully automated, the tool requires context specific configuration based on experience, judgment, and a threat modeling process.
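To show what “summing the damage potential-effort ratios” looks like in practice, here is an added example (not SAP’s tool and not code from the original post) that rates a small, constructed inventory of channels, methods and data stores, totals the DER per kind, and then re-scores it after the two reductions recommended above: turning off non-essential resources and taking anonymous access away from a method that does not need it. The ordinal scales, the inventory and every rating in it are illustrative assumptions; deciding what is essential and how much damage a resource can do is exactly the context-specific configuration the post mentions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Ordinal scales for damage potential and attacker effort. The numbers are
# illustrative assumptions for this example, not anyone's calibrated values.
DAMAGE = {"low": 1, "medium": 3, "high": 5}
EFFORT = {"anonymous": 1, "authenticated": 3, "admin": 5}


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                # "channel" (port), "method" (API/URL) or "data" (store)
    damage: str              # what an attacker gains from it: a DAMAGE key
    access: str              # least privilege needed to reach it: an EFFORT key
    essential: bool = True   # False: it exists only because nobody turned it off


def der(r: Resource) -> float:
    """Damage-potential-to-effort ratio of one resource."""
    return DAMAGE[r.damage] / EFFORT[r.access]


def attack_surface(resources):
    """Sum the DER per resource kind; a bigger number is a bigger surface."""
    totals = defaultdict(float)
    for r in resources:
        totals[r.kind] += der(r)
    return dict(totals)


def riskiest(resources, n=3):
    """Names of the n highest-DER resources: where the first hardening hours go."""
    return [r.name for r in sorted(resources, key=der, reverse=True)[:n]]


def harden(resources, require_auth=()):
    """Apply two reductions from the post: drop what is not essential, and
    stop exposing the named resources to unauthenticated users."""
    kept = []
    for r in resources:
        if not r.essential:
            continue                      # turned off: no longer on the surface
        if r.name in require_auth and r.access == "anonymous":
            r = replace(r, access="authenticated")
        kept.append(r)
    return kept


# Constructed inventory of a small portal (names and ratings are assumptions).
SAMPLE = [
    Resource("tcp/443 web front end", "channel", "medium", "anonymous"),
    Resource("tcp/8080 debug console", "channel", "high", "anonymous", essential=False),
    Resource("tcp/5432 database", "channel", "high", "authenticated"),
    Resource("GET /api/export", "method", "high", "anonymous"),
    Resource("POST /admin/reset", "method", "high", "admin"),
    Resource("patient_records table", "data", "high", "authenticated"),
    Resource("/tmp session cache", "data", "medium", "anonymous", essential=False),
]

if __name__ == "__main__":
    before = attack_surface(SAMPLE)
    after = attack_surface(harden(SAMPLE, require_auth={"GET /api/export"}))
    for kind in ("channel", "method", "data"):
        print(f"{kind:8} {before[kind]:6.2f} -> {after[kind]:6.2f}")
    print("start with:", riskiest(SAMPLE))
```

On the sample inventory the channel total drops from 9.67 to 4.67, the method total from 6.0 to 2.67 and the data total from 4.67 to 1.67, and riskiest() points at the forgotten debug console and the unauthenticated export call before anything else. The absolute numbers mean nothing on their own; the value is in comparing two configurations of the same system, or the same system before and after a release.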

Given the complex nature of deploying SAP software securely it’s not surprising that they have invested in this area. However, all systems can benefit immediately from simply measuring the potential avenues of attack and understanding the impact. This practice can be particularly beneficial for complex systems with many configuration decisions. In the healthcare sector, where Redspin has done many information security assessment projects, a good example is healthcare information exchange systems. A further example with broad deployment across many sectors is CRM systems.

Whether through design reviews, deployment guides or development tools, the practice of reducing the attack surface associated with an application has the potential to quickly yield a high return on investment.

Identity Theft Check Up: Electronic Medical Records are the New Credit Cards

Posted on by David Bailey 11 Comments

As credit card fraud prevention measures have made it tougher on identity thieves, identity thieves have found a new target, healthcare identities. And healthcare information systems are nowhere near ready to withstand the onslaught. A recent survey by Chicago-based HIMSS (Healthcare Information and Management Systems Society) found that most hospitals spend less than 3% of their IT budget on security, a level Lisa Gallagher, senior director for privacy and security at HIMSS, calls inadequate.

According to the New York Times, a single credit card number was going for as much as $100 on the black market in 2005. The black market has gone through turmoil similar to the stock market, and the same number today sells for about $6 to as little as $0.40 per number. The market has become flooded with numbers, and banks are able to detect fraud more quickly because of online banking and increased awareness. The amount of attention focused on credit card fraud, coupled with the loss of profitability for thieves, has made it tough for criminals, so their interest is shifting to healthcare identities.

Enter electronic medical records (EMR). EMRs are essentially an identity plus medical information. In 2007, an identity typically sold for $14 to $18. An EMR will usually contain a name, address, Social Security Number, date of birth, prescription information, medical history, and possibly a picture of a driver’s license. A single hospital would retain this information for every person who has ever checked in, and this is all the information an identity thief would need. Patients with recent birth or death events would be perfect candidates for identity theft as no one is usually monitoring their credit. Medical records that were previously boxed up in the basement are now ripe for the picking as hospitals make the move to digitize EMRs and are slow to adopt the processes and technology needed to protect this information.

Identity theft is only half the picture. A trend is emerging with thieves targeting patient records for the medical information contained within them. These data breaches started with simple hostage/ransom demands of large record holders. In October 2008, Express Scripts was notified by an attacker that records of millions of their customers would be released into the public if ransom was not paid. In a similar April 2009 incident, an attacker hijacked the Virginia Prescription Monitoring Program web site and posted a message demanding a $10 million ransom from the state.

A shift has started where attackers are starting to sell the actual electronic medical and health insurance information. In October 2009, it was discovered that a company in India was selling British medical records. The seller told undercover investigators “I have 30,000 files to give you today, right now. I’ve around 140 diseases here. You just tell me which disease you’re looking out for – I can give you anything”. This data breach was blamed on the British hospital outsourcing its medical record transcription to a third-party business associate, who in turn outsourced it to another company in India. These records were fetching £4 ($6.24) each, but the World Privacy Forum claims these records can get upwards of $50 per record.

It is only a matter of time before these stolen records are regularly used for social engineering attacks against patients. Also, people desperate for medical care will begin looking to the black market to buy an insurance identity to file fraudulent claims. Several of these cases, dating back to 2005, are documented by the World Privacy Forum along with many other patient record thefts. They also note an increase in medical identity theft victims from 86,168 in 2001 to 255,565 in 2005, and this number is still increasing. Only time will tell what new crimes come with the theft of electronic medical records.

How Can an Information Security Program help?

As with most technological challenges, there are no quick fixes or easy solutions; however, there are steps you can take to mitigate data breaches. Medical records and health insurance information need to be available to those who require access and secured from thieves trying to steal the data. One cannot just say “those records are encrypted” and think they’re set; the company must demonstrate a true commitment to a complete Information Security Program (ISP). Safeguarding EMRs requires management and implementation tasks that range across the entire business enterprise.

The following recommendations can help a healthcare organization get on the right track:

  1. Demonstrate a true commitment to information security across the entire enterprise – not just within the IT arena. The most effective Information Security Program takes a risk-based approach, balancing potential risks against the convenience and expense to mitigate identified risks.
  2. View IT Security as a Competitive Advantage as companies that experience IT security breaches are subject to damaging consequences such as:
    • Large monetary penalties from regulators
    • Loss of mission-critical IT systems including web applications, business associate networks and internal networks
    • Breach notifications to customers/patients and the media
    • Legal action by affected customers/business associates/vendors
    • Theft and/or misuse of data
  3. Implement and follow well-documented security policies and procedures. Periodically review and adjust these and monitor and measure compliance to industry best practices.
  4. Collaborate with business associates on the implementation of EMR security programs.
  5. Conduct independent security assessments. HIPAA law requires covered entities to conduct routine evaluations of the effectiveness of EMR security programs, policies and procedures. It is also important to evaluate business associates with whom health data is exchanged.

As with any new regulation, it is important to take a step back and fully understand how this impacts your organization. There are no “cookie-cutter” solutions; however, understanding the current infrastructure by taking a holistic, risk-based approach and balancing potential risks against the convenience and expense to mitigate identified risks is the recipe for success. Strong leadership, organizational competency, risk classification, collaboration and continuous process improvements are the benchmarks for best practices in healthcare information security and compliance.

More Cyber Criminal Activity

Posted on by John Reno in Main | Leave a comment

This morning the Washington Post once again reported a widespread and ongoing set of attacks sponsored by a cybercriminal organization based in Eastern Europe. Amit Yoran of Netwitness was quoted as saying, “The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats,” Yoran said. “The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.” I have worked with Amit both at Riptech (now Symantec) and when he was National Cyber Security Division director within the United States Department of Homeland Security. We should take note. More sophisticated attacks are coming and perimeter oriented, signature-based defenses are inadequate.
What should be done? I would invest rapidly in two particular areas:

• Social engineering and security awareness
• Risk management

Social engineering and security awareness can be thought of as your new front line of defense: your users. They need to be cognizant of the attacks that are being directed at them and the role they play in defending the organization and corporate assets.

Risk management can be implemented by following the process depicted above. From the standpoint of defending against cyber crime, the process helps identify the areas that are of highest impact to your business, and organizes controls to defend against the threats. Another important benefit is that business unit leaders and executive management are drawn into the process, and thus gain an understanding of the security issues and risks. Furthermore, implemented properly, risk management just becomes part of running the business similar in nature to the way the financial organization closes the books every month.

Here at Redspin we can help you understand your risks, educate your workforce and modernize your defenses.

IT Risk Management

Posted on by John Reno in Main | 2 Comments

In my last few posts I mentioned using risk management as an effective mechanism for combating cyber crime. A number of readers from the LinkedIn Information Security Group asked about recommendations for improving their risk management processes:

“In my corporation risk management is mostly controlled by finance. We can’t seem to get a discussion of IT risk, particularly cyber crime, on the executive staff agenda. Do you have any ideas to improve our situation?”
“We invested in the COSO framework to manage regulatory compliance, but risks to the business such as cyber crime are still addressed on an ad-hoc basis. What do you recommend?”
Improving the effectiveness and efficiency of IT risk management is a subject that could easily fill a multiple day workshop, but allow me to offer a few suggestions in high impact areas. The first area to address is the language used to describe risk. The MIT Sloan Center for Information Systems Research has done some well regarded work in this area. The major idea is to focus IT risk on four major areas: availability, access, accuracy and agility, and to drive the discussion around impact to the business. Executive management teams respond more effectively to risks they understand, however unpredictable, than to ones they don’t. IT risks are often the least understood. Most management teams do not know how to think about IT risk beyond the immediate impact on IT operations of viruses, data breaches and failed business continuity programs. They have not made the connection between failing servers and failing business operations, or between taking shortcuts and giving clear guidance.
Every IT risk has a business consequence. Yet often the decision making process around IT risk gets bogged down in technical details. What’s needed is a simple way to clarify tradeoffs and make better decisions. I’ve found that if business leadership can focus on four key IT risks they are more willing to bring the IT agenda to the table and make better informed decisions. Let’s briefly look at the 4 A’s.
Availability: This means keeping the systems running. IT needs to communicate regularly to executive staff on the availability risk to major business processes and ensure there is a business continuity plan in the case of failure.
Access: This is defined as ensuring access to systems and data. IT is responsible for providing the right people with the access they need and ensuring that sensitive information is not misused. The IT organization must regularly discuss risks associated with data loss, privacy violations and inappropriate use.
Accuracy: This means providing complete, timely and correct information that meets the requirements of customers, suppliers, regulators and management. Compliance with Sarbanes-Oxley is a common source of accuracy risk for enterprises in the United States. IT should review with management the sources of accuracy risk (and risk mitigation programs) such as the inability to get accurate, consistent, global view of key customers and product/service sales.
Agility: This is defined as the ability to make the necessary business changes with appropriate cost and speed. A specific example of agility risk would be the delay or cancellation of a merger because of the risk of integrating IT systems. The IT organization needs to discuss these risks so that management can make informed decisions and not hedge their bets because they don’t believe IT can deliver on time.
The second area to look at in terms of the effectiveness of your risk program is consistent usage of risk severity levels and the associated actions. At Redspin we use five levels:
• Critical – Corrective measures are required immediately.
• High – Strong need for corrective measures. An action plan must be put in place as soon as possible.
• Medium – Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low – Management must determine whether corrective actions are required, or decide to accept the risk.
• Informational – The issue does not indicate a material violation but is something for management to consider for enhancing the overall security posture.
Drive these definitions into your risk mitigation programs, policy specifications and controls.

The last area I will suggest concerns making a business impact with these ideas for managing risk. Rather than focus on technical risks, concentrate the energy of the IT team to frame risk associated with key business processes that drive the business. An example of a common key business process that exists at nearly every organization is quote-to-cash or lead-to-support. Make an effort to quantify and explain to executive staff the risks to the infrastructure, applications and personnel that support this key business process. Identify the high impact risks, the threat probability and your plan of action. Get on the business agenda and review your progress on a regular basis. A common result is that the IT and security teams are viewed less as a cost center and more as an enabler of business goals.

Advanced persistent threats – how organizations can keep pace with the growing sophistication of cyber crime

Posted on by John Reno in Main | 1 Comment

Threats posed by cyber crime have increased dramatically in the past year. Yesterday the Washington Post announced that Google has enlisted the help of the NSA to combat cyber crime attacks directed at them and other U.S. corporations. While this is sure to generate privacy concerns in the user community, it is more importantly a visible indicator that cooperation is one of the more important factors in combating cyber crime. In fact, in the last 6-12 months there has been a rapidly growing informal network of cooperation within the business and IT leadership of major corporations simply to get a handle on how to respond and manage risk in this highly dangerous threat environment. Let’s look at some of the more important ways to manage in this environment and deal with these classes of attacks.
The current reality of cyber crime is that the threat environment has shifted from broad based hacker oriented attacks that posed a primary risk to business availability to targeted operations aimed at specific corporations, particular people in the organizations and key business processes that contain high value data such as strategic plans, source code, intellectual property and acquisition intentions. What should be done? I would recommend aggressive action in several areas:
• Risk management – identify the high impact, high probability risks to the business and focus technology and skilled personnel accordingly.
• Security awareness – the target of these APT attacks are most often executive leadership; make sure they know they are likely to come under attack and prepare a response plan.
• Industry cooperation – realize that these attacks are often state sponsored and backed by significant resources. There are many resources that can be drawn from to exchange information regarding best practices, threats and vulnerabilities. Just a couple of examples include the IT-ISAC (Information Technology Information Sharing and Analysis Center) and Cisco Systems’ Security Intelligence Center.
• Aggressive and appropriate defense – drive your security program based on risk to your most important assets, monitor outbound and internal-internal communications for signs of data exfiltration and command/control communications and look for both network and host-based indications of compromise.
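The last bullet is the one that needs tooling, so here is an added example (not part of the original post, and not a Redspin tool) of the simplest useful form of it: scanning an outbound connection log for internal hosts that call the same external address at a fixed interval (the polling pattern of a command/control implant) and for hosts that push an unusual volume of data out. The log lines are constructed sample data in an assumed “timestamp src dst bytes_out” format, the addresses are from the RFC 5737 documentation ranges, and the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound log: "<ISO timestamp> <src> <dst> <bytes_out>" (assumed format).
# 10.1.2.3 polls one address every five minutes, 10.1.2.4 browses normally,
# 10.1.2.5 pushes ~55 MB out in two minutes. Sample data, not a real capture.
SAMPLE_LOG = """\
2010-02-05T09:00:00 10.1.2.3 203.0.113.7 512
2010-02-05T09:05:00 10.1.2.3 203.0.113.7 508
2010-02-05T09:10:01 10.1.2.3 203.0.113.7 515
2010-02-05T09:15:00 10.1.2.3 203.0.113.7 511
2010-02-05T09:20:00 10.1.2.3 203.0.113.7 509
2010-02-05T09:25:00 10.1.2.3 203.0.113.7 513
2010-02-05T09:00:30 10.1.2.4 198.51.100.20 2048
2010-02-05T09:01:00 10.1.2.4 198.51.100.20 1900
2010-02-05T09:11:00 10.1.2.4 198.51.100.20 4096
2010-02-05T09:11:45 10.1.2.4 198.51.100.20 3072
2010-02-05T09:31:45 10.1.2.4 198.51.100.20 2200
2010-02-05T09:40:00 10.1.2.5 198.51.100.9 26214400
2010-02-05T09:41:00 10.1.2.5 198.51.100.9 31457280
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, bytes_out) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(events)


def beacon_candidates(events, min_hits=4, max_cv=0.15):
    """Return (src, dst, period_seconds) for pairs whose gaps between connections
    are nearly constant (coefficient of variation <= max_cv): a polling implant."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        stamps_by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            found.append((src, dst, round(period)))
    return found


def exfil_candidates(events, byte_threshold=50 * 1024 * 1024):
    """Return (src, dst, total_bytes) for pairs that sent more than byte_threshold out."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in events:
        totals[(src, dst)] += nbytes
    return [(s, d, n) for (s, d), n in totals.items() if n > byte_threshold]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, dst, period in beacon_candidates(evts):
        print(f"beacon? {src} -> {dst} every {period}s")
    for src, dst, total in exfil_candidates(evts):
        print(f"exfil?  {src} -> {dst} {total / 2**20:.1f} MiB out")
```

On the sample, 10.1.2.3’s 300-second beacon and 10.1.2.5’s outbound volume are flagged and the ordinary browsing is not. An implant that sleeps with random jitter, or only once a day, will not trip the fixed-interval test, and plenty of legitimate software (update checkers, monitoring agents) will, so treat hits as leads to pivot on (destination reputation, the process behind the connection, whether one host or hundreds reach that destination) rather than as verdicts.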


Dealing with cyber crime

Posted on by John Reno in Main | Leave a comment

CSO magazine recently released the 2010 Cyber Security Watch survey of over 500 respondents from both the public and private sector. In reading through the answers I was not surprised to find several results that gave cause for alarm. Of course it’s always difficult to draw conclusions from survey results, and you should realize that I am not really interested in a rigorous analysis of the survey information. Rather it’s simply a vehicle for discussing a significant shift in the threat environment and what security approaches companies can take to manage the risks they face.
Some of the results I found interesting:
• 58% of the respondents considered themselves more prepared to deal with cyber security threats today compared to 12 months ago; 37% considered themselves at the same level of preparedness.
• Over 75% of respondents reported that monetary losses from cyber security events either remained the same or they weren’t sure.
• Only 6% of the respondents cited organized crime as the most significant threat to their organization.
• Of the organizations that experienced cyber security events that caused financial loss or cost during the preceding 12 months only 28% found these events to be aimed specifically at them.
What strikes me is that there is a degree of complacency and a sense that status quo security measures such as perimeter protection, signature based detection and log monitoring are good enough. However, the current reality is that cyber crime is becoming increasingly sophisticated and fueled by growing profits. A significant shift is taking place in the threat environment in that cyber criminals are targeting organizations and using advanced techniques to gain persistent presence in IT environments and attacking corporate business processes for financial gain. Companies face major risk exposure in a number of areas including brand damage, regulatory penalties and data breach liability.
Let’s look at some examples of what’s going on in this changing threat environment.
• Financial fraud is a leading money-maker with unauthorized bank transactions and credit card charges taking place with stolen credentials. Common techniques to steal credentials range from data theft to key-logging malware. A widespread example of this is the Zeus Trojan.
• Cyber criminals are using social engineering techniques and taking advantage of the growing amount of personal data on the web to target particular companies, business processes and even individuals within an organization.
• Crime is organized and specialized. Large businesses exist to sell zero-day exploits, malware packages and exploit kits. As testimony to the ineffectiveness of signature based security measures such as IDS/IPS and anti-virus, many of these packages have been tested to ensure that they are not detectable.
• The scope of targets is expanding. Attackers are using their presence within corporate IT networks to perform reconnaissance and identify and steal high value information such as source code, strategic planning documents and design data.
Given these trends in the threat environment, what measures can be taken by security teams within corporations? I believe the only effective method to combat cybercrime is through risk management. This means shifting the focus from building an impermeable perimeter to protecting the information and data that drive the business. Security and business group teams need to prioritize risks based on their likelihood and business impact and then allocate resources and technology accordingly. A simple way to think about this is that it is no longer a matter of keeping the bad guys out. We have to assume that they will get in. We just have to make sure they don’t leave with anything that is valuable.