Practical Security

FTC slams ControlScan

Posted on by Nathan Drier

I wrote about this a while back, but it seems like others are taking note:

“The U.S. Federal Trade Commission (FTC) on Thursday (Feb. 25) screamed “the Emperor has no clothes” by reporting to consumers that one of the largest firms issuing “Verified Secure Breach Protection” seals doesn’t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.”

http://www.storefrontbacktalk.com/securityfraud/ftc-to-controlscan-your-web-site-security-seals-are-lies/

and

http://www.databreaches.net/?p=10165

Virtualization Sprawl: Don’t be Victimized!

Posted on by Nathan Drier

A few days ago, I was talking about spinning up a new VM to take on some random task, and a fellow Redspin geek jokingly asked if I had ever heard of virtualization sprawl. I took a second to think about the population of Debian VMs I had built in the past year; I had more than doubled the headcount in our server block. The geek in me says “Spin ’em up! Disk space is cheap! Cacti loves to make graphs!”, while the security engineer in me says “How the heck are you going to keep all these boxes secure?”

Virtualization is huge, and it’s here to stay. It just makes the trigger so easy to pull. It takes 20 minutes to build a new Debian VM from scratch, or only 3 minutes to copy an image and give it a new IP. No more hunting for hardware or trying to salvage some old server. You get an entire server, with an entire stack of services and a fresh operating system, at the click of a mouse. One of the last customer sites I visited had grown their VM farm as well, from 30-ish virtual machines in 2008 to 200+ virtual machines in 2009. While virtualization is fantastic, it comes with a little baggage:

  • Machine Management. You’ve gone from 4 VMs to 400, and you’re a little lost on how to manage them. Your old policies for managing hardware-based servers don’t apply, and everyone in your company is begging you to let them spin up a new virtual server. How can you keep track of machines if you don’t even know they exist in the first place? How do you limit or control the creation of new virtual machines without squashing all the sweet benefits that virtualization offers?
  • Security. Just because they are virtual doesn’t make them unhackable. In fact, virtual machines have a larger attack surface than their hardware-based brethren, since attacks can be aimed either at the hypervisor or at the VM itself. They require the same security TLC as a regular server (patching, hardening, GPO policies, auditing, etc.), but the speed at which these machines arrive makes it hard to manage. Are you sure all those Windows servers made it into your WSUS schedule? Mix that in with 12 different operating systems across 3 hypervisors, and you’ve got a playground for Conficker.
  • Support. Here comes the hard part. You’re not sure who built the VM, when it got spun up, or who takes care of it, but you know it’s down because your phone is ringing off the hook. You don’t know the operating system, let alone the admin credentials, to even begin troubleshooting. The VM is a ghost, but obviously a critical ghost. How can you expect to fire up the engine again when you can’t even pop the hood?
  • Cost. One of the main points of virtualization is to save money. Less hardware = more in the IT fund… right? Where hardware costs go down, the cost of licensing can skyrocket. Since VMs are so easy to create, sometimes they get built out of ease and convenience instead of business need (or the VMs built outrun your licensing pool). Why bog down a domain controller when you can build a new VM to serve up NTP?

So what’s an admin to do? You can’t fight the charm of virtualization, but you want to do it right. As the coming months and years roll by, virtualization is going to get bigger, more affordable, and more mainstream. If setting up some sort of virtual infrastructure is in your plan, now is the time to start some prep work. If you already have a ton of VMs floating around, take a second look at your deployment and management policies and see if they could use a tune-up. The benefits it brings to your organization can drastically outweigh the cons if you consider the following:

  • Policies: Like we said before, your old hardware-based policies don’t apply. Create a guideline to enforce deployment standards. Specify who can build images, who is responsible for importing them into hypervisors, and who will manage them. Create a detailed list of all current VMs and their use (see below), and be sure to audit this list on a regular basis to find VMs that are no longer used and can be decommissioned or consolidated. If the rules are laid out beforehand, anyone who wants to play will have to abide by them.
  • Standard Images: Creating some standard images to build from will help streamline the process. This creates a baseline for all VMs to be built from that can include basic hardening, auditing, and installation of company-wide applications (antivirus, logging agents, etc.). This gives you tighter control over the deployment process by specifying the operating systems and configuration baselines that get pushed out.
  • VM Lifecycle Management: A very important issue with VMs is lifecycle management. It basically boils down to keeping track of VMs and their use. VMs, unlike physical servers, easily travel from hypervisor to hypervisor, making them somewhat difficult to keep track of. VMs also have lifespan issues: a forgotten VM that is no longer used and no longer on a patching schedule, but still has a live IP address, can cause lots of problems. Microsoft and Novell (along with others) have released software applications to help with VM lifecycle management. These work by tracking new virtual machines as they are spun up, moved into production, bounced around hypervisors, and then retired.

It’s up to you to decide how fancy you get. Your tools to combat VM sprawl can be as simple as Nmap and a spreadsheet, or as complex as enterprise management applications that can store entire network state. Whatever path you find yourself on, take an hour or two to go through your existing VMs to document them, and get some sort of plan in place for adding more. You’ll thank me later.
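Here is what the “Nmap and a spreadsheet” approach looks like when you actually wire it together. This is an added example, not code from the post or from Redspin: it assumes a ping sweep saved in Nmap’s grepable format (`nmap -sn -oG - 10.0.0.0/24`) and a CSV export of the VM list the Policies bullet asks for. Both inputs below are constructed samples. It flags the sprawl symptoms the post describes: hosts answering on the wire that nobody wrote down (ghost VMs), inventory entries that no longer answer (decommission candidates), and documented VMs with no owner or no patch schedule.

```python
"""Reconcile a VM inventory spreadsheet against an Nmap ping sweep.

Added example (not Redspin's own tooling). Assumes the sweep was run as
`nmap -sn -oG - 10.0.0.0/24` and the inventory is a CSV export of the
spreadsheet described in the post. Sample data below is constructed.
"""
import csv
import io
import re

# Constructed sample of Nmap "grepable" (-oG) output for a ping sweep.
NMAP_GREP = """\
# Nmap scan initiated as: nmap -sn -oG - 10.0.0.0/24
Host: 10.0.0.10 (dc1.corp.example)\tStatus: Up
Host: 10.0.0.11 ()\tStatus: Up
Host: 10.0.0.12 ()\tStatus: Down
Host: 10.0.0.42 ()\tStatus: Up
Host: 10.0.0.77 (ntp2.corp.example)\tStatus: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

# Constructed inventory CSV: the "detailed list of all current VMs and their use".
INVENTORY_CSV = """\
ip,name,owner,os,patch_schedule,hypervisor
10.0.0.10,dc1,infra-team,Windows 2008,WSUS-weekly,esx01
10.0.0.11,cacti,ndrier,Debian 5,apt-monthly,esx01
10.0.0.12,testbox,,Debian 5,,esx02
10.0.0.13,oldmail,ops,Debian 4,apt-monthly,esx02
"""

# One -oG host line: "Host: <ip> (<hostname or empty>)<tab>Status: Up|Down"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_nmap_grep(text):
    """Return {ip: hostname} for every host Nmap reported as Up."""
    up = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            up[m.group(1)] = m.group(2)
    return up


def parse_inventory(text):
    """Return {ip: row dict} from the inventory CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["ip"].strip(): row for row in reader}


def reconcile(live, inventory):
    """Compare the sweep with the inventory and bucket the sprawl symptoms."""
    live_ips = set(live)
    known_ips = set(inventory)
    return {
        # answering on the wire, but nobody wrote it down: the "ghost" VM
        "ghosts": sorted(live_ips - known_ips),
        # on the list, but silent: decommission candidates or stale entries
        "stale": sorted(known_ips - live_ips),
        # documented, but with nobody to call when it breaks
        "unowned": sorted(ip for ip, row in inventory.items()
                          if not row["owner"].strip()),
        # documented, but not on any patching schedule
        "unpatched": sorted(ip for ip, row in inventory.items()
                            if not row["patch_schedule"].strip()),
    }


def sprawl_report(nmap_text=NMAP_GREP, inventory_text=INVENTORY_CSV):
    """Run the whole reconciliation; defaults use the constructed samples."""
    return reconcile(parse_nmap_grep(nmap_text), parse_inventory(inventory_text))


if __name__ == "__main__":
    for bucket, ips in sprawl_report().items():
        print(f"{bucket:10s} {', '.join(ips) or '-'}")
```

Run it against the real sweep and export on a schedule, and the “ghosts” bucket is your audit list: every entry there is a box with a live IP that is on nobody’s patch schedule. The “stale” bucket is the consolidation list the Policies bullet talks about. Swapping in other inputs (an ARP table, a hypervisor’s VM list) only means replacing the two parsers; `reconcile` stays the same.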

A Tale of Two Citi(bank)s

Posted on by John Abraham in Main

It was the best of security, it was the worst of security. This story is not about Citibank, nor London or Paris for that matter, but two anonymous regional financial institutions that characterize an interesting aspect of security. Their IT footprints are very similar in terms of staffing capabilities, budget, technology deployed, etc., yet one of them runs a remarkably secure IT environment and the other exists in the realm of insecurity.

Here, we take the opportunity to compare and contrast them to try and learn how one can be so secure with a similar set of circumstances. First, the similarities: Both have liberal IT budgets and don’t have significant constraints acquiring new technology for their data centers. Both run their own data centers internally. Both have open slots to bring in new IT staff and have a difficult time finding good talent to bring into their IT departments. Both IT departments are similar sized with about 50 people each.

Looking at these two IT departments, they had more similarities than differences, which is what makes the contrasts so interesting. Now, while there is tremendous complexity in IT and no two environments can be equal (and small differences can have a big impact on security risk), it is still educational to isolate some key differences. So what was different?

After reviewing this question with some of our security team, the only significant delta was the culture of the two organizations.

The secure shop was very structured; let’s call them London Bank. The reporting relationships were fairly static and IT projects were carried out in an orderly fashion. Yet in the insecure shop, let’s call them Paris Bank, gear was acquired with little process to map requirements to necessary features, and the initial deployments often seemed to forget about the initial needs and favor the whiz-bang extra features. Very little documentation was created for new systems, and there was essentially no process for initial deployments, nor for ongoing maintenance or monitoring. There was no peer review or double-checking for critical deployments and very little accountability for the quality of work. Certain individuals roamed around with a lot of critical knowledge in their heads about one-off custom configuration settings and other tidbits about mission-critical infrastructure.

So if culture is important, then we need to ask – where does culture come from?

Well, as far as we can tell, it starts from the top. We have noticed that in secure organizations, managers have both an awareness of security and a commitment to the often tedious process of secure operations. Aware and committed managers seem to recruit IT leads that share these values, who in turn bring in like-minded techies. Furthermore, it often seems to be the case that all of these people are bound by a consistent vision documented in their security policies. These policies, by the way, had been created in a thoughtful way, where the importance and value of these policies were well understood… from the management on down.

Taking the Ethical out of Hacker

Posted on by admin

Security Review Site Really a Front for a Security Consulting Company?

The security space is a very interesting arena. For the customer, it’s often very difficult to separate fact from fiction in many aspects. There are security companies that sell you audits, and then sell you their “solutions”. There are security companies with flashy websites and huge marketing campaigns, only to be stocked with sub-par talent and less than average processes. There are security companies that praise their technical ability and hacker prowess, only to plug your website into a bulk vulnerability scanner and hand you output. Now, it appears that customers have yet another foggy metric to analyze:

Biased inner-industry security company reviews.

Recently, we were alerted that we are under review from a blog that “exposes” IT security providers. Due to popular demand, we were named as the next in line for review (http://secreview.blogspot.com/). Thinking something seemed a little fishy, we set off to track down some details that made us believe this review site was really a front for Netragard:

Also, check out this Google search that one of our engineers tracked down.

  • A Fox in the Henhouse. Some weeks ago, we were approached via echat by someone claiming to be a potential customer, who really turned out to be members of Netragard and Snosoft inquiring about our services. Netragard provides IT security services. Knowing that when a company in the same industry as yours comes calling and asking all about your services, it’s probably not because they need an audit, we were very leery about doling out any in-depth information. When you spend years refining a process that provides the best possible value to your customers, why hand it out to all your competitors?
  • No Hackers Allowed. We find part of our external IP space interestingly blacklisted from accessing www.netragard.com, aligning suspiciously with the blog posting on the Secreview site.
  • We are the Best! Interestingly enough, Netragard gets the highest rank from the Secreview site. They get the only A+ (the plus must mean better) out of all the reviews. Most everyone else gets a C or below.
  • I Know your Way Home. Digging through our chat logs, we found an interesting little trail. The chatters claimed to be using a whitepaper from “one of our competitors” to ask questions regarding our services. At this point in the chat, we had a suspicious feeling that whoever was on the other end was with SnoSoft/Netragard. When asked about their relation to SS/NG, they replied:

“I’m not sure why you are asking me about snosoft/netragard other than the fact that these questions come from one of their white papers.”

  • Using the email they provided in our chat session, we got down to work. The email is referenced in a Google-indexed PDF. We searched the PDF and found end notes that tie the email address to a current high-ranking employee of Netragard. We found multiple social networking accounts, all belonging to employees of SS/NG, with the same user name as the initial email.
  • I Got My Reviewing Degree Online. Even if this reviewing site was from an unbiased team, the review methodology is a little questionable. I’m not sure how you can forecast about a security company’s technical abilities by analyzing the copy on their website, but it appears to be a valid metric on the Secreview site. I’d rather see some actual, real world work from the company in question to make my decision.
  • Spikes! A nice spike in traffic from Netragard LLC IP space to the redspin.com website.

Hits

So let me ask you this: if I got to grade all my peers in my Art History class, would you believe the results? Forget the reviews you read, as the industry has apparently progressed (or regressed) to the point where reviews by “Real World Ethical Hackers” are nothing more than biased marketing shouts by false fronts for other security companies. Why not try the following to REALLY audit the auditors:

  • Communication. If you feel dirty after talking to an auditor, chances are they aren’t for you. Call up and chat with an engineer or sales rep. They should be helpful and willing to answer your questions if you are a legitimate customer.
  • References. Ask your auditor for some references, and chat up those references about the quality of work, the communication process, and the technical ability of the auditor. Nobody will give you a better review of a company than someone who paid for their work.
  • Contributions to the security community. Does your auditor do research, write relevant articles and papers, or stay on the cutting edge? Ask for education histories and recent research to be sure.
  • Objectivity. Does your auditor sell firewalls and managed services? If so, you can expect their number one finding to be that you need them. Make sure your auditor is purely objective and doesn’t try to sell you solutions.

See here for more information: http://www.redspin.com/research_eight_questions.html

In the end, it comes down to you to make the decision. Know the right questions to ask, build relationships with your vendors, and take an active part in the choices your organization makes regarding security. Stay safe, it’s stormy out there.

P.S. Our CEO has contacted the Secreview blog site and is waiting for a response. If anyone has experience with Secreview and wants to chat, don’t hesitate to contact us.

The Gear Myth: does more gear = more security?

Posted on by John Abraham in Main

AKA: Are you building a house of cards?

The gear myth is the mythical view that investing in more technology will inevitably make an enterprise network more secure. While there is a tremendous amount of new gear available to help make networks more secure, our perspective is that more gear, in fact, may not only fail to achieve your security goals, but may even add risk.

First let me visually explain the gear myth, then I’ll discuss why layering additional technology into a network can be counterproductive.

Initial state: we have some security risk, so let’s address it by deploying some new technology.

The image at left is a graph that shows how someone, say an IT manager, might view their level of security for a specific component of their IT environment. The scale shows that the level of security is very low.  Based on this assessment the IT department deploys some new technology.

The new gear is installed: everything is fine, no risk…. right?

After deploying some new gear, which in many cases is limited to buying expensive technology and lobbing it into the data center, the perceived level of security is much higher.