Security Ideas: Back to Basics isn’t a bad thing.

I’ve been pondering the Palin e-mail fiasco of late. It never fails that it’s the simplest of things that leave open doors in environments. I had suspected that at some point this would happen: all the FUD that the overall security industry has heaped upon the average person has dulled their sense of security and awareness. And it’s starting to show itself in today’s environment. Last week’s crash seemed to mimic the crash we’ll likely see at some point in computer security.

Seriously. We should not have mentalities where employees spend their day poking their Facebook applications; that it’s corporately acceptable to never change our default password from the very first one we received; that laptops issued to mobile employees don’t come with security filters to prevent theft of intellectual property. Our environments are far too connected to ignore the simplest of security practices. People are starting to become lax in security in the wrong areas. There is a belief by many that local networks do not need to have security because, well, it’s internal. While we’d like to believe that all employees are here to do a good job and not go over to the competition, it happens.

So the obvious question is: what do we do when we’ve pushed people to the limit of their willingness to be security minded, and the result is a more lax attitude towards the simplest of security features? Here’s a list of the simplest things you can do, whether at home or at work:

Passwords: Always use passwords and ensure they are a combination of lower case, upper case, special characters and numbers. The trick is to create a password that is memorable and doesn’t have to be written down to be recalled. First, let’s consider what not to use: birthdates, names of family and friends, pet names, kids’ names, names of favourite teams, singers, actors, etc., your SSN/SIN, or other common identifiers. Now, what should we use? A phrase that you like can be used as the password if it has enough varying characters. Alternatively, you can use a password generator like the following to create a password and commit it to memory. This is the method I prefer, and I have a variety of generated passwords committed to memory as “regular” passwords that I use.
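The generator the post links to is not reproduced here; as an added example (not the author’s tool), the following generator guarantees all four character classes the post asks for, and the checker flags the identifiers the post says to avoid (names you supply, four-digit years, SSN/SIN-like digit runs). The pet name and minimum length are constructed placeholders.

```python
import re
import secrets
import string

# Character classes the post asks for: lower case, upper case, numbers, special.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)


def generate_password(length=14):
    """Return a random password containing at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from every class")
    # One guaranteed character per class, the rest drawn from the whole alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def check_password(password, personal_terms=(), min_length=12):
    """Return a list of policy problems; an empty list means the password passes.

    personal_terms is the caller's own list of what the post says not to use
    (family, friend and pet names, favourite teams, singers, actors).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, cls in (("lower case", LOWER), ("upper case", UPPER),
                      ("number", DIGITS), ("special character", SPECIAL)):
        if not any(ch in cls for ch in password):
            problems.append(f"no {name}")
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    # Birthdate-style years and SSN/SIN-like nine-digit runs.
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains a four-digit year")
    if re.search(r"\d{9}", password):
        problems.append("contains a nine-digit run (SSN/SIN-like)")
    return problems


if __name__ == "__main__":
    candidate = generate_password(16)
    print(candidate, check_password(candidate))
    # Constructed example of what the post warns against: a pet name plus a birth year.
    print(check_password("Fido1985!", personal_terms=["Fido"]))
```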

Secure Network Practices: Regardless of what is being transported on the internal network, some form of network security should be utilized. Since most home environments today use wireless, this should be easy to do. Products like the Linksys WRT54G Wireless-G Router can be used to create a secure local environment. I’ve used this particular brand for the last four years with great success. You can use it to ensure that any connections are protected, at least, by WEP. Again, you can use the password generator to create new passphrases to generate a good key.

Updates: It’s not just Windows that needs updates but also your applications, anti-virus programs and spyware detection programs. Keeping these up-to-date can help address those new viruses that are and will be released. When you do your scans, put your system into safe mode and do the scan in that mode. If you run these scans when the system is fully running, it will slow down the progress of the scan, and some trojans/viruses will hide when the full kernel is loaded.

This is a good enough start but there is more to do and I will be adding those thoughts and ideas over the next few days and weeks. If there is an area of specific interest, let me know.

ARTICLE: Ten Back to School Security Tips for Administrators

With the start of school around the corner, many IT administrators have to prep their environments for the hordes of students that will insist on downloading the entirety of the Internet. Interestingly enough, our employees sometimes feel that they should do the same.

While they may not necessarily be visiting unsavory sites, they are likely to visit a variety of other sites that will distract them from their learning or job responsibilities. So what are the things that should be done in preparation for the start of the school year (many at little-to-no-cost), whether at the school or in the work environment?

1. Educate your users. This cannot be stressed enough. Even if the site is about flower arrangements, it may be enough to distract users and eat up precious resources. This means users should be reminded that the computer and the network that it uses are the property of the company or the school and should only be used explicitly for reasons related to that organization.

2. Remind users that all things may be public. Whether it’s their activities and where they surf, emails or IMs they send or receive, it is all fair game and that there is no expectation of privacy. Additionally, public social networking sites can be used to connect with colleagues outside of work but common sense about what can be posted on those sites should be used.

3. Ensure that there are firewalls in place not only to protect the corporate environment from attack (outside in) but also firewall rules to limit what exits your network (inside out). It may be an innocuous gaming site but there could be malicious scripts on it that piggyback on connections.

4. Anti-virus and malware detection tools are still tools that should be incorporated into any standard educational or corporate environment. Just because we haven’t heard of the latest attacks doesn’t mean that they don’t exist. New attacks are occurring and new attack vectors are being used. Take, for example, Facebook applications, which often grab as much info about a user from their cookies as they can, and there is no mechanism to check whether they grab other cookies as well.

5. Take the stance of “less is more” on user environments. In addition to firewalls, anti-virus and malware detection tools, the actual desktop should be hardened. NIST/NSA still provides free hardening guides on the majority of systems. Remove what is unnecessary and only add the minimum of what is needed. If a user needs more, they will ask.

6. For those users that are mobile or heavily connected (the Blackberry crowd), invest in some simple laptop locks, Blackberry protective cases (like those from Otter) or other mechanisms. The Otter, I found, is great for klutzes like me at protecting my Blackberry when I drop it. You can use Roblock to track down lost or stolen Blackberries.

7. Take an inventory. It’s amazing how many companies let their laptops, Blackberries and other devices become property of individual employees. Asset tags and a simple asset tag database can work wonders. It’s important to keep track of those items as lost or wayward devices can add up to additional costs for a company. MyAssetTag.com may be a good site to visit to get such tags and they even have some for PDA/Smartphones.

8. Laptops and desktop LCDs should, by default, come with security screen filters. Laptops in particular should be outfitted with these. With researchers and executives on the road, it’s important to ensure that wandering eyes don’t steal proprietary intellectual property. Whenever a new laptop is issued, it should come with a decent security filter. (3M makes an excellent line of these). With a bit of searching you can find some privacy screen filters for Blackberries and other such devices.

9. VPN tokens and the usage of VPN in general for all communications can help ensure that all sessions are protected. This may seem odd for a school to use but when an organization like Blizzard introduces it to improve security on its popular World of Warcraft online game, it’s definitely time to have it as a regular part of school or large organizational life. At $6.50 each, this is a cheap option to ensure that a person is a legitimate member of the community they are supposed to be a part of.

10. Weekly notifications of viruses and ideas to protect the company. The more informed an end-user is, the better it is for your organization. These don’t have to be in-depth but it may be enough that when a user uses their home computer to access work (since many companies are trying to employ telecommuting or 4-day work week options to save money) they protect those machines as well.

Oh, look. We’ve ended back at education again.

More importantly, turn these into good habits and standardized processes. When you close the door to security threats, you get more done faster.

And that means less homework for everyone.

ARTICLE: Adding Voltage for Secure Databases

When I moved to the US to return to teaching, I knew that things worked a little differently here. One of the things that surprised me was how often I was asked for my Social Security Number (SSN in the US; SIN in Canada). It wasn’t that hard to get one but it seems near impossible to keep secret.

Everyone – and I mean EVERYONE – wants it for one thing or another. How is an individual to keep it secret when everyone wants it? And if it’s hard for me, what about companies that have to store it in their credit card databases?

Most companies use a variety of methods that piece things together in hopes that what needs to remain secret does. And when it came to actually protecting the data itself, often a restructuring of the database environment is necessary. This means higher costs, more downtime, more potential for error as systems are transferred over and just general headaches for administrators.

Why can’t you encrypt the data without having to change the environment? We would no longer have to force the square block into the round hole. We can, instead, transform the square block so that it’s a round peg, but still contains square data – just encrypted.

Voltage has introduced FPE, or Format Preserving Encryption. Simply put, it encrypts the data in the same length and character type as the original data. This means a database doesn’t need to be recreated to account for encrypted data, and that makes it easier to incorporate into existing systems, even legacy systems.
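As an added illustration of the principle (not Voltage’s product or a standardised FPE mode), here is a small Feistel-style cipher over digit strings: the ciphertext has the same length and digit layout as the plaintext, so an SSN column defined as eleven characters still fits. The key, tweak labels and sample values are constructed for this example, and HMAC-SHA256 stands in for the AES-based round function a real FPE mode uses.

```python
import hashlib
import hmac

DEC = "0123456789"
ROUNDS = 10  # Feistel rounds; a demo value, more rounds cost more per call


def _round_fn(key, tweak, rnd, other_half, width):
    """Pseudo-random function for one round: HMAC-SHA256 over the tweak, the
    round number and the other half, reduced to `width` decimal digits.
    (A standards-based FPE mode would use an AES-based PRF here.)"""
    msg = tweak + bytes([rnd]) + other_half.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def _feistel(key, tweak, digits, encrypt):
    """Encrypt or decrypt a string of decimal digits to one of the same length."""
    if len(digits) < 2 or not set(digits) <= set(DEC):
        raise ValueError("need at least two decimal digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)
    for i in order:
        m = u if i % 2 == 0 else v          # width of the half modified in round i
        if encrypt:
            c = (int(a) + _round_fn(key, tweak, i, b, m)) % (10 ** m)
            a, b = b, str(c).zfill(m)
        else:
            c, b = b, a                      # undo the swap done by the encrypt round
            a = str((int(c) - _round_fn(key, tweak, i, b, m)) % (10 ** m)).zfill(m)
    return a + b


def _map_digits(key, value, tweak, encrypt):
    """Apply the cipher to the digits of value only; dashes, spaces and other
    separators stay where they are, so the output keeps the same length and layout."""
    digits = "".join(ch for ch in value if ch in DEC)
    out = iter(_feistel(key, tweak, digits, encrypt))
    return "".join(next(out) if ch in DEC else ch for ch in value)


def fpe_encrypt(key, value, tweak=b""):
    """Format-preserving encryption of the digits in value (key and tweak are bytes)."""
    return _map_digits(key, value, tweak, True)


def fpe_decrypt(key, value, tweak=b""):
    """Inverse of fpe_encrypt with the same key and tweak."""
    return _map_digits(key, value, tweak, False)


if __name__ == "__main__":
    KEY = b"constructed demo key - use a randomly generated key in practice"
    ssn = "123-45-6789"  # constructed sample, not a real SSN
    protected = fpe_encrypt(KEY, ssn, tweak=b"ssn")
    print(ssn, "->", protected, "->", fpe_decrypt(KEY, protected, tweak=b"ssn"))
```

The tweak binds a ciphertext to its column (here "ssn" or "pan"), so the same digits stored in two columns encrypt differently.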

Another plus is platform independence. And the ability to be called into a script or via command-line is a big plus in my book.

When you look at the alternatives, you really do realize that this is the way to go. Let’s consider our other options.

First, you could encrypt the whole database. Oh joy. Performance-wise, this ought to be fun when it comes to adding data regularly. As an administrator the last thing I want to deal with is a slow database. Because that means users get to call me when I’d rather be out playing WoW or golf or something else.

A second option is to encrypt at the column level, but this requires specific database types, removes separation of duty options and limits the amount of security in applications. This means I have to spend for a specific database type, not all my applications will be protected and I still get calls. Not a good thing. I really don’t like being limited to the database type I can have, not when I’m in a recession and trying to save money by using my legacy database as long as possible.

For a third option, I can encrypt from the application level down, but I have to plan for that first before implementing it because it means the database has to be designed for it. That’s great out of the starting gate, but what about those older applications with hundreds of gigs of data and a database schema I’m happy with? Planned downtime with a permanent coffee IV? I don’t think so.

And that is no better than doing a “look-aside” database where critical info is kept in an encrypted database that’s referenced by a key. We’d still have to re-engineer everything to account for it and take a performance hit while waiting for a search to return the encrypted data in an unencrypted format.

Why would I go through any of these when I can use my existing database and encrypt the data so it’s the same length and format as the clear-text version of the data? I save myself so much time and effort that I can use doing other things.

With FPE (aka Voltage’s SecureData), we can avoid many of the above issues, plus: no need to hire experts; no lengthy install/integration into existing systems; can use existing legacy databases; can keep full separation of duties; very little overhead to existing queries (batch queries might experience a small performance hit). And, if you’re inclined, you can create your own applications that tie into the existing toolkit (using Java or C code).

To further bolster this, FPE employs AES256, meaning that data can meet the rigorous encryption standards that are required for many applications and environments. And since we don’t have to redo our databases, FPE can scale well as a company grows over time.

“Per infrastructure” pricing starts at $35,000, according to the company.

This is all great stuff. The one downside is the inability to deal with things like audio and jpegs. But that’s OK in general. Most critical data is text based, representing the majority of what we want to protect (e.g., credit card numbers, SSNs).

I think that if I knew more organizations were using this to protect my SSN, I would not be as concerned about being asked for it so often.

ARTICLE: The Stewards of Online Reputation

Reputation.

We all base so many interactions on it, both personal and professional, but it remains an elusive concept for some. After all, what does it matter what others think about you, right?

People always make assumptions about others that are based on ignorance or rumor. Often, these can be dispelled, but when it comes to businesses, the same can’t be said.

The reputation that businesses often try to build and maintain can easily be damaged if they are associated with an attack against a third party, or worse, a competitor. So the challenge becomes, what if some other entity pretends to be me in the form of phishing or other kinds of activities rooted in malware? What if it’s used against a competitor and makes my company look like we’ve done something malicious? How can a company ensure that its reputation is sound in an environment where anyone can be anybody?

As many of you know, one of my biggest pet peeves is the sheer amount of phishing emails and spam today. We shouldn’t have to rely on perimeter security to address this. And how nice it would be to identify this stuff before it even reaches that perimeter?

Recently, Dr. Phyllis Schneck, Vice President of Research Integration for Secure Computing Corporation, walked me through the TrustedSource Portal and the entire TrustedSource concept. It was developed, in part, to help enterprises protect their reputation.

When companies earn reputations as being security risks or locations where bad emails originate, it can hurt business prospects in the long run. How can other companies and individuals be sure that emails are from the true source and can be trusted? Even more so, what about emails from unknown sources?

This is where the TrustedSource Portal comes into play.

How It Works

Imagine a credit score for an entire company, but instead of judging its financial smarts, TrustedSource offers a glimpse at its approach to online security.

In essence, the TrustedSource project gathers information from over 7,000 sensors in 68 countries (these results are from more than 110 billion messages per month and millions of URLs, tracked by the TrustedSource Portal). With this amount of data, it can help validate a company’s reputation online and prove whether they are trustworthy or not, as well as help companies keep their good reputations intact.

They can also learn whether they have potential avenues that can be used against them or others and then address those. And thanks to over 5 years of data collection, they are able to predict potential attacks and their sources. Criminals, it turns out, are often habitual types, repeating the same kinds of attacks from different locales.

One of the cornerstones of TrustedSource is its focused attention on security and reputation on the Internet as a whole. When we gain the ability to identify known, trusted sources versus malicious or criminal hotspots, then we can protect ourselves better.

Consider this: if an employee uses a Blackberry or other mobile device, they may have an avenue into the corporate environment that bypasses simple perimeter security. As a result, they end up spamming both internal and external sources. But if the network appliances are tied to the TrustedSource portal, then they can detect the potential flood and stop it from worsening a situation that could ding a company’s reputation.

I like that companies are stepping up to the plate to finally address the concern over outside forces affecting the bottom line and the overwhelming amount of spam and other questionable content that chokes mail servers and inboxes. To have to deal with spam rates of over 90 percent (depending to whom you talk) isn’t acceptable. With TrustedSource I can at least verify where the email has come from and the likelihood of it originating from a valid and trustworthy source.

As an experiment I decided to check out Antionline.com and EnterpriseITPlanet.com as well as my personal site, http://www.msmittens.com at http://www.trustedsource.org. All these sites came back as neutral (meaning there were no bad messages nor known good activity from these sites – they just exist). Checking http://www.microsoft.com did earn a “Trusted” rating which means that anything that comes from Microsoft in the form of messages or emails should be trusted as being from that source.

And we’re not just talking domains here. It actually lists the IP addresses associated with that domain so I can further break it down as needed. I can check that the IP address is, in fact, a match.

Looking at an address like 65.78.169.170 (a known Storm-infected site as of this writing), we see it listed as malicious. Looking under Threats and Trends we can see where questionable activity is occurring and block those sites from affecting our networks—well before the perimeter if we want to.

Even if you don’t have TrustedSource appliances you can still take a look into the individual company search to see if they are trustworthy, or as an individual, use the toolbar option in Outlook to see if emails come from trusted sources. It’s very quick at identifying untrustworthy sources and that means that you can easily eliminate potential espionage or criminal activities before they even enter your environment.

The fact that TrustedSource can be and has been used as a way of limiting the effects of online organized crime means that we can reduce the viability and profitability of phishers and malware pushers.

In the end it comes down to this: Can I trust you? And how do I know I can trust you online when I’m not sure who you are? TrustedSource gives me a place to check and verify that your source is a trustworthy source.

Have you earned a reputation that I should be worried about?

ARTICLE: Smartphones: Pocketable Endpoints or Network Backdoor?

In today’s corporate environment, very few people are without some kind of cell phone. And many phones have more functions and options than the average user needs. For better or worse, they are a ubiquitous part of life, and for many, they are simply indispensable.

As a result these are becoming the backdoor into corporate networks.

Backdoors, in this context, describe non-obvious devices and technologies that can interface with a network and pry open an attack vector that most security mechanisms don’t account for. For example, unauthorized wireless access points can be considered backdoors. Software backdoors — and the paranoia surrounding them — are a topic for another site.

This whole article came about when a friend asked about what items he should put on his new smartphone to protect his small business. It occurred to me that his scenario may not be all that unique. And, on a larger scale, corporations may be overlooking a glaring backdoor in their network security.

So what are the risks?

Many of the ones that we see for wireless and Bluetooth as well as existing desktop OS risks are the same ones that can affect phones. Many phones today are being bundled with Windows Mobile, Microsoft’s PDA/cell phone OS. This OS allows for greater interoperability with standard Windows applications and allows users to feel comfortable since they are already used to Windows on their desktop.

So, unsurprisingly, there exists malware and viruses for these tiny computers. Take a look at yours. Where’s the firewall to protect against intruders? No? What about encryption to protect those passwords you use to access email or your voice-mail? No? What about anti-virus and spyware detection? No?

It is becoming evident that as part of the cell phone package, providers may need to include these items, particularly for their corporate customers. There are a few ways infection can occur. The first is the standard and most obvious one: get the user to download something, preferably something they want. Say, for instance, a free Texas Hold ‘em Poker or Sudoku game for the phone.

Or perhaps something that “promises” ways to get more messages to and from friends. Whatever the program, it’s enticing; it’s important; it’s “needed”. Once the program is downloaded and run, the malware is launched.

This, in case you haven’t already noticed, is very similar to what happens in the desktop world.

An additional factor is ever-present, never-dying spam.

It is easier to fill a cell phone mailbox with spam than it is a modern computer. And yet, we have no filters for this. I personally experienced a mini-flood done by my personal cell phone provider when their email server began sending out things in triplicate.

It can be frustrating since there is no header info, no filter options for MMS and no mouse to easily select a bunch and just delete. While reports of this are sporadic, it will, undoubtedly, climb since it’s not hard to generate phone lists.

The other two methods include MMS messages with attachments and the Bluetooth option.

The MMS option works very similarly to that of email: double-click on the attachment and the virus/malware launches. The one that is most interesting is the use of Bluetooth as a vector of attack. Similar to wireless, Bluetooth is often used in cell phones and PCs, and used to allow communication between phones and PCs. If the phone is in discoverable mode (that is, it’s attempting to find a Bluetooth device nearby), then an attacker can connect and inject.

Find Me

The challenge is finding devices in discoverable mode. An application like Blooover II makes finding discoverable phones easier. Blooover is one of a few tools out there; others include Super Bluetooth Hack, BlueTest, BTCrack, T-Bear, Bluesnarfer and many others.

A simple search for “Bluetooth hack” will generate enough results to keep someone busy for a little while (most of these will require installation on a phone with Java ME to work). The biggest impact made by these tools, like their predecessors in the wired world such as ettercap, is that they make it easier to get into systems with little to no knowledge.

In essence, these tools allow for an attacker to sniff a Bluetooth stream for info or to inject nastiness.

In addition, they can also find Bluetooth devices that are discoverable and, if encryption is used, crack it. Of course, for any of these attacks to prove successful, proximity is critical (10m/30ft but some devices have a range of roughly 100m/300ft). But when the financial institutions of the world are close to each other and everyone goes for lunch to the same deli or sushi place, it shouldn’t be too hard to do.

With all these threats are there steps that can be taken at the enterprise level to address this? You could invest in existing technologies that address cell phone issues such as McAfee’s Total Protection or Sophos Endpoint Security and Control. But in addition to this, education remains the primary method of addressing cell phone security. Users should be reminded of the following:

  • Work cell phones are corporate property. No unauthorized applications should be installed.
  • Personal cell phones should be disabled at work and/or the Bluetooth discoverable feature disabled.
  • Bluetooth discoverable should only be used with encryption and only for specific devices (that is, set the discovery for manual pick up rather than automatic).
  • Set a boot password and a main phone password. This helps secure the phone even when lost.
  • Remind users that work phones are NOT to be unlocked (this avoids someone bypassing security measures that may be tied to a SIM).

Even though Cabir, the first mobile phone virus, is a toddler of sorts now that it’s 4 years old, it’s not the last virus or malware attack we’ll see for the mobile. The rest are just over the horizon.

Are you ready?

IT Belt Tightening? Don’t Let Security Suffer

So as the year trudges forward and the ominous threat of recession looms, thoughts of implementing and enhancing security seem moot. As often happens, security is viewed as a cost center, even more so during times of financial belt tightening.

But is now really the time?

This is the time to implement security or add those final pieces of the puzzle that have been missing from your environment. While it may seem daunting at first, corporations are continually weaving security into their environments piece by piece, particularly now that security software makers have made it easier to integrate those products.

If more money for anti-everything and security appliances just isn’t in the cards, then consider better and more consistent security practices and procedures. While it is still a cost center for a company, it is an easier one to swallow. And these practices will help save your organization from the jaws of pesky online threats no matter how little technology you have to throw at them.

What pests am I talking about? Let’s explore…

Spam = Wasted Bandwidth

Of the major security issues and annoyances that plague businesses today, one of the biggest is spam. Spam, depending on whom you ask, accounts for about 70-90 percent of all email. Regardless of the amount, it still remains an undisputed bandwidth waster. Further, this spam often includes links to questionable sites that employees may think are legitimate, and can, when clicked on or visited, inadvertently invite malware into the corporate environment.

Quite a few good tools exist to tackle spam at the end-user level, or even at the portal of a corporate network. However, there often need to be better controls at the internetwork level to prevent the wasted bandwidth.

But the sad truth is that unlike many sneakier threats to security, spam is usually easily identifiable. Seriously, how many pills does one need to enlarge various body parts?

Here is where the “it’s not my problem” mindset rears its ugly head. Since the internetworks of the Internet are shared between major ISPs, it is everyone’s problem and no one organization can convince them to work together to eliminate this. How about some cooperation then?

One thing that might help is to require consumer ISPs to freeze Internet access for those where it’s determined that someone is sending spam and/or viruses. This can help reduce or eliminate the source of most of the spam. Certainly, some providers ensure that all mail relayed to a user is checked for malware before it hits the inbox, but the effect of this has yet to be seen and may not be quantifiable for a few years.

Another challenge that remains today is the set of vast email lists that are circulating among spammers. To this day, one specific email account that I have used for over 10 years receives spam email regularly, enough for me to finally disable it for the time being to see if it will settle down the volume to a dull roar.

No Thanks for All the Phish

Related to spam is my long-standing pet peeve: phishing.

It’s interesting to note that the Anti-Phishing Workgroup has indicated a bit of leveling out in regards to phishing attack activity, although September 2007 did show a record high of 38,514 phishing emails (PDF).

Attackers are also getting a little savvier and realizing that they cannot continually assume the same major corporate identities. I do recall receiving such phishing emails for Canadian banks such as Royal Bank of Canada and Bank of Montreal — unusual since prior to that my inbox was assaulted by fake versions of WaMu, CitiGroup and an assortment of larger US banks.

ARTICLE: CSI Survey 2007, Part 3: Tech and Tribulations

When it comes to employing security technologies, firewalls and antivirus are the main variants that everyone seems to use. The key, of course, is to ensure that these are configured properly and updated regularly to account for new attack types.

VPNs and spyware detection software come in at a distant third and fourth (VPNs were added to the list just this year). Most of the technologies were at the same usage levels as last year with one glaring exception: server-based access control lists dropped from 70% to 56%. This may be due to a tendency to rely on single-sign-on (SSO) methodologies as well as other forms of authentication and access. This likely reflects the evolution in how we communicate and network between organizations. And since we’re using all this technology, we need to verify that it’s being used accurately.

Companies are investing in internal audits primarily as a method to determine whether there are problems or not. While the figures suggest less than 65% are performing such audits, it is at least being done. It’s important to recognize that doing audits of the systems can be helpful at reducing internal issues and uncovering weaknesses and vulnerabilities.

Remember that an audit (which is an evaluation of a system) is different than a penetration test (an actual planned and approved attack against a system), and for certain environments doing one of each can be helpful. Internal “pen testing” was the second most common method of evaluating security technologies. These kinds of testing, even if done by internal staff, are the additional factor in making security more robust as well as changing the nature of attacks that occur.

But in addition to technology, the individual must be trained to understand how security works and why it’s important to them. To this end, security awareness training is paramount.

I’m a firm believer that awareness training is actually one of the best forms of security you can have for an organization because it means everyone gets involved in security and you have far more eyes looking for breaches than just your own. So it is disconcerting that awareness training still is on the lower rung of importance for many companies.

Less than 20% of companies don’t have any training and an additional 35% don’t verify that their training was effective. Using anecdotal experiences or written/digital testing are not necessarily effective methods of determining the effectiveness of training. Written/digital tests are just methods of determining how well one tests or understands the questions of a test, while verbal anecdotes are based on how our minds interpret particular situations.

Verifying how often or what types of support calls or incidents occur, as well as doing social engineering testing, are more valid methods of testing the effectiveness of training. Very similar to the situational testing undertaken by various response agencies to simulate disasters, this kind of testing is as close to the real world as you can get without causing damage to the company. This also allows us to see how we react to situations and whether additional training or changing the existing training is necessary.

Awareness training is important to some but it may be targeted at specific individual types. Respondents to this year’s survey said that network security, security management and security policies were important for training. This kind of training is often done at a higher level than the average employee and there may be a gap in security as a result of this. Certainly the IT administrators and other IT staff are getting the necessary training but the bulk of the population in organizations may be missing out on something that is critical for the sake of company security.

Knowing, as they say, is half the battle. And many organizations aren’t that interested, it seems, in necessarily knowing or learning overall.

Also, it appears that they are tight lipped as well. 50% said that they do not belong to an information sharing organization. I find this rather disturbing, as sharing information about attack types and detected vulnerabilities is critical. I’ve long been an advocate of full disclosure and believe it’s even more important now as systems become even more complex than they were even 5 years ago.

While some may infer that exploits only occur when a patch is released, the reality is that exploits are constantly being created and explored. They become more numerous after patches, certainly, but creating patches can take time and if we know about the vulnerability beforehand we may be able to put in place stopgap measures that minimize the impact. This would help reduce any potential bad publicity that might occur should a system be compromised prior to a patch release.

In fact, negative publicity still likely remains the main reason as to why few companies go to law enforcement or get legal advice after an incident. The mainstream media doesn’t truly understand security and when a breach happens, they only publish the details that will attract eyeballs rather than facts that explain how to properly deal with the issue or that the company did all necessary due diligence possible.

The last portion of the survey covered the effects of Sarbanes-Oxley, or rather, the perceived effects. While most feel it has been effective, there is a large chunk — about 25% — that feels it hasn’t. While SOX was meant to encourage more of a corporate policy or adherence to security, it may not be as effective as planned. It may also be due to a lack of understanding as to why it would be helpful. This would tie into security training again, specifically non-technical training along the lines of awareness and understanding of the impact of security in general.

All public companies need to comply with SOX and the rules it sets forth help to encourage effective processes. In fact, these processes can streamline security and make it easier to detect flaws in systems.

One of the newer items was an open-ended question as to what is the major security issue that an organization will face over the next couple of years. Not surprisingly, most of the responses centered on data protection and legal issues and compliance. Without a doubt data protection is critical as is ensuring that we meet or exceed any new laws. Dealing with both of these requires non-technical solutions and more of a managerial bent. I wonder if most of the respondents to this open-ended question were from managerial positions.

As with previous years, the CSI survey is invaluable to the IT security industry at giving us a peek into how we tick. Robert Richardson and his crew do an excellent job at providing us the glimpse we need to better understand our own nature. While there are always more questions and more input we would want in the survey, without it we wouldn’t have an idea as to how security is truly viewed by those in the industry.

And as I’ve said repeatedly, knowing is half the battle.

ARTICLE: CSI Survey 2007, Part 2: Meat and Potatoes

Let's start with the good news. When it comes to the percentage of companies that experienced an attack or security incident, the number continues to decline; 46 percent versus last year's 53 percent. And while you may have noticed that there are roughly 100 fewer respondents this time around, it is not likely enough to account for the decline percentage-wise.

If one theme emerges from this year's survey, it is that the face of security is changing drastically after some hard lessons learned.

Since it's now viewed as an integral part of what it means to set up an environment, administrators and other IT professionals are becoming savvier at ensuring security on a regular basis. The weak point, as is so often the case, remains the non-IT savvy individual.

That said, one of the more disturbing revelations is the fact that the number of security incidents saw an unusual jump in the "more than 10" category, rising from 9 percent for last year to a whopping 26 percent this year. This increase means that quite a few companies were seeing "repeat business" from attacks. As to why, one can only guess as to the specifics.

Fox in the Hen House?

A few theories include internal espionage, not determining the true cause of attacks and not keeping antivirus and/or other detection tools current. Given that there was a 4 percent increase in the number of companies that thought insiders didn't account for any of their breaches, this particular aspect may be OK to eliminate. That, or insiders are getting better at covering their tracks. Additionally, the actual cost of insider attacks may not be as visible as other types since they often target intellectual property and private information such as blueprints, source code, customer databases and the like.

Nonetheless, the insider threat can't be dismissed. Some attack types are on the wane — sabotage weighed in at 4 percent — while insider abuse of Net access saw a sharp increase to 59 percent. Awareness programs are the ideal method to address this. Given the lack of training, however, it's not surprising to see this statistic rank rather high.

Website defacements, virus attacks and DoS attacks, normally the things that make news, remain relatively low on the attack scale. The survey included new categories of attacks including phishing, DNS exploitation, sniffing, bots and theft of customer/employee data.

As time progresses, the inclusion of newer attacks should help narrow down the prominence of certain attacks and the likelihood of others. I believe this will help security individuals determine where the greatest risk is for an attack or policy violation.

One of the most interesting drops was in the percentage of website incidents. Last year over 59 percent experienced 10 incidents or more against their website. This year, that number plummeted to 2 percent!

This is a major achievement. Either we're getting better at securing our websites (this would include front-end as well as back-end) or they are losing their attack appeal. While I suspect both are part of the equation, I do believe that the front-door attack is starting to go by the wayside and we're seeing more sophisticated attacks against companies via social engineering and other stealthier methods.

Additionally, these attacks were not specifically targeted, or at least not believed to be so. When asked, the majority of respondents, 67 percent, simply didn't know, compared to the 28 percent that were aware. This is a figure to continue watching as attacks become more targeted.

Your Business in the Crosshairs

Malware developers are adding specificity to their efforts, increasingly opting to strike surgically rather than employ often fruitless shotgun approaches. Comparatively, mass attacks are not as effective and do not necessarily generate a specific financial gain. Attacks are no longer motivated by "because it was there" sorts of ideals. Rather, today's attacker is more likely to think, "How much can I scam out of this?"

So how much did these attacks cost companies? Unfortunately, we saw a jump, and an interesting one at that.

Last year, 313 respondents said that attacks cost them over $52 million. This year, 194 admitted that attacks cost them over $66 million.

This would represent a substantial increase, but given that the major security infraction was due to inappropriate Web surfing, it's likely that a lot of it was tied to loss of employee productivity and phishing/bot attacks.

Yet the biggest chunk of attack costs was attributed to financial fraud. It would be interesting to see how much additional money was lost on an individual basis and study its impact on companies in terms of lost productivity due to employees dealing with personal issues.

This was also the first year that viruses or other attacks weren't at the top of the pile. In fact, last year, financial fraud only accounted for $6 million in costs. That figure ballooned to $21 million this year, earning it the top spot.

The fact that the virus was dethroned may also indicate that we're getting better at containing malware before it gets too far out of hand. Yes, we can all agree that virus infections can and will occur, but they do not have to deliver the network-debilitating effects of the I Love You virus of 2000, for example. Even so, we are nowhere near the point where we can count viruses out, and so vigilance, as always, is recommended.

Look out for Part 3 where we delve into how businesses are protecting their networks.

ARTICLE: CSI Survey 2007: Lay of the Land

Well, after waiting and waiting for it, the CSI Survey for 2007 was finally released. And after 12 years, it still fills an important role in determining the state of IT security today.

The first and most obvious change this year was the FBI's absence in the title. This doesn't indicate a lack of involvement, rather that CSI is the main research partner for this study. The integrity of the study, however, still stands.

I regularly comment on this survey since it provides a window into what is going on in the world of corporate IT security. Yet one of the biggest drawbacks of this survey is that the data comes from the mouths of the converted. That is, those that participate are part of CSI itself. Perhaps one day an enterprising firm will take on as many companies and organizations that don't belong to a security-minded club and see how they compare. I personally think it would be interesting to see what kind of impact that has on how a company operates in terms of security.

But I digress.

In typical fashion, a few items immediately raise my eyebrows. When I think back to the past year or so, I realize that things seemed rather quiet when it comes to big security issues. There have been a few minor things bubbling here and there but either the media is getting complacent; fewer companies are reporting events (to avoid bad press); or attacks are rarely occurring.

Then again, it could be a combination of all of those factors.

The survey was completed by 494 organizations, a drop from previous years, but like any survey, the number of participants can go up or down. It does represent about 10 percent of CSI's membership so it proves more than adequate. I still contend that the majority of security problems today remain somewhere in the domain of spyware and phishing. And I think some of the results are pointing to that.

First, however, let's see who is involved.

Industry sectors are more delineated than in previous years, but the percentages remain generally the same. While I still believe that there could be more, the consistency of the respondents helps to ensure the accuracy of the survey itself. New categories this year include law enforcement and military. Additionally, the company sizes still remain relatively the same.

As usual, not everyone reported revenue amounts, but that's OK. In this context, revenues only count to help determine how much is dedicated to IT spending, and specifically, IT security spending.

One of the most interesting stats revolves around "who" responded. The Chief Privacy Officer represented less than 1 percent of the respondents. The title may not be something considered necessary or may have been rolled into another title.

The most common title was Security Officer, representing 41 percent of respondents. This may reflect the notion that privacy is not something to worry about internally and is viewed as an external issue (which would be addressed by overall security). The industry should be reminded that internal corporate privacy is just as important (e.g., employee privacy) as external client/customer privacy (e.g., credit card numbers).

Second, exactly how important is security to companies as a whole?

It's interesting to note that 26 percent of all companies reported spending 3-5 percent of their IT budget on security. Compare this to only 6 percent of companies that did so in 2006. I suspect that this includes companies that previously spent 10+ percent and those that spent less than 1 percent. Therefore, it may be representative of more realistic values being placed on the cost of security. However, it is still not adequate enough, likely resulting in overworked, underpaid administrators and other staff.

As we venture further into the survey, it becomes apparent that most of the budget is likely built on tangible items like firewalls and antivirus software rather than the intangibles such as awareness training. The fact that about 48 percent of companies spend less than 1 percent of the total IT budget on awareness further supports the idea that companies are looking for the tangibles. Unfortunately, companies need to realize that the intangible security benefits last far longer than the ones you can install and configure, and have a greater impact on an organization's image and long-term security.

One unsurprising finding is that IT security isn't generally outsourced.

This is likely due to the fact that it's easier to manage security locally than remotely. This is particularly true for physical security as well as organizations that require proximity to internal customers. Most outsourcing today remains in the realm of support operations or to support 24/7 needs.

While a fair amount of IT security hasn't been outsourced in the last two years — 61 percent indicated that it's not for 2006 and 2007 — that figure may change as some security functions like log reviews and overnight monitoring of IDS are outsourced. Perhaps with the assurance of external insurance policies they would be willing to take the risk. But as it stands, this is still an area that the majority does not invest in.

Be sure to check back for Part 2 as we examine attack types and their effects on businesses.

ARTICLE: Rugged Security: MESHnet Firewall

When we talk about security here, we generally refer to corporate security and how to best implement it to protect a business. For 95 percent of companies, the standard advice applies.

But how do you deal with over 2,000 mobile users that don’t have desks, drive in armored vehicles and have to stay mindful of an attack, all the while trying to send secure communications and mission details?

Military operations often require a special kind of security that’s usually a step above that of a corporation. It also has to be one that can handle any kind of physical environment. We don’t often have to worry about -40 degree C weather, raging sand storms or artillery shells dropping from the sky. Very little of what is created for the IT industry is designed to be this tough.

Image: MESHnet Firewall

Additionally, there is often little thought to security for rough and tumble environments. Think about it. How often does your cubicle dip below freezing? Do dust storms run rampant through your datacenter?

This isn’t the standard office environment but for the military and workers in extreme environments, this is business as usual. They don’t need to sacrifice the advantages that computers and networking afford because of conflict or the challenges presented by extreme climates.

Secure Computing (http://www.securecomputing.com/) and General Dynamics Canada (http://www.gdcanada.com/) don’t think so either.

Their combined efforts have created one of the toughest firewalls on the planet: MESHnet Rugged Firewall. Its compact, conduction-cooled chassis (it can actually withstand temperatures from -40C to 55C) can run on military vehicle power. And its 15lb weight makes it portable if necessary. The best part is that it ensures security for the mobile unit with Secure Computing’s Sidewinder Firewall, all in a single unit that looks the part.

As I spoke with Rick Bracken, Project Manager at General Dynamics, and Scott Montgomery, VP of Product Management at Secure Computing, it occurred to me that we’ve heard very little about truly securing mobile units.

Today’s militaries are well beyond the trench warfare and radio communications that I remember dealing with. Signals are sent via the same kinds of networking environment that is used by the average business user. And it’s even more critical to ensure that these lines of communication remain open and secure. Unlike in the corporate world, a compromise in this environment could literally cost lives, and potentially, lose a war.

Not surprisingly, this product – initially designed for the British Ministry of Defense – conforms to the EAL4+ standard and meets MRPP (Medium Robustness Protection Profile). Installed onto the physical box is Sidewinder, which has the unique position of being the only firewall to incorporate both these standards.

I do love that this product is physically designed to meet the extreme challenges found in the kinds of environments faced by many of our troops. It can handle the rough and tumble terrain that many military vehicles face when roads are lacking. And because of its compact size, it can easily be deployed as is needed.

Even better, the firewall itself cannot be altered locally; only an administrator-level user can make changes. Additionally, unlike software-based firewalls, it displays no warnings: traffic is either allowed or it is not. You can set rules based on role, rule/policy and/or at the application level.

It features four 10/100 ports: one is internal trusting; one is external trusting; one is DMZ and the last one is dedicated to management. This creates a very straightforward, yet advanced security appliance for an organization that requires simplicity when out in the field. No need to configure or reconfigure. Just plug it into the mobile vehicle’s power, plug in the cables as needed and you’re done.

But it’s also more than just a plain old firewall.

TrustedSource global reputation services are built in. This means that based on monthly analysis of over 100 billion email messages, the firewall will learn which streams are legitimate sources of data and which ones are questionable.

Further, Sidewinder also has a built-in IPS (based on a signature service) in addition to various “antis”: anti-spam, anti-spyware, anti-virus, and anti-fraud. And you can ensure that streams going through are also checked via URL filtering and SSL decryption. Normally, this would mean 5-6 different appliances, which would limit the space in a military vehicle, even by gargantuan Hummer standards. So by incorporating it all into one single, compact chassis, the device promotes better TCO and centralized administration.

So, what does this mean for corporations? Well, for some industries that operate in rugged, environmentally challenging places and need to ensure security compliance (say, oil rigs and major construction sites) this may be the answer.

Contact General Dynamics for pricing information and more details.