May 21st, 2011
In a perfect world the idea of ubiquitously sharing and using data files from anywhere around the globe is a great idea. Some might even invent an esoteric term for it like Cloud Computing.
File hosting services definitely provide convenience to people on the go. Until they don’t, such as in the aftermath of a security breach that results in a spill of private or confidential information.
While there are currently not a plethora of horror stories about such breaches, the recent Federal Trade Commission complaint about Dropbox certainly should give any file sharing service subscriber a moment’s pause. The popular Dropbox with apparently 25 million customers is being investigated for questionable confidentiality and privacy security measures. The first few paragraphs of the complaint are as follows:
1. Dropbox has prominently advertised the security of its “cloud” backup, sync and file sharing service, which is now used by more than 25 million consumers, many of whom “rely on Dropbox to take care of their most important information.”
2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.
3. Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.
4. Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices.
5. If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud based services that do deploy industry best practices regarding encryption, protect their own data with 3rd party encryption tools, or decide against cloud based backups completely.
6. Dropbox’s misrepresentations are a Deceptive Trade Practice, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of The Federal Trade Commission Act.
Security Anomaly or Business as Usual?
So is the Dropbox security question an anomaly, or is it consistent with the level of security found in other file sharing services? According to a recent study entitled Exposing the Lack of Privacy in File Hosting Services, published by researchers from DistriNet, Katholieke Universiteit Leuven, Belgium and Institute Eurecom, Sophia Antipolis, France, the researchers investigated the privacy of 100 file hosting services and discovered that a large percentage of them generate download uniform resource identifiers (URIs) in an insecure manner, which jeopardizes the confidentiality and privacy of user data.
The file hosting services generate a unique file reference for each user document, called a uniform resource identifier (URI). The way these references are generated makes it easy for a person with malicious intent to predict what a valid URI might be and query the file sharing service to identify client names and ultimately their data.
The study identified that offending host services generate sequential numbers for URIs or generate very short identifiers that can be easily guessed by an attacker.
Upon securing a valid user URI, the researchers found that by querying a user file with a valid URI, sharing services often returned pages containing some information about the document (e.g., filename, size, and number of times it was downloaded), followed by a series of links which a user must follow to download the real file. This user information was hacker heaven, as an attacker could initially scrape the name of each file and then download only those files that looked promising.
In order to determine whether the URI vulnerability might be a real world security threat, they experimented to see if potential attackers were actually aware of the vulnerabilities. They were.
To determine whether an attacker might try to exploit the identified vulnerabilities, the researchers created honeypots composed of bogus files which they called HoneyFiles. Indeed, hackers downloaded these files and then attempted exploits on the HoneyFiles, as they contained opportunities for financial gain such as bogus PayPal accounts and credentials.
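The weakness the study describes is identifiers that are sequential or too short to resist guessing. As an added example (not code from the post or from the cited study), the following Python audits a sample of a service’s own issued download identifiers for exactly those two properties and shows how a service should generate them instead. The sample identifiers and the 64-bit keyspace threshold are constructed assumptions for illustration.

```python
"""Audit download-URI identifiers for guessability, plus a secure generator."""
import math
import secrets
import string

# Assumption for this example: a download token should have at least a 2**64
# keyspace so that blind guessing of a valid URI is impractical.
MIN_KEYSPACE_BITS = 64

# Constructed samples of the two insecure patterns the study reports.
SEQUENTIAL_SAMPLE = ["104213", "104214", "104215", "104216"]   # counter-based
SHORT_SAMPLE = ["a3f9", "k2ll", "9zqp"]                         # random but 4 chars


def alphabet_size(identifiers):
    """Size of the smallest standard character class that covers every
    character seen in the sample (digits, hex, base36, base62, url-safe base64)."""
    chars = set("".join(identifiers))
    classes = [
        (set(string.digits), 10),
        (set("0123456789abcdef"), 16),
        (set(string.ascii_lowercase + string.digits), 36),
        (set(string.ascii_letters + string.digits), 62),
        (set(string.ascii_letters + string.digits + "-_"), 64),
    ]
    for members, size in classes:
        if chars <= members:
            return size
    return len(chars)


def is_sequential(identifiers):
    """True when every identifier is an integer and consecutive identifiers
    differ by one constant step: the counter pattern the study found."""
    try:
        values = [int(i) for i in identifiers]
    except ValueError:
        return False
    if len(values) < 2:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1


def audit_identifiers(identifiers):
    """Summarise why a sample of identifiers is, or is not, guessable.

    keyspace_bits = shortest_length * log2(alphabet_size); a service that
    issues 6-digit numbers has under 20 bits of keyspace even if the numbers
    were random, and a counter makes the keyspace irrelevant altogether."""
    bits = min(len(i) for i in identifiers) * math.log2(alphabet_size(identifiers))
    sequential = is_sequential(identifiers)
    return {
        "sequential": sequential,
        "keyspace_bits": round(bits, 1),
        "guessable": sequential or bits < MIN_KEYSPACE_BITS,
    }


def new_download_id(nbytes=16):
    """Generate an unpredictable identifier from the OS CSPRNG: 16 random
    bytes give a 128-bit keyspace, so valid URIs cannot be enumerated."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for label, sample in (("sequential", SEQUENTIAL_SAMPLE), ("short", SHORT_SAMPLE)):
        print(label, audit_identifiers(sample))
    secure = [new_download_id() for _ in range(5)]
    print("secure", audit_identifiers(secure))
```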
This article deals with security concerns about relatively unsophisticated, commodity file sharing services. The next logical question is: Are high profile commercial grade cloud computing services doing a sufficient job with their security?
Have a secure week. Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng) www.ere-security.ca
Tags: cloud computing security, FHS security, file sharing services security Posted in Security Postings | 2 Comments »
April 14th, 2011
Last week I discussed Data Loss Prevention as a solution in search of a problem. This week I’ll reduce the level of flippancy and review in more detail the deliverables of DLP solutions and some DLP vendors.
Data leakage prevention technology tackles both data at rest, residing within a network and specifically on disk storage, and data in motion during telecommunications sessions.
Vendors of these technologies vary in what elements of the problem they wish to tackle. Some try to solve all possible problems.
So let’s start with data at rest. Typically a vendor will create a crawler program to comb through files looking for data that matches filters. The client identifies which files are in scope and often has input into the filter configurations.
Filters can be set to look for specific data content such as SIN numbers and credit card numbers. They can be tuned to look for breaches in corporate policy, such as identifying profanities, client names within certain types of files, or image files (which may contain hidden malicious code or pornography).
Some tools are designed to identify data content threats within databases, such as sensitive data residing in areas with too low a security classification.
While some technology is designed to simply alert on DLP vulnerabilities within data at rest, others are more pro-active and can block transfer of data deemed sensitive and can similarly lock offending files.
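As an added example of the data-at-rest crawler just described (not any vendor’s product), the following Python walks a client-defined scope of files and applies two content filters from the post: credit card numbers and Canadian SIN numbers. Both use a regular expression to find candidates and the Luhn checksum to discard false positives; the sample files, the in-scope extensions and the test numbers are constructed for this example.

```python
"""Minimal data-at-rest DLP crawler with content filters and validators."""
import os
import re
import tempfile

# Candidate patterns: 13-16 digits (cards) or 3-3-3 digits (SIN), with
# optional space or dash separators between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def luhn_ok(digits):
    """Luhn checksum; payment card numbers and Canadian SINs both carry one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Each filter: name, candidate regex, validator over the digit string.
FILTERS = [
    ("credit_card", CARD_RE, lambda d: 13 <= len(d) <= 16 and luhn_ok(d)),
    ("sin", SIN_RE, lambda d: len(d) == 9 and luhn_ok(d)),
]


def scan_text(text):
    """Apply every filter to one file's content; return (filter, digits) hits."""
    hits = []
    for name, pattern, valid in FILTERS:
        for match in pattern.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if valid(digits):
                hits.append((name, digits))
    return hits


def crawl(root, extensions=(".txt", ".csv", ".log")):
    """Walk the in-scope tree and map each matching file to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue   # unreadable files are skipped, not reported
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree():
    """Constructed scope: a clean file (13 digits failing Luhn), a file with
    the standard Luhn-valid test card number, and a SIN-shaped number."""
    root = tempfile.mkdtemp(prefix="dlp_demo_")
    samples = {
        "notes.txt": "Quarterly planning, nothing sensitive. Order 1234567890123 pending.",
        "orders.csv": "id,card\n17,4111 1111 1111 1111\n",
        "hr/staff.log": "employee 046 454 286 onboarded",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, hits in crawl(build_sample_tree()).items():
        print(path, hits)
```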
Data in Motion
Monitoring and blocking of sensitive data can take on all forms. Some products log sensitive data moving both in and out of an organization. Others identify and classify data by security level and can pro-actively block it according to client-determined policy, including whether or not the data is sufficiently encrypted.
Some tools have a fairly narrow scope of telecom vectors they monitor, while others can encompass email, instant messaging, file transfer protocols, exporting to external storage, movement to network endpoints such as Wi-Fi, Bluetooth, and FireWire, and so on. Similarly you can choose technology to monitor a wide variety of internal communication vectors, such as printing to internal printers, screen captures, burning to USB and hard drive devices, and moving data to removable storage devices.
The world of risk signatures for data on the move has grown from anti-virus and anti-spam to include cloud computing threat signatures.
To Connect or to Not Connect
This article would be incomplete without mentioning a class of inspection software that has been around for years which validates any workstation requesting connectivity to a corporate network.
It examines compliance with a corporate defined security standard. Example criteria include an appropriate version of anti-virus running, the status of patch updates, the identification of any applications that violate policy, and identifying other communications channels that may be active while the device is connected to the corporate network.
Data Leak Prevention Vendors
Vendors are easily found using keywords such as “data leak prevention”, “data loss prevention” and “data loss prevention companies.” A search on “DLP” leads you into the world of projectors.
Below are a few of the mainstream vendors, some of whose products I’ve found to be most useful.
• WebSense Data Loss Prevention
• Sophos Data Loss Prevention
• RSA Data Loss Prevention Suite
• Safend Data Protection
• Symantec Data Loss Prevention
• Barracuda Web Filter
• McAfee Network DLP Manager
Have a secure week. Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng) www.ere-security.ca
Tags: data leak prevention, data leak prevention vendors, Data loss prevention, DLP Posted in Security Postings | 1 Comment »
April 6th, 2011
Data loss prevention technology sounds like a no-brainer from the get-go. DLP technology tells us when confidential data is in danger of compromise or when users’ behaviour may lead to the threat of compromise.
Pro-active DLP products stop potentially threatening situations from developing and, if they do occur, block, encrypt, and suggest reconfigurations on the fly. The more comprehensive enterprise versions of DLP are highly integrated, with many of the above features and more all packed into one product.
So why am I questioning the validity of DLP? I question the return on investment of the total cost of ownership and management of the technology. There are several issues that in my opinion need to be examined:
1. What are the specific business problems that need to be addressed?
2. Are they being addressed by other overlapping technologies currently deployed?
3. Are compliance and IT security managers directed to manage specific control points other than DLP by auditors or by regulatory mandates? If “yes” then DLP challenges become secondary priorities, if indeed priorities at all.
4. Can a more cost effective solution, such as consistent, uniform enforcement of security policy, be a candidate solution?
DLP Technologies are indeed Impressive but Not New
I remember in the mid 90’s an Israeli software package that did web browsing monitoring, outbound email filtering, alerting on pre-defined email content, and identifying and reporting on user traffic by service type.
So that tells us that DLP is really a new branding strategy for technology that has existed for quite a while. This mid 90’s technology did not need agents; it could monitor an enterprise; its reports were easily understood and pointed to clear calls to action. The user interface was… OK.
There have been products on the market that compile inventory lists of devices connected to a network, including peripherals on workstations. Some will even evaluate workstations that request connectivity to the corporate network and will block connectivity unless they pass a predetermined compliance list with regard to patch compliance, peripherals attached, and communications capabilities.
The difference with the new DLP technology is the degree of integration of multiple capabilities within one product offering. For instance one product may be comprised of any number of:
• Anti-virus
• Anti-spam
• Web browsing monitoring
• Identification of threatening URLs
• Identification of sensitive data and data files at rest
• Blocking access to sensitive data and data files according to access privileges
• Identification and/or blocking of restricted communication technology: Wi-Fi, infrared, Bluetooth
• Identification and/or blocking of restricted input / output technology: USB memory, DVD, FireWire, external disks and tapes, printers
• Identifying sensitive data in motion within email, IM, file transfers
I wholeheartedly agree that these are all laudable, excellent features.
Where’s the ROI?
The return on investment of deploying DLP depends upon a risk analysis as the basis for determining what needs to be protected and at what cost. DLP may not come out on the winning side of a risk analysis if a corporation’s auditors or compliance group determine that other priorities take precedence.
For instance, as part of SOX compliance, an organization may be forced to implement critical asset identification and strict access control over those critical assets. We know that specific files and types of data will be considered critical assets.
So the organization should implement as part of their access control strategy at least a rudimentary version of:
• A strictly managed user identification / authentication / privilege management / credential management policy with enforcing technology.
• File access restricted by a user privilege table or by a more elegant set of document classifications and user privilege levels.
• Creation and strict enforcement of an IT security policy, with uniform and regular enforcement which means meting out disciplinary sanctions that are clearly identified in the policy.
It is assumed they will also deploy the absolute basics in countermeasures and monitoring such as anti-spam, anti-virus, URL filtering including identification of potentially malicious URLs, event log monitoring for critical assets, and monitoring of the IT security infrastructure.
To determine if a DLP solution should be considered as an alternative in the SOX compliance situation above, the costs of all the above then need to be compared with the total lifecycle cost of ownership and management of a separate DLP solution.
I’ve run out of time and space, so next week I’ll discuss in more detail deliverables of DLP solutions and some DLP vendors.
Have a secure week. Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng) www.ere-security.ca
Tags: data loss, Data loss prevention, DLP Posted in Security Postings | No Comments »
March 31st, 2011
A few weeks ago I wrote about the anticipated positive aspects of NERC CIP 011. I received comments and questions about timing of approval and implementation, as well as a request to briefly clarify the intent of the current standards. So here goes.
Approval Status of CIP Version 4 Standards
NERC CIP 011 was approved by the NERC Board of Trustees on January 24, 2011, and is now collectively called CIP Version 4 standards; CIP 002-4 through CIP-009-4. My understanding is the standards have been recently filed with FERC for approval for the US, and they have similarly been filed for approval with a variety of Canadian provincial authorities for consideration.
Once approved, CIP Version 4 standards will completely replace the current CIP standards.
To assist those wishing to receive first hand updates on CIP developments directly from the NERC site, I’m providing a navigation guide to get you directly to where you need to go:
1. NERC CIP home page: www.nerc.com
2. In the top blue banner, click “Standards”
3. In the drop-down menu, click “Standards under development”.
4. In the search box in the upper right, search for “CIP”.
5. Select “CIP 011-1”
6. Click on “Project 2008-6- Cyber Security – Phase II Standards” (Jan 31, 2011)
7. This page shows you the current status of approval and you can review each standard during its various versions of iteration.
Summary of Current NERC CIP Standards
The current standards can be reviewed on the NERC site by clicking “Standards” in the top blue banner, and then “Reliability Standards” and then finally click Critical Infrastructure Protection (CIP) or just click: http://www.nerc.com/page.php?cid=2|20
As they now stand, here’s what they mean:
- CIP 001-1a Sabotage Detection
Identify and report on anomalous activities. Triage to determine if they constitute possible sabotage and report accordingly.
- CIP 002-3 and 002-4 Critical Cyber Asset Identification
Identify key cyber assets, including hardware, software, and processes, with the use of a risk analysis. The NIST risk analysis methodology is described in an accompanying document. http://www.nerc.com/fileUploads/File/Standards/Critcal_Asset_Identification_2009Nov19.pdf
- CIP 003-3 Security Management Controls
Implement control points for the critical assets identified in CIP 002. In my opinion this standard is not sufficiently prescriptive, but version 4 will add immensely.
- CIP 004-3 Personnel and Training
Training employees on how to comply with physical security access controls as well as IT security awareness training.
- CIP 005-2a, 005-3, and 005-4 Electronic Security Perimeter(s)
Just like it sounds for IT perimeter security, but overlaying the standard on some of the other standards. Again in my opinion this standard is insufficient in specific security controls: deterrent, preventative, detective, corrective, recovery, and compensating. I’m looking forward to Version 4!
- CIP 006-3c and 006-4 Physical Security of Critical Cyber Assets
Ditto for CIP 005 but for physical security.
- CIP 007-3 and 007-4 Systems Security Management
This is the compliance piece; monitoring, testing, gap analysis, for logical (technical), physical, and policy control points. It includes having test or audit plans and actually implementing the plans.
- CIP 008-3 Incident Reporting and Response Planning
This standard identifies compliance requirements for incident reporting plans for other CIP standards, but does not really identify how to create and test a process for incident monitoring / analysis and triage / reporting.
- CIP 009-3 and 009-4 Recovery Plans for Critical Cyber Assets
Ditto for CIP 008-3 but for DRP.
- CIP 010-1 BES Cyber System Categorization (in draft)
This is a superset of CIP 002 cyber asset identification, to include the systems to which cyber assets belong. This is more in-line with classic IT security as a compromised system can provide an attack vector to one of its subsystems.
Have a secure week. Ron Lepofsky CISSP, CISM, BA. SC. (mechanical) www.ere-security.ca
Tags: CIP 011, CIP version 4, NERC CIP 011, NERC CIP version 4 Posted in Security Postings | No Comments »
March 22nd, 2011
Last blog I ran out of time and space. This blog covers how FIM works and where to search for vendors that provide related tools.
Here’s how File Integrity Monitoring works. The files of interest are scanned initially to create a baseline. Then, each time the file is scanned again, according to any period of time you wish to specify, the current configuration is compared against the original. Any changes detected to the file are logged and included in reports.
The results of a file scan are stored as a hash value, produced by a one-way function that is also used for verifying other data too important to be stored in the clear, such as user credentials. The hash value of a rescanned file is compared with the hash value of the initial scan, and if a difference appears, then a change was made.
Vendors of FIM tools differ in the granularity of their reporting according to how granularly they decide to store subsets of data within a file. For instance some vendors will test and report upon changes to access permissions on a file, and on details of what has been changed within a specific permission.
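As an added example of the baseline-and-rescan cycle just described (not any vendor’s tool), the following Python snapshots every file under a directory, stores the baseline as JSON, rescans, and reports additions, removals and per-attribute changes. Beyond the content hash it records the size, permission bits, owner and modification time, so a permission change shows up even when the content hash is unchanged; the directory tree and the tampering scenario are constructed in a temporary directory.

```python
"""File integrity monitoring in miniature: baseline, rescan, compare."""
import hashlib
import json
import os
import stat
import tempfile


def snapshot_file(path):
    """Record the attributes a FIM tool compares for one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),   # e.g. "-rwxr-xr-x"
        "uid": st.st_uid,
        "mtime": int(st.st_mtime),
    }


def baseline(root):
    """Scan every regular file under root, keyed by path relative to root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                snap[rel] = snapshot_file(path)
    return snap


def save_baseline(snap, path):
    """Persist the baseline; in practice this store must itself be protected."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(old, new):
    """Diff two snapshots: added and removed paths, and for paths present in
    both, a map of attribute -> (old value, new value) for what changed."""
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {},
    }
    for rel in set(old) & set(new):
        diffs = {k: (old[rel][k], new[rel][k])
                 for k in old[rel] if old[rel][k] != new[rel][k]}
        if diffs:
            report["changed"][rel] = diffs
    return report


def demo():
    """Constructed scenario: between two scans a config file is edited, a
    binary's permissions are loosened, a file appears and another is deleted."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    for rel, data in {"etc/app.conf": b"debug=false\n",
                      "etc/old.conf": b"x=1\n",
                      "bin/server": b"\x7fELF stand-in"}.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(root, "bin/server"), 0o755)
    save_baseline(baseline(root), os.path.join(root, "baseline.json"))
    # Tampering after the baseline was taken.
    with open(os.path.join(root, "etc/app.conf"), "wb") as fh:
        fh.write(b"debug=true\n")
    os.chmod(os.path.join(root, "bin/server"), 0o777)
    with open(os.path.join(root, "bin/unexpected"), "wb") as fh:
        fh.write(b"new file")
    os.remove(os.path.join(root, "etc/old.conf"))
    old = load_baseline(os.path.join(root, "baseline.json"))
    rescan = baseline(root)
    rescan.pop("baseline.json", None)   # the store is not part of the scope
    return compare(old, rescan)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```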
Vendors of FIM tools also differ in how their tool is deployed and in the deliverables. So some of the key variables to consider when evaluating FIM tools are:
• Granularity of reporting.
• Are agents required on each endpoint, and what is the total lifecycle cost of managing the agents?
• Can the tool provide more than FIM, such as the ability to communicate with a policy compliance software tool?
• Triage of vulnerabilities by risk, and can risk levels be ascribed by the user?
• Auto discovery of files in order to identify forgotten files / servers.
• Flexibility in scheduling and period for re-scanning.
• Ability to remotely manage the tool.
FIM Vendors
Vendors can be easily found by using keyword phrases such as: file integrity monitoring, file integrity checking, file integrity monitoring comparison, file integrity managing, file integrity monitoring, Windows file integrity monitoring, and open source file integrity monitoring.
You will find many vendors including:
Hope this is helpful. Have a secure week. Ron Lepofsky CISSP, CISM, http://www.ere-security.ca/
Tags: file integrity management, file integrity monitoring, FIM Posted in Security Postings | 1 Comment »
March 16th, 2011
If you have not yet deployed FIM perhaps now is a good time to ask “why not”.
If your organization is now addressing data loss prevention (DLP) by minimizing the risk of damage by malicious code and by enforcing strict access controls to mitigate unauthorized access, then FIM is something you might also want to consider.
FIM is essentially monitoring all aspects of changes to key files to quickly detect any attempted or successful unauthorized changes, in order to take quick mitigation steps.
In the terms of reference of this blog, the main concern addressed by deploying FIM is to ensure that malicious code has not been embedded within critical applications and operating system files. Current concerns are for botnet or other large scale intrusion attempts to install Trojans including rootkits.
Just to be thorough, file integrity breaches can be caused by all manner of problems within the file management lifecycle, such as transmission errors, software bugs, storage errors, write errors, and incorrect change management procedures.
The important changes integrity monitoring should discover relate to:
• File size
• Version
• When it was created
• When it was modified
• The login name of any user who modifies the file
• Its attributes (e.g., Read-Only, Hidden, System, etc.)
• When group ownership of files is changed.
• Improper user access or attempted access of confidential files
• Changes to security access permissions for files, including new permissions, deleted permissions, and changes to permissions.
• Changes to directories
• Files and folders that are moved and added
The types of files of concern include:
• Key data files (typically stored as alphanumeric and special symbols in ASCII files)
• Database files
• Web files
• Video and audio files
• System binaries (typically executable versions of programs stored in machine readable format consisting of “0”s and “1”s)
• Configuration files (when a program executes, it refers to the configuration file to determine what settings are in effect. These files are sometimes stored in the system registry, which is part of the guts of an operating system. The registry is essentially a database used by the operating system to store configuration details)
Delving into more technical detail on the registry subject, the following other types of changes to registry values, keys, and subkeys could / should be monitored:
• New registry keys and subkeys
• Removed registry keys and subkeys
• Changed registry values
• This detection ability includes changes to normally hidden registry keys such as the SAM and SECURITY keys.
FIM Compliance with IT Security Standards
Several security standards also require a file integrity monitoring and management program in order to achieve compliance. Some of these standards are:
NERC CIP 011
Table R15 15.1 Limit propagation of malicious code
Table R15 15.2 Detect and respond to the introduction of malicious code
Table R15 15.3 Implement processes to test and update malicious code protections
NIST
SI-4 Information System Monitoring
SI-7 Software and Information Integrity
PCI Data Security Standard
10.5.5 Use file-integrity monitoring
11.5 Deploy file-integrity monitoring software
SANS Consensus Audit Guidelines (CAG)
3.5 Integrity checking tools and change management
3.7 Integrity checking tools
So the bottom line of FIM is to ensure that during the course of regular business which includes changes to files, the files always remain in a known and trusted state.
I’ve run out of space for today. Next blog I’ll cover how FIM works and where to search for vendors that provide related tools.
Have a secure week. Ron Lepofsky CISSP, CISM, B.A.SC (Mech Eng) www.ere-security.ca
Tags: file integrity management, file integrity monitoring, FIM, Malware, NERC CIP, NIST, PCI DSS, SANS Posted in Security Postings | 1 Comment »
March 7th, 2011
Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.
The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous sounding proposed new standard now in the creation process. To me it looks like the heavyweight in the list of otherwise fairly general standards.
It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.
In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:
CIP 001-1 Sabotage Detection
CIP 002-1 Critical Cyber Asset Identification
CIP 003-1 Security Management Controls
CIP 004-1 Personnel and Training
CIP 005-1 Electronic Security Perimeter(s)
CIP 006-1 Physical Security of Critical Cyber Assets
CIP 007-1 Systems Security Management
CIP 008-1 Incident Reporting and Response Planning
CIP 009-1 Recovery Plans for Critical Cyber Assets
CIP 010-1 BES Cyber System Categorization (in draft)
CIP 011-1 BES Cyber System Protection (in draft)
What’s Different about CIP 011-1
NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict other CIP standards but instead are drilldowns and complementary to them.
In my opinion 011-1 control points resemble NIST security control points defined in the document: Recommended Security Controls for Federal Information Systems and Organizations. The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit but I think they are specifying critical requirements to harden our electrical security grid.
CIP-011-1 Table R3 – Cyber Security Training
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
CIP-011-1 Table R6 – Physical Access Control Systems
CIP-011-1 Table R7 – Account Management Specifications
CIP-011-1 Table R8 – Account Management Implementation
CIP-011-1 Table R9 – Access Revocation
CIP-011-1 Table R10 – Account Access Control Specifications
CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation
CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management
CIP-011-1 Table R13 – Remote Access Revocation
CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls
CIP-011-1 Table R15 – Malicious Code
CIP-011-1 Table R16 – Security Patch Management
CIP-011-1 Table R17 – System Hardening
CIP-011-1 Table R18 – Security Event Monitoring
CIP-011-1 Table R19 – Communications and Data Integrity
CIP-011-1 Table R20 – Electronic Boundary Protection
CIP-011-1 Table R21 – System Boundary Protection
CIP-011-1 Table R22 – Protective Cyber Systems
CIP-011-1 Table R23 – Configuration Change Management
CIP-011-1 Table R24 – Information Protection
CIP-011-1 Table R25 – Media Sanitization
CIP-011-1 Table R26 – Maintenance
CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications
CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications
CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications
CIP-011-1 Table R30 – Recovery Plan Specifications
CIP-011-1 Table R31 – Recovery Plan Testing Specifications
CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications
Wouldn’t it knock us all out if we find out critically important NIST standards are finally implemented by the custodians of our electrical grid?
Have a secure week. Ron Lepofsky CISSP, CISM, BA. SC. (mechanical) www.ere-security.ca
Tags: CIP 011-1, NERC CIP, NERC CIP 01-011, NERC CIP 01-09 Posted in Security Postings | 1 Comment »
March 1st, 2011
Doing an application audit is like looking for land mines. If you want to find all the land mines, you have to search every single square inch of real estate you want to ensure is mine-free. Otherwise, what’s the point of looking for them in the first place?
Similarly for application audits, it’s necessary to audit the entire scope of applications in question, or there is no point in doing the exercise.
Application owners sometimes get confused when doing a follow-up audit after they have implemented all recommendations made in an original audit. Some owners think they can save money on a subsequent audit simply by having an auditor validate the mitigation recommendations were implemented correctly.
Which is 100% correct.
Unless the owner is actually concerned about new vulnerabilities, or land mines to continue with the analogy, that have been introduced into the environment since the last audit.
To put a fine point on this issue, it is possible two activities occurred within the same timeframe, which are:
• The remediation steps were implemented.
• New vulnerabilities or land mines were introduced.
This issue is obviously exacerbated in the case of web facing applications where the consequences of vulnerability can increase exponentially with access.
Calculating the Correct Audit Scope
The correct audit scope is one that has an appropriate return on investment. This is a decision usually made by the IT security steering committee or by an executive management committee.
Since technical IT security details are not relevant to senior management, it is incumbent upon the security analyst to convey the ROI case for the audit cost in terms of cost and risk. Risk, risk appetite and ROI can be evaluated in terms of:
• Estimated costs to the corporation for each instance of a vulnerability being compromised.
• The estimated number of compromises that might occur in a year, depending upon the degree of IT security due diligence performed by the corporation.
• The appetite of the executives for accepting risk.
• The cost of an initial audit and of subsequent audits.
• The ratio of annual estimated total potential downside costs to annual audit costs.
Parameters to Scope an Application Audit
Just like all aspects of IT security, which is most effective when deployed in complementary layers, application audits are also performed in complementary layers. These layers are mutually exclusive and one layer does not replace another layer. They are simply different ways to evaluate the security health of an application.
Some of the key layers of a web facing application audit are:
External vulnerability assessment
Core issues are authorization and authentication, susceptibility to failure by overloading with large traffic volumes, application owner’s security reporting on suspect activity, and existence of known vulnerabilities.
Code Review
The goals are to identify the existence of known vulnerabilities and weaknesses in coding architecture, and to confirm adequate documentation / commenting so that an auditor has sufficient understanding of the intended logic to review the security quality of the code.
Code Lifecycle Review
Identify critical security flaws, which are often found in areas such as not incorporating security into the coding architecture, poor or non-existent code change management, and lack of separation of duties between writing code / testing code / handling production code.
Physical Security
Determine the degree to which unauthorized and untraceable access to code is possible, throughout all lifecycle aspects, including storage / transportation (including electronic) and destruction.
Metaphoric land mines abound!
Have a secure week. Ron Lepofsky CISSP, CISM, B.A.SC. www.ere-security.ca
Tags: Application audit, code lifecycle review, code review, external vulnerability assessment, Return on Investment, ROI Posted in Security Postings | No Comments »
February 23rd, 2011
Intrusion detection technology presents a confusing array of acronyms, abstract concepts, and hazy deliverables. This exacerbates the difficult situation for executives who are asked to pay for these security goodies.
In a nutshell here are the questions and answers about everything an executive may want to know about IDS:
• What business benefits does IDS deliver?
• What is the difference between all these technologies and buzzwords?
• How do they pay for themselves?
• Why bother in the first place?
IDS is one of many complementary layers of IT security technology. Several security layers exist because no one layer can provide all the security measures itself. IDS does several things that basic firewalls, for instance, cannot do:
• Identify anomalous packet content or patterns of traffic that are different from normal for any particular company’s network.
• Identify patterns, called signatures, of malicious content within packets coming into or leaving a company’s network.
• Identify changes in the security health or “state” of corporate servers.
The business benefit IDS provides is reducing the chance of missing security threats which could compromise confidentiality, integrity, privacy, or availability of mission critical assets and processes.
The return on investment calculation for IDS is predicated upon executives and asset owners identifying mission critical elements, the estimated financial loss associated with a security risk developing into a real life security event, and then comparing the lifecycle cost of IDS against the estimated financial loss associated with a breach.
An important consideration in lifecycle cost is managing and tuning out false positives generated by IDS. These activities are onerous and in my experience most network managers would rather outsource these tasks to experts.
The next issue becomes selection of the appropriate IDS technology, which basically comes in two flavours: network intrusion detection (NIDS or IDS) and host intrusion detection (HIDS).
These two technologies are very different. They are not redundant in what they do. They are deployed completely differently. They are complementary and cannot be substituted for one another.
Network IDS sits on the network telecommunications media such as an Ethernet network or a wireless network, and passively monitors the contents of packets of information flowing in all directions. IDS looks for types of content, types of services, volumes of services, and source and destination of traffic that shouldn’t be present and alerts upon suspicious activity. IDS does not typically examine changes over time, but alerts on suspicious events which it sees at any one point in time.
For the most effective deployment network IDS should have data collection points both on the Internet side of the corporate firewall and on the corporate network side of the corporate firewall. This allows the IDS to see traffic coming from both directions which may be blocked by yet not reported as dropped by the corporate firewall.
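To make the two kinds of network IDS work described above concrete, here is an added example (my own illustration, not code from the original post or from any IDS product). It runs signature matching and anomaly checks over a handful of constructed packet records, and then compares the records seen by a collection point outside the firewall with those seen by one inside it, which is how a deployment with both taps notices traffic the firewall blocked without reporting it. The signatures, the "normal" baseline and all addresses and payloads are constructed for the example.

```python
"""Network-IDS style checks over constructed packet records (added example).

A network IDS passively watches traffic and (a) matches packet content against
signatures of known-bad content, (b) flags traffic that is abnormal for this
particular network, e.g. unexpected services or unusual volume from one source.
With taps on both sides of the firewall it can also list what the firewall
silently dropped.  Everything below (addresses, payloads, baseline) is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures: byte patterns that should not appear in inbound content.
SIGNATURES = [
    ("sql-injection-probe", b"' OR 1=1"),
    ("path-traversal", b"../../"),
]

# Constructed baseline describing what is normal for this network.
BASELINE = {
    "allowed_dports": {80, 443, 25},   # services the company actually exposes
    "max_packets_per_source": 5,       # more than this from one source is unusual here
}


def signature_alerts(packets):
    """Alert on any packet whose content contains a known-bad pattern."""
    alerts = []
    for p in packets:
        for name, pattern in SIGNATURES:
            if pattern in p.payload:
                alerts.append((name, p.src, p.dst))
    return alerts


def anomaly_alerts(packets, baseline=BASELINE):
    """Alert on services and traffic volumes that deviate from the baseline."""
    alerts = []
    for p in packets:
        if p.dport not in baseline["allowed_dports"]:
            alerts.append(("unexpected-service", p.src, p.dst, p.dport))
    per_source = Counter(p.src for p in packets)
    for src, n in per_source.items():
        if n > baseline["max_packets_per_source"]:
            alerts.append(("volume-anomaly", src, n))
    return alerts


def silently_dropped(outside, inside):
    """Packets seen by the tap outside the firewall but never by the tap inside."""
    seen_inside = set(inside)
    return [p for p in outside if p not in seen_inside]


# Constructed traffic as seen at the Internet-side collection point.
SCAN_SOURCE = "203.0.113.9"
SAMPLE_OUTSIDE = [
    Packet("203.0.113.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.7", "192.0.2.10", 80, b"GET /?id=1' OR 1=1-- HTTP/1.1"),
    Packet("198.51.100.4", "192.0.2.10", 443, b"\x16\x03\x01"),
] + [
    # One source probing six services the company does not expose.
    Packet(SCAN_SOURCE, "192.0.2.10", port, b"") for port in (21, 22, 23, 3389, 5900, 8080)
]

# What the corporate-network-side tap sees: the firewall only passes allowed services.
SAMPLE_INSIDE = [p for p in SAMPLE_OUTSIDE if p.dport in BASELINE["allowed_dports"]]


if __name__ == "__main__":
    for a in signature_alerts(SAMPLE_OUTSIDE) + anomaly_alerts(SAMPLE_OUTSIDE):
        print("ALERT", a)
    print("blocked but unreported by firewall:", len(silently_dropped(SAMPLE_OUTSIDE, SAMPLE_INSIDE)))
```

The point of `silently_dropped` is the one made in the paragraph above: the inside tap alone would show a clean network, while the outside tap alone would not tell you what the firewall actually stopped; only the pair gives both the attempted activity and the firewall's effective behaviour.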
Host IDS is an entirely different ballgame. It has agents which reside on servers. It monitors several types of changes over time on servers which may indicate security problems. HIDS monitors the dynamic behavior and the state of a computer system and compares what it expects to see with what it actually sees. Examples of what HIDS monitors are:
• What resources each program typically accesses.
• Changes to the authentication database.
• Verification that specific regions of memory have not been modified, such as the system call table in Linux and various vtable structures in Microsoft Windows.
• The state of a system, such as state information stored in RAM, .dll files, and in log files.
HIDS accomplishes all this by creating a database of attributes (permissions, size, modifications dates) of whatever subjects (elements) it is monitoring and does regular comparisons for changes.
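The attribute database described in the paragraph above is simple enough to show end to end. The following is an added example of my own, not code from the original post or from any HIDS product: it takes a baseline snapshot of the permissions, size, modification time and content hash of each monitored file, then compares a later snapshot against it and reports what changed, was created or was deleted. The monitored files, their contents and the tampering scenario are constructed in a temporary directory so the example runs anywhere.

```python
"""Host-IDS style attribute database and change comparison (added example).

A HIDS records attributes of each monitored subject in a baseline database and
compares the current state against it at regular intervals.  Tracked here:
permission bits, size, modification time and a SHA-256 of the content.
The files and the tampering below are constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile

TRACKED = ("mode", "size", "mtime", "sha256")


def file_attributes(path):
    """Collect the attributes the baseline stores for one subject."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "size": st.st_size,
        "mtime": st.st_mtime,
        "sha256": digest,
    }


def snapshot(paths):
    """Build the attribute database; a missing subject is recorded as None."""
    return {p: (file_attributes(p) if os.path.exists(p) else None) for p in paths}


def compare(baseline, current):
    """One finding per subject whose state differs from the baseline.

    Returns (path, "created"), (path, "deleted") or (path, "attr1,attr2,...").
    """
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if old is None and new is None:
            continue
        if old is None:
            findings.append((path, "created"))
        elif new is None:
            findings.append((path, "deleted"))
        else:
            changed = [k for k in TRACKED if old[k] != new[k]]
            if changed:
                findings.append((path, ",".join(changed)))
    return findings


def demo():
    """Constructed scenario: baseline two files, then tamper with one of them."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")     # stands in for the authentication database
        conf = os.path.join(d, "app.conf")
        for p, body in ((passwd, b"root:x:0:0\n"), (conf, b"debug=false\n")):
            with open(p, "wb") as fh:
                fh.write(body)
            os.chmod(p, 0o644)
        baseline = snapshot([passwd, conf])

        # Tampering: an extra account is appended and the file is made world-writable.
        with open(passwd, "ab") as fh:
            fh.write(b"intruder:x:0:0\n")
        os.chmod(passwd, 0o666)

        return compare(baseline, snapshot([passwd, conf]))


if __name__ == "__main__":
    for path, what in demo():
        print(f"{path}: {what}")
```

Two practical notes a practitioner would add: the baseline itself must be stored where the monitored host cannot rewrite it (otherwise whoever changes the file can also change the record of it), and `mtime` alone is not trustworthy evidence because it can be reset, which is why the content hash is tracked alongside it.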
Intrusion Prevention or IPS is intrusion detection plus the additional capability to actively restrict / deny access in response to a perceived security threat. This is a good feature for networks that do not change and have a very steady state of operation. Otherwise IPS can and does incorrectly interpret some bona fide business traffic as threatening and then unnecessarily denies access to a process (or processes).
Why Bother?
In my opinion implementing IDS is worth investigating if business drivers merit a first look. It’s also my opinion that it’s worth doing a trial period with IDS to quantify: the numbers of high, medium, and low threats during the trial period; what subsequent mitigation steps were implemented by the company; and the potential cost of losses that may have been averted by the mitigation steps.
If the dollars show a positive ROI for IDS, then by all means it was worth the bother.
Have a secure week. Ron Lepofsky CISSP, CISM, B.A.SC. www.ere-security.ca
February 15th, 2011
The Government Accountability Office recently warned that the quick uptake of smart grid infrastructure is likely to result in more cyber attacks. I think what they actually mean is lots of destruction and damage as the result of new cyber attacks.
It strikes me that the GAO, Department of Homeland Security, Stuxnet-nail-biters, and the like all have the impression that Smart Grid technology introduces some mystifying vulnerability into the electrical grid mix. I don’t think so.
Smart Grid technology is simply new. Any new technology brings to the table potential vulnerabilities both intrinsic to the technology and how it is implemented within an existing infrastructure. In this case the existing infrastructure is a continent covered by legacy electrical networks.
Legacy can be secure if it doesn’t leak like a security sieve. Unfortunately not so with our legacy electrical networks. The powers that be have bolted onto them SCADA real time monitoring and management systems which is no problem in itself. However, the fact that some SCADA servers reside on poorly secured networks does present serious security vulnerability.
So where does Smart Grid technology fit into all this? Quite simply: in exactly the same way as SCADA does. What I mean is that if the SCADA host networks are hardened, then they would also be more secure for hosting Smart Grid network technology.
But Smart Grid experts will metaphorically jump down my throat and point out that since Smart Grid technology communicates with customers’ very own houses and places of business, it therefore opens a Pandora’s Box of new problems.
Hogwash.
If the host servers for the Smart Grid technology are properly isolated and secured from the rest of the SCADA network and from the rest of an electrical utility’s administrative network, there is very little increased chance of a security breach.
The way to properly secure these Smart Grid servers has been well known for many years. NERC CIP standards are written expressly for electrical utilities. If rigorously deployed they are a material step towards Smart Grid network security. In my humble opinion a more comprehensive set of security control points within COBIT, upon which IT SOX compliance is based, should also be considered for hardening the electrical grid.
Dazed Defenders
So where’s the gap between implementing high confidence security standards for the Smart Grid and the current worry storm?
The gap is usually found in utility managements’ unwillingness to adequately fund network security. I’ve spoken with lots of in-house IT security folks at electrical utilities and most of them know exactly how to solve the Smart Grid security shortfall. Unfortunately their management seems confused on the issue. You may wonder why management is confused if their security experts aren’t. I think there are two reasons why:
• Executives are more receptive to network security studies than to actual security solutions.
• In house security experts speak technology and not Return on Investment to their execs.
The solution? Have all security-befuddled executives call me for a 10 minute clarifying conversation.
Have a secure week. Ron Lepofsky, CISSP, CISM www.ere-security.ca
Tags: Critical Infrastructure security, NERC CIP, security Electric Networks, Smart Grid