Meet the Bloggers

Vaune Carr, Principal Consultant, BT Global Services

Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Jill Knesek, Chief Security Officer, BT Global Services

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

Ben Rothke, Senior Security Consultant, BT Global Services

Pete Russo, Senior Marketing Manager, BT Global Services

Bruce Schneier, Chief Security Technology Officer, BT Global Services

Ray Stanton, Global Head of BT’s Business Continuity, Security & Governance Customer Capability Unit

Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

SecureAlert

Wednesday, September 1, 2010

Back to School Security: Or, What Insider Threats I Mitigated This Summer

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

The summer heat waves are hopefully behind us, and the kids are starting to make their way back to school.  Do you remember those days?  The first lessons of the year are always occupied by new teachers doing a quick refresher to make sure the students are familiar with the necessary material.

As such, it’s a good idea to revisit the basics of information security and, specifically, what we know about the most common source of trouble — insider threats.  And it’s important to remember one crucial lesson — not all insider threats are malicious.  Most are, in fact, accidental.  A quick review of our “Confirmed Kill” data shows that more than 70% of such events that originated from inside customer networks were ultimately due to individuals trying to do the right thing, but falling afoul of policy, acceptable use restrictions, or change control windows. 

The tricky part of this is that, since these incidents aren’t running exploits, or allowing malware to propagate, or otherwise doing something which looks inherently dangerous, signature-based tools are unlikely to have anything to say about them.  Yet if someone, using valid credentials, from an authorized source, happens to make a temporary change to a firewall rule or an ACL on a database, and then forgets to remove it, there is a potentially huge exposure created entirely by accident.  The risk calculation from these insider threats is therefore largely about what might happen next.

The best solution is to couple behavior-based anomaly detection with a monitoring program which is able to incorporate normal activities and escalate them against contextual policy requirements.  If you have a rigid change control window for certain types of activities, and they are observed outside of that window, then you still need to know about the configuration changes, even if they are done correctly by authorized users.  If you don’t have such rigid controls, but your work patterns tend to cluster around common sources or timeframes, a behavior-based system can generate a reasonable profile of “normal” activity and still raise a flag if something appears to deviate.

What if you’re a global business, with activity happening all the time, from sources all over the world?  Consider that you can still differentiate by internal subnets, or groups of usernames, or other logical groupings, even while everyone works within a single policy framework.  Your monitoring controls should therefore be architected to observe data in terms that are logically consistent with your internal groupings.  This gives you greater flexibility to tolerate different applications of policy without forcing a global team to jump through too many hoops.
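As an added illustration (this is not code from the post or from BT), here is how the two controls described above, a rigid change window and a per-group profile of who normally makes changes from where, can be applied to configuration-change audit records, together with a check for the “temporary rule somebody forgot to remove” case. The record format, the 22:00 to 02:00 window, the subnet-to-team mapping, the four-hour grace period and the sample records are all assumptions constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, time, timedelta

# Assumed policy (constructed): device classes with a rigid change window, given as
# local (start, end) times; a window may wrap past midnight.
CHANGE_WINDOWS = {"fw": (time(22, 0), time(2, 0)), "db": (time(22, 0), time(2, 0))}
# Assumed logical groupings: the subnet an admin works from maps to a team.
GROUPS = {
    ipaddress.ip_network("10.1.0.0/16"): "emea-netops",
    ipaddress.ip_network("10.2.0.0/16"): "amer-netops",
}
# A change still in place this long after being added is queried: meant to be
# permanent, or the temporary rule somebody forgot to remove?
REVERT_GRACE = timedelta(hours=4)

# Hypothetical audit-record format: "<iso-time> <device> user=.. src=.. action=.. id=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) id=(?P<id>\S+)$"
)

# Constructed sample data: known-normal history used to build the profile ...
HISTORY = [
    "2010-08-16T23:05:00 fw-edge-1 user=alice src=10.1.4.20 action=rule-add id=4001",
    "2010-08-17T01:10:00 fw-edge-1 user=alice src=10.1.4.20 action=rule-del id=4001",
    "2010-08-18T22:30:00 db-prod-1 user=bob src=10.2.7.9 action=acl-add id=8001",
    "2010-08-19T00:15:00 db-prod-1 user=bob src=10.2.7.9 action=acl-del id=8001",
]
# ... and the records under review.
TODAY = [
    "2010-08-30T23:15:02 fw-edge-1 user=alice src=10.1.4.20 action=rule-add id=4711",
    "2010-08-31T00:40:10 fw-edge-1 user=alice src=10.1.4.20 action=rule-del id=4711",
    "2010-08-31T10:05:44 fw-edge-1 user=bob src=10.2.7.9 action=rule-add id=4712",
    "2010-08-31T10:20:00 fw-edge-1 user=bob src=10.2.7.9 action=rule-del id=4712",
    "2010-08-31T23:30:00 db-prod-1 user=carol src=10.2.7.15 action=acl-add id=9001",
    "2010-08-31T23:40:00 fw-edge-1 user=dave src=192.168.50.3 action=rule-add id=4713",
]
NOW = datetime(2010, 9, 1, 9, 0, 0)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit record: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def in_window(ts, window):
    """True if ts falls inside a (start, end) window, handling the midnight wrap."""
    start, end = window
    t = ts.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)


def group_for(src):
    addr = ipaddress.ip_address(src)
    return next((name for net, name in GROUPS.items() if addr in net), None)


def build_baseline(history_lines):
    """Profile of 'normal': which users make changes from each group's subnet."""
    baseline = {}
    for ev in map(parse, history_lines):
        baseline.setdefault(group_for(ev["src"]), set()).add(ev["user"])
    return baseline


def evaluate(lines, baseline, now):
    """Return (change id, reason) alerts for records that deviate from policy or profile."""
    alerts, pending = [], {}  # pending: change id -> adding record, until a removal is seen
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        window = CHANGE_WINDOWS.get(ev["device"].split("-")[0])
        # A correct change by an authorised user is still reported if it happened
        # outside the window policy allows for that device class.
        if window and not in_window(ev["ts"], window):
            alerts.append((ev["id"], "outside change window"))
        grp = group_for(ev["src"])
        if grp is None:
            alerts.append((ev["id"], "source not in any known group"))
        elif ev["user"] not in baseline.get(grp, set()):
            alerts.append((ev["id"], f"user {ev['user']} not normally seen from {grp}"))
        if ev["action"].endswith("-add"):
            pending[ev["id"]] = ev
        elif ev["action"].endswith("-del"):
            pending.pop(ev["id"], None)
    for cid, ev in pending.items():
        if now - ev["ts"] > REVERT_GRACE:
            alerts.append((cid, "change still in place after grace period"))
    return alerts


def run_example():
    return evaluate(TODAY, build_baseline(HISTORY), NOW)
```

Running `run_example()` on the constructed records gives six alerts: change 4712 twice (added and removed correctly, by a known user, but in the middle of the day), 9001 (carol has never been seen changing things from the Americas subnet, and her ACL is still in place the next morning), and 4713 (a source outside every known grouping, also not reverted). Change 4711, the one that followed both policy and profile, produces nothing, which is the point: the signatureless rules above only speak up when context, not content, is wrong.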

Let us know in the comments if you’ve stumbled upon other considerations or techniques, and if you’d like someone to contact you to discuss your particular organizational needs down these lines — we’d be happy to talk with you.

Thursday, August 26, 2010

A Tale of Two Reports

By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, CISM

An August 3 Wall Street Journal article, Grid is Vulnerable to Cyber-Attacks, notes that networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data, according to the DoE. 

The irony is that these issues center around lack of basic information security controls.  These problems could have been easily avoided had management ensured that the software security patches were installed and had their organization practiced basic password management.

In another recent report, A Human Capital Crisis in Cybersecurity, a principal finding is that the cyber threat to the United States affects all aspects of society, business, and government; but there is neither a broad cadre of cyber experts nor an established cyber career field to build upon.

The report twice uses the term “desperate shortage” when referring to the dearth of information security professionals.  It astutely notes that having the right number of people with the requisite technical skills matters.

But as to this desperate shortage, I have my doubts.  I have yet to find a single firm where management values information security, pays its information security staff a reasonable salary, and struggles to find good people.  Most of the desperate shortages for security staff are at firms that want security experts at an intern’s salary.

If one were to correlate these two reports, it would seem that what’s needed to fix the plethora of information security problems are more security professionals.  But what “seems” is not always reality.

The reality is that the reason there are so many security problems in networks and applications is that information security is not taken seriously.  This is not a technical problem; rather, it’s a management problem.  Had management understood the threats of deploying insecure networks and applications, and had it been held accountable for them, such deployments would likely never have occurred.

Rather than training more security people to beg to be hired by apathetic management, perhaps it is management that needs the training.  In addition to that training, they need to be held accountable for their actions. 

Insecure applications and networks cost more to deploy and support in the long-term, and as such, demonstrate a lack of basic management skills.

The real information security problem is not that there is a shortage of skilled professionals; it is a shortage of skilled IT management that values and understands the criticality of information security.

The desperate shortage detailed in A Human Capital Crisis in Cybersecurity is not so much a shortage of security professionals as a shortage of management that knows it needs them.

The minute that information security becomes of value, and when management takes its role as seriously as it should—that’s when many of the information security problems will be solved.

Getting back to the power grid — I am a member of the NIST Smart Grid Interoperability Panel – Cyber Security Working Group, working with others trying to create the security requirements for a secure smart grid.  The goal is to ensure that when the smart grid is finally completed, security will be built in as core functionality, not as an afterthought.

The final version of the Guidelines for Smart Grid Cyber Security should be released in the spring and will contain three comprehensive volumes:

  1. Smart Grid Cyber Security Strategy
  2. Security Architecture and Security Requirements
  3. Supportive Analyses and References 

Whether management decides to deploy the myriad security recommendations from the working group is ultimately up to them.  But given that the country is faced with a desperate shortage of management who truly understands the nature of information security, that is a real cause for concern.

Tuesday, August 24, 2010

Schneier on Security – What Does Bruce Have to Say about Cyber Security?

By Tara Savage, Global Security Marketing Manager, BT

The threats posed to national and economic security from cyber space are a hot topic of conversation this year.  But how do you separate the hype from the issues that matter? 

This September, the University of Nebraska College of Law will address this and other issues relating to cyber space and outer space security during its annual conference in Washington, D.C. (September 9-10).

BT’s Chief Security Technology Officer and industry luminary, Bruce Schneier, will be leading the keynote conversation at this year’s conference.  Joining Bruce will be Stewart Baker, formerly Assistant Secretary of Policy for the Department of Homeland Security.

While this panel is scheduled for September 9th, you can catch up on some of Bruce’s thoughts on the psychology of security and its effect on risk at Schneier on Security.

Thursday, July 22, 2010

Is a hack into our nation’s domestic infrastructure possible?

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

The National Security Agency recently unveiled a program to help secure the networks of crucial domestic infrastructure, including the networks of electrical companies and nuclear power plants. Called “Perfect Citizen,” the program is geared to bring attention to the possibility of grid hacking.

Interestingly, a recent Wired article asked, “…if it’s so easy to turn off the lights using your laptop, how come it doesn’t happen more often?”  According to the article (“Hacking the Electric Grid? You and What Army?”, July 13, 2010):

Your average power grid or drinking water system isn’t analogous to a PC or even to a corporate network. The complexity of such systems, and the use of proprietary operating systems and applications that are not readily available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more difficult than using Metasploit.

To start, these systems are rarely connected directly to the public Internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.

Let’s pretend for a moment that hackers were planning to attack the U.S.  What would they need to do to gather enough information necessary to take out the electrical power in key parts of the country?  They don’t want to fiddle at the edges, mind you.  They want to have enough data to build the technical capability necessary to shut out the lights in Washington or New York or California at precisely the time and for exactly the duration they want.

For starters, they would need to know things like:  Where are the power plants?  What kind of plants are they? What sort of fuel do they use?  Who built them and when?  What sort of materials and technology were used when they were built?  Who manufactured the generators, turbines and other key equipment?  Whose SCADA software are they running?  Who runs the plants?  How does fuel, people, supplies get into or out of the plant? What sort of security do they have?  And perhaps most importantly: which plants supply power to which parts of the country?

While the Wired article included a lot of questions that are interesting, we ask: Are foreign attacks on our nation’s crucial infrastructure possible?  Our answer is absolutely. This is a real security threat and one that shouldn’t be taken lightly.

In fact, The New York Times reported last week that a new virus targets the computers used to manage large-scale industrial control systems used by manufacturing and utility companies. While the SCADA systems that run the software are not typically connected to the Internet, this specific virus spreads when an infected USB stick is inserted in the computer.

To assist these organizations, BT Managed Security Solutions Group offers a multi-layered, holistic approach to secure critical network infrastructure (CNI) and organizational monitoring. This offering enables any organization to have a view of its security posture as it relates to its critical infrastructure (substations, control centers, energy management systems) and its interconnectivity with the organization.

With a holistic approach, the footprints of an attack may be discovered across multiple systems or even across multiple operating areas.  As organizations merge to achieve economies of scale, disparate geographic operating regions become interconnected via common enterprise environments.  

In today’s regulatory-driven environment, an organization must consider its entire critical infrastructure – from the substation to the control center and out to the enterprise network – when making security monitoring decisions.

The fast and accurate detection of security-related events is an organization’s first line of defense against security intrusions.  This can only be achieved through a holistic solution that provides enterprise-wide security by aggregating and correlating information from both critical network infrastructure and enterprise networks, providing organizations transparency into their security posture.

Wednesday, July 14, 2010

Kraken is Baaaaaaaack

By Senthil Venkatachalam, Product Manager, and Tom Le, Director of Research and Development, BT Managed Security Solutions Group

Botnets, in general, are very dangerous and difficult to extinguish.  Within the past several weeks, we’ve learned the Kraken botnet has returned from the dead and is gaining strength yet again.

According to a recent Dark Reading article, the botnet – despite being dismantled last year – has recently compromised more than 318,000 systems.  That is nearly half the number reported at Kraken’s peak!

How does Kraken work?

Kraken came to the fore in 2008, after infecting hundreds of thousands of computers and causing them to send enormous numbers of spam emails.  While the authors of Kraken were arrested in 2009 and the network was disabled, the new Son-of-Kraken seems to be a variation which re-uses Kraken’s malicious code.  This code is propagated by a botnet framework – or butterfly framework – which is known for its efficiency in spreading such malware.  Some of you might remember another famous and large botnet, the Mariposa botnet, which also used the butterfly framework.

Detecting the “classic” Kraken

Botnets are difficult to prevent, and, once a network is infected, are even more difficult to detect.  If you are relying on anti-virus tools, Kraken is nearly impossible to detect: AV and anti-malware defenses are often disabled by bots during the original infection.  Therefore, IT professionals need network-level detection capabilities.  Suspicious activities that can be used to detect a botnet include:

  • DNS lookups to certain domains
  • Traffic on unusual (typically high) port numbers
  • Connections (or attempts) to IPs in a known range
  • Network protocol violation in datagrams or sessions traversing firewall (e.g., encrypted traffic over port 80, or non-SSL over port 443)
  • Excessive outgoing emails or other activity not usually associated with business traffic

But to assume you don’t have a botnet infection because there are no visible symptoms is a mistake.  Because bots seek to avoid detection, you need to constantly check firewall and IPS logs to unearth an infection.

Preparation is key

George Hulme said in a recent InformationWeek article, “One thing is certain: current methods of bot detection and remediation are not getting the job done.”

It’s essential that companies ensure they have maximum and continuous early-warning security measures in place to protect the integrity of their assets and mitigate risks.  For BT Managed Security Solutions Group (MSSG) customers, the good news is that a botnet detection module is a standard Managed Secure Monitoring service available to all customers.

BT MSSG has had significant success in using its customers’ firewalls to detect botnets through log analysis and event correlation.  Based on a fundamental understanding of botnet behavior, the BT team reasoned that since every botnet needs to call home at some point in order to be activated, outbound messages traversing a firewall will create detectable patterns of behavior that accurately indicate botnet activity before it has the opportunity to take over your network. 
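The indicators listed under “Detecting the classic Kraken” and the call-home reasoning in the paragraph above (the June 25 post below restates the same reasoning) can be turned into a small firewall-log correlation. This is an added example, not BT MSSG’s botnet detection module or any code from the post. The log format, the allowed-port list, the mail-server list, the beaconing thresholds and the 203.0.113.0/24 “known-bad” range (a documentation range standing in for a real threat-intelligence list) are assumptions constructed for the example, as is the sample traffic.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy (constructed): outbound ports the business normally uses, hosts that
# may legitimately send mail, and a destination block a threat feed marks as C2.
ALLOWED_PORTS = {25, 53, 80, 443}
MAIL_SERVERS = {"10.0.9.1"}
KNOWN_BAD = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder documentation range
SMTP_MAX_DESTS = 5    # distinct mail peers before a non-mail host looks like a spam bot
BEACON_MIN_HITS = 4   # connections needed before timing is judged
BEACON_MAX_CV = 0.1   # std-dev / mean of the gaps; near 0 means a fixed timer

# Hypothetical firewall export: "<iso-time> <fw> src=.. dst=.. dport=.. app=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) app=(?P<app>\S+)$"
)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_beacon(times):
    """True when a flow recurs at a near-constant interval, the shape of a call-home timer."""
    if len(times) < BEACON_MIN_HITS:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_CV


def analyse(lines):
    """Correlate outbound allow-records into (src host, indicator, detail) findings."""
    findings = set()
    flows = defaultdict(list)      # (src, dst, dport) -> connection times
    smtp_peers = defaultdict(set)  # src -> distinct hosts it spoke SMTP to
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        src, dst, dport, app = ev["src"], ev["dst"], ev["dport"], ev["app"]
        if any(ipaddress.ip_address(dst) in net for net in KNOWN_BAD):
            findings.add((src, "known-bad destination", dst))
        if dport not in ALLOWED_PORTS:
            findings.add((src, "unusual port", dport))
        # Protocol/port mismatch: clear-text on 443 or TLS on 80 is not what a browser does.
        if (dport == 443 and app != "ssl") or (dport == 80 and app == "ssl"):
            findings.add((src, "protocol mismatch", f"{app}/{dport}"))
        if dport == 25:
            smtp_peers[src].add(dst)
        flows[(src, dst, dport)].append(ev["ts"])
    for src, peers in smtp_peers.items():
        if src not in MAIL_SERVERS and len(peers) > SMTP_MAX_DESTS:
            findings.add((src, "excessive outbound smtp", len(peers)))
    for (src, dst, dport), times in flows.items():
        if is_beacon(times):
            findings.add((src, "beaconing", f"{dst}:{dport}"))
    return sorted(findings, key=str)


def sample_lines():
    """Constructed traffic: one beaconing host, one IRC-style hit on the bad range,
    one spam-sending workstation, the real mail server, and an ordinary browser."""
    base = datetime(2010, 7, 12, 8, 0, 0)
    lines = [f"{(base + timedelta(seconds=300 * i)).isoformat()} fw1 "
             f"src=10.0.5.17 dst=198.51.100.7 dport=443 app=http" for i in range(5)]
    lines.append("2010-07-12T08:02:11 fw1 src=10.0.5.22 dst=203.0.113.45 dport=6667 app=irc")
    lines += [f"2010-07-12T08:03:{i:02d} fw1 src=10.0.5.30 dst=192.0.2.{10 + i} dport=25 app=smtp"
              for i in range(8)]
    lines += [f"2010-07-12T08:04:{i:02d} fw1 src=10.0.9.1 dst=192.0.2.{10 + i} dport=25 app=smtp"
              for i in range(8)]
    lines += [f"2010-07-12T{t} fw1 src=10.0.5.40 dst=192.0.2.50 dport=443 app=ssl"
              for t in ("08:01:13", "08:07:45", "08:31:02", "09:15:30")]
    return lines
```

On the constructed traffic `analyse(sample_lines())` returns five findings: the host on a five-minute timer is reported both for beaconing and for speaking plain HTTP on port 443, the single connection into the flagged block is reported for the destination and for the high port, and the workstation talking SMTP to eight different mail exchangers is reported while the real mail server doing the same is not. The browsing host with irregular timing produces nothing. The first indicator in the list, DNS lookups to certain domains, needs resolver logs rather than firewall allow-records, but it slots into the same structure as the known-bad range check.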

One question remains — is your company prepared for the Son-of-Kraken?

Friday, June 25, 2010

Keeping it Simple, Before You Drift into the Cloud

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

This past week Gartner held its annual Security and Risk Management Conference at National Harbor, just outside Washington, D.C.  It’s interesting to note that in the last couple of years, Gartner has shifted the conference from being the IT Security Summit to focusing on risk management as a fundamental element of security.

One of the top risks to be managed, according to vice president and distinguished analyst, John Pescatore, is the explosion of botnets.  While most companies have dealt with botnets as something to respond to once they have been detected, Pescatore urged companies to focus on preemptive strikes: looking for ways to detect botnets prior to activation.

As companies place more of their trust and their resources in the cloud, preempting botnets becomes particularly important.  Pescatore suggested that the future of securing virtualized environments lies in web security gateways, application aware firewalls and web site security products.

But what can you do now to preempt botnets, especially if you’re struggling to find budget for security spend at the same time as more of your business processes are moving into the cloud?

What about leveraging your existing security infrastructure, particularly your firewalls?  BT MSSG has had significant success in using its customers’ firewalls to detect botnets through log analysis and event correlation.  Based on a fundamental understanding of botnet behavior, the BT MSSG team reasoned that since every botnet needs to call home at some point in order to be activated, outbound messages traversing a firewall will create detectable patterns of behavior that accurately indicate botnet activity before it has the opportunity to take over your network. 

While there are many more things that can be done to protect your company against botnets, this is a productive first step with an immediate and tangible return on investment.

Wednesday, May 26, 2010

Wither VeriSign? Further Consolidation in the Security Marketplace

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services


How could this happen?  VeriSign used to have more brand equity in Internet infrastructure security than anybody.  They built public certificate authorities and secured widespread adoption of their root certificates starting in 1995 – and along with Thawte, they were the first root CA to have certificates installed in Netscape Navigator.  They became inextricably linked with the Padlock Icon revolution of browsers.  VeriSign purchased Thawte Technologies from Mark Shuttleworth for $575 Million in stock in 1999 – more than $850 million in today’s money – and owned the two largest Certificate Authorities online.  They took a commanding role in the Managed Security Services space, buying Guardent in 2003.  Along the way, they built significant businesses in secure mail, payment processing and professional services.

VeriSign also acquired Network Solutions in 2000 and started building out an enhanced Naming & Directory Services group, which controls .com, .net, .cc, and .tv.  They used to operate .org as well but had to give it up in 2003.  VeriSign claims to handle comfortably in excess of 30 billion DNS queries every day, and the company operates two of the Internet’s root name servers.

Yet in the past several months – culminating in the most recent announcement of Symantec’s acquisition of the “authentication services” business for $1.28B – VeriSign has pared itself down to have little to do with enabling security at all.  The company sold its MSS business in mid-2009, and messaging, reselling, and various other units have all moved on or disappeared.  VeriSign’s press release of May 19 even says, “Following the close of this transaction, VeriSign’s remaining business will consist of its Naming Services business, which contributed approximately $162 million or 61 percent of the company’s revenues in the quarter ended March 31, 2010.”

VeriSign was originally a spinoff from RSA, intended to commercialize the cryptography technologies required to create X.509 certificates and build a services business around them.  They did so, very successfully, and as a result invited a lot of competition.  Ultimately, many of these businesses saw tremendous increases in price pressure and a tendency towards commoditization, and their profitability waned.  You can make up some of the difference if you can increase sales volume, but only to a point; eventually, your overhead and organization becomes the limiting factor, and you can’t afford to support the business any further.

Yet security has only increased in prominence in the past 10 years.  Why does VeriSign believe they should no longer make a business of it?  It’s hard to say.  Despite VeriSign being a public company, mandatory financial reporting didn’t include a detailed breakdown of P&L by business unit, and historically those numbers have been deliberately opaque.  A simple example:  when SecureWorks acquired the VeriSign MSS business, the press release claimed that the combined revenues were “greater than $100M,” yet the industry scuttlebutt on each company’s individual run rates would have led us to expect a figure closer to $200 million at the time. 

The market has changed.  At its peak, VeriSign’s stock traded at more than $258 (in February 2000) and now hovers around $27.  Its market cap today is $5 billion, compared to an on-paper peak of almost $50 billion at the height of the dot-com boom. 

Profits don’t come easily, and opportunities to innovate require a lot more insight and discipline than they used to.  That’s the same trend any market will experience – it’s standard business school 101 stuff.  Yet rather than stay and fight, VeriSign has decided to abandon its roots and focus purely on a market in which it holds something close to a monopoly interest. 

There is no doubt that internet directory and naming services will continue to grow and be essential, but what happens when the other TLD registrars prepare for their next phase of growth?  VeriSign needs to bring its significant intellectual capital and resources to bear on increasing its scope of services and opportunity for its customers, rather than entrenching itself around the chosen core.

Monday, May 24, 2010

Are PDFs secure?

By Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Founded in the 1980s with the mission of ensuring uniform typefaces, Adobe Systems has created a set of products, particularly the Acrobat PDF Reader, that are used by millions every day.

In fact, for all business transactions that don’t occur over an SSL connection, a majority now have at least one stage that includes a PDF document.  These documents – scanned, printed, downloaded, attached, completed, and returned, or kept as receipts – are ubiquitous.

But SSL and PDF have sizeable security problems which seem to be deepening every month. Recently, SSL was implicated in a man-in-the-middle attack, allowing a malicious party to cause a “renegotiation” that enables the attacker to inject input into the TLS stream ahead of the original captured session preamble; the server would then treat it as if it were coming from the victim prior to the renegotiation.

While OpenSSL has fixed this in version 0.9.8m, Adobe’s PDF has slipped down several rungs of the security ladder.  Security researcher Didier Stevens has published information on how PDF files can be crafted to successfully execute programs on a user’s PC without exploiting an underlying vulnerability.

One issue is that a PDF with an embedded executable can be used in social engineering to compromise fully patched XP boxes running Acrobat.  Also, Acrobat Reader turns on JavaScript by default when a user opens a PDF.  And most of the Acrobat vulnerabilities that led to system compromises over the last 18 months were delivered by malicious PDFs, downloaded or emailed to victims, that used JavaScript as the means to that end.  In fact, Colin Ames developed an exploit module for the Metasploit Framework that generates a malicious PDF which still uses JavaScript to execute part of the function.

Since active scripting is not typically necessary to read a white paper, invoice, receipt or letter, there is a strong argument to disable it for reasons of security.  As more organizations turn off access to the very function that exploits need to work, the less the realized threat is.  Finding a system that is not only vulnerable to a specific threat, but also allows Active Scripting to unwittingly assist in the exploitation of this threat is still possible, but not as likely as it was, even a year ago.

Ames’ achievement in tweaking Acrobat to fire up a system executable without even needing a vulnerable stack to overflow was a significant step forward.  Not until Didier’s post did we realize that this exploit could be performed on systems which were not only running current and patched software, but were also baseline security compliant in having JavaScript disabled in their browsers and Acrobat Reader.

The third strike is Didier’s link showing that not only can Acrobat be used to launch an unrelated executable from a completely different path, and not need JavaScript to do it; but it also can control the output of the one barrier that stands between security and complete compromise.  A simple social engineering message included in the Acrobat warning popup box can be modified by the attacker to say whatever he or she wants.  Didier shows something akin to “click Open to read the encrypted message.”

A more effective social engineering attack to be used in a spear-phishing campaign might be: “This encrypted message includes confidential information and is protected by ACME Inc.’s Prudent Use Policy as well as applicable State and Local Laws. You are only authorized to click ‘Open’ if you are the intended recipient, of this digital communication, janedoe@acme.org. Otherwise, kindly click ‘Do Not Open’ and this message will terminate.”

Removing the necessity of JavaScript, exploiting an application without vulnerability and allowing customization of the warning message really spells trouble for security administrators and the general computing public.
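As an added example (not code from the post, and not Didier Stevens’ pdfid tool, though it follows the same idea), the check below does what a mail gateway or desktop agent could do before a PDF reaches Reader: look for the action names the three strikes above depend on, /Launch and /JavaScript, and normalise the #xx name escapes that PDF permits and that a naive string match would miss. The three sample PDF skeletons are constructed for the example and are not real documents.

```python
import re

# Names that warrant a closer look when they appear in a PDF (the same idea as
# Didier Stevens' pdfid; this is a from-scratch re-implementation for the example).
RISKY_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile")

# A PDF name token: "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# PDF lets any byte inside a name be written as #xx, which is how string scanners get evaded.
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_name(raw):
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan(pdf):
    """Count risky names in raw PDF bytes and note how many were hex-obfuscated."""
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = 0
    for m in NAME_RE.finditer(pdf):
        raw = m.group(0)
        name = normalise_name(raw).decode("latin-1")
        if name in counts:
            counts[name] += 1
            if raw != name.encode("latin-1"):
                obfuscated += 1
    return {"counts": counts, "obfuscated": obfuscated}


def verdict(report):
    """Turn the counts into human-readable reasons to hold the file for review."""
    c = report["counts"]
    reasons = []
    if c["/Launch"]:
        reasons.append("launch action (can start a program with no vulnerability needed)")
    if c["/JavaScript"] or c["/JS"]:
        reasons.append("embedded JavaScript")
    if c["/EmbeddedFile"]:
        reasons.append("embedded file")
    if (c["/OpenAction"] or c["/AA"]) and reasons:
        reasons.append("auto-triggered on open")
    if report["obfuscated"]:
        reasons.append("obfuscated names")
    return reasons


# Constructed samples (minimal PDF skeletons, not real documents).
SAMPLE_LAUNCH = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /F (example-program) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_OBFUSCATED_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /J#53 (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 35 >> stream\nBT /F1 12 Tf (Invoice 1234) Tj ET\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

`verdict(scan(SAMPLE_LAUNCH))` reports the launch action and that it fires on open, `verdict(scan(SAMPLE_OBFUSCATED_JS))` still reports embedded JavaScript even though both names are hex-escaped, and the plain invoice passes. Holding files this way complements, rather than replaces, the recommendation above to disable JavaScript in Reader: the preference closes the avenue most of the last 18 months’ exploits used, and the scan catches the /Launch files that need no JavaScript at all.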

Thursday, May 20, 2010

Key players in private cybersecurity

By Pete Russo, Senior Marketing Manager, BT Global Services

A recent article in the Washington Post included a list of key players in the federal cybersecurity community.  According to author Tom Temin, the mix of players includes experts from academia, the military and the technology and intelligence arenas.

His list includes:

  • Lt. Gen. Keith B. Alexander — director, National Security Agency, who is soon to be appointed as leader of the new Pentagon Cyber Command
  • Rand Beers — Homeland Security undersecretary for the National Protection and Programs Directorate 
  • James A. Lewis — director and senior fellow, Technology and Public Policy Program, Center for Strategic and International Studies 
  • Allan Paller — director of research at the SANS Institute, a local education and cyber certification nonprofit. Paller keeps track of all of the major online threats, including programming mistakes that make for insecure software 
  • Ronald Ross — senior computer scientist at the National Institute of Standards and Technology 
  • Howard Schmidt — White House cybersecurity coordinator 
  • John Streufert — deputy chief information officer and chief information security officer, State Department  

But what about the private sector?  If we had to list key players on the private side of the fence, we would start with (please forgive) Bruce Schneier, security expert and cryptographer.

Who would you include on this list?  Please drop us a comment and let us know.

Tuesday, May 18, 2010

The Worm That Turned, and Turned Again: Conficker Exposed

By Pete Russo, Senior Marketing Manager, BT Global Services

It’s not often that cybersecurity gets its moment in the sun in the mainstream media.  Sure, we get sound bites on the latest credit card breach, VA breach, or password protection strategies.  But this report from The Atlantic is full-on investigative journalism at its best!

Mark Bowden, an Atlantic national correspondent, wades deep into the battle being waged by the cybersecurity community to stem Conficker’s spread and defeat the worm entirely.

To read Mark’s article and learn why Conficker would cause trouble for Captain Kirk, click here.
