
Friday, January 20, 2012

Cannon Balls and Firewalls

By Dr. Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice

Since ancient times, people have constructed defences based on physical barriers – from stone-age earth banks and wooden forts, to the monumental stone castles of the late Middle Ages. However, with the advent of gunpowder and iron cannons the defensive value of such fortresses rapidly diminished. Forts evolved in design to counter the overwhelming impact of the cannon, but it was a futile exercise and most armies began to invest in stronger mobile forces (and bigger cannons!).

The culmination of this process was the French Maginot Line, built along the French-German border from 1930 to 1939. The cost was over 3 billion francs, a huge amount of investment at the time. It was state-of-the-art, with air-conditioning, and its own underground railway network. As it turned out, it was quite impervious to attack, a stroke of pure genius.

Of course the rest is history as they say; the Germans just didn’t play fair and simply went around the wall. Worse still, the investment in the fixed fortifications had seriously eroded investment in the French mobile forces, tanks and troops that could have countered the attack.

Returning to the cyber domain, we have seen precisely the same logic played out in firewalls and most organisations’ network defence. Of course, since around 2003 security experts have advocated de-perimeterisation: a flexible virtual wall around core assets rather than a hard shell around the whole network. However, the mentality remains that there is still an inside and an outside to the business network. Hence the outrage from all sides when a major breach occurs, Sony-style. Managers and executives simply refuse to accept that their multi-million pound network asset could be contaminated. The reality is that there is no spoon (see The Matrix).

What is required is a philosophical stance built on the concept of fluid resilience. An example of this is Japanese pagodas, which remain standing in a high earthquake zone for centuries. They are flimsy towers of wood and paper! But when an earthquake occurs they flex and bend like reeds, and stay intact. This ethos is reflected across Eastern culture in the ideas of Yin and Yang in balance.

We should be teaching our system administrators and security managers Zen philosophy, rather than how to mix stronger concrete!

Monday, December 5, 2011

Next Generation Firewalls and Web Proxy: Better Together Apart

By Hans Haverhals, Business Development Director, BT

Traditional network layer firewalls rely on ports and protocols for security policy enforcement and management. This approach once provided adequate visibility and control, but against today’s application traffic and threat vectors it is no longer sufficient: a port number tells you where a connection is going, not what application is using it.

The task of securing an organisation from the Internet has become much harder now that Internet-hosted applications hop between ports, compared with the ‘good old days’ when they simply used the HTTP port (80) or the HTTPS port (443) for everything. The problem is magnified by the fact that network layer firewall development has stagnated for over a decade while Internet-hosted application delivery has evolved rapidly.

Over the past few years, most enterprises have adopted additional filtering technologies in an attempt to fill the widening gap between the capabilities of traditional network layer firewalls and the requirements of risk management. One of these technologies is the web proxy/cache, which was originally deployed to accelerate applications and save bandwidth.

Proxy/caches do a critical job, providing a single point of controlled egress to the internet, typically saving about 25-30% of bandwidth and accelerating HTTP-based application delivery.

The exponential increase in traffic volumes and the proliferation of web-hosted applications have exposed the flaws in the additional-filtering approach. Traditional web proxy implementations can’t keep up: they struggle with today’s throughput numbers and add latency to real-time applications. In addition, developing functional control in a proxy for every web-based application takes time, which slows the development of proxy-based solutions to the point where enterprises can control their traffic only with a very broad brush – just a few of the applications running over some of the more common protocols.

As a result, many enterprises are concerned that they have become overly dependent on this inefficient and expensive architecture…

In essence, a firewall must enable an organization to see and control, in a policy-based manner, what users and applications are doing between the private network and the Internet. But traditional network layer firewalls have fallen down on the job. Security and risk management requirements have changed, and firewalls must now understand both users and applications.

More band-aids (i.e., web proxies and other filtering technologies) are not going to fix the problem.  However, the answer may be found in a next-generation firewall.

Next-generation firewalls put application visibility and control back into the firewall, removing the need to deploy additional filtering technology. This approach brings the enforcement of security policy (and the control over what users and applications are doing, which is what distinguishes a next-generation firewall from a network layer firewall) back to the firewall, where it belongs. In doing so, proxy and filtering solutions can be used for what they were designed to do: acceleration and bandwidth management.
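To make the difference concrete, here is an added example (not BT’s or any vendor’s code) that evaluates the same constructed flow records against a port-based policy and against an application-aware policy. The application labels come from a handful of well-known first-bytes fingerprints (SSH banner, TLS ClientHello record header, HTTP request line, BitTorrent handshake), which is the kind of payload signature an application-aware firewall consults before it trusts the port number. Hosts, ports and payloads are constructed for illustration.

```python
"""Port-based vs application-aware policy on constructed flow records.

Added example, not BT's or any vendor's code. The flow records below are
constructed, not captured traffic, and the fingerprints cover only a few
well-known protocols.
"""
from dataclasses import dataclass

# First bytes of common protocols: a crude form of application identification.
_HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_app(payload: bytes) -> str:
    """Return a coarse application label from the first client-to-server bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # followed by a handshake message of type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(_HTTP_METHODS):
        return "http"
    return "unknown"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


# Traditional policy: keyed only on destination port.
PORT_POLICY = {80: "allow", 443: "allow"}

# Application-aware policy: keyed on what the traffic actually is.
APP_POLICY = {"http": "allow", "tls": "allow", "ssh": "deny",
              "bittorrent": "deny", "unknown": "deny"}


def port_decision(flow: Flow) -> str:
    return PORT_POLICY.get(flow.dport, "deny")


def app_decision(flow: Flow) -> str:
    return APP_POLICY[classify_app(flow.payload)]


def evaluate(flows):
    """Return (port_decision, app_decision, app_label) for each flow."""
    return [(port_decision(f), app_decision(f), classify_app(f.payload)) for f in flows]


# Constructed flows between hypothetical hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # An SSH server listening on 443 slips straight past a port-only rule.
    Flow("10.0.0.7", "198.51.100.20", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # A BitTorrent peer that has hopped onto port 80 does the same.
    Flow("10.0.0.9", "198.51.100.30", 80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    # Plain HTTP on a non-standard port: blocked by the port rule, allowed by the app rule.
    Flow("10.0.0.9", "198.51.100.40", 8080, b"GET /api HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for flow, (by_port, by_app, app) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport:<5} app={app:<10} "
              f"port-policy={by_port:<5} app-policy={by_app}")
```

The two policies disagree on three of the five flows: the SSH and BitTorrent sessions are waved through on 443 and 80 by the port rule and stopped by the application rule, while legitimate HTTP on 8080 is blocked by the port rule and permitted by the application rule. Real products use far richer signatures and can follow a session after its first packet, but the decision logic is the same.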

There is no doubt that next-generation firewalls and web proxies are critical to the enterprise IT infrastructure, but like many things, these two are best deployed when they play to their own strengths.


Wednesday, November 30, 2011

Debate: Are Risk Assessments an Outdated Approach to Security?

At a recent BT security forum, one of the participants expressed the following opinion: “I think risk assessments are an outdated rather subjective approach to security. Probabilistic analysis is only leading to predictable results. Sociology suggests basing security in trust base methods – not risk.”

This is an interesting statement, and many of our readers are probably trying to determine the best way to analyze security metrics and determine their risk appetite. Rather than just comment back, we thought we’d ask our experts within BT for their opinions on this issue.


Michael W Nawrath, BT Senior Security Consultant, says:

I cringe at the statement that a “risk register doesn’t work” or implying risk management is not a good process to continue to develop; I find that statement totally incorrect. A lot of thought has to go into developing an adequate risk management process and when implemented correctly can greatly focus spending more wisely for an organization.

Risk Management works very well if implemented and used correctly. Risk Rating can be thought of as an equation: Likelihood x business impact. We use effective risk ratings to help decide where to focus our time and resources.

A big problem in the past for many financial organizations was that, all too often, IT folks would determine the risk rating. The Federal Financial Institutions Examination Council (FFIEC) has, over the past few years, helped guide financial companies towards a more comprehensive risk rating process. It incorporates key information from business decision makers that is used to feed the Business Impact determination, with IT SMEs or assessors determining the Likelihood.


Tom Le, Director of Research and Development, BT Managed Security Solutions Group offers a competing point of view:

The main argument against risk assessments and risk registers being effective is the same argument that Nassim Nicholas Taleb uses to explain outlier events: that almost all major events and innovations are unpredicted and unpredictable. Describing these outlier events as ‘Black Swans’, he argues that the unlikelihood of an outlier event is so huge that risk models just don’t account for them properly. Even if you assign something a .0001% probability, what if that probability does occur and destroys your entire business?

I’m not arguing against risk models, just suggesting that from a customer communication perspective, if they believe that the reason risk models do not work well is because of outliers, then there is no way to convince them, no matter how structured and developed a risk model you present. A good approach is to understand what they find subjective. Somewhere in the discussion, I expect you will hear them say something like “how do you know if the probability of a targeted attack is really 0.00001% and not 0.001%? And how do you decide that the damage to the business is only $135 x number of accounts breached and not significantly more based on brand damage and legal liability? If you can’t answer this with any degree of certainty, how do I know that you’re not off by a factor of 10 or 100… or 1000?”

Omar Zaidi, Senior Principal Consultant, IT Optimization Practice Head, BT, offers additional guidance:

You have to have a way of assigning likelihoods to risks so you can balance off where to assign your resources to mitigate them. That’s not where you stop. I highly doubt sociology on its own can give you the answers, and I would challenge the CSO back to ask how a sociological approach is better than a risk management approach.  Many, many sociological studies I’ve seen done have flawed statistical analysis and data gathering methods.

As mentioned above, Black Swans are always there, but you have to decide how much capital (people, tools, etc.) is going to be tied up in mitigating something with 0.001% probability, but, which if it happens, could put your company into a fatal death-spiral.

Savvy CIOs and CSOs and business risk analysts should factor this in. If they’re not, you run the risk of ending up with a headline and a news story that has legs at best, and a business closing its doors at worst. Risk assessment is the first step. Once you know what the risks are, you need to dig into each one deeper to find out what you would have to do if that risk emerges. Then, you can assign a financial/capital/business/customer impact. At that point, you know how to reorganize your risk matrix to better reflect a total picture.

In my opinion, true risk management is about digging deeper into the events, looking for black swans, figuring out what your company’s level of exposure is, and how your IT and Risk teams would handle the situation.

SecureThinking readers:  What’s your take on this debate? Join in on the conversation by including a comment below.
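As an added worked example of the point Tom Le and Omar Zaidi raise above (this is not code from BT or from any of the participants), the following register carries a defensible low and high likelihood for each risk instead of a single number, ranks the register at both ends of the range, and flags any single event the business could not absorb whatever its probability. The risk names, probabilities, loss figures and the capital figure are constructed for illustration.

```python
"""Likelihood x impact risk rating with a sensitivity check.

Added example, not code from BT or the debate participants. The register
entries, probabilities, loss figures and the capital threshold are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    p_low: float    # most optimistic annual probability the assessors will defend
    p_high: float   # most pessimistic one (p_high / p_low is the "off by a factor of" question)
    impact: float   # loss if the event occurs, in currency units


def expected_loss(risk: Risk, pessimistic: bool = False) -> float:
    """Likelihood x business impact at one end of the likelihood range."""
    p = risk.p_high if pessimistic else risk.p_low
    return p * risk.impact


def rank(register, pessimistic: bool = False):
    """Risk names ordered from highest to lowest rating."""
    ordered = sorted(register, key=lambda r: expected_loss(r, pessimistic), reverse=True)
    return [r.name for r in ordered]


def rank_spread(register):
    """For each risk, its position (0 = top) under the optimistic and pessimistic estimates."""
    opt, pes = rank(register), rank(register, pessimistic=True)
    return {name: (opt.index(name), pes.index(name)) for name in opt}


def fatal(register, capital: float):
    """Risks whose single-event loss exceeds what the business can absorb, whatever the probability."""
    return [r.name for r in register if r.impact >= capital]


# Constructed register (hypothetical figures).
REGISTER = [
    Risk("laptop lost with unencrypted data", 0.20, 0.40, 50_000),
    Risk("web app defacement", 0.10, 0.30, 20_000),
    # The outlier: assessors cannot agree whether this is 1-in-10,000 or 1-in-100 per year.
    Risk("targeted breach of customer database", 0.0001, 0.01, 15_000_000),
    Risk("phishing leads to wire fraud", 0.06, 0.15, 200_000),
]
CAPITAL_AVAILABLE = 10_000_000  # constructed: the loss the business could survive


if __name__ == "__main__":
    for name, (opt, pes) in rank_spread(REGISTER).items():
        print(f"{name:<40} optimistic rank {opt}  pessimistic rank {pes}")
    print("fatal regardless of probability:", fatal(REGISTER, CAPITAL_AVAILABLE))
```

With the optimistic estimates the customer-database breach sits at the bottom of the register (expected loss 1,500); with the pessimistic ones it jumps to the top (150,000) and pushes every other entry down a place. A factor-of-100 disagreement on one likelihood therefore reorders the whole register, which is exactly the objection Tom describes, while the `fatal` check captures Omar’s point: an event that would exhaust the available capital needs a response plan whatever probability the register assigns it.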


Friday, November 11, 2011

What’s Your MSSP Done for You Lately?

By Jeff Schmidt, Global Portfolio Head of Business Continuity, Security & Governance Capability, BT

I would suspect your answer is that your MSSP has provided you with top flight protection against attacks, enabled your company to meet its compliance goals, kept your device signatures up to date and delivered reports that contain information that’s relevant to your IT team up through your Board of Directors.  After all, that’s what you pay them for, right?

But what if you had the opportunity to peek at what your security colleagues were getting from their MSSP? Would you feel like the passenger in the middle seat of coach who finds out that a colleague flying in business class paid the same amount for the ticket?

Without trying to create ‘FUD’, are you checking up on your service provider, and are you validating the components and service levels? After all, the best security services are often the ones you don’t know are there, because they are catching, preventing and defending against attacks before you hear about them. So is your MSSP doing all it should? Is it supporting you and proactively preventing mischief in your enterprise, and driving along your corporate mission, so that the two of you are well paired? For starters, if you’re not a BT customer and you’re reading SecureThinking, is it because your MSSP isn’t investing in thought leadership, or because its blog is simply a series of intelligence summaries that you already pay for in your monitoring contract?

And, if you’re reading this blog today and you’re a BT customer who didn’t have the opportunity to attend BT’s annual Security Leaders’ Conference this September, you missed one of the events I look forward to throughout the year: the 3 days when we bring our customers together with our in-house security rock stars, industry analysts and partners to share, connect, and collaborate.

When we first put together this concept 6 years ago we made certain to keep the sales pitches at bay and focus on developing the conference as a vehicle for thought leadership.  We offer our customers unfettered access to our senior leadership team to ask the hard questions about road maps, technology development and service delivery and, in return, to offer their input into those key areas.   Then, there are the roundtables, keynotes, and track sessions where our customers can take a step back from the tactical responsibilities of their day job to focus on the bigger picture and hear many different, yet well-informed, perspectives.

Being a security practitioner is a tough job. Amidst the constant changes, new risks and threats, how do you keep up with it all and sleep well at night? While BT’s customers still face these challenges on a daily basis, they do so in a collaborative environment; not only with their teams at work, but also with their teams at BT, whose passion it is to protect our customers, their people, reputations, and intellectual capital.

Tuesday, November 8, 2011

BT Opens a New SOC in Sydney, Australia

By Tara Savage, Senior Marketing Manager, BT Global Services

Today BT will be opening its latest Secure Operations Center (SOC) in Sydney, Australia. Jeff Schmidt, Global Head of BT Assure, BT’s global security capability unit, said “the Sydney facility is a strategically important investment for BT and will enable our customers to transact business in the region with added levels of security and confidence.”

This is the twelfth 24×7 center to be opened by BT and continues to build on BT’s investment in the region and commitment to support Australian and multinational companies as they expand into the Asia-Pacific region.

The facility will manage customers’ security environments within the healthcare, finance, retail, and manufacturing sectors and will integrate seamlessly with BT’s other SOCs to ensure that threats are managed proactively and to assist customers in meeting compliance and governance mandates.

Like all of BT’s SOCs, the Sydney facility will be staffed by highly trained security experts who monitor and manage customer networks and devices on a ‘follow-the-sun’ pattern. BT’s SOCs have maintained 100% uptime since they commenced operations and are accredited and audited to ensure they meet global and local information assurance standards, such as SAS 70 and ISO 27001.

Monday, October 24, 2011

Why You Still Can’t Teach a Machine to Hack

By Konstantinos Karagiannis, Principal Consultant, Ethical Hacking

Hackers thrive on eureka moments. Nothing makes us happier than receiving the ultimate reward for hours of looking through logs, poking at parameters, and otherwise attacking apps. Part of the job is finding and documenting the low-hanging fruit, sure. But the biggest thrills are in those magic moments, which often come after enough coffee to kill lesser mortals. Moments when we move from documenting SSL certificate errors to capturing 50,000 social security numbers!

You know what never experiences eureka moments? Today’s web application scanners.

As expensive as they are (some well above $10,000), web application scanners are sort of … lame. Currently, scanners possess the intellect of insects, unintelligently navigating web sites and occasionally stumbling across obstacles they may or may not recognize. I mentioned low hanging fruit before, and scanners can find lots of these. Yet they miss most of the really dangerous issues, and, perhaps worse, send developers on “fruitless” quests with false positives that far outnumber valid findings.

With the exception of annual audit checks and sites that have been gone over repeatedly, every new hack that comes our way holds the promise of a big finding. While we do have a plump methodology, the WAM (Web Assessment Methodology), using such a thing doesn’t let us predict what digital door or loose window may lead to a showstopper break in. It could be the way the app’s pieces interact; or a custom encryption method that can be cracked to reveal sensitive data to the world. We don’t know where this magic weakness will appear up front, and that’s part of the thrill of the hunt.

Currently a hacker with a modest year of experience, armed with a solid methodology, should win a bakeoff against all the world’s leading web app scanners combined. Creativity can’t be programmed, after all. Even Watson, the supercomputer that slaughtered the Jeopardy! champs failed to come up with anything but a wager during Final Jeopardy. It was Jennings who creatively wrote in that he welcomed the coming of our “computer overlords.”

Funny as Jennings was with his parting quote, Artificial Intelligence (AI) is seriously advancing. It’s only a matter of time before the computing horsepower of something like IBM’s DeepQA engine creates a Watsonesque hacking machine. Watson himself has since been adapted from game-show contestant to a healthcare analyst, working on treatment options for a pool of 34 million patients. Couldn’t a machine like that learn about the types of mistakes web developers make and become an uber-hacker?

With a literal quantum leap in computing on the horizon (Quantum Computing is coming, and I’ll have more to say in a future blog), running advanced AI software could be trivial in just about any industry. Web application scanners may go from simple comparison checkers to intelligent hacking systems that follow every possible exploit down every digital rabbit hole, all in minutes.

Will this be the end of human hackers? Will we be, as Jennings hinted at, serving our computer overlords, perhaps making sure their kernels are patched and tweaked?

I have more than a gut feeling this won’t be the case. Even after the inevitable Watsonesque scanners arrive, they won’t truly think or achieve creativity. Hacking is not about checking off boxes and moving on. Methodologies and repeatable quality of work are important ingredients, but without creativity and curiosity you just don’t have a true hacker.

Several big companies are recognizing that as scanning gets better and is more ingrained in the development cycle, hacker talent can be applied in other ways. The whole concept of Threat Modeling (one more blog topic on my to-do text file) is devoted to six major steps of analyzing the big picture of a particular system or application. While it reads a little dry for the layperson, the Threat Modeling methodology requires human interaction and hides between its lines a familiar concept:

Looking for that eureka moment.

Friday, October 7, 2011

The BT Information Security Journalism Award Goes To…

by Tara Savage, Senior Marketing Manager, BT Global Services

Journalism has faced such a dramatic shift with the rise of social media that the industry has been revolutionized. Reporters find themselves competing with the real-time snippets of information and news that are being released by…well, anyone who has access to a smart phone, internet connection or video device. Within this tough environment, there are select journalists who continue to report on stories and provide true value to their readers, especially in the IT Security sector.

For the past five years BT Global Services has recognized information security journalism in the UK, honoring specific journalists who have demonstrated leadership, innovation and excellence.

Ray Stanton, chairman of the panel and Vice President Professional Services, BT Global Services, announced the winners at an awards lunch on 6th October. Ray commended the nominees, saying: “enormous credit should go to each of our shortlisted journalists. Each demonstrated an ability to write clear, compelling and important stories. Each was comfortable in tackling a wide range of issues and asking difficult questions. And each played a crucially important role in helping to sustain the impressive reputation of information security journalism in the UK.”

So, without further ado, here are this year’s winners:

  • Information Security Journalist of the Year: Misha Glenny (Freelance)
  • Best Information Security News Story of the Year: Jacob Aron (New Scientist)
  • Best Overall Information Security Feature Article of the Year: Danny Bradbury (Infosecurity)
  • Best Privacy Feature of the Year: Sally Adee (New Scientist)
  • Best Cybercrime Feature of the Year: Mark Ballard (Computer Weekly)
  • Best Business Continuity Feature of the Year: Cath Everett (Computer Fraud & Security)
  • Best Generic Security Feature of the Year: Jerome Taylor (The Independent)
  • BT Enigma Award: Davey Winder (Freelance)

Congratulations to all the winners, and to all the nominees, for the important work they do.


Wednesday, October 5, 2011

Everything’s Changed: Defining the Next-Generation of Threats

By: Phillip Lin, Director of Product Marketing for FireEye

99%. That’s the percentage of enterprises that had malicious infections entering the network each week despite the fact that over $20 billion is being invested in security mechanisms each year.[1]

Based on our 1H 2011 Advanced Threat Report[2], compromises were widespread. How is this possible? Quite simply, the threats confronting businesses in 2011 bear very little resemblance to those of the past, but the IT security infrastructures still look a lot like they did three years ago.

Changing Tactics: From Known to Unknown

Today’s criminals leverage an arsenal of zero-day vulnerabilities, commercial-quality toolkits, and social media to perpetrate the next-generation attacks. These threats move “low and slow”, using several stages and channels to duck traditional defenses and find vulnerable systems and sensitive data.

Traditional defenses rely on such techniques as signatures and behavioral heuristics, approaches that help guard against known threats. However, attacks morph daily to look new and unknown to signature-based tools. These attacks do not trigger heuristics because of techniques like camouflage, multi-stage packaging, and other advanced persistent threat (APT) tactics. That’s why traditional defenses like firewalls, intrusion prevention systems (IPS), antivirus, and Web gateways fail to stop unknown, targeted APT threats.

Changing Motivation: From Hacks to Theft of PII to IP and Credentials

Ten years ago, the main threat to businesses was website defacement or network disruption. Today, businesses confront a spectrum of threats, with the most damaging attacks resulting in stolen intellectual property, credentials, and cash.

Attackers still pursue personally identifiable information (PII), as demonstrated by the theft of email addresses at Epsilon marketing—but this is not the end game. A few years ago, these stolen emails may have been sold to spammers. Now, they are used in targeted, personalized “spear phishing” emails that lure victims to click malware-laden links. Spear phishing and malicious URLs are the first salvo in a coordinated series of steps that result in successful network compromises and data theft.

Changing Targets: From Big Business to Every Business

Versatile drag-and-drop toolkits allow criminals endless attack options. Consequently, it is nearly free to scale the volume, variation, and sophistication of threats. Thus, criminals can successfully, and profitably, target medium and small businesses.

Every business has a bank account, a customer database, a product design, or some asset of value. Even if no data is stolen, every compromised system is a backdoor trap waiting to be sprung. Every business is a target and that’s why this 99% figure is so troubling: every business has proven vulnerable.

[1]Gartner. “Forecast: Enterprise Security Infrastructure, Worldwide, 2008-2014, 1Q11 Update“

[2]FireEye Malware Intelligence Labs. “FireEye Advanced Threat Report—1H 2011” http://www.fireeye.com/resources/pdfs/FireEye_Advanced_Threat_Report_1H2011.pdf

Monday, October 3, 2011

October is Cyber Security Awareness Month

By Tara Savage, Senior Marketing Manager, BT Global Services

October is Cyber Security Awareness Month, and we will be posting a series of blogs focused on the areas that the National Cyber Security Alliance (NCSA) targets for education:  the family, small/medium businesses, and of course, our core audience, enterprises.  The NCSA’s primary mission is to reach every “digital citizen” with the message:  “Stop. Think. Connect.”

The NCSA is a non-profit organization that works with the government, government-civilian agencies and corporations to educate people and businesses about using the Internet securely to protect themselves and their digital assets. The NCSA sponsors Cybersecurity Awareness Month to reinforce that we are all responsible for securing the Internet and that security includes devices and networks as well as individual actions.

If every individual and corporation took the time to understand the risk, implement stronger security practices on personal and business devices, and train others on safety and security, then we can all connect with greater confidence.

Is your business participating in Cybersecurity Awareness Month 2011? Share your activities with us here.

Thursday, September 1, 2011

One Minute Wonders: Mobile Security

By Tara Savage, Senior Marketing Manager, BT Global Services

As part of our One Minute Wonder video series, we stopped Jill Knesek, CSO of BT in the hallways to get her perspective on the most pressing security issues facing multi-nationals around the globe.  Not surprisingly, mobile security and managing end-user devices topped the list. 

Check out Jill’s thoughts here and view her series on mobile security here: