
Friday, November 11, 2011

What’s Your MSSP Done for You Lately?

By Jeff Schmidt, Global Portfolio Head of Business Continuity, Security & Governance Capability, BT

I would suspect your answer is that your MSSP has provided you with top flight protection against attacks, enabled your company to meet its compliance goals, kept your device signatures up to date and delivered reports that contain information that’s relevant to your IT team up through your Board of Directors.  After all, that’s what you pay them for, right?

But what if you had the opportunity to peek at what your security colleagues were getting from their MSSP? Would you feel like the guy in the middle seat of coach who found out that a colleague flying in business class paid the same amount for the ticket?

Without trying to create ‘FUD’, are you checking up on your service provider and are you validating the components and service levels? After all, the best security services are often the ones you don’t know are there, because they are catching, preventing and defending against attacks before you know about them. So is your MSSP doing all they should? Are they supporting and proactively preventing mischief in your enterprise and driving along your corporate mission to ensure that you are well paired? For starters, if you’re not a BT customer and you’re reading SecureThinking, is it because your MSSP isn’t investing in thought leadership or because their blog is simply a series of intelligence summaries that you already pay for in your monitoring contract?

And, if you’re reading this blog today and you’re a BT customer, you didn’t have the opportunity to attend BT’s annual Security Leaders’ Conference this September.  It’s one of the events I look forward to throughout the year; the 3 days when we bring our customers together with our in-house security rock stars, industry analysts and partners to share, connect, and collaborate.

When we first put together this concept 6 years ago we made certain to keep the sales pitches at bay and focus on developing the conference as a vehicle for thought leadership.  We offer our customers unfettered access to our senior leadership team to ask the hard questions about road maps, technology development and service delivery and, in return, to offer their input into those key areas.   Then, there are the roundtables, keynotes, and track sessions where our customers can take a step back from the tactical responsibilities of their day job to focus on the bigger picture and hear many different, yet well-informed, perspectives.

Being a security practitioner is a tough job. Amidst the constant changes, new risks and threats, how do you keep up with it all and sleep well at night? While BT’s customers still face these challenges on a daily basis, they do so in a collaborative environment; not only with their teams at work, but also with their teams at BT whose passion it is to protect our customers, their people, reputations, and intellectual capital.

Tuesday, November 8, 2011

BT Opens a New SOC in Sydney, Australia

By Tara Savage, Senior Marketing Manager, BT Global Services

Today BT will be opening its latest Secure Operations Center (SOC) in Sydney, Australia. Jeff Schmidt, Global Head of BT Assure, BT’s global security capability unit, said “the Sydney facility is a strategically important investment for BT and will enable our customers to transact business in the region with added levels of security and confidence.”

This is the twelfth 24×7 center to be opened by BT and continues to build on BT’s investment in the region and commitment to support Australian and multinational companies as they expand into the Asia-Pacific region.

The facility will manage customers’ security environments within the healthcare, finance, retail, and manufacturing sectors and will integrate seamlessly with BT’s other SOCs to ensure that threats are managed proactively and assist customers in meeting compliance and governance mandates.

Like all of BT’s SOCs, the Sydney facility will be staffed by highly trained security experts who monitor and manage customer networks and devices on a ‘follow-the-sun’ pattern. BT’s SOCs have maintained a 100% uptime since they commenced operations and are accredited and audited to ensure they meet global and local information assurance standards, such as SAS70 and ISO 27001.

Monday, October 24, 2011

Why You Still Can’t Teach a Machine to Hack

By Konstantinos Karagiannis, Principal Consultant, Ethical Hacking

Hackers thrive on eureka moments. Nothing makes us happier than receiving the ultimate reward for hours of looking through logs, poking at parameters, and otherwise attacking apps. Part of the job is finding and documenting the low hanging fruit, sure. But the biggest thrills are in those magic moments, which often come after enough coffee to kill lesser mortals. Moments when we move from documenting SSL certificate errors to capturing 50,000 social security numbers!

You know what never experiences eureka moments? Today’s web application scanners.

As expensive as they are (some well above $10,000), web application scanners are sort of … lame. Currently, scanners possess the intellect of insects, unintelligently navigating web sites and occasionally stumbling across obstacles they may or may not recognize. I mentioned low hanging fruit before, and scanners can find lots of these. Yet they miss most of the really dangerous issues, and, perhaps worse, send developers on “fruitless” quests with false positives that far outnumber valid findings.

With the exception of annual audit checks and sites that have been gone over repeatedly, every new hack that comes our way holds the promise of a big finding. While we do have a plump methodology, the WAM (Web Assessment Methodology), using such a thing doesn’t let us predict what digital door or loose window may lead to a showstopper break-in. It could be the way the app’s pieces interact; or a custom encryption method that can be cracked to reveal sensitive data to the world. We don’t know where this magic weakness will appear up front, and that’s part of the thrill of the hunt.

Currently a hacker with a modest year of experience, armed with a solid methodology, should win a bakeoff against all the world’s leading web app scanners combined. Creativity can’t be programmed, after all. Even Watson, the supercomputer that slaughtered the Jeopardy! champs, failed to come up with anything but a wager during Final Jeopardy. It was Jennings who creatively wrote in that he welcomed the coming of our “computer overlords.”

Funny as Jennings was with his parting quote, Artificial Intelligence (AI) is seriously advancing. It’s only a matter of time before the computing horsepower of something like IBM’s DeepQA engine creates a Watsonesque hacking machine. Watson himself has since been adapted from game-show contestant to a healthcare analyst, working on treatment options for a pool of 34 million patients. Couldn’t a machine like that learn about the types of mistakes web developers make and become an uber-hacker?

With a literal quantum leap in computing on the horizon (Quantum Computing is coming, and I’ll have more to say in a future blog), running advanced AI software could be trivial in just about any industry. Web application scanners may go from simple comparison checkers to intelligent hacking systems that follow every possible exploit down every digital rabbit hole, all in minutes.

Will this be the end of human hackers? Will we be, as Jennings hinted at, serving our computer overlords, perhaps making sure their kernels are patched and tweaked?

I have more than a gut feeling this won’t be the case. Even after the inevitable Watsonesque scanners arrive, they won’t truly think or achieve creativity. Hacking is not about checking off boxes and moving on. Methodologies and repeatable quality of work are important ingredients, but without creativity and curiosity you just don’t have a true hacker.

Several big companies are recognizing that as scanning gets better and is more ingrained in the development cycle, hacker talent can be applied in other ways. The whole concept of Threat Modeling (one more blog topic on my to-do text file) is devoted to six major steps of analyzing the big picture of a particular system or application. While it reads a little dry for the layperson, the Threat Modeling methodology requires human interaction and hides between its lines a familiar concept:

Looking for that eureka moment.

Friday, October 7, 2011

The BT Information Security Journalism Award Goes To…

by Tara Savage, Senior Marketing Manager, BT Global Services

Journalism has faced such a dramatic shift with the rise of social media that the industry has been revolutionized. Reporters find themselves competing with the real-time snippets of information and news that are being released by…well, anyone that has access to a smart phone, internet connection or video device. Within this tough environment, there are select journalists who continue to report on stories and provide true value to their readers, especially in the IT Security sector.

For the past five years BT Global Services has recognized information security journalism in the UK, honoring specific journalists who have demonstrated leadership, innovation and excellence.

Ray Stanton, chairman of the panel and Vice President Professional Services, BT Global Services, announced the winners at an awards lunch on the 6th October. Ray commended the nominees saying: “enormous credit should go to each of our shortlisted journalists. Each demonstrated an ability to write clear, compelling and important stories. Each was comfortable in tackling a wide range of issues and asking difficult questions. And each played a crucially important role in helping to sustain the impressive reputation of information security journalism in the UK.”

So, without further ado, here are this year’s winners:

  • Information Security Journalist of the Year: Misha Glenny (Freelance)
  • Best Information Security News Story of the Year: Jacob Aron (New Scientist)
  • Best Overall Information Security Feature Article of the Year: Danny Bradbury (Infosecurity)
  • Best Privacy Feature of the Year: Sally Adee (New Scientist)
  • Best Cybercrime Feature of the Year: Mark Ballard (Computer Weekly)
  • Best Business Continuity Feature of the Year: Cath Everett (Computer Fraud & Security)
  • Best Generic Security Feature of the Year: Jerome Taylor (The Independent)
  • BT Enigma Award: Davey Winder (Freelance)

Congratulations to all the winners, and to all the nominees, for the important work they do.

 

Wednesday, October 5, 2011

Everything’s Changed: Defining the Next-Generation of Threats

By: Phillip Lin, Director of Product Marketing for FireEye

99%. That’s the percentage of enterprises that had malicious infections entering the network each week despite the fact that over $20 billion is being invested in security mechanisms each year.[1]

Based on our 1H 2011 Advanced Threat Report[2], compromises were widespread. How is this possible? Quite simply, the threats confronting businesses in 2011 bear very little resemblance to those of the past, but the IT security infrastructures still look a lot like they did three years ago.

Changing Tactics: From Known to Unknown

Today’s criminals leverage an arsenal of zero-day vulnerabilities, commercial-quality toolkits, and social media to perpetrate the next-generation attacks. These threats move “low and slow”, using several stages and channels to duck traditional defenses and find vulnerable systems and sensitive data.

Traditional defenses rely on such techniques as signatures and behavioral heuristics, approaches that help guard against known threats. However, attacks morph daily to look new and unknown to signature-based tools. These attacks do not trigger heuristics because of techniques like camouflage, multi-stage packaging, and other advanced persistent threat (APT) tactics. That’s why traditional defenses like firewalls, intrusion prevention systems (IPS), antivirus, and Web gateways fail to stop unknown, targeted APT threats.

Changing Motivation: From Hacks to Theft of PII to IP and Credentials

Ten years ago, the main threat to businesses was website defacement or network disruption. Today, businesses confront a spectrum of threats, with the most damaging attacks resulting in stolen intellectual property, credentials, and cash.

Attackers still pursue personally identifiable information (PII), as demonstrated by the theft of email addresses at Epsilon marketing—but this is not the end game. A few years ago, these stolen emails may have been sold to spammers. Now, they are used in targeted, personalized “spear phishing” emails that lure victims to click malware-laden links. Spear phishing and malicious URLs are the first salvo in a coordinated series of steps that result in successful network compromises and data theft.

Changing Targets: From Big Business to Every Business

Versatile drag-and-drop toolkits allow criminals endless attack options. Consequently, it is nearly free to scale the volume, variation, and sophistication of threats. Thus, criminals can successfully, and profitably, target medium and small businesses.

Every business has a bank account, a customer database, a product design, or some asset of value. Even if no data is stolen, every compromised system is a backdoor trap waiting to be sprung. Every business is a target and that’s why this 99% figure is so troubling: every business has proven vulnerable.

[1] Gartner. “Forecast: Enterprise Security Infrastructure, Worldwide, 2008-2014, 1Q11 Update”

[2] FireEye Malware Intelligence Labs. “FireEye Advanced Threat Report—1H 2011” http://www.fireeye.com/resources/pdfs/FireEye_Advanced_Threat_Report_1H2011.pdf

Monday, October 3, 2011

October is Cyber Security Awareness Month

By Tara Savage, Senior Marketing Manager, BT Global Services

October is Cyber Security Awareness Month, and we will be posting a series of blogs focused on the areas that the National Cyber Security Alliance (NCSA) targets for education:  the family, small/medium businesses, and of course, our core audience, enterprises.  The NCSA’s primary mission is to reach every “digital citizen” with the message:  “Stop. Think. Connect.”

The NCSA is a non-profit organization that works with the government, government-civilian agencies and corporations to educate people and businesses about using the Internet securely to protect themselves and their digital assets. The NCSA sponsors Cybersecurity Awareness Month to reinforce that we are all responsible for securing the Internet and that that security includes devices and networks as well as individual actions.

If every individual and corporation took the time to understand the risk, implement stronger security practices on personal and business devices, and train others on safety and security, then we can all connect with greater confidence.

Is your business participating in Cybersecurity Awareness Month 2011? Share your activities with us here.

Thursday, September 1, 2011

One Minute Wonders: Mobile Security

By Tara Savage, Senior Marketing Manager, BT Global Services

As part of our One Minute Wonder video series, we stopped Jill Knesek, CSO of BT in the hallways to get her perspective on the most pressing security issues facing multi-nationals around the globe.  Not surprisingly, mobile security and managing end-user devices topped the list. 

Check out Jill’s thoughts here and view her series on mobile security here:

Wednesday, August 31, 2011

One Minute Wonders: The impact of new technologies on cybersecurity

By Tara Savage, Senior Marketing Manager, BT Global Services

Continuing our video series, we have captured yet another gem from our team of experts from the BT partner conference in the UK.  In this one minute wonder video, Jim Tiller of BT Global Services talks about the evolution of technology as it moves more into the mobility space and its impact on security. Check out Jim’s thoughts:

Tuesday, August 30, 2011

One Minute Wonders: Cybersecurity vs. Cloud Security

By Tara Savage, Senior Marketing Manager, BT Global Services

Each year BT holds their annual partner conference in the UK.  This year, SecureThinking wanted to highlight what was on the minds of our best and brightest.  Hence, the one minute wonder video series.  Check out what Ben Azvine, Director of Security Futures Practice at BT has to say about the differences between cyber and cloud security.

Wednesday, August 10, 2011

Kids and the Internet: Keeping them Secure

Jim Tiller, Global Security Practice Head, BT Global Services

I recently read a post on SecureThinking from Martin Brown, aka “Evil Dad.”  I too have kids and can relate to Martin’s woes because as parents, it’s in our DNA to protect our offspring. The Internet represents a broad range of threats we’re still struggling to fully understand. Kids are ingenious, naturally intuitive, and, of course defiant at times, constantly challenging us in their quest for independence. But instead of sneaking out at night and going for a joyride in your brand new BMW, they’re poking away on the Internet in the middle of the night.

They’re in that margin between skill and knowledge, and far from wisdom, and, unfortunately, threats on the Internet are poised at the ready to exploit their trust.

Nevertheless, it’s important we acknowledge and respect what our children are experiencing. Take a moment and think about how truly different their world is from ours. As much as you think you know the Internet, you will never see it through their eyes. Like Martin, I’ve been in security for a while, grew up with rotary phones, and was there when the Internet was born. The Internet and all this implies evolved with us. Our children know nothing of this evolution – it just is. It’s a natural part of their lives and as such they view it, interact with it, and live in it in ways we can’t fully appreciate.

In short, the Internet represents a monumental dynamic in human history. Our children are the first generation to be deeply intertwined with the Internet, something vastly different from other milestones in human development, such as the introduction of tools, farming, language, and architecture to science, the industrial revolution, and even space travel. More importantly, unlike past leaps in technology that took several generations to be fully absorbed, the Internet happened overnight creating a tangible gap in a single generation.

If we acknowledge the existence of this truly unique human condition, and further resonate with the inherent inability for adults to fully comprehend what their kids are going through due to the gap, we therefore have to accept that we may not know what’s best all the time – as scary as that may sound.

The truth of the matter is although my generation built the Internet, we were winging it; we only guessed at the potential and speculated on possibilities. The next generation defined it, gave it life. They are now the custodians of the Internet and will continue to shape its future; how it will be developed, governed, and even regulated.

So, if we may not know what’s best, who does?

Here’s the interesting part: Kids are smart. Yeah, I know, when you’re picking paint out of their hair it certainly doesn’t appear that way, but nevertheless, their exposure to technology from an extremely young age means they “get it”. Combined with their natural intuitiveness and battle for independence, they will figure out how to get past your firewalls, IDS, and just about anything you put in place. Their newfound access may not last long when “evil dad” discovers it, but it will always be a constant challenge between kids and their parents.

The key, as Martin alluded to, is to help them understand the threats – a framework if you will, allowing them the freedom to make good decisions as opposed to black and white laws that won’t scale to meet the diversity of challenges they will come to face. This is analogous to telling your kids not to get in a car with a stranger, don’t walk alone in dark streets, and the like. Conversely, we tend to want to provide more detail and specifics when it comes to the Internet, but this has proven to be complex and is really only reflecting our own concerns and interpretations as opposed to accepting they inherently know things we had to learn.

Interestingly, it usually boils down to security 101. Nothing about technology, vulnerabilities, malware, or stuff like that. It’s helping them understand the value of trust and privacy.

In the real world they have multiple, fine-tuned senses developed over millions of years to help determine trust and evaluate threats, and basically none of these are useful to them on the Internet. Kids are developing new senses and that is where we can provide the biggest help. It’s less about browsers, antivirus, and Facebook, and more about helping them to develop their capabilities in identifying threats, understanding the importance of trust, and the value of their privacy.

Armed with these deceptively simple basics applied within the context of the Internet, we’ve helped build a foundation for critical thinking and ethical behavior allowing them to make informed decisions. Of course, you’re still going to have to pick paint out of their hair.