Meet the Bloggers

Vaune Carr, Principal Consultant, BT Global Services

Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Jill Knesek, Chief Security Officer, BT Global Services

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

Ben Rothke, Senior Security Consultant, BT Global Services

Pete Russo, Senior Marketing Manager, BT Global Services

Bruce Schneier, Chief Security Technology Officer, BT Global Services

Ray Stanton, Global Head of BT’s Business Continuity, Security & Governance Customer Capability Unit

Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services


Posts tagged Google

Monday, April 26, 2010

Are your company’s passwords protected?

By Pete Russo, Senior Marketing Manager, BT Global Services

We all know there is a risk to opening an email attachment if you don’t know who sent the message.  But what if you got an email with a work-related attachment from your boss? That would be okay, wouldn’t it?

Maybe not, according to The Washington Post. Hackers infiltrated Google and 30 other large companies, including Adobe, Northrop Grumman and Yahoo, by commandeering the email boxes of system administrators and executives – and then using them to gain access to passwords and intellectual property.

In a cyber attack such as this, once a hacker has gained access to those user names and passwords, it can take only minutes to take over the company’s entire network.  More and more sophisticated attacks are being mounted from across the globe as hackers use “innocent” emails to gain insider information about how to compete against companies in a strategic market.

Once in — and having assumed the identity of an executive — the hacker is not easily identified and can gain access to even more information.  In fact, using the email attachment to get into the network is just one minor step in a detailed attack that is usually well planned and focused on obtaining critical competitive intelligence.

What is your company doing to ensure that everyone – at every level – understands how to protect passwords and other intellectual property from potential hacking?

Monday, April 19, 2010

Security Threats Don’t Die, They Just Lose ‘Teh Sexay’

By Toby Weir-Jones, Vice President, Product Development, Managed Security Solutions Group, BT Global Services

Last week, we found out that, despite all the progress on both technical and legal fronts, the volume of spam during the first quarter of 2010 increased six percent over last year, according to Google’s Postini group.   

Google offered up some insight but its bottom line was “keep moving things to the cloud so we can take care of them for you.”  Cloud-based or not, an enterprise mail administrator is still going to deal with virus attachments, image payloads and dangerous embedded links coming into their own server infrastructure.  And some users still open/click/download, bless their hearts.  

So what makes a security threat go away?  Clearly, not 100-percent user awareness or 100-percent effective technologies.  Yet management is inclined to think that, if it’s not on the front page of the paper anymore, it must be taken care of.  Positive ROI achieved.  On to new things!

IT Security Managers know the truth is far less convenient.  They’re still dealing with legacy Windows NT boxes, modems, and an inability to keep flash drives out of USB ports.  They set up access control lists and proxy servers, and then have to bypass them because “Somebody Who Matters” can’t get to the scheduler for tee times.  Yet if they go looking for fresh budget on an “old” problem, their entreaties about evolving attack sophistication and more complex use cases get swept aside.

People who control the budgets but aren’t in the trenches need to understand that it’s very difficult to retire a class of threat, especially when the attackers have monetary incentive to keep trying.  Spam works because users keep clicking on the links – even when the mail is in their Spam folder – and the bad guys know this, too. 

A coordinated IT Security Plan needs to ensure that defenses against established threats remain relevant and funded, while emphasizing the advantages of integrated tools to keep the hardware and support footprints under control.  If you’re buying assessments against your perimeter or internal security, don’t strike off the war dialing just to save a few dollars, because a lot of machines still have modems plugged into POTS.  If you have a legacy app which “absolutely needs” some archaic device and all the bizarre workarounds to keep it alive in a current network, spend the money to upgrade the application or build a new solution. 

In the end, it’s like your crazy relative who keeps their ancient vacuum cleaner because “it works fine.”  They don’t want to consider how limiting their choice is and place no value on the extra time and effort they invest personally.  Businesses cannot afford such complacency (or, worse, fear) and IT Security Managers need to be able to communicate the risks clearly and in financial terms.

Friday, February 5, 2010

Operation Aurora: The Dawn of a New Era of Network Attacks

By Toby Weir-Jones, Vice President – Product Development, Managed Security Solutions Group, BT Global Services

Over the past few weeks, there has been a great deal of coverage given to Google’s announcement that it has been the target of sophisticated network attacks from China.  While many have suspected that western companies and government agencies have been attacked by the Chinese, Operation Aurora was confirmation that online espionage, if not cyber war, is prevalent. 

It’s interesting to note that the purpose of the attacks was not to gain information for immediate profit, as is typically the case, but to keep tabs on the movement of information between individuals, groups, corporations, and government agencies without needing to filter content. 

As has been well documented, Operation Aurora took advantage of a vulnerability in Microsoft’s IE platform.  This continues a pattern of browser-based attacks originating in China against US networks, the most notable of which, until now, was Titan Rain back in 2003.  The specific mode of attack is not new and is not really the story in this case; sadly we’re all familiar with the proliferation of attacks against browsers and their plugins, the resulting malware, and ceaseless buffer overflow attacks against thoroughly-vetted products.

But what can companies do to combat these attacks and secure their operations?  After all, not doing business in China isn’t really an option for most companies that are recovering from the economic downturn.  And really, we shouldn’t single out China as the only source of suspicious firewall logs, nor should we assume that addresses originating in the US and Europe should be benign.

What can the CSO do, then, to protect the company and customers?

Product vendors will universally claim they could have detected the attacks because they would have seen it either in the raw network traffic (for NIDS products) or in the application data in memory (for AV and HIDS products).  However, this level of detection relies on buffer overflow alerts that are so generic you’ll never know where the threat is coming from.  In their defense, host products, such as AV and HIDS, can potentially detect the source of the attack as they are application aware.  However, as is often the case, to use these host products effectively, the advanced application protections need to be enabled and not turned off—as many are—to avoid reporting false positives.

On the front-end what we advise our customers to do is to ensure they are monitoring the right devices, and logging is configured correctly.  They also need to ensure that a well-documented and rehearsed incident response plan is in place in the event that a breach occurs.

In the SOC what we’re doing is much more time-consuming.  Our analysts and engineers are relentlessly scouring every log, every security and non-security event, collecting every piece of contextual evidence and sending it back to the lab for analysis, comparing the results of a single customer network against our global customer base to document quickly and accurately that one host in a thousand within a monitored subnet is actually compromised. 

Whether the motivation is fraud, spam, or espionage is technically immaterial because it has no bearing on finding infected hosts or revealing the methods of attack.  What we rely on instead is dozens of combined years of experience in monitoring network security activity; we’re not limited to expertise on one or two technologies, we have extensive knowledge across numerous vendor platforms.  Our CMAL and CBOT modules (first released in 2008) are great examples of advanced technology that solves real business problems, and they don’t simply offer up pretty reports about knee-jerk reactions performed by other devices. 

We want to know where it’s coming from first, and then worry about the details behind what it’s doing.  Security policies don’t distinguish between the details of buffer overflow attacks vs. brute-force — they focus on intent, so focusing efforts purely on signature-based detection can dangerously restrict your view. 
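The SOC approach described above, finding the source first by comparing one monitored network against a wider baseline rather than waiting for a generic signature, can be illustrated with a small script. The following Python example is added here for illustration; it is not BT code and has nothing to do with the CMAL or CBOT modules mentioned in the post. The firewall log format, the network labels (netA, netB, netC), the addresses and the thresholds are all constructed for the example. It flags a host when it repeatedly contacts a destination that no other monitored network has ever talked to and the connections arrive on a regular cadence, which is the kind of contextual evidence an analyst would pull out of logs before knowing anything about the payload.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not real traffic). Each line records one
# outbound connection and is tagged with the monitored network it was seen in.
SAMPLE_LOGS = """
netA 2010-01-14T09:00:05 src=10.1.1.7 dst=203.0.113.10 dport=443 action=allow
netA 2010-01-14T09:00:09 src=10.1.1.8 dst=198.51.100.20 dport=80 action=allow
netA 2010-01-14T09:05:05 src=10.1.1.7 dst=203.0.113.10 dport=443 action=allow
netA 2010-01-14T09:10:06 src=10.1.1.7 dst=203.0.113.10 dport=443 action=allow
netA 2010-01-14T09:15:05 src=10.1.1.7 dst=203.0.113.10 dport=443 action=allow
netA 2010-01-14T09:20:05 src=10.1.1.7 dst=203.0.113.10 dport=443 action=deny
netA 2010-01-14T09:02:11 src=10.1.1.9 dst=198.51.100.20 dport=80 action=allow
netB 2010-01-14T09:01:00 src=10.2.0.4 dst=198.51.100.20 dport=80 action=allow
netB 2010-01-14T09:03:30 src=10.2.0.5 dst=198.51.100.30 dport=443 action=allow
netC 2010-01-14T09:04:00 src=10.3.0.2 dst=198.51.100.20 dport=80 action=allow
netC 2010-01-14T09:06:00 src=10.3.0.3 dst=198.51.100.30 dport=443 action=allow
"""

# Hypothetical log layout: "<network> <iso-timestamp> src=... dst=... dport=... action=..."
LOG_RE = re.compile(
    r"^(?P<net>\S+) (?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_logs(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def destination_prevalence(events):
    """Count how many distinct monitored networks contacted each destination.

    This is the 'global baseline': a destination seen from many networks is
    probably a shared service; one seen from a single network deserves a look.
    """
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "allow":
            seen[e["dst"]].add(e["net"])
    return {dst: len(nets) for dst, nets in seen.items()}


def find_suspect_hosts(events, max_prevalence=1, min_connections=3, max_jitter_s=10):
    """Flag (network, host) pairs that repeatedly call a globally rare destination
    at near-constant intervals. Thresholds are illustrative, not tuned values."""
    prevalence = destination_prevalence(events)
    per_flow = defaultdict(list)
    for e in events:
        if e["action"] == "allow":
            per_flow[(e["net"], e["src"], e["dst"])].append(e["ts"])

    findings = []
    for (net, src, dst), stamps in per_flow.items():
        if prevalence[dst] > max_prevalence or len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            findings.append({
                "network": net,
                "host": src,
                "destination": dst,
                "connections": len(stamps),
                "mean_gap_s": sum(gaps) / len(gaps),
            })
    return sorted(findings, key=lambda f: (f["network"], f["host"]))


if __name__ == "__main__":
    for finding in find_suspect_hosts(parse_logs(SAMPLE_LOGS)):
        print(finding)
```

Note that the script never looks at the port, the protocol or any payload: it answers "which host, talking to where" from context alone, which is why it still works when the exploit itself is a buffer overflow no signature has caught yet. In practice the baseline would come from a much larger population than three networks, and a denied connection attempt (the `action=deny` line above) would itself be worth correlating rather than simply dropped.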

This is the first post in a series about Aurora that we’re working on.  Next up, Rob Jamison, our Manager of Network Intelligence, will offer up more insights into Aurora’s methods of propagation and detection.

Thursday, January 21, 2010

Is Free really Free in the online world?

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, CISSP, CISM, CISA, PCI QSA

One of the challenges for Internet companies is to make a profit by providing content and services to a community that largely expects those services or content to be free. There was a time when organizations charged for providing email.  Remember MSN and AOL? Fast forward a few years to an unlimited number of free email services.  Not only is the expectation that the service be free, but users moved to other e-mail providers when storage limits or functionality were restrictive.  Free and unlimited is just what our community expects.

Last year, Rupert Murdoch announced News Corp. will start charging for online access to its news services.  It will be interesting to watch how this fares for consumers who are used to receiving free services.  News Corp. is also suggesting it will charge search engines for the ability to crawl through its sites.  Services that are not free need to distinguish themselves as being remarkable to ensure a community that is used to no charge will be willing to pick up a tab.

Similarly, there has also been a shift by almost all of the free online services to start charging for premium services to reduce dependence on online ad revenue. For example:

  • LinkedIn has introduced a paid tool that can be used by recruitment companies
  • Skype has now started charging for voice mail
  • Pandora has introduced a paid online radio service with no advertisements

There is no doubt during the next two years, we will see many more companies actively moving towards a paid model with earnings supported by advertising revenue. However, even as companies look for ways to earn direct revenue for some aspect of service, the question becomes, “What should we expect for the free services that are used to reel consumers in?”

The loss of our SecureThinking blog this past month, which was being hosted for free, brought forward these questions of what our right to availability really is.  What does our loyalty and presence entitle us to?  What are fair expectations for free services?  It appears that free entitles us to a service without support.

Organizations that provide services like blogging, social networking and online applications are all mostly free.  Consumers expect these services to be reliable, secure and constantly available. But is this expectation too high?  Are we losing high value services because we do not want to pay for Internet services and content?

Certainly our desire for free services and content is negatively impacting notable TV, entertainment and newspaper companies.  When we have no more credentialed journalists because we did not want to pay for their time, I wonder if the value of the content we will be accessing will decline.  Is our lack of desire to pay actually killing the goose that lays the golden egg?  After all, there is an intrinsic cost in supplying a product.

If you are providing a product and building a business model around charging for additional services, I believe the service you are supplying must be indicative of the quality of the product you paid for.  The product must provide its users with confidentiality, integrity and availability. How will we know that the paid product has these qualities?  Organizations that provide a multi-level service model, service levels for paid services and no service level for free are at risk of alienating the community they initially attracted by providing the service in the first place.

In our situation, our response has been to move the SecureThinking blog to a new platform that we host and pay a small fee to use.  There was a misalignment between our expectations and the supplier’s product, but that is often the case when a product is free. 

I’d be interested to hear your feedback on whether you think free services should be held to the expectation of secure and reliable.  What do you think? 

