Can Technology Alone Make Your Information Safe?

Have you ever thought to yourself: “If only they would build some kind of IDS or something that really works! A little box I could plug into my network that would tell me when someone was doing something they weren’t supposed to do. Then I could just kick back, and let technology secure my data. I wouldn’t have to worry at all!” Do you really think that is true?

During World War II, the Germans thought that their Enigma cipher machines couldn’t possibly be compromised. After all, the Enigma was the epitome of high tech, years ahead of its time! They thought that their advanced technology would keep their data entirely safe. They were sure they didn’t need to worry. Were they right? No! Not only was the Enigma compromised, it was compromised in short order by a combination of espionage, clever cognition and (yes) technology. If this instance of German reliance on high technology didn’t cost them the war outright, it certainly made the war much shorter and cost the lives of thousands of German troops.

In the early 1960s, the United States military thought it no longer needed to mount guns on its new F-4 Phantom fighter. After all, the F-4 had new, high-tech air-to-air missiles like the Sidewinder and Sparrow! The military thought no enemy would be able to get close enough to use their guns. They thought that aerial dogfights were a thing of the past! Were they right? No! The enemy was able to exploit tactical errors and circumstance to get in too close for the vaunted high-tech missiles to work. This instance of over-reliance on high technology cost the lives of American pilots and the loss of expensive aircraft!

In the 1980s and 1990s, the CIA thought that there was very little need for human intelligence sources anymore. Why put agents on the ground when you can see what other countries are doing from space using high-tech satellites, and hear what they are planning using high-tech electronic surveillance and code-breaking equipment? The CIA thought it could save money and avoid putting its agents in danger by relying on these high-tech solutions. Were they right? No! During the lead-up to the current war in Iraq, the CIA found that all the high-resolution photographs and electronic intercepts it had told it next to nothing about the state of the Iraqi nuclear and biological programs. Without agents on the ground, the CIA was forced to rely on intelligence from such shaky sources as Saddam Hussein’s own son-in-law and the few agents that other countries like Germany and Great Britain were able to recruit. The CIA concluded that Iraq had advanced weapons programs and that the U.S. and her allies were in imminent danger of attack. Were they right? No! The CIA’s over-reliance on high technology and its failure to recruit human agents in the Gulf region helped lead to a full-scale war in Iraq that has cost the lives of thousands!

Much the same thing is happening today with distributed computer information systems. Organizations think that better firewalls and intrusion detection systems are the answer. Are they right?

Twenty years ago the Internet was just starting to grow. Personal computers were getting more powerful, faster and more useful every day. Software was appearing that made almost every business task easier to accomplish and keep track of. Businesses were able to streamline their operations and get a lot more work done with far fewer people. Everything was becoming more user friendly. Prices were down and profits were up!

Then the crackers started to appear. Information started to disappear! Computers suddenly stopped working! Data began getting corrupted and changed! Confidentiality was lost! Businesses and government agencies began to panic.

What was the problem? Why was this happening? Well, the main problem was that the Internet, and the transmission protocols it is based on, were designed for the free and easy interchange of information, not for security. And by the time people began to realize the importance of security, it was too late. The Internet was in place and being used by millions of people and thousands of businesses. People were unwilling to just scrap the whole thing and start over from scratch! And there were other problems. The fact that the most widely used operating systems in the world are built from closed, secret source code is a good example: clever people can always reverse engineer the shipped binaries and expose their weaknesses, so secrecy of the source buys no real protection.

So we are stuck with an information technology system that cannot be reliably secured, and it cannot be reliably secured largely because security was never designed into the technology in the first place. So why would we think that technology alone could solve this problem?! It can’t.

What government agencies and business organizations are coming to realize now is the need for a renewed emphasis on the application of operational and managerial security techniques to accompany their technology-based information security systems. A good example of this is the requirement by the FFIEC and the other financial agencies that financial institutions use something more than single-factor authentication (user name and password) to protect high-risk transactions taking place over the Internet. Did they come right out and demand that financial institutions use technology-based (and expensive!) solutions such as tokens or biometrics? No! The agencies happily, and I think wisely, left the particular solution up to each organization. They simply required that financial institutions protect their customer information adequately according to the findings of risk assessments, and they left plenty of room for financial institutions to apply layered operational and managerial security techniques to accomplish the task instead of once again relying solely on high tech.

And despite the insecurity and frustration this lack of clear guidance initially causes organizations, I think ultimately it will help them in establishing tighter, cheaper and more reliable information security programs. If financial institutions and businesses want to get off the merry-go-round of having to buy new IT equipment for security reasons seemingly every day, they are going to have to bite the bullet and do the security things that everyone hates to do. They are going to have to make sure that all personnel, not just the IT admins, know their security duties and apply them religiously. They are going to have to track the security of customer information through each step of their operations and ensure that security is applied at every juncture. They are going to have to classify and encrypt their data appropriately. They are going to have to lock up CDs and documents. They are going to have to apply oversight and double checks on seemingly everything! And everything will need to be written down.

At first this will all be a mess! Mistakes will be made! Time and money will be wasted! Tempers will flare! But the good thing is that once everyone in the organization gets the “security mind-set”, it will all get easier and better.

The fact is that once an information security program is fully developed and integrated, and all the bugs are worked out, it actually becomes easy to maintain. Personnel apply their security training without even thinking about it. Operating procedures and incident response plans are all written down and everyone knows how to get at them. And when personnel or equipment changes occur, they integrate smoothly into the system. Panic is virtually eliminated! And almost all of this is provided by the application of operational and managerial security techniques. In other words, policies and procedures.

So when your organization gets that required risk assessment done, and when you develop your required incident response and business continuity plans, don’t just let them sit in a filing cabinet! Use them, and actually start applying them to your business. It will give your organization a head start on what is almost surely going to be a requirement in the future, and could save you some money in the process!

The World Needs “Open Source Security Best Practices”

We continually get client questions about best practices for a myriad of different ideas, technologies and strategies. Put four or five information security teams together and some of the basics shake out, but the higher-level best practices remain “under discussion”.

We need a better way to make this happen. We need a Wikipedia-like, open source discussion mechanism for best practices that can bring people together, establish baselines and encourage discussion of the sticking points. I would have MSI attempt this, but as a vendor, it would be viewed as a conflict of interest. That said, someone needs to support an interactive way to make this discussion feasible, free, open and accessible. SANS, OWASP, CISecurity and others are all good starts and highly powerful as organizations, but we need some open group to establish an open forum that creates, revises and reaches consensus on best practices for everything from system settings to physical access processes.

Perhaps this exists already and I just can’t seem to find it. But, neither can the other folks that ask for this type of information. If it is out there, we as infosec professionals need to do a better job of making it known.

If you have an organization willing to undertake such a project, or are willing to lead a group to undertake such a task – drop us a line. We would love to contribute.

Safe Travels For the Holidays

As we Americans head out for the Thanksgiving holiday, many of us will be traveling around the country. This year, I would like all of our readers to pay special attention to the safety measures being used to protect you as you travel.

On the roads, check out the numbers of police, their laser/radar guns and the automated systems they have been placing around the country for the last year or more. Do these deployments and tools really make you safer, or do they just make you feel safer?

At the airport, you will be asked to remove your shoes, place your laptop in a bin and put everything liquid into a clear plastic bag. Do any of these processes actually make you safer? Does having someone look at a clear liquid in a baggie make it more or less safe, or is this security theater?

Even trains, buses and other forms of public transportation have begun to deploy similar techniques and new technologies. What is the value of these mechanisms?

So, as you travel this year, please pay attention, ask questions and compare the implementations to the risks. Some of the steps out there certainly make sense and protect us. My opinion is, many others are simply a waste of time, money and resources – since they truly provide little more than a feeling of safety or security through theater.

You decide. Maybe together, enough of us can help those in charge of such things make better choices about solutions. Maybe we can get them to focus on real risks, real threats and effective mitigations…

Either way, have a safe and happy holiday!

A new threat

A new class of software threat has established itself in the last year: vulnerabilities in device drivers. Historically, security and drivers never had much in common, and driver developers have rarely had to treat the data their hardware receives as hostile input. It appears that this line of thinking is going to cause some severe headaches in the near future.

Just a few days ago a severe vulnerability was announced in Broadcom’s wireless drivers: a buffer overflow in the code that handles the SSID field of received 802.11 management frames (beacons and probe responses). A card processes those frames from any access point in range while it scans, so somebody driving around broadcasting a malicious SSID could compromise a vulnerable machine just by sitting there waiting for it to pick the frame up; no association with the rogue network is needed. A reliable exploit is claimed to exist already, but fortunately it hasn’t been made public yet. If it does become public, it could be very dangerous. The bug is in kernel-mode code, so a successful exploit runs with kernel privileges, below anything host anti-virus can see or block. Broadcom was notified of the problem and updated its driver, but issued no security advisory. So far, it doesn’t appear that any of the vendors that use Broadcom chipsets have updated their corresponding drivers.
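To make the bug class concrete, here is an added example in C (not Broadcom’s code, and not part of the original post) of the pattern behind an SSID overflow: a parser that trusts the length byte of an 802.11 SSID information element, beside a hardened version that enforces the 32-octet limit and checks the length against the bytes actually received. The driver stack frame, the saved return address and the malicious element are all constructed here for illustration; the frame is modelled as one flat byte array so the demo’s overrun stays inside memory it owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 carries the SSID as an information element: one byte element ID
   (0 = SSID), one byte length, then the octets. The spec caps an SSID at 32
   octets and drivers size their buffer to match, but the length byte that
   arrives over the air can claim up to 255. */
#define IE_ID_SSID   0
#define SSID_MAX_LEN 32

/* Hypothetical stack frame of a driver's scan handler, modelled as one flat
   byte array: ssid[] is bytes 0..31 and the saved return address sits right after. */
#define STACK_SIZE 256
#define RET_OFFSET SSID_MAX_LEN

static uint64_t saved_ret(const uint8_t *stack)
{
    uint64_t v;
    memcpy(&v, stack + RET_OFFSET, sizeof v);
    return v;
}

static void init_stack(uint8_t *stack, uint64_t ret)
{
    memset(stack, 0, STACK_SIZE);
    memcpy(stack + RET_OFFSET, &ret, sizeof ret);
}

/* Vulnerable pattern: the received length byte becomes the copy size; over 32 overruns ssid[]. */
static size_t copy_ssid_unchecked(uint8_t *stack, const uint8_t *ie, size_t ie_len)
{
    if (ie_len < 2 || ie[0] != IE_ID_SSID)
        return 0;
    size_t len = ie[1];            /* attacker controlled, 0..255 */
    memcpy(stack, ie + 2, len);    /* no bounds check */
    return len;
}

/* Hardened: reject SSIDs over the spec limit and length bytes that outrun the frame; -1 on rejection. */
static int copy_ssid_checked(uint8_t *stack, const uint8_t *ie, size_t ie_len)
{
    if (ie_len < 2 || ie[0] != IE_ID_SSID)
        return -1;
    size_t len = ie[1];
    if (len > SSID_MAX_LEN || 2 + len > ie_len)
        return -1;
    memset(stack, 0, SSID_MAX_LEN);
    memcpy(stack, ie + 2, len);
    return (int)len;
}

/* Constructed input: a 40-byte "SSID", 32 x 'A' then eight bytes landing on the saved return address. */
static size_t build_malicious_ie(uint8_t *out, size_t cap)
{
    const size_t len = SSID_MAX_LEN + sizeof(uint64_t);
    const uint64_t fake_ret = 0x4141414141414141ULL;
    if (cap < 2 + len)
        return 0;
    out[0] = IE_ID_SSID;
    out[1] = (uint8_t)len;
    memset(out + 2, 'A', SSID_MAX_LEN);
    memcpy(out + 2 + SSID_MAX_LEN, &fake_ret, sizeof fake_ret);
    return 2 + len;
}

/* 1 if the unchecked parser let the element overwrite the return address. */
int demo_unchecked_overwrites_ret(void)
{
    uint8_t stack[STACK_SIZE], ie[64];
    init_stack(stack, 0x1122334455667788ULL);
    copy_ssid_unchecked(stack, ie, build_malicious_ie(ie, sizeof ie));
    return saved_ret(stack) == 0x4141414141414141ULL;
}

/* 1 if the checked parser rejected the element and left the return address alone. */
int demo_checked_rejects_malicious(void)
{
    uint8_t stack[STACK_SIZE], ie[64];
    init_stack(stack, 0x1122334455667788ULL);
    int rc = copy_ssid_checked(stack, ie, build_malicious_ie(ie, sizeof ie));
    return rc == -1 && saved_ret(stack) == 0x1122334455667788ULL;
}

/* SSID length the checked parser accepts for a normal element ("home1"). */
int demo_checked_accepts_valid(void)
{
    uint8_t stack[STACK_SIZE];
    const uint8_t ie[] = { IE_ID_SSID, 5, 'h', 'o', 'm', 'e', '1' };
    return copy_ssid_checked(stack, ie, sizeof ie);
}

/* -1: the checked parser also drops an element claiming 10 octets when only 3 arrived. */
int demo_checked_rejects_truncated(void)
{
    uint8_t stack[STACK_SIZE];
    const uint8_t ie[] = { IE_ID_SSID, 10, 'a', 'b', 'c' };
    return copy_ssid_checked(stack, ie, sizeof ie);
}

int main(void)
{
    printf("overwrite=%d reject=%d accept=%d truncated=%d\n", demo_unchecked_overwrites_ret(),
           demo_checked_rejects_malicious(), demo_checked_accepts_valid(), demo_checked_rejects_truncated());
    return 0;
}
```

The second check in the hardened parser matters as much as the first: a driver that only enforces the 32-octet limit can still be made to read past the end of a short frame by a length byte that promises more data than arrived, which is an information leak or a crash in kernel context rather than a write, but a kernel crash from a passing beacon is still a denial of service against every machine in range.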

This isn’t the first occurrence of such a vulnerability. You may remember the Centrino wireless driver vulnerabilities earlier this year; vulnerabilities were also identified in Apple’s Wi-Fi drivers, and recently in Nvidia’s video drivers for Linux, among others.

It’s time for hardware manufacturers to start thinking about security and to take responsibility for security issues in their drivers, just as every other software developer has to. It’s unfortunate this is not already the case, and it may be too late.

To Comply Or To Secure?

Yes, that is the question. Unfortunately, there is a difference between compliance and security, in terms of information security. MSI was recently approached with a simple question concerning multi-factor authentication and what the regulations really are (or will be, for those bodies of legislation that are a little behind the power curve). A quick perusal of several different pieces of regulatory guidance (e.g., NCUA 748 and the FFIEC handbooks) indicates that, while they each call for the use of multi-factor authentication for high-risk transactions involving access to customer information or the movement of funds to other parties, there is very little guidance that dictates the level or complexity of the proposed authentication scheme. One “attempt” at guidance says that where a risk assessment has indicated that single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks. What in the world does that mean? To me, it means that a financial institution, once a third-party risk assessment has been completed, can decide to use some implementation of authentication that may not be the most secure, as long as “they” believe it to be reasonable enough.

I currently bank with a financial institution that requires only a username and a password (at least 6 characters, one capital letter, and no special characters allowed) for me to log in to the online banking site and have unfettered access to my account. To me, this is an outrage! Granted, I can change banks. Unfortunately, I don’t believe there are very many options that offer a more secure authentication scheme.

At MSI, we set about trying to define our stance on multi-factor authentication and whether simply complying with the regulations goes far enough to secure that precious “member data”. We were asked whether, instead of implementing a multi-factor authentication scheme, a solution requiring a password plus a security question (much like the age-old “mother’s maiden name” question) would put a financial institution into compliance. The short answer: yes. The long answer: it depends on whether the financial institution “believes” it does. MSI’s answer: not even close. A password and a security question are both something you know, so that scheme is two instances of a single factor, not two factors.

In these types of situations (where regulatory guidance is too “willy-nilly” to enforce a secure solution) organizations should look to industry-standard best practices for guidance and implement a genuinely multi-factor authentication scheme, which will go much further in protecting customer data.

Multi-factor authentication is meant to be difficult to circumvent. It requires the customer to offer AT LEAST 2 of 3 possible forms of proof of identity. Those forms are (in no particular order):

  1. Something you know (password, PIN)
  2. Something you have (ATM card, token, smart card)
  3. Something you are (Biometrics…fingerprint, hand print, retinal scan)

While ATMs have been using multi-factor authentication (card plus PIN) since the beginning of time (at least for those Laguna Beach watchers in our audience), financial institutions continue to leave the most critical of vulnerabilities unchecked: a customer’s inability to keep a password to themselves. If those same financial institutions took the leap and offered a more secure authentication scheme, I believe the market would reward them handsomely. They’d get my money, as measly as the balance may be.

The moral of the story is that multi-factor authentication is meant to be difficult for all parties involved. Sure, all I hear is that security departments don’t want to hinder their customers’ or their employees’ ability to get their work done by requiring a difficult authentication scheme. That’s the biggest complaint that surrounds multi-factor authentication. However, if it’s easy for your customers to use, it’s probably pretty darn easy for an attacker to use as well.

While the current regulations give many financial institutions a “cop-out” when deciding whether or not to implement a multi-factor authentication scheme, that should not mean the bottom line is always the deciding factor when protecting your customers’ personal information. Industry-standard best practices should drive this moral dilemma. A risk assessment, performed by a qualified third party, may indicate that the risk doesn’t require a tough authentication scheme. I have to wonder whether that risk assessment bothered to contact any of the tens of thousands of people who have fallen victim to fraud or identity crimes because of poor authentication requirements.

Security, we’re all in it together.

As we’ve pointed out in a few previous posts, the basics of infosec have not changed, and neither has the primary threat: the users of the network. Building a solid foundation of compliance with your security policies is fundamental. So how do you get your users to invest in and live out your company’s security policies and procedures? How do you encourage them to be vigilant about security?

The best way to get people motivated is, as Neil pointed out, to model good behavior yourself. But it shouldn’t stop there: you should always look for another person to encourage and teach in the ways of good security practice, and of course you should encourage them to find their own disciple. Ideally this kind of thing should be going on at the managerial and team-leader level. I’ve found that people will generally rise to the level of leadership that is presented to them. You should be striving to build a culture where users are invested in security and know that those around them are as well.

Education is, of course, paramount: users must know about the policies to be able to abide by them. Finding ways to educate users without drudgery can be challenging. The mentoring model is an excellent way to spread good security practices, since it allows for a level of non-threatening accountability. Another idea is to use contests to reinforce training sessions. I’ve seen some security administrators set aside a few hundred dollars of their security budget as prize money for the year and use prizes of five to ten dollars to motivate their people to be on the lookout for, and report, suspicious or unknown people in their buildings. The effort greatly improved employees’ awareness of their surroundings, and the benefits easily surpass the minimal cash investment by the company.

Don’t Forget to Vote

Tomorrow, Tuesday 11/07/06, is election day in the US, so don’t forget to vote. The polls are open in most states before and after work, so take a few minutes and let your voice count.

PS – In some states, Ohio included, make sure you remember to bring your ID in order to vote. Check with your local election officials for requirements.

Insider Theft Incident – CEO Arrested

What can you say? It doesn’t get more serious than when the CEO is the source of the threat to the organization’s assets.

In this story (CEO of MSP … Arrested), a CEO is being charged with identity theft on a large scale. In this era of corporate governance and high penalties for abuse of one’s position, this will be one case to watch.

The story is via VAR Business and is pretty interesting. It is an excellent example of how identity theft by insiders has become “all the rage” in attacker circles.

Follow this one as it goes into trial. It promises to lay some groundwork for further prosecution of insider thieves to come.

Worry About the Basics

I have talked to many organizations in the last few months that are all wrapped up in deploying new security technologies and making elaborate plans for securing their organization. The problem is many of these same organizations have yet to get the basics right.

It does little good for you to invest in new IPS technologies, encryption widgets, automatic defensive packet switches, uber biometric scanners and other gadgets if your employees simply give out their passwords when asked, continue to click on email attachments that are suspicious and throw away scraps of paper with the keys to the kingdom on them. As in Neil’s earlier post, some users just continue to be the weakest link.

How can IPS help you if you can’t keep your systems patched? Maybe it could be used to stop some attacks, but without omnipresent visibility it won’t truly defend you; it will just give you a false sense of security. That’s the problem with relying on technology and gadgets to secure your organization: without strong policies and processes and effective awareness, you might as well throw your money out the window instead of buying some new whiz-bang piece of hardware or software that the vendors say will solve your problems.

The basics of infosec haven’t really changed. You still need a set of policies and processes that explain how the organization operates, how you will secure and handle data and how your users are to act. They need awareness training on these processes and policies so that they know how to act, how to handle data and what you expect them to do when something bad happens. THEN, you need technology to enforce the rules, audit for “bad stuff” and protect you against users who make poor choices. That truly is the role of effective security tools.

So, before you invest in the next overreaching security vendor “silver bullet”, take a moment and ask whether or not those same dollars could be better used in helping your organization do the basics better. If the answer is yes, then quietly excuse yourself from the presentation, go back to your office and implement a plan to assist with the root of the problem. Otherwise, buy away, keep looking for point solutions and keep wondering why your users are still throwing passwords in the dumpster…

Weakest Link

As with a chain, so also with security: it only takes one weak link to cause a catastrophic Information Security Incident that leads to the theft of confidential customer data, loss of reputation and/or money.

Your company could have a bulletproof security policy on paper, but if no one in your organization is putting it into practice, or if a few people are cutting corners to save time, then that puts everyone at risk. A Kevlar vest does you no good against attackers unless you wear it.

So ask yourself: am I the weakest link in my organization’s security? If not, how can I strengthen the other links by educating them? See if any of these apply to you or those around you, and strengthen the security chain against attackers.

  • Do you throw away business documents without shredding them?
  • Do you keep all your passwords in an unencrypted file called Passwords.doc in your My Documents folder or on your Desktop?
  • Do you hide your passwords on a post-it note under your keyboard, under a coffee mug, on the wall, or anywhere for that matter?
  • Do you use the same password for absolutely everything and never change it? Or if you do change it, do you only change a single digit?
  • Do you open any attachment or follow any link that comes in your email inbox?

These are basic security mistakes that could lead to you becoming your organization’s weakest security link. Avoid these habits like the plague, and make sure none of your coworkers are doing this either. Read your company’s security policy, and follow it. Educate and implement.

Here are a few steps you can take to strengthen your security today:

  • Install encryption software and use it to encrypt your Passwords.doc
  • Use password-generating software like Personal Security Assistant to make totally random passwords.
  • Utilize the shredder so that document reassembly will be a nightmare.
  • If you don’t know who sent you an email, then don’t run the binary!!
  • Store important files in an encrypted hard drive if the security policy allows it.
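As an added example (not from the original post and not the code of any product it names), here is what “totally random” has to mean inside a password generator: a small C program that draws bytes from the operating system’s CSPRNG and uses rejection sampling so that no character in the alphabet is more likely than another. The 74-character alphabet, the /dev/urandom path and the 32-character length are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed character set: 74 symbols. */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+";
#define ALPHABET_LEN ((unsigned)(sizeof(ALPHABET) - 1))

/* Bytes from the OS CSPRNG. /dev/urandom is assumed (Linux, BSD, macOS);
   never substitute rand() or srand(time(NULL)), which are predictable. */
static int os_random_bytes(uint8_t *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Number of characters a naive "byte % n" picker over-selects: 256 is not a
   multiple of n, so the first 256 % n characters get one extra chance each.
   For n = 74 that is 34 characters drawn at 4/256 instead of 3/256. */
unsigned modulo_bias_overrepresented(unsigned n)
{
    return 256 % n;
}

/* Rejection sampling: accept a byte only if it is below the largest multiple
   of n that fits in 256, so every index 0..n-1 is exactly equally likely.
   Returns the index, or -1 when the byte must be discarded and another drawn. */
int unbiased_index(uint8_t b, unsigned n)
{
    unsigned limit = 256 - (256 % n);   /* 222 for n = 74 */
    if (b >= limit)
        return -1;
    return (int)(b % n);
}

/* Fill out[0..len) with random ALPHABET characters and NUL-terminate.
   out must hold len + 1 bytes. Returns 0, or -1 if the CSPRNG is unavailable. */
int generate_password(char *out, size_t len)
{
    size_t filled = 0;
    while (filled < len) {
        uint8_t pool[64];
        if (os_random_bytes(pool, sizeof pool) != 0)
            return -1;
        for (size_t i = 0; i < sizeof pool && filled < len; i++) {
            int idx = unbiased_index(pool[i], ALPHABET_LEN);
            if (idx >= 0)
                out[filled++] = ALPHABET[idx];
        }
    }
    out[len] = '\0';
    return 0;
}

/* 1 if s is made only of ALPHABET characters, 0 otherwise. */
int password_uses_alphabet(const char *s)
{
    return strspn(s, ALPHABET) == strlen(s);
}

/* Self-check: generate two passwords of the requested length and confirm
   both are well formed and differ. Returns 1 on success, 0 on any failure. */
int demo_generate(size_t len)
{
    char a[129], b[129];
    if (len > 128 || generate_password(a, len) != 0 || generate_password(b, len) != 0)
        return 0;
    return strlen(a) == len && strlen(b) == len &&
           password_uses_alphabet(a) && password_uses_alphabet(b) && strcmp(a, b) != 0;
}

int main(void)
{
    char pw[33];
    if (generate_password(pw, 32) != 0) {
        fprintf(stderr, "no CSPRNG available\n");
        return 1;
    }
    printf("%s\n", pw);
    return 0;
}
```

Two things separate this from the quick scripts people write for themselves: the bytes come from the kernel’s random source rather than the C library’s rand(), and a byte is thrown away rather than reduced modulo the alphabet size whenever it would skew the distribution. With a 74-character alphabet and a 32-character password the result has just under 199 bits of entropy, which is the point of letting software pick the password instead of a person.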

Don’t allow yourself to become the weakest link.