November 21, 2014

The New Alchemy: Data to Dollars. Now, Protect It.

Sensitive Information or Data is the New Crown Jewels

Data is Money. How Do you Effectively Protect it?

Protection of data.  That’s what security boils down to and it’s what I tell clients when they ask me what they need to protect most.  Competitors, criminals and other players covet your data because it can be converted into money.  Like an alchemist turning lead into gold.

Much of this data you are trying to protect is sensitive or personally identifiable information (PII), like medical or financial records.  So how do you protect PII and what are the ramifications if you don’t?  Well, let’s roll out some common questions I get from clients and address the issues one by one.

What Are the PII Compliance Issues?

The primary compliance issue will involve data protection.  There will be increased litigation of security breaches due to the ever-increasing penetration of sensitive electronic information and its impact on consumers if disclosed.

The “Consumerization” trend is pushing the enterprise to integrate consumer devices (iDevices, Androids, Chromebooks, etc.), and this opens up a tremendous amount of risk regarding the security and storage of sensitive information (PII).  A central IT organization no longer chooses and controls the hardware that is utilized to access critical enterprise information.  Corporate compliance and information security will have to struggle to balance regulatory requirements on one hand with the need to provide access to critical data on the other.

Are There New/Emerging Pieces of Legislation, Including Federal That Touch on PII Protection?

There are many layers of regulatory compliance for organizations who hold sensitive electronic data.   These mandates originate from federal, state and local governments. The legal and regulatory compliance area has increased tremendously over the last decade, with HIPAA, Sarbanes-Oxley, PCI DSS, HITECH and Dodd-Frank impacting almost all industries in the U.S.

On the “new/emerging” legislation front, the FDA has also proposed a new regulatory framework called MDDS or Medical Device Data System.   Basically, any computing device, application, network or storage solution that is attached to a regulated medical device becomes a “medical device” and is thus subject to regulation.  This would include smartphones, iDevices and tablets in general.  These new regulations will create additional complexity for healthcare IT and Security staff who are attempting to gain control of an environment where physicians are attaching their own iDevices to enterprise systems.

Buried on Regulations and Guidelines

A Ton of Regulation Exists that Directly Addresses PII Security and Breach Ramifications

How About More Enforcement of Current Regulations/Mandates That Could Result in Jail/Fines?

With the advent of HIPAA and the HITECH Act, providers are ramping up their efforts to protect electronic and physical medical records.  This is primarily due to the significant fines an organization can face if records are lost or stolen.

With provisions in the HITECH Act mandating a move toward Electronic Healthcare Records (EHR), healthcare providers are adopting EHR solutions as a means to address patient data security.  Most EHR providers provide a hosted or “cloud” solution so physicians do not have to locally host their EHR package, which reduces cost somewhat.

Expect enforcement of HIPAA/HITECH to ramp up significantly in the near future due to the added enforcement policies within HITECH.  As an example, healthcare provider Cignet received the first penalty ($4.3 million) under HIPAA, due to HITECH regulatory enforcement.  HHS OCR has recently levied penalties on other providers to continue this general trend.

Organizations who have complied with government and industry regulations are far more likely to be protected from lawsuits based on “due diligence” clauses built into many industry regulations.  PCI DSS is one example of this with its “get out of jail free” or “SafeHarbor” clause. SafeHarbor is determined to be in effect if the breached organization was deemed compliant with PCI regulations at the time of the breach.

What Security Technologies, Processes or Policies Can Help?

The most significant hurdle to overcome with sensitive data security (PII) is user behavior.  Organizations will have to address where users can store and access sensitive data securely, what devices (iPhones, iPads, Androids, etc.) are allowed on the network and what policies are to be put into place to enforce these mandates.  Educating the enterprise in the proper way of treating sensitive data in multiple scenarios will be far more challenging than implementing new technology.

Technology Alone is Not Enough to Protect Data

Training is the Most Effective Security Tool. Speeds and Feeds Only Goes So Far.

The best way to modify user behavior is effective training with simple, enforced and monitored security policies.  Unfortunately organizations have cut back training activities significantly during the Great Recession and are only now slowly adding funding back.  Organizational policies are also an issue.  In many cases these policies are lengthy, unread and unenforced tracts that languish in the appendix of the New Employee Handbook.

The complexity of security compliance with mobile devices may be simplified with the acceptance and implementation of Virtual Desktop Infrastructure (VDI) technology in the corporate environment.  This technology has the ability to push a secure remote desktop image to a mobile device.  A user logs into a specific desktop image, the network connection is encrypted and the data is stored remotely on secure corporate storage.  The company gains greater control over mobile devices with the added benefit of providing a secure, standardized image for employees.  This VDI solution also cuts the risk of sensitive data being lost or stolen due to the ephemeral nature of the remote desktop technology.  Once the user logs out, the desktop is gone and the user is presented with the consumer mobile interface again.

I’d like to hear your take on this topic, so sound off in the comments below!

And Now A Word From Your Commonsense

Much of Security is Prevention.

An Ounce of Prevention is Worth a Pound of Cure

As infosec pros debate the finer points of IPv6, Cloud security, IDS/IPS and risk management it behooves us to stop and remember our customers. They really don’t care if your solution is FIPS certified and is SAS 70 compliant. They are only concerned if their identity is stolen and used to open a pickle stand in Zanzibar.

Open Google and search on information security tips and watch it bring around 124 million hits.  I am about to add +1 to that lengthy hit parade.  Why?  Well, I have been working the New Employee Orientation presentation circuit at one of my clients for a bit and I always get a boatload of questions from the attendees. Since my presentation covers social engineering, identity theft and how a device gets infected with malware, I get a lot of queries pertaining to these topics.

This thread also ties into my earlier commentary on endpoint security and social engineering in the Chicago Tribune and Los Angeles Times.  The article was entitled “Security Breaches Highlight Need for Consumer Vigilance”. Just recently, eSecurity Planet also featured my contributions on how malware removal differs in the enterprise and for personal devices in their article “The Best Malware and Antivirus Tool is Prevention”.

So I decided to distill all these questions and tips down and answer them in this article.   First, let’s tackle some routine best practices.

When it comes to numerical pass-codes (debit cards, badges, etc.), how should one pick?

Debit card PIN numbers are normally only assigned by a financial institution.  You can request to change them, but they are sent separately from the debit or credit card.  When you receive the PIN number via mail, you memorize it, and then destroy/shred the letter.  Never write your PIN on your card.  Also, when withdrawing cash from an ATM or using your card at a retailer’s terminal, ensure no one is looking over your shoulder or “shoulder surfing”.  Another good tip is to inspect the point of sale terminal or ATM for signs of tampering.  If the keypad is misaligned or the card slot mechanism looks suspicious, do not use the device.  It could be compromised and part of a “skimming” operation.

When it comes to alphabetical and numerical passcodes (such as those used online), how should one pick?

Best practices for online passwords are relatively straightforward.  They should be at least 12 characters in length with a mix of upper and lower case letters, numbers and accepted special characters.  They should not consist of addresses, dates of birth, pet names, spouses or anything easily gleaned from social media or personal data.

It is better to use a “pass phrase”, basically a sentence you can easily remember that can consist of the above recommendations.  These are normally 30 characters long and consist of non-dictionary words.

These recommendations are based on applications that can accept this input.  Many online applications still only require 6 to 8 character passwords and don’t support special character content.

Bad Passwords Brought To You By RockYou Users

If You Have One of These, Change It Now

What are the most common used passwords and why should we avoid using them?

In light of the RockYou password database breach, the most common password was “123456” the next was “12345”.  Other popular passwords were “princess” and “Password”.

These passwords should be avoided at all cost because they are short, lack special characters, are easily guessed and can be cracked rapidly with software.
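The password guidance above, applied as a check a sign-up form or help desk script could run; this is an added example, not code from the original article. The function names, the substitution table, the three-character fragment threshold and the sample inputs are assumptions made for illustration.

```python
import re
import string

# The four passwords the article names from the RockYou breach.
COMMON_PASSWORDS = {"123456", "12345", "princess", "Password"}

# Assumed substitution table: undo common character swaps so that
# "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # minimum length recommended in the article


def normalize(text):
    """Lower-case, undo substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def check_password(password, personal_items=()):
    """Return a list of problems; an empty list means the password passes.

    personal_items holds strings the user should not build a password
    from (pet name, address, date of birth, spouse name, ...).
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")

    # Mix of upper and lower case letters, numbers and special characters.
    classes = {
        "lower-case letter": any(c.islower() for c in password),
        "upper-case letter": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]

    # Compare normalized forms so trivial variations of a common
    # password ("P@ssw0rd", "PASSWORD!") are still caught.
    folded = normalize(password)
    if folded in {normalize(p) for p in COMMON_PASSWORDS}:
        problems.append("on the common-password list")

    # Split each personal item into words and numbers, then look for any
    # fragment of three or more characters inside the password.
    hits = set()
    for item in personal_items:
        for part in re.split(r"[^A-Za-z0-9]+", item):
            if len(part) >= 3 and normalize(part) in folded:
                hits.add(part)
    if hits:
        problems.append("contains personal data: " + ", ".join(sorted(hits)))

    return problems


# Constructed sample data, not taken from any real account.
PERSONAL = ["Rex", "12 Maple Street", "1984-06-02"]

if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "Rex-Maple-1984!x",
                      "Teal-Walrus-hums-42-sonatas!"):
        print(candidate, "->", check_password(candidate, PERSONAL) or "ok")
```

The third sample meets the length and character-mix rules and still fails, which is the case the "anything easily gleaned from social media" advice is about.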

What’s the best way to protect your identity online?

Strong passwords that are unique for critical sites, like online banking or social media profiles.  Commonsense plays a huge role as well.  Be careful whose emails you open and once in an email, what links you click on.  Legitimate organizations will not ask you for sensitive financial data, username and password information via email.  Call the organization in question if you feel the communication is suspicious.

Do not post sensitive personal information on your social media profiles, such as birth dates, when you are going on vacation or other critical pieces of information that would give a bad actor valuable insight into your life.  Ensure you are using the appropriate privacy settings in these applications and monitor your friends list for people you do not know.

My machine has a virus or malware on it.  What can I do?

In a corporate environment, the normal policy is to just wipe and re-image the infected machine.  Malware removal is an intensive and normally unsuccessful process.  Why is it unsuccessful?  Because modern malware employs tricks to hide its malicious code in memory, the boot sector or sometimes in seemingly legitimate code.   The user believes that the machine has been cleaned but when the device is restarted, it re-establishes a connection to its Command and Control server, re-installs itself on the infected machine and the process begins again.  This is normally on a laptop from Finance.

Running Your Antivirus Now Is Too Late

I Hope You Had a Backup

However, if you have a few hours to burn on a Sunday before your big presentation on Monday, there are several choices for removing malware from a device.

One, use the “hopefully” installed and updated anti-virus package on the device to remove the malware.  There is a slim chance of success here.

Second, if that fails, use a malware removal tool on the malicious software.  An example of this is Malwarebytes’ Anti-Malware, a free program (free for individual use, not corporate) that is a mainstay of the malware removal trade.  Make sure it’s updated.  There is a better chance of success here.

Third, if that fails, and if the user is running a Microsoft operating system, they can download the Microsoft Malicious Software Removal tool for that month.  I have had some decent success with this approach when combined with Malwarebytes.

The final option before a scorched earth re-image is to use the Microsoft operating system rollback feature to move the OS back to a date when the system was not infected.  This is a dicey approach since the malware may have hidden itself in a directory that may not be touched by System Restore.

There you have it.  A pretty high level set of tips and suggestions that will guide customers, clients or your Uncle Phil toward a hopefully more secure digital experience.

Please sound off in the comments below if you have any additional suggestions or insights to share!

Plugging Breaches with Bureaucrats

The Paperwork Makes Your Interwebz Secure.

Filling Out These Forms Will Make You Secure....Really.

Breaches within Sony’s and Epsilon’s networks in recent months have shone a light on a very real concern in the Age of Stolen Information.  The government believes that more legislation and regulation will solve the security problems that plague our interconnected networks and systems.

One only has to take a quick glance at the latest regulations from the Food and Drug Administration (FDA) on Medical Device Data Systems (MDDS) or the new Cyberwarfare Doctrine from the Pentagon to see the trend toward greater regulation.

But rules dictated by government fiat always lag far behind technological advances and create a “security by compliance” culture.  So what is the solution?

In my opinion, additional Federal legislation on the subject of information security breaches is unnecessary.  Currently there are multiple industry regulatory regimes that cover information security best practices.  At a high level here are a few:

I have recently contributed to three articles that tie into my opinion on security by regulation.  One was for the Chicago Tribune, entitled “Security Breaches Highlight Need for Consumer Vigilance”.  It covered the impact of the Walgreens, McDonald’s and Gawker security breaches.  Another was published by PCWorld on the PlayStation Network security breach.  The title of the article was “Experts on the PSN Hack: Sony Could Have Done More”.  Finally, a piece just ran in InfoWorld entitled “10 Hard Truths IT Must Learn to Accept” where I discuss the security by compliance issue and how the pursuit of 100 percent compliance and security is a folly.

Legislation will not address enterprise security problems.  However, if you look at what caused the PSN security breach, there were multiple issues that led to the compromise.  The chief cause appears to be that Sony was lax about routine maintenance of the infrastructure and the complete lack of internal and external communication.  This includes:

  • Server patching and hardening
  • Monitoring the network and servers for suspicious activity
  • Disjointed or missing breach response procedures
  • Lack of security leadership in the organization
  • Lack of breach communication plan

If We Hit it Harder It Might Fit!

Government Regulations at Work.

The best way to minimize the risk of a breach for an organization is to stay on top of standard maintenance and monitoring procedures.  Keep the organization’s servers patched and make sure they are hardened before putting them on the production network.

Ensure there is a security breach response plan that has been tested and communicated to the highest levels of the company.  Have a single point of contact that directs communication regarding the breach to the appropriate parties.  Also, ensure that the breach plan includes a robust communication plan for potentially affected customers.

Finally, there is always going to be a risk for a security breach or data loss.  Systems and software are designed by humans and there will be flaws that can be exploited.  Plus, social engineering will always provide a path to compromising the most secure systems due to the fallibility of the human element.  Legislation will not address these factors.

Security practitioners understand that there is always a risk for a security breach.  Therefore, risk assessment and risk management are a key component of a security professional’s job.  Identify the most critical systems and data and implement the most robust safeguards around them.  Focus monitoring efforts on these critical areas and ensure the organization’s senior leadership understands the risks, mitigation strategies and internal/external communication plans.

In my experience, compliance with multiple frameworks and regulations creates a belief in security by compliance. Organizational leadership buys into the mindset that if they have all the check-boxes marked, then they are secure and additional policies, programs and monitoring are wasted efforts.  This is a critical mistake in an age when your adversaries can turn on a dime and exploit your inflexibility.

Housekeeping Isn’t Glamorous, Only Critical

Information Technology Housekeeping Is Critical

Where's Alice When You Need Her for Patch Management?

Thursday I received an email from a journalist looking for commentary on the Citigroup breach.  Since I have written or collaborated on articles that address the regulatory and security issues of the financial industry, he wanted my take on the affair.

I re-posted his questions and my responses in this article.  The main reason was to highlight what I believe to be the root cause of the breach.  Many of my answers could have been summed up with “Citigroup didn’t keep up with its housekeeping, therefore they were hacked”.  By housekeeping, I mean patching, network monitoring, application security, etc.  The boring stuff that doesn’t require a $350k device that sports multiple VMs and makes cool science sounds.

So here are the results of the Q&A session:

The breach was discovered in May but wasn’t reported until now. Is this acceptable? What could take Citigroup so long to report?

While not ideal, this is relatively speedy for the industry as a whole.  In recent events other institutions have waited many weeks or months (Wellpoint, Countrywide Financial) to finally inform their customers and the public regarding security breaches.  As to the length of time between discovery and reporting, it is my assumption that Citigroup had to perform forensic analysis on the breach, contact and work with the authorities, determine the extent of the breach and devise the appropriate communication strategy for their customers.

Is this part of a hacker campaign against high profile institutions, or just an opportunistic hack?

At this point not much is known about the perpetrators.  If we look at the current active players (LulzSec, Anonymous, Organized Crime) and the trends in recent incidents we can make some assumptions that it was a planned attack.

How did the hack work, and could it be done again?

Again, Citigroup has not really released any detailed information but we can make assumptions.  It was probably a SQL-Injection or Cross-Site Scripting (XSS) exploit.  Almost all of the latest breaches have their roots in these vulnerabilities.  This is an easily repeatable hack that can be done over and over on vulnerable web applications or sites.

Rogue Employee Cost BoA A Lot of Dollars and Credibility

I'll Take Rogue Employee for $10 Million Alex

Should other institutions be looking at their security measures? Should competitors be tightening-up security in case they’re next?

Hopefully, to other organizations’ executives the answers to these questions are obvious.  In light of the Sony, Bank of America, Citigroup, Nintendo, Honda and Lockheed breaches, organizational leadership should immediately review their security posture and ensure they are actively monitoring their networks, patching their systems, performing trend analysis on threats, ensuring their disaster recovery plans are up to date, etc.  If not, then they should expect to be an easy target.

What could Citigroup have done to avoid the hack in the first place?

If the breach was an XSS or SQL-injection exploit, then stronger application security should have been considered for their web-based applications.  Also, they should have had a reputable penetration testing firm examine their environments for vulnerabilities on a yearly basis at a minimum.

In your opinion how does Citigroup’s online banking security compare to its competitors? Could it have done anything better?

Based on my consulting experience within the financial industry, they are more or less the same as their competitors.  As with most financial organizations, development for online banking software is handled offshore which can be a challenge when it comes to infusing the application with information security best practices from the foundation up.

As to what Citigroup could have done better, it depends on how the breach was perpetrated.  If a rogue employee gained access to the system or administrator credentials and then used that to facilitate the breach, it is harder to address. However, if the breach was an XSS or SQL-injection exploit, then their web-based applications needed stronger application security.

Citigroup Needs to Get a Better Message Together On Their Breach.

Executives Should Aspire to More "Effective" Communications.

“Security breaches happen, they’re going to continue to happen” — Citigroup global enterprise payments head Paul Galant stated when talking to Reuters. Is he right? Is his comment acceptable? Can hacks ever be stopped?

Mr. Galant is correct in stating that there will always be the potential for security breaches.  Also, if your organization is a target of a sophisticated hacker or criminal group, odds are you are going to be compromised no matter your security posture.  This sentiment is echoed by Bruce Schneier, one of the leading voices in the information security industry.  However, you can quickly intercept a potential breach if you are actively monitoring your network and trends.  The case of LastPass and how they handled a potential issue is an excellent example of that.

As for the acceptability of Mr. Galant’s comment, he should have phrased his response in a less confrontational manner but quoted Schneier’s position and then stated the steps Citigroup has been taking to address the current breach and future plans for security improvements.

I’d like to hear your thoughts regarding my responses.  So, please feel free to drop by and post a comment below!

Research Roundup: Cisco’s Annual Report 2010

Cybercrime Cash Cow

Return on Investment. Not Just for the Corner Office Crowd.

This last article in this Research Roundup series discusses the Cisco 2010 Annual Security Report.  Previously, I provided an overview of the Davos World Economic Forum Global Risks Report and Kaspersky’s ThreatPost Security Spotlight for 2011.

Cisco covers a broad array of topics in its Annual Report. However, it takes particular pains to point out that Social Engineering or Trust Exploitation is the most effective tool for cyber-criminals.  Whether it is through Facebook, Twitter, LinkedIn or via an infected URL, Social Engineering is the key vector in gaining access to privileged information.  A particularly good example of this is the HBGary breach by Anonymous.

The report puts a nice graphical spin on the overall cyber-criminal market via the Cisco CROI Matrix, which looks like Gartner’s Magic Quadrant.  Basically it boils down the profitability, growth potential and effectiveness of various cybercrime techniques.  The techniques are identified as Cash Cows (profitable and reliable), Dogs (low success and profit), Rising Stars (huge success and growth), Potentials (high growth and low revenue).   At a glance, Spyware/Scareware is a Cash Cow, DDoS is a Dog, Muling is a Rising Star and Mobile Device exploits have Potential.

The report goes on to cover in detail the various threats that fall under each category and what the trend for 2011 portends.  Basically expect more of the same from 2010 with Instant Messaging Scams tapering off, the Zeus/SpyEye nexus ramping up and cybercriminals getting their sea-legs with mobile platform exploits.

Need a few more Mules...

One area where cybercriminals are running into issues is getting folks to join their “Muling” operations.  Mules move the ill-gotten gains of cybercrooks from Point A to B, with a percentage of the take for the trouble.  Unfortunately for the Mules, this is a risky proposition with a high probability of getting caught by the Feds.  Mules normally are made to pay back all the money that they have transferred to cybercriminal accounts.

Needless to say, recruitment efforts are not going well and the Cisco Report states that there may be a 10,000 to 1 ratio of stolen goods vs. available mules.  This is why Muling is a Rising Star.  Expect to see the cybercriminals get more clever and less detectable in their muling efforts.  The report further details typical Muling operations and vectors which are very worthwhile to review.

Aligning with Muling are the latest Social Engineering trends.  Cybercriminals are now concentrating on assuming the identities of individuals that someone trusts (Facebook or LinkedIn) in order to gain access to private data or encourage others to click on compromised URLs.

Education of end-users of social media software is key.  However, the Cisco Report states that 3 percent of users consistently click on spam email or suspicious links time and again.  The latest trend in corralling these incorrigible clickers is to place them in a “sandbox” which isolates them from the network until remedial training is completed.  Also, software controls are in the works that will help an organization put a tighter leash on social media users, with far more granular access permissions.

Relies on the Seven Deadly Weaknesses of Human Nature.

The report goes on to highlight some key Social Media confidence scams, like the Robin Sage experiment.  It also ties in the Seven Deadly Weaknesses and how cybercriminals exploit them so they can exploit their targets.  These weaknesses are Sex Appeal, Greed, Vanity, Trust, Sloth, Compassion and Urgency.

Next up are the key vectors that cybercriminals exploit to gain a foothold in an organization or a person’s data.  The obvious one covered is the unauthorized USB and Stuxnet.  Another vector Cisco covers is the Advanced Persistent Threat (APT).  At one time these were stealthy attacks designed to infiltrate and record information at length on an organization’s network.  The trend Cisco is noticing is APTs morphing into highly directed attacks at individuals with a specific goal in mind, like Whaling or Spear Phishing.  Hackers do their research on a target, find the right individuals who hold the credentials they seek, then they target them with social engineering exploits via LinkedIn or Twitter.

Java and PDFs have been bumped to the top of the Dunce List for misbehaving applications.  Cybercriminals are favoring Java over PDFs, but both provide ample means to exploit.  One particular PDF zero day exploit involved a stolen digital certificate and a compromised PDF on supposed golf tips by David Leadbetter.  I’m sure you can draw your own conclusions on the target of that particular campaign.

Lame passwords by users are still a popular trend and, according to Cisco, are getting worse.  The report recommends password generators and password protection software for users.

Mobile Platforms are rapidly on their way to becoming the target of choice for cyber-criminals.   Since Microsoft has gradually been getting its act together over the years, it is no longer the slowest hiker in the Bear Analogy.  This is drawing the hacker’s attention toward Apple and Android devices.  So expect a dramatic uptick in attacks toward these platforms especially now that you can pay for your latte with your iPhone.  That’s a smart idea, really.

Another trend that ties into the mobile device pile-on is mobile application vulnerabilities, especially on open source platforms.  I discussed this previously since it was written about in the Kaspersky ThreatPost report.  Neither iOS nor Android devices are safe from the grim attention that is being paid by the cybercriminal community toward mobile applications.

With all these mobile vulnerabilities, it’s not hard to imagine that no one in the corporate IT hierarchy wants responsibility for managing and securing these devices.  The consumerization of the corporate environment is adding layers of complexity and infosec professionals are already saying they are stretched thin and not receiving senior leadership support on hard decisions.  The Cisco report echoes this concern and states that with the smartphone penetration, vendors will hopefully follow RIM’s (BlackBerry) example of providing robust security tools to manage their devices.

This expected influx of mobile vulnerabilities ties into the last main topic discussed, Data Loss Prevention (DLP).  To address the consumerization of the corporate environment, organizations are looking to protect data on mobile devices via digital certificates or containerization.  This will be especially critical in healthcare and financial organizations due to the amount of regulatory penalties they face regarding data breaches.

As a final summation of the report’s contents, Cisco states that “Cybercriminals in 2011 will be Compromising Trust, Cashing In and Carrying out More Complex Missions.”  So now go pay for your coffee with your smartphone and download some golf tips.

Cisco Annual Security Report 2010

Research Roundup: More Detail, Less Bono

Kaspersky's ThreatPost for 2011 Overview.

The anguished cry of information security professionals.

Previously, I reviewed the Davos World Economic Forum Global Risks Report and its coverage of Cyber Security.  Shifting gears from canapés to crullers; reviewing Kaspersky’s ThreatPost Security Spotlight Report for 2011, we get far more detail, which is to be expected.  The Wikileaks event plays a prominent role in this report as well.  Basically they confirm my hypothesis that this breach of executive privilege has provided the motivation to address information security concerns.  It has also pushed the concept of data security front and center in the business community. Kaspersky also posits that Wikileaks and the issues surrounding Cablegate will continue to reverberate throughout 2011.   Of particular concern would be the ubiquitous availability of mobile devices and the role they may play in another “Wikileaks” event.

Research Roundup: Rootin' Through the Data

Cyber Security and the Davos World Economic Forum

Does Your Inbox Feel Like This?

One of the biggest problems we face is information overload.  Our inboxes look like the warehouse from Raiders of the Lost Ark, Twitter releases a fire hose of information in our faces and then we have a stack of print publications teetering in the corner.

Seth Godin recently blogged about this very problem in a post titled “In and Out”.  Basically, you need to determine how much information you are going to take “in” before you actually produce something or “out”.

Well, I’m here to help with some of the clutter; at least on the cyber security front today.  A herd of security related reports were released this week and I’m going to provide an overview of each and link them all together over the next several posts.