Just back from presenting lab-based training session Detecting & Mitigating Attacks Using Your Network Infrastructure with Joe Karpenko at Blackhat USA 2012. Great to see a Defense track of Briefings which included Intrusion Detection Along The Kill Chain: Why Your Detection System Sucks And What To Do About It and more of an emphasis on protecting or remediating network infrastructures in topics like Targeted Intrusion Remediation: Lessons From The Front Lines. I attended several of these briefings and was impressed with the breadth of information provided for network operators. The Defense briefings align well with the network security best practices advocated by Cisco and presented in our training. These best practices include: Read More »
Hear how financial innovator Diebold gains visibility and control of the 87,000 devices on their network. David Kennedy, former Chief Security Officer at Diebold recognizes there is no stopping new mobile devices and sets course to secure the organization while ensuring the business may continue to generate revenue. Workers want to work their way securely and prefer that the security is transparent so that they have the optimal experience. He speaks to the unique granularity that the Cisco Identity Services Engine (ISE) offers to segment access by user, device, access method, posture, and time. So that engineers may have access to their codebase while marketing professionals like me have no access from my new iPad:
Today, the word “cyberspace” is used in many contexts, but it is not always clear what exactly that term describes and what it means. In this post we will compare the definitions of cyberspace from several sources with the purpose of establishing a range of notions as to what cyberspace is and to derive its ontology. Sources are relevant entities like national or regional government, standardization bodies, and dictionary.
The reason why the term “cyberspace” is chosen is that all other terms (e.g., cyber security, cybercrime, cyberwar, cyberterrorism, etc.) are based on, or derived from, cyberspace itself. Therefore, cyber security is security of cyberspace. Cybercrime is crime committed within cyberspace or where elements from/of cyberspace are used as a vehicle to commit a crime, and so on for other derived terms.
Staffing Cisco’s Compliance Solution demonstration a few weeks ago at Cisco Live 2012, I was beckoning passersby to test their knowledge of the Payment Card Industry (PCI) Data Security Standard (DSS) 2.0. Some attendees shook their head and walked (ran) the other way. Of the brave souls who ventured over to demonstrate their PCI knowledge, most spoke of the difficulties and challenges of dealing with not only PCI, but other mandates as well, such as HIPAA, FISMA and SOX. Attendees came from different industries such as Retail, Healthcare, Financial Services and Education, many of whom shared the same challenges with approach, best practices and the cost of compliance. Surprisingly, some were just beginning their journey, starting at ground zero, and were seeking guidance on how to meet the CIO’s “get compliant” edict with a balancing act between IT and Finance. Other customers were seeking guidance on specific product features that could address areas of management and reporting.
At a Table Topics session during the same event, other challenges around scoping, segmentation and wireless networks were discussed. Today, one of the challenges that merchants still face is with auditor inconsistency. This is an area that the PCI council is working hard to address by implementing training and best practices programs for QSA’s. To add fuel to the fire, in a recent QSA Insights Report, the cost of annual audits averages $225,000 per year for the largest merchants. Excluding technology, operating, and staff costs, the world’s largest acceptors of credit cards (also known as Tier 1 merchants) are spending an average of $225,000 on auditor expenses. 10 percent of these businesses are spending $500,000 or more annually on PCI auditors. The full PCI DSS is available for download at:
The list of account compromises over the past week is almost too long to list, and the numbers of verified or estimated compromised accounts has reached ridiculous numbers. With the media spotlight on these current companies’ compromises, we’ll likely get more details on the security weaknesses, outright failures, and more from the narcissistic vulnerability pimps taking credit for exposing those security problems.
Aside from the obvious of changing passwords, what can you and your organization do?
I won’t prognosticate on the list of best practices that may have been violated in these compromises, but they will be reported following the long, detailed, and expensive investigations in coming weeks and months, because most of them will be well-known but for one reason or another not practiced. The media reporting and the company’s public statements will cover those, and they will likely be worth a review for any significant points. We can let them tell the story, again.
Instead let’s focus on some things that people may not know or understand that can actually improve your security around these incidents. We highlighted a couple of these practices in the 2011 Annual Security Report, and more recently in the Emerging Threats Briefing at Cisco Live 2012.
First, let’s help our customers, users, and organizations. Given the opportunity, many people will take the simplest and easiest way. In the case of passwords, that means they will use their birthday, username, “password”, “123456”, and so on. We’ll see these lists of bad passwords in coming weeks too. It’s human nature, and too much work to try and remember all those passwords, right? Which leads to the second point of people that use the same password on multiple accounts (more on this shortly). As security practitioners, professionals,…we too often are setting up our users and organizations to fail. We have to do better, and here’s how. Every security control must have technical controls that enforce and monitor that security control, or we have no idea if it is effective. In the case of passwords, that means creating policies, security controls, and technical controls that require a user to create a strong password and change it regularly. If we let a user create a password of “123456”, they have done as should be expected, and we have failed. Even with the best account credentials, the accounts have to be monitored for suspicious activity with technical controls to alert security teams and users when, for example, a password is changed. For a good reference list see: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics. Note the account activity items on the list: Locked out accounts, failed logins, dormant accounts, password aging…