Drawing from a recent read of “Case 1: The Seeds of Dysptopia” in the World Economic Forum 2012 Global Risks 2012 Seventh Edition, it’s now more than apparent than ever that the impact of crime and terrorism in the digital world is fast mirroring that of a physical world. We’re living in an era where attempts to build a more secure world may have unintentionally gone astray as evidenced in Ellen Messmer’s Worst Security Snafus of 2012 where such consequences were clearly not imagined or intended by security vendors and businesses alike. We’re indeed dealing with the opposite of Utopia.
Our digital reality can be very fragile when one considers that how heavily we rely on mobile devices and cloud applications not only to conduct business but also in our personal lives. And the data that is transmitted via these devices and to various cloud applications is increasingly a target for scammers, thieves and hactivists.
And, it’s not only government entities, critical infrastructure and key verticals that are the targets of such attacks; in today’s climate every organization is a prime target. Take the very recent case of an Australian healthcare organization that is being held to ransom by hackers to the tune of AU$4,000 who recently hacked into their database and encrypted the data – it seems an extraordinary scenario for a small organization to be facing. Not only has their data been compromised but it has been rendered inaccessible as the organization now has to find a way to decrypt that data, which is proving to be rather challenging.
So what should organizations do to shore up their defenses? Start by treating data as the key asset to be protected versus fortifying your infrastructure. In today’s world data takes on increased significance -- bank account statements, personal information, credit card numbers, trade secrets, government documents. Every one has data they need to ensure tight control off and aligning security controls to the CIA (Confidentiality, Integrity and Availability ) triad can help ensure the right measures are taken.
When we talk about confidentiality of information, it’s about about protecting information from disclosure to unauthorized parties. In addition to measures like encryption, look to beef up access controls by feeding security decisions and intelligence across various enforcement points in the network rather than only at a single choke point in the data stream. Integrity of information refers to protecting information from being modified by unauthorized parties. Leverage global correlation and threat intelligence with reputation-based feeds to protect against new threat vectors and emerging malware. Availability of information means ensuring that authorized parties are able to access the information when needed. Think of the network as a data enforcement layer and link that to a strategy that identifies users based on contextual attributes (where, when, how and business need to know) when accessing critical of confidential information assets. So, what I have outlined is a starting point towards moving one step at a time towards a Utopian Digital Future. What are your strategies? We’d love to hear from you.
This will be my last blog of the month in regard to our Nations Cyber Security Awareness Month. I was able to attend a webinar, “Defending Cyber Borders -- Beyond the Virtual Maginot Line” October 25th, in which a panel discussed what CIOs, CEOs, and those who work in the virtual realm; pretty much all of us, need to focus on in regard to defending our virtual borders.
The panelists were as follows:
Rick Holland, Senior Analyst, Forrester: Rick is a Senior Analyst serving Security & Risk Professionals. Rick helps clients optimize security architectures and technologies to protect the organization from advanced threats. His research focuses on email and web content security as well as virtualization security. He also supports research in incident management and forensics. He is based in the Dallas area.
Rob Lee, Fellow, SANS Institute: Rob Lee is an entrepreneur and consultant in the Washington DC area, specializing in information security, incident response, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response.
Steve Martino, Vice President, Information Security, Cisco: Vice President Steve Martino leads Cisco’s Information Security (InfoSec) organization to innovate and adopt the most effective security technologies and policies, reflect them in Cisco’s people, products and services, and share them with customers. He has more than 30 years of high-technology experience in security, IT operations, product development and operations, marketing, and sales.
Shehzad Mirza, Director, MS-ISAC Security Operations Center: Shehzad Mirza is currently working as the Director of the MS-ISAC Security Operations Center (SOC). He is responsible for managing a team of analysts. Previously, he has worked as a principal consultant with Symantec Corporation managing various cyber security projects, and a technical trainer for New Horizons Computer Learning Center. Shehzad has worked in the security field for over eleven years and is MCSE, GCIH, GAWN, and CISSP certified. His main expertise is in network security infrastructure and assessment, firewall configuration, IDS/IPS configuration, PCI compliance, staffing and vulnerability assessments.
Rod Turk, Director and CISO, U.S. Patent and Trademark Office: Mr. Turk’s current position as the U.S. Patent and Trademark Office (USPTO), Chief Information Security Officer and Director, Office of Organizational Policy and Governance puts him at the forefront of the government’s effort on cyber security. Mr. Turk manages and oversees USPTO’s compliance with the Federal Information Security Management Act (FISMA) and implementation of IT best practices.
A major theme that resounded throughout the webinar was that everybody is a fighter in this battle. We, the end user at the device, are the ones who have to stop the intrusion first by knowing not to go to this website or click on this link from an unknown email. It was stated that many (possibly up to 97%) of these ‘fishing’ attempts can be thwarted at the end user level. It was also stated that the ability for those involved on the technology side of the house to integrate and create a relationship with the non-technology side is paramount. Together, lets to be able to teach proper protection at the end user level and create policy that is revisited, refined, and correctly implemented. Let’s not create an environment to where our “incident responders”, those who will aid in the detection, mitigation, and recovery phase, are wearing two or more hats. They have to be focused on the task at hand and be able to virtually isolate or quarantine that end user device from the network.
Rod Turk made the analogy of a hard chocolate covered cherry. The outside is protected, but once a bite, even the smallest bite is taken, and that first layer gone, the rest is just gushy and soft. He was using this to describe the security that most company’s put in place as far as protection. There has to be a focus from protecting inside out. Once again, the idea of the end user protecting or detecting malware and reporting such will allow for faster response and may also allow the responder to trace the malware back to a source.
So where do we begin? A focus has to be made in order to identify what is valuable that someone else would want? Why? Who? Why would they want to interrupt my operations? What’s important to me? What would they target? Identify those needs early and start with that. Go back to the basics in regards to solid policy and implementation; not only for end users but for IT professionals, too. Have good patch management, know what you have within your environment, you can’t protect yourself if you don’t even know what you have to protect. If you’re on a limited budget, no problem, just concentrate on what’s most important to protect right now and work from there.
Once again, the ability for the CEO, CFO, CIO, or CISO to be able to build a relationship and collaborate, I can’t stress this enough, is paramount. “Techie” talk isn’t sexy by any means, but it has to be understood on even high levels that everyone can be a stop gate or can be the catalyst to a massive intrusion. The barrier does have to come down and the old way of thinking, “I’m not a gadget guy, that’s someone else’s problem” has to migrate to the idea that this is an Asymmetrical Battlefield meaning a 360 degree fight. There are no ‘front lines’; everybody’s a target.
If you don’t get an opportunity to watch the webcast, I strongly recommend you do, then know this:
It starts with the human end user. We’re all in this toghether, so let’s be proactive in identifying what doesn’t look right, no matter how small, and report it.
Lean on your basic fundamentals either as an IT professional or the policy that outlines use of devices.
Create an environment that is conducive for incident responders to do their job by making sure their main focus is incident response
And lastly know that nothing will change if a proactive approach is not taken by both “Techie’s” and “Non-Techie’s”. Collaborate and Integrate.
It was great serving you this month! Please protect yourselves and help protect whatever agency or company you may be working for. Cyberspace is limitless and endless; we may never have a full grasp but we can start with a basic knowledge. You can check out MS-ISAC if you would like to know more.
The verdict is in — and it is all about security. Recent research from The Economist notes that security is the top concern for mobility and BYOD. Organizations want to embrace BYOD but want control to ensure secure access to the network. Chuck Robbins, Cisco Senior Vice President, wrote a blog entry that underscores what we hear almost daily in conversations with our customers and partners. The organizations we speak to have mobility policies that range from no personal devices allowed at all (which is really not BYOD), to policies that permit all personal devices with restricted access, and still others that allow all devices with differentiated access based on the device type, user, and posture.
Some common differentiation access use cases may include:
Allow my sales force to access the proposal portal remotely from their iPads but do not allow them access to the finance database.
Do not allow any jail broken device, whether personal or corporate-owned, because there is a high probability it has been infected with malware. A device is considered jail broken when the user gains root access to the operating system, allowing applications or extensions to be downloaded that are not available in the Apple Application store, which increases the risk of malware infection.
Automatically check to see if the device has pin-lock and disk encryption (basic device security), grant the device the appropriate access. If not, it will be diverted with the non-compliance explanation.
Another interesting observation is many of our higher education customers are starting to see eight devices per user versus the three devices noted. Watch out! The next workforce has some real potential to influence the new workplace.
Stay tuned -- later this year we look forward to sharing with you some further insight on mobile workers and their perceptions and behaviors regarding security. For example, how many folks download sensitive data on their personal smartphone? Or when an alert or pop-up warning occurs on their personal device what do they do? How many engage in risky behavior? Who is security aware? If you are a mobile device worker it would be great to hear your understanding of the security of your personal device in the new workplace.
The realm of Network security encompasses many perspectives and interests as is evident from the wealth of articles prevalent across the media and availability of various proactive protection measures. One particular technology recognized as integral to securing a network is the Intrusion Prevention System (IPS), which is used to detect and prevent suspected malicious network traffic or behavior. However, an IPS is not just a ‘set-it-and-forget-it’ type of solution. This is because of the necessity of employing current Cisco IPS signatures, which are the lifeblood of the IPS and are essential for it to identify and block attacks against specific vulnerabilities or certain types of threats. Because new threats and vulnerabilities are constantly being discovered, the IPS signature database for an IPS-capable device needs to be kept current to maximize the level of protection that it can provide. If you already use Cisco IPS technology, then you might already be familiar how crucial it is to use the most current IPS signatures. Otherwise, the IPS solution cannot provide optimal protection against new threats and attacks. Cisco IPS owners with a Cisco IPS Services License understand this fact and can receive signature updates as they become available. Signature updates can be installed manually or downloaded and installed automatically using native Cisco IPS capabilities or management tools such as Cisco Security Manager. For those inclined to write their own signatures, Cisco has published documentation on how to write customer signatures for the IPS.
And while the signatures are the “lifeblood” of the IPS and keeping them current is paramount, it is also important to make sure that the underlying operating system is kept up to date on the sensor as well. The underlying operating system and engines decompose and analyze the traffic as it passes through the device. Things like protocol decoding, features, and evasion resistance are handled here. The engines work but do not alert without the signature set as the signatures provide the matching framework for an alert to fire. The same can be said about the signatures. They do not work without the engines. Each requires the other to function and therefore keeping them both current is important.
As part of CSIRT’s mobile monitoring offering for special events, we undertook monitoring of the corporate and customer traffic of the Cisco House at the London 2012 Olympics. This engagement presents us with an excellent opportunity to showcase Cisco technology, while keeping a close watch on potential network security threats. CSIRT monitoring for this event will be active for the entire life-span of the Cisco House, from two months before the Olympics, until two months after.
For the London 2012 engagement, we shipped our gear in a 14RU military-grade rack that is containerized: made for shipping. Inside the mobile monitoring rack we have an assortment of Cisco kit and third-party kit that mirrors the monitoring we do internally:
Catalyst 3750 to fan out traffic to all the other devices
FireEye for advanced malware detection
Two Cisco IronPort WSA devices for web traffic filtering based on reputation
Cisco UCS box where we run multiple VMs
Lancope StealthWatch collector for NetFlow data
and a Cisco 4255 IDS for intrusion detection
We mirror the signatures that we have deployed internally at Cisco out to these remote locations. Depending on the environment where the mobile monitoring rack is deployed, we may also do some custom tuning. The kit in the mobile monitoring rack can do intrusion detection, advanced malware detection, and collect and parse NetFlow and log data for investigation purposes. The Cisco UCS rack server also helps us have several VMs, allowing us to run multiple tools that complement the other devices in the rack. For example, we run a Splunk instance on a VM to collect the logs generated by all the services. The data from the gear in the mobile monitoring rack is analyzed by our team of analysts and investigators, to eliminate false positives, conduct mitigation and remediation, and finally produce an incident report if required.