Tag Archives: security

Despite what you may think, IT security “is” your business

Many executives feel that IT security is only an issue for the IT department. The problem is that IT security is a bigger issue than just your IT department. Every day your company faces viruses, lost devices, stolen data, and intellectual property walking away with recently dismissed or disgruntled employees. According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 871 separate incidents in 2011, costing companies an estimated $26 billion. Now you might say, “We aren’t in the business of IT or security. We make widgets. We maximize investor returns by buying, selling, and trading subsidiaries to create wealth.” The fact is that, today, an organization that ignores IT security is taking a clear risk. As reported in Forbes magazine on January 2, 2012, “If data loss continues on its current trends, it will cost the U.S. economy $290 billion by 2018”. Most cases go unreported; here are the ones that made headlines in 2011:

  • RSA
    The security division of data storage firm EMC was hit by a hack that compromised the cryptographic seeds behind its popular SecurID tokens, forcing it to offer replacements to its clients. The stolen information was later used in an attack on defense giant Lockheed Martin. RSA has provided a useful working definition of the term advanced persistent threats, or APTs, as “military-grade cyber-attacks on commercial entities.” In the face of APTs, businesses need a new defense doctrine, which is under discussion by an increasing number of corporate chief information security officers.
  • Texas Comptroller
    A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees.  No hacking was necessary to access this server.
  • Sony
    In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions.  Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation network.  The Sony breaches followed several similar data breaches by online service suppliers such as Play.com and Lush, so what effects are they likely to have on the online services industry?
  • SK Communications
    A complex attack on the Internet company netted the personal information of 35 million South Korean users.  That’s in a country of 50 million people.
  • SAIC
    A few of the defense contractor’s backup tapes were stolen out of an employee’s car.  The tapes contained the medical records of more than 5 million military patients.
  • Sutter Medical Foundation
    A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses.  This incident brought on a class action suit, alleging negligence in securing data.

Can you afford to have your company on this list? I did not think so. All of us have a role to play in a more secure internet; it is clear we have a problem and need to get on with fixing the issues as quickly as possible. If your company holds customer information, takes credit cards, or has computers that use passwords, then IT security is in fact your business.

Using Aruba’s Tunneled-Node to Extend Wireless AAA Policies to the Wire

I recently recorded a 10-minute video demonstration of how you can use an Aruba Networks Mobility Access Switch to extend your existing wireless AAA and QoS policies out to the wired access layer.

Now that you’ve watched the video, here is a quick recap of some of the benefits and use cases for tunneled-node.

Benefits (In no specific order):

  • Management – AAA profiles for wired and wireless users are created in a single location.
  • Efficiency – Ideally, you already have strong AAA and QoS policies on the WLAN. Tunneled-Node means you don’t have to reinvent the wheel. Instead, just reuse the same policies and apply them to wired ports.
  • Security – This is the main driver, isn’t it? Clearly, having users and devices authenticate and receive derived roles matching their requirements is a much better way to go than wide-open wired access for all.

Limitations:

  • Tunnels – The name kind of spells out the first limitation. Since all traffic from tunneled-node ports is carried from the switch to your mobility controller, you will need to make sure the controller (and the link to it) is sized to handle the increased load; the controller also becomes a single point of failure for those wired ports.
  • Closed Architecture – Currently, this solution requires you to have both an Aruba mobility controller and mobility access switch. Both products function just fine without each other, but tunneled-node functionality requires both.

When is this solution a good fit?

In my opinion, the solution fits well in the following scenarios:

  • Board rooms and public spaces – A single switch could easily increase security in areas that host both employees and guests/contractors/students. Employees get internal access in boardrooms while guests get internet-only access even when plugging into the same port.
  • New WLAN deployments – If your organization is just deploying a new Aruba WLAN, then a mobility access switch could be of great benefit. You’ll need something to provide PoE power to the access points anyway.

I really don’t want this to come across as an Aruba advertisement. There are certainly other solutions on the market today but I think tunneled-node should be given serious consideration for any organization with an already deployed Aruba WLAN.

Daniel

Please feel free to contact us, or leave a comment, if you have questions about how this solution works. Also, the lab I used in the demo was built completely self-contained and portable. So, if you’d like to have a live demo, in-person, we can arrange that as well.

Pay Attention!

Preying on quick decisions…pay attention!

I was travelling recently to our nation’s capital for a security conference (there’ll be another article on this topic), and most of my communication was through my mobile device. I was quickly scanning my emails when the following LinkedIn invitation came through:

Most enterprise organizations have fairly sophisticated email filters today, but the odd phishing or malware-laden message does find its way through. When I receive a suspicious email, I look for the telltale signs of a fraudulent message: do I know the sender, who is it addressed to, do I recognize the organization. As you can see from the screenshot above, all of the basic checks passed. Our security awareness training teaches people to hover over links to see where they actually lead. On a mobile device, however, it’s not quite as easy: with our fancy touch screens it is sometimes difficult to select a hyperlink and inspect its final destination without opening it. I was able to determine the final destination of the hyperlink on my handheld, but it made me wonder, would other people be so diligent?
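As an added example (not part of the original post), here is the hover-over check done in code: it parses the anchors out of an HTML e-mail body and flags links whose target is not under the domain the message claims to come from, whose target is a raw IP address, whose visible text names a different host than the real target, or which are not HTTPS. The e-mail body is constructed for the example, using reserved example and test-network addresses; `linkedin.com` is used as the claimed sender’s domain only because that is what the invitation purported to be.

```python
"""
Hover-over check done in code: compare what a link says with where it goes.
Added example, not from the original post. The e-mail body below is
constructed for the example; the hosts are reserved example/test ranges.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample: one genuine-looking link, one look-alike domain, one raw IP
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Jane Doe has indicated you are a Friend</p>
<a href="https://www.linkedin.com/e/invite/12345">View invitation</a>
<a href="http://linkedin.com.example.net/accept">Accept</a>
<a href="http://203.0.113.7/lnkd/accept">www.linkedin.com/accept</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str):
    """Return [(anchor text, href), ...] in document order."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _same_org(host: str, domain: str) -> bool:
    """True if host is domain or a real subdomain of it (not a look-alike prefix)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


# Something that looks like a hostname inside the visible anchor text
_HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def suspicious_links(html: str, expected_domain: str):
    """Return [(text, href, [reasons]), ...] for links a reader should not trust."""
    findings = []
    for text, href in extract_links(html):
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme != "https":
            reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
        if _is_ip(host):
            reasons.append("link target is a raw IP address")
        elif not _same_org(host, expected_domain):
            reasons.append(f"target host {host!r} is not under {expected_domain}")
        shown = _HOST_IN_TEXT.search(text)
        if shown and not _same_org(host, shown.group(1)) and not _same_org(shown.group(1), host):
            reasons.append(f"visible text names {shown.group(1)!r} but target is {host!r}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "linkedin.com"):
        print(f"[{text}] -> {href}")
        for r in reasons:
            print("   ", r)
```

The look-alike case is the one worth noting: `linkedin.com.example.net` passes a naive "does the link contain linkedin.com" check, which is why the comparison is done on the parsed hostname’s suffix rather than on the raw string.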

Remember the good old days, when some prince in Africa wanted to transfer funds, the email body was written in horrible English, and the sender was some bizarre fellow with a name you’d never heard of? Today’s phishing and malware-laden emails are getting quite sophisticated. Pay attention; you never know when an email such as this will find its way into your inbox.

Eugene Ng

Data Breaches Cost Companies over $26 Billion in 2011

According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 871 separate incidents in 2011. That is an increase of over 37.4% in incidents and 370% in records compared to 2010. According to research conducted by the Ponemon Institute in 2010, the average cost of a data breach was roughly $209 per compromised record, which puts the price tag for 2011 at over $26 billion. The following is an analysis of the incidents:

Types of Breaches

Hacking – deliberately breaking into computers – became the most common means of breach last year.

Top Incidents

  • RSA
    The security division of data storage firm EMC was hit by a hack that compromised the cryptographic seeds behind its popular SecurID tokens, forcing it to offer replacements to its clients. The stolen information was later used in an attack on defense giant Lockheed Martin. RSA has provided a useful working definition of the term advanced persistent threats, or APTs, as “military-grade cyber-attacks on commercial entities”. In the face of APTs, businesses need a new defense doctrine, which is under discussion by an increasing number of corporate chief information security officers.
  • Texas Comptroller
    A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees.  No hacking was necessary to access this server.
  • Sony
    In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions. Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation network. The Sony breaches followed several similar data breaches by online service suppliers such as Play.com and Lush, so what effect are they likely to have on the online services industry?
  • SK Communications
    A complex attack on the Internet company netted the personal information of 35 million South Korean users.  That’s in a country of 50 million people.
  • SAIC
    A few of the defense contractor’s backup tapes were stolen out of an employee’s car.  The tapes contained the medical records of more than 5 million military patients.
  • Sutter Medical Foundation
    A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses.  This incident brought on a class action suit, alleging negligence in securing data.

Incidents by Business Type

Cybersecurity was one of the top buzzwords for 2011 as commercial organizations increasingly found themselves up against advanced and persistent attacks to the degree previously seen only in military organizations.  Information security has moved up in the agendas of most corporations and other businesses, but government too is placing increasing emphasis on the topic, backing national cybersecurity efforts with dedicated budgets.

Incidents by Offending Party

While more and more companies are becoming aware of the problem, few have taken action.  As the above analysis demonstrates, the need to take action has never been so persuasive.

To learn how to protect your organization, download our complimentary Executive Guide to Data Security.

WPS Brute Force Concerns and Solution

Recently, Stefan Viehböck published a white paper documenting implementation weaknesses in the Wi-Fi Alliance’s Wi-Fi Protected Setup (WPS). The core problem is that the access point confirms the two halves of the eight-digit PIN separately, and the eighth digit is a checksum, so an attacker needs at most 10^4 + 10^3 = 11,000 guesses rather than 10^8. Immediately following the release of the white paper, a tool called Reaver was released publicly that brute forces the WPS PIN and, once it has the PIN, retrieves the WPA/WPA2 pre-shared key (PSK) from the access point. The attack takes 4-10 hours on average and has an extremely high success rate.
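The following is an added example, not from the original post or from the Reaver project. It implements the WPS PIN checksum, simulates an access point that confirms each half of the PIN separately (as the real M4/M6 exchange does), and recovers a PIN using that split while counting the guesses. `SimulatedRegistrar` is a stand-in for the access point, not real WPS traffic; 12345670 is the well-known sample PIN from the WPS documentation.

```python
"""
Why the WPS PIN falls to brute force: the PIN is checked in two halves.
Added example, not from the original post or from Reaver. SimulatedRegistrar
stands in for the access point's PIN check; no real WPS frames are sent.
"""
from dataclasses import dataclass, field


def wps_checksum(first_seven: int) -> int:
    """Return the 8th (check) digit of a WPS PIN for a 7-digit prefix.

    Digits are weighted 3,1,3,1,... starting from the least significant
    digit of the prefix; the check digit makes the weighted sum a multiple
    of 10. This is the checksum defined by the WPS specification.
    """
    accum = 0
    n = first_seven
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if the 8-digit PIN carries a correct check digit."""
    return 0 <= pin <= 99_999_999 and pin % 10 == wps_checksum(pin // 10)


@dataclass
class SimulatedRegistrar:
    """Stand-in for the access point side of the WPS PIN exchange.

    A real registrar reveals, through its M4 and M6 responses, whether the
    first four digits and then the last four digits are correct. Without a
    lockout, that turns one 8-digit secret into two small ones.
    """
    pin: int
    attempts: int = field(default=0)

    def first_half_ok(self, first4: int) -> bool:
        self.attempts += 1
        return first4 == self.pin // 10_000

    def second_half_ok(self, first4: int, last4: int) -> bool:
        self.attempts += 1
        return first4 == self.pin // 10_000 and last4 == self.pin % 10_000


def recover_pin(ap: SimulatedRegistrar) -> int:
    """Recover the PIN the way a split-verification brute forcer does.

    Phase 1: at most 10^4 guesses for the first half.
    Phase 2: at most 10^3 guesses for the second half, because the 8th
    digit is a checksum and is computed rather than guessed.
    """
    first4 = next(g for g in range(10_000) if ap.first_half_ok(g))
    for last3 in range(1_000):
        prefix7 = first4 * 1_000 + last3
        last4 = last3 * 10 + wps_checksum(prefix7)
        if ap.second_half_ok(first4, last4):
            return prefix7 * 10 + wps_checksum(prefix7)
    raise RuntimeError("unreachable for a checksum-valid PIN")


def worst_case_attempts(split_verification: bool) -> int:
    """Guesses needed in the worst case, with and without the half-by-half leak."""
    if split_verification:
        return 10**4 + 10**3      # 11,000: the weakness Viehböck described
    return 10**7                  # checksum known, 7 free digits, no split


if __name__ == "__main__":
    target = 12345670             # well-known sample PIN; check digit is 0
    assert wps_pin_valid(target)
    ap = SimulatedRegistrar(pin=target)
    print("recovered", recover_pin(ap), "after", ap.attempts, "attempts")
    print("worst case: split", worst_case_attempts(True),
          "vs. unsplit", worst_case_attempts(False))
```

Note that nothing here touches the WPA/WPA2 passphrase: the PIN is a separate, much weaker secret, and once it is known the access point hands over the PSK, which is why a long, complex passphrase does not help against this attack.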

What does this mean for you?

If you are a home user with a relatively new wireless router, you are probably susceptible to this attack. Basically, if your wireless router is WPS-capable, assume you are vulnerable unless it locks out PIN attempts after repeated failures, and even then a short lockout only slows the attack down rather than stopping it.

How do you defend against this attack?

The solution is quite simple: disable WPS on your wireless router. This renders the attack useless and it becomes a non-issue for you. One check is worth doing afterwards: confirm that the access point no longer advertises WPS in its beacons (the wash scanner that ships with Reaver lists WPS-enabled access points in range), since some consumer firmware has been reported to keep WPS active even after the setting is turned off.

Hey, wait a minute. How come you only mentioned home users?

WPS is a system designed specifically for non-technical people. It is widely implemented in SOHO wireless routers but is generally not an enterprise wireless feature. If you happen to be running SOHO gear in the enterprise, then you will need to check whether you are vulnerable as well.

Just how easy is it to perform the attack?

Easy. Here is a quick video demonstration showing how the attack works and how to protect against it. The video was created using the freely and readily available how-to documentation on the Reaver code page.

The Bottom Line

If you are running enterprise gear, you probably have nothing to worry about. If you are running SOHO gear, then you need to look into this a bit further. Increasing the length and complexity of your PSK does not protect against this attack, because the PSK is handed to the attacker once the PIN is known. You need to disable WPS until the protocol can be strengthened.

Oh yeah, and Happy New Year!

The NCI Blogging Robot

Questions? Concerns? Comments? Get in touch with us below.

Our true value as security professionals

Whether we are talking about financial security, territorial security, or even personal security, the concept of security is constantly evolving as it pertains to the business world and in the overall, global sense. Having recently joined the world of corporate IT security, I was immediately struck by the similarities between the evolution of corporate data, network, site and communications protection and the overall global evolution of security of state and citizen.

In many ways, the focus on IT security in a corporate environment mirrors and evolves along with the idea of security in general. The role of security professionals, whether that is in the IT world or physical world has changed with the evolution of the threat itself.

40 years ago a country could secure its borders, build a strong military, and be relatively safe and isolated from outside threats. Vigilance was reactive and often restricted to military, government, and police agencies within the country. The security of a corporate environment and communications was also a much simpler and more preventative effort.  A locked briefcase, locked doors, and secure passwords on rudimentary communication systems were generally enough to thwart attacks which were often limited to one-off rewards.

The landscape has changed and as security professionals providing security services in today’s market, our roles have evolved to include those of educators, innovators, as well as defenders. We have been shown, quite regrettably and dramatically, that in the modern world, a strong military, a great border defence program, and advanced counter espionage programs are not enough to guarantee indemnity from threats. Dedicated and organised attackers will find ways around those defences and will strike at the hearts of our most vulnerable systems and sites.

This also holds true for the modern corporation. Firewalls, authentication systems, communications monitoring, UTM appliances and software controls are all good and necessary preventative measures, but it is the ongoing vigilance, proactive posture, and prepared response plans that will ultimately provide the best security for our clients.

What does this mean for us in the security provider world?

It means a heightened responsibility and a mandated goal to stay ahead of the curve in combating threats. The challenge for us is understanding our clients and their tendencies. 

It also means we have a great opportunity. We have the opportunity to be critically integrated into the organisms which are our clients’ corporate environments. Having a defensive responsibility that stretches from the server, to the endpoints, and to the cloud, means there is an abundance of opportunities for us to be creative, inventive, vigilant and consistent in our approach to protecting our clients from the threats that exist and evolve daily.

The concept of security in 2011 is constantly changing and is just as dynamic as the world around us. The notion of “not if, but when” offers us a unique chance to truly act as trusted advisors and as mission-critical resources to our clients. Despite all of our efforts, the adversary is organized, relentless, and in many cases unpredictable because attacks are often not aimed at any particular victim. Hackers will repeatedly probe multiple targets, looking for weaknesses that may or may not exist, until at some point they find a way past the defences.

The key to our value is not how we stop all breaches of security; we cannot do that. The key is how we help our clients minimize that risk through best-of-breed preparation and a strong response plan that spells out how the organization, from CEO to end user, will react when the risk becomes a reality. A corporation that accepts responsibility for ‘response’ along with the obligatory risk management tasks will improve overall security and reduce losses and damages in the long run.

Our role and enduring professional mission is to help our clients and our industry evolve our collective thinking in line with these goals. This presents both a great challenge and a fantastic opportunity, which makes the security industry an exciting place to work and live.

Paul Robbins

My journey in IT Security Certifications

IT security is one of the fastest-growing sectors in the IT field, and as such IT security professionals are in high demand. As a result, employers in the security field increasingly use certifications as a baseline for evaluating and comparing candidates. As an IT security professional, I have gone through many certifications in my career.

Here is an overview of the major IT and security certifications I have obtained:

Cisco Track (CCNA, CCNP): Like many security professionals, my journey in IT certifications started with the Cisco routing and switching track, as I was in the networking field before moving into security. Cisco certifications are highly technical and very demanding in terms of hands-on ability on routers and switches. They gave me strong knowledge of networking technologies and a deep understanding of routing protocols. Currently, obtaining the CCNP requires three exams (routing, switching and troubleshooting) after the CCNA. Like all Cisco certifications, the CCNP is valid for three years; to renew it you must pass a professional-level exam or an expert-level written exam before the expiration date.

Security+: This is the first certification to consider for a junior IT professional aiming to specialize in IT security. CompTIA Security+ is an international, vendor-neutral certification that demonstrates competency mainly in network security, threats and vulnerabilities, access control and identity management. It was my first step into the IT security world. It was not highly technical; instead, it focused on the terminology and basic security concepts used by security professionals. Security+ is valid for three years and requires retaking the exam before the expiration date in order to renew.

CISSP: After gaining the required five years’ experience in the security field (with a strong networking flavour), I took the CISSP exam. This is a very demanding certification with a large volume of material to work through. It took me about four months to finish the Shon Harris study guide (studying only on weekends), then about a month to practise CISSP-style questions. CISSP is not the most technical certification, but it is by far the most complete in terms of coverage of security subjects. It took me around four hours to finish the 250 questions of the exam. CISSP is valid for three years, and earning CPEs is required to maintain and renew the certification.

CEH: It is much more technical than Security+ and focuses on penetration testing methodology and various hacking tools. I can’t say I learned pen testing from CEH; prior to taking the exam I already had some experience with pen testing and security assessments. What CEH gave me was a solid grounding in methodology and in the goals to be defined for each step of the pen testing process. CEH v6.0 was more focused on tools, whereas the new CEH v7.0 curriculum is more focused on methodology with an OWASP flavour. CEH is valid for three years, and CPEs are required to maintain the certification.

CISA: CISA is a well known audit certification, most probably the oldest in the field of information systems audit. The exam focused on IT governance, risk management and general IT audit process and methodology. Unlike the CISSP exam, which I found to be pretty easy, this exam was hard, really hard. Few questions were of a technical nature, and the business process and risk management questions were very subjective and ambiguous. Just like CISSP, CISA is valid for three years, and earning CPEs is required to maintain and renew the certification.

The journey is not finished yet; this year I’m targeting GIAC certifications and will focus more on audit process, risk and security program management.

Maher G.

What has your certification path been like? Are there any certifications you would highly recommend? Do you agree or disagree with emphasis and importance that employers place on certifications during the hiring process?

(ISC)² Security Congress 2011

The congress was held Sept 19-22 at the Orange County Convention Center in Orlando. This was (ISC)²’s first annual Security Congress, hopefully not the last! It was co-located with ASIS International’s 57th annual seminar and exhibits, a move that recognizes the convergence of physical and information security.

After attending this congress, I realized how big the physical security world is. To give you the numbers: there were 280 attendees from (ISC)² versus 20,000 from ASIS, and 700 exhibitors for this crowd to visit.

There were three hour-long educational sessions per day, with about 25 topics to choose from for each session.

What were they talking about?

The three topics that were heard, discussed and debated in almost every session (among the 10 or so (ISC)² sessions I attended) were:

  1. Cloud Security
  2. Mobile Device Security
  3. Social Media

The trend and focus for the information security industry over the next couple of years will be on addressing these three topics with policies, regulations, products, and services. Below I’ll expand a little on why each area is attractive and what the security risks are.

1. Cloud Security

Why cloud? – Flexibility and scalability, cost savings, availability and disaster recovery

Threats? – Data loss/leakage, abuse of cloud, account/service hijacking, shared technology

What to do? – Like any other technology, cloud has risks associated with its benefits. All the classic principles of information security should be applied to it, starting from the design/architecture phase. Have an incident response plan. Consider private/community/public/hybrid cloud options.

2. Mobile Device Security

Why mobile devices? – Business rewards (response time, availability, flexibility), employee experience (ubiquitous mobile devices, employee owned), executive adoption

Threats? – Data loss/leakage, employee privacy concerns, compromise of corporate network from mobile device

What to do? – Look into device ownership (= liability) issues, have a corporate and a personal mobile device use policy, provide training to go along with that policy, harden mobile devices 

3. Social Media

Why social media? – It’s ubiquitous and unavoidable, it is the basis for Web 2.0, it has great potential to be used as a marketing and customer communication tool for the enterprise

Threats? – Faster spread of malware through the ‘trust’ factor, phishing attacks, worms, shortened URLs, Evil Twin attacks, session hijacking, identity theft, all leading to information leaks and corporate liability issues

What to do? – Social media use policy (AUP), education and awareness, use of content filtering and DLP products to control traffic to and from social media sites

Some interesting notes:

  • Security is not about security, it’s about risk management
  • What is the perimeter of your network? It’s the end user!
  • A smartphone on your network should not be treated ANY differently from any other computer on your network
  • 1 out of 5 tweets names a product brand
  • Facebook mobile users are 50% more active than other users of the site
  • Sources of social media risk include: clients, employees, vendors, competitors, activists, and cyber criminals

Some interesting speakers:

  • Jeb Bush, Former Governor of Florida
  • Vicente Fox, former president of Mexico
  • Burt Rutan, designer of SpaceShipOne
  • Janet Napolitano, US DHS Secretary
  • Winn Schwartau, celebrity and power thinker on security/privacy/infowar/cyber-terrorism
  • Charlie Blanchard, Manager of Security & Privacy Services, Deloitte & Touche LLP
  • Simon Hunt, VP and CTO, Endpoint Security, McAfee
  • Shayne Bates, Director Security Cloud Strategy, Microsoft Global Security
  • James Hewitt, Director of Security Governance, CGI Federal

Vahid A.

Wireless Hacking with Fruit

A while back I delivered a short wireless security presentation, at a Toastmasters meeting, designed to explain a technical subject to a non-technical audience. The presentation went well enough that I’ve decided to record a modified version to place here.

This video is a very high-level explanation of how wireless networks operate. This is by design as I want to keep the information accessible to everyone and not just to those individuals who already have a deep technical understanding of wireless networking and information security.

Dan C.

Do you have additional tips for protecting yourself from this type of wireless attack? Leave your tip in the comments section and, as always, please be sure to share this post with anybody you think would benefit from viewing it.

Mobile Troubles

The growth of mobile phone usage seems to be rapidly outpacing the adoption of mobile security. For instance, how many people run anti-virus (AV) software on their laptops and desktops? And now how many run AV on their mobile phone? There are several free anti-virus applications available for most platforms, including laptops, desktops, tablets and even smartphones. An informal poll conducted by SANS in July 2010 found that approximately 85% of smartphones did not have any AV installed. Of the 14% who did have AV installed, 18% reported finding malware.

What I found strange about this poll is that security has improved on the laptop/desktop side, yet our mobile devices, which have a fair bit more exposure, are left vulnerable. In 2010, Android saw several firsts: an SMS Trojan, a botnet, GPS monitoring, and even a bank phishing application. These firsts signal a dramatic increase of malware on the Android platform. One report, by McAfee, put the rise since the previous quarter at 76%.

Android is not the only mobile platform that is susceptible. Research has shown a positive correlation between the popularity of a device or operating system and its infection rate. This correlation is similar to the one seen in the PC world, and the same is true of the techniques being used to infect victims. One of the largest threat vectors I can think of is the sheer volume of applications in the app stores. With such an influx of new apps, it is hard to ensure that each one is safe.

You may wish to thank me for a sleepless night, but you already know how to protect yourself, because mobile phones are just small computers. Start by doing the same things you do on your laptops and desktops. First, get basic AV installed from a reputable source. Second, do some research before installing any app on your phone; if you are uncertain of the source, then maybe it is not worth the risk. After all, an ounce of prevention is worth a pound of cure.

Joe O.

What do you do to protect your mobile phone from malware? Share your thoughts and techniques in our comments section.