Enterprise Information Security, is it BROKEN??

An industry reporter asked me a couple of pointed questions recently as part of an interview for a feature article.  He wanted to know if I felt that Enterprise Information Security was broken, and what could be done to fix it.

“Given the increasing number of denial of service attacks, Java exploits, break-ins, malware delivered by spam etc. , is Enterprise Security broken?”

No, I don’t believe that Enterprise Security is broken.  I do believe that some of the fundamental assumptions that we in the Information Technology industry made early on in IT and communication development were flawed and are now being abused.  Enterprise Information Security, as a strategic model whose intent is to formalize and promote security practices in a consistent manner across an organization, remains a fundamentally correct objective.

One of the biggest concerns that I have had over my 30+ year IT career has been that of consistency.  Remember that Information Security as a recognized discipline didn’t exist when Information Technology was born, and came about well after IT and technology had started to mature.  We built the communications protocols at the heart of TCP/IP to focus on resilience, continuity, and speed.  The naive belief was that if a set of rules was cast that delivered reliable communication, the job was pretty much done.  The entire concept was based on trust.  What else could you possibly want?

What was missing was consideration of the human factor: an authentication layer, non-repudiation, the guarantee of confidentiality, the assurance of data integrity, and the practices of controlled access and least privilege.

People are creative, curious, and in many cases, selfish creatures.  If they find a weakness in an application, or a way to take advantage of a process that will provide them with notoriety, wealth, or some other desired benefit, I guarantee that it will be exploited.  Look at how games get hacked for online gold, extra advantage, or simply bragging rights, to underline the problem.  The abuser doesn’t consider, or perhaps even care, that the author views the game as years of work and a revenue stream, and doesn’t gauge the impact that player actions have on the developers’ livelihood.  They just want the desired item.

Until we can replace or rebuild the TCP/IP suite with those missing pieces at its core, we need to put in place a governance and architectural model, policies, processes, standards, controls and guidance that, when taken together, provide a consistent information security architecture.  That architecture should apply evenly across the enterprise, not only to this group or that region, and should be able to manage and adapt to the upcoming disruptive factors that will make up our IT world in the future.

“What are some of these recent disruptive factors?”

  • BYOD – Employees recently fell in love with the idea of using their own smartphones and tablets for work.  Management embraced the concept, since it enhanced the bottom line, eliminating the need to purchase and maintain hardware that tends to become obsolete within a calendar year anyway. 

BYOD introduced consumer tech into the enterprise, and although I, like others, resisted it, we all knew it was inevitably going to happen.   These new consumer devices come with all of the warts that you would expect from a consumer device: no standard image, little focus on security and data protection, few points of control, fewer points of integration, and no separation of personal versus corporate identities.

Employees are just now beginning to question how deep they will let work intrude into their personal lives.  Did IT just turn their beloved smartphone into a tracking device?  Can the company now monitor and examine their personal emails, chats, and browsing habits?   Employees are beginning to resent that personal time is now becoming potentially unpaid work time.  Managing these challenges must be part of the new Information Security Architecture.

  • Malware – Malicious software has evolved from a nuisance to a plague.  It’s been monetized, and has grown into a full blown industry unto itself.  Malware is now custom developed, the developers are organized, and they coordinate their efforts.  Some of them specialize, and offer their services to one another, mercenary style.  Our vendors need to do the same, and change the model from signature based detection to signature, characteristic (white-listing), and behavior based protection.  All of them, not one of them.

Vendors also need to move away from the “backwards compatible with everything” development model.  Bloating code to support multiple Operating Systems, especially those that are no longer being developed or supported by their creators, perpetuates vulnerabilities on several fronts.  It potentially brings all of the previous versions’ vulnerabilities into the new version, it perpetuates the existence of outdated software amongst businesses and home users, and it complicates business processes like asset and license management.  All of these result in a larger attack surface to be exploited, and liabilities to customer organizations.

Malware distribution is undergoing a major shift.  The old model was wide distribution for maximum effect on a target rich environment, with quick in, acquire target, quick out blitzing strategies.  The new model is custom-made malware with no signature available, targeted to a specific industry, business, or user to limit solution development, and placed where it will be most effectively consumed by the target.  The new malware is tweaked to avoid detection, does nothing observably destructive, and maintains a discreet profile for as long as possible.  It stays in the environment, collecting information, trickling out intelligence, and potentially offering backdoor access for its author or owner.  These little nasties tend to stay embedded within an organization for years.

  • Data Leakage –  I used to worry about the impacts malware had, the downtime it incurred, the mess it made, and the time it takes to clean up after an infection.  Incident Response, Business Continuity and Disaster Recovery practices have matured, alleviating the bulk of those concerns, and now I don’t have to worry as much about what sort of malware gets into the environment.  Over the years, I have adopted an attitude that concerns itself more and more with egress management.  I now worry more about what data is getting out.  In order to maximize my nightly pillow time, I develop or procure capabilities to monitor traffic flows, and to identify the types of documents, contents of documents, and other materials that should not be leaving the network.

The challenges here are accounting for every egress method, every potential removal vehicle, every characteristic that makes a document sensitive, and dealing with each one in an appropriate and manageable fashion.  The electronic communications are the low hanging fruit, they are easily monitored.  It is the physical devices that pose the greatest challenges.
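As an added illustration of the content side of egress monitoring described above (this is example code, not the author’s own tooling), the following inspects an outbound document for indicators that usually mark it as sensitive: payment card numbers validated with the Luhn checksum so random digit runs don’t fire, US SSN-shaped strings, and classification markings.  The patterns and the block/quarantine/allow policy are assumptions for illustration, not any organization’s real DLP rules.

```python
"""Toy egress content inspection: flag documents that should not leave the network."""
import re

# Patterns are assumptions for illustration, not an organization's real DLP policy.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKING_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> dict:
    """Return the sensitivity indicators found in an outbound document."""
    return {
        "card_numbers": find_card_numbers(text),
        "ssns": SSN_RE.findall(text),
        "markings": [m.upper() for m in MARKING_RE.findall(text)],
    }


def egress_verdict(text: str) -> str:
    """Map the indicators to an egress decision (policy is an illustrative assumption)."""
    ind = classify(text)
    if ind["card_numbers"] or ind["ssns"]:
        return "block"
    if ind["markings"]:
        return "quarantine"
    return "allow"
```

The same classifier can sit behind a mail gateway, a web proxy, or a removable-media agent; the hard part the post points at is covering every egress path, not the matching itself.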

  • Next Generation Firewalls – The Internet Protocol suite was built to support communication using a set of rules, identifying specific ports and protocols, packet and frame sizes, and expecting specific content to be in each frame.  The developers assumed that applications and people would operate within those rules.  We also assumed that technology would present a perimeter that could be easily controlled and managed.  If the protocol used matched the port designated for it, and that port/protocol set was allowed to pass through the firewall, it was all good.  Unfortunately, attackers do not play by those rules.  They use them against us.

Next Generation Firewalls are emerging that analyze relationships and behaviors.  They inspect traffic to ensure that someone or something is accountable for each packet on the network, that it fits within an expected data request stream, conforms to much more granular rules based on expected and observed behavior, and that it is shaped and formed the way the rules expect it to be.
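The port-equals-protocol assumption above is easy to demonstrate.  The following added example (not code from the post or from any firewall vendor) looks at the first bytes a client sends on a connection, identifies the application protocol from them rather than from the port, and flags flows where the two disagree, such as SSH tunnelled over 443 or an unknown binary protocol on 80.  The port policy and the sample flows are constructed for illustration.

```python
"""Application-layer identification of flows, independent of destination port."""

# Expected protocol per well-known port (assumption: a typical egress policy).
PORT_POLICY = {80: "http", 443: "tls", 22: "ssh"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify_protocol(payload: bytes) -> str:
    """Classify the first bytes a client sends on a TCP connection."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0xNN,
    # 2-byte length, then handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def flag_mismatches(flows) -> list:
    """flows: iterable of (src, dst, dport, first_payload). Returns the flows that
    carry a protocol other than the one the port policy expects."""
    findings = []
    for src, dst, dport, payload in flows:
        expected = PORT_POLICY.get(dport)
        if expected is None:
            continue  # port not covered by policy
        observed = identify_protocol(payload)
        if observed != expected:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "expected": expected, "observed": observed})
    return findings


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301007a010000")),  # TLS ClientHello start
    ("10.0.0.6", "203.0.113.11", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),          # SSH on the HTTPS port
    ("10.0.0.7", "203.0.113.12", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.8", "203.0.113.13", 80, b"\x00\x01\x02\x03\x04\x05\x06\x07"),  # custom binary protocol on 80
]
```

A real firewall does this across far more protocols and keeps state for the whole stream, but the decision it makes is the same: trust what the bytes say, not what the port promises.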

  • The Cloud – Every silver lining has a cloud, and every cloud has security implications.  We experimented in the past with out-sourcing our IT worker bees in order to save costs.  In some places that was successful, and not so successful in others.  We are now doing the same thing with applications, services, data, and infrastructure.  The risks to those assets remain the same, but we are now concentrating those assets along with many other assets in one place, and giving up visibility and control, while increasing the value of the hosting target.

The arguments make sense: we are not an IT company, so why do we need to invest in so much hardware, software, and staff to maintain it?  Someone else can do this better, focus entirely on it, and save us money by providing it to the masses as a Service. The other side of the coin is that the risks don’t go away, the liabilities don’t go away, but the ability to directly control and manage the out-sourced entities becomes more difficult.  Accountability becomes fuzzy, but ultimately lies with the data owner, not the hosting company.  In a cloud-based model, you are trusting someone else to do a better job of managing and protecting your data, you are trusting them not to misuse your data, and you are trusting them to provide access to the right people while blocking access of the wrong folks.  Audit and Compliance issues become evident.

Ultimately, if this new juicy data target is breached by someone attacking you or one of the many other customers that use this service, your data may be exposed, and your business is liable and accountable.  Your data may not even be exposed, but if you use the breached vendor’s services, the perception may be that you were breached.  Your customers won’t care if the breach happened at your data center or your provider’s.  You were trusted with their data, and it was at risk of exposure on your watch.  You may also increase your dependency on the cloud service, and that increases your susceptibility to denial of service attacks.

  • Attacker Motivation & Capability – The enemy has found that those annoying virus and worm characteristics developed in the past for notoriety or destructive power can be used for financial gain and espionage, and they have gotten organized.  The dark side has put forth significant effort into developing a diverse set of tools, expertise, and strategies.  We need to model our defenses after those of the attackers.  Vendors need to start integrating, working together, and providing the enterprise with consumable, actionable, accurate intelligence about what is going on inside and outside of their networks.  SIEM is a step in the right direction, but let’s not stop walking forward.

 “Do we need a fundamental change in the way enterprises approach/design security?”

Here, I would say yes, and I believe that this change has been cooking along for quite some time in a very slow, “bolt-it-on” fashion.  Technology changes seem to be revolutionary, coming out of nowhere and establishing themselves quickly in response to disruptive factors and needs.  Changes in protection capabilities tend to be evolutionary, taking their own sweet time to develop and mature in reaction to unforeseen circumstances that arise post-implementation of technology.  Physicist Niels Bohr said, “Prediction is very difficult, especially if it’s about the future.”

We in IT as an industry, and businesses in general, need to realize that the perimeter is continuing to melt, to focus on monitoring the network and protecting the data, to insist on integration, increased visibility, and to demand built-in security from our products, vendors, service providers, and business partners.  Enterprise Information Security offers a conduit through architecture and governance to provide a well thought out strategy that can adapt and react to disruptive advancements in technology.  It lays the ground work, and operates best by implementing consistent governance over people, processes and technology at the enterprise level for the purpose of supporting management, operation, and the protection of information and assets.

Google Won’t Remove CounterClank Apps

Google will not remove the 13 apps reported by Symantec containing “software development tools” that enable the theft of data, because they do not violate Google’s terms of service.  Lookout Mobile Security said in a blog post Friday that it doesn’t consider the applications malware, but it does appear to be an “aggressive form” of an ad networking scheme, and should be taken seriously.  I would agree with that assessment, simply because it is a new spin on an old tactic; however, I would still consider this malware to the extent that spyware was once considered in a similar light.  It has proven to be a real problem with real impacts, and has been used in a multitude of nefarious endeavors.

See this SC Magazine article for more coverage and details.

Beware “Official” Android Trojans!

Symantec has uncovered a massive botnet that may have lured millions of Android users into downloading malware infected apps from the official Android Market site.  The Trojan, being called ‘Android.Counterclank’, was wrapped into at least 13 free games on the official Android app download site.  The following apps are known to be affected:

  • Counter Elite Force
  • Counter Strike Ground Force
  • CounterStrike Hit Enemy
  • Heart Live Wallpaper
  • Hit Counter Terrorist
  • Stripper Touch girl
  • Balloon Game
  • Deal & Be Millionaire
  • Wild Man
  • Pretty women lingerie puzzle
  • Sexy Girls Photo Game
  • Sexy Girls Puzzle
  • Sexy Women Puzzle

If you have downloaded one or more of these games, you had best be taking some action to protect your information.  According to the description at Symantec’s site, the combined download figures for these malicious apps indicate Android.Counterclank has the highest distribution of any Android malware so far this year.

I don’t own any Android devices, so, why am I writing about this malware rather than the hundreds of malware variants found each day?  I am concerned that the “official” download site is laden with malicious applications.  The Android Market is owned and operated by Google Inc.  Android configurations really need to be tightened up, and the practices used when vetting an app for distribution on an “official” site need to be scrutinized and corrected.

Google really ought to know better.  Their motto is “Don’t Be Evil”…

Malware Compromises College For 10 Years [ ! ]

Trojans and other malware have been discovered at City College of San Francisco, with some stories indicating the malware has been in place for over 10 years.   I suspect (hope?) that this is a misquote, and that the speaker meant to say that malware has been a problem during that period!   I have not found any information positively confirming the duration of the infection, but the original article appears to imply that the malware was present for over 10 years.  Why was this not detected earlier, and how did it manage to remain in place for so long?

It appears that, as is the case in many educational institutions, budgets are tight, interest is low, and apathy runs high. Passwords went unchanged for at least as long as the infection, security controls were extremely lax, and even after filtering controls were brought in, demand for access to highly questionable material was often approved if minimal pressure was applied.  As a result, a keystroke logger is among at least 7 flavors of malware found operating within the network, and is known to have stolen personal banking information and other data from at least one individual, and potentially hundreds of thousands of students, faculty and administrators.  The college employs 3,000 employees, and hosts about 100,000 students every year.

The college identified the infection in late November 2011 after it noticed that there were gaps in server logs located in the campus computer lab.  An AP story about the incident indicates that at 10:00 PM every day, the malware would trawl through the network looking for data to send overseas.  During the investigation, the IT department saw communication with many foreign countries, including Russia and China.  There has been only one confirmed case of personal banking information being captured in this incident that I am aware of.

Upon learning of the breach, the college contained the incident by closing off the infected computer lab, removing the affected server from service, and scanning desktop computers for malware.  Many desktops were found to also be infected.  The college community was notified by e-mail on Jan. 13.  The IT department has since reconfigured the campus firewalls, improved password security controls, updated and created new security protocols, is developing a network segmentation strategy, and is preparing to install new security hardware.

It will be interesting to see what the fallout is regarding how many users are actually impacted by this breach, if there is any way to figure all that out.  What’s on your network?
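A 10:00 PM daily phone-home is exactly the kind of regularity that stands out in proxy or firewall logs if anyone looks.  As an added example (not part of the post, and not the college’s tooling), the following groups outbound connections by source and destination and reports pairs that are seen on several distinct days within a minute of the same clock time, wrapping correctly across midnight.  The log format and the log lines are constructed for illustration.

```python
"""Spot hosts that phone home at the same time every day, from firewall/proxy log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not a real capture): "<date> <time> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2011-11-20 22:00:03 10.20.1.15 -> 198.51.100.7:443
2011-11-20 14:12:44 10.20.1.15 -> 203.0.113.80:80
2011-11-21 22:00:11 10.20.1.15 -> 198.51.100.7:443
2011-11-21 09:30:02 10.20.1.22 -> 203.0.113.80:80
2011-11-22 21:59:58 10.20.1.15 -> 198.51.100.7:443
2011-11-22 22:00:07 10.20.1.22 -> 203.0.113.80:80
2011-11-23 22:00:05 10.20.1.15 -> 198.51.100.7:443
2011-11-23 17:45:19 10.20.1.22 -> 203.0.113.80:80
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst) tuples from the sample format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, _arrow, dst_port = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, src, dst_port.rsplit(":", 1)[0]


def find_daily_beacons(records, min_days: int = 3, tolerance_s: int = 60) -> list:
    """Return (src, dst) pairs seen on >= min_days distinct days, all within
    tolerance_s of the same time of day."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), stamps in by_pair.items():
        days = {t.date() for t in stamps}
        if len(days) < min_days:
            continue
        secs = sorted(t.hour * 3600 + t.minute * 60 + t.second for t in stamps)
        # Spread of time-of-day across all sightings: the largest gap on the 24h
        # circle is idle time, so the remainder is how far apart the sightings are.
        gaps = [secs[i + 1] - secs[i] for i in range(len(secs) - 1)]
        gaps.append(secs[0] + 86400 - secs[-1])
        spread = 86400 - max(gaps)
        if spread <= tolerance_s:
            beacons.append({"src": src, "dst": dst, "days": len(days), "spread_s": spread})
    return beacons
```

The sample contains one host that contacts the same address within seconds of 22:00 on four consecutive days, and another that talks to a web server at random times; only the first is reported.  Scheduled backups and update checks will trigger this too, so the hits are a triage list, not a verdict.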

Hackers Targeting SmartCards

The security firm AlienVault reports that it has seen dozens of attacks on US Government issued SmartCards, using a unique variant of Sykipot.  Attacks using Sykipot have been around since 2007.  This one is slightly different from the typical variant.

Since passwords have proven easy to guess or brute force, SmartCards are used as an extra layer of security on top of passwords.  This malware strain specifically targets ActivIdentity, which offers a SmartCard-based PKI authentication mechanism known for its compliance with US government specifications.  The malware is capable of capturing PINs, allowing access to privileged information.

The attackers use a spear phishing campaign with a PDF attachment which deposits the Sykipot malware onto recipients’ systems. Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards.  When a card is inserted into the reader, the malware acts as the authenticated user and has access to sensitive information. The malware is controlled by a command & control server, getting commands, updates, and moving data as directed.

With ActivIdentity as the target, the attacks are clearly aimed at US defense agencies, but it’s still unclear what information may have been captured or compromised, if any.  As usual, there is a link to China…

http://www.theregister.co.uk/2012/01/13/sykipot_trojan_dod_smart_card_attack/

FDIC Spam Delivers Malware

Continue to be suspicious and diligent whenever you receive unsolicited emails.  No matter who the sender purports to be, never open those “important attachments”.  A recent malware campaign poses as a communication from the Federal Deposit Insurance Corporation (FDIC) to businesses.

SophosLabs has reported interception of a large number of malicious emails, pretending to come from FDIC, claiming to have important information about the recipient’s bank.  The emails’ subject line is “FDIC: About your business account”, followed by a random code number.  The attached filename, containing the malware, is FDIC_Information_About-your-business-account-JAN2012-XXXXX.zip (where ‘XXXXX’ is a random number).

Attached to the emails is a ZIP file which contains a malicious payload, designed to infect Windows computers.

Dear Business Customer, We have important information about your bank. Please refer to attached file to view information. This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership

Sophos anti-virus products detect the attachment proactively as Mal/BredoZp-B and Mal/Zbot-EZ.
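Whatever the lure says, the mail gateway can refuse the delivery mechanism itself: a ZIP attachment with an executable inside.  The following added example (not code from Sophos or from the post) builds a look-alike of the message described above with the `email` and `zipfile` standard-library modules, then parses it back and lists the reasons to quarantine it.  The sender, recipient, and the filler bytes inside the archive are constructed; nothing here is a real sample.

```python
"""Mail-gateway check: reject ZIP attachments that carry executables, whatever the lure says."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message(member_name: str = "FDIC_Information_About-your-business-account-JAN2012.exe") -> bytes:
    """Construct a look-alike of the lure (addresses and contents are made up)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # "MZ" is the PE magic; the rest is filler, not malware
        zf.writestr(member_name, b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "alerts@example.com"
    msg["To"] = "owner@example.org"
    msg["Subject"] = "FDIC: About your business account 48213"
    msg.set_content("Dear Business Customer, please refer to the attached file.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="FDIC_Information_About-your-business-account-JAN2012-48213.zip")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> list:
    """Return the reasons to quarantine a raw RFC 822 message (empty list means clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXECUTABLE_EXT):
            reasons.append(f"direct executable attachment: {name}")
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXT):
                        reasons.append(f"executable inside archive {name}: {member}")
    return reasons
```

Password-protected archives defeat the inner check (the member names are still readable, the contents are not), which is one reason the later KeyGen lure below hands out the archive password separately; an encrypted ZIP from an unknown sender deserves the same treatment as an executable.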

One more note worth keeping in mind.  UPS, FedEx and other delivery services are commonly exploited in this kind of scam.  If you aren’t expecting a delivery, don’t open the attachment.  If the email contains a tracking number, go to the delivery service’s website or call them to confirm before opening a surprise attachment from aunt Martha.  Otherwise the surprise might be nastier than her old fruitcake…

KeyGen Candy Leads To Malware

Just a reminder to all of you gamers that downloading KeyGen software is playing Russian roulette with your personal computer.  KeyGens are little programs that generate registration keys for games that you didn’t pay for.  They are executable programs written by a programmer with the intent to allow you to pirate commercial software.

I can’t count the number of incidents that I have been called on to fix this or that strange behavior on a computer, only to trace the problem back to the installation of some stupid KeyGen or other crack.  The fact that someone is giving you candy for nothing should be your first red flag.  The fact that you have to download an executable and run it should be another.  Case in point, popular Pro Evolution Soccer 2012 game users looking for freebies are in danger of having their computers compromised, according to GFI.

Their search for a key generator can take them to a YouTube or other site offering links to download the full game, KeyGens, cracks and serial numbers, but it is of course, a scam.   One compressed download consists of 3 files: an HTML file named password, a text file named password, and another ZIP file containing the key generator app.

You would assume that the text file contains the password for the compressed file, but it doesn’t.  Instead, there is a shortened link to a site for picking up the password, AFTER you fill out a short survey.  Nothing is ever quite 100% free, you know…

After the survey is completed, the victim receives the password for running the KeyGen program.  Only, that program is in fact the ZeroAccess rootkit, designed to hide from any Anti-Virus that might be installed, interfere with legitimate programs, redirect online searches to malicious pages, and to download additional malware.

The majority of A/V products now have signatures to detect this rootkit, but not all users install A/V, configure it correctly, leave it turned on when applying cracks or KeyGens, or update their A/V regularly.  Be careful when considering too-good-to-be-true offers from unverified sources, and if you like a game enough to want a registration key, why not feed the author’s kids?  It costs money and takes talent to create good games.  If there is no return on that investment, what is the incentive to release the next one, or to make it more affordable?

Don’t take candy from strangers!  Just sayin’…

Microsoft Prepares Threat Intelligence Service

ThreatPost reports that Microsoft is testing a new service to distribute information from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.

Microsoft expects to offer three real-time feeds, which third parties could access for free.  Organizations would provide Microsoft with information on their IT infrastructure, such as an IP address block that they own.  Microsoft would then filter its threat feed by that information, supplying subscribers with data relevant to their infrastructure.  Companies could use the data to look for malware infections, or correlate data on botnet hosts with data on click fraud and other scams.  CERTs might be interested in threats relevant to their region. Microsoft hopes this service will also help smaller organizations battle large, powerful, global botnets, lowering the cost of monitoring and responding to infections.  The company wouldn’t give a timeline for the real-time threat feed.

Despite the proliferation of “Bad Microsoft, just fix your code” comments on the ThreatPost site, I see this personally as the right track to take given the current state of things, and applaud the moxie Microsoft is showing in the battle against malware.  Yes, Microsoft and EVERY other vendor needs to constantly improve their code and coding practices.  Blah blah blah.  What will NEVER happen is that one day we will wake up and all code will be impervious to attack and exploitation.  We have yet to perfect human creativity, and we are light years away from producing unflawed anything.  Give it a rest.

My concerns with this I hope are addressed before Microsoft opens the feed-gates.  How will the data that is captured from botnet command and control servers, and I suspect from data repositories associated with those C&Cs, be managed?  Will it be handed over intact, leaving anyone infected subject to their own personal WikiLeaks in reverse (Government gets your goodies), or will it be properly sanitized to protect individual privacy?  How will this data cleansing be made transparent?  I trust everybody at the table, as long as I can cut the cards and watch the deal…

Pre-Boot Malware Prediction

The National Institute of Standards and Technology (NIST) has released a draft version of its security guidelines for locking down the Basic Input/Output System (BIOS).  Exploitation of this and other non-volatile RAM and EEPROMs is my prediction for 2012.  I’ve seen a couple of malware reports from the lab and a sample that tried to hide its existence by writing to hard to reach areas, like the GPU and video RAM, and have been holding my breath hoping that these areas remain free of mainline cruft.  APT anyone?

Imagine a rootkit, but instead of writing its bootstrap code into the Master Boot Record of your hard drive, it flash updates your BIOS.  Who scans their BIOS?  Who wants to?  Soon you may need to scan every single chip and component in your system in order to ensure that these code monkeys haven’t tapped your keyboard.  The BIOS is initialized and loaded well before the Operating System, and any code that was written there would be potentially invisible to A/V products.

The BIOS Integrity Measurement Guidelines aim to help detect changes to system configuration and changes to BIOS code that could be used to let malware execute during the boot-up process.  NIST is welcoming comments on the draft document through January 20, 2012.  This guidance is directed more at developers than end-users.  Like most NIST guidance, it is recommendation, and not mandatory.
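“Who scans their BIOS?” has a concrete answer in the measurement model the NIST draft is built around: hash each firmware region, fold the hashes into a register the way a TPM extends a PCR, and compare against a golden manifest taken from a known-good image.  The following added example (not NIST’s code and not from the post) does that over a constructed 256-byte stand-in for a firmware image; the region layout is an assumption, and on a real system the image bytes would come from a flash-read tool rather than a byte range.

```python
"""Measure firmware regions as a measured-boot chain would, and diff against a golden manifest."""
import hashlib

# Constructed layout for a 256-byte stand-in image (not a real BIOS map).
REGIONS = {"boot_block": (0, 64), "main_bios": (64, 192), "nvram_vars": (192, 256)}
GOLDEN_IMAGE = bytes(range(256))


def measure_regions(image: bytes) -> dict:
    """SHA-256 of each region: the per-component measurements the guidance calls for."""
    return {name: hashlib.sha256(image[start:end]).hexdigest()
            for name, (start, end) in REGIONS.items()}


def extend_pcr(measurements: dict, pcr: bytes = b"\x00" * 32) -> bytes:
    """TPM-style extend: PCR = H(PCR || H(region)), over the regions in a fixed order.
    Any change to any region, or to the order, changes the final value."""
    for name in sorted(measurements):
        pcr = hashlib.sha256(pcr + bytes.fromhex(measurements[name])).digest()
    return pcr


def changed_regions(image: bytes, golden: dict) -> list:
    """Names of regions whose measurement no longer matches the golden manifest."""
    now = measure_regions(image)
    return [name for name in REGIONS if now[name] != golden[name]]


GOLDEN_MANIFEST = measure_regions(GOLDEN_IMAGE)
GOLDEN_PCR = extend_pcr(GOLDEN_MANIFEST)
```

The single PCR value is what a remote verifier would check; the per-region manifest is what an administrator wants when it fails, because it says where the change is.  Note that the NVRAM variable store changes legitimately (boot order, settings), so a deployment would treat that region under a different policy than the boot block, and none of this helps if the measuring code itself has been replaced, which is why the draft puts so much weight on protecting the flash write path.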

http://www.informationweek.com/news/government/security/232301025

US Chamber of Commerce Breach Update

A US Chamber of Commerce spokesman has confirmed that hackers based in China broke into the Chamber’s computers and had access to the organization’s systems, including information on about 3 million of its members for over a year.  The intrusion was discovered and reported to the Chamber by the FBI, and was shut down in May 2010.

According to a report in the Wall Street Journal, investigators have been unable to determine exactly what information was compromised; however, it appears that four particular Chamber employees who worked on Asia policy were targeted.  Several weeks’ worth of e-mail from about 50 members of the Chamber is believed to have been stolen.

The attack appears to have been carried out by an organized group of hackers affiliated with the Chinese government.  The attackers seemed to have specific information targets in their sights, and pursued specific types of data.  The Journal story identifies the attackers and their attack methods as being very sophisticated.

The hackers had implemented at least six back doors into compromised systems to ensure that they maintained unfettered access to the compromised network.  Upon learning about the breach from the FBI, the Chamber unplugged and destroyed some of their systems as part of their response.  Attacks such as this are becoming commonplace events.  Over the past few years, many government entities, military facilities, and related businesses have fallen victim to hackers stealing intellectual property and military secrets. China is often cited as the source or sponsor of the attacks.

Chinese officials have always denied the accusations, and claim that there is a lack of evidence to support those claims.  The Journal quotes a spokesman from the Chinese embassy in Washington as saying that cyber-attacks are prohibited under Chinese law and that China is often the victim of similar attacks.