Small Business Defense – Plans and Flexibility
- At December 10, 2009
- By Josh More
- In Business Security
In the event mentioned yesterday, the business was utterly without power. This sort of event had never been planned for, and since we were a technology company, all of our client information was inaccessible due to the outage. Inbound phone and Internet were down.
In that particular case, I believe we all looked at one another, shrugged and pulled out some snacks and started playing poker while we waited for power to be restored. (It was a very small business and we were all fairly young.) After a while, one of us got the bright idea to call the phone company and set up a temporary redirect of calls to some of our cell phones. Someone else carried the workstation that doubled as a fileserver over to a neighboring business so we could fire it up and get the client contact information, so we could start calling out to let people know about the situation.
We wouldn’t connect to the remote systems via modem, but we had decent memories and it worked out OK. The clients were understanding and while we lost some productivity, it didn’t impact us too badly.
Which, really, is the point of this. We in the security world like planning and mitigation. We like it a lot. We might even like it a bit too much. See, it’s not all doom and gloom. Sometimes, bad things happen, and it all works out OK.
In a large enterprise, you have a complex infrastructure that has a lot of moving and inter-related parts, and if there is a massive failure, it’s simply not feasible to shut it down or move it. The financial cost of such an outage can get into the millions of dollars, so it makes sense to devote some resources to coming up with recovery plans. It can take months to build one and then more months to implement it. Then you have to test it.
In small business, you may not need to do this. Should you? Probably. However, not having a solid plan isn’t the end of the world, it’s just more risk. Just as in the rest of the business, you can look at risk vs. reward. It often doesn’t make sense to have a full plan that covers details for floods, fires, tornadoes and Godzilla attacks. If your infrastructure is small enough, your employees are good enough and your customers friendly enough, your plan can just be “if bad stuff happens, we’ll figure it out”. It’ll probably be OK.
However… it just might make sense to look at what you need to be flexible. Are your people really as good as you think? (Can you test this?) What about availability? If you rely on your people, how are you set for disasters that impact people? What if the backhoe had hit a gas main and some of your employees were injured during the disaster? (Or, more prosaically, suppose I had banged my head trying to get out of my dark “office” and been unable to accept incoming calls?)
So yes, by all means, avoid the tedious planning that no one wants to do. Bet your business on your people (which, really, you do every day anyway)… just be sure that your people will be able to do what you’re asking of them.
There’s more value in DR testing than just testing the systems, after all.
Small Business Attack – Backhoe
- At December 09, 2009
- By Josh More
- In Business Security
Yes, you read the headline correctly.
Several years ago, I was working as a web developer and security admin for a small development house. We were located at one end of a nondescript building in the middle of a tiny little town. One day I’m working and suddenly everything goes dark.
And by “everything”, I mean everything. My office doubled as the server room; it was lit by a single overhead fluorescent and the glow of a few monitors and lots of little blinky lights. When the backhoe doing sewer work hit the main line, everything went dark and I was suddenly sitting in a tiny little pitch black room rapidly rediscovering my latent claustrophobia.
Luckily for me, I had a cell phone that could double as a flashlight in such a situation. I found my way to the door and met the rest of my coworkers to find out that the entire building was without power, Internet and phone. Business was at a complete standstill.
We were dead on the Internet. No one could reach us. And all of our clients were running that day’s production.
What could we do?
Security Lessons from Nature – Natalids and Stargate Universe
- At December 08, 2009
- By Josh More
- In Natural History
So, I’m reading a book on the mammals of Costa Rica. (Why? Because it’s more interesting than watching Stargate Universe, that’s why. (Which says a lot about the quality of storytelling these days.)) In the chapter on bats, I ran across a mention of a natalid organ.
“That’s funny…”, I thought. “I’ve never heard of that!”
So off to the Google I go, to google about and, as it turns out, waste a good hour reading about bat taxonomy. (Which is still better than watching Stargate Universe!) Here’s what I learned:
There are these bats, see, that have an organ. It’s more than one species, it’s in a lot of them… but no one knows what it does!
- Discover Life reports that the cells may be sensory or secretory.
- Novel Guide tells us that it’s bell shaped and can cover the entire muzzle (though Answers.com suggests that that’s not always the case).
- Brain Museum implies that the presence of the organ may be linked to the lack of a nose leaf. (What’s a nose leaf, you ask? Go research it yourself, I’m busy with natalids.)
- Bob’s Bat Cave, despite having perhaps one of the coolest names on the Internet, indicates that the organ is below the skin on the forehead, though other sites place it at the back of the muzzle. (This seems like a conflict to me, but perhaps I don’t know my way around a bat’s head very well.)
- Lastly, Animal Diversity gives us the useful information that only Natalids have natalid organs. Of course, the group of bats known as natalids are defined as those bats that have natalid organs, so that information is less useful than it may initially appear.
I might have learned more, had I given JSTOR $19 for the full article, but let’s face it, I’m just a Stargate fan who is oddly distracted by bats, and it would be unwise to give my bad research habits free rein.
So what is all of this doing on an I.T. security blog? I haven’t the faintest clue… and that’s the important thing. The number one biggest threat out there isn’t the mysterious Chinese hacker or the organized criminals writing malware. The most dangerous threat is that of poorly-documented legacy systems. These systems exist on every business network I’ve seen. They lurk in the dark corners, staring at admins and, well, doing something… I think… maybe. These systems are dangerous because:
- We have to keep them running.
- We don’t know what they do.
Most people, therefore, set them on the network and proceed to ignore them until they break. Maybe all they do is serve a few static web pages. Maybe, though, they process proprietary data. However, since we don’t know, we can’t pick an appropriate method of securing them.
We can’t turn them off, because it might harm the business, just like we can’t go up to random bats and remove the natalid organ. If we don’t know what it does, we often can’t take the risk of killing the business (or bat) by removing it to find out. (Just like we can’t take the risk of not trying the new Stargate series, as it might be as awesome as SG1 (though, admittedly, history has not borne this out)).
We can look deeper into the systems and possibly get an insight (“hmm, it’s kinda slimy, but it also looks like it might be a detector”). We can ask those that use it what they use it for (which might be more effective on your coworkers than it is on bats). Or, we can just name it and leave it alone (“well, it’s gotta be there for a reason, right?”)…
Which works until someone like me comes along and thinks “what the heck is a natalid organ?”, and starts digging into the problem. Because at that point, you have to justify one of two likely scenarios:
- Why you kept a legacy system running and consuming resources when it serves no valid purpose to the business.
- Why you failed to adequately secure and plan migration paths for a business-critical system.
Really, it’s probably better to find out what it does and document the thing. Luckily, we have technologies now that allow us to record inputs and outputs and clone systems, so the process should be a lot less messy than dissecting the muzzle of a bat or figuring out what on Earth the producers of Stargate Universe are thinking.
Mythic Monday – Love and Creation
- At December 07, 2009
- By Josh More
- In Mythology
There is a Persian creation story that goes much the same way as the usual creation myth. First, there was nothing, then there was a god (Ohrmazd). The god made stuff and then people. Then the people screwed up.
People screwing up is really a common theme in myth, when you think about it. Maybe that says something about life?
In this case, though, the type of the screwup is a bit different. There’s nothing here about wanting to be the equal of the gods, disobeying orders or even just desiring to be more than they are. Instead, the people wind up having children (a popular activity). Then, since they can’t bear to be separated from their kids, they eat them.
Ohrmazd the creator god is understandably surprised at this turn of events. What’s interesting is the solution. Knowing that the people just love too greatly, he reduced their love by 99%.
(As an aside, it’s worth noting that the Persians did a lot of interesting mathematical exploration and that this is the only myth I know of that uses numbers like this instead of something like “reduced their love as if love were water in the cap of an acorn, and when emptied, the moisture that remained was as the love that remained within the man and the woman”. Are the two related? I don’t know, but it’s interesting.)
With the amount of love they could feel reduced, the people were able to have children and let them live long enough to have children of their own. Thus did humanity prosper.
Now, in the original, this was but a small piece of the story of creation (which also involved a devil and a bull, much conflict and blood and all the fun stuff you find in creation myths). However, for our purposes, it is enough.
There is a lot of talk in the business community these days about the power of love. I have no doubt that there is something there. If you love what you do, you can do it without feeling the burden. You can more easily justify risks and you can share the load by letting your love inspire others. However, there is a dark side.
The same love that makes it easy to get started on a project is what makes it hard to stop. Love can get you through the boring 20% of the work that takes 80% of the time. However, it’s not so good at allowing you to stop when you get to 100% complete. I’ve seen projects that fail because the quest for perfection goes too far. I’ve seen businesses falter and fail because the founder loves it too much to allow it to change.
That form of love is stifling, and while it’s becoming more acceptable to recognize the harms of excessive love within personal relationships, it’s still not well considered within the business world.
This is the sort of emotion that makes security practitioners secure things for the sake of their being secure… they’ve fallen in love with the idea of “security” instead of “protection”. There are many ways to protect an asset. Keeping out the bad guys is but one.
It’s a tough balance, I know. We have to love enough to keep us going in the face of incredibly difficult odds and constantly changing threats, but then, once a project is complete, reduce our love by 99% and allow our project to continue on without meddling with it and destroying it in the process.
While learning to let go is difficult and messy, if we’re lucky, we can do it without the massive quantities of blood and death that the Persians seem to have required.
Small Business Attack – Mobile Defense
- At November 12, 2009
- By Josh More
- In Business Security
As mentioned yesterday, mobile devices are a pretty big threat. In fact, it’s so obvious to those of us in security that we often wonder why we don’t see many attacks along this vector. Of course, that all changed this past weekend. Now that we’ve had one that got media attention, there will be more… and they’ll be trickier.
So how do you defend against them?
The easiest way is to forbid such devices from accessing your network. This can be done by limiting access on the perimeter to various services. However, this won’t do anything if someone either:
- Brings their device to their workstation and does a manual sync.
- Has proprietary data on the phone that can be accessed by an attacker.
So it’s a bit more complex than that. Some people solve the problem by giving all employees a standard mobile device. IT is then responsible for maintaining the device and making sure that it’s secure. This model is pretty much the same as workstations. It balances the business’s control against the employee’s desire to be accessible.
Others say that the mobile device is the employee’s responsibility and invest in technologies that allow greater auditing capabilities. This way it doesn’t matter what attack vector is used; the data itself is protected. It allows maximal flexibility for the employee, but does require that the audit technology be reasonably layered so that a failure in one spot doesn’t expose everything.
The real risk is when a business does neither. If mobile devices are allowed access, but not controlled or protected, and there is no internal audit process, an attacker can waltz right in and take what they want, all while some employee somewhere is distracted playing their iPhone Ocarina.
Small Business Attack – Mobile Attack
- At November 11, 2009
- By Josh More
- In Business Security
Despite all the humorous commercials to which I am now receiving links, you may have in your possession an iPhone. You may have even gone through the lengthy process of installing unofficial software on it. So there you are, all happy with your fancy toy and feeling smart about yourself. Then, one day, you turn it on and instead of getting your normal pretty backdrop of a baby hedgehog you get a photograph of Rick Astley… which isn’t quite the same thing, really.
It sounds far fetched, but that’s exactly what happened to a large number of iPhone users over the weekend. A worm was launched that specifically targeted iPhones and spread over the web in just a few hours. Now, in this case, the author was just trying to make a point, and the media is generally taking a light view of things… after all, Rick Astley is funny, right?
Let’s take a different view of the situation.
Suppose that, one day, you turn on your iPhone and instead of getting your normal pretty backdrop of a baby hedgehog you get a photograph of Rick Astley. You shrug, go on with life and check your email. While you check your email, you notice that things are a bit slow, but hey, it all works. You put your iPhone back in your pocket and head over to work. When you get to work, you see an upset security officer standing in your office, who informs you that someone hacked into your iPhone, copied all your email when you checked it, accessed your VPN password, used the VPN password to get into your network and download all your files, including the one containing access to your company’s bank account, and transferred all of the money overseas.
That’s a bit more than an amusing little attack, isn’t it? However, to be fair, it is a little bit unrealistic. Let’s take a more realistic view:
The exact same things happened, but the security officer wasn’t waiting in your office for you. In fact, the security group didn’t even know what was going on until the accounting group called and let them know… which happened after they found the problem and were able to determine that it wasn’t an accounting error… which was in excess of the normal 48 hour window and now the money is gone, the business is going under and it’s your fault because your iPhone got hacked.
The risk here is that iPhones, Blackberries, Palms, Droids and the like aren’t phones. They’re little portable computers that work just like phones. More than that, they’re little portable computers that are always attached to the Internet, have no firewall, don’t run antimalware and are often connected directly to your network.
The fact that the first big worm just changed the background proves that we’re really lucky and should view this as a wakeup call.
Are you awake yet?
Security Lessons from Nature – Minimizing Shadows
- At November 10, 2009
- By Josh More
- In Natural History
Imagine for a minute that you’re a bug. You wander around looking for food and avoiding predators. Now, most critters that predate on bugs aren’t exactly the brightest. They just sort of fly around and look for anything that looks buggy and then try to eat it. There are generally only two clues for bugginess: movement and contrast.
Basically, if something moves like a bug, it’s probably a bug. Of course, this is only good against the bugs that haven’t learned to just keep still. If you want to keep your little bug self safe and secure, all you have to do is not move when a predator comes at you… which is a lot harder than it sounds… and not 100% successful now that predators have learned the contrast trick.
Most days, there tends to be light around, and even though bugs have gotten pretty good at matching their surroundings, if the light comes from the wrong angle, it doesn’t matter how well you match your environment, you’ll cast a nice long shadow. If a bird is looking for an area of sharp contrast, it can find you even if you manage to stay frozen.
Bad news for bugs.
Unless, of course, you manage to reduce your shadow. If you are careful to shift your position or only land in pre-existing shadows, you can really reduce these shadows. Similarly, if you only come out during mid day and stay hidden during morning and evening, you’ll avoid the long shadows. Basically, you want to reduce the amount of your body that catches the light, which would reduce the amount of shadow, which would reduce the likelihood of attack.
We do the same thing in the security world. A system can be attacked in many (many (many)) ways. Looking just at a fairly standard Web system, a system can be attacked at: ssh, apache, mysql/postgresql, openssl, php/perl/ruby, ftp, or any modules contained within… and this assumes that the system has been hardened and isn’t running any of the common applications such as X, Gnome/KDE, OpenOffice.org, Firefox, portmap, r* commands, etc. The simple fact is that we load our systems with all sorts of fancy widgets, adding new functionality here and there, making it run faster (or at least, more interestingly) and… if an attacker looks at the result… it casts a very interesting shadow.
Simply put, everything you can install can be exploited. It may be reviewed. It may be well designed. It may be hardened. However, this is not a perfect world, and there are no guarantees. You can’t make sure that everything is running exactly as it should be, but what you can know with absolute certainty is that something that’s not there cannot be exploited. People have a really hard time robbing a house that’s not been built, and they’d have similar difficulties attacking a service that’s not running.
In I.T. Security, we call this reducing our attack surface. The term can apply to an entire business, a network, a server or just an application. The idea is pretty much exactly what a bug does. We want to make our shadow as small as possible, by reducing the number of protrusions and things that make the shadow interesting. In practice, this means reducing your business (you’re not a bug anymore, by the way) to just what you need. If you don’t need modems, don’t leave them plugged in. If you don’t need to be running telnet, don’t run it. If you don’t need to employ untrusted people at incredibly low wages, don’t do it.
The point here isn’t to say that you can be completely safe by minimizing what’s running… there is no completely safe. Any bug can get eaten, despite how good it gets at what it does. The point is that by minimizing the attack surface, you can get it to a manageable size. If bugs were the size of baseballs, cast huge shadows and were slow to maneuver, they’d be eaten awfully quickly. By staying small and relatively flat, they’ve been able to focus on better defenses (such as scent bombing, protective colouration, and just plain old tasting bad). The same applies to your business. If you limit what you’re doing and running to something manageable, it can then be managed.
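As an added example (not code from the original post), a small POSIX shell audit that applies the attack-surface idea above: given a listener listing in the format of `ss -Hltn` (a constructed sample is embedded so it runs offline) and an allowlist of the ports a web host is meant to expose, it flags everything else bound to a network-facing address, such as ftp, telnet, portmap and X. The allowlist and the port-to-name mapping are assumptions for a hardened web host.

```shell
#!/bin/sh
# Attack-surface audit: report listening services that are not on the
# expected list. On a real host, feed it the output of `ss -Hltn`.

# Assumption: a hardened web host should expose only ssh, http and https.
ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer):
# a web host that also has ftp, telnet, portmap and mysql bound to all
# interfaces, an X server, and one loopback-only X forwarding socket.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 5 0.0.0.0:21 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*'

# Map a few well-known ports to the services named in the post, so the
# report reads as "23 telnet" rather than a bare number.
port_name() {
    case "$1" in
        21) echo ftp ;;
        23) echo telnet ;;
        111) echo portmap ;;
        3306) echo mysql ;;
        6000) echo X11 ;;
        *) echo "port-$1" ;;
    esac
}

# Print one "port name" line for each listener that is bound to a
# non-loopback address and whose port is not in the allowlist.
# $1 = ss-style listing, $2 = space-separated allowed ports.
unexpected_listeners() {
    printf '%s\n' "$1" | while read -r state recvq sendq local peer; do
        addr=${local%:*}     # everything before the last colon
        port=${local##*:}    # everything after the last colon
        # Loopback-only services do not face the network; skip them.
        case "$addr" in 127.*|\[::1\]) continue ;; esac
        for allowed in $2; do
            [ "$port" = "$allowed" ] && continue 2
        done
        echo "$port $(port_name "$port")"
    done
}

# Number of unexpected listeners; zero means the shadow is as small as planned.
unexpected_count() {
    unexpected_listeners "$1" "$2" | wc -l | tr -d ' '
}

unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PORTS"
```

Run against live output with `unexpected_listeners "$(ss -Hltn)" "$ALLOWED_PORTS"`; each line printed is a service to justify or remove.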
It also helps not to move suddenly when someone flips over a leaf… but I’ve not yet figured out exactly how that applies to business.
Mythic Monday – Rolling Along
- At November 09, 2009
- By Josh More
- In Mythology
There’s often something lacking when I read Native American mythology. Perhaps that form of mythology uses a different form of logic, perhaps the stories are fragmentary, or perhaps it’s because the original tellings were oral and participatory and it just doesn’t carry over to the written word. However, once in a while, you get a myth like this:
Why the sun rolls along
Sun was warned by a messenger, “Someone is coming to kill you.”
Soon a person came along and seized the Sun. He threw him toward the East, but Sun came back. He threw him toward the South, but Sun came back. The evil one came toward Sun again, but Sun began to roll along. Sun rolled and rolled and rolled along. He rolls along to this very day.
(From Shasta Indian Tales by Rosemary Holsinger.)
Clearly, there is something missing here. Such myths raise more questions than they answer… but lucky for us, this isn’t a mythology blog, so we can leave the questions alone. The point here is that the sun just keeps on rolling, no matter how the evil person tries to kill him. As with many things, it’s all about persistence.
I’ve had numerous projects in the works for years, and at some point, they just stopped moving forward. Due to a lack of energy on my part and other pressing concerns, progress just ceased. There’s only so much time in a day (mostly because Sun keeps on moving), and it’s sometimes not possible to keep everything progressing; something has to stop in order for other things to continue. Last week, my blog stopped. I had taken a week of vacation to make some progress on another project. I had worked up a buffer of blog posts to cover the time I wouldn’t be paying attention to the blog… but I forgot about the post-push resting period.
Oops.
The nice thing about being a mythic character such as Sun, is that you only have one thing on which to focus. (Well, two if you count “rolling along” and “being glowy”.) Here in the real world, we often have too many things going on to “keep on rolling” on more than one. For me, the one thing that is always 100% consistent is monitoring security posture. Things change every day. In fact, just over the weekend, we got reports of an iPhone attack, a discussion on legacy systems, and a revival of an old attack. Last month, there was a huge amount of malware to keep on top of as well as numerous patches from major vendors. The threats never stop, so those of us in security have to keep on rolling.
Unfortunately, this means that other things have to be dropped sometimes. But hey, even Sun sometimes takes a day off, so I don’t feel that bad. I’ll just try to pick things back up and get to posting again. Hopefully I won’t miss too many days as I get things running again.
Security Lessons From Nature – Pangolin
- At October 27, 2009
- By Josh More
- In Natural History
Normally in this section I pick one aspect of the natural world and focus on the security ramifications of that animal or adaptation. However, this doesn’t really do justice to the complexities that surround security posture. So today, we’re going to look at the pangolin.
Now, you can either hit the link and read all about it, or we can play the build-an-animal game. (The game is more fun.)
- Start with an anteater.
- Give it huge sharp claws.
- Now grant it the ability to spray a stinky acid like a skunk.
- Take the scales off a fish and glue them to the anteater.
- Thicken the scales so it’s armored like an armadillo.
- Sharpen each scale so it’s razor sharp.
- Oh yeah, they’re also good at tunneling and swimming.
- Now just for fun, let’s expand their brains and make them little Houdinis.
Now let’s think for a minute about the threats that could have provoked such defenses. Before we had an anteater, we must have started with ants. That’s all well and good. After all, who doesn’t love a yummy meal of ants? Well, other than the ants, I guess. In the US, ants tend to build nests underground and just pile up the dirt outside. However, in anteater territory, ant and termite mounds are heavily armored, so our pangolins need big sharp claws to get to their food. Now, not only are ants yummy, but in areas where hyenas roam, so are pangolins.
Of course, the easiest way to make the annoying creatures go away is to spray them with a noxious fluid… though one has to wonder exactly how that particular defense mechanism came about.
Then there are the roaming large felines. Where those abound, it helps to grow large, thick scales to protect yourself. Now, generally speaking, if you grew up in a world where your biggest threats are jaguarundi and sabertooth tigers (with respective Bite Force Quotients (BFQ) of 75 and 78), regular armor is probably fine. However, if your predators are clouded leopards and tigers (BFQs of 137 and 127 respectively), regular armor is apparently insufficient, and you need razor sharp scales instead.
So here you are, safe against the abundant predators of Southeast Asia… except for those pesky humans. People of the area like to eat them and use parts of them for medicine. Since humans tend to use tools that render claws, razor scales and explosive scent ineffective, it’s important to be able to run away. Thus, it helps to learn how to dig intricate tunnels and learn to swim out of range of these tools. Of course, some humans still manage to capture some pangolins, so it’s quite helpful to be able to escape with ease.
Thus, through simple defenses against ordinary threats, we get an animal that seems almost mythological in its complexity. The same applies to business. We tend to build very complex systems with numerous layers of defenses, but each of them is targeted at attacks that manage to get through the outer layer of defenses.
We hardened systems, but attackers got through. We created firewalls, but attackers got through. We added application awareness to the firewalls, but attackers worked within the applications. We added kernel-level hooks to restrict what the application can do, and attackers still managed to get personal data. More recently, we’ve added Network Access Control, Data Loss Prevention, Buffer Overflow Protection and others. Of course, it’s just a matter of time until the attackers start working against those too.
Like the pangolin, we have to pay attention to new threats and adapt to new threats. If we don’t, well, the pangolin has an answer for that too.
Thanks to dotpolka for the use of the photo.
Mythic Monday – Aesop: The Dog, The Rooster and the Fox
- At October 26, 2009
- By Josh More
- In Mythology, Natural History
This isn’t one of Aesop’s more commonly known fables. Like most of them, it’s quite simple. Essentially, a dog and rooster are friends (we ignore the improbability of that bit), and are taking a bit of a holiday. As they come to the end of the day, they decide to go to sleep. As is their nature, the rooster perches atop a hollow tree and the dog curls up to sleep inside the tree.
When morning comes, the rooster crows, and attracts the attention of a fox. The fox invites the rooster home for breakfast. The rooster, being wise (demonstrating again that this is a fable and not reality), tells the fox that he is regrettably unable to accept such a generous offer, but instead invites the fox to join him inside the tree. The fox (seemingly unable to smell the dog within) enters the tree and is promptly devoured.
Clearly, the lesson that Aesop wished us to learn was to beware the rooster. However, it is also quite possible that Aesop was covering for the known illegal leanings of roosters and dogs. This dastardly duo was singlehandedly responsible for the massive reduction of the fox population in ancient Greece. This is much as how modern phishers work.
Security attacks have gotten sufficiently complex that different people are better at different aspects. Some attackers are best at writing malware and others are best at sending the emails that distribute the malware. So, just like the dog and rooster, they have gotten good at working together. By each relying upon their best skills, they can take over (attract and eat) various targeted computers (foxes).
Of course, this only works on foxes that aren’t paying attention. If the fox in the story had simply stopped to realize that:
- Roosters tend not to live in hollow trees.
- Dogs have a noticeable odor… especially for foxes.
The same applies to phishing emails.
- Organizations such as the FBI and IRS are generally not in the habit of emailing people.
- Phishing spam also has a noticeable odor (spear phishing is a bit different).
At the core, email is not 100% deliverable. If anything is extremely important (as something from the FBI or IRS would be), it would come in a manner that is more reliable. Registered letters and phone calls tend to be popular. Similarly, if someone has your email address, wouldn’t it make sense that they already have your name, phone number and other personal information? If an email asks you to “verify” your information, it’s good to be suspicious.
Above all, unlike the fox in the story (and just like foxes in real life) it pays to be wary.