Not Another 2011 Security Predictions Post
- At January 04, 2011
- By Josh More
- In Business Security
Well, it’s that time of year again. I’m not talking about “vacation’s over and now we have to actually work” or the “let’s all resolve to exercise until Feb 1”. I’m talking about the annual tradition of making security predictions for the coming year. It seems that every year more companies use this time to look for problems in the upcoming year. Everyone says pretty much the same things: malware is going to get worse, mobile devices will be targeted, social media will be targeted, a big company that’s generally low on the radar will get hit big time, millions of dollars will be lost, cyberwar will knock us back to the stone age, and there’s a monster at the end of this post. (I may have made up the last two.)
It happens every year, and frankly, I’m tired of it. There’s little significantly different between 2011 and 2010, just like there was little different between 2010 and 2009, or any previous year. In fact, there are only two big trends that matter.
Big Trends
- Defenders will try to defend the best they can with limited resources.
- Attackers will try to attack the best they can with limited resources.
Of course, there are subtle effects as these trends play against one another. For example, if the defenders all invest in antimalware, the attackers will get better at writing malware. If the defenders all focus on monitoring their logs, the attackers will get better at hiding what they do from the logs. It’s your classic arms race… with one exception. Every time the defenders put a defense in place, they lose resources, and every time an attacker wins, they gain resources. Sadly, this brings us to the two differences between 2010 and 2011.
Differences: 2010 and 2011
- The defenders will have fewer resources.
- The attackers will have more resources.
See, every time an attacker successfully hits a business and steals half a million dollars, that’s half a million dollars that goes straight into attacking other businesses. As the successful attacks build upon one another, the attackers can build their infrastructure and fine tune their operation. Sadly, as time goes by, the defenders lose out. If they were successfully attacked, resources were either stolen directly or will be slowly leached away in terms of higher insurance premiums, lost customers and the like. If they were not successfully attacked, they often face the difficulty of explaining why they need still more resources when they have nothing to show for what they spent in the previous year.
So it appears as though the game is rigged. The attackers are going to win and the defenders are going to lose… right? Well, kinda. Fortunately, there is one single magic mitigating factor.
Magic Factor
- No two organizations are identical.
This, right here, is what is going to help the defenders. See, if you have two people defending their business and one person invests in security and the other one doesn’t, the attacker is going to go after the one that didn’t. Burglars only rob a house with the security system if there’s either some pretty fancy stuff in that house or if all the other houses have security systems. Lions and wolves go after the sick and the old in the herd. There’s less risk and therefore a greater potential reward for doing so. As the old story goes, if you’re hiking in the woods with a friend and are attacked by a bear, you don’t have to outrun the bear… just your friend.
The same thing applies to business. You don’t need to invest in every single security technology. Your office doesn’t have to look like the lair of a Bond villain. You don’t need your computer to read your fingerprint, scan your retina and get a drop of blood to log in. You just have to invest a little bit more and a little bit smarter than the average.
… which brings me to my security predictions of 2011.
- The majority of businesses will continue to under-invest in many aspects of their business, including security.
- Of the businesses that do invest, many will do so reactively and without proper analysis, in effect throwing good money after bad.
- A great many businesses will be breached… far more than we’d like, but by no means all of them.
- Some attackers are going to get rich and retire. Others will get caught. Those still at it will learn from others and get smarter about attacks.
- The handful of businesses that learn from one another and get smarter about defense will be in a much better position than those that do not.
- Many businesses will continue to believe themselves secure because they purchased a firewall/antimalware/magic box. Security is not bought, it is created day to day, month to month and year to year through intelligent investment and operations.
In short, the strong and smart will survive, the weak and lazy will not. It’s the way of the world.
Of course, those don’t help you to decide what to do, as we’ve still not discussed what “average” is. What do you need to do to be one better than your competitors? While I clearly can’t speak for your business specifically, in general…
- If you don’t have antimalware, get it and check it daily. – Malware is one of the prime tools in the attackers’ arsenals.
- If you don’t have web filtering, get it, tune it and check it weekly. – A shocking number of attacks come in via the web.
- If you don’t have antispam and email encryption, get it and check it monthly. – Email is right up there with web for attack vectors.
- If you’re not patching your systems, start and do it (at least) weekly. – If you’re not fixing your problems, it’s just too easy.
- If you’re not reviewing your logs, start or outsource it. – Most attacks show up in logs, but if you’re not looking you won’t see them.
There’s a lot more I could go into, like vulnerability assessments, security training, etc. However, if you’re not doing all five of these you’re behind the curve and are a prime target. Fix these first to buy the time to make the bigger changes.
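The last item on that list, reviewing logs, is the one most often skipped because nobody knows what "looking" should mean in practice. As an added example (not code from the original post), here is the kind of small daily check that turns raw auth logs into something a busy administrator will actually read: it scans sshd-style lines for password guessing and flags a source that finally succeeds after a burst of failures. The log lines, hostnames and addresses are constructed samples, and the five-failure threshold is an assumed tuning value.

```python
"""Added example (not from the original post): a minimal daily log-review
check. It scans sshd-style auth log lines for password guessing and flags a
source that succeeds after many failures. Sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample log in syslog/sshd format; hosts and IPs are made up.
SAMPLE_LOG = """\
Jan  3 09:12:01 fileserver sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 50112 ssh2
Jan  3 09:12:03 fileserver sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 50114 ssh2
Jan  3 09:12:05 fileserver sshd[2205]: Failed password for root from 198.51.100.23 port 50116 ssh2
Jan  3 09:12:07 fileserver sshd[2207]: Failed password for root from 198.51.100.23 port 50118 ssh2
Jan  3 09:12:09 fileserver sshd[2209]: Failed password for root from 198.51.100.23 port 50120 ssh2
Jan  3 09:12:11 fileserver sshd[2211]: Failed password for root from 198.51.100.23 port 50122 ssh2
Jan  3 09:12:14 fileserver sshd[2213]: Accepted password for root from 198.51.100.23 port 50124 ssh2
Jan  3 09:30:40 fileserver sshd[2290]: Failed password for jsmith from 192.0.2.10 port 41002 ssh2
Jan  3 09:30:52 fileserver sshd[2292]: Accepted password for jsmith from 192.0.2.10 port 41004 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as sshd writes them.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def review_auth_log(text, fail_threshold=5):
    """Return findings: sources that hit the failure threshold, and any
    success that followed repeated failures from the same source."""
    failures = defaultdict(int)
    findings = {"brute_force": [], "success_after_failures": []}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication result line
        ip, user, result = m.group("ip"), m.group("user"), m.group("result")
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] == fail_threshold:  # report each source once
                findings["brute_force"].append(ip)
        elif failures[ip] >= 2:
            # A login that lands after a run of failures deserves a human look.
            findings["success_after_failures"].append((ip, user, failures[ip]))
    return findings


if __name__ == "__main__":
    for kind, items in review_auth_log(SAMPLE_LOG).items():
        print(kind, items)
```

A real deployment would feed this from the previous day's log and mail the findings; one typo by a legitimate user (the jsmith lines) stays below the threshold, while the six failures followed by a root login from the same address are exactly the thing a daily review should surface.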
Don't Poke the Bear
The world is abuzz today with the news of Gawker’s passwords being leaked. Rest assured, this will not be yet another “the sky is falling” post or yet another hasty analysis of what happened. If you want a good overview, please read Daniel Kennedy’s excellent post over on Forbes.com. If you want to know what it means to the security community, todb’s Metasploit post is good.
No, instead, the only specifics you need to know about this attack is that it hit Gawker, and Gawker owns sites like Lifehacker, Gizmodo and io9 and if you had an account there, you should change your password (details here). If you used that password in other places, you should change it there too. It looks as though Gawker was using poor security on their servers and in the way that they stored passwords. That’s all I’m going to say about the tech. Instead, I’m going to talk about hiking.
I like hiking. You get to be outside, you get to see beautiful scenery and enjoy the air. You get to interact with all sorts of wildlife. On my hikes, I’ve seen butterflies, frogs, rabbits, birds and even things like raccoons. I’ve known people who get far more into hiking than I do, and they report seeing even neater animals like rattlesnakes, wolves, cougars and bears.
Now, when one goes out hiking, one takes on a certain amount of risk. Usually, the risk is much lower than the risk one takes driving to the hiking trail, but I’m not going to get into safety statistics either. The point is that good hikers know to take certain precautions. For example, I’ve been hiking in rattlesnake country. There are lots of ways to deal with rattlesnakes. Here are some examples:
1) Hike where they don’t live.
2) Wear tough boots.
3) Make noise as you walk.
4) Bring a first aid kit with you in case you get bit.
5) Bring anti-venom with you in case you get bit.
6) Wear a full suit of armor.
7) Deploy a fully-automated hunter-killer drone ahead of you.
See, the fundamental problem here isn’t that rattlesnakes have mouths full of nasty venom that can clot your blood, destroy your limbs or kill your brain. The problem isn’t even that they bite you in less than half a second. The problem is that most rattlesnakes don’t want to bite people, but sometimes people push them into it. After all, they have to wake up, do their little rattly thing, bite you, use up all their venom and then get away before you fall on them. It’s a royal hassle. Really, most rattlesnakes just want to go about their day, lounge in the sun, eat a rat or two and sometimes get busy making brand new baby rattlers.
This is true with most of nature’s threats. Leave them alone, and they’ll leave you alone. Even the ones that are bigger, faster and meaner than rattlesnakes. Cougars would rather eat a deer than a person. Wolves want to run around together. Bears mostly just want to sleep. (Sleeping is awesome!)
So what’s the point here? The thing is, with hiking you can choose your location, however, when you’re on the Internet you cannot. On the Internet there’s just the one hiking “location”. You can look at different things on your hike, but it’s always in the same place… and in that place live all sorts of poisonous snakes, wolves and bears (and even nastier things). You can’t not hike there… and it’s crazy to go everywhere fully armed. It’s no fun to go hiking fully armored, and too expensive to get a ton of drones, much less adding armaments.
No, whether you’re hiking or using the Internet, there are two simple rules:
1) Take basic precautions.
2) Don’t be stupid.
For example, in the hiking world, you wear good boots and carry a walking stick. In the Internet world, you run a modern antimalware system and harden your servers. In the hiking world, you avoid walking on cliffs, don’t stick your hands into dark crevices and don’t poke any sleeping bears you may see. On the Internet, you avoid the nastier sites, keep your systems patched and don’t tick off people with more time and inclination to harm you than you have to defend against it.
Gawker found a sleeping bear. They poked it with a stick. They got mauled. End of story.
Lesson one of Internet security? Don’t poke the bear.
Been away for a while
- At October 10, 2010
- By Josh More
- In Business Security
“Hey Josh, where’ve you been?”, I hear you all asking. Over the last several months, you might have noticed a suspicious absence of security folks from the wider blogging world. The reason for this is pretty much “Sorry, been busy”, which I know isn’t much of an excuse. So here’s the deal. Security is hard. It’s always been technically complex, but recent events have combined to create something of a perfect storm. We like to divide the world into “good guys” and “bad guys”. In the past, it’s been a fairly even fight. However, with the global economic recession resulting in staff cuts, there are fewer good guys. Of course, with small budgets, there have been cuts on the technology side as well. At the same time, advances in malware technology have given the attackers some extremely impressive tools. These advances have been made possible due to unprecedented cooperation within multiple groups of organized crime.
So here we are, a reduced set of security practitioners trying to help businesses maximize security benefit for the dollar against a massive global network of highly skilled and highly paid criminals who are writing highly complex malware that goes far, far beyond your old school phishing attack with key logger. This post is going to focus on a specific type of financial attack. Odds are, if you’re reading this, you’re more interested in protection than the technical stuff, so we’ll break tradition and leap straight into that.
If you’re interested in hearing more about what this particular malware can do, there are technical links at the bottom of this post. For now, know that it’s a highly complex piece of financial malware which exists to steal money in any way it can. It runs on all versions of Windows and most common browsers. It’ll come in via email, web, PDF files, USB or any way that the attackers come up with. Small businesses and nonprofits are being targeted because they tend to have weak controls, but CEOs and CFOs are also being targeted as they tend to have more to lose.
Protections:
Within the industry, we often talk of security tradeoffs. Basically, there are costs to reducing risk… and these often go beyond mere dollars. My ultimate goal as a security consultant is to help a business make the appropriate decisions and balance security expenditure against the possible benefits. The following advice is what I believe to be true for most businesses, but please keep in mind that your particular business may have different requirements. To keep things simple, here are five technical and five financial recommendations.
T1) Use a dedicated system for financial transactions. Yes, it’s expensive, but a lot less expensive than having your money stolen. If you use the same computer to transfer money that you use to play Mafia Wars on Facebook, you’re just asking for trouble. If you’re using a shared system that’s not locked down, you might as well just cut the attacker a check… it’d save time.
T2) Use a dedicated firewall. Put a firewall between the dedicated financial workstation and both the Internet and internal network. Set it to use NAT and allow no traffic to flow from the Internet to the workstation. Allow the workstation to connect to your bank and the Microsoft and Adobe updates sites. Depending on your financial processing software, you may need more sites allowed… but keep it as minimal as possible. Only allow connections that it needs. The firewall should be a physical device as malware often disables local firewalls.
T3) Keep the workstation hardened and updated. Make it useless for anything other than financial processing. Don’t install Office. If you need to view docs or spreadsheets, install the free viewers from Microsoft. If you don’t need to view PDFs, keep Adobe as far away as possible. Update as soon as the updates are available. Forget about testing the MS patches, the vulnerability window is already negative, delaying patching is just stupid. Build your business processes to have a manual failover in case a patch breaks your financial transfer workstation. That’s a much better use of time than testing patches on a one-off system.
T4) Take away admin rights. I know it’s a pain to figure out what privileges you actually need to run that one app that is used every January to do taxes, but it’s less than the pain of recovering half a million dollars because someone had admin access and didn’t need it. If you can use Linux and Firefox, by all means, do so… it’s a lesser target. If you cannot, go with Windows 7. The UAC security controls in Windows 7 are excellent.
T5) Use a real antimalware program. The one that comes loaded on your workstation when you buy it from Dell/Best Buy isn’t going to cut it. Freebies aren’t going to cut it. Real programs cost real money. For specific recommendations, I like Sophos because of the enterprise control features. Being able to use device-based controls and lock down applications is very important here. If you really want to go light and accept the risks that come from reduced control, Kaspersky is a good second runner. In any case, if you detect malware running on your dedicated system, notify your financial institution immediately.
F1) Set your account to use dual controls. This means that one person in your organization has the ability to initiate payments but a second person must approve them. This makes the attackers’ job much more complicated, as they have to control two systems and synchronize data in order to steal money. If your financial institution does not offer this ability, we strongly recommend finding another institution.
F2) Some institutions allow you to create a list of companies and individuals who are authorized to receive payments (called Positive Pay or Whitelisting). This list should be created outside of the Internet banking system so that an attacker cannot simply add and authorize a new account. If you have this available to you, by all means use it! This can go a long way towards preventing your money from being transferred to money mules.
F3) Almost all institutions allow you to sign up for alerts. With these systems, you get emails (or, in some cases, text messages) whenever a transaction occurs. The faster you can respond to a suspicious transfer the more likely you will be to reverse it. Bank-to-bank transfers are nearly immediate and require the cooperation of the receiving bank to get the money back. The longer you wait the more likely that the money has moved on and more institutions will need to be involved, which makes recovery much less likely.
F4) Set limits wherever you can. Many systems allow you to limit the amount of money a particular person may transfer, the amount that may be transferred per day/week/month and the times at which transfers can occur. Of course, you run the risk of being prevented from transferring money when you really need to, but in most cases you can work around this with a phone call to your institution. The protections you get from limiting transfers are usually worth the occasional irritation when you have to work outside the norms.
F5) Utilize emerging technologies. Not all banks have these options, but if your bank can provide you with a two-factor authentication token, security software to facilitate secure transfers, out of band approval systems (phone, fax, text message, etc.) or analysis of payment patterns, take advantage of them. They’re usually free to inexpensive and will give you a much deeper level of financial protection than you would get otherwise.
F6) Bonus suggestion! Some accounts have overdraft protection in place. This sounds good if you are worried about occasionally spending more than you have. However, the flipside is that it could allow an attacker to steal more money than exists in the account. If you can get by without overdrafts, turn this protection off or, if you have to, at least set the protection level as low as you can.
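The financial controls F1, F2, F4 and F6 are strongest when they are applied together, because an attacker has to defeat every one of them for a single transfer. As an added example (not the post's own code, and not how any particular bank implements these features), here is one transfer-approval policy that composes dual control, a positive-pay list, per-transfer, daily and time-of-day limits, and an overdraft ceiling, and reports every reason a transfer fails rather than just the first. The payees, limits and transfers are constructed for illustration.

```python
"""Added example (not from the original post): the bank-side controls F1, F2,
F4 and F6 composed into a single transfer-approval policy. Names, limits and
transactions below are constructed; institutions implement their own versions."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Policy:
    positive_pay: set            # F2: payees authorized out of band (not via online banking)
    per_transfer_limit: int      # F4: largest single transfer an initiator may send
    daily_limit: int             # F4: total outbound per calendar day
    window: tuple = (8, 18)      # F4: hours (24h clock) in which transfers may run
    overdraft_allowed: int = 0   # F6: how far below zero the account may go (0 = off)


@dataclass
class Transfer:
    initiator: str
    approver: str                # F1: must be a second, different person
    payee: str
    amount: int
    when: datetime


def evaluate(t, policy, balance, sent_today):
    """Return the list of reasons to reject the transfer; an empty list means approve."""
    reasons = []
    if not t.approver or t.approver == t.initiator:
        reasons.append("dual control: approver must differ from initiator")
    if t.payee not in policy.positive_pay:
        reasons.append(f"positive pay: {t.payee!r} is not an authorized payee")
    if t.amount > policy.per_transfer_limit:
        reasons.append("limit: exceeds per-transfer limit")
    if sent_today + t.amount > policy.daily_limit:
        reasons.append("limit: exceeds daily total")
    start, end = policy.window
    if not (start <= t.when.hour < end):
        reasons.append("limit: outside permitted transfer hours")
    if balance - t.amount < -policy.overdraft_allowed:
        reasons.append("overdraft: transfer exceeds available funds")
    return reasons


# Constructed sample data: a normal vendor payment and a transfer that looks
# like what account-takeover malware attempts (self-approved, new payee, large,
# overnight, larger than the balance).
POLICY = Policy(positive_pay={"Acme Supplies", "Payroll Inc"},
                per_transfer_limit=25_000, daily_limit=60_000)
GOOD = Transfer("alice", "bob", "Acme Supplies", 12_000, datetime(2010, 10, 11, 10, 30))
BAD = Transfer("alice", "alice", "Mule Holdings LLC", 480_000, datetime(2010, 10, 11, 2, 15))

if __name__ == "__main__":
    for label, t in (("vendor payment", GOOD), ("suspicious transfer", BAD)):
        reasons = evaluate(t, POLICY, balance=50_000, sent_today=0)
        print(label, "->", "approved" if not reasons else reasons)
```

Note that the overdraft check is the only one of these that limits how much can be lost rather than whether a transfer happens at all, which is why F6 matters even when the other controls are in place.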
In the end, a combination of technical and financial controls will go a long way towards protecting you, but implementing them will require you to change your business processes. If you’re a CEO, CFO or owner you’re lucky. If you’re not, you may need to set up a meeting with your C-level people. They need to understand that they are being targeted personally because of their role. They need to know that the online systems are being manipulated. The balance reported on an infected system will be altered to hide the malware’s activities. They also need to understand that there is no 100% solution. What I recommend here is a good start, but they could still have problems if the attacker is persistent.
Technical Links:
- Zeus overview on Wikipedia
- Recent arrests related to this malware
- Zeus Tracker (This site is often attacked and may not be available.)
- SecureWorks Threat Overview
- Sophos Threat Overview
- Zeus spreading to mobile phones
Firefox Profiles
- At April 27, 2010
- By Josh More
- In Business Security
I’ve been absent from this blog for a while. Other projects are occupying my time. I hope to return to regular blogging soon… but it may be a bit longer yet.
However, one of my projects involved getting a new laptop. Since getting a new laptop is a good excuse to redo things and do them better, I decided to take a closer look at my Firefox profile setup.
I play a lot of roles, ranging from security researcher to consultant. There are different Firefox configurations that I need for each, but it’s a pain to constantly log in to different user accounts. To make this process simpler, I decided to create four different Firefox profiles, each tuned to a specific set of tasks. What follows is a description of what I did under Linux. The same process should apply to other operating systems… but I’ve not tested them there. With one exception (noted) all add ons are from addons.mozilla.org.
Warning, geekery below this line.
I started with my basic add ons:
- Adblock Plus to prevent those annoying ads (and ad-based malware infections)
- Neo Diggler to give me a quick way to clear the location bar and give me the ability to add custom stuff
- No Script to prevent scripts from running. I did a quick whitelisting of the sites I use a lot (Google, Amazon, Alliance, LinkedIn, etc)
- Web of Trust to give me a hint before I click on a link.
- Tiny Menu to maximize screen real estate. (I love me the tiny laptops)
- TorButton for quickly accessing The Onion Router (requires installing additional software to utilize)
Sadly, LongURL is not supported on the new Firefox yet.
I restarted Firefox to activate everything and configured the plugins the way I like. I also customized the Nav bar and moved everything up to the Menu bar that TinyMenu made nice and small. Then I used the View menu to turn off Navigation and Bookmarks.
Then I went into Preferences->Privacy and set Firefox to “Never remember history” and suggest “Nothing”. I also cleared my history that was created thus far. In Preferences->Security, I told it to never remember passwords, block reported attack sites, web forgeries and add ons. (By not remembering passwords, I render myself less vulnerable to risk from theft of my profile directories, but more vulnerable to keyloggers… it’s a good tradeoff to me.)
I then shutdown Firefox and went into ~/.mozilla/firefox. I did a cp -a of my profile directory to other names (this bit would be different on Windows):
cd ~/.mozilla/firefox
cp -a blahblah.default research
cp -a blahblah.default paranoid
cp -a blahblah.default webdev
Then I edited profiles.ini and copied the four top lines of [Profile0] to new blocks for Profiles 1 through 3. I edited the Name and Path to reflect each of my new profile directories (research, paranoid, webdev). I edited the Firefox launcher and appended “-ProfileManager --no-remote” to the “run command”. This way, when I click on the little icon, Firefox will prompt me for the profile I want each time I launch it, and it lets me run multiple profiles at once.
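The copy-and-edit steps above are easy to get subtly wrong by hand (a duplicated [ProfileN] index, or a Path that does not match the directory), so here they are as a script. This is an added example, not the post's own procedure or anything from Mozilla: it reads profiles.ini, finds the profile marked Default=1, copies its directory under each new name (the copytree call stands in for cp -a) and appends a matching [ProfileN] section. The demo() function builds a throwaway look-alike of ~/.mozilla/firefox so it runs without touching a real profile; the profile directory name blahblah.default and the three profile names are the ones the post uses.

```python
"""Added example (not from the original post): automate cloning a Firefox
profile and registering the copies in profiles.ini. demo() builds a constructed
stand-in for ~/.mozilla/firefox so nothing real is modified."""
import configparser
import os
import shutil
import tempfile

NEW_PROFILES = ("research", "paranoid", "webdev")


def clone_profiles(firefox_dir, new_names=NEW_PROFILES):
    """Copy the Default=1 profile under each new name and add [ProfileN] entries."""
    ini_path = os.path.join(firefox_dir, "profiles.ini")
    ini = configparser.ConfigParser(delimiters=("=",))
    ini.optionxform = str  # keep Name/Path/IsRelative capitalised as Firefox writes them
    ini.read(ini_path)
    profiles = [s for s in ini.sections() if s.startswith("Profile")]
    default = next(s for s in profiles if ini[s].get("Default") == "1")
    src = os.path.join(firefox_dir, ini[default]["Path"])
    next_index = max(int(s[len("Profile"):]) for s in profiles) + 1
    for name in new_names:
        shutil.copytree(src, os.path.join(firefox_dir, name))  # like cp -a (minus ownership)
        ini[f"Profile{next_index}"] = {"Name": name, "IsRelative": "1", "Path": name}
        next_index += 1
    with open(ini_path, "w") as fh:
        # Firefox expects Key=Value with no surrounding spaces.
        ini.write(fh, space_around_delimiters=False)
    return sorted(s for s in ini.sections() if s.startswith("Profile"))


def demo():
    """Run the clone against a constructed profiles directory; returns (sections, copied_ok)."""
    firefox_dir = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(firefox_dir, "blahblah.default"))
        with open(os.path.join(firefox_dir, "blahblah.default", "prefs.js"), "w") as fh:
            fh.write('user_pref("browser.startup.homepage", "about:blank");\n')
        with open(os.path.join(firefox_dir, "profiles.ini"), "w") as fh:
            fh.write("[General]\nStartWithLastProfile=1\n\n"
                     "[Profile0]\nName=default\nIsRelative=1\nPath=blahblah.default\nDefault=1\n")
        sections = clone_profiles(firefox_dir)
        copied = all(os.path.exists(os.path.join(firefox_dir, n, "prefs.js"))
                     for n in NEW_PROFILES)
        return sections, copied
    finally:
        shutil.rmtree(firefox_dir)


if __name__ == "__main__":
    print(demo())
```

After running the real thing against ~/.mozilla/firefox (with Firefox closed), launching with `firefox -ProfileManager --no-remote` shows the new entries in the chooser, exactly as the hand-edited file would.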
I then launched it and selected my “research” profile.
Here, I went back into Preferences->Privacy and told it to go ahead and remember history and make suggestions (as when I’m researching things, I often forget where I found things and what I searched on.) Then I installed the following add ons:
- Add N Edit Cookies for cookie manipulations
- HackBar for SQL injection fun
- PassiveRecon for exactly what it sounds like
- RefControl for mangling HTTP headers
- DeeperWeb for those occasional rambling searches.
Then I added the following search engines to the dropbox:
- Offensive Security Exploit Database
- Security Focus Vulns Search
- Security Wire Search
I’ll probably add more as I play with it. I’m still not used to using this feature to search the deep web. (Wonder if one could be written to access our corporate wiki?)
Then it was time to restart Firefox and activate, set preferences, yada yada yada.
After that, I restarted to access the “paranoid” profile. I went into Preferences->Security and turned on ALL warning messages. It’s annoying to use now, but that’s partly the point.
I set StartPage to my initial home page, using the “Generate Custom URL” feature on the site. Since I’m not storing any cookies at all, this is how it has to be done. I removed all search engines and added IxQuick HTTPS, Startpage HTTPS and Scroogle SSL. On the AddOn side, I added:
- Force-TLS to force HTTPS connections (though it really doesn’t do all I’d like it to)
- Certificate Patrol to track certificate details
- Perspectives for a paranoid check against SSL certificate alteration. This one is linked to from the Mozilla add ons site, but not installable from there.
I then disabled the CNNIC SSL certificate (Preferences->Advanced->Encryption->View Certificates->Authorities, scroll to “CNNIC ROOT”, click “Edit” and unselect “This certificate can also identify web sites”.) It’s a matter of debate as to whether or not this is necessary… but so long as it’s being debated, my paranoid side will be careful. (The other profiles don’t care. :)
Lastly, I installed the Orange Fox theme, which is ugly and garish, but since I wanted a visual reminder that I was in the paranoid profile, it was exactly what I wanted.
After another restart I entered the webdev side. The fun new add ons here were:
- Firebug for tracing DOM and CSS issues, which I don’t do much anymore, but it’s still nice to have.
- CodeBurner For Firebug to add reference to Firebug
- FlashGot for massive download fun on archive.org
- Greasemonkey for fixing stupid sites (and integrating with FlashGot to bypass trivial Javascript-implemented “security” checks)
- Live HTTP Headers for watching traffic in real time, when I don’t want to launch a real proxy
- Web Developer for the same reason as Firebug
From here, I am in a position to fire up the profiles as I need them, and am able to work on the web without worrying about my tools being available.
Advanced Persistent Threat (APT)
- At February 05, 2010
- By Josh More
- In Business Security
There has been a great deal of discussion in the security community about APT. The link covers it at a high level, but in a nutshell, it’s a type of hacking that is distinguished by people who have the time and money to target specific individuals and organizations. Since the number of resources (time and money) available to the attackers is at a much larger scale than what the defenders can muster, a lot of people are calling this a game changer.
As usual, the battle lines seem drawn along traditional lines, with both sides claiming that the other “doesn’t get it”. For a quick read, check out Richard Bejtlich’s post and MANDIANT’s post and, for a counterpoint, check out Gunnar Peterson’s.
Of course, they’re both right. Neither side gets it. Both are blind. Those that work enterprise security consulting see APT everywhere… mostly, I suspect, because in the enterprise security space you only call the consultants when it’s something particularly troublesome (like APT). Of course, once you’ve focused on APT, that’s what you get called in on, so the problem probably looks bigger than it is.
In contrast, those of us that don’t consult in those spaces don’t get those calls, so we don’t see it. We also probably don’t have the transparency needed to see such activity if it is going on in our organizations. So we minimize the threat.
So what do you do about APT?
I suggest that you consider the following checklist:
- Do you have a firewall?
- Does your firewall block outgoing connections?
- Do you have local antimalware running on all your endpoints?
- Do you have a web filtering solution in place?
- Is all access to all systems monitored and audited regularly?
- Do you have a process in place to pull all legacy systems off your network?
- Do you have a patch management system in place?
- Do you have a vulnerability management process in place?
- Do you match all system configurations against hardened templates?
- Do you have a data classification policy that applies to all your data?
- Are you encrypting your important data?
- Do you have a log retention and management infrastructure built?
- Are you running an IDS/IPS system?
- Do you have third party management systems in place?
- Are all of your web applications running in hardened stacks?
- Are you using web application firewalls?
- Are you using database firewalls?
- Do you have regular employee awareness training?
- Are complete penetration tests conducted against your organization?
- Do you have an Internet data monitoring and scrubbing policy in place?
If the answer to each question is “yes”, then you should worry about APT. This is not to say that if any of these are “no”, you don’t have APT going on in your environment. I’m saying that there’s no point pursuing a full on anti-APT strategy until you have the basics in place… and there are a lot of basics. I’m also not saying that any of these technologies will prevent APT (or any security issues), or that all problems even have technical solutions. These are just 20 questions that explore what a minimal and sufficient security solution looks like for the average business.
If you don’t have a minimal and sufficient security solution in place, it’s not that APT isn’t a threat or that an unknown enemy isn’t out to get you… it’s that you probably have more important things to be working on.
Security in the Harry Potter World
- At January 29, 2010
- By Josh More
- In Business Security
I recently picked up Harry Potter 6 on Blu-ray. While I’ve read all the books, I’ve generally not been much for the movies. (I prefer the pictures in my head.) However, there is a photographic beauty to these movies that is worth both the time and the money (especially when the box set of 1-5 was on 70% off recently)… so I’m watching them and remembering the stories.
As with most works of art, the easy path to drama is to create a security failure. It makes sense, after all. As a creator, you may have a need to push your characters at times, and the easy (lazy) way to push a character is to create a situation for them to react to. Thus, viewing the worlds as if they are real is a bit unfair… but on the other hand, nitpicking is fun.
In the world of Harry Potter, there are several security situations. The world of magic has to be kept a secret from all the muggles, the evil people have to be kept out of Hogwarts, and what is kept in Gringotts must stay in Gringotts. In fact, we know that there is some sort of magical muggle spy network, as Dumbledore knows to investigate Tom Riddle prior to his acceptance into Hogwarts. Why this same network can’t detect the attack upon Harry by the dementors in book/movie 5 is unclear. Clearly, they need to invest in redundancy for the system.
Similarly, Hogwarts seems to have a surprisingly difficult problem keeping students where they belong. It took until book/movie 6 before they put up a firewall around the school, and even then, attackers manage to encapsulate an attack within a legitimate source (Katie Bell), and the defenses also fail against Draco’s VPN bypass (terminated by vanishing cabinet). It seems that magic should be able to do better.
In contrast, Voldemort clearly knows a lot about security. He makes backup copies of his soul, just in case something happens (like a backfiring killing curse). Granted, the restoration process leaves a bit to be desired. If he really cared about operational availability, he would have tested the process and avoided that whole 12 year delay issue. (And here I thought 24 hours to deliver backup tapes from the offsite repository was a long time.)
Similarly, it’s been established that there is a thing called “a trace” that can detect when someone casts a spell. You’d think that they could use the same practice during quidditch matches to prevent the audience from interfering with the play… but they don’t. As a result, there are all sorts of amusing and dramatically-appropriate hijinks.
Lastly, in an environment where a bunch of students are awash in teenage hormones AND are constantly playing with potions AND know that love potions exist, you’d think that there would be an emergency bezoar in each dormitory. But there’s not.
It would be interesting to see what the world would be like if there were more audit-focused monitoring points, reactive response points and preventative spells. However, just as in the real world these sorts of technologies are tempered by the economics of the situation, in the fictional world there is a trade-off with dramatic tension. Sure, there are a lot of things that Dumbledore could have done to increase the relative safety of his charges, but to do so would have drastically reduced the possibilities for dramatic tension.
This would have reduced the number of books from 7 to likely 1 or 2. In our universe, Dumbledore lives for six whole books. If he had been a more protective head of Hogwarts, Voldemort may have been defeated much more quickly and the series would have been reduced. So, like most people, Dumbledore made a self-interested decision that had ramifications outside of himself. He got to live longer and be in an incredibly popular series of books and as a result, many of his students were placed in some wonderfully dramatic jeopardy. That’s something to consider, I suppose, when there are security decisions that you have to make.
Small Business Defense – Patch Management
- At December 17, 2009
- By Josh More
- In Business Security
- 0
There are three ways to approach this problem. The most common method is to ignore it, and apply patches as time permits. The logic here is that since applying patches can often require a maintenance window, it’s hard to balance the business’s needs against the risk of an attack by an unknown party. Since an increasing number of attacks are subtle, it’s quite easy to convince yourself that it’s not a big deal, and inadvertently accept more risk than you’d like. I don’t really recommend this method.
The second method is to fully embrace the situation and fork out the cash for a full patch management system. These solutions aren’t cheap, but they do allow you to view your entire environment from a single console. This way, you basically outsource the tedious job of keeping on top of everything and use the tool to make sure that all machines on the network are kept fully updated. Now, this solution doesn’t eliminate the need to schedule downtime to get the patches applied, but it does simplify matters significantly… at least when you are only running software that is monitored by the tool.
The third method is something of a middle solution. In situations where you either lack the budget for a patch management solution or are still investigating the varied options, you can simplify the process by doing a quick audit of each of your systems and uninstalling anything that isn’t needed. The key here is system classification:
- Development systems should not directly face the Internet.
- Production systems should not have development software on them.
- Production servers should not have workstation software on them (Office, Adobe Reader/Flash, web browsers).
By eliminating all unnecessary software, you can massively reduce your attack surface. Simply put, if software isn’t there, it cannot be exploited. Now, this doesn’t eliminate the necessity to keep the software that is there up to date, but in the process of removing what’s not needed, you can get a good idea as to what is there and monitor the patch releases for those few projects. It’s not pleasant, but it is doable.
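The audit described above, as an added example that is not code from the original post: a small Python script that reads a per-system inventory (the inventory lines below are constructed), applies the three classification rules, reports what should be uninstalled, and then prints the short list of software that is left, which is exactly the list whose patch releases you then need to watch. The package names in the policy sets are illustrative assumptions, not a complete catalogue.

```python
"""Role-based software audit: flag what doesn't belong on a host.

Added example, not code from the original post. The inventory text below
is constructed, and the package names used in the policy sets are
illustrative assumptions; substitute your own package inventory export.
"""
from dataclasses import dataclass

# Software classes that the post says do not belong on certain roles.
# Names are assumed examples of each class, not an exhaustive list.
DEV_TOOLS = {"gcc", "make", "git", "python3-dev", "visual-studio"}
WORKSTATION_APPS = {"microsoft-office", "adobe-reader", "adobe-flash", "firefox", "chrome"}

# Packages forbidden per role. Development systems may carry anything,
# but must not be Internet-facing (checked separately in audit_host).
FORBIDDEN = {
    "production": DEV_TOOLS | WORKSTATION_APPS,
    "development": set(),
}


@dataclass
class Host:
    name: str
    role: str
    internet_facing: bool
    packages: set


def parse_inventory(text):
    """Parse 'host role internet-facing packages' lines into Host records."""
    hosts = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, role, facing, pkgs = line.split()
        hosts.append(Host(name, role, facing == "yes", set(pkgs.split(","))))
    return hosts


def audit_host(host):
    """Return findings for one host: role violations and packages to remove."""
    findings = []
    if host.role == "development" and host.internet_facing:
        findings.append(f"{host.name}: development system is Internet-facing")
    for pkg in sorted(host.packages & FORBIDDEN.get(host.role, set())):
        findings.append(f"{host.name}: remove {pkg} (not allowed on {host.role})")
    return findings


def patch_watchlist(hosts):
    """Software left after the cleanup: the short list whose patches you must track."""
    keep = set()
    for h in hosts:
        keep |= h.packages - FORBIDDEN.get(h.role, set())
    return sorted(keep)


# Constructed inventory, the kind of export a quick per-system audit produces.
INVENTORY = """
# host   role         internet-facing  packages
web01    production   yes              nginx,openssl,adobe-reader,gcc
db01     production   no               postgresql,openssl,firefox
dev01    development  yes              git,gcc,python3-dev,firefox
"""

if __name__ == "__main__":
    hosts = parse_inventory(INVENTORY)
    for h in hosts:
        for finding in audit_host(h):
            print(finding)
    print("track patches for:", ", ".join(patch_watchlist(hosts)))
```

The watchlist is the useful output: once the workstation and development software is off the production boxes, the set of projects whose release notes you have to follow shrinks to a handful, which is what makes the third approach workable without a paid patch management console.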
Small Business Attack – Patch Tuesday (and others)
- At December 16, 2009
- By Josh More
- In Business Security
- 0
Every month, on the second Tuesday, Microsoft releases a set of patches to their software. They’re ranked in various ways, based on what they correct and how critical they may be. Then, two things happen:
First of all, various security groups review them and start posting their opinions (I prefer the Internet Storm Center synopsis). After that, those of us with more internally-focused positions start reviewing the various summaries by both the security groups and Microsoft and work up an internal plan to test and deploy the patches appropriately. Then, once everything looks right, we start deploying the patches to make sure that everything is nice and secure.
Secondly, the various more selfish security groups also review them… but in a slightly different way. They investigate what the patches correct and start trying to come up with malicious code that exploits the problem. Then, at the same time that we’re reviewing the patches for our environment, they’re running tests against various other systems. If we’re lucky, at the time that we’re deploying the patches on our systems, they’re deploying the new malware against our systems. If we’re not lucky, they beat us to the punch.
Of course, this is a somewhat simplified scenario. There are a great many more vendors than Microsoft, so this cycle doesn’t really take place on a monthly basis. Some vendors release updates on a quarterly basis, some are yearly and some are pretty much whenever they feel like it. So really, each day is a steady flood of vulnerability information and, if we’re lucky, patches to go along with them.
If you can stay on top of the flood, you can keep your systems somewhat protected. Of course, if you miss something, you leave a hole that an attacker can easily find.
So what do you do about it?
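One way to see whether you are keeping up with that flood, as an added example that is not code from the original post: a patch-lag report in Python that compares installed versions against a vendor advisory feed and reports, worst first, how many days each fix has been public while a host still runs the older version. The advisory feed, host inventory, product names, versions and dates are all constructed for the example; a real run would read a vendor feed and an inventory export.

```python
"""Patch-lag report: which hosts are behind a vendor fix, and for how long.

Added example, not code from the original post. The advisory feed, host
inventory, product names, versions and dates are all constructed to show
the mechanics; a real run would read a vendor feed and an inventory export.
"""
from datetime import date


def parse_version(v):
    """Dotted numeric versions only (e.g. '2.4.1'); vendor-specific schemes need their own parser."""
    return tuple(int(part) for part in v.split("."))


# Constructed advisory feed: (product, first fixed version, release date).
# Cadences differ by vendor, as the post notes: monthly, quarterly, ad hoc.
ADVISORIES = [
    ("widgetd", "2.4.1", date(2009, 12, 8)),    # monthly "Patch Tuesday" style drop
    ("acme-db", "11.0.3", date(2009, 10, 20)),  # quarterly vendor release
    ("libfoo", "1.9.2", date(2009, 12, 15)),    # ad hoc fix
]

# Constructed inventory: installed version per product per host.
HOSTS = {
    "web01": {"widgetd": "2.4.0", "libfoo": "1.9.2"},
    "db01": {"acme-db": "11.0.1", "libfoo": "1.8.7"},
    "app02": {"widgetd": "2.4.1", "acme-db": "11.0.3"},
}

# Constructed "today" for the report so the numbers are reproducible.
AS_OF = date(2009, 12, 16)


def missing_patches(hosts, advisories, today):
    """Hosts running a version below the fixed one, worst exposure first.

    days_exposed counts from the vendor's release date: the window in which
    the fix is public and can be studied while the host is still unpatched.
    """
    report = []
    for host, installed in hosts.items():
        for product, fixed, released in advisories:
            if product not in installed:
                continue
            if parse_version(installed[product]) < parse_version(fixed):
                report.append({
                    "host": host,
                    "product": product,
                    "installed": installed[product],
                    "fixed": fixed,
                    "days_exposed": (today - released).days,
                })
    return sorted(report, key=lambda r: (-r["days_exposed"], r["host"]))


def fully_patched(hosts, advisories, today):
    """Hosts with no outstanding advisories."""
    behind = {r["host"] for r in missing_patches(hosts, advisories, today)}
    return sorted(set(hosts) - behind)


if __name__ == "__main__":
    for r in missing_patches(HOSTS, ADVISORIES, AS_OF):
        print(f"{r['host']}: {r['product']} {r['installed']} < {r['fixed']}, "
              f"fix public for {r['days_exposed']} days")
    print("fully patched:", fully_patched(HOSTS, ADVISORIES, AS_OF))
```

Sorting by days exposed rather than by host is deliberate: the quarterly vendor's fix that has been public for two months is the one most likely to have been reverse-engineered already, so it should be at the top of the deployment plan even though the monthly drop is the one everyone is talking about that week.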
Small Business Defense – Plans and Flexibility
- At December 10, 2009
- By Josh More
- In Business Security
- 0
In the event mentioned yesterday, the business was utterly without power. This sort of event had never been planned for, and since we were a technology company, all of our client information was inaccessible due to the outage. Inbound phone and Internet were down.
In that particular case, I believe we all looked at one another, shrugged and pulled out some snacks and started playing poker while we waited for power to be restored. (It was a very small business and we were all fairly young.) After a while, one of us got the bright idea to call the phone company and set up a temporary redirect of calls to some of our cell phones. Someone else carried the workstation that doubled as a fileserver over to a neighboring business so we could fire it up and get the client contact information, so we could start calling out to let people know about the situation.
We wouldn’t connect to the remote systems via modem, but we had decent memories and it worked out OK. The clients were understanding and while we lost some productivity, it didn’t impact us too badly.
Which, really, is the point of this. We in the security world like planning and mitigation. We like it a lot. We might even like it a bit too much. See, it’s not all doom and gloom. Sometimes, bad things happen, and it all works out OK.
In a large enterprise, you have a complex infrastructure that has a lot of moving and inter-related parts, and if there is a massive failure, it’s simply not feasible to shut it down or move it. The financial cost of such an outage can get into the millions of dollars, so it makes sense to devote some resources to coming up with recovery plans. It can take months to build one and then more months to implement it. Then you have to test it.
In small business, you may not need to do this. Should you? Probably. However, not having a solid plan isn’t the end of the world; it’s just more risk. Just as in the rest of the business, you can look at risk vs. reward. It often doesn’t make sense to have a full plan that covers details for floods, fires, tornadoes and Godzilla attacks. If your infrastructure is small enough, your employees are good enough and your customers friendly enough, your plan can just be “if bad stuff happens, we’ll figure it out”. It’ll probably be OK.
However… it just might make sense to look at what you need to be flexible. Are your people really as good as you think? (Can you test this?) What about availability? If you rely on your people, how are you set for disasters that impact people? What if the backhoe had hit a gas main and some of your employees were injured during the disaster? (Or, more prosaically, suppose I had banged my head trying to get out of my dark “office” and been unable to accept incoming calls?)
So yes, by all means, avoid the tedious planning that no one wants to do. Bet your business on your people (which, really, you do every day anyway)… just be sure that your people will be able to do what you’re asking of them.
There’s more value in DR testing than just testing the systems, after all.