Articles

April 2011

From the Desk of the CTO

Continual Security Assessments

How often does your organization conduct a security assessment?  If compliance requirements and traditional audit practices are any indication, then the answer is probably “once per year.”

But how often do you make changes to your infrastructure?  How about your applications?  Is that answer still “once per year?”  I didn’t think so.  My guess is that you probably answered “monthly” or “weekly”... maybe even every other day.

With an environment that’s in a constant state of flux, how can you possibly keep it secure?

You can start by performing continual security assessments.

I honestly believe that annual security assessments are currently undervalued.  They are terrific tools for taking a point-in-time snapshot of your control set and your control gaps.  What’s more, a risk-based assessment can help you prioritize your security spend for the coming year, focusing your limited resources on areas that need attention right away.

Once your annual assessment is complete, it’s ESSENTIAL that you schedule smaller, recurring assessments that ask two key questions:

1)      What’s changed in our organization’s environment?

2)      What’s changed in the global information security landscape?

Every application or infrastructure change brings with it the risk of impacting the confidentiality, integrity, or availability of your business critical systems and data.  In addition to a solid change control process, make sure that the information security team has a pipeline into these changes.  During the recurring assessments, discuss these changes with respect to your annual assessment.  The sooner you align your security controls with the new environment, the sooner you close the window of opportunity for an attacker to exploit that control gap.

Likewise, continual assessments need to address how new and emerging threats might impact your organization.  Don’t wait for your next annual assessment to confirm what you knew nine months ago.  Stay current, and take the appropriate action sooner rather than later.

The output from an annual security assessment should be a living document that is at the core of your information security program, and continual security assessments can make that notion a reality.

April 2011

Security News

Are Your Users Immune to Social Engineering?  

Firewalls.  Antivirus.  Antispam.  Web Access Gateways.  Intrusion Detection Systems.  Encryption.  Data Loss Prevention. Et cetera.  When it comes to technical controls and countermeasures, we’ve got our stuff together.  We’re IT security professionals.  It’s what we do.

But I have yet to see a technical product capable of preventing our end users from sharing credentials with someone impersonating a help desk employee or clicking on a link in an email from a total stranger.

So what can we do to protect those users from social engineering attacks?

Realize that most people just want to be helpful.  That said, the information security team should deploy and maintain a core set of technical controls to protect users from themselves.  Start with this checklist:

·         OS Patch Management

·         Application Patch Management (Adobe, Java, Flash, etc.)

·         Antivirus

·         Host-Based Firewall

·         Web Access Gateway

·         Egress Filtering in the Firewall

·         Appropriate Access Controls (Principle of Least Privilege)

Phishing emails will attempt to lure users into visiting websites hosting malicious content, or perhaps prompting users for their login credentials.  By implementing the layered controls outlined in the checklist above, you can significantly reduce the likelihood of a successful exploit.

Most importantly however, EDUCATE YOUR USERS.

Annual security awareness training, combined with recurring reminders (e.g., security emails, newsletters, or posters) can go a long way toward determining whether or not your user clicks on that link or hangs up on that impostor and contacts the security team.

Finally, validate your efforts.  Perform social engineering tests throughout the year to gauge the effectiveness of your technical controls and training efforts.  Don’t leave anything to chance.

April 2011

Army of One

Epsilon Aftermath Will Expand Seriousness of 3rd Party Verification for Suppliers -- Is your firm ready?

Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers.  We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.

Frankly, as breaches Epsilon isn't a big of deal.    No protected information, just names and email addresses were taken.  And more sophisticated attacks have come and gone in the press largely unnoticed. 

Epsilon has received more attention than the more impactful breaches in part because it touched so many people.  Non techies are talking about it.  We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.

In fact it isn't just us that thinks that.The Wall Street Journal reported in Insulating Your Firm from Third Party Breaches that:

Experts suggest that companies that outsource technology services take some of the following steps:

• Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Standards Organization;
• Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
• Make sure vendors assume liability for breaches that affect customers and end users; and
• Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.

Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers.  These recommendations have been around for several years, however, the buzz from Epsilon has the potential to fuel the recommendations to reality.

This will impact you if you answer yes to any of the questions below:

• Your business is part of the supply or services chain for larger regulated firms.  We see most of the third party verification activity from firms that have regulatory obligations to HIPAA; PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley.  We have seen these type of firms apply the highest security and privacy standards to their vendors even if their vendors don’t process confidential or protected information.  Do you provide services to these types of firms?
• Your business provides a service that includes considerably volatile information.  If, for instance, you process non-protected personal information but it is somehow seen as critical to your client’s business or it’s relationship with its customers this might apply.  Or, if, for another instance, you process company confidential information such as trade secret related information.  Do you provide services to these types of firms?
• Firms in the supply chain stack.  You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses.  You know what they say about it rolling downhill.   Are you at the bottom of a supply chain?

Take action

If you answered yes to any of those questions we suggest the following:

1.  Look at your customer agreements with firms in the categories above. 

• Do any of those agreements place obligations on your company to protect your client’s information in a certain way? 
• Do they have the right to audit? 
• Have you told your IT team about these obligations? 
• Are you prepared to meet these obligations?

2.  Sit down with your technical leadership and discuss:

• Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
• Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
• If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months? 
• When the auditor arrives do we have documentation that defines our security programs values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
• If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
• Are we managing security well enough that we can create a competitive advantage over other firms in our class?  Can we use that advantage to build new business?

If your business provides business to regulated businesses upstream in your market we recommend you keep asking these questions until you feel comfortable with the answers.

March 2011

From the Desk of the CTO

They want to connect WHAT to the corporate network?

Smartphones and tablet devices are making their way into the workplace.  Unfortunately, the decision to connect these devices to the corporate network is often made without first consulting the IT department.  The worst part is that the information security team is frequently kept in the dark for fear that they would tell the business no.

But does security really need to say no to this request?

Of course not!  The security team should be helping the business find a way to do what they need to do securely.  Companies that embrace mobile technology in a safe and secure manner will reap the benefits that come from the increased connectivity and mobility.  The key to avoiding a security incident or data breach related to these devices is in the security details.

A few questions that the security team needs to ask the business:

·         Have we documented an acceptable use policy for mobile devices?

·         What information do we need to include in that policy?

·         How are we going to keep track of these devices?

·         What steps do we need to take to secure devices before they connect?

Permitting mobile devices in the workplace should be a business decision based on a clear business need.  Before that decision has been made, engage the security experts in order to ensure that you deploy those devices safely.  You need to involve the right players from the very beginning if you want to securely integrate mobile technology into your business processes.

Remember:  It’s better to end up in the news for a record-setting quarter, and not for a security incident that could have easily been avoided.

March 2011

Security News

Mobile malware is here…

Earlier this month, a variant of the Zeus Trojan was discovered on Blackberry mobile devices.  Zeus was created with one purpose: to grant criminals access to a victim’s bank account by compromising their online banking sessions.  Although Zeus has been around for years, the fact that it’s moved to the mobile device should have you asking one question: What am I doing to protect my users?

Whether you’re responsible for securing 5,000 mobile devices across three continents, or whether you’re the go-to IT person for your friends and family, you need to be prepared to address threats like mobile malware.

First and foremost, educate your users.  Teach them how to exercise caution when checking their email and browsing the Internet, especially from their mobile devices.  Consider installing an alternate mobile web browser if the default browser is riddled with security holes.

Second, introduce your users to mobile security applications.  For the home user, Lookout Mobile Security provides a free security app for Android, Blackberry, and Windows Mobile devices.   While this is a valid solution for the home user, it doesn’t solve the problem of malware on mobile devices connected to the corporate network.

Centralized mobile device management is the key for protecting mobile devices in the workplace.  Once you deploy a mobile device management solution, you can begin deploying enterprise-grade antimalware solutions to your mobile devices.

Having the ability to centrally manage security policies and monitor mobile endpoints is key if you want to protect your end users (and your corporate assets) from malicious software.

March 2011

Army of One

Doing More With Less

If you’re an information security professional, chances are the words “unfunded mandate” have come up more than once during your career.  Whether it’s compliance with regulations like HIPAA/HITECH and PCI, or the deployment of a new application or technology to enable the business, the available budget never seems to be enough to cover the work on the security team’s plate.

With so many priorities competing for so few resources, you’re probably asking yourself, “Where do I begin?”

Three words: Security Tool Optimization.

Most information security organizations have grown organically.  Chances are you started with a firewall, something to keep unauthorized users from accessing company resources.  Then you added antivirus, to prevent business operations from being interrupted by a virus outbreak.  Over time, you probably added an anti-spam solution, an Internet access gateway, patch management, intrusion detection, encryption, VPN, a vulnerability scanner… the list goes on and on.

Trying to maintain all those security point solutions is a nightmare.  You’re spending all of your time keeping these point solutions up and running, when your time would be better spent analyzing and addressing the specific risks that could have a significant negative impact on your business.

It’s time to take a step back and take stock of your environment, approaching the process with a fresh perspective.  Realize that your collection of security tools isn’t a burden.  It’s an opportunity.

Your company values information security enough to invest both capital funds and operating expense into deploying and maintaining security systems.  So what would happen if you combine three, four, even five of those point solutions into a single system?  You just might free up enough funds to:

·         Hire another security analyst.

·         Address a gap in your current control set by investing in a new technology.

·         Send your team to training.

·         Prove to the CIO that security isn’t a financial black hole.

Doing more with less is par for the course when it comes to information security.  Optimizing your existing information security toolset is the first step you need to take in order keep your security organization strong.

SIEM Innovation

The value of SOC/NOC convergence

August, 2010

From the Desk of the CTO

August, 2010

Security News

Credit card data – easy hunting

August, 2010

Army of One

Why INTELLIGENT logging should be a "must have", not a "nice to have"

July, 2010

From the Desk of the CTO

Make stolen data unusable

July, 2010

Security News

Prevention safeguards will fail

July, 2010

Army of One

Plugging data leak holes with egress filtering

1. To reduce the risk of data extrusion.  Cyber criminals steal data and sell it.  But before they can make any money, they have to get it off your network.  If your default egress policy allows “anything outbound”, then you’ve made the task of transferring the data very simple.  On the other hand, if you only allow certain communication methods from the inside to the Internet, you’ve complicated matters for the cyber-intruder.  He’ll need to find a different way to get the data out.  Even better, he might make a little noise as he searches for a communication path that’s allowed.  This should standout like a sore thumb.  For example, if you don’t allow outbound SSH from users, then any attempt to Secure FTP the data out will be blocked.  If you have a log management system (LMS), you can create rules that watch for blocked egress traffic, a clear sign that something isn’t right.  This leads to the second point.

2. To detect business logic violations.  There are certain things that should and shouldn’t happen on your network.  All the legitimate ways your departments, staff, systems, and applications work together is known as your business logic.  It describes the way things “should be.”  Once you know your business logic, you can use your firewall to block and alert when these rules are violated.  For example, everyone internally may be allowed to access the production database, but the database itself should never initiate an outbound connection to any external Internet hosts.  If it does, it might mean the database server is compromised and the intruder is attempting to transfer data.  With an egress filter in place, not only will this be blocked, but an alert should also be generated, giving you time to investigate proactively.