Solutionary Minds - Your Information Security Blog Source

At Solutionary, I wake up every day thinking about how else we can help our customers be more secure.  We want to bring our customers peace of mind, so they can focus on their business and worry more about the things that will bring them success in their markets.  

One area I’ve been focusing on lately is the risk associated with Microsoft’s Active Directory and how employees’ access is provisioned through its framework.   What I’ve discovered is that often, companies wrongly assume the risks associated with their domain controllers (servers that run Active Directory) are equivalent to the risks posed by other internal servers.  This is a dangerous myth.

Domain controllers allow users to log in daily, whether in the office or remote, and determine what internal domain assets the users have access to.  I can best describe this as “managed chaos”.  The risk here is very high.  Domain controllers are a single point of access to all domain assets for all internal employees (think border firewall, it’s just inside).  Security activities relevant to monitoring include user and group creation, privilege management, user authorizations, logins (success/fail), domain access (success/fail) and many others.  So, domain controllers can produce large volumes of logs, but they include high quality information.
The value of monitoring users’ access to all domain assets is high.  In addition, we find the cross device correlation value to be very high with this kind of data, especially when ActiveGuard® automatically ties user identity to millions of other devices logs’ reported activity.  

Servers, on the other hand, generally have specific applications running on them, and typically manage those applications’ access, not internal users’ access privileges.  Application behavior is usually much more predictable than user behavior.  The risk here is generally lower since a server is generally a single point of access to only its own assets and applications, not to the entire domain (think host based firewall).  Relevant activities to monitor can include access to the server and its application, and server administration.  

The value of monitoring this server is often much lower, and unfortunately often driven by a compliance check box that needs to be checked.   Further, the cross device correlation that ActiveGuard® automatically performs is often limited to the server IP address and to administrators that are accessing it, as opposed to the entire company’s employee data when ActiveGuard® correlates logs from domain controllers.

As a last bit of evidence, in our Security Operations Center (SOC), we investigate an order of magnitude (10x) more potential incidents originating from domain controllers than average servers.  (By the way, a humble thanks to the intelligence of ActiveGuard® people, processes and technology for making automatic cross device correlations and escalations possible!)
I hope this article supports an improved understanding of how domain controllers and servers differ from a security monitoring and risk perspective.  Finally, as always, with an improved prioritization of what to monitor and worry about, we hope peace of mind is delivered, so our customers succeed!

Recently I received a Solutionary Security Engineering Research Team (SERT) Emerging Threat Advisory notice regarding a Trojan specifically targeting the Mac called “Flashback”. This Trojan appeared to be an Adobe Flash update when in reality malicious software was installed on the client machine. Once installed, personal information from the users’ web browser sessions can be sent to remote servers. I found this somewhat amusing, because I have heard die hard Mac users (I won’t mention any names) boldly confess that the Mac is virtually immune to these types of vulnerabilities often seen in the wild. This is obviously not the case, and it got me wondering just how many Macs are out there compared to PC based platforms? Market share varies on who you ask, but is generally around 85-90% for Microsoft platforms, and about 5-10% for all MacOS systems. If there are something on the order of 30 million Mac systems in the real-world, that means that with as many as 600,000 systems infected with Flashback we saw a 2% infection rate. While your first thought may be “that’s not many”, you should consider that this was a platform that, for years, people have been preaching how safe Macs were.

Macs are Targets

I think one of the reasons you don’t hear about Mac specific vulnerabilities very often is simply because there are so many more PC based platforms out there that serve as “low hanging fruit” for would be hackers. That is changing however. For example, Gartner has estimated the Mac US market share to be about 10%. Security nerds have been saying for years that the main reason we have not seen as many Mac viruses as we have PC viruses is that there are just so many fewer Mac systems around. Perhaps we have a combination of events here, as critical mass of Mac volume combines with relative security complacency of Mac users and creating a perfect storm.

Keep your Mac Protected

SERT provided links in the Threat Advisory for additional information about Flashback that you may find helpful. I will also include a link where you can check to see if your machine has been infected.

Additional References:

http://www.pcworld.com/article/253361/apple_hits_flashback_trojan_with_second_java_update.html

http://news.cnet.com/8301-27076_3-57410050-248/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/

http://mashable.com/2012/04/05/mac-flashback-trojan-check/

Until Next Time

Special thanks to SERT and Jon Heimerl for additional technical consultation. Thanks very much for reading my friends. Until next time, and as always, ride safe, crank up the tunes, and stay secure!

Adding Context Around Data Can Make a Huge Difference in How you Manage and Protect Information.

Why is context important? Because without context, information is not really information; it is just data. Data is just “stuff”, while information is what that stuff means.

Would you like some plain language context for my point?

42.
African or European?
What are you, some kind of Pyjak?

My short list above just has “stuff”, unless you know how the data is used – unless you have context. Is “42” simply 6x7, or is it really the answer to life, the universe and everything? And if that is still insufficient, you will need the context of Douglas Adams (just Google “42”). If “African or European” are just words to you, you will need to the context of Monty Python. (Google “African or European”). “Pyjak” is probably the most obscure, and you won’t know it unless you know what video game I am currently playing (Google Pyjak).

Read the rest of my article at Security Week. 

It’s mid-April and it is one of my favorite times of the year: tax time (it is hard to write in a sarcastic tone…). Since I pay every year I always use it as an excuse to exercise my own security paranoia. Here are some tricks I use to protect my sensitive information:

1.    I prioritize my data, and identify my tax data as some of my most important. My tax forms include my income, interest, dividends, full address and Social Security Number. Since I e-file, they also include bank account information for my payments for that mythological thing called a “refund”. I am beginning to suspect that it is an urban legend, but if I ever get one I will still have my bank account information for that deposit.  I don’t know about your priorities, but to me, that type of data all ranks near the top of my list when I think about data I want to protect.

2.    I segregate my tax data from the rest of my environment. I store my tax files on an external drive. I make sure my tax software is updated while online, as well as my anti-malware and anti-virus software. I then remove the Ethernet cable from the back of my computer and do full system scans for viruses and malware. I connect my external drive, and do dedicated scans of the external drive. Only then do I open my tax form – so I have no network connectivity while my taxes are open. I don’t actually have my “tax-enabled” computer connected to the rest of my internal network until it is time to e-file.

3.    My “tax” folder on the external drive is encrypted. I also store a backup of my tax file on an encrypted thumb drive, which I actually store in my home safe. But, the most important point here is the word “encrypted.”

Excessive? Maybe so, but tax time emphasizes my own personal security program:
1.    Prioritize your data and identify your cool data.
2.    Segregate sensitive systems and information to the extent possible/practical.
3.    Encrypt – especially your cool data.

If your own security program, both personal and business, uses these three principles as drivers, you have already won the bulk of the battle. I guess I think it is a good thing to practice what I preach.

1.5 million is a pretty a big number, wouldn’t you agree? Unfortunately, this is not a number we pulled out of a hat… quite the contrary.  On March 30, 2012, news hit mainstream media detailing a breach of Visa and MasterCard data where an estimated 1.5 million financial records were reported stolen from Atlanta-based ‘third-party’ payment card data processor, Global Payments, Inc.  If you’ve never heard of Global Payments, Inc. or ‘third-party’ payment processing, it might be easy to think this has little chance of affecting you, and you might be right.  Then again, chances are very good your financial data has been processed at one point or another by a payment processor. Loosely defined, third party payment processers act as intermediaries between banks, retailers, and money-access systems.  Such a definition might fall short of academic, but examination of such a system might bear striking resemblance to any other sort of digital infrastructure (the details could be enough to make your head hurt).  Upon recognizing they experienced a breach, Global Payments is said to have immediately contacted Visa and MasterCard, who in-turn began notifying banks potentially impacted.

It can be difficult to appreciate the size of such a number, which is where a comparison can come in handy. 

Depending on the type of sand, 1.5 million grains can weigh somewhere around 200 pounds, which is about what you might find in a typical sandbox.

Still that’s pretty hard to imagine, so how about this?

1.5 million miles is about six times the average distance between the earth and the moon. 

No, still not much help?

Although one might find it interesting, such a number (1.5 million) takes on a whole new meaning when the context changes, especially when considering the very real impact experienced by a very large number of people.  Even then, it’s still hard to imagine, and it wouldn’t likely get any clearer if we estimated this was about twenty-one times the number of those who attended Super Bowl XLVI (approx. 68,658).  No, that won’t do.  This is such a big number we have to consider it on the scale of city populations. When compared to U.S Census data, we find this number represents a little more than half the population of Chicago, Illinois, and about a little less than three-quarters the size of Houston, Texas.  Happened to have traveled to Philadelphia or Phoenix lately? That’s getting a bit closer to the number of records we’re talking about here.

To be fair, this isn’t the only breach to have occurred, and is by far not the largest on record. However, with numbers like this involving such a complex and vital infrastructure, and with the frequency of breaches on the rise, it’s hard not to consider if more could be done to mitigate exposure to such cyber threats. At the end of the day, no matter how secure one institution is, the risk is still there, and when you get down to it, little else beats careful monitoring of activity on your accounts, and careful and regular review of your credit report(s).

The title for this blog paraphrases a line from Samuel Taylor Coleridge's famous poem,  "Rime of the Ancient Mariner" (which, despite being an English major, I probably wouldn't know if it weren't for Iron Maiden), where the main character bemoans the fact that the ship holding him and his crewmates is becalmed at sea. Although there is plentiful water in the ocean surrounding them, it is salt water and will not quench their insatiable thirst.
What, you may be thinking, does this have to do with data?

Big Data. Big Deal?

The IT industry as a whole is all abuzz about the latest computing buzzword, "Big Data". When I first heard the term, I thought to myself, "that's the best term we can come up with?" It sort of reminded me of one of my favorite childhood toys, the Big Wheel. That's obvious branding for you, right? What do we call the thing with 2 small wheels and one big wheel? Hmmm. How about the "Big Wheel?"

For those of you born before 1980 or so, that reference probably brought to mind a bright red and yellow plastic toy. For the rest of you, just Google “Big Wheel”, and you'll see what I'm talking about.

I don't get any kind of mental image when I hear "Big Data". In fact, it took some research and a few conversations with colleagues for me to figure out what it was and why I should care.

Big data is defined by Webopedia as, “A buzzword, or catch-phrase, used to describe a massive volume of both structured and unstructured data that is so large that it's difficult to process with traditional database and software techniques.”

From a security standpoint, there are two basic, high-level concerns for big data:

1. How do we handle big data? How can we glean intelligence from all of the logs being generated by applications, databases, firewalls, hosts, network devices and security appliances?

2. How do we secure big data? With all of this voluminous information now available for analysis, how do we secure and monitor this data for compliance?

While both of these are important questions, I'm only addressing question one for the purpose of this blog. My colleague Rob Kraus posed this question in a recent blog post, "how much of this information is actionable intelligence, and how much is really just white-noise?" As enterprises monitor more devices and device types, moving from traditional security devices (firewalls, IDS, IPS, WAF, etc.) to applications, databases and endpoints - the amount of log data being generated increases rapidly.

To make that data useful, enterprises need a way to examine the data and look for the important pieces of information that can make it useful to them. Further, making it useful may require examining disparate pieces of information and finding patterns in them that indicate something of security significance.

Over 1 Trillion Served

The Solutionary ActiveGuard® 4 service platform recently surpassed the milestone of 1 trillion log lines (that’s 10 to the 12th power for those of you counting at home) processed. While that is a huge number, it would be virtually meaningless if we were unable to glean intelligence from that data and provide actionable security intelligence for our clients. Solutionary processed and stored (Solutionary retains 100% of the logs received for 1 year) each of those trillion log lines for our clients.

ActiveGuard was purpose-built for handling large volumes of disparate data of this type. While much of the security industry is thinking about how to handle big data, Solutionary is enhancing the analytics and capabilities of ActiveGuard to take the capabilities even further.

See how Solutionary managed security services, based on the patented ActiveGuard Security & Compliance Platform, combine security intelligence and expertise to provide complete solutions for your organization.

Instead of the usual Top 5 security tips, such as “use a strong password,” my goal with this blog series is to list and breakdown the basics of what you should be doing, but probably are not, and are exposing yourself because you’re not.

Part 1 will look at passwords...probably the easiest mistake. 

1.) Mnemonic Passwords – Actually, let's start off with using strong passwords. Everyone knows to use a strong password, and they should use a unique password for each site they visit. However, few people do this. And those few that do typically use a password manager tied to their desktop with a browser plug-in to make submitting those complex passwords easier, or they keep them stored in an associated password storage application on their smart phone. But there is a simpler solution, and its mnemonic passwords. Mnemonic is a technique used to aid memory. Since complex passwords are hard to remember creating a mnemonic password can help ensure you have strong passwords unique to each site you visit. There are many good sites that will help you teach you to create a mnemonic password. Druid has a really good presentation that can show you how to get as complex as you want with the topic at: http://druid.caughq.org/presentations/Mnemonic-Password-Formulas.pdf

My advice is to take thirty minutes to create your own mnemonic password formula, create a formula based on the site you are visiting and reap the rewards of secure passwords forever. Basing it on the site you are visiting ensures you can reverse engineer the mnemonic password quickly. For instance you could take the site name, count up the letters in the name, use that number as the first digit in the password, then spell the site name backwards, followed by the number in special character format plus whatever else is in your formula, like a salt or whatever you want to ensure you have a sufficiently long password. So visiting eBay would become: 4yabe$fr@k where fr@k is my own added salt.

Stay tuned for the next part of this blog series on security basics that you should be doing! 

I mean, whose nude photos will be released online after their phone is hacked? Hacking a phone is one thing, but hacking voicemail is something else, and while your voicemail does have some protection, breaking into it is probably not complicated. Let’s get real here - the single best security for your voicemail is your voicemail PIN – which is basically just a numerical password – and we should all have a great sense for just how effective passwords are. We should definitely look at hacking voicemail and hacking your phone as two completely different things.

Setting the PIN
Getting to your voicemail normally requires knowing your PIN. Your phone company installed a default PIN for your account – probably 0000, or 1111, or the last four digits of your phone number. For most cellular services, this number can be from four to seven numbers. If you leave the PIN on the default setting, anyone can get into your voicemail by dialing the wireless carrier’s voicemail line, or by dialing your own phone and escaping into voicemail. On my service, you do this by simply pressing # to interrupt your outgoing greeting, enter your password, and you can retrieve your voicemail. Worst case, someone could guess the default PIN in probably three tries or less.

Read the rest of my article at SecurityWeek.com.