Solutionary Blog

Solutionary Blog and Bloggers

Solutionary is an information security company. What does that mean? Simply put, we help businesses protect their assets, remain fully secure and safe online, and maintain and adhere to compliance regulations and standards. Solutionary's blog is a place to learn about, and discuss, a wide variety of security and compliance topics.


Solutionary Bloggers:

• Brad Curtis, Compliance Manager
• Jon Heimerl, Director of Strategic Security
• Mike Hrabik, President and CTO
• Don Gray, Chief Security Strategist
• Court Little, Director of Strategic Security
• Joseph Blankenship, Director of Marketing
• Doug Picotte, Regional Technical Manager
• Rob Kraus, Manager, Security Consulting Services
• Erik Barnett, Regional Technical Manager
• Jose Hernandez, Security Consultant
• Vincent Ragosta, Information Security Engineer
• Jozef Krakora, Sr Product Manager


Solutionary Minds - Your Information Security Blog Source


Turn Security to 11: Get the Extra Push You Need With an MSSP

Posted by Joseph Blankenship on Thu, Jan 26, 2012 @ 08:48 AM

You may be asking yourself what information security and managed security service providers (MSSPs) have to do with “going to eleven”. It’s all about getting an extra security push when you need one.

Fans of the 1984 movie “This is Spinal Tap” will recall Christopher Guest’s character, Nigel Tufnel, famously saying “these go to eleven” as he proudly showed off his special Marshall guitar amps. Seeing how most amps only go to ten, he was proud to show off how he could go to eleven any time he needed “that extra push over the cliff”.

Let’s not bother with the fact that the amp manufacturer could have made the volume at ten louder (as Rob Reiner’s character points out in the movie); it’s the fact that when Nigel needed an extra boost, he could go to eleven on his amp.

As a security professional, what do you do when you need to “go to eleven”? Let’s say that your company has a malware outbreak or is the victim of a malicious attacker or APT. In the vernacular of the Ghostbusters, “Who you gonna call?”

Many times, IT and security teams are already stressed and overworked before disaster strikes – they are already playing at ten. If they need that extra push, or some extra security expertise, they often have to look outside the organization to find it. This is especially true with more focused, specialized companies, or with SMBs.

With an MSSP, that extra push, the extra 1 on the volume knob, is already there. MSSPs like Solutionary work as an extension of the internal team, providing security intelligence, visibility and knowledge. During a security incident, the MSSP works with the client team to identify and remediate the issue. The client team is not left to fend for itself. After all, even the best bands have a strong team of people behind them to make them sound great and to make sure the show goes off without a hitch.

See how Solutionary managed security services based on the patented ActiveGuard® Security & Compliance Platform combine security intelligence and expertise to provide complete solutions for your organization.


Insiders or Outsiders?

Posted by Jon Heimerl on Tue, Jan 24, 2012 @ 08:33 AM
Being a security geek, I was talking about Internet security with a friend, and they asked me “What was the biggest break-in that you personally worked on?” That is actually an easy question. I worked with a company that had fallen prey to a series of attacks that included a literal infestation of dozens of servers across several geographic locations. Despite our guidance, they felt that they could not really take their environment offline to purge it, so the last I heard, some years later, they were still fighting off re-infections.

But, maybe that was not the real question. As far as we were able to tell, the attackers were using the servers as bots and storage. We were never able to tell that they had actually stolen anything, or cost the company anything other than time, and considerable bandwidth. So, maybe the real question should have been “what was the worst security incident with which I had ever been involved?”

Well, that is an easy question too. It was a case of internal fraud. An employee was generating fake invoices and approving payments, to the tune of millions (and millions) of dollars. Millions. And the fraud was found by accident. Another employee was tracking down a mis-paid invoice, and literally stumbled across a series of invoices. He recognized the address, and absolutely knew that there was no such company at that address. A little investigation showed that the same person had submitted and approved every invoice, and when they added up the amounts, organizational management nearly stroked out. Immediate account revocation and termination followed, with charges filed pretty much the same day.

The issue was not a “break-in”, but an internal abuse of authorized access. “They” tell us that we should worry more about internal threats than we should the wily hacker. No one wants to. We don’t want to think that the guy we sit next to, that we eat lunch with, that we argued over resources with, that we held the elevator door for, is “the bad guy”. They might be. They probably are not, but they might be. And we have to keep that in mind when we look at our environment, because we really do have to worry about the internal threat.

Keep that in mind, and try to make it to our January 24 eSymposium on Insiders with access.


The Sheep That Turns Into a Wolf - Insider Threats

Posted by Erik Barnett on Mon, Jan 23, 2012 @ 10:27 AM

Your friend or not your friend? That is the new question when dealing with insider threat. Oftentimes when you hire a prospective employee, you are putting a level of trust in him or her. This trust is similar to the trust you would put in your own family. Within that trust boundary you are relying on the employee to perform their job to the best of their ability, much like we instruct our kids to do the same in life. However, the similarities end there, and new dynamics are introduced, including the psychological unknown of people.

“With great power comes great responsibility”, a quote from Spider-Man’s Uncle Ben, is an understatement when we are talking about these same employees that we empower. We give them user names, passwords, guides to the infrastructure, and the knowledge of how to accomplish various tasks. We do all of this with the perceived confidence that the employee will do the right thing, be ethical, and not go outside of what has been instructed.

It’s the psychological unknown of the employee that is the “X Factor” in all businesses. Although we would like to think we hired a good employee, there are things outside of our control that can change the same good employee to suddenly go bad.  The triggers are plentiful given today’s economic situation. This could be money, family, stress, etc.  Many things can trigger your employee to start doing malicious things with the power they acquired.

In 2008, CERT (www.cert.org) conducted an insider threat study titled “Illicit Cyber Activity in the Information Technology and Telecommunications Sector”. Within the report, they looked at 52 specific insider threat incidents carried out by 57 insiders between 1996 and 2002. The stats are as follows: 24 out of the 52 were purely sabotage; 11 out of 52 were intellectual property theft; 8 out of 52 were fraud; 6 out of the 52 were a combination of sabotage and intellectual property theft; the remaining 3 were a combination of fraud and intellectual property theft.

In the same report they looked at the motive of the insider threat. What were the variables that these people used to justify their malicious actions? Their key findings provided some interesting thoughts around the why and most importantly some prevention methods.

• 38% of those insiders had prior arrests
• 73% of those insiders cited a negative work-related event as the trigger for their actions
• 76% of those insiders planned their malicious actions in advance
• 50% of those insiders had authorized access to the systems/network at the time of the incident
• 74% of those insiders took steps to hide themselves and mask their activities
• 80% of those insiders were caught only through manual detection of a system experiencing anomalies or failures

The outcomes of these actions are far more devastating than the dollar amount tied to fixing what can be fixed. While you can fix a server, it is much harder to fix the reputation of the company, reputation of your department, and the reputation of yourself as a hiring manager.  You simply can’t prepare for everything regarding the employees you trust. There are, however, some prevention methods to help minimize the likelihood of your company becoming a victim, and possibly losing millions in the process.

• Formulate a strong screening process for those positions that require such great powers. Depending on the sensitivity of the position, you may need to implement several screens for the duration of the employee’s tenure in his/her position. Don’t be afraid to include liberal background checks for those key employees.

• Enforce separation of duties and least privilege. No one should have all the keys to the kingdom. One-man IT shops are inexpensive; however, they can cost you your entire company.

• Log, monitor and audit employees’ online company activities. Ensure you also have someone “watching the watcher”. No one should be an exception to this rule.

• Monitor and react to suspicious or disruptive behavior, regardless of how insignificant it may be. If you collect enough crumbs, you will create a cookie.

• The most important step of all is to know your employees. If you honestly know your employees, you increase the chances that you will be able to pick up on any “psychological unknowns” that may suddenly appear. We all show signs one way or another, so react accordingly.
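The separation-of-duties bullet above, and the invoice fraud Jon Heimerl describes in the previous post (one person submitting and approving every invoice for a company that did not exist), both come down to a check that a finance or security team can automate. The script below is an added example, not Solutionary’s code: it runs a separation-of-duties audit over an invoice ledger, flagging self-approved payments, totalling the exposure per employee, and listing vendors whose every invoice came from a single submitter/approver. The ledger records, names and vendors are constructed sample data.

```python
"""Separation-of-duties audit over an invoice/approval ledger (added example).

Flags invoices where the same person both submitted and approved the payment,
totals that exposure per employee, and names vendors handled single-handedly.
All records below are constructed sample data, not real invoices.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    submitted_by: str
    approved_by: str


# Constructed sample ledger (hypothetical employees and vendors).
SAMPLE_LEDGER = [
    Invoice("INV-1001", "Acme Supply", 12500.00, "alice", "bob"),
    Invoice("INV-1002", "Northwind Consulting", 48000.00, "carol", "carol"),
    Invoice("INV-1003", "Acme Supply", 9800.00, "alice", "dave"),
    Invoice("INV-1004", "Northwind Consulting", 51200.00, "carol", "carol"),
    Invoice("INV-1005", "Northwind Consulting", 47500.00, "carol", "carol"),
    Invoice("INV-1006", "Globex Parts", 3000.00, "erin", "bob"),
]


def self_approved(ledger):
    """Invoices that violate separation of duties: submitter == approver."""
    return [inv for inv in ledger if inv.submitted_by == inv.approved_by]


def exposure_by_employee(ledger):
    """Total self-approved amount per employee, largest first."""
    totals = defaultdict(float)
    for inv in self_approved(ledger):
        totals[inv.submitted_by] += inv.amount
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def single_source_vendors(ledger):
    """Vendors whose every invoice was submitted and approved by one person.

    This is the pattern behind the fraud case in the post: the same employee
    had submitted and approved every invoice for a non-existent company.
    """
    pairs_by_vendor = defaultdict(set)
    for inv in ledger:
        pairs_by_vendor[inv.vendor].add((inv.submitted_by, inv.approved_by))
    flagged = []
    for vendor, pairs in pairs_by_vendor.items():
        if len(pairs) == 1:
            submitter, approver = next(iter(pairs))
            if submitter == approver:
                flagged.append(vendor)
    return sorted(flagged)


if __name__ == "__main__":
    for inv in self_approved(SAMPLE_LEDGER):
        print(f"SoD violation: {inv.invoice_id} {inv.vendor} "
              f"${inv.amount:,.2f} submitted and approved by {inv.submitted_by}")
    for who, total in exposure_by_employee(SAMPLE_LEDGER):
        print(f"{who}: ${total:,.2f} self-approved")
    print("Single-handed vendors:", single_source_vendors(SAMPLE_LEDGER))
```

Run periodically against an export of the payables system, this is the “watching the watcher” control from the list: even an approver with legitimate authority shows up when no second person ever touched a vendor’s invoices.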


One Word – “Patches”

Posted by Vincent Ragosta on Tue, Jan 17, 2012 @ 02:12 PM

I can picture the scene in my head. A wise, time-tested senior security administrator takes the newly hired junior administrator aside and states in a firm voice, “One word – patches.” We all know that patching is a necessity, but how many of us audit all of the software on every system to ensure it is running the most up-to-date version? Deploying patches in a sluggish manner can turn a healthy system into a ticking time bomb.

We see some interesting things in our Security Operations Center (SOC). Monitoring devices across several clients lends us a bird’s-eye view of activity propagating across our client base. Lately, the SOC has noticed an increase in remote code injection scans, which involve sending code to a poorly written application to make it perform malicious activity. These scans have targeted an AWStats vulnerability in versions prior to 6.3 (CVE-2005-0116) and phpThumb version 1.7.9 (CVE-2010-1598). Something should stand out in those CVE numbers: the year! The AWStats vulnerability was first reported in 2005 and the phpThumb vulnerability in 2010. One can only infer that running these scans is still “profitable” for whatever malicious entity is behind this activity. In other words, there are still enough unpatched, vulnerable systems running old versions that are ripe for exploitation.

There truly is no excuse for not patching software, especially software running on publicly accessible systems. So why are organizations not patching? While at first it may appear to be complacency, some system administrators are reluctant to patch because they adopt the mentality of “if it’s not broken, why fix it?” However, taking the time to patch while the system is still functioning healthily can save time and stress by avoiding attacks and vulnerabilities. Further, patches should be implemented in a timely fashion. Our fabled time-tested security administrator knows the value of patches, but perhaps due to long-held dogma, still insists on testing patches before deploying them. This may be a grave mistake. Any time spent testing a patch increases the window of opportunity for an attacker to find a vulnerable system and exploit it.

So, stay abreast of any patches that are available for the software you utilize and deploy them as quickly as possible.  If you are not keeping on top of your patches, someone may knock on your door and remind you.
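The question the post opens with, whether anyone actually audits every system for out-of-date software, is answerable with a small inventory check. The script below is an added example, not Solutionary’s or the SOC’s code: it compares a host/software inventory against a table of known-vulnerable versions and reports every install that matches. The two advisory entries are the ones named in the post (AWStats before 6.3, CVE-2005-0116; phpThumb 1.7.9, CVE-2010-1598); the inventory hosts and versions are constructed, and the version-matching rules are an assumption about how one would encode “versions prior to” and an exact version.

```python
"""Inventory audit against known-vulnerable software versions (added example).

Versions are compared numerically, component by component, so that 6.10 is
correctly treated as newer than 6.3 (a plain string compare would get that
wrong). Advisory entries below are the two from the post; the inventory is
constructed sample data.
"""
import re


def parse_version(text):
    """'6.3', '1.7.9', '1.7.9-rc1' -> tuple of ints; non-numeric suffixes drop."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so (6, 3) == (6, 3, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a, b):
    """True if version string a is numerically older than b."""
    ta, tb = _padded(parse_version(a), parse_version(b))
    return ta < tb


def version_eq(a, b):
    ta, tb = _padded(parse_version(a), parse_version(b))
    return ta == tb


# Advisories as stated in the post. Rule kinds: "lt" = every version before the
# given one is affected; "eq" = only that exact version is named as affected.
ADVISORIES = {
    "awstats": ("lt", "6.3", "CVE-2005-0116"),
    "phpthumb": ("eq", "1.7.9", "CVE-2010-1598"),
}


def is_affected(product, version):
    """Return the CVE id if (product, version) matches an advisory, else None."""
    rule = ADVISORIES.get(product.lower())
    if rule is None:
        return None
    kind, ref, cve = rule
    hit = version_lt(version, ref) if kind == "lt" else version_eq(version, ref)
    return cve if hit else None


# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("web01.example.test", "AWStats", "6.2"),
    ("web02.example.test", "AWStats", "6.10"),
    ("web03.example.test", "phpThumb", "1.7.9"),
    ("web04.example.test", "phpThumb", "1.7.11"),
    ("web05.example.test", "nginx", "1.0.11"),
]


def audit(inventory):
    """Return (host, product, version, cve) for every vulnerable install."""
    findings = []
    for host, product, version in inventory:
        cve = is_affected(product, version)
        if cve:
            findings.append((host, product, version, cve))
    return findings


if __name__ == "__main__":
    for host, product, version, cve in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} matches {cve}; patch required")
```

The point of the numeric comparison is the one the post makes about the CVE years: an inventory that merely records “installed” tells you nothing, while one that is compared against published fixed versions tells you exactly which hosts a scanner for a 2005 bug would still find.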


Sandwich Hack: Extra Cheese, Hold the Credit Card Data Please

Posted by Doug Picotte on Fri, Jan 06, 2012 @ 08:11 AM

I often wonder when I give my credit card to the restaurant server or kid behind the fast food counter, if my credit card information is really being protected. You always hear the horror stories of the service employee who is copying the credit card information in the back room that will later be used in some fraudulent way. For as little as $25, anyone can buy card scanners that either stand alone, or easily connect to an iPhone or other smart device. This brings me to today’s subject. You may have recently heard of a security incident involving a high profile sandwich shop chain that resulted in the loss of credit card information. I won’t disclose the name, but we can all tell by the picture below. This incident involved about 150 sandwich shops and over 80,000 customers.


Low Tech Sandwich Making (and Hacking)

Just as sandwich making is “low tech”, so were the alleged hacking methods of our Eastern European friends. (The US District Court in New Hampshire has indicted four Romanian individuals in this particular case.) The attack was simple: scan for low-hanging fruit, brute-force a login to the vulnerable POS system, install malware and extract the credit card information. Once the credit card information was gathered, they simply used the stolen data to produce fake credit cards and proceeded to go on a spending spree. The remaining black market value of the data was sold off to other hackers.

Hacking Details (Secret Sauce)

Targeted Port Scans:

The hackers performed targeted port scans looking specifically for Internet-facing POS systems that had remote desktop services enabled. This of course is a huge “no-no” in terms of both PCI compliance requirements and general security best practices. This service should be disabled in most cases. At a minimum, the systems should have two-factor authentication and encryption enabled.

Brute Force Login:

Once the vulnerable systems were identified, the hackers needed to simply login to compromise the system. It still amazes me how many times default passwords are unchanged or changed to obvious words such as “password”, or “qwertyui” or “12345678” because they might be easier to remember (and, unfortunately, easier to guess).

Malware Installation:

Once the system was compromised, the hackers installed key logging and back door utilities to gather the credit card information. Apparently, they also installed software to prevent any further security updates.

Credit Card Data Extraction:

One interesting piece here was that the hackers employed “FTP dump” sites to store the stolen data. In this case there was cooperation from the FTP dump vendors as part of the investigation.
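The brute-force step above only works if nobody is watching the failed logins pile up, and that is the easiest part of this chain to detect. The script below is an added example, not Solutionary’s code or anything from the investigation: it runs a sliding-window failed-logon detector over authentication log lines and notes whether a success followed the burst (the sign that a guessed password actually worked). The log format is a constructed, simplified one (timestamp, source IP, user, outcome), not any vendor’s real event format, and the threshold and window are assumptions to tune per environment; the IP addresses are documentation ranges.

```python
"""Failed-logon burst detection over authentication log lines (added example).

Per source IP, keep the timestamps of recent failures in a window; raise one
alert when the count reaches the threshold, and mark the alert if that source
later logs in successfully. Log lines and format are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. First source: rapid guessing that ends in a success.
# Second: a cashier mistyping once. Third: slow failures hours apart, below the
# default window, which the default settings deliberately do not flag.
SAMPLE_LOG = """\
2012-01-05T02:14:01 src=198.51.100.23 user=administrator result=FAIL
2012-01-05T02:14:02 src=198.51.100.23 user=administrator result=FAIL
2012-01-05T02:14:03 src=198.51.100.23 user=administrator result=FAIL
2012-01-05T02:14:04 src=198.51.100.23 user=administrator result=FAIL
2012-01-05T02:14:05 src=198.51.100.23 user=administrator result=FAIL
2012-01-05T02:14:06 src=198.51.100.23 user=administrator result=SUCCESS
2012-01-05T08:30:10 src=192.0.2.15 user=cashier1 result=FAIL
2012-01-05T08:30:25 src=192.0.2.15 user=cashier1 result=SUCCESS
2012-01-05T09:01:00 src=203.0.113.9 user=pos result=FAIL
2012-01-05T09:45:00 src=203.0.113.9 user=pos result=FAIL
2012-01-05T10:30:00 src=203.0.113.9 user=pos result=FAIL
2012-01-05T11:15:00 src=203.0.113.9 user=pos result=FAIL
2012-01-05T12:00:00 src=203.0.113.9 user=pos result=FAIL
"""


def parse_line(line):
    """'<iso-ts> key=value ...' -> (datetime, src, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"]


def detect_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP that reaches `threshold` failures inside `window`.

    Each alert records the first/last failure times and whether the same source
    logged in successfully afterwards (a likely compromise, not just noise).
    """
    recent = defaultdict(deque)   # src -> timestamps of failures in the window
    alerts = []
    alerted = {}                  # src -> its alert dict, for the success flag
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alert = {"src": src, "user": user, "first": q[0], "last": ts,
                         "failures": len(q), "success_after": False}
                alerts.append(alert)
                alerted[src] = alert
        elif result == "SUCCESS" and src in alerted:
            alerted[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        tag = "COMPROMISE LIKELY" if a["success_after"] else "brute force"
        print(f"{tag}: {a['src']} -> {a['user']} {a['failures']} failures "
              f"between {a['first']} and {a['last']}")
```

Two design notes. Alerting once per source rather than once per failure keeps the analyst from drowning in duplicates; and the slow third source shows the trade-off in the window: a patient attacker trying one password every 45 minutes slips under a 5-minute window, which is why a second, longer window (say three failures in two hours) is worth running alongside the fast one.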

The Bottom Line

Apparently, the franchise owners in this case were provided security guidelines to prevent this type of incident. Unfortunately, it appears that these guidelines were mostly ignored by the franchise owners. I chalk this up to the age old saying; “I am a (insert business type here), who would want to steal anything I have?” This may have all been avoided by following some basic security practices:

• Understand the true value of exactly what data you have in your environment (i.e., credit card data)
• Determine the compliance standards that are appropriate to that data and your business
• Perform a compliance-based gap assessment of your environment
• Remediate any gaps associated with the assessment
• Avoid a “checkbox” security compliance approach – be honest with yourself about the real-world threats and how they may affect your business
• Blend a reasonable risk-based security best practices approach with the compliance requirements applicable to your business
• Do not develop a false sense of security that the hackers don’t want what you have

Until Next Time

Thanks very much for reading my friends. Until next time, and as always, ride safe, crank up the tunes, and stay secure!


Happy New Year!

Posted by Solutionary Marketing on Fri, Dec 30, 2011 @ 08:48 AM

Happy New Year from all of us at Solutionary!  

Jon Heimerl put together a few points that should be on your compliance checklist in 2012.  Check it out below and cheers to a safe, secure and Happy New Year!

Important Compliance Considerations Looking into 2012
 
1. No compliance regulation requires it, but one of the most important things you can do to help improve your compliance is perform a Business Impact Analysis, or an Information Asset Inventory, or whatever it is you want to call it. The goal is to identify all of your organizational information: what information you have, where it is, and exactly what that information is. To understand your compliance requirements you have to fully understand whether or not the information you have is PHI, or private financial information, or covered by some other regulatory requirement.

2. Assign clear compliance responsibility to a specific authority within your organization. And, along with that responsibility, don't forget to give them the authority to actually meet those goals. Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process. Understand that no one person can truly understand all compliance requirements of a complex organization, but you must identify what your specific compliance requirements are, and ensure that you have appropriate compliance expertise.

3. Manage your other resources. In these times of limited budgets and shrinking staff, it is more important than ever to effectively manage your resources. Identify and keep your key staff. You are better off keeping good, knowledgeable staff than you are trying to find new staff, unless the people you have just don't cut it. Make sure they get training and other benefits that help keep them at your organization, keep them engaged, and keep them happy.

4. Pay attention to need-to-know and privileged user access. If WikiLeaks and the Occupy Movement show us anything, they show us that there are many people who are unsatisfied with the status quo. Regardless of their exact motivation, there will be people who gain unauthorized access. You should be checking your authorized access to make sure it is truly appropriate, and make sure that people do not have excess access. On top of that, you should be monitoring employee access and checking access logs.

5. Take the results of your BIA and, to the extent possible, isolate your compliance systems. If you can segregate your PHI systems from other systems, do so. If you can segregate your credit card information from other systems, do so. If you can isolate the systems that control your compliance data, it potentially simplifies the scope of your compliance efforts, and consequently, simplifies your compliance.

Read more of Jon's compliance thoughts in a recent Dark Reading article


New Toys...New Vulnerabilities

Posted by Rob Kraus on Thu, Dec 22, 2011 @ 02:58 PM

During this holiday season many of us will likely exchange really cool gifts with friends, co-workers, and family. Some of us will be lucky to receive some of the latest advances in technology, such as iPads, smart phones, computers, and anything else you can think of with blinking lights and promise of hours of enjoyment. Let’s face it, it’s a time of giving and a great time to reward ourselves and each other for all the great work we did in 2011.

If you’re like me, there is nothing more fun than ripping off the wrapping paper and getting right into playing with some of these fun electronic wonderlands. However, I am cursed with always thinking:

 “Cool new iPad; wonder what version of iOS it is running?”

I guess it is just part of being in the information security industry and part what keeps me diligent about staying secure.

I can’t help but think how many people around the world will be opening brand new computers and devices on Christmas day and jumping right on the information super highway. I also can’t help but wonder how many malicious attackers are lurking in the shadows to take control of those systems.

For those of us who battled in the department stores on Black Friday, went home, wrapped gifts, and put them under the tree: great job! But now it’s about 30 days later and these new gems will be unwrapped and enjoyed.

Unfortunately, security and newly discovered vulnerabilities don’t take vacation. Over the last 30 days there have been quite a few new vulnerabilities identified in some of the toys we may be receiving over the holidays.

Conclusion: Many of the gifts you may be receiving this holiday are probably about a month behind on security patches. In some cases, your new toy may be immediately susceptible to attack due to these missing patches (isn’t security stuff fun?).

Some good guidelines to follow:
• Take a few minutes to enjoy your new toys
• Check to see if it is up to date on security patches
• If the product is capable, enable automatic updates
• Follow product recommendations for using the security options it may have available

Solutionary wishes all of our clients and blog followers a happy holiday season. Stay safe and let’s ring in the New Year with best wishes to our friends, family and fellow mankind.


Solutionary in Leader's Quadrant for MSSPs

Posted by Solutionary Marketing on Mon, Dec 19, 2011 @ 09:53 AM

The Solutionary team is proud to have earned a position in the Leader’s Quadrant for MSSPs. It’s rewarding to attain industry recognition for what Solutionary clients have known for years – that Solutionary delivers leading managed security services, based on our patented, industry-leading ActiveGuard® platform and backed by our team of certified security experts.

For more information about this announcement, read the press release or download the full report.

In a world populated by cyberthieves, hacktivists and advanced persistent threats, you need a security team that can watch your back, giving you the visibility and security intelligence you need to protect your enterprise.


Paranoia or Prudence? Don’t Give Google the Keys to Your Wireless Network

Posted by Jose Hernandez on Thu, Dec 15, 2011 @ 09:44 AM
As a way to improve location-based services for applications like Google Maps, Google started implementing WiFi positioning. WiFi positioning uses nearby WiFi access points to help triangulate the location of a user’s device. Some of these include devices we use every day, such as iPhones, iPads, Kindles, tablets, and laptops. I assure you, the list goes on and on.

WiFi positioning was implemented to help locate devices where GPS and cell tower signals are weak. In order for WiFi positioning to work, Google needs to collect the SSID and MAC address of any broadcasting access point. This information is collected using Google Street View vehicles that drive around taking pictures for Google Maps.

In theory this sounds like a good idea, and it can help applications better pinpoint the location of user devices. WiFi positioning was not a big deal until Google confirmed it was mistakenly collecting payload data from open WiFi access points with their Street View cars. This revelation was not a big surprise to me because open access points do not encrypt data and therefore the data can be sniffed by anyone.

This is the part of the blog where I recommend you start wearing your tin foil hats. Waiting for a plane in Pittsburgh I started looking for an application setting on my Android phone. While checking through my privacy settings, I stumbled on the Backup and Restore setting that was enabled by default on my phone. This backup agent stores Android settings, application data, and… wait for it… WiFi passwords to Google servers. So, if Google saw your WiFi network while taking photos for Street View, and you connected to that same WiFi network with your Android phone, Google now has all the information it would need to gain access into a person’s private home network or even a corporate network. The user only has to connect to the access point with their Android device and the credentials will be cached in the phone, which in turn will be backed up to the Google servers. To be fair, I only checked this backup agent on my Android phone, which is running version 2.3.6; the backup agent settings may very well have changed in later versions of the Android OS.

So if you are a paranoid person like myself, these are some of the things you can do to help mitigate your paranoia.

• Change the SSID name of your wireless router and append the word “_nomap”. Doing this will stop Google from including your wireless access point in its location database.
• Uncheck the Backup and Restore setting in your Android phone.
• Change the password on your router, since the old password is probably stored on one of Google’s servers.

Okay, maybe that isn’t so paranoid…


Is the Sky Falling? Ten Security Wishes for the Holidays

Posted by Jon Heimerl on Tue, Dec 13, 2011 @ 08:51 AM

What are 10 Things that Should be at the Top of Everyone’s Wish list for the Holidays?

Overall, it has been a rough year for information security in the world. We ended 2010 with WikiLeaks, and it continued into 2011, supported by the disclosure to WikiLeaks of classified government material and confidential internal-use-only corporate information. This trend of intolerance with the system calmed through much of the summer only to resurrect itself in the form of the anti-establishment “Occupy” movement later in the year. While the Occupy movement is not itself a cyber-security worry, it does highlight that people have a considerable dissatisfaction with the status quo and are looking for change – and unmoderated change is usually not exactly good for the efficiency and security dynamics of any organization.

We’ve heard more about Stuxnet, and seen new viruses – I just picked off a copy of a Trojan Dropper last night, reading security news stories (an executable stored in Explorer temp files – cool). We’ve seen Apple systems exposed to attack. We’ve seen corrupt applets running on Android – I’m not quite ready to say I have seen Android hacks or viruses in the wild. I have seen rampant loss of control over the permissions requested by Android widgets on install (Google Maps, you really need access to my private phone information, read and write access to my contact information, along with the ability to make phone calls and record audio? Really? Update fail.) We’ve seen zero day vulnerabilities in widely used applications and services. We have seen literally millions of healthcare records breached. We have seen huge companies get breached, resulting in days and weeks of outages, and probably billions of dollars spent in recovery and rebuild. We found that an unauthorized user can access sensitive functions on an iPhone by using Siri. Should we be surprised that web-enabled printers can be attacked remotely? We have had drone hacks, ATM scammers, phone hacking and nude photos galore (so to speak). And that is just the tip of the iceberg. Sometimes it seems like the sky is falling.
Sometimes.

A friend of mine asked me a couple weeks ago, “So, with all these things going on, how do you do everything that you need to be safe?” That is a hard question. Everything?
A complete list of everything an organization should do to make itself safe would literally fill books. So, instead, if you want to take the right steps to being secure, and being compliant where appropriate, what are the 10 things that should be at the top of everyone’s wish list for the holidays?

What are the 10 things that should be at the top of every organization’s wish list for the holidays?

1. I wish for a complete BIA (Business Impact Analysis). You have to know what you have before you know how to protect it. I won’t dwell on this other than to say that if you answer these four questions, you are working on your BIA:
  a. What is your most critical data?
  b. What systems, databases, and applications support that data?
  c. What regulatory requirements am I required to
  d. What would the impact on your organization be if that data, or supporting systems, was lost or compromised (and released to the public)?

Read the rest of my Security Week article here.
