Category: Uncategorized

If you want your security organization to be supported (or at least tolerated) by management, the department must become a communication station. Avoid subjective interpretations or even anecdotal information; instead, focus on metrics that are objective and indisputable.

As an example, to calculate the impact of spam filtering, the team began counting e-mails the filter rejected. Despite a few user complaints, the metrics showed these were isolated incidents and proved that a great majority of legitimate mail was getting through. This correlation of traffic to outbreaks would later help the IT staff react faster to outbreaks, because they could see worm signs before it spread.

Most infrastructure metrics are designed for gearheads, and the data is not useful to business managers.

Start with the message you want to communicate to management, then figure out which metrics would support that point. A mix of good news and bad news is to be expected–any manager knows that an employee who communicates only great news is probably a liar. If your security reports are always full of sunshine, expect management to become suspicious–and with good reason.

For instance, clients who use desktop-management and antivirus software appreciate being able to perform a “check-in”–that is, every workstation on the network “phones home” to the master console, ensuring each is in compliance with policies, such as pattern updates. This type of report is a good indicator that (a) your software investment is functioning; (b) the majority of users haven’t cleverly disabled the agent so they can download porn and install cute screensavers; and (c) you can, if necessary, invoke additional software functionality.

Indeed, any process you monitor will show that you’re on top of things–particularly if the process is new to your organization, such as vulnerability remediation, server- configuration compliance, unsuccessful login monitoring or log-exception monitoring.

When you must express dollar figures, try to associate some measure of probability with them–IT security is equivalent to risk management, after all.

Ultimately, use caution and be conservative when estimating dollar payback or you risk damaging your credibility.

Finally, in security and in business, timing is everything.

http://www.securitypipeline.com/46200070

USB flash drives, MP3 players and the like are everywhere nowadays. Giving your staff free rein to use them at work could lead to breaches of security and loss of data.

Businesses are increasingly putting themselves at risk by allowing the unauthorized and uncontrolled use of portable storage devices. The use of unauthorized portable storage devices poses many dangers, not least for the malicious code that they can introduce. High data capacity and transfer rates, and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device has the capacity to quickly download much valuable corporate information, which can be easily leaked to the outside world.

Portable devices include any kind of pocket-sized portable FireWire hard drive, like those from LaCie or Toshiba, or USB hard drive or keychain drive, such as M-Systems’ DiskOnKey. They also include disk-based MP3 players, such as Apple’s iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media.

The devices pose two kinds of threat. Intentionally or unintentionally, users can bypass perimeter defenses like firewalls and antivirus at mailserver, and introduce malware such as Trojan Horses or viruses that, if not discovered, can cause serious damage. Also, companies are at risk of losing intellectual property and other critical corporate data.

The impact of the latter goes beyond the commercial value of the data for two reasons. There are different privacy laws in different countries. This means there is more risk of legal action if personal information – belonging to corporate clients or employees – ends up in the hands of an unauthorized third party. Companies’ reputations may be damaged as a consequence of information leaks. This is particularly the case for those operating in areas where client privacy must be preserved, such as the financial market.

Managers should advise on the main procedures to be followed for the eventual use of such devices; for instance, to confirm the need for password and security protection (encryption) of stored corporate data.

Adopt personal firewalls to limit what can be done on USB ports. Leading products to consider are from vendors like Sygate Technologies, Zone Labs and Symantec. Vendors like Pointsec Mobile Technologies, Information Security Corporation and PC Guardian Technologies offer alternative specialist solutions.

On a broader level, and especially for those industries where intellectual property is of critical importance, the use of digital rights management software ensures the persistent protection of digital assets by maintaining constant control over their use and distribution.

http://www.csoonline.com/analyst/report2714.html

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Forrester says now is the time for IT to take a more active role in such management.

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Where a limited support policy was appropriate two years ago, IT must now take on a much more active role in provisioning, supporting, and managing mobile devices. Because many employees use their own devices to store company information or otherwise ignore company mobile usage policies, companies often don’t have control of the devices, what information is stored on them, or how the information is protected.

Unmanaged mobile devices represent one of the most serious and often overlooked security threats to the enterprise. As several incidents over the past year demonstrate, the risk of information loss or theft from laptops, PDAs, phones, converged devices, and tablets is increasing rapidly. Organizations should balance the growing requirement for mobility with sensible policies on mobile usage and security, along with technology to enforce the policies.

While more organizations have mobile policies than two years ago, comparatively few companies have invested in technology to manage and protect the devices. The proliferation of laptops, PDAs, and other mobile devices in the enterprise, coupled with the explosion of wireless connectivity options, has led to significant support issues and security risks. Mobile devices are vulnerable to theft and loss, with most companies budgeting for a 20% or higher loss and failure rate for PDAs.

While the cost of replacing the devices is relatively insignificant, more and more users store sensitive information on the devices. Additionally, mobile devices can introduce viruses or worms to the corporate network.

Based on a recent Forrester survey, only 9 percent of companies have deployed mobile management tools; another 20 percent are piloting or plan to deploy mobile management tools within the next 12 months (see Figure 1 on source web page). This report will outline both the challenges posed by mobility and the steps companies can take to manage and secure the devices.

Many of corporate IT’s challenges regarding provisioning and supporting remote workers, including predominantly mobile or untethered ones, can be resolved by articulating – and periodically revising – a formal written corporate mobile usage policy. If the company is not willing to set and enforce standards, the costs and risks associated with the mobile device population could quickly spiral out of control.

Managing and Securing Mobile Devices: Best Practices

Mobile Usage And Security Policies
– Be convenient and easy for the user to follow.
– Balance productivity requirements against security and costs.
– Vary by the users’ roles and type of information they handle.
– Specify how users should synchronize information with mobile devices.
– Include guidelines for data usage and transfer.
– Summarize proper use and care of company-owned or -supported mobile devices.
– Have a definition of corporate standards for hardware selection.
– Outline standards for support of employee-purchased equipment.

Communication and User Education
User education is also critical.
Give users some accountability.
Make it clear what is at stake, including the user’s own information.
Give users the necessary tools and easy means to secure the devices.
Raise awareness by demonstrating real security risks.

Selcting Mobile Management and Security Tools
Asset discovery to identify and track devices on the network.
Synchronization tools for PIM, email, or enterprise data.
Antivirus.
Password policy enforcement.
Remote device kill for any PDAs, laptops, or tablets with potentially sensitive data.
Encryption.
Client firewalls.

Forrester Recommendation: Take Immediate Steps to Secure and Manage Mobile Devices

http://www.csoonline.com/analyst/report2794.html
http://www.gigaweb.com/

Consider this: Gartner Inc. estimates that more than 70 per cent of unauthorized access to information systems is committed by employees, as are more than 95 per cent of intrusions that result in significant financial losses. The “2003 Computer Crime and Security Survey,” meanwhile, compiled by the Computer Security Institute and the FBI, found that 62 per cent of respondents reported a security incident involving an insider, up from 57 per cent in 2002. In such an environment, which is also increasingly beset by so-called blended threats that dynamically target the vulnerabilities of isolated security products, enterprises must adopt an integrated strategy that addresses network security at all tiers: gateway, server, and client.

The traditional perimeter firewall no longer provides adequate protection against intrusions and threats. In part that’s because the very definition of “perimeter” has become blurred. The addition of remote access servers, peer connections to partners’ networks, VPN servers, and wireless access points means that a once well-defined network boundary is no longer so well-defined. As a result, there are now multiple outside paths into the corporate network.

Integrated security uses the principles of defense in depth and employs complementary security functions at multiple levels within the IT infrastructure. By combining multiple functions, integrated security can more efficiently protect against a variety of threats at each tier to minimize the effects of network attacks.

Secures connections beyond the perimeter, enabling organizations to safely communicate across the Internet.

With these security technologies integrated into a single solution, an enterprise is better able to withstand a modern-day network threat, be it a malicious code attack, a denial-of-service attack, unauthorized access (either internal or external), or blended threat.

A client firewall that also includes intrusion detection and antivirus technology works this way: as information is received by the client, it is passed through the client firewall and scanned for network attacks and viruses by the intrusion detection and antivirus technologies.

Moreover, proper controls can be put in place so that, should an incident occur, they can act in a timely fashion.

Enterprises should have a policy outlining their information assets and all access rights to that information.

If relationships with outside contractors call for them to access the network, make sure the access is designated only for the specific services required.

http://www.ebcvg.com/articles.php?id=256

A wide variety of these products stands ready to help identify and troubleshoot security and performance issues related to wireless technology. However, based on our tests of a range of these solutions, we believe companies should carefully assess their wireless security needs because their existing infrastructure devices may already fulfill them.

Wireless IDS solutions range from handheld products that are designed for on-the-spot troubleshooting at a point in time, to capabilities integrated into existing access points and managing switches, to distributed fleets of sensors that provide round-the-clock coverage.

Defensive overlay products enable a host of security and performance monitoring capabilities and have strong policy options that alert administrators to any signs of trouble. Defensive overlay network vendors are rapidly adding features that not only alert but also can be configured to isolate and block wayward connections over the wire or over the air.

Despite recent reports of vulnerabilities in the RADIUS (Remote Authentication Dial-In User Service) authentication mechanism upon which 802.11i is based, 802.11i goes a long way toward equalizing the security of known, managed devices on wireless networks and on wired ones. 802.11i does so by delivering strong standard;s-compliant encryption via AES (Advanced Encryption Standard) and port-based 802.1x authentication to WLANs (wireless LANs). [Editors note Also look to 802.1x]

However, many threats remain outside the scope of 802.11i, including access points and client nodes that are loosely maintained (or are completely outside IT’s control). Employees installing their own unsecured access points on a corporate network leave a wide-open vector for LAN attacks that bypass network firewalls and wireless security measures implemented by IT. And misconfigured and unsecured client devices also represent a significant threat. With the proliferation of WLAN hot spots and wireless devices in the home, users are leveraging their wireless connections in a multitude of locations.

In tests, eWEEK Labs has encountered interesting results from a misconfigured client bridging the internal wired network and an unknown wireless network.

http://www.eweek.com/article2/0,1759,1633282,00.asp

They’re vulnerable, they’re unpatchable, and they’re connected to the Internet.

After he was turned down for a job with the Maroochy Shire Council in Queensland, Australia, the 48-year-old disgruntled techie unleashed his anger in early 2000 by hacking into the town’s wastewater system at least 46 times. On two separate occasions, his electronic attacks (apparently he used a stolen laptop and a radio transmitter) led to pumping station failures that caused as much as 1 million liters of foul-smelling raw sewage to spill into parks, waterways and the grounds of a tourist resort.

But there have been other control system breaches, including, for example, a 1997 control tower shutdown at the Worcester (Mass.) Regional Airport and a Slammer-related disruption of the safety monitoring system at FirstEnergy’s Davis-Besse nuclear plant in Ohio.

Electric utilities, oil and gas refineries, chemical factories and even food processing plants use control systems to digitize and automate tasks once handled by people: opening and closing valves in pipes and circuit breakers on the power grid, monitoring temperatures and pressures in reactors, and managing assembly line machinery. And because these systems are now connected to corporate networks, their vulnerabilities serve as an entrée into the guts of the nation’s critical infrastructure. A malicious hacker or terrorist group could conceivably take down parts of the power grid, throwing the country into darkness; they could take out emergency telephone systems or disable the floodgates to a dam.

Even scarier to terrorism experts is a digital intrusion combined with a physical attack—think 9/11, but magnify the chaos by adding an electronic knockout of regional or national communication and power systems. The intent is clearly present: Raids in Afghanistan in early 2002 discovered that al-Qaida operatives had scoured websites containing information on SCADA (supervisory control and data acquisition) networks in U.S. water systems and the electricity grid. Unfortunately, the people with detailed knowledge of control systems security say no. Control systems are designed for efficiency and reliability—not security. In fact, “It requires very little knowledge” to hack into a control system, says Juan Torres, program manager of the SCADA program at Sandia National Laboratories.

Experts worry that this issue is not getting enough attention from both government and the private sector, for a variety of reasons: technical ignorance, lack of funding and perhaps the absence of a major incident to date in the United States.

Older, legacy controllers can’t handle newer security technologies such as encryption; in fact, many don’t even have enough horsepower to accept operating system updates or software patches. “How a control system works is different from an IT system, technologically,” says Joe Weiss, the former technical manager of the Electric Power Research Institute’s Enterprise Infrastructure Security program, now an executive consultant with Kema. Compounding these technical challenges are a number of entrenched cultural and management obstacles.

The people generally responsible for managing control systems are engineers who often have had little cybersecurity training—or interest.

For years, distributed control systems and SCADA systems were designed with proprietary technology, and were physically and technologically isolated from the corporate networks that run standard IT applications. Fatefully, the drive for efficiencies of cost and time led many companies to knock down the wall that traditionally separated those two types of networks. Manufacturing executives wanted to pull up real-time information from, say, their assembly lines, to monitor how efficiently their factories were running. “As the networking evolution came through and local and wide area networks were installed, they were generally installed by IT. Operations, so as not to spend double the money, started using the corporate LANs and WANs for the control networks,” Weiss says. Ultimately, this meant many control systems were connected to the Internet. Now control systems are exposed—via the Internet, intranets, remote dial-up and wireless capabilities—to hacks, worms, viruses and other dangerous payloads.

That exposure scares Jonathan Pollet, president of PlantData Technologies, who advises companies on control system security. “With each release of worms and viruses, there are more and more customers with downtime,” he says. Pollet says the Sasser worm in spring 2004 took out several oil platforms in the Gulf of Mexico for two days. “They had firewalls, but worms crawled through commonly used ports like ports 80 and 139.

Accentuating the connectivity problem is the growing move away from proprietary software toward standardized and off-the-shelf software and hardware. In a typical corporate IT network, hundreds (or thousands) of PCs, servers and other devices are packed to the gills with processing power and memory. Because SCADA systems were designed for efficiency and ease of use, vendors enable their products to be accessed remotely—through dial-up modems, wireless handhelds and the like—so that customers will have an easier time making fixes to systems, often with no authentication required. Companies often fail to install the same security measures on control systems—such as firewalls and intrusion detection systems—that they use to protect IT systems.

Instead of waiting for market pressures to force them into building more secure systems, they could take a more proactive stance and begin making a concerted effort to beef up the security of their products, and work more closely with customers to identify and mitigate the vulnerabilities of existing systems. Various private industry and government groups are taking steps to make critical infrastructure companies more aware of the flaws in their control systems.

The National Institute of Standards and Technology and the National Security Agency established the Process Controls Security Requirements Forum (members include reps from the electric, water, chemical and oil industries, as well as government labs and control system vendors) to develop security specs for control systems. Other government agencies and major critical infrastructure industries have established working groups to address the issue. Notably, last December, the Department of Homeland Security created a new Control Systems Section inside the Protective Security Division of the Information Analysis and Infrastructure Protection Directorate.

But most managers, engineers and workers with day-in and day-out responsibilities for maintaining control systems may be a long way from putting cybersecurity on the front burner. Earlier this year, Weiss held a conference session attended by 30 to 40 people, some 15 of whom were plant managers. Weiss says that in his informal discussions afterward, every one of those managers thought cybersecurity had to do solely with the vulnerability of their e-mail systems. “They had no idea whatsoever about security around control systems,” he says.

What this article brings to light is not new and not easily going away. These control venues are actively being expanded, ever so quietly, into the MAN/WAN/LAN environments. As SAN and NAS technology increase and new tape systems abound, to name a couple, all of these devices implement new WEB/JAVA interfaces with imbedded technology. These remote sites of equipment whether they are valves or tape systems all need to be monitored, controlled, and reconfigured on a regular basis. Some of these devices, like SAN switches, may even be forgotten after the original installation while the tape drives are manipulated daily, on the open network.

Every day, more of these devices, whether HVAC, Public Utilities, IT infrastructure are all designed with ease of use capabilities. They can all be put to a closed or controlled network but that again, raises the cost.

Security has to be a conscience effort and alas, costs a little more. Some say that the cost is not worth the investment, until someone makes an example out of them.

While the article is right on in many respects, the terrorism aspect is pretty irrelevant. People don’t become terrorists because they’re smart, and you would need to be at least fairly bright and patient to exploit control system commands (or already be on the inside, like the Aussie case).

Low-tech attacks are much easier, cheaper and more efficient. For example, a single person with a rifle loaded with steel-jacketed slugs can take out an entire substation in seconds and is almost gauranteed to escape safely.

You should be aware that this lack of a uniform security standard for HMI/SCADA software has already been dealt with by the OPC Foundation – an International, non-profit standards setting organization.

Also a quick point about the actual threat risk analysis to control systems as the 2000 Australian sewage plant attack is almost always quoted as an example of the types of threats to protect yourself from but there are very few, thankfully, other stories of this type in the public domain. So these threats are either a very low risk or we have been very lucky or the incidents are happening and are not being reported.

http://www.csoonline.com/read/080104/control.html