Category: Uncategorized

Some examples of large security breaches resulting from poor security practices include a recent Distributed Denial of Service Attack (DDOS) against Spamhaus which clogged Internet lines leading Matthew Prince, Chief Executive of Cloud Flare, to compare the attack to a nuclear bomb.

From my discussions with top security professionals at leading security organizations, including Big 4 consulting and assurance companies, software such as Antivirus and Intrusion Detection and Prevention (IDS/IPS) are currently only marginally effective at catching security threats. In addition, many security solutions are installed out of the box with little modification or customization to the needs of each network, leading to reduced or ineffective defense.

For instance, Fireeye is a product that has developed a learning system that collects data on existing attacks from their subscribers using their custom tools. While hackers previously had the upper hand in combining security known weaknesses into highly complex attacks, Fireeye tools use the same method of sharing security breaches with each other to raise the defense profile of each of the subscribers on the network quickly.

In addition, VMware’s partnership with Cisco hardware networking products provides a robust, integrated security solution with a hardware provider that dominates the corporate LAN network device space.

Costs for adoption of OpenStack software are cheaper than VMware, but the system is newer and not as well documented. Most companies run both Linux and Windows servers, and I expect in a similar way VMware and OpenStack will coexist as solutions in the cloud space. In addition to a maturing product portfolio, IT leaders would do well to strengthen focus on security by hiring technicians with a proven security background, such as Information Assurance and Security professionals.

Link: http://seekingalpha.com/article/1324971-pandemic-cyber-security-failures-open-an-historic-opportunity-for-investors?source=feed

In MITRE’s five-day virtual war game, which the group played out in late January of 2012, the Blue Team was given a mission titled Operation Beggar’s Banquet, of killing a fictional terrorist leader named Richard Hakluyt. The scenario dictated that Hakluyt had holed up in a compound in the fictional People’s Republic of Virginia, (represented by the Red Team) which was in a state of cold war with the equally fictional Republic of New England, represented by Blue. Blue’s secret mission was to parachute a special operations group next to Hakluyt’s compound, which would use a laser designator system to help a gunship target the compound and blow it up, before deploying a Fulton Surface-To-Air-Recovery plane to retrieve the special ops team.

While the game was still in its first day of pre-action planning, Red’s hackers immediately breached Blue’s network and gained access to all of its mission plans, which had been stored on an internal wiki.

Stech and Heckman had worked on a so-called “denial and deception” system they called BlackJack, which they planned to use to create a parallel version of Blue’s network in real time to misdirect Red’s hackers with false information.

According to Heckman and Stech, Blue used those hacked accounts to feed Red a story about a member of Blue’s team who had foolishly planned to kill Hakluyt when in fact, a murder would be too politically incendiary to risk. Blue went on to create an alternate story that it planned to instead track and then kidnap Hakluyt by using information provided by a double agent within Red’s team that Blue called “Cotton Dollar.” Blue used its compromised accounts to feed Red information about when it planned to use its informant Cotton Dollar’s information to send a special forces team to kidnap Hakluyt during a trip outside the compound.

Richard Bejtlich, chief security officer with the breach response firm Mandiant, which recently detailed in a report hundreds of breaches by a prolific team of sophisticated Chinese government hackers, says that creating a fake playground for observing and misinforming intruders can be a costly and dangerous game. Or you have to do so much work setting up a juicy fake network that I pretty much guarantee it takes more time to set up than it takes the intruder to figure out that it’s fake.”

Link: http://www.forbes.com/sites/andygreenberg/2013/04/05/a-different-approach-to-foiling-hackers-let-them-in-then-lie-to-them/

After the analytics skirmishes, the other kind of “intelligence” came up, namely the number and variety of additional inputs to the algorithms: reputation, geolocation, indicators of compromise, or possibly the number of former government intelligence analysts in the research team (and/or on the board of directors).

And then it’s back to numbers: the number of external intelligence feeds that are used to enrich the data that the monitoring system processes.

Can one system produce data that is “more actionable” than another one, and if so, how do you prove it?

Not only will the data be processed “live” (which is supposed to be better than “real-time,” I understand – or maybe it’s the other way around), but it’ll be newer than anyone else’s data, still dewy from the data fields.

One thing’s for sure: buyers will still be wading through the marketing morass, trying to search out bits of dry land that will hold up to a purchasing decision. Not only will they have trouble differentiating vendors and their offerings; they’ll also struggle to find metrics that tell them when their monitoring is good enough.

Link: http://www.darkreading.com/security-monitoring/blog/240152343/is-there-any-real-measurement-in-monitoring.html

The malicious document downloads and executes a component that attempts to determine if the operating environment is a virtualized one, like an antivirus sandbox or an automated malware analysis system, by waiting to see if there’s any mouse activity before initiating the second attack stage. Mouse click monitoring is not a new detection evasion technique, but malware using it in the past generally checked for a single mouse click, Rong Hwa said. BaneChant waits for at least three mouse clicks before proceeding to decrypt a URL and download a backdoor program that masquerades as a technology by performing multibyte XOR encryption of executable files, masquerading as a legitimate process, evading forensic analysis by using fileless malicious code loaded directly into the memory and preventing automated domain blacklisting by using redirection via URL shortening and dynamic DNS services, he said.

For example, during the first stage of the attack, the malicious document downloads the dropper component from an ow.ly URL. The rationale behind using this service is to bypass URL blacklisting services active on the targeted computer or its network, Rong Hwa said. This is an attempt to trick users into believing that the file is part of the Google update service, a legitimate program that’s normally installed under “C:Program FilesGoogleUpdate”

If you think of assurance as a guarantee your cyber security is fit for purpose and working perfectly then there are a few other things you’re going to need: governance, risk management, policies, operational procedures, audit trails, personnel, effective training and awareness, security testing, oh and not forgetting the software and hardware underneath all that. In fact that’s a very concise and condensed list which doesn’t begin to cover everything but I’m trying to give the overall picture here not send you to sleep or bamboozle you.

First question: how do all these different items work together to give you that warm fuzzy feeling of assurance about your cyber security?

To have governance, just like government, you need someone or something in control to maintain oversight of the cohesive efforts being made. This person or persons will of necessity be senior personnel who have the understanding and viewpoint required to see what’s happening across the business, to make decisions and the authority to have those decisions acted upon.

We’re talking operational risk management specifically, a concept I’ve heard described as an emotional process – a statement I do understand and have some sympathy with as it’s a discipline requiring a lot of subjective thinking. Many people view operational risk management as a potential minefield inside a nightmare, but it’s not that hard to do and there are sources of information out there which can help you, although some are so badly written they can fry your brain if you’re not careful. For the moment I’ll just pare it down to bite-sized chunks of bare essentials for you by outlining an easy way I’ve used in the past to tackle it. … For the next stage you need to look at what makes these threats more or less likely to happen. Here’s an example: there’s a threat that some malcontent might break a window in your office, climb in and steal something, but if you have bars over the windows then this is less likely to happen. Ah, so they can’t come through a window but how strong are the doors? You need to consider all possible – or at the very least all you can think of – ways the vulnerabilities in the situation could turn the threats into reality. On to stage three where you’ll look at what the impact would be if something happened. Say you had strong doors and barred windows except for one which only allowed access to that old storeroom with nothing in it; that would have a lower impact than if it allowed access to the computer room. Along with the impact remember to think about the value of whatever could get lost or destroyed; that’s not just the capital cost by the way, it should also encompass the value of your brand, your reputation and anything else it’ll be expensive to get back, these are your company’s assets. … The next stage is to look at what you can do to reduce the likelihood and the cost of that incident. In many cases it can be something very simple such as putting in place a procedure to ensure the last person to leave shuts and locks all the windows; it doesn’t need to be a monstrously expensive piece of software that will automatically seal off the building at 6pm sharp. … Of course someone will need to define what the acceptable level is but we know whose job that is, governance. Last stage now, where the risk is not acceptable you’ll need to come up with a plan on how to deal with it. This might be further investment in equipment or staff, or it may be possible to devise a plan that removes the risk entirely, for example by moving valuable assets to another more secure location. These plans will be reported up to the governance level whose role is to agree to them, provide what you need to get them done and to monitor progress.

You’d be surprised how many organisations are completely missing the two items described above, although most have all the rest but they’re not much good on their own.

They don’t have to be long and wordy, in fact the shorter and punchier they are the better; they need to have impact.

Unlike policies these need to have more detail in there, they need to cater for when things go wrong as well as right and how to deal with that. They show the governance layer that procedures are being followed correctly and can be used in the risk management process to identify potential issues. If your organisation undergoes audits you’ll know auditors love nothing more than evidence; it’s the only thing that proves you’re doing what you say you do.

It’s a natural human attribute to be helpful and friendly, I’ll just see if that stranger over there needs help with carrying that suspiciously large box down to his van (that’s based on a true incident folks). It’s not easy to measure if all this investment in security is working; until someone tries to break it you’ll never know if it works or not. … The idea is you pay another company a load of money to test your security and they produce a nice big report for you in return. … Some tests need specialist skills and equipment so those you are stuck with coughing up for, but many tests can be conducted by you or your friends and colleagues. Go round the building and check doors are locked, no confidential paperwork is left out on a desk, PCs aren’t left logged in. Get a friend to see if they can get inside past reception without an appointment, tell them to carry a box and say they’ve got equipment to install in the computer room. … All these tests will go towards proving the governance is in place and working, the risks are being managed effectively and the policies are being adhered to. The only caveat to this advice is where you’ll be audited and the results of the tests are offered as evidence; I find auditors aren’t keen to accept a handwritten note from uncle Joe saying he tried but he couldn’t break in as sufficient for their needs.

They’re still important and getting the right tool will save you a lot of pain and sorrow further down the road but don’t think they’re the whole answer.

Security should be seen as a continuous circle where the outputs are constantly fed back as input and the circle revolves again, each time improving and refining the process; you need all the spokes of the wheel in place if your organisation is going to successfully move forward with a mature and effective security stance.

Link: http://www.daftblogger.com/assurance-does-not-come-in-a-box/

Identify areas of intensive data analysis and look for strategic alignments with context-aware devices that can increase reaction times without reducing effectiveness

Thinking back to the origin of the phrase contextual computing, it is important also that these actions be put into the most appropriate human context. It should be a specialist security team or officer running these processes and they need to be made in context – while thinking holistically about the overall needs of the business.

It may well be that more security technology, context-aware or not, is not the biggest requirement for some companies.

Sometimes it is the human context that needs to be improved, from a social-engineering perspective. After all, the supplemental information the software will be looking for is founded on human behavior patterns, from information user behavior and tasks to location, infrastructure and physical conditions.

Link: http://www.computerweekly.com/opinion/Security-Think-Tank-Context-aware-security-saves-time?utm_medium=EM&asrc=EM_ERU_20999938&utm_campaign=20130318_ERU%20Transmission%20for%2003/18/2013%20(UserUniverse:%20635390)_myka-reports@techtarget.com&utm_source=ERU&src=5114873