Tom Olzak

Archive for the ‘Cybercrime’ Category

They have the tools, just not the will…

In Application Security, Computers and Internet, Content Filtering, Cyber-warfare, Cybercrime, Data Security, Detection Controls on July 10, 2015 at 12:44

As the number of government records stolen increases, we continue asking why so much data was stolen over the past year without detection.  The answer seems to lie in an article by Michael Cooney.  It seems the U.S. government has a detection tool called EINSTEIN, but it is only partially implemented across scattered government networks.

One of the weaknesses in the EINSTEIN implementation is the lack of any behavior analysis.  For the most part, the government is only using signature-based detection.  This is a huge controls vulnerability.

What will it take for our bureaucratic quagmire of a government to implement the right controls?  Yes, all organizations are viable targets for attack.  However, detecting the attacks (e.g., anomalous network/system behavior, unexpected movement of data, etc.) is paramount to a good defense.  Looks like much of the U.S. government either doesn’t get it or doesn’t care.
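The gap this post describes, as an added example (not code from this blog and not how EINSTEIN works): a signature check and a per-host behavioral baseline run over the same constructed daily flow summaries. Host names, addresses, byte counts and the threshold are all assumptions made for illustration.

```python
from statistics import median

# Constructed sample data: daily outbound bytes per host (not real telemetry).
HR = [200_000, 220_000, 190_000, 210_000, 205_000, 215_000, 198_000, 48_000_000]
WEB = [5_000_000, 5_200_000, 4_900_000, 5_100_000,
       5_050_000, 4_950_000, 5_150_000, 5_300_000]
# Records are (host, day, destination, bytes_out); addresses are documentation ranges.
FLOWS = (
    [("hr-db01", d, "192.0.2.77" if d == 8 else "198.51.100.10", b)
     for d, b in enumerate(HR, 1)]
    + [("web01", d, "198.51.100.20", b) for d, b in enumerate(WEB, 1)]
    + [("ws-114", 3, "203.0.113.66", 4_000)]
)
KNOWN_BAD = {"203.0.113.66"}  # constructed indicator list (the "signatures")


def signature_alerts(flows, indicators):
    """Signature-based detection: alert only on destinations already known bad."""
    return [f for f in flows if f[2] in indicators]


def behavior_alerts(flows, threshold=6.0, min_history=5):
    """Behavior-based detection: alert when a host's outbound volume for a day
    exceeds its own baseline (median of prior days) by more than `threshold`
    median absolute deviations. Needs `min_history` prior days per host."""
    history, alerts = {}, []
    for host, day, dest, nbytes in sorted(flows, key=lambda f: f[1]):
        past = history.setdefault(host, [])
        if len(past) >= min_history:
            med = median(past)
            mad = median(abs(x - med) for x in past) or 1  # avoid divide by zero
            if (nbytes - med) / mad > threshold:
                alerts.append((host, day, dest, nbytes))
                continue  # keep the outlier out of the baseline
        past.append(nbytes)
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(FLOWS, KNOWN_BAD))
    print("behavior: ", behavior_alerts(FLOWS))
```

The 48 MB transfer from `hr-db01` goes to an address on no indicator list, so only the baseline flags it; the small connection from `ws-114` has no history, so only the signature flags it. Each control covers what the other misses.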

Another Encryption Perspective

In Access Controls, Application Security, Cyber-warfare, Cybercrime, Data Security on July 9, 2015 at 14:36

Hacking Team solutions aren’t the only ways government has to access encrypted information.  Most large government agencies have their own tools that perform the same tasks: capturing encrypted data when it’s not encrypted.  All data must be decrypted to be used or processed.  That is when it is most vulnerable.  So why the debate?  I discuss this in a Toolbox.com blog entry posted today.

CryptoWall continues to spread

In Computers and Internet, Content Filtering, Cybercrime, Data Security, Ransomware on July 3, 2015 at 04:00

CryptoWall, an instance of ransomware, is a growing threat.  Attackers use it to hold an organization’s resources hostage until they get something of value.  This costs Americans millions… and it’s getting worse (FBI, 2015).

Ransomware, like CryptoWall and Cryptolocker, encrypts media on the infected machine and all media attached to the machine.  It then demands hundreds or thousands of dollars before the attackers agree to decrypt the hostage data.

Defense against this attack method is getting harder, as attackers find new ways to deploy CryptoWall and Cryptolocker.  Advanced attack techniques often leverage human vulnerabilities to bypass security controls.

The FBI provides a long list of defensive measures.  However, businesses should begin by implementing a short list of controls that protect against all types of advanced malware, not just ransomware:  Web filtering, spam filtering, email malware filtering, and (likely most important) denying users local administrator access.  This is in addition to best practices that should already be in place, including network segmentation with an application server abstraction layer (end-user device-to-application servers-to-database servers) to help isolate critical data from infected end-user devices.

YAWN!!!!

In Application Security, Business Continuity, Cyber Espionage, Cyber-warfare, Cybercrime, Government, Network Security, Regulation, Security Management on February 10, 2013 at 19:44

Another article from AP today about the U.S. vulnerability to cyber attacks.  No longer news, this kind of information is simply depressing.  Mike Rogers, a member of the House of Representatives, believes that 95% “of private sector networks are vulnerable and most have already been hit.”  Maybe, but nowhere does the article offer actual statistics or source research.  Further, no mention is made of the porous security protecting government agencies.  Figures…

Rogers contends that all the government has to do is share classified threat information and all will be well.  What is he smoking?  Everyone already knows what is needed to protect our national infrastructure.  This looks like a good copout by Republicans: protecting business by doing something useless while convincing the gullible they are doing something worthwhile.  Compromising national security isn’t necessary; all we have to do is start forcing the slackers to meet minimal security requirements.  The Feds should start with their own minimal security guidelines included in FIPS PUB 200.

In my opinion, this grandstanding by legislators needing another law passed to prove their value (God knows something has to) is not helpful.  What is helpful is applying meaningful efforts to identify weaknesses–can anyone say public utilities–and apply the necessary pressure to remove them.  This must happen without whining about cost to affected businesses and industries.  My MBA helps me understand the business side, but my common sense and sense of insecurity drive me to scream, “ENOUGH!!”

Controls: The absolute minimum

In Application Security, Cybercrime, Data Security, Log Management, Network Security, Physical Security, Risk Management, Security Management on February 3, 2013 at 17:07

Lulled into false security by years of being told anti-malware is the best way to protect networks and devices, many network administrators leave their networks wide open.  Using only anti-malware software, a firewall, and an IPS leaves gaping holes in the security controls framework.  Attackers with limited experience can locate and exploit attack vectors with little regard for these venerable controls.  While firewalls and IPS devices help, they were never intended to provide a complete prevention/detection/response solution.

SANS provides an up-to-date list of 20 critical security controls (now at version 4.0).  The downloadable documentation provides guidance on the in-depth, layered integration of controls necessary to fill gaps left by traditional approaches to minimal security.