Tom Olzak

Posts Tagged ‘Cybercrime’

Three controls to deal with a broken Internet…

In Application Security, Business Continuity, Computers and Internet, Cybercrime, Data Leak Prevention, Data Security, Log Management, Network Security, Risk Management, Security Management, SIEM on January 4, 2013 at 17:24

The Internet is broken.  Browsers are gaping holes in our security frameworks.  Certificates are becoming a liability as cyber-criminals or certificate authority negligence weakens our trust in the process.  If we continue to see defense only in terms of preventing the bad guys from getting to our end-point devices, we will surely lose the security war.  The answer is to shift perspective.

First, it’s important we assume that every end user device is potentially infected.  Further, we must assume that one or more of the servers in our data center are infected at any point in time.  This might not be true for all organizations, but it is a smart baseline assumption.  Once we accept that we are vulnerability and likely infected, it is easier to begin supporting preventive controls with comprehensive methods to identify, contain, and manage inevitable breaches of security: SIEM, NetFlow, and response.

Over this and the next two articles, I will take a high-level look at each of these breach-control methods.  Further, I will provide links to resources providing detailed information about how to design and deploy them.

SIEM

SIEM (security information and event management) is a comprehensive approach to assessing system and network behavior.  It requires collection of logs from various devices across the network, including firewalls, IPS/IDS, servers, and switches.  The graphic below depicts a very simple SIEM architecture.  Logs collected by each device are sent near-real-time to a Syslog server.  “Syslog is a standard for computer data logging. It separates the software that generates messages from the system that stores them and the software that reports and analyzes them” (“syslog”, 2013).  This is known as log aggregation.

SIEM Architecture

SIEM Architecture

Aggregated logs are sent to a correlation server for analysis.  The correlation server looks at all events received from across the network and attempts to mine attack patterns or other anomalous behavior.  Anomalous behavior identification is only effective if the SIEM solution is properly tuned.  In other words, the correlation server must know what patterns are normal for your network and which fall outside alert thresholds you set.  For more information about correlation in general, see event correlation at wikipedia.org.

All relevant information is usually available via a portal.  For example, a SIEM management server might post updated correlated results every five to 10 minutes.  Events meeting criteria set by you can also cause alerts to be sent to administrators and security personnel via SMS, email, etc.

Logs can tell us a lot about behavior, but they fall short of providing insight into how data is actually moving across the data center or across our network segment boundaries.  This is the topic of the next article in this series: NetFlow (IPFIX).

References

Syslog. (2013) Wikipedia.org.  Retrieved January 4, 2013 from http://en.wikipedia.org/wiki/Syslog

Health Care Information Security Challenge

In Data Security, HIPAA, Regulation, Security Management on December 27, 2012 at 15:27

In the last week, I’ve read several articles claiming that health care information is a prime target for cyber-criminals in 2013.  While I agree with this, I don’t agree with one of the reasons given.

Some bloggers and journalists claim that the HIPAA has not kept up with technology, and this is the reason health care is at risk today.  I disagree with this.  the HIPAA is strongly aligned with ISO/IEC 27002:2005.  General compliance with the ISO standard of best practice brings a covered entity into compliance with the HIPAA security rule.  Add to this HITECH, Subtitle B, and a covered entity has everything it needs to keep information safe.  In my view, the problem isn’t with the HIPAA; the problem is with perspective.

Compliance is not security: it is not effective risk management.  When I was director of security for a national health care organization, compliance initially went down this path.  C-level management began to ask why risk still existed after we were judged “HIPAA compliant.”  Putting the need in terms of bottom-line risk helped to turn perspectives; it made management look at HIPAA as a starting point, not an endpoint.

Today, many health care organizations are HIPAA compliant, but that does not mean risk has been sufficiently mitigated.  This is also true of publicly traded companies who pass SOX audits.  One of the biggest mistakes we as security professionals can make is allowing our employers or clients believe they are secure simply because they are compliant with a regulation.

So this begs the question… Is the current health care information security challenge a problem with the regulation or a problem with how we view compliance and risk?

Lion eats a Trojan…

In apple, Application Security, Computers and Internet, OS X Lion, Safari on September 28, 2011 at 14:21

If you’re a Mac user, you’ve probably grown complacent about security from time to time.  However, criminals are starting to go after you… me included.  In a recent CSO online article, George Hulme writes about two OS X Trojans that made the news this week.  In addition, he writes about a vulnerability Mac users who still aren’t using Firefox have in their Safari browsing experience:

“It’s those users that keep their standard system settings that are at the greatest risk, Intego says. Because the Safari browser is set to consider installer packages as safe (those files with a .phg or .mpky extension) it will automatically launch after download if their settings aren’t changed from the default. Intego advises users remove those settings.”

Following graphic shows the Safari setting in Snow Leopard.

Uncheck this box!

I guess it’s time for less Windows-bashing and a little more attention to Mac security…

It’s All about TRUST…

In Business Continuity, Data Security, Risk Management, Security Management, Trust on June 20, 2011 at 18:41

Consumers and the press like to bash vendors and online social networks for lacking perfect privacy, but there is no such thing.  Rather, this is the victim’s argument for getting pwned…

Whenever we perform an action, or fail to act, there are consequences.  A popular zen teaching uses an analogy of picking up a stick; if you pick up a stick holding one end, the other comes with it.  The same is true of sharing personal information online.  There is always the chance  your information will fall into the wrong hands.  Whether or not you share your information should be a matter of trust, of your assessment of risk.

Trust varies between online services.  For example, the steps my bank takes to protect my information are regulated and pretty strong–not perfect, but strong enough for me to take the risk of using its online services.  On the other hand, I would never post anything I don’t want the world to know about on Facebook.

Social networks are not heavily regulated… yet.  And we don’t want them to be.  I don’t want the government sticking its finger into everything I do online.  So, I need to take some responsibility for my actions and not complain to my congressman or senator when my pictures of my last frat party compromise my integrity and that of several others.  Knowing Facebook is a social network, designed for SHARING, why would I assume the risk of putting sensitive content there?  Why would I place my trust in any social networking service?

The same is true of doing business online.  There are differences in how “due diligence” is defined between online business services.  It is our responsibility to ask the right questions before using any service.  If we don’t, we are just as responsible as the service provider when data is stolen… or worse.  Further, regular audits or other assessments are necessary to ensure initial trust does not drift in the wrong direction.

Before sharing your business or personal information with anyone, ask yourself how much you trust the other guy.  If the answer is, “not as far as I can throw him,” then go somewhere else.

Android security…?

In Application Security, Certificates, Cybercrime, Data Security, Hacking, malware, Mobile Device Security, security, Security Management on March 6, 2011 at 20:09

A recent blog, Frequency X Blog, examines the latest Android malware, DroidDream.  The hole that allowed this is as big as they get.

%d bloggers like this: