Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

Security Errors and Omissions by Organizations As We Enter 2011


By Stephen Northcutt
Version 1.1

Errors and Omissions as we enter 2011

One of the biggest problems in security is the so-called low-hanging-fruit problem: any error we make gives an attacker something to take advantage of. Here are some reminders to keep our guard up. I have tried to list them in priority order.
The biggest oversight is failure to understand the impact of the malicious insider. Some of the most devastating events that have happened to organizations happened at the hands of an insider. Three come to mind: Roger Duronio, the UBS PaineWebber systems administrator who planted a logic bomb that took down about 2,000 servers and cost the firm millions of dollars to recover from; Nick Leeson, the trader whose unauthorized positions caused Barings Bank to fail; and the spy John Walker.
- http://www.informationweek.com/news/security/showArticle.jhtml?articleID=196603888
- http://www.stock-market-crash.net/barings.htm
- http://www.trutv.com/library/crime/terrorists_spies/spies/walker/1.html

Failure to keep access control as a priority. We have seen a hospital security guard, Jesse William McGraw, hacking the hospital's IT systems, and a former system administrator, Danielle Duann, deleting the LifeGift organ donor database. It is amazing how many data breaches come down to access control, and this is going to be an even bigger problem as man-in-the-middle techniques render two-factor authentication insufficient protection on its own. One New Year's resolution to make is to map out the data flows in and out of your organization, identify the access control points, and then ask someone with penetration testing experience how they would defeat those controls. And don't forget passwords: we can enforce reasonable password behavior for users with policy settings, but be sure to also assess the passwords configured on your switches, routers, databases and servers, where defaults and weak passwords tend to linger.
- http://www.computerworld.com/s/article/9135089/Security_guard_charged_with_hacking_hospital_systems
- http://www.backgroundnow.com/danielle-duann-sentenced-for-hacking-lifegift-organ-donation-center%E2%80%99s-computer-network/
- http://blogs.computerworld.com/node/2957
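
One way to do the network-device part of that password assessment is to audit the saved configuration rather than log in to every box. The script below is an added example, not code from the original article: it reads a Cisco IOS-style configuration (the SAMPLE_CONFIG here is constructed, not from a real device), flags clear-text and default credentials, and recovers any "type 7" passwords, because Cisco's type 7 scheme is a documented reversible encoding rather than a hash, so such passwords should be treated as exposed. The line patterns it matches are a simplification of real IOS syntax.

```python
"""Audit a Cisco IOS-style configuration for weak password handling.

Added example, not from the original article. SAMPLE_CONFIG is constructed;
the type 7 scheme is Cisco's documented reversible encoding, so recovering
those passwords is the point of the check, not an exploit against a device.
"""
import re

# Cisco's fixed type 7 key. The two-digit decimal prefix of a type 7 string is
# the starting offset into this key; each following hex pair is one XORed byte.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Lines carrying a password with an explicit type digit (0 = clear text,
# 7 = reversible) and lines carrying one with no type digit at all.
_PW_TYPED = re.compile(r"(enable password|username \S+(?: privilege \d+)? password|password) (\d) (\S+)$")
_PW_PLAIN = re.compile(r"(enable password|username \S+(?: privilege \d+)? password|password) (\S+)$")

WEAK_SNMP_COMMUNITIES = {"public", "private"}


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 password, e.g. '094F471A1A0A' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a well-formed type 7 string")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(body)).decode("ascii", "replace")


def audit_ios_config(config: str) -> list:
    """Return (severity, config line, note) findings for password weaknesses."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "service password-encryption" not in lines:
        findings.append(("medium", "(global)",
                         "service password-encryption is off; line/user passwords are stored in clear text"))
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append(("high", "(global)",
                         "no 'enable secret'; privileged access relies on a weaker or absent enable password"))
    for ln in lines:
        m = _PW_TYPED.match(ln)
        if m:
            where, ptype, value = m.groups()
            if ptype == "0":
                findings.append(("high", ln, f"{where}: clear-text password"))
            elif ptype == "7":
                try:
                    recovered = decode_type7(value)
                except ValueError:
                    recovered = "<malformed>"
                findings.append(("high", ln, f"{where}: type 7 is reversible, recovered '{recovered}'"))
            continue
        m = _PW_PLAIN.match(ln)
        if m:
            findings.append(("high", ln, f"{m.group(1)}: clear-text password"))
            continue
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in WEAK_SNMP_COMMUNITIES:
            findings.append(("high", ln, "default SNMP community string"))
    return findings


# Constructed sample, not a real device's configuration.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable password 7 094F471A1A0A
username admin privilege 15 password 7 0822455D0A16
username backup secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
snmp-server community public RO
line vty 0 4
 password letmein
 login
"""

if __name__ == "__main__":
    for sev, line, note in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{sev}] {line}: {note}")
```

Run it over the output of `show running-config` collected from each device; anything reported as recovered or clear text should be replaced with an `enable secret` or a `username ... secret` entry, and the SNMP community changed.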

Not putting enough emphasis on endpoint security, especially in telework situations. Classic anti-virus is at the end of its useful life and needs to be supplemented with other technology such as heuristics and application whitelisting. These systems are also highly prone to carrying third-party software that is not at the current patch level and has known vulnerabilities. And, since the browser is the source of so many attacks, failing to run an up-to-date browser inside a sandbox with script-management tools means we cannot stop malware if employees are allowed any freedom in surfing the web. Here are some tools to consider for making the endpoint safer:
- http://secunia.com/vulnerability_scanning/personal/
- http://noscript.net/
- http://www.sandboxie.com/
- http://www.coretrace.com/
- http://www.bit9.com/
- http://www.savantprotection.com/
- http://www.tippingpoint.com/pdf/analyst/TippingPoint3048.pdf
- http://www.lumension.com/Legacy_Landing_Pages/141554.aspx?rpLeadSourceId=5000
- https://www.sans.org/webcasts/application-whitelisting-explanation-and-uses-92873
- http://www.sans.org/reading_room/analysts_program/McAfee_09_App_Whitelisting.pdf

Failure to practice defensive banking. It is no secret that organized crime is trying to install credential-stealing malware on the computers used for online banking and then drain the accounts. There are ways to make this attack much harder. Give the accountants a computer to be used only for online banking and nothing else. Boot from a live CD before banking. Never have more than one tab or window open while banking. Have paychecks or revenue deposited into one bank that has written instructions to allow money to be sent only to one named account at a second bank. Do not allow checks or debit cards on that first account. Transfer only the money you need to pay bills to the second account, so that if the credentials are stolen your exposure is limited to that balance.
- http://www.sans.org/security-resources/malwarefaq/zeus-pdf-exploit.php
- http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html
- http://www.fdic.gov/bank/individual/online/safe.html
- http://ezinearticles.com/?Online-Banking---Safety-Tips-For-The-Consumer&id=479412

DNS security is much more than DNSSEC. We know how important it is, because losing control of our domain for even a day would be a huge business disruption, yet there are still organizations that have not locked their domain at the registrar.
- http://www.netmechanic.com/news/vol7/domain_no11.htm
- http://www.eweek.com/c/a/Security/New-Twitter-Attack-Details-Emerge-175634/
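
The registrar-side controls are easy to verify from the WHOIS record. The script below is an added example, not from the original article: it parses WHOIS text (SAMPLE_WHOIS is a constructed record for a fictitious domain; real output varies by registrar, so only the common 'Domain Status', 'Name Server' and 'Registry Expiry Date' fields are used) and reports missing registrar locks, name servers you did not delegate, and an approaching expiry date. It works offline on text you feed it, for example the output of `whois yourdomain.example`.

```python
"""Check the registrar-side controls that keep a domain from being hijacked.

Added example, not from the original article. SAMPLE_WHOIS is constructed;
real WHOIS output differs between registrars, so this relies only on the
common 'Domain Status', 'Name Server' and 'Registry Expiry Date' fields.
"""
from datetime import datetime, timezone

# EPP status codes a registrar sets when the domain is locked. Without them,
# whoever gets hold of the registrar login (or forges a transfer request) can
# move, change or delete the domain.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}


def parse_whois(text: str) -> dict:
    """Map lower-cased 'Key' -> [values] from 'Key: value' lines, skipping comment noise."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if ":" not in stripped or stripped.startswith(("%", "#", ">>>")):
            continue
        key, _, value = stripped.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def check_domain_control(whois_text: str, expected_ns: set, today: datetime, warn_days: int = 30) -> list:
    """Return a list of problems: missing locks, unexpected name servers, looming expiry."""
    fields = parse_whois(whois_text)
    problems = []

    # 'Domain Status: clientTransferProhibited https://icann.org/epp#...' -> first token is the code.
    statuses = {s.split()[0] for s in fields.get("domain status", []) if s}
    for lock in sorted(REQUIRED_LOCKS - statuses):
        problems.append(f"registrar lock missing: {lock}")

    # Name servers are the obvious thing a hijacker changes to redirect everything.
    actual_ns = {ns.lower().rstrip(".") for ns in fields.get("name server", [])}
    expected = {ns.lower().rstrip(".") for ns in expected_ns}
    for ns in sorted(actual_ns - expected):
        problems.append(f"unexpected name server delegated: {ns}")
    for ns in sorted(expected - actual_ns):
        problems.append(f"expected name server not delegated: {ns}")

    # Expired domains get dropped and re-registered by squatters; catch it early.
    for raw in fields.get("registry expiry date", []):
        expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        days_left = (expiry - today).days
        if days_left < 0:
            problems.append(f"domain expired {-days_left} days ago ({expiry.date()})")
        elif days_left <= warn_days:
            problems.append(f"domain expires in {days_left} days ({expiry.date()})")
    return problems


# Constructed WHOIS record for a fictitious domain, and the check inputs for it.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.COM
Updated Date: 2010-11-02T09:12:44Z
Creation Date: 2004-05-20T14:00:00Z
Registry Expiry Date: 2011-01-18T14:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-CORP.COM
Name Server: NS2.EXAMPLE-CORP.COM
Name Server: NS1.UNKNOWN-HOSTER.NET
>>> Last update of whois database: 2010-12-28T10:00:00Z <<<
"""
SAMPLE_EXPECTED_NS = {"ns1.example-corp.com", "ns2.example-corp.com"}
SAMPLE_NOW = datetime(2010, 12, 28, tzinfo=timezone.utc)


def run_sample() -> list:
    return check_domain_control(SAMPLE_WHOIS, SAMPLE_EXPECTED_NS, SAMPLE_NOW)


if __name__ == "__main__":
    for problem in run_sample():
        print("-", problem)
```

On the constructed record it reports two missing locks, one name server nobody on the team delegated, and an expiry three weeks out; any of those deserves a call to the registrar the same day.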

Failure to stay abreast of the security vendor space. It takes time and attention to understand who the vendors are and what their products can do, but it is important: we are all short of people, and in some cases our product choices put us in an even worse position because they stretch resources tighter still. Examples I have been seeing lately include choosing a SIEM to meet log management compliance requirements without factoring in the effort needed to configure it fully and get useful results from it, and choosing a DLP solution while expecting that triaging the alerts it generates can be one more collateral duty for a fraction of a security person's time. We also need to choose products that tie identity to activity so that incident response can be rapid and precise. If we are already busy, having to match MAC addresses to IP addresses in a DHCP table and then work out who was logged in costs time and, eventually, leads to alerts not being responded to.
- http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1351973,00.html

Failure to manage static host tables.
If this is not a file we control through our configuration management process, it may be possible for a malicious person or website to replace it with one containing bogus entries for sites we trust (pharming). However, host tables can also enhance security, as the first link below shows:
- http://someonewhocares.org/hosts/
- http://www.symantec.com/norton/cybercrime/pharming.jsp
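
The two uses of a hosts table are easy to tell apart mechanically, which is what makes it auditable. The script below is an added example, not from the original article: it parses a hosts file (SAMPLE_HOSTS and TRUSTED_DOMAINS are constructed for the example), treats names pointed at a loopback or unspecified address as sinkhole entries of the kind the someonewhocares list installs, and treats a trusted name pointed at any other address as a redirect to investigate. The SHA-256 baseline stands in for the configuration-management check the text calls for.

```python
"""Audit a static hosts table for pharming-style entries.

Added example, not from the original article. Sinkhole entries (a name pointed
at a loopback or unspecified address) are distinguished from hijack entries (a
trusted name pointed at a routable address, which redirects users without
touching DNS). TRUSTED_DOMAINS and SAMPLE_HOSTS are constructed.
"""
import hashlib
import ipaddress

# Names whose resolution must never be overridden locally (assumed list).
TRUSTED_DOMAINS = {"mybank.example", "mail.example-corp.com", "update.microsoft.com"}


def hosts_baseline(text: str) -> str:
    """Digest to record under configuration management for a known-good file."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_hosts(text: str):
    """Yield (ip_address, [names]) for each entry; comments and junk lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # the resolver ignores malformed lines too
        yield ip, [name.lower().rstrip(".") for name in parts[1:]]


def _is_watched(name: str, trusted: set) -> bool:
    return name in trusted or any(name.endswith("." + d) for d in trusted)


def audit_hosts(text: str, trusted: set = TRUSTED_DOMAINS, baseline_sha256: str = None) -> list:
    """Return (severity, message) findings for a hosts file's contents."""
    findings = []
    if baseline_sha256 is not None and hosts_baseline(text) != baseline_sha256:
        findings.append(("high", "hosts file differs from the managed baseline"))
    for ip, names in parse_hosts(text):
        sinkholed = ip.is_loopback or ip.is_unspecified
        for name in names:
            if not _is_watched(name, trusted):
                continue
            if sinkholed:
                findings.append(("medium", f"{name} sinkholed to {ip}: trusted name is being blocked"))
            else:
                findings.append(("high", f"{name} pinned to {ip}: trusted name redirected (possible pharming)"))
    return findings


# Constructed sample hosts file.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
127.0.0.1   ad.doubleclick.net          # blocklist-style sinkhole, harmless
0.0.0.0     tracker.badsite.example     # also a harmless sinkhole
192.0.2.45  mybank.example www.mybank.example   # trusted name sent elsewhere
10.1.1.20   intranet.example-corp.com   # internal pin, not a watched name
"""

if __name__ == "__main__":
    for sev, msg in audit_hosts(SAMPLE_HOSTS, baseline_sha256=hosts_baseline(SAMPLE_HOSTS)):
        print(f"[{sev}] {msg}")
```

On a managed fleet the baseline digest is what you compare in the first place; the per-entry rules are for the machines where nobody recorded one, and for explaining what changed when the digest does not match.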

Network engineers who know IOS but do not know how to read network traffic. If we do not have people on staff who can analyze traffic, misconfigurations and attacks that might otherwise be detected will get through; it even happened to the Department of Homeland Security.
- http://www.securitypronews.com/insiderreports/insider/spn-49-20070924DHSBlastsUnisysOverChineseHack.html

Relying too much on the output of a vulnerability scanner for risk management decisions. We should also be collecting configuration information from the host itself, and factoring in user issues (e.g., what can the user see, what can the user do).

Insufficient attention to the information stored on corporate PDAs.
I love the iPhone; once you have used one for a few weeks it is hard to force yourself to use anything else, but it is not clear that it is a good choice for a corporate PDA, as it lacks many of the central management and security features available from RIM. Also, you can bet we will see more malicious code for PDAs in 2011.
- http://www.sans.org/score/handheldschecklist.php
- http://gadgetmania.com/2009/12/a-new-iphone-worm-is-here-and-this-time-its-malicious-war/

Virtualization: an amazing number of organizations seem to go straight from resisting virtualization to wanting to virtualize everything. I am less concerned about technical attacks, such as escaping from a guest into the hypervisor, than about the fact that an entire machine can now be stolen as a single file.
- http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348119,00.html
- http://www.infoworld.com/d/virtualization/catbird-and-mcafee-address-security-in-new-datacenter-145
- http://www.configuresoft.com/virtualization.aspx
- http://www.tufin.com/products_securetrack.php
- http://www.algosec.com/en/index.php

Failure to keep security policy up to date and covering the issues. This problem seems to be getting worse. For a quick look at some of the issues for which you might want policy, visit the SANS policy project. Policy is our opportunity to express the bounds of acceptable activity and also what we want the users to do, to convey our expectations. Of course, policy cannot stand by itself; awareness training about the policy is also greatly needed and in short supply.
- http://www.sans.org/security-resources/policies/

Failure to use cryptography to protect data in transit. We were all shocked by the story of unmanned aerial vehicle video feeds being intercepted with a $25 piece of software, but before we pile on the Air Force, spot check your own email and instant messenger streams for clear text. And while you are at it: when were the keys last changed in your VPN system?
- http://www.latimes.com/news/nation-and-world/la-na-drones18-2009dec18,0,4801443.story
- http://www.bankersonline.com/technology/gurus_tech021703b.html

Failure to develop local web applications that robustly defend against cross-site scripting, SQL injection and their cousins, because the assumption is that only trustworthy internal users will be able to reach these applications. And while we are talking about software: the software we develop today will likely still be in use five years from now; does our software architecture take into account that we might be running on cloud offerings by then?
- http://www.coresecurity.com/
- https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__
- http://www.qualys.com/solutions/web_application_scanning/
- http://www.veracode.com/solutions
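
The "internal users only" assumption usually shows up as a lookup built by string concatenation and a page that echoes database content straight into HTML. The code below is an added example, not from the original article or any of the vendors linked above: a constructed in-memory SQLite table of employees, the vulnerable lookup and rendering beside the parameterized and output-encoded versions, so the effect of the classic `' OR '1'='1` payload and of a stored script tag can be seen directly.

```python
"""Side by side: an 'internal only' badge lookup built by string concatenation
and rendered straight into HTML, and the same lookup done with parameterized
SQL and output encoding.

Added example, not code from the original article. The table is constructed
in memory; lookup_vulnerable and render_row_vulnerable are deliberately
exploitable to show the failure, the *_safe versions are the fix.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data, including a stored-XSS payload in a name field."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, badge TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employees (name, badge, salary) VALUES (?, ?, ?)", [
        ("Alice Adams", "A-1001", 90000),
        ("Bob Brown", "B-2002", 85000),
        ("<script>alert(1)</script>", "C-3003", 1),
    ])
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, badge: str) -> list:
    """User input is interpolated into the statement, so quotes become syntax:
    badge = "' OR '1'='1" turns the WHERE clause into a tautology and returns
    every row. (sqlite3.execute happens to reject stacked statements such as
    "'; DROP TABLE ..." but other drivers do not; do not rely on that.)"""
    sql = "SELECT name, salary FROM employees WHERE badge = '%s'" % badge
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, badge: str) -> list:
    """The driver binds the value separately from the statement text, so the
    same payload is compared literally against the badge column and matches nothing."""
    return con.execute("SELECT name, salary FROM employees WHERE badge = ?", (badge,)).fetchall()


def render_row_vulnerable(name: str, salary: int) -> str:
    # Whatever is in the database goes straight into the page: stored XSS.
    return f"<tr><td>{name}</td><td>{salary}</td></tr>"


def render_row_safe(name: str, salary: int) -> str:
    # Encode for the HTML context; force the numeric field to be numeric.
    return f"<tr><td>{html.escape(name)}</td><td>{int(salary)}</td></tr>"


def demo() -> dict:
    """Run both versions against the same inputs and return the row counts/markup."""
    con = make_db()
    payload = "' OR '1'='1"
    xss_name, xss_salary = lookup_safe(con, "C-3003")[0]
    return {
        "vulnerable_rows": len(lookup_vulnerable(con, payload)),
        "safe_rows": len(lookup_safe(con, payload)),
        "vulnerable_html": render_row_vulnerable(xss_name, xss_salary),
        "safe_html": render_row_safe(xss_name, xss_salary),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same payload yields three rows from the concatenated query and none from the bound one; the encoded row shows `&lt;script&gt;` where the raw one would execute. Neither fix depends on who the caller is, which is the point: the network position of the user is not an input-validation control.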

Failure to rigorously detect theft of intellectual property and manage attacks on the brand. For starters, put your brand name into Google and see whether paid ads from a competitor appear.
- http://www.lewrockwell.com/orig8/bryan8.html


Finally, there are four silent killers, not unlike diabetes or high blood pressure: not many incidents get pinned on them, but they are present in a number of security disasters.

Asking security people to wear too many hats. Many organizations try to get by with a single person, or perhaps two, doing security, but there is too much to know and it changes too rapidly. This may be one of the root causes of the other issues discussed here.

Failure to adopt a project management approach to security. If a lot of security initiatives are talked about, but never brought to closure, you can bet that the security team has become 100% reactive.

Not managing power and cooling. This is not security per se, but it is incredible how many organizations run out of one or the other and suffer serious availability problems as a result. And blades are probably not going to make this better unless we really manage virtualization.
- http://www.cisco.com/web/ANZ/netsol/virtualisation/manage_power.html

Firewalls lead to a number of errors and omissions: not being aware of other paths into or out of the network, including phone company modems, wireless and Bluetooth; rulebases that are not set up properly; and failure to perform egress filtering. Several vendors now offer products to audit your firewall rulebase:
- http://athenasecurity.net/
- http://www.redseal.net/
- http://www.skyboxsecurity.com/
- http://www.fwanalyzer.com/
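
The two rulebase problems named above, rules that are set up wrong and egress that is never filtered, can be caught with a few checks over an ordered rule list. The script below is an added example, not from the original article and not modelled on any of the products linked above: it uses a simplified first-match rule model (SAMPLE_RULES is constructed, IPv4 only, documentation address ranges), and reports accept rules that match anything, rules shadowed by an earlier rule so they never take effect, and an outbound chain that does not end in a default deny.

```python
"""Audit a simplified firewall rulebase for permissive, shadowed and
egress-filtering omissions.

Added example, not from the original article and not any vendor's product.
Rules are an ordered, first-match list per chain; SAMPLE_RULES is constructed
and IPv4 only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    chain: str    # "inbound" or "outbound"
    action: str   # "accept" or "drop"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port number or "any"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet `narrow` matches is already matched by `broad`."""
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and broad.dport in ("any", narrow.dport))


def _is_catch_all(rule: Rule) -> bool:
    return rule.src == "any" and rule.dst == "any" and rule.proto == "any" and rule.dport == "any"


def audit_rules(rules: list) -> list:
    """Return (severity, chain, rule index, note) findings."""
    findings = []
    for chain in sorted({r.chain for r in rules}):
        chain_rules = [r for r in rules if r.chain == chain]
        for i, rule in enumerate(chain_rules):
            if rule.action == "accept" and _is_catch_all(rule):
                findings.append(("high", chain, i, "permits any source to any destination on any port"))
            # First-match semantics: an earlier rule that covers this one means it never fires.
            for j, earlier in enumerate(chain_rules[:i]):
                if _covers(earlier, rule):
                    if earlier.action != rule.action:
                        findings.append(("high", chain, i,
                                         f"shadowed by rule {j} ({earlier.action}); this {rule.action} never takes effect"))
                    else:
                        findings.append(("low", chain, i, f"redundant: already covered by rule {j}"))
                    break
        last = chain_rules[-1]
        if chain == "outbound" and not (last.action == "drop" and _is_catch_all(last)):
            findings.append(("high", chain, len(chain_rules) - 1,
                             "outbound chain does not end in a default deny: egress is unfiltered"))
    return findings


# Constructed rulebase; addresses are documentation ranges.
SAMPLE_RULES = [
    Rule("inbound",  "accept", "any",              "203.0.113.10/32", "tcp", "443"),
    Rule("inbound",  "accept", "any",              "203.0.113.10/32", "tcp", "80"),
    Rule("inbound",  "accept", "198.51.100.0/24",  "10.0.0.0/8",      "any", "any"),
    Rule("inbound",  "drop",   "198.51.100.77/32", "10.0.0.0/8",      "any", "any"),  # too late to block this host
    Rule("inbound",  "accept", "10.0.0.0/8",       "203.0.113.10/32", "tcp", "443"),  # already allowed by rule 0
    Rule("inbound",  "drop",   "any",              "any",             "any", "any"),
    Rule("outbound", "accept", "10.0.0.0/8",       "any",             "tcp", "443"),
    Rule("outbound", "accept", "10.0.0.0/8",       "any",             "tcp", "80"),
    Rule("outbound", "accept", "any",              "any",             "any", "any"),  # "temporary" catch-all
]

if __name__ == "__main__":
    for sev, chain, idx, note in audit_rules(SAMPLE_RULES):
        print(f"[{sev}] {chain} rule {idx}: {note}")
```

The interesting case is the inbound drop for the single host: it is correct in isolation and useless in practice, because the partner subnet rule above it has already accepted the traffic. Shadowing of that kind is what the commercial tools linked above look for across thousands of rules; the egress check is the one most rulebases fail outright.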