www.emagined.com

Archive for January, 2010

And Now the Petroleum Industry

January 29th, 2010

OK, OK, I promise to move on after writing far too much lately concerning the waves of cyberattacks that are ostensibly coming from China. But I cannot resist writing just once more about this subject because of the huge implications for information security of the attacks that have now targeted the petroleum industry. You probably are aware of the several-day-old news that ExxonMobil, Marathon and ConocoPhillips experienced attacks in which the perpetrators penetrated far into their networks, where some of the most business-critical information was stored.

Over the years, I’ve done some kind of consulting work for every major petroleum company, and I’ve had a long-term relationship with some of these companies. Additionally, my father spent over 40 years of his career in the petroleum industry. I thus have learned quite a bit about the way this industry perceives and deals with information security risk. Several types of data were compromised in the recently reported attacks, but the most valuable type of compromised data are widely known as “basin seriatim” data. These are (please forgive my gross oversimplification) data that indicate where to drill for oil deposits as the result of using methods such as echo soundings. A petroleum company’s profitability depends to a large degree on its ability to find sites that produce high yields of crude oil or shale. Each company performs soundings and other tests and then determines which sites appear to be most promising. Each company next submits a “lease bid” to obtain the right to explore for and produce oil from each chosen site. Because competition among oil companies for certain geographical areas can be extremely intense, closely safeguarding basin seriatim data against unauthorized disclosure is highly critical from a business perspective. Strong controls against unauthorized access to these data are almost without exception in place on servers that store such data throughout the petroleum industry. Unauthorized destruction or alteration of these data could also be ruinous to a petroleum company, so strong controls to counter these risks are also commonly implemented throughout the industry.

I would rate the petroleum industry as *much* better than average in their practice of information security. Executive management within this industry for the most part understands the nature and magnitude of security risks much better than in most other commercial sectors. Furthermore, defense-in-depth strategies that include multiple layers of technical, physical and administrative controls for safeguarding valuable data and critical business processes are typically used. It is for this reason that the revelation that big petroleum companies have experienced massive break-ins and information compromises (including compromises of basin seriatim data) shocks me so much.

What is perhaps even worse is that just like companies such as Lowe’s, TJX, and Heartland Payment Systems, the petroleum industry was unable to discover the waves of intrusions that started in 2008. Instead, U.S. law enforcement broke the news of the break-ins to the petroleum companies in 2009. This strongly suggests that although the petroleum industry is using mainstream intrusion detection and intrusion prevention technology, this technology is simply not delivering what is needed from it. This should come as no surprise, as this kind of thing has been happening virtually everywhere for years. The nature of attacks has changed substantially within the last few years, but current “state-of-the-art” intrusion detection and intrusion prevention systems have the same basic detection mechanisms that they have had for years.

Security Information and Event Management (SIEM) technology with strong event correlation functionality could and would have been highly useful in finding the attacks. Curiously, when I was in the SIEM industry a few years ago I approached the person in charge of intrusion detection in one petroleum company about the possibility of trying SIEM technology. I got absolutely nowhere—the person with whom I interacted was confident that the mainstream intrusion detection tools he was using were more than sufficient for his company’s purposes.

The message to organizations throughout the world is clear. If the petroleum industry has suffered a rash of such serious security incidents, and if this sector has exemplary security practices (which it for the most part does), no industry sector is safe. The real question now is which sector will be targeted next.

Network Security

Archive Everything Forever, Part 1

January 28th, 2010

What do the Chinese Communist Party and FINRA (Financial Industry Regulatory Authority) have in common? They both want to control and/or censor all communications by their communities. In the case of the Red Chinese, of course, this affects things like whether Tiananmen Square gets sprayed with machine gun fire or Google gets to do business in China without shame. In the case of FINRA in the US, this affects whether registered representatives and their financial firm employers can use social media unfettered. Free speech? What free speech?

Recently, FINRA announced that financial firms are responsible for “monitoring” and “archiving” all communications on social media sites such as Facebook and Twitter by people in their employ, mostly targeting registered representatives, those authorized to trade securities for their firms, their clients, or who advise individuals about securities and financial markets. In fairness, FINRA’s guidance sounds pretty reasonable: “supervise the use of social networking sites to ensure that recommendations are suitable and their customers are not misled.” And they also state that, “FINRA does not endorse any particular technology to keep such records, nor are we certain that adequate technology currently exists.” OK, fair enough. But what to do?

This reminds me of deliberations I participated in back in the mid-1990s in which the security and operations people in regulated financial firms were told to “archive everything forever,” as a kind of “shot across the bow” by regulators frozen in the headlights of the exponentially growing phenomenon called The Internet. No known technology then satisfied “archive everything forever.” But that didn’t stop the regulators. There has always been a requirement to archive communications made on paper. Later, it was realized that a lot of faxed communications might be bypassing postal mail-based controls. Later still, recorded phone lines were required (creating kind of a “hot line” class of phones within trading rooms – if you needed to make a personal call, better use a pay phone or a big, clunky cell phone like the ones used by the “LowScore Band” in those commercials), which generated lots of coping behavior among those who needed to communicate regarding non-firm business. Trouble is, as was well documented in the original “Wall Street” movie (Oliver Stone plans to release the sequel to the 1987 classic this year), fraudsters also could still escape monitoring by using the same coping mechanisms. Remember Charlie Sheen breathing into his phone, “Blue Horseshoe loves Anacot Steel”?

This also evokes memories of a case I worked on early in my Wall Street career. A young trader had posted a comment on a Yankees bulletin board (now there’s an arcane term for you in 2010…) in response to an inappropriate posting of a credit card offer on the same board. The credit card offer was not in any way illegal, but it so angered the young trader that he posted an expletive-laced rant about how “this board is for Yankees fans,” etc. etc. from his firm email account. We got five or six sternly worded complaints from people, some of whose children were users of the Yankee-fan board site themselves, who were worried that our firm would tolerate such language. OK, personal speech by a trader on his lunch time. But: using a firm-provided and firm-identified email origin. This damaged the firm’s reputation. The young trader even said to us, “I knew I should have waited until I was home,” to make the angry post. He was not surprised to be fired. Fast forward to today, though. The distinction between personal and firm-identified email is way fuzzier. Could someone have researched the IP address used for a typical HTTP session and linked the firm with the bad language in the same way? Maybe. Would the firm arrive at the same conclusion about perceived damage to reputation? Seriously open to question. This vivifies the problem regulators face today, though it has nothing to do with fraud.

“Archive everything forever” was a great example of the kind of clueless regulation securities professionals have faced for a long, long time. Remember, this statement came at a time when Bernie Madoff was probably into his second decade of his little scheme, and the SEC had already conducted its first investigation of Madoff Securities and found nothing untoward. The problem really is, in today’s climate of “get the greedy bankers,” it is likely that regulation designed to prevent fraud will get more draconian and less effective. What’s called for is banks and securities firms to take the initiative and provide tools to their employees and agents to help keep everybody out of trouble.

The answer, I think, is found in emergent information technologies today. Information security has reached a great watershed in its evolution from preventive, inwardly focused tools to externally focused, product and value enhancing tools. I foresee a day when it will truly be possible to differentiate firms by the security they demonstrate, not just dubious self-assertions. In Part 2 of this blog, we’ll develop this idea more completely.

Network Security

A Realistic Look at Cutbacks in Information Security Practices

January 25th, 2010

I read with some dismay a recent report by Foote Partners that said that the IT and IT security market is not likely to improve from its current dismal state until the end of this calendar year. Let’s face it—the last 18 months have been anything but ideal for information security professionals. I know many highly knowledgeable and accomplished information security professionals who have been out of work for a prolonged period of time now. Some are just about ready to give up—a real shame not only in terms of a psychological perspective, but also from the standpoint that their knowledge and skills are going unused when they could instead greatly contribute to risk management efforts and business enablement within organizations.

As I have said before, a certain amount of whining concerning the status of information security within organizations exists. The reasoning goes something like this: “Information security is really critical given the level of risks that my organization faces, but executive management remains clueless and indifferent about it.” I’ve also previously said that I believe that (as the CISM exam preparation materials state) if executive management does not really understand and value the contribution of information security to a business, it is imperative that the information security manager initiate a concerted effort to educate executives concerning what information security has accomplished and promises to deliver in the future. Doing this is no easy task, as face-to-face time with executive management is generally extremely limited, but somehow “best-of-breed” CSOs manage to succeed in this task.

There should be no mysteries concerning cutbacks in information security staffing. Bad economic times foster cost-cutting measures, and seldom is any function or group within an organization spared from them. But then I got to thinking that groups and functions within organizations that are perceived to be extremely valuable from a business perspective generally fare better when it comes to staffing than those that are not. Staffing cutbacks within information security may thus be unusually easy for executive management to make when they do not really understand what information security brings to the table, so to speak. The fact that some of the top information security practices in the world are currently hiring information security professionals instead of laying them off serves as a strong case in point.

There is an old saying, one that I do not completely agree with, that goes like this: “Every victim participates in his own victimization.” I wonder to what degree this saying applies to some information security practices today. I wonder how many CSOs have viewed cutbacks as inevitable and, accordingly, have waited with dread until cutbacks have actually occurred in a kind of self-fulfilling prophecy scenario. I wonder how much different the staffing cutback situation in these practices might have been had there been more of an effort to fight the downsizing trend by instead attempting to educate executive management concerning the value of information security to the organization. The task is not by any means easy, true, but the effort is more than justified by the fact that the reward, if obtained, is so great.

Network Security

All Fingers Keep Pointing to China

January 22nd, 2010

The word that Google experienced numerous break-ins to its systems spread quickly last week. Not only were numerous Google systems breached, but a considerable amount of intellectual property was also stolen. The attackers exploited a zero-day vulnerability in Microsoft’s Internet Explorer as well as a variety of other vulnerabilities. Google was not the only organization targeted by these attacks, however; reports indicate that approximately 30 other organizations (but most probably many more than this) also fell victim to the same type of attacks, which started a little over one month ago and ended the first week in January this year.

The most recent round of attacks is really nothing new, and all fingers keep pointing to China as the source of the attacks. Why?

1. Compromised machines sent information gleaned from them to servers in China. The fact that this happened is, of course, no proof that the origin of the attacks was from China, as a group of attackers from another country could have broken into and gained control of these servers. Still, the fact that Chinese servers were involved in the malicious activity is one fact that points to China.

2. Google brought in an information security consultancy to determine what had happened. A consultant from this company reported that the sophistication of the attacks is very high—that the malicious code used in the attacks is far more complex than mainstream attack tools. By all appearances, the author(s) of this code must have obtained financing to be able to obtain the time needed to develop code of this level of sophistication; it is a well-known fact that China has financed such efforts in the past.

3. The malicious code discussed in item 2 above incorporated a rarely found algorithm used to determine whether data corruption has occurred when it sends information. This algorithm’s source code has so far been found only on Chinese systems, another fact that implicates China.

4. Google reported that numerous attacks targeted the gmail accounts of human rights activists in China. The Chinese government has carried on a running battle with these activists for years and is highly motivated to find information about them and their activities.

5. Several Google employees with ties to China may have aided the attackers in their efforts. The employees suspected of having done this have had their network access suspended while an investigation is being conducted.

Interestingly, the US government announced that it would lodge a formal protest to China over the break-ins to US systems. Additionally, Google’s initial reaction was to announce that it was considering not doing business in China any more. I doubt whether anything either entity does with respect to China will make much of a difference because China is the proverbial 1000 pound gorilla. It is in many ways the enemy of the US and other free-world countries, yet these countries have a huge potential market in China and they can also obtain very affordable labor there. What everything boils down to is a cost-benefit analysis where the costs (e.g., constant break-ins into US systems, theft of trade secrets by bugging rooms, and more) are hugely outweighed by the benefits (e.g., gigantic sales opportunities and considerably cheaper labor). So, protests or not and threats to discontinue doing business or not, China is firmly in the driver’s seat, something with which the US government and the US commercial sector have had to come to grips.

Here is a final thought—who is the biggest provider of cloud computing services? Google is the correct answer. And the latest round of break-ins was by no means the first for Google. One might thus think that Google might not exactly be a world leader in the practice of information security. So once again we have a great example of just how great the risks associated with cloud security are.

Network Security

About Information Security Centers and Institutes

January 18th, 2010

From time-to-time I read postings and news items in which someone from some organization named a “center” or “institute” is quoted or a study performed by one of these organizations is cited. For example, I recently saw a news item that stated that a certain institute had conducted a study that indicated that individuals who had certain information security-related certifications had a higher salary than others. I have often wrestled with how credible the various centers and institutes that operate within the information security arena are, so let’s explore this issue for just a little bit.

I have spent a good part of my career in academic institutions. In such settings, the right to have the title of “center” or “institute” in connection with any effort within the institution is generally tightly controlled. For example, suppose that for some reason, I as a faculty member at some university wanted to name my research program something like “Center for Advanced Studies in Information Security.” Unless I had a very substantial program in terms of significant levels of sustained funding, staff, and positive impact upon the scholarly environment, I would be unlikely to be allowed to use such a name in connection with the program.

Reality outside of academic institutions is completely different when it comes to using the title “center” and “institute,” however. There is virtually no validation of any center or institute actually having any implied expertise or functioning at any particular level. So, for example, I could create an entity, the “Schultz Institute of Advanced Research in Information Security,” and unless there were some kind of trademark infringement issue, I could operate under this impressive name until hell freezes over. I could have a staff of one, myself, or, if I were craftier, I could list a staff of ten people, all of whom agreed to have their names listed as a personal favor to me or perhaps in the hope that their professional stock might rise or that they might get some research or consulting work that they might not otherwise have gotten.

As far-fetched as my hypothetical example might seem to you, this kind of thing happens all the time. I was at a conference last spring in which the “executive director” of a fancily-named information security “center” made a presentation, one with which I frankly was not very impressed. I found out afterwards that this so-called center operated out of this person’s house and that he was the only active member of this “center.” Strangely, my initial impression was that this person must have been a very knowledgeable and influential person.

Please do not get the impression that I am saying that every or even most information security-related institutions and centers operate on a “smoke and mirrors” basis. Many of these organizations make substantial contributions to our field. At the same time, however, some very deliberately appear to be much more than they are. So when you read of a study on some information security-related issue, I’d advise you to not accept the reported findings and conclusions at face value. The study may not have been conducted properly, the sample size may have been far too small to allow generalization of the results, the so-called “research team” may have consisted of a single individual who may or may not have had proper credentials for conducting the study, the results may not have been properly analyzed, and the conclusions may or may not be valid. Consider also that the so-called “laboratory” in which data may have been collected may have actually been someone’s basement. Oh, and worse yet, some organization that strongly expected certain results and conclusions favorable to its marketing efforts may have financed the research in the first place.

The bottom line is that you should take names and titles of organizations with a grain of salt. Be skeptical. You can generally trust the very well-established ones such as SRI International, MITRE, and the RAND Corporation, but with the rest—caveat emptor once again applies.

Network Security

Privacy Issues with Full-body Scanning in Airports

January 15th, 2010

The thwarted plane bombing incident last month continues to raise questions concerning flight security measures that should be in place. Already the U.S. government is placing more air marshals aboard international flights coming into this country in an attempt to deter would-be bombers, hijackers, and the like. According to what I have read, most Americans are in favor of this measure. The same is, however, not true of requiring full-body scans of passengers. Heated objections to this measure such as the following are being raised:

1. Full body scanners used by the Transportation Security Administration (TSA) reveal private body parts, a huge invasion of privacy.

2. These devices can store and send images. As such, images of essentially unclothed persons can potentially be obtained by unauthorized persons.

3. These devices can be rendered completely ineffective if someone knows how to tamper with their settings. The fact that many of these devices run on the Windows XP operating system allows for additional ways in which tampering can occur.

I am not comfortable with the fact that the U.S. government has collected all the personal information it has regarding individuals, myself very much included. Although some of this information may be necessary for security purposes, I am quite confident that much of it is not. In theory, U.S. citizens and residents are protected by the 1974 Federal Privacy Act, which was passed in response to growing concern that the US government was about to construct a huge database that made information about individuals centrally available. This law says that a federal agency can collect and store “records” about individuals only when doing so is necessary to achieve that agency’s objectives. Additionally, when records of this nature are created, the agency that creates and stores them must inform the public accordingly, and must suitably safeguard them.

Doesn’t performing, storing and transmitting scans of essentially naked humans violate the Federal Privacy Act? Apparently not. The unfortunate truth is that this statute has proven to be woefully inadequate in protecting any kind of personal privacy whatsoever anyway. Any federal agency can obtain virtually any information about individuals that it wants with only the flimsy justification that it needs this information to do its business. And the U.S. Patriot Act only makes things worse from a privacy perspective. Lamentably, Americans are truly at the mercy of their government when it comes to privacy.

So—when airports obtain more full-body scanners and using these scanners becomes a routine part of the flight safety screening process, what will happen to the images of individuals that the TSA will obtain? I read a posting a few days ago that alleges that the TSA has said it does not intend to retain any such images. I wish I could believe this, but I cannot. If the technology to store and send these images exists, the government will invent some excuse to use it, especially given all the furor and panic over unsafe flying that some people, particularly certain members of the news media, are stirring up. The fact that the government may very well have full body scan images of me at some point in the future greatly troubles me because of the crass invasiveness involved. I fear that book authors Orwell and Huxley may well have been right in their depictions of a world in which individual rights were completely suppressed. But what also greatly troubles me is the risk of full body scan images falling into unauthorized hands. Given the U.S. government’s dismal track record in safeguarding personally identifiable information, data security breaches involving body scan images are inevitable. The agency involved will, of course, profusely apologize, but the damage, the extent of which is potentially so great that it is difficult to truly envision, will already have been done.

There is some hope. If children undergo full body scans, the images obtained will constitute child pornography under current U.S. laws. Perhaps at least children will thus be exempted from the requirement to undergo full body scans at airports. But what about the rest of us? The answer is that it is up to you and me. If enough of us bombard our elected officials, particularly members of Congress, with our objections regarding full body scans at airports, perhaps they will sooner or later get our message and do something about it. One thing is sure, however—if we do nothing, our worst nightmares in terms of privacy infringement are bound to materialize.

Network Security

Using Wireless in the Air: Whatever Happened to Security?

January 11th, 2010

If you have the same kind of job that I have, airplanes are no strangers to you. For better or worse (more often the latter lately), flying is a big part of life for many people, myself very much included. Part of what I consider unpleasant about flying is the fact that I have to sit very close to someone whom I do not know and who may not be very considerate at all (have you noticed all those uncovered sneezes lately?) for an extended period of time. Additionally, events, sometimes very important ones, transpire while one is in the air. Keeping up with them is almost impossible unless you pay for in-flight wireless services. These services not only help a flyer keep in touch with what is happening on the ground, but also are a good antidote for boredom. And, oh by the way, they also help people to become more productive on the job.

I’ve heard a few information security professionals say that the greatest security risk in using a computer in the air is the risk of a nearby passenger seeing what is displayed on a computer screen. True, this is a potentially serious threat, but what most people do not realize is that if someone uses wireless services in the air, chances are that person will be connected to an insecure IEEE 802.11-something wireless network. Anyone on the same plane with a laptop connected to the same wireless network or a WiFi-enabled phone can eavesdrop on everything that an in-flight wireless user sends or receives. Consider the risk when there are 400 people on a jumbo jet! But the danger does not stop there—a malicious user can also attempt to access shares or possibly even to log on to any similarly connected system. Additionally, Emagined Security’s COO, Paul Underwood, has seen mind-boggling in-flight wireless scenarios. In one of them, a user set up an in-flight wireless connection and then created a proxy to which other users on board could connect!

The point here is that security concerns about using wireless networks should not be limited to on-the-ground wireless networks. The same risks that occur in using such networks also apply to in-flight wireless networks. At a minimum, every user of in-flight wireless networks should apply the following security control measures:

1) Ensure your computer has a properly configured firewall running.
2) Ensure that your computer is running anti-virus and anti-spyware software, both of which are updated frequently.
3) Use VPNs for all communications with your organization’s hosts.
4) Use SSL or some other strong encryption method for connections to Web sites and mail servers.
5) Check for open shares on your PC; if any exist, protect them (minimally with a difficult-to-guess password).

Or, if you do not want to use all these measures, at a minimum connect to a VPN before launching your email client or Web browser.

Hopefully, this blog entry will change your thinking about the risks involved in in-flight connectivity. Assuming that you make changes in your in-flight use of wireless, you next ought to turn your attention to your organization’s information security policy and standards. Do they cover in-flight computer usage? If not, it may also be time to start planning and discussing necessary changes in both.

Conventional computing use involves many risks; wireless connectivity introduces even more. Whether you are using wireless on the ground or in the air, make sure you do not fall victim to wireless attacks.
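As an added illustration (not part of the original post), here is a pre-connect checklist script that verifies items 1, 2 and 5 above before a Windows laptop joins an in-flight network. It is hypothetical and assumes an elevated PowerShell prompt on an English-locale Windows Vista/7 host; the netsh text it parses is localized, and the SecurityCenter2 WMI namespace first appeared in Vista.

```powershell
# Added example: pre-flight check for firewall state, anti-virus health and
# open shares. Items 3 and 4 (VPN, SSL) are usage habits a script cannot verify.

function Test-FirewallEnabled {
    # netsh prints a "State  ON|OFF" line for each of the three profiles;
    # report the firewall as on only if every profile says ON.
    $states = foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^\s*State\s+(ON|OFF)\s*$') { $Matches[1] }
    }
    return (@($states).Count -eq 3) -and -not (@($states) -contains 'OFF')
}

function Get-AntiVirusStatus {
    # productState is a packed hex value such as 0x041000. The middle byte
    # ("10" or "11") means real-time protection is on; the low byte "10" means
    # the definitions are out of date. This encoding is widely documented but
    # not by Microsoft, so treat the result as best-effort.
    $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct)
    foreach ($p in $products) {
        $hex = ([Convert]::ToString([int]$p.productState, 16)).PadLeft(6, '0')
        New-Object PSObject -Property @{
            Name     = $p.displayName
            Enabled  = (@('10', '11') -contains $hex.Substring(2, 2))
            UpToDate = ($hex.Substring(4, 2) -eq '00')
        }
    }
}

function Get-OpenShares {
    # Type 0 = ordinary disk share; administrative shares (C$, ADMIN$) carry
    # the high bit and are excluded. Read each share's DACL and flag any
    # Allow ACE granted to the well-known Everyone SID (S-1-1-0).
    $shares = @(Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 })
    foreach ($s in $shares) {
        $everyone = $false
        $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($s.Name)'"
        if ($sec) {
            $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
            foreach ($ace in @($dacl)) {
                # AceType 0 = ACCESS_ALLOWED
                if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq 'S-1-1-0') {
                    $everyone = $true
                }
            }
        }
        New-Object PSObject -Property @{
            Name            = $s.Name
            Path            = $s.Path
            EveryoneAllowed = $everyone
        }
    }
}

function Invoke-InFlightPreflight {
    # One summary object: any $false value or a non-empty OpenShares list is a
    # reason to stay offline until it is fixed.
    $av = @(Get-AntiVirusStatus)
    $unhealthy = @($av | Where-Object { -not $_.Enabled -or -not $_.UpToDate })
    New-Object PSObject -Property @{
        FirewallOn       = Test-FirewallEnabled
        AntiVirusPresent = ($av.Count -gt 0)
        AntiVirusHealthy = ($av.Count -gt 0) -and ($unhealthy.Count -eq 0)
        OpenShares       = @(Get-OpenShares | Where-Object { $_.EveryoneAllowed } |
                             ForEach-Object { $_.Name })
    }
}

Invoke-InFlightPreflight | Format-List
```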

Network Security

American Bankers’ Association Recommends Using Dedicated PC for Banking Transactions

January 8th, 2010

Last week the American Bankers’ Association (ABA) recommended that small and medium-sized businesses adopt a special security measure, using a dedicated PC for Automated Clearing House (ACH) transactions, to protect against fraudulent transactions. According to the ABA, this PC would be considerably safer than a normal one because it would not be used for other purposes such as Web browsing and email, two activities that considerably increase the likelihood of a PC being compromised by attackers and malware.

The ABA’s recommendation should not be limited to banking transactions, however. Once compromised, a PC should be considered completely insecure and unreliable. The probability of a given PC being compromised is high, especially if that PC has not been hardened. Numerous research studies have shown that an out-of-the-box Windows system connected to the Internet without additional security controls becomes compromised in less than 10 minutes. These considerations virtually mandate reserving a PC that is not exposed to the multitude of security risks that Web browsing and email introduce for financial transactions and other more sensitive functions only.

Small and medium size businesses can afford to buy dedicated PCs for banking and other business-related functions. A huge problem, however, is that users usually do not have this luxury; having different physical computers for different functions is usually not financially feasible. A college student is, for example, likely to be able to afford only one PC. Fortunately, virtualization technology offers some realistic help for everyday users in that different virtual machines (VMs) can be created for different functions. Two VMs could run Windows 7, but one of them could be used for financial and other transactions, whereas the other could be used for “normal” user activity such as Web browsing. This kind of use of virtualization offers numerous advantages*:

1. Multiple functions can co-reside on a single physical machine, thus precluding the need to buy, set up and maintain a second one.
2. Each of the VMs could be rolled back to a known good state every time the physical machine is booted. If a VM were compromised, it could be restored to a previous, uncompromised state during boot.
3. If a standard configuration for VMs were prescribed by an organization’s standards, every new VM could be built according to these standards. Each VM would thus have a uniform configuration throughout the organization, thereby helping ensure that uniform security-related settings would be in place everywhere.
4. The ABA could design and build a “Gold Standard” VM to be used throughout the banking industry. This VM would help organizations achieve desired levels of security without having to allocate resources to determine desirable settings.
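The rollback-at-boot idea in item 2 can be scripted as a launcher that always restores a named known-good snapshot before the banking VM starts, so anything picked up in the previous session is discarded. This is an added example, not the ABA’s or Phil Hoffman’s work; it assumes VirtualBox with VBoxManage on the PATH, and the VM and snapshot names are hypothetical.

```powershell
# Added example: start the banking VM only after rolling it back to a
# known-good snapshot. Hypothetical names; assumes VirtualBox (VBoxManage).
$VmName       = 'Banking-Win7'
$GoldSnapshot = 'known-good'

function Test-VmRunning([string]$Name) {
    # "list runningvms" prints one  "name" {uuid}  line per running VM.
    $running = VBoxManage list runningvms
    $pattern = '^"' + [regex]::Escape($Name) + '"'
    return [bool]@($running | Where-Object { $_ -match $pattern }).Count
}

function Test-SnapshotExists([string]$Name, [string]$Snapshot) {
    # --machinereadable emits SnapshotName="..." lines; nested snapshots get
    # suffixes such as SnapshotName-1="...", so allow an optional suffix.
    $out = VBoxManage snapshot $Name list --machinereadable 2>$null
    $pattern = '^SnapshotName(-\d+)*="' + [regex]::Escape($Snapshot) + '"$'
    return [bool]@($out | Where-Object { $_ -match $pattern }).Count
}

function Start-CleanVm([string]$Name, [string]$Snapshot) {
    if (-not (Test-SnapshotExists $Name $Snapshot)) {
        throw "Snapshot '$Snapshot' not found on VM '$Name'; refusing to start an unverified image."
    }
    if (Test-VmRunning $Name) {
        # Hard power-off is acceptable: everything inside the VM is about to
        # be discarded anyway.
        VBoxManage controlvm $Name poweroff | Out-Null
        Start-Sleep -Seconds 3
    }
    # Discard every change made since the golden snapshot was taken.
    VBoxManage snapshot $Name restore $Snapshot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Snapshot restore failed (exit $LASTEXITCODE)" }

    VBoxManage startvm $Name --type gui | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "VM start failed (exit $LASTEXITCODE)" }
}

# Note: this resets the guest only. It does nothing about vulnerabilities in
# the hypervisor itself, which still has to be kept patched.
Start-CleanVm $VmName $GoldSnapshot
```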

Virtualization is not perfect from a security point of view. One of the greatest concerns is that all virtualization products have vulnerabilities that, if not patched, can result in numerous undesirable outcomes, one of which is the possibility (in certain virtualization products) of a perpetrator who gains privileged access to a guest VM being able to obtain privileged access to the host on the same physical machine. But assuming that the risks inherent in virtualization are properly mitigated, virtualization can and does provide protection against fraudulent banking transactions as well as other types of incidents.

There is also another “poor man’s solution” for users to consider—using one browser (IE, Google Chrome, or…) for financial transactions and other more sensitive purposes, and a completely different browser for all other purposes. The virtualization solution I have proposed is really better from a security standpoint; if someone running as a privileged user uses a particular browser that has a cross-site scripting vulnerability to connect to a malicious Web site, the game is over. Using a different browser for other functions will do no good if the operating system itself is compromised. But using different browsers is also a much more manageable solution for everyday users.

The ABA deserves considerable credit for its initiative in making such a good recommendation. The big question is whether banks will accept and implement it. After all, you can lead a horse to water, but you cannot make it drink…

* – Phil Hoffman deserves credit for informing me about virtualization benefits that I had not previously considered.

Network Security
