Monthly Archives: June 2014

SearchSecurity – On prevention vs. detection, Gartner says to rebalance purchasing

28 June 2014

On prevention vs. detection, Gartner says to rebalance purchasing.

In this post Eric B. Parizo, Executive Editor for TechTarget’s Security Media Group, makes clear that the effectiveness of traditional, signature-based protective technologies like intrusion detection and prevention or antimalware will decrease significantly in the future.

Gartner’s Adaptive Security Architecture (ASA) is a new approach for defense against targeted attacks. ASA is a reactive defense strategy based on continuous monitoring and analytics, and should be complemented by traditional, signature-based proactive technologies.

The ASA approach has one small(?) weakness: in the time between an attack, its first detection and the implementation of countermeasures we are left defenseless. This window should be kept as short as possible to limit the damage.

In my opinion, there is a third, recommendable way: Micro-Virtualization

Micro-Virtualization is a new approach for defense against attacks, targeted or not, that irons out this weakness of the ASA approach. An e-mail client or a browser session is completely isolated from other tasks and from the operating system. Only the data required for the successful execution of the task (need-to-know principle) is loaded into the isolation container.

If an attack succeeds, only the data inside the isolation container is affected, and when the session ends the malicious code is destroyed together with the container, provided the isolation boundary itself holds. This makes Micro-Virtualization a perfect complement to ASA and to the traditional signature-based approach.

For more details about Micro-Virtualization please see www.bromium.com.

How to secure business critical data? – U.S. Customs and Border Protection shows the direction!

26 June 2014

Reflections, Boston 2013

Last year we spent our vacation at the U.S. East coast. We started in Boston and headed north to Acadia National Park, a really wonderful place for German tourists.

For Europeans, a vacation in the U.S. is a somewhat strange experience. You have to clear some hurdles before you finally arrive at your destination.

First of all, your eligibility to travel to the U.S. is determined. All Visa Waiver Program travelers have to obtain a travel authorization via ESTA (Electronic System for Travel Authorization). If ESTA rejects your application you have to apply for a visa. Without a valid travel authorization it would not have been possible to board the plane in Düsseldorf.

But authorization via ESTA is not the final permission to enter the United States. In our case the U.S. Customs and Border Protection officers in Atlanta determined our admissibility during the stopover.

This translates into an easily adaptable security concept for business-critical data:

[1] Isolate your business-critical data from the company network into a Core Data Services Network (CDSN). Figuratively speaking, the CDSN is the United States.

[2] Boston is a data service, Atlanta an application or terminal service inside the CDSN. Access to the data in Boston is possible only through the applications provided by Atlanta. The way back into the company network is blocked: export regulations are fully enforced!

Core Data Services Network Overview

[3] Düsseldorf is the gateway to the CDSN. Access to Atlanta is possible only via Düsseldorf!

[4] An employee must first log in to Düsseldorf and open a remote session to Atlanta. On Atlanta he must be authorized for the applications that access the data in Boston. At least for the login to Atlanta, two-factor authentication should be in place to prevent eBay-like attacks, where stolen employee credentials alone were enough.

Many thanks to the U.S. Department of Homeland Security for this easily adaptable security concept.

Sometimes you have to export data from the CDSN into the company network. Here too U.S. Customs is involved, through export regulations, but this is another story…
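The zone model above can be audited mechanically: every accepted cross-zone connection must be one hop inward (company network to Düsseldorf, Düsseldorf to Atlanta, Atlanta to Boston), and anything else, in particular the way back out of the CDSN or a connection that skips Düsseldorf, is a policy violation. The following Python script is an added example and not part of the original post; the subnets, the ports per hop and the firewall log lines are my own assumptions, constructed for the demo.

```python
import ipaddress
import re

# Hypothetical subnets for the four places in the post (assumption, not from the post).
ZONES = {
    "company":    ipaddress.ip_network("10.0.0.0/8"),        # ordinary company network
    "dusseldorf": ipaddress.ip_network("192.168.10.0/24"),   # gateway / jump host into the CDSN
    "atlanta":    ipaddress.ip_network("192.168.20.0/24"),   # terminal / application servers
    "boston":     ipaddress.ip_network("192.168.30.0/24"),   # data services
}

# Allowed cross-zone flows, one hop inward at a time. The ports are illustrative assumptions.
ALLOWED = {
    ("company", "dusseldorf"): {443},        # employee reaches the gateway over TLS
    ("dusseldorf", "atlanta"): {3389},       # remote session from the gateway to the terminal server
    ("atlanta", "boston"):     {1433, 5432}, # applications on Atlanta talk to the databases
}
# Everything else is denied: any flow *out* of the CDSN (atlanta -> company, boston -> anything)
# and any flow that skips Düsseldorf (company -> atlanta, company -> boston).

LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'unknown' and therefore denied."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def flow_allowed(src: str, dst: str, dport: int) -> bool:
    """Policy check for one connection. Traffic inside a single known zone is out of scope here."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return True
    return dport in ALLOWED.get((src_zone, dst_zone), set())


def find_violations(log_text: str) -> list:
    """Run the policy over accepted flows from a firewall log and return the ones that break it."""
    violations = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable lines are skipped rather than silently trusted
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if not flow_allowed(src, dst, dport):
            violations.append((m["ts"], zone_of(src), zone_of(dst), dport))
    return violations


# Constructed sample of accepted connections (not a real log).
SAMPLE_LOG = """\
2014-06-26T08:01:12 src=10.1.2.3 dst=192.168.10.5 dport=443 action=accept
2014-06-26T08:01:40 src=192.168.10.5 dst=192.168.20.7 dport=3389 action=accept
2014-06-26T08:02:05 src=192.168.20.7 dst=192.168.30.9 dport=5432 action=accept
2014-06-26T08:07:33 src=192.168.20.7 dst=10.1.2.3 dport=445 action=accept
2014-06-26T08:09:10 src=10.1.2.3 dst=192.168.30.9 dport=5432 action=accept
2014-06-26T08:11:02 src=192.168.30.9 dst=192.168.10.5 dport=443 action=accept
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("VIOLATION", *v)
```

The first three log lines are the legitimate path an employee takes; the last three are flagged: Atlanta talking back into the company network (the blocked way back), a client reaching Boston directly without passing Düsseldorf and Atlanta, and a data service initiating a connection outward. The same table of allowed hops is what the firewall rule set between the zones should implement; running it over the accept log catches rules that were opened by mistake.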

Security Think Tank: How to share data securely

21 June 2014

This post by Tim Holman is absolutely worth reading.

Security Think Tank: How to share data securely

Tim presents the elementary basics, at the people and process level, for sharing classified data with trusted third parties. From my point of view these principles must be applied to the handling of classified data inside a company as well.

In particular for information classified as strictly confidential I would strongly recommend taking further actions:

  • Review of all authorizations and permissions with strict regard to the need-to-know and separation-of-duties principles.
  • Reorganization of all filing structures

Both measures can be implemented rapidly and will raise the overall level of security, because afterwards we know in detail who is authorized to access the information and where the information is stored.

In addition, technical measures like an integrated tagging/DLP solution could be applied to support employees in enforcing the company’s security policy. In my opinion encryption is the last line of defence.

UK shoe retailer Office hit by data breach – Will secure passwords make a difference?

19 June 2014

It’s always the same old tune. Immediately after the UK shoe retailer Office announced a data breach on 29 May 2014 the debate on passwords started again.

In my opinion a statement like ‘…demonstrates just how insecure passwords are’ makes no sense in this case.

It is far more interesting to know how the incident could have happened. The information on the Office homepage [4] gives some hints:

(1) ‘Unfortunately we have been the subject of a security breach resulting in unauthorised access to some Office.co.uk accounts’

(2) ‘Only accounts created prior to August 2013 have been affected, but the information does include name, address, phone number, email address and the password to your OFFICE account.’

(3) ‘Yes – the OFFICE website is safe and secure. The server that was compromised was a server containing no live data and has been isolated.’

From (2) and (3) it is highly probable that in August 2013 Office IT staff created a copy of the customer database on a system that was not connected to the internet. This copy was obviously not sufficiently protected. According to (1) it is very likely that attackers compromised employee login credentials and gained unauthorized access to the Office company network.

This is nearly the same attack pattern as in the eBay case some weeks ago. And, just as in the case of eBay, hashing of passwords or encrypting the entire customer database would not have prevented the data breach: an attacker who logs in with valid employee credentials reads names, addresses and phone numbers exactly as a legitimate user does, and the database decrypts them for him.

It is the combination of people, processes and technology that makes the world a much safer place. Just some hints…

People

  • Customers: Use strong, site-specific passwords
  • Office employees: Run an awareness campaign with a focus on identity (credential) theft and how to react to it quickly

Processes

  • Change processes so that servers storing copies of customer data (test, migration and backup copies included) are protected in the same way as production servers

Technology

  • At least for access to systems storing customer data, set up two-factor authentication / one-time passwords, so that stolen employee credentials alone are not enough

The eBay data breach – Is hashing of passwords the appropriate response?

10 June 2014

The news about the data theft at eBay almost electrified me. Not out of fear of losing my private data (I am not an eBay customer), but because the circumstances under which the theft took place are interesting from a professional point of view.

My first thought was: This was an Insider Attack!

The IT departments of large companies are doing a very good job of operating the servers connected to the internet. I would have been very surprised by an attack through the servers at the company’s border to the internet.

The information published by eBay on 21 May 2014 [1] made my day:

‘Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network.’

I am not at all surprised that eBay discovered the loss of customer information with a two-month delay. According to the Ponemon Study 2013 [2] the average time to resolve attacks by ‘malicious insiders’ was 65.5 days in 2012 (57.1 days in 2011). That fits well in this case, too.

But I am somewhat puzzled by the discussion in some blogs about whether encryption is the adequate method to protect sensitive and private data from unauthorized access. Hashing is praised as the better method for protecting passwords.

In my opinion this discussion hardly goes far enough. The loss of e-mail addresses, physical addresses and dates of birth is to be taken at least as seriously as the loss of passwords, since this information enables e.g. professionally made, targeted phishing attacks. And, as we all know, an experienced hacker can attack even a hashed password, in particular if he has enough time behind closed doors. See [3] for amazing details about the cracking of hashed passwords.
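To make the "enough time behind closed doors" point concrete, here is an added Python example (mine, not from the post or from eBay) of an offline dictionary attack against a stolen credential table. The wordlist, the three users and their passwords are constructed for the demo, and the PBKDF2 iteration count is an assumption chosen to keep the run short. It contrasts an unsalted fast hash, where the attacker hashes each guess once and matches it against every user at the same time, with a per-user salted, slow hash, where every guess has to be recomputed for every user; the weak passwords fall in both cases, only the price differs.

```python
import hashlib
import os

# Constructed wordlist and 'leaked' accounts; no real data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2013", "shoes4ever"]
PLAINTEXTS = {"alice": "summer2013", "bob": "letmein", "carol": "Tr0ub4dor&3"}  # carol's is not in the list
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for the demo, tune it for production


def sha1_hex(password: str) -> str:
    """The weak storage format: unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(dump: dict, wordlist: list) -> dict:
    """Hash each candidate ONCE and look every user up in the result.
    Cost is len(wordlist) hash operations, however many users leaked."""
    precomputed = {sha1_hex(word): word for word in wordlist}
    return {user: precomputed[digest] for user, digest in dump.items() if digest in precomputed}


def make_record(password: str, salt: bytes = None) -> tuple:
    """The better storage format: per-user random salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def crack_salted(records: dict, wordlist: list) -> dict:
    """Every guess must be recomputed for every user, so the worst case is
    len(records) * len(wordlist) * ITERATIONS; precomputation does not help."""
    found = {}
    for user, (salt, digest) in records.items():
        for word in wordlist:
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ITERATIONS) == digest:
                found[user] = word
                break
    return found


def attack_cost(n_users: int, n_words: int) -> tuple:
    """Worst-case hash invocations the attacker needs: (unsalted fast hash, salted slow hash)."""
    return n_words, n_users * n_words * ITERATIONS


LEAKED_SHA1 = {user: sha1_hex(pw) for user, pw in PLAINTEXTS.items()}
LEAKED_PBKDF2 = {user: make_record(pw) for user, pw in PLAINTEXTS.items()}

if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted(LEAKED_SHA1, WORDLIST))
    print("salted PBKDF2 cracked: ", crack_salted(LEAKED_PBKDF2, WORDLIST))
    print("worst-case hash operations (unsalted, salted):",
          attack_cost(len(PLAINTEXTS), len(WORDLIST)))
```

Both attacks recover alice's and bob's passwords and fail on carol's, because hers is not in the wordlist. The salted, slow hash buys time (a factor of users times iterations), which is exactly the window in which a breach must be detected and passwords reset; it does not protect the names, addresses and dates of birth stored next to the hashes at all.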

New technology alone will not necessarily increase overall security, because the root causes of this data breach are more likely a lack of security awareness and training. Therefore only the classic PPT approach, covering people, processes and technology, will lead to increased overall security.

PPT – People, Processes, Technology