Monthly Archives: July 2014

Why IT security programs fail

 31 July 2014

If it is about IT security, business people have every confidence in the ability of IT departments that they do the right and important things. To be honest, sometimes I have the feeling, that they do not want to be involved in this security stuff.

‘Just let the nerds add some new high sophisticated technology – and all will end well.’ But, please without any impact on our daily work and to low additional costs.

This ‘not involved here’ syndrome is the main reason why information security programs fail. And, combined with blind trust in technology, things could end worse.

Some weeks ago I read a remarkable statement in post ‘Security Think Tank: Consider security Training before high-end technology’ by Mike Gillespie:

Encryption is not the solution to security, it is part of the solution and always has been. So an employee who does not realise that their device is encrypted basically when it is switched off, may still have very poor security habits, such as leaving a laptop logged on with the lid down, thinking the data is secure because it is magically encrypted.

If Mike Gillespie had one more Dollar to spent in IT, I bet, he would invest this Dollar into security awareness Training.

We need change!

We need Change!

To ensure sustainability, it is very important to get people involved in these IT security topics. As Benjamin Franklin once said: ‘Tell me and I forget. Teach me and I may remember. Involve me and I learn’. Thus, to increase the likelihood of success, IT security programs should always be embedded in a change process.

But Management buy-in comes first! Why?

To stay in the market, with a well respected brand and competitive products, is definitely part of every company’s business strategy. IT is just an enabler for business strategy. IT supports the business groups in protecting the important digital assets and the intellectual property of a company.

Therefore, IT cannot be the driver for a security program. Business must take the initiative and start and manage the program to ensure sustainable change in IT security awareness and behaviour. If a C-level manager could be won as program sponsor, it is very likely that the program’s targets are met.

It’s all about leadership! And Change.

NMH survival strategy

26 July 2014

Business people are quick in demanding the highest IT security standards, but when it comes to the implementation, the security measures should not have any impact on their daily business.

What impact is a just about acceptable? The answer to this question depends on many factors. Moreover, there is no universally applicable answer to this question.

Last week this question came up in a discussion about the impact of protection measures on scientists. My answer was: Lets try the NMH (No Medium High) impact approach.

No impact

Start with protection measures that have no impact on daily work. Many technical measures and few organizational measures could be implemented in the background, in the best case without a downtime.

Present your approach and the measures to the business groups. Show that there is no impact on their daily work. I bet, everyone will welcome this approach. And, if it works, everyone will trust you and you will feel like a super hero.

Medium impact

In the next step develop measures with low or medium impact on daily work. It is very important that this is done in close collaboration with the business groups. This measures are mostly organizational measures or small changes of the way of working, e.g. waiving of USB sticks, encryption of emails if sensitive information is exchanged, or the set up of a data handling policy.

Offer at least equal or better and easy to use alternatives. Agree with the business groups in the set of measures that should be implemented, in the schedule and the remaining risk as well. Make clear that the business groups have to cover the remaining risk! Implement the changes in close cooperation with the business groups.

High impact

Finally, discuss measures that have a high impact on the way of working, e.g. strong passwords, two factor authentication to systems which are used for access to core business data or classification and tagging of data.

If there are legal requirements to implement those measures, that’s a more easy job. Anyway, you have to make the advantages clear! Finally , the business groups have to agree in the set of measures which should be implemented. In the worst case, they take the remaining risk and reject any proposals for high impact measures. If there are no legal requirements that’s ok.

From my point of view with the NMH approach you will get a high level of security without infuriating the business groups too much!

Become a superhero!

A trusted device on a trusted network? A dangerous illusion!

24 July 2014

Some days ago I attended a webinar about Cyber security. While discussing the challenges of BYOD someone stated:

‘In a hyper connected world thousands of trusted devices connect to your trusted company network.’

In my opinion, trusted devices in a trusted network are a contradiction in itself.

Let me clarify this by an example from daily life.

The moment you are connecting with your company owned laptop across the internet to your company network, you lost the game. Even if you use a VNP tunnel to secure the network connection, your laptop is in a potentially insecure state, since likely infected with malware.

Back in the company network this computers state remains insecure because your malware detection system may not detect the malware. Therefore your company network is compromised as well.

That reminds me of the blockbuster ‘Independence Day’ from 1996. The aliens allowed a fighter jet, that was lost fifty years ago, to dock at the mothership. A trusted device in a trusted network! It was the first and last mistake in their life.

The good news are: This laptop is under your control. You are able to reinstall it with a hopefully not compromised golden image.

But in the hyper connected world of the Internet of Things (IoT) and BYOD most of the devices are not under your control. Moreover, they are in a completely undefined security state, with outdated and unpatched operating systems and applications and insecure SSL certificates for communications. Just a giant black security hole!

To master the challenges of  IoT and BYOD, we have to develop completely new concepts for securing  devices, applications and the communication between the devices and the company network. Trust no one!

In the meanwhile we have to do our best to create awareness for the new threats, and to secure the data in the company network.

By the way, the aliens would have done well to destroy the fighter jet!

The neverending local administrative rights story

19 July 2014

Last week I discussed IT security related topics with the computational biology systems group. It’s hard to believe, but most of the scientist work with Linux, most of the time with a bare bash (Bourne-again shell).

What surprised me was that no scientist works with permanent super user rights. Everyone works with a standard user account, but has the option to switch context with SUDO if necessary. Very impressive!

‘Way of working’ is an essential part of every security strategy. Sometimes large security gains could be achieved with small changes to the way of working, at a fraction of the cost of technology based measures.

With Windows users I have endless discussions about the pros and cons of working with permanent administrative rights. There are good reasons for working this way, but as a result, we create a security hole from the size of a barn door that may compromise all other security measures.

On 26 April 2014 Microsoft informed in ‘Microsoft Security Advisory 2963983’ about a critical vulnerability in Internet explorer. In ‘Security Bulletin MS14-021 – Critical’,  published on 1 May 2014, we find some details about the vulnerability and the best reason to end this discussion once and for all:

‘An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.’

Bingo!

Waiving permanent administrative rights must not have serious disadvantages for user productivity. Microsoft implemented a technology similar to SUOD with Windows Vista.

Windows User Account Control (UAC) allows standard users to execute functions where administrative rights are required. If this is the case, UAC prompts for administrative privileges before executing the command.

The solution in just 3 steps:

  1. Communicate the new policy and new way of working to users with local admin rights
  2. Create a local account Useridloc and add account Useridloc to local administrators group
  3. Remove account Userid from the local administrators Group

When UAC requests administrative privileges the user inputs the credentials of Useridloc.

Please note: Since users can re-assign themselves to the local administrators group please audit compliance with the policy.

By the way, if Useridloc is used with runas (the windows command for SUDO), commands could be executed directly with administrative rights.

Welcome back to the comfort zone!

Howto secure business critical data? – The admin challenge or {U} ∩ {A} = ∅

17 July 2014

Unfortunately, sometimes administrative privileges are required for operation of the systems and services inside the Core Data Services Network (CDSN). This is very annoying because administrators are always an inherent risk. To be honest, I look forward to the day when servers could be operated without any system privileges.

Until then, we must try to reduce the risk through consequent application of the Separation of Duties (SoD) principle. Let’s do some basic set theory first.

Let {U} be the set of all employees in the company, {D} ⊂{U} the set of all employees with authorized access to the core data and {A} ⊂{U} the set of all IT Administrators in the company.

The Separation of Duties (SoD) principle requires:

 {U} ∩ {A} = ∅

This translates into the following basic principle:

Employees with authorized access to core business data must never have the privileges for administration of systems and services in the entire company network.

Could a data manager have privileged access with a special account? This question was asked in a meeting some days ago. Although there may be good reasons to do this, the answer is No. Never! Employees with authorized access to data must never have privileged access, no matter what account is used.

Note bene: The SoD principle should be applied to all services at all system, application and infrastructure levels. Let me clarify this by the means of two examples:

  1. Data managers should never have the privileges for account or database administration because this would allow them to grant privileges to themselves.
  2. Terminal service administrators must never have the privileges to configure the firewalls between the CDSN and the company network. This would allow them to authorize other computer for access to the CDSN.

Simple, but effective.

Bromium – The Dawn Of A New Era In Corporate Cyber Threats?

14 July 2014

The Dawn Of A New Era In Corporate Cyber Threats? | A Collection of Bromides on Infrastructure.

Although the picture reminds me of some scenes of Terminator II, Bill Gardner does not announce the imminent end of the world. In this blog post he just creates awareness for a new kind of attacks with may have dramatic impact on businesses.

Fortunately, today’s attackers focus on new market businesses. The impact of a data theft, e.g. loss of reputation or annoyed customers, is costly and exasperating for companies, but not life-threatening. Destruction of data and of backups, as in the case of Code Spaces, might lead in the worst case to loss of business and disastrous effect on customers.

But the expansion of malicious activities to old market businesses, like chemical and pharmaceutical plants or basic infrastructure like national gas or power supply systems, could have  a catastrophic impact on businesses, environment and people.

In addition, a third type of damage, integrity loss, caused by tampering of data, makes things really worse, because this kind of damage is very hard, and often only after several years, to discover.

We urgently need to prepare for the “Maximum Credible Accident!

For a good starting point see Mark Brown’s article “Where should a CISO look for cyber security answers – hardware, software or wetware?”.

Don’t Panic – All will end well!

SearchSecurity: Multifactor authentication key to cloud security success

12 July 2014

Multifactor authentication key to cloud security success

In this great post Brandon Blevins provides a brief summary about the Code Spaces attack, the progression of the attack and the catastrophic consequences for the company and the customers. Moreover, he makes clear that Multi Factor Authentication is an essential requirement for running a successful business in the cloud. With Two- or Multi Factor Authentication in place this attack would not have been possible.

The attack pattern in the Code Spaces case differs only slightly from the patterns in the eBay, Target, and Office attacks. In all cases the attackers used stolen credentials of employees for unauthorized access to the company network and the data.

One Euro Cent Coin

From my point of view, Two or Multi Factor Authentication (MFA) would have prevented most of the published data breaches, irrespective of whether the services are hosted on premise or in the cloud.

Multi Factor Authentication is worth every Cent!

The main difference between the attacks exists in the amount of the damage, in the eBay case data theft and loss of reputation, irreversible destruction and discontinuation of Business in the Code Spaces case.

But a third, more important type of damage must be considered:

Integrity loss, caused by tampering of data.

Small changes to software products, to the formulation of drugs, or a bill of material could lead in the worst case to a catastrophic impact on people, businesses and the environment.

How often does this happen, without you ever noticing?  At this very moment? And, are you able to recognize such integrity losses to prevent larger damage?

We should ask ourselves these worrying questions. The statement “I always call it the Wal-Mart-Target competition … to see who can get to the lowest price and still provide good service. Security is what gets lost” gains a new meaning from the integrity point of view.

I would strongly recommend, that all businesses, in particular in the manufacturing industries and in the pharma sector, should decide about implementing MFA to prevent damage caused by integrity loss.

That will make our world a somewhat safer place.

Will IT security technology solve the Snowden Problem?

10 July 2014

In the year one after Edward Snowden discussions about the why and the how are well under way. In the past month all suppliers of IT security technology made proposals how to tackle the Snowden problem. Additional technology like an integrated Tagging/Encryption/DLP system seems to be a solution to the Snowden problem. But would the data theft have been prevented by such a solution?

Since Snowden had legitimate access to classified information the answer is: Definitely Not!

We have to dig somewhat deeper into IT security concepts to get to the root of the problem.

The big questions are:

  • Why has an employee with legitimate access to classified information the right to create copies of this information?
  • Why is he authorized to bring the information outside the organization?

The concepts and processes for handling of classified information were designed more than 40 years ago and remained nearly unchanged over the years. Because technology developed rapidly during this time we face a constantly increasing gap between the technology used for attacks and the concepts we use to secure our information.

Although we patched our outdated concepts and processes with advanced technology during the years, we never got the most of this new technology. In a poorly designed environment even the best technology will deliver poor results only.

In order to bridge the gaps the entire system and process architecture must be re-designed from scratch. The Separation of Duties principle and the Principle of Least Privilege must be strictly applied to the very last detail during design, and state-of-the-art technology must be used for implementation.

But we are so busy firefighting with new technology that we have no time to make strategies.

What might have stopped Snowden? I think a more fine-grained authorization concept, designed in strict application of the Separation of Duties principle, would have prevented the data theft.

Sounds easy, doesn’t it?

SearchSecurity.com: How to Thwart Privilege Creep with Access Reviews

5 July 2014

How to Thwart Privilege Creep with Access Reviews

In this E-Guide from SearchSecurity.com, industry expert Peter H. Gregory talks about privilege creep and the concepts to solve this problem.

The accumulation of privileges is bad enough but, things turn really bad if privilege creep undermines the Separation-of-Duties (SoD) or Four-Eyes principle. In this case employees could grant themselves unwanted privileges which could result in serious compliance problems.

When employees leave their job or retire we face a similar Problem. In the best case HR promptly notifies the IT group to deactivate the employee account. But privileges are very often excluded  for fall-back purposes because it takes a long time before a successor is fully able to work. In the worst case, if you are in a hurry, all those messy privileges are just copied without any review.

A regular review of privileges is the best measure to tackle these problems. Even manually reviews could be implemented with moderate effort. A IAM solution with direct link to the HR system is the definitely the best approach for a large company.

In addition, I recommend to expand job profiles by security profiles. When a new employee starts his work, the job related security profile could be easily implemented and thus privilege creep prevented.

Security profiles must be maintained to track changes in the job profile. A security profile comprises all roles and privileges to all applications, systems and information an employee needs to do his job.

In addition, the employee orientation plan must be expanded by information security related topics. Create awareness and train employees how to adequately respond to information security related incidents will raise the overall security Level.

Howto secure business critical data? – Build an effective data export control system!

3 July 2014

In post How to secure business critical data? – U.S. Customs and Border Protection shows the direction! I introduced the Core Data Services Network (CDSN) where business critical data is isolated from the company network.

One-Way traffic sign

Source: Wikipedia

The network connection into the CDSN is implemented as a one-way connection. Except of infrastructure services (e.g. Directory Services) the firewall at Atlanta blocks all outgoing traffic, which makes data theft nearly impossible. For advanced security levels even the infrastructure services should be provided from the CDSN.

Unfortunately, we have to exchange data with the CDSN. Again, the U.S. Government shows the direction by the means of export regulations. For details please see Overview of U.S. Export Control System.

In our case a Core Data Exchange Service (CDXS) is set up inside the CDSN on server Miami Beach. Users of the Atlanta Application Services could copy business data to Miami Beach, but are not authorized to intiate the transfer to Frankfurt from inside the CDSN.

The data from Miami Beach are provided to the users in the Company Network exclusively through the Frankfurt data exchange Services.

CDSN-Overview with CDXS

Core Data Services Network Overview

The data transfer is governed by a process with clearly defined roles and responsibilities. It’s this process that makes the difference. The technology used is standard windows technology, no rocket science!

First of all we have to define an new  role Data Exchange Manager (DXMgr). Only DXMgrs are authorized to copy data from the Miami Beach Core Data Exchange Service to the Frankfurt CDXS. The DXMgrs must never have access to the data as a Data Manager (DMgr) and a DXMgr must never initiate a request for data from the CDSN.

Data Exchange Workflow

Data Exchange Workflow

(1) The DXMgr takes the request for data from an authorized employee (Requester), checks whether the request is valid and (2) forwards the request to an employee with role Data Manager (DMgr).

(3) The DMgr validates the request, connects to the Atlanta Application Services, creates the requested data and copies them to the Requesters write-only inbox on the CDXS at Miami Beach. During this process the data is encrypted with the key of the Requester.

(4) Back in the company network the DMgr sends a notification to the DXMgr. The DXMgr connects to the Frankfurt CDXS, copies the data from the Miami Beach CDXS to the write-only inbox of the requester on the Frankfurt CDXS and deletes the data from Miami Beach.

(5) Finally, the DXMgr notifies the requester to check and empty his inbox on the Frankfurt CDXS.

Sound’s easy, doesn’t it?

This home-made solution, based on standard Windows features like shares, mapped network drives and finegrain acl, is somewhat complex to set up and to maintain. I would recommend to use a secure and user-friendly ad hoc file transfer solution which is easier to manage.