Tag Archives: Data Isolation

Sony-pocalypse is still stuck in my mind

13 December 2014

The more technical details about the Sony attack come to light, the more restless I become. Although the attacker delivered a highly sophisticated piece of code, the impact of this attack would not have been as serious without the unintended help of Sony's users and IT groups.

Samuel Gibbs writes in the Guardian: ‘While security analysts have said that preventing sophisticated and well-funded cyber criminals from breaking into a company is very hard indeed, researchers have criticised Sony Pictures for its poor data security, which allegedly saw login details stored in unencrypted spreadsheets.’

That’s really bad, and particularly critical in the case of functional accounts or global admin accounts.

Another large weak spot, users who work with administrative privileges or accounts, was exploited for the initial attack.

The big question is: how could we make an attacker's life more difficult?

Just a few suggestions:

  • Never use an account with administrative rights for daily work. This also applies to members of the IT groups. Administrators should work with standard user accounts and switch to privileged accounts only when required.
  • Never use the same accounts and passwords for administering services like email or database servers and for workstations. Even if a workstation account is compromised, the server stays safe.
  • Never use the same functional accounts and passwords for workstations and servers. Functional accounts are often used for managing services of third-party vendors, e.g. the anti-malware systems. Unfortunately these accounts must often have administrative privileges. Different accounts and passwords for workstations and servers prevent malware from spreading to the servers if, e.g., the workstation account is compromised.
  • Never use the same functional account for multiple services. Mind the isolation principle!
  • Service-specific functional accounts should be defined locally, and only on the systems where the services are hosted.
  • Use only strong passwords with a length of more than 20 characters. For functional accounts in particular this is no problem, because their passwords are rarely typed.
  • Decide about implementing two-factor authentication.

That’s it for today, and for this year. I will take a Christmas break.

Christmas Trees

A merry Christmas to you all
and the best wishes for health, happiness
and prosperity in the New Year.

How to secure business critical data? – U.S. Customs and Border Protection shows the direction!

26 June 2014

Reflections, Boston 2013

Last year we spent our vacation on the U.S. East Coast. We started in Boston and headed north to Acadia National Park, a really wonderful place for German tourists.

A vacation in the U.S. is a somewhat strange experience for Europeans. You have to clear some hurdles before you finally arrive at your destination.

First of all, your eligibility to travel to the U.S. is determined. All Visa Waiver Program travelers have to get a travel authorization via ESTA (Electronic System for Travel Authorization). If ESTA rejects your application, you have to apply for a visa. It would not have been possible to board the plane in Düsseldorf without a valid travel authorization.

But authorization via ESTA is not the final permission to enter the United States. In our case, the U.S. Customs and Border Protection officers in Atlanta determined our admissibility during the intermediate stop.

This is an easy-to-adapt security concept for business critical data:

[1] Isolate your business critical data from the company network into a Core Data Services Network (CDSN). Figuratively speaking, the CDSN is the United States.

[2] Boston is a data service, Atlanta an application or terminal service inside the CDSN. Access to the data in Boston is possible only via the applications provided by Atlanta. The way back to the company network is blocked, and export regulations are fully enforced!

Core Data Services Network Overview

[3] Düsseldorf is the gateway to the CDSN. Access to Atlanta is only possible via Düsseldorf!

[4] An employee must log in to Düsseldorf first and open a remote session to Atlanta. On Atlanta he has to be authorized for the applications that access the data in Boston. At least for the login to Atlanta, two-factor authentication should be in place to prevent eBay-like attacks.
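As an added illustration (not part of the original post), here is a small Python policy check that maps the four zones of the CDSN design to constructed subnets and flags connection attempts that leave the permitted Düsseldorf -> Atlanta -> Boston path or skip the two-factor login. The addresses, the `src=... dst=... mfa=...` record format and all names are assumptions; it models the initiating direction of a connection only.

```python
import ipaddress

# Constructed addressing for the four zones of the post (hypothetical, not from the original).
ZONES = {
    "company": ipaddress.ip_network("10.1.0.0/16"),   # company network
    "gateway": ipaddress.ip_network("10.9.1.0/24"),   # Duesseldorf
    "terminal": ipaddress.ip_network("10.9.2.0/24"),  # Atlanta
    "data": ipaddress.ip_network("10.9.3.0/24"),      # Boston
}
# The only permitted direction of travel: company -> gateway -> terminal -> data.
ALLOWED_HOPS = {("company", "gateway"), ("gateway", "terminal"), ("terminal", "data")}
MFA_HOPS = {("gateway", "terminal")}  # the hop where the post wants two-factor authentication

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def check_flow(src, dst, mfa):
    """Return None if the hop complies with the CDSN policy, else the reason it is denied."""
    hop = (zone_of(src), zone_of(dst))
    if hop[0] == hop[1]:
        return None  # traffic inside one zone is out of scope here
    if hop[1] == "company" and hop[0] in ("terminal", "data"):
        return "export path blocked: %s -> company" % hop[0]
    if hop not in ALLOWED_HOPS:
        return "hop not permitted: %s -> %s" % hop
    if hop in MFA_HOPS and not mfa:
        return "two-factor authentication required for %s -> %s" % hop
    return None

def audit(log_lines):
    """Parse 'src=... dst=... mfa=yes|no' records and return (line, reason) per violation."""
    violations = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        reason = check_flow(fields["src"], fields["dst"], fields["mfa"] == "yes")
        if reason:
            violations.append((line, reason))
    return violations

# Constructed flow records: one compliant walk through the CDSN, then four violations.
SAMPLE_LOG = [
    "src=10.1.4.20 dst=10.9.1.10 mfa=no",   # company -> gateway: allowed
    "src=10.9.1.10 dst=10.9.2.10 mfa=yes",  # gateway -> terminal with 2FA: allowed
    "src=10.9.2.10 dst=10.9.3.10 mfa=no",   # terminal -> data: allowed
    "src=10.1.4.20 dst=10.9.3.10 mfa=no",   # company straight to data: bypasses the gateway
    "src=10.9.3.10 dst=10.1.4.20 mfa=no",   # data back to company: export path blocked
    "src=10.9.1.10 dst=10.9.2.10 mfa=no",   # gateway -> terminal without 2FA
    "src=10.1.4.20 dst=10.9.2.10 mfa=no",   # company -> terminal: skips the gateway
]
```

Running `audit(SAMPLE_LOG)` returns the last four records with their reasons; the same check can sit in front of a firewall rule generator so the rule set and the policy cannot drift apart.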

Many thanks to the U.S. Department of Homeland Security for this really easy-to-adapt security concept.

Sometimes you have to export data from the CDSN into the company network. U.S. Customs is involved through export regulations, but this is another story…