This article on physorg.com was posted a little while ago and gives an excellent example of how important it is to stay paranoid (or develop a healthy sense of it). In short, a photograph of physical keys can be used to duplicate them. All that is required is a shot showing all of the details, which can be snapped at quite a distance with the right lens. While it definitely is more of a threat to residential-grade stuff than Medeco government/military-grade locks, it's a great example that threats are everywhere. It's important to always assume every part of your organization is vulnerable to some extent, and to plan for it. Doing so will ensure that you are considerably more prepared for the time when (not if) something fails.
You might have noticed our new web site and its central flash animation. At the conclusion of each round of frames, we declare the following:
Compliance is just the beginning!
Know your enemy. Know your weaknesses. Have a plan.
Behind these seemingly simple statements lies a lot of thought. Firstly, we talk about compliance. By definition, compliance means that you comply with standards. These standards are set up as a bare minimum operating level for any given industry so that all the players meet some standard set of rules and can work together based on them. With cars, it's state inspection. With food preparation, it's health inspection. With any structure, it's building code. In every one of these, the bare minimum is almost always just that, and the gross majority strive to be better. If your car only barely passes inspection, it's likely not very safe or efficient. If your food was cooked in a kitchen that got the lowest allowable score on a health inspection, there's a good chance that you'll be sick in the near future. If your house only meets building code minimums, it likely won't hold up very well in a wind storm.
So, given that compliance is just the bare minimum, and that the bare minimum is not something you should be aiming for, why is it that so much effort is spent in the financial industry on being compliant? Almost all of the security breaches in recent memory and likely in to the future have been and will be at organizations compliant with security requirements. Compliance is a minimum, and the minimum is never good enough when you're dealing with other people's money. Striving for compliance is like trying to come in last place.
Real security should be approached just like all other parts of the business. You need to have a metric, you need to measure it, and you need to manage it. In security, the metric is risk, and it is measured against cost and the risk mitigated. That's the theory anyways. In reality, it's so much more than just cost vs reward. Something we try and make clear to our customers is that there is a balanced security level for every organization, system, and situation. It is reached when security reaches a level where it complements all other parts of the business and is maintainable.
In the end, your goal should be security, not compliance. Compliance is a byproduct of good security practices and good corporate stewardship.
Many months ago, we started looking around for a platform on which to build our new Persistence™ service. We were looking for something that had scanning appliances which connect back over a secure tunnel (SSL/SSH, certificate-based) and have no listening ports. With this scheme, there would be no listening ports, and no obvious way to attack the boxes we deploy to client networks. These appliances would also need to have multiple interfaces (VLAN and physical), because the appliances aren't exactly cheap, and I think it's just dumb to have redundant hardware sucking electricity where it's not necessary.
So, as many in the IT and security fields know, it's bad practice to have any one device touching more than one network. The exceptions to this rule are usually security devices like firewalls and IDS sensors, all of which need to be specially hardened as any one vulnerability would go against the point of having multiple networks to separate groups of devices. In the process of evaluating devices from all the top vendors in the arena, I set up a test network on which to run each of the platforms. As part of this testing, I wanted to be sure that straddling a firewall and connecting to several network segments wouldn't be an issue. As it turns out, one of the boxes I tested had an issue. (As I'm under NDAs with pretty much every company I dealt with, I'm not going to comment on which product had the issue. I have been told that a patch is on its way and will hit in several weeks.)
The device in which I found an issue did meet all of my criteria. It had almost zero footprint on the network. It communicated only in encrypted tunnels, which were outbound from the appliance only. It had no listening ports. However, what I did find is that the device responded to ICMP pings (standard echo request/reply). I can see where this functionality would be useful for the end users, but from the standpoint of super-hardening, it should be disabled, or at least have an option to be disabled.
The specific flaw I found was that the OS's kernel didn't perform proper source checking on packets. For example, if interface 1 is on 10.1.1.0/24, and interface 2 is on 10.2.2.0/24, it should drop packets claiming to come from 10.2.2.2 which arrive on interface 1, and vice versa. Failing to do this, the device I was testing happily replies back out the other interface. Spoofing packets from both directions allows us to set up an ICMP tunnel, over which we can move just about anything. Unless the backbone is set up to detect excessive ICMP traffic (monitor port + IDS, or switch-based IDS), or if the traffic needs to pass over standard security devices (an upstream firewall/IDS/IPS/router), this would be pretty difficult to track down. Most organizations I've been in do not have the infrastructure to watch for this kind of tunneling when it is used specifically to bypass the firewall.
This attack isn't exactly l33t or hardcore, it's quite basic. It's unfortunate that some of the basics do get missed when most attention is paid to higher level attacks and other threats, but it does happen quite often. Fortunately, the vendor had an excellent response in terms of time and quality, and hopefully will give me many discounts in the future for doing some QA work for them ;-).
For everyone within an hour or so of the Lehigh Valley area, I'll be speaking at an upcoming seminar being held by Records Management & Archiving in Easton. Also speaking will be representatives from FireLock, ComTec, and Berkheimer. Overall, the seminar has a theme of Disaster Recovery and Prevention.
The following speakers will be speaking on the following topics:
- Frank Nacci, Nacci Printing - Personal experiences in disaster recovery
- Tom Tripodi, Berkheimer Outsourcing - Efficiency and security of document scanning
- Jason Thacker, White Badger Group, Inc. - IT security, Q&A
- Hugh Smith, FireLock and Megan Povenski, ComTec - Fire safety and proper media storage
- Bill Magerman, Records Management & Archiving - Disaster recovery, Security, Business Continuity
- Ed Rossner, Records Management & Archiving - Wrap-up and Q&A
The important information:
Date: Wednesday, June 11th, 2008
Time: Registration and refreshments at 2:15pm, program starts at 2:45pm sharp
Place: Records Management & Archiving main office
2711 Freemansburg Ave.
Easton, PA 18045
Refreshments: Light refreshments during registration and seminar, networking reception after presentations at 5pm.
If you would like to attend, please RSVP to info@recordsmanagementpa.com, or call 610-253-2753 and ask for Ed Rossner or Bill Magerman.
I just came across this article announcing Schlage and Z-Wave releasing a wireless door knob/lock. I'm honestly in shock. Given the history of very breakable security measures seen in supposedly secure wireless protocols (802.11a/b/g/n, WEP, WPA, LEAP, Bluetooth, etc), I don't see this as being any sort of good idea. As far as I know, there are no current security issues with Z-Wave's technology. Then again, I haven't heard of anyone actually taking a close look at it. I can virtually guarantee that once one of the many wireless security experts out there decides to break it, it will happen quickly.
While most of you might be thinking that I'm a nut for blasting this without first trying it myself, but there is a reason this is a bad idea. It comes down to forensics and liability. Suppose someone breaks in to a house protected by one of these units by exploiting the wireless controller. Aside from a bunch of missing stuff, there is no evidence that someone actually broke in. Even in the best cases (excluding some bumping), a picked lock will suffer irregular scratches inside the keyway. Brute force entry has obvious tell-tale signs. Wirelessly hacked locks would likely not be able to be discerned from ones that were simply left unlocked, or ones that had malfunctioned. When it comes to getting your insurance company to cover that, they'll likely laugh at you and refuse to reimburse you for losses.
In short, this sounds fun for keeping the kids out of the utility closet, or perhaps for some other hobby use, but don't use it to protect ANYTHING important.
We were recently featured in a short video for Wall Street West, which is an initiative here in Eastern PA to set up an emergency backup for the real Wall Street in NYC.
Anyway, the video doesn't exactly go in to any sort of detail... on anything... but it's still a reasonably good showing for White Badger Group. Here's the link to the page with all the videos for the different regions, and here's the video for Lehigh Valley, which is the one we're in. Enjoy.
Paranoia
Every good security professional has a healthy respect for the unknown, which usually is tagged as paranoia. An appropriate amount of paranoia in the right area leads to being quite effective in securing the network you're in charge of. The key is education. This doesn't mean that you need a degree in watching over your shoulder, but you should know what to be afraid of, and how to make sure you know if/when trouble is happening.
Listening to a recent Pauldotcom podcast, the point was made that most people don't really get serious about securing their code or systems until they've personally been attacked. The other side of this is that actually doing some of the attacking and seeing it work firsthand usually has the same effect. As such, it's important that all IT professionals get that experience some time in their careers.
I find it very interesting how human psychology impacts the information security industry. To me, it seems very straightforward. You have something of value, bad people want it, you need to protect yourself. There's nothing outlandish or new there, that concept has existed since the beginning of life. But somehow, despite our advanced intelligence and civilized society, we all seem to have a default naiveté when it comes to information and IT security. I suppose this effect also occurs elsewhere, such as when a person doesn't regularly wear a seat belt until he/she has been in a serious car accident.
Given the above, it's not difficult to understand why FUD-style (fear, uncertainty, doubt) marketing is necessary and does work. Placing someone in a scared mode is an incredibly effective method for switching them from actively opposing security to actively embracing it.
To be an effective information security professional, what you need is a balanced, aware, and fact-driven sense of paranoia. A proper balance is struck when your paranoia drives you have a constant need for security while not blinding you to the reality of your environment. As such, you need to be incredibly aware of the organization you are working within. While security is important, it needs to coexist with functionality, usability, and visibility, while also making the political, budgetary, and regulatory parts of the equation work. Because paranoia is a 100% emotional response, it's important to keep it properly in check. All decisions need to be passed through a filter of reasonability and facts, so that you don't spend all of your resources defending unevenly against the threat that scares you the most.
I think all good security professionals possess the right kind of paranoia that drives them to stay effective and not become stagnant or complacent. I personally think every IT professional would do well to acquire a bit of the paranoia. While this usually comes as a result of a negative experience, it can also be had by way of a class with hands-on hacking. However you get it, your effectiveness and career will benefit greatly, as will the security of everything you touch.
The server on which this blog is hosted, like the blog itself, is an experiment and exercise for me. I very foolishly made some changes to the server which totally hosed it, resulting in the down time over the last week or so. I've learned my lesson, and am better for it. I'm sure it's not the last time I'll screw up, but future mistakes will hopefully be less disruptive because of the measures I've put in place.
Compartmentalization
Anyone who knows me will be able to attest to the fact that I have at least a touch of the OCD. Most of those people will probably tell you it's more than just a touch. In any case, I like things to be neat and orderly. When looking at networks and security, this usually translates into splitting up an otherwise monolithic network into smaller, more manageable chunks.
If you look at the design of a submarine, the vessel is divided into many different compartments, usually grouping like functions into a single physical space. Between all of these sections there is a thick barrier with heavy doors which can be locked down at a moment's notice. Why is that? Well, if they spring a leak somewhere, the Navy prefers that the entire crew doesn't drown.
The same principal should be applied to most business networks. Splitting things up along the lines of security, functionality, and physical location can yield a much more secure and manageable network. If it's done right, it will be transparent to everyday business, but be a serious barrier to anyone attacking the network. It will also make monitoring of network traffic much easier, as all traffic traveling between segments will be traveling across a device which should be able to do some accounting and reporting.
In my personal experience, I've seen absolutely enormous (>6000 hosts) networks set up as a single, switched subnet. The more average case usually involves 100 or so devices total, and sometimes multiple locations. Whatever the size or configuration of the network (aside from the really small <10 devices networks, of course), there is usually some split that can be made to improve it. At the very least, I push customers to move administrative interfaces of all devices that have them to a different network. Every network I've ever run in to has at least one device with a web or telnet administrative interface on its internal network. Most IT managers never think that the secretary or the accounting guy will ever want to or be able to do anything with those interfaces. The issue is, that if an attacker manages to get inside, those administrative interfaces are up for grabs along with everything else. Furthermore, if someone on the inside stumbles across one which isn't properly secured, malice isn't required to cause some serious down time.
When performing a vulnerability assessment on your organization and network, it is very typical to consider only the inbound attacks (even those coming from the inside). However, it is critical to consider what would happen should an attack be successful. What if every other layer of defense failed to block or even notify you of an attack. What keeps an attacker from moving around within your network and further compromising your organization once on the inside? Well, a properly segmented network can help there. If traffic between segments of your network are limited only to what is needed, it is considerably less likely that an attacker will be able to attack or move any data between segments. Furthermore, if all segments connect only through a firewall with an IDS/IPS, there is a much higher chance of catching the attacker traversing segments.
The down side of segmentation is that it requires a fair amount of work up front, and it forces you to know everything about your network. The latter isn't really a down side as I see it. But it does mean extra work, and extra work is generally considered a bad thing in the IT world. As network devices go, midrange UTM-type firewalls with 8 interfaces or more aren't very expensive ($3000-4000) when compared to other network devices, but they will provide you with more visibility and security than pretty much anything else.
In pretty much every assessment I've done, and a good deal in day-to-day life, I see a disparity between physical security and information security. While I could ramble endlessly about monolithic networks and their evils (especially the irony in locking servers in a secure room, while leaving access to the same network open in a totally unsecured room), I'm going to talk today about cameras.
Closed Circuit TV (CCTV) systems installed in most banks and other facilities are there to catch thieves with guns and ski masks. They can and do serve other purposes, like accounting for everyone entering/exiting a building, and watching accident-prone areas, but for the most part, they're only there to try and get a shot of a robber's face good enough to put on the evening news.
In this day and age, while there is still a significant amount of robbery at gunpoint, there are much more costly thefts and intrusions that need to be watched for by CCTV systems. I can't tell you how many times I've been in some financial institution (as a customer, not doing work for them) and been left alone in a room with a network-connected PC with full access to the rear of the machine. Furthermore, because of the camera coverage in the building being geared heavily towards the lobby, I was unwatched.
Given this level of access, one could easily use a pocketable USB device (a USB hacksaw, for example) that would steal credentials and leave an agent capable of stealing even more data, all without the victim organization knowing.
According to this article about bank robbery, the average bank robbery costs about $25,000 when it is all said and done (including turnover, lost time, etc.). The average ID theft usually ends up costing between $90 and $305 per record, according to this page. This can vary wildly based on how high- or low-profile the incident is. If we were wanting to make it an average, let's say that 5,000 records were lost (that's a very conservative size for a small bank or credit union). That would be between $450,000 and $1,525,000 in total cost for that breach. A bit of a difference, huh? Now, imagine the public backlash at an organization that just "let" someone walk in and take data, versus the relative empathy the organization would receive because of losses due to gun-wielding robber.
So, given the absolutely enormous difference in the financial damage able to be done between the two attacks, why do financial organizations not seem to take the more costly attack seriously? Well, the big reason is lack of knowledge. Despite cybercrime and hacking being buzzwords in today's society, most of the defensive effort goes into antivirus and perimeter security. My experience in performing security assessments for these organizations says that they rarely have a thorough and consistent approach to security. A secondary reason is inertia. It's the same reason that banks still have large vaults, despite their most valuable items being in the server room. It's just that financial institutions have a long history of needing physical security to stop intruders with guns, jackhammers, torches, and crowbars, but have relatively little history in dealing with thieves bent on stealing data. Displaying a large number of cameras in the front lobby can often deter an attacker before anything happens.
Given all of the above, what should your cameras be looking at? Well, here's a quick list:
- All major entrances to the building. You need to be able to account for everyone entering and exiting your facility in order to narrow a suspect list given a breach.
- Everywhere that customers normally go. This is not limited to the lobby. There should be camera coverage of all side offices, conference rooms, and other places customers are taken regularly. Furthermore, once these places are defined, customers should be kept out of all other areas.
- Areas surrounding the building. For attacks that happen wirelessly (and shame on any financial institution employing wireless to begin with), attackers are likely to sit in parking lots or on the sides of streets to do so.
- Last, but not least, areas with servers and infrastructure devices should be covered. These devices are the core of everything you do, and having physical access grants you a ton of opportunity to steal data.
Additionally, physical considerations need to be made for all computers and network jacks in the areas where customers are allowed. Computers need to be hidden or turned away from places where customers sit, preventing them from accessing the ports where USB devices or keyloggers could be installed. Network jacks should be completely disabled (unplugged from the switch, not just disabled in configuration), or placed on a separate switch for a guest network.
Of course, many of the attacks mentioned above (except the ones with guns, naturally) can be mitigated using good policy and configuration. For example, the USB hacksaw attack is ineffective if autoplay is disabled. It is also considerably less effective if the account currently logged in is running under limited permissions. USB-based attacks are even less effective if the ports are disabled altogether. Other, more common-sense solutions for these problems include simply not allowing customers to be alone in offices. In my experience, the person who was assisting me kept having to leave in order to go to the copier/printer which was located down the hall.
