Compliance is Just the Beginning

Posted on July 31, 2008 by White Badger

You might have noticed our new web site and its central flash animation. At the conclusion of each round of frames, we declare the following:

Compliance is just the beginning!

Know your enemy. Know your weaknesses. Have a plan.

Behind these seemingly simple statements lies a lot of thought. Firstly, we talk about compliance. By definition, compliance means that you comply with standards. These standards are set up as a bare minimum operating level for any given industry so that all the players meet some standard set of rules and can work together based on them. With cars, it’s state inspection. With food preparation, it’s health inspection. With any structure, it’s building code. In every one of these, the bare minimum is almost always just that, and the gross majority strive to be better. If your car only barely passes inspection, it’s likely not very safe or efficient. If your food was cooked in a kitchen that got the lowest allowable score on a health inspection, there’s a good chance that you’ll be sick in the near future. If your house only meets building code minimums, it likely won’t hold up very well in a wind storm.

So, given that compliance is just the bare minimum, and that the bare minimum is not something you should be aiming for, why is it that so much effort is spent in the financial industry on being compliant? Almost all of the security breaches in recent memory and likely in to the future have been and will be at organizations compliant with security requirements. Compliance is a minimum, and the minimum is never good enough when you’re dealing with other people’s money. Striving for compliance is like trying to come in last place.

Real security should be approached just like all other parts of the business. You need to have a metric, you need to measure it, and you need to manage it. In security, the metric is risk, and it is measured against cost and the risk mitigated. That’s the theory anyways. In reality, it’s so much more than just cost vs reward. Something we try and make clear to our customers is that there is a balanced security level for every organization, system, and situation. It is reached when security reaches a level where it complements all other parts of the business and is maintainable.

In the end, your goal should be security, not compliance. Compliance is a byproduct of good security practices and good corporate stewardship.

Posted in Security Articles | Tagged | Leave a comment

Beware the Mighty ICMP

Posted on July 1, 2008 by White Badger

Many months ago, we started looking around for a platform on which to build our new Persistenceā„¢ service. We were looking for something that had scanning appliances which connect back over a secure tunnel (SSL/SSH, certificate-based) and have no listening ports. With this scheme, there would be no listening ports, and no obvious way to attack the boxes we deploy to client networks. These appliances would also need to have multiple interfaces (VLAN and physical), because the appliances aren’t exactly cheap, and I think it’s just dumb to have redundant hardware sucking electricity where it’s not necessary.

So, as many in the IT and security fields know, it’s bad practice to have any one device touching more than one network. The exceptions to this rule are usually security devices like firewalls and IDS sensors, all of which need to be specially hardened as any one vulnerability would go against the point of having multiple networks to separate groups of devices. In the process of evaluating devices from all the top vendors in the arena, I set up a test network on which to run each of the platforms. As part of this testing, I wanted to be sure that straddling a firewall and connecting to several network segments wouldn’t be an issue. As it turns out, one of the boxes I tested had an issue. (As I’m under NDAs with pretty much every company I dealt with, I’m not going to comment on which product had the issue. I have been told that a patch is on its way and will hit in several weeks.)

The device in which I found an issue did meet all of my criteria. It had almost zero footprint on the network. It communicated only in encrypted tunnels, which were outbound from the appliance only. It had no listening ports. However, what I did find is that the device responded to ICMP pings (standard echo request/reply). I can see where this functionality would be useful for the end users, but from the standpoint of super-hardening, it should be disabled, or at least have an option to be disabled.

The specific flaw I found was that the OS’s kernel didn’t perform proper source checking on packets. For example, if interface 1 is on 10.1.1.0/24, and interface 2 is on 10.2.2.0/24, it should drop packets claiming to come from 10.2.2.2 which arrive on interface 1, and vice versa. Failing to do this, the device I was testing happily replies back out the other interface. Spoofing packets from both directions allows us to set up an ICMP tunnel, over which we can move just about anything. Unless the backbone is set up to detect excessive ICMP traffic (monitor port + IDS, or switch-based IDS), or if the traffic needs to pass over standard security devices (an upstream firewall/IDS/IPS/router), this would be pretty difficult to track down. Most organizations I’ve been in do not have the infrastructure to watch for this kind of tunneling when it is used specifically to bypass the firewall.

This attack isn’t exactly l33t or hardcore, it’s quite basic. It’s unfortunate that some of the basics do get missed when most attention is paid to higher level attacks and other threats, but it does happen quite often. Fortunately, the vendor had an excellent response in terms of time and quality, and hopefully will give me many discounts in the future for doing some QA work for them ;-).

Posted in Security Articles | Tagged , | Leave a comment

Upcoming Seminar

Posted on June 3, 2008 by White Badger

For everyone within an hour or so of the Lehigh Valley area, I’ll be speaking at an upcoming seminar being held by Records Management & Archiving in Easton. Also speaking will be representatives from FireLock, ComTec, and Berkheimer. Overall, the seminar has a theme of Disaster Recovery and Prevention.

The following speakers will be speaking on the following topics:
Frank Nacci, Nacci Printing – Personal experiences in disaster recovery
Tom Tripodi, Berkheimer Outsourcing – Efficiency and security of document scanning
Jason Thacker, White Badger Group, Inc. – IT security, Q&A
Hugh Smith, FireLock and Megan Povenski, ComTec – Fire safety and proper media storage
Bill Magerman, Records Management & Archiving – Disaster recovery, Security, Business Continuity
Ed Rossner, Records Management & Archiving – Wrap-up and Q&A

The important information:
Date: Wednesday, June 11th, 2008
Time: Registration and refreshments at 2:15pm, program starts at 2:45pm sharp
Place: Records Management & Archiving main office
2711 Freemansburg Ave.
Easton, PA 18045
Refreshments: Light refreshments during registration and seminar, networking reception after presentations at 5pm.

If you would like to attend, please RSVP to info@recordsmanagementpa.com, or call 610-253-2753 and ask for Ed Rossner or Bill Magerman.

Posted in Corporate Announcements | Tagged , | 2 Comments

Wireless Web-Enabled Door Locks?!

Posted on May 19, 2008 by White Badger

I just came across this article announcing Schlage and Z-Wave releasing a wireless door knob/lock. I’m honestly in shock. Given the history of very breakable security measures seen in supposedly secure wireless protocols (802.11a/b/g/n, WEP, WPA, LEAP, Bluetooth, etc), I don’t see this as being any sort of good idea. As far as I know, there are no current security issues with Z-Wave’s technology. Then again, I haven’t heard of anyone actually taking a close look at it. I can virtually guarantee that once one of the many wireless security experts out there decides to break it, it will happen quickly.

While most of you might be thinking that I’m a nut for blasting this without first trying it myself, but there is a reason this is a bad idea. It comes down to forensics and liability. Suppose someone breaks in to a house protected by one of these units by exploiting the wireless controller. Aside from a bunch of missing stuff, there is no evidence that someone actually broke in. Even in the best cases (excluding some bumping), a picked lock will suffer irregular scratches inside the keyway. Brute force entry has obvious tell-tale signs. Wirelessly hacked locks would likely not be able to be discerned from ones that were simply left unlocked, or ones that had malfunctioned. When it comes to getting your insurance company to cover that, they’ll likely laugh at you and refuse to reimburse you for losses.

In short, this sounds fun for keeping the kids out of the utility closet, or perhaps for some other hobby use, but don’t use it to protect ANYTHING important.

Posted in Commentary | Leave a comment

White Badger Featured in Wall Street West Video

Posted on May 8, 2008 by White Badger

We were recently featured in a short video for Wall Street West, which is an initiative here in Eastern PA to set up an emergency backup for the real Wall Street in NYC.

Anyway, the video doesn’t exactly go in to any sort of detail… on anything… but it’s still a reasonably good showing for White Badger. Here’s the link to the page with all the videos for the different regions, and here’s the video for Lehigh Valley, which is the one we’re in. Enjoy.

Posted in Commentary, Corporate Announcements | Tagged , | Leave a comment