Data Protection for Virtualized Servers

I am recording a webcast live next Wednesday. It's free and only requires a short pre-registration.

Data Protection for Virtualized Servers

How many manhole covers are in San Jose, CA?

From the Mercury News:

John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down eight to 10 feet and cut four or five fiber-optic cables. Britton also said there was a report of underground cables being cut in San Carlos.
AT&T's contract with the Communication Workers of America expired at 11:59 p.m. Saturday, but Britton said "we have a really good relationship with the union" and that negotiations continue between the two sides.

It's my understanding that a single cut in one location would not cause the outage we recently experienced. There would need to be two or more cuts at strategic locations to cause an outage to cell phone, land line, and emergency services.

Knowing which manhole covers to open would require very specific knowledge of the Bay Area fiber infrastructure.

Securing the Dynamic Data Center

I am recording a webcast live today. It's free and only requires a short pre-registration.

Securing the Dynamic Data Center

Conficker and April 1

Well, here’s the Wikipedia entries that got me thinking:

As a countermeasure, ICANN and several TLD registrars began in February 2009 a coordinated barring of transfers and registrations for these domains”

Variant C contains code to sidestep these countermeasures by generating an expanded daily list of 50000 domains across 110 TLDs. This new pull mechanism, however, is disabled until April 1

I’ve also been following the work at SRI regarding this threat.

Even 1 million Variant C infections results in potentially 50 billion whois queries.

I think Wednesday is going to be a slow day on the Internet.

Heartland Breach

Summary:

• Level 1 credit card processor fails to prevent data loss effecting hundreds of millions of transactions.
• Attacker installed tools on Heartland server, inside the PCI trust path network
• Tools “sniffed” transactions and sent data to system(s) outside North America

“Heartland has said intruders broke into its systems sometime last year and planted malware that they used to steal the card data. The number of compromised cards still isn't known. But Heartland processes more than 100 million transactions per month.”
- Banks, customers feel the fallout of the Heartland breach. 2/2/2009. Jalkumar Vijayan, Computer World, Security.

Breach analysis:
Root cause includes but is not limited to the following:

• Failure of host based intrusion prevention system (HIPS)
• Failure of network based intrusion prevention systems (IDP)
• Failure of configuration management, to detect changes to host and network configuration
• Failure of separation of duties and detection of abuse or escalation of privilege
• Failure to segment the processor network and enforce a zone of trust

In summary, Heartland failed to properly implement and enforce defense-in-depth, network segmentation and separation of duties. Remember, Heartland is a level 1 PCI processor and was required by regulation to get this right. This means Heartland's auditors failed.

Solution:
Catbird directly addresses all of the above, except for HIPS. HIPS requires an agent on every end-point, this is not a component of our architecture, which is agent-less by design. Our customers are able to implement and enforce defense-in-depth using Catbird TrustZones™ security policies, virtual infrastructure configuration management and virtual machine tracking technologies. These technologies include but are not limited to:

• Policy and detection templates for IDP, to monitor and control network flows between zones and intra-machine flows inside a trust zone
• Policy based configuration monitoring and enforcement using session blocking and quarantine, including quarantine of virtual machines
• Monitoring of virtual administrator activities and enforcement of dual controls for virtual machine connection to network zones
• Catbird TrustZones monitor and enforce network segmentation within and between machines on any network, VLAN or port group
  

In summary, proper deployment of Catbird TrustZones technology would have detected and prevented a data breach like the one that occurred at Heartland.

Guardians? What Guardians?

Yesterday, the New York Times covered the recent arrest of Bernard L. Madoff.

Madoff, a prominent Wall Street Hedge fund manager, has admitted to running a $50 Billion Ponzi scheme.

While law enforcement has been quick to react, the revelation came when Mr. Madoff confessed to an associate. While rival Hedge fund managers had been suspicious that Madoff's results were too good to be true, THE REGULATORS HAD NO CLUE.

Years ago, there were many warnings on and off the Hill. Regulators, economists and many others sounded the alarm that allowing an entire financial industry to exist without regulations was a bad idea. However, the standard responses were: regulations are bad, the market will police itself, we can trust our Hedge fund managers. Well, look at what has happened. AIG failed to accurately assess and hedge their risks. Dozens of financial institutions have gone under and hundreds more are at risk. Hedge fund managers have admitted to running a crooked game.

The lesson is clear, systems and the people who work within them are not self-policing. Shocker. I am sure Machiavelli and Juvenalis are laughing at the continuing naivete of the human race.

Now, right now, we have a very similar pattern emerging in information technology. Institutions around the world are virtualizing like crazy. IT is deploying the vast majority of these virtual infrastructures without any of the protections I recommend here. PCI, HIPAA, SOX, you name it, these IT Groups are putting sensitive data about you and me, valuable data worth billions of dollars is at risk.

Where are the Guardians?

The Guardians are out to lunch, they missed the memo, they drank the Kool-aid from the platform vendors.

People like myself, Chris Hoff, Greg Ness, Ian Pratt, Brandon Baker and many others are sounding the alarm.

It's time for the Guardians to get to work. It's time for the IT security team to get off their butts and start addressing this issue.

Michael

Registrar's are still a weak link

Very nice article on the hack against Check Free here.

Current theories center on the likelihood that a Check Free employee got suckered by a phishing or straight-up social engineering attack.

I'm going to hazard a guess that this was a spear-phish or more targeted form of attack. A quick search of Linkedin, Facebook and other social networking applications finds a treasure trove of CheckFree/Fiserv employees.

It's a small step to go from these links to a targeted attack against Fiserv IT staff.

However, as the article notes Fiserv was not the only target in this attack and Financial Institutions (FI) are dangerously reliant on a single registrar.

My recommendations:

1. FI's and others must monitor and protect themselves from domain hijack -- I recommend Pharming Shield.
2. Get social networking applications out of the data center, IT personnel must not use corporate resources (including email) to access these sites
3. The Financial Industry is at risk from a single-point of failure at Network Solutions. This must be addressed through community efforts and directly by the platform providers.

Happy Holidays!