Tuesday, March 31, 2009
Securing the Dynamic Data Center
Monday, March 30, 2009
Conficker and April 1
“As a countermeasure, ICANN and several TLD registrars began in February 2009 a coordinated barring of transfers and registrations for these domains”
Variant C contains code to sidestep these countermeasures by generating an expanded daily list of 50000 domains across 110 TLDs. This new pull mechanism, however, is disabled until April 1
I’ve also been following the work at SRI regarding this threat.
Even 1 million Variant C infections result in potentially 50 billion whois queries.
I think Wednesday is going to be a slow day on the Internet.
Tuesday, February 3, 2009
Heartland Breach
- Level 1 credit card processor fails to prevent data loss affecting hundreds of millions of transactions.
- Attacker installed tools on Heartland server, inside the PCI trust path network
- Tools “sniffed” transactions and sent data to system(s) outside North America
“Heartland has said intruders broke into its systems sometime last year and planted malware that they used to steal the card data. The number of compromised cards still isn't known. But Heartland processes more than 100 million transactions per month.”
- Banks, customers feel the fallout of the Heartland breach. Jaikumar Vijayan, Computerworld, Security, 2/2/2009.
Breach analysis:
Root cause includes but is not limited to the following:
- Failure of host-based intrusion prevention system (HIPS)
- Failure of network-based intrusion prevention systems (IDP)
- Failure of configuration management, to detect changes to host and network configuration
- Failure of separation of duties and detection of abuse or escalation of privilege
- Failure to segment the processor network and enforce a zone of trust
In summary, Heartland failed to properly implement and enforce defense-in-depth, network segmentation and separation of duties. Remember, Heartland is a level 1 PCI processor and was required by regulation to get this right. This means Heartland's auditors failed.
Solution:
Catbird directly addresses all of the above, except for HIPS. HIPS requires an agent on every end-point; agents are not a component of our architecture, which is agent-less by design. Our customers are able to implement and enforce defense-in-depth using Catbird TrustZones™ security policies, virtual infrastructure configuration management and virtual machine tracking technologies. These technologies include but are not limited to:
- Policy and detection templates for IDP, to monitor and control network flows between zones and intra-machine flows inside a trust zone
- Policy based configuration monitoring and enforcement using session blocking and quarantine, including quarantine of virtual machines
- Monitoring of virtual administrator activities and enforcement of dual controls for virtual machine connection to network zones
- Catbird TrustZones monitor and enforce network segmentation within and between machines on any network, VLAN or port group
In summary, proper deployment of Catbird TrustZones technology would have detected and prevented a data breach like the one that occurred at Heartland.
Friday, December 12, 2008
Guardians? What Guardians?
Madoff, a prominent Wall Street Hedge fund manager, has admitted to running a $50 Billion Ponzi scheme.
While law enforcement has been quick to react, the revelation came when Mr. Madoff confessed to an associate. While rival Hedge fund managers had been suspicious that Madoff's results were too good to be true, THE REGULATORS HAD NO CLUE.
Years ago, there were many warnings on and off the Hill. Regulators, economists and many others sounded the alarm that allowing an entire financial industry to exist without regulations was a bad idea. However, the standard responses were: regulations are bad, the market will police itself, we can trust our Hedge fund managers. Well, look at what has happened. AIG failed to accurately assess and hedge their risks. Dozens of financial institutions have gone under and hundreds more are at risk. Hedge fund managers have admitted to running a crooked game.
The lesson is clear: systems and the people who work within them are not self-policing. Shocker. I am sure Machiavelli and Juvenalis are laughing at the continuing naivete of the human race.
Now, right now, we have a very similar pattern emerging in information technology. Institutions around the world are virtualizing like crazy. IT is deploying the vast majority of these virtual infrastructures without any of the protections I recommend here. PCI, HIPAA, SOX, you name it: these IT groups are putting sensitive data about you and me, data worth billions of dollars, at risk.
Where are the Guardians?
The Guardians are out to lunch, they missed the memo, they drank the Kool-aid from the platform vendors.
People like myself, Chris Hoff, Greg Ness, Ian Pratt, Brandon Baker and many others are sounding the alarm.
It's time for the Guardians to get to work. It's time for the IT security team to get off their butts and start addressing this issue.
Michael
Tuesday, December 9, 2008
Registrars are still a weak link
Current theories center on the likelihood that a Check Free employee got suckered by a phishing or straight-up social engineering attack.
I'm going to hazard a guess that this was a spear-phish or more targeted form of attack. A quick search of LinkedIn, Facebook and other social networking applications finds a treasure trove of CheckFree/Fiserv employees.
It's a small step to go from these links to a targeted attack against Fiserv IT staff.
However, as the article notes Fiserv was not the only target in this attack and Financial Institutions (FI) are dangerously reliant on a single registrar.
My recommendations:
- FIs and others must monitor and protect themselves from domain hijacking -- I recommend Pharming Shield.
- Get social networking applications out of the data center, IT personnel must not use corporate resources (including email) to access these sites
- The Financial Industry is at risk from a single point of failure at Network Solutions. This must be addressed through community efforts and directly by the platform providers.
Wednesday, November 12, 2008
Virtual Security and Compliance Webcast
Monday, November 10, 2008
Risk mitigation for virtual infrastructures
Virtualization in the Data Center introduces the following:

| | EFFECT | RISK |
|---|---|---|
| 1. | Flattens infrastructure and networks | Unauthorized network access or communication |
| 2. | Adds new operating system and infrastructure layers | Denial of service and data security breach due to software defects |
| 3. | Collapses roles and increases privilege of administrators | Escalation of privilege, abuse of privilege |
| 4. | Increases transience, mobility and frequency of change within the data center | Misconfiguration, server sprawl and data security breach |
- Virtual machine (VM) hosts, clusters and data centers reduce the logical and physical segmentation of systems and networks. This flattening exacerbates the risk of unauthorized access due to reduced visibility of events on the virtualized network.
- The hypervisor is a new operating system; together with the hypervisor and virtual infrastructure management tools, it increases the defect, vulnerability and attack surface of the data center.
- Like the introduction of DBAs for SQL databases and Domain Administrators for Windows systems, Virtual Administrators have privileges that allow them to bypass existing controls and effectively access underlying systems and data at the hardware layer.
- Servers are now files. Virtual machine mobility, snapshots, roll-backs and other features of virtualization have magnified the rate of change within the data center. This increase in operational velocity leads to increased risk of configuration error, capacity failures and of a security breach due to incorrect configuration or a lapse of controls.
Mitigation: implement increased monitoring and access controls for each virtualized access layer and network. Monitoring must correlate virtual infrastructure management, network traffic, security events and validation of intra-VM access control policies.
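The segmentation control described here, and the zone monitoring listed in the Heartland post above (policy templates that control flows between zones and unexpected services inside a trust zone), reduce to one check: every observed flow is compared against an allow-list keyed by source zone, destination zone and destination port, and anything not on the list is reported. The following is an added example written for this page, not Catbird's TrustZones code. The zone CIDRs, the allow-list and the flow records are all constructed for illustration.

```python
"""Trust-zone flow policy check (added example, not Catbird product code).

Zones are CIDR groups; the policy is an allow-list of (src_zone, dst_zone,
dst_port) tuples. Any flow not matched by the allow-list is a violation, which
is how a segmentation control notices a processing host talking to an
untrusted address, or an unexpected service inside a zone.
"""
import ipaddress
from typing import NamedTuple

# Hypothetical zone layout for a card-processing environment.
ZONES = {
    "pci-processing": [ipaddress.ip_network("10.10.0.0/24")],
    "pci-db":         [ipaddress.ip_network("10.10.1.0/24")],
    "corp":           [ipaddress.ip_network("10.20.0.0/16")],
    "mgmt":           [ipaddress.ip_network("10.99.0.0/24")],
}

# Allowed (src_zone, dst_zone, dst_port). Everything else is denied.
# Hypothetical policy: the processing tier talks to its DB tier on 5432,
# management reaches servers over SSH, and nothing leaves the PCI zones.
ALLOW = {
    ("pci-processing", "pci-db", 5432),
    ("mgmt", "pci-processing", 22),
    ("mgmt", "pci-db", 22),
    ("corp", "pci-processing", 443),
}


class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def evaluate_flows(flows):
    """Return a list of (flow, reason) for every flow the policy does not allow."""
    violations = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if (s, d, f.dst_port) in ALLOW:
            continue
        if s.startswith("pci-") and d == "external":
            reason = "egress from PCI zone to untrusted address"
        elif s == d:
            reason = f"unexpected intra-zone service {f.dst_port}/{f.proto}"
        else:
            reason = f"cross-zone flow {s} -> {d} not in policy"
        violations.append((f, reason))
    return violations


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.10.1.10", 5432),    # allowed: processing -> db
    Flow("10.99.0.7", "10.10.0.5", 22),       # allowed: mgmt ssh
    Flow("10.10.0.5", "203.0.113.44", 443),   # egress from the PCI zone
    Flow("10.10.0.5", "10.10.0.9", 4444),     # odd service inside the zone
    Flow("10.20.3.3", "10.10.1.10", 5432),    # corp host reaching the DB tier directly
]

if __name__ == "__main__":
    for flow, reason in evaluate_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dst_port} ({reason})")
```

The deny-by-default shape matters more than the specific tuples: a new VM that lands in a PCI port group and starts talking to an address outside every defined zone is reported without anyone having written a rule for it, which is the visibility the flattened virtual network otherwise takes away.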
Mitigation: incorporate all new software and management layers into your vulnerability management system (VMS). The VMS must be mandatory and integrated with automated discovery and validation of virtualized infrastructures.
Mitigation: implement compensating controls to log and audit all Virtual Administrator activities. Introduce dual controls and separation of duties for critical functions. You must deploy tools to perform continuous validation of these secondary controls to detect and prevent abuse of privilege. This will also reduce the risk from virtual machine breakout and hyperjacking.
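Continuous validation of dual controls is a log-audit job: each critical virtual-administrator action must carry a second approver, the approver must be a different identity, and both must hold the administrator role. The following is an added example written for this page, not Catbird's code; the audit-record format, the set of critical actions, the role membership and the log lines are all constructed.

```python
"""Separation-of-duties check over virtual-administrator audit records
(added example, not Catbird product code). Critical actions, such as
connecting a VM to a network zone, must carry a second approver who is a
different, authorized person; anything else is a finding for the
continuous-validation job to report."""
import re

# Hypothetical lists: which actions need dual control, and who holds the role.
CRITICAL_ACTIONS = {"vm.connect_network", "vm.snapshot_restore", "vm.clone"}
AUTHORIZED_ADMINS = {"vadmin1", "vadmin2", "vadmin3"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse 'timestamp key=value key=value ...' (constructed format) into a dict."""
    ts, _, rest = line.strip().partition(" ")
    rec = {"ts": ts}
    for k, v in KV.findall(rest):
        rec[k] = v.strip('"')
    return rec


def check_record(rec):
    """Return a list of SoD findings for one record (empty list if clean)."""
    findings = []
    user = rec.get("user")
    if user not in AUTHORIZED_ADMINS:
        findings.append(f"actor {user!r} is not an authorized virtual administrator")
    if rec.get("action") not in CRITICAL_ACTIONS:
        return findings
    approver = rec.get("approver")
    if approver is None:
        findings.append("critical action performed without a second approver")
    elif approver == user:
        findings.append("self-approval: actor and approver are the same identity")
    elif approver not in AUTHORIZED_ADMINS:
        findings.append(f"approver {approver!r} is not an authorized virtual administrator")
    return findings


def audit(lines):
    """Run the checks over log lines; returns [(line_no, record, finding), ...]."""
    out = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        for f in check_record(rec):
            out.append((n, rec, f))
    return out


# Constructed sample audit trail, not output of any real product.
SAMPLE_LOG = """\
2008-11-10T14:02:11Z user=vadmin1 action=vm.connect_network vm=payproc-03 portgroup=pci-prod approver=vadmin2
2008-11-10T14:05:40Z user=vadmin1 action=vm.connect_network vm=payproc-04 portgroup=pci-prod approver=vadmin1
2008-11-10T14:09:02Z user=vadmin2 action=vm.connect_network vm=payproc-05 portgroup=pci-prod
2008-11-10T14:11:58Z user=vadmin3 action=vm.poweron vm=payproc-05
2008-11-10T14:15:23Z user=svc_backup action=vm.snapshot_restore vm=paydb-01 approver=vadmin2
""".splitlines()

if __name__ == "__main__":
    for n, rec, finding in audit(SAMPLE_LOG):
        print(f"line {n}: {rec['user']} {rec['action']} {rec.get('vm', '')}: {finding}")
```

Only the first record is clean. The second is self-approved, the third has no approver at all, and the fifth was run from a service account that does not hold the administrator role, which is the kind of privilege escalation the compensating control exists to catch.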
Mitigation: extend configuration and life-cycle management processes to track virtual machines. These processes must be effective regardless of the mobility and non-linear attributes of virtual machines. Configuration management tools must enforce mandatory controls and support correlation of virtual and physical infrastructure configuration attributes – extending from virtual machine internals to external network access layers. Monitor and audit direct access to virtual machines files at the operating system and storage access layers.
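Tracking virtual machines as files means keeping a baseline of each VM's placement (host, port group) and the hash of its on-disk descriptor, comparing a later inventory against it, and applying a mandatory control to the result (here: a VM tagged for the PCI zone may only sit on PCI port groups, otherwise it is quarantined). The following is an added example written for this page, not Catbird's code. The inventory fields, the zone-to-port-group rule and the two snapshots are constructed; the descriptor hashes are placeholders.

```python
"""Configuration baseline and drift detection for a virtual machine inventory
(added example, not Catbird product code). A baseline snapshot records each
VM's host, port group, zone tag and descriptor-file hash; a later snapshot is
diffed against it, and a mandatory zone rule decides what gets quarantined."""
import hashlib
import json

# Hypothetical mandatory control: zone tag -> port groups it may use.
ZONE_PORTGROUPS = {"pci": {"pci-prod", "pci-db"}, "corp": {"corp-lan"}}


def fingerprint(attrs):
    """Stable hash of a VM's configuration attributes (what a tracker would store)."""
    return hashlib.sha256(json.dumps(attrs, sort_keys=True).encode()).hexdigest()


def snapshot(inventory):
    """inventory: list of dicts (name, host, portgroup, zone, vmx_sha256) -> {name: record}."""
    return {
        vm["name"]: dict(vm, fp=fingerprint({k: v for k, v in vm.items() if k != "name"}))
        for vm in inventory
    }


def diff_snapshots(baseline, current):
    """Return drift findings as (vm, kind, detail) tuples."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        b, c = baseline.get(name), current.get(name)
        if b is None:
            findings.append((name, "added", "VM not in baseline (possible sprawl or rogue VM)"))
            continue
        if c is None:
            findings.append((name, "removed", "VM missing from inventory"))
            continue
        if b["fp"] == c["fp"]:
            continue  # fingerprint unchanged, nothing to report
        for key in ("host", "portgroup", "vmx_sha256"):
            if b[key] != c[key]:
                findings.append((name, "changed", f"{key}: {b[key]} -> {c[key]}"))
    return findings


def enforce_zone_policy(current):
    """Mandatory control: quarantine any VM whose port group is outside its zone."""
    quarantine = []
    for name, vm in sorted(current.items()):
        if vm["portgroup"] not in ZONE_PORTGROUPS.get(vm["zone"], set()):
            quarantine.append((name, f"zone {vm['zone']} VM on port group {vm['portgroup']}"))
    return quarantine


# Constructed baseline and later inventory. The vmx_sha256 values are
# placeholders standing in for the hash of each VM's descriptor on the datastore.
BASELINE = snapshot([
    {"name": "payproc-03", "host": "esx-01", "portgroup": "pci-prod", "zone": "pci",  "vmx_sha256": "hash-01"},
    {"name": "paydb-01",   "host": "esx-02", "portgroup": "pci-db",   "zone": "pci",  "vmx_sha256": "hash-02"},
    {"name": "intranet-1", "host": "esx-03", "portgroup": "corp-lan", "zone": "corp", "vmx_sha256": "hash-03"},
])
CURRENT = snapshot([
    {"name": "payproc-03",  "host": "esx-01", "portgroup": "corp-lan", "zone": "pci",  "vmx_sha256": "hash-01"},  # moved off the PCI segment
    {"name": "paydb-01",    "host": "esx-02", "portgroup": "pci-db",   "zone": "pci",  "vmx_sha256": "hash-02-modified"},  # descriptor edited on the datastore
    {"name": "intranet-1",  "host": "esx-03", "portgroup": "corp-lan", "zone": "corp", "vmx_sha256": "hash-03"},
    {"name": "payproc-tmp", "host": "esx-01", "portgroup": "pci-prod", "zone": "pci",  "vmx_sha256": "hash-09"},  # not in baseline
])

if __name__ == "__main__":
    for vm, kind, detail in diff_snapshots(BASELINE, CURRENT):
        print(f"DRIFT {kind:8} {vm}: {detail}")
    for vm, reason in enforce_zone_policy(CURRENT):
        print(f"QUARANTINE {vm}: {reason}")
```

The descriptor-hash change on paydb-01 is the case the last sentence of the mitigation is about: the management layer reports nothing, because the file was touched directly at the storage layer, and only the baseline comparison sees it. The port-group move on payproc-03 is caught twice, once as drift and once by the zone rule, and the zone rule is what turns detection into enforcement.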