Enterprise Security Blog: March 2009

« February 2009 | Main | April 2009 »

March 2009

March 31, 2009

Internal Auditor on SOX Compliance

This is an exerpt from guidance provided by an internal auditor to C level managers in a company that recently acquired Intellitactics SAFE to improve efficiency of compliane and enforce policy controls.

Allows real time monitoring of compliance with the Company’s IT policies via automated setup of parameters such that violations can be addressed on a timely basis.

Of the nine fundamental controls presented in the white paper, we would directly benefit from seven.

Unauthorized privileged access rights – This will detect changes to application and database access rights and log those violations;

Data Theft and Leakage – This is an area that is an issue especially within the Leads application. It will allow real-time monitoring of this type of activity;

Unauthorized User Account Access – This is another area that occurs on a fairly routine basis; especially with sharing of user ID’s and passwords;

Violation of Password Policy – Again, sharing of passwords has been a routine issue as well as non supported password change notices. It will assist in notifying individuals that it is time to change passwords in those applications / databases that don’t support automated change password notifications;

Unsanctioned and Illegal Activities Using Corporate Resources – This logs website activity not only by accesses through our normal internet connections but also connections made using Company equipment via dial-up. An example is an occurrence of a night employee dialing out to the internet and surfing pornography sites. This activity would be immediately detected.
Inadequate Access Administration – This will permit the Security Department with monitoring capabilities for user recertification when an employee is moved from one job function to another. Additionally, this will aid security in ensuring that when an employee leaves the Company access to all databases and applications associated with the employee are removed on a timely basis.

There is significant benefit to aiding compliance with our 404 Controls in the areas of Security, Operations and Change Management.

Security – The Company has 19 key controls that are executed on a regular basis. Of these 19, Intellitactics will permit automating 11 of these controls (58%) and providing supporting data on a real-time basis.

Operations – Logging of system and application / database backups will provide real-time logging of each occurrence to support the key control for this area.

Change Management – Logs violations of Company policies regarding change management and logs activity of outside vendors (and internal employees) that are in the system either moving applications to production or patches for errors in particular areas of our applications / databases.

Audit Benefit – Will speed the audit team effort in securing data requests for executing tests on the general IT controls and 404 key controls. Reports will be available almost immediately without have to contact multiple individuals to secure.

See SAFE - a next generation log and event management appliance - in action and learn how SAFE simplifies compliance with SOX and other regulatory standards.

Posted by Pam Casale at 12:15 PM in compliance | Permalink | Comments (0) | TrackBack (0)

March 30, 2009

Security – it’s a jungle out there!

From the deak of Warren Axelrod: Is the best security like a chameleon or a snake? In Florida at the beginning of March, the BITS/FSTC Summit provided several good sessions, in particular a presentation by James Kittridge, the COO of Card and Payment Solutions, Wachovia Corporation.

One of the several metaphors that Jim used in his talk was that of the chameleon, known for his ability to recede into the background by camouflaging itself in an instant. By blending into its surroundings, the chameleon can surprise its next meal and hide from predators at the same time.

Ideally, Jim claims, information security should have the same characteristics as the chameleon. It should be unobtrusive to the customer, but ready to pounce on the bad guy trying to get in.

There is on drawback to “chameleon security”, and that is if it’s invisible it loses the valuable deterrence factor. Deterrence is about letting the potential attacker know that “you must not mess with me!” Like the rattle of the rattlesnake and the bright coloring of poisonous mushrooms and frogs, deterrence stops attacks from predators and warns innocent creatures to stay away so they aren’t innocently harmed.

When it comes to security, I can make an argument for the snake and the chameleon. Ideally, security is unobtrusive and just does its job day in and day out, protecting authentic customers and fending off the bad guys. But sometimes deterrence makes sense in order to discourage the potential evildoers, and to warn those without evil intent that if they succeed in what they are trying to do, either innocently or intentionally, bad things will happen to them.

Nature uses both camouflage and vibrant warnings. Each has its place and each is effective in its own way. So it is with security. Threats that are “in the zoo” can easily find themselves “in the wild.” It’s a security jungle out there.

Posted by Sunil Bhargava at 08:00 AM in enterprise security management | Permalink | Comments (2) | TrackBack (0)

Technorati Tags: FSTC, security, Wachovia

March 25, 2009

It B-SIMM-ply Marvelous!

Application security is important for so many reasons. Now we know that many applications that we’re using during a work day were built before cybercrime was such a “profession” or a “temptation”. Some of our customers are systematically looking at every application that could potentially expose their organization to unnecessary risk and “retrofitting” those applications. Our friend, Warren Axelrod, a long time crusader for safer applications told us about a report that shines a much needed light on secure application development and testing. Here’s a summary of the report and directions on how you can get a FREE copy.

From the desk of Warren Axelrod: On March 4, 2009, an eminent team of application security experts published the “Build Security In Maturity Model” report, which is available free at http://bsi-mm.com/ The authors, Gary McGraw, Sammy Migues and Brian Chess, are well known for their pioneering work and many publications in secure application development and testing. The report describes the results of a survey they conducted among nine companies with leading-edge application security practices and how they matched against a framework and maturity model that the authors had developed. There will be many lessons to be learned from this report, among them being the practices to which practically all of the leaders subscribed. These practices, in abbreviated form, are:

· Build support throughout the organization

· Meet regulatory needs or customer demand with a unified approach

· Promote culture of security throughout the organization

· See yourself in the problem

· Create proactive security guidance around security features

· Build internal capability on security architecture

· Use encapsulated attacker perspective

· Demonstrate that organization’s code needs help

· Provide a solid host/network foundation for software

· Understand the organization’s history

· Meet demand for security features

· Review high-risk applications opportunistically

· Use operations data to change development behavior

While we must not pretend that every organization can or even should achieve excellence in each of these key areas, it serves us well to know what others are doing with respect to application security, particularly when going for those budget dollars. Why not present your manager with a copy of the report and let him or her know that you are ready, willing and able to have your organization rank among the best in the business when it comes to secure software?

Posted by Sunil Bhargava at 03:51 PM | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: application security, build security in, secure application development, secure application testing

HIPAA - Are You at Risk?

Blumenthal got the job and it's time to get serious about HIPAA - if you aren't already monitoring information security controls.

The feds are coming. How do we know? In July 2008, the Department of Health and Human Services fined Providence Health System $100,000 for security lapses. Then CVS was hit for millions in February. And, as of January, 2009, the department had issued 47 corrective action plans. With the appointment of David Blumenthal as the National Coordinator for Health Information Technology, we don't expect this pace of enforcement to slack off. Are you at risk?

All eyes are on health care - what it costs, who is insured, what will be the future of health coverage? Conservative sources site the costs associated with information management to be partially responsible for the cost of healthcare. That makes it a tough time to be spending on security information management - but the costs associated with non-compliance and the risks to patients makes a good argument for process oriented investment in information security.

Electronic and digital management of patient health records is on the horizon. Smart providers are starting now to digitize patient information, store it safely, secure the networks that send data between providers and insurers. It's time to look at processes and technology required to manage day to day security operations to strengthen defense and comply with regulatory standards. Learn more about HIPAA information security and see Intellitactics SAFE - the right sized appliance that provides everyday compliance with HIPAA and PCI.

Posted by Sunil Bhargava at 06:00 AM in compliance | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: compliance, David Blumenthal, health information technology, HIPAA, Intellitactics

March 23, 2009

Visa's Heart to Heart[land]

Sunil Bhargava with Warren Axelrod: On January 27, 2009 we posted “Sophisticated Criminals Attacked Heartland” and the subject was the data breach involving Heartland Payment Systems.In that post we told how Heartland’s CFO claimed that the problem was due to the sophistication of the attackers. Since Heartland was supposedly compliant with PCI-DSS (Payment Cards Industry Data Security Standard) requirements, we questioned whether PCI standards are adequate. This was a topic we also addressed in the January 22 post, “Heart[land] Attack.”

Visa, which is one of the organizations that developed the PCI-DSS (along with MasterCard, American Express, Discover and others), is reported by Linda McGlasson with Bank InfoSecurity to have removed both Heartland and RBS WorldPay from the list of compliant service providers. Visa has told both companies to take immediate action to achieve an acceptable level of security. Additionally, Visa is reaffirming the need to comply with standards with other payment processors.

In a letter to banking institutions, Visa apparently said that Heartland must implement “more stringent security assessments, monitoring and reporting.” In our January 22 post, we recommended that the involved parties should “consider … implementing extensive monitoring, analysis and reporting.” Did we call it, or what?

It is easy to criticize the payments processors for not implementing strong security measures, and one could also fault Visa and the other PCI-DSS creators for producing inadequate standards and not enforcing those standards. However, to be fair to all parties, attacks are indeed becoming more sophisticated and insidious and it is increasingly difficult to erect adequate defenses. It is certainly a challenge to try to outwit and outmaneuver the fast-moving, well-funded and very competent attackers who are highly motivated to reap the rewards of identity theft and fraud.

We have to realize that standards, from whatever source, will always lag threats and be difficult to enforce. However, in their defense, standards issuers should still be taken seriously and the standards should be met. It is necessary, but not sufficient, to comply with standards. In order to have a strong security posture, one needs to exceed given standards.

To their credit, Visa has responded, albeit in a “closing the barn door after the horse has bolted” manner. In subsequent posts we will discuss the four points in the call-to-action that Visa included in a presentation developed for its road show, which are again worthy … but will they do the job?

Posted by Sunil Bhargava at 06:07 PM | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: data breach, Heartland, PCI Compliance, Visa

Cybercrime Victims

You might be surprised to know that the bad guys have a new target - small and medium size businesses that are taking risks with your simply aren't secure - despite guidance provided by the PCI Security Standards.

It's a little shocking to find out that there is a huge technology gap between the big money banks and small retailers who may be just getting into online transactions. Large enterprises are sitting behind years of security spending and compliance efforts, while small and mid-size businesses are more vulnerable. At the Visa Security Summit, which took place here in Washington, DC on Friday, March 19 Charles Matthews, president of the International Council for Small Business was on a panel when he said that small businesses are looking very enticing to computer criminals and hackers. He shocked the audience with some facts: 1/5 of small businesses don't use anti-virus (WHAT?!!), 2/3 don't have a security plan and 60% don't use encryption on wireless links (YIKES%$^&(**&!!)

Chris Gray, on the same panel and director of innovation at the Canadian Chamber of Commerce, reported that 85% of the fraud he sees occurs in small and medium-sized businesses. We see this as well; higher incidence of fraud in small and mid-size businesses compared to the number of high profile breaches.

Reading these stats, I asked myself - well what about PCI? Aren't companies engaging in payment card transactions, regardless of size, required to comply with PCI standrads? And I answered my own question. Even the bigger companies are negligent in some areas of PCI. Even companies that have passed a PCI audit have found themselves embarassed by a very public data breach. The controls suggested by PCI are in some cases difficult to implement. Putting that aside, too many companies are focused on the audit and not on making the standards are part of daily operations.

So what can these organizations do? There are alternatives to ever taking possession of critical data. One large Canadian retailer we know, spent several hundred thousand dollars rewriting some applications to ensure they never possessed the sensitive data. Instead they pass this information to a card processing bank and they manage the service level to ensure against identity theft and fraud. Their ROI determined that making application changes was a better investment than taking on the standards themselves. There are managed service providers who have the expertise to partner with small companies and there are vendors like Intellitactics offering solutions that are right-sized to every budget. Every company should have the same protection at a price they can afford.

Posted by Sunil Bhargava at 05:16 PM in compliance | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: compliance, Council for Small Business, cybercrime, PCI, security threats, SIEM, Visa

March 18, 2009

Monocultures Like Google - Good or Bad for Security

From the desk of Warren Axelrod

Back in the day it was controversial to state that a system monoculture is not a good thing. A report, “CyberInsecurity: The Cost of Monopoly” , by Bruce Schneier, Dan Geer, and others claimed that a system monoculture was bad for security. At that time we were concerned that Microsoft software on so many PCs meant that virtually the whole PC population was vulnerable to the same viruses, worms, etc.

Now in an IEEE Security & Privacy article entitled “The Monoculture Risk Put into Context”, Cornell professors Fred Schneider and Ken Birman suggest that the popular thinking stating that software monocultures are ‘exceptionally vulnerable to malware outbreaks’ is an oversimplification and [is] misleading.

Larry Dignan in his blog post, “Google’s flub: Do we have a Web monoculture too?” , disagrees. He recounts how a recent event, attributed to human error, resulted in Google listing the entire Web as malware, effectively making Google unavailable to its customers. The post suggested that, even if we don’t believe that Google is a monoculture yet, it might well soon be one. His recommendation is that one should diversify services so as to reduce the risk.

So – what do I think? The issue of a Web monoculture is much broader than Google regardless of how dominant Google becomes. The issue demanding attention is sustaining the availability of the Internet. Even if you agree with the popular notion that the Internet is diverse and designed to be self-healing, a really effective Web-wide denial-of-service attack or breaks in undersea cables might seriously compromise the availability of internet service for large swaths of global users. We are becoming increasingly dependent on the Web for news, communications and commerce. As the dependencies increase, the option of reverting to other backup systems diminishes.

My bottom line: There are security and availability issues associated with dependence on monocultures. The appropriate response is for security teams to recognize the real dependencies rather than agonizing over monoculture subsystems. Let’s not be distracted by events that are threatening but not entirely capable of demolishing service. Let’s focus on potentially demolishing events, such as critical infrastructure failures, and work on them.

Posted by Sunil Bhargava at 06:00 AM in enterprise security management | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Google, internet availability, security, system monoculture

March 17, 2009

Are You Feeling Lucky on This St. Patrick's Day?

Whether or not you have the luck of Irish on your side - you can't count on luck to secure critical informaiton assets.

Regulatory standards, like PCI DSS, and internal policies dictate or suggest controls that are a bit more reliable than luck. At Intellitactics we recommend EVERYDAY COMPLIANCE to secure information and ensure you are audit ready any day of the week. Unlike those fickle leprechauns, this is the kind of luck you can count on!

From all of us at Intellitactics, we wish you safe travels on this St. Patrick's Day and may you find security and peace of mind at the end of your rainbow!

Posted by Sunil Bhargava at 06:00 AM in compliance | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: compliance, information security, PCI

March 16, 2009

ID Theft on the Rise - What A Surprise!

From the desk of Warren Axelrod: Mark Twain popularized the quote, “Lies, damn lies and statistics.” which was originally attributed to Benjamin Disraeli. This is what comes to mind after reading the Federal Trade Commission’s 100-page Consumer Sentinel Network Report for 2008. Available on February 26, 2009, the report focuses on ID theft, primarily because id theft accounted for 26 % of all the complaints received in 2008 by the FTC. The FTC categorizes ID theft as one of many subcategories of fraud; fraud represented 50% of all the cases. Unfortunately, the report all but ignores other subcategories.

What the numbers do illustrate is that from 2000 to 2008 the number of fraud cases has gone up by a factor of six, and the ID theft number has increased tenfold. But in the most recent years, the fraud number has increased more than the ID theft number. The overwhelming conclusion is that both numbers are increasing at a rapid pace and that’s not a good thing.

Here’s where the media coverage starts to distort the statistics: among the cases of id theft, the largest group experiencing ID theft is the 20-somethings and the conclusion, which may be incorrectly drawn, is that individuals in their 20s are less careful with their personal information. Another, possibly more reasonable conclusion is that 20-somethings have online bank accounts and engage more in e-commerce and may potentially be more vulnerable? This conclusion paints a different picture with the same statistics. The bottom line from where I sit: ID theft is a criminal activity and it’s growing – despite the efforts of IT security to date. There’s no arguing that ID theft is very much an IT security issue, because IDs are often stolen via phishing, pharming, direct attacks on databases, and various forms of data leakage. No matter how you interpret the 2008 report, security professionals have much more to do in order to reduce the reported increases in ID theft.

To read what Intellitactics recommends on Preventing Data Loss and ID Theft read 9 Ways to Prevent Data Loss

Posted by Sunil Bhargava at 03:15 PM in enterprise security management | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: data loss prevention, FTC Consumer Sentinel Report, ID theft, information security, Warren Axelrod

March 15, 2009

"Just Logs" is SO OVER!

SANS Annual Log Management Survey Results are in!!

And there are a few surprises. SANS will be unveiling the results of the survey at the Annual Log Management Summit taking place in Washington DC April 4-6, 2009. All Intellitactics guests get a 10% discount.

If you can't make the event there will be a webcast on April 7 featuring Sunil Bhargava, CTO for Intellitactics, and other security experts. There are a few surprises so be sure to register for webcast or come to Summit in Washington DC. Be the guest of Intellitactics for LUNCH and LEARN on Monday, the 5th and hear first hand from customers and security engineers how to prevent data loss. Schedule time for the panel discussion where SIEM users like ABN Amro (now Royal Bank of Scotland) shares the secrets of log and event management success. It's going to be a great event!

Remember to register for the webcast to get your free summary of the survey results and see what everyone will be talking about in April!

For more information on getting a 10% discount for the Summit, or free Lunch and Learn at the Summit or registering for the webcast on survey results contact Intellitactics.

Posted by Pam Casale at 07:03 PM in log management | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: information security, Log Management, SANS

Enterprise Security Blog