Category: Digital Forensics
Is your Security Policy up to date?
It seems that every day we see a story in the news about an organization that has been affected by a data breach, and it often turns out that the organization was not maintaining a secure infrastructure with which to protect its data. Even where it was, an organization can have the stoutest, most layered defense in place and still find that a well-targeted attack, such as a “spear phishing” attack, bypasses those controls quickly and easily. Since a task as simple as opening a malicious file attached to an email can compromise the data of an entire organization, this highlights the importance of an organization’s overall information security policy, and specifically of the administrative controls that are in place.
These spear phishing attacks will often target specific individuals within an organization with emails that appear to be legitimate. If these email messages look authentic enough, they will often entice the recipient to open a malicious attachment, disguised as a legitimate document or spreadsheet. Once this is done, the attacker may potentially gain access to the recipient’s computer or beyond.
In this day and age, ensuring that your employees are knowledgeable and up to date on relevant security policies and procedures is critical to reducing the risk of targeted attacks within your organization. This should begin with basic messaging to your employees that outlines your security policy, including acceptable use criteria and specifically what to watch for in a potentially malicious email (unexpected attachments, requests for credentials, sender addresses that almost match a known one). In addition, annual or semi-annual testing or certification will help to ensure that your employees are aware of your security policies and have confirmed this knowledge.
This may seem like an overly simple and meaningless task, but it’s one that is often overlooked. While technical controls, like your firewalls, routers and IDS/IPS devices, will hopefully block the majority of questionable messages and traffic patterns into your organization, knowledgeable and vigilant employees are often the last line of defense in protecting your organization’s information assets.
Data Breach Disclosure Laws Are Now Long Overdue
Ah, Europe – why do its citizens seem to have to wait forever for action to be taken on issues that seem obvious to everyone else? While they may take some solace from the overdue departure of Signore Silvio Berlusconi (although I’m sure they will miss his ‘unique’ brand of humour – what a card!) it seems they will have to wait longer than expected for the right to find out if their personal information has been compromised.
Earlier this month, the European Commission (EC) announced that it was delaying the release of a new version of its Data Protection Directive – originally scheduled for mid-November – until the end of January 2012. When released, the legislation will install a welcome ‘mandatory data breach disclosure’ ruling across both public and private sector organisations, requiring them to report any breaches to relevant regulatory bodies, such as the UK’s Information Commissioner’s Office (ICO), as well as inform affected individuals. The ruling is expected to have global implications, as the law is likely to also cover non-EU companies that store data on European citizens.
Laws enforcing mandatory data breach disclosure are now long overdue in Europe. Such legislation is already in place in the US, and our recent research shows that the majority of the UK public are dissatisfied with the minimal consequences UK organisations face when they jeopardise sensitive data. 83 percent of the 2,000 UK consumers we surveyed support compulsory data loss disclosure legislation and the delay means they’ll have to wait even longer before this governance is in place.
With an unprecedented number of high profile data breaches occurring in the past year, this will no doubt be a huge frustration to the UK public, who are more prepared than ever to take drastic action against organisations that lose data. Our survey found that 26 percent of respondents were adamant they would never have anything to do with organisations which had lost data as a result of cyber crime, a rise of nine percent when compared to similar LogRhythm research conducted in 2010.
Once mandatory data breach disclosure laws are enforced, organisations will find they need to develop a much deeper insight into the activity taking place across their networks. This is because they will be required to generate accurate notifications which will specifically identify who and what has been compromised. This has been a particular problem in the US, and many companies are forced into issuing blanket breach notifications, which may even overstate the severity of the incident, due to a lack of visibility into their IT systems.
Solving this problem depends on organisations making better use of the log data generated by IT equipment. Both investigating breaches after they occur and detecting them as they happen depend on systems that can automatically collect and analyse all of the log data in real time, not a sample of it. Only this approach can provide the forensic insight required to truly understand how threats penetrate systems and compromise data. With data breach incidents reaching an all-time high this year, it is clear that traditional perimeter security solutions are an inadequate defence on their own. Organisations now require the traceability provided by continuous log data analysis to identify anomalies, formulate damage limitation strategies and generate accurate breach notifications.
However, organisations should not wait for new legislation to obligate them into gaining a better understanding of the IT estate. The high proportion of the UK public in favour of mandatory notification tells us a lot about the lack of trust that exists when it comes to an organisation’s ability to defend against cyber attacks, and when asked if organisations are doing enough to secure customer data, 81 percent did not believe this was the case and that more needed to be done. Clearly it is best practice to be constantly aware of the smallest changes that occur across organisations’ IT systems, which will help to ensure major breaches do not occur in the first place.
Unfortunately online threats are becoming ever more sophisticated and harder to identify. If only IT systems wore undesirable activity as a badge of honour like Italy’s departing premier – it would certainly make the CIOs job a lot easier!
New Threats, New Acronyms: from APTs to AETs
Over the last few months, you’ve barely been able to open a newspaper without reading about the massive hacks affecting high target brands, such as RSA, Lockheed Martin and Mitsubishi Heavy Industries (to pick out just a few from a very long list). While differing in detail, these breaches have all been characterised as Advanced Persistent Threats (APTs), the acronym of the moment in the security industry.
Although they vary greatly in their tactics, APTs generally look for sophisticated ways to exploit vulnerabilities, often compromising multiple systems or processes in order to reach their ultimate goal. The ‘advanced’ comes from the fact that they require considerable planning and financing, and are typically undertaken by highly skilled attackers. They are ‘persistent’ because the attacker keeps at it over a long period rather than moving on after one failure: establishing a foothold, then repeatedly attempting to compromise further systems until the intended target is reached.
However, even though the APT is a relatively new concept, a new type of threat is now beginning to attract attention that is more complex still.
Attacks using Advanced Evasion Techniques (AETs) share much with APTs, but their modus operandi is to avoid detection altogether. They do this by adapting to the target’s infrastructure: combining evasions at several protocol layers so that the traffic an inspection device sees differs from what the target host reassembles, constantly morphing and masquerading in order to avoid identification. Basically, they are a lot sneakier.
AETs are used in particularly high stakes games. For example, the disruption caused by them could even (as with the case of the Stuxnet worm) threaten lives. Hackers employing these techniques are likely to belong to highly motivated outfits, backed by serious money and/or political clout.
While the emergence of even more sophisticated and serious cyber-threats makes for depressing reading, you can take consolation in the fact that an effective security management policy can defend against both types of threat.
These policies should include better staff training for all employees (case in point is the RSA breach, which was traced back to a malicious email sent to just four of the company’s employees), helping organisations to better identify and stop ‘doorknocking’ by unauthorised users. Education obviously needs to be coupled with the best possible perimeter defences.
However, far too many organisations think that training and perimeter solutions equal an adequate security policy. By taking this approach, and neglecting their internal systems, they are potentially exposing their soft underbellies.
The monitoring of log data generated across the whole organisation, in order to identify and instantly respond to suspicious activity, is a key layer in the defence against APTs and AETs. What’s more, this data can also be used to conduct post-event forensics, giving organisations the intelligence needed to ensure they are better prepared for the next attack… whether that attack is an APT, an AET, or whatever the acronym generator churns out next.
Gaining Visibility Through File Integrity Monitoring
The recent admission by Stanford University’s Hospital (http://www.nytimes.com/2011/09/09/us/09breach.html?ref=us) that 20,000 emergency room patient records were publicly disclosed is a great reminder of how important file activity monitoring is. The information considered most sensitive and dear to companies is often sitting on file servers. If you don’t have good visibility into who is accessing and copying files, you don’t stand much of a chance of identifying inappropriate use before it becomes a breach. In the event a breach does occur, how reliably and quickly can you ascertain when, how, and by whom? Auditing file access is certainly a good start, but auditing systems can be configured incorrectly and/or compromised by the same intruder who touched the files. For servers housing sensitive data, the best measure for gaining trusted visibility into file access is to deploy independent File Activity Monitoring technology, with its baseline and its records kept somewhere the monitored server cannot alter them.
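As an added example (not code from the original post or from any LogRhythm product), here is the core of a file integrity check in Python: hash every regular file under a directory into a baseline, store that baseline away from the monitored host, and diff a fresh snapshot against it to report files added, removed, or changed in content or permission bits. The directory layout, file names and the tampering performed in demo() are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root: content hash, size and mode bits.

    Symlinks are skipped so a link planted inside the tree cannot point the
    monitor at (or away from) a file outside it.
    """
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        snapshot[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return snapshot


def save_baseline(snapshot, dest):
    """Persist the baseline. In production write it somewhere the monitored
    host cannot modify (a separate server, read-only media); otherwise an
    intruder who tampers with a file can simply re-baseline it."""
    Path(dest).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Return files added, removed, or whose hash or permission bits changed."""
    before, after = set(baseline), set(current)
    modified = sorted(
        name for name in before & after
        if baseline[name]["sha256"] != current[name]["sha256"]
        or baseline[name]["mode"] != current[name]["mode"]
    )
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": modified,
    }


def demo():
    """Baseline a constructed directory, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as data, tempfile.TemporaryDirectory() as store:
        root = Path(data)
        (root / "patients.csv").write_text("id,name\n1,alice\n")
        (root / "bin").mkdir()
        (root / "bin" / "export.sh").write_text("#!/bin/sh\necho export\n")
        # The baseline lives in a second directory, standing in for off-host storage.
        baseline_path = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)
        # Simulated tampering: a record appended, a script deleted, a dump left behind.
        (root / "patients.csv").write_text("id,name\n1,alice\n2,bob\n")
        (root / "bin" / "export.sh").unlink()
        (root / "dump.tmp").write_text("copied records")
        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash comparison tells you what changed, not who changed it; feed its output into the same log pipeline as the file-access audit trail so that a modified file can be correlated with the sessions that were active at the time. The check should also run from a schedule the monitored host does not control, for the reason the post gives: whoever altered the files may also have altered the auditing.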
New Data Breach Study Shows Over 806.2 Million Records Disclosed, Estimated Cost of $156.7 Billion
In Digital Forensic Association’s report The Leaking Vault 2011, they estimate that data breaches cost organizations over $157 billion between 2005 and 2010, with the theft of over 806.2 million records. These are low estimates, given that incidents are under-reported, many reports did not include financial loss estimates, and the estimates did not include any financial ramifications beyond the actual data lost (impact to customers, interruption to productivity, impact to IT, etc.).
The report acknowledges that criminal or malicious motivation in attacks makes for more expensive breaches and that the incidents of malicious insiders are increasing.
This brings up an interesting recommendation from the report, “The most important recommendation for this vector is know where your data is” (emphasis theirs).
Given the financial motivations behind a breach and the methods used to achieve one, this most sensible recommendation is to protect the target itself. This runs counter to the common practice of building protection around the network perimeter. Digital Forensic Association is recommending a step beyond best practices for a layered security approach. Even the report admits “This can be an enormous job for a large complex enterprise, but you must start somewhere”. The questions to start with:
- What is considered valuable data to your enterprise?
- Where is this valuable data stored?
- Who should have access to this data?
- Who has access to this data?
- How can you track access?
Access logs are a critical part of recognizing who touched sensitive data and when, and whether it was merely viewed, copied, moved, or changed. However, collecting access logs will not protect the target; in fact, even with a log management system you may not know you were breached. When a “bad guy” accesses sensitive data, they generally do not use a “bad guy” account; they use the account of someone who already had access, so every individual access looks authorized. The more interesting question is therefore:
- Can you spot irregularities in access patterns?
What is an irregularity? A trusted account with correct credentials accessing your network from a location you do not normally operate in (China, Ukraine, Venezuela, etc.). A trusted account logged in from a secure company location that is simultaneously logged in from an external location. A trusted account with correct credentials using applications it does not normally use, or sending traffic to destinations it does not normally send to. Lastly, how could you detect that these types of anomalies are occurring and take immediate, if not automated, action?
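An added example (not from the original post or any LogRhythm product) of the three checks just described, run over a constructed key=value access log in Python. The log lines, the 10.0.0.0/8 internal range, the IP-to-country table and the per-account baseline of normal countries and applications are all constructed assumptions standing in for a real GeoIP database and a profile learned from historical logs. Each alert carries the account, the timestamp, the rule that fired and a short reason.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One event per line:
# timestamp, then key=value fields. jsmith's internal session is still open
# when a second login arrives from outside; mjones logs out first.
SAMPLE_LOG = """\
2011-11-14T08:55:10Z user=jsmith src=10.1.4.22 event=login app=vpn
2011-11-14T09:02:41Z user=jsmith src=10.1.4.22 event=access app=fileshare path=/finance/q3.xlsx
2011-11-14T09:10:05Z user=jsmith src=203.0.113.45 event=login app=vpn
2011-11-14T09:12:30Z user=jsmith src=203.0.113.45 event=access app=backup_console path=/finance
2011-11-14T09:30:00Z user=mjones src=10.1.7.9 event=login app=vpn
2011-11-14T09:31:15Z user=mjones src=10.1.7.9 event=access app=crm path=/customers
2011-11-14T10:00:00Z user=mjones src=10.1.7.9 event=logout app=vpn
2011-11-14T11:45:00Z user=mjones src=198.51.100.77 event=login app=vpn
"""

# Constructed assumptions: company address space, a stand-in for a GeoIP
# lookup, and per-account profiles of where and with what each user normally works.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
GEO = {"203.0.113.0/24": "UA", "198.51.100.0/24": "GB"}
BASELINE = {
    "jsmith": {"countries": {"GB"}, "apps": {"vpn", "fileshare"}},
    "mjones": {"countries": {"GB"}, "apps": {"vpn", "crm"}},
}


def parse(line):
    """Split '<ts> k=v k=v ...' into a dict; ts becomes a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def country(ip):
    addr = ipaddress.ip_address(ip)
    for net, code in GEO.items():
        if addr in ipaddress.ip_network(net):
            return code
    return "??"  # unknown range: still worth flagging, never silently trusted


def detect(log_text, baseline, window=timedelta(hours=8)):
    """Run the three anomaly rules over the log and return (user, ts, rule, detail)."""
    alerts = []
    active = defaultdict(dict)  # user -> {source ip: login time} for open sessions
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        profile = baseline.get(user, {"countries": set(), "apps": set()})
        if ev["event"] == "login":
            # Rule 1: external login from a country this account does not work from.
            if not is_internal(src):
                code = country(src)
                if code not in profile["countries"]:
                    alerts.append((user, ts, "geo",
                                   f"login from {src} ({code}), normal: {sorted(profile['countries'])}"))
            # Rule 2: already logged in from the other side of the perimeter.
            for other_src, other_ts in active[user].items():
                if is_internal(other_src) != is_internal(src) and ts - other_ts <= window:
                    alerts.append((user, ts, "concurrent",
                                   f"login from {src} while {other_src} active since {other_ts:%H:%M}"))
            active[user][src] = ts
        elif ev["event"] == "logout":
            active[user].pop(src, None)
        elif ev["event"] == "access":
            # Rule 3: an application this account has never used before.
            if ev["app"] not in profile["apps"]:
                alerts.append((user, ts, "app",
                               f"first use of {ev['app']} on {ev.get('path', '')}"))
    return alerts


if __name__ == "__main__":
    for user, ts, rule, detail in detect(SAMPLE_LOG, BASELINE):
        print(f"{ts:%H:%M:%S} {rule:<10} {user:<8} {detail}")
```

Against the constructed log, jsmith trips all three rules within a few minutes (an external login from a country outside the profile, while the office session is still open, followed by a first-ever use of a backup console against the finance share), which is the pattern a stolen credential produces and a per-event access log would never show. mjones, who logs out before reconnecting from a country in the profile, produces nothing. The profiles here are static; in practice they are learned from weeks of history and should be re-learned on a schedule, since an account that legitimately moves to a new application would otherwise page someone every day.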
Whether through malicious code, insider threat, or external hack, breaches can happen to even the smallest companies, and the financial motivation for them is ever-growing. It is more important than ever to adopt a holistic, layered security approach that takes into account not only detection of known malicious code or activity, but also the recognition of threatening anomalous behavior.
LogRhythm wins "Innovator of the Year" from SC Magazine. "This is not your father's log manager."