<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Log Management &#38; SIEM for Security, Compliance, Operations &#124; the dialog</title>
	<atom:link href="http://blog.logrhythm.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.logrhythm.com</link>
	<description>Log Management &#38; SIEM for Security, Compliance, Operations &#124; the dialog</description>
	<lastBuildDate>Wed, 22 Feb 2012 20:27:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.3</generator>
		<item>
		<title>Security Not a Top Priority for Many Small Businesses</title>
		<link>http://blog.logrhythm.com/digital-forensics/security-not-a-top-priority-for-many-small-businesses/</link>
		<comments>http://blog.logrhythm.com/digital-forensics/security-not-a-top-priority-for-many-small-businesses/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 19:20:06 +0000</pubDate>
		<dc:creator>balbrecht</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Digital Forensics]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=853</guid>
		<description><![CDATA[I recently found an article that outlined a study about cyber security and small businesses. In the study, by Newtek Business Services’ Small Business Authority, it was discovered that “just 27 percent of small business owners have had an outside &#8230; <a href="http://blog.logrhythm.com/digital-forensics/security-not-a-top-priority-for-many-small-businesses/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-856" href="http://blog.logrhythm.com/digital-forensics/security-not-a-top-priority-for-many-small-businesses/attachment/blogcybersecurityimage-2/"><img class="alignright size-full wp-image-856" src="http://blog.logrhythm.com/wp-content/uploads/2012/02/blogCyberSecurityimage1.png" alt="" width="265" height="162" /></a>I recently found an article that outlined a study about cyber security and small businesses. In the study, by <a href="http://www.eweek.com/c/a/Midmarket/Cyber-Security-Goes-Unchecked-Among-Most-Businesses-Report-615334/" target="_blank">Newtek Business Services’ Small Business Authority</a>, it was discovered that “just 27 percent of small business owners have had an outside party test their computer systems to ensure that they are hacker-proof…” I found this to be a relatively shocking number, but one that is believable in today’s tough economy. Most small organizations are watching every penny, and during that kind of number crunching the IT and IT security budgets are often the first to get cut. Security has always been a hard sell to upper management in most organizations, particularly if the organization has never experienced a security or data breach. Security budgets are often looked upon as, “Why are we spending so much money on something that may never happen?” Until an organization is hit, it is a tough sell to pass a decent security budget.</p>
<p>This same article also highlights a recent study by PwC that “found 43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans.” Another interesting finding in this report was the number of respondents that have “confidence” in their plans. “Seventy-two percent of the more than 9,600 security executives…report confidence in the effectiveness of their organization’s information security activities… (a number that) has declined markedly since 2006.” This figure, in my opinion, shows that even the large organizations, as much as they may feel prepared, really are not too confident in their security preparations.</p>
<p>Maybe their lack of confidence comes from the large number of data and security breaches that are reported every day. Behind those breaches are some sobering numbers. <a href="http://www.pcworld.com/printable/article/id,221582/printable.html" target="_blank">Another study</a> from the Ponemon Institute, sponsored by Symantec, found “that the average cost of a data breach increased by seven percent to $7.2 million in 2010, with the most expensive data breach jumping 15 percent over the previous high to a whopping $35.3 million.” In addition, the study calculated that “the average data breach cost per individual compromised record is $214.” This is a staggering figure when you look at the breaches that have been reported: most involve hundreds of thousands of records lost each time. Multiply those numbers by $214 and the fines and associated fees per breach climb quickly.</p>
<p>With these numbers in mind, this goes back to my original point: only 27 percent of small business owners value security enough to have an outside company come in and test it. Taking into account that many small organizations may not have the capital available for such security or “penetration” tests, it also begs the question, “Will they have enough capital to cover the fines and other fees associated with a data breach ($7.2 million on average in 2010)?”</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/digital-forensics/security-not-a-top-priority-for-many-small-businesses/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Controlling Access to Windows 2008 Event Logs</title>
		<link>http://blog.logrhythm.com/uncategorized/controlling-access-to-windows-2008-event-logs-2/</link>
		<comments>http://blog.logrhythm.com/uncategorized/controlling-access-to-windows-2008-event-logs-2/#comments</comments>
		<pubDate>Thu, 16 Feb 2012 22:11:46 +0000</pubDate>
		<dc:creator>cmonroy</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=847</guid>
		<description><![CDATA[On Windows Server 2003, granting a user account the ability to read another system’s event logs meant editing the registry and adding SDDL (Security Descriptor Definition Language) entries on every remote system involved. Windows Server 2008 simplifies &#8230; <a href="http://blog.logrhythm.com/uncategorized/controlling-access-to-windows-2008-event-logs-2/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>On Windows Server 2003, granting a user account the ability to read another system’s event logs meant editing the registry and adding SDDL (Security Descriptor Definition Language) entries on every remote system involved. Windows Server 2008 simplifies this with a built-in local group that has read access to the logs by default: the “Event Log Readers” group.</p>
<p>That makes granting this type of access much easier, but what if you want the accounts in that group restricted to certain event logs only? That is possible too: you remove the SID of the local Event Log Readers group from the access list of each log they should not see, and the command-line utility “wevtutil” lets you do exactly that. Note also that not every log is readable by the group by default; the “Applications and Services” logs, for example, are not readable until access is explicitly granted to the Event Log Readers group, and wevtutil handles that case as well.</p>
<p>When using wevtutil, first view the log’s “channelAccess” string. “gl” means “get log configuration information” and prints the channelAccess string among the other settings:</p>
<p><strong>wevtutil gl Security</strong><br />
<strong>channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)</strong></p>
<p>The entry “(A;;0x1;;;S-1-5-32-573)” is what grants (A = Allow) read access (0x1 = Read) to the Event Log Readers group (SID S-1-5-32-573). The other two entries give SYSTEM the standard rights plus read and clear (0xf0005) and Administrators read and clear (0x5 = Read 0x1 + Clear 0x4); the channel rights are 0x1 read, 0x2 write and 0x4 clear. Append a similar allow entry to the channelAccess string to grant read access to a specific SID.</p>
<p>To remove read access from the Event Log Readers group, set the channelAccess string without that entry. Note that there is no space between “/ca:” and the descriptor:</p>
<p><strong>wevtutil sl Security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)</strong><br />
<strong>Note the removal of (A;;0x1;;;S-1-5-32-573).</strong></p>
<p>SDDL entries can look confusing, but they are also a useful place to verify who has access to a specific event log when troubleshooting.</p>
<p>So the “keys to the kingdom” do not have to be delegated if time is taken to address the specific access requirements in your organization.</p>
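<p>As an added example (not part of the original post), the following PowerShell script automates the edit described above: it reads the channelAccess descriptor with “wevtutil gl”, lists the ACEs with their SIDs resolved to names, optionally strips every entry for Event Log Readers (S-1-5-32-573) or appends a read (0x1) allow entry for another SID, and writes the result back with “wevtutil sl”. The script name, parameter names and the -Apply switch are my own; nothing is written until -Apply is given, and the SID in the usage comment is a placeholder. Run it from an elevated prompt on Windows Server 2008 or later.</p>

```powershell
# Set-ChannelAccess.ps1 (added example, not from the original post)
# Usage (elevated):
#   .\Set-ChannelAccess.ps1 -LogName Security                          # show current ACEs
#   .\Set-ChannelAccess.ps1 -LogName Security -RemoveEventLogReaders -Apply
#   .\Set-ChannelAccess.ps1 -LogName Application -GrantReadSid S-1-5-21-... -Apply
# The script name, parameters and -Apply switch are assumptions; the SID above is a placeholder.
param(
    [string]$LogName = 'Security',
    [string]$GrantReadSid = '',          # SID to receive read access, e.g. a domain group
    [switch]$RemoveEventLogReaders,     # drop every ACE for BUILTIN\Event Log Readers
    [switch]$Apply                      # without this the script only prints the proposed SDDL
)

$EventLogReadersSid = 'S-1-5-32-573'    # BUILTIN\Event Log Readers, as in the post
$ReadMask           = 0x1               # channel rights: 0x1 read, 0x2 write, 0x4 clear

function Get-ChannelAccessSddl([string]$Log) {
    # "wevtutil gl <log>" prints one "channelAccess: <sddl>" line among the log settings
    $line = wevtutil gl $Log | Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
    if (-not $line) { throw "wevtutil returned no channelAccess line for log '$Log'" }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

function Show-Aces([System.Security.AccessControl.RawSecurityDescriptor]$Sd) {
    foreach ($ace in $Sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        Write-Host ('  {0,-13} mask=0x{1:X} {2}' -f $ace.AceType, $ace.AccessMask, $who)
    }
}

$sddl = Get-ChannelAccessSddl $LogName
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
if ($null -eq $sd.DiscretionaryAcl) { throw "Log '$LogName' has no DACL in its channelAccess string" }
Write-Host "Current channelAccess for ${LogName}: $sddl"
Show-Aces $sd

if ($RemoveEventLogReaders) {
    # Walk backwards so that removing an entry does not shift the indices still to be visited
    for ($i = $sd.DiscretionaryAcl.Count - 1; $i -ge 0; $i--) {
        if ($sd.DiscretionaryAcl[$i].SecurityIdentifier.Value -eq $EventLogReadersSid) {
            $sd.DiscretionaryAcl.RemoveAce($i)
        }
    }
}

if ($GrantReadSid) {
    # Equivalent of appending "(A;;0x1;;;<sid>)" to the SDDL string by hand
    $sid = New-Object System.Security.Principal.SecurityIdentifier($GrantReadSid)
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $ReadMask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
}

$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Write-Host "Proposed channelAccess: $newSddl"
Show-Aces $sd

if ($Apply) {
    # No space between "/ca:" and the descriptor
    wevtutil sl $LogName "/ca:$newSddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    Write-Host "Applied. Re-check with: wevtutil gl $LogName"
} else {
    Write-Host 'Dry run only; re-run with -Apply to write the new descriptor.'
}
```

<p>Two things to check when using it. The .NET SDDL writer may spell the rights as SDDL letter pairs (for example CC for 0x1) rather than the hex form shown by wevtutil; both are equivalent and wevtutil accepts either, so compare the SIDs and masks printed by Show-Aces rather than the raw strings. And if the descriptor reverts after a Group Policy refresh, a GPO is setting the log’s “Configure log access” policy, which overrides the per-machine channelAccess value; the change then has to be made in the policy instead.</p>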
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/uncategorized/controlling-access-to-windows-2008-event-logs-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Decade-Long Nortel Breach Signals Ongoing Threats in Cyber Espionage</title>
		<link>http://blog.logrhythm.com/uncategorized/decade-long-nortel-breach-signals-ongoing-threats-in-cyber-espionage/</link>
		<comments>http://blog.logrhythm.com/uncategorized/decade-long-nortel-breach-signals-ongoing-threats-in-cyber-espionage/#comments</comments>
		<pubDate>Tue, 14 Feb 2012 18:51:02 +0000</pubDate>
		<dc:creator>cpetersen</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=836</guid>
		<description><![CDATA[The Wall Street Journal is reporting that Nortel Networks was breached for over a decade with hackers (thought to be Chinese) enjoying unrestricted access.  This is the latest reminder (see Symantec, Mitsubishi Heavy Industries, RSA and Northrop Grumman, and the &#8230; <a href="http://blog.logrhythm.com/uncategorized/decade-long-nortel-breach-signals-ongoing-threats-in-cyber-espionage/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The Wall Street Journal is reporting that <a href="http://online.wsj.com/article/SB10001424052970203363504577187502201577054.html?KEYWORDS=nortel" target="_blank">Nortel Networks was breached for over a decade</a> with hackers (thought to be Chinese) enjoying unrestricted access.  This is the latest reminder (see <a href="http://www.huffingtonpost.com/2012/01/17/symantec-hack-norton-source-code_n_1211043.html" target="_blank">Symantec</a>, <a href="http://www.huffingtonpost.com/2011/09/19/mitsubishi-heavy-industries-hack_n_969427.html" target="_blank">Mitsubishi Heavy Industries</a>, <a href="http://www.theinquirer.net/inquirer/news/2075825/rsa-secureid-hackers-linked-military-contractor-hack" target="_blank">RSA and Northrop Grumman</a>, and <a href="http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?_r=2&amp;scp=1&amp;sq=Digital%20thievery&amp;st=cse" target="_blank">the United States Chamber of Commerce</a>) of how vulnerable corporations and agencies seem to be when it comes to nation-state-sponsored cyber espionage.  It is also a stark reminder of how a basic compromise (stolen credentials) can become an expansive and stealthy breach across a broad corporate network.</p>
<p><img class="alignleft size-full wp-image-844" src="http://blog.logrhythm.com/wp-content/uploads/2012/02/cyber-espoinage1.jpg" alt="" width="300" height="257" />Industrial espionage is nothing new.  Nations have always sought to bridge technology gaps by acquiring what others possess.  With the rise of the Internet, it just became so much easier.  Gone is the need to bribe an employee, embed a spy, or break into a site.  Simply compromise a password, log in, and go to work.  When you have hundreds or thousands of highly trained electrical and computer science engineers at your disposal, what chance does an unprepared target have?</p>
<p>Should we really be surprised &#8211; especially those of us who grew up in the Cold War &#8211; that nations would aggressively compromise corporate and agency networks in support of their own economic interests?  As a patriot of my country, I have to wonder how many US corporations are breached and leaking right now.  I’m afraid the number would be appalling – it is likely very high.</p>
<p>US corporations and agencies (and those of our allies) must become more diligent and vigilant in their approach to network security monitoring.  The perimeter simply cannot hold; cyber threats will find a way in.  When they do, the ability to detect and quickly respond is paramount.  The leaking can be stemmed, but only when appropriate resources and effort are invested.  Until then, the wake-up calls will continue to get louder.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/uncategorized/decade-long-nortel-breach-signals-ongoing-threats-in-cyber-espionage/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is the best product to protect against Zero Day malware attacks?</title>
		<link>http://blog.logrhythm.com/siem-2/what-is-the-best-product-to-protect-against-zero-day-malware-attacks/</link>
		<comments>http://blog.logrhythm.com/siem-2/what-is-the-best-product-to-protect-against-zero-day-malware-attacks/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 21:12:20 +0000</pubDate>
		<dc:creator>sgoldhammer</dc:creator>
				<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=832</guid>
		<description><![CDATA[I was recently asked this question and wanted to share my response. I added a disclaimer that I work for a vendor in this space, but I feel the need to add SIEM to the discussion. As many have pointed &#8230; <a href="http://blog.logrhythm.com/siem-2/what-is-the-best-product-to-protect-against-zero-day-malware-attacks/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I was recently asked this question and wanted to share my response.</p>
<p>I added a disclaimer that I work for a vendor in this space, but I feel the need to add SIEM to the discussion. As many have pointed out, there is no single silver-bullet technology for defending against or recognizing 0-day attacks; it takes a mix of the right technologies and processes incorporated into a comprehensive security strategy. Having worked for multiple security technology vendors in the past, I believe it would be a mistake not to incorporate a SIEM solution to gain better clarity and prioritization around events, including 0-day activity. The issue for many security analysts today is not a lack of security information in their environment; it is seeing through the clutter to recognize the priority events that require action. I believe SIEM solutions are best positioned to provide this level of information to an organization, based on their ability to collect from multiple security, network, and host-based sources and to correlate across silos to recognize patterns, anomalies, or highly suspicious behaviors that may indicate a 0-day infection.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/siem-2/what-is-the-best-product-to-protect-against-zero-day-malware-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Your Company from the Dangers of USB Drives</title>
		<link>http://blog.logrhythm.com/uncategorized/protecting-your-company-from-the-dangers-of-usb-drives/</link>
		<comments>http://blog.logrhythm.com/uncategorized/protecting-your-company-from-the-dangers-of-usb-drives/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 22:01:43 +0000</pubDate>
		<dc:creator>vcarty</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.logrhythm.com/?p=803</guid>
		<description><![CDATA[Everyone knows how commonplace USB flash drives are today, so it comes as no surprise that they’ve become a fixture in workplaces around the world. However, in the face of potential malware and other insider threats, such as data loss &#8230; <a href="http://blog.logrhythm.com/uncategorized/protecting-your-company-from-the-dangers-of-usb-drives/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Everyone knows how commonplace USB flash drives are today, so it comes as no surprise that they’ve become a fixture in workplaces around the world. However, in the face of potential malware and other insider threats, such as data loss or tampering, it may be time for stricter policies on their usage. After all, removable thumb drives helped spread malware as infamous as the Conficker and Stuxnet worms, and newer, more dangerous threats evolve every day. This should be disturbing for a number of reasons. Not only do you have the aforementioned threat of all sorts of malware (which inevitably leads to a loss of time, money, effort, etc.), but the company’s reputation is also at stake. A study done by the Ponemon Institute<a href="http://www.darkreading.com/security/attacks-breaches/231901835/study-how-data-breaches-damage-brand-reputation.html" target="_blank"> (http://www.darkreading.com/security/attacks-breaches/231901835/study-how-data-breaches-damage-brand-reputation.html)</a> showed that a data breach can cause a brand’s value to plummet by 12 to 25 percent.</p>
<p>So how can you best protect your company from these USB-related nightmares? If your company has absolutely no need for USB flash drives in the workplace, then – of course – they can be banned entirely. In many situations, this isn’t very practical. Instead, try these options:</p>
<p>1. Disable AutoPlay/AutoRun for all USB and CD/DVD drives. This prevents a malicious program on the media from executing automatically when the device is inserted.</p>
<p>2. Consider updating your software. A Microsoft blog post <a href="http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx" target="_blank">(http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx)</a> states that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.” Why? Windows Vista and Windows 7 have features which provide more protection against autorun’s ability to spread malware.</p>
<p>3. Consider encrypting all company-owned flash drives.</p>
<p>4. Enforce (or develop) USB flash drive-related policies. Also consider mentioning the dangers of USB flash drives in company training. No matter how technology-savvy your employees may seem, no company is immune to human error. The Department of Homeland Security <a href="http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx" target="_blank">(http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx)</a>, for example, found that 60% of USB drives (deliberately planted in places like federal agency parking lots) were inserted into company computers after they were picked up by unsuspecting workers. This number skyrocketed to a whopping 90% when the USB drives had the Department of Homeland Security logo. Many times, your biggest weakness might not be a malicious insider, but an employee who simply doesn’t understand the potential security risks of their actions.</p>
<p>5. Lastly, give Data Loss Defender a try. This is a little-used tool in LogRhythm which can help you monitor and/or prevent the use of USB flash drives (as well as CD/DVD drives).<br />
From Deployment Manager, select:<br />
<strong>Tools —&gt; Administration —&gt; Data Loss Defender Policy Manager</strong>. From here, you can create a policy which can monitor or eject certain media.</p>
<p>To enable the policy, click on the System Monitor Agents tab, double-click on the agent, and select:</p>
<p><strong>Endpoint Monitoring tab —&gt; Data Loss Defender tab —&gt; Enable Data Loss Defender</strong></p>
<p>After restarting your agent, your policy will be enforced. You should start seeing logs which show the connecting of USB drives…</p>
<p><a rel="attachment wp-att-805" href="http://blog.logrhythm.com/uncategorized/protecting-your-company-from-the-dangers-of-usb-drives/attachment/logmessage1_288x102/"><img class="alignleft size-full wp-image-805" src="http://blog.logrhythm.com/wp-content/uploads/2012/02/logmessage1_288x102.jpg" alt="" width="288" height="102" /></a></p>
<p>…and any data which may have been copied to the device:</p>
<p><a rel="attachment wp-att-806" href="http://blog.logrhythm.com/uncategorized/protecting-your-company-from-the-dangers-of-usb-drives/attachment/logmessage2_288x93/"><img class="alignleft size-full wp-image-806" src="http://blog.logrhythm.com/wp-content/uploads/2012/02/logmessage2_288x93.jpg" alt="" width="288" height="93" /></a></p>
<p>If you’ve enabled the eject feature, you’ll also receive a confirmation of the ejection:</p>
<p><a rel="attachment wp-att-824" href="http://blog.logrhythm.com/uncategorized/protecting-your-company-from-the-dangers-of-usb-drives/attachment/blogmessage3/"><img class="alignleft size-full wp-image-824" src="http://blog.logrhythm.com/wp-content/uploads/2012/02/blogmessage3.jpg" alt="" width="288" height="96" /></a></p>
<p>With these tools, as well as the help of policies and procedures which spell out the proper use of these devices, you’ll be able to take another step closer to a safer corporate network.</p>
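<p>As an added example (not part of the original post or of the LogRhythm product), the following PowerShell script audits option 1 above. The Explorer policy value NoDriveTypeAutoRun is a bitmask in which each set bit disables AutoRun for one drive type, so 0xFF disables it for every type; the script decodes the current mask, reports which drive types may still AutoRun, and with -Apply writes 0xFF under HKLM. The script name, the -Apply switch and the 0x91 fallback used when the value is absent are my assumptions. Windows 7 (and the update discussed in the Microsoft post linked above) already restricts AutoRun on removable media, so on current systems this is a belt-and-braces setting that also covers CD/DVD.</p>

```powershell
# Audit-AutoRun.ps1 (added example, not from the original post)
# Usage (elevated):  .\Audit-AutoRun.ps1          # report which drive types may still AutoRun
#                    .\Audit-AutoRun.ps1 -Apply   # set NoDriveTypeAutoRun to 0xFF
param([switch]$Apply)

# Machine-wide policy key; the same value under HKCU applies per user, but HKLM wins
$PolicyKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName      = 'NoDriveTypeAutoRun'
$AllDrives      = 0xFF      # every bit set: AutoRun disabled for all drive types
$WindowsDefault = 0x91      # assumed default when the value is absent (unknown, network, reserved)

# Bit -> drive type; bit positions follow the Win32 DRIVE_* constants
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown' },
    @{ Bit = 0x02; Name = 'No root directory' },
    @{ Bit = 0x04; Name = 'Removable (USB flash drive, floppy)' },
    @{ Bit = 0x08; Name = 'Fixed (internal disk)' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD/DVD' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Reserved' }
)

function Get-AutoRunMask {
    # Returns the configured mask, or the assumed Windows default when no policy value exists
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $WindowsDefault }
    return [int]$item.$ValueName
}

function Show-AutoRunMask([int]$Mask) {
    # A set bit means AutoRun is blocked for that drive type; a clear bit means it is allowed
    foreach ($entry in $DriveTypeBits) {
        $state = if ($Mask -band $entry.Bit) { 'blocked' } else { 'ALLOWED' }
        Write-Host ('  {0,-36} {1}' -f $entry.Name, $state)
    }
}

$current = Get-AutoRunMask
Write-Host ('NoDriveTypeAutoRun = 0x{0:X2}' -f $current)
Show-AutoRunMask $current

if ($Apply) {
    if ($current -eq $AllDrives) { Write-Host 'Already hardened; nothing to do.'; return }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
    Write-Host 'Set NoDriveTypeAutoRun to 0xFF; AutoRun is now disabled for every drive type.'
} elseif ($current -ne $AllDrives) {
    Write-Host 'Re-run with -Apply to disable AutoRun for all drive types.'
}
```

<p>Run the audit first without -Apply: the line marked ALLOWED for “Removable” is the one that matters for USB flash drives. If the value reverts after a Group Policy refresh, the setting is being managed by a GPO (Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies) and should be changed there rather than on each machine.</p>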
]]></content:encoded>
			<wfw:commentRss>http://blog.logrhythm.com/uncategorized/protecting-your-company-from-the-dangers-of-usb-drives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

