Category: General
Data Breach Disclosure Laws Are Now Long Overdue
Ah, Europe – why do its citizens seem to have to wait forever for action to be taken on issues that seem obvious to everyone else? While they may take some solace from the overdue departure of Signore Silvio Berlusconi (although I’m sure they will miss his ‘unique’ brand of humour – what a card!) it seems they will have to wait longer than expected for the right to find out if their personal information has been compromised.
Earlier this month, the European Commission (EC) announced that it was delaying the release of a new version of its Data Protection Directive – originally scheduled for mid-November – until the end of January 2012. When released, the legislation will install a welcome ‘mandatory data breach disclosure’ ruling across both public and private sector organisations, requiring them to report any breaches to relevant regulatory bodies, such as the UK’s Information Commissioner’s Office (ICO), as well as inform affected individuals. The ruling is expected to have global implications, as the law is likely to also cover non-EU companies that store data on European citizens.
Laws enforcing mandatory data breach disclosure are now long overdue in Europe. Such legislation is already in place in the US, and our recent research shows that the majority of the UK public are dissatisfied with the minimal consequences UK organisations face when they jeopardise sensitive data. 83 percent of the 2,000 UK consumers we surveyed support compulsory data loss disclosure legislation and the delay means they’ll have to wait even longer before this governance is in place.
With an unprecedented number of high profile data breaches occurring in the past year, this will no doubt be a huge frustration to the UK public, who are more prepared than ever to take drastic action against organisations that lose data. Our survey found that 26 percent of respondents were adamant they would never have anything to do with organisations which had lost data as a result of cyber crime, a rise of nine percent when compared to similar LogRhythm research conducted in 2010.
Once mandatory data breach disclosure laws are enforced, organisations will find they need to develop a much deeper insight into the activity taking place across their networks. This is because they will be required to generate accurate notifications which will specifically identify who and what has been compromised. This has been a particular problem in the US, and many companies are forced into issuing blanket breach notifications, which may even overstate the severity of the incident, due to a lack of visibility into their IT systems.
Solving this problem depends on organisations making better use of the log data generated by IT equipment. Both investigating breaches after they occur and detecting them beforehand depend on systems that can automatically collect and analyse 100 percent of log data in real-time. Only this approach can provide the forensic insight required to truly understand how threats penetrate systems and compromise data. With data breach incidents reaching an all-time high this year, it is clear that traditional perimeter security solutions are an inadequate defence. Organisations now require the traceability provided by continuous log data analysis to identify anomalies, formulate damage limitation strategies and generate accurate breach notifications.
However, organisations should not wait for new legislation to oblige them to gain a better understanding of their IT estate. The high proportion of the UK public in favour of mandatory notification says a lot about the lack of trust in organisations’ ability to defend against cyber attacks: when asked whether organisations are doing enough to secure customer data, 81 percent did not believe this was the case and felt more needed to be done. Clearly it is best practice to be constantly aware of even the smallest changes that occur across an organisation’s IT systems, which helps to ensure major breaches do not occur in the first place.
Unfortunately online threats are becoming ever more sophisticated and harder to identify. If only IT systems wore undesirable activity as a badge of honour like Italy’s departing premier – it would certainly make the CIO’s job a lot easier!
On Its Three Year Anniversary Conficker Still a Top Threat
Recently I was asked to speak about the prevalence of the Conficker worm. I initially scoffed at the idea, remembering that Conficker was discovered in November 2008, and the vulnerability it used to spread was patched by Microsoft in October of the same year... ancient history in the security world. However, after just a little research, I found AV vendors are still considering it to be one of the most prevalent pieces of malware out there.
How can this be? The vulnerability Conficker used to spread was patched 3 years ago! Every AV vendor I know of has been able to detect and remove the worm since then. Many have even issued “Conficker Removal Tools” to assist in the event a system gets in a state where standard AV isn’t working properly. So why is Conficker still a problem?
It really comes down to fundamental security practices (or should I say lack of fundamental security practices). The early variants of Conficker spread by exploiting a vulnerability in the Windows Server Service, then downloading a payload from a remote site. The worm continues to spread via this method, but also by attempting to execute copies of itself on ADMIN$ shares on computers visible on the network, launching a dictionary attack if the shares are protected. In addition, copies are saved to removable media devices and spread via AutoRun.
Any organization with a basic patch management program and AV strategy, both very standard things to have in a defense arsenal, should be protected against Conficker. However, with an ever-expanding mobile workforce, many organizations are losing control over the systems connecting to corporate networks, which might be one of the reasons older malware such as Conficker is still prevalent. Even home users who don’t have corporate resources should be running one of the free AV products and have Windows Update enabled to ensure their systems stay patched.
So that covers the “now.” What about when the next worm hits, one that utilizes a zero-day vulnerability that by definition isn’t yet patched and is unlikely to be picked up by many AV engines? This is where SIEM can help. Instead of worrying about detecting the exploit itself, a SIEM can look for general worm-like behavior. Worms are noisy. Once a host is compromised, the worm will continue to try to spread to other hosts on the network, as outlined above. By utilizing advanced correlation rules against this rather noisy activity, specifically rules that target internal network activity, a SIEM can alarm on worm-like behavior, even if the exploit being used to spread the worm is unknown.
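As an added illustration of the correlation idea in the paragraph above (example code written for this page, not a LogRhythm rule set), the Python script below runs two worm-oriented rules over constructed log records: one host reaching many distinct internal peers over SMB within a short window (the ADMIN$ share path described earlier), and one host accumulating failed share logons, which is what a dictionary attack against protected shares looks like from the log side. The record format, the 10.0.0.0/8 internal range and the thresholds are assumptions for the example.

```python
"""Worm-like lateral-movement detection over internal network logs.

Added example, not a vendor correlation rule.  The log format is
constructed for this example: one record per line,
"<epoch> <src_ip> <dst_ip> <dst_port> <event>", where <event> is
CONNECT (a new connection seen by a firewall or flow sensor) or
AUTH_FAIL (a failed logon to an administrative share on <dst_ip>).
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
SMB_PORT = 445                         # ADMIN$ shares are reached over SMB

# Thresholds are assumptions; tune them per environment (management hosts
# and vulnerability scanners legitimately fan out and need exceptions).
FANOUT_THRESHOLD = 10     # distinct internal SMB peers from one source ...
WINDOW_SECONDS = 60       # ... within this many seconds
AUTH_FAIL_THRESHOLD = 20  # failed share logons from one source, any window


def build_sample_log():
    """Constructed sample log (not real data): a benign workstation,
    a host browsing the Internet, and one host behaving like a worm."""
    lines = []
    # 10.0.0.20 repeatedly talks to the same file server: no fan-out.
    for i in range(30):
        lines.append(f"{1000 + i} 10.0.0.20 10.0.0.100 445 CONNECT")
    # 10.0.0.21 opens many HTTPS connections to the Internet (TEST-NET-3
    # addresses): external, so the internal-only rules ignore it.
    for i in range(30):
        lines.append(f"{1000 + i} 10.0.0.21 203.0.113.{i % 4 + 1} 443 CONNECT")
    # 10.0.0.5 sweeps SMB across 12 distinct internal peers in 24 seconds,
    # then hammers the ADMIN$ share of one of them with bad credentials.
    for i in range(12):
        lines.append(f"{1000 + 2 * i} 10.0.0.5 10.0.1.{i + 1} 445 CONNECT")
    for i in range(25):
        lines.append(f"{1100 + i} 10.0.0.5 10.0.1.3 445 AUTH_FAIL")
    # Interleave by timestamp, as a collector would deliver them.
    return sorted(lines, key=lambda rec: int(rec.split()[0]))


def parse(line):
    ts, src, dst, port, event = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(port), event


def detect(lines):
    """Correlate records and return a list of (source_ip, reason) alerts.

    Only internal-to-internal SMB traffic is considered, matching the
    post's point that worm rules should target activity inside the
    network rather than the exploit itself."""
    recent = defaultdict(deque)    # src -> deque of (ts, dst) SMB connects
    auth_fail = defaultdict(int)   # src -> failed share logons so far
    alerted = set()
    alerts = []

    def alert(src, reason):
        if (src, reason) not in alerted:       # fire once per host and rule
            alerted.add((src, reason))
            alerts.append((str(src), reason))

    for line in lines:
        ts, src, dst, port, event = parse(line)
        if src not in INTERNAL or dst not in INTERNAL or port != SMB_PORT:
            continue
        if event == "AUTH_FAIL":
            auth_fail[src] += 1
            if auth_fail[src] >= AUTH_FAIL_THRESHOLD:
                alert(src, "admin-share-auth-failures")
        elif event == "CONNECT":
            window = recent[src]
            window.append((ts, dst))
            while window and window[0][0] < ts - WINDOW_SECONDS:
                window.popleft()               # slide the time window
            if len({d for _, d in window}) >= FANOUT_THRESHOLD:
                alert(src, "smb-fanout")
    return alerts


if __name__ == "__main__":
    for src, reason in detect(build_sample_log()):
        print(f"ALERT {src}: {reason}")
```

Run stand-alone it prints two ALERT lines, both for 10.0.0.5; the workstation talking to one file server and the host browsing the Internet trip neither rule. Because the rules key on distinct peers and failed logons rather than on any signature, they would fire just the same for a worm using an unpatched vulnerability.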
Tags: conficker, malware, security, siem
Where is YOUR line drawn?
I had a busy weekend. I was recovering my elderly mother’s email account from a spam bot, while at the same time containing her stress levels about the safety of her associated PayPal, Amazon and eBay credentials. This proved a troublesome affair – particularly considering I only just managed to intercept the backdoor account that the script was trying to put in place.
I tried to keep in mind that this kind of attack is not personal. How could it be? It’s just a script, right? Well, then I was talking to a friend about the situation and I realised that my much beloved mother was as defenceless in the face of this assault as she would have been in the face of an actual armed physical assault. To an able bodied person with a sufficiently foolhardy nature, physical assaults can be challenged. Similarly, a cyber-theft to a technically competent person is typically more inconvenient than actually costly.
However, to someone who doesn’t know to immediately check the backdoor accounts for a hijacked identity, or to get a password reset sent, then this sort of thing could rapidly degenerate into a seriously injurious affair, both in terms of the stress and the cost. However, even with all those factors in mind, I see this sort of crime in the same way as I see street theft. It’s just villainy. Nothing personal, and just the way that undesirables make money.
However, I found my limit after the recent hacking of the Sesame Street channel. This was where hacking for the nobility of the art, or to illustrate to people what was possible in the face of lax security was forgotten. This was just vandalism – and particularly damaging and ill-informed vandalism too. Whatever your feeling is about pornography, you’ll hopefully agree that posting it to a channel where the median age visitor is 8 years old crosses a line.
But what can we take from this? Given that the internet is peppered with people who would do this sort of thing, what safeguards were in place to stop them? Consensus suggests that the channel concerned had a weak password. In this instance, is there anything to be gained from ultimate culpability for the channel administrator? Probably not this time, but if it happens again, then that’s a different matter.
We need to learn these lessons once, and learn them well. Safeguards are available in the form of quality SIEM solutions and a raft of best practices that underpin internet security. Everyone – particularly those responsible for what reaches young eyes – needs to make use of them.
The Benefits of Logging Disk Space Warnings or Errors
Disk capacity requirements vary depending on the purpose of the system and the applications using the storage. When no free disk space remains, the effect can range from minor to borderline catastrophic. A catastrophic failure usually means that no remote access is possible to free up space, and any resident applications will most likely be negatively impacted by the inability to write to disk. These situations can arise from a number of circumstances and should be monitored from an operations, audit and security perspective. Most environments are a mixture of operating systems and devices, and some may not provide this type of monitoring “out of the box”, requiring a third-party add-on or a scripted process.
On Windows (and some Linux distributions), free disk space can be monitored and logged so that alerts can be raised from the log. Below are references to what needs to be configured to monitor free disk space.
Windows:
Open the registry, navigate to the following key and edit to define the specific percentage (DWORD value) of free disk space available before the OS writes to the SYSTEM Event log:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DiskSpaceThreshold
The default value (even if this parameter isn’t defined) is 10%.
NOTE: This will only be logged once until free space is made available and will log again if it drops back below the defined threshold.
Windows 2003 can also be set to log to the SYSTEM Event log when the amount of free disk space falls below a defined threshold value (in MB).
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\LowDiskSpaceMinimum
The default value is 400 MB. This will log frequently until free space is made available and rises above the defined threshold.
Linux:
Depending on the various make/distributions, this is typically done via a scheduled script that will perform this validation and if need be log to syslog or send a mail message to an appropriate recipient.
This is typically done with a scheduled cron job that executes a Perl script to assess the free space of the mounted disks. The script is usually named “diskcheck” and is configured by editing the file located here: /etc/diskcheck.conf.
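The following Python script is an added example for this page; it is not the diskcheck Perl script mentioned above, and the mount list, thresholds and syslog facility are assumptions. It is written to run from cron and mirrors the two Windows thresholds described earlier, a percentage of free space (as with DiskSpaceThreshold) and an absolute minimum in MB (as with LowDiskSpaceMinimum), writing a syslog line for each mount that breaches either one:

```python
"""Free-disk-space check meant to be run from cron.

Added example for this page (not the "diskcheck" script the post refers
to).  MOUNTS, the thresholds and the syslog facility are assumptions.
"""
import logging
import logging.handlers
import os
import shutil
import sys

MOUNTS = ["/", "/var", "/home"]   # assumed mount points to watch
PERCENT_THRESHOLD = 10            # warn when free space < this percent
MIN_FREE_MB = 400                 # warn when free space < this many MB
MB = 1024 * 1024


def evaluate(mount, total_bytes, free_bytes,
             percent_threshold=PERCENT_THRESHOLD, min_free_mb=MIN_FREE_MB):
    """Return the warnings for one mount (an empty list means it is fine).

    Takes raw numbers so the logic can be exercised without a real
    filesystem; check_mounts() feeds it values from shutil.disk_usage."""
    if total_bytes <= 0:
        return [f"{mount}: cannot determine capacity"]
    warnings = []
    free_pct = free_bytes * 100.0 / total_bytes
    free_mb = free_bytes / MB
    if free_pct < percent_threshold:
        warnings.append(f"{mount}: {free_pct:.1f}% free, "
                        f"below the {percent_threshold}% threshold")
    if free_mb < min_free_mb:
        warnings.append(f"{mount}: {free_mb:.0f} MB free, "
                        f"below the {min_free_mb} MB minimum")
    return warnings


def check_mounts(mounts=MOUNTS):
    """Measure each configured mount point and collect its warnings."""
    warnings = []
    for mount in mounts:
        if not os.path.ismount(mount):
            continue   # not a separate filesystem on this host: skip it
        try:
            usage = shutil.disk_usage(mount)
        except OSError as exc:
            warnings.append(f"{mount}: cannot read usage ({exc})")
            continue
        warnings.extend(evaluate(mount, usage.total, usage.free))
    return warnings


def make_logger():
    """Log to the local syslog daemon; fall back to stderr when the
    /dev/log socket is absent (for example inside a container)."""
    log = logging.getLogger("diskcheck")
    log.setLevel(logging.WARNING)
    try:
        handler = logging.handlers.SysLogHandler(
            address="/dev/log",
            facility=logging.handlers.SysLogHandler.LOG_DAEMON)
    except OSError:
        handler = logging.StreamHandler(sys.stderr)
    handler.setFormatter(logging.Formatter("diskcheck: %(message)s"))
    log.addHandler(handler)
    return log


if __name__ == "__main__":
    log = make_logger()
    found = check_mounts()
    for msg in found:
        log.warning(msg)   # one syslog record per breached threshold
        print(msg)         # cron mails any output to MAILTO, covering the
                           # post's "send a mail message" option as well
    sys.exit(1 if found else 0)
```

Scheduled from cron (for instance every 15 minutes), the script behaves like LowDiskSpaceMinimum rather than DiskSpaceThreshold: it warns on every run while the condition persists, so the log collector sees a repeating record until space is freed. Suppressing repeats until recovery would need a small state file, which is deliberately left out here.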
Regardless of what operating system or device, if it’s possible to monitor the amount of free disk space and log the event, it can potentially remove the need for time-consuming recovery efforts. This frees up IT and support resources and ensures a high-percentage of uptime and system/application availability.
New Threats, New Acronyms: from APTs to AETs
Over the last few months, you’ve barely been able to open a newspaper without reading about the massive hacks affecting high-profile brands, such as RSA, Lockheed Martin and Mitsubishi Heavy Industries (to pick out just a few from a very long list). While differing in detail, these breaches have all been characterised as Advanced Persistent Threats (APTs), the acronym of the moment in the security industry.
Although they vary greatly in their tactics, APTs generally look for sophisticated ways to exploit vulnerabilities, often compromising multiple systems or processes in order to reach their ultimate goal. The ‘advanced’ comes from the fact that they require considerable planning and financing, and are typically undertaken by highly skilled cyber-criminals. They are ‘persistent’ because they repeatedly attempt to compromise multiple systems in order to obtain access to their intended victims, trying hundreds, thousands or even millions of combinations.
However, even though the APT is a relatively new concept, a new type of threat is now beginning to attract attention that is more complex still.
Attacks using Advanced Evasion Techniques (AETs) are in many ways the same as APTs, but their modus operandi is not to get detected at all, and they do this by reacting to the IT infrastructure, constantly morphing and masquerading in order to avoid identification. Basically, they are a lot sneakier.
AETs are used in particularly high stakes games. For example, the disruption caused by them could even (as with the case of the Stuxnet worm) threaten lives. Hackers employing these techniques are likely to belong to highly motivated outfits, backed by serious money and/or political clout.
While the emergence of even more sophisticated and serious cyber-threats makes for depressing reading, you can take consolation in the fact that an effective security management policy can defend against both types of threat.
These policies should include better staff training for all employees (case in point is the RSA breach, which was traced back to a malicious email sent to just four of the company’s employees), helping organisations to better identify and stop ‘doorknocking’ by unauthorised users. Education obviously needs to be coupled with the best possible perimeter defences.
However, far too many organisations think that training and perimeter solutions equal an adequate security policy. By taking this approach, and neglecting their internal systems, they are potentially exposing their soft underbellies.
The monitoring of log data generated across the whole organisation, in order to identify and instantly respond to suspicious activity, is a key layer in the defence against APTs and AETs. What’s more, this data can also be used to conduct post-event forensics, giving organisations the intelligence needed to ensure they are better prepared for the next attack… whether that attack is an APT, an AET, or whatever the acronym generator churns out next.