Category: Security
Just The Facts – It’s When, Not If
Following the significant shift in the cyber threat landscape, the mindset of information security professionals has changed substantially. Eighteen months ago, most reasonably funded information security groups felt that the tools, processes and people they had in place were fairly strong relative to the risks and threats they were designed to address. As such, most felt that, while by no means bullet-proof, their defenses were likely to keep the bad guys at bay and send them on to more vulnerable organizations. Oh, what a difference a year and a half makes.
The rapidly maturing cyber crime economy and its supporting supply chain have led information security professionals to realize that the bad guys are getting more sophisticated and more numerous at an accelerating pace. Since this time last year, most InfoSec pros have accepted the idea that “It’s when, not if” their organization will experience a breach. While this mentality seemed to be pervasive as we approached the end of 2011, we wanted to put some hard numbers to it: just how exposed do organizations believe they are? To answer that question, we conducted a survey of over 200 information security professionals on their organizations’ Cyber Threat Readiness. The results, while not surprising, are alarming and reflect the need for better detection and response capabilities: to know sooner when breaches occur and to be empowered to respond faster and more effectively when they do.
82% of respondents stated they have firewalls in place and use anti-malware/anti-virus solutions, but 75% said they lack confidence in their ability to detect activity commonly tied to breaches and cyber crime (e.g., to know when credentials or hosts are compromised). The bright spot in the survey results is that organizations taking steps to deploy technology such as NGFW and SIEM to improve their visibility and response capability were twice as likely to be confident in their ability to detect cyber attacks and breaches.
You can check out the Cyber Threat Readiness survey results for yourself in today’s press release. And as you’re reading the results and considering the scenarios to which most organizations are blind, answer the question “Would you know if…”.
Security Not a Top Priority for Many Small Businesses
I recently found an article that outlined a study about cyber security and small businesses. In the study, by Newtek Business Services’ Small Business Authority, it was discovered that “just 27 percent of small business owners have had an outside party test their computer systems to ensure that they are hacker-proof…” I found this to be a relatively shocking number, but one that is believable in today’s tough economy. It would seem that most small organizations are watching every penny, and during that type of number crunching, Information Technology and I.T. Security budgets are often the first to get cut. Security has always been one of those items that, to most organizations, is a hard sell to upper management, particularly if that organization has never experienced any sort of security or data breach. Security budgets are often looked upon as, “Why are we spending so much money on something that may never happen?” Until an organization is hit, it is often a tough sell for many to pass a decent security budget.
This same article also highlights a recent study by PwC that “found 43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans.” Another interesting finding in this report was the number of respondents that have “confidence” in their plans. “Seventy-two percent of the more than 9,600 security executives…report confidence in the effectiveness of their organization’s information security activities… (a number that) has declined markedly since 2006.” This figure, in my opinion, shows that even the large organizations, as much as they may feel prepared, really are not too confident in their security preparations.
Maybe their lack of confidence comes from the large number of data and security breaches that are reported every day. Behind these breaches are the numbers. Another study from the Ponemon Institute, sponsored by Symantec, found “that the average cost of a data breach increased by seven percent to $7.2 million in 2010-with the most expensive data breach jumping 15 percent over the previous high to a whopping $35.3 million.” In addition, the study calculated that “the average data breach cost per individual compromised record is $214.” This is a staggering figure when you look at many of the breaches that have been reported; in most, hundreds of thousands of records are lost each time. Multiply these numbers by $214 and the fines and associated fees per breach climb quickly.
With these numbers in mind, this goes back to my original point, that only 27 percent of small business owners value security enough to have an outside company come in and test their security. Taking into account that many small organizations may not have the capital available for such security or “penetration” tests, it also raises the question, “Will they have enough capital to cover the fines and other fees associated with a data breach ($7.2 million on average in 2010)?”
The Weakest Link in Phishing Attacks
Enterprises today are most vulnerable to phishing exploits at the user level. Understandably, users are an easier target than the hardened, internet-facing systems in any enterprise. Phishing campaigns are getting more sophisticated and more frequent, with greater effort being focused on making the information in the emails more and more believable, even targeting specific people within an organization. Thus, users are growing less and less capable of discerning legitimate email from phishing campaigns.
This video describes the steps enterprises should take to catch these types of exploits before any data gets moved out of the network. These guidelines include, but are not limited to:
- Educate users
- Assume a user in your organization is going to get exploited
- Maintain visibility — look for activity you’re likely to see AFTER the exploit happens
- Identify and target “attractive” data in the enterprise
- Focus on the activity in-and-around “attractive” data
- Move out from this central location, monitoring & investigating accounts and users accessing “attractive” data
- Set up baseline monitoring
- Watch for anomalous activity (after hours, simultaneous authentications from multiple locations, etc.)
- Watch for activity that occurs AROUND the potential exploit.
In short, focus on attempting to find the activity AROUND the exploit, rather than solely focusing on the exploit itself.
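The guidelines above describe what to look for but not how to look. The script below is an added example, not code from the original post or from any product it mentions: it runs three of the listed checks (after-hours logins, near-simultaneous logins for one account from two locations, and a run of failures followed by a success) over a handful of constructed authentication log lines. The log format, the business-hours baseline, the time windows and the sample data are all assumptions chosen for the illustration.

```python
"""Baseline-and-anomaly checks over authentication events.

Added example; the log layout below is assumed, not a real product's format:
    <ISO timestamp> auth user=<name> src=<ip> geo=<country> result=<ok|fail>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). The "alice" pair at 12:30/12:33
# and the "bob" burst at 03:02 are the planted anomalies.
SAMPLE_LOG = """\
2012-01-09T09:12:03 auth user=alice src=10.1.4.22 geo=US result=ok
2012-01-09T09:14:40 auth user=bob src=10.1.4.31 geo=US result=ok
2012-01-09T12:30:15 auth user=alice src=10.1.4.22 geo=US result=ok
2012-01-09T12:33:09 auth user=alice src=203.0.113.7 geo=RO result=ok
2012-01-09T23:47:51 auth user=carol src=10.1.9.5 geo=US result=ok
2012-01-10T03:02:11 auth user=bob src=198.51.100.9 geo=CN result=fail
2012-01-10T03:02:19 auth user=bob src=198.51.100.9 geo=CN result=fail
2012-01-10T03:02:26 auth user=bob src=198.51.100.9 geo=CN result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>ok|fail)$"
)

BUSINESS_HOURS = range(8, 19)            # assumed baseline: 08:00 - 18:59 local
TRAVEL_WINDOW = timedelta(minutes=30)    # two countries inside this = "simultaneous"
BRUTE_WINDOW = timedelta(minutes=10)     # failures this close to a success are suspicious


def parse(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return events


def after_hours(events):
    """Successful logins outside the business-hours baseline."""
    return [e for e in events
            if e["result"] == "ok" and e["ts"].hour not in BUSINESS_HOURS]


def multi_location(events, window=TRAVEL_WINDOW):
    """Same account logged in from two different geos within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "ok":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break                  # sorted, so later events are further away
                if a["geo"] != b["geo"]:
                    hits.append((user, a["geo"], b["geo"], a["ts"], b["ts"]))
    return hits


def fail_then_success(events, window=BRUTE_WINDOW):
    """Failures for one (user, source) followed by a success inside `window`."""
    recent = defaultdict(list)             # (user, src) -> timestamps of failures
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            recent[key].append(e["ts"])
        elif recent[key]:
            fails = [t for t in recent[key] if e["ts"] - t <= window]
            if fails:
                hits.append((e["user"], e["src"], len(fails), e["ts"]))
            recent[key] = []               # success resets the counter either way
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for e in after_hours(ev):
        print("after-hours login:", e["user"], e["ts"], e["src"])
    for user, g1, g2, t1, t2 in multi_location(ev):
        print("two locations:", user, g1, t1, "->", g2, t2)
    for user, src, n, t in fail_then_success(ev):
        print("%d failures then success:" % n, user, src, t)
```

Each check is a separate function so the same baseline can be fed from a SIEM export instead of the inline sample; in practice the business-hours range and the windows come from the baseline monitoring the list recommends, not from constants.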
Is your Security Policy up to date?
It seems that every day we see a story in the news about an organization that has been affected by a data breach. And it also seems that these organizations may not have been maintaining a secure infrastructure with which to protect their data. Although this may seem illogical, it is often not the case. An organization may have the stoutest, most layered defense in place, but a well-targeted attack, or “spear phishing” attack, can bypass these controls quickly and easily. Since a task as simple as opening a malicious file in an email can compromise the data of an entire organization, this highlights the importance of an organization’s overall information security policy, specifically any administrative controls that may be in place.
These spear phishing attacks will often target specific individuals within an organization with emails that appear to be legitimate. If these email messages look authentic enough, they will often entice the recipient to open a malicious attachment, disguised as a legitimate document or spreadsheet. Once this is done, the attacker may potentially gain access to the recipient’s computer or beyond.
In this day and age, ensuring that your employees are knowledgeable and up to date on relevant security policies and procedures is critical to reducing the risk of targeted attacks within your organization. This should begin with basic messaging to your employees that outlines your security policy, including acceptable use criteria and specifically what to watch for in a potentially malicious email. In addition, annual or semi-annual testing or certification will help to ensure that your employees are aware of your security policies and have confirmed this knowledge.
This may seem like an overly simple and meaningless task, but it’s one that is often overlooked. While logical controls, like your firewalls, routers and IDS/IPS devices, will hopefully mitigate the majority of questionable messages and traffic patterns into your organization, knowledgeable and vigilant employees are often an important last line of defense in protecting your organization’s information assets.
Enhance your audit trail logging with TCPWrappers
TCPWrappers performs host-based access control for supported applications when connections are made over a network. It also logs each accepted and refused connection to syslog, enhancing the audit trail for hosts running TCPWrappers.
While most UNIX-based distributions these days already come with TCPWrappers, there are some circumstances where one or more servers do not have this feature. If you discover that this feature isn’t installed or utilized, you should consider adding it to ensure that your audit trail logging to syslog is capturing these log messages.
TCPWrappers uses /etc/hosts.allow and /etc/hosts.deny to control which hosts, IP addresses or networks (and, with ident lookups, which remote users) can establish a connection to the respective service/daemon, and this activity is logged to syslog. Services started through inetd are wrapped by running them via the tcpd program; standalone daemons only honor these files if they were built against libwrap. Some programs were never compiled with this support, while others originally lacked it but have since adopted it.
The syslog facility and severity are configurable. The default facility is fixed when TCPWrappers is compiled, and the severity option inside the two access control files noted above overrides the level, and optionally the facility, for a given rule. Because a rule can name ALL or a single daemon, the logging level and facility can be set for all services or individually.
Besides logging all the interesting messages, there is a simple and nifty way to monitor access attempts to a service that isn’t actually enabled: keep the service referenced in the inetd configuration, but have tcpd execute /bin/false in place of the real daemon. The access attempt is logged, but nothing is served and no real connection is established.
If UNIX-based systems are a part of your critical/sensitive infrastructure, review each system for the existence of TCPWrappers. If it doesn’t exist you should consider adding it, and if it does, make sure that all programs that can use TCPWrappers are configured to do so. And, of course, now that this information is logged to syslog, ensure you review these logs for any security, audit or operational activities that require extra attention or analysis.
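The following configuration fragments are an added example, not taken from the original post or from any particular distribution: they show the access control files, the per-rule severity option and the /bin/false bait entry described above. The addresses, domain name, log facility, log file path and the path to tcpd are placeholder assumptions; adjust them for your hosts.

```conf
# ---- /etc/hosts.allow (added example; addresses and domain are placeholders)
# Syntax: daemon_list : client_list [ : option : option ... ]
# Permitted SSH logins from the admin LAN are logged at auth.info rather than
# the facility compiled into tcpd/libwrap.
sshd : 10.0.0.0/255.255.255.0 : severity auth.info
# Every other wrapped service is reachable only from this host's own
# interfaces (LOCAL = hostnames without a dot) and the internal domain.
ALL : LOCAL, .internal.example.com

# ---- /etc/hosts.deny
# Anything not matched in hosts.allow is refused, logged at auth.warning, and
# also appended to a dedicated file by a spawned command. %d is the daemon
# name and %c the client information, expanded by tcpd before the shell runs.
ALL : ALL : severity auth.warning : spawn (/bin/echo "$(/bin/date) %d refused connect from %c" >> /var/log/tcpd-deny.log) &

# ---- /etc/inetd.conf
# The "/bin/false" trick: finger is not offered, but probes are still logged.
# tcpd records the connection under the name it derives from the program
# path (here "false"; an assumption about how tcpd names the daemon) and then
# runs /bin/false, which exits immediately, so no service ever answers.
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  /bin/false
```

Before relying on the rules, run tcpdchk to check both files for syntax and consistency problems, and tcpdmatch (for example, tcpdmatch sshd 203.0.113.7) to see exactly which rule a given daemon and client pair would hit and what would be logged. Note that the spawn command runs with its input and output connected to the null device, so the redirection to a file is the only place its output goes.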
LogRhythm wins "Innovator of the Year" from SC Magazine. "This is not your father's log manager."