Decade-Long Nortel Breach Signals Ongoing Threats in Cyber Espionage
The Wall Street Journal is reporting that Nortel Networks was breached for over a decade, with hackers (thought to be Chinese) enjoying unrestricted access. This is the latest reminder (see Symantec, Mitsubishi Heavy Industries, RSA, Northrop Grumman, and the United States Chamber of Commerce) of how vulnerable corporations and agencies seem to be when it comes to nation-state-sponsored cyber espionage. It is also a stark reminder of how a basic compromise (stolen credentials) can become an expansive and stealthy breach across a broad corporate network.
Industrial espionage is nothing new. Nations have always sought to bridge technology gaps by acquiring what others possess. With the rise of the Internet, it just became so much easier. Gone is the need to bribe an employee, embed a spy, or break into a site. Simply compromise a password, log in, and go to work. When you have hundreds or thousands of highly trained electrical and computer science engineers at your disposal, what chance does an unprepared adversary have?
Should we really be surprised – especially those of us who grew up in the Cold War – that nations would aggressively compromise corporate and agency networks in support of their own economic interests? As a patriot of my country, I have to wonder how many US corporations are breached and leaking right now. I’m afraid the number would be appalling – it is likely very high.
US corporations and agencies (and those of our allies) must become more diligent and vigilant in their approach to network security monitoring. The perimeter simply cannot hold; cyberthreats will find a way in. When they do, the ability to detect and quickly respond is paramount. The leaking can be stemmed, but only when appropriate resources and effort are invested. Until then, the wake-up calls will continue to get louder.
Protecting Your Company from the Dangers of USB Drives
Everyone knows how commonplace USB flash drives are today, so it comes as no surprise that they’ve become a fixture in workplaces around the world. However, in the face of potential malware and other insider threats, such as data loss or tampering, it may be time for stricter policies on their usage. After all, removable thumb drives may have been responsible for malware as infamous as the Conficker and Stuxnet worms—and there are always newer, more dangerous threats evolving every day. This should be disturbing for a number of reasons. Not only do you have the aforementioned threat of all sorts of malware (which will inevitably lead to a loss of time, money, effort, etc.), but the company’s reputation is also at stake. A study done by the Ponemon Institute (http://www.darkreading.com/security/attacks-breaches/231901835/study-how-data-breaches-damage-brand-reputation.html) showed that a data breach can cause a brand’s value to plummet by 12 to 25 percent.
So how can you best protect your company from these USB-related nightmares? If your company has absolutely no need for USB flash drives in the workplace, then – of course – they can be banned entirely. In many situations, this isn’t very practical. Instead, try these options:
1. Disable autoplay/autorun for all USB and CD/DVD drives. This will prevent malicious programs from executing automatically when a drive is connected to a machine on your network.
2. Consider updating your software. A Microsoft blog post (http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx) states that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.” Why? Windows Vista and Windows 7 have features which provide more protection against autorun’s ability to spread malware.
3. Consider encrypting all company-owned flash drives.
4. Enforce (or develop) USB flash drive-related policies. Also consider mentioning the dangers of USB flash drives in company training. No matter how technology-savvy your employees may seem, no company is immune to human error. The Department of Homeland Security (http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx), for example, found that 60% of USB drives (deliberately planted in places like federal agency parking lots) were inserted into company computers after they were picked up by unsuspecting workers. This number skyrocketed to a whopping 90% when the USB drives had the Department of Homeland Security logo. Many times, your biggest weakness might not be a malicious insider, but an employee who simply doesn’t understand the potential security risks of their actions.
5. Lastly, give Data Loss Defender a try. This is a little-used tool in LogRhythm which can help you monitor and/or prevent the use of USB flash drives (as well as CD/DVD drives).
From Deployment Manager, select:
Tools —> Administration —> Data Loss Defender Policy Manager. From here, you can create a policy which can monitor or eject certain media.
To enable the policy, click on the System Monitor Agents tab, double-click on the agent, and select:
Endpoint Monitoring tab —> Data Loss Defender tab —> Enable Data Loss Defender
After restarting your agent, your policy will be enforced. You should start seeing logs which show USB drives being connected and any data which may have been copied to the device. If you’ve enabled the eject feature, you’ll also receive a confirmation of the ejection.
With these tools, as well as the help of policies and procedures which spell out the proper use of these devices, you’ll be able to take another step closer to a safer corporate network.
The Audit Trail
The audit trail is the system’s, or at times an application’s, log data. Syslog or Windows event logs or application database tables usually contain this data. It used to be considered “noise” or an unnecessary processing burden. With regulatory and compliance requirements mandating that this “audit trail” be reviewed and maintained (i.e., retained for a specified period of time), SIEM vendors are faced with questions such as “Do we keep what we have or enhance the audit trail to better support our target markets?”. And since the former solution is generally the easiest, that seems to be the most frequent choice that organizations are making. After all, why change what is “working”?
So why aren’t compliance mandates being applied to vendor products themselves, and specifically to the audit trail subsystem, which is lacking in most SIEM solutions? When reviewing a SIEM (or any other compliance-related product), don’t overlook this aspect, and don’t simply believe that all is good because they “support syslog”. Vendors should ensure their audit trail/log data is readable by almost any means, that it includes the who, what, why and where details, and that almost all logs can be tied to a user account rather than a system/application account. Moreover, the auditing subsystem should allow for granular tuning to log everything or only what is necessary.
Standards for events and log formats are somewhat taking hold, but it will be some time before everyone is on board and adopts them in their products. Some of the above can be achieved through pre-process filtering via scripts or a robust syslog daemon, but there should be an “Audit Trail Minimum Requirements Standard” that ensures that any product carrying this “seal of approval” can and will log exactly what is needed to better support compliance and simplify the requirement to periodically review these audit trails.
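As an added illustration of what such a minimum-requirements check could look like (example code written for this post, not LogRhythm’s product or any standard), the checker below parses constructed key=value audit records and flags those missing the who/what/when/where fields or attributed only to a service account. The field names and the `svc_`/`sys_` naming convention are assumptions.

```python
import re

# Constructed sample audit records (not taken from any real product), in a
# simple key=value syslog-style format. Record 1 is attributed to a service
# account, record 2 has no actor at all, and record 3 has no source address.
SAMPLE_AUDIT = """\
ts=2012-02-14T09:05:00 user=alice action=login src=10.0.0.5 obj=vpn
ts=2012-02-14T09:06:00 user=svc_backup action=read src=10.0.0.9 obj=payroll.db
ts=2012-02-14T09:07:00 action=delete src=10.0.0.7 obj=report.pdf
ts=2012-02-14T09:08:00 user=bob action=update obj=config.xml
"""

# when, who, what, where, and on what object (assumed minimum field set)
REQUIRED = ("ts", "user", "action", "src", "obj")
# Assumed naming convention for non-person accounts
SERVICE_PREFIXES = ("svc_", "sys_")


def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; unknown keys are kept as-is."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def check_record(rec):
    """Return the list of problems with one record; empty means it passes."""
    problems = [f"missing {field}" for field in REQUIRED if field not in rec]
    actor = rec.get("user", "")
    if actor.startswith(SERVICE_PREFIXES):
        problems.append("actor is a service account, not attributable to a person")
    return problems


def audit_report(text):
    """Map record index -> problems, for every record that fails the minimum."""
    report = {}
    lines = [l for l in text.splitlines() if l.strip()]
    for index, line in enumerate(lines):
        problems = check_record(parse_record(line))
        if problems:
            report[index] = problems
    return report
```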
EC data protection directive and ongoing breaches show a new approach to IT security is needed
Following my last blog on 01/12/11, the latest European data protection guidelines have finally been revealed and make interesting reading. After some extended debate, the EC data protection directive proposals were made public on Wednesday of last week and have garnered a great deal of media attention. Organisations will have two years to implement them once they are formally adopted by the EC.
Coming from New Zealand, I find it fascinating to observe the trials and tribulations involved with implementing European-wide directives. Initial delays to publication were reportedly caused by internal disagreements over issues such as the classification of different types of data. Since being made public, the proposals are continuing to prove divisive and have been subject to external criticism. The Information Commissioner’s Office, for example, has announced that it would like to see a number of issues re-examined, including the retention and processing of special or sensitive categories of personal data and the requirement that organisations obtain prior approval for certain types of processing.
So what do the new guidelines entail? One of the biggest changes is the introduction of data breach notification obligations similar to those already in place in the US. Failing to alert both the relevant supervisory authorities and seriously affected individuals to a breach in a timely (the proposals suggest within 24 hours) or complete fashion could result in fines of up to two percent of current revenues.
The main problem many organisations will face in trying to fulfil these obligations is the lack of visibility into IT systems – a shocking number simply don’t have the capability to drill down and monitor network activity in granular detail. In the US this has led to incidents of ‘over-disclosure’, when companies have found themselves forced into issuing blanket notifications, which may overstate the severity of the incident – because they just can’t accurately identify what the breach entailed.
In the face of increasingly sophisticated attacks and growing network complexity, running an IT estate in this way is irresponsible. The new breach notification laws have now made it untenable. In order to protect both reputations and the bottom line, it is essential that every piece of data generated by IT is both collected and analysed on a continuous basis. Only by employing a Protective Monitoring approach will organisations acquire the deep insight and traceability required to connect seemingly unrelated incidents and remediate threats in real time.
Unfortunately the repeated breaches of 2011 and ongoing ‘hacktivist’ activity suggest that data breaches are now an inevitability that we all have to face up to. Rather than keeping threats out, IT security will need to adjust its approach to one that prioritises the detection and remediation of threats before they have a chance to do any damage.
So, what do you think about the new proposals – much needed reform or unhelpfully over-prescriptive? Let us know your views and how you plan to deal with new data breach notification legislation in the comments.
The Weakest Link in Phishing Attacks
Enterprises today are most vulnerable to phishing exploits at the user level. Understandably, users are an easier target than the other hardened, internet-facing systems in any enterprise. Phishing campaigns are getting more sophisticated and frequent, with greater effort being focused on making the information in the emails more and more believable – even targeting specific people within an organization. Thus, users are growing less and less capable of discerning legitimate email from phishing campaigns.
This video describes the steps enterprises should take to catch these types of exploits before any data gets moved out of the network. These guidelines include, but are not limited to:
- Educate users
- Assume a user in your organization is going to get exploited
- Maintain visibility — look for activity you’re likely to see AFTER the exploit happens
- Identify and target “attractive” data in the enterprise
- Focus on the activity in-and-around “attractive” data
- Move out from this central location, monitoring & investigating accounts and users accessing “attractive” data
- Set up baseline monitoring
- Watch for anomalous activity (after hours, simultaneous authentications from multiple locations, etc.)
- Watch for activity that occurs AROUND the potential exploit
In short, focus on attempting to find the activity AROUND the exploit, rather than solely focusing on the exploit itself.
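Two of the anomalies listed above (after-hours logins and simultaneous authentications from multiple locations) as detection logic run over constructed authentication events, added here as an example and not part of the original post. The log format, the 08:00 to 17:59 business-hours window and the 10-minute “simultaneous” window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system):
# timestamp, user, source location, outcome
SAMPLE_LOGS = """\
2012-02-14T09:05:00 alice NYC success
2012-02-14T09:07:30 alice NYC success
2012-02-14T09:10:00 bob CHI success
2012-02-14T09:12:00 bob BER success
2012-02-14T23:40:00 carol NYC success
2012-02-14T10:00:00 dave NYC failure
"""

BUSINESS_HOURS = range(8, 18)            # assumed: 08:00-17:59 local time
SIMULTANEOUS_WINDOW = timedelta(minutes=10)  # assumed threshold


def parse_logs(text):
    """Parse the whitespace-separated records into dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, location, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "location": location, "outcome": outcome})
    return events


def after_hours_logins(events):
    """Successful logins whose hour falls outside the business-hours window."""
    return [e for e in events
            if e["outcome"] == "success" and e["ts"].hour not in BUSINESS_HOURS]


def simultaneous_locations(events, window=SIMULTANEOUS_WINDOW):
    """Users who log in successfully from two different locations within `window`."""
    alerts, seen = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["outcome"] != "success":
            continue
        for prev in seen[e["user"]]:
            if prev["location"] != e["location"] and e["ts"] - prev["ts"] <= window:
                alerts.append((e["user"], prev["location"], e["location"]))
                break
        seen[e["user"]].append(e)
    return alerts


def detect(text):
    """Run both detections and return the findings for review."""
    events = parse_logs(text)
    return {"after_hours": [(e["user"], e["ts"].isoformat()) for e in after_hours_logins(events)],
            "simultaneous": simultaneous_locations(events)}
```

Failed logins are deliberately ignored by both checks so that a burst of failures does not masquerade as travel; a real deployment would baseline each user’s normal hours and locations instead of a single global window.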