Friday, May 27, 2011

More on the state of IT security

In my last post I touched on the various threat vectors and some ways that might prove effective in addressing them.  Late today (5/28/2011), I learned more details from the MSN site about the extent of the RSA break-in (http://www.msnbc.msn.com/id/43199200/ns/technology_and_science-security) and discovered, to my dismay, that what I had feared, but not voiced, had in fact proven true.  It appears that not only were cell phone tokens taken, but also enough information to invalidate the two-factor security devices that are used by many large defense corporations and also by some banks for wire transfers.

These devices provide a new password when prompted that is only valid for 60 seconds (typically), to minimize the chance that an intruder who holds a valid user ID can break into an account.  Unfortunately, we now have proof that this solution no longer provides a safe method of securing information.  We only know for sure that Lockheed Martin was hacked; other contractors and banks that use this technology aren't talking at this point.

As I see it, we are left with only two high security solutions, and only one which is valid for external access.

For internal access:
  • Require simultaneous login by two users with IDs and passwords at the same station.  One should be from the security dept and the other the user.  
  • Logs need to be kept and stations visually monitored.  This should be used for all administrative login needs and restricted to visually monitored stations. 
  • Everyone on site should be required to carry a picture ID that can be checked on demand by security. 
  • Validation against a protected isolated security server should be required for both user IDs used at login and for the ID cards carried by all personnel.
  • All maintenance processes need to be carried out by a two man team.
For external access:
  • Use a token device (like RSA provides) in addition to Biometric checks which are verified against a copy in a protected isolated server system. 
  • A call back from security with a series of personal information questions and answers required.  In addition, a voice comparison and stress analysis could be done. 
  • This would tighten things up a bit, but is still not a guarantee. Fingerprints can be lifted, voices recorded, et al. 

Rant time
In truth, there is no security other than eternal vigilance... and that takes money, intelligent, alert security and admins, and responsible management.  CEOs and CFOs need to hire the best (not cheapest) IT people and enough of them that they aren't sleepwalking through their shifts.  It would also be a good idea to listen to them rather than to the salesman who is trying to sell them the latest, greatest solution.  You can now see where that leads.

Monday, May 23, 2011

On the state of IT security - Inhouse and in the cloud

I am sure that most of you who read this somewhat irregular column are by now quite familiar with the recent rash of security breaches (Michaels, PlayStation Network (Sony), and RSA to name a few).

What this leaves us all with is the continuing quandary of how to keep these people out.  So I think today that I will address several of the most common vectors and some possible ways of dealing with them. 

  • Brute force attack
    • Technique - These are generally massive and rapid fire attempts, often from multiple apparent sources which pound a service with login attempts.  The goal is quite simply to try every possibility until a working access is obtained.
    • Possible solution - track all login attempts, after 3 retries, reroute attempts from this source IP to an alternate site which accepts after a random number of rejections, and drops the hacker into a honeypot while notifying security and doing a backtrace.  Also, increase the minimum amount of time between those first 3 attempts for an IP (say about 5-10 seconds).
  • Break the service
    • Technique - hacker tries to break the service to obtain administrative control.  Buffer overruns are the first choice here.
    • Possible solution - Only one here.  Spend the time and the money to do testing for this.  Make sure your programmers address any conceivable error condition (default handling is fine as long as it is handled).  Better a user gets thrown out than the service be compromised.  Don't rush an installation and don't rush the coders.  Make the coders check their code and then have an independent team confirm it.
  • SQL Injection
    • Technique - alter an SQL query sent to a database by commenting out the remainder of the query built from a web page/form and inserting your own.
    • Solutions
      • Don't put direct queries in the web form
      • Validate all fields, discarding any inappropriate characters (then start tracking the session) and drop the hacker into the honeypot and begin tracing.
      • Again testing is imperative.  Also best practices (Model View Model, etc.) can reduce this.
      • Lastly don't rush the coders.  And test for this vulnerability.
  • Bad Users
    • Techniques
      • Passwords or user ids written down, in docs on unsecured laptops, phones or PDAs
      • Cruising bad websites
      • Clicking on e-mail links from people you don't know or you were not expecting.
      • Poor helpdesk or security desk training.
      • Poor security implementation.
      • Poor management.
      • Use of USB flash drives
      • Permitting non-company computers on the corporate network.
      • Of all of these, poor corporate management is the most flagrant and costly and is implied by all the preceding points.  If upper management doesn't follow appropriate security practices, it's hard to enforce it on the worker bees.
    • Solutions
      • Management must get serious about security.  This means developing and enforcing a corporate policy.   To include:
        • Training for all new employees
        • Retraining once per year (minimum)
        • Requiring managers to be aware of what their employees are doing on their computers (which is why they are called managers)
        • Failure to comply needs to be a mandatory dismissal.
      • To avoid the bad websites, threats from personal e-mails and non-company computers, allow people to bring their laptops from home and provide them with public access.  While this may cost the company a couple of hundred dollars per year, it is nothing compared to the cost of a single virus outbreak or hack.
      • While USB drives are incredibly convenient, they are also the biggest new vector for hackers, as they pretty much bypass all security external to the attached computer.  Easiest course is not to use them and block users from using them (easiest way is to disconnect the motherboard USB connectors and then lock the computer case).  However, if you do decide to permit them, then they should be serialized, tracked, audited and erased and returned to the available bin.
  • Outsourcing, public cloud computing/fired employees
    • Technique - Typically, a recently fired employee decides to get revenge by breaking their old employer's systems - and you get caught in the crossfire (Zodiac Island - loss of an entire year's worth of shows).  And/or the hosting company is less than stellar in their retention and backup policies (same case). 
    • Solutions
      • Use in-house or a private cloud solution where your own team can verify that things are running properly.
      • Verify that the hosting company is following through on backups and retention.
      • Test your backup schemes regularly (once a week at least if practical).  You don't have to check everything every time, but hit everything at least a couple of times a year - frequency to be based on data importance and its frequency of updates.
      • Use more than one hosting entity for backups (e.g. use IBM and Sungard for replication sites).
      • Research your hosting provider, get customer references, and don't use a lowest cost service.  You get what you pay for.
      • When you let someone go, remove and verify removal of their access before letting them leave the building (under escort).  Also make sure that you get back any company owned equipment.
  • Corporate/Nation State/Terrorist hacking
    • Technique - All of the above.  These people have the best hackers that money can buy and lots of bodies to throw at cracking your systems.
    • Solutions
      • Apply all the solutions above.
      • Have your firewalls and services tested regularly (at least once per year or update).
      • Don't take any vendor's word that their product will keep you safe.
      • Employ multiple security solutions that protect you in multiple ways.
      • Spend the money to acquire good IT professionals (as opposed to the cheapest) and enough of them that they aren't sleepwalking through their work day (no more than 50 hours per week, and with an average of no more than 42 hours - tired people miss things and if they do it is your fault not theirs).
      • Consider implementing 2/3 factor security for all in-house and agent logins
This is just what I can think of off the top of my head.  I am sure that there are additional vectors that I have missed.  Before you dismiss this as being too costly and resource intensive, consider what the cost would be if you were hacked and either sued, or lost critical data (e.g. financials, bank accounts, A/R).  If someone in upper management complains, ask them if they would be willing to take financial and possibly criminal responsibility for any lapse.  Then get their response in writing for the inevitable event.
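To make the brute force and SQL injection items in the list above concrete, here is an added example of my own (not code from the original post): a small login handler that throttles attempts per source IP with a growing delay, flags the source for diversion after the third failure, and looks the user up with a parameterized query. The vulnerable string-built query is shown beside it so the "commenting out the balance of the query" technique can be seen failing against the parameterized version. The user table, the IP addresses and the password are constructed for the example; a real system would compare a salted password hash rather than the password itself.

```python
import sqlite3
import time
from collections import defaultdict


def build_db():
    """Constructed in-memory user table so the example runs offline.
    Real systems store a salted hash, never the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The 'direct query in the web form' anti-pattern: form input is pasted
    straight into the SQL text, so a username of  alice' --  comments out
    the password check."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized query: the driver keeps the data separate from the SQL
    syntax, so quote characters in the input are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


class LoginThrottle:
    """Per-source tracking of failed attempts.  After each failure the minimum
    gap before the next attempt grows by base_delay seconds (5 s, then 10 s);
    after max_failures the source is marked for diversion (the post's honeypot
    branch, where security would also be notified).  The clock is injectable
    so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=3, base_delay=5.0, now=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.now = now
        self.failures = defaultdict(int)
        self.last_attempt = {}

    def check(self, source_ip):
        """Return 'allow', 'wait' or 'divert' for a new attempt from source_ip."""
        n = self.failures[source_ip]
        if n >= self.max_failures:
            return "divert"
        last = self.last_attempt.get(source_ip)
        if last is not None and self.now() - last < self.base_delay * n:
            return "wait"
        return "allow"

    def record(self, source_ip, success):
        """Log the attempt; a success clears the failure count for that source."""
        self.last_attempt[source_ip] = self.now()
        if success:
            self.failures.pop(source_ip, None)
        else:
            self.failures[source_ip] += 1


def handle_login(conn, throttle, source_ip, username, password):
    """Combine the throttle with the parameterized lookup.
    Returns 'ok', 'denied', 'wait' or 'divert'."""
    decision = throttle.check(source_ip)
    if decision != "allow":
        return decision
    ok = safe_login(conn, username, password)
    throttle.record(source_ip, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable query with alice' -- :", vulnerable_login(db, "alice' --", "x"))
    print("parameterized query with alice' -- :", safe_login(db, "alice' --", "x"))
    throttle = LoginThrottle()
    for _ in range(5):
        print(handle_login(db, throttle, "10.0.0.9", "alice", "wrong"))
```

Run it directly to see the injected username succeed against the string-built query and fail against the parameterized one, followed by the throttle moving from "denied" to "wait" and finally "divert" for the repeated failures from one address.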