Posts Tagged ‘Hacking’

What security lessons can we learn from RSA SecurID hacking?

Thursday, May 26th, 2011

A month after RSA was hacked, the world is still in disbelief that one of the oldest and most trusted security companies has been breached. Some RSA SecurID customers have already switched to a different authentication solution out of concern about the breach, and the remaining customers still worry about what further breaches could result from the RSA hack.

So, as hackers took RSA data away in this security incident, what lessons can RSA and other companies take away from it?

Lesson 1: Identify, encrypt and protect valuable information assets
Always know what you need to protect, and always prepare for the worst for your most valuable assets.

Even though EMC/RSA has not disclosed a complete list of what was lost, RSA SecurID seed records were reportedly stolen, apparently unencrypted and usable by the attackers for token prediction. Had these sensitive records been encrypted and protected with an appropriate level of security, such as dual control and authentication, the breach would not have caused as much outcry for an encryption company like RSA.
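What "encrypted under dual control" can look like in practice, as an added example (this is not RSA's code, and nothing is known about how RSA actually stored seed records): the key-encryption key is split into two custodian shares, each seed record is sealed under its own derived key, and a single share cannot open anything. The serial numbers and seeds are constructed sample values, and the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 so the example runs on the Python standard library alone; a production vault would use AES-GCM inside an HSM.

```python
"""Dual-control protection of token seed records (added illustration, not RSA's code).

The key-encryption key (KEK) is never stored whole: it is split into two
random shares held by two custodians, and only XORing both shares together
reconstructs it.  Every seed record is then sealed under a per-record key
derived from the KEK, so one leaked record key does not expose the others.
The cipher is an encrypt-then-MAC construction built from HMAC-SHA256
(keystream in counter mode plus an authentication tag) so the example runs
on the standard library alone; a production vault would use AES-GCM inside
an HSM.  Serial numbers and seeds below are constructed sample values.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(kek: bytes) -> tuple[bytes, bytes]:
    """Split the KEK into two shares; either share alone is just random bytes."""
    share_a = secrets.token_bytes(len(kek))
    return share_a, xor_bytes(kek, share_a)


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)


def key_check_value(key: bytes) -> str:
    """Short fingerprint so a ceremony can confirm both custodians brought the right shares."""
    return hmac.new(key, b"kcv", hashlib.sha256).hexdigest()[:8]


def derive_key(kek: bytes, purpose: bytes, serial: str) -> bytes:
    """Per-record, per-purpose key: HMAC(KEK, purpose | serial)."""
    return hmac.new(kek, purpose + b"|" + serial.encode(), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_record(kek: bytes, serial: str, seed: bytes) -> dict:
    enc_key = derive_key(kek, b"enc", serial)
    mac_key = derive_key(kek, b"mac", serial)
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(seed, keystream(enc_key, nonce, len(seed)))
    tag = hmac.new(mac_key, serial.encode() + nonce + ct, hashlib.sha256).digest()
    return {"serial": serial, "nonce": nonce, "ct": ct, "tag": tag}


def open_record(kek: bytes, rec: dict) -> bytes:
    serial = rec["serial"]
    mac_key = derive_key(kek, b"mac", serial)
    expected = hmac.new(mac_key, serial.encode() + rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):  # wrong key or tampered record
        raise ValueError("record %s failed authentication" % serial)
    enc_key = derive_key(kek, b"enc", serial)
    return xor_bytes(rec["ct"], keystream(enc_key, rec["nonce"], len(rec["ct"])))


def ceremony_demo() -> bool:
    """Seal two constructed seeds, then show that only both shares together open them."""
    kek = secrets.token_bytes(KEY_LEN)
    share_a, share_b = split_key(kek)
    kcv = key_check_value(kek)
    seeds = {"000123456789": secrets.token_bytes(20), "000123456790": secrets.token_bytes(20)}
    vault = [seal_record(kek, serial, seed) for serial, seed in seeds.items()]
    del kek  # the whole key exists only while a dual-control ceremony is in progress
    rebuilt = combine_shares(share_a, share_b)
    if key_check_value(rebuilt) != kcv:
        return False
    both_open = all(open_record(rebuilt, r) == seeds[r["serial"]] for r in vault)
    try:  # a single stolen share (or a single insider) cannot open a record
        open_record(share_a, vault[0])
        one_share_fails = False
    except ValueError:
        one_share_fails = True
    return both_open and one_share_fails
```

The point of the layout is that a copy of the vault file plus one custodian's share is still useless to a thief, and a record altered on disk fails the tag check instead of silently yielding a wrong seed.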

Lesson 2: Employee training and awareness on email security and phishing
The RSA hack was the result of spear-phishing: employees were sent emails at their company addresses and tricked into opening a spreadsheet attachment containing a zero-day exploit that installed a backdoor. Email has long been the primary phishing vector. Even though it is sometimes legitimate to give a company email address to business partners, employees should be trained to treat company email addresses as valuable information that needs to be protected from unauthorized use or misuse, which includes not posting company addresses on social web sites or giving them to unsolicited parties. If the attackers had not been able to send email to company addresses, the hack might not have been as easy.

Needless to say, employee awareness of the various phishing schemes and of social engineering is also necessary.

Lesson 3: Ensure the effectiveness of the firewall and perimeter protection
In the RSA hack, the backdoor (a Poison Ivy variant) was installed on the compromised PC and reached out from inside to the outside (outbound) for command and control, rather than being operated from outside (inbound). The attacker was then able to use FTP to transfer password-protected RAR files from an RSA file server to an outside staging server at a hosting provider.

This suggests that RSA either did not have a firewall in place or did not implement its firewall rules properly to prevent unauthorized outbound connections. It shows how important it is to review the configuration and rules of the perimeter devices (firewalls, routers and/or IDS) for effective protection.

Lesson 4: DLP needs to be in place and effective
Data should have been protected with a proper DLP mechanism on the perimeter to prevent FTP or HTTP uploads from internal hosts to external hosts, or at least to alert on abnormal transfers.
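The outbound review that lessons 3 and 4 call for, as an added example (not RSA's tooling, and not based on RSA's actual logs): a deny-by-default egress policy is checked against firewall connection records, and the three behaviours in the story above are reported, namely internal hosts talking to the internet without going through the proxy, FTP to an external host, and a large upload, plus the regularly timed call-home that a backdoor produces. The log lines, the proxy address 10.0.0.5, the 1 MB upload threshold and the beacon tolerance are all constructed or assumed values.

```python
"""Egress review over firewall connection logs (added illustration for lessons 3 and 4).

The log lines below are constructed for this example, as are the proxy
address, the thresholds and the egress policy; a real review would read the
firewall's own export.  The policy assumed here is deny-by-default egress:
only the proxy may talk to the internet directly, FTP to the outside is never
allowed, and large or regularly timed outbound flows are reported for DLP
and incident review.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<timestamp> <action> <proto> <src>:<port> -> <dst>:<port> bytes_out=<n>"
SAMPLE_LOG = """\
2011-03-10T14:00:01 ALLOW TCP 10.20.30.40:51234 -> 10.0.0.5:8080 bytes_out=1200
2011-03-10T14:05:00 ALLOW TCP 10.20.30.40:51240 -> 198.51.100.9:443 bytes_out=320
2011-03-10T14:10:00 ALLOW TCP 10.20.30.40:51241 -> 198.51.100.9:443 bytes_out=318
2011-03-10T14:15:00 ALLOW TCP 10.20.30.40:51242 -> 198.51.100.9:443 bytes_out=321
2011-03-10T14:20:00 ALLOW TCP 10.20.30.40:51243 -> 198.51.100.9:443 bytes_out=319
2011-03-10T15:02:11 ALLOW TCP 10.20.30.77:45000 -> 203.0.113.7:21 bytes_out=2150000
2011-03-10T15:03:00 DENY TCP 10.20.30.41:52000 -> 203.0.113.8:21 bytes_out=0
2011-03-10T16:00:00 ALLOW TCP 10.0.0.5:40000 -> 203.0.113.50:80 bytes_out=900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# RFC 1918 space is "inside"; everything else is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_PROXY = "10.0.0.5"        # assumed: the only host allowed to reach the internet directly
FTP_PORTS = {20, 21}
UPLOAD_THRESHOLD = 1_000_000     # bytes_out above this to an external host is reported
BEACON_MIN_HITS = 4              # minimum connections before judging regularity
BEACON_JITTER = 0.10             # max deviation from the mean interval, as a fraction


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines the parser does not understand
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def regular_intervals(times: list[datetime]) -> bool:
    """True when every gap between consecutive hits is within BEACON_JITTER of the mean gap."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= BEACON_JITTER * mean for g in gaps)


def analyze(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return sorted, de-duplicated (finding, src, dst) tuples for permitted inside-to-outside flows."""
    findings = set()
    flows = defaultdict(list)
    for r in records:
        if r["action"] != "ALLOW" or not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # denied traffic and internal-only traffic are out of scope here
        key = (r["src"], r["dst"])
        flows[key].append(r["ts"])
        if r["src"] != EGRESS_PROXY:
            findings.add(("direct-egress", *key))       # firewall rule gap (lesson 3)
        if r["dport"] in FTP_PORTS:
            findings.add(("ftp-upload", *key))          # DLP policy violation (lesson 4)
        if r["bytes"] > UPLOAD_THRESHOLD:
            findings.add(("large-upload", *key))        # abnormal transfer volume (lesson 4)
    for key, times in flows.items():
        if len(times) >= BEACON_MIN_HITS and regular_intervals(sorted(times)):
            findings.add(("beacon", *key))              # command-and-control style call-home
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print("%-14s %s -> %s" % finding)
```

On the sample, the workstation's five-minute connections to 198.51.100.9 are reported both as a rule gap and as a beacon, the file server's 2 MB FTP session is reported three times over, the DENY line produces nothing (the firewall did its job), and the proxy's own web traffic is silent.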

Lesson 5: Malware detection and employee awareness
It appears that RSA failed to detect the malware in the email attachment, and that the employee was not aware of the risk of opening an unrecognized external email attachment. Given how common malware is in hacking incidents, malware detection and prevention must be in place, and employees need to be educated to avoid becoming victims of malware. Research into potential malware polymorphism and variants could give a company an advantage in defending against malware beyond known exploits.

With all that said, despite all the security hardware, software and training in place, there is always a chance that an attacker will cause a breach somehow, so effective intrusion detection and monitoring are required. It is not clear how RSA detected this APT-style SecurID attack, but network IDS or host IDS help security analysts identify breaches. A SEMS or SIEM can provide easier correlation among different systems if the relevant events are captured and aggregated into it. Hopefully someday RSA will tell the story of how the attack was detected and prove to the world the value of security devices and software, so that companies will continue to buy EMC/RSA security products with some faith in the security of a company that was once well respected.

Thoughts on Verizon 2010 Data Breach Investigations Report

Sunday, August 1st, 2010

On July 28th, 2010, the Verizon Investigative Response Team (Verizon IR) and the United States Secret Service (USSS) released the 64-page “Verizon 2010 Data Breach Investigations Report”. After reading the report, I feel that it is very informative, and I would like to highlight and comment on a few top findings that are especially interesting to me. Obviously my comments represent only my own opinion, based on my personal experience in the information security field, and could be biased.

Here are my highlights and comments on the report.

1. Data collection and aggregation

According to the report, the data used is aggregated from Verizon's 2004-2009 paid forensic investigations of confirmed breaches and from 2008-2009 USSS cases involving confirmed organizational data breaches. While the report provides valuable insight into the data breach landscape of recent years, it would be even better if it aggregated USSS cases for the same 2004-2009 period, so that it reflects the five-year data breach landscape more accurately, or, if it used only 2008-2009 data, so that it is more accurate for that one-year span. Nevertheless, the report is still an excellent mining of aggregated data through the collaboration of both organizations.

2. Top findings on the attacking vectors

The report finds that 70% of data breaches resulted from external agents and 48% from insiders. One interesting point to note is that insider attacks have increased by 26%. The significant increase in insider threat indicates that internal controls should get more attention, given the enormous amount of inside information an insider can obtain and use for an attack. Internal information assets and employees are supposed to be “trustworthy”, and any suspicious act can easily be “justified”, which makes internal control and monitoring more challenging than for external systems or people.

3. Top findings on how the breach happened

The report finds that 48% of data breaches involved privilege misuse (+26%) and 40% resulted from hacking (-24%). The use of stolen credentials was the number one hacking type in both the Verizon and USSS datasets, followed by backdoor exploitation and SQL injection. Recall that in the 2005-2006 Wal-Mart breach, attackers used stolen ex-employee VPN login credentials to gain access, and not just one ID but one ID after another, indicating that the company's access control policy was either not in place or not executed well enough. As an analyst who has supported various authentication systems, database systems and applications, I would say that access control and authorization are simple in principle but difficult to implement and maintain, especially for big companies. The issue is not that people do not know how authentication or authorization works; it is that a company may have many different systems, organizations and levels of access requirements, so not only is it difficult to design and implement a one-size-fits-all solution, but even after a solution is in place, requirements change over time while the design is hard to change. As a result, authentication IDs may stay around forever, and authorizations may grow beyond what is needed without being updated or deleted in time. Once attackers somehow learn of these IDs, it is an easy game for them. The report highlights the importance of proper maintenance of authentication systems and access control. User credentials and authorization are always the first door to secure for any information asset.
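The stale-ID and over-authorization problem described above, as a periodic access review script (an added example; it is not from the report or the Wal-Mart case, and the HR roster, role baseline, account export and 90-day dormancy window are constructed or assumed): the review joins the authentication system's accounts against HR and against a least-privilege baseline, and reports IDs that outlived their owners, IDs nobody uses, IDs nobody owns, and entitlements beyond what the role needs.

```python
"""Access-control review over account data (added illustration, not from the report).

The roster, role baseline and accounts below are constructed for this example,
and the 90-day dormancy window is an assumed policy value.  The review flags
IDs that outlive their owners (the ex-employee VPN case), IDs that are never
cleaned up, IDs with no owner at all, and authorizations that grew beyond
what the role needs.
"""
from __future__ import annotations

from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed policy: no login for 90 days means review

# Constructed HR roster: who still works here.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "active"}

# Constructed least-privilege baseline: entitlements each role is supposed to have.
ROLE_BASELINE = {"analyst": {"vpn", "ticketing"}, "dba": {"vpn", "db-admin"}}

# Constructed account export from the authentication system.
ACCOUNTS = [
    {"user": "alice", "role": "analyst", "enabled": True, "last_login": date(2010, 7, 20),
     "entitlements": {"vpn", "ticketing"}},
    {"user": "bob", "role": "dba", "enabled": True, "last_login": date(2010, 6, 30),
     "entitlements": {"vpn", "db-admin"}},
    {"user": "carol", "role": "analyst", "enabled": True, "last_login": date(2010, 1, 5),
     "entitlements": {"vpn", "ticketing", "db-admin"}},
    {"user": "svc_backup", "role": None, "enabled": True, "last_login": None,
     "entitlements": {"db-admin"}},
    {"user": "dave", "role": "analyst", "enabled": False, "last_login": date(2009, 12, 1),
     "entitlements": {"vpn"}},
]


def review_accounts(accounts: list[dict], roster: dict, baseline: dict, today: date) -> list[dict]:
    """Return one finding per problem, sorted by user then finding type."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled ID cannot be used to log in; nothing to act on here
        user = acct["user"]
        status = roster.get(user)
        if status is None:
            findings.append({"finding": "orphan", "user": user, "detail": "no owner in HR roster"})
        elif status != "active":
            findings.append({"finding": "terminated-still-enabled", "user": user, "detail": status})
        last = acct["last_login"]
        if last is None or today - last > DORMANT_AFTER:
            findings.append({"finding": "dormant", "user": user,
                             "detail": "last login %s" % (last or "never")})
        allowed = baseline.get(acct["role"])
        if allowed is not None:
            extra = acct["entitlements"] - allowed
            if extra:
                findings.append({"finding": "excess-entitlement", "user": user,
                                 "detail": ",".join(sorted(extra))})
    return sorted(findings, key=lambda f: (f["user"], f["finding"]))


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, date(2010, 8, 1)):
        print("%-24s %-12s %s" % (f["finding"], f["user"], f["detail"]))
```

Run against the sample as of 2010-08-01, bob is the ex-employee whose VPN-capable ID was never disabled, carol has not logged in for months and carries a db-admin entitlement her role does not include, and svc_backup is an unowned, never-used ID holding the same privilege.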

Not surprisingly, the report also finds that web application hacking and database server attacks account for the highest percentage of breaches and of records in terms of attack pathway. Because of the universal accessibility of web applications and their connection to backend databases, it remains critical to secure web applications and databases and to implement monitoring to contain web attacks and database hacking such as SQL injection.

4. How the breach is detected

The report finds that 61% of breaches were discovered by a third party, that 86% of victims had evidence of the breach in their log files, and that 96% of breaches were avoidable through simple or intermediate controls. This may indicate that, for the entities involved in data breaches, the effectiveness of breach monitoring and detection still needs to be improved, perhaps by allocating more resources, enhancing employees' event analysis skills, and improving the monitoring processes.

5. Two interesting points from the report

I found two points from the report especially interesting. One is that the report finds that “encryption is useless”, because “Attackers are adept at maneuvering around a strong control (like encryption) to exploit other points of weakness”. I'm not into this finding, because even though, given enough skill and time, any encryption system can be broken, encryption nevertheless remains one layer of defense in protecting valuable assets. In some cases an attacker may get around the encryption, but in most cases it is still an effective countermeasure, especially against attacks that rely on sniffing data. As in the World War II novel “Top Secret”, encryption may not be strong enough forever, but the time needed to break the system is sometimes more critical than the encryption itself, and the time needed to get around the encryption depends on the links outside the encryption. A breach through other weak links has no correlation with the effectiveness of the encryption; it simply means that a breach can happen through non-encrypted links.

Another interesting point is that cyber gangs have increasingly been using digital currency. Since money is simply a token of exchange, I'm impressed by the creativity of the hacking community. After all, they need to find an innovative way to make a living too.

6. Summary

Overall I find the Verizon 2010 data breach report excellent. It has highlighted the importance of protecting user credentials and controlling access privileges, and of protecting web applications and databases. It emphasizes the importance of effective monitoring, log analysis and PCI compliance, and makes a good point about filtering outbound traffic for data protection.

With all the numbers and points in the report, prevention of data breaches still relies on the overall company security posture. As always, security is only as strong as its weakest link. To me, the strongest and the weakest link is the people who protect the information assets. People can use or misuse technology, and can develop robust processes or fail to follow the best process. The security of information assets ultimately depends on the skill and ability of the team on the job to implement technology and process and to diligently follow through on the processes. The best employees are always the best security for the company.

p.s.

For readers who have not had a chance to read the report, the full original report is available at the link below:
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf



Improve ROI for deploying Intrusion Detection/Prevention System

Sunday, January 17th, 2010

Because of regulatory and compliance requirements from laws and standards such as Sarbanes-Oxley, PCI, GLBA, FISMA and HIPAA, companies need to deploy an Intrusion Detection and Prevention System (IDS/IPS, or IDPS) and demonstrate to federal auditors that company data security is monitored and that breaches are detected and acted upon. The importance of IDS and IPS has been highlighted by some well-known incidents, such as the 2005-2006 Wal-Mart intrusion and, more recently, the Comcast DNS hijacking and the DDoS attacks on Google, Twitter and Facebook.

Deployment and operation of an IDPS differs from other enterprise security products such as firewalls in that it involves a data analysis phase before and after deployment, and the effectiveness (or ROI) of the IDPS depends heavily on interactive alert tuning and data analysis techniques.

To achieve the best ROI from deploying an IDPS, the following needs to be considered.

1. Choose between IDS and IPS.

An IDS product typically operates in passive monitoring mode and does not interfere with production traffic, though it requires manual action to analyze and stop an intrusion. An IPS typically installs inline at a network choke point and can automatically detect and block intrusions. However, due to the high false positive rate, caution is needed when deploying an IPS on critical networks. Some vendors, such as Sourcefire and TippingPoint, offer appliances that can operate in both IDS and IPS mode.

2. Choose between NIDS and HIDS

A Network Intrusion Detection System (NIDS) monitors aggregated network traffic, whereas a Host Intrusion Detection System (HIDS) is installed on individual hosts as part of endpoint security. It is best to deploy both, to have visibility into both network data and host data for correlation. Needless to say, for a large enterprise, deploying and supporting a large number of HIDS agents is quite a challenge and costly, so it is recommended to deploy them only on critical hosts. Small companies can go with just HIDS.

3. Choose where to deploy NIDS

A NIDS is an important perimeter security device. One critical decision for NIDS deployment is whether to deploy it outside or inside the firewall. This affects not only the scope of the intrusion data collected but also NIDS management. If deployed outside the perimeter firewall, the NIDS can monitor all outside traffic, but at the same time it potentially introduces more false positive events. It is like hanging an alarm outside the door: anyone walking by could trigger a false alarm. Also, managing the IDS will require rules configured on the firewall behind it. Deploying inside the firewall has the benefit of monitoring only the traffic that passes through the firewall, potentially cutting down significantly on the noisy data for intrusion analysis. It also avoids the hassle of firewall rule maintenance. Deploying inside the firewall focuses on catching whoever breaks down the door; the downside is that you will not always know who is knocking on the door, if you care.

4. Implement effective data capture and analysis techniques

The ROI of an IDPS depends heavily on effective data capture and analysis. Most often, an IDPS captures too much noisy data (false positives), with the real intrusions lost in the noise. Without effective data capture and analysis techniques, analysts waste time filtering false positives and may miss a true intrusion, or not catch it in time. It is also tedious for an analyst to eyeball massive amounts of IDS data. It is important to configure IDS signatures to capture data related to the network environment and the important business traffic. OLTP databases such as Oracle have good utilities that can be used to manage and mine those data sets and turn data into meaningful information. Critical intrusion events typically require a bottom-up analysis technique, but for general analysis of large data sets, a top-down mining tool is helpful.
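The two analysis directions described above, as an added example that is not part of the original post or any vendor's tooling: a top-down pass counts alerts per signature and per source to find the low-priority rules that generate most of the volume (tuning candidates), and orders what is left by priority; a bottom-up pass pulls every event for one high-priority signature in time order. The alert lines are constructed in Snort's alert_fast layout, the signature IDs in the local 1000000+ range are invented for this example, and the 40% volume threshold is an assumed tuning rule.

```python
"""Top-down and bottom-up triage of IDS alerts (added illustration, not vendor tooling).

The alert lines below are constructed in Snort's "alert_fast" layout; the
signature IDs are in the local 1000000+ range and invented for this example,
as is the 40% volume share used to pick tuning candidates.  Top-down: count
by signature and by source, set aside the low-priority rules that produce
most of the noise, and queue the rest by priority.  Bottom-up: pull every
event for one signature and read it in order.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_ALERTS = """\
03/10-14:00:01.000000  [**] [1:1000001:1] LOCAL ICMP echo from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.20.30.40
03/10-14:00:02.000000  [**] [1:1000001:1] LOCAL ICMP echo from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.20.30.41
03/10-14:00:03.000000  [**] [1:1000001:1] LOCAL ICMP echo from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.20.30.42
03/10-14:00:04.000000  [**] [1:1000001:1] LOCAL ICMP echo from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.20.30.43
03/10-14:00:05.000000  [**] [1:1000001:1] LOCAL ICMP echo from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.20.30.44
03/10-14:12:44.120000  [**] [1:1000002:1] LOCAL HTTP SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40211 -> 10.20.30.50:80
03/10-14:12:45.301000  [**] [1:1000002:1] LOCAL HTTP SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40212 -> 10.20.30.50:80
03/10-15:02:11.000000  [**] [1:1000003:1] LOCAL outbound FTP to external host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.20.30.77:45000 -> 203.0.113.7:21
03/10-15:30:00.000000  [**] [1:1000004:1] LOCAL SSH login failures [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 2] {TCP} 203.0.113.12:51000 -> 10.20.30.60:22
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
NOISE_SHARE = 0.40   # assumed: a priority-3 rule producing >= 40% of all alerts is a tuning candidate


def split_endpoint(ep: str) -> tuple[str, int | None]:
    """'10.0.0.1:80' -> ('10.0.0.1', 80); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_alerts(text: str) -> list[dict]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # unknown layout; a real run would count these for review
        a = m.groupdict()
        a["prio"] = int(a["prio"])
        a["src"], a["sport"] = split_endpoint(a["src"])
        a["dst"], a["dport"] = split_endpoint(a["dst"])
        alerts.append(a)
    return alerts


def summarize(alerts: list[dict]) -> dict:
    """Top-down view: volume by signature and by source address."""
    return {"by_sid": Counter(a["sid"] for a in alerts), "by_src": Counter(a["src"] for a in alerts)}


def tuning_candidates(alerts: list[dict], share: float = NOISE_SHARE) -> list[tuple[str, str, int]]:
    """Low-priority signatures that dominate the volume: threshold or suppress, do not just ignore."""
    total = len(alerts)
    by_sid = summarize(alerts)["by_sid"]
    msg = {a["sid"]: a["msg"] for a in alerts}
    worst = {a["sid"]: min(p["prio"] for p in alerts if p["sid"] == a["sid"]) for a in alerts}
    return [(sid, msg[sid], n) for sid, n in by_sid.most_common()
            if n / total >= share and worst[sid] >= 3]


def priority_queue(alerts: list[dict]) -> list[tuple[str, str, int, int]]:
    """What the analyst reads first: remaining signatures by priority, then by volume."""
    noisy = {sid for sid, _, _ in tuning_candidates(alerts)}
    rows = {}
    for a in alerts:
        if a["sid"] in noisy:
            continue
        row = rows.setdefault(a["sid"], [a["msg"], a["prio"], 0])
        row[1] = min(row[1], a["prio"])
        row[2] += 1
    return sorted(((sid, m, p, n) for sid, (m, p, n) in rows.items()), key=lambda r: (r[2], -r[3], r[0]))


def bottom_up(alerts: list[dict], sid: str) -> list[dict]:
    """Every event for one signature, in time order (timestamps sort as text within a day)."""
    return sorted((a for a in alerts if a["sid"] == sid), key=lambda a: a["ts"])
```

On the sample, the monitoring host's ICMP rule is the only tuning candidate (5 of 9 alerts, priority 3), the queue then reads SQL injection first, and the bottom-up pull for that signature shows the same external source hitting the same web server one second apart.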

In summary, deploying an IDPS should be part of the enterprise defense-in-depth strategy. The company's internal and perimeter networks and the external threats need to be evaluated in order to test and choose the right IDS/IPS vendor product (Enterasys, Sourcefire and TippingPoint, to name a few). Based on company policy requirements, choose whether to deploy the IDPS inside or outside the perimeter firewalls. Based on the IDPS product features and the nature of the network traffic in the environment, implement effective signatures or baselines for data capture, intrusion alerting and data analysis. Data mining techniques and OLTP database tools are highly recommended to help identify true intrusion patterns in massive network traffic data.