<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;DkENRHsyfSp7ImA9WxNUF04.&quot;"><id>tag:blogger.com,1999:blog-3904462731148724809</id><updated>2009-11-08T18:44:55.595-08:00</updated><title>Security</title><subtitle type="html">&lt;b&gt;"Those who can see the Invisible can do the Impossible"&lt;/b&gt;</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://hack0r.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://hack0r.blogspot.com/" /><link rel="hub" href="http://pubsubhubbub.appspot.com/" /><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>3</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="license" type="text/html" href="http://creativecommons.org/licenses/by-nc-nd/3.0/" /><logo>http://creativecommons.org/images/public/somerights20.gif</logo><link rel="self" href="http://feeds.feedburner.com/blogspot/UTnO" type="application/atom+xml" /><feedburner:emailServiceId>blogspot/UTnO</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry 
gd:etag="W/&quot;CUQHSX45fip7ImA9WxNUEkk.&quot;"><id>tag:blogger.com,1999:blog-3904462731148724809.post-8838270465702310456</id><published>2009-11-03T01:10:00.000-08:00</published><updated>2009-11-03T02:15:38.026-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-03T02:15:38.026-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Trend" /><category scheme="http://www.blogger.com/atom/ns#" term="Compliance" /><category scheme="http://www.blogger.com/atom/ns#" term="Vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="Integration" /><category scheme="http://www.blogger.com/atom/ns#" term="CISO" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk" /><title>Security Trend and Integration</title><content type="html">&lt;span style="font-family: arial; font-size: 130%;"&gt;In the last 15 years, security has changed drastically. Initially, security was focused on the operating system and its patches. Windows NT + IIS 4.0 web server in its default configuration spelled disaster: by default everything worked, and for security you had to run the hardening script. The advent of the Internet brought an altogether different perspective and outlook to the word "stealing"!&lt;br /&gt;
With this technology, someone in Russia can hack into servers in the US via zombies sitting in Germany. To prevent attacks from the Internet, the firewall was developed. Best practice for a firewall was to allow the required protocols and services and deny everything else; "Deny ANY ANY" was the catch-all rule for every firewall.&lt;br /&gt;
As time went by, hackers became more sophisticated, and a whole new level of attacks arrived with Firewalk and especially with TCP and IP fragmentation, which could bypass the firewall. The allowed services also had no protection of their own: if port 80 was allowed, someone could easily exploit a bug in IIS.&lt;br /&gt;
If IIS had the Unicode vulnerability, then sure enough the firewall (stateful or packet filter) would pass the directory traversal, and if the IIS root was on the same logical drive as the system root, one could get a shell on the remote machine.&lt;br /&gt;
Hence the advent of IDS and IPS technology to thwart these attacks on the allowed services and protocols.&lt;br /&gt;
Hackers soon realized that both firewalls and IPS had inherent weaknesses in their protocol stacks, especially around IP fragmentation (overlapping fragments), which could be used to bypass them. Many tricks were identified, and papers were written on IDS/IPS evasion techniques; one of them was Thomas H. Ptacek and Timothy N. Newsham's paper on eluding network intrusion detection. Based on this paper, Dug Song wrote Fragroute.&lt;br /&gt;
Whitehats soon realized that IPS is not nirvana and that something more than IPS and firewalls was required.&lt;br /&gt;
Some key security players came up with the concept of security closer to the host, to avoid the typical issues with network-based security devices. Hence the start of AV + host-based IDS/IPS + firewall.&lt;br /&gt;
If you look at the product set, all the security products except the firewall took the approach of identifying all the bad things, which are infinite in number; the firewall, on the other hand, denied everything except a few allowed trusted sources and protocols.&lt;br /&gt;
Network-based or host-based, every technology except the firewall was based on signatures, behavior, or some hybrid approach (a combination of both) to identify malicious intent.&lt;br /&gt;
While whitehats were busy securing OSes and networks with these technologies, Web 2.0 arrived and new application-based attacks were identified on the application server side, like XSS, SQL injection and cross-site request forgery.&lt;br /&gt;
Clients became more and more powerful; technologies like AJAX, JavaScript and ActiveX on the client side created a whole new category of vulnerabilities, client-side vulnerabilities, which were hard to detect with scanners.&lt;br /&gt;
To reduce such attacks, application firewalls and IPS with appropriate application vulnerability signatures and protocol decode capabilities were introduced to the market.&lt;br /&gt;
For client-side vulnerabilities, scanners started adding checks to identify key vulnerabilities in MS Office, web browsers and other client-side and P2P applications.&lt;br /&gt;
Soon everyone realized that this was not enough, and along came application whitelisting technology, based on the same concept as the firewall: allow known applications to execute and disable execution of any other application or code.&lt;br /&gt;
As I said before, conceptually we are back to square one! It is the same concept as the firewall where everything started, allow the required services and deny everything else, only this time it is on the host and for applications!&lt;br /&gt;
We took a complete 360 degree turn and we are back at the same point.&lt;br /&gt;
The trend from network to host is clear:&lt;br /&gt;
Firewall --&amp;gt; IDS --&amp;gt; IPS --&amp;gt; Application Proxy.&lt;br /&gt;
On the host: AV --&amp;gt; Firewall --&amp;gt; IDS/IPS --&amp;gt; Application Whitelisting&lt;br /&gt;
&lt;br /&gt;
Soon another paradigm was introduced by the DLP players, data-centric security, and new gadgets were introduced for IT to prevent unauthorized, malicious or unintentional data leakage.&lt;br /&gt;
&lt;br /&gt;
However, the question is: if you have all these technologies to secure your data, how do you integrate them and identify trends in order to proactively identify threats?&lt;br /&gt;
&lt;br /&gt;
Integration between these technologies is a must! All the security products in the organization should form one huge ecosystem, with the ability to share information and alerts and to learn from them. This is organization-wide integration, which is a must in today's challenging and evolving technology space.&lt;br /&gt;
&lt;br /&gt;
While organization-wide integration is great, I am envisaging inter-organization information sharing: like blackhats contribute to and support each other in the community, whitehats should have some way of sharing their data between organizations, which allows them to better prepare for the threats.&lt;br /&gt;
Having said that, we are not too far away from it; I believe cloud computing will allow us to do just that!&lt;br /&gt;
Only time will tell....&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3904462731148724809-8838270465702310456?l=hack0r.blogspot.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UTnO/~4/f_bAdOx5LC0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://hack0r.blogspot.com/feeds/8838270465702310456/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3904462731148724809&amp;postID=8838270465702310456&amp;isPopup=true" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3904462731148724809/posts/default/8838270465702310456?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3904462731148724809/posts/default/8838270465702310456?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/UTnO/~3/f_bAdOx5LC0/security-trend-and-integration.html" title="Security Trend and Integration" /><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="10712978689853367297" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://hack0r.blogspot.com/2009/11/security-trend-and-integration.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUEDR34-fSp7ImA9WxVWEko.&quot;"><id>tag:blogger.com,1999:blog-3904462731148724809.post-1380118863989884480</id><published>2009-02-21T18:38:00.000-08:00</published><updated>2009-02-21T19:34:36.055-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-02-21T19:34:36.055-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Risk Management" /><category scheme="http://www.blogger.com/atom/ns#" 
term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Compliance" /><category scheme="http://www.blogger.com/atom/ns#" term="CISO" /><category scheme="http://www.blogger.com/atom/ns#" term="GRC" /><category scheme="http://www.blogger.com/atom/ns#" term="Risk" /><category scheme="http://www.blogger.com/atom/ns#" term="ITGRC" /><title>Proactive and Reactive approach to Risk</title><content type="html">&lt;a href="http://2.bp.blogspot.com/_bi8FowMHXs8/SaC-dKvDEtI/AAAAAAAAAAk/9rhbPkyihsA/s1600-h/risk3.JPG"&gt;&lt;span style="font-family:arial;"&gt;&lt;img id="BLOGGER_PHOTO_ID_5305449769349616338" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 400px; CURSOR: hand; HEIGHT: 320px; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_bi8FowMHXs8/SaC-dKvDEtI/AAAAAAAAAAk/9rhbPkyihsA/s400/risk3.JPG" border="0" /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div&gt;&lt;div align="center"&gt;&lt;strong&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:130%;"&gt;Proactive and reactive approach to Risk ….&lt;/span&gt; &lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;strong&gt;&lt;div align="justify"&gt;&lt;br /&gt;&lt;/strong&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:130%;"&gt;Everybody is joining the ITGRC or GRC bandwagon; whether you are a database security company or a networking product company, all of them have their messaging around compliance. Compliance is a small piece of the big picture; in my opinion the big picture is RISK, which drives the G and the C.&lt;br /&gt;Risk is what we want to manage, and it will decide our survival.
I may be fully compliant and still have a lot of risk unaddressed or at an unacceptable level.&lt;br /&gt;Risk is a relatively new concept to IT; CISOs/CIOs have started understanding it, but we are still light years behind financial risk managers, who have a very good understanding of risk and its different models (don't look at financial stocks right now to prove me wrong ;) !!!)&lt;br /&gt;I am sure you get the point: the financial industry has been using risk for the last 100-odd years, whereas IT has started using risk in the last 5 years, or maybe a decade.&lt;br /&gt;Just like controls, risk identification can be proactive or reactive in nature. This is not a debate about which one is better; we need both. By its very nature, a risk assessment is a prediction of the future based on certain parameters, which is nothing but "perceived risk". The other is your reactive approach to risk, which is backed by hard-to-refute numbers, for example antivirus incidents in the last year, or emergency change management, which can be directly correlated to network downtime. Based on these numbers you can associate new risk or change the existing risk and the controls mitigating it. This is a very powerful autonomous system. Perceived risk is nothing but what you are afraid of, and the reactive approach tells you what you should be afraid of!!! This self-correcting system will improve over time and adjust itself; it is not perfect, but it is very powerful and effective. There is always systemic risk! Anyone on Wall Street today knows about this risk: there is always a risk of system failure, and no one is safe from that since you are part of the system, unless you change or create your own system, in which case you have some control over systemic risk.
Like anything in life, this system is not flawless either and has its own risk, but this approach is definitely better than just a few hours of risk identification and assessment in the boardroom.&lt;br /&gt;&lt;br /&gt;The question is how to get the reactive risk numbers. It is simple: most organizations have security and networking products implemented. The only thing required is a product to collect the numbers from these silo solutions and provide trending. Based on trends and thresholds one can definitely identify what you should be worried about; again, in the financial world people have been doing this for years with the VIX index, the S&amp;amp;P 500, unemployment numbers and so on, some of them leading indicators of things to come and some of them lagging indicators.&lt;br /&gt;&lt;br /&gt;Apply the same concept to IT and you will get similar indices for your environment, which are true only for your environment and business: since the business objectives of every company are different, their risk appetites will obviously be different too.&lt;br /&gt;&lt;br /&gt;Risk is such a fascinating topic, which involves imagination, math (discrete probability in math class, remember?), business and strategy!! Haven't seen any topic covering so much depth and breadth.&lt;br /&gt;Proactive and reactive is just nomenclature, assuming you are identifying risk after something has happened versus identifying the risk before something happens!&lt;br /&gt;However, continuing from my first blog, the business has every right to take its chances and accept the risk in order to achieve its business goals, as long as the risk is acceptable. The million dollar question is who will decide what is acceptable? And what is acceptable risk?
May be good topic for my next blog….till then ….Keep watching DOW ;) Risk may reduce and then its time to buy :) &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3904462731148724809-1380118863989884480?l=hack0r.blogspot.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UTnO/~4/rBEEqcsLKbg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://hack0r.blogspot.com/feeds/1380118863989884480/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3904462731148724809&amp;postID=1380118863989884480&amp;isPopup=true" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3904462731148724809/posts/default/1380118863989884480?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3904462731148724809/posts/default/1380118863989884480?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/UTnO/~3/rBEEqcsLKbg/proactive-and-reactive-approach-to-risk.html" title="Proactive and Reactive approach to Risk" /><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="10712978689853367297" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_bi8FowMHXs8/SaC-dKvDEtI/AAAAAAAAAAk/9rhbPkyihsA/s72-c/risk3.JPG" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://hack0r.blogspot.com/2009/02/proactive-and-reactive-approach-to-risk.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DU8FRH47eCp7ImA9WB5UGU4.&quot;"><id>tag:blogger.com,1999:blog-3904462731148724809.post-1984117107295602797</id><published>2007-08-22T22:31:00.001-07:00</published><updated>2007-08-23T23:43:35.000-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-23T23:43:35.000-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Security" /><category scheme="http://www.blogger.com/atom/ns#" term="IT-GRC" /><category scheme="http://www.blogger.com/atom/ns#" term="Compliance" /><category scheme="http://www.blogger.com/atom/ns#" term="Hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="GRC" /><title>Is fully Compliant  = Good Security ?</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;Buzzword IT-GRC: who doesn't know about it!! A 17 billion dollar market as per the Gartner report.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;You must be wondering what this GRC acronym stands for and why people are talking about it.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;I would like to take this opportunity to dwell a bit on IT-GRC and express my thoughts on this market. Let me answer the question of what GRC is: G stands for Governance, R stands for Risk and C stands for Compliance. As easy as it sounds... well, not really! :).&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;Why are people talking about GRC?
Simple: the combination of government and the compliance industry has created havoc for institutions, especially for finance and medical insurance companies in the US. Regulations like SOX, HIPAA, GLBA, FFIEC, Basel II, PCI and what not!!! Every country has its own standards; Europe will have its own version of SOX and HIPAA. To comply with these regulations, smart marketing people came up with frameworks: initially BS 7799, now ISO 27001, COBIT, and now I am hearing ITIL, all claiming to be the master framework that can manage the other frameworks, regulations and standards. Each framework has its certification, from which they create revenue.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;All the regulations and standards have one thing in common, due care/due diligence, which means there is sufficient effort to prevent something catastrophic from happening, and if a fatal event does happen, the organization is ready for it. It also takes into account that the risk to the business is known and is either accepted, mitigated or transferred.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;However, these giant frameworks and strict regulations are good to have, but as they say, "Everything in excess is poison". Too many regulations and too many frameworks will create chaos for management, and last but not least too many threats and vulnerabilities, and hence too much RISK. Hence there is a need for GRC, which can manage compliance with this many regulations.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;If we look at the current scenario, compliance is merely a tick mark against the requirement. Do you have an IDS? Yes... complied! Woohoo...
Well, if the auditor is good he might get into the details of log management; sometimes they do, but at the end of the day a buffer overflow in a .dll sounds like Latin to an auditor. He will see a process: is this buffer overflow mitigated? My worry is that most compliance auditors don't have the expertise to question the efficacy of the mitigation!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;The million dollar question: if I am completely compliant with, say, the PCI regulation, does it mean that I am secure? More often than not, the answer is no. The original intent of regulation is to strengthen security, but the results are the total opposite!! Under the burden of so many regulations, security takes the back seat! There are multiple issues: internal security guys are loaded with too many regulations, an external auditor cannot be an expert in all areas, and if you go to Defcon you will realize that no matter what you do, you are always hackable! So why create strict compliance regulation? It is better to provide some leeway to companies in the midst of so many regulations.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;We have seen so many hacking incidents in the past, TJ Maxx and similar, with Monster being the most recent.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;We will continue to be like the ostrich, happy looking at all the compliance reports and sending them to management to make them happy, but at the end of the day it takes a single security breach to break that myth.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;Finally, you are only as good as your people. Make sure that your people have the required ethical and technical skills and you should be good!
No compliance standard or regulation can beat the security that you get from your loyal employees !&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3904462731148724809-1984117107295602797?l=hack0r.blogspot.com'/&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/UTnO/~4/sER3EhR4VAU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://hack0r.blogspot.com/feeds/1984117107295602797/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=3904462731148724809&amp;postID=1984117107295602797&amp;isPopup=true" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3904462731148724809/posts/default/1984117107295602797?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3904462731148724809/posts/default/1984117107295602797?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/blogspot/UTnO/~3/sER3EhR4VAU/is-fully-compliat-good-security.html" title="Is fully Compliant  = Good Security ?" /><author><name>Vijay Upadhyaya</name><uri>http://www.blogger.com/profile/10061519503819130998</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="10712978689853367297" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">4</thr:total><feedburner:origLink>http://hack0r.blogspot.com/2007/08/is-fully-compliat-good-security.html</feedburner:origLink></entry></feed>
