<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Solutionary Minds - Your Information Security Blog Source</title><link>http://blog.solutionary.com/</link><description>RSS blog feeds from Solutionary</description><ttl>60</ttl><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/solutionary/bRCt" /><feedburner:info uri="solutionary/brct" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>solutionary/bRCt</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item><comments>http://blog.solutionary.com/blog/bid/82368/Doomsday-Prepper-Security-It-s-the-end-of-the-world-as-we-know-it#Comments</comments><slash:comments>0</slash:comments><title>Doomsday Prepper Security –It’s the end of the world as we know it</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/kQxpYlynQ5c/Doomsday-Prepper-Security-It-s-the-end-of-the-world-as-we-know-it</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;I have recently been watching the National Geographic TV series, &amp;ldquo;Doomsday Preppers&amp;rdquo;. For those unfamiliar with the term &amp;ldquo;prepper&amp;rdquo;, it refers to individuals or groups that are preparing to survive various doomsday scenarios. These doomsday scenarios include everything from weather related disasters, to economic collapse, all the way to Electromagnetic Pulse (EMP) disruptions due to solar flares or atmospheric nuclear explosions. 
Working in the information security space, I could not resist comparing the prepper approach to data security preparation and best practices.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/solutionary-resized-600.png" border="0" alt="solutionary resized 600" class="alignLeft" style="float: left;" /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;b&gt;Risk Assessment &amp;ndash; What is the threat?&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;On the TV show each prepper focused on a different threat. Several segments focused on economic collapse that resulted in hyperinflation and shortages of basic supplies. As the threat was defined, the prepper created a survival plan. This included food and water stockpiles, defensive strategies, and a detailed evacuation or &amp;ldquo;bug out&amp;rdquo; plan. Each scenario of impending doom included its own survival strategies, or mitigating controls. This is where I can draw some similarities in the data security space. Before we can protect any assets, we first need to identify the asset and its associated value to the business. From there we can create a strategy to protect, monitor, alert, and report on any malicious activity associated with the asset. Part of good security planning is figuring out what you need to protect and what you want to try to protect against.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;b&gt;Visibility and Defense in Depth&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;In one of the segments on the show the individual was placing &amp;ldquo;trip wires&amp;rdquo; at various points on the perimeter of his property. This would provide advance warning of any intruders attempting to steal his supplies. I could easily relate that strategy to Intrusion Detection Systems at the perimeter of (and at internal locations within) the client network. There was another segment where the individual placed barbed wire at the perimeter of the property. This person also had dogs for additional protection, and lastly firearms as the &amp;ldquo;final defense&amp;rdquo; mechanism. Now I may not be able to make a connection to the &amp;ldquo;final defense&amp;rdquo; mechanism in data security, but I certainly can connect &amp;ldquo;defense in depth&amp;rdquo; strategies to this approach. Basic defense in depth methodology suggests implementing multiple security measures in &amp;ldquo;rings&amp;rdquo; to surround the organization&amp;rsquo;s critical assets. But in information security we replace the layers like barbed wire with a screening router, firewall, IDS, IPS, HIDS, hardening, monitoring, et al. It&amp;rsquo;s just that our &amp;ldquo;Incident Response Teams&amp;rdquo; are usually not armed.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;b&gt;Hope for the best, plan for the worst&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;The last part of the show I enjoyed was when the &amp;ldquo;experts&amp;rdquo; rated each prepper&amp;rsquo;s overall survival plan by category (food storage, bug out plan, defense strategies, and back-up plan). This would be an interesting exercise in itself &amp;ndash; having the ability to truly rate the effectiveness of your controls. I know some might find the show a bit extreme, but it certainly highlights the need to be prepared from a survival perspective, and in our case, a security perspective.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;b&gt;Until Next Time&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Thanks very much for reading my friends. Until next time, and as always, ride safe, crank up the tunes, and stay secure!&lt;/span&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/kQxpYlynQ5c" height="1" width="1"/&gt;</description><dc:creator>Doug Picotte</dc:creator><pubDate>Fri, 24 Feb 2012 16:31:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:82368</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/82368/Doomsday-Prepper-Security-It-s-the-end-of-the-world-as-we-know-it</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/82230/Technology-Rewind-CS-240-Systems-Principles-in-the-Old-Days#Comments</comments><slash:comments>0</slash:comments><title>Technology Rewind: CS 240: Systems Principles, in the Old Days</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/BtzqPGim-8I/Technology-Rewind-CS-240-Systems-Principles-in-the-Old-Days</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;In college, I took a required Computer Science class called &amp;ldquo;Systems Principles&amp;rdquo;. My professor started the class by listing out the seven key components in a successful system/program development process:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;1. Requirements&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;2. Specifications&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;3. Design&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;4. Development&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;5. Test&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;6. Test&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;7. Test&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Back in the Stone Age we did not worry so much about intrusion testing applications to help ensure that they could not be attacked from the outside world. In that context, our world was easier. I mean, my first full program was on about 3500 punch cards &amp;ndash; it didn&amp;rsquo;t quite fit in one card box. Yes, I said&lt;/span&gt;&lt;span style="color: #000000;"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Managing-Risk-Compliance.jpg" border="0" alt="Managing Risk Compliance" class="alignLeft" style="float: left;" /&gt;&lt;/span&gt;&lt;span style="color: #000000;"&gt; &amp;ldquo;punch cards&amp;rdquo; and "card box". I did not say a full function text editor written in Algol, Fortran, and PL/I. This sounds terribly archaic, but it taught me great habits. I would take my card deck to the window in the computer lab, and they would read the deck, then return it. I could get a listing in a few minutes, or my program would actually run sometime in the next 12-15 hours. The process was a pain, but it absolutely forced you to be disciplined. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;The professor normally assigned a project on Monday, and it was due Wednesday. You could usually get in two runs by Wednesday, but if you were really lucky, really fast, and went in to the computer lab at like 3:00 Tuesday morning, you might be able to get in three runs. You did not have time to waste debugging crap &amp;ndash; you just had to get it right, and get it right now. Every time you ran your job after Wednesday, your maximum score dropped a full letter grade. If you wanted an A, you could only count on being able to run your application twice. You simply had to figure out ways to improve the chances that your application was not only error-free, but error resistant.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Read the rest of my article at &lt;a href="http://www.securityweek.com/technology-rewind-cs-240-systems-principles-old-days" title="SecurityWeek.com." target="_self"&gt;SecurityWeek.com.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/BtzqPGim-8I" height="1" width="1"/&gt;</description><dc:creator>Jon Heimerl</dc:creator><pubDate>Tue, 21 Feb 2012 19:07:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:82230</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/82230/Technology-Rewind-CS-240-Systems-Principles-in-the-Old-Days</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/81935/Why-I-Love-My-Job#Comments</comments><slash:comments>0</slash:comments><title>Why I Love My Job</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/vr95ZRfSc4A/Why-I-Love-My-Job</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;Many years ago, when I first began working in computer security, I was excited and invigorated by its technical challenges.&amp;nbsp; Whether it was the challenge of understanding how encryption algorithms work, how SSL handshakes work, or how many levels of technologies and networks collaborate where security is relevant, I loved the complexities.&amp;nbsp; No other field made me as curious.&amp;nbsp; Security spans all platforms and dimensions: hardware, operating systems, programming languages, networking protocols, applications, people, companies, countries and even planets.&amp;nbsp; It&amp;rsquo;s relevant everywhere and requires broad and deep understanding.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Then, for a few years, I began to lose interest.&amp;nbsp; Companies I worked with often purchased and implemented security because they &amp;ldquo;had&amp;rdquo; to, due to some regulatory compliance driver that threatened them with fines.&amp;nbsp; They didn&amp;rsquo;t care.&amp;nbsp; They just wanted the cheapest solution, and didn&amp;rsquo;t seem to recognize security as critical to their company&amp;rsquo;s success.&amp;nbsp; Were they right?&amp;nbsp; A company&amp;rsquo;s priority is, and should be, about selling products and providing services, so it can deliver profits to its shareholders.&amp;nbsp; Our economy and society depend on it.&amp;nbsp; In the mind of a business, security was an annoying overhead, with no clear value-add to its product quality, sales numbers or bottom line profitability.&amp;nbsp; Sadly, where security clearly appeared was as an added expense on the income statement under IT.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;I became disheartened.&amp;nbsp; But should I have been?&amp;nbsp; What company could sell products if their website was not safe?&amp;nbsp; What consumer would use their credit cards anywhere, especially online, if they didn&amp;rsquo;t trust the store or site?&amp;nbsp; What company would do business with another company or country if they could not keep track of inventory and sales?&amp;nbsp; What country would not care about the power plants and power grids that its economy and population depend on?&amp;nbsp; Despite these questions, I became disillusioned.&amp;nbsp; But something inside of me didn&amp;rsquo;t let go.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Times have changed.&amp;nbsp; These days, I see articles almost daily about cyber threats against large organizations, and their impact or risk at the national and global level.&amp;nbsp; Investment banks&amp;rsquo; board rooms equipped with wonderful video conferencing systems are vulnerable.&amp;nbsp; Large scale retailers with millions of credit card numbers are exploited and consumers lose trust in them.&amp;nbsp; Many of America&amp;rsquo;s power plants and essential infrastructures are controlled via computer networks and systems that are often quite old and at significant risk of being hacked.&amp;nbsp; Today, Obama is aware, Congress is aware, and thanks to reliable media sources such as the New York Times, we are aware of what security means to our societies and economies. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;I&amp;rsquo;m glad I followed my intuition and didn&amp;rsquo;t lose hope.&amp;nbsp; First, working in information security continues to be challenging and intellectually stimulating as technologies evolve.&amp;nbsp; The computing power that has been moving from the mainframe, to the desktop, and now to the pocket, still needs to be secure, and makes our work even more complex and interesting.&amp;nbsp; Second, more and more companies and governments recognize security as critically important to their profitability, success and citizens&amp;rsquo; well being.&amp;nbsp; They are no longer looking to buy the cheapest solution to avoid fines.&amp;nbsp; They are trying to do the right thing and be responsible.&amp;nbsp; That puts my conscience at ease.&amp;nbsp; Finally, helping grow and advance the mission of an established &lt;a href="http://www.solutionary.com/index/solutions-and-services/managed-security-services.php" title="Managed Security Service Provider" target="_self"&gt;Managed Security Service Provider&lt;/a&gt; whose DNA is hardwired to do right by its customers and ensure their business critical operations are secure, is simply, a thrill.&lt;/span&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/vr95ZRfSc4A" height="1" width="1"/&gt;</description><dc:creator>Jozef Krakora</dc:creator><pubDate>Tue, 14 Feb 2012 15:19:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:81935</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/81935/Why-I-Love-My-Job</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/81567/bash_history-dev-null-not-the-droids-you-need#Comments</comments><slash:comments>0</slash:comments><title>bash_history=/dev/null - not the droids you need</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/5NCe4KSlvHE/bash_history-dev-null-not-the-droids-you-need</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;Recently I was reviewing exploit code we had identified as part of a privilege escalation attack against a UNIX-based server. There were certainly a lot of interesting things in the exploit code, including shellcode, assembly language instructions and funny hacker &amp;ldquo;l33t sp3ak&amp;rdquo; comments, but one thing that always sticks out for me is, the attacker hiding their tracks.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;In particular, the following code caught my eye:&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;if(pid == 0) {&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;char *args[] = {"/bin/sh", "-i", NULL};&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0", "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;execve("/bin/sh", args, envp);&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; }&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;The above code is run as part of the exploit. In short, it sets the shell&amp;rsquo;s history-related environment variables so that the record of commands executed on the UNIX command line goes to /dev/null. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;/dev/null is a *nix interface that acts like a black hole, so no data is actually stored or written to the file. In this case, it means anything the attacker types in the command line during his attack is never written to the shell history, since, instead, it goes to the &amp;ldquo;black hole&amp;rdquo; of /dev/null. Like a Jedi mind trick, this technique has been used for years, and is still used today due to its effectiveness.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;What does this mean to you? Well, imagine your organization was compromised, and during the investigation you suddenly find that you can no longer see what the attacker was doing. Did he access sensitive data? Did he add user accounts via the command line? Did he use that system to pivot to others?&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;This is the equivalent of locking the door on a busy Mos Eisley street &amp;ndash; visibility is lost. &lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Depending on the skill of the attacker and exploits used, it is also possible to remove all logs generated during the attack, but in many cases the previous example is typical.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Point: It is important to always make sure systems are prepared for attacks. Hindsight is something that educates us all; learn from previous experiences and prepare for the worst. Ensuring a proper event-logging environment is implemented can preserve visibility and really help your organization during incidents. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Some good guidelines to follow to keep visibility within your network:&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;First and foremost, make sure you are logging security events&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Ensure events are logged to a centralized logging server&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Make sure all log sources and servers are time synchronized&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Review logs on a regular basis&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Implement policies and procedures to handle security events if (when?) they do arise&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;We have a great year ahead of us; let&amp;rsquo;s make the most of it. &lt;a href="http://www.solutionary.com/index/intelligence-center/events.php" title="Please stop by and say &amp;lsquo;hello&amp;rsquo; if you run into us at any of the conferences this year." target="_self"&gt;Please stop by and say &amp;lsquo;hello&amp;rsquo; if you run into us at any of the conferences this year.&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;See how Solutionary managed security services based on the patented &lt;a href="http://www.solutionary.com/index/solutions-and-services/activeguard.php" title="ActiveGuard&amp;reg; Security &amp;amp; Compliance Platform" target="_self"&gt;ActiveGuard&amp;reg; Security &amp;amp; Compliance Platform&lt;/a&gt; combine security intelligence and expertise to provide visibility and threat response.&lt;/span&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/5NCe4KSlvHE" height="1" width="1"/&gt;</description><dc:creator>Rob Kraus</dc:creator><pubDate>Tue, 07 Feb 2012 16:18:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:81567</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/81567/bash_history-dev-null-not-the-droids-you-need</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/81520/It-s-Not-Paranoia-If-They-Really-Are-Out-to-Get-You#Comments</comments><slash:comments>0</slash:comments><title>It's Not Paranoia If They Really Are Out to Get You</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/Idklcmi1G6A/It-s-Not-Paranoia-If-They-Really-Are-Out-to-Get-You</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;We cannot be perfect. We can only be smart. We try to follow the rules and be as thorough as we can, and we hope for some luck.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;I grew up as a self-proclaimed cautious lad. Like most kids, I got in my share of trouble, but less so than most of my peers. 10 years of doing mostly systems engineering in the federal government, coupled with the safety and security training I received there, served to engrain my paranoia. Sometimes the paranoia is unjustified, and I feel foolish. Yet, good peripheral vision and situational awareness enable me to see things many people do not.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;I got on a flight the other day. As I waited in the line at the counter to check my bag, the guy in front of me set his wallet down on the counter. Then, he bent over and wrote out two luggage tags and clipped them onto his bags. His wallet sat on the counter for a good 65-70 seconds, and even without my glasses I could see an American Express card, and what I am pretty sure was a Citibank Visa. The wallet could have disappeared in seconds.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;At the airport, I made it through Security with no problem, but as I walked toward my gate, I noticed an open door on the other side of security. As I walked past, I glanced into the open door, and realized I could see what looked to be a break-room. Anyone could have walked in the front door, through the break room, and out the back door, completely bypassing security. I got the strangest look from the TSA agent when I asked him if they meant that room to be open on both sides, but he did go into the room - presumably to close the door.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Read more of my latest Security Week article &lt;a href="http://www.securityweek.com/its-not-paranoia-if-they-really-are-out-get-you" title="here" target="_self"&gt;here&lt;/a&gt;.&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/Idklcmi1G6A" height="1" width="1"/&gt;</description><dc:creator>Jon Heimerl</dc:creator><pubDate>Mon, 06 Feb 2012 19:38:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:81520</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/81520/It-s-Not-Paranoia-If-They-Really-Are-Out-to-Get-You</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/81085/Turn-Security-to-11-Get-the-Extra-Push-You-Need-With-an-MSSP#Comments</comments><slash:comments>0</slash:comments><title>Turn Security to 11: Get the Extra Push You Need With an MSSP</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/umxxulpJm_g/Turn-Security-to-11-Get-the-Extra-Push-You-Need-With-an-MSSP</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;You may be asking yourself what information security and managed security service providers (MSSPs) have to do with &amp;ldquo;going to eleven&amp;rdquo;. It&amp;rsquo;s all about getting an extra security push when you need one.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Fans of the 1984 movie &amp;ldquo;This is Spinal Tap&amp;rdquo; will recall Christopher Guest&amp;rsquo;s character, Nigel Tufnel, famously saying, &amp;ldquo;these go to eleven&amp;rdquo; as he proudly showed off his special Marshall guitar amps. Seeing how most amps only go to ten, he was proud to show off how he could go to eleven anytime he needed &amp;ldquo;That extra push over the cliff&amp;rdquo;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Let&amp;rsquo;s not bother with the fact that the amp manufacturer could have made the volume at ten louder (as Rob Reiner&amp;rsquo;s character points out in the movie); it&amp;rsquo;s the fact that when Nigel needed an extra boost, he could go to eleven on his amp.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;As a security professional, what do you do when you need to &amp;ldquo;go to eleven&amp;rdquo;? Let&amp;rsquo;s say that your company has a malware outbreak or is the victim of a malicious attacker or &lt;a href="http://www.solutionary.com/index/intelligence-center/white-papers/apt-white-paper-reg" title="APT" target="_self"&gt;APT&lt;/a&gt;. In the vernacular of the Ghostbusters, &amp;ldquo;Who you gonna call?&amp;rdquo;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Many times, IT and security teams are already stressed and overworked before disaster strikes &amp;ndash; they are already playing at ten. If they need that extra push, or some extra security expertise, they often have to look outside the organization to find it. This is especially true with more focused, specialized companies, or with SMBs.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;With an MSSP, that extra push, the extra 1 on the volume knob, is already there. MSSPs like Solutionary work as an extension of the internal team, providing &lt;a href="http://www.solutionary.com/index/SERT/Security-Intelligence.html" title="security intelligence" target="_self"&gt;security intelligence&lt;/a&gt;, visibility and knowledge. During a security incident, the MSSP works with the client team to identify and remediate the issue. The client team is not left on their own to fend for themselves. After all, even the best bands have a strong team of people behind them to make them sound great and to make sure the show goes off without a hitch.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;See how Solutionary managed security services based on the patented &lt;a href="http://www.solutionary.com/index/solutions-and-services/activeguard.php" title="ActiveGuard&amp;reg; Security &amp;amp; Compliance Platform" target="_self"&gt;ActiveGuard&amp;reg; Security &amp;amp; Compliance Platform&lt;/a&gt; combine security intelligence and expertise to provide complete solutions for your organization.&lt;/span&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=umxxulpJm_g:lnJE4S97oW8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=umxxulpJm_g:lnJE4S97oW8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?i=umxxulpJm_g:lnJE4S97oW8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=umxxulpJm_g:lnJE4S97oW8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/umxxulpJm_g" height="1" width="1"/&gt;</description><dc:creator>Joseph Blankenship</dc:creator><pubDate>Thu, 26 Jan 2012 14:48:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:81085</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/81085/Turn-Security-to-11-Get-the-Extra-Push-You-Need-With-an-MSSP</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/80972/Insiders-or-Outsiders#Comments</comments><slash:comments>0</slash:comments><title>Insiders or Outsiders?</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/9rjTv_AlBbU/Insiders-or-Outsiders</link><description>&lt;span style="color: #000000;"&gt;Being a security geek, I was talking about Internet Security with a friend, and they asked me &amp;ldquo;What was the biggest break-in that you personally worked on?&amp;rdquo; That is actually an easy question. I worked with a company that had fallen prey to a series of attacks that included a literal infestation of dozens of servers across several geographic locations. Despite our guidance, they felt that they could not really take their environment off line to purge their environment, so last I heard, some years later, they were still fighting off re-infections.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;But, maybe that was not the real question. As far as we were able to tell, the attackers were using the servers as bots and storage. We were never able to tell that they had actually stolen anything, or cost the company anything other than time, and considerable bandwidth. So, maybe the real question should have been &amp;ldquo;what was the worst security incident with which I had ever been involved?&amp;rdquo;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Well, that is an easy question too. It was a case of internal fraud. 
An employee was generating fake invoices and approving payments, to the tune of millions (and millions) of dollars. Millions. And the fraud was found by accident. Another employee was tracking down a mis-paid invoice, and literally stumbled across a series of invoices. He recognized the address, and absolutely knew that there was no such company at that address. A little investigation showed that the same person had submitted and approved every invoice, and when they added up the amounts organizational management nearly stroked out. Immediate account revocation and termination followed, with charges filed pretty much the same day.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;The issue was not a &amp;ldquo;break-in&amp;rdquo;, but an internal abuse of authorized access. &amp;ldquo;They&amp;rdquo; tell us that we should worry more about internal threats than we should the wily hacker. No one wants to. We don&amp;rsquo;t want to think that the guy we sit next to, that we eat lunch with, that we argued over resources with, that we held the elevator door for, is &amp;ldquo;the bad guy&amp;rdquo;. They might be. They probably are not, but they might be. And we have to keep that in mind when we look at our environment, because we really do have to worry about the internal threat.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Keep that in mind, and try to make it to our January 24 &lt;a href="http://www.scmagazine.com/scwc-247-environment/section/1223/" title="eSymposium" target="_self"&gt;&lt;span style="color: #000000;"&gt;eSymposium&lt;/span&gt;&lt;/a&gt; on Insiders with access.&lt;/span&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=9rjTv_AlBbU:TWI_g7nQQVs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=9rjTv_AlBbU:TWI_g7nQQVs:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?i=9rjTv_AlBbU:TWI_g7nQQVs:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=9rjTv_AlBbU:TWI_g7nQQVs:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/9rjTv_AlBbU" height="1" width="1"/&gt;</description><dc:creator>Jon Heimerl</dc:creator><pubDate>Tue, 24 Jan 2012 14:33:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:80972</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/80972/Insiders-or-Outsiders</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/80927/The-Sheep-That-Turns-Into-a-Wolf-Insider-Threats#Comments</comments><slash:comments>0</slash:comments><title>The Sheep That Turns Into a Wolf -  Insider Threats</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/uQa9m61PzMk/The-Sheep-That-Turns-Into-a-Wolf-Insider-Threats</link><description>&lt;h1&gt;&amp;nbsp;&lt;/h1&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Your friend or not your friend, this is the new question, when dealing with insider threat. Often times when you hire a prospective employee, you are putting a level of trust in him or her. This trust is similar to the trust you would put in your own family. Within that trust boundary you are relying on the employee to perform their job to the best of their ability, much like we instruct our kids to do the same in life.&amp;nbsp; However, the similarities end there, and new dynamics are introduced, including the psychological unknown of people.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;img id="img-1327336759371" src="http://blog.solutionary.com/Portals/41964/images/Sheep-resized-600.jpg" border="0" alt="Sheep resized 600" width="205" height="195" class="alignLeft" style="float: left;" /&gt;&amp;ldquo;With great power comes great responsibility&amp;rdquo;, a quote from Spider Man&amp;rsquo;s Uncle Ben, is an understatement when we are talking about these same employees that we empower.&amp;nbsp; We give them user names, passwords, guides to the infrastructure, and the knowledge on how to accomplish various tasks. We do all of this with the perceived confidence that the employee will do the right thing, be ethical, and not go outside of what has been instructed.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;It&amp;rsquo;s the psychological unknown of the employee that is the &amp;ldquo;X Factor&amp;rdquo; in all businesses. Although we would like to think we hired a good employee, there are things outside of our control that can change the same good employee to suddenly go bad.&amp;nbsp; The triggers are plentiful given today&amp;rsquo;s economic situation. This could be money, family, stress, etc.&amp;nbsp; Many things can trigger your employee to start doing malicious things with the power they acquired.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;In 2008, www.cert.org conducted an Insider Threat Study titled &amp;ldquo;Illicit Cyber Activity in the Information Technology and Telecommunications Sector&amp;rdquo;.&amp;nbsp; Within the report, they looked at 52 specific insider threat incidents that were carried out by 57 insider threats between 1996 and 2002. The stats are as follows: 24 out of the 52 were purely sabotage; 11 out of 52 were intellectual property theft; 8 out of 52 were fraud; 6 out of the 52 were a combination of sabotage and intellectual property theft; the remaining 3 were a combination of fraud and intellectual theft.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;In the same report they looked at the motive of the insider threat. What were the variables that these people used to justify their malicious actions? Their key findings provided some interesting thoughts around the why and most importantly some prevention methods. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;38% of those insider threats had prior arrests&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;73% of those insider threats explained a negative work related event trigger their actions&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;76% of those insider threats planned their malicious actions in advanced&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;50% of those insider threats had authorized access to the systems/network at the time of the incident&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;74% of those insider threats took steps to hide themselves and mask their activities&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;80% of those insiders were caught only through manual detection of a system experiencing anomalies or failures.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;The outcomes of these actions are far more devastating than the dollar amount tied to fixing what can be fixed. While you can fix a server, it is much harder to fix the reputation of the company, reputation of your department, and the reputation of yourself as a hiring manager.&amp;nbsp; You simply can&amp;rsquo;t prepare for everything regarding the employees you trust. There are, however, some prevention methods to help minimize the likelihood of your company becoming a victim, and possibly losing millions in the process.&lt;/span&gt;&lt;span style="color: #000000;"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Formulate a strong screening process for those positions that require such great powers. Depending on the sensitivity of the position, you may need to implement several screens for the duration of the employee and his/her position. Don&amp;rsquo;t be afraid to include liberal background checks for those key employees.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Enforce separation of duties and least privilege. No one should have all the keys to the kingdom. One man IT shops are cheap and inexpensive, however they can cost you your entire company.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Log, monitor and audit employees&amp;rsquo; online company activities. Ensure you also have someone &amp;ldquo;watching the watcher&amp;rdquo;. No one should be an exception to this rule.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Monitor and react to suspicious or disruptive behavior, regardless of how insignificant it may be.&amp;nbsp; If you collect enough crumbs, you will create a cookie.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;The most important step of all is to know your employees. If you honestly know your employees you increase the chances that you will be able pick up on any &amp;ldquo;psychological unknowns&amp;rdquo; that may suddenly appear. We all show signs one way or another,&amp;nbsp; and react accordingly.&lt;/span&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=uQa9m61PzMk:fRzGXlEFHQQ:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=uQa9m61PzMk:fRzGXlEFHQQ:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?i=uQa9m61PzMk:fRzGXlEFHQQ:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=uQa9m61PzMk:fRzGXlEFHQQ:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/uQa9m61PzMk" height="1" width="1"/&gt;</description><dc:creator>Erik Barnett</dc:creator><pubDate>Mon, 23 Jan 2012 16:27:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:80927</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/80927/The-Sheep-That-Turns-Into-a-Wolf-Insider-Threats</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/80682/One-Word-Patches#Comments</comments><slash:comments>0</slash:comments><title>One Word – “Patches”</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/5jNHVQuTV-8/One-Word-Patches</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;I can picture the scene in my head.&amp;nbsp; A wise, time-tested senior security administrator takes the newly hired junior administrator aside and states in a firm voice, &amp;ldquo;One word &amp;ndash; patches.&amp;rdquo;&amp;nbsp; We all know that patching is a necessity, but how many of us audit all of the software on every system to ensure it is running the most up-to-date version?&amp;nbsp; Deploying patches in a sluggish manner can turn a healthy system into a ticking time bomb.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;We see some interesting things in our &lt;a href="http://www.solutionary.com/index/solutions-and-services/security-device-management/Managed-NIDS.html" title="Security Operations Center" target="_self"&gt;Security Operations Center&lt;/a&gt; (SOC).&amp;nbsp; Monitoring devices across several clients lends us a bird&amp;rsquo;s-eye view of activity propagating across our client base.&amp;nbsp; Lately, the SOC has noticed an increase in some remote code injection scans, which involves sending code to a poorly written application to perform malicious activity.&amp;nbsp; These scans have targeted an AWStats vulnerability in versions prior to 6.3 (CVE-2005-0116) and phpThumb version 1.7.9 (CVE-2010-1598).&amp;nbsp; Something should stand out in those CVE numbers&amp;mdash;the year!&amp;nbsp; The AWStats vulnerability was first reported in 2005 and the phpThumb vulnerability in 2010.&amp;nbsp; One can only infer that running these scans is still &amp;ldquo;profitable&amp;rdquo; for whatever malicious entity is behind this activity.&amp;nbsp; In other words, there are still enough unpatched, vulnerable systems running old versions that are ripe for exploitation.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;There truly is no excuse for not patching software, especially software running on publically accessible systems.&amp;nbsp; So why are organizations not patching?&amp;nbsp; While it at first may appear to be complacency, some system administrations are reluctant to patch because they adopt the mentality of &amp;ldquo;if it&amp;rsquo;s not broken, why fix it?&amp;rdquo;&amp;nbsp; However, taking the time to patch while the system is still functioning healthfully can save time and stress by avoiding attacks and vulnerabilities.&amp;nbsp; Further, patches should be implemented in a timely fashion.&amp;nbsp; Our fabled time-tested security administrator knows the value of patches, but perhaps due to long held dogma, still insists on testing patches before deploying them.&amp;nbsp; This may be a grave mistake.&amp;nbsp; Any time spent testing a patch increases the window of opportunity for an attacker to find a vulnerable system and exploit it. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;So, stay abreast of any patches that are available for the software you utilize and deploy them as quickly as possible.&amp;nbsp; If you are not keeping on top of your patches, someone may knock on your door and remind you.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=5jNHVQuTV-8:UONoouiu3b0:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=5jNHVQuTV-8:UONoouiu3b0:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?i=5jNHVQuTV-8:UONoouiu3b0:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=5jNHVQuTV-8:UONoouiu3b0:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/5jNHVQuTV-8" height="1" width="1"/&gt;</description><dc:creator>Vincent Ragosta</dc:creator><pubDate>Tue, 17 Jan 2012 20:12:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:80682</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/80682/One-Word-Patches</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/80141/Sandwich-Hack-Extra-Cheese-Hold-the-Credit-Card-Data-Please#Comments</comments><slash:comments>0</slash:comments><title>Sandwich Hack: Extra Cheese, Hold the Credit Card Data Please</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/37-UO8Spvcs/Sandwich-Hack-Extra-Cheese-Hold-the-Credit-Card-Data-Please</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;I often wonder when I give my credit card to the restaurant server or kid behind the fast food counter, if my credit card information is really being protected. You always hear the horror stories of the service employee who is copying the credit card information in the back room that will later be used in some fraudulent way. For as little as $25, anyone can buy card scanners that either stand alone, or easily connect to an iPhone or other smart device. This brings me to today&amp;rsquo;s subject. You may have recently heard of a security incident involving a high profile sandwich shop chain that resulted in the loss of credit card information. I won&amp;rsquo;t disclose the name, but we can all tell by the picture below. This incident involved about 150 sandwich shops and over 80,000 customers.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/subwayhacked-resized-600.jpg" border="0" alt="describe the image" class="alignLeft" style="float: left;" /&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;strong&gt;Low Tech Sandwich Making (and Hacking)&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Just as sandwich making is &amp;ldquo;low tech&amp;rdquo;, so were the alleged hacking methods of our eastern European friends. (The US District Court in New Hampshire has indicted four Romanian individuals in this particular case). The attack was simple. Scan for low hanging fruit, brute force login to the vulnerable POS system, install malware and extract the credit card information. Once the credit card information was gathered, they simply used the stolen data to produce fake credit cards and proceeded to go on a spending spree. The remaining black market value of the data was sold off to other hackers.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&lt;strong&gt;Hacking Details (Secret Sauce)&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Targeted Port Scans:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;The hackers performed targeted port scans looking specifically for remote facing POS systems that had remote desktop services enabled. This of course is a huge &amp;ldquo;no no&amp;rdquo; in terms of both PCI compliance requirements and general security best practices. This service should be disabled in most cases. At a minimum the systems should have enabled two-factor authentication and encryption.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Brute Force Login:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Once the vulnerable systems were identified, the hackers needed to simply login to compromise the system. 
It still amazes me how many times default passwords are unchanged or changed to obvious words such as &amp;ldquo;password&amp;rdquo;, or &amp;ldquo;qwertyui&amp;rdquo; or &amp;ldquo;12345678&amp;rdquo; because they might be easier to remember (and, unfortunately, easier to guess).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Malware Installation:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Once the system was compromised, the hackers installed key logging and back door utilities to gather the credit card information. Apparently, they also installed software to prevent any further security updates.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Credit Card Data Extraction:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;One interesting piece here was that the hackers employed &amp;ldquo;FTP Dump&amp;rdquo; sites to store the stolen data. In this case there was cooperation from the FTP Dump vendors as part of the investigation.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&lt;strong&gt;The Bottom Line&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Apparently, the franchise owners in this case were provided security guidelines to prevent this type of incident. Unfortunately, it appears that these guidelines were mostly ignored by the franchise owners. 
I chalk this up to the age-old saying: &amp;ldquo;I am a (insert business type here), who would want to steal anything I have?&amp;rdquo; This may have all been avoided by following some basic security practices:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Understand the true value of exactly what data you have in your environment (i.e., credit card data)&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Determine the compliance standards that are appropriate to that data and your business&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Perform a compliance based gap assessment of your environment&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Remediate any gaps associated with the assessment&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Avoid a &amp;ldquo;checkbox&amp;rdquo; security compliance approach &amp;ndash; be honest with yourself about the real world threats and how they may affect your business&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Blend a reasonable risk based security best practices approach along with compliance requirements applicable to your business&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Do not develop a false sense of security that the hackers don&amp;rsquo;t want what you have&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&lt;strong&gt;Until Next Time&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Thanks very much for reading, my friends. 
Until next time, and as always, ride safe, crank up the tunes, and stay secure!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=37-UO8Spvcs:OV2DBUa3Gwg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=37-UO8Spvcs:OV2DBUa3Gwg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?i=37-UO8Spvcs:OV2DBUa3Gwg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/solutionary/bRCt?a=37-UO8Spvcs:OV2DBUa3Gwg:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/solutionary/bRCt?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/37-UO8Spvcs" height="1" width="1"/&gt;</description><dc:creator>Doug Picotte</dc:creator><pubDate>Fri, 06 Jan 2012 14:11:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:80141</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/80141/Sandwich-Hack-Extra-Cheese-Hold-the-Credit-Card-Data-Please</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/79832/Happy-New-Year#Comments</comments><slash:comments>0</slash:comments><title>Happy New Year!</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/n04Ir1pQ0cQ/Happy-New-Year</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;Happy New Year from all of us at &lt;a href="www.solutionary.com" title="Solutionary" target="_self"&gt;Solutionary&lt;/a&gt;! &amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&lt;a href="http://blog.solutionary.com/jon-heimerl/" title="Jon Heimerl  " target="_self"&gt;Jon Heimerl&lt;/a&gt; put together a few points that should be on your compliance checklist in 2012.&amp;nbsp; Check it out below and cheers to a safe, secure and Happy New Year! &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Important Compliance Considerations Looking into 2012&lt;/span&gt;&lt;br /&gt;&amp;nbsp;&lt;br /&gt;&lt;span style="color: #000000;"&gt;1.&amp;nbsp;&amp;nbsp; &amp;nbsp;No compliance regulation requires it, but one of the most important things you can do to help improve your compliance is perform a Business Impact Analysis, or an Information Asset Inventory, or whatever it is you want to call it. The goal is to identify all of your organizational information: what information you have, where it is, and exactly what that information is. 
To understand your compliance requirements you have to fully understand whether or not the information you have is PHI, or private financial information, or covered by some other regulatory requirement.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;2.&amp;nbsp;&amp;nbsp; &amp;nbsp;Assign clear compliance responsibility to a specific authority within your organization. And, along with that responsibility, don't forget to give them the authority to actually meet those goals. Make sure everyone in your organization knows who owns compliance. Make sure those people are fully trained so that they are truly qualified to actually manage the compliance process. Understand that no one person can truly understand all compliance requirements of a complex organization, but you must identify what your specific compliance requirements are, and ensure that you have appropriate compliance expertise.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;3.&amp;nbsp;&amp;nbsp; &amp;nbsp;Manage your other resources. In these times of limited budgets and shrinking staff, it is more important than ever to effectively manage your resources. Identify and keep your key staff. You are better off keeping good, knowledgeable staff than you are trying to find new staff, unless the people you have just don't cut it. &amp;nbsp;Make sure they get training and other benefits that help keep them at your organization, keep them engaged, and keep them happy.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;img id="img-1325256332555" src="http://blog.solutionary.com/Portals/41964/images/happy-new-year-graphics-09-resized-600.jpg" border="0" alt="happy new year graphics 09 resized 600" width="346" height="247" class="alignLeft" style="float: left;" /&gt;&lt;/span&gt;&lt;span style="color: #000000;"&gt;4.&amp;nbsp;&amp;nbsp; &amp;nbsp;Pay attention to need-to-know and privileged user access. If WikiLeaks and the Occupy Movement show us anything, they show us that there are many people who are unsatisfied with the status quo. Regardless of their exact motivation, there will be people who gain unauthorized access. You should be checking your authorized access to make sure they are truly appropriate, and make sure that people do not have excess access. On top of that, you should be monitoring employee access and checking access logs.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;5.&amp;nbsp;&amp;nbsp; &amp;nbsp;Take the results of your BIA and, to the extent possible, isolate your compliance systems. If you can segregate your PHI systems from other systems, do so. If you can segregate your credit card information from other systems, do so. If you can isolate the systems that control your compliance data, it potentially simplifies the scope of your compliance efforts, and consequently, simplifies your compliance.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Read more of Jon's compliance thoughts in a recent Dark Reading &lt;a href="http://www.darkreading.com/compliance/167901112/security/news/232200757/2012-compliance-checklist.html" title="article" target="_self"&gt;&lt;span style="color: #000000;"&gt;article&lt;/span&gt;&lt;/a&gt;.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
</description><dc:creator>Solutionary Marketing</dc:creator><pubDate>Fri, 30 Dec 2011 14:48:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:79832</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/79832/Happy-New-Year</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/79556/New-Toys-New-Vulnerabilities#Comments</comments><slash:comments>0</slash:comments><title>New Toys...New Vulnerabilities</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/AewKvXPSiww/New-Toys-New-Vulnerabilities</link><description>&lt;p&gt;&lt;span style="color: #000000;"&gt;During this holiday season many of us will likely exchange really cool gifts with friends, co-workers, and family. Some of us will be lucky to receive some of the latest advances in technology, such as iPads, smart phones, computers, and anything else you can think of with blinking lights and promise of hours of enjoyment. Let&amp;rsquo;s face it, it&amp;rsquo;s a time of giving and a great time to reward ourselves and each other for all the great work we did in 2011.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;If you&amp;rsquo;re like me, there is nothing more fun than ripping off the wrapping paper and getting right into playing with some of these fun electronic wonderlands. However, I am cursed with always thinking:&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&amp;nbsp;&amp;ldquo;Cool new iPad; wonder what version of iOS it is running?&amp;rdquo;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;I guess it is just part of being in the information security industry and part of what keeps me diligent about staying secure.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;I can&amp;rsquo;t help but think how many people around the world will be opening brand new computers and devices on Christmas day and jumping right on the information super highway. I also can&amp;rsquo;t help but wonder how many malicious attackers are lurking in the shadows to take control of those systems. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;For those of us who battled in the department stores on Black Friday, went home, wrapped gifts, and put them under the tree, great job! But now it&amp;rsquo;s about 30 days later and these new gems will be unwrapped and enjoyed.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Unfortunately, security and newly discovered vulnerabilities don&amp;rsquo;t take vacation. Over the last 30 days there have been quite a few new vulnerabilities identified in some of the toys we may be receiving over the holidays. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Conclusion: Many of the gifts you may be receiving this holiday are probably about a month behind on security patches. In some cases, your new toy may be immediately susceptible to attack due to these missing patches (isn&amp;rsquo;t security stuff fun?).&lt;/span&gt;&lt;span style="color: #000000;"&gt;&lt;img id="img-1324587950483" src="http://blog.solutionary.com/Portals/41964/images/present-16ufgnb-resized-600.jpg" border="0" alt="present 16ufgnb resized 600" width="279" height="232" class="alignRight" style="float: right;" /&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Some good guidelines to follow:&lt;/span&gt;&lt;span style="color: #000000;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Take a few minutes to enjoy your new toys&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Check to see if it is up to date for security patches&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;If the product is capable, enable automatic updates&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Follow product recommendations for using security options it may have available&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Solutionary wishes all of our clients and blog followers a happy holiday season. Stay safe and let&amp;rsquo;s ring in the New Year with best wishes to our friends, family and fellow mankind.&lt;/span&gt;&lt;/p&gt;</description><dc:creator>Rob Kraus</dc:creator><pubDate>Thu, 22 Dec 2011 20:58:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:79556</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/79556/New-Toys-New-Vulnerabilities</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/79342/Solutionary-in-Leader-s-Quadrant-for-MSSPs#Comments</comments><slash:comments>0</slash:comments><title>Solutionary in Leader's Quadrant for MSSPs</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/8orOH2r3jp8/Solutionary-in-Leader-s-Quadrant-for-MSSPs</link><description>&lt;p&gt;&lt;img id="img-1324310479182" src="http://blog.solutionary.com/Portals/41964/images/Updates-resized-600.jpg" border="0" alt="Updates resized 600" width="169" height="150" class="alignLeft" style="float: left;" /&gt;&lt;span style="color: #000000;"&gt;The Solutionary team is proud to have earned a position in the Leader&amp;rsquo;s Quadrant for MSSPs. It&amp;rsquo;s rewarding to attain industry recognition for what Solutionary clients have known for years &amp;ndash; that Solutionary delivers leading managed security services, based on our patented, industry-leading &lt;a href="http://www.solutionary.com/index/solutions-and-services/activeguard.html" title="ActiveGuard&amp;reg; platform" target="_self"&gt;&lt;span style="color: #000000;"&gt;ActiveGuard&amp;reg; platform&lt;/span&gt;&lt;/a&gt; and backed by our team of certified security experts.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;For more information about this announcement, read the &lt;a href="http://www.solutionary.com/index/intelligence-center/press-releases/Gartner-Leaders-Quadrant" title="press release" target="_self"&gt;&lt;span style="color: #000000;"&gt;press release&lt;/span&gt;&lt;/a&gt; or download the &lt;a href="http://www.solutionary.com/index/intelligence-center/Gartner-Magic-Quadrant.html" title="full report" target="_self"&gt;&lt;span style="color: #000000;"&gt;full report&lt;/span&gt;&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;In a world populated by cyberthieves, hacktivists and advanced persistent threats, you need a security team that can watch your back, giving you the visibility and security intelligence you need to protect your enterprise.&lt;/span&gt;&lt;/p&gt;</description><dc:creator>Solutionary Marketing</dc:creator><pubDate>Mon, 19 Dec 2011 15:53:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:79342</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/79342/Solutionary-in-Leader-s-Quadrant-for-MSSPs</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/79200/Paranoia-or-Prudence-Don-t-Give-Google-the-Keys-to-Your-Wireless-Network#Comments</comments><slash:comments>0</slash:comments><title>Paranoia or Prudence? Don’t Give Google the Keys to Your Wireless Network</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/hrBqJOxesiQ/Paranoia-or-Prudence-Don-t-Give-Google-the-Keys-to-Your-Wireless-Network</link><description>&lt;span style="color: #000000;"&gt;As a way to improve location-based services for applications like Google Maps, Google started implementing WIFI positioning.&amp;nbsp; WIFI positioning uses nearby WIFI access points to help triangulate the location of a user&amp;rsquo;s device.&amp;nbsp; These include devices we use every day, such as iPhones, iPads, Kindles, tablets, and laptops. I assure you, the list goes on and on.&lt;img id="img-1323964604944" src="http://blog.solutionary.com/Portals/41964/images/santa_1062028_maps_sparkles_en-resized-600.jpg" border="0" alt="santa 1062028 maps sparkles en resized 600" width="345" height="240" class="alignLeft" style="float: left;" /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;WIFI positioning was implemented to help locate devices where GPS and cell tower signals are weak.&amp;nbsp; In order for WIFI positioning to work, Google needs to collect the SSID and MAC address of any broadcasting access point. This information is collected using Google Street View vehicles that drive around taking pictures for Google Maps. 
&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;In theory this sounds like a good idea, and it can help applications better pinpoint the location of user devices.&amp;nbsp; WIFI positioning was not a big deal until Google confirmed it was mistakenly collecting payload data from open WIFI access points with their Street View cars.&amp;nbsp; This revelation was not a big surprise to me because open access points do not encrypt data and therefore the data can be sniffed by anyone.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;This is the part of the blog where I recommend you start wearing your tin foil hats.&amp;nbsp; While waiting for a plane in Pittsburgh, I started looking for an application setting on my Android phone.&amp;nbsp; While checking through my privacy settings, I stumbled on the Backup and Restore setting that was enabled by default on my phone.&amp;nbsp; This backup agent stores Android settings, application data, and&amp;hellip; wait for it&amp;hellip; WIFI passwords to Google servers. So, if Google saw your WIFI network while taking photos for Street View, and you connected to that same WIFI network with your Android phone, Google now has all the information it would need to gain access into a person&amp;rsquo;s private home network or even a corporate network.&amp;nbsp; The user only has to connect to the access point with their Android device, and the credentials will be cached in the phone and in turn backed up to the Google servers.&amp;nbsp; To be fair, I only checked this backup agent on my Android phone, which is running version 2.3.6; the backup agent settings may very well have changed in later versions of the Android OS.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;So if you are a paranoid person like myself, these are some of the things you can do to help mitigate your paranoia. 
&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Change the SSID name of your wireless router and append the words &amp;ldquo;_nomap&amp;rdquo;. Doing this will stop Google from including your wireless access point in its location database. &lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Uncheck the backup and restore setting in your Android phone. &amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Change the password in your router since the old password is probably stored on one of Google&amp;rsquo;s servers. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Okay, maybe that isn&amp;rsquo;t so paranoid&amp;hellip;&lt;/span&gt;</description><dc:creator>Jose Hernandez</dc:creator><pubDate>Thu, 15 Dec 2011 15:44:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:79200</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/79200/Paranoia-or-Prudence-Don-t-Give-Google-the-Keys-to-Your-Wireless-Network</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/79057/Is-the-Sky-Falling-Ten-Security-Wishes-for-the-Holidays#Comments</comments><slash:comments>0</slash:comments><title>Is the Sky Falling? Ten Security Wishes for the Holidays</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/n4kshxpDzzQ/Is-the-Sky-Falling-Ten-Security-Wishes-for-the-Holidays</link><description>&lt;p&gt;&lt;strong&gt;What are 10 Things that Should be at the Top of Everyone&amp;rsquo;s Wish list for the Holidays?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;Overall, it has been a rough year for information security in the world. We ended 2010 with WikiLeaks, and it continued into 2011, supported by the disclosure to WikiLeaks of classified government material and confidential internal use only corporate information. This trend of intolerance with the system calmed through much of the summer only to resurrect itself in the form of the anti-establishment &amp;ldquo;Occupy&amp;rdquo; movement later in the year. While the Occupy movement is not itself a cyber-security worry, it does highlight that people have a considerable dissatisfaction with the status quo and are looking for change &amp;ndash; and unmoderated change is usually not exactly good for the efficiency and security dynamics of any organization.&lt;img src="http://blog.solutionary.com/Portals/41964/images/Holiday-Wishes-resized-600.jpg" border="0" alt="Holiday Wishes resized 600" class="alignLeft" style="float: left;" /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;We&amp;rsquo;ve heard more about Stuxnet, and seen new viruses &amp;ndash; I just picked off a copy of a Trojan Dropper last night, reading security news stories (an executable stored in Explorer temp files &amp;ndash; cool). We&amp;rsquo;ve seen Apple systems exposed to attack. We&amp;rsquo;ve seen corrupt applets running on Android &amp;ndash; I&amp;rsquo;m not quite ready to say I have seen Android hacks or viruses in the wild. I have seen rampant loss of control over the permissions requested by Android widgets on install (Google Maps, you really need access to my private phone information, read and write access to my contact information, along with the ability to make phone calls and record audio? Really? Update fail.) We&amp;rsquo;ve seen zero day vulnerabilities in widely used applications and services. We have seen literally millions of healthcare records breached. 
We have seen huge companies get breached, resulting in days and weeks of outages, and probably billions of dollars spent in recovery and rebuild. We found that an unauthorized user can access sensitive functions on an iPhone by using Siri. Should we be surprised that web-enabled printers can be attacked remotely? We have had drone hacks, ATM scammers, phone hacking and nude photos galore (so to speak). And that is just the tip of the iceberg. Sometimes it seems like the sky is falling.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;Sometimes.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;A friend of mine asked me a couple weeks ago, &amp;ldquo;So, with all these things going on, how do you do everything that you need to be safe?&amp;rdquo; That is a hard question. Everything?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: #000000;"&gt;A complete list of everything an organization should do to make itself safe would literally fill books. So, instead, if you want to take the right steps to being secure, and being compliant where appropriate, what are the 10 things that should be at the top of everyone&amp;rsquo;s wish list for the holidays?&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;What are the 10 things that should be at the top of every organization&amp;rsquo;s wish list for the holidays?&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;1. I wish for a complete BIA (Business Impact Analysis). You have to know what you have before you know how to protect it. I won&amp;rsquo;t dwell on this other than to say that if you answer these four questions, you are working on your BIA: a. What is your most critical data? b. What systems, databases, and applications support that data? c. What regulatory requirements am I required to d. What would the impact on your organization be if that data, or supporting systems, was lost or compromised (and released to the public)?&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: #000000;"&gt;&lt;strong&gt;Read the rest of my Security Week article &lt;a href="http://www.securityweek.com/sky-falling-ten-security-wishes-holidays" title="here" target="_self"&gt;&lt;span style="color: #000000;"&gt;here&lt;/span&gt;&lt;/a&gt;.&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;</description><dc:creator>Jon Heimerl</dc:creator><pubDate>Tue, 13 Dec 2011 14:51:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:79057</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/79057/Is-the-Sky-Falling-Ten-Security-Wishes-for-the-Holidays</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/78889/Is-Your-IT-Infrastructure-Naughty-or-Nice#Comments</comments><slash:comments>0</slash:comments><title>Is Your IT Infrastructure Naughty or Nice?</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/6pZ-O3PCeM4/Is-Your-IT-Infrastructure-Naughty-or-Nice</link><description>&lt;p&gt;Ho ho ho! 2011 has flown by like St. Nick&amp;rsquo;s sleigh.&amp;nbsp; Christmas carols are ringing in the air, and children&amp;rsquo;s thoughts are fixated on Santa Claus and gifts appearing under the tree.&lt;/p&gt;
&lt;p&gt;As one of my favorite Christmas songs, &amp;ldquo;Here Comes Santa Claus&amp;rdquo;, played today, it occurred to me that there are some interesting parallels between Kris Kringle and MSSPs. Before you stop reading this blog and click away, please give me an opportunity to explain.&lt;/p&gt;
&lt;p&gt;According to legend (this is absolute fact if you are under the age of 8), Santa Claus keeps tabs on every little girl and boy in the world, keeping a list of who&amp;rsquo;s naughty and who&amp;rsquo;s nice.&amp;nbsp; The legend goes on to say that elves are deployed in homes all over the world to assist St. Nick with the task of monitoring the children&amp;rsquo;s behavior.&lt;/p&gt;
&lt;p&gt;I picture jolly old Santa sitting in his workshop at the North Pole, sipping hot cocoa, as the reports come in from elves all over the world. He makes his list, carefully considering how to treat each individual incident that&amp;rsquo;s recorded. I&amp;rsquo;m guessing that he keeps all of these reports for future reference and maybe even does some trending to see how some children are progressing or regressing over time. Even Santa Claus has compliance concerns.&lt;/p&gt;
&lt;p&gt;&lt;img id="img-1323443930082" src="http://blog.solutionary.com/Portals/41964/images/90796_male_elf.jpg" border="0" alt="90796 male elf" width="219" height="290" class="alignLeft" style="float: left;" /&gt;Similarly, MSSPs like Solutionary deploy log collectors at all of our customer locations to monitor the behavior of applications, databases, operating systems, network devices, firewalls and security systems. We collect logs from all of these, then send those logs off to be analyzed. When we see a device that&amp;rsquo;s demonstrating some bad behavior, analysts in our &lt;a href="http://www.solutionary.com/index/solutions-and-services/managed-security-services.html" title="Security Operations Centers (SOCs)" target="_self"&gt;Security Operations Centers (SOCs)&lt;/a&gt; take remediation steps to address it. We keep running lists and signatures of exploits, malware and malicious hosts, using that data to protect our clients. Also like Santa Claus, we evaluate the incoming log information to help determine whether it indicates something naughty or something nice. Lastly, we retain the log data we receive and use it to provide reporting and forensics.&lt;/p&gt;
&lt;p&gt;Of course, neither of Solutionary&amp;rsquo;s SOCs is located at the North Pole. None of our analysts come sliding down chimneys with presents or sit on shelves in data centers to do the monitoring, and we don&amp;rsquo;t rely on reindeer for transportation. An analogy can only go so far, after all.&lt;/p&gt;
&lt;p&gt;Paraphrasing the words of that jolliest of elves, &amp;ldquo;Secure infrastructure to all, and to all a safe night.&amp;rdquo;&lt;/p&gt;</description><dc:creator>Joseph Blankenship</dc:creator><pubDate>Fri, 09 Dec 2011 14:58:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:78889</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/78889/Is-Your-IT-Infrastructure-Naughty-or-Nice</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/78571/Common-Sense-Security-Logging#Comments</comments><slash:comments>0</slash:comments><title>Common Sense Security Logging</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/1M1buQJ-8x4/Common-Sense-Security-Logging</link><description>&lt;p&gt;The volume of logs produced by security devices, servers, network devices, applications, and databases can be staggering. In the past, our monthly log volume processing statistics were in the millions. Fast forward to today and beyond, and we are talking about processing billions of log messages in a given month for a single organization. Just imagine the size of the log file that is created by a Fortune 500 organization just during the course of normal operations. Now multiply that in times of heavy load, like retail or travel operations over the holidays. Or try to imagine what those logs look like in a crisis such as during an active cyber attack or a DoS attack.&lt;br /&gt;&lt;br /&gt;The key, of course, is to find the proverbial &amp;ldquo;needle in a haystack&amp;rdquo; that we can translate into an actionable alert for our client base. Recently there has been much discussion about log volume, and what type of logs we should be looking at for clients. As you can imagine, many log messages produced by devices are not security-specific messages. 
Fortunately we have created over 80,000 rules within our &lt;a href="http://www.solutionary.com/index/solutions-and-services/activeguard.html" title="ActiveGuard platform" target="_self"&gt;ActiveGuard platform&lt;/a&gt; to help discern between log messages of interest, and those without a direct security implication.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/dougpicotte12.2.11-resized-600.jpg" border="0" alt="dougpicotte12.2.11 resized 600" class="alignLeft" style="float: left;" /&gt;&lt;/p&gt;
&lt;p&gt;To log, or not to log - that is the question&lt;/p&gt;
&lt;p&gt;I would like to mention a few security logging best practices that we have found to be the most effective when searching for that &amp;ldquo;needle&amp;rdquo; in the haystack. We welcome any additional comments you may have regarding this subject.&lt;br /&gt;&lt;br /&gt;Server OS Logging:&lt;br /&gt;&lt;br /&gt;In the case of Windows server OS event logging, we recommend enabling the Security, System, and Application event logs. (Solutionary provides comprehensive device logging configuration guides as part of the service delivery.) If the server is subject to PCI compliance, for example, then the following Audit Policy settings and associated security settings would be recommended:&lt;br /&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Account Logon Events &amp;ndash; Success, Failure&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Account Management &amp;ndash; Success&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Directory Service Access &amp;ndash; Success, Failure&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Logon Events &amp;ndash; Success, Failure&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Object Access &amp;ndash; Success, Failure&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Policy Change &amp;ndash; Failure&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Privilege Use &amp;ndash; Success, Failure&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Process Tracking &amp;ndash; Failure&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;System Events &amp;ndash; Failure&lt;br /&gt;&lt;br /&gt;Keep in mind that server logging requirements may be different for each client depending on their environment and compliance requirements. 
Solutionary works with each client to understand their specific logging requirements, and makes the appropriate logging configuration recommendations.&lt;br /&gt;&lt;br /&gt;Firewall Logging:&lt;br /&gt;&lt;br /&gt;In the world of firewall logging, we are looking at a number of security-specific messages, including, for example, attempts to secure privileged access to the firewall. We are also looking at outbound connections to known bad IPs, as this may be an indication of a potential malware outbreak. There is, however, little to no value from a security perspective in logging the following messages:&lt;br /&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Successful connection creations and deletions&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;UDP connection slot between two hosts created and deleted&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Address translation slots created and deleted&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;ICMP Echo Reply&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;ICMP Host Unreachable&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;ICMP Echo Request&lt;br /&gt;&lt;br /&gt;The bottom line is that it is imperative that the correct logging be configured for each device being monitored. Solutionary has extensive experience in providing the correct logging configurations to effectively find &amp;ldquo;the needle in a haystack&amp;rdquo;, meeting organizational goals, while also meeting any compliance objectives the client may have. I will continue to expand upon this topic in future blogs. I also welcome any additional comments you may have on this subject.&lt;br /&gt;&lt;br /&gt;Until Next Time&lt;br /&gt;&lt;br /&gt;Thanks very much for reading, my friends. 
Until next time, and as always, ride safe, crank up the holiday tunes, and stay secure!&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/1M1buQJ-8x4" height="1" width="1"/&gt;</description><dc:creator>Doug Picotte</dc:creator><pubDate>Fri, 02 Dec 2011 21:31:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:78571</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/78571/Common-Sense-Security-Logging</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/78416/Security-Cookbook#Comments</comments><slash:comments>0</slash:comments><title>Security Cookbook</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/6AEKXW9iE64/Security-Cookbook</link><description>&lt;p&gt;&lt;img id="img-1322665131133" src="http://blog.solutionary.com/Portals/41964/images/1_security_website-templates-resized-600.jpg" border="0" alt="1 security website templates resized 600" width="129" height="129" class="alignLeft" style="float: left;" /&gt;Many of us in the security field most likely pine for a cookbook of security&amp;mdash;a magical tome you could flip through, implement, and magically be more secure. Unfortunately, the complexity of the systems we have created makes such a possibility a distant reality. Despite our best wishes, there is no magical cure-all to fix all of our security woes. However, there are some simple concepts that can be utilized to strengthen your security posture. So, in the spirit of the holidays, I&amp;rsquo;ve chosen three of my favorite security &amp;ldquo;sprinkles.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;1)&amp;nbsp;&amp;nbsp; &amp;nbsp;Deny outbound connections from the DMZ&lt;/strong&gt;&lt;br /&gt;The purpose of the DMZ should be to serve requests from outside the network, whether for email, web, etc. Generally speaking, the computers in the DMZ should not be initiating their own outbound connections, and any such connections would merit scrutiny.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;2)&amp;nbsp;&amp;nbsp; &amp;nbsp;Perform egress filtering&lt;/strong&gt;&lt;br /&gt;We often think of using firewalls to restrict what type of traffic enters the network. However, we should be equally concerned with what is leaving the network. Only traffic destined for sanctioned ports and/or IP addresses should be permitted to leave the network. Additionally, any outbound traffic with a source IP that does not originate within the network indicates possible IP spoofing. Be a good Internet citizen and block such invalid packets from leaving your network.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3)&amp;nbsp;&amp;nbsp; Restrict administrator access&lt;/strong&gt;&lt;br /&gt;Administrator access should be granted with discretion. This includes local administrator access on a Windows machine. Being lax with administrative access may reduce some support overhead, but the risk due to malware infection and other compromises increases.&lt;/p&gt;
&lt;p&gt;Feel free to share some of your own security &amp;ldquo;sprinkles&amp;rdquo; with us via the comments. Happy Holidays!&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/6AEKXW9iE64" height="1" width="1"/&gt;</description><dc:creator>Vincent Ragosta</dc:creator><pubDate>Wed, 30 Nov 2011 14:54:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:78416</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/78416/Security-Cookbook</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/78318/The-Common-Sense-App-has-been-removed-from-the-App-Store#Comments</comments><slash:comments>0</slash:comments><title>The Common Sense App has been removed from the App Store!</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/p-38T_ugDyA/The-Common-Sense-App-has-been-removed-from-the-App-Store</link><description>&lt;p&gt;Security can be a complex business, but oftentimes it boils down to good old-fashioned common sense. It's never a good thing to implicitly trust anything or anyone; I don't care what type of business! Any business can be hacked! Shocking, I know (stay with me, this gets better, I hope). But one thing I have found is that people sometimes compromise their own good security principles because they completely trust that business. But sometimes companies we do trust don't practice common-sense security, and that&amp;rsquo;s when it&amp;rsquo;s even more bizarre.&amp;nbsp; Let&amp;rsquo;s illustrate both of these principles in action.&lt;/p&gt;
&lt;p&gt;&lt;img id="img-1322517249094" src="http://blog.solutionary.com/Portals/41964/images/applicationsecurity-resized-600.jpg" border="0" alt="applicationsecurity resized 600" width="185" height="184" class="alignLeft" style="float: left;" /&gt;Recently, a friend of mine &amp;ndash; we shall call him Ohsnap &amp;ndash; looked at his credit card and noticed a bunch of fraudulent charges. Ohsnap investigated and realized that all the fraudulent charges were tied to his Apple iTunes account, which somebody had used to purchase apps. So he did the usual things: he canceled his credit card, canceled his iTunes account and started the grieving and anger management process. I, being in the security business, got the inevitable call: HOW DID THIS HAPPEN TO ME?!?!?!?!?!?!?&lt;/p&gt;
&lt;p&gt;(Note* Before any Apple fan boys jump all over me, Google search for Apple, iTunes, Account, Hacked, Compromised, and you can read about account compromises and malicious apps for hours&amp;hellip;many of which are on Apple&amp;rsquo;s own forums) See:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.tuaw.com/2011/06/08/itunes-fraud-surge-hits-gift-card-balances-paypal-accounts/" title="http://www.tuaw.com/2011/06/08/itunes-fraud-surge-hits-gift-card-balances-paypal-accounts/" target="_self"&gt;http://www.tuaw.com/2011/06/08/itunes-fraud-surge-hits-gift-card-balances-paypal-accounts/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.appleinsider.com/articles/11/01/07/hacked_apple_itunes_accounts_sell_in_china_for_pennies_on_the_dollar.html" title="http://www.appleinsider.com/articles/11/01/07/hacked_apple_itunes_accounts_sell_in_china_for_pennies_on_the_dollar.html" target="_self"&gt;http://www.appleinsider.com/articles/11/01/07/hacked_apple_itunes_accounts_sell_in_china_for_pennies_on_the_dollar.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.consumeraffairs.com/computers/apple_itunes.html" title="http://www.consumeraffairs.com/computers/apple_itunes.html" target="_self"&gt;http://www.consumeraffairs.com/computers/apple_itunes.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;As a side note, while there are certainly documented cases of fraudulent apps (even some shockingly admitted by Apple) which have caused account compromises, I'm sure Apple doesn't want to acknowledge that apps can be dangerous, bad for business, but it's definitely an issue. A couple of interesting things surfaced as we started investigating the vulnerabilities. First, by and large, Apple passive-aggressively blames the user and directs them to change their passwords in the stock form letter you get, advising you to check for viruses and heavily implying that the cause of all of your woes was the fact that your own computer was hacked. I get that. I'm sure, by and large, a good guess would be that the majority of account compromises come from compromised PCs or Macs and hopefully, the least amount are coming from malicious apps. But that&amp;rsquo;s where Apple really stumps me on the common sense meter.&lt;/p&gt;
&lt;p&gt;If someone has hacked your iTunes account, either via your PC or an app, then guess what? They probably have access to your iTunes account! Especially if it came through your PC! Many of the malicious apps seem to be apps that abuse the in-app purchase process to fraudulently purchase apps, so it&amp;rsquo;s not clear if they&amp;rsquo;re actually accessing your credentials or just using your already established iTunes login.&lt;/p&gt;
&lt;p&gt;So, one of the most logical first steps to help preserve your private information and credit card or PayPal account is to disable your iTunes account, but at some point you will want to re-enable your iTunes account. Probably. This sounds logical, or maybe you don't, and you want to go try someone else&amp;rsquo;s service. Apple lets you know when you disable your account that to re-enable your account here is what you have to do:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;When you wish to re-enable it, please reply to this email with the following information:&lt;/em&gt;&lt;br /&gt;&lt;em&gt;1) The complete billing address listed on the account, and&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;2) One of the following:&lt;/em&gt;&lt;br /&gt;&lt;em&gt;- The order number of your most recent authorized purchase&lt;/em&gt;&lt;br /&gt;&lt;em&gt;- The name of any item you've purchased using this iTunes account&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Ok that&amp;rsquo;s great. But if a hacker has access to someone&amp;rsquo;s iTunes account and clicks on Store - View My Account every single thing they ask for is on that one page! Think about that. I'm a hacker. I steal someone&amp;rsquo;s account. Mr. User disables the account. As the hacker, in all of 1 second I can capture all the required information from Apple to re-enable the account.&lt;/p&gt;
&lt;p&gt;Really! COME ON MAN!&lt;/p&gt;
&lt;p&gt;As a security geek, I think their process is actually really astonishing. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;The funny thing about Ohsnap&amp;rsquo;s situation is that he did have a pretty bad password. He knew better, but rationalized that because this was Apple they are secure (It's Apple!!!) and because he frequently logs in from his iPhone or iPad, he wanted something somewhat easy to type. Who wants to type in a 12-digit password with specials, numerics and lower and upper case on an iPhone frequently? Because that extra 3 seconds is a real kick in the pants, right? So he made the boneheaded move and kept his password iPhone-friendly. Still, his password wasn't something that would be guessed and odds are it was stolen by some other means, so, really, if it was even 50 characters it wouldn't have mattered so much (a theme you see echoed repeatedly when reading about Apple account compromises).&lt;/p&gt;
&lt;p&gt;So I decided to conduct a highly scientific statistical analysis of a dozen, or maybe it was more (certainly enough to make a statistician roll over in his grave) like 15, people at my local 5pm happy hour for my thorough blog research. Guess what? The majority of people who used an iPhone admitted that their iTunes password was significantly weaker than most of their other passwords. And again, none of them felt worried by it because it was with Apple, and none of them had ever heard of Apple getting "breached" or having issues.&lt;/p&gt;
&lt;p&gt;Trust can be a bad thing and can make people quickly and easily stop using basic common sense security.&lt;/p&gt;
&lt;p&gt;In this day and age of high-tech security, good security does often boil down to common sense (Apple seems to need a small dose of it). Don't trust Big Brother to protect you, and don't compromise your own security because 3 seconds is too valuable to you. Just play one less Call of Duty match tonight and you'll have saved all the time it takes to use a complex password for the rest of 2011 &amp;amp; 2012 &amp;amp; 2013.&lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/p-38T_ugDyA" height="1" width="1"/&gt;</description><dc:creator>Court Little </dc:creator><pubDate>Mon, 28 Nov 2011 21:47:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:78318</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/78318/The-Common-Sense-App-has-been-removed-from-the-App-Store</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/78156/Happy-Thanksgiving#Comments</comments><slash:comments>1</slash:comments><title>Happy Thanksgiving! </title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/8H1vJXYEIzo/Happy-Thanksgiving</link><description>&lt;p&gt;&lt;img id="img-1322077531145" src="http://blog.solutionary.com/Portals/41964/images/thanksgiving_turkey-resized-600.jpg" border="0" alt="describe the image" class="alignCenter" style="display: block; margin-left: auto; margin-right: auto;" /&gt;From,&lt;/p&gt;
&lt;p&gt;Solutionary Minds &lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/8H1vJXYEIzo" height="1" width="1"/&gt;</description><dc:creator>Solutionary Marketing</dc:creator><pubDate>Wed, 23 Nov 2011 19:44:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:78156</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/78156/Happy-Thanksgiving</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/77933/Hardening-Applications-Is-Not-That-Hard#Comments</comments><slash:comments>0</slash:comments><title>Hardening Applications Is Not That Hard</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/n4CR52GGGH4/Hardening-Applications-Is-Not-That-Hard</link><description>&lt;p&gt;Recently, I had the pleasure of working with an organization doing a terrific job at hardening their network against attacks.&lt;/p&gt;
&lt;p&gt;Servers locked down. Check!&lt;/p&gt;
&lt;p&gt;Routers and switches secured. Check!&lt;/p&gt;
&lt;p&gt;Clear-text protocols disabled. Check!&lt;/p&gt;
&lt;p&gt;Applications secured. Whoops!&lt;/p&gt;
&lt;p&gt;Company policies dictated strict adherence to National Institute of Standards and Technology &lt;a href="http://www.nist.gov" title="(NIST)" target="_self"&gt;(NIST)&lt;/a&gt; guidelines for hardening infrastructure, operating systems, and effective and secure use of protocols. This is a good start and helped the organization build secure software images for many of their desktop and server deployments.&lt;/p&gt;
&lt;p&gt;However, after closer review, the organization had issues with deploying applications with the same amount of rigor.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;img id="img-1321645353928" src="http://blog.solutionary.com/Portals/41964/images/web-application-security_0-resized-600.jpg" border="1" alt="web application security" class="alignLeft" style="float: left;" /&gt;&lt;/strong&gt;Why?&lt;/p&gt;
&lt;p&gt;Perhaps they did not pay as much attention to build and deployment standards for the critical applications they implemented. No policies or procedures were developed to ensure applications undergo the same meticulous method of prepping for deployment as the operating systems are subject to.&lt;/p&gt;
&lt;p&gt;The point?&lt;/p&gt;
&lt;p&gt;The organization took a lot of time to put together a great program for hardening infrastructure but forgot to include guidelines for secure application deployment.&lt;/p&gt;
&lt;p&gt;That sounds complicated, you say? In some cases it can be, but in many cases it is just as simple as asking. Many software vendors have already addressed security, at least to some extent, and developed secure configuration guides for their customers.&lt;/p&gt;
&lt;p&gt;Contacting your vendors and asking if they have guides to ensure applications are configured and deployed securely can significantly reduce vulnerabilities in your environment. And, this isn&amp;rsquo;t just application settings, but may also include configuration guidelines for supporting servers, databases, firewalls, and other associated systems.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Some good guidelines to follow:&lt;/strong&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Ensure corporate policies include directives for hardening applications.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Consult your software vendors to determine if they can provide a secure configuration or hardening guide&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Ask vendors about secure configuration guidelines before purchasing their product&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Ask vendors how they handle distributing updates addressing vulnerabilities found in their applications&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Helpful links:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://csrc.nist.gov/publications/PubsSPs.html" title="http://csrc.nist.gov/publications/PubsSPs.html" target="_self"&gt;http://csrc.nist.gov/publications/PubsSPs.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.nsa.gov/applications/search/index.cfm?q=secure%20configuration" title="http://www.nsa.gov/applications/search/index.cfm?q=secure%20configuration" target="_self"&gt;http://www.nsa.gov/applications/search/index.cfm?q=secure%20configuration&lt;/a&gt;&lt;/p&gt;
&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/n4CR52GGGH4" height="1" width="1"/&gt;</description><dc:creator>Rob Kraus</dc:creator><pubDate>Fri, 18 Nov 2011 19:26:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:77933</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/77933/Hardening-Applications-Is-Not-That-Hard</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/77784/Raising-Your-Personal-Defenses-Against-Credit-Card-Fraud-and-Identity-Theft#Comments</comments><slash:comments>0</slash:comments><title>Raising Your Personal Defenses Against Credit Card Fraud and Identity Theft</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/t7YPilDvBJE/Raising-Your-Personal-Defenses-Against-Credit-Card-Fraud-and-Identity-Theft</link><description>&lt;p&gt;&lt;strong&gt;Active and Passive Monitoring are Critical in Your Defense Against Credit Card Fraud and Identity Theft&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I normally write about organizational security, but this is as good a time as any to be selfish and talk about us consumers. After all, it is the holiday season, and credit card use is up. People are out more often, using their cards in public, and online shopping is expected to rise again. So, do credit cards give us pause?&lt;img src="http://blog.solutionary.com/Portals/41964/images/PCI-Compliance-Questions-To-Ask-resized-600.jpg" border="0" alt="PCI Compliance Questions To Ask resized 600" class="alignLeft" style="float: left;" /&gt;&lt;/p&gt;
&lt;p&gt;Identity theft. Credit card fraud.&lt;/p&gt;
&lt;p&gt;It seems, these days, like we should not be talking about &amp;ldquo;if&amp;rdquo; we are a victim of credit card fraud as much as &amp;ldquo;when.&amp;rdquo; A personal scanner costs less than $100. An attacker can attach a scanner to a smartphone and begin using the card number before the victim even leaves their table at the restaurant. RFID scanners are in the wild. If you have a credit card with an RFID chip, an attacker can simply walk by you and potentially scan your credit card information right out of your purse or wallet, and you will never know. Online stores are attacked, along with banks or clearing houses, and credit card information is stolen. It almost seems like fake scanners are everywhere, and you pretty much have to check every time you buy gas to try to make sure that there is not any extra gear hanging on the pump. Locally, we even had a scanner with a built-in cell phone, so the attacker could get card information from their scanner remotely.&lt;/p&gt;
&lt;p&gt;Read the rest of my Security Week article &lt;a href="http://www.securityweek.com/raising-your-personal-defenses-against-credit-card-fraud-and-identity-theft" title="here" target="_self"&gt;here&lt;/a&gt;. &lt;/p&gt;&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/t7YPilDvBJE" height="1" width="1"/&gt;</description><dc:creator>Jon Heimerl</dc:creator><pubDate>Wed, 16 Nov 2011 15:45:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:77784</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/77784/Raising-Your-Personal-Defenses-Against-Credit-Card-Fraud-and-Identity-Theft</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/77552/What-Me-Worry#Comments</comments><slash:comments>0</slash:comments><title>What, Me Worry?</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/YOBb4UdJHgA/What-Me-Worry</link><description>I am not an obsessive-compulsive worrier.&amp;nbsp; My Grandfather once told me that you have no right to complain about something if you can do something about it. Don&amp;rsquo;t complain about your job; get a new one. Don&amp;rsquo;t complain about the traffic, take the bus, and so on. (Its ok to complain about the weather though, since you can&amp;rsquo;t really do anything about that.) &amp;nbsp;&lt;br /&gt;&lt;br /&gt;Sometimes a little worry is okay. If I am a business, I should be worried about my client data. I should worry that client data is safe and secure. I should worry that corporate data is safe and secure. I should worry that I am making the correct decisions for the organization and any shareholders, and that I am doing the right things to grow the company. I should worry that I have created a safe work environment, free from harassment or discrimination, and free from threats of physical harm. As a business, I should probably worry about a lot. 
&lt;img src="http://blog.solutionary.com/Portals/41964/images/Mad-resized-600.jpg" border="0" alt="Mad resized 600" class="alignRight" style="float: right;" /&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately, businesses really do not have control over some of these things.&amp;nbsp; Yes, the business can obviously make planned business decisions based on business intelligence as well as market and consumer information. And, yes, a business can do much to control its environment to make the business a safe and secure place. But, in the end, the business relies on many things outside of its control. &lt;br /&gt;&lt;br /&gt;The business has no control over a new vulnerability being discovered in Windows, or in Flash, or in Safari. The business has no control over the new exploit that has been distributed that breaks SSL. The business has no control over the new toolkit being distributed by some hacker group. To some extent, the business is at the mercy of the Internet.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;You try to re-establish control in two ways:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;1.&amp;nbsp;&amp;nbsp; &amp;nbsp;First, you understand what exists in your environment. You understand your systems, operating systems, applications, and their associated patch levels. This starts with an asset inventory or Business Impact Analysis. And, you keep up on new patches and updates with every single system, application, and database you have. You have to understand what you have in place and keep track of threats to your environment.&lt;br /&gt;&lt;br /&gt;2.&amp;nbsp;&amp;nbsp; &amp;nbsp;Second, you have to watch your environment. Active monitoring of your external and internal environment does not guarantee you full control, but it improves control over what you have, and it improves intelligence about those systems. Knowing that a new port has opened up on your external firewall is pretty handy. 
Knowing that two systems that never communicated before are suddenly communicating heavily &amp;ndash; that is pretty handy too.&lt;br /&gt;&lt;br /&gt;To help put &amp;ldquo;worry&amp;rdquo; in perspective, for November 11, let&amp;rsquo;s worry about our troops serving overseas, and hope they are safe, so that someday they can come home and complain about the weather or traffic.&lt;a href="http://www.Solutionary.com" target="_self"&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Solutionary Color w tag for Hubspot Landing page.jpg" border="0" alt="describe the image" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/solutionary/bRCt/~4/YOBb4UdJHgA" height="1" width="1"/&gt;</description><dc:creator>Jon Heimerl</dc:creator><pubDate>Fri, 11 Nov 2011 16:28:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:77552</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/77552/What-Me-Worry</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/77492/Metagoofil#Comments</comments><slash:comments>0</slash:comments><title>Metagoofil</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/7ITMcch8VX8/Metagoofil</link><description>&lt;p&gt;&lt;a href="http://blog.solutionary.com/blog/bid/74455/SQL-Injection-Interpreting-the-Metrics" title="Rob Kraus" target="_self"&gt;Rob Kraus&lt;/a&gt; and I presented on the topic of Client Side Attacks at the Hacker Halted Miami conference last week.&amp;nbsp; We had a great time in Miami meeting lots of security folks and listening to many interesting talks.&amp;nbsp; The main reason we had such a great time was that the conference was very well organized and all the personnel working behind the scenes knew how to put on a great conference.&amp;nbsp; Back to my point, our presentation went over well with the audience and we received a lot of positive feedback.&amp;nbsp; However, there was one part of the presentation that drew a lot of attention from the audience.&amp;nbsp; The audience was very interested in a tool we refer to in our presentation called Metagoofil from Edge-Security.&amp;nbsp; Since it was a topic of interest I decided to blog about what this tool is and how we use this tool in our information collection phase of many of our assessments.&lt;br /&gt;&lt;br /&gt;Metagoofil is a metadata analyzer and information collection tool.&amp;nbsp; Right about now you are probably asking yourself what is metadata?&amp;nbsp; Well, Metadata is commonly described as data about data.&amp;nbsp; Many applications store 
potentially sensitive information about the creator of the document.&amp;nbsp; For example, PDF files store a lot of interesting metadata about the author of the document; here are some of our favorite data fields.&lt;br /&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Creation Date &amp;ndash; Date the file was created&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Author &amp;ndash; Author of the document&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Created with &amp;ndash; What application created the original file (PowerPoint, etc.)&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;Produced by &amp;ndash; What application converted the file to a PDF (Foxit PDF Creator)&lt;br /&gt;&lt;br /&gt;So what can an attacker do with this information?&amp;nbsp; With the information collected, the attacker can gather potential usernames and learn what applications users have installed on their computers.&amp;nbsp; The attacker can then craft a very targeted phishing campaign using the information gathered.&amp;nbsp; Metagoofil has the ability to use the Google search engine, which is where the &amp;ldquo;goo&amp;rdquo; in Metagoofil comes from. This is what separates Metagoofil from the other available tools, which extract data from files on an individual basis, making metadata gathering a slow and time-consuming process.&amp;nbsp; Searching through Google greatly simplifies the task of gathering intelligence on a target.&amp;nbsp; Once you have a potential target domain (e.g., www.microsoft.com), Metagoofil performs several Google queries looking for specific file types.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&amp;nbsp;&lt;img id="img-1320951108425" src="http://blog.solutionary.com/Portals/41964/images/Jose11.10-resized-600.jpg" border="0" alt="Jose11.10 resized 600" class="alignLeft" style="float: left;" /&gt;&lt;/p&gt;
&lt;p&gt;Using the results from the Google queries, Metagoofil then downloads all the files found and performs metadata extraction on each of them.&amp;nbsp; After the metadata has been collected, the tool creates a report that lists identified users, e-mail addresses, software found, and servers found.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;img src="http://blog.solutionary.com/Portals/41964/images/Jose11.10.11-resized-600.jpg" border="0" alt="Jose11.10.11 resized 600" class="alignLeft" style="float: left;" /&gt;&lt;/p&gt;
&lt;p&gt;This information can be invaluable in planning follow-up attacks, including targeted technical attacks and social engineering attacks.&amp;nbsp; Metagoofil saves a great deal of time and is a great addition to a penetration tester&amp;rsquo;s toolkit, especially in the information reconnaissance phase of assessments.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><dc:creator>Jose Hernandez</dc:creator><pubDate>Thu, 10 Nov 2011 18:38:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:77492</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/77492/Metagoofil</feedburner:origLink></item><item><comments>http://blog.solutionary.com/blog/bid/77337/Balancing-Risk-and-Reward-in-Information-Security-Are-you-Willing-to-Spend-X-to-Avoid-Y#Comments</comments><slash:comments>0</slash:comments><title>Balancing Risk and Reward in Information Security: Are you Willing to Spend X to Avoid Y?</title><link>http://feedproxy.google.com/~r/solutionary/bRCt/~3/bk3JnmbX0W8/Balancing-Risk-and-Reward-in-Information-Security-Are-you-Willing-to-Spend-X-to-Avoid-Y</link><description>&lt;p&gt;Balancing Risk and Reward in Information Security:&amp;nbsp;Are you Willing to Spend X to Avoid Y?&lt;br /&gt;My daughters tell me that I am too careful and I over-think decisions. I research a car before buying, and build a spreadsheet that includes things like warranties and total cost of ownership for a year. I think, however, that I am just practical.&lt;/p&gt;
&lt;p&gt;We make decisions every day, balancing risk and reward, deciding on a particular course of action. Much of the time, we make decisions unconsciously. You decide to speed, accepting the increased risk of accidents and tickets. You decide to eat that fast food burger, accepting the health risks. You decide to smoke, accepting the risk that it causes cancer and a host of other illnesses. The forecast says that it might rain, so you throw an umbrella in the car. Me? I bought a half dozen umbrellas just so I could keep at least one in each car, and another couple in the closet, just in case. Call me risk averse.&lt;img id="img-1320765069765" src="http://blog.solutionary.com/Portals/41964/images/risk-and-reward-resized-600.jpg" border="0" alt="risk and reward resized 600" width="296" height="197" class="alignLeft" style="float: left;" /&gt;&lt;/p&gt;
&lt;p&gt;Information security is the same way. In the end, how good your security is comes down to your risk management strategy: how well you identify, and then manage, risk and potential risk in your environment. The real question about risk is &amp;ldquo;how can something hurt me?&amp;rdquo; The real question about managing risk is &amp;ldquo;how many resources (time, energy, hours, focus, funds, etc.) am I willing to spend to make the risk hurt less, and, of course, how much less pain am I willing to tolerate?&amp;rdquo; This is a risk/reward model, or maybe cost/benefit, and it often boils down to ROI. Are you willing to spend X to avoid Y?&lt;/p&gt;
&lt;p&gt;You can handle risk management in several ways:&lt;/p&gt;
&lt;p&gt;1. Accept risk. Determine that the risk of something happening is acceptable, and that if &amp;ldquo;the bad thing&amp;rdquo; happens, it is okay. I continue to accept the risk that my stupid Sunbeam toaster will burn my toast about 30% of the time. Eventually, I will refuse to accept this risk any longer, and buy a new toaster. But for now, I accept the consequences: either I remain vigilant enough to pop up my toast, or I have to throw in another slice of bread.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Read the rest of my article at &lt;a href="http://www.securityweek.com/managing-risk-are-you-willing-spend-x-avoid-y" title="SecurityWeek.com" target="_self"&gt;SecurityWeek.com&lt;/a&gt;.&lt;/strong&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><dc:creator>Jon Heimerl</dc:creator><pubDate>Tue, 08 Nov 2011 15:07:00 GMT</pubDate><guid isPermaLink="false">f1397696-738c-4295-afcd-943feb885714:77337</guid><feedburner:origLink>http://blog.solutionary.com/blog/bid/77337/Balancing-Risk-and-Reward-in-Information-Security-Are-you-Willing-to-Spend-X-to-Avoid-Y</feedburner:origLink></item></channel></rss>

