IT Account Monitoring Control with C24

April 29, 2013

By coincidence, Verizon’s Data Breach Investigations Report (DBIR) for 2012 was released this week along with the results of our Privacy Survey. So it’s a good  time for a quick tour of the state of the breach. In reviewing this latest DBIR, much has stayed the same. However, Verizon’s report emphasizes two key points that caught my attention: 80% of breaches could be easily prevented with two-factor authentication; and it still takes months for most breaches to be discovered.

As in past DBIRs, hacking and malware again make it into the top threat categories, and the difficulty level of the hack-craft employed is still very primitive. This is a polite way of saying that vanilla password cracking—guessing or re-using credentials—is by far the most popular way to pass through the security gate. According to Verizon, this particular type of attack accounted for four out of five breaches involving  hacked data.

The solution is, in Verizon’s words, “to overthrow single-factor passwords” with a new king, two-factor authentication. Varonis is also hoping that TFA will gain the throne.

There are some encouraging signs, however. In our just-published Privacy Survey, over 47% told us they use multi-factor authentication for their personal email accounts. If this trend can carry over to corporate email and intranet access, then we may finally see a dip in these low-skill, but still very effective, password-based hacks.  It’s a stat will check again next year.

Another critical point made by Verizon is that companies must think beyond prevention, and come up with a second line of defense involving rapid discovery and response. Prevention is still important, but no security barrier is hack-proof.

They note that for most breaches the lag between the initial hack and the first action is far too long: 67% of incidents take several months to be discovered.  And perhaps even more dispiriting is that companies more often than not—about 70% of the time—find out about breaches through their customers and third parties (law enforcement, government agencies) instead of their own IT departments.

The obvious (and depressing) brick-and-mortar analogy?  A jewelry store owner puts a toy lock on the door, fails to install an alarm system, and then waits for a customer to say that the diamond ring she was interested in is not in its case anymore.

I’ll end this post with a link to the SANS Institute’s security controls, which were mentioned in the DBIR and which we also recommend as well. The Account Monitoring Control is a good starting point in any breach mitigation program.

The principle in account tracking and auditing is simple to state, but practically impossible to implement efficiently with standard techniques: monitor who is accessing file data and alert administrators as soon as unusual patterns of behavior are detected, likely indicating a breach-in-progress.

And by the way, I just happen to know of software that efficiently handles this problem.

Image credit: Paligari

Related articles

1 Comment | Application Hosting, Managed Service Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , | Permalink
Posted by david ricketts

Increasing Militarization Of The Internet

March 6, 2013

The rise of Stuxnet, Flame, Gause, the Olympic Games operations and Shamoon have all shed light on the issue of nation-state driven cyberwarfare and cyberespionage activities. Now that we are in cyberspace, we have another domain for humans to occupy and dominate, according to Ed Skoudis, founder of Counter Hack Challenges.

Skoudis told RSA Conference 2013 attendees that he worries about some of the risks of taking action over the Internet. Many of the nation-state driven activities could have a tremendous impact on the private sector, he said. “It could have a cascading impact,” he said. “It is possible that every cyberaction could cause bigger problems than people think.” Some of the techniques outlined by Skoudis and Johannes Ullrich, chief research officer at the SANS Institute are not new, but they are being ramped up by cybercriminals to become a serious problem.

Here’s a look at the five most dangerous new hacking techniques that concern top security experts Ullrich and Skoudis.

Rise Of Offensive Forensics

Anti-forensics is the process of cybercriminals getting into a targeted environment and hacking the forensics tools themselves. Offensive forensics is taking forensics techniques and analyzing file systems and memory in-depth then combing them for information assets and extracting them.

Mis-Attribuiton

The industrial processes used to build Stuxnet and other malware provides unique fingerprints for malware analysis investigators to categorize it. Coding styles down to machine level language can indicate a specific threat actor. A nation-state backed cybercriminal that doesn’t want to get noticed may place phony clues in malware to shake off investigators, Skoudis said. The catastrophic attack on Saudi Aramco via Shamoon infections on that company’s workstations had some technical information that made investigators think it clearly wasn’t the work of a nation-state. But, researchers at Kaspersky Lab provided evidence linking some specific characteristics to the Flame malware, an cyberespionage attack toolkit.

Computer Attacks Resulting In Kinetic Impact

Historically we have worked to protect PII and PHI, bank records and trade secrets, but companies haven’t had a good track record, Skoudis said. But, attackers are now targeting physical infrastructure such as industrial control systems and SCADA systems.

“Some of it is just mischief, but it could be a harbinger of much bigger things to come,” Skoudis said. “We are rapidly moving into the area where cyberattacks cause kinetic impact.”

Smaller systems are now at risk, such as automobiles, water distribution systems and traffic light control systems, which have buffer overflows, SQL injection flaws and other coding problems that can be exploited, he said. Attackers can infiltrate the devices and gain command and control of the infrastructure.

Large Scale DDoS Attacks

U.S. banks have spent a lot of time investing substantial resources to defend distributed denial-of-service (DDoS) attacks. They are simple and don’t require a lot of resources.

While the attacks are not new, businesses and attackers have been playing a cat and mouse game, said Johannes Ullrich, chief research officer at the SANS Institute, told RSA Conference attendees. Attack tools are getting better at tricking DNS anti-DDoS defenses, he said. Attacks are getting larger, up to over 40 gigabits per second. The attacker only needs 2,000 bots to carry them out, Ullrich said.

Password Breach, Password Leaks

The advice given to organizations is to salt and hash passwords, but the process of salting and hashing only slows an attacker down, Ullrich said. Dedicated password crackers only cost a few thousand dollars, he said. For now user education and better protection of databases that contain passwords is the only answer. Until an alternative to the pass phrase emerge, the problem will persist. Two-factor authentication is expensive and used by only a small percentage of security-minded organizations, Ullrich said. Some experts are looking to the smartphone as an authenticator, but token stealing malware, as evidenced by the Zitmo/Eurograbber Android Trojan, defeats SMS-based tokens and will likely continue to be a target of attacks.

Thanks to The Threat Vector:

http://thethreatvector.wordpress.com/2013/03/05/increasing-militarization-of-the-internet/

 

3 Comments | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , , , , , | Permalink
Posted by david ricketts

Richard Stiennon on Packet Capture

July 30, 2012

by David Gibson

About a decade ago I was fortunate enough to take a course at SANS on using Snort and tcpdump, taught by Stephen Northcutt, Judy Novak, and Marty Roesch. It was hands-down one of the best courses of any kind that I have ever taken and I’d recommend it for anyone remotely interested in network security. (Note to Stephen: It really works. I did actually jump up and down in my hotel room while reciting the tcp flags, and just like you said, I have never forgotten them).

I was reminded of my experience at SANS when I read the Forbes article by Richard Stiennon about the criticality of packet capture (Is Packet Capture Critical? Heck Yes.) Richard discusses how in the aftermath of the RSA breach, with an audit trail of network activity (and the attackers’ encryption keys), “They were able to de-crypt the network traffic they had recorded, leading to sure knowledge of the severity of the breach.”

Unfortunately, not all organizations have adopted fundamental auditing controls for critical infrastructure—network, file systems, email, etc. As an example, in our recent survey on the state of data protection, less than 20% of organizations claimed to monitor all access to critical collaboration infrastructure (File shares and SharePoint). Auditing activity (network and otherwise) represents an enormous opportunity for organizations to not only improve their response to a breach, but to better prevent them (or stop them in action) through automated analysis.

Being without an audit trail is like flying blind. Once I had learned to read and interpret network traffic, I never wanted to be without good auditing again. Not only is auditing an imperative for security, it is a pre-requisite for better management. For example, packet capture is critical for debugging or figuring out what the heck is eating up your bandwidth. On the data side, an audit trial helps figure out what data is active or stale, who (if anyone) is using it, and who it may belong to.

In IT and security, we will always have days where we ask, “What happened?” An audit trail and people that know how to read them are our only hope in being able to know what happened, and our only hope in learning how to prevent it from happening again.

For more information about Varonis please visit http://www.c24.co.uk

Related articles

Leave a Comment » | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , | Permalink
Posted by david ricketts

Follow

Get every new post delivered to your Inbox.

Join 753 other followers