There probably isn’t a more consistent theme we write about than the alignment of IT security with business goals: Understand your business first, then build your security empire to support and protect the business; lofty goals and heady stuff for sure.
I’m as guilty as anyone of writing stuff centered on the notion of alignment. But maybe that’s too abstract a notion? Maybe it’s the word “goals” that’s off? Maybe we should be writing about the alignment of security with business mandates? The goal of the majority of, if not all, businesses is to make money. And IT security leaders certainly don’t call the shots inside an enterprise. You’re told what to do, what to buy and when to buy it. If your CIO or CFO says your top priority is SOX compliance, guess what’s at the top of your to-do list every day?
It’s easy for journalists or industry experts, like last week’s panel at InfoSecWorld, to wedge ourselves onto a lofty perch atop that ivory tower and pontificate about what those who hold actual enterprise security management titles should be doing with their programs, policies and buying decisions. But how often is it realistic for a CISO to march into the CFO’s office, stomp their feet and hold their breath until they turn blue or until the CFO signs off on a major overhaul of the perimeter security investments someone else made 10 years ago?
Ideally, those things should be overhauled because they don’t work anymore. But the Titanic couldn’t turn on a dime 100 years ago, and neither does big business today. Other priorities that make money get the attention of business decision makers before budgeting for the latest and greatest security widget is stamped “approved” by the CFO or CEO.
Taking shots at security managers who are handed a budget that essentially maintains the status quo does nothing to advance the industry. Taking shots at security managers who have no choice but to listen to auditors first does nothing to advance the industry.
Ideally, yes, alignment of security and business goals is awesome. You do need to know how and why your business makes money. You do need to prioritize your efforts in that direction. You do need to understand who your adversaries are and what tactics they’re using to penetrate your defenses. But at the end of the day, if your boss tells you to do something that keeps you from being idealistic, that doesn’t necessarily mean you’re not a leader or not a good security manager. It just means you’re employed.
BOSTON — Privacy is a fog rolling in over the land. That’s how Jeff Northrup, IT director of the International Association of Privacy Professionals, described personal information privacy during his presentation at the SecureWorld conference last week. The fog is thick over some countries, especially in Europe, and rather light over the U.S., but that will change soon. Northrup advised IT professionals in the U.S. to draw a map through the fog now to avoid crashing into problems and penalties later.
Evidence of a rapidly changing data privacy landscape is plentiful. The Obama administration just released its U.S. Privacy Bill of Rights, which would grant individuals more control over how their information is collected and managed, and increase transparency in privacy policies. Many observers believe it has a good chance of becoming law. Also, the FTC recently slapped Google and Facebook with penalties after users complained of privacy abuses; Google will now undergo 20 years of independent privacy audits, and Facebook may face similar chastisement from the FTC.
These incidents are just a few of the signs that security professionals need to amp up privacy projects before their organizations run afoul of current or future U.S. data privacy laws. Where to start? Northrup suggested organizations take an inventory of every piece of personal information they collect, and note why it is collected and where it is stored. This can be a daunting task, but many organizations already have some of the pieces in place as part of their compliance programs or DLP projects. Any information that does not have a clear business purpose (and the marketing team’s desire to send email blasts to a million relative strangers does not count as a “business purpose”) should be deleted or stored only on an as-needed, transient basis.
By taking steps toward greater transparency and giving users more control over how their information is used, organizations will be better prepared to navigate out of the fog.
Another day, another security information and event management vendor acquired. Well, OK, the deals aren’t that frequent, but standalone SIEM vendors have become popular acquisition targets. On Tuesday, TIBCO Software announced that it inked a deal to acquire SIEM vendor LogLogic.
Last fall, IBM bought SIEM vendor Q1 Labs and McAfee acquired NitroSecurity. SolarWinds, an IT management software company, bought TriGeo, a SIEM provider that targeted midsize companies. In 2010, HP bought ArcSight and Trustwave acquired Intellitactics.
The TIBCO-LogLogic deal is a bit unusual – TIBCO is an integration software company and an unfamiliar entity in the security market. Palo Alto, Calif.-based TIBCO said the deal will expand its operational intelligence offerings while giving customers the ability to monitor threats, assess risks and address threats. The company is also describing the deal as a big data play.
“Enterprises must be able to analyze big data, including machine data generated from across their various systems, to gain comprehensive, real-time insights into critical business questions relating to compliance, security and operations,” the company said. “LogLogic will build upon TIBCO’s proven capabilities in event processing and in-memory analytics.”
San Jose, Calif.-based LogLogic touts its ability to provide SIEM and log management capabilities in a single architecture.
SIEM suppliers such as HP and IBM have been talking up the technology’s future as providing analytics and a comprehensive view of an organization’s threat environment. Time will tell if their efforts – and now TIBCO’s – will pan out.
It’s becoming a pretty safe bet that the reported Global Payments credit card security breach isn’t the only big breach out there. Visa and MasterCard, without naming Global Payments, reported a payment processor had been popped between Jan. 21 and Feb. 25. Global Payments Chairman and CEO Paul Garcia, however, said yesterday that his company discovered the hack in early March and that’s when it reported the breach to law enforcement and hired outside security help.
Likely there’s another shoe to drop. Brian Krebs has been killing it on this story, and he wrote yesterday on his blog and was quoted in an ABC News story that his initial report that 10 million payment records had been stolen could have been about a breach at another processor that has not been disclosed yet. Only 1.5 million have been attributed to the Global Payments breach so far.
Clearly, we’re not past the big data breach. Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.
Over the weekend, Visa and MasterCard delisted Global Payments as PCI compliant, which indicates something nasty is going on with this breach behind the scenes. Maybe there isn’t another processor involved but deeper penetration into Global Payments that isn’t being reported until investigators say so. Martin McKeay, a former PCI QSA, has a good blow-by-blow of what happens to card data from the time it’s swiped, and how it moves through merchant and processor networks. There are plenty of places where data is exposed and security can fall down, and processors such as Global Payments have to continuously check these access and egress points, not just when it’s time for the PCI auditor to show up.
Other processors have been delisted: Heartland Payment Systems and RBS WorldPay in 2009, and CardSystems in 2005, which went out of business soon after. Global Payments said the reported breach has been contained and no fraudulent transactions have been reported. It says only Track 2 data was stolen, which it described as account numbers and encrypted PINs; Track 2 carries the primary account number, expiration date and service code, but not the cardholder name, which lives on Track 1. Yet there’s a specter hanging over this story and Global Payments. Chances are, they’re not out of the woods yet, and should it fall, a la CardSystems, it’s another reminder that basic security measures still count, and hiding in the weeds hoping not to get hacked is a fool’s errand.
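Checking egress points for card data, as the paragraph above says processors should do continuously, means being able to recognize Track 2 records when they show up where they don’t belong. The following Python is an added example, not code from Global Payments, Visa or any processor: it finds ISO 7813 Track 2 records in a payload, drops hits that fail the Luhn check, and reports the PAN masked to BIN and last four so the alert itself doesn’t leak card numbers. The sample payload is constructed, and the PANs are the well-known test numbers 4111111111111111 and 5555555555554444, not real accounts.

```python
"""Detect ISO 7813 Track 2 card data in outbound content (added example)."""
import re

# Track 2 layout: start sentinel ';', PAN (up to 19 digits), field separator '=',
# YYMM expiry, 3-digit service code, optional discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[0-9=]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check; filters out most random digit runs that match the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, which is what an analyst
    needs to triage the alert without the alert becoming another leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(payload: str) -> list:
    """Return one finding per Luhn-valid Track 2 record in payload."""
    findings = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue            # regex hit, but not a plausible card number
        exp = m.group("exp")
        findings.append({
            "pan_masked": mask_pan(pan),
            "expiry": f"20{exp[:2]}-{exp[2:]}",   # YYMM -> YYYY-MM
            "service_code": m.group("svc"),
            "offset": m.start(),
        })
    return findings


if __name__ == "__main__":
    # Constructed egress sample: a form body carrying two real-looking track
    # records and one decoy that matches the layout but fails Luhn.
    sample = (
        "id=42&data=;4111111111111111=2512101123456789?&"
        "junk=;1234567890123456=2512101?&"
        "more=;5555555555554444=2701201?"
    )
    for finding in find_track2(sample):
        print(finding)
```

In practice this sits on a TLS-terminating proxy or a DLP sensor at the egress points the post mentions, and the Luhn filter is what keeps it from paging someone on every 16-digit order number; discretionary data is deliberately not surfaced in the finding, since on some cards it carries verification values.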
ORLANDO – If you’re currently evaluating mobile device management software you may want to stop and instead conduct a thorough assessment to figure out your exact requirements before making that investment. In fact, two security experts at the 2012 InfoSec World Conference and Expo here in Orlando say some enterprises may not have an immediate need to buy a mobile device management (MDM) platform. In-house capabilities, such as Microsoft Exchange ActiveSync (EAS), provide a foundation for mobile device protection and can already use certain Apple iOS and Google Android device security features.
There’s a trade-off, explained Lisa Phifer, owner and consultant of Core Competence Inc. EAS is severely limited in the control it provides to employee-owned devices. If all the organization needs is to enforce password and PIN length and have remote wipe capabilities for iOS devices, it works. Android capabilities are even more restricted, Phifer said. Depending on the Android firmware version and the carrier limitations placed on devices, companies may have the ability to use EAS for remote wipe, resetting the device to the factory default condition and enforcing the use of a device password.
During a session here in Orlando, Phifer and Diana Kelley, a consultant with Security Curve, demonstrated mobile device platforms from AirWatch and Fiberlink. The two platforms are two of dozens from mobile device management vendors vying for the attention of enterprises looking to gain visibility and control, and some semblance of security, over the whole bring your own device (BYOD) movement.
Kelley said early adopters of MDM platforms sometimes are convinced to buy and deploy it, but then suddenly realize they don’t know how to manage the tool or exactly what they want to get out of it. These enterprises sometimes lack any formal mobile device security policies or sometimes they’re mismatched, she said. Senior-level executives have few restrictions on their devices, while sales staff and other employees are given device limitations. Ultimately, an attacker will find a weakness, she said.
So what exactly are the benefits of an MDM platform? MDM tools can help bring those policy mismatches in line by determining which users require the most restrictions based on their role. They provide a common management umbrella for device diversity; they typically can embed additional security capabilities onto the device such as a third-party VPN, antimalware or a secure data container. They can also help monitor and enforce security policies – but those policies have to be well defined and communicated to employees, Kelley said. Let people know what the penalty is for violating that policy.
MDM platforms can also create a framework for the enterprise to provide troubleshooting, support and expense management capabilities. Self-service portals controlled by the enterprise enable employees to use certain trusted apps.
I think Phifer summed up mobile security well: It’s about managing the corporate assets on the device, not necessarily the device itself.
This week I was researching the current state of the SIEM market, and I was pleasantly surprised to see the progress that has been made in many SIEM products.
If you’d asked me about SIEM products a few years ago, I would have said they were irritable, accident-prone giants. They took up a lot of time and money as administrators struggled to customize their policies and clean up the messes made from too many false positives.
But this week I found out the giants have grown up and calmed down. Administrators say the interfaces and wizards are a lot easier to use, and automated threat responses have become more reliable, doing the job they were meant to do.
They’ve scaled down, too. SMBs are finally able to take advantage of SIEM functions with lower-priced products (albeit with lower capacity, too). Other SMBs are getting their SIEM benefits through managed services.
Of course, there’s still plenty of room for improvement. Jessica Ireland, an analyst at Info-Tech Research Group, says vendors are working to integrate SIEM with GRC and security infrastructure products. If they succeed, they will go a long way toward helping us react to threats ever faster and more precisely.
I hope SIEM vendors will proceed with caution and not let SIEM platforms get out of hand again by trying to do too much. I’d hate to see those cumbersome giants come back.
Cloud computing breaches are a topic that often comes up in conversations at conferences. Organizations need to prepare for the complications that will come if their cloud provider is breached, legal experts warn. However, there’s little data on breaches involving cloud providers, at least not publicly.
The 2012 Verizon Data Breach Investigations Report (DBIR) tries to offer some insight on cloud computing breaches. The company – which expanded its cloud services by acquiring Terremark last year — notes there are many definitions for what constitutes cloud, making it difficult to figure out how cloud computing factors into data breaches. But in an interview, Christopher Porter, a principal with Verizon’s RISK team, told me the DBIR defines the cloud as something that’s externally located, externally managed and externally owned.
“In the past year, there were several breaches of externally hosted environments that weren’t managed by the victim,” he said. “We didn’t see any attacks against hypervisors. It’s really more about giving up control of your assets as opposed to any technology specific to the cloud.”
For cloud proponents, the DBIR’s observation was proof that cloud computing services are secure. However, cloud computing risks involve more than the hypervisor. Giving up control of your assets – and not controlling the associated risks, as Verizon notes – is what makes organizations queasy about cloud services.
According to the Verizon DBIR, 26% of breaches involved externally hosted assets, while 80% involved internally hosted assets (the categories overlap, since a single breach can involve both). Forty-six percent of breaches involved externally managed assets (compared to 51% internally managed assets). The report notes this is the third year the company has seen an increase in the proportion of externally hosted and managed assets involved in data breaches. Porter said the increase is mostly due to economic issues; more organizations are moving to the cloud for the cost savings.
Social networking security threats have taken a back seat to mobile security and targeted attacks directed at corporate networks in recent years. But there is news of two new Facebook attacks targeting users to spread spam and malware, and ultimately steal personal information, including account credentials.
A rogue Facebook application that lures the victim into using it to discover who has viewed their Facebook profile has been detected on the social network. The application asks permission to access the profile and, once granted, it begins posting to the victim’s wall without explicit permission, according to security firm Sophos.
The second Facebook attack is targeted at Brazilian users of Facebook. It uses malicious Google Chrome extensions that it presents as a tool to change the Facebook profile color or provide virus removal. Like the attack documented above, the tool can gain full control of the victim’s Facebook account, posting messages to spread spam and malware, according to a researcher at Kaspersky Lab.
The attacks are a reminder that enterprises need to have a social networking policy in place and should educate users about phishing and other threats designed to gain access to their Facebook account. If cybercriminals are attempting to steal account credentials from Facebook users, it’s very likely that a certain percentage of pilfered passwords are used for multiple accounts, including access to the victim’s corporate network.
Tom Cross, manager of threat intelligence and security on IBM’s X-Force team, told me it’s likely that well-funded and organized cyberattackers use social networks to design targeted social engineering attacks against enterprises. “You could get a comprehensive picture of an organization,” Cross said, by just examining an employee’s Facebook profile.
In addition, IBM’s 2011 X-Force Trend and Risk report, issued last week, found automated attacks moving to social networking platforms. “Frauds and scams that were successful years ago via email found new life on the social media forums,” according to the report. Attackers are designing phishing campaigns, typically phony friend requests, made to look like they were sent from social networks.
Malicious activity on Facebook is being constantly monitored by security vendors and Facebook’s internal security team, but attackers are still slipping through. Last October, Facebook released security data that shed light on malicious activity on the network. The company said it classifies 4% of the content shared on Facebook as spam. Of the spam, a tiny percentage is being used to direct users to malicious websites. Facebook says one in 200 users experience spam on any given day.
The most telling of all the statistics released by Facebook: About 0.06% of the more than 1 billion Facebook user logins each day are compromised. That means roughly 600,000 Facebook user accounts are compromised each day. Facebook doesn’t define a “compromised account,” but acknowledged to Ars Technica that the statistic stems from accounts that are blocked if Facebook is not confident that the true owner logged in. They were likely the victim of a phishing scam, the Facebook spokesperson said.
Few people probably realize that Facebook offers a one-time-password service to users as well as an ID verification service that will send a text message to verify that the user login is genuine. Websense is one of several security vendors that partners with Facebook to provide URL filtering. The company also sells a Defensio Facebook monitoring service, kind of a content filtering engine that can detect spam and malicious content posted to an account.
Charles Renert, the new head of the Websense Security Labs, told me that most attackers are sticking to email, using it as a lure to send victims to malicious webpages. But phishing is shifting to Twitter, Facebook and other social networking platforms. Malicious links posted on Facebook lure the victim into thinking it’s a popular viral video, but then redirect them to a website hosting malware. Other links are less malicious, but still objectionable, Renert said. They send victims to spam sites peddling porn, pharmaceuticals and other items that the victim didn’t intend to see, he said. “They’re exploiting the trust element,” Renert said.
Those of you clamoring for Internet service providers to get proactive about security and malicious activity on their networks got a win late last week from the Federal Communications Commission. The FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) unanimously adopted its U.S. Anti-Bot Code of Conduct for Internet Service Providers, and most of the leading ISPs signed on.
Known as the ABCs for ISPs, participation is voluntary, but providers who sign on must take “meaningful action” in the education of users in botnet prevention, botnet removal, detection of botnet activity on an ISP network, notification of customers of suspected infections, providing information to customers on how to remediate botnet infections, collaborating with other ISPs around botnet activity, and sharing experiences around the FCC’s code of conduct.
AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, T-Mobile and Verizon agreed to the code of conduct. Their acknowledgement, or concession, of the problem is a nice public step forward here. There have been many arguments pro and con regarding ISPs and security, and countless debates as to whether an ISP should provide a clean pipe.
ISPs clearly are in an optimal position to see malicious traffic, but there’s a slippery slope in choking off what an ISP believes is malicious traffic—what’s the impact on legitimate traffic caught in the crossfire, performance of services and cost, for example? Some ISPs sell security services too, raising conflict of interest issues. And then there are the net neutrality folks who protest an ISP’s ability to restrict access to content or impact network performance by throttling traffic for some and ratcheting it up for others, for example.
The code of conduct solves none of these riddles, but at least it moves the conversation forward without legislation. FCC Chairman Julius Genachowski has been vocal about an industry response to botnets. According to Arbor Networks’ Atlas service, for the 24-hour period starting last Wednesday, there were 951 attacks per subnet carried out over TCP Port 80 (http) and another 284 over TCP Port 445 (used for Microsoft Server Message Block service), accounting for 69% of attacks. Botnets are responsible for denial-of-service attacks, attacks on the DNS infrastructure, Internet routing attacks, spam campaigns and other malware attacks.
ISPs, to their credit, have been better about security. Comcast, for example, has fully implemented DNSSEC for its customers and it is part of the provider’s Constant Guard service. John Schanz, executive vice president of Comcast National Engineering and Technical Operations in Security and Privacy, wrote in a blog post: “The Code recognizes that the entire Internet ecosystem has important roles to play in addressing the botnet threat and ISPs depend on support from the other players like security companies and operating system vendors.” PayPal, Microsoft, Symantec and the Online Trust Alliance also took part in developing the code of conduct.
Nothing in the code of conduct, however, really suggests ISPs do much more today than what Comcast and others are already doing—namely monitor, notify and recommend remediation. ISPs still won’t take meaningful action about botnet removal without being forced to, and that’s a lot of lobbying down the road. Stay tuned.
Cloud outages are always big news – and for good reason, because they usually affect many people. Last month’s Microsoft Azure outage was no exception. But at least Microsoft appears to be trying to learn from its mistakes.
The software giant released detailed findings of its root cause analysis of the Azure outage earlier this month, and said it would use lessons learned from the incident to improve its cloud service. The analysis, posted by Azure engineering team leader Bill Laing, provides a detailed description of the Leap Day bug that triggered the Feb. 28 outage. The analysis was prefaced by an apology and an offer of service credits to customers, and included a description of the steps Microsoft is taking to improve its engineering, operations and communication in the wake of the outage.
“Rest assured that we are already hard at work using our learnings to improve Windows Azure,” Laing said.
Microsoft’s plans include improved testing to detect time-related bugs, strengthening its Azure dashboard, and improved customer communication during an incident.
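Microsoft’s root cause analysis traces the outage to a certificate validity period computed by adding one year to the current date, which has no valid answer on Feb. 29. The Python below is an added example, not Microsoft’s code: it shows the naive calculation failing on a leap day, a leap-aware replacement, and the kind of regression probe that “improved testing to detect time-related bugs” implies. The one-year lifetime and the clamp-to-Feb. 28 policy are assumptions made for illustration.

```python
"""Leap-day-safe validity arithmetic (added example, not Microsoft's code)."""
from datetime import date, timedelta


def naive_one_year(start: date) -> date:
    """The fragile form: keep month and day, bump the year.
    Raises ValueError when start is Feb. 29, because Feb. 29 of the next year
    does not exist."""
    return start.replace(year=start.year + 1)


def safe_one_year(start: date) -> date:
    """Leap-aware form: if the same month/day does not exist next year,
    clamp to Feb. 28 (policy assumed here; using a fixed 365-day timedelta
    is an equally valid choice if a slightly shorter lifetime is acceptable)."""
    try:
        return start.replace(year=start.year + 1)
    except ValueError:
        return start.replace(year=start.year + 1, day=28)


def cert_validity(not_before_iso: str) -> tuple:
    """Return (not_before, not_after) as ISO strings for a one-year certificate
    issued on the given date, using the safe path."""
    not_before = date.fromisoformat(not_before_iso)
    return not_before.isoformat(), safe_one_year(not_before).isoformat()


def naive_path_fails(iso_day: str) -> bool:
    """True if the naive computation would blow up when issued on iso_day."""
    try:
        naive_one_year(date.fromisoformat(iso_day))
        return False
    except ValueError:
        return True


def leap_day_regression(first_year: int, last_year: int) -> list:
    """Probe every Feb. 29 in the range, as a test suite hunting time-related
    bugs would, and return the years on which the naive path fails.
    Non-leap years are skipped because date(y, 2, 29) does not exist."""
    failures = []
    for year in range(first_year, last_year + 1):
        try:
            leap_day = date(year, 2, 29)
        except ValueError:
            continue
        if naive_path_fails(leap_day.isoformat()):
            failures.append(year)
    return failures


def days_until_expiry(not_before_iso: str) -> int:
    """Lifetime in days under the safe policy; 365 for most dates, 365 on a
    leap day as well because of the clamp (366 would require Feb. 29 -> Feb. 29)."""
    nb, na = (date.fromisoformat(s) for s in cert_validity(not_before_iso))
    return (na - nb).days


if __name__ == "__main__":
    print("2012-02-29 naive fails:", naive_path_fails("2012-02-29"))
    print("2012-02-29 safe window:", cert_validity("2012-02-29"))
    print("years where naive path fails 2011-2020:", leap_day_regression(2011, 2020))
    print("lifetime from 2012-03-01:", days_until_expiry("2012-03-01"), "days")
    print("one day later, for comparison:", date(2012, 2, 29) + timedelta(days=1))
```

The regression probe is the part worth borrowing: a test that only runs on whatever today happens to be will pass 1,460 days out of 1,461, which is exactly how this class of bug survives until a leap day.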
Kyle Hilgendorf, principal research analyst at Gartner, said he was impressed with the level of detail in Microsoft’s analysis.
“I encourage all current and prospective Azure customers to read and digest the Azure RCA [root cause analysis],” he wrote in a blog post. “There is significant insight and knowledge around how Azure is architected, much more so than customers have received in the past.”
The 33% service credit offered by Microsoft, he added, is becoming a de facto standard for cloud outages. “Customers appreciate this offer as it relieves both customers and providers alike from having to deal with SLA claims and the administrative overhead involved,” he said.
In a previous blog post, Hilgendorf summarized Azure customers’ concerns after the outage. Customers told him Microsoft’s communication during the outage was lacking; the company needed to be more transparent, and they were looking into options for protecting themselves against future outages.
So while Microsoft is applying lessons learned from the Azure outage, it appears Azure customers got a harsh reminder of the need to plan for service disruption. At last year’s Gartner Catalyst Conference, Richard Jones, managing vice president for cloud and data center strategies at Gartner, advised attendees to prepare for cloud failure by building resilience into their cloud infrastructure and services. Experts have also said organizations need to plan for outages in their cloud contracts.
“Cloud outages are a sad and unfortunate event,” Hilgendorf wrote. “However, if we learn from them, build better services, increase transparency, and guide towards better application design, then we can make something great out of something bad.”