Login  |  Register  |  Contact
Saturday, March 07, 2009

Friday Summary, March 6 2009

By Adrian Lane

With Rich pretty much out of commission this week and my very last minute preparation for Source Boston underway, this week’s post with be a short one. Plus I need to install the current Mac OS X patches and reboot all of the computers in the house. That little bouncing icon is finally going to get it’s way. On that note, has anyone out there ever looked at the viability of polluting the Apple downloads? Every time I click one of these I am always uncertain why I trust it or how I could verify the contents if I really wanted to. But at the moment, that sounds like too much work to investigate. Perhaps I should simply remain happy and ignorant of the process.

Webcasts, Podcasts, Outside Writing, and Conferences:

  • Nothing. Nada. We have been oddly absent.

Favorite Securosis Posts:

Favorite Outside Posts:

  • Adrian: Thank goodness Mike Rothman wrote this, with typical humor and eloquence, to capture the essence of the recent Visa press releases and associated Network World article. We are all trying to decipher what exactly they are telling us, and speculating that there is a lot they are not telling us. No way I could have been this fair and even-handed.
  • Rich: Pass.

Top News and Posts:

Blog Comment of the Week from Stiennon:

One question: Is she a Parrot Head?

Congrats Rich and Sharon!

She will be … we have tickets to go next weekend!

–Adrian Lane

Friday, March 06, 2009

Director of National Cyber-Security Center Resigns

By Adrian Lane

A couple days ago I posted some thoughts on Data Security and the US Government, how I perceive the role of Cybersecurity, and what I suspected would be a difficult challenge as the Cybersecurity team was set up at cross-purposes with the intelligence community. Today the Wall Street Journal released an article on the resignation of National Cybersecurity Chief Rod Beckstrom. In a case of “even a blind squirrel occasionally finds a nut”, my estimate of internal conflict appears to already be going on. In his resignation letter, Mr. Beckstrom stated that the “NSA currently dominates most national cyber efforts” and “The intelligence culture is very different than a network operations or security culture”. The WSJ focuses on privacy and separation of power issues with additional comments from Mr. Beckstrom: “the threats to our democratic process … if all top level network security and monitoring are handled by any one organization”.

The resignation letter has a different feel and focus, pointing out that there was a general lack of support for the NCSC, and the specific ways Beckstrom feels his organizations was subjugated. If you have interest in this subject, you will want to read his resignation letter, as it contains more information. It also lists a couple methods by which the NSA can subtly (sneakily?) affect the effectiveness of Cybersecurity efforts that I did not mention in my post. Quite frankly I am surprised that the National Cybersecurity Center could somehow manage to only get 5 fully funded days of operation, but if true, this demonstrates the challenges faced by NCSC.

This could get ugly unless both sides understand that each organization can benefit the other, and realize the goals and agendas do not necessarily need to be at the expense of each other. Concessions have to be made, otherwise this is an expensive and ugly turf war and the entire security problem- which is quickly becoming a US government security problem- continues to fester.

–Adrian Lane

More on PDF /JBIGS2Decode Issue

By Adrian Lane

Via Slashdot, I just ran across Didier Stevens post on how to automate the JBIG2decode vulnerability in PDF documents. There is a video on the site where he runs through three scenarios to exercise the vulnerability - Manually starting up Reader, viewing a thumbnail PDF, and then automatic execution by simply visiting the page with the malicious document through Windows Explorer Shell Extensions, and shows you the results in the debugger. It’s worth the view.

When you install Adobe Acrobat Reader, a Column Handler Shell Extension is installed. A column handler is a special program (a COM object) that will provide Windows Explorer with additional data to display (in extra columns) for the file types the column handler supports. The PDF column handler adds a few extra columns, like the Title. When a PDF document is listed in a Windows Explorer windows, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info, like the Title, Author.

I also ran across another technical analysis here. As you don’t need to do anything other that drop onto an infected site, this is a pretty serious issue. There is supposed to be a patch available later this month. The more I look at this, the more I think it may be a good idea to disable Reader until there is a patch. There are some instructions on how to do this on the PC Mag site, and some additional information you might find helpful as well.

–Adrian Lane

Source Boston Next Week

By Adrian Lane

I am going to be in Boston Tuesday through Friday at the Source Boston event that runs March 11th through the 13th. I am presenting on Encryption and Enterprise Data Security on Thursday afternoon right after Jeremiah Grossman. This is my first Source Boston event, so I am looking forward to it. Let me know if you are going to be in town!

I imagine that things will be fairly quiet on the blog next week. With Riley conducting an aggressive sleep deprivation campaign against Rich, I don’t think we are going to see or hear much from him, but I will continue to post on what I hear from the conference.

–Adrian Lane

Gmail CSRF Flaw

By Adrian Lane

Yesterday morning I read the article on The Tech Herald about the demonstration of a CSRF flaw for ‘Change Password’ in Google Mail. While the vulnerability report has been known for some time, this is the first public proof of concept I am aware of.

“An attacker can create a page that includes requests to the “Change Password” functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker,” the ISecAuditors advisory adds.

The Google response?

“We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user’s password within the period that the user is visiting a potential attacker’s site. We haven’t received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this.”

Uh, maybe, maybe not. Last I checked, people still visit malicious sites either willingly or by being fooled into it. Now take just a handful of the most common passwords and try them against 300 million accounts and see what happens.

How does that game go? Rock beats scissors, scissors beat paper, and weaponized exploit beats corporate rhetoric? I think that’s it.

–Adrian Lane

Wednesday, March 04, 2009

My Perspective on Data Security and the US Government

By Adrian Lane

During the recent podcast I did with Rich, I made a couple throw-away comments about the selection of Melissa Hathaway as cybersecurity advisor. A lot of ideas went into those comments and a few articles that I have read that brought to the fore several issues I have had ideas rolling around in my head for the last couple of years. In fact I have written this post a couple of times over the last year and deleted it because I thought it would be perceived as too political. My goal is not political commentary rather trying to provide perspective about the evolution of data security, but sometimes the two are linked so tightly together it is difficult to fully separate.

The subject I want to discuss is the general state of basic underlying security of our electronic infrastructure, and the role that the government plays in Cyber Security. What got me going on this subject yet again was several articles that I ran across in the last month. The first was an article referenced by Bruce Schneier’s blog on The Register that talks about the NSA’s attempt to eavesdrop on Skype, which I am not sure they confirmed but highly believable. The second is the appointment of Melissa Hathaway, and while it is only being hinted at in this piece by USA Today, her comments indicate efforts at odds with other US intelligence organizations. The final article that urged me to rewrite this post was the following piece on Wired’s Threat Level Blog that the NSA wants to oversee cybersecurity.

There is a strange push and pull going on here, because part of our government wants our entire electronic infrastructure to be both secure and private. They recognize the the Internet is a huge global marketplace for science and commerce, and is often leveraged by public entities as well, therefore it is in our best interest to have it secured to protect citizens & organizations alike. This is echoed in Hathaway’s comments. Conceptually this would reduce fraud globally, which costs companies billions of dollars every year. On the other side of the coin, strong electronic security makes intelligence gathering through eavesdropping difficult to impossible, and often requires secondary assistance to gather (insider cooperation, back doors in code and devices, cracking, etc) the same information, only at a higher cost.

So what’s the problem? Good security on communications and infrastructure worldwide makes intelligence gather much, much harder. The people I have spoken with who have worked for or with US & British Intelligence organizations all share the same view that a secure communications infrastructure is facing stiff challenges from within our own government. A few years ago, Mr. Stephen Squires, who is/was at the time Chief Scientist for HP, spoke at Stanford Luncheon I attended about the evolution of computer security in the US. In a nutshell, he felt that cryptography would have solved most of the issues of privacy and security we have today, and today’s vendors with their point solutions were less than Band-Aids on gunshot wounds. Encryption could have easily been built into routers, phone switches, Ethernet cards and the like to ensure safe data transmission. Encryption could have been built into business applications to offer considerably higher security for data in motions and data at rest. He went on to say this was “discouraged” in various direct and indirect ways by our own government. He cited many examples of influence; the way bids are done, project specifications, funding, public-private partnerships, and most notably, US export controls on cryptography. A decade ago this was a common topic most of the crypto guys I have had the pleasure of meeting, and they were mostly frustrated by the US’s unwillingness to have all data and communications encrypted and secured.

For those of you not familiar with what I am talking about, in the mid-90s, you could obtain cryptographic algorithms in papers and textbooks, but if you shipped encryption technology, you were going to be brought up on charges for illegal disbursement of munitions. When I got my first real job involving security, I had to be careful that I did not accidentally include a foreign national on the “CC:” line of an email that included the Blowfish variant we were working on as I could have been arrested. It’s code, for &!^@ sake! But the US Government was quite serious about this and has hindered the deployment of some security technologies on national infrastructure as well as allowing exportation, and have done little to lead in an area where they are in a perfect position to set an example for private industry. I am not sure what degree the majority of security professionals out there understand how rabid our government intelligence agencies are about encryption, but many historians view US victory in WW2 was due in large part to breaking the Japanese encryption codes, as well as the British efforts to reconstruct the Enigma cipher. While these are nice historical references, few are aware of more recent cases with the British in Falklands war and governments in the middle east were breached by the ability to break or bypass cryptography. This lesson is not lost on the Intelligence community, and who I would expect nothing less than to look for any advantage they can get.

What is good for business security is considered bad for our spies. The concept from the governmental perspective was the benefits that the US Intelligence Services derive from lax security and encryption was a huge competitive advantage, so impediments into quality encryption technologies being widely available was to be discouraged. And when I have this discussion with people, they are usually thinking about Echelon, or the PROMIS variants that perform data analysis, but just two angles of using intelligence. We read all the time about Chinese or Russians breaking into US Government computers; is there some compelling reason to think this is not going on in the other direction? Another way to think about this: You’re the IT manager for the government of Derka Derkastan, and you install a bunch of Kludgy Corp software and “proprietary” cryptographic systems. You have in essence done a favor to every intelligence organization who wants to know what you are up to. Security may be good enough to keep “Script-Kiddies” at bay, but not professionals. And today, all commerce on the Internet is under attack from professionals.

As a science, we know how to develop encryption technologies that work. And encryption is very well suited for solving several security and privacy issues in communication, authentication, data storage and so on. In many cases where we see data breaches, the use of the technology has either been misapplied (trying to solve the wrong problem), sloppily applied (bad execution), or inconsistently applied (some parts of the infrastructure, not others). Don’t get me wrong, I am not saying Cryptography is a panacea that solves all security ills. It is just one link in the chain and needs the support of good access controls, assessment, key management and auditing technologies as well, but good crypto solves a lot of critical issues!

So do I think data security is still hampered by part of the US Government? Yes, I think there is evidence to support this. But now that the US Government is a participant in the banking and global finance industries through recent (ahem) investments, it will be interesting to see if they put serious efforts into data security as fraud will be costing them billions of dollars. When I see the Cyber Security advisor make statements that they are going to “fix critical infrastructure networks against on-line threats”, followed by the NSA “wanting to control Cyber-Security”, I know the political jockeying has only just begun. I worry because the NSA’s charter is not the promotion good data security. Hathway’s challenge is not finding technology and methodologies to secure the infrastructure, because we have most of that today. It is an issue of wide-spread adoption, and her challenge will be getting that adoption in the face of conflicting agendas. We are at a time when we need to “raise the bar” when it comes to security of our infrastructure, meaning systems that are beyond trivial to break, and that means a more strategic approach than vendors and corporations have been willing to take thus far.

–Adrian Lane

Tuesday, March 03, 2009

The Nugget has Landed

By Adrian Lane

Securosis has expanded. Just got an email from Rich:

“Say hello to Riley Marie Mogull. 6lbs 15oz. Sharon made it without meds- she’s my hero”

Rich, on the other hand, needed sedation. Help me congratulate Rich and Sharon on the arrival of their first child!

–Adrian Lane

Cash Only

By Adrian Lane

Off-topic post …

My wife is constantly reading about the banks and lending institutions, and likes to read to me every gory detail she learns. Occasionally I do listen. About a month ago she made the comment “If the banks do go under, we’ll have to go back to cash. That will be strange.” I thought about it for a while and I realized just how true that was. I seldom carry cash. I do a lot of my shopping on the Internet. Can’t really do that with cash very well. I used the credit card for everything … even the occasional Starbucks triple-shot-Hoff-inspired-venti-iced-coffee-with-splenda-shaken-not-stirred gets a credit card swipe. Then my wife says “Let’s see if we can go for a month without spending on the credit card. Just cash!” Being the contrarian that I am, I decided “What the heck, let’s try it.”

We failed miserably.

The whole thing about spending cash is you have to go somewhere and get cash before you can spend cash. An important small step. We had a minor medical emergency and we were not about to slow down and get cash first. When you take enough out to cover expenses, the bank teller’s get weird and antsy like you are doing something wrong. Trying our best, by the end of the month, we looked at the results, and we were only 60% credit card, 40% cash by dollar amount. But overall, our spending and it was down quite a bit. While we hear about how much easier psychologically it is to spend money when it’s not cash, I see just how true that is. Either you reel yourself in because you are not sure you have enough cash on you, or you feel a little more attached to the money that the concept of money and hold back on some purchases that are not necessary. So we are going to try it again this month, and we think we can reverse this to 60% cash, 40% CC.

I have never been mugged. I have never had my wallet stolen, and I am not really worried about carrying some cash around. I have had fraudulent charges on my credit card, more than a dozen times, and I am constantly worried about my bill having bogus charges. I usually state that the reason I use credit cards so much is that I have reduced risk. Lost or stolen, I am only liable for $50.00. Airline tickets and hotels are a nightmare without a credit card. And I would never buy something on line without the ability to shield myself from bogus merchants. But my perspective has changed that, given most common situations, cash has a lower risk than credit and changed my behavior in a positive way.

It’s been an interesting experiment, and I think we are going to keep doing it for a while.

–Adrian Lane

Saturday, February 28, 2009

Friday Summary: Feb 27, 2009

By Adrian Lane

It’s Friday again and time for the summary. It’s been a yin & yang kind of week for me, with mixed blessings and curses all around.

On the down side, Friday is always the day for bad news. It’s the day that Fannie Mae, Countrywide and others announce impending disaster so as to lessen the impact on the market. I just have to wonder if they learned that from Office Space. Based upon what I am seeing in the press, and some things here in Arizona, this Friday will be no exception as I expect there to be another big bank announcement. Four friends have lost jobs in the last week and are struggling to find any work, and I am going to have to help a friend move this weekend because their house is going back to the bank. One person I know had someone access their bank account with a fake ATM card, and my next door neighbor got a call Tuesday from Wells Fargo as someone was trying to make a “Phone Cash Advance” on their account. And yet another indication that the system is broken is the credit shell game, with Experian no longer willing to sell credit scores to consumers. Technically, they were not doing it before, but when pushed to sell consumers the real FICO scores, instead of the “FAKO’s” they have been providing, they decided to bow out. Should we just go back to cash? That would solve a lot of problems.

On the positive side we here at Securosis are in a very good mood and have high hopes for the future. Principal among the reasons for this is we are officially on “Nugget watch”, or rather we are waiting for the little Mogull to arrive soon. Mom is in good health and spirits while Rich is furiously decorating, arranging and preparing for the arrival. Male nesting … it’s simultaneously cute and sad to watch. But I have to say, the baby’s room looks great! Stay tuned as I will post something as soon as I hear more news.

I had several conversations with different SIM/SEM vendors this week and I view the changes as positive. It’s no longer “Gee, look at all this neat data we have” nor trying to convince customers how great aggregation is (gaak!), and more about using that data to solve business problems and building some intelligence into the products. Rich and I are seeing some very cool things happening around encryption and key management that should make a lot of people very happy, and we will begin the encryption series we promised in the next couple weeks. And it looks like Motorola found some loose change under the couch, spinning out Good Technology to Visto; Visto should be able to put the technology to good use. That’s all positive! Rich & I are both wrapping up a couple of interesting projects and about to commence on new ones as well so things are busy. I am even starting to get excited about going to Source Boston and seeing a bunch of friends. Maybe we will even get to see where Mr. Hoff lands!

Rolling into the weekend I am focused on the positive, so here it is, the week in review:

Favorite Securosis Posts:

Favorite Outside Posts:

Top News and Posts:

Blog Comment of the Week:

Allen Barronov on Will This Be The Next PCI Requirement Addition:

If you are putting money down I’ll take you up on it let me just get some poor sucker’s credit card details in case I lose.

On a serious note: DLP is very reactive.

One advantage is that your CEO doesn’t have to say (quoting from Bob Carr) “we were alerted by Visa” which sounds very weak and can really be read as “we had no idea that people stole information from us until someone else told us about it”. This is apparently quite normal.

Proactive is to analyse the entire PCI process from start to end and secure it accordingly.

A few companies that I have had the privilege of working for have firewalled their “process network” off from their main business network. The reason to do this is really to protect availability. If a virus hits the business network then the (real) money making part of the business can still function - there may be pain but the gadgets still get made/gathered/fixed/etc.

A payment processing business should think: PCI transmission is different from the normal network traffic and they should separate it accordingly. If Sue from Accounts gets a virus on her PC, it should not impact on PCI processing in any way (CIA).

I really like DLP but it is not a cure for bad network design.

I guess the answer is layers. Good network design (based on Business Processes) with DLP to catch the drips.

“You know what else everyone likes? Parfaits.” Donkey in Shrek.

Now, I am off for some more stealth photography.

–Adrian Lane

Friday, February 27, 2009

Netezza Buys Tizor

By Adrian Lane

While both Rich and I predicted this would happen, I admit I am still slightly surprised: Netezza has acquired Tizor for $3.1M in cash. Netezza press release here, and While I do not see a press release issued from either vendor xconomy has the story here. Surprising in the sense that I would not have expected a data warehousing vendor to acquire a database monitoring & auditing company. My guess is it’s the auto-discovery features that most interest them. But like many companies that provide data management and analysis, Netezza may be finding that their customers are asking for security and even compliance facilities around the data they manage. In that case, this move could really pay off.

I am certain that they were hoping for more, but $3M in cash is a pretty good return for their investors given the current market conditions and competitiveness in the DAM market. While it is my personal opinion, I have never considered the Tizor technology a class leading product. It took them a very long time to adapt the network monitoring appliance into a competitive product that met market demand. Their audit offering was not endorsed by companies I know who have evaluated the technology. They had some smart people over there, but like many of the DAM competitors, they have struggled to understand the customer buying center and have lacked the laser focus vision of some of the vendors like Guardium have demonstrated . But they have made consistent upgrades to the product and the auto-discovery option last year was a very smart move. All in all, Netezza is getting value, and the Tizor investors about $3M more than they would have gotten a few months from now.

I have to admit that my timing of these events has been wrong … I thought that this transaction would have happened at/by the end of last year, and I am waiting for more still. But the DAM vendors who are not profitable have a huge problem that move to quickly and you kill your value. Move too slowly and you are out of business. Sometimes the due diligence process takes a while.

Check back later as I will update the post as I hear more, of if Rich weighs in on this subject.

–Adrian Lane

A Very Revealing Statement by the PCI Council

By Rich

I was getting a little excited when I read this article over at NetworkWorld about how the PCI council will be releasing a prioritized roadmap for companies facing compliance. It’s a great idea- instead of flogging companies with a massive list of security controls, it will prioritize those controls and list specific milestones.

Now before I get to the fun part, I want to quote myself from one of my posts on PCI:

Going back to CardSystems, a large majority of major breaches involve companies that were PCI compliant, including (probably) Hannaford. TJX is an open question. In many cases, the companies involved were certified but found to be non-compliant after the breach, which indicates a severe breakdown in the certification process.

Now on to the fun (emphasis added by moi):

Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.

What a load of shit. With the volume of breaches we’ve seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons after the fact. As I keep saying, PCI is really about protecting the card companies first, with as little cost to them as possible, and everyone else comes a distant second. It could be better, and the PCI Council has the power to make it so, but only if the process is fixed with more accountability of assessors, a revised assessment/audit process (not annual), a change to real end-to-end encryption, and a real R&D effort to fix the fundamental flaws in the system, instead of layering on patches that can never completely work.

You could also nominate me for the PCI Council Board of Advisors. I’m sure that would be all sorts of fun.

Seriously – we can fix this thing, but only by fixing the core of the program, not by layering on more controls and requirements.

–Rich

Thursday, February 26, 2009

Workers “stealing company data”?

By Adrian Lane

Just ran across this article on workers “stealing company data” on the BBC news web site. The story is based upon a recent Ponemon study (who else?) of former employees and the likelihood they will steal company information. It turns out that most of those polled will in fact take something with them. The Ponemon numbers are not surprising as this tracks closely with traditional forms of employee theft across most industries. What got me shaking my head was the sheer quantity of FUD being thrown out with the raw data.

A “surging wave” of activity? You bet there is! And it tightly corresponds to the number of layoffs. I am guessing when I say that the point Kevin Rowney of Vontu Symantec was trying to make is companies do very little to protect information from insiders, especially during layoffs. But the author make it sound as if insider theft is bringing about the collapse of western civilization.

What I don’t believe we can do here is try to justify security spending by saying “Look at these losses in revenue! They are staggering! Were getting killed by insider theft!” These companies are in trouble to begin with, which is why they are laying people off. Ex-employees may be taking information because their accounts are still active, or they may have left with it at the time they were fired. But just because the employee walked out with the information does not necessarily mean that the company suffered a loss. That data has to be used in some manner that affects the value of the company, or results in lost sales. And the capability for ex-employees to do this, especially in this economy, is probably going down, not up.

The employee who has backup tapes in their closet may dream about “sticking it” to their former employer, but odds are high that the information they employee has will never result in the company suffering damages. Heck, they would actually have to land a new job before that could happen. I know some HR reps who probably envision their ex-emplyees contacting their underground ‘connections’ to sell of backup tapes, but how many employees do you really think can carry this off? You think they are going to sell it on eBay? Call a competitor? We have seen how that turns out. No use, no loss.

I had a very strong work ethic. The problem was my ethics in work.

There is also a huge double standard here, where most companies propagate the very activity they decry. When I worked at a brokerage, it was one of our biggest fears that an employee would steal one of our “books of business”, taking it to another brokerage, and when I first learned about the difficulties in protecting data from insiders and enforcing proper use. On the flip side, it was expected every broker that interviewed had their own “book of business”. If they didn’t, they were ‘losers’ or some other expletive right out of Glengarry Glenn Ross. Having existing relationships that could immediately bring in clients to the organization was on eof the top 5 considerations for employment. Most salesmen, attorneys, financiers and executives are considered not just for the skills they possess, but the relationships they have, and the knowledge they bring to the position. That knowledge is typically in their heads, rolodexes and their iPhone. I am not saying that they did not have paper or electronic backups as well, as 15% of the respondents admitted they did. My point is companies cry foul that they are the the victims of insider theft, but in reality they fired or laid off an employee, and that employee took a job with a competitor. I have trouble calling that an insider attack.

–Adrian Lane

Wednesday, February 25, 2009

Top 10 Web Hacking Technique of 2008

By Rich

A month or so I go I was invited by Jeremiah Grossman to help judge the Top 10 Web Hacking Techniques of 2008 (my fellow judges were Hoff, H D Moore, and Jeff Forristal).

The judging ended up being quite a bit harder than I expected- some of the hacks I was thinking of were from 2007, and there were a ton of new ones I managed to miss despite all the conference sessions and blog reading. Of the 70 submissions, I probably only remembered a dozen or so… leading to hours of research, with a few nuggets I would have missed otherwise.

I was honored to participate, and you can see the results over here at Jeremiah’s blog.

–Rich

Is There Any DLP or Data Security On Mac/Linux?

By Rich

Had a very interesting call today with a client in the pharma research space. They would like to protect clinical study data as it moves to researcher’s computers, but are struggling with the best approach. On the call, I quickly realized that DLP, or a content tracking tool like Verdasys (who also does endpoint DLP) would be ideal. The only problem? They need Windows, Mac, and Linux support.200902241153.jpg

I couldn’t remember offhand of any DLP/tracking tool (or even DRM) that will work on all 3 platforms. This is an open call for you vendors to hit me up if you can help.

For you end users, where we ended up was with a few potential approaches:

  1. Switch to a remote virtual/hosted desktop for handling the sensitive data… such as Citrix or VMWare.
  2. Use Database Activity Monitoring to track who pulls the data.
  3. Endpoint encryption to protect the data from loss, but it won’t help when it’s moved to inappropriate locations.
  4. Network DLP to track it in email, but without the endpoint coverage it leaves a really big hole.
  5. Content discovery to keep some minimal tracking where it ends up (for managed systems), but that means opening up SMB/CIFS file sharing on the endpoint for admin access, which is in itself a security risk.
  6. Distributed encryption, which *does* have cross platform support, but still doesn’t stop the researcher from putting the data someplace it shouldn’t be, which is their main concern.

While this is one of those industries (research) with higher Mac/cross platform use than the average business, this is clearly a growing problem thanks to the consumerization of IT.

This situation also highlights how no single-channel solution can really protect data well. It’s the mix of network, endpoint, and discovery that really allows you to reduce risk without killing business process.

–Rich

Saturday, February 21, 2009

Will This Be The Next PCI Requirement Addition?

By Rich

I’m almost willing to bet money on this one…

Due to the nature of the recent breaches, such as Hannaford, where data was exfiltrated over the network, I highly suspect we will see outbound monitoring and/or filtering in the next revision of the PCI DSS. For more details on what I mean, refer back to this post.

Consider this your first warning.

–Rich