Securosis

The Irish Government Needs Database Activity Monitoring

Over at BoingBoing they have a couple of articles describing how Irish government employees are abusing their access to government systems for personal gain. Everything from idle curiosity about a neighbor, to aiding and abetting burglary. I normally scoff at vendor press releases that jump on the latest media exploitation stories, but in this case I’m going to do it for them. This is, flat out, the poster child for database activity monitoring. As I described in my introduction to the technology, one of the use cases is to create separation of duties by allowing someone to do their job while looking for unusual activity. If nothing else, you could create audit reports that allow managers (or security administrators) to see all the records a particular employee accessed in a given day/week. Perfect? No. Effective? Yep. You’ll need a Database Activity Monitoring tool, and not something that just collects access logs, since you want to see the actual SQL transactions. If the application uses connection pooling to connect to the database, every query arrives under the same shared database account, so you’ll either need one of the tools that monitors application activity and correlates it with the database, or some sort of identifier in queries to trace which user is submitting the query (something I’ll talk more about in a later post). I’m more than happy to give the Irish government discounted rates if they’d like me to fly over and help fix this problem. My email is posted on the blog.

Understanding And Selecting A DLP Solution: Part 6, Central Administration, Policy Management, and W

Welcome to the second to last post in my series on DLP. You can find the other parts here: Part 1, Part 2, Part 3, Part 4, Part 5. In this post we’ll be covering the major features of the central management server. Our final post will cover recommendations for evaluating and selecting the best tool for your environment.

As we’ve discussed throughout this series, all current DLP solutions include a central management server for administering enforcement and detection points, creating and administering policies, incident workflow, and reporting. These features are frequently the most influential in the selection process. There are a lot of differences between the various products on the market; rather than trying to cover every possible feature, we’ll focus on the baseline of functions that are most important.

User Interface

Unlike other security tools, DLP/CMP tools are often used by non-technical staff ranging from HR, to executive management, to corporate legal and business unit heads. As such the user interface needs to account for this mix of technical and non-technical staff and should be easily customized to meet the needs of any particular user group. Due to the complexity and volume of information a DLP solution may deal with, the user interface can make or break a DLP product. For example, simply highlighting the portions of an email in violation of a policy when displaying the incident can shave minutes off handling time. A DLP user interface should include the following elements:

  • Dashboard: A good dashboard will have user-selectable elements and defaults for technical and non-technical users. Individual elements can be enabled or restricted based on user and group. The dashboard should focus on the information valuable for that user, and not be just a generic system-wide dashboard. Elements should include number and distribution of violations based on severity and channel and other top-level information to summarize the overall risk to the enterprise.
  • Incident Management Queue: The incident management queue is the single most important component of the user interface. This is the screen incident handlers will use to monitor and manage policy violations. The queue should be concise, customizable, and easy to read at a glance. Due to the importance of this feature we will detail recommended functionality later in this post.
  • Single Incident Display: When a handler digs into a single incident, the display should cleanly and concisely summarize the reason for the violation, the user involved, the criticality, the severity (criticality is based on what policy is violated, severity on how substantial the violation is), related incidents, and all other information needed to make an intelligent decision on incident disposition.
  • System Administration: Standard system status and administration interface. Includes user and group administration.
  • Hierarchical Administration: Status and administration for remote components of the DLP solution, such as enforcement points, remote offices, and endpoints.
  • Reporting: A mix of pre-built reports and ad-hoc reporting.
  • Policy Creation and Management: Next to the incident queue this is the most important element of the central management server. It includes the creation and management of policies. Because it’s so important, we’ll cover it in more detail later.

A DLP interface should be clean and easy to navigate. That may sound basic, but we’re all far too familiar with poorly designed security tools that rely on the technical skills of the administrator to get around. Since DLP is used outside of security, possibly even outside of IT, the user interface needs to appeal to a wider range of users.

Hierarchical Management, Directory Integration, and Role Based Administration

DLP policies and enforcement often need to be tailored to the needs of individual business units or geographical locations. Hierarchical management allows you to establish multiple policy servers distributed throughout the organization, with a hierarchy of administration and policies. For example, a geographic region can have its own policy server slaved to a central policy server. That region can create their own specific policies, ignore (with permission) central policies, and handle local incidents. Violations are aggregated on the central server while some policies are always enforced centrally. The DLP tool must support the creation of global and local policies, assign policies for local or global enforcement, and manage multi-regional workflow and reporting.

DLP solutions also integrate with enterprise directories (typically Microsoft Active Directory) so violations can be tied to users, not IP addresses. This is complex when you realize you’re dealing with a mix of managed and unmanaged (guest/temporary) employees without assigned IP addresses. The integration should tie DHCP leases to users based on their network login, and update the mapping as leases change to avoid accidentally tying a policy violation to an innocent user. For example, one product in an earlier version would keep a user associated with an IP address until that address was assigned to another user in the directory. One reference customer almost fired an employee because a contractor, not in Active Directory, was the next person to use that IP and committed a policy violation. The tool tied the violation to the innocent employee.

The system should also allow internal role based administration for both internal administrative tasks, and monitoring and enforcement of users. Internally, users can be assigned to administrative and policy groups for separation of duties. For example, someone can be given the role of enforcing any policy assigned to the accounting group, but not administer the system, create policies, see violations for any other group, or alter policies. Since your Active Directory might not fully represent how you’d like to divide up monitored users, the system should also support groups and roles for dividing up employees for monitoring and enforcement.

Policy Creation and Management

Policy management and creation is a critical function at the heart of DLP solutions; it’s also (potentially) the most difficult part of managing DLP. The policy creation interface should be accessible to both technical and non-technical users, although heavily customized policies will nearly always need technical skills to define. For policy creation, the system should let you identify the kind of data to protect, a source (if needed)
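
The DHCP lease misattribution described in the directory integration discussion above is easy to reproduce. The following Python is an added example written for this page, not code from the post or from any DLP product: it puts the flawed rule (the last directory logon seen from an IP stays attached to it until another directory user logs on from it) beside a lease-aware rule that only attributes a violation to a logon that happened on the lease active at the time of the violation. The lease and logon records, IP and MAC addresses, and user names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


@dataclass
class Login:
    user: str
    ip: str
    at: datetime


def t(hour: int, minute: int) -> datetime:
    """Timestamps for one constructed day of activity."""
    return datetime(2007, 10, 15, hour, minute)


# Constructed DHCP lease records and directory logon events (not real data).
LEASES = [
    Lease("10.1.1.50", "00:aa", t(8, 0), t(12, 0)),   # employee laptop
    Lease("10.1.1.50", "00:bb", t(13, 0), t(17, 0)),  # contractor laptop, never in the directory
    Lease("10.1.1.51", "00:cc", t(8, 0), t(17, 0)),   # shared workstation
]
LOGINS = [
    Login("alice", "10.1.1.50", t(8, 5)),
    Login("bob", "10.1.1.51", t(8, 10)),
    Login("carol", "10.1.1.51", t(10, 0)),
]


def naive_attribute(ip, at, logins=LOGINS):
    """The flawed rule from the post: the most recent directory logon seen from
    this IP is blamed, no matter who holds the address now."""
    seen = [l for l in logins if l.ip == ip and l.at <= at]
    return max(seen, key=lambda l: l.at).user if seen else None


def active_lease(ip, at, leases=LEASES):
    """The lease that covered this IP at the moment of the violation, if any."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease
    return None


def lease_aware_attribute(ip, at, leases=LEASES, logins=LOGINS):
    """Only a logon that happened during the currently active lease counts; a
    host with no directory logon on its lease stays unattributed rather than
    inheriting the previous holder of the address."""
    lease = active_lease(ip, at, leases)
    if lease is None:
        return None
    seen = [l for l in logins if l.ip == ip and lease.start <= l.at <= at]
    return max(seen, key=lambda l: l.at).user if seen else None


def attribute_violations(violations, leases=LEASES, logins=LOGINS):
    """For each (ip, time) violation return both attributions side by side."""
    return [
        (ip, at.strftime("%H:%M"),
         naive_attribute(ip, at, logins),
         lease_aware_attribute(ip, at, leases, logins))
        for ip, at in violations
    ]


if __name__ == "__main__":
    sample = [("10.1.1.50", t(9, 30)), ("10.1.1.50", t(14, 30)), ("10.1.1.51", t(11, 0))]
    for ip, when, naive, lease_aware in attribute_violations(sample):
        print(f"{ip} {when}: naive={naive} lease_aware={lease_aware}")
```

The 14:30 violation from 10.1.1.50 is the post's scenario: the naive rule blames alice, whose lease expired at noon, while the lease-aware rule returns no user because the contractor's lease has no directory logon on it. An unattributed violation is the correct answer there; it tells the handler to go look at the lease and MAC rather than at an employee's HR file.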


Metasploit Includes Exploit For iPhone 1.1.1- Using Same Vulnerability As Jailbreak

H D Moore published details on exploiting the iPhone today using the same vulnerability as the jailbreaks/unlockers. It takes advantage of a vulnerability in the libtiff library for processing TIFF image files. The exploit is now in Metasploit, which means someone with only the technical skills of an ex-analyst can exploit you via email or a web page with a special image file. Apple will hopefully patch this quickly. The bad news is that it will kill all current attempts to load custom applications on the iPhone, but since it’s now remotely exploitable the risk outweighs the reward. Libtiff is a common library and this vulnerability was not unknown. This demonstrates a big problem in locking down a popular system like the iPhone or the Sony PSP- the same techniques needed to customize the device can often be used to exploit the security. For a wildly popular device like the iPhone it seems to make sense to open it up to legitimate, safe developers. This also proves that the excuse of locking the system down to protect the phone network (AT&T) is total bollocks, since it’s far from a perfectly secure system to start. Yes, I’m biased- I want custom apps on the iPhone I’ll probably eventually buy. Doesn’t mean I’m wrong…

Trust Your Tools. Use Your Head.

This weekend I was doing a little electrical work at my house, which is probably the riskiest area of Do-It-Yourself home repair. You only need to cross a couple of live AC wires once and see the “pop” (and smell the ozone) before the point hits home. In my case, I was installing a bunch of new light switches for a home automation project (dual-mode mesh network, if you care about those sorts of things). In the process I’m fixing some screwed up wiring installed by the builder; mostly three-way circuits they set up wrong. I was getting ready to work on the only four-way in the house (that’s when you have 3 switches controlling one light) and cut the power at the circuit breaker. Each of the switches was in multi-gang boxes with other switches controlling other lights, so I had to kill all those circuits as well. From what I could tell, all the power was off and it was safe to work. But being the paranoid that I am, I also checked with the AC indicator on my multimeter. I just press a button, wave it over a switch or outlet, and if it’s live the multimeter beeps. And beep it did. Despite killing (I thought) all the lighting circuits for the first floor of my house, one switch was still hot. I then started the methodical process of hitting the rest of the breakers to find the right one. About thirty minutes later I’d killed power to just about my entire house and still couldn’t find that damn circuit. Staring at my breakout panel (a second panel with the arc fault protection circuits for the bedrooms) I noticed two unlabeled breakers, figured out one of those was what I needed, and got back to work. In this case my instincts told me the circuit was safe, but my detection tool dissolved that particular illusion. In other cases, especially with my crappy stud detector, my tools are often wrong and my instincts are right. I guess it’s all a balancing act. Now I just need to figure out how to get my alarm panel to stop beeping randomly at me. Something about losing power really pissed it off.

Securosis Now Protected With Quantum Cryptography

October 12, 2007, Phoenix, AZ Securosis, the world’s leading security blog, is proud to announce that it is now being protected by quantum cryptography. “After reading about Swiss officials using quantum cryptography to protect ballot results entered by hand we realized that this advanced technology is now ready for mainstream adoption,” stated Rich Mogull, Founder, CEO, and fun-guy-but-not-that-kind-of-fun-guy. “We feel that quantum cryptography is the ultimate data protection technology and the best way to assure that our blog posts are not tampered with until we post them on our remotely hosted WordPress blog.” Securosis has installed a fiber optic connection between their authoring system and posting system to support the new security program. Although posts were previously authored and posted using the same MacBook Pro, a second machine was needed to create the fiber connection required for the quantum cryptography. The two systems are located on the same desk with the fiber connection completely visible. The fiber line is under constant observation using video surveillance to further hamper tampering, but the recordings aren’t reviewed to avoid quantum effects such as the observed systems switching places or becoming “strangely attracted”. “We can now be assured that our posts maintain both their confidentiality and integrity during the development process, until they are posted unencrypted over the public Internet. We felt this was a far better investment than renewing our expired SSL certificate.” Securosis evaluated a number of competing technologies, including checksums, hashes, and TLS, but concluded that quantum cryptography was superior because it used the word “quantum”. “History has shown, as documented in Star Trek, that anything quantum has to be better. It’s a totally cool word and scientists are really into it, so it has to be more secure.”

Securosis Announces Increase In Cybercrime

October 12, 2007, Phoenix, AZ Securosis, L.L.C., the world’s leading provider of security consulting services, announces that cybercrime has reached record levels since the dawn of history. “Cybercrime continues to increase at a staggering rate,” says Rich Mogull, Founder, CEO, Jedi, and part-time neurosurgeon. “Losses are higher this year than at any time in history. We highly advise companies to immediately engage with us at non-discounted rates to assure they are protecting their children and stopping terrorism.” About Securosis Securosis, L.L.C. is the world’s leading provider of IT security consulting services and impractical security dribble. Securosis’ customers include all of the Fortune 1000, most major governments, and a few minor religious institutions. Securosis helps customers achieve compliance with all international laws and defend themselves from all known zero-day attacks while leveraging synergies through thought leadership. We’re really smart- give us money or we’ll scare your grandma.

Symantec to Acquire Vontu (According To InfoWorld)

Remember this post? If InfoWorld is accurate, Symantec will announce next week that they are acquiring Vontu. This would be consistent with the industry rumors that inspired my earlier post. I have no inside knowledge of this deal. The article states:

Security software giant Symantec is preparing to announce an acquisition of Vontu, one of the largest remaining independent providers of data leakage prevention software, which is used to control the flow of sensitive information across corporate networks. Multiple industry sources have confirmed to InfoWorld that Symantec will soon announce a buyout of Vontu, perhaps as early as next week, which will significantly further the trend of consolidation that has played out in the red-hot DLP (data leakage prevention) space over the last year. … Sources said that the proposed deal will have Symantec paying $300-$350 million for privately-held Vontu, whose revenues are estimated at roughly $30 million per year by some industry analysts. Symantec and Vontu representatives declined to comment on the reported acquisition.

This is a far more significant deal than McAfee’s acquisition of Onigma. Between Symantec, Websense, and EMC/RSA I think McAfee is now in the weakest position for DLP among the larger vendors. Since it’s late on a Friday, and the deal isn’t confirmed yet, I’ll save full analysis for next week. I think this is positive for Vontu and I hope that Symantec keeps them as independent as possible internally, similar to the Brightmail acquisition, and in opposition to most of their buys. It’s also positive for the remaining independent DLP players, especially Reconnex and Vericept. More next week…

Understanding And Selecting A Database Activity Monitoring Solution: Part 1, Introduction

Database Activity Monitoring may not carry the same burden of hype as Data Loss Prevention, but it is one of the most significant data and application security tools on the market. With an estimated market size of $40M last year, and predictions of $60M to $80M this year, it rivals DLP in spending. Database Activity Monitoring also carries the best DAM acronym in the industry. Sorry, couldn’t help myself.

DAM is an adolescent technology with significant security and compliance benefits. The market is currently dominated by startups, but we’ve seen large vendors starting to enter the space, although their products are not currently as competitive as those from the smaller vendors. Database Activity Monitoring tools are also sometimes called Database Auditing and Compliance, or various versions of Database Security.

There’s a reason I’ve picked DAM as the second technology in my Understanding and Selecting series. I believe that DLP and DAM form the lynchpins of two major evolving data security stacks. DLP, as it migrates to CMF and CMP, will be the center of the content security stack, focused on classifying and protecting structured and unstructured content as it’s created and used. It’s more focused on protecting data after it’s moved outside of databases and major enterprise applications. DAM will combine with application firewalls as the center of the application and database security stack, providing activity monitoring and enforcement within databases and applications. One protects content in a structured application and database stack (DAM) and the other protects data as it moves out of this context onto workstations and storage, into documents, and into communications channels (CMP).

Defining DAM

Database Activity Monitors capture and record, at a minimum, all Structured Query Language (SQL) activity in real time or near real time, including database administrator activity, across multiple database platforms, and can generate alerts on policy violations. While a number of tools can monitor various levels of database activity, Database Activity Monitors are distinguished by five features:

  • The ability to independently monitor and audit all database activity, including administrator activity and SELECT transactions. Tools can record all SQL transactions: DML, DDL, DCL (and sometimes TCL) activity.
  • The ability to store this activity securely outside of the database.
  • The ability to aggregate and correlate activity from multiple, heterogeneous Database Management Systems (DBMS). Tools can work with multiple DBMS (e.g., Oracle, Microsoft, IBM) and normalize transactions from different DBMS despite differences in their flavors of SQL.
  • The ability to enforce separation of duties on database administrators. Auditing activity must include monitoring of DBA activity, and solutions should prevent DBA manipulation of and tampering with logs and activity records.
  • The ability to generate alerts on policy violations. Tools don’t just record activity, they provide real-time monitoring and rule-based alerting. For example, you might create a rule that generates an alert every time a DBA performs a SELECT query on a credit card column that returns more than 5 results.

Other tools provide some level of database monitoring, including Security Information and Event Management (SIEM), log management, and database management, but DAM products are distinguished by their ability to capture and parse all SQL in real time or near real time and monitor DBA activity. Depending on the underlying platform, a key benefit of most DAM tools is the ability to perform this auditing without relying on local database logging, which often comes with a large performance cost. All the major tools also offer other features beyond simple monitoring and alerting, ranging from vulnerability assessment to change management.

Market Drivers

DAM tools are extremely flexible and often deployed for what may appear to be totally unrelated reasons. Deployments are typically driven by one of three drivers:

  • Auditing for compliance. One of the biggest boosts to the DAM market has been increasing auditor requirements to record database activity for SOX (Sarbanes-Oxley) compliance. Some enterprises are required to record all database activity for SOX, and DAM tools can do this with less overhead than alternative approaches.
  • As a compensating control for compliance. We are seeing greater use of DAM tools as a compensating control to meet compliance requirements even though database auditing itself isn’t the specified control. The most common example is using DAM as an alternative to encrypting credit card numbers for PCI compliance.
  • As a security control. DAM tools offer significant security benefits and can sometimes even be deployed in a blocking mode. They are particularly helpful in detecting and preventing data breaches for web facing databases and applications, or to protect sensitive internal databases through detection of unusual activity.

DAM tools are also beginning to expand into other areas of database and application security, as we’ll cover in a future post. Today, SOX compliance is the single biggest market driver, followed by PCI. Despite impressive capabilities, internally-driven security projects are a distant third motivation for DAM deployments.

Use Cases

Since Database Activity Monitoring is so versatile, here are a few examples of how it can be used:

  • To enforce separation of duties on database administrators for SOX compliance by monitoring all their activity and generating SOX-specific reports for audits.
  • If an application typically queries a database for credit card numbers, a DAM tool can generate an alert if the application requests more card numbers than a defined threshold (often a threshold of “1”). This can indicate that the application has been compromised via SQL injection or some other attack.
  • To ensure that a service account only accesses a database from a defined source IP, and only runs a narrow range of pre-approved queries. This can alert on compromise of a service either a) from the system that normally uses it, or b) if the account credentials are stolen and used from another system.
  • For PCI compliance you can encrypt the database files or media where they’re stored, then use DAM to audit and alert on access to the credit card field. The encryption protects against physical theft, while the DAM protects against insider abuse and certain forms of external attack.
  • As a change and configuration management
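
The alerting rules and use cases in this post (a DBA SELECT on a card column returning more than 5 rows, an application pulling more card numbers than a threshold of 1, a service account restricted to a source IP and a short list of pre-approved queries) and the per-employee access report and pooled-connection user tagging from the earlier Irish government post are all policy logic over captured SQL. The following Python is an added example written for this page, not code from Securosis or from any DAM product. The activity records, account names, the payments table and card_number column, the thresholds applied to those accounts, and the /* app_user=... */ comment tag that the pooled application is assumed to prepend to each query are all constructed for the example.

```python
import re

# Constructed sample activity (not real data), as a DAM collector would hand
# it to a policy engine: database login, client address, raw SQL, rows returned.
# The pooled application account shares one login, so it tags each statement
# with the end user in a leading comment.
SAMPLE_ACTIVITY = [
    {"db_user": "dba_alice",  "client_ip": "10.0.0.5",    "rows": 1,
     "sql": "SELECT card_number, expiry FROM payments WHERE customer_id = 42"},
    {"db_user": "dba_alice",  "client_ip": "10.0.0.5",    "rows": 5000,
     "sql": "SELECT card_number FROM payments"},
    {"db_user": "app_pool",   "client_ip": "10.0.1.10",   "rows": 1,
     "sql": "/* app_user=jsmith */ SELECT card_number FROM payments WHERE customer_id = 17"},
    {"db_user": "app_pool",   "client_ip": "10.0.1.10",   "rows": 5000,
     "sql": "/* app_user=jsmith */ SELECT card_number FROM payments WHERE customer_id = 17 OR 1=1"},
    {"db_user": "svc_report", "client_ip": "10.0.2.20",   "rows": 1,
     "sql": "SELECT count(*) FROM payments WHERE created_at > '2007-10-01'"},
    {"db_user": "svc_report", "client_ip": "192.168.9.9", "rows": 1,
     "sql": "SELECT count(*) FROM payments WHERE created_at > '2007-10-12'"},
    {"db_user": "svc_report", "client_ip": "10.0.2.20",   "rows": 5000,
     "sql": "SELECT card_number FROM payments"},
    {"db_user": "dba_alice",  "client_ip": "10.0.0.5",    "rows": 0,
     "sql": "ALTER TABLE payments ADD COLUMN note text"},
    {"db_user": "app_pool",   "client_ip": "10.0.1.10",   "rows": 1,
     "sql": "/* app_user=mroberts */ SELECT card_number FROM payments WHERE customer_id = 99"},
]

DBA_ACCOUNTS = {"dba_alice"}        # assumed: logins subject to the DBA rule
APP_POOL_ACCOUNTS = {"app_pool"}    # assumed: pooled application logins

LEADING_COMMENT = re.compile(r"^\s*/\*(.*?)\*/\s*", re.S)
APP_USER_TAG = re.compile(r"\bapp_user=(\w+)")


def strip_leading_comment(sql):
    return LEADING_COMMENT.sub("", sql, count=1)


def normalize(sql):
    """Lowercase, drop the tag comment, collapse whitespace and replace string
    and numeric literals with ? so statements that differ only in their
    parameter values share one shape (the basis for an approved-query list)."""
    s = strip_leading_comment(sql).strip().rstrip(";").lower()
    s = re.sub(r"'[^']*'", "?", s)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s)


def classify(sql):
    """DML / DDL / DCL / TCL by leading keyword, as the post's feature list groups them."""
    verb = (strip_leading_comment(sql).split(None, 1) or ["?"])[0].upper()
    return {"SELECT": "DML", "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
            "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL", "TRUNCATE": "DDL",
            "GRANT": "DCL", "REVOKE": "DCL",
            "BEGIN": "TCL", "COMMIT": "TCL", "ROLLBACK": "TCL", "SAVEPOINT": "TCL"}.get(verb, "OTHER")


def attributed_user(rec):
    """Pooled connections all share one database login, so the end user comes
    from the tag the application put at the very start of the statement.  Only
    that leading position is honoured; a tag smuggled inside a later literal
    by an injection attempt is ignored."""
    head = LEADING_COMMENT.match(rec["sql"])
    tag = APP_USER_TAG.search(head.group(1)) if head else None
    return tag.group(1) if tag else rec["db_user"]


def touches_cards(sql):
    """Statement reads the card column, directly or via SELECT * on the table."""
    s = normalize(sql)
    return bool(re.search(r"\bcard_number\b", s)) or (s.startswith("select *") and " from payments" in s)


# Assumed policy for the reporting service account: one source address and
# one approved statement shape.
SERVICE_POLICY = {
    "svc_report": {
        "allowed_ips": {"10.0.2.20"},
        "approved": {normalize("SELECT count(*) FROM payments WHERE created_at > '2007-01-01'")},
    },
}


def evaluate(records):
    """Run the three rules from the post over captured activity; returns alerts."""
    alerts = []
    for i, rec in enumerate(records):
        sql, rows, user = rec["sql"], rec["rows"], attributed_user(rec)
        is_select = normalize(sql).startswith("select")
        if rec["db_user"] in DBA_ACCOUNTS and is_select and touches_cards(sql) and rows > 5:
            alerts.append({"record": i, "rule": "dba_card_select", "user": user,
                           "detail": f"DBA returned {rows} card rows"})
        if rec["db_user"] in APP_POOL_ACCOUNTS and is_select and touches_cards(sql) and rows > 1:
            alerts.append({"record": i, "rule": "app_card_threshold", "user": user,
                           "detail": f"application returned {rows} card rows, possible SQL injection"})
        policy = SERVICE_POLICY.get(rec["db_user"])
        if policy:
            if rec["client_ip"] not in policy["allowed_ips"]:
                alerts.append({"record": i, "rule": "service_account_source_ip", "user": user,
                               "detail": f"connection from {rec['client_ip']}"})
            if normalize(sql) not in policy["approved"]:
                alerts.append({"record": i, "rule": "service_account_unapproved_query", "user": user,
                               "detail": normalize(sql)})
    return alerts


def access_report(records):
    """Per attributed user: statements issued and how many touched card data,
    the 'what did this employee look at today' report from the Irish post."""
    report = {}
    for rec in records:
        entry = report.setdefault(attributed_user(rec), {"statements": 0, "card_statements": 0})
        entry["statements"] += 1
        entry["card_statements"] += int(touches_cards(rec["sql"]))
    return report


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_ACTIVITY):
        print(alert)
    for user, counts in sorted(access_report(SAMPLE_ACTIVITY).items()):
        print(user, counts)
```

Two design points are worth noting. The approved-query list compares normalized shapes rather than raw text, so the report job's date filter can change daily without tripping the rule, while the same account pulling card_number is still caught. And the per-user report is keyed on the attributed user, not the database login: jsmith and mroberts appear as themselves even though every one of their statements arrived as app_pool, which is exactly the visibility the Irish case needs and a plain access log cannot give.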


Off Topic: Whoa- This Is Worse For The Record Industry Than Pirating Ever Could Be

As my readers know, I’m not the biggest fan of consumer DRM. I hate being treated like a criminal when I’m not, and I don’t believe anyone has the right to control more of my systems than I do. Something about my security being compromised to provide better security for some corporate entity whose products I may or may not purchase just bugs me. A while back I posted how the Barenaked Ladies distribute their content without DRM. Not for free, but once you buy it you’re free to use it as you wish. I like that. Now, thanks to TechCrunch, we learn that Madonna is leaving the record labels and working with Live Nation to distribute content directly. Nine Inch Nails, Radiohead, and a few others are also jumping the record label ship. Yahoo! Music stated they won’t distribute music with DRM. With MySpace and other social networking sites for promotion, low-cost digital distribution of content either directly to consumers or through online stores, and general frustration and anger with record company pricing, practices, and treatment of artists, it’s hard to see how the companies will survive. It won’t be an immediate death- years if not decades, but now that some of the biggest names in the business are running into independence the writing is clearly on the wall. And the record companies can take their damn DRM with them. Now it’s time to get cracking on the MPAA…

On Trust

I was reading a post over at Layer8 and it got me thinking about trust. Shrdlu attended a talk by Larry Ponemon where he took away this little tidbit: The trust given to an organization depends not only on how well it protects information, but also on how transparent it is.

A long time ago I spent some time thinking about trust and digital relationships. I broke it down into three components: Intent, Capability, and Communications:

  • Intent: How an organization (or person) intends to act within a relationship. This is their true intent, not necessarily what they communicate as their intent. For example, we collect credit card data solely to perform online transactions, and will protect it from unauthorized disclosure.
  • Capability: Does an organization have the capability to meet its intent? For example, does it collect card numbers and only use them for transactions, but use security which could not stop a targeted attack?
  • Communications: Does an organization effectively and accurately communicate its intentions and capabilities?

If any of these factors fails, so does trust. Let’s look at some examples in the security world. Some vendors, I don’t even need to bother naming them, make outlandish claims about the security of their products that do not reflect reality. Then, when breaches occur, they spin the facts rather than admitting to an honest mistake. Result? No one trusts those vendors anymore. I remember our home town bank as a kid. We’d walk in and it was all marble and stone, with a huge walk-in vault surrounded by guards at the far end. Placing the vault where customers can see it doesn’t improve security, but it clearly communicates a capability to protect your money. These days, no one cares. Why? The world changed and with the FDIC and electronic banking we are far less concerned about a bad guy with a mask stealing our money. Heck, they could steal the entire bank, foundation and all, and we still wouldn’t be out a dime.
Breach disclosure is another example of trust. If a company loses my personal information and clearly communicates how it was protected, how it was lost, and a reasonable plan for preventing a recurrence, I am not very likely to leave them. If, on the other hand, they attempt to cover it up, shift blame, or clearly lie about their intent or capability to protect my information, I am far more likely to switch to another provider. A privacy example? Years ago I cancelled my Amazon account after they changed their privacy policy and started sharing my data. The policy in effect when I signed up stated my information would be kept private. They then summarily changed it without my permission. They clearly either lied about, or changed, their intent, and lost me as a customer. It took me 5 years before I bought from them again. It’s very simple: trust is built on what you intend to do, your ability to do it, and your ability to communicate both.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.