// >> General

While watching TV today two completely different shows on TV made me think of information security issues and our shortcomings when it comes to data. The first was related to national security where a guest on Campbell Brown on CNN was discussing the successes and failures of our national intelligence agencies. The guest stated we were gathering 1.something billion communications (think email and phone calls) per month and that we don’t have the ability to analyze all that information. After getting my fill of the news I switched over to a cable channel playing Fletch, the 1985 comedy starring Chevy Chase as a reporter following a story. In one scene Fletch is performing some research on his subject. He and his assistant are shown using a microfiche machine looking through old news articles. For those too young to understand please see (http://en.wikipedia.org/wiki/Microfiche). He then goes to the hospital to find medical records on his subject and on the desk in the records room, replete with a bumper sticker that says “I heart my computer”, is a lone computer in this room full of shelves of files. He accesses the green screen and pulls the needed information and the story moves on. What made me think of security is that prior to this past decade we suffered, as Fletch does, with a lack of readily searchable and available security information *think logs. Today we suffer just as the intelligence agencies do in that we have more information than we know what to do with. *think poor guy who has to read the logs. We have gone from “I can’t find it because I don’t have the information” to, well, “I can’t find it because there is too much information”.

As a example, SIEM systems today work to some extent. While they all claim to work perfectly with all types of sources the claims often stray somewhere from worthless to somewhat helpful in reality. Again, just like our issues of today and too much information, we often miss attacks or warning signs due to a lack of correlation of the right kinds of information. These systems take in log files and spit back out alerts fired off via email. This made me think of an issue that has long bothered me…why can’t these systems take data and make it actionable through visual representations versus an email? Why can’t we take all of the traffic logs of our egress devices (i.e firewalls, web proxies, etc.) and represent the data in a visual pattern? Maybe as spheres of different sizes placed on a map that represent sources and destinations, or port and protocol combinations. While we’re at it, why can’t we represent ALL security data visually? To highlight the difference between visual and non-visual representation think of a doctor reading an x-ray film. While it may be beneficial for you to hear it described as “your ulna, which is next to the radius, and connects your hand to the upper arm via the humerus, has a hairline fracture approximately 3 inches above the wrist bone” wouldn’t it be better if he showed you the x-ray and pointed to the site and said “right there, your bone is broken”?

One other unexplored area, which is understandable given that we rarely know how to analyze the data we do have, is in access recertification. In case you’re not familiar, recertification is the process of certifying that an account, or individual, needs a certain level of access within an application or system. For example, a clerk may need the ability to cut checks up to a certain dollar amount while anything over that amount requires the next level of “supervisor” access. While we have systems that facilitate this process by providing detail on current access levels and a nice web interface none of these systems use actual log data to help a “certifier” make a decision. Wouldn’t it be interesting if a manager could certify a person’s level of access, but also have the knowledge of what levels of access or systems that individual has used in say the past month or year? It may be easier to understand what levels of access individuals need if we could simply point to the analysis of the logs and say “that user has not logged into this system, although they have access, in the past year”? Then, let’s make that a visual representation…

Just a thought.

The well known practice and art of providing controls at multiple layers of the infrastructure is nothing new to those involved in the protection of information. As a general rule in defense-in-depth one must assume that at least one layer of the security architecture will fail. The follow-up question is, then what? How well will the systems and data be protected if we lose one layer of control? The current threat environment must also be taken into account when answering that question. Organizations have risks because of the way in which they operate IT, the industry they are in, and the business model they follow. A small manufacturing firm has a different threat and risk profile than a large multi-national bank. But I ask the question, given the advances in technology, is your CIO keeping up? Does he or she understand that security controls are layered with some overlap for a specific purpose? Do they understand the specific risks in their own organization and why the controls were chosen in the first place?

Take for example the use of anti virus. Almost all organizations use AV in some way to protect their systems from the latest malware, virus, and worm threats. But given that new malware threats seems to be growing at an alarming rate that can be directly attributed to the maturing cybercrime organizations run out of Russia, HK, and Eastern Europe and their ever increasing return on investment (run more like businesses than chop shops it seems). Symantec alone counted a 200+% increase in newly detected malware threats from 2007 to 2008. Can your AV keep up? Or better yet, how effective has it been over the last 6 months?

If you said you had an additional layer of security you need to apply to protect your systems, would your CIO understand the difference between policy-based controls that rely on the monitoring of the interaction of system process and applications with the operating system itself and that of AV? If they don’t they may likely fall into the category of answering all questions with, “but we use AV”. I’d question how many of those answering this way understand how effective (or ineffective) their current AV is. If they don’t understand the answer to that question they will likely make the fatal mistake of relying on an out-dated technology (AV) that is ineffective at stopping the new and growing malware threat, rejecting new technology that they don’t understand.

As a side note, infections today seem to come from users browsing the web. And this doesn’t have to be browsing to “suspect” or non-business sites as many mainstream web sites have been compromised over the past few years. The security breach that is self-inflicted is always the hardest to live with as a security professional…all the while knowing you could have done something to stop it if only your CIO could keep up with current security threats and technology.

No, this isn’t an article about Amsterdam. So I was cleaning out an old hard drive and came across a paper I wrote a while back on Microsoft password hash passing attacks using gsecdump and msvctl. While the paper is a bit dated you’ll get the idea of how these tools work and see the results of trying this out in a test environment. The paper is here.

I promised myself I would post more often to the site…but it looks like that didn’t work out so well. Since I have some time while I’m rebuilding my test lab at home I thought I’d quickly write something about the state of information security. I’ve had some time recently to attend conferences and CISO roundtables where various topics were discussed. That fact and based on some recent strategy project work I’ve noticed the same emerging theme…IT IS ALL ABOUT THE DATA.

Starting with the most recent event, I attended the local FBI Infragard meeting in Chicago where one of the presentations discussed a new Senate bill (SB 1490) being introduced that would preempt the state laws around security controls and breach notification. While the bill apparently needs some work I found the requirements around the “minimum” security controls that need to be in place most interesting. While I think the requirements are quite vague and wording such as “A business entity shall implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards” doesn’t exactly tell us anything we didn’t already know, the bill heads in the right direction. Paraphrasing, it states we as a business must design a system to protect the DATA based on risk.

The reason I bring this topic up is that we, as information security professionals, often get caught up in protecting the network layer as opposed to the data layer. Why? Because the data layer is messy, hard to control, and contains structured data (pulled from applications) and unstructured data (think random file shares). Who owns it may be a mystery and even if we identify an owner sometimes we don’t know how sensitive or critical the data may be (i.e. lack of data classification).

So if I posed the question, what are the most mature controls of your information security program what would you say? I almost can’t stop from answering firewalls, AV, IPS, and vulnerability management. Vary rarely can an organization answer data loss prevention, data classification, encryption controls around sensitive data, and even incident response or forensics. Why? Because it is messy.

Going back to meetings, the meeting prior was a CISO round table event at Washington University in St. Louis. The topic was about unstructured data and how various organizations were dealing with the issue. The overriding theme of course…it is messy. Unstructured data lives in file shares, both one’s you know about and those you do not, and contains everything from benign information to your organizations most critical information assets. One of the presentations was a vendor, Varonis, who has a tool to identify and detail who has access to unstructured data. While I can’t speak for the tool the concept is interesting and shows that some organizations get it, but need some technology to assist their data classification and access control needs. Again, the topic of data is messy. We’d like to talk about the cool new SIEM appliance we just put in, or how our IPS is blocking the advances of organized cybercrime…not so much when it comes to the actual data we are charged with protecting.

Please don’t read too much into my statements and think I’m against the commodity security controls at the network layer. It would be foolish to ignore these controls as they do serve a purpose in protecting our systems and networks. However, if you haven’t’ started then I’d urge you to examine the data you’re attempting to protect and see if you could answer these simple questions: Where is your most sensitive data? Who has what level of access to that data? And the last time it was accessed what did the person do with it?

As hard drives become larger in storage capacity, the areal density (amount of bits manufacturers can stuff on the physical platter) needs to increase as well, which introduces more noise when reading data.

A consortium of hard drive manufacturers (IDEMA) are now pushing to increase the sector sizes from 512 bytes to 4096 bytes. This change means faster seek times and larger capacity.  The downside translates to more slack space, but with larger hard drive capacity does it really matter?  Probably not to the consumer, but it’ll be interesting to see how much more time this will add to forensics work.

Link to a IDEMA’s whitepaper for more detail.

No, this isn’t a post about using a Bic pen to pick a Kryptonite lock off of a bike. I ran into a problem in that I had an older Kryptonite lock stuck on my bike for the past 3 years. No key, bike shop was no help, Bic pen doesn’t work. My main issue is I paid extra for an aluminum-frame Trek in order to save on weight, and here was this 5 lb. lock stuck, banging around in the carrier, adding unnecessary weight to my ride.

First, do not try to use a standard hacksaw blade. Second, if you’re thinking about bolt cutters you’ll need a pair with 4′ handles and a 300 lb. guy to snap through the metal. I found a simple solution, assuming you have 20 minutes, 1 hand cramp, and about 200 calories to spare.

You can cut through the lock using a standard hacksaw, but you’ll need to change the blade out for a carbide grit rod saw. I used one from Stanley, 10″, Home Depot for $4.48 as seen below.

10\

20 minutes later your lock should look like this:

I know this may seem obvious, but you’ll probably want to cut the lock off from the “lock” side near the base as it is easier to grip while you hack away at the metal. As an alternative, a Dremel tool and a diamond cutting disc will also do the trick. My lack of a corded Dremel and the fact that it was $21 for one disc (and I had to hope one did the job) I went the manual route.