Welcome

Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Saturday, July 6, 2013

Vulnerability Sites ---- revisited

Several weeks ago I posted a list of sites and links where threat and vulnerability information can be gathered. Since then I have again had the privilege of running a number of scenarios through my threat process model and want to update you on the applicability of the links I provided.

My recent research confirmed the format of http://www.securityfocus.com, where you can search via drop-downs. For example, you select Cisco, then all Cisco products are presented and you can select the product in question. If the product has versions, you may also select that. I also visited the Cisco website to search for vulnerabilities on their Nexus 7000; although several showed up, the site doesn't tell you directly whether a fix has been released.

http://web.nvd.nist.gov also served me well, but you must know exactly what you want to search for, as opposed to picking from the menu options of the securityfocus site.

For operating systems, such as Windows 2008, the NVD site works very well for searching. It will list all the vulnerabilities and provide a link to the vendor's site, in this case to Microsoft TechNet and the 2008 security bulletin.

For other situations, such as VMware ESXi or a Belkin router, I would continue to use the NVD site to search for vulnerabilities and visit the vendor site if more information is needed regarding patch status.

Until next time…
~Skeeter

Saturday, June 29, 2013

Controlling Privileged Access


First, I define privileged access as anything above what the standard user would get. How do you control privileged access? Do you allow your Linux system administrators to have the root password? Do your Windows administrators have the password for a system account with admin privileges? Or maybe they have domain admin rights assigned to their personal account.

A while back I attended a presentation about a product that stores the passwords for accounts…the assumption is that all privileged accounts would be stored in this solution along with their passwords. This system is also capable of being integrated with AD and your ticketing system, so when a user needs a password, the system checks that there is a valid ticket (incident or change request) and that the requestor is also in the right AD group. This security solution will also change the password a set amount of time after the password was retrieved. This would seemingly prevent the user from reusing the password for an unlimited amount of time.

While I can see why management and Internal Audit would love this solution…on the surface it meets the compliance requirements for controlling access and assists with the change management process. This system is also very useful for storing passwords that don't get used very often, thus making sure they are available in a business continuity situation. However, does it help a company be secure, or does it give a false sense of security?

What are the actual actions performed once the password is retrieved? The IT guy could retrieve the password and make any change under the guise of whatever the Incident or Change ticket talked about. Every environment has those system accounts where the password is never changed. These accounts tend to have a high level of privileges and everyone on the team knows the password…so no trouble ticket is required to use these accounts. I could go on and on, but you get the point.

What is the solution? Some will argue that the administrators need admin privileges all the time…it is their job. I don't necessarily disagree with that. I believe the solution lies in monitoring what the privileged accounts are doing. Implementing one of the solutions that monitors key folders, directories, and files for access and modification is also needed.
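As an added illustration of that monitoring point (my example, not code from the post or from any vault product): a check that correlates privileged-account logon events from the hosts against the vault's check-out records and flags logons that no ticketed check-out covers, which is exactly where a reused password or a shared system account that nobody checks out shows up. The accounts, tickets and events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the post: what the password vault recorded
# when a privileged password was checked out (account, requester, ticket,
# check-out time, hours the password stays valid before the vault rotates it).
CHECKOUTS = [
    ("root@db01", "alice", "INC-1042", "2013-06-28 09:00", 4),
    ("svc_backup", "bob", "CHG-2210", "2013-06-28 13:30", 2),
]

# Constructed privileged-account logon events pulled from the hosts
# (time, account, host, source address).
LOGONS = [
    ("2013-06-28 09:15", "root@db01", "db01", "10.1.2.10"),
    ("2013-06-28 14:00", "root@db01", "db01", "10.1.2.10"),
    ("2013-06-28 14:10", "svc_backup", "fs02", "10.1.2.11"),
    ("2013-06-28 18:45", "svc_deploy", "app03", "10.1.2.12"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def find_unticketed_logons(checkouts=CHECKOUTS, logons=LOGONS):
    """Return (time, account, host, reason) for every privileged logon that no
    vault check-out covers. A logon is covered when a check-out for the same
    account has a window [start, start + hours) containing the logon time;
    anything else is either a password reused after the vault rotated it or a
    shared account nobody bothers to check out, and deserves a look."""
    windows = {}
    for account, _requester, _ticket, start, hours in checkouts:
        begin = _ts(start)
        windows.setdefault(account, []).append((begin, begin + timedelta(hours=hours)))
    findings = []
    for when, account, host, _src in logons:
        moment = _ts(when)
        if any(begin <= moment < end for begin, end in windows.get(account, [])):
            continue
        reason = "outside check-out window" if account in windows else "no check-out on record"
        findings.append((when, account, host, reason))
    return findings
```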

Until next time…
~Skeeter

Sunday, June 23, 2013

Data Protection at all Levels



We all know that we need to protect employee and customer data from unauthorized access. We are also aware that there are many rules around storing and transmitting healthcare and credit card data. Most of us have gone to great lengths to put security controls in place on our Production environments to protect this sensitive data in accordance with applicable policies, rules, and regulations.

What have you done to protect the data on your non-production networks? If you have a test / QA environment that is used for functional, security, and user acceptance testing, what data is being used to ensure testing is against the “exact” data that is in Production? Some enterprises might use an extract of the data from Production in lower landscapes for their testing. Are all of the same security controls in place in the test / QA environment? Or have the controls around privileged access been relaxed to make it easier for testing? Or maybe you have password standards (probably relaxed) in the test environment?

What about the development environment? I am guessing the security controls are even more relaxed for DEV. The developers probably have access to just about everything and are able to manipulate the security controls to make their job easier. Where did the data come from that they are developing against? Was it copied straight from Prod or was it scrambled? Or maybe, if you are lucky, the developer just created their own data to use.

I understand the need to use properly formatted data…but if you are going to use any sensitive data from the Production environment (including the employee database for an HR system, sensitive company data for an ERP system, customer data for a customer relationship database, etc.), make sure it is scrambled in some manner so that it appears to be just random data. Also, don't allow the key security controls to be removed in the lower landscapes; make the developers and testers understand the need for the controls.
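One way to do that scrambling, as an added example that is not from the post or from any particular masking product: a keyed (HMAC) pseudonymization that keeps each field's format so the application still accepts the data, while the same production value always maps to the same scrambled value so employee ids stay consistent between the tables of the extract. The column names, the HR row and the secret are assumed.

```python
import hashlib
import hmac

# Assumed secret held only by the team producing the extract and never copied
# to test or dev: without it the mapping cannot be reversed or confirmed by
# guessing, and rotating it produces a fresh, unrelated scrambling.
SCRAMBLE_KEY = b"replace-with-a-secret-kept-out-of-test-and-dev"

def _digest(column, value):
    # Same (column, value) always gives the same bytes, so an employee id stays
    # consistent across every table; the column name is mixed in so identical
    # text in different columns scrambles differently.
    msg = f"{column}:{value}".encode()
    return hmac.new(SCRAMBLE_KEY, msg, hashlib.sha256).digest()

def scramble_digits(column, value):
    """Swap each digit for a keyed digit, keeping punctuation so an employee
    number or similar field still has the format the application expects."""
    d, out, i = _digest(column, value), [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(d[i % len(d)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def scramble_letters(column, value):
    """Swap each letter for a keyed letter, preserving length and case pattern."""
    d, out = _digest(column, value), []
    for i, ch in enumerate(value):
        if ch.isalpha():
            letter = chr(ord("a") + d[i % len(d)] % 26)
            out.append(letter.upper() if ch.isupper() else letter)
        else:
            out.append(ch)
    return "".join(out)

def scramble_email(column, value):
    """Scramble the mailbox name and move it to a reserved domain."""
    return scramble_letters(column, value.partition("@")[0]) + "@example.com"

# Rule per sensitive column of the constructed HR extract; unlisted columns
# (department, job title, ...) pass through unchanged.
RULES = {"emp_id": scramble_digits, "ssn": scramble_digits,
         "name": scramble_letters, "email": scramble_email}

def scramble_record(row):
    """Return a copy of one HR row with every sensitive column scrambled."""
    return {k: (RULES[k](k, v) if k in RULES else v) for k, v in row.items()}
```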

Until next time…..
~Skeeter

Sunday, June 16, 2013

Threats, Vulnerabilities, and News…where do you get your information?


Like all Information Security professionals, I have my favorite feeds, blogs, and sites I visit for my security news. Before I conclude this post I will share mine. However, where do you go for your intelligence related to threats and vulnerabilities? These would be the sources that give you the technical details, usually in a standard format that subscribers have become accustomed to.

For vulnerabilities, since CVE (Common Vulnerabilities and Exposures) is the standard for tracking issues with software, every Information Security professional should subscribe to a source that disseminates new CVEs. One such source is the RSS feed from the National Vulnerability Database (http://nvd.nist.gov/). Although if you don't have a lot of different operating systems and software applications, the volume may be too much to digest.

CERT (http://www.kb.cert.org/vuls/) also provides an RSS feed that will supply identified vulnerabilities. Another source our team uses is http://www.securityfocus.com/, and don't forget http://www.us-cert.gov/ or http://securityfocus.com. Usually after a vulnerability has been identified for a system I oversee, other sources, such as the vendor's website, will be reviewed for additional information. If the vulnerability looks like it may be high risk, don't be afraid to question your customer representative from the company.
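Because a full vulnerability feed can be too much to digest, here is an added example (mine, not the post's and not any feed provider's tooling) that parses an RSS 2.0 feed and keeps only the items that name a product on your inventory watch list. The feed text, its CVE ids and descriptions are constructed placeholders, and the watch list is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 sample in the general shape of a vulnerability feed; the
# CVE ids are placeholders (CVE-0000-...) and the descriptions are made up.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>CVE-0000-0001 (placeholder)</title>
<link>http://example.invalid/CVE-0000-0001</link>
<description>Cisco Nexus 7000 placeholder issue in NX-OS.</description></item>
<item><title>CVE-0000-0002 (placeholder)</title>
<link>http://example.invalid/CVE-0000-0002</link>
<description>Placeholder issue in a desktop media player.</description></item>
<item><title>CVE-0000-0003 (placeholder)</title>
<link>http://example.invalid/CVE-0000-0003</link>
<description>VMware ESXi placeholder issue in a management agent.</description></item>
</channel></rss>"""

# Assumed inventory of what you actually run; matched case-insensitively.
WATCH_LIST = ["Nexus 7000", "Windows Server 2008", "ESXi", "Belkin"]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def filter_feed(xml_text, watch_list=WATCH_LIST):
    """Return (cve_id, matched_product, link) for each feed item whose title or
    description names a watched product; unrelated items are dropped."""
    hits = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", "")
        haystack = (title + " " + item.findtext("description", "")).lower()
        for product in watch_list:
            if product.lower() in haystack:
                match = CVE_RE.search(title)
                hits.append((match.group(0) if match else None, product,
                             item.findtext("link", "")))
                break  # report each item once even if several products match
    return hits
```

Swap SAMPLE_FEED for the text fetched from the feed you subscribe to and keep WATCH_LIST in step with your asset inventory; the filter is only as good as that list.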

For general news and opinions of breaches, threats, and vulnerabilities I have several sites I visit daily (usually while I am eating lunch):

  • Dark Reading (http://www.darkreading.com) – they cover a wide range of IT areas and have a good group of contributors
  • SANS (http://www.sans.org/newsletters/) – their newsletter provides a high-level recap of the top security stories for the week
  • InfoSec Island (http://www.infosecisland.com/) – a good collection of blogs. Pick a couple to follow
  • Computer World has a Security Manager blog that is ghost written. Although not news, I do enjoy reading about the issues this manager is having.
  • PaulDotCom (http://www.pauldotcom.com) – I try to listen to their podcast every week as they have some very good guests and the staff is very knowledgeable. And I never miss John and his latest episode of Hack Naked TV. The site also has a ton of helpful technical information (yes, I may have saved the best for last)
Once you find a couple of good sites, share them with another Information Security professional, I am sure they will share a new site with you.

~Skeeter

Saturday, June 8, 2013

Where Work-Life Balance Meets Information Security


With people being more connected with their job through laptops, tablets, smart phones, etc… it seems that more companies are worried about work life balance.  Some companies may define work life balance as giving employees more “privileges” with their company-owned computing assets.  By privileges I mean that they may allow the employees to do more with the company owned laptop or loosen the restrictions on what websites can be visited on the company network.

For example, some companies may let employees check personal, web-based email while on the company’s network.   Other companies may allow employees to visit Facebook while others block it. As companies come to expect employees to be connected 24/7 to work, I understand the need to allow employees some freedom at work to get away from the daily grind for a few minutes.  But allowing the freedom comes with some risk, and that risk needs to be discussed before the decisions are made.

By allowing employees to visit Facebook, the company has opened up a new attack vector into the company's network. Before opening it up, maybe a company needs to evaluate the reliability of their desktop protection software or look at a solution that will detect malicious traffic at the network border. The same issues are present if a company allows employees to check personal email at work. Additionally, if the connection is SSL, is the company going to break the SSL connection and monitor the traffic? What traffic is off-limits to monitoring? What websites will be blocked, and does the proxy server / service have a good track record of classifying websites? I suspect HR and Legal will want to weigh in.

I am not saying what is right or wrong, but management must include Information Security in the discussion prior to making decisions based on what is allowed on the network and what employees can do on their company-owned computing devices. 

Until next time...
~Skeeter

Monday, May 23, 2011

Bring Your Own Device - what's the big deal?

So Alice went out and bought herself an iPad for her birthday and now she wants to connect it to the network.   Employees will continue to bring their own devices to work and they want to connect them to the corporate LAN.   Don’t try to ignore it and bury your head in the sand because it isn’t going away.

If you haven't done so yet, you had better get some procedures developed or you will be playing catch-up. First, you need to decide what Bring Your Own Device (BYOD) means in your environment. Does it include only tablets and/or smartphones? Or are you going to allow laptops? Just remember the line between tablets and laptops from a year ago is not the same line today, and it is getting blurrier as I type this post. What data are you going to allow access to…email only or access to backend systems? These are the decisions that need to be made and implemented via your policy with very few (preferably no) exceptions.

If you are going to allow tablets and smartphones access to data other than email, how are you going to manage the devices? If your users want access to the data, they will need to give up some of their “ownership” of their devices. You will want to be able to enforce password protection, remote wipe, certificates, and some sort of encryption on their device. If they don't agree to these requirements, don't let them on the network.

Another option, especially if you are going to allow BYOD laptops, is to utilize virtualization. Create virtual desktops for these users and allow the device to connect to a virtual desktop environment. Most are configurable to control which services are or aren't available…i.e. USB, drive mapping, etc.

You must also decide what level of support your organization is going to provide. If these parameters are not identified up front, a lot of “un-forecasted” man-hours could be spent on troubleshooting user issues. Also identify which operating systems will be acceptable and allowed to connect to the network. For example, do you allow iOS devices, Android, BlackBerry, and Windows Phones, or do you limit it to a smaller subset of devices? What about laptops…Windows (all versions or just Win7), Mac, Linux?

As you can see there are many decisions that need to be made and you must have management agreement.   One thing to remember is don’t back yourself into a corner that will force you to accept additional, unneeded risk in the future.  For example, make sure the controls you implement will adequately protect your most sensitive data because whatever your backend systems are, you can bet that the vendor is going to develop an app that will allow access to that system. 

~Skeeter

Thursday, May 19, 2011

How welcome are your guests?

When Joe the salesman from Pete's Software Palace shows up at the guard desk (because I know you have one), is signed into the system, and is asked to have a seat until you come to get him, is there a wired network connection in the lobby that would allow Joe to sniff your network? If there is, you should probably disable the port for that specific jack.

After you come and get Joe, you go to meet several other people in a conference room and Joe says he needs Internet access; is his only option a wired network, or do you have a guest wireless network? The preferred option is a wireless guest network, segregated from the corporate wireless network. Additional controls could include a daily, rotating password that only employees have access to, thus requiring a vendor or contractor to get the password from an employee. This ensures that someone at your company will know that they are connected to your guest wireless network.

If your company has a fast, reliable corporate wireless network, another sound practice is to disable unused wired ports in conference rooms. Many times a vendor or contractor will be left alone in a conference room; disabling the excess ports will help reduce the risk to the network.

I will leave you this week with a couple of wireless network thoughts…what type of authentication do you require for your laptops to connect to the corporate wireless network? If you are not requiring some type of machine authentication, you are at risk for access point spoofing. How do you handle the ad-hoc networks your corporate laptops have previously connected to? These are usually from traveling (i.e. hotels, airports, etc.) and the laptops will continuously send out a signal looking for their respective network, another opportunity for access point spoofing. Finally, how far does your wireless network extend outside of your building?

~Skeeter