CA Community

December 2010 - Posts

WikiLeaks – More Views on What Went Wrong

Published: December 20 2010, 01:23 PM | 1 Comment(s)
by Sumner Blount

I happened upon an interesting blog recently, "WikiLeaks: Stronger Access Mgt. Needed," by Eric Chabrow, that considered the role of ineffective access management in the WikiLeaks debacle. Merritt Maxim has also posted some interesting blogs on this topic, including "We Have Seen the IT Security Enemy and It is Us."

Chabrow's blog also references an interesting study by the Ponemon Institute, sponsored by CA Technologies, "Security in the Trenches." One of the more interesting findings of this study was that the people on the "front lines of security" tend to see a higher risk of security breach (such as information loss) than their superiors do. These IT security staff understand the challenges of protecting key applications, systems, and information, and tend to have a more nuanced and often more pessimistic view of the overall security of their infrastructure than upper-level executives do. The lesson of this study is that all levels of the organization (from HR to IT to senior management) need to be involved in an honest evaluation of the effectiveness of any given set of IT security controls. And if audits uncover control deficiencies, organizations must be committed to fixing them as expeditiously as possible.

But, getting back to WikiLeaks: we could debate for days the true causes of this security breach. Clearly, there was no effective access governance system in place that would have prevented one person from gaining access to such a huge number and wide variety of confidential documents. In addition, there were no controls over what could actually be done with the documents once they were obtained. An effective data loss prevention system could probably have prevented most or all of those documents from being copied or emailed inappropriately to someone outside the military. An automated and effective procedure for analyzing access event logs or file transfer logs might have been able to either recognize the problem or highlight an area for further manual analysis. In short, there is plenty of blame to go around in terms of non-existent or ineffective controls on access to information and its use within this particular military system.

This experience is a very painful national lesson as to the requirements for strong security and control across not only identities and access, but also information use. First, there must be up-to-date, widely communicated, and attested-to information use policies. Users must know instinctively what they can and cannot do with the information they access. Granted, in the WikiLeaks case this alone would not have prevented the breach. Still, in many organizations information use violations occur simply because people do not know or understand what the policies prohibit. Next, there should be technology in place to prevent or detect policy violations. Users cannot be trusted in all cases to abide strictly by your information use policies, whatever they may be. Just because someone needs access to a given document or collection of information does not ensure that he or she won't use that information in a way that violates policy and damages the organization. Finally, there should be periodic or continuous auditing of access event logs to look for suspicious activity that might precede a breach. This will not prevent a breach in every case, but it could detect one soon enough to minimize the impact.


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

US Government and Computer Hardware: A Tumultuous Relationship

Published: December 15 2010, 02:48 PM | 1 Comment(s)
by Merritt Maxim

As part of the ongoing WikiLeaks fall-out, the US Defense Department has issued a Cyber Control Order that instructs military personnel to "...immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET." Given that much of the WikiLeaks data originated on SIPRNET, this order is a natural reaction. For readers interested in how SIPRNET functions, this article provides an excellent overview.

This order prohibits the use of any removable media (such as USB thumb drives or CDs) on all such systems and threatens court-martial for any military person who uses it. The move appears drastic but is not surprising, given the urgency to minimize further WikiLeaks-type incidents. The problem is that this order will not completely prevent future insider attacks. The ban closes one attack vector but leaves others open. For instance, insiders could email documents to themselves and, if they have a smartphone, later download those documents onto the phone's removable storage. Or they could email content to a Gmail or Hotmail account.

The US Government has had a difficult relationship with computer hardware. Twenty years ago, a US government lab auctioned off a 5-ton outdated Cray supercomputer for $10K as salvage office equipment. The government neglected to remember that the Cray contained at least $25K in salvageable copper and 24-carat gold (gold was used on the circuit cards because it conducts well and does not corrode), enabling the buyer to make a nice profit.

More recently, the Office of the Inspector General audited NASA and found that NASA improperly disposed of hard drives and other computer media. Some of the drives containing sensitive data may have been sold off on the secondary market. This provides another data point that a ban on removable media does not solve the insider problem: data can still leave on media the organization itself disposes of.

The purpose of this blog is not to enumerate the many other mechanisms that could subvert the removable media ban, but merely to demonstrate that organizations of all types must get serious about mitigating security threats and understand that a step such as banning removable media does not solve the insider problem. Organizations could instead look to solutions like DLP that classify data and detect and prevent moving sensitive data to a USB drive, while still allowing the USB drive to function for legitimate business purposes.
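As an added illustration of the content-aware approach this post contrasts with a blanket ban (example code written for this page, not CA's or any product's code): the check classifies a document by what it contains, then applies a per-channel ceiling, so unmarked material can still go to a USB drive while marked material is stopped on that drive and on the external e-mail route the ban leaves open. The markings, the SSN pattern, the channel names, the policy table and the sample documents are all assumptions constructed for the example.

```python
"""Content-aware transfer check in the spirit of DLP: classify a file by what
it contains, then allow or block it per exit channel.  Added example for this
page, not any product's code; markings, patterns and the policy are assumed."""
import re
from dataclasses import dataclass

# Markings and content patterns the check recognises (assumed for the example).
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Highest level each exit channel may carry (assumed policy).  A blanket media
# ban would put removable_media at "nothing at all"; this policy lets the drive
# keep working for unmarked material and also covers the e-mail routes.
CHANNEL_CEILING = {
    "removable_media": "UNCLASSIFIED",
    "email_external": "UNCLASSIFIED",
    "email_internal": "SECRET",
    "print": "CONFIDENTIAL",
}


def classify(text):
    """Return the highest marking found in the text.  Content that carries no
    marking but matches an SSN pattern is treated as CONFIDENTIAL."""
    level = "UNCLASSIFIED"
    for marking in MARKING_RE.findall(text):
        if LEVELS[marking] > LEVELS[level]:
            level = marking
    if level == "UNCLASSIFIED" and SSN_RE.search(text):
        level = "CONFIDENTIAL"
    return level


@dataclass
class Decision:
    allowed: bool
    level: str
    reason: str


def check_transfer(text, channel):
    """Decide whether this content may leave through the given channel.
    A channel the policy does not know about is denied, not assumed safe."""
    level = classify(text)
    ceiling = CHANNEL_CEILING.get(channel)
    if ceiling is None:
        return Decision(False, level, f"unknown channel {channel!r}: default deny")
    if LEVELS[level] > LEVELS[ceiling]:
        return Decision(False, level,
                        f"{level} content exceeds the {ceiling} ceiling for {channel}")
    return Decision(True, level, f"{level} content permitted on {channel}")


# Constructed sample documents (not real records).
BUDGET_MEMO = "Q4 travel budget summary. Figures are not marked. Contact facilities."
CABLE = "SECRET\nEmbassy reporting: assessment of host-government ministers.\n"
HR_EXPORT = "name,ssn\nJane Roe,123-45-6789\n"

if __name__ == "__main__":
    for name, doc in [("memo", BUDGET_MEMO), ("cable", CABLE), ("hr", HR_EXPORT)]:
        for channel in ("removable_media", "email_external", "email_internal", "print"):
            d = check_transfer(doc, channel)
            print(f"{name:5s} -> {channel:16s} {'ALLOW' if d.allowed else 'BLOCK'}: {d.reason}")
```

The design point is the table: the decision is made on the content's level against the channel's ceiling, not on the device alone, which is why the unmarked memo still reaches the USB drive while the marked cable is blocked there and on external mail alike. Unknown channels fall to deny so that a new exit route is a policy decision rather than a silent gap.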


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Insider Theft: WikiLeaks is not the only newsworthy breach

Published: December 09 2010, 04:58 PM | no comments
by Merritt Maxim

Lost in the high profile media attention around WikiLeaks is the simple fact that WikiLeaks reflects a common security risk all organizations face - the threat from insiders.  While the sensitive nature of the WikiLeaks data has resulted in more media attention, the reality is that insider attacks are happening all the time.  Case in point is this week's story that the SEC has charged an employee of a Delaware law firm and his brother-in-law with insider trading.

At first glance, this appeared to be a plain vanilla insider trading case (like this one) in which an insider has access to confidential information and shares it with a relative or associate to generate profits.   Note, fans of Oliver Stone's "Wall Street" should still check out that vanilla insider trading case.

As I read the SEC lawsuit, I saw that this case was a bit different.  The insider charged in this case was the law firm's IS Manager and Security Officer whose functions included "... to maintain the security and confidentiality of the Law Firm's electronic files, as well as to maintain the security and confidentiality of any information to which he had access in his capacity as an employee and/or representative of the Law Firm."   Furthermore, the lawsuit indicates that the suspect was "...required, annually, to certify his compliance with all of the policies and procedures set forth in the Law Firm Manual." 

On the surface, the employer had hired a responsible employee who managed IT security and agreed to follow all the company's policies and procedures.  In reality, the employee was allegedly using his position to collect confidential information and rubber-stamping his acceptance of the policies.  And evidently, the firm's auditing of the security officer's actions was either non-existent or incomplete.

This story should be a reminder that regardless of your organization's line of business, you are still susceptible to an insider attack and that vigilance is required at all times. It also shows (unfortunately) that even those in security roles may themselves be the culprits. And once again, it demonstrates the importance of implementing appropriate security controls like identity and access management - and in this case privileged user management - to help mitigate the insider threat.

I encourage readers to look at CERT's website.  They have excellent research on insider theft and their blog has good insights on motivations behind insider theft.



Security―An Essential Prerequisite for Success in Virtualisation

Published: December 03 2010, 11:44 AM | no comments
by Shirief Nosseir

To coincide with the results of a new independent study conducted by KuppingerCole on behalf of CA Technologies, here are five key security recommendations to help counter organizational concerns regarding Hypervisor Privileges and Data Sprawl in virtual environments:

1) Support both physical & virtual environments with a unified approach and solution

2) Control data sprawl

3) Manage privileged users

4) Administer security management as an integral part of infrastructure and service management

5) Maintain compliance

The video accompanying this post covers these recommendations and the results of the survey, which was conducted across 15 countries with over 330 organizations in Europe and the US.


By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

We Have Seen the IT Security Enemy and It is Us

Published: December 02 2010, 04:12 PM | 2 Comment(s)
by Merritt Maxim

In the 20-plus years that I have been affiliated with the infosec community, one constant has been the consistent claims that the majority of computer crimes are caused by insiders. 

It may be my naturally cynical nature, but I have been somewhat dubious of these claims from vendors and analysts. My skepticism may derive from the fact that many infosec surveys rely on organizations to self-report, and they may be loath to admit insider theft (or may not even know that they have it). The result is that it is hard to determine how prevalent the insider problem is. I do not doubt that insider theft is a real and legitimate security problem; I just have a hard time accepting this in light of the ongoing high-profile outsider attacks.

However, the ongoing media stories of high-profile data leaks such as WikiLeaks (and their newest revelation that they have data from US financial institutions) have erased my skepticism and proven once and for all that the insider threat could very well be the biggest security problem facing organizations in all sectors. There are three converging external factors that are making the insider threat even more acute.

  • Data storage costs are essentially zero. At the Gov Security Conference in DC, Bruce Schneier made an excellent point that because of declining storage costs, it is cheaper and easier for organizations to just store and archive everything rather than try to examine data and determine what should be saved or deleted. This means that all data is online or accessible someplace, so if malicious insiders can find it, they can get it. This is unlike 5-plus years ago when documents or drives were actually shredded or destroyed.
  • Increased distribution of workforce and data. People are much more distributed now, accessing data over multiple channels (wifi, smart phones, broadband wireless, Ethernet). Plus, the data no longer resides in a single monolithic mainframe but can be distributed across thousands of servers around the globe. These factors make it increasingly difficult to track the data, let alone protect it.
  • Inadequate protections against internal threats. Many organizations still focus on protecting the network perimeter which is necessary for protecting against malware and botnets. But these same organizations often do not apply the same vigilance when protecting their internal networks. Administrator passwords are left as default values, data is not properly categorized and stored, employee roles and entitlements are not managed effectively, to name a few gaps.

The reality is that solutions from many vendors to mitigate the insider threat have existed for some time.

An effective deterrent against insider threat should comprise the following:

  • Identity Governance - Identity governance is all about automating user provisioning and application access based on each user's relationship and role with your organization - whether they are employees, contractors, customers or business partners. These solutions provide numerous operational benefits, but the main one is to reduce security risk by ensuring insiders cannot access systems they should not.
  • Data Loss Prevention (DLP) - As critical data migrates from centralized, controlled environments to desktops and distributed servers, DLP can discover and protect this sensitive data wherever it is located and used across your organization, reducing the risk of malicious and accidental disclosure.
  • Privileged User Management - Privileged users possess a powerful level of access that, if not controlled or monitored, could lead to disastrous consequences. As a result, organizations need to consider how to allow privileged users to carry out their jobs without compromising their organization's data. A complete solution must include privileged user password management, fine-grained access controls, and privileged user auditing and reporting.
  • Log Management - A common finding in cases of insider threat is that evidence of the problem existed before the actual exfiltration occurred. Monitoring logs for indications of malicious insider activity is a very effective way to detect anomalous behavior and can greatly assist in the investigation and forensics of potential breaches.

At a minimum, organizations should deploy at least one of these tools; deployed together, they provide the strongest defense against insider threats.
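The December 20 post above suggests that an automated review of access event or file transfer logs might have recognized the problem or flagged an area for manual analysis, and the Log Management point here makes the same case. Here is an added example of such a review (written for this page, not CA code): it parses access events, counts downloads per user, and flags anyone whose volume is far above the median of their peers or who is pulling documents from an unusually wide spread of originating offices. The log format, field names, peer-median rule and thresholds are assumptions, and the log lines are constructed, including one deliberately malformed line.

```python
"""Review access-event logs for users whose download volume and breadth are
out of line with their peers.  Added example for this page, not CA code.
Log format, field names and thresholds are assumptions."""
import re
from collections import defaultdict
from statistics import median

# Assumed record layout: timestamp, user, action, document id, originating
# office, classification.  Real systems differ; adapt LINE_RE accordingly.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"doc=(?P<doc>\S+) origin=(?P<origin>\S+) class=(?P<cls>\S+)$"
)

# Illustrative thresholds; derive real ones from a measured baseline.
VOLUME_FLOOR = 20    # ignore users below this absolute download count
PEER_RATIO = 5.0     # flag when downloads exceed this multiple of the peer median
BREADTH_LIMIT = 5    # flag when pulling from this many distinct originating offices


def parse(lines):
    """Parse log lines into dicts.  Lines that do not match the layout are
    skipped; a production pipeline would count and report them instead."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is not None:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Per-user download count and the set of distinct originating offices."""
    downloads = defaultdict(int)
    origins = defaultdict(set)
    for ev in events:
        if ev["action"] == "download":
            downloads[ev["user"]] += 1
            origins[ev["user"]].add(ev["origin"])
    return downloads, origins


def find_outliers(lines):
    """Return [(user, [reasons])] for users whose activity stands out.
    Volume is compared against the median of the *other* users so that one
    heavy puller does not drag the baseline up with it; breadth is an absolute
    check because a given role normally touches only a few offices."""
    downloads, origins = summarize(parse(lines))
    findings = []
    for user in sorted(downloads):
        count = downloads[user]
        peers = [c for u, c in downloads.items() if u != user]
        peer_median = median(peers) if peers else 0
        reasons = []
        if count >= VOLUME_FLOOR and count > PEER_RATIO * peer_median:
            reasons.append(f"{count} downloads vs. peer median {peer_median:g}")
        if len(origins[user]) >= BREADTH_LIMIT:
            reasons.append(f"documents from {len(origins[user])} distinct offices")
        if reasons:
            findings.append((user, reasons))
    return findings


# Constructed sample log (not real records): three users with routine activity
# confined to one office each, plus one malformed line.
BASELINE = """\
2010-11-01T09:12:03 user=asmith action=view doc=D-1001 origin=EMB-BERLIN class=CONF
2010-11-01T09:14:40 user=asmith action=download doc=D-1002 origin=EMB-BERLIN class=CONF
2010-11-01T09:20:15 user=asmith action=download doc=D-1003 origin=EMB-BERLIN class=CONF
2010-11-01T10:02:11 user=bjones action=view doc=D-2001 origin=EMB-CAIRO class=CONF
2010-11-01T10:05:55 user=bjones action=download doc=D-2002 origin=EMB-CAIRO class=SECRET
2010-11-01T10:40:02 user=bjones action=download doc=D-2003 origin=EMB-CAIRO class=CONF
2010-11-01T11:00:00 user=cwu action=download doc=D-3001 origin=EMB-TOKYO class=CONF
2010-11-01T11:03:30 user=cwu action=download doc=D-3002 origin=EMB-TOKYO class=CONF
2010-11-01T11:09:12 user=cwu action=download doc=D-3003 origin=EMB-TOKYO class=SECRET
2010-11-01T11:15:00 user=cwu action=download doc=D-3004 origin=EMB-TOKYO class=CONF
garbage line that does not parse
""".splitlines()


def bulk_pull(user, n, offices):
    """Constructed burst: one user downloading n documents across many offices."""
    return [
        f"2010-11-01T13:{i // 60:02d}:{i % 60:02d} user={user} action=download "
        f"doc=D-9{i:03d} origin={offices[i % len(offices)]} class=SECRET"
        for i in range(n)
    ]


SAMPLE_LOG = BASELINE + bulk_pull(
    "dlowe", 40, ["EMB-BERLIN", "EMB-CAIRO", "EMB-TOKYO", "EMB-LIMA", "EMB-OSLO", "EMB-DELHI"])

if __name__ == "__main__":
    for user, reasons in find_outliers(SAMPLE_LOG):
        print(f"{user}: " + "; ".join(reasons))
```

On the constructed log only the bulk puller is flagged, for both reasons: forty downloads against a peer median of two, from six offices. The output is a list for an analyst to look at, which is the realistic goal; a rule like this narrows a log of thousands of routine events down to the handful worth manual follow-up, the "area for further manual analysis" the earlier post describes.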
