
As audit season is finally over (over 65% of all our assessments and audits happen in Q4), we finally have a chance to grab a cup of coffee and look back at a couple of trends in 2011 that we think separate the best teams from the worst.

First, we need to discuss how we measure the quality of a security team. At Savid, it is pretty simple. Since we perform to assess security programs at organizations, if we got access to something we shouldn’t have, it counts as an intrusion in our books.

Most reviews of look at what went wrong because it’s harder to learn from the successes. So let’s get the major failures of 2011 out of the way and then let’s talk about what our best clients did to prevent us from breaking in. Overall, most of the security programs we assessed had issues. However, 2011 was the worst we have ever seen in terms of the depth and breadth of issues – even though the majority of the security programs we tested were in with regulations such as , , and .

Ok, so with that out of the way, what did the best security teams do to prevent our from breaking in?  One Thing: . 2011 was the first year where we saw significant advancements in deployments among our clients. For example, we saw a noticeable increase in proper system hardening (using standards such as CIS and NIST) and reduction of excessive permissions that stopped our attacks cold.

Properly deploying defense in depth can be the distinction between a requiring notification or a simple documented incident. The difference between the two for some organizations could be millions of dollars. Oh, and it also has a side effect of making most malware non-functional by preventing the malware from creating temporary files, accessing DLLs, etc. Remember, an attacker can’t exfiltrate data if the exfiltration tools won’t run!

So, how did the defense in depth stop our hacking? Most of the time we were able to get entry into a server or application, but because of defense in depth we weren’t able to leverage that entry for any gain (such as privilege escalation, intellectual property, or personally identifiable information). For example, if we got access to an application via injection, we weren’t able to execute any commands on the server because the server was hardened to prevent usage of xp_cmd and the service account had no local permissions on the box to do anything other than access the database files and folders. Another example is when we got access to a Linux system running a custom PHP login system via an upload vulnerability and a PHP shell script. The hardening of Apache and the file system prevented our low-privileged web server service account from reading local files, creating files, etc. Essentially, the account we got control of was useless, and the attack vector wasted our time and effort.

Wasting an attacker’s time and effort is exactly what you as the defender want to do. Every minute an attacker is stalled or delayed is more time for your detective controls such as IDS/IPS, logging, or even Tripwire-like defenses to detect an attack. We recommend that every have a simple theme: If You Cannot Prevent It, Detect It. Leveraging defense in depth provides additional detection points along the attack path. Every time a low-privileged user attempts to access the Accounting share – detect it. Every time a server in your DMZ attempts to connect to a server in the internal network (which should be blocked by the firewall), detect it and respond to it. These are all indicators that the server is doing something it shouldn’t.

Our number one recommendation when deploying defense in depth with proper detection controls is the use of fake records – commonly called “”. For example, if you have a public web application that has access to an internal database server through a firewall, place a fake record in the database using a randomly generated 30-64 character value. This record has no value and should never be accessed via normal web application use. If your firewall, web filter, or DLP system ever sees this traffic move across the network – something went wrong and you need to find out why.
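The fake-record check described above, as an added example that is not code from the original post or from Savid: it seeds a random 30-64 character honeytoken and then scans constructed firewall/DLP-style log lines for that value, including URL-encoded and base64-encoded forms so an encoded copy leaving the network is still caught. The log format and the `TOKEN` value are constructed for the example.

```python
import base64
import binascii
import re
import secrets
import string
from urllib.parse import unquote

# Characters used for the seeded fake-record value.
ALPHABET = string.ascii_letters + string.digits


def make_honeytoken(length: int = 40) -> str:
    """Generate a random record value that no legitimate query should read."""
    if not 30 <= length <= 64:
        raise ValueError("honeytoken length should be 30-64 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _decoded_views(line: str):
    """Yield the line as logged plus URL-decoded and base64-decoded views,
    so a token that left the database in encoded form still matches."""
    yield line
    decoded = unquote(line)
    if decoded != line:
        yield decoded
    for blob in re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", line):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue


def find_honeytoken_hits(lines, tokens):
    """Return (line_number, token, line) for each log line carrying a token."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in tokens:
            if any(token in view for view in _decoded_views(line)):
                hits.append((number, token, line))
                break
    return hits


# Constructed sample: a seeded 44-character token and four log lines; only
# lines 2 (URL-encoded) and 3 (base64-encoded) carry the token.
TOKEN = "k7Qz9mR2vT4wX8yB1nC5pL3sD6fG0hJ9aE2uV7iO4rN1"
SAMPLE_LOGS = [
    "fw: dmz-web01 -> db01:1433 SELECT * FROM customers WHERE id=1042",
    "dlp: dmz-web01 -> 203.0.113.9:443 POST /upload body=card%3D" + TOKEN,
    "proxy: dmz-web01 -> 198.51.100.7:80 GET /?d=" + base64.b64encode(TOKEN.encode()).decode(),
    "fw: dmz-web01 -> db01:1433 SELECT name FROM customers WHERE id=77",
]

if __name__ == "__main__":
    for number, token, line in find_honeytoken_hits(SAMPLE_LOGS, [TOKEN]):
        print(f"ALERT line {number}: honeytoken seen in: {line}")
```

In a real deployment the token list comes from the records you seeded, and the lines come from the firewall, web filter, or DLP logs the post names; any hit is an incident to investigate, not a false positive to tune away.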

Every year Verizon releases their Data Breach Investigations Report, and year after year they mention the same problem: the time between a breach occurring and detection of the breach is too long, sometimes years! So this year, add some more defense in depth controls to your security program and watch how quickly it helps reduce the impact of a .


How To Stay Safe While Shopping Online

by Michael A. Davis on January 8, 2012

As we all know, is nothing new, but as its popularity continues to grow, so do the malicious threats that can occur during your shopping experience.  That is why we want to provide you with some reminders and tips on how to make your a safer experience.  We also encourage you to share these tips with your family who may make online purchases too.

There are a few simple precautions you can take to further secure yourself before you make your online purchases.  First, make sure you have a web filter in place that will warn you of suspicious websites. Keep your web browsers up to date too. Oftentimes the site you are shopping on is legitimate, but if your computer is infected with keyloggers or other malware, you run the of your data being stolen.

It is always best to shop at familiar websites, but if you are looking at products or services from an unfamiliar site, do a little research before you begin; find out what other consumers have to say about the store or seller.  Epinions.com and BizRate.com give customer evaluations that may help you determine the legitimacy of the company.  It is also a good idea to review the website for the and or approval icons.  Be sure to click those icons to ensure that they take you to those accredited sites and that you can find the company’s name within their listings. Oftentimes harmful sites will display the graphic with no link, so be aware.

Remember, before entering your personal data and credit card information, check that the website’s connection is encrypted. The URL will start with https:// and there will be a padlock icon in the address bar or the corner of the window.  Pay attention to any warnings your browser gives you regarding the site’s certificate; when in doubt, find somewhere else to shop.

Keep in mind when choosing a payment method that it is always best to use if it is an option; that way your credit card and bank account information will not be shared with the merchants and sellers. will also protect you against fraudulent charges and if there are problems with your purchases. Once your purchases are made, it’s always a good idea to check your bank accounts and credit card statements to ensure the proper amount was charged; if the charges are wrong, contact the website where your purchases were made immediately and call your credit card company to inquire about a “charge back”.

We hope that by keeping these tips in mind that you will continue to enjoy shopping online and are more secure in doing so.


Cloud Encryption – How To Securely Use The Cloud

by Michael A. Davis on January 8, 2012

Gartner, the largest IT research firm in the world, is predicting that 2012 will be the year that more than 50% of Global 1,000 companies store customer data in a public cloud – a 30% increase from 2011. Of course, these firms have and regulatory concerns which should make you ask how are they putting potentially into a public cloud? Sadly, the answer isn’t some amazing new technology it’s actually technology that was developed in Egypt circa 1900 BC – encryption.

Encryption As A Service (EaaS), or “” as it is commonly called, is being used by more and more global firms to enable them to leverage large public cloud vendors such as , , and even DropBox. Cloud encryption isn’t really new; it hit the industry scene in 2008, but more vendors, lower prices, and simpler implementation capabilities have put it on the list of “technology to learn about” for most CIOs and CSOs. Let’s discuss how these cloud encryption services work.

First, there are multiple types of cloud encryption. Some vendors offer encryption for virtual machines that run at cloud providers such as Amazon’s EC2 or Rackspace. Other cloud encryption vendors provide application-level encryption by acting as an API proxy. For example, with services such as SalesForce and Apps, instead of storing a number in plaintext in a field at SalesForce.com, the at your company’s data center encrypts it first, and SalesForce.com stores the encrypted value instead of the plaintext. Lastly, some cloud encryption vendors provide file-based encryption, where individual files and their names are encrypted instead of encrypting the underlying storage.

Regardless of the cloud encryption approach, you might notice a trend. Cloud are really just “cloud” versions of the same technologies that have been in use at data centers worldwide such as Full-Disk Encryption, , and . The difference is that these cloud encryption vendors solve one problem that plagues organizations – staying up to date with the data sources and destinations the encryption technology works with. No more having to rewrite an application because SalesForce changed their API, the cloud encryption vendor does that for you.

The majority of failed encryption deployments we analyze fail because of key management. This problem is still in cloud encryption and may even be worse depending on how many cloud vendors your organization uses; however, most cloud encryption solutions allow you to use your own keys and most allow you to use your own key management system.

So what’s stopping you from moving to the cloud if you can simply encrypt any sensitive data that will go in and out of the public cloud? Our research from over 500 security professionals within the US shows that while cloud encryption greatly decreases the of using cloud services, it does not change the fact that most organizations don’t know what data needs to be encrypted or even where that sensitive data is! While not a requirement, those firms that implement data-centric security find it much easier to move their data to the cloud, so perhaps you can use that cloud project as a reason to move to data-centric security.


Confirmation Bias – Why Your Security Metrics Suck

November 16, 2011

Risk management is essential to a proper security program, yet many organizations struggle with implementing it. Savid advises companies around the world and is frequently asked what risks really matter. Should we be worried about a zero-day attack? What about all these mobile devices? Many CISOs get caught up in the risk management process [...]


The 2011 Holiday Tech Gift Guide!

November 16, 2011

Well who better to ask about tech gifts or gadgets than the tech guys themselves? Here at Savid we are always interested in finding the coolest and latest tech gadgets out there. So to help you out this holiday season we have put together our 2011 Holiday tech gift guide to help you with your [...]


Risk Management and Asset Allocation – What you can learn

November 16, 2011

We have all seen the graphs, three pies: one marked aggressive, one conservative, and one moderate. Usually associated with 401K or IRA accounts, these graphs show an allocation of various assets in order to meet a specific return level given a certain amount of acceptable risk. You pick one and the company handles the reallocation and dirty [...]


How to hack a Facebook profile? Attack Content Distribution Networks

June 22, 2011

As the clouds continue to roll in (sorry, I had to…), we are learning of more attacks being successful against organizations such as Google, Facebook, and others. The latest is from a security researcher, Christian Heinrich, located in Australia. He reverse engineered the algorithm Facebook uses to access your personal photos. Since Facebook is a [...]


Application Security Risk Management – Episode 1

May 6, 2011

A new video from Tony Czarnik, our Security Practice Manager! This two part video series will discuss what application security is, how to identify application security flaws and how to build an application security program specific to your organization while reducing operational costs and staff requirements. Watch the Video >>


Sony didn’t have log management either?

April 26, 2011

While reading through the blog post that discusses how Sony’s PlayStation Network was breached, was I the only one that noticed that PlayStation Network usernames AND passwords were stolen? Perhaps they left out the specifics, but why were the passwords stored using encryption, thereby increasing the amount of time and effort required to decrypt the [...]


Risk Assessments Define Your Security Policy

April 26, 2011

It is not possible or sensible to protect all information, regardless of sensitivity, with the same maximum level of protection. And there is no cookie-cutter, one-size-fits-all approach to creating a security policy, since every business has unique risks and places different values on different kinds of information. This is why an individual risk assessment must be performed. Once the risks have been determined, a security policy can be crafted that protects information based on its value and the risk unique to that organization.
