You don’t need a 6th sense to detect when a fellow IT security pro is engaged in a hot project, like implementing a defense in depth strategy, a DLP tool or a PenTest project, where for 10 hours a day they can role play as a nefarious (but ethical) hacker. They spring out of bed without an alarm, their iPod rocks as they think of their project on the way to work, and they usually work while others sleep. And as they sense the success of their project is in reach, there is a gleam in their eye like Melvin Purvis knowing Dillinger will be at the Biograph theatre that night. Yes, that’s you. The details are different, but you act with the same focused purpose when you are engaged with a hot project.
Unfortunately, “productive you” has been dulled by the recession. You look at the clock. It’s 9:03. Your hot project lost budget. 9:07. You start to feel like you’re just hanging out at the office, daydreaming about the receptionist or what you’re going to do this weekend. 9:13. “Will I be the next budget cut?” Or maybe you’re forced into endless, mindless maintenance and you begin to feel like the same worthless, infinite loop that “victim you” is attempting to debug. Maybe you’ve become a cash cow and you’ve lost touch with the leading edge you once steered like a snowboard. If you resent, but resemble, this description, STOP. It’s time to wake up the “pro-active you”.
Learn and Grow. It even sounds healthy and positive, like water and sunlight to a plant. I’m not going to try and talk you out of investing in night school, but you don’t need money, homework and someone else’s schedule to learn. There’s a lot of negativity about our current economy. Want a silver lining? There has never been a time when you and I could take advantage of the plethora of free information for educational purposes as we can today. Think about it. “How would you like your free industry knowledge, miss? For here (seminar)? To go (white paper)? or delivered into cyberspace (webinar)?”
Complimentary subject matter expertise and contributing back to the community are key foundational components of the Savid Technologies business model. In my Security Practice Manager role, I am deep into developing an immense library of IT security and compliance literature. It’s already pretty solid. Savid’s Marketing team, in conjunction with our Web Development team, has created an easy and efficient self service system for your convenience. Just check it out at www.savidtech.com. Look for new, relevant and insightful information every month on technology, methodology and industry metrics. On our website, you can also view the upcoming complimentary, educational events, or download our informative whitepapers. If what you are looking for is not there yet, just contact Kelly or Angela in Marketing (877-307-0444). They’ll hook you up with free industry knowledge, for here, to go, or delivered into cyberspace. I will also make time to discuss IT security with you. If I don’t know it, I will connect you with the right resources.
One last note. Consider attending our monthly Chicago IT Security Meetup. Next meeting’s topic and registration can be found at: http://www.meetup.com/The-IT-Security-Group-of-Chicago/. I gotta go now and finish my week’s work; I’ve got a long list of research topics for Saturday morning.



My latest DarkReading article just went live over the weekend. Read the full issue at http://www.informationweek.com/drdigital/jan11/
In this month’s issue I talk about some side research I conducted that came out of my 2010 Strategic Security Survey: how CISOs make their decisions. For years, CISOs have had their go-to sources for cyber intelligence: vendors, newsgroups, NIST, CVSS, etc. At some point, though, the “log management syndrome” kicks in, where you’re overwhelmed with threat noise and unable to prioritize. What then? I talked with Fortune 500 and Fortune 5000 CISOs about their trusted sources and found out how successful CISOs filter out the racket and decide where to direct resources.
What did I find? Without a logical way to prioritize security spending, you may as well be flipping a coin. Yet I found that’s exactly how some CISOs do business. Time to get rational by using the 5 tips I give in the article.
Verizon Business’ Christian Moldes has a great post about Plane Crashes and Security Breaches and how they are very similar. He hits it right on the head! During our engagement wrap-up meetings, where we explain the various potential scenarios an attacker can use to break into a client’s network, we are always asked to put a specific ranking on a specific risk. I argue that this almost doesn’t matter, because normally the big breaches are not caused by a single vulnerability but by many chained together.
Christian quotes Malcolm Gladwell, and says:
The typical [plane] accident involves seven consecutive human errors.
When we work with clients we normally see that breaches are caused by a chain of at least three errors: exploitation of a vulnerability; then a misconfiguration is used to find a privileged account user name and password; and then data is found on the network somewhere it wasn’t supposed to be, where the privileged account has access to it.
Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (which should be tested like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization, followed by detective controls such as logging, so that you detect a breach as soon as possible.
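To make the “chain of errors” point concrete from the detective-control side, here is an added example (not code from the original post or from Savid) that correlates the three links described above across a constructed log feed: a suspected exploit from a source IP, a privileged logon from that same IP, and that privileged account then reading data it should not reach. The log format, the event names and the sample lines are all constructed for this illustration; a real deployment would map its own web, domain-controller and file-server events onto the same three stages.

```python
"""Correlate a chain of three errors into a single breach alert.

Added example, not part of the original post. The pipe-delimited log
format, the event kinds (EXPLOIT_SUSPECT, PRIV_LOGON, FILE_READ) and the
sample lines below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: "timestamp|source|event|src_ip|user|detail".
# 203.0.113.7 and 192.0.2.10 are reserved documentation addresses.
SAMPLE_LOG = """\
2011-01-10T09:00:05|web|WAF_BLOCK|203.0.113.7|-|sqli attempt on /login
2011-01-10T09:01:12|web|EXPLOIT_SUSPECT|203.0.113.7|-|5xx burst after crafted request
2011-01-10T09:03:40|dc|PRIV_LOGON|203.0.113.7|svc_backup|logon from unexpected host
2011-01-10T09:05:02|fileserver|FILE_READ|203.0.113.7|svc_backup|finance share: payroll_2010.xlsx
2011-01-10T10:15:00|dc|PRIV_LOGON|192.0.2.10|admin|routine logon
"""

# The three links the post describes, in the order they must occur.
STAGES = ("EXPLOIT_SUSPECT", "PRIV_LOGON", "FILE_READ")


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    ip: str
    user: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, ip, user, detail = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), source, kind, ip, user, detail))
    return events


def find_breach_chains(events: List[Event], window: timedelta = timedelta(minutes=30)
                       ) -> List[Tuple[str, str, List[Event]]]:
    """Return (source_ip, privileged_user, chain) for each IP that completes
    all three stages in order within `window`. A lone WAF block or a lone
    privileged logon never alerts: only the completed chain does."""
    by_ip: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip.setdefault(ev.ip, []).append(ev)

    chains = []
    for ip, evs in by_ip.items():
        chain: List[Event] = []
        stage = 0
        for ev in evs:
            if ev.kind != STAGES[stage]:
                continue
            # The account that read the data must be the one obtained at stage 2.
            if stage == 2 and ev.user != chain[1].user:
                continue
            chain.append(ev)
            stage += 1
            if stage == len(STAGES):
                if chain[-1].ts - chain[0].ts <= window:
                    chains.append((ip, chain[1].user, chain))
                break
    return chains


def time_to_full_chain(chain: List[Event]) -> timedelta:
    """How long the attacker needed from first exploit sign to data access:
    the budget your detection and response have to beat."""
    return chain[-1].ts - chain[0].ts


if __name__ == "__main__":
    for ip, user, chain in find_breach_chains(parse_log(SAMPLE_LOG)):
        print(f"ALERT: chained breach from {ip} via {user} in {time_to_full_chain(chain)}")
        for ev in chain:
            print(f"  {ev.ts.isoformat()} {ev.source:<10} {ev.kind:<15} {ev.detail}")
```

Run against the sample, the routine admin logon from 192.0.2.10 is ignored and the single WAF block from 203.0.113.7 is not an alert on its own; only the completed three-link chain is reported, together with the four minutes it took, which is the window an incident response process has to work with.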
Whenever executives discuss IT and cost cutting, invariably two topics come up: Virtualization and the Cloud. Don’t even get me started on the topic of the cloud, and the chance for rain. Virtualization is a good topic to discuss since some items may be unfamiliar to you (especially those of you in the SMB space).
By now, most companies have adopted, or at least looked into, overhauling their IT infrastructure with virtualization solutions. Virtualization is said to reduce costs, simplify management and scalability, and limit the toll computing has on the environment. Since 2005, virtualization software has quickly changed the landscape of enterprise computing.
For those unfamiliar with the concept, virtualization involves abstracting computer resources by consolidating several physical systems into virtual machines running on one more powerful system. Virtualization consolidates underutilized hardware, such as servers, storage devices, and network resources, and virtually partitions it for multiple machines.
The reason virtualization has become such a favorable trend in IT computing is probably because the advantages are so easy to grasp. First of all, the physicality of managing hundreds of machines is simplified while allowing for a scalable infrastructure. Plugs and cables do not have to be rearranged every time there is a change in hardware, which reduces the workload of the system administrator. Virtualization allows hardware resources to be pooled, such as sharing storage or network bandwidth, so hardware does not go underutilized. Less hardware means lower energy costs, both to run and to cool. Altogether, these advantages lower the costs for infrastructure, hardware, power, and cooling.
You’ve probably had the green benefits of virtualization stressed to you. According to VMware, for every server virtualized, you can save about 7,000 kilowatt hours, or four tons of CO2 emissions, every year. Virtualization can cut the power demand of ten machines down to one and save almost 80 percent on an electricity bill. VMware even has a green calculator on their website which allows you to see your virtualization benefits in terms of energy savings, cost reduction and environmental impact. A quick calculation shows that virtualizing 200 servers is the equivalent of planting 4,000 trees.
Of course, businesses are more concerned with reducing costs than reducing the size of their carbon footprints. With this in mind, there are a few disadvantages, or at least pitfalls, that may be created with a switch to virtualization.
But there is a downside: performance degradation is likely when switching to a virtualization infrastructure if the virtual infrastructure was not properly architected (which seems to be the case all too often by the time we get involved). In most organizations there is a lack of tools and expertise available to monitor and analyze virtual environments to find and correct issues that affect performance. A study by Aberdeen shows that enterprises that had an 85% success rate in identifying performance issues in a physical environment now have only a 37% success rate in a virtualized one. Also, improved response time for managing business-critical applications fell from 67% in a physical environment to 39% in a virtual one.
Many enterprises find that there is a tradeoff between decreased staffing and power costs and less than optimal performance. Sometimes this means that the advantages delivered by virtualization are less than expected, so make sure you have adequately measured the minimum performance requirements for your infrastructure before you run off and virtualize everything.
Although I think DDoS extortion is declining due to the rise of lucrative ransomware and scareware tactics, DDoS extortion remains interesting to me due to its sheer supervillainy (plus the stories sound cool when you tell them). I was giving the example to a CSO I met today and after telling the story he asked, “How do I survive a DDoS Extortion Attack?”, so here is how:
Businesses hit with these attacks have almost no recourse to fight back, and even have a disincentive to alert the authorities who could work to defend against them.
DDoS (distributed denial of service) extortion occurs when a hacker threatens to use a vast botnet of many infected computers to bombard a single target online. Because the target’s resources are used up accommodating the botnet traffic, legitimate traffic is unable to reach the site, causing a denial of service. This prevents businesses from using their website, which may be integral to their business operations.
Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment. If the payment is not made by the given date, then the attack begins and the price usually increases.
Companies have three ways to retaliate: pay the attacker, use DDoS protection, or go to the authorities. Unfortunately, most companies choose to simply pay the attacker since it is the easiest and least expensive way to fix the problem. This only emboldens these kinds of attacks, causing more extortion on other companies.
It is possible to use DDoS protection to block bots, but the extortionist will warn that if such an attempt is made they will simply increase the number of bots attacking the website, making it much more expensive to deal with.
Going to the authorities can be so ineffective that extortionists will not even discourage their target from doing so. Extortion attacks usually come from other countries, usually Eastern Europe, where the FBI has little recourse. Furthermore, businesses are afraid of reporting the crime because it could damage their brand if it got out that they were helpless against extortionists. This makes it harder for any countermeasures to be developed, since it is impossible to tell how often extortion occurs, how much money is extorted, and who the targets of extortionists are. According to experts, every online gambling site is paying extortion fees, usually around $40,000.
For these reasons, too often companies will simply remain quiet about the extortion and pay the fee. The ransom is much less than the costs incurred from a denial of service attack. Sometimes, the extortionist even gives the victim the opportunity to pay for an attack on a competitor. Why not? It gives the victim a chance to level the playing field and the extortionist a chance to make even more money.
The best way to combat attacks like these is for businesses to put aside competitive differences and share their information regarding security and cyberattacks with industry peers and law enforcement authorities. But that’s never going to happen and businesses are likely to continue to fight an every-man-for-themselves battle.
Until then, it’s up to companies to build up internal protections and beef up their security to protect against botnet attacks. Also, if this ever starts to happen to your business you can always contact me and I can see how I can help!
Part of my daily role as CEO at Savid Technologies is to work with Small and Medium businesses, and one of the questions I commonly get is about outsourcing. How can we outsource effectively? Or, what else can we outsource in addition to IT? So I thought I would give a small primer on multiple vendor outsourcing.
Now, as businesses grow, their vendor management process also increases in sophistication, and some companies tend to transition from using a single outsource provider for application development to using multiple vendors. This multisourcing approach utilizes different vendors who specialize in different areas of application development and testing.
While I often hear relentless praising for the multisourcing approach, we should not forget that it does come with its own set of trade-offs and potential problems. Here I will examine the pros and cons of multisourcing:
+ Gain access to experts in their particular discipline. The most obvious advantage is the ability for you to leverage the expertise of vendors specializing in different disciplines. For example, you may use a vendor specializing in development and another specializing in testing. By using multiple vendors providing their unique expertise, you gain access to a wider pool of knowledge and skill than you would when only using a single vendor.
+ Save Money. Using specialized outsource providers means tapping into a smaller market with lower costs and less turnover than larger providers. A small, specialized firm can offer more expertise in a single discipline at less cost.
+ Higher quality assurance. The division of outsource providers establishes independence between the different disciplines, which should yield a higher quality result. For example, a testing vendor can provide honest insight about the developed software’s quality since they were not responsible for developing it. In this way, multisourcing creates a system of checks and balances that promotes quality and lowers the risk of problems.
Now before you run to reassess your vendor management structure with multisourcing capabilities, you’d better first keep in mind these possible negatives:
- Increased vendor management. Onshore employees will have to manage, organize, and coordinate the output of the multiple outsource providers. Without a single outsourcer providing a turn-key solution, your company will have to use its own time and resources to manage the project each step of the way.
- Multiple vendor relationships. With the additional expertise of multiple outsource providers comes the management of additional vendor relationships. Communications suffer without a single point of contact, making it more difficult and time-consuming on your end to manage and maintain vendor relationships.
As it goes with everything in the IT world, whether single-sourcing or multi-sourcing is right for your company depends on a set of individual circumstances, including the size and scope of needs of the company. It’s up to you to consider the pros and cons of each vendor management structure and be aware that there is no magic bullet solution.
A new lawsuit by the Free Enterprise Fund going to the Supreme Court soon challenges the constitutional validity of a certain provision in the Sarbanes-Oxley Act.
The lawsuit claims the Sarbanes-Oxley Act violates constitutional requirements since it gives the Public Company Accounting Oversight Board regulatory powers over the accounting industry, and yet its members are not appointed by the President. They argue that this is a violation of the separation of powers specified in the constitution that leaves the President with insufficient control over what could be considered an executive function.
But to me it sounds like a technicality; pointed at those clamoring for the downfall of SOX. Since SOX lacks a severability clause, if the lawsuit prevails then the entire Act would be thrown out, not just the part about PCAOB appointees. This is probably what the Free Enterprise Fund is planning on.
Opponents of Sarbanes-Oxley are many and they’d love to see SOX thrown out. Ron Paul, to name one, argues that SOX compliance gives U.S. corporations a competitive disadvantage against foreign markets. Both foreign and U.S. firms that do not wish to endure the intrusive compliance regulations of SOX are deregistering from the U.S. stock exchange. This is understandable since the costs SOX imposes have averaged $5.1 million in compliance costs. The year after it became law, the number of companies de-registering from the stock exchange tripled.
The Act also seems to discourage the initial public offering market from growing. Startups can hardly afford the SOX compliance costs in order to qualify for stock market registration. But without investors these companies don’t have much of a chance to grow.
On the other hand, many of these companies fleeing from stock exchange registration because of SOX may have something to hide. In those cases, SOX is doing its job of preventing companies that employ crooked accounting practices from swindling mom and pop investors.
It remains to be seen how the Supreme Court will rule on the lawsuit and, if the lawsuit prevails, how it will end up reforming all aspects of the Sarbanes-Oxley Act.
Not too long ago, I discussed speed-sourcing as a viable alternative to the traditional slow-poke method of vendor selection and approval. But I neglected to mention some of the more sordid suspicions against consulting firms that advocate speed-sourcing. This is all just speculative rumblings from those in the industry, not to be taken as fact. But I will share with you some of the suspicions about the “speed sourcing scam.”
The scam is perpetrated between the consultants and the vendors at the expense of the client. The consulting firm makes vendor or supplier recommendations to the trusting client to speed up the outsourcing process. But these vendors really have under-the-table deals going on with the consultants. These consultants lie to the client and say the vendor is qualified and offers a competitive rate. Or they offer a potential pool of vendors from their proprietary “center of expertise” – all of whom are in cahoots with the consultants. They will even provide stock RFP responses from the supplier. The client doesn’t know any better, which is why they rely on a consulting firm in the first place.
The consultants are paid based on how fast the vendor and client are able to make a deal. Thus we have what they like to call “speed sourcing” – some nice jargon for the smoke and mirrors act.
Of course, the vendor may be wholly incapable of delivering what the client asks for, especially if they are overloaded with deceitful consultants referring work to them. But why should the consultants care if they already made the commission?
By hiding behind a make-believe trend these consultants could be greasing their palms. But this is all speculation at this point, possibly a security expert’s inherent paranoia. I couldn’t find one reported case of this happening online. But just because it hasn’t been caught and reported yet, doesn’t mean it isn’t happening. Just something to keep in mind when working with your consultants and your vendors.
About $5. That’s how much your malware-infected computer, now a bot in someone’s botnet, is selling for at the moment if you live in the US – but its stock could go up or down. It’s worth $10 if you live in Australia.
Although I didn’t get enough time to put this report into my new book, Hacking Exposed: Malware and Rootkits, it is very interesting. Everyone is talking about this new report from the Finjan Malicious Code Research Center and it’s a doozy. The report reveals a highly organized and sophisticated trading platform for cybercriminals called the Golden Cash Network. The Golden Cash Network gives anyone the ability to buy or sell malware infected computers by the thousands – as well as provides an exploit toolkit with obfuscated code and an attack toolkit to distribute malware.
Say, for example, you want to advertise to thousands of users, or steal their identity for whatever insidious purposes. Golden Cash makes it easy for you. Just select the country and how many PCs you wish to control. You can even specify the geographical area, and avoidance of firewalls or AV solutions. Once you place your order, you are given access to detailed instructions on what you can do with your new botnets and how to do it. The whole ordering process is done through simple, elegant, and easy to use forms – you’d almost think you were ordering from Amazon.
But what if you’re not an expert cyber criminal? Can you still get in on the Golden Cash Network?
Absolutely. Golden Cash’s partner program makes it easy to contribute to their collection of botnets for easy cash. Golden Cash again provides detailed instructions on how to distribute the Golden Cash bot through legitimate websites by using iframes (inline frames). These frames point to a malicious website that infects visitors with malware that is already integrated into the Golden Cash platform.
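From the site owner’s side, the practical question is how to tell whether one of your own pages has had such a frame planted in it. The following is an added example (not code from Finjan’s report or from the original post) that walks a page’s HTML and flags iframes that point off-site or are sized or styled to be invisible, the two traits that distinguish an injected frame from one you placed deliberately. The HTML sample and the allow-list of your own hostnames are constructed; the off-site host used is a reserved documentation domain, not a real malicious site.

```python
"""Audit a page you own for iframes that look injected.

Added example, not part of the original post or of Finjan's report.
SAMPLE_HTML and OWN_HOSTS are constructed for illustration; example.com
and example.net are reserved documentation domains.
"""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed page: one deliberate, visible, same-site frame and one
# off-site, 1x1, hidden frame of the kind the post describes.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<p>Thanks for visiting.</p>
<iframe src="http://ads.example.net/x.php" width="1" height="1" style="display:none"></iframe>
<iframe src="/help/embedded.html" width="300" height="200"></iframe>
</body></html>"""

# Hostnames you serve content from; anything else is off-site. Constructed.
OWN_HOSTS: Set[str] = {"www.example.com"}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension_is_tiny(value: str) -> bool:
    """True for 0 or 1 (optionally with a px suffix); False for anything else,
    including percentages or missing values."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def is_hidden(attrs: Dict[str, str]) -> bool:
    """An iframe the visitor cannot see: styled away or sized 1x1 or smaller."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _dimension_is_tiny(attrs.get("width", "")) and _dimension_is_tiny(attrs.get("height", ""))


def audit_iframes(html: str, own_hosts: Set[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious iframe with the reasons it was flagged.
    Relative src values (no hostname) count as same-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() not in own_hosts:
            reasons.append(f"src points off-site ({host})")
        if is_hidden(attrs):
            reasons.append("frame is hidden or no larger than 1x1")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_HTML, OWN_HOSTS):
        print(f"SUSPICIOUS iframe src={finding['src']!r}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run on the sample, the visible player frame and the relative help frame pass, and only the off-site hidden frame is reported, with both reasons. On a real site the same routine would be pointed at the served HTML of each page on a schedule, since an injected frame shows up in what visitors receive, not necessarily in the source you deployed.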
Depending on a number of factors, like geographic location, the price of botnet PCs constantly goes up or down. Users try to buy low and sell high. It’s just like Wall Street.
Finjan’s report concludes by describing how botnets are no longer a “one-time asset for an individual cybercriminal.” Now they have “evolved into a digital asset that cybercriminals can trade online – over and over again!”