How Does it Work?

Sunday, January 31, 2010 by Pam Casale
There are small but important differences between all the SIEM solutions available today. Intellitactics has a software SIEM solution called Security Manager and a suite of appliances called Intellitactics SAFE. A couple of special features make these SIEM solutions more capable than others - one is the packaged analytics.

All the logging and security event monitoring tools offer some way to collect logs. Most every device or data source generates logs. Not all logs are worth collecting or storing for the purpose of security or compliance. So, first, Intellitactics SIEM solutions provide optimal protocols for log collection.

Second, the SIEM solutions parse and normalize all the logs. Raw logs are important to keep - but parsed and normalized logs are critical to understanding and really important for advanced capabilities like correlation, reporting and notification.

Parsed logs are often referred to as security events. And, like logs, not all security events are "created equal". Security events can be aggregated to make the sheer number of them easier to deal with. But more important is that your SIEM solution should have the ability to prioritize the sensitive or critical security events. This means that the SIEM solution should package the analytics to support correlation and some level of analysis - there just aren't enough eyes to look at every log or every event.

Intellitactics packages the analytics for making sure you have the logs and security events that are critical for prioritizing these security events as ALERTS. Even if you don't have deep knowledge of the logs for a specific device - like a proxy server or an IDS - the Intellitactics SIEM provides an analytics module for them - and there are many of them packaged with every one of our SIEM solutions. 

Today we're recognizing David Empringham and his team of device experts. Dave and his team develop and update data modules and analytics modules for security devices and even custom, one-of-a-kind applications. This means that Intellitactics SIEM solutions have no limitations - you can manage as many of them as you want. If it generates logs, Dave's team ensures that the logs can be collected. THANKS and GREAT WORK to DAVE and The REST OF YOUR TEAM!!!

Ask DAVE about any devices or data sources by commenting HERE!

Attacks Impact Operations and Cause Service Disruptions

Friday, January 29, 2010 by Pam Casale

Protecting information assets and critical infrastructure is increasingly challenging. There is no silver bullet and we've written several times about the role a SIEM solution can play in defending against attacks. Everyone in the security community agrees that proactive application of new technology and processes is essential to strengthening cyberdefense.

I wanted to share a comprehensive research report sponsored by McAfee. You know that Intellitactics SAFE is a McAfee compatible SIEM featuring bi-directional integration with McAfee ePO. This research exposes some startling facts and gives you access to leading edge strategies for protecting critical infrastructure.

The survey data paints for the first time a detailed picture of the way those charged with the defense of critical IT networks are responding to cyber attacks, attempting to secure their systems and working with governments.

Highlights from the report include:

* Sixty-one percent of attacks on critical infrastructure include service disruption
* One in five critical infrastructure entities reported being the victim of extortion
* Nearly a third of those interviewed suffer large scale DDoS attacks multiple times each month, and nearly two thirds of those attacks impact operations

Download this report and then see how Intellitactics as a McAfee ePO partner can improve security effectiveness and the efficiency of security providers.


 

The New Forensics - And Your SIEM Solution Part 2

Tuesday, January 26, 2010 by Pam Casale
Welcome back Rob Ayoub!

From the desk of Rob Ayoub:  Yesterday I posed a situation where preliminary forensic investigation could save time and money. Let's take a closer look at where your SIEM solution can help. 

I find that most enterprises do not think about SIEM as a forensics tool. They think of it as a log aggregator or as a compliance engine and yet, given the increase in data issues we have today (which is only the tip of the iceberg), enterprises need to find a way to be smarter about their own internal investigations before they bring in law enforcement or pay costly consulting fees. 

It turns out that some SIEM solutions enable an enterprise to do all the precursors of an investigation without making its employees feel like they're being watched and without the hassle and time of an intensive forensics process. By setting appropriate policies, a SIEM device could easily help an enterprise determine if inappropriate behavior is going on. An employee could be monitored until reasonable evidence existed and then, if necessary, the machine could be commandeered.

 

Frost & Sullivan believes that a solution like Intellitactics ISM provides enough flexibility in its policy creation engine to allow enterprises of all sizes to perform the kind of preliminary investigations needed to determine if a next step is necessary. Intellitactics has the ability to tie user identity to actions, allowing for easy monitoring of sensitive data, and can provide critical data at the fingertips of an incident response team or law enforcement should a breach be criminal in nature.

 

In the highly electronic world we live in today, the ability to conduct initial investigation is going to become second nature to enterprises. There’s too much data to try and run to law enforcement at every suspected infraction. SIEM will prove an invaluable tool in the initial evaluation of actions or an incident – helping to determine whether an incident occurred and if the corrective action is a human resources issue or a criminal one.

For more about the New Forensics listen to Rob's podcast!
Tell us if you're using your SIEM for forensic investigation. Comment NOW!

 

The New Forensics - And Your SIEM Solution Part 1

Monday, January 25, 2010 by Pam Casale

Fully capable SIEM solutions play many roles in enterprise security management. Rob Ayoub with Frost & Sullivan thinks there's a role for your SIEM solution during preliminary investigation.  

WELCOME ROB AYOUB - GUEST BLOGGER!

From the desk of Rob Ayoub:  A recent conversation at an ISSA meeting went something like this
 
“Rob, I don’t know what to do. I have a guy that might be stealing my customer lists and reselling them but I don’t really know.  Part of me wants to grab his computer and image the drive, but my guys aren’t really trained to do a real forensic investigation. Also, I’m afraid that if I imaged his machine, it would leak out and our employees would suspect that we were watching their every move.” 

 

Wow! Talk about a situation with no easy solution. I think that many enterprises, especially mid-size ones, are struggling with similar issues these days.

Do you grab an employee’s computer one night and use a tool like EnCase to try and find the information? Maybe you just grab the computer and tell the employee they’re under investigation – raising alarm amongst all employees that they’re being monitored. How do you justify the time needed to perform an investigation? What if you’re wrong and the employee is innocent?

 

One of my favorite books is Cliff Stoll’s classic novel The Cuckoo’s Egg. That was an unquestionable example of an intrusion that required a full-blown investigation and intervention by authorities. However, you don't want to subject your organization to something like that unless absolutely necessary.

 

Digital forensics used to be solely the realm of the FBI and other government agencies. Even today, most forensics tools focus on cleanup and investigation. It’s a lengthy process:

 

* Traditional forensic tools require imaging a hard drive. In addition to that, the exploratory process is complex and finding information is analogous to finding a needle in a stack of needles.
* If a forensic investigation turns into a legal proceeding, then the investigation comes into question. This means that IT needs to be trained on the proper handling of a forensics investigation.
* Many enterprises just want the flag raised, alerting them to possible problems. They don’t want to dive into employees’ personal machines.
 

Tomorrow, Part 2 of the New Forensics. We'll continue this discussion and include some practical advice on using a SIEM for preliminary investigation of a potential insider attack or policy breach.
Listen or share Rob's podcast on the New Forensics that extracts more value from the Intellitactics SIEM solution.

PCI DSS Compliance - Easier Than You Think

Thursday, January 21, 2010 by Pam Casale
Intellitactics is lucky to have good partners like STI Group. We asked Dom Genzano, from STI, to share some secrets of the professional assessors with you.

Dom agreed to do a podcast featuring the steps you can take to be compliant with PCI DSS. His company helps organizations devise a strategy for compliance and actually implement the technologies and processes to help them achieve compliance. STI Group helps companies get more value from their PCI DSS Compliance Solutions.


PCI DSS compliance is largely concerned with who has what access to cardholder data. Dom explains the steps they take with clients to ensure clarity on access and how to manage access.

Dom gives you practical advice - like narrowing the scope of the technical environment by using segmentation, administrative access controls and levels of authentication and permissions within applications.

Listen to 56 Words on PCI Compliance featuring STI Group and Dom Genzano. Read about Everyday Compliance and what you can do with Intellitactics SAFE.

After Triage - Rebuilding Haiti

Thursday, January 21, 2010 by Pam Casale

Experienced emergency relief and humanitarian agencies caution that after the initial outpouring of support for Haiti from all over the world, the challenge is sustaining interest and support in the long term rebuilding of Haiti. So much to do! Returning to some semblance of normalcy, rebuilding an infrastructure to support the Haitian people – one can only hope that post earthquake Haiti will be better. Warren Axelrod, a frequent contributor to What’s New In Information Security, sent us this post.

 

From the desk of Warren Axelrod: The top priority in Haiti is to save lives. But once the heroic efforts of the first responders are over, the enormous task of rebuilding the country structures and infrastructure for the survivors will begin. There will be the clearing of debris and rebuilding homes, places of business and government infrastructure – a slow return to normalcy.

 

Thousands will be buried anonymously, leaving families and government entities without confirmation of their identities. Millions of records may have been irretrievably destroyed; the task of recovering and reconstituting public and personal records will be next to impossible.

 

Like others I am donating and praying for the lives of the Haitians. But, I can’t push entirely from my mind the ramifications and repercussions that result when we fail to protect information assets like personal records. Prisoners have most likely escaped and will quickly assume new identities. Health records, insurance records, proof of ownership as it applies to real estate and personal property are gone leaving the living in a difficult position to prove who they are, what they own. Leaving Haiti for other countries will be impossible without personal identification.

 

From the perspective of enterprise security management I think we can agree that contingency planning for catastrophes is entirely different from regular continuity and recovery planning. It is necessary to think out of the box and to establish procedures to protect sensitive information, which account for the types of losses sustained by the citizens, businesses and government agencies in New Orleans, Indonesia, Kobe, and now Port-au-Prince.

 

As history has shown, catastrophes hit random places at random times. It’s impossible to predict where or when they will strike. The one thing we can count on is that disasters happen. So some measure of preparation is in order.

 

Should there be some mammoth repository for electronic copies of vital information for everyone on the planet? It would be a monumental task not to mention the security and privacy issues. But the project is worth considering. The database would be enormous … it might be an interesting challenge for “the Cloud”!

 

Join us and donate to the American Red Cross or consider making a donation to LIONS Clubs International Fund. The LIONS donate more money to disaster recovery than any other philanthropy in the world.

 

Counting down - 18 Days To Be Heard on Log Management

Wednesday, January 20, 2010 by Pam Casale
18 days left to be part of the most important research of the year.

That's right only 18 days until February 7 when it will be too late to be part of the BEST SANS Log Management Survey.

SANS has been tracking the evolution of logging, logging for compliance and logging with event management for everyday compliance for the last six years. Understanding the trends, what's working for you and for others, is good information to share. Whether you're trying to get a bigger budget for enterprise security management, or trying to secure your budget for a SIEM solution, or trying to convince your boss that you can and should do more to protect information assets - these survey results can help you!

Register to take the survey and provide your email to get early access to the results and you could be the winner of $250 American Express Gift Card. Or remain anonymous and get the results with everyone else in April.

Intellitactics is a sponsor again this year - because we believe that collaboration is the key to success.

It only takes 15 minutes to complete the survey. Your input is confidential - only the aggregate information is public.

You have until February 7, 2010 to take the survey and enter the drawing for $250 American Express dollars which you can use to surprise someone on Valentine's Day!

Survey results will be delivered in a series of webcasts held April 6 - 15. Webcast registrants will be the first to receive the accompanying report. The final report will also be posted on the SANS Analyst Program portal on April 19.


Brought to you by SANS:  SANS, the largest most trusted source of information security training and certification in the world, created the SANS Analysts Program in which SANS instructors and analysts create comprehensive industry reports on critical IT security topics.

Forrester IT Spending Predictions

Wednesday, January 20, 2010 by Pam Casale

If you thought your IT budget was under attack, it wasn't your imagination. Couldn't find the budget for a SIEM solution or PCI-DSS compliance solution? There was a decline in IT spending of 8.2% in the US and 8.9% worldwide according to Forrester Research. But there is GOOD NEWS for 2010: IT spending in 2010 should increase 6.6% in the US and 8.9% globally. The percent increase equates to $1.6 trillion!! That’s a lot of software and hardware.

Forrester says the rebound in IT spending is based on "smart computing" in which more aware technology is combined with advanced analytics. Smart computing includes virtualization and unified communications. Andrew Bartels, principal analyst with Forrester, predicts that “. . .smart computing will kick off a six or seven year cycle of IT growth, investment and innovation. . . " and “. . . marks the beginning of this next phase of technological advancement.”

Spending on IT outsourcing is expected to grow 7.1% and spending on software is expected to grow 9.7%.  Regionally Forrester is predicting 11.2% rise in technology purchases in Western and Central Europe with purchases in Canada growing 9.9%.

We hope you’re expecting the same good news for spending in your organizations. In 2009, we talked to many of you who lost funding for special security projects; lost headcount that limited your ability to put new safeguards into place.

If PCI DSS compliance is at the top of your priority list for 2010 - here’s some good news! With our partner Quest Systems, for as little as $1500 a month, you can have an enterprise class PCI DSS Compliance solution like Intellitactics SAFE on premise and have the same operational control as organizations with a 24x7 SOC. You get the reports you need and dashboard views of key compliance measures. Intellitactics SAFE not only improves assessment readiness, it provides you the essential capabilities to improve security efficacy and reduce the cost of compliance.

How close are the Forrester predictions to your 2010 budget – comment now. Learn how to get more from your SIEM solution – read Everyday Compliance.

PCI Compliance- One Safe Prediction for 2010

Monday, January 18, 2010 by Pam Casale

There’s been a lot of predicting going on with the advent of 2010. Right after the terrible earthquake in Haiti, a lab in California predicted that there’s a 99.5% chance of an earthquake with a 6.5 magnitude along the San Andreas Fault in southern California. That’s a pretty safe prediction – based on history and science. This prediction is different from predicting that an earthquake would destroy Pittsburgh, PA – where I don’t think there’s ever been an earthquake of any note before.

I’ve been following the predictions about security. One prediction important to a SIEM solution vendor like Intellitactics is the prediction made by the 451 Group that many of the security activities in 2010 will be defined by regulatory mandates such as PCI DSS, HIPAA/HITECH and others. This means that from the smallest to the largest organizations there will continue to be preoccupation with compliance. I wish we could predict that everyone will embrace PCI DSS compliance software to finally move beyond assessment readiness to remediation of assessment findings – but I’m not that bold!  

Nobody is predicting that energy around PCI DSS compliance will evaporate. What we see is that those organizations that were paying very little attention to security are now doing it ONLY because of PCI. In fact it seems that some organizations are basing their entire security strategy on PCI DSS instead of ISO, ITIL or some other best practice framework. We make this a little easier by aligning best practice controls to regulatory standards. It’s like putting a serving of vegetables in Manwich or fruit juice. If you don’t like the taste of the framework – you get your daily allowance whether you like it or not.

PCI DSS compliance may equal security for more organizations by the end of 2010 – there’s a prediction similar to an earthquake in southern California in the next 30 years.

Curious about PCI DSS Compliance software? Check out Intellitactics SAFE. Do you have a prediction for 2010 or beyond – share it here.

China Orders a Hit on Google

Wednesday, January 13, 2010 by Pam Casale

I’ve been following Robert McMillan’s coverage in Computerworld of Google’s disclosure that Google and a number of other companies including Adobe Systems were the target of cyberattacks potentially ordered by the Chinese Government. The Chinese cybercriminals were trying to steal the email records of political dissidents. This highly visible cybercrime underscores the importance and difficulty of protecting information assets and implementing threat detection systems.

 

The attacks came within hours of Google hosting a closed-door symposium on circumventing censorship. Soon the company's enterprise security management team realized that it was dealing with more than just a few hacked workstations. McMillan reports that Google suggests that the attacks were a “state-sponsored corporate espionage campaign that compromised more than 30 technology, financial and media companies, most of them global Fortune 500 enterprises.”

 

Hillary Clinton, speaking as the US Secretary of State, said that coordinated hacking campaigns like this “raise serious concerns” and that "The ability to operate with confidence in cyberspace is critical in a modern society and economy."

 

Sources familiar with the situation say that the attacks exploited an unpatched bug in widely used software and were able to gain footholds in these companies and siphon out valuable intellectual property.

 

Disturbing to me is that the goal of the attackers, according to Google’s Drummond, was accessing the Gmail accounts of Chinese human rights activists. China is a powerful global economy with a culture and value system very different from our western culture. Without criticizing the way the Chinese government harasses segments of their population or chooses to restrict and limit their rights, this is a good example of how their behavior is impacting my rights. I’m a Google mail user in my off hours and the fact that an attack, potentially ordered by the Chinese government, puts my privacy at risk is troubling.

 

What do you think? Is it possible to determine the absolute source of attacks in order to prevent cyber attacks from Chinese cyber criminals in the future?

Mitre Weighs in Fighting Cybercrime

Tuesday, January 12, 2010 by Pam Casale
Mitre, the vendor neutral IT think tank, is the trusted advisor to many government agencies. Mitre fellows are experts on cybercrime, compliance solutions, threat detection and enterprise security management systems. In a recent paper they make recommendations for fighting cybercrime.

We've included a few of them here - our own security gurus give this paper 5 stars! Our customers in the federal government trust Mitre for unbiased, deep thinking about security and so do we. Here's just a sample of the strategies you can read about in this paper.

Mitre suggests creating 'Survivable Software', which creates variants of the original application's code, making it more difficult for an attack to be written. They describe Secure Converged Computing - something similar to a virtualized environment except that the OS image is essentially built and erased as needed, so there's no chance of a user having a long term OS that can collect malicious software.

Another interesting suggestion is creating a RiskMAP - this means that you would identify the points within an application or business process where the applications are at risk, depending on where the process/application is accessed by the network.

One other idea they call 'Mission Resilience through Availability' - this tactic restricts what an intruder would have access to, if they were in fact successful in penetrating the trusted network.

Check out this paper by Mitre and consider reading 9 Ways to Stop Data Loss and Reduce the Risk of Insider Threats. Let us know what you think about these resources and share some ideas of your own here.

Defending Against Cybercrime - More Tips

Monday, January 11, 2010 by Pam Casale
After reading all the predictions about how clever the cybercriminals will be in 2010, I thought it might provide some balance to ask our Solution Architects for some advice on how companies are protecting themselves against cybercrime.

Intellitactics Solution Architects are out there every day working alongside some of the best security professionals at the most sophisticated agencies and companies around the world. Providing professional services to our SIEM solution customers and enterprise security management systems customers, these members of our professional services team work with many companies employing cutting edge practices to protect information assets and comply with regulatory standards like PCI-DSS, HIPAA, SOX and FISMA.

Artyom Adjemov offers this suggestion:
Provide better monitoring of outgoing/incoming web and email traffic. One large cable provider is using several products for this and using Intellitactics Security Manager (ISM) to centralize and consolidate to find breaches of security. Some tools to consider:
Breach WebDefend to monitor various potentially malicious web-related activity and Vericept Monitor to monitor outgoing email traffic for inclusion of credit card information and/or social security information. SC Magazine recently gave WebDefend 5 stars - saying it's an "excellent solution for PCI compliance".

THANKS ART!

ISM consolidates all security events and prioritizes them by risk score as Alerts. ISM takes plain English events or numeric event IDs and translates them into English using device specific taxonomies. This improves security operations' ability to analyze and respond to anomalies or violations.
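As an added illustration of the pipeline described in the "How Does it Work?" post above and in the ISM paragraph here (collect raw logs, parse and normalize them, translate native event codes through a device-specific taxonomy, aggregate repeats, and prioritize by risk score into alerts), the following Python is example code written for this page, not Intellitactics' software. The log layouts, taxonomy entries and the risk formula are all constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample logs (not real device output). The key=value layouts are
# hypothetical stand-ins for a firewall, a web proxy and an IDS.
SAMPLE_LOGS = [
    "fw01 evt=4001 src=10.0.0.5 dst=203.0.113.9 dport=445",
    "fw01 evt=4001 src=10.0.0.5 dst=203.0.113.9 dport=445",
    "fw01 evt=4001 src=10.0.0.5 dst=203.0.113.9 dport=445",
    "proxy01 action=ALLOW user=alice url=http://example.com/",
    "proxy01 action=BLOCK user=bob url=http://blocked.example/payload",
    "fw01 evt=1001 src=10.0.0.7 dst=10.0.0.8 dport=80",
    "ids01 sig=2003 src=198.51.100.4 dst=10.0.0.5",
]

# Device-specific taxonomy (assumed): native event code -> (category,
# plain-English description, base severity 1-5). A SIEM ships one per device.
TAXONOMY = {
    "fw": {"4001": ("network.deny", "Firewall denied connection", 3),
           "1001": ("network.allow", "Firewall permitted connection", 1)},
    "proxy": {"BLOCK": ("web.block", "Proxy blocked URL", 4),
              "ALLOW": ("web.allow", "Proxy allowed URL", 1)},
}


@dataclass(frozen=True)
class Event:
    """The normalized schema every raw line is mapped onto."""
    device: str
    category: str
    description: str
    severity: int
    actor: str
    target: str
    raw: str          # the raw log is kept alongside the parsed fields


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'host k=v k=v ...' into (host, {k: v})."""
    host, _, rest = line.partition(" ")
    return host, dict(KV_RE.findall(rest))


def device_type(host):
    """Strip the numeric suffix: fw01 -> fw, proxy01 -> proxy."""
    return host.rstrip("0123456789")


def normalize(line):
    """Map one raw line onto Event. Unknown devices or codes are kept as
    category 'unknown' with severity 0 so nothing is silently dropped."""
    host, f = parse_line(line)
    dtype = device_type(host)
    if dtype == "fw":
        code, actor = f.get("evt"), f.get("src", "?")
        target = f.get("dst", "?") + ":" + f.get("dport", "?")
    elif dtype == "proxy":
        code, actor, target = f.get("action"), f.get("user", "?"), f.get("url", "?")
    else:
        code, actor, target = None, f.get("src", "?"), f.get("dst", "?")
    cat, desc, sev = TAXONOMY.get(dtype, {}).get(code, ("unknown", "Unmapped event", 0))
    return Event(dtype, cat, desc, sev, actor, target, line)


def aggregate(events):
    """Collapse identical (device, category, actor, target) events into counts."""
    return Counter((e.device, e.category, e.actor, e.target) for e in events)


def prioritize(events, threshold):
    """Risk score = base severity * repeat count (repeats capped at 10).
    Everything at or above the threshold becomes an alert, highest risk first."""
    by_key = {(e.device, e.category, e.actor, e.target): e for e in events}
    alerts = []
    for key, count in aggregate(events).items():
        e = by_key[key]
        risk = e.severity * min(count, 10)
        if risk >= threshold:
            alerts.append({"risk": risk, "count": count, "description": e.description,
                           "actor": e.actor, "target": e.target})
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)


if __name__ == "__main__":
    for alert in prioritize([normalize(l) for l in SAMPLE_LOGS], threshold=4):
        print(alert)
```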

NEXT:  Mitre, the IT think tank, makes some suggestions on fighting cybercrime.

Cybersecurity and Howard Schmidt

Saturday, January 9, 2010 by Pam Casale

For those of you that get up everyday thinking about enterprise security management systems and the challenge of protecting information assets you can imagine the pressure that Howard Schmidt must be feeling. Warren Axelrod wraps up the series on Howard Schmidt in the final post of the series. 

From the desk of Warren Axelrod:  Howard Schmidt has had the experience of evangelizing The National Strategy to Secure Cyberspace, which was published in February 2003. I attended one of the many town hall meetings that he conducted. It was a brave attempt, but the Bush Administration did not give the strategy the support needed to effect the changes outlined in the report. I believe that this lesson may well have been learned and hope that this time around there will be support from the top.

 

From my personal experience of the past 15 years, during which I testified before Congress on cyber security, co-founded the Financial Services Information Sharing and Analysis Center (FS-ISAC), participated in the development of the FSSCC (Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security) Research Agenda for the Banking and Finance Sector, and have been active in a number of public-private-academic initiatives, the task is much greater than merely developing a plan and trying to persuade various players to collaborate in effecting that plan.

 

With some 85 percent of the critical infrastructure claimed to be in private hands, we need to effect programs in which the private sector will do their full share in protecting the infrastructure. Moral suasion will only go so far. It needs resources and commitment to get it done. Yes, we need to rebuild much of the decaying physical infrastructure, but we should be spending much more of the government’s “Stimulus Package” on the cyber side. This will also create jobs, as Andy Kessler so well points out in his Op-Ed piece, with the title “Put Down That Shovel,” which appeared in the December 26-27, 2009 issue of The Wall Street Journal. Mr. Kessler suggests increasing the reach of the country’s wireless networks, laying more fiber cables, and the like. He does not mention cyber security efforts that would provide the protection and resiliency that we need to continue to prosper in a virtual world. But I would certainly add it to the list … at the top!

 

My hopes and expectations are that Howard Schmidt understands all of these issues and, through his experience (both positive and negative), knows how to get things done. He needs President Obama’s direct, active and strong support to implement measures that may well be unpopular and will certainly be costly. But we can no longer afford to be reactive, because we know for sure that the hackers are already working on the next version of attack.

 

Howard has a difficult and arduous set of tasks ahead of him. He brings to it both successful and failed attempts to get the job done. He has surely learned from these and understands what does and does not work. It is so important that he gets total support from every involved constituency and that he is given the opportunity to pull it all together and make it happen. We all owe him this … and we owe it to ourselves. 

What do you want to tell Howard Schmidt - comment here.

 

 

2010 Predictions - Trojans, Botnets and More

Friday, January 8, 2010 by Pam Casale
McAfee predicts that Facebook, Twitter and third-party applications on these sites will experience rapid change and that these companies are adopting new technologies to defend themselves. "Users will become more vulnerable to attacks that blindly distribute rogue applications across their networks. . . " Going rogue is popular in 2010.

McAfee also predicts that cybercriminals will "take advantage of trusted friend links to get users to click on what they might otherwise treat cautiously". And, if protecting information assets weren't already difficult enough, the company predicts that web evolution will provide cybercriminals with extended opportunities to develop new hacking programs. "McAfee research shows that internet hackers are expected to attack Adobe and Flash applications in 2010."

The good news - threat detection, security management and international law enforcement agencies are making progress to identify, track and combat cybercrime.

I asked Intellitactics Solution Architects what advice they have to combat cyber crime. These guys are out there every day working alongside some of the most sophisticated security teams in security aware companies around the world. Over the next few days, we'll be featuring their suggestions.

Dave Broggy says that companies should consider moving toward 'static' workstations. Some of his clients are experimenting with thin clients like Sun Rays for internal and remote use. He suggests that the more static workstations and web sites become, the more effective HIDS tools will be - making apps like Tripwire and McAfee CCM even more valuable.

Use virtualized environments to isolate applications that use sensitive data (MS Office) and put outside facing applications like web browsers into different virtualized compartments. Each VM can be isolated to specific trusted resources, which could be monitored by our SIEM solution - ISM. Here's an example of what you could do: Alert if a specific VM accessed a non-authorized trusted resource.
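One way to express the alert Dave describes (a VM touching a trusted resource outside its authorized set) as detection logic, written as an added example for this page rather than taken from ISM. The VM names, resource names, the key=value record format and the default-deny treatment of VMs with no policy entry are all assumptions.

```python
import re
from collections import OrderedDict

# Per-VM allowlist of trusted resources each compartment may touch (constructed).
# A VM that appears in the records but not in the policy is treated as
# default-deny: every access it makes raises an alert.
VM_POLICY = {
    "office-vm": {"fileserver.corp", "mail.corp"},
    "browser-vm": {"proxy.corp"},
}

# Constructed access records in a hypothetical key=value layout, as a SIEM
# might receive them from hypervisor or host logs.
SAMPLE_ACCESS = [
    "ts=1 vm=office-vm resource=fileserver.corp",
    "ts=2 vm=browser-vm resource=proxy.corp",
    "ts=3 vm=browser-vm resource=fileserver.corp",   # browser compartment reaching the data store
    "ts=4 vm=browser-vm resource=fileserver.corp",   # same pair again: counted, not re-alerted
    "ts=5 vm=lab-vm resource=mail.corp",             # VM with no policy at all
    "ts=6 resource=mail.corp",                       # malformed: no vm field
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; missing keys are simply absent."""
    return dict(KV_RE.findall(line))


def vm_access_alerts(policy, records):
    """Return one alert per violating (vm, resource) pair, in first-seen order,
    carrying the first timestamp, a hit count and the reason it fired.
    Malformed records are counted under the 'malformed' key of the summary."""
    alerts = OrderedDict()
    malformed = 0
    for line in records:
        r = parse_record(line)
        vm, res = r.get("vm"), r.get("resource")
        if vm is None or res is None:
            malformed += 1
            continue
        allowed = policy.get(vm)
        if allowed is None:
            reason = "vm not covered by any policy"
        elif res not in allowed:
            reason = "resource not authorized for this vm"
        else:
            continue                      # authorized access: no alert
        key = (vm, res)
        if key in alerts:
            alerts[key]["count"] += 1
        else:
            alerts[key] = {"vm": vm, "resource": res, "first_ts": r.get("ts"),
                           "count": 1, "reason": reason}
    return {"alerts": list(alerts.values()), "malformed": malformed}


if __name__ == "__main__":
    for alert in vm_access_alerts(VM_POLICY, SAMPLE_ACCESS)["alerts"]:
        print(alert)
```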


THANKS DAVE!
Check back to get more tips on Monday. In the meantime tell us what you think of these ideas or share one of your own!

Cybersecurity Coordinator - More on Howard Schmidt

Friday, January 8, 2010 by Pam Casale
Making decisions on what to prioritize, how much to spend on enterprise security is often motivated by fear - fear of headlines, fear of audit results, fines or legal action. In the second part of this series on cybersecurity and the new Coordinator, Howard Schmidt, Warren Axelrod shares his hopes for Schmidt, his concerns for how fragile the security of the world really is and what we can expect.


From the desk of Warren Axelrod:  Perhaps the real problem with advocating cyber security measures is that fear of a cyber event is much less horrific in people’s minds than a physical terrorist attack in which individuals are injured or killed. It is extremely difficult to convince policy makers and those controlling the purse strings that the economic impact of a major cyber attack might be far greater than for a physical attack, and understandably so. In this regard, the new national cyber security coordinator has his work cut out for him.

 

I think that it is very important to recognize that Mr. Schmidt’s position is that of a coordinator, not a “czar.” That is to say, he is tasked with bringing all the various pockets of expertise and capability together to address the challenge of protecting the Nation’s critical cyber infrastructure. The expectation of previous incumbents in the so-called cyber security czar role was to have the power and the resources to effect progress in the back-sliding effort of the United States in protecting its cyber environment. However, the resources lie elsewhere, as was graphically depicted in Rod Beckstrom’s leaked letter of resignation, which you can read at http://epic.org/linkedfiles/ncsc_directors_resignation1.pdf 

In short, Mr. Beckstrom expressed disappointment that he was unable to assemble a large enough group to achieve what he believed he had been expected to accomplish.


Given that the now-defined role of Cyber Security Coordinator is one of bringing together all the various interests and capabilities within and between government and the private sector, I happen to believe that Howard Schmidt is particularly well qualified for the job.

More than anyone else whom I know, Howard has experience in many segments of the public and private sectors in many roles and with varied responsibilities. His résumé is outstanding in this regard. Not only has he actually worked in the private sector, for Microsoft and eBay, but he has experienced first-hand a White House role (along with Richard Clarke). In addition, he has served the information security profession well as a leader of organizations such as the ISSA and ISF. There is no question in my mind as to his outstanding commitment to the information security profession and the protection of the Nation’s cyber infrastructure.


The issue on the table is whether he can be effective in what I consider to be our last remaining opportunity to shore up the networks and systems upon which we have become so dependent.

Tell us what you think about Howard Schmidt's chances and check back here tomorrow for the conclusion of this series on cybersecurity.

Terrorists Still Fly and Other Cybersecurity Lessons

Friday, January 8, 2010 by Pam Casale

Imagine a systematic way of securing the enterprise or protecting information assets. Could it be that enterprise security will always be reactive? Is it far-fetched to think that proactive practices to protect information assets might be the norm in the future? Warren Axelrod shares some insights on cybersecurity, on Obama's new cyber chief Howard Schmidt, his hopes for Schmidt, and the impact Schmidt can have on security programs across the board. This is the first of a two-part feature from the desk of Warren Axelrod.

If the recent airplane terrorist incident is any indication, we continue to forge ahead with our security programs, in both physical and cyber worlds, with our eyes and minds concentrating on the rear view mirror. Consequently I was pleased to see that the December 29, 2009 New York Times featured an Op-Ed article, “After Eight Years, Terrorists Still Fly,” by Clark Kent Ervin (any relation to Superman?). As Mr. Ervin, who was Inspector General for both the Departments of State and Homeland Security, aptly states with respect to airline terrorism:


“We always seem to be at least one step behind the terrorists. They find one security gap … and we close that one, and then wait for them to exploit another. Why not identify all the vulnerabilities and then address each one before the terrorists strike again?”


This is at least equally the case with cyber security. My co-editors, Jennifer Bayuk and Dan Schutzer, and I drew attention to this in our book, Enterprise Information Security and Privacy (Artech House, 2009). The book is featured in the Intellitactics podcast “Busting Security Myths” available at www.intellitactics.com/int/research/podcasts.asp. My favorite quote, which was used in the book, is by Marshall McLuhan, who said:


“Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterday’s tools and yesterday’s concepts.”


So what does this all have to do with Howard Schmidt?

Howard was appointed to the role of Cyber Security Coordinator by the Obama Administration on December 22, 2009, following a prolonged search beginning on May 29, 2009. On that day President Obama announced the position in a much-heralded speech on cyber security. While I don’t have any inside information on this, I would guess that some of the delay resulted from having to decide whether the cyber security position should report to the National Economic Council (NEC) as well as to the National Security Council (NSC).


I was pleased to see that the eventual position does not matrix report to White House economic advisor Larry Summers, head of the NEC, since I (as someone with a Masters degree in economics) question whether many economists really understand information technology and security issues. However, it should be noted that, in a December 21, 2009 article in The Huffington Post, with the title “Howard A. Schmidt Tapped To Be Obama’s Cybersecurity Czar,” Lolita C. Baldor reports that “Schmidt will … closely support the National Economic Council on cyber issues.” The article also points out that Larry Summers reportedly preferred candidate Schmidt.

While we don’t know exactly what the relationship will be, I believe that it is appropriate that the role supports the NEC but is not guided by it. We shall have to wait to see what happens in this regard.

What do you think Howard Schmidt's top priority should be? Check back tomorrow for more on cybersecurity, Schmidt and more.

2010 - out with the OLD and in with the NEW

Thursday, December 31, 2009 by Pam Casale

From everyone at Intellitactics, the SIEM Solutions company, I'd like to wish you a Happy New Year!

In my family, we have a tradition I'd like to share with you. We're Italian, so it includes eating of course, but more importantly, on New Year's Eve we each write ourselves a note about the one thing we want to change, or that we regret, or that we're sorry for from the current year, and we ceremoniously throw the notes into the fireplace. We watch all the regret, sorrow and procrastination go up in smoke.

This leaves us with a lightness of being and hope for what the new year may bring. We fill our hearts with second chances and forgiveness. We all sleep well.

Finally we each put a dime on a window sill to bring us prosperity in the new year. So put out your dimes and please accept our warm wishes for a good night's sleep and a little extra cash coming your way to smooth out the rough spots.

As you celebrate the promise of the new year or you celebrate the close of a tough year, be safe. Somewhere, one of us will be toasting you - interested friends, loyal enterprise security management software customers! To life!


Citigroup says NO BREACH

Tuesday, December 29, 2009 by Pam Casale
This is a story that James Patterson should be writing.

The FBI says that it is investigating a major breach at Citigroup, with ties to a Russian cybercriminal organization, that spanned several months to a year. Protecting information assets is difficult when the attackers are organized criminals.

Citigroup, whose Citibank subsidiary was the alleged victim of the attack, says the attack didn't happen. Joe Petro, managing director of Citigroup's security and investigative services, told the Wall Street Journal: "We had no breach of the systems and there were no losses, no customer losses, no bank losses."

The details of the purported breach are consistent with attacks by Eastern European gangs: the intruders understand their target, how it does business and how the business systems are organized. These attackers are sophisticated enough to challenge enterprise security management systems and professionals.

But the disturbing inconsistency is that Citigroup denies all allegations of a breach and the FBI won't comment. What's going on here? Could it be that, with the federal government holding a 27% stake in Citigroup, protecting the already battered stock price might be limiting fair disclosure? Will the new cybersecurity czar, Howard Schmidt, be looking into this story? Is the FBI trying to avoid laying off investigators by making busy work? Is there a plot against Citi by an FBI agent whose credit limit was cut just before the holiday? Will the investigating agents get a hike in their credit card interest rates?

Oh wait - that's happening to everyone, not just FBI investigators. Maybe I should leave the fiction to James Patterson. Only two days left in 2009.

How would James Patterson write the ending to this story?

NEW Cybersecurity Czar - Enter Howard Schmidt

Monday, December 28, 2009 by Pam Casale
If you're working every day to protect information assets by implementing a comprehensive enterprise security management infrastructure, this is a story you might be following - Obama Announces a CyberSecurity Czar. First, it shows there's recognition at the highest executive level that cybersecurity will require a collaborative approach. Second, it validates what you already know - there is no simple, one-time, you're-good-to-go solution for securing and protecting information assets. Threat monitoring, policy enforcement and log data warehouses aside, securing American networks and ensuring organized response requires a national response to keep us safe and strong.

The debate over whether this new position has the teeth or budget to make a difference continues. There are rumors of power struggles between the National Security Agency and the Department of Homeland Security, in addition to clandestine and separate efforts by the DoD and other federal agencies.

Alan Paller, director of the SANS Institute, suggests that Schmidt's priorities will be driven by cybersecurity events: "Each event, whether it's a major new vulnerability discovered that the government needs early access to [something like the Predator drone issue] will chew up a substantial amount of his time."

So who is Howard Schmidt? He has the technical background and experience in both private industry (eBay and Microsoft) and the public sector (Information Security Forum) to get to the root of real security issues and threats. His background also includes work in federal and local law enforcement and a tenure in the Bush White House as chairman of the Critical Infrastructure Board and special advisor for cyberspace security.

There's a lot to do because national information security policy has basically been put on hold waiting for Schmidt's appointment. Schmidt will be working with Vivek Kundra, the federal CIO, and Aneesh Chopra, the federal CTO.

We'll be watching to see what the New Year brings, and we're wishing Howard Schmidt all the best for the NEW YEAR!!

Holiday Message - From Intellitactics

Wednesday, December 23, 2009 by Pam Casale

If you're a parent, you may have used the "Santa's watching" threat to control the excess energy of the children in your home. We used elaborate ploys to distract ours when they were young. These were effective before and after the holiday - remember, Santa can come and take back what he brought if they don't keep up their good behavior :) This is threat management at its best!

Here are a few of the techniques that worked:

Take a potato, cut it in half and carve a reindeer hoof (whatever you think that looks like). Then, after you put them to bed, put hoof prints in the snow where they can see them in the morning - this is evidence that Santa was indeed checking on them. Easier than deploying a SIEM solution - right?

Create notes from Elmo Elf - the brains behind the elf brigade - place them strategically: by the peas they won't eat, by the toothbrush they won't use, by the soap that is dry after a bath, by the trash waiting to be carried to the curb. Elmo reminds them that the task sits between them and whatever they think Santa is bringing. Elmo is the brains behind your enterprise security management systems - didn't you know that?

"Santa notes" under the pillow specifically point out some bad behavior from the day before and what that could mean for the Christmas morning loot. They work just like the compliance reports you send to password abusers.

One more thing that we did and still do: For every "new" thing you ask for or expect to get, you take one slightly used toy, book, coat or pair of gloves and donate to a family shelter in your area. You give in advance of getting. There are kids everywhere that won't be getting what they asked for - the toys that have fallen into the forgotten pile could be the special gift that makes Santa real for them. 

Now, give them a hug, treasure the 6 AM wake up on Christmas morning - because they grow up faster than you can imagine. The memories just keep on giving.