Skip navigation

Geek Speak

10 Posts authored by: mfmahler

“A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted”. - Kevin Mitnick

 

“But evil men and impostors will proceed from bad to worse, deceiving and being deceived”. - 2 Timothy 3:13 NASB

 

 

In the last five posts over the past three months I have explored the topics on Security Management. I touched upon the top three types of threats in the information security - Infrastructure, Application Attacks, and User Attacks. In this last one of my series, I’m going to look back on each post and to reflect on the audience’s feedbacks.

 

INFRASTRUCTURE

Dark Side Of The Encryption

The increasing amount of the encrypted traffic inbound and outbound on the network certainly challenges the visibility and the control of the security management. Some commented that the wonderful defense in depth still had something to be desired due to the nature of the encrypted traffic. I agree that our monitoring technology and techniques will need to evolve, but I believe that there hasn’t been a solution yet. No, inserting SSL Interception will break stuff.

 

It’s Christmas Day. Do You Know How Long You’ve Been DDoS’ed?

Many companies are still unprepared for the DDoS attacks. It’s hard to defend and mitigate massive DDoS attacks solely with the perimeter security equipment. Isn’t it nice that the DDoS attacks can be stopped at the ISP before hitting your door? Some commented that it’s indeed the practice by the companies they knew of or worked for. It won’t be a surprise that a gaming network will be taken offline by DDoS attacks before a major holiday.

 

APPLICATION ATTACKS

OMG! My Website Got Hacked!

Let’s face it. The best designed and most thoroughly tested web applications still have many issues - just look up the OWASP Top 10 lists since 2004. Now we hook these web applications to the public internet, the wild wild web of good and malicious users. Same techniques were used again and again to successfully hack these internet-facing web applications. It’s not a matter of carelessness. In fact, web applications are written by human on frameworks and systems that have vulnerabilities.

 

Almost 17 Years of SQL Injection, Are We Done Yet?

The No. 1 technique that breaks web applications today is SQL injection. It’s not hard to figure out why this 17-year-old technique still cracks modern, well-protected web applications. One seldom finds a useful web site without an input form nowadays. If data sanitization is taught in every programming class, how come security, especially of SQL injection vulnerability, would become an afterthought? And how come there have been increasing number of SQL injection incidents in 2014 and 2015? I am looking forward to seeing the 2016 OWASP Top 10 List; I won’t surprise that Injection is still No. 1.

 

USER ATTACKS

Spear Phishing - It Only Takes One Click

Ah, I like this topic. The reason is, as Kevin Mitnick put it, the human factor is truly security’s weakest link. We had phishing emails against mass audience in large scale campaigns. Now we have increasing targeted phishing, or spear phishing emails against individuals. The scary thing is that spear phishing works. Hey, even the Pentagon was hit by this kind of attack. Many companies started internal “simulated phishing” campaigns in order to increase their employees’ security awareness and observed improving results. However, hackers will still gain advantages from this human factor.

 

 

So, what’s my conclusion? Well, sharpen your information security skills because even though it’s getting more difficult, we are still able to win this loser’s game.

 

It’s been a great pleasure to interact with you on the above topics of the information security in this quarter. Please review my past posts in this series and leave your feedback here or on the individual post.

“Spear phishing continues to be a favored means by APT attackers to infiltrate target networks”. - Trend Micro Research Paper 2012

 

“The reason for the growth in spear phishing: it works”. - FireEye Spear Phishing Attacks White Paper

 

 

One morning, a colleague in my data center network team and I received the following email:

Phishing Email.jpg

I heard my colleague called the Help Desk and reported that he had clicked a link in an email that he thought a possible phishing email a few minutes before. It could be a damaging magical click to my company; it could make my company to the US headline news. But…

 

Two days before my colleague clicked the link on that phishing email…

 

Our Information Security (InfoSec) team coordinated with the Help Desk, Email team, Network Security team (my team), and an outside vendor to create a phishing email campaign as part of the user security education. The outcomes were favorable, meaning there were users beside my colleague failed the test. The follow-up user educations were convincing (of course, for those who failed…).

 

 

Above is an example of Phishing, that phishing emails attack mass audience. Cybercriminals, however, are increasingly using targeted attacks against individuals instead of large scale campaigns. The individually targeted attack, aka Spear Phishing, is usually associated with Advanced Persistent Threat (APT) for long term cyberespionage.

 

The following incidents show that spear phishing has been pretty “successful” and the damages were unthought-of.

 

2010

Employees of more than 100 Email Service Providers (ESPs) experienced targeted email attacks. The well-crafted emails addressed those ESP employees by name. Even worse, email security company Return Path, the security provider to those ESPs, was also compromised.

 

2011

Four individuals in the security firm RSA were recipients of the spear phishing malicious emails. The success of the attacks resulted the access of RSA’s proprietary information of the two-factor authentication platform SecurID by the cybercriminals. Due to the RSA breach, several US high-profile SecurID customers were compromised.

 

2012

The White House confirmed that a computer system in the White House Military Office was attacked by Chinese hackers and that it affected an unclassified network. This hack began with a spear phishing attack against White House staffers and a White House Communications Agency staff opened an email he wasn’t supposed to open.

 

2013

An Associated Press journalist clicked a link that appeared to be a Washington Post news story on a targeted email. The AP’s official Twitter account was then hacked. A fake tweet reporting two explosions in the White House erased $136 billion in equity market value from the New York Stock Exchange index. In the same year, a hacker group in China was said to have hacked more than 100 US companies via spear phishing emails, stealing proprietary manufacturing processes, business plans, communications data, etc. In addition, you remember Target’s massive data breach, right?

 

2014

Unauthorized access to the Centralized Zone Data System (CZDS) of the Internet Corporation for Assigned Names and Numbers (ICANN) was obtained. ICANN is the overseer of the Internet’s addressing system. ICANN announced that they believed the compromised credentials were resulted from a spear phishing attack. By that attack, accesses to ICANN's public Governmental Advisory Committee wiki, blog, and whois information portal were also gained. Again, you still remember Home Depot’s 2014 breach that exposed 56 million payment cards and 53 million email addresses, right?

 

2015

US confirmed that the Pentagon was hit by a spear phishing attack in July, most likely from Russian hackers, which compromised the information of around 4,000 military and civilian personnel who work for the Joint Chiefs of Staff. The hackers used automated social engineering tactics to gain information from employee social media accounts and then used that information to conduct a spear phishing attack.

 

 

How do we protect against and detect the increasing spear phishing attacks? Our beloved Defense-In-Depth comes to our mind. NGFW, IPS/IDS, SPF/DKIM key validations, signature-less analysis services for zero-day exploit detection, IP/domain reputation services, web proxy, and up-to-day client/server patching to name a few. Is the well-built security infrastructure sufficient for spear phishing? The incidents listed above tell us NO. In the case of RSA breach, it only took one out of four individuals who fell to the trap to make hackers happy. So, user education is an essential component of spear phishing defensive strategies. Make smarter users. Remind them not to fall into spear phishing trap regularly and send them mock phishing drills randomly.

 

I won’t ask you to share your spear phishing story. But how does your organization protect against spear phishing? What does your organization provide user awareness and training? Please share. I would like to hear from you.

“After having spent the last two weeks in Asia I find myself sitting in a hotel room in Tokyo pondering something. I delivered a few talks in Singapore and in Manila and was struck by the fact that we’re still talking about SQL injection as a problem”. - Dave Lewis, CSO Online, July 31, 2015

 

exploits_of_a_mom.png

 

 

The following story is based on an actual event.

 

A Chief Security Officer (CSO) called a junior InfoSec engineer (ENG) after 5PM.

 

CSO: “I am looking for your manager. Our main website was hacked…”

ENG: “He left already. No, I heard that people complaint the website was slow this afternoon. The web team is working on it”.

CSO: “I am telling you that our website was hacked! There are garbage records in the database behind the website. The DBAs are trying to clean up the database. We were hacked by SQL injection!”

ENG: “…”

CSO: Call your boss now! Ask him to turn around and go back to the office immediately!”

 

Several teams of that poor company spent the whole night to clean up the mess. They needed to restore the database to bring back the main website.

 

 

In my last Thwack Ambassador post, OMG! My Website Got Hacked!, I summarized the last four OWASP Top 10 lists since 2004. Injection in general, and SQL Injection in particular, was number 1 of the OWASP Top 10 in 2010 and 2013. I predict that SQL injection will still be number 1 in the upcoming report of the OWSAP Top 10 in 2016. Check out this list of SQL injection incidents. Do you notice the increasing number of incidents in 2014 and 2015?

 

It’s another Christmas Day. In Phrack Magazine issue 54, December 25, 1998, there was an article on “piggyback SQL commands”  written by Jeff Forristal under the pseudonym rain.forest.puppy. Folks, 1998 was the year at which SQL injection vulnerability was publicly mentioned, although the vulnerability had probably existed long before then. Almost 17 years have passed since Jeff Forristal wrote his article “ODBC and MS SQL server 6.5” in Phrack Magazine, and still many companies are hit hardly by the SQL injection attacks today.

 

If you want to know more about the technical details of the SQL injection, I recommend you read Troy Hunt’s "Everything you wanted to know about SQL injection (but were afraid to ask)". Then you’ll appreciate the XKCD comic, Exploits of a Mom, that I included at the top of this post.

 

There are a few solutions to combat SQL injection; we may actually need all solutions combined to fight against SQL injection.

 

DATA SANITIZATION. Right. All user inputs to websites must be filtered. If you expect to receive a phone number in the input field, make sure you receive a phone number, nothing else.

 

SQL DEFENSES. As OWASP recommended, use parameterized statements, use stored procedures, escape all user supplied input, and enforce least database privilege. Don’t forget to log all database calls. And not the least, protect your database servers.

 

APPLICATION FIREWALL AND IPS. I agree that it’s not easy to customize security rules to fit your applications. But if you invest in AFW and/or IPS, they will be your first line of defense. Some vendors offer IDS-like, application behavioral model products to detect and block SQL injection attacks.

 

FINDING VULNERABILITIES AHEAD OF HACKERS. Perform constant security assessments and penetration testings to your web applications, both internal and internet-facing. Also, common sense wisdom: patch your web servers and database servers.

 

EDUCATION. EDUCATION. EDUCATION. Train your developers, DBAs, application owners, etc. to have a better understanding on information security. It will be beneficial to your company to train some white-hat hackers in different teams. Troy Hunt made a series of FREE videos for Pluralsight in 2013, Hack Yourself First: How to go on the Cyber-Offense. Troy made it clear in the Introduction that the series was for web developers. You don’t have to log in or register; just click on the orange play icons to launch the videos.

 

 

Do you have any story of SQL injection attack to share? You may not be able to share your own story, but you can share the stories you heard. Do you think that it’s hard to guard against SQL injection attacks and that’s why even many Fortune 500 companies still suffer from the treats? How do you protect your web applications and database servers from the SQL injection threats?

“After all, even the best-designed and most thoroughly audited web applications have far more issues, far more frequently, than their nonweb counterparts”. - Michal Zalewski in The Tangled Web

 

 

The following is a true story.

 

I was looking up future concerts at the Lincoln Center’s website and I was welcomed by the this page:

Lincoln Center Web Site Hacked 1.jpg

 

I (Me) then called the Lincoln Center Customer Service (CS).

 

CS: "Thank you for calling Lincoln Center...."

Me: "I'm glad that you have someone answer this call on Sunday. Your web site was hacked! When I browsed your homepage, it's directed to http://new.lincolncenter.org/live/ and the page was hacked”.

CS: "That’s alright. That is our new site”.

Me: "Sir, this is not right. Your website was hacked! Why don't you see for yourself..."

CS: "No, the website is fine”.

Me: "Sir, the page may be cached on your browser. Why don't you clear your browser cache and check your site again”.

CS: "Oh yeah. You're right. We got hacked”.

Me: "I think you should contact your IT and web administrator immediately. Have a good day. Bye”.

CS: "Thank you. Bye”.

 

Even Google captured the hack that day:

Lincoln Center Web Site Hacked 2.jpg

 

Websites are hacked everyday. With our daily life more and more relying on services on the internet, web application attacks becomes major concerns not only to the application hosts/owners, but also to the application users.

 

The Open Web Application Security Project (OWASP) is an international non-profit organization dedicated to improving security of web applications. Every three years since 2004, OWASP has published the Top 10 Project, the top 10 most critical web application risks worldwide. The most recent one is of 2013 and we expect an updated list in 2016. I summarized the previous Top 10 lists in the following table.

 

OWASP Top 10.jpg

 

Interesting observation from the table above is that injection (no matter of SQL, OS, or LDAP) and cross-site scripting (XSS) have been among the top web application risks for years. The nature of the web applications probably contribute to the ease of hacking with these techniques. So, how do we detect and protect from the web application threats?

 

WILL IPS/IDS BE USEFUL?

No really. Web applications are of OSI Layer 7. While IPS/IDS do have some signatures for web application attacks, in general IPS/IDS are of up to OSI Layer 4. IPSs can be placed as the first line of defense and block the threatening traffic, but they don’t understand web application protocol logic, URLs, or parameters.

 

WEB APPLICATION FIREWALL (WAF)?

WAFs of of OSI Layer 7 and are designed to detect and prevent web-based attacks that IPSs can’t. WAFs are placed inline in front of the web servers and monitor traffic to and from the web servers. WAFs understand web protocol logic, like HTTP GET, POST, HEAD, etc. and also Javascript, SQL, HTML, Cookies, etc. That being said, deployment of WAFs require understanding of the web applications behind them. Customizations of WAF policies are not unusual and WAF administrators need work closely with the web developers. A few years ago my team (network security team) evaluated WAF, but the complexity of building policies for even one web application made my team stop the project.

 

WHAT ABOUT THE DEVELOPERS?

From the OWASP Top 10 lists above, many risks can be considered as developers’ responsibility to secure the applications. Web developers are trained better in securing the codes; for example, the number 1 2004 risk, Unvalidated Input, fell out of the list in recent years. But I think we still have a long way to go for having developers with sound security mindset. I swear that I saw web applications requiring authentication ran on port 80 (HTTP)!

 

How does your organization detect and mitigate web application threats? Do you deploy or manage WAF? Is it a tough job to keep up with the web applications? How much thoughts do your web developers put when they build the applications? Do they have thoughtful security testings?

 

I would like to hear from you.

 

Lastly, I would like to point out that the IBM Security Systems Ethical Hacking team prepared a series of videos a series of videos based on the OWASP Top 10 2013 list. Beware of the marketing of IBM AppScan. But the videos show good examples of those top 10 web application attacks.

Digital Attack Map December 25, 2014.jpg


“DDoS trends will include more attacks, the common use of multi-vector campaigns, the availability of booter services and low-cost DDoS campaigns that can take down a typical business or organization” - Q1 2015 State of the Internet Security Report

 

“Almost 40% of enterprises are completely or mostly unprepared for DDoS attacks”. - SANS Analyst Survey 2014

 

 

In Christmas 2014, Microsoft’s Xbox Live and Sony’s Playstation Network were hit by massive DDoS attacks by hacking group Lizard Squad. Xbox Live and Playstation Network were down for 24 hours and 2 days, respectively. Online gamers were not happy, I’m sure.

 

Earlier this year, GitHub, the largest public code repository in the world, was intermittently shut down for more than five days. The DDoS attacks were said to link to China’s “Great Cannon”.

 

We’ll never stop hearing new victims (or old ones) that are crippled by the distributed denial of service (DDoS). In fact, every new security report states record-breaking number of DDoS attacks compared to the previous one. The latest data shows that there is an increasing number of Simple Service Discovery Protocol (SSDP) attacks. I found this scary - any unsecured home-based device using Universal Plug and Play (UPnP) Protocol can be used for reflection attacks.

 

Did your company/organization suffer from DDoS?

 

How do your organization detect DDoS threats?

 

What DDoS mitigations do your organization implement?

 

 

INFRASTRUCTURE MONITORING AND DETECTION

Studies found that majority of the DDoS attacks were volumetric attacks at the the infrastructure layer. Firewalls, IPS/IDS, NGFW, IP reputation service, should be deployed in the defense-in-depth manner not only to protect an organization’s network perimeter against DDoS, but also to detect any inside-network infected device to launch DDoS against within or outside the organization. NetFlow or any flow-based technology is indispensable to provide visibility of any network abnormality.

 

APPLICATION MONITORING AND DETECTION

Application firewalls, host-based IPS/IDS, application delivery controllers (ADC) provide up to Layer 7 visibility and protection against malicious traffic. And most importantly, don’t forget to patch your systems.

 

SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) AND HUMAN ELEMENT

You feed all the logs, flow data, packet captures, etc. to SIEM, then what? I believe that SIEM is not SIEM without the human element. Even though vendors include many pre-built alerts/reports in SIEM, it’s human that fine-tune to fit an organization’s needs; a lot of man-power. Also, who say that DDoS won’t start from 2AM in the morning? Therefore, 24x7 coverage (think of NOC) is necessary.

 

THIRD PARTY PROVIDER

Recently, we were approached by one of our service providers; they provide Security Operations Center (SOC) services to customers. In other words, they give customers 24x7x365 SIEM coverage. Service providers can also provide automatic DDoS mitigation, upstream blackholing, or even global content delivery network (CDN) services.

 

DDOS FIRE DRILL

Just like organizations performing disaster recovery tests annually or twice a year, annual DDoS tests should be conducted. All IT departments will get familiar with the DDoS incident handling. Also, the organization’s DDoS mitigation weakness can be revealed and improved.

 

 

In the ‘80s Sci-Fi movie WarGames, there was scene in which big monitors in situation room showed traces of global missile attacks. Do you want to see something similar in real life? OK. OK. No missile attacks. Check out the following websites for a taste of current cyberattacks in real time.

 

Cyber Threat Map from FireEye

IPViking Map from Norse Corp

Digital Attack Map from Arbor Networks and Google

“Encryption makes it more difficult for governments and other third parties to monitor your traffic. It also makes it harder for Internet Service Providers (ISPs) to censor access to specific Wikipedia articles and other information”. - Wikimedia blog, June 12, 2015

 

“and that by the end of 2016 65-70% of traffic will be encrypted in most markets”. - Sandvine Global Internet Phenomena Spotlight

 

 

I recently met a bright young man who works for Google in Europe.

Me: It’s nice to meet you!

Him: It’s nice to meet you, too!

Me: I have to say to you that Google’s “HTTPS everywhere” makes my life harder as a network security professional”.

Him: Well… This is the way to make things more secure.

Me: I agree, especially in the user perspectives. But my job is still harder…

 

 

GOOGLE I/O 2014

Pierre Far and Ilya Grigorik gave an awesome Google I/O session to developers, titled HTTPS everywhere, in June 2014. They evangelized that ALL web communications should be secure always and by default, in order to protect users’ privacy. To prevent Man-In-The-Middle (MITM) attacks, all web communications should be secured by HTTPS, which is HTTP over TLS. Pierre and Ilya stated that HTTPS not only would provide encryption of the client-server communications, but also authentication and data integrity. They later demonstrated the best practices of setting up a secure web site and its indexing signals for Googlebot.

 

 

EFF’s HTTPS EVERYWHERE

Google’s increasing use of HTTPS inspired Electronic Frontier Foundation (EFF) to introduced HTTPS Everywhere (with uppercase E in Everywhere) with version 1.0 released in 2011. HTTPS Everywhere is an open source web browser extension for Firefox, Chrome, and Opera. If the target websites support HTTPS, the browser extension automatically makes the web browsing connections to HTTPS. As far as I understand, IE users can install the non-EFF Zscaler Tools HTTPS Everywhere; Safari users need to type https:// manually.

 

 

65-70% INTERNET TRAFFIC ENCRYPTED BY 2016

Canadian network policy control products company Sandvine conducted a study with a North American fixed access network service provider in April 2015 to understand the encryption adoption of the internet traffic. The study found that 29% of the downstream traffic of that service provider was encrypted. The majority of the encrypted source traffic was YouTube and BitTorrent’s traffic followed.

 

For the unencrypted traffic, Netflix contributed 35% share (surprise, surprise, surprise not). This was an interesting finding because in April 2015, Netflix announced in the quarterly earnings letter that it would move to HTTPS to stream movies in the next year, in addition to the existing encrypted log-in and other sensitive data pages. With the Netflix transition to secure content delivery, Sandvine predicted that almost two-third on that North American ISP traffic would be encrypted.

 

More and more web sites are moving to HTTPS. For example, Wikimedia Foundation announced in a blog on June 2015 that it were in the process to encrypt all Wikimedia’s content with HTTPS and that it would use HTTP Strict Transport Security (HSTS) to protect against MITM attacks.

 

 

CHALLENGES OF MONITORING ENCRYPTED TRAFFIC

My team has recently been working on a project to migrate our perimeter firewalls to the Next Generation Firewalls (NGFW). Before we would put them inline, we set them up as monitor mode. What did we observe? Over 95% of our DMZ inbound traffic was encrypted. It’s not a surprise because our company’s website enforces HTTPS connections. About 60% of our outbound web traffic was encrypted. Of course with only monitor mode, our NGFW found ZERO threat from the encrypted traffic.

 

How do you monitor the activities in the encrypted traffic? You may say you can implement SSL Interception. SSL Interception is a beautiful term that we information security use for what we do, but in the end, it’s basically MITM attack (OK, in a white hat).

 

Even though we have the blessing from the executives to implement SSL interception for DLP, IPS, IDS, etc, we certainly cannot provide 100% customer satisfaction to our employees. NGFW and web proxy vendors provide a list of affected applications when SSL interception is implemented. The list includes, Microsoft Update, iTunes Store, GoToMeeting, and Dropbox. Beside high cost (money and man power) of implementing SSL interception for visibility and control, I wonder how many companies are blind to the encrypted traffic on their network.

 

Lastly, I would like to point out that Jacob Thompson of Independent Security Evaluators proposed a method against SSL interception. He demo’ed it at DerbyCon 4 in 2014. My point is that the half a million to a million dollars NGFW/IPS may not be able to give you 100% visibility that you expect.

 

Do you encounter any challenge to detect threats with the increasing encrypted traffic on the infrastructure? Do you have any successful and failure story to share? I would like to hear from you.

"If you know both yourself and your enemy, you can win a hundred battles without jeopardy."

-- Sun Tzu, The Art of War

 

 

Hi there! The past few weeks, as the Thwack Ambassador, I have enjoyed sharing the information security topics that interest me and getting great interactions with you. I have learned a lot from your comments and stories, sometimes fun, too. Who said that Geeks had no sense of humor? I highly recommend you to read kevincrouch4's daydream of syldra in my second June Ambassador blog post, There is No New Thing Under the Sun. What about BYOD?

 

In this last June Ambassador blog post, I would like to focus on the indispensable part of an information security system: You and Me. I'm going to share a few things that can keep us moving forward in this rapidly changing field and that can make us better contribute to the organization we work for.

 

Learn To Be A Hacker

Sun Tzu in the Art of War stated that to know your enemy, you must become your enemy. My employer is supportive in my infosec trainings. I was sent to take incident handling and pentesting classes and I learned a great deal of hacking stuff. I also learned about those hacker communities. You don't have to be a hacker, but you need to know how to protect from hackers. OK, you can call yourself white-hat hacker.

 

Read A Lot

In my early stage of my infosec career, I was captured by Richard Bejtlich's writings on his TaoSecurity blog. All four Bejtlich's books are in my library. There is much information that we need to learn and absorb available in books, web sites, blogs, and forums, etc. Oh, please tell me you read Kevin Mitnick's Ghost in the Wires.

 

Get Informed

I receive email feeds from US-CERT and SANS. My InfoSec Officer gets email alerts from MS-ISAC (Multi-State Information Sharing & Analysis Center). The security vendor specified information is useful, too. For example, the Zero Day Initiative (ZDI), found by TippingPoint, now part of HP, is a great source of information on vulnerabilities and attacks. Now, if Microsoft releases patches out of its regular Tuesday cycle, it will be a really big deal.

 

Keep Learning

I have to confess that the first time I heard MDM was in a vendor luncheon. I encourage you to attend conferences and vendor events. Black Hat is a good conference I think of. There is always something to learn, sometimes with nice meal(s). Also in those conferences and events you will have opportunities to network your fellows.

 

Understand Networking And Other IT Disciplines

I am not talking about Social Networking. I am talking about Networking. Nothing can lie what's on the wire, but you need to understand how stuff on the wire works, like Ethernet, TCP/IP, and higher layer protocols. An understanding of Windows login details will help you figure out the last break-in. And you may have already known that Python is a popular programming language among hackers.

 

Be Willing To Share

I am pretty active on Twitter and I keep Twitter for professional stuff; all personal/family/leisure stuff stays on Facebook. I got a lot of work-related information from my fellow Tweeps and they got from me. It's a win-win for us. You can't fight this infosec battle alone; you need support from your colleagues and other people. Even if you have the honor to work by yourself for infosec in your organization, share what you learned and what you know to others on different platforms, like this Thwack Community. We build up each other.

 

Are you with me in this journey? What's your opinion? I am looking forward to hearing from you.

Enabling NetFlow will give you some insight on what your network actually carries

-- Nicolas Fischbach in Black Hat conference

 

 

Even though we discuss NetFlow in this article, the content also applies to other flow technologies: J-Flow, sFlow, NetStream, etc.

 

In the discussion of my first June Ambassador blog post The Cost of InfoSec Stewardshipjswan provided a great idea of reducing information $ecurity costs: implementing solutions that can be used for multiple purposes. He stated, for example, that NetFlow could be used by multiple departments in an organization like Operations, Security, Networking, and Help Desk.

 

My organization is mainly a Cisco shop, so we implement NetFlow. Since I split my working hours in Network Security and in Data Center / Campus Networking, I have opportunities to use NetFlow as an information security tool and a network performance tool. We, as many organizations, were introduced NetFlow analyzer by different vendors as a security tool. NetFlow analyzer vendors know that many organizations lack in knowledge of what's going on in their network. The vendors also know that by showing the executives the unexpected Top Talkers in the network after one or two days of the POC, the executives will be convinced to pull out the checkbook.

 

The NetFlow solution for security doesn't come cheap. The cost of the NetFlow analyzer is one thing. You need FULL NetFlow, rather than SAMPLED NetFlow, for network forensics. If you have a scale-out network, you'll need multiple flow collectors and in turn you'll need more storage. In the end, it is a good idea to present to the CIO that this solution is multi-purpose.

 

Do you want to hear a true story of the "alternative" usage of NetFlow? A Windows server admin accidentally clicked "Go" in "Default Server" of the Rapid Deployment System. Immediately hundreds of servers were… "defaulted" and started PXE boot. Countless alerts showed up in the NOC monitoring system. Within five minutes, the IT managers of different departments stormed in the poor network manager's office and asked what's wrong the network (pretty common, I guess). Executives commanded to reboot this switch and that router. After the pale-face Windows admin confessed his mistake to the people, everyone didn't know where to start to identify all damaged servers in the next 45 minutes.

 

The NetFlow guy in another office was notified about the incident. He calmly ran a NetFlow report for all PXE boot traffic for the period of the incident. That report saved many lives that day.

 

Does your organization implement NetFlow or any other flow technology for information security?

Is that technology also used for something other than security?

Do you have any story to share?

 

I hope your story is not that scary.

Meanwhile, today’s security teams are grappling with the “any-to-any problem”: how to secure any user, on any device, located anywhere, accessing any application or resource. The BYOD trend only complicates these efforts. It’s difficult to manage all of these types of equipment, especially with a limited IT budget. In a BYOD environment, the CISO needs to be especially certain that the data room is tightly controlled.

 

-- Cisco 2014 Annual Security Report

 

 

A while back I was chatting with my colleague about BYOD (Bring Your Own Device) at lunch. I stated that we would need to pay more attention to the BYOD, as it had started to put more stress to our policy, network, and security. My colleague rolled his eyes and said the BYOD was nothing new; people had been bringing laptops to the company's network FOR YEARS.

 

The next morning, as soon as I saw him, I told him that the BYOD situation was different nowadays. I said that back in the old days, only certain persons brought ONE laptop PER PERSON to our network, but now EVERY person easily would have multiple devices to bring in. I counted mine: a Blackberry, an iPhone, an iPad, and a MacBook Pro. That colleague had the same number of devices, but lucky he left his iPad home for his son, so he brought in one less that day.

 

Many organizations has found that the wireless subnets that were designed a couple years ago always ran out of IP addresses; they have to constantly expand the wireless network scope. Not only the sudden increase of the number of devices in the network troubles the organizations, but also the organizations realize that they have to face the challenge, the complexity, of securing the network and their valuable data from the mobile devices. The traditional NAC doesn't seem to be able to handle this new trend. MDM comes into the picture, but is it mature enough?

 

According to the data of the mobile OS market share, Android currently dominates the market, followed by iOS. The problem is that a large percentage of Android devices still uses outdated releases. These devices are subject to security vulnerabilities. The information security of many organizations are solid and well-protected from outside but really weak from inside. Now more and more vulnerable devices are brought directly to the inside network. I'm sure you get the picture.

 

Does your organization face the same challenge? How does your organization protect itself from the BYOD? By both policy and MDM? Do you think the current MDM solutions are good enough?

 

I am looking forward to reading your stories and comments.

"Five billion years and it still comes down to money." -- The Doctor

 

 

Hello Thwack, this is Gideon Tam again! I was one of the Thwack Ambassadors for the month of January, 2014. Back in January we had great discussions and comments on the topics of the Log & Event Management in the General Security & Compliance area. If you haven't seen those discussions, here are the links to them:

 

To Log Or Not To Log: That Is The Question

Don't Panic and Know Where Your Logs Are

So Good They Can't Ignore SIEM

Winning The Loser's Game of Information Security

 

In the last discussion, Winning The Loser's Game Of Information Security, we generally agreed that the information security would not be a losing battle at all, even though information security breaches made to the headline news all the time (you might receive an email from eBay for changing password last week). Endurance and persistence, my dear fellows.

 

Recently we planned to replace our current internet perimeter firewalls with the New Generation Firewalls. The price quote we got after a few negotiations still popped out our eyes. This made me think of:

 

Is it possible to lower the cost of the information security?

 

In January we talked about that SIEM didn’t come cheap. Remember S in SIEM is $?   We also discussed the defense in depth. All these come with a huge price tag. Yes, we can cut some corners when IT budget permits, but we can only cut that much. If we are able to reduce the costs of information security equipment, what about the costs of the storage to keep the data in order to be HIPAA or PCI compliance?

 

Thanks to Steve Jobs and Jeff Bezos, we now face new IT challenges: BYOD, public and private clouds, etc. All the sudden we need to implement security measures that we haven’t done before. Of course, vendors help us by providing their awesome solutions and in turn we help them with higher budget.

 

You may say that we can save by using the open source projects/softwares/applications. I have some open source applications in my environment. I’ve found that it takes quite a bit of manpower to start, implement, and maintain systems with the open source applications. My colleagues and I have been thinking to replace those systems with vendor solutions. And open source is open source. For example, remember Snort -> Sourcefire -> Cisco?

 

To me, it’s very hard to drive the information security cost down. I, of course, will do my best to keep the expense as low as possible. But I’ll also provide information to the CIO to talk to the CEO and the CFO to request more funding. What do you think? If you don’t agree with me, it is perfectly fine; I want to hear from you and learn from you. Please drop some thoughts, comments, and feedbacks here.

Filter Blog

By date: By tag: