IT Security 2.0

Friday, 09 October 2009

Cloud-based Data Leak Detection complements Data Leak Prevention - Monitoring P2P Networks

Can you imagine your Data Leak Prevention system not being perfect? Is there value in a service that scans P2P networks looking for leaked data that eluded your Data Leak Prevention (DLP) controls?

Tiversa offers such a service. In an example of the value of their service, according to a Washington Post article, they claim that "the personal data of tens of thousands of U.S. soldiers - including those in the Special Forces - continue to be downloaded to unauthorized computer users in countries such as China and Pakistan..."

On a separate, but possibly related note, there was an Ars Technica article last last week on a bill working its way through Congress called the "Informed P2P User Act." From the Ars Technica article:

"First, it requires P2P software vendors to provide "clear and conspicuous" notice about the files being shared by the software and then obtain user consent for sharing them. Second, it prohibits P2P programs from being exceptionally sneaky; surreptitious installs are forbidden, and the software cannot prevent users from removing it."

It's clear that P2P represents risks that can be reduced by both technical and legal means.


Posted at 09:26 PM in Breaches, Data Loss Prevention, IT Security 2.0, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

Thursday, 01 October 2009

Block Facebook?

I just received an email advertisement from a "Web 2.0 security" vendor recommending that I use its product to block the evil Facebook. This is rather heavy handed.

Sales and marketing people want to use Facebook to reach prospects and interact with customers.
Sure there are issues with Facebook, but an all-or-nothing solution does not make sense. A more granular approach is much better. I discussed this issue recently in a post entitled, How to leverage Facebook and minimize risk.

Posted at 09:29 AM in Application Security, IT Security 2.0, Risk Management, Security Policy | | Comments (1) | TrackBack (0)

Technorati Tags: ,

Monday, 21 September 2009

Empirical evidence shows that the top cyber security risks are related to Web 2.0

Every consultant and vendor has a theory about the top cyber security risks. But what's really going on? SANS has the answer. Last week they released their analysis of threat and vulnerability data collected from 6,000 organizations and 9 million systems during the period from March 2009 to August 2009.

SANS says that two threat types dominate the analysis, both of which are tied to Web 2.0:

  • Threats associated with people using Web 2.0 applications, i.e. their workstations' vulnerabilities that are not patched and are exploited when they visit web sites.
My take: While the hype around NAC has definitely waned, the importance of comprehensive and continuous end point discovery, vulnerability analysis, configuration compliance checking, and patching at the application level as well as the operating system level is increasing.
  • Organizations' Internet-facing web sites remain vulnerable to threats like SQL Injection and Cross-Site Scripting.
My take: It's clear that using a rigorous Software Development Life Cycle process is just not getting the job done. Web application firewalls are a must have.

Posted at 05:16 PM in Application Security, IT Security 2.0, Risk Management | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

Thursday, 17 September 2009

How to leverage Facebook and minimize risk

Marketing and Sales teams can benefit from using Web 2.0 social networks like Facebook to reach new customers and get customer feedback. It's about conversations rather broadcasting. So simply denying the use of Facebook due to security risks and time wasting applications is not a good option, much as in the 90's denying access to the Internet due to security risks was not feasible.

IT Security 2.0 requires finer grained monitoring and control of social networks like Facebook as follows:

  1. Restrict access to Facebook to only those people in sales and marketing who legitimately need access.
  2. Facebook is not a single monolithic application. It's actually a platform or an environment with many functions and many applications, some of which are pure entertainment and thus might be considered business time wasters. Create policies that restrict usage of Facebook to only those functions that are relevant to business value.
  3. Monitor the Facebook stream to detect and block incoming malware and outgoing confidential information.

Palo Alto Networks, which provides an "Application/User/Content aware" firewall (is that a mouthful?), appears to be able to provide such capabilities. Perhaps we might call it a Web 2.0 network firewall.

Is anyone aware of another firewall that can provide similar functionality?

Posted at 04:47 PM in Application Security, IT Security 2.0, Network Security, Web 2.0 Network Firewalls | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

Monday, 14 September 2009

Two more high profile Web 2.0 exploits - NY Times, RBS Worldpay

Two more high profile organizations have succumbed to Web 2.0 based exploits, New York Times and RBS Worldpay. These highlight the shortcomings of traditional IT security. I have no doubt that both of these organizations had deployed traditional firewalls and other IT Security tools, yet they were still breached by well understood exploit methods for which there are are proven mitigation tools.

I discussed this issue, Web 2.0 requires IT Security 2.0, at some length recently.

The current RBS Worldpay problem was merely a hacker showing off a SQL Injection vulnerability of RBS Worldpay's payment processing system. Late last year RBS Worldpay suffered a more damaging breach involving the "personal and financial account information of about 1.5 million cardholders and other individuals, and the social security numbers (SSNs) of 1.1 million people."

The New York Times website itself was not breached. A third party ad network vendor they use was serving "scareware" ads on New York Times site. Martin McKeay points out on his blog:

"it appears that the code wasn’t directly on a NYT server, rather it was served up by one of the third-party services that provide ads for the NYT.  Once again, it shows that even if you trust a particular site you’re visiting, the interaction between that site and the secondary systems supporting it offer a great attack vector for the bad guys to gain access through."

On the other hand, the average user coming to the New York Times site is not aware of this detail and will most deservedly hold the New York Times responsible. Web sites that use third party ad networks to make money, must take responsibility for exploits on these ad networks. For now, as usual, end users have to protect themselves.

I recommend that Firefox 3.5 users avail themselves of Adblock Plus and NoScript. Adblock Plus obviously blocks ads and NoScript by default prevents JavaScript from running.

What's particularly interesting about NoScript is that you can allow JavaScript associated with the site to run but not the JaveScript associated with third party sites like advertising networks. Based on my reading of Troy Davis's analysis of the exploit, if you were using Firefox 3.5 and running NoScript with only New York Times JavaScript allowed, you would not have seen the scareware ad.


Posted at 09:35 PM in Breaches, IT Security 2.0, Malware, Secure Browsing | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

Tuesday, 08 September 2009

If Web 2.0, then IT Security 2.0

McKinsey's just released report on its third annual survey of the usage and benefits of Web 2.0 technology was enlightening as far as it went. However, it completely ignores the IT security risks Web 2.0 creates. Furthermore, traditional IT security products do not mitigate these risks. If we are going to deploy Web 2.0 technology, then we need to upgrade our security to, dare I say, "IT Security 2.0."

Even if Web 2.0 products had no vulnerabilities for cybercriminals to exploit, which is not possible, there is still the need for a control function, i.e. which applications should be allowed and who should be able to use them. Unfortunately traditional security vendors have had limited success with both. Fortunately, there are security vendors who have recognized this as an opportunity and have built solutions which mitigate these new risks.

In the past, I had never subscribed to the concept of security enabling innovation, but I do in this case. There is no doubt that improved communication, learning, and collaboration within the organization and with customers and suppliers enhances the organization's competitive position. Ignoring Web 2.0 or letting it happen by itself is not an option. Therefore when planning Web 2.0 projects, we must also include plans for mitigating the new risks Web 2.0 applications create.

The Web 2.0 good news - The survey results are very positive:

"69 percent of respondents report that their companies have gained measurable business benefits, including more innovative products and services, more effective marketing, better access to knowledge, lower cost of doing business, and higher revenues.

Companies that made greater use of the technologies, the results show, report even greater benefits. We also looked closely at the factors driving these improvements—for example, the types of technologies companies are using, management practices that produce benefits, and any organizational and cultural characteristics that may contribute to the gains. We found that successful companies not only tightly integrate Web 2.0 technologies with the work flows of their employees but also create a “networked company,” linking themselves with customers and suppliers through the use of Web 2.0 tools. Despite the current recession, respondents overwhelmingly say that they will continue to invest in Web 2.0."

The Web 2.0 bad news - Web 2.0 technologies introduce IT security risks that cannot be ignored. The main risk comes from the fact that these applications are purposely built to bypass traditional IT security controls in order to simplify deployment and increase usage. They use techniques such as port hopping, encrypted tunneling, and browser based applications. If we cannot identify these applications and the people using them, we cannot monitor or control them. Any exploitation of vulnerabilities in these applications can go undetected until it's too late.

A second risk is bandwidth consumption. For example, unauthorized and uncontrolled consumer-oriented video and audio file sharing applications consume large chunks of bandwidth. How much? Hard to know if we cannot see them.

In case we need some examples of the bad news, just in the last few days see here, here, here, and here.

The IT Security 2.0 good news - There are new IT Security 2.0 vendors who are addressing these issues in different ways as follows:

Database Activity Monitoring - Since we cannot depend on traditional perimeter defenses, we must protect the database itself. Database encryption, another technology, is also useful. But if someone has stolen authorized credentials (very common with trojan keyloggers), encryption is of no value. I discussed Database Activity Monitoring in more detail here. It's also useful for compliance reporting when integrated with application users.

User Activity Monitoring - Network appliances designed to monitor internal user activity and block actions that are out of policy. Also useful for compliance reporting.

Web Application Firewalls - Web server host-based software or appliances specifically designed to analyze anomalies in browser-based applications. WAFs are not meant to be primary firewalls but rather to be used to monitor the Layer 7 fields of browser-based forms into which users enter information. Cybercriminals enter malicious code which, if not detected and blocked, can trigger a wide range of exploits. It's also useful for PCI compliance.

"Web 2.0" Firewalls - Next generation network firewalls that can detect and control Web 2.0 applications in addition to traditional firewall functions. They also identify users and can analyze content. They can also perform URL filtering, intrusion prevention, proxying, and data leak prevention. This multi-function capability can be used to generate significant cost reductions by (1) consolidating network appliances and (2) unifying policy management and compliance reporting.

I have heard this type of firewall referred to as an Application Firewall. But it seems confusing to me because it's too close to Web Application Firewall, which I described above and performs completely different functions. Therefore, I prefer the term, Web 2.0 Firewall.

In conclusion, Web 2.0 is real and IT Security 2.0 must be part of Web 2.0 strategy. Put another way, IT Security 2.0 enables Web 2.0.


Posted at 11:11 PM in Application Security, Compliance, Database Activity Monitoring, IT Security 2.0, Network Security, Risk Management, User Activity Monitoring, Web 2.0 Network Firewalls, Web Application Firewalls | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

« Previous

About

Subscribe to this blog's feed

Recent Posts