<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Whatever Compliance &#187; Business</title>
	<atom:link href="http://www.whatevercompliance.com/category/business/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.whatevercompliance.com</link>
	<description>Savid Technologies thoughts on technology, information security, and business</description>
	<lastBuildDate>Sat, 15 May 2010 02:05:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>7 consecutive errors equals a Security Breach</title>
		<link>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/</link>
		<comments>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/#comments</comments>
		<pubDate>Fri, 12 Mar 2010 05:01:41 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Christian Moldes]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[gladwell]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[moldes]]></category>
		<category><![CDATA[plane crashes]]></category>
		<category><![CDATA[privileged account]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[security breaches]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[verizon]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=450</guid>
		<description><![CDATA[Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (which should be tested the way you test your disaster recovery processes!) should be the FIRST THING you implement when building a security program at an organization, followed by detective controls such as logging, to detect a breach as soon as possible.]]></description>
			<content:encoded><![CDATA[<p>Christian Moldes of Verizon Business has a great post about <a href="http://securityblog.verizonbusiness.com/2010/03/11/plane-crashes-and-security-breaches">Plane Crashes and Security Breaches</a> and how similar the two are. He hits it right on the head! During our engagement wrap-up meetings, where we walk through the scenarios an attacker could use to break into a client&#8217;s network, we are always asked to put a specific ranking on a specific risk. I argue that that almost doesn&#8217;t matter, because the big breaches normally come not from a single vulnerability but from many chained together.</p>
<p>Christian quotes Malcolm Gladwell, and says:</p>
<blockquote><p>The typical [plane] accident involves seven consecutive human errors.</p></blockquote>
<p>When we work with clients we normally see that breaches are caused by a chain of at least three errors: exploitation of a vulnerability; then a misconfiguration that exposes a privileged account&#8217;s user name and password; and then data the privileged account can reach, sitting somewhere on the network it was never supposed to be.</p>
<p>Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (which should be tested the way you test your disaster recovery processes!) should be the FIRST THING you implement when building a security program at an organization, followed by detective controls such as logging, to detect a breach as soon as possible.</p>
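<p>The detective-control side of that argument is easy to state and rarely implemented: each link of the chain above (an IDS alert, a privileged logon, a file read) is noise on its own, and it is the chain that is the breach. The following is an added example, not code from the post or from Savid Technologies, of a small correlation rule that fires only when all three links line up. The log format, field names and the sample lines are constructed for the example; the 24-hour window and the "sensitive path" prefix are assumptions you would tune to your own environment.</p>

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from the post).
# Format: "<ISO timestamp> <reporting host> <event> key=value ..."
SAMPLE_LOG = """\
2010-03-11T22:01:05 ids01 exploit_alert sig=webapp_rce src=203.0.113.9 dst=web01
2010-03-11T22:09:12 dc01 auth_success user=svc_backup src=web01 privileged=yes
2010-03-11T22:15:30 fs02 file_access path=/shares/finance/cardholder.csv user=svc_backup src=dc01
2010-03-11T23:02:00 dc01 auth_success user=jsmith src=ws17 privileged=no
2010-03-12T09:30:00 fs02 file_access path=/shares/finance/budget.xls user=cfo src=ws03
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "event": m.group("event"),
    }
    rec.update(KV_RE.findall(m.group("kv")))
    return rec


def chained_breach_alerts(lines, window=timedelta(hours=24),
                          sensitive_prefix="/shares/finance/"):
    """Alert only when all three links of the chain occur within `window`:

    1. an exploit alert against host H,
    2. a privileged logon whose source is H (the stolen credentials in use),
    3. the same privileged account reading data under `sensitive_prefix`.
    Window and prefix are assumptions of this example, not values from the post.
    """
    exploited = {}   # host -> time of first exploit alert against it
    pivoted = {}     # privileged account -> (logon time, compromised source host)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event = rec["ts"], rec["event"]
        if event == "exploit_alert":
            exploited.setdefault(rec.get("dst", rec["host"]), ts)
        elif event == "auth_success" and rec.get("privileged") == "yes":
            src, user = rec.get("src"), rec.get("user")
            if user and src in exploited and ts - exploited[src] <= window:
                pivoted[user] = (ts, src)
        elif event == "file_access" and rec.get("path", "").startswith(sensitive_prefix):
            user = rec.get("user")
            if user in pivoted and ts - pivoted[user][0] <= window:
                logon_ts, src = pivoted[user]
                alerts.append({
                    "compromised_host": src,
                    "account": user,
                    "path": rec["path"],
                    "exploited_at": exploited[src],
                    "privileged_logon_at": logon_ts,
                    "data_access_at": ts,
                })
    return alerts


if __name__ == "__main__":
    for alert in chained_breach_alerts(SAMPLE_LOG):
        print(alert)
```

<p>Run against the sample, the rule fires once, for the svc_backup logon from web01 that follows the exploit alert and precedes the cardholder file read. Drop the exploit alert line and nothing fires, which is the point: the privileged logon and the file read are ordinary events until the first link of the chain is present.</p>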
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>1 thing you have to do if you virtualize</title>
		<link>http://www.whatevercompliance.com/it-consulting/1-thing-you-have-to-do-if-you-virtualize/</link>
		<comments>http://www.whatevercompliance.com/it-consulting/1-thing-you-have-to-do-if-you-virtualize/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 18:54:01 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[IT Consulting]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[green]]></category>
		<category><![CDATA[green computing]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[infrastructure hardware]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[performance management]]></category>
		<category><![CDATA[performance problems]]></category>
		<category><![CDATA[scalable infrastructure]]></category>
		<category><![CDATA[servers]]></category>
		<category><![CDATA[smb]]></category>
		<category><![CDATA[storage]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=377</guid>
		<description><![CDATA[Virtualization saves money and the environment.  But it is not without a potentially major disadvantage.]]></description>
			<content:encoded><![CDATA[<p>Whenever executives discuss IT and cost cutting, two topics invariably come up: virtualization and the cloud. Don&#8217;t even get me started on the cloud, and the chance of rain. Virtualization is the better topic to discuss, since some of its pitfalls may be unfamiliar to you (especially in the SMB).</p>
<p>By now, most companies have adopted, or at least looked into, overhauling their IT infrastructure with virtualization solutions. Virtualization is said to reduce costs, simplify management and scalability, and limit the toll computing has on the environment. Since 2005, virtualization software has quickly changed the landscape of enterprise computing.</p>
<p>For those unfamiliar with the concept, virtualization abstracts computing resources so that several physical systems can be consolidated as virtual machines on one more powerful system. It takes underutilized hardware, such as servers, storage devices, and network resources, and partitions it virtually among multiple machines.</p>
<p>The reason virtualization has become such a favorable trend in IT is probably that the advantages are so easy to grasp. First of all, the physical work of managing hundreds of machines is simplified while allowing for a scalable infrastructure. Plugs and cables do not have to be rearranged every time there is a change in hardware, which reduces the workload of the system administrator. Virtualization allows hardware resources such as storage or network bandwidth to be pooled, so hardware does not go underutilized. Less hardware means lower energy costs, both to run and to cool. Altogether, these advantages lower the costs for infrastructure, hardware, power, and cooling.</p>
<p>You’ve probably had the green benefits of virtualization stressed to you. According to VMware, for every server virtualized, you can save about 7,000 kilowatt hours, or four tons of CO2 emissions, every year. Virtualization can cut the power demand of ten machines down to one and save almost 80 percent on an electricity bill. VMware even has a <a href="http://www.vmware.com/solutions/green/calculator.html">green calculator </a>on their website which allows you to see your virtualization benefits in terms of energy savings, cost reduction and environmental impact. A quick calculation shows that virtualizing 200 servers is the equivalent of planting 4,000 trees.</p>
<p>Of course, businesses are more concerned with reducing costs than with reducing the size of their carbon footprint. With this in mind, there are a few disadvantages, or at least pitfalls, that a switch to virtualization may create.</p>
<p>The big one: performance degradation is likely when you move to a virtualized infrastructure if that infrastructure was not properly architected (which, all too often, is the case by the time we get involved). Most organizations lack the tools and expertise to monitor and analyze virtual environments and find and correct the issues that affect performance. A study by Aberdeen shows that enterprises with an 85% success rate in identifying performance issues in a physical environment have only a 37% success rate in a virtualized one. Likewise, improved response time for managing business-critical applications fell from 67% in a physical environment to 39% in a virtual one.</p>
<p>Many enterprises find that there is a tradeoff between lower staffing and power costs and less-than-optimal performance. Sometimes this means the advantages of virtualization are smaller than expected, so make sure you have adequately measured the minimum performance requirements of your infrastructure before you run off and virtualize everything.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/it-consulting/1-thing-you-have-to-do-if-you-virtualize/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Survive a DDoS Extortion Attack</title>
		<link>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/</link>
		<comments>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 18:58:09 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[ddos attack]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[Denial-of-service attack]]></category>
		<category><![CDATA[extortionist]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[ransomware]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=383</guid>
		<description><![CDATA[Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment.  If the payment is not made by the given date, then the attack begins and the price usually increases.  ]]></description>
			<content:encoded><![CDATA[<p>Although I think DDoS extortion is declining as ransomware and scareware tactics become more lucrative, DDoS extortion remains interesting to me for its sheer supervillainy (plus the stories sound cool when you tell them). I was giving the example to a CSO I met today, and after hearing the story he asked, &#8220;How do I survive a DDoS extortion attack?&#8221; So here is how:</p>
<p>Businesses hit with these attacks have almost no way to fight back and even have a disincentive to alert the authorities who could help defend them.</p>
<p>DDoS (distributed denial of service) extortion occurs when an attacker threatens to use a vast botnet of infected computers to bombard a single target online. The target&#8217;s resources are consumed serving the botnet&#8217;s traffic, so legitimate users cannot reach the site: a denial of service. This prevents businesses from using their website, which may be integral to their operations.</p>
<p>Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment.  If the payment is not made by the given date, then the attack begins and the price usually increases.</p>
<p>Companies have three ways to respond: pay the attacker, use DDoS protection, or go to the authorities. Unfortunately, most companies simply pay, since it is the easiest and least expensive way to make the problem go away. That only emboldens the attackers and leads to more extortion of other companies.</p>
<p>It is possible to use DDoS protection to block the bots, but the extortionist will warn that if such an attempt is made they will simply increase the number of bots attacking the website, making it much more expensive to deal with.</p>
<p>Going to the authorities can be so ineffective that extortionists do not even discourage their targets from doing so. Extortion attacks usually come from other countries, often Eastern Europe, where the FBI has little recourse. Furthermore, businesses are afraid to report the crime because it could damage their brand if it got out that they were helpless against extortionists. That makes it harder to develop any countermeasures, since nobody can tell how often extortion occurs, how much money is extorted, or who the targets are. According to experts, every online gambling site is paying extortion, usually around $40,000.</p>
<p>For these reasons, too often companies simply keep quiet about the extortion and pay the fee. The ransom is much less than the cost of a denial of service attack. Sometimes the extortionist even offers the victim the opportunity to pay for an attack on a competitor. Why not? It gives the victim a chance to level the playing field and the extortionist a chance to make even more money.</p>
<p>The best way to combat attacks like these is for businesses to put aside competitive differences and share information about security incidents and cyberattacks with industry peers and law enforcement. But that&#8217;s never going to happen, and businesses are likely to continue to fight an every-man-for-himself battle.</p>
<p>Until then, it’s up to companies to build up internal protections and beef up their security to protect against botnet attacks. Also, if this ever starts to happen to your business you can always contact me and I can see how I can help!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Outsourcing:  Multisourcing Pros and Cons</title>
		<link>http://www.whatevercompliance.com/entreprenurial/outsourcing-multisourcing-pros-and-cons/</link>
		<comments>http://www.whatevercompliance.com/entreprenurial/outsourcing-multisourcing-pros-and-cons/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 03:31:08 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Entreprenurial]]></category>
		<category><![CDATA[vendor management]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=369</guid>
		<description><![CDATA[While I often hear relentless praising for the multisourcing approach, we should not forget that it does come with its own set of trade-offs and potential problems.  Here I will examine the pros and cons of multisourcing:
]]></description>
			<content:encoded><![CDATA[<p>Part of my daily role as CEO at Savid Technologies is to work with small and medium businesses, and one of the questions I commonly get is about outsourcing. How can we outsource effectively? Or, what else can we outsource in addition to IT? So I thought I would give a small primer on multi-vendor outsourcing.</p>
<p>As businesses grow, their vendor management process also grows in sophistication, and some companies transition from using a single outsource provider for application development to using multiple vendors. This multisourcing approach uses different vendors who specialize in different areas of application development and testing.</p>
<p>While I often hear relentless praising for the multisourcing approach, we should not forget that it does come with its own set of trade-offs and potential problems.  Here I will examine the pros and cons of multisourcing:</p>
<p><strong>+ Gain access to experts in their particular discipline. </strong> The most obvious advantage is the ability for you to leverage the expertise of vendors specializing in different disciplines.  For example, you may use a vendor specializing in development and another specializing in testing.  By using multiple vendors providing their unique expertise, you gain access to a wider pool of knowledge and skill than you would when only using a single vendor.</p>
<p><strong>+ Save money. </strong>Using specialized outsource providers means tapping into a smaller market with lower costs and less turnover than larger providers. A small, specialized firm can offer more expertise in a single discipline, and at lower cost.</p>
<p><strong>+ Higher quality assurance.</strong> The division of outsource providers establishes an independence between the different disciplines that should yield a higher quality result.  For example, a testing vendor can provide honest insight about the developed software’s quality since they were not responsible for developing it.  In this way, multisourcing creates a system of checks and balances that promote quality and lower risk of problems.</p>
<p>Now before you run to reassess your vendor management structure with multisourcing capabilities, you’d better first keep in mind these possible negatives:</p>
<p><strong>- Increased vendor management.</strong> Onshore employees will have to manage, organize, and coordinate the output of the multiple outsource providers.  Without a single outsourcer providing a turn-key solution, your company will have to use its own time and resources to manage the project each step of the way.</p>
<p><strong>- Multiple vendor relationships. </strong>With the additional expertise of multiple outsource providers comes the management of additional vendor relationships. Communication suffers without a single point of contact, making it more difficult and time-consuming on your end to manage and maintain those relationships.</p>
<p>As it goes with everything in the IT world, whether single-sourcing or multi-sourcing is right for your company depends on a set of individual circumstances, including the size and scope of needs of the company.  It’s up to you to consider the pros and cons of each vendor management structure and be aware that there is no magic bullet solution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/entreprenurial/outsourcing-multisourcing-pros-and-cons/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SOX May Be Overturned by Supreme Court</title>
		<link>http://www.whatevercompliance.com/general/sox-may-be-overturned-by-supreme-court/</link>
		<comments>http://www.whatevercompliance.com/general/sox-may-be-overturned-by-supreme-court/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 16:06:25 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[accounting oversight board]]></category>
		<category><![CDATA[compliance regulations]]></category>
		<category><![CDATA[constitutional requirements]]></category>
		<category><![CDATA[PCAOB]]></category>
		<category><![CDATA[public company accounting oversight board]]></category>
		<category><![CDATA[regulatory powers]]></category>
		<category><![CDATA[Ron Paul]]></category>
		<category><![CDATA[sarbanes oxley act]]></category>
		<category><![CDATA[sox compliance]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=306</guid>
		<description><![CDATA[The lawsuit claims the Sarbanes-Oxley Act violates constitutional requirements since it gives the Public Company Accounting Oversight Board regulatory powers over the accounting industry, and yet its members are not appointed by the President.  They argue that this is a violation of the separation of powers specified in the constitution that leaves the President with insufficient control over what could be considered an executive function.
]]></description>
			<content:encoded><![CDATA[<p>A new lawsuit by the Free Enterprise Fund, soon to be heard by the Supreme Court, challenges the constitutional validity of a certain provision in the Sarbanes-Oxley Act.</p>
<p>The lawsuit claims the Sarbanes-Oxley Act violates constitutional requirements since it gives the Public Company Accounting Oversight Board regulatory powers over the accounting industry, and yet its members are not appointed by the President.  They argue that this is a violation of the separation of powers specified in the constitution that leaves the President with insufficient control over what could be considered an executive function.</p>
<p>But to me it sounds like a technicality; pointed at those clamoring for the downfall of SOX.  Since SOX lacks a severability clause, if the lawsuit prevails then the entire Act would be thrown out, not just the part about PCAOB appointees.  This is probably what the Free Enterprise Fund is planning on.</p>
<p>Opponents of Sarbanes-Oxley are many, and they&#8217;d love to see SOX thrown out. Ron Paul, to name one, argues that SOX compliance puts U.S. corporations at a competitive disadvantage against foreign markets. Both foreign and U.S. firms that do not wish to endure the intrusive compliance regulations of SOX are deregistering from the U.S. stock exchange. This is understandable, since the costs SOX imposes have averaged $5.1 million in compliance costs. The year after it became law, the number of companies deregistering from the stock exchange tripled.</p>
<p>The Act also seems to discourage growth in the initial public offering market. Startups can hardly afford the SOX compliance costs required to qualify for stock market registration, but without investors these companies don&#8217;t have much of a chance to grow.</p>
<p>On the other hand, many of the companies fleeing stock exchange registration because of SOX may have something to hide. In those cases, SOX is doing its job of preventing companies with crooked accounting practices from swindling mom-and-pop investors.</p>
<p>It remains to be seen how the Supreme Court will rule on the lawsuit and, if the lawsuit prevails, how it will end up reforming all aspects of the Sarbanes-Oxley Act.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/sox-may-be-overturned-by-supreme-court/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Much Is Your Malware Infected Computer Worth?</title>
		<link>http://www.whatevercompliance.com/network-security/how-much-is-your-malware-infected-computer-worth/</link>
		<comments>http://www.whatevercompliance.com/network-security/how-much-is-your-malware-infected-computer-worth/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 21:07:49 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[Finjan]]></category>
		<category><![CDATA[golden cash]]></category>
		<category><![CDATA[golden cash network]]></category>
		<category><![CDATA[infected computer]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malicious website]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[malware infected PCs]]></category>
		<category><![CDATA[toolkit]]></category>
		<category><![CDATA[trading platform]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=184</guid>
		<description><![CDATA[The report reveals a highly organized and sophisticated trading platform for cybercriminals called the Golden Cash Network.  The Golden Cash Network gives anyone the ability to buy or sell malware infected computers by the thousands – as well as provides an exploit toolkit with obfuscated code and an attack toolkit to distribute malware.
]]></description>
			<content:encoded><![CDATA[<p>About $5. That&#8217;s how much your malware infected computer, as a bot in somebody&#8217;s botnet, is selling for at the moment if you live in the US, though its stock could go up or down. It&#8217;s worth $10 if you live in Australia.</p>
<p>Although I didn&#8217;t get enough time to put this report into my new book, <a href="../book/">Hacking Exposed: Malware and Rootkits</a>, it is very interesting. Everyone is talking about this <a href="http://www.finjan.com/GetObject.aspx?ObjId=672">new report</a> from the Finjan Malicious Code Research Center, and it&#8217;s a doozy. The report reveals a highly organized and sophisticated trading platform for cybercriminals called the Golden Cash Network. The Golden Cash Network gives anyone the ability to buy or sell malware infected computers by the thousands, and also provides an exploit toolkit with obfuscated code and an attack toolkit to distribute malware.</p>
<p>Say, for example, you want to advertise to thousands of users, or steal their identities for whatever insidious purpose. Golden Cash makes it easy for you. Just select the country and how many PCs you wish to control. You can even specify the geographic area, and ask for machines that are not protected by a firewall or AV. Once you place your order, you are given access to detailed instructions on what you can do with your new bots and how to do it. The whole ordering process is done through simple, elegant, easy-to-use forms; you&#8217;d almost think you were ordering from Amazon.</p>
<p>But what if you’re not an expert cyber criminal?  Can you still get in on the Golden Cash Network?</p>
<p>Absolutely. Golden Cash&#8217;s partner program makes it easy to contribute to their collection of bots for easy cash. Golden Cash again provides detailed instructions on how to distribute the Golden Cash bot by injecting iframes (inline frames) into legitimate websites. These frames point to a malicious website that infects visitors with malware already integrated into the Golden Cash platform.</p>
<p>Depending on a number of factors, such as geographic location, the value of bot PCs constantly goes up and down. Users try to buy low and sell high. It&#8217;s just like Wall Street.</p>
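<p>If you run a website, the iframe injection described above is the part of this scheme you can check for yourself. The following is an added example, not code from the Finjan report or from Golden Cash, of a small scanner that flags iframes which are both hidden from the visitor and point at a host other than the page&#8217;s own. The sample page, the host names (all on reserved example domains) and the &#8220;hidden&#8221; heuristics (display:none, visibility:hidden, zero or one pixel frames, off-screen positioning) are assumptions of this example; the report only says the injected frames point to a malicious site.</p>

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page for this example (not from the report): two legitimate frames
# plus one injected, hidden frame pointing at a third-party host.
SAMPLE_HTML = """
<html><body>
<h1>Example store</h1>
<iframe src="/help/chat.html" width="300" height="200"></iframe>
<iframe src="http://video.example.net/player?id=42" width="640" height="360"></iframe>
<p>Thanks for visiting.</p>
<iframe src="http://in.example.net/in.php" width="0" height="0"
        style="display: none; visibility: hidden"></iframe>
</body></html>
"""
PAGE_HOST = "www.example.org"  # assumed host of the page being scanned


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

    handle_startendtag = handle_starttag  # also catch self-closing <iframe .../>


def _dimension(value):
    """Turn a width/height attribute ("0", "1px", "100%") into an int, or None."""
    v = value.strip().lower().rstrip("px")
    return int(v) if v.isdigit() else None


def is_hidden(attrs):
    """Heuristics (assumed for this example) for a frame the visitor cannot see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "position:absolute" in style and ("left:-" in style or "top:-" in style):
        return True  # pushed off screen
    for key in ("width", "height"):
        d = _dimension(attrs.get(key, ""))
        if d is not None and d <= 1:
            return True
    return False


def suspicious_iframes(html, page_host):
    """Return frames that are both hidden and point off the page's own host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src stays on our host
        if host != page_host and is_hidden(attrs):
            findings.append({"src": src, "host": host})
    return findings


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, PAGE_HOST):
        print("injected frame:", finding["src"])
```

<p>On the sample page only the zero-size, display:none frame to in.example.net is reported; the visible cross-site video embed and the same-host help frame pass. Either test alone would be noisy (plenty of pages legitimately embed third-party content, and plenty hide a frame for layout reasons), which is why the scanner requires both.</p>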
<p>Finjan’s report concludes by describing how botnets are no longer a “one-time asset for an individual cybercriminal.”  Now they have “evolved into a digital asset that cybercriminals can trade online – over and over again!”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/how-much-is-your-malware-infected-computer-worth/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Transparency and IT: The Federal IT Dashboard</title>
		<link>http://www.whatevercompliance.com/it-consulting/transparency-and-it-the-federal-it-dashboard/</link>
		<comments>http://www.whatevercompliance.com/it-consulting/transparency-and-it-the-federal-it-dashboard/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 13:08:57 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Consulting]]></category>
		<category><![CDATA[CIOs]]></category>
		<category><![CDATA[dashboard]]></category>
		<category><![CDATA[fiduciary responsibility]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[management frameworks]]></category>
		<category><![CDATA[office of management and budget]]></category>
		<category><![CDATA[project management]]></category>
		<category><![CDATA[Tim O'Reilly]]></category>
		<category><![CDATA[transparency]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=206</guid>
		<description><![CDATA[The new Federal IT dash board is a website where we, the American People, the investors if you will, are now able to see the performance of our investments in the US government.]]></description>
			<content:encoded><![CDATA[<p>If you run an IT organization and have not had a chance to look at the new <a href="http://it.usaspending.gov/">Federal IT dashboard</a>, take some time today and look at it. The transparency that our new Federal CIO, Vivek Kundra, built is great! We, the American people, the investors if you will, are now able to see the performance of our investments in the US government. I have always touted transparency for IT, and now, project by project, each CIO within the government is required to report progress on all of their projects to the public.</p>
<p>Amazingly, Vivek only gave the CIOs 30 days to get their information up to date and even more importantly, since the IT dashboard obtains its information from the Office of Management and Budget (OMB), the agency CIOs have to not only update the information but update it through the proper channels for it to be placed into the dashboard.</p>
<p>With one simple portal, Vivek has increased the use of the standardized project management frameworks in place throughout the government, increased the accuracy of information, and helped create a sense of urgency and fiduciary responsibility for each agency CIO, because their performance is now open for all to see. Much as with posting your review on the company bulletin board, we have long advocated that public access to information increases the chance that an employee will &#8220;do the right thing.&#8221; For example, we recommend that when you start deploying change management processes internally, any person who bypasses the change management controls and introduces an outage has their picture posted on a company wiki, SharePoint portal, etc. as the &#8220;wild wild west cowboy&#8221; who &#8220;caused the problems.&#8221;</p>
<p>A little bit of public humiliation may be just what we need to get the government&#8217;s IT projects back on track! Some examples:</p>
<ul>
<li>49% of the VA&#8217;s IT projects are behind schedule</li>
<li>41% of Department of Homeland Security projects have &#8220;significant concerns&#8221;</li>
<li>The Smithsonian Institution receives $60M and the majority of that investment goes to IT infrastructure maintenance</li>
<li>The DoE has had an almost 50% decrease in IT spending since 2002</li>
</ul>
<p>Oh, and in case you were wondering&#8230;many (over 30%) of the government&#8217;s IT projects are behind schedule or in need of serious help.</p>
<p>Check out Tim O&#8217;Reilly&#8217;s <a href="http://radar.oreilly.com/2009/06/radical-transparency-federal-it-dashboard.html">blog post about the Federal IT dashboard</a> for more information on how it was constructed and how it receives data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/it-consulting/transparency-and-it-the-federal-it-dashboard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Black Hat Business Plan&#8230;</title>
		<link>http://www.whatevercompliance.com/it-security/a-black-hat-business-plan/</link>
		<comments>http://www.whatevercompliance.com/it-security/a-black-hat-business-plan/#comments</comments>
		<pubDate>Tue, 30 Jun 2009 01:16:02 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[attacker]]></category>
		<category><![CDATA[blackhat]]></category>
		<category><![CDATA[business plan]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[penetration]]></category>
		<category><![CDATA[penetration test]]></category>
		<category><![CDATA[Richard]]></category>
		<category><![CDATA[Richard Bejtlich]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=192</guid>
		<description><![CDATA[TAO Security, Richard Bejtlich's excellent blog on digital security, posts a fictitious but all too real budget for a black hat. The point of Richard's post is that for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack.]]></description>
			<content:encoded><![CDATA[<p><a href="http://taosecurity.blogspot.com/">TAO Security</a>, Richard Bejtlich&#8217;s excellent blog on digital security, posts a <a href="http://taosecurity.blogspot.com/2009/06/black-hat-budgeting.html">fictitious but all too real budget for a black hat</a>. The point of Richard&#8217;s post is that</p>
<blockquote><p>&#8230; <strong>for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack.</strong></p></blockquote>
<p>This is a bold claim and one that I support 100%. I told some of my colleagues at McAfee years ago that we may see a situation in the near future where a talented penetration tester will have to choose between working for company A or company B, where the only difference between the two isn&#8217;t the benefits, salary, or health care but the &#8220;evilness&#8221; of the company. With so much money being made in the black hat world, the scenario Richard portrays is entirely real.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/it-security/a-black-hat-business-plan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HackersBlog – White or Black Hat?</title>
		<link>http://www.whatevercompliance.com/network-security/hackersblog-%e2%80%93-white-or-black-hat/</link>
		<comments>http://www.whatevercompliance.com/network-security/hackersblog-%e2%80%93-white-or-black-hat/#comments</comments>
		<pubDate>Mon, 29 Jun 2009 16:28:40 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Consulting]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[anonymous hackers]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[bitdefender]]></category>
		<category><![CDATA[breaches]]></category>
		<category><![CDATA[customer data]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[kapersky]]></category>
		<category><![CDATA[private customer]]></category>
		<category><![CDATA[security vulnerabilities]]></category>
		<category><![CDATA[security vulnerability]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=103</guid>
		<description><![CDATA[This is the controversy surrounding “HackersBlog.org” – a blog where anonymous hackers alert the public about security vulnerabilities. Each blog entry lists the site hacked, how the data was captured, and what private information is accessible.]]></description>
			<content:encoded><![CDATA[<p>Consider this: a hacker finds a security hole on your website that exposes hundreds of thousands of private customer records, including names, emails, and even passwords. The hacker does not steal this information. Instead, he quietly alerts you via email; but at the same time he makes the security vulnerability public information on his blog.</p>
<p>Do you: A) Thank the hacker for bringing the security vulnerability to your attention?  Or, B) seek legal action against the hacker who damaged your company’s reputation by alerting the public about your sloppy security?</p>
<p>This is the controversy surrounding “<a href="http://www.HackersBlog.org">HackersBlog.org</a>” – a blog where anonymous hackers alert the public about security vulnerabilities.  Each blog entry lists the site hacked, how the data was captured, and what private information is accessible.</p>
<p>The site made its first splash when a Romanian hacker named “Unu” hacked the databases of Kaspersky – ironically, one of the leading companies in the security and antivirus market. “Seems incredible but unfortunately, it’s true,” writes Unu, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”</p>
<p>The next target, which occurred the very next day, was BitDefender – another antivirus software company. Unu used SQL injection to show how easily data could be extracted.</p>
<p>In an official statement, Kaspersky denied the attack was successful. BitDefender called the hack an attack and portrayed it negatively even though “the action did not intend to steal information but simply show a vulnerability.” Usually when sites are hacked, the companies are left scrambling to put out the public relations fires.</p>
<p>So, alerting the website owner via email about the vulnerability he found? That sounds white hat enough. So why expose the flaw to everyone publicly on the Internet and wreck the reputation of that company? “If we just send an email, without making it public they would fix only that parameter that we announced,” says Unu, “and it is possible [for there] to be others too.”</p>
<p>It seems that HackersBlog owes its allegiance to the public and not to the companies who allow for these breaches in security. “I’m not a criminal, I [am] not a burglar,” says Unu, “You do the work of a [pentesting firm] that could test the security of the site or [sic] server at the request of the owner. The difference is that the firm makes this for a big sum of money, a very big sum of money, and we do it as a hobby, for pleasure, free, and most of the times we do that much better, but we don’t even get a simple ‘Thank you.’”</p>
<p>Leave me a comment and let me know what you think about this Hacker Blog site!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/hackersblog-%e2%80%93-white-or-black-hat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Will there be another Buffett?</title>
		<link>http://www.whatevercompliance.com/business/will-there-be-another-buffett/</link>
		<comments>http://www.whatevercompliance.com/business/will-there-be-another-buffett/#comments</comments>
		<pubDate>Mon, 29 Jun 2009 14:22:38 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[charlie munger]]></category>
		<category><![CDATA[enterprise network]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Kindle]]></category>
		<category><![CDATA[Michael Jackson]]></category>
		<category><![CDATA[Omaha]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=187</guid>
		<description><![CDATA[I am reading Warren Buffett&#8217;s biography Snowball on my Kindle 2 and it has been a great read so far. Buffett and his best friend, Charlie Munger, are amazing businessmen. I am about 30% through the book but I have noticed that the majority of Buffett&#8217;s early successful investments might be because of the fact that [...]]]></description>
			<content:encoded><![CDATA[<p>I am reading Warren Buffett&#8217;s biography <a href="http://www.amazon.com/Snowball-Warren-Buffett-Business-Life/dp/0553805096/ref=sr_1_2?ie=UTF8&amp;s=books&amp;qid=1246284742&amp;sr=8-2">Snowball</a> on my Kindle 2 and it has been a great read so far. Buffett and his best friend, Charlie Munger, are amazing businessmen. I am about 30% through the book but I have noticed that the majority of Buffett&#8217;s early successful investments might be because of the fact that information was not as easily available as it is now.</p>
<p>For example, news of the death of Michael Jackson spread throughout the Internet within minutes of the information being posted. Google went down, CNN was down, as was the LA Times website, because so many people were looking for the latest information. The velocity and availability of information today is amazing. With so much information available, is it possible for another &#8220;kid from Omaha&#8221; to find the gems of undervalued stocks that no one else sees? In the 1960s Buffett was visiting companies, researching, and making moves based on information that, although public, no one was able to easily find.</p>
<p>With everything being one search away, will we still have the capability to profit from the difficulty of finding information? I don&#8217;t have the answer, but it makes me wonder about the availability of data within our organizations. As searching becomes the new process to find information, enterprises will start deploying search engines internally that index and find data throughout the enterprise network.</p>
<p>Once that happens it will be a sweet pot of gold for an attacker =)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/business/will-there-be-another-buffett/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
