Archive for the ‘Network security’ Category

90% of exploited vulns had patches available for over 6 months

Tuesday, June 17th, 2008

Interesting report from Verizon that a friend sent me.

Verizon Business Data Breach Investigations Report - The 2008 Data Breach Investigations Report offers an objective view of data breaches directly from the casebooks of their Investigative Response team. More than 230 million records compromised over the four year period are represented – including about a quarter of publicly disclosed data breaches.

Verizon analyzed thousands of data points from over 500 investigations worldwide – including many never publicly reported. Here are just a few of their findings:

* 87% of cases could have been avoided with basic security measures.

* 66% of cases involved a system that the organization did not even know contained sensitive data.

* 39% of the breaches involved business partners.

* Breaches involving partners increased five-fold from 2004.

Data Breaches

* 73% resulted from external sources

* 18% were caused by insiders

* 39% implicated business partners

* 30% involved multiple parties

How the breaches occurred

* 62% were attributed to a significant error

* 59% resulted from hacking and intrusions

* 31% incorporated malicious code

* 22% exploited a vulnerability

* 15% were due to physical threats

What was common?

* 66% involved data the victim did not know was on the system

* 75% of breaches were not discovered by the victim

* 83% of attacks were not highly difficult

* 85% of breaches were the result of opportunistic attacks

* 87% were considered avoidable through reasonable controls

“2004 through 2007, 90% of the vulnerabilities exploited (leading to a breach) had patches available for at least 6 months prior to the incident”


Speaking at NetSecure ‘08

Tuesday, March 18th, 2008

I will be speaking on the professional development trends in malware at the annual NetSecure conference put on by IIT. Hopefully some of the readers can make it out. It is a great event. The info is below:

IT Security and Forensics Conference and Expo
http://www.cpd.iit.edu/netsecure08
Wednesday, March 26, 2008
Illinois Institute of Technology in Wheaton, Illinois

Join us for NETSECURE’08: The 6th Annual IT Security and Forensics Conference and Expo. This multi-track technical conference is attended by 200+ IT professionals and will promote the open exchange of IT security and forensics information. Register now at http://www.cpd.iit.edu/netsecure08

Current Conference Presentations Include:

* “Annual CompTIA security research: Trends and strategies for information security” Carol Balkcom - CompTIA

* “Cellular Wireless Key Management” Alec Brusilovsky - Alcatel-Lucent

* “Microsoft Security - Growing up and Enterprise Ready” Cordell Crane - Microsoft

* “Microsoft Security - Hands on approach with tools for Threat Modeling, Code Review and Discovery” Ken Anderson - Microsoft

* “Professional Development Trends within Malware” Michael Davis - Savid Technologies

* “Network Security: What You and Your Skills Are Worth” Bob Fanelli - Robert Half Technology

* “Securing Windows - A Monumental Task?” Mike Fekety - Performance Technologies

* “Building a Secure Storage Internet” Chris Gladwin - CleverSafe

* “Do the Work Once: Harmonizing Compliance and Security Objectives” Bonnie Goins

* “The Role of Penetration Testing in Security Audits” Jeff Groman - Akibia

* “Penetration Testing: Let me probe your ports” David Kennedy - SecureState

* “Combating Insider Threats on Databases” Carl Kettler - Application Security, Inc.

* “Computer Security at Fermilab” Frank Nagy and Tim Rupp - Fermi Lab

* “Building a Linux Custom Firewall” Venkat Nandam

* “Security and Control Issues within Relational Databases” David Ogbolumani - SunGard

* “Data: How much is there, and where is it at?” John Pascoe - FBI Regional Computer Forensics Laboratory

* “Best security practices for Voice Wireless LANs” John Poust - IEEE ComSoc

* “Virtualization Security and Best Practices” Rob Randell - VMware

* “Out-Of-Band authentication using a real-time, multi-factor service model” Andy Rolfe - Authentify

* “Fighting Spam: Tools, Tips, and Techniques” Brian Sebby - Argonne National Laboratory

* “SSH” Hemant Shah

* “Multi-Factor Authentication Solutions: An Overview of Regulations, Vulnerabilities, and the Latest and Best Authentication Options” Bob Thompson - Catalyst

* “A New Model for Business Contingency Operations” Raymond Trygstad - Illinois Institute of Technology

* “Identity and Access Management” Kevin Wang - Crowe

Details:

Date - Wednesday, March 26, 2008

Attend - $95 (includes breakfast, lunch, cocktail party, and conference tote bag and materials)

Exhibit - $325 (includes 2 free attendees)

Sponsor - $300-750 (includes 1-2 free attendees)

Register - www.cpd.iit.edu/netsecure08

Location - Illinois Institute of Technology’s Rice Campus in Wheaton, Illinois

Sponsors Include:

High Tech Crime Network (HTCN), Authentify, Inc., Microsoft, onShore Networks / Fortinet, SunGard Availability Services, IBM Rational, Project Leadership Associates, Robert Half Technology, Other World Computing, SecureState, CTH Technologies, Inc., Security Services & Technologies, Catalyst Technology Group, Inc., Equivus, W.W. Grainger, Inc., CIMCO Communications, CIMCOR, Inc., Hegemony Consulting, Neohapsis, Inc., X-Ways Forensics, CompTIA Security+ Certification Program, Savid Technologies, Inc., ChicagoCon / The Ethical Hacker Network, UniForum, IEEE, and CPD.


Why Information Security is Important

Monday, March 10th, 2008

Here is a great quote from Dan Geer, VP and Chief Scientist at Verdasys, that my friend, Shane Macaulay, recently emailed me:

“The central truth is that information security is a means, not an end. Information security serves the end of trust. Trust is efficient, both in business and in life; and misplaced trust is ruinous, both in business and in life. Trust makes it possible to proceed where proof is lacking. As an end, trust is worth the price. Without trust, information is largely useless.”

Dan is right on as usual. I am constantly preaching about the security “process” to our clients and to audience members when I speak. Like trust, security is a process, not a single event. In life, I don’t believe anyone simply decides they trust someone and then always trusts that person implicitly; rather, they constantly test and verify the trust and ensure it is still as high as it was before.

This process, applied to IT Security, is why we need to have metrics and plans in place within an enterprise. Enterprise security teams must Trust but Verify.


Drive-by-Downloads aren’t just from porn

Monday, February 18th, 2008

Many people think that the majority of the malware on the Internet comes from so-called “bad” sites such as porn, gambling, dating sites, etc., causing what is termed a “drive-by download”, where an unsuspecting user visits a site that looks legitimate but actually silently downloads and installs malware on the PC. A recent Google report shows that it isn’t just porn sites that are causing malware drive-bys.

Niels Provos, a friend and great researcher, posts on the Google Online Security Blog that of the 7 million URLs they searched and cross-referenced within DMOZ (an open directory of websites), every DMOZ category contained a malicious website that did a drive-by download. That’s right, attackers realize that people look at more than just porn on the Internet and have adjusted their sites to cater to pretty much any type of content.

Why is this important? Well, it goes to show you that limiting Internet access (read: web content filtering) for your corporate users based on a couple of simple categories isn’t going to prevent malware from firing a drive-by on one of your workstations. You still need to implement a defense-in-depth strategy and have other technologies helping prevent the drive-by malware attack.

Source: http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html


Code Review…In the real world

Tuesday, February 5th, 2008

I saw this image on Veracode’s blog and it is very true! Sadly though, many managers take the number of WTFs, start yelling WTF (Who the F**k), and place blame rather than realizing that it is usually the process and the lack of developer education that cause problems, not the developers themselves. I have seen that when an effective Secure SDLC is implemented and blame is not thrown around, you really do get a reduction in security bugs.

Source: http://www.veracode.com/blog/?p=77


Data breach worse than originally thought

Wednesday, January 23rd, 2008

My post last week about Iron Mountain losing a backup tape from GE Money and losing the information on 650,000 consumers wasn’t the full story. Robert McMillan, IDG News Service, announced today that 230 different retailers had information on the tapes and it has been confirmed the tapes were not encrypted. There is just no excuse for lacking backup encryption in enterprises today.

If you don’t have backup encryption right now, stop what you are doing and get your Backup Admin in your office and get a project plan together to get encryption on your backups.


The rules of IT consulting are changing

Monday, January 21st, 2008

From where we are sitting, things are changing. IT buyers are starting to understand that what technology needs to “support” is the fastest and most efficient way for the company to create and deliver value.   It’s not enough for developers to know how the tech tools work; they need to be able to connect with the managers who decide the value the tools should be used to create.  IT projects on this landscape have some distinctly different characteristics than they did in the era of “back-office big iron.” Below is an incomplete list of some of these characteristics.  If you have ideas or additions to this list, please send them over.

  • Connect, don’t build – Back in the day, there was really a decision to be made about whether to build new functionality in-house or to buy a package and customize. That’s occurring much less now, given the proliferation of special-purpose software engines, stacks, connectors, config templates, etc. available on the network.  Microsoft is not the only giant to have decided that the future is not software-AS-a-service, but rather software-AND-services, sometimes a little thicker on the client, sometimes on the server.  The emerging default strategy is becoming “connect, don’t build.”  As high-speed network connectivity has become more ubiquitous and reliable, this strategy is taking root in some expected places (Amazon’s S3 storage service; SalesForce App Exchange) and in some not so expected places (Amazon’s Elastic Compute Cloud, where processing itself can be scaled up or down as needed).

  • There is no perimeter – If you question whether the behavior preferences of knowledge workers today are really all that different from the era of back-office “big iron,” look at the discipline of data security.  Back when accessing remote files or logging into your desktop remotely was still slightly exotic, strengthening the “perimeter” of the infrastructure made some sense.  But now, with workforces more dispersed, applications themselves decentralized, near-real-time data feeds informing corporate dashboards with timely performance stats, how would  you even define “inside” and “outside?”  

  • Iterate – Software companies certainly didn’t invent the concept of launching 80% (60%?) products and iterating their way to full-featured releases, but they may have  perfected it.  Now that  so much business innovation is offered and delivered (and consumed!) via technology, corporate reputations rest not just on launched products, but on their whole  value-creating mechanism itself – how fast do they correct minor flaws, what is their response to customer service issues for their product, how respectful are they of their own installed base of previous versions, etc.   Iterative loops minimize the errors in the final software; the emerging best practice for large-scale projects is to build the project plan as a series of small pilots, for exactly this reason. In many cases now, iteration is largely done “without a net.”  Releases that might once have stayed in private beta for months are now released to carefully warned enthusiasts, and passion drives the feedback loops. Ever noticed how long a new Google app is “in beta?”   

  • Insulate – Really the watchword of data security in this age of content-led innovation. This is what replaced the concept of perimeter security – “jacketing” the content itself with access provisions, permissions, encryption, proprietary formatting, etc. that protect it from falling into the wrong hands at the wrong time, in the wrong form, for the wrong duration.

  • If you cannot prevent it, you must detect it – The essential follow-through of any data technology professional today.  Not every threat can be identified and not every breach proactively defended.  What can occur, though, is intelligent and creative sensing of intrusion, with or without disturbance, and protective isolation of the most sensitive data.

What IT consulting learnings are your feedback loops bringing you? Come to http://www.whatevercompliance.com/it-consulting/the-next-threshold/ and add them to the list.


Well it was here a minute ago…

Thursday, January 17th, 2008

GE Money just announced that Iron Mountain, the leader in off-site backup storage, lost one of their backup tapes. It wasn’t checked out of Iron Mountain, but they can’t find it either…oops. An oops that could cause some pain for potentially 650,000 people. Naturally, GE says there was no indication of theft or fraudulent activity, and they don’t mention if the tape was encrypted or not. (I am guessing not.)

GE Money is saying that SSN’s, Credit Card information, address, and more could be on the tape. GE is going to pay for a year of credit monitoring for all of those they think might be on the tape.

I wonder how their Risk Assessment meetings went at GE…”We don’t need to worry about encryption, we ship our backups off-site to Iron Mountain.”

Many of the customers affected were J.C. Penney customers, a clothing retailer that relied upon GE Money to implement their credit card delivery and processing. Penney will receive some bad press about the incident and it wasn’t even their fault.

Hey, at least it wasn’t as bad as the TJ Maxx breach, right?


Desktop Search - How Content is changing the security landscape

Monday, January 7th, 2008

I have been an avid user of Desktop Search tools since their inception in 2003/2004. I have used Lookout, Google Desktop Search, and MS Desktop Search, and am now a user of X1. These tools have gotten progressively better over the years, with the exception of Google Desktop Search, which was built to destroy hard drives as it does nothing but thrash your hard drive.

For example, I have 4.5 GB of email. I pretty much save everything and use search to retrieve emails. I don’t organize very much except in high level buckets like Company name etc. I had to move from Microsoft’s Desktop Search, which is integrated into Vista, to X1 because the indexing was severely slowing down my laptop. A 5400RPM hard drive that is constantly being accessed is death to a power user like myself. X1 though seems to handle things VERY well and integrates into Outlook with the use of an integrated tool bar. (FYI, go get X1 if you haven’t tried it yet)

I recommend Desktop Search to everyone because it allows you to stop focusing on “where to place this email” to “what was the content of the email about”. Searching for partial phrases, parts of attachments etc, that your mind remembered from months ago will find the email thread in less than a second. An amazing time saver.

Why is this important? It got me thinking that Desktop Search is a great example of the move to content from rigid structure. Google is the leader with their “we want to index everything” approach to business, and you can see how it is paying off financially while introducing many security-related concerns. Security is going to move into this content-focused world as well. In the next few years we will see more application “vulnerabilities” that are exploited by social engineering the user (which is a content change, right?), as malware and phishing do, than by bypassing a program’s structure, as a buffer overflow does. The ability of an application to contain malicious content will become the vulnerability.

Malicious content, sadly, is much harder to detect than a structure violation. A structural violation can be compared against a baseline or standard where anomalies are easily seen. Malicious content, however, is all about intent - something that humans have had a hard time analyzing for thousands of years. You may think some content is malicious and others may not, so who gets the deciding vote?

The Indexing and Searching of Content is changing the world and you should start recognizing the high risks of the content within your applications, databases, and file servers.


What framework should you pick?

Friday, January 4th, 2008

I am commonly asked questions such as “Do you prefer COBIT or ITIL?” or “We really like the benefits of framework X, but there is so much more readily available for Y; what do you think?”

In 2007, the Global Information Security Survey, which represents 5,555 overall respondents covering all regions of the world, had the following to say (percentage of respondents using each framework):

  Framework                   Overall   North America   Europe   Asia
  ITIL                          45%          43%          50%     46%
  COBIT                         25%          32%          27%     19%
  BS7799 / ISO17799 / 27001     36%          29%          43%     39%
  SAS 70                        18%          28%          11%     13%
  PCI                           23%          34%          17%     18%

It looks like ITIL comes out on top. I think this is mostly due to the fact that ITIL has a lot of literature available in the market and there are many people who have used it, so it is easier to implement for some organizations.

Source: CSO Magazine
