
The Hitlist: Compliance

The Hitlist is a new series where we will attempt to provide a quick list of security considerations for a particular technology or initiative within an organization.  Our first post will be on compliance.  What we mean is that if your organization is attempting to become compliant with an industry standard or regulation such as PCI-DSS, HIPAA, ISO27k or FISMA, these are things that will have to be considered and more than likely implemented across the board.  Here is the hitlist of things to consider when planning to meet a compliance standard:

1. Patch Your Stuff

Everyone hates having to patch their servers and network devices every month or so.  This might be the most basic security requirement for maintaining network security.  You must patch not only operating systems, but also software applications such as Adobe and Java.  We often see anywhere from 20-60% of the vulnerabilities on a network rated critical or high, and usually 50-80% of those are in Microsoft, Java or Adobe products.  If you don’t do this on a regular basis, it’s time to start.

2. Risk Assessment

How do you know what to protect if you don’t know where your risks are?  A risk assessment will evaluate your biggest gaps and your biggest liabilities.  This will allow your organization to focus its efforts where the most impact can be made quickly.

3. Data Classification

You need to know what your data is and where your data is.  If only a small portion of your data contains sensitive information, then all of your data doesn’t need to be under the same scrutiny.  You need to identify what the sensitive data is so that you can identify where that data is.  Once you know where it resides, then you can put controls and processes in place to protect it.  Additionally, it is essential to have policies and procedures in place so that all this information is documented.

4. Network Monitoring/Testing

Many compliance standards require annual penetration testing and vulnerability assessments.  Additionally, tools should be in place to monitor the network in real time: antivirus, intrusion detection/prevention (IDS/IPS), enterprise-class firewalls and Data Loss Prevention (DLP).  The extent of the required real-time monitoring will vary with the budget of the organization, the requirements of the compliance standard and the type of data being protected.

5. Data Encryption

Do you have sensitive data?  It needs to be encrypted now.  Whenever it moves (email, ftp, file shares) that communication needs to be encrypted.  Whenever it’s at rest (USB drives, file shares, desktops, mobile devices) it needs to be encrypted, no exception.  Industry standard, strong encryption is the only sure way to make sure that if portable media is lost or stolen, prying eyes can’t read the data.

6. User Training

Most standards require annual security training.  It is also just a good practice for any organization.  How many of your users can recognize a phishing email?  How many users have their guard up for a phone call asking them to give up sensitive information?  Users need good reminders on basic security tenets.

7. Authentication

Why lock your doors if the key is hanging on the wall?  Not only do strong and unique passwords need to be enforced (this includes the C-suite), but 2 factor authentication needs to be strongly considered, especially for access to sensitive data.  If 2 factor authentication is available, then the complexity requirements on passwords can drop a notch (that doesn’t mean 6 characters with no special characters).  An ideal corporate authentication strategy for standard users would be 8-12 characters including numbers, letters and special characters, a password history of at least 10, and 2 factor authentication on top.  For users with direct access to sensitive data or with technical administration roles the requirements should be stricter.
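The standard-user policy above (letters, numbers and specials, a history of at least 10) as a small enforcement routine. This is an added example, not code from the original post; the 8-12 character range is treated as a minimum length, and the "admin" profile is an assumed instance of the stricter requirements the post calls for.

```python
import hashlib
import hmac
import os
import re

# Policy profiles from the post: standard users need 8+ characters with letters,
# numbers and specials plus a 10-password history. The "admin" profile is an
# assumed, stricter setting for privileged and sensitive-data users.
POLICIES = {
    "standard": {"min_len": 8, "history": 10},
    "admin": {"min_len": 14, "history": 24},
}

def _hash(password, salt):
    # Salted PBKDF2 so the history store never holds reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(password, role, history):
    """Return the list of policy violations; an empty list means acceptable.

    history is a list of (salt, digest) tuples for the user's previous
    passwords, most recent first, as produced by record_password().
    """
    policy = POLICIES[role]
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"length must be at least {policy['min_len']} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("missing a letter")
    if not re.search(r"[0-9]", password):
        problems.append("missing a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing a special character")
    # Only the most recent N entries count, so the history depth is the policy's.
    for salt, digest in history[:policy["history"]]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append("reused a previous password")
            break
    return problems

def record_password(password, history):
    """Store a new password's salted hash at the front of the history."""
    salt = os.urandom(16)
    return [(salt, _hash(password, salt))] + history
```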

8. Separation of Duties

Have you ever seen the movie where they are about to launch the nuclear missiles and it requires a code and 2 keys?  They do that so that no single person can launch a nuclear missile.  The same is true for network administration.  Your network admins should not be using their standard user accounts for performing administrative functions.  They should have separate accounts for remote access, email access and workstation access from the accounts they use to manage the network.  There are exceptions based on the magnitude of the operation (adding users, joining a computer to the domain, etc.).  I have seen too many organizations where a system administrator has a standard account that is a member of the most privileged groups in the domain and also uses that account for remote access.

9. Centralized Logging

This one isn’t a requirement for all standards, but it is for some, and it is essential to know what is happening in your network.  Centralized logging allows you to find information about a security incident without having to look through 15 different sources.  Additionally, there are tools that add analytics and correlation on top of those logs and turn them into intelligence.  What if you could know that a user account was attempting to log into your network from multiple cities or countries?  This is how you reduce the mean time to discovery of a breach from 87 days to just a few days.

10. Physical Security

If you have everything else buttoned up but leave the back door open, it doesn’t matter.  You need to know when people come and go, you need to be able to see when people come and go, and you need to know where your assets are.  Electronic key cards, video surveillance and asset management are essential to a robust network security program.

11. Auditing

You can theorize about how good you are, make educated guesses and read a bunch of studies, but until you have a third party measure your compliance against your policies and your standards, you won’t know.  Most standards call for ‘periodic review,’ but put it this way: how will you ever know if you are compliant without having someone look?


Trustwave Global Security Report 2014: An Overview

The Trustwave Global Security Report for 2014 was recently released.  There are a number of very useful and insightful statistics in this report, which we can corroborate, based on our assessments of numerous organizations’ networks.  We wanted to highlight a few of these statistics below:

Top 10 Internal Network Penetration Test Vulnerabilities

– which include weak passwords, shared accounts, and unencrypted storage

Top 10 External Network Penetration Test Vulnerabilities

– which include default SNMP strings and weak passwords:


Top 10 Web Application Vulnerabilities

– including path traversal, authentication bypass, SQL injection, unencrypted pages and XSS, just showing that the OWASP top 10 is alive and well


Passwords were the cause of a compromise 31% of the time

– it’s time to start upping the requirements for password length and complexity


Criminals relied most heavily on Java applets as a malware delivery method

– Java and Adobe often have the top number of vulnerabilities when we assess an organization. Patch schedules for these products are essential.


71% of victims did not detect a breach themselves

– who wants their client notifying them of a breach?  It’s time to implement defense-in-depth strategies with IDS/IPS protection and SIEM solutions


67% of victims were able to contain a breach within 10 days of discovery; however, the median number of days from intrusion to detection was 87

– organizations just need to know it happened; in general they can handle the situation well once they know


Top Intrusion Indicators Include:

anomalous account activity, unexplained or suspicious outbound data, new and/or suspicious files dropped, geographic anomalies in logins, registry changes, log tampering, anti-virus tampering, services added/stopped/paused and more

– learning to recognize these signs or implementing tools that correlate these types of events can help in self detection
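The Centralized Logging item in the Hitlist post above asks how you would know that one account is logging in from multiple cities, and the indicator list here names geographic anomalies in logins. The following is an added example (not code from the original posts or from the Trustwave report) of that correlation run over constructed login records; it assumes the log collector has already resolved each source IP to coordinates and a city.

```python
import math
from datetime import datetime

# Constructed sample of successful logins as a central log collector might
# normalise them: timestamp, user, source IP, lat,lon the collector resolved
# for the IP, and city. All values are made up for this example.
SAMPLE_LOGINS = [
    "2014-05-20T08:02:11Z alice 203.0.113.10 40.7128,-74.0060 New York",
    "2014-05-20T08:45:39Z alice 198.51.100.7 51.5074,-0.1278 London",
    "2014-05-20T09:10:02Z bob 203.0.113.44 40.7128,-74.0060 New York",
    "2014-05-20T13:30:00Z bob 203.0.113.45 39.9526,-75.1652 Philadelphia",
]

MAX_SPEED_KMH = 900.0  # faster than this between two logins is implausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_login(line):
    ts, user, ip, latlon, city = line.split(" ", 4)
    lat, lon = (float(x) for x in latlon.split(","))
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "lat": lat, "lon": lon, "city": city}

def find_impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, implied_speed_kmh) for every pair of
    consecutive logins by one user that would require implausible travel."""
    last_seen = {}  # user -> that user's previous login record
    alerts = []
    for rec in sorted((parse_login(line) for line in lines), key=lambda r: r["time"]):
        prev = last_seen.get(rec["user"])
        if prev is not None:
            hours = (rec["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            # Any distance covered in zero time is treated as infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if km > 1.0 and speed > max_speed_kmh:
                alerts.append((rec["user"], prev["city"], rec["city"], round(speed)))
        last_seen[rec["user"]] = rec
    return alerts

if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {user}: {src} -> {dst} implies {kmh} km/h")
```

Bob's New York to Philadelphia hop four hours later is ordinary commuting speed and stays silent; Alice's New York to London hop inside 45 minutes is flagged.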


Over 13 client-side zero-day vulnerabilities were actively exploited in 2013

– again, it is essential to have a patching procedure for third party plugins and apps


78% of detected exploits were Java related


Botnet analysis showed a continuing trend of using common and compromised passwords across multiple sites

– consider auditing for passwords that should not be allowed in your organization


Microsoft SQL Server was the only database that did not experience any known vulnerabilities in 2013


Android and iOS both had a number of vulnerabilities

– don’t assume one platform is more secure than another based on its reputation; make sure all of your mobile devices are managed


In conclusion, I suggest everyone take a look at this report and take note of some of the recurring elements in any of these reports.  Organizations need stronger passwords and they need to patch their stuff.  Those two steps alone will mitigate a number of risks.

You can download the full report here.


Study: Cost of Data Breaches Increasing

A study published by the Ponemon Institute, and sponsored by IBM, reported that the average total cost of a data breach increased 15% in the last year to $3.5 million, or $145 per record containing protected information.  The study included participants from 314 companies in at least 10 countries.  There are a number of key facts that the study shows regarding factors that reduce the cost of a breach, as well as factors that increase it.  The study found that appointing a CISO, maintaining a business continuity management program and developing an incident response program can reduce the cost per record of a data breach.  It also found that, on average, organizations have a 22% chance of a breach of 10,000 or more records over the next two years.

Change in cost per record based on organizational factors.



The study found that only 38 percent of companies have a security strategy to protect their IT infrastructure, while 45 percent have a strategy to protect their information assets.  Considering that the study also found the highest percentage of breaches was due to malicious or criminal attack, it would seem that organizations may need to rethink their budgets.


The industry where the breach occurs also has a direct effect on the cost.  Heavily regulated industries, like healthcare, had the largest cost per breach.  The overall average cost of a breach was $145/record.


At first glance, the report appears to address what we all already know, but I think it does a good job at pointing out some key pieces of information:  Where should I spend my money?  Where should I focus my efforts?  Am I at risk?  I believe it is worth a read.

Download Report


Microsoft Security Bulletin: May 2014

Critical Updates: 3

Important Updates: 6

Of the 3 critical updates, all three are likely exploitable according to Microsoft.  Our recommendation is to install all three patches, one of which is the recent out-of-band patch for the Internet Explorer zero-day.  Note: Some of these updates do require a restart.

Some of the vulnerabilities, such as the one in Microsoft SharePoint Server, have a more limited scope than the memory corruption vulnerabilities in Internet Explorer addressed by the IE updates.  The IE vulnerabilities are more likely to be exploited and will impact many more devices.

For more information:




eBay Asking Users To Change Passwords

eBay will be forcing users to change their passwords later today, according to their announcement.  According to the announcement, employee credentials were stolen and used to access internal databases containing “customers’ name, encrypted password, email address, physical address, phone number and date of birth.”  The theft was not discovered until a couple of weeks ago even though it took place nearly 2 months ago.  This is another example of why proactive log monitoring and correlation is essential for organizations with any type of sensitive data.  As the data breaches continue, Target is quickly finding itself in good company.

eBay says that passwords were encrypted, but as the breaches have continued to pile up, we have seen time and time again that organizations’ definitions of encrypted passwords are loose at best.  We have no choice but to assume the passwords are compromised.  Not only should people change their eBay password, but also the passwords for any other accounts that use that same password.

“Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.”

Users need to be vigilant for phishing emails purporting to be from eBay and make sure of the legitimacy of the email.


Apple iOS and Email Attachment Encryption: A Question of Compliance

UPDATED: 7/1/2014 Apple has released iOS 7.1.2, which is supposed to resolve the issue where a user can access unencrypted mail attachments.  We recommend updating all Apple mobile devices as soon as possible.

It was reported a few days ago by Andreas Kurtz that, since iOS 7.0.4 and up to and including the most recent Apple iOS 7.1.1, email attachments in the native mail client are not encrypted.  He was able to access these files even though the device’s disk is encrypted.  What does this mean for compliance?  How many users are emailing patient information (HIPAA), finance data or other protected data thinking that their devices are encrypted and the data is protected?

I have reached out to a number of MDM vendors to find out if there are any known mitigation techniques.  I will update this post once I have them.  For now the only suggestion I have heard or have come up with is to stop using any native clients.  I am trying to confirm if containerization resolves the problem.

RECOMMENDATION: Require and enforce passcodes of at least 6 characters on an iPhone, especially in a corporate environment.  If you are sending or receiving sensitive information, do not use an iPhone 4, for which a method to jailbreak without a passcode is available.

UPDATED: I have received word from one vendor that containerization will solve the problem.  I have not tested this myself, but I assumed it would be the case since the containers are not utilizing the native client.  This could be a huge issue for organizations that use MDM solutions that do not use containers.

UPDATED 5/9/2014: Apple released a statement reported by iMore: “We’re aware of the issue,” an Apple spokeswoman told iMore, “and are working on a fix which we will deliver in a future software update.” This is well and good, but considering Apple’s history of releasing fixes, it could take some time.  Additionally, security researchers Adam Engst and Richard Mogull suggested that the scope of the vulnerability is limited.  According to their article, physical access to the device is required, which we knew, but with a strong passcode the device would still be protected because the passcode would need to be known before the data could be accessed.  This is good in theory, but in practice, most consumers that I know do not utilize a passcode, and many organizations lack an MDM solution.  Of those that do have an MDM solution, very few require PIN codes over 4 characters, which still leaves the device very susceptible to guessing.

UPDATED 5/21/2014: A proof of concept for an untethered jailbreak of an iPhone 5c running iOS 7.1.1 was reported via CNET.