J Wolfgang Goerlich's thoughts on Information Security
Learning the wrong lesson from DigiNotar

By wolfgang. 23 September 2011 12:51

DigiNotar declared bankruptcy this week, following a high profile attack that led to malicious certificates being issued. Some five hundred certificates were issued, for everything from Google, to Twitter, to Microsoft, to the entire *.com and *.org namespace. Major browsers quickly removed DigiNotar's root from their trusted root stores, thus protecting folks from these rogue certificates. And then DigiNotar was no more.

People are already saying this proves that IT security breaches put companies out of business.

I believe that is the wrong lesson.

Let's take four companies with high profile breaches: DigiNotar, Distribute.IT, Sony, and TJX. DigiNotar went bankrupt. Distribute.IT? Shuttered. Sony is back to business (handling it with an update to their SLA). TJX is unaffected.

So why did TJX survive? At first, this does not make much sense. But consider the attack as it relates to impact to the organization's mission.

TJX is in retail and has reasonably deep pockets. The attack did not so much as ruffle its ability to sell product. Save for a dip during the fallout from the attack, TJX did not suffer economic harm.

Sony is in the business of providing access to its services. Though the attack was not necessarily about availability, the attack severely affected Sony's ability to reach the customer. They have deep pockets, however, and are making their way back. The reasoning behind the updated service level agreement and terms and conditions is to minimize the cost exposure of future breaches.

Distribute.IT was in the hosting business. Their job was to keep other companies' sites online, available, and protected. The attack was an availability attack that was made worse by mismanagement of data backups. Distribute.IT, without the cash reserves and without any means to get back to business, was dead in the water.

The attack on DigiNotar struck right at the heart of their business. The mission of a certificate authority is to safeguard certificates and ensure issuance only to legitimate entities. We are talking about reliability and authenticity attacks against a company that markets a reliable and authentic security service. Further, due to DigiNotar's limited reach (fewer than 2% of SSL hosts), there was little risk for the browser makers to remove DigiNotar's root.

The lesson here is security controls must be framed within the context of the organization's mission. Breaches can be weathered if the impact is low or in an area outside the core mission. Security breaches only put companies out of business when controls are not appropriately geared to the organization and when the financial impact is serious.

Tags:

Operations Security | Risk Management | Security

Cord Blood Registry breach - encryption controls and media controls

By wolfgang. 11 March 2011 17:45

Backup Files Put Database Information At Risk
Cord Blood Registry breach a cautionary tale in the need for encryption, key management, and secure physical transport of database back-up media.

Kelly explains that step No. 1 to keep this database information secure is implementing strong encryption practices and key management. J. Wolfgang Goerlich, a network security manager at a financial services firm, concurs. He says the risk of misplaced backup information is at the top of his list of worries.

"Encryption is the No. 1 control to prevent scenarios such as the Cord Blood Registry breach. Encryption does require time for configuration and ongoing maintenance, but it has a very low fixed cost," Goerlich says. "In the Cord Blood Registry scenario, there were three areas that should have been encrypted: the laptop hard drive, the database backup file, and the LTO4 backup tapes. If encrypted, the stolen media would be all but useless. The personal information of 300,000 people would be unreadable and unrecognizable."

He also believes organizations need to do a better job instituting tape media procedural controls as well. "These ensure that the storage tapes are transported in a manner that is physically secure. From the initial reports, it looks like Cord Blood Registry did not have these in place," he says. "A solid procedure would prevent transporting sensitive backup tapes using an employee's vehicle and prevent leaving those tapes unattended in a parking lot."

Tags:

Encryption | Operations Security | Physical Security | Security

Google and China, Internet Explorer and Aurora

By wolfgang. 19 January 2010 18:06

Google’s announcement that it is pulling out of China over continued hacker attacks has highlighted problems in Internet Explorer. Wired has an article in which Dmitri Alperovitch says of the Google attacks: "We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack."


McAfee’s CTO blog breaks it down further and gives the name Operation Aurora to the attack. Technical details on "Operation Aurora" exploit and payload are on McAfee Labs Blog. McAfee will be hosting a webinar on Thursday to discuss the exploit and attack. Meantime, for those of us who like to play with Aurora, HD Moore recreated the exploit for Metasploit.


One concern that I have is script kiddies downloading and running the exploit across anything they can get their hands on, particularly in light of the press.


I wager many of you (like me) have to use Internet Explorer for business purposes. So please note that the current "Aurora" public exploits do not work if you are running IE8 with DEP enabled. If you are running older versions of IE, you might consider upgrading while Microsoft prepares the patch.

There is a rumor that the exploit could be modified to bypass DEP. Such a modified exploit is currently not publicly available. It will take some time for a modified exploit to be developed, which should give Microsoft time to patch.
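To see which machines the advice above still applies to, here is a posture check written for this post (it is not part of the original article): it reads the installed IE version from the registry and the system DEP policy from WMI and reports hosts that are either on a pre-IE8 build or have DEP switched off. The registry key and WMI class are real; the function names and the 'Exposed' wording are mine.

```powershell
# Added example, not from the original post: IE version plus DEP policy check
# for the "IE8 with DEP enabled" mitigation discussed above.
function Get-IEVersion {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # IE 10 and later keep 'Version' at 9.x and record the real build in 'svcVersion'.
    if ($props.PSObject.Properties['svcVersion']) { return [version]$props.svcVersion }
    return [version]$props.Version
}

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Test-AuroraPosture {
    $ie  = Get-IEVersion
    $dep = Get-DepPolicy
    $findings = @()
    if ($ie.Major -lt 8)              { $findings += "IE $ie installed; upgrade to IE8" }
    if ($dep.Policy -eq 'AlwaysOff')  { $findings += 'DEP is disabled system-wide' }
    if (-not $dep.HardwareDepAvailable) { $findings += 'Hardware DEP not available on this host' }
    # Under OptIn only system binaries and processes that opt themselves in (as IE8
    # does on supported Windows versions) are covered; AlwaysOn covers every process.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        IEVersion = $ie
        DepPolicy = $dep.Policy
        Exposed   = ($findings.Count -gt 0)
        Findings  = ($findings -join '; ')
    }
}

Test-AuroraPosture | Format-List
```

Run it under an account that can read HKLM and query WMI; the output object can be collected across a fleet with Invoke-Command and filtered on the Exposed field.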

Tags:

Operations Security | Security

Matriux - Penetration Testing from Hyper-V

By wolfgang. 13 December 2009 20:18

Matriux is a vulnerability assessment / penetration testing Linux distribution. The team's beta release was at the beginning of this month, and I have been playing around with the distro for the past couple of weeks. What can I say? I am a sucker for Latin mottos ("Aut viam inveniam aut faciam" or "I shall find a way or make one") and for cleanly laid out VA/PT toolsets.

The bonus, for those running Hyper-V, is that Matriux is Kubuntu based and comes with the Jaunty kernel (2.6.28-13-generic). Setting up a Hyper-V security appliance is as simple as creating a VM, using the legacy network adapter, skipping the hard drive, and booting off the downloadable ISO. Matriux works right out of the box within Hyper-V.
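The Live CD setup described above, scripted as an added example (not the post's own steps, and not from the Matriux project). It assumes the Hyper-V PowerShell module from Windows Server 2012 / Windows 8 or later, which did not exist when this post was written, an existing virtual switch named 'External', and the ISO path shown.

```powershell
# Added example: build the Matriux Live-CD appliance the way the post describes
# (generation 1 VM, no virtual disk, legacy network adapter, boot from ISO).
param(
    [string]$VMName     = 'Matriux-LiveCD',
    [string]$IsoPath    = 'C:\ISO\matriux-0.9.4.iso',  # assumed path to the downloaded ISO
    [string]$SwitchName = 'External'                   # assumed existing virtual switch
)

if (-not (Test-Path -LiteralPath $IsoPath)) {
    throw "ISO not found: $IsoPath"
}

# Generation 1 VM with no VHD: the Live CD runs entirely from the ISO and
# nothing is persisted between boots, which is exactly what we want for a demo box.
$vm = New-VM -Name $VMName -Generation 1 -MemoryStartupBytes 1GB -NoVHD

# The default adapter is the synthetic one, which needs integration components the
# Jaunty kernel lacks. Replace it with the emulated legacy adapter (100 Mbps).
Get-VMNetworkAdapter -VM $vm | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VM $vm -IsLegacy $true -SwitchName $SwitchName -Name 'Legacy'

# Make sure a virtual DVD drive exists, mount the ISO, and boot from CD first.
if (-not (Get-VMDvdDrive -VMName $VMName)) { Add-VMDvdDrive -VMName $VMName }
Set-VMDvdDrive -VMName $VMName -Path $IsoPath
Set-VMBios -VM $vm -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

Start-VM -VM $vm
Get-VM -Name $VMName | Select-Object Name, State, Generation
```

Connect with the Hyper-V console rather than RDP to keep mouse support, as the post notes below.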

You can compare this to the Slax VA/PT distros, which do not support the network adapter. Oftentimes, these distros do not even support the mouse. Using the Matriux Live CD in Hyper-V is a breeze. For an environment to support a demo or an occasional vulnerability assessment, you cannot ask for more.

If you are doing regular assessments, there are a couple of limitations with Hyper-V. The legacy network adapter performs at 100 Mbps (significantly slower than the 10 Gbps speed of the standard network adapter). The Live ISO is read-only, too. Mouse integration is present, but it is not the seamless integration one is used to with Windows VMs. Oh, and the mouse integration does not work when connected to Hyper-V over RDP. To get full functionality, you will need to install Matriux into a VHD and install the Hyper-V integration components.

The Jaunty kernel does not support integration. You have two options: (1) downgrade Matriux's kernel to 2.6.18 and install Hyper-V's integration components; or (2) upgrade Matriux to the Lucid kernel (2.6.32-7) and enable the Hyper-V GPL code. Option (2) provides faster performance and is in line with the planned Matriux Beta 2, but it does not support full mouse integration.

Detailed steps for both options are in the links above. For those who want to skip to the chase and simply try out Matriux under Hyper-V, I have done the steps for you. You can download the security appliance from SimWitty's website. Enjoy!

Matriux beta (0.9.4) with 2.6.18-6 kernel
Matriux beta (0.9.4) with 2.6.32-7 kernel

Thank you to the Matriux team for a smooth, well done security distribution beta. Thanks goes, too, to Tom Houghtby for providing the Linux knowledge and guidance that made the integration possible.

jwg

Tags:

Hyper-V | Operations Security | Security | Virtualization

Concluding Information Security for Intellectual Property

By wolfgang. 29 April 2004 05:42

We have been looking into intellectual property law in brief this month, with an eye towards IP as a part of security. This series kicked off when The Copyright Society of the USA declared April as Copyright Awareness month. If you missed the beginning of this series, follow the "Intellectual Property" tag to view all of the articles.

To continue to safeguard information assets, information security practitioners are obliged to expand beyond the traditional technical controls. The information assets we protect flow over various networks and persist for decades. These properties will be outside of the professional’s direct control more often than not. Therefore, additional controls such as those afforded by intellectual property laws have taken on new significance.

At the same time, consider the ease with which intellectual property laws can be violated. The violations are typically, though not always, digital piracy through copyright violations. Organizations such as the Recording Industry Association of America (RIAA) and Motion Picture Association of America (MPAA) have stepped up their prosecutions of individuals and organizations for such theft. This creates a climate wherein the information security professional must protect his technology not only from attack but also from misuse, particularly misuse leading to violations of others’ IP rights. Knowing the laws and communicating the laws (in policy and training) is crucial in mitigating the risk of a lawsuit.

In summary, today’s environment places new demands on information security. New skills are needed. A working knowledge and understanding of intellectual property laws is a critical component in securing an organization’s information technology.

Tags:

Operations Security

Engaging with the business on Intellectual Property issues

By wolfgang. 26 April 2004 06:58

To provide security over intellectual property, the information security team must interact with several departments within the organization. The responsibility encompasses defending the organization’s intellectual property and shielding the organization from legal liability from misusing others’ intellectual property.

A common governance model relies upon data classification, data owners, data custodians, and security professionals. Executive management provides sponsorship of the classification process and designates the responsible parties. As part of data classification, the type and nature of the intellectual property must be decided. The data owner (typically, mid-management) is responsible for deciding the type of data and the value of the data. The data custodians (typically, the information technology team) are responsible for maintaining the data and its associated controls. Information security is responsible for designing the controls and auditing the technology team to ensure the data is protected.

As part of designing the controls, the security practitioner must be apprised of the legal mechanisms in which content can be protected. A basic understanding of IP law and the data classifications provides a framework for the security team to engage with the legal team on how the company’s IP can be protected. The IP can then be protected as it is published and distributed beyond the organization’s network systems.

Knowing the existing laws also comes into play when protecting the organization from intentional or unintentional infringement. Due care and due diligence must be demonstrated. Administrative and technical controls must be deployed. By engaging with the human resources team, the information security team can provide employee training and explain in lay terms the employee’s rights and responsibilities with respect to others’ intellectual property. By the same token, technology must be deployed to detect and prevent piracy and digital theft. Demonstrating that the organization has taken these steps is crucial in situations that end up in court, where intent and diligence will be considered.

Tags:

Operations Security

Avoiding infringement: Trade secrets

By wolfgang. 23 April 2004 09:22

With competition between firms, there exists a pressure to obtain a competitor’s trade secrets to either defuse the competitor’s advantage or to build an advantage for the organization. The information security professional must ensure that the organization’s equipment is not used for corporate espionage. There may be extra pressure on the professional to either turn a blind eye to such illegal activities, or (given the technological prowess of white hat hackers) to facilitate the illegal activities. Performing illegal activities for an employer does not shield an employee from prosecution. Such pressures must be avoided. 

Ideas and innovations can be legally gleaned from existing products. Organizations have legal methods at their disposal. Products can be reverse engineered to determine how they work. (Reverse engineering cannot be used to circumvent protection mechanisms according to the DMCA, however.) The Uniform Trade Secrets Act (1990) states that reverse engineering is permissible providing the “acquisition of the known product” is by “a fair and honest means, such as purchase of the item on the open market.” It is possible to purchase a software package or piece of equipment, take it apart, and determine the ideas behind its design and production.

Another option for obtaining trade secrets legally is to use a clean room technique. Here, a team is provided very specific requirements and source information. They work in a dedicated and isolated space to ensure that existing secrets are not used in reproducing the work. The key here is documenting the inputs and outputs of the team. “Records of the clean room development are saved to demonstrate that trade secrets were independently developed and to refute any claims that a work was copied. (Stim, 2001)”. This provides some level of protection, but clean room is not a defense in “doctrine of equivalents” cases.

References:

Stim, R. (2001). Intellectual Property: Patents, Trademarks, and Copyrights, 2nd Edition. Albany: Delmar.


Tags:

Operations Security

Avoiding infringement: Patents

By wolfgang. 21 April 2004 05:40

Avoiding infringement of other organizations’ patents is at once easy and difficult. For the most part, the day-to-day activities of a firm will not run into patent infringement. Business methods and processes, as discussed earlier, are un-patentable. It can be difficult to avoid the “doctrine of equivalents” should the organization be producing goods, as there is a gamut of patents that have been registered.

The division responsible for developing the goods is equally responsible for avoiding patent conflicts. The effort is largely comprised of informal searches and formal searches of the patent database. The effort begins with an informal web search on the USPTO site for comparable ideas and products. Once found, note the claims and ensure that the organization’s product is not substantially equivalent to those claims. If any patents are found or if there is any doubt as to whether infringement will occur, a patent attorney should also be engaged. The patent attorney provides the formal search and review. At this point, if one or more patents are being infringed upon, then the attorney and the organization can proceed with negotiating a license with the patent holder. If not, then the organization can proceed with production of the product.

Tags:

Operations Security

Avoiding infringement: Copyrights

By wolfgang. 18 April 2004 04:54

There have been some discussions as to an organization’s responsibilities for enforcing copyright protections and preventing digital piracy. The Digital Millennium Copyright Act (DMCA) includes safe harbor provisions that shield service providers from fines if their networks are used for digital piracy. A comparable safe harbor does not exist for organizations’ private networks. Thus, the first area to secure is the network, preventing it from being used to breach copyright. Due diligence applies again insofar as an organization must demonstrate an active security program with regular reviews. Many commercial firewalls can be configured to block software that facilitates piracy. From an administrative perspective, the organization’s acceptable use policy must explicitly forbid violating the intellectual property rights of others using the organization’s technology.

As part of the information security education program, copyright and fair use can be explained. Copywriters and the creative staff must understand how they can reuse text from copyrighted materials without opening the organization to liability. Application developers must understand the differences in software copyrights and respect the various licenses when making derivative works. Systems engineers must understand how software licenses allow and restrict use, and follow these licenses when deploying software onto the organization’s equipment. The legal and information security departments can perform subsequent audits to ensure that people are aware of the laws and the policies, and are taking appropriate steps to respect others’ property.

Tags:

Operations Security

Avoiding infringement: Trademarks

By wolfgang. 17 April 2004 04:45

When designing trademarks, the organization has a responsibility to ensure that the new mark does not infringe on an existing mark. There was a case in 1998 where Tommy Hilfiger was assessed for damages on the “Star Class” trademark. Hilfiger had his attorney perform a search of federally registered marks, but failed to search state and common law marks. This led to damages, as Hilfiger was not shown to have performed due diligence in the duty to search. New trademarks – whether a product name, service name, slogan, domain name, or other initiative – should be thoroughly researched to ensure that the mark is not already in use in the federal or state registration systems, or in common law.

When reusing another organization’s trademark, reasonable effort should be put forward to use the exact mark and include the ™ trademark symbol as appropriate. Many firms have restrictions on how their logo and mark can be used (for example, on a partner’s website or a business card.) These restrictions must be researched and understood. In doing so, an organization can avoid accidental misuse of another firm’s IP.

Tags:

Operations Security
