Tuesday, January 30, 2007

Spotting System Intrusions a Big Challenge for IT

Lag between breach at TJX and its discovery isn’t a surprise, execs say

Jaikumar Vijayan    January 29, 2007 (Computerworld) --

Protecting corporate systems against intruders isn’t easy. But detecting a breach that has actually happened can sometimes be even harder, IT managers and analysts said last week in the wake of the high-profile data compromise at The TJX Companies Inc.

The system intrusion at the Framingham, Mass.-based retailer occurred last May but wasn’t discovered until mid-December — seven months later. TJX publicly disclosed the breach two weeks ago.

In a similar incident at Ohio University, a server break-in that exposed the personal data of about 137,000 alumni went unnoticed for more than a year before being discovered last spring along with several other security breaches.

The gap between the intrusion at TJX and its discovery isn’t entirely surprising, given the myriad ways attackers can gain access to systems and then conceal their tracks, said Drew Maness, a senior security strategist at a large entertainment company that he asked not be named.

“The reason it’s so difficult [to discover a data breach] is because it can come at you from any angle,” Maness said. “With physical security, it’s very rare that someone breaks in through a side wall on the eighth floor. With computer security, they come in through that side wall.”

To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. “You’ve got to know what every single packet on the network is doing, where it’s coming from, where it’s going and which ones are bad,” he said.

That can be a huge challenge, considering the sheer number of transactions and the terabytes of storage space required on a daily basis to store log data about all of them, said David Jordan, chief information security officer for Virginia’s Arlington County. It also requires comprehensive modeling of typical network behavior enterprisewide so any abnormal activity can be pinpointed, Jordan said.

Few Existing Products

For now, at least, there are few out-of-the-box products that can help companies do end-to-end log collection and real-time data correlation and analysis, said Amer Deeba, vice president of marketing at Qualys Inc., a vulnerability management services provider in Redwood Shores, Calif. And the cost of custom-building such capabilities can be prohibitive, added Deeba.

But there are some tools that IT managers can use to address parts of the challenge, Deeba noted. For instance, several logging and monitoring tools are available for quickly detecting unauthorized database activity.

USEC Inc., a $1.6 billion energy company in Bethesda, Md., uses an appliance from Guardium Inc. to monitor the activities of the administrators who manage the Oracle and SQL Server databases underlying its financial applications. The Guardium device can detect unauthorized changes and other policy violations that could affect the integrity of USEC’s financial data, said CIO David Vordick.

The technology also enables USEC to monitor compliance with Sarbanes-Oxley financial reporting regulations and provides the company with a real-time security-alerting capability, Vordick said.

Accor North America, a Carrollton, Texas-based operator of hotel chains such as Red Roof Inns and Sofitel, is using an appliance from Imperva Inc. to detect unusual database activity as it occurs. Such tools let companies move from a “passive security” model to a more aggressive one, said Jaimin Shah, a senior security engineer at Accor.

Being able to do the same kind of monitoring of all network and system assets could help companies detect suspicious activity more quickly, Shah said. “The problem is that monitoring generates a tremendous amount of logs,” he said, adding that “getting the right information as quickly as we can” is a challenge.

Vendors such as LogLogic Inc. are beginning to offer more efficient ways to sift through log data, Maness said. But he still expects it to take up to 10 years to develop true end-to-end capabilities for tracking networks.



Vista Shows Better Security Than ...

Mark Hall


January 29, 2007 (Computerworld) ... Mac OS X does. That’s the view of Max Caceres, director of product management at Boston-based Core Security Technologies, which develops network-penetration testing software called Core Impact. Caceres says that Microsoft Corp. uses more advanced security techniques in Windows Vista than Apple Inc. uses in its operating system. Mac OS X “is still a little immature in terms of security compared to Vista,” he contends.

CACERES: Vista is sound on security — on paper, at least.

“On paper, Vista is more sound.” As an example, Caceres points to the way Vista handles memory management. Information stored in RAM, he says, is “randomized, making it more difficult to exploit.” That’s not the case with the Mac software, according to Caceres. But, he adds, Apple’s Unix roots, more frequent operating system release cycle and apparent indifference to backward compatibility make the Mac “well positioned to change its security model real quickly.” Plus, he notes, security threats are a market share issue. As long as Windows dominates the desktop, he predicts, it will attract most of the malware.

But how long will that dominance persist? Mac unit sales jumped 28% last quarter, according to Apple, while PC sales languished in single-digit growth, according to everyone. Although the Mac’s market share remains anemic compared with that of Windows, Apple’s hardware is showing up more often in businesses. Mitchell Ashley, chief technology officer at Latis Networks Inc.’s StillSecure operating unit in Superior, Colo., says his company’s Safe Access network access control software has always had to deal with Macs. But recently, that has changed from the occasional encounter to an everyday occurrence. “Today, it’s a requirement for global network access control [tools] to manage Macs,” Ashley says.

Security show may end in tears for...
... the bad guys. Heading to the RSA Conference next week in San Francisco? Expect to find enough new products to make a black-hat hacker weep in despair. Take PacketSentry 2.2, a software upgrade that San Jose-based PacketMotion Inc. plans to add to its security appliances early next month. According to Bob Pratt, PacketMotion’s director of product marketing, the upgrade lets you get policy-based alerts about actions end users take on specific files. For example, you can be notified if anyone tries to delete .xls files in a given directory during the run-up to a quarterly financial report. The PacketSentry devices, which start at $45,000, also collect file access histories and store them in an Oracle database for audit uses.

Steve Roop, vice president of marketing at Vontu Inc., says that in a recent survey he commissioned Forrester Research Inc. to conduct, 52% of 151 security decision-makers at large companies reported that their organizations had lost confidential data via insiders using removable media. To help put a stop to that, San Francisco-based Vontu will add an Endpoint Monitor feature when Version 7 of its namesake software ships in late March. You’ll be able to see who copied what information when, and where it went. Vontu can fingerprint content for protection, and Version 7 will let you keep track of double-byte code files with Asian-language data. Pricing starts at $25,000.

Wasim Ahmad, vice president of marketing at Voltage Security Inc. in Palo Alto, Calif., says his company’s product line “eliminates the whole rigmarole of complexity” around encryption tools.

PacketMotion's appliances keep tabs on what users do with files.

At RSA, the company will announce the Voltage Security Network, which businesses can use for on-demand e-mail encryption for $95 per user annually. Voltage Security also has boosted the scalability, authentication, management and reporting features of SecureMail, its flagship encryption software. And by summer, it plans to release an offering called the Data Protection System for companies that need to encrypt data for service-oriented architecture applications.

Just WHOIS the owner of...
...that Web site?


If you use the WHOIS command on the Internet, you’ll likely learn the answer to that question. But if the Internet Corporation for Assigned Names and Numbers (ICANN) follows the advice of the Electronic Privacy Information Center and other privacy advocates, it will adopt a new registration policy called operational point of contact, which restricts the data available online. Frederick Felman, chief marketing officer at MarkMonitor Inc. in San Francisco, thinks that would be a big mistake. Felman says ICANN should adopt a special-circumstances policy that permits only people with legitimate needs, such as homes for abused women, to mask their Web site ownership and contact data. He argues that WHOIS is a vital tool for quickly shutting down malware sites and protecting users from phishing attacks.

Getting Certified and Just a Bit Certifiable

C.J. Kelly


January 29, 2007 (Computerworld) I recently attended CCSP boot camp. I was there for a very specific purpose. No, two very specific purposes. Like most people in attendance, I wanted to achieve the Cisco Certified Security Professional certification, but I also wanted in-depth training on the technologies that my staff deploy and I manage.

Technical boot camps are grueling. Classes normally begin at 8 a.m. and end at 8 p.m. We started at 7:30 a.m., worked through lunch and finished after 8 p.m. At the end of the training, I was physically exhausted, but my mind felt invigorated. One thing that kept me going was thinking about how privileged I am to have had the opportunity to receive this level of training. Usually, technical managers aren’t sent to technical training. But as I have said before, I believe that the best technical managers are both people-savvy and technically proficient enough to keep things on track. And I am very fortunate to work for someone who understands and supports that idea.

I hold several certifications in addition to my formal education, but in the past, I chose the self-study route. Boot camp was all new for me.

Almost Derailed

On the long flight home, I had time to think about boot camp vs. self-study using textbooks or online programs. I have always preferred self-study, which suits my particular learning style very well. I have an almost photographic memory, read very fast and grasp concepts quickly. I don’t necessarily need interaction with other students or an instructor — in fact, I find it distracting.

But just before I went to boot camp, I completed an online training program to master the prerequisites for the CCSP, and distractions nearly derailed the process. I have no complaint about the quality of the online program. It included information presentations, online “step into the lab” demonstrations, flash cards and several variations of what the real test would be like. My life is crazy busy, so even though I took several full days to do the online training from home, I still found myself constantly interrupted.

For most people, blocking off the time you need for online training is the biggest obstacle. You have to open up your schedule and set aside the time for training; trying to do it piecemeal as time allows just won’t work. If this means closing your office door, do it. If it means working from home, do it. If it means going to the public library to get away from phones and pagers, do it. You have to manage the interruptions.

This same advice holds true for self-study offline. And because you don’t have an online program to guide you in what to study, you have to know what kind of materials to buy. For its own certifications, Cisco offers plenty of resources on its Web site. In fact, I ended up supplementing the online training with other self-study tools.


Boot camp is an immersion method. Distractions such as cell phones and pagers are discouraged. (I was surprised that laptops with Internet access were allowed.) There isn’t much socializing. Most people went from hotel room to boot camp and back to hotel room again with very little in between. The schedule is physically draining; my lab partner was very late on about the third day, citing complete exhaustion.

Nonetheless, the training was excellent. The instructor was not only very capable, but also a security consultant in real life, with day-to-day experience in the technologies we studied. Far from being distracted by the other students, I found myself relieved that there were like-minded people around to discuss issues with.

I would have to say that boot camp did the job. Of course, it’s expensive. Even though my state agency got a discount, the training for one person ran between $8,000 and $9,000, and that did not include airfare, meals or lodging. It did include vouchers for the five exams required to pass the CCSP certification test.

But some people drown when they’re immersed. Your brain can easily get overloaded when you’re trying to cram technical information into it for 12-plus hours a day. I survived it, but boot camp isn’t my preference. Would I do it again? Yes, and in fact, I intend to soon. So, managers who are considering training options for their employees should definitely consider boot camp seriously. For some people, it will be the only way to give the work at hand the necessary focus. (Others, like me, may do very well with self-study, so don’t overlook that option.)

And shipping your employees off to expensive off-site training sends them a message loud and clear: You value them. Some managers worry that a big training investment could go to waste, since the employee could take his new skills and find a better-paying job. But my experience has been that making investments in people fosters loyalty. Expansive thinking on your part leads to expansive thinking on your employees’ part. You want that.

Certification training raises another issue. There’s a lot of talk that certifications don’t deliver a lot of value. But in my mind, certification training, and especially security certification training, is a way of making sure that every aspect of security has been covered. It’s the equivalent of requiring someone to have a college education as a job prerequisite.

Sure, certifications don’t guarantee you anything. But they do give you a high level of confidence that the person sitting in front of you knows the basics and can perform them well. I agree that experience trumps certifications any day of the week, but I look at certifications as a quality seal. And that’s good to have under any circumstances.


Bankers Association Says Stolen Card Data Was Used in Purchases

Jaikumar Vijayan    January 29, 2007 (Computerworld) -- Credit and debit card numbers compromised in the security breach at TJX have been fraudulently used in at least three U.S. states and two foreign countries, according to a group that represents Massachusetts banks.

The Massachusetts Bankers Association (MBA) said that as of last Wednesday, card numbers taken from TJX’s systems had been used to make fraudulent purchases in Georgia, Florida and Louisiana, as well as in Hong Kong and Sweden.

Both MasterCard International Inc. and Visa U.S.A. Inc. declined to comment on the MBA’s claims about fraudulent uses of card numbers. TJX officials didn’t respond to requests for comments about the reported misuse of card data.

In addition, the MBA said it is “strongly” pushing for state legislation that would require credit card firms to quickly disclose the source of a retail data breach. MasterCard, Visa and other card companies typically don’t divulge that information to card-issuing banks when notifying them of security incidents.

Daniel Forte, the MBA’s CEO, said in a statement that the credit card companies also should hold the source of a breach financially liable — especially if the retailer was storing card data in violation of the Payment Card Industry (PCI) Data Security Standard.

TJX hasn’t disclosed what information was compromised. But according to the MBA and other financial industry sources, the retailer appears to have been storing account numbers, expiration dates and other so-called Track 2 data taken from the magnetic stripe on the back of cards. Keeping such data is forbidden under PCI.
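The kind of check an assessor or incident responder would run against a retailer's logs and data stores to find the prohibited storage described above, as an added example that is not part of the article: it scans constructed sample log lines for records laid out like magnetic-stripe Track 2 data (PAN, "=" separator, YYMM expiry, service code, discretionary data; this layout is assumed from ISO/IEC 7813, which the article does not cite) and uses the Luhn check so that arbitrary digit runs are not reported.

```python
"""Find magnetic-stripe Track 2 data retained in text records (logs, dumps)."""
import re

# Assumed ISO/IEC 7813 Track 2 layout, not described in the article:
#   ;<PAN, 13-19 digits>=<YYMM expiry><3-digit service code><discretionary>?
# Sentinels (';' and '?') are often dropped when data is logged, so both are optional.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(text: str) -> list[dict]:
    """Return one finding per Track 2-shaped record whose PAN passes Luhn.

    The PAN is masked in the output so the finding itself does not become
    another copy of the cardholder data.
    """
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue            # digit noise around '=' is not card data
        findings.append({
            "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group("exp"),
            "service_code": m.group("svc"),
        })
    return findings


# Constructed sample: fragments of a point-of-sale debug log that wrongly
# retained full swipe data. The PANs are well-known test numbers, and the
# third line is a Luhn-invalid decoy that a plain digit-pattern grep would flag.
SAMPLE_LOG = """\
2007-05-12 03:14:07 pos-17 swipe ok raw=;4111111111111111=0906101123456789?
2007-05-12 03:14:09 pos-17 auth approved amount=42.17 retry=3 timeout=30
2007-05-12 03:15:22 pos-04 swipe ok raw=;4111111111111112=0906101123456789?
2007-05-12 03:16:01 pos-09 swipe ok raw=5500000000000004=0812201000000000
"""

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
```

Any hit from this scan on a system that has completed authorization is data that the PCI standard says must not be there, regardless of whether the file is a log, a database column or a crash dump.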

The fact that Track 2 data likely was among the compromised information is disappointing, said Ryan Fisher, senior risk manager at Madison, Wis.-based CUNA Mutual Group, which insures about 5,500 credit unions. He also said there is “a certain level of disappointment” that credit card companies haven’t been enforcing the PCI standards more effectively.

