Archive for March, 2010

Weekly Intelligence Summary: 2010-03-26

Monday, March 29th, 2010

The Risk Team had a rare face-to-face meeting this week. The meeting is perhaps why we feel out of touch. Clearly we missed how the very existence of a nation that survived a civil war, two world wars, Category 5 hurricanes and a magnitude 9.2 earthquake is threatened by cybercrime—how could we possibly miss that one? Or how “potential infections” and hotspot use contradict Peter Steiner’s foundational principle of the Internet that has stood since July 5th, 1993. Say what? One criminal will be off the city streets, and that’s great, but he’s still one guy—we missed how it deserved all the ink and electrons it consumed. We’re so out of touch that instead we’ve been keeping an eye on Risk Team alumnus Roger Thompson’s report of attacks exploiting a recent, unpatched Internet Explorer vulnerability. And we’re watching for follow-ups to F-Secure’s report of malicious RTF files that use the threat of a lawsuit as bait to seduce users into clicking.

Is compliance stifling Information Security innovation?

Friday, March 26th, 2010

A blog post by the incurably brilliant Rich Mogull started off a discussion about innovation and compliance in InfoSec. The gist of the argument on Twitter was this: regulatory compliance in Information Security stifles innovation.

The reasoning offered is that if we have to spend a significant part (or all) of our budget simply to prove some level of diligence, there’s precious little left over for innovation in defense of the enterprise.

On a fundamental level, it’s hard to argue with the economics of this, particularly if the risk tolerance of the organization is honed to react to the impact of regulatory fines rather than to any other real or hypothesized form of loss. But in my mind, the economic consequences of a regulatory focus touch upon only the most minuscule of the issues facing the innovation landscape.

(more…)

Let’s talk about the “End” in End-to-End Trust, Part II

Wednesday, March 24th, 2010

The following post is the second part of a blog entry that was posted on this site on March 10, 2010.

The problem with traditional Identity Proofing

Prior to provisioning any type of electronic identity credential, we must develop a level of assurance that the individual is in fact who they assert themselves to be. This level of assurance must be equal to, or higher than, the credential’s level of assurance.

Most people would suggest that in-person identity proofing is the top of the ladder. I would suggest they are naive. Remember Frank Abagnale Jr., the subject of the movie “Catch Me if You Can”? He successfully perpetrated fraud as an airline pilot, a Chief Resident Pediatrician and an Assistant District Attorney, and cashed over $4M in fraudulent checks in over 26 different countries and all 50 states. When finally apprehended by the FBI he was 19 years old, and the WWW hadn’t been invented yet. But then who would expect airlines, hospitals, governments and banks to be good at in-person identity proofing?

Today the cost of successfully impersonating another US citizen is about $15,000. For that price you get a passport and driver’s license that can pass all visual and electro-mechanical inspections, and 3-4 working credit cards. Will they let you spoof a biometric verification? No. But that just means the savvy criminal will select the identity of someone with no registered biometrics, which are typically fingerprints obtained through government employment or a criminal record – that leaves about 90 percent of the population.

(more…)

VERIS Incident Classification Mindmap

Tuesday, March 23rd, 2010

As many of you know, we released the Verizon Incident Sharing framework a couple weeks ago. The framework has 4 main sections: Demographics, Incident Classification, Discovery and Mitigation, and Impact Classification. The Incident Classification piece makes for a particularly interesting mind map that you can view here and play around with if you like.

I have included a little background on the Incident Classification section below (This is all in the main framework document, so if you’ve read that, you’ve read the following).

This section translates the incident narrative of “who did what to what (or whom) with what result” into a form more suitable for trending and analysis. To accomplish this, VERIS employs the A4 Threat Model developed by Verizon’s Risk Intelligence team. In the A4 model, a security incident (or threat scenario) is viewed as a series of events that adversely affect the information assets of an organization. Every event consists of the following elements (the 4 A’s), which provide the top-level structure for the metrics in this section.

  • Agent: Whose actions affected the asset
  • Action: What actions affected the asset
  • Asset: Which assets were affected
  • Attribute: How the asset was affected
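As an added illustration (not part of the original post or of the VERIS framework itself), the Python below translates a few constructed incident records into A4 events and tallies them the way trend analysis would. The `agent;action;asset;attribute` record layout and the category values (external, hacking, web server, ...) are assumptions for this example, not the VERIS enumerations.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List


# Hypothetical A4 event record: only the four A's come from the framework;
# the category values used in the sample below are constructed for this example.
@dataclass(frozen=True)
class Event:
    agent: str      # Agent: whose actions affected the asset
    action: str     # Action: what action affected the asset
    asset: str      # Asset: which asset was affected
    attribute: str  # Attribute: how the asset was affected


@dataclass
class Incident:
    incident_id: str
    events: List[Event]  # ordered chain of events, first to last


def parse_event(line: str) -> Event:
    """Translate one 'agent;action;asset;attribute' record into an Event.

    Strict four-field split: a malformed record raises instead of being
    silently classified, since bad records would skew any trend built on them.
    """
    fields = [f.strip().lower() for f in line.split(";")]
    if len(fields) != 4 or not all(fields):
        raise ValueError(f"expected 4 non-empty A4 fields, got: {line!r}")
    return Event(*fields)


def load_incident(incident_id: str, records: List[str]) -> Incident:
    return Incident(incident_id, [parse_event(r) for r in records])


def tally(incidents: List[Incident], field: str) -> Counter:
    """How often each value of one A (e.g. 'agent') appears across all events."""
    return Counter(getattr(e, field) for inc in incidents for e in inc.events)


def agent_action_pairs(incidents: List[Incident]) -> Counter:
    """Agent/Action pairs, a common first cut when trending threat activity."""
    return Counter((e.agent, e.action) for inc in incidents for e in inc.events)


def attribute_chain(incident: Incident) -> str:
    """Order in which attributes were affected, e.g. 'integrity -> confidentiality'."""
    return " -> ".join(e.attribute for e in incident.events)


def confidentiality_assets(incident: Incident) -> List[str]:
    """Assets whose confidentiality was affected anywhere in the event chain."""
    return sorted({e.asset for e in incident.events if e.attribute == "confidentiality"})


# Constructed sample: three hypothetical incidents as semicolon-separated records.
SAMPLE = [
    load_incident("INC-1", ["external;hacking;web server;integrity",
                            "external;malware;web server;integrity",
                            "external;malware;database;confidentiality"]),
    load_incident("INC-2", ["internal;error;database;confidentiality"]),
    load_incident("INC-3", ["external;hacking;web server;integrity",
                            "external;hacking;database;confidentiality"]),
]

if __name__ == "__main__":
    print(tally(SAMPLE, "agent"))  # Counter({'external': 5, 'internal': 1})
    print(agent_action_pairs(SAMPLE).most_common(1))
    for inc in SAMPLE:
        print(inc.incident_id, attribute_chain(inc), confidentiality_assets(inc))
```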

(more…)

Weekly Intelligence Summary: 2010-03-19

Monday, March 22nd, 2010

In hindsight, this would have been a good week to catch our breath with some vacation, as little changed in the risk environment. The latest IE vulnerability has yet to manifest itself as a more significant risk. Prior to his arrest, a man laid off from an Austin, Texas car dealer broke into a system used to immobilize cars with overdue loan payments. Over a period of 5 days he immobilized 100 autos. One hundred. Wow, let me catch my breath. Vodafone ‘fessed up to accidentally distributing malware on 3,000 smartphones, perhaps on their micro-SD memory cards. Oh my. DealsDirect.com.au, Oz’ largest online bargain shopping site, became the latest victim of a banner advertising partner spreading malvertisements on popular, legitimate sites. CanSecWest is next week in Vancouver. Good people share security information there. Unfortunately the headlines next week probably won’t reflect that. Catch your breath while you can.

Weekly Intelligence Summary: 2010-03-12

Saturday, March 13th, 2010

A new vulnerability in Internet Explorer, already in use for targeted attacks, leads this week’s Risk Intelligence summary. Exploit code has been published and a Metasploit module makes weaponization trivial. Verizon Business customers should pull out their “MS out-of-cycle patch” response plans, as this seems ripe for their twelfth incident. February’s Adobe Reader vulnerability is also being used in targeted attacks. Patching vulnerabilities in Brightmail, OpenView and OpenSSL, all infrastructure, should be planned. March’s Microsoft Tuesday came in the form of security bulletins for Excel and Windows Movie Maker, but only enterprises at risk of targeted attacks via Excel need to deploy these patches. The good guys made inroads against the Zeus gang, but a broad Koobface attack on Facebook users from Thursday evening to Friday may have been the gang’s answer, if one accepts our assessment that they are closely related. After all the bluster of RSA two weeks ago, we were back to confronting real problems over the last week.

Plane crashes and security breaches

Thursday, March 11th, 2010

by Christian Moldes

In Outliers, Malcolm Gladwell analyzes how plane crashes are the result of a combination of errors. I found this analysis very interesting because of its similarity to most security breaches. A brief excerpt from his book:

“Plane crashes rarely happen in real life the same way they happen in the movies. Some engine part does not explode in a fiery bang. The rudder doesn’t suddenly snap under the force of takeoff. The captain doesn’t gasp, “Dear God,” as he’s thrown back against his seat. The typical commercial jetliner – at this point in its stage of development – is about as dependable as a toaster. Plane crashes are much more likely to be the result of an accumulation of minor difficulties and seemingly trivial malfunctions.

The typical accident involves seven consecutive human errors. One of the pilots does something wrong that by itself is not a problem. Then one of them makes another error on top of that, which combined with the first error still does not amount to catastrophe. But then they make a third error on top of that, and then another and another and another and another, and it is the combination of all those errors that leads to disaster.”

Security breaches happen exactly like that. They are the result of a combination of minor or seemingly insignificant errors. Let me illustrate this. A few years ago a merchant suffered a breach, and its case is one of the best examples for this topic. Their e-commerce website was developed in-house, but some of the components had been developed by a third party. The application had been thoroughly reviewed for security vulnerabilities and none had been identified as risky. However, one of the components was not reviewed: it had been added a few days after the application review was completed, and since it was not related in any way to payment transactions, it was deemed non-critical.

(more…)

Let’s talk about the “End” in End-to-End Trust, Part I

Wednesday, March 10th, 2010

Let’s talk about the End in End-to-End Trust, or, in other words, the human being.

Focus on the human subject – the beneficiary of technology

We’re pretty good at dealing with everything from the digital perimeter through to the protected resources the person wants to access. But the big problem, the very old problem that we’ve made little progress in solving, is reliably and confidently authenticating the person to the digital perimeter. Let’s keep in mind the kinds of attacks on information systems that we see every day: the vast majority of them attack the human being through some form of impersonation.

My thesis would be that we have extraordinary existing technology for securing everything within the digital workflow, but we are unbelievably immature in our current approaches to securely connecting the human being (the physical world) to the digital world.

99% of protected resources still rely on Username/Password as the means of authenticating a human being. Let’s be clear about this: Username/Password does not authenticate a human being, it authenticates a directory entry.

We can talk about End-to-End Trust forever, but until we can effectively manage the identity risk of human beings using information systems, the weakest link will continue to be end-user authentication, and it will continue to be the primary focus of attacks.

The problem with traditional electronic identity credentials

Symmetric key cryptography, or shared secrets, is not an inherently weak form of authentication. It just happens that, as it is currently implemented through Username/Password across heterogeneous, monolithic systems, it is wholly inadequate. Human beings are actually outrageously capable cryptographic processors. In fact, when it comes to communication, language, collaboration and knowledge, almost everything we do is rooted in our ability to perform millions of symmetric key cryptographic operations in real time and, for the most part, subconsciously.

Two quick examples should cement the point. The citrus fruit called orange, when ripe, is also the color orange. At a very young age we’re taught to associate specific labels – red, orange, blue, etc. – with specific frequencies of light. So the only reason two speakers refer to the color of an orange as orange is that we have a socially agreed upon set of key pairs. Language, alphabets, etc., all work the same way. The only reason I don’t know Chinese is that I’ve not learned those specific encryption/decryption algorithms.

Another example should cement the cryptographic nature of these relationships. Prior to going to a potentially boring party, I agree with my friend that if one of us says “how about those Red Sox”, we should both immediately initiate an exit strategy. Since we exclusively know the “code”, for all other participants in the conversation it is effectively “ciphertext”.

Now, if you think about how many of these operations we constantly perform, for instance as you’re reading this blog, you will get my point. Bottom line, human beings are naturally really good at cryptography.

So why are Username/Passwords so bad? Three reasons:

  1. They are not easy to use. We don’t intuitively think of or recall 8+ character words with one upper-case letter, one lower-case letter, one number and one non-alphanumeric character. It gets even harder when we have to change them every 90 days, they must be different from the last 10 we used, and we’ve got 30 pairs of them to remember.
  2. Compromise is hard to detect. They are typically static for long periods of time – like 90 days – and it’s not obvious to the end user when someone else has compromised them.
  3. They are not unique to the subject. Many people could have the same password, so there is nothing that inherently connects a password to an individual user.

Now contrast that with our ability to remember and recognize faces. Even though facial recognition is vastly more complicated than remembering an 8-character complex password, it is orders of magnitude easier and more intuitive for us to recognize faces, and this is just one example of many. Any of these things can be used as key material for symmetric crypto systems.

For electronic credentials to be effective and efficient, there are a few properties they should exhibit:

  1. Ease of use. They should be intuitive, leverage capabilities that we already possess, and fit in with our lifestyles and work habits. That implies we need more than one. What may be an appropriate electronic credential when we’re authenticating to an ATM in a private vestibule may not be appropriate when we’re attending a wedding or sitting in a lecture hall.
  2. Easy to detect compromise. It should be obvious, in a short amount of time (minutes or hours vs. days or months), when a credential has been compromised. While it’s almost impossible to know someone’s stolen your password, it’s obvious, pretty quickly, when someone’s stolen your BlackBerry.
  3. They should be unique to you. At least one, and ideally multiple, components of a credential should be unique, i.e., only one exists and it’s associated with you. That means that when compromised it either no longer exists or is no longer associated with you.

Now, I’m not suggesting PIV cards and biometric readers for everyone. Quite the opposite, because they are terrible at 1 and only reasonably good at 2 and 3. What I’m suggesting is approaching the whole concept of electronic credentials from a totally different perspective.

People should be able to use whatever credential best suits the particular transaction, the physical and social environment in which they find themselves, and the capabilities they have at their immediate disposal.


Weekly Intelligence Summary: 2010-03-05

Monday, March 8th, 2010

Microsoft announced they would issue two security bulletins patching eight vulnerabilities next week. Microsoft will not be patching a newly reported vulnerability in VBScript, known as “the F1 hole,” and the wailing of banshees has begun. The signal-to-noise ratio from the RSA Conference was about as bad as we expected. iSec jumped on the APT bandwagon and Damballa seems to have jumped off, while the Risk Team continues to watch, unconvinced by either. A strong signal came from Panda reporting on the Mariposa botnet takedown, while Trend issued a new Zeus report and Byron Acohido did two reports on Koobface, all worth careful scrutiny.

Issues with ASLR, DEP and RSA authentication are irrelevant to risk for the foreseeable future, but fueled the Sirens into competition with the banshees. Activists mounted DoS attacks between Korea and Japan. A faint bright spot near the Concepción catastrophe was that it occurred more than 1,000 miles (1,600 km) from the Pan-American submarine cable’s landfall in Arica, Chile. Last week we prompted for stilts and hip waders, but earplugs are now also part of the uniform of the week.

I’m Outta Here

Saturday, March 6th, 2010

I am so done!  It’s time to go back to working at a gas station, my first job.  Whiplash and the Advanced Persistent Threat (APT) have terminated my InfoSec career.  Here’s why:

The week began with this announcement via The Register, “Most businesses are defenseless against the types of attacks that recently hit Google and at least 33 other companies….” “Defenseless!”  Goodness gracious, ABANDON SHIP!  But then I thought, “maybe the reporter just misinterpreted the primary source.”  So I downloaded the report from iSec, and their disturbing conclusion has the same ring of finality, “even most Fortune-500 companies will not be able to assemble security teams with the diversity of skills necessary to respond to this type of incident.  It is extremely unlikely that SMBs will be able to properly prepare for these threats.” Then I checked to make sure Verizon is in the Fortune-500, and then I started to look for some hemlock.

Don’t you see?  It’s hopeless.  Time to give up.  Richard Bejtlich says, “get the divers out of the water,” and there are only two companies up to the task of fighting an APT.  Hey, I don’t work for either of those, therefore, I’m just not capable of helping my customers secure their information.

(more…)

Verizon Incident Metrics Framework Released

Monday, March 1st, 2010

Many of you who read our blog regularly are familiar with our ‘Data Breach Investigations Report’.  We hope that you’ve found past reports informative, useful, and above all, actionable.

The production of the DBIR has been driven by our desire to help solve what we see as two of the most significant problems facing our industry:

  1. Uncertainty due to the lack of data
  2. Equivocality due to the lack of a common framework

Basically, we believe that until we can all be on the same page regarding what terms mean and why those terms are useful, we’re going to have a problem creating meaning from any data we *do* get.

One of the reasons we feel that the DBIR is so useful is because it translates the incident narrative (the attacker did this, then that, then the other thing) into a data set.  To accomplish this translation, we used a set of metrics developed internally. Think of it as a framework of incident elements we believe will, when gathered consistently, help people better interpret data and manage risk.

Today we’re making a version of that framework, the Verizon Incident Sharing Framework (VerIS), available for you to use.

(more…)