A few lessons for us infosec professionals from this:
First: The definition of insiders expands as businesses continue to outsource functions which used to be done in-house.
Second: Vendor Risk Management programs need to pay special attention to law firms. These guys are like companies’ confessors; we tell them all of our deepest secrets and rely on them to keep things secret.
If you are going to use Infrastructure as a Service providers like Amazon, make sure that the people using them take the time to learn about and use the security features. Amazon provides the means to store data securely (bucket policies, access control lists and server-side encryption, to name three) and has a wealth of documentation on security best practices. Having a breach because of an improperly configured (read: publicly readable) S3 bucket is amateur hour, folks.
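One way to turn "use the security features" into a repeatable check is to audit each bucket's policy, ACL and Block Public Access settings for anything that grants access to everyone. The script below is an added example written for this page, not Amazon's tooling or code from the original post; it works on constructed sample data shaped like the dictionaries boto3 returns (that shape is an assumption to verify against your boto3 version), so it runs offline with no AWS credentials.

```python
import json

# Constructed sample shapes, modeled on what boto3's get_bucket_policy,
# get_bucket_acl and get_public_access_block return (an assumption of this
# example; check against the boto3 docs for your version).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
BLOCK_SWITCHES = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Allow statements whose principal is everyone, as (sid, actions, has_condition).
    A Condition may narrow the grant (e.g. to one VPC endpoint), so it is flagged
    for review rather than treated as a hard failure."""
    doc = json.loads(policy_json) if policy_json else {}
    found = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            found.append((st.get("Sid", "statement[%d]" % i),
                          _as_list(st.get("Action")),
                          bool(st.get("Condition"))))
    return found


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups, as (group, permission)."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return out


def missing_public_access_blocks(pab):
    """Block Public Access switches that are off or absent (no configuration = all off)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [k for k in BLOCK_SWITCHES if not cfg.get(k, False)]


def audit_bucket(name, policy_json, acl, pab):
    """Findings for one bucket; an empty list means nothing public was found."""
    findings = []
    for sid, actions, conditional in public_policy_statements(policy_json):
        note = " (narrowed by a Condition; review it)" if conditional else ""
        findings.append("%s: policy statement %r grants %s to everyone%s"
                        % (name, sid, ", ".join(actions), note))
    for group, perm in public_acl_grants(acl):
        findings.append("%s: ACL grants %s to %s" % (name, perm, group))
    missing = missing_public_access_blocks(pab)
    if missing:
        findings.append("%s: Block Public Access not fully on (off: %s)"
                        % (name, ", ".join(missing)))
    return findings


# Constructed sample: the same bucket before and after hardening (account id is made up).
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
LEAKY_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
LEAKY_PAB = None  # get_public_access_block raised NoSuchPublicAccessBlockConfiguration

HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in BLOCK_SWITCHES}}

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", LEAKY_POLICY, LEAKY_ACL, LEAKY_PAB):
        print(line)
    print("hardened:", audit_bucket("example-bucket", HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))
```

To run it against a real account, feed `audit_bucket` the output of `s3.get_bucket_policy(Bucket=b)["Policy"]`, `s3.get_bucket_acl(Bucket=b)` and `s3.get_public_access_block(Bucket=b)` for each bucket from `s3.list_buckets()`; treat a `NoSuchBucketPolicy` error as an empty policy and a `NoSuchPublicAccessBlockConfiguration` error as `None`, which the script already reads as "all four switches off".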
When acquiring new companies, especially small ones, security due diligence needs to be job one. Finding out where sensitive information is stored and how it is protected is a must.
Know your third parties (and those of your acquisitions) – FedEx blamed the breach on an unnamed third party. Remember – you can outsource the function, but you cannot outsource responsibility for security. When doing an acquisition, look at the list of every vendor that the target company pays and figure out which ones might be holding data.
I have been through the acquisition process a few times in the past ten years – identifying show stopper issues during due diligence is important, but it is vital to keep the process going after the deal is done. The more you dig into the security of the acquired firm, the more “interesting” security issues you will find.
It sometimes seems to me that a lack of data is not the issue when patrolling your networks for signs of evil badness… it is quite the opposite – operating systems, security logs and other sources are drowning us in data which we don’t leverage. This talk from DerbyCon 2015, “Intrusion Hunting for the Masses – A Practical Guide” really opened my eyes to a number of ways to leverage data that we already have to look for signs of sophisticated intrusions early in the kill chain. If you manage infosec for your organization or are in the bad guy hunting business, I highly recommend this information and idea packed 45 minute talk by Dave Sharpe (@sharpesecurity). I love stuff like this – you don’t have to make huge investments in new hardware or software to do this kind of analysis and the potential payoffs are pretty big. Best con-talk I have watched in a long time.
On June 16th, 2015, I was privileged to participate in a panel entitled “The Practitioner’s Perspective on Cybersecurity” at the SmartBrief Cybersecurity forum, held at the New York Yacht Club. At this event, co-sponsored by SIFMA, a panel of other financial services security professionals and I bloviated on the challenges facing us today.
Here is a 15 minute “highlights reel” from the panel…
And here is the full discussion, which ran approximately 45 minutes…
The participants were:
Al Berg, Chief Security and Risk Officer, Liquidnet Holdings Inc.
Robert Cornish, Chief Technology Officer and Chief Information Security Officer, International Securities Exchange (ISE)
Boaz Gelbord, Chief Information Security Officer, Bloomberg LP
George Rettas, Managing Director and Chief of Staff, Global Information Security Department – Information Protection Directorate, Citigroup
Moderator: Sean McMahon, Senior Finance Editor, SmartBrief
What security people need to understand is that the end users are not the problem. The end users are our customers (and one of the main reasons we have jobs). The problem arises from the increasing sophistication of attackers and their tools and ruses. In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover over the link and check that the destination matches the displayed text) and social engineering (no, the Nigerian prince does not want to give you his money). Since then, the attackers have been getting better and better at their jobs. They send very professional looking email and social media bait which is very hard to distinguish from legitimate messages. They do their homework, mining social media for personal and business information to make their clickbait more convincing. End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.
I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks. It has a great return on investment for just about every organization.
We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them. Organizations need to beef up their email security, adding things like pre-delivery attachment analysis (detonating attachments in a sandbox before the message reaches the inbox), real-time checking of clicked URLs both at message delivery and again when the user clicks (a link that was clean when scanned can be pointed at something nasty hours later), and exploit mitigation on the endpoint itself (Microsoft’s EMET is free and pretty effective).
End users are not stupid. They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day. We have to step up our efforts to protect them, not call them a problem. That’s what we get paid for.
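The "hover over the link and see if it matches" advice from the post above is exactly the kind of check that can be done for the user before the message is delivered. The script below is an added example written for this page, not code from the original post or from any mail security product: it parses an HTML mail body, and flags every link whose visible text names one site while the href actually goes to another, including the `user@host` trick where the real hostname hides after an `@`. The sample message and the two-label "registrable domain" heuristic are constructed for the demo (a real implementation should use the public suffix list).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text a reader would take for a web address (constructed heuristic).
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_text):
    """Hostname a browser would actually connect to. urlparse already handles
    the user@host trick: 'https://www.yourbank.com@203.0.113.7/' -> '203.0.113.7'."""
    s = url_or_text if "://" in url_or_text else "http://" + url_or_text
    try:
        return (urlparse(s).hostname or "").lower()
    except ValueError:
        return ""


def site_of(host):
    """Crude registrable domain (last two labels); IP addresses are returned whole.
    Assumption: good enough for the demo; real tooling should use the public suffix list."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return ".".join(host.strip(".").split(".")[-2:])


def suspicious_links(html):
    """Links whose displayed text names one site while the href goes to another:
    the automated version of 'hover over the link and see if it matches'."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        actual = host_of(href)
        if not actual or not LOOKS_LIKE_URL.match(text):
            continue  # anchor text like "Help center" cannot be checked this way
        shown = host_of(text)
        if site_of(shown) != site_of(actual):
            hits.append({"text": text, "href": href, "shown": shown, "actual": actual})
    return hits


# Constructed sample message (not a real phish); hosts are documentation/example names.
SAMPLE_MAIL = """
<p>Your account needs attention. Please visit
<a href="http://login.secure-verify.example.net/acct">https://www.yourbank.com/login</a>
within 24 hours.</p>
<p>Questions? See our <a href="https://www.yourbank.com/help">Help center</a> or go to
<a href="https://www.yourbank.com@203.0.113.7/">www.yourbank.com</a>.</p>
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_MAIL):
        print("text says %(shown)s but link goes to %(actual)s: %(href)s" % hit)
```

On the sample, the "Help center" link passes (its text is not a URL, so there is nothing to compare) while the other two are flagged. Note what this check cannot do: a link whose text says "click here" or whose href is a look-alike domain the text also uses is invisible to it, which is why the post pairs this sort of filtering with time-of-click URL reputation checks rather than relying on either alone.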
There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files. My personal favorite is Malwr.com, which provides a detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment. Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs. This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs (one caveat: anything you upload to a public sandbox is no longer private to you, so think twice before submitting a document that contains company data). For those with more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own infrastructure.
I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier. MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non security focused folks.
It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check whether it is running in a sandboxed virtual machine (looking for virtualization drivers or registry keys, or for the absence of any user activity) and, if so, simply exit or behave innocuously, so the analysis never sees the bad behavior which will occur during a real infection. So a clean sandbox run is just one indicator (albeit generally a strong one) of whether a particular file is malicious; a report that shows the sample probing for a virtual machine and then doing nothing should be treated as inconclusive rather than clean.
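A small triage script makes that distinction mechanical: summarize the processes, file and registry writes and network activity from a sandbox report, and if the only thing the sample did was look for a VM, say "inconclusive" rather than "clean". The code below is an added example for this page, not part of Cuckoo, malwr.com or MalwareViz; the report layout it reads (`behavior.processes`, `behavior.summary`, `network`, `signatures`) is a simplified stand-in for a Cuckoo `report.json` and the three sample reports are constructed, not real analyses.

```python
# Assumption: the report layout used here (behavior.processes, behavior.summary,
# network, signatures) is a simplified stand-in for a Cuckoo/malwr report.json;
# the sample reports below are constructed for this example, not real analyses.
EVASION_PREFIXES = ("antivm", "antisandbox", "antidbg", "antiemu")
PERSISTENCE_KEYS = (r"\microsoft\windows\currentversion\run",  # also covers RunOnce
                    r"\microsoft\windows\currentversion\explorer\shell folders")


def summarize(report):
    """Pull out the parts of a report an analyst reads first."""
    b = report.get("behavior", {})
    s = b.get("summary", {})
    net = report.get("network", {})
    return {
        "processes": [(p.get("process_name", ""), p.get("command_line", ""))
                      for p in b.get("processes", [])],
        "files_written": list(s.get("file_written", [])),
        "regkeys_written": list(s.get("regkey_written", [])),
        "hosts": list(net.get("hosts", [])),
        "domains": [d.get("domain", "") for d in net.get("domains", [])],
        "signatures": [(sig.get("name", ""), int(sig.get("severity", 0)))
                       for sig in report.get("signatures", [])],
    }


def evasion_signatures(report):
    """Signature names indicating the sample looked for a VM, sandbox or debugger."""
    return [name for name, _ in summarize(report)["signatures"]
            if name.lower().startswith(EVASION_PREFIXES)]


def persistence_keys(report):
    """Registry writes under the usual autostart locations."""
    return [k for k in summarize(report)["regkeys_written"]
            if any(p in k.lower() for p in PERSISTENCE_KEYS)]


def verdict(report):
    """'malicious' when clear bad behaviour was observed; 'inconclusive' when the
    sample probed for a sandbox and then did nothing interesting (rerun it on
    bare metal or a hardened VM); 'no-behaviour' for a quiet run with no evasion
    signs, which is negative evidence only, not proof that the file is clean."""
    info = summarize(report)
    evasion = set(evasion_signatures(report))
    strong = [n for n, sev in info["signatures"] if sev >= 3 and n not in evasion]
    if persistence_keys(report) or info["hosts"] or info["domains"] or strong:
        return "malicious"
    if evasion:
        return "inconclusive"
    return "no-behaviour"


# Constructed sample reports (hosts and domains are documentation/example values).
QUIET_EVASIVE = {
    "behavior": {"processes": [{"process_name": "invoice.exe", "command_line": "invoice.exe"}],
                 "summary": {"file_written": [], "regkey_written": []}},
    "network": {"hosts": [], "domains": []},
    "signatures": [{"name": "antivm_vmware_keys", "severity": 3,
                    "description": "Checks for VMware registry keys"}],
}
ACTIVE = {
    "behavior": {"processes": [{"process_name": "invoice.exe", "command_line": "invoice.exe"},
                               {"process_name": "updater.exe", "command_line": "updater.exe -s"}],
                 "summary": {"file_written": [r"C:\Users\user\AppData\Roaming\updater.exe"],
                             "regkey_written": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater"]}},
    "network": {"hosts": ["203.0.113.50"], "domains": [{"domain": "update.example.invalid"}]},
    "signatures": [{"name": "persistence_autorun", "severity": 3,
                    "description": "Installs itself for autorun at Windows startup"}],
}
CLEAN = {
    "behavior": {"processes": [{"process_name": "notepad.exe", "command_line": "notepad.exe readme.txt"}],
                 "summary": {"file_written": [], "regkey_written": []}},
    "network": {"hosts": [], "domains": []},
    "signatures": [],
}

if __name__ == "__main__":
    for label, rep in (("quiet-evasive", QUIET_EVASIVE), ("active", ACTIVE), ("clean", CLEAN)):
        print(label, "->", verdict(rep), summarize(rep)["processes"])
```

With a real Cuckoo installation you would `json.load` the `report.json` from the analysis directory and adjust the key names in `summarize` to match your Cuckoo version. The point of the three-way verdict is the middle case: a sample that fires an anti-VM signature and then goes quiet has told you something, just not what you wanted to know.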
When previously undisclosed vulnerabilities in the Drupal web content management system (used by many large companies to manage their web sites) were announced, hackers were busy exploiting those weaknesses within hours. This incident highlights the bind that security people and system administrators increasingly find themselves in – we need to patch critical vulnerabilities quickly to protect our systems from compromise, but rolling patches out without proper testing can also lead to downtime (witness Microsoft’s recent run of faulty security patches). Having the skills to mitigate vulnerabilities (web application firewall rules, configuration changes, temporarily disabling the affected feature) while patches are tested and rolled out is something we need to cultivate as security pros.
A security vulnerability in the way that online storage provider Dropbox (and possibly rival Box) handled links to shared files made some documents (which were supposed to be viewable only by people designated by the file owner) accessible to web site owners using Google’s visitor analytics and advertising tools: when a recipient clicked a hyperlink inside a shared document, the shared-file URL travelled to the destination site in the HTTP Referer header, where it showed up in that site’s analytics. The rival online storage firm which found the issue claimed to have reported the problem (which gave access to sensitive files like mortgage documents and tax returns) to Dropbox last November. Dropbox fixed this issue, which it insists is a feature rather than a security flaw, this past Monday.
This issue highlights the need to make encryption of files and data stored on cloud service providers, with keys stored on the user’s local system, simple enough for non-technical folks. The solution also needs to be able to support sharing of encrypted files securely with a third party or with other cloud services you authorize. If cloud providers can get this right (no small feat), living your life in the cloud will truly be ready for prime time.
Some solutions which currently exist:
Boxcryptor is a software solution which sits on top of Dropbox and other storage providers and automagically encrypts files as they are sent to and received from the cloud. They provide secure sharing as well as mobile apps for the major platforms. Of course, since Boxcryptor is an overlay to services like Dropbox, using this product would break the integration between Dropbox and other cloud apps (which would only ever see ciphertext).
There is at least one consumer usable provider (SpiderOak) which currently claims to offer this type of Zero Knowledge Encryption.
The real answer to the issue of cloud encryption lies in having the encryption built in to the platforms in a standard and interoperable way. C’mon cloud vendors, you can do it!
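What "keys stored on the user's local system, with secure sharing to a third party" looks like in code is envelope encryption: each file gets its own random key, the file is encrypted locally before upload, and sharing means wrapping that file key to a recipient's public key so the provider only ever stores ciphertext and wrapped keys. The block below is an added example written for this page, not Boxcryptor's, SpiderOak's or Dropbox's code; it uses the `cryptography` package (AES-GCM for the file, X25519 + HKDF for the wrap), and the file name, document contents and recipients are constructed for the demo.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

NONCE_LEN = 12   # AES-GCM nonce
PUB_LEN = 32     # raw X25519 public key


def encrypt_file(plaintext, filename):
    """Encrypt locally before upload. Fresh 256-bit key per file; the filename is
    bound as associated data so a renamed or swapped ciphertext fails to decrypt.
    Returns (file_key, blob); only blob goes to the cloud provider."""
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    return file_key, nonce + AESGCM(file_key).encrypt(nonce, plaintext, filename.encode())


def decrypt_file(file_key, blob, filename):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(file_key).decrypt(nonce, ct, filename.encode())


def _kek(shared_secret, eph_pub, recipient_pub):
    """Key-encryption key from the ECDH secret, bound to both public keys."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"file-key-wrap|" + eph_pub + recipient_pub,
                backend=default_backend()).derive(shared_secret)


def wrap_file_key(file_key, recipient_pub):
    """Share with one recipient: ephemeral X25519 ECDH, HKDF, AES-GCM wrap.
    The recipient's private key never leaves their device; the provider can
    store this wrapped key next to the blob without being able to open either."""
    eph = X25519PrivateKey.generate()
    eph_pub = eph.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    rcpt_pub = recipient_pub.public_bytes(Encoding.Raw, PublicFormat.Raw)
    kek = _kek(eph.exchange(recipient_pub), eph_pub, rcpt_pub)
    nonce = os.urandom(NONCE_LEN)
    return eph_pub + nonce + AESGCM(kek).encrypt(nonce, file_key, eph_pub)


def unwrap_file_key(wrapped, recipient_priv):
    eph_pub = wrapped[:PUB_LEN]
    nonce = wrapped[PUB_LEN:PUB_LEN + NONCE_LEN]
    ct = wrapped[PUB_LEN + NONCE_LEN:]
    rcpt_pub = recipient_priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    kek = _kek(recipient_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub)), eph_pub, rcpt_pub)
    return AESGCM(kek).decrypt(nonce, ct, eph_pub)


def demo():
    """Owner encrypts a constructed document and shares it with Alice; Bob, who
    was not given a wrapped key, cannot unwrap it, and a renamed blob is rejected."""
    alice, bob = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    doc = b"Form 1040 - constructed sample tax return, not real data"
    file_key, blob = encrypt_file(doc, "taxes-2013.pdf")
    wrapped_for_alice = wrap_file_key(file_key, alice.public_key())

    alice_plain = decrypt_file(unwrap_file_key(wrapped_for_alice, alice), blob, "taxes-2013.pdf")
    try:
        unwrap_file_key(wrapped_for_alice, bob)
        bob_blocked = False
    except InvalidTag:
        bob_blocked = True
    try:
        decrypt_file(file_key, blob, "other.pdf")
        rename_detected = False
    except InvalidTag:
        rename_detected = True
    return {"alice_ok": alice_plain == doc, "bob_blocked": bob_blocked,
            "rename_detected": rename_detected}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that sharing never re-encrypts the file: adding a recipient is one more wrapped copy of the 32-byte file key, and revoking one means re-keying the file, not revoking the wrap (the recipient already had the key). That asymmetry is exactly the usability problem the paragraph above says the cloud providers have to solve for non-technical users.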
When the researcher reported the issue to Apple, he was told that they were aware of it but had no date for a fix.
This is why I continue to recommend that corporate users stick with containerized solutions for their iOS and Android mobile users. Consumer level mobile devices are not designed with the level of security appropriate for business (especially in highly regulated industries like Finance and Health Care). Yes, it would be nice to use the native apps on personal devices to deliver corporate data from an ease of use point of view, but if your users are carrying around sensitive information in their email attachments, you have to consider the risk of an adversary extracting that information from the device relatively easily.
Apple really dropped the ball on this one. They were not up front with their users regarding the loss of a key security feature and didn’t give them the chance to make an informed decision based on that information. Not cool. This incident underlines Apple’s lack of commitment to and understanding of the corporate market. If they want to be a corporate player, they need to step up and accept the responsibilities that the role entails – otherwise, stop trying to do things half way, guys.