Sunday, March 5, 2017

Intent, Opportunity and Capability (week 12)

If someone asked you who Harold T. Martin III was, would you know? What about Edward Snowden? Most people know the latter individual. These two people have something in common: Snowden ‘took’ a huge cache of classified documents and fled the United States in 2013. Martin, on the other hand, is in custody as of right now, arrested in August of last year for allegedly stealing classified material that was found in his home and car. In Martin’s case, some of the material he took, like the NSA-developed exploits, ended up being published online.
Image Courtesy of beforeitsnews.com
The debate is still on as to whether he published them himself or he was hacked and someone else published them. What these two contractors have in common is that they both worked for Booz Allen Hamilton, a well-known and established government contractor; nothing against Booz Allen, just a case of bad apples falling from their tree.

The National Counterintelligence and Security Center (NCSC) defines an insider threat as “…when a person with authorized access to U.S. Government resources, to include personnel, facilities, information, equipment, networks, and systems, uses that access to harm the security of the United States”. While the NCSC’s definition focuses on the U.S. Government, the same logic can rightfully be applied to private corporations, with the key takeaway being that these people have ‘approved’ access to and knowledge of your systems. Kind of tough to catch the insider threats then… wow! How do I know that Joe Blow from accounting has no malicious intent when he reads the company’s financials, or what Jane Doe from IT intends to do with the firewall policy report? We simply can’t. Intent is something that can’t be measured.

The threat triangle states that three things have to be present for a threat to materialize: Intent, Opportunity and Capability. If any one of those elements is missing, the threat may not materialize. Of the three, intent is the intangible element. You can measure whether someone is capable of doing something, and you can measure what your security landscape is and therefore determine what opportunities may be present in terms of security gaps/lapses, but you can’t measure whether someone intends to commit a crime. We can speculate based on other factors like debt issues, personal problems, or negative emotions towards the company, but all of these are at best guesses or speculation. The focus, therefore, should be on opportunity and capability when we are crafting an insider threat mitigation plan.

In conclusion

As the Snowden and Martin cases show, even the best of the best can and do experience insider threats. Every company has its ‘secret sauce’, and none wants its proprietary advantage, or whatever keeps it at the top of its food chain, exposed to the public. Many companies would fold if their trade secrets were publicized. Think about what Pepsi would do if Coke’s ‘recipe’ were publicized, or what Bing would do if Google’s search engine algorithms were readily available for the public to scrutinize. The insider threat is very real and can cause a lot of damage to a company. Every company should pay attention to its ‘approved’ humans and invest in controlling both external and internal threats accordingly.

Resources for Planning using NIST SP 800 Series (week 10)

Just like any other aspect of an organization, for the Information Security Program to be successful, planning is required. With proper planning, the business can succeed in meeting its overall business objectives, as it can map out the issues that may affect its day-to-day operations, like adhering to industry standards and regulations.
The U.S. Department of Commerce has an agency that publishes guidelines and recommendations that can be adopted by organizations to meet their security obligations. This agency, the National Institute of Standards and Technology (NIST), uses three Special Publication (SP) subseries to publish reference material regarding computer, cyber, and information security guidelines and recommendations.

The three are as follows:
SP 500, Computer Systems Technology – Started in January 1977; a more general IT subseries used by NIST to cover broad topics.

SP 800, Computer Security – Started in December 1990; NIST’s primary mode of publishing computer, cyber and information security guidelines, recommendations and reference materials.

SP 1800, NIST Cybersecurity Practice Guides – Started in 2015 as a complement to SP 800. It is more focused and covers cybersecurity challenges in both the public and private sectors.

About the Special Publications (800 Series)
The focus here will be on the SP 800 series, which is a set of publications that describe the United States federal government’s computer security policies, procedures and guidelines. In her article, NIST 800 Series, Margaret Rouse (2006) states that the NIST 800 Series publications cover NIST-recommended procedures and criteria for assessing and documenting threats and vulnerabilities. Under the SP 800 Series, many publications have been issued from its inception in 1990 to the latest release (a draft), SP 800-178, dated December 2, 2015.

As an organization plans its Information Security Program, some of these documents can be adopted. 

NIST Special Publication 800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
“With the increased use of computers for the processing and dissemination of data, the protection of PII has become more important to maintain public trust and confidence in an organization, to protect the reputation of an organization, and to protect against legal liability for an organization”. (McCallister, Grance, & Scarfone, 2010)
This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. PII can be described as any information that can be used to identify an individual; full names, SSNs and ID numbers, just to mention a few, can be considered PII. SP 800-122 states that organizations should identify what PII exists within their systems, retain PII only on an as-needed basis, categorize the PII based on confidentiality impact levels and apply safeguards accordingly, develop an incident response plan in case of a breach, and ensure that there is cohesiveness between the different responsible parties/departments, including legal counsel.

NIST Special Publication 800-163 – Vetting the Security of Mobile Applications 
The current trend in many organizations is to allow for mobile work capabilities, and with this new open business world, mobile applications have become increasingly popular. SP 800-163 authors Quirolgico, S., Voas, J., Karygiannis, T., Michael, C., & Scarfone, K. (2015) state that “such apps have increased productivity by providing an unprecedented level of connectivity between employees, vendors, and customers, real-time information sharing, unrestricted mobility, and improved functionality”. The downside to this trend is that app developers do not always have security in mind when building their applications. This publication acts as a guide to help organizations develop a plan for vetting mobile applications, from the app acquisition stage all the way to the adoption or rejection phase.

Conclusion
The National Institute of Standards and Technology (NIST) SP 800 series guides can assist an organization in planning the development of its Information Security Program. These documents, although mainly targeted at federal institutions and their affiliates, can prove to be valuable to any organization. One example is the protection of PII. Just in June of 2015, the Office of Personnel Management (OPM) was breached and PII was exfiltrated from its systems. All organizations have PII, and if OPM (a government agency) was breached, then ‘civilian’ organizations should rethink their current setup (if any) and adopt some of the guidelines listed in SP 800-122. Also, with the current advancements and changes in how we work, things like BYOD, wireless technologies and working from home, organizations need to follow more structured and proven guidelines when it comes to protecting their information, assets and people. Using the SP 800 series documents might just ease the adoption of such security measures even in the civilian world.

References
McCallister, E., Grance, T., & Scarfone, K. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). NIST Special Publication 800-122.

Quirolgico, S., Voas, J., Karygiannis, T., Michael, C., & Scarfone, K. (2015). Vetting the Security of Mobile Applications. NIST Special Publication 800-163. 

Rouse, M. (2006, May 1). NIST 800 Series. Retrieved December 19, 2015, from http://whatis.techtarget.com/definition/NIST-800-Series 

Intrusion Detection Systems (week 9)

You are watching your favorite news channel and the breaking news for the day is about a ‘bandit’ who broke into a 7-Eleven store and made away with a case of warm beer. Reports state that the unidentified hoodlum used a bat to break the glass door, which triggered the alarm, and as he rushed into the store to grab his loot the camera recorded his every move. The picture is a little blurred, but you could identify him if you knew him. The local PD is appealing to the community to help apprehend the suspect. Now to link that story to what intrusion detection systems (IDS) are: the alarm system that went off after he broke the front door and the CCTV that captured the burglar’s every move can both be considered intrusion detection systems. The alarm detected the break-in and the CCTV captured the burglary. Both systems only ‘detected’ and ‘recorded’; neither stopped the burglar from breaking and entering. The local PD used one of the detection systems (the cameras) to try to resolve the case, and the convenience store owner and possibly law enforcement were notified of the break-in by the alarm going off.
IDS Depiction Photo: Courtesy of IBM Systems Magazine
So the definition of an IDS is a system that flags anomalies or suspicious activity deemed harmful to the network or devices being monitored. SANS Critical Security Control number 12 (CSC 12) talks about boundary defense, and one of the line items under this control is the deployment of intrusion detection systems (IDS sensors). An IDS looks for anomalies within traffic and reports or alerts on the observed ‘issues’.

IDS can be classified into two categories based on how they are deployed: Host-Based Intrusion Detection Systems (HIDS) and Network-Based Intrusion Detection Systems (NIDS).
HIDS is when the system is deployed at the host level (endpoint), for example on workstations, while NIDS is when the solution is deployed at the perimeter level, for example at the demilitarized zone (DMZ) or the edge of the network. NIDS yield more false-positive alerts due to the way they work: they attempt to read the network activity pattern to determine what is normal and what isn’t.

Whether a system is deployed at the host or network level, both analyze traffic based on either signatures or anomalies (patterns). Signature-based analysis entails pattern matching. The IDS has predefined signatures that are matched against the observed traffic, and if there is a ‘hit’, the system flags that traffic as bad. The signature may match known malicious IP addresses or domains, malicious files, or web requests, to mention a few. The downside of this technique is that if there is no matching signature, as is the case with zero-day exploits (newly discovered, unpublished), the system will miss it. Regular updates are required with this technique to ensure that the system covers most types of attacks out in the wild. The advantage of the technique is that it is not resource intensive and, apart from the regular updates, does not require much maintenance. A well-known open source IDS solution that utilizes signature-based techniques is Snort. With Snort, you can subscribe to receive regular updates that are pushed to the system to correct existing signatures (if needed) and add any new rules that may have come out.

Anomaly-based (aka behavior-based) detection works by first establishing a baseline and then generating alerts whenever this baseline is breached. The anomaly-based technique is good for detecting new threats like the zero-day exploits that signature-based techniques miss. The problem with this technique is that it requires a lot of processing power, since it is constantly comparing the current activity to the baseline. It is also prone to a lot of false-positive triggers in environments that experience a lot of change.

Current IDS systems tend to utilize both analysis techniques to maximize the effectiveness of the system. These systems have signatures saved in their data bank and also monitor the traffic to capture any trends that may form an anomaly relative to the baseline. This type of system is more resource intensive but is more effective in comparison to systems that only employ one technique.
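As an added illustration of the three approaches just described (this is example code written for this post, not Snort or any product’s logic), the script below runs a signature engine and an anomaly engine over a constructed connection log and then combines them the way a hybrid IDS would. The log format, the IP addresses (documentation ranges) and the ‘known-bad’ list are all assumptions constructed for the example; the new workstation that the anomaly engine flags shows the false-positive behaviour the text mentions.

```python
import re
from collections import Counter

# Log line format assumed for this example (constructed, not from any real product):
#   src=<ip> dst=<ip> port=<n>
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) port=(\d+)")

# Constructed "signature" set: destinations already known to be malicious.
# 203.0.113.0/24 is a documentation range, so this is a placeholder, not a real IoC.
KNOWN_BAD_DST = {"203.0.113.7"}

# Constructed baseline window of normal traffic (what the anomaly engine learns from).
BASELINE_LOG = [
    "src=192.0.2.10 dst=198.51.100.5 port=443",
    "src=192.0.2.10 dst=198.51.100.6 port=443",
    "src=192.0.2.11 dst=198.51.100.5 port=80",
    "src=192.0.2.11 dst=198.51.100.7 port=443",
    "src=192.0.2.12 dst=198.51.100.5 port=443",
]

# Constructed observation window: one contact with a known-bad host, one burst
# to an unknown host (the "zero-day" case no signature exists for), and one
# brand-new but legitimate workstation that the anomaly engine will wrongly flag.
OBSERVED_LOG = (
    ["src=192.0.2.10 dst=203.0.113.7 port=443",
     "src=192.0.2.11 dst=198.51.100.5 port=80"]
    + ["src=192.0.2.12 dst=203.0.113.9 port=4444"] * 8
    + ["src=192.0.2.13 dst=198.51.100.5 port=443"]
)


def parse(lines):
    """Yield (src, dst, port) for every line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def signature_alerts(lines, bad_dst=KNOWN_BAD_DST):
    """Signature engine: a 'hit' only when the destination is on the known-bad
    list. Cheap to run, but blind to anything not yet in the list."""
    alerts, seen = [], set()
    for src, dst, _ in parse(lines):
        if dst in bad_dst and (src, dst) not in seen:
            seen.add((src, dst))
            alerts.append({"engine": "signature", "reason": "known-bad destination",
                           "src": src, "dst": dst})
    return alerts


def anomaly_alerts(lines, baseline, factor=3):
    """Anomaly engine: learn per-source connection counts from the baseline,
    then flag sources that exceed factor x the busiest baseline source, or that
    never appeared in the baseline at all (a common false-positive source)."""
    base_counts = Counter(src for src, _, _ in parse(baseline))
    threshold = factor * max(base_counts.values())
    observed = Counter(src for src, _, _ in parse(lines))
    alerts = []
    for src, n in sorted(observed.items()):
        if src not in base_counts:
            alerts.append({"engine": "anomaly", "reason": "unseen source",
                           "src": src, "count": n})
        elif n > threshold:
            alerts.append({"engine": "anomaly", "reason": "rate above baseline",
                           "src": src, "count": n})
    return alerts


def hybrid_alerts(lines, baseline):
    """A hybrid IDS runs both engines: more CPU spent, but it catches both the
    known-bad contact and the unknown burst that the signature engine misses."""
    return signature_alerts(lines) + anomaly_alerts(lines, baseline)


if __name__ == "__main__":
    for alert in hybrid_alerts(OBSERVED_LOG, BASELINE_LOG):
        print(alert)
```

Running it shows the signature engine alone missing the burst to 203.0.113.9, the anomaly engine alone missing the single contact with 203.0.113.7, and the anomaly engine also flagging the harmless new host 192.0.2.13, which is the kind of alert an analyst still has to triage.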

Conclusion
Both host- and network-based IDS systems provide a level of protection that can be beneficial to any organization. Some cons of one system can be offset by deploying the other as a complement. For example, a NIDS may not be able to inspect encrypted traffic traversing the wire, but a HIDS may be able to, as the host exposes the already decrypted traffic to the host-based IDS. If possible, a business would be better off deploying both solutions as a defense-in-depth strategy. In cases where the budget does not allow it, a small business should deploy a network-based IDS first and then eventually add a host-based system if possible. The network-level intrusion detection system provides much broader coverage for the entire business at a lower cost, as opposed to the host-based system, which may require more sensors to be deployed at the host level. With a network-based system, the sensor(s) can be deployed at the entry point, and this will cover all outbound traffic from the internal network and also inbound traffic from the external world.

As with any IDS solution, the ultimate effectiveness of the chosen solution, be it host- or network-based, depends on human interaction and action.


References
The CIS Critical Security Controls for Effective Cyber Defense Now. (n.d.). Retrieved February 21, 2016, from sans.org website: https://www.sans.org/critical-security-controls

Security 101 at Home (week 8)

Just like most of the millions of computer users out there, I’m positive that if you peruse my personal computer, you may run into some personal information saved there. Before the introduction of computers and their storage capabilities, people saved important documents in files locked in file cabinets either at home or at work. Now that computers are available to most individuals, this physical storage (file cabinets) has been converted to hard drives on computers. Due to the convenience, like many others, I am guilty of readily embracing the change and ‘sadly’ saving information that may be critical to my personal life and definitely my family’s too. The only advantage I can say I have is that the information is not all saved in one place and it would take some digging around to gather it.

Having a wife and kids in the household means that multiple users have access to the files and information on the computer, but the extent to which they have visibility varies. If this information were lost, it would not be as detrimental, since I still believe in the traditional way of having a hard ‘paper’ copy of important documents. I can probably get away with this until the entities I deal with decide to go all paperless. If, on the other hand, the information were somehow compromised, then some personal information may be obtained, and the extent of the damage would depend only on the motives of the attacker. I have also backed up the contents of the computer in case of data loss.

It is scary thinking about what information can be retrieved from our personal computers. To try to minimize the risks, I adhere to some basic security practices like password enforcement. Having multiple users in the household means creating different user accounts to worry about, and with kids, if not monitored, the extent of exposure is immense. For any activity that requires administrative privileges, a password is required. The kids are also not allowed to download or open anything that has not been sanctioned by us, the parents. The kids use the guest account when using the computer. We also limit the usage of the computer to certain times, and they are mostly allowed some free rein on the gaming console and tablets, which don’t have any personal information.

The steps or precautions I mentioned above are all educational and policy-related measures, but on the technology side of protecting personal information, I ensure that all systems in the house are patched and up to date. All computers have paid anti-malware software installed on them, which is, in my opinion, slightly better than the free versions, which may miss some signatures or have a delayed span between signature updates. The subscription is kept up to date to ensure updates are downloaded as they become available. Not many people know that Windows provides a firewall; I also have this enabled in addition to the firewall capability of the anti-virus software. For online protection, the anti-malware software provides protection.

To ensure the weakest link doesn’t fail us, I constantly remind my kids and wife of the importance of being aware of their surroundings and being vigilant when on the net.

In conclusion
I don’t think there is anything wrong with saving personal information on a computer; we just need to take extra precautions to ensure this information is not compromised. My plan is to always save personal information on an external hard drive and only expose it to systems that are connected to the internet when I need to view that information.

Why Cybercrime Awareness is Important (week 7)

Cybercrime photo: Courtesy of State of Jersey Police
Cybercrime is any crime that involves a computer and a network, whereby the computer may be used to commit a crime or the computer may be the target of an attack. Interpol classifies Internet-related crimes as either advanced cybercrime, which involves attacks against computer hardware/software, or cyber-enabled crime, which is traditional crime conducted with the aid of a computer.
IT professionals should be concerned with cybercrime because of the impact it has on our day-to-day lives. Although there are a lot of devices connected to the interconnected networks (the Internet), its foundation is considered shaky.

Cybercrime affects the entire society, given that the global economy is dependent on the proper working of the Internet. Dependence means a vulnerability that can be exploited. Attackers are known to use encrypted methods to communicate amongst each other, which makes it difficult for law enforcement to intercept their communication. The Internet also provides a wealth of information for hackers and cyber-terrorists to reference for different cyber-attack methods. This means that hacking pranksters who cause annoyance by taking down popular web sites, and also professional hackers who are employed by criminal organizations and rogue states, can easily look up how to attack an organization and get that information from the Internet.

Critical infrastructure like the power grid, transportation and financial institutions is at risk, and there is no capability to identify where the threat will come from or when it will even take place; the anonymity of the attacks makes the battle tougher. Shutting down the power grid, attacking a command and control center, and attacks on federal agencies are just some of the acts of cyber-terror that can be carried out. Terrorists using physical threats like bombs together with information warfare to disrupt emergency response services cause double the havoc.

Cyberattacks on the financial sector can cause the same damage as an actual physical attack on the infrastructure. Some of the major computer-facilitated crimes that hit the financial sector include web auction fraud, general merchandise fraud, Internet services fraud, pyramid money laundering schemes, credit card fraud and advance fee loans, among many others. These same crimes have long been carried out via wire fraud, where attackers call up victims to try to con them into a bad deal, but now they are conducted through the Internet as well.

To counter law enforcement, criminals are using police scanners, which can track law enforcement activities. This helps them avoid detection, and they can also intercept intel and communication that can be used to evade capture.

Conclusion

The government cannot address cybercrime alone, and it seems as though the criminals are always one step ahead in the game. Including teams like Systems Engineering and Technical Assistance (SETA) should be a common theme, as the private sector has a wealth of information and can bring a different angle and new ideas to the table when it comes to trying to stay ahead of attackers. Preventing cybercrime is an all-inclusive game, given that the criminals always seem to be one step ahead of the good guys.

Firewalls, Patches and System Updates (week 6)

A firewall is a system designed to prevent unauthorized access from one point to another within a network and can be implemented as hardware or software components. Firewalls are considered gatekeepers and, if set up and configured correctly, can be vital in stopping a lot of potential threats. A good example would be setting up geo-blocks on next-generation firewalls if a business does not conduct any business transactions with foreign entities. Having such a rule in place instantly blocks traffic from outside the United States.

Patch Tuesday: Courtesy of Windows10update.com
Patches and Updates
If you are in IT, you should know about the infamous ‘Patch Tuesday’. This is the day (the second Tuesday of the month) on which Microsoft releases patches. As well known as this date is, most organizations still don’t push out the patches and updates as they are released to the public. Patching and ensuring that systems are up to date is crucial to covering known vulnerabilities and keeping security updates current. Patching, however, is not always smooth sailing. Microsoft’s regular “Patch Tuesdays” have led to “Recall Thursdays,” with various patches breaking Office, affecting the functionality of Windows and even resulting in complete system crashes and the dreaded Blue Screen of Death (Shinder, 2015).

To ensure that patches and updates don’t break systems, we need to establish change control policies, which should include testing the patches in non-production environments before deploying them. Despite the issues that can come about from system patches and updates, the pros far outnumber the cons, and systems should always be kept current. In cases where systems cannot be updated for some business reason, isolating those systems is advisable to avoid exposing the business to risk.

Protection against threats
Simply propping up a firewall and ensuring systems are patched and up to date is not the end of securing networks. Security needs to be approached in multiple layers. Some attacks tend to focus on the weakest link in the system: humans. A well-known avenue for this is email scams such as the Nigerian (419) scams, which many people fall for, losing fortunes while chasing more fortunes. Phishing emails are used to harvest personal information from unsuspecting users. Counterfeit software gets installed on our systems and tracks our every move.

The Web is full of booby traps everywhere we turn or click. Malware, adware, Trojans, viruses; the list is endless. It seems like the only way to stay safe is to operate in a vacuum, but for the many businesses and individuals who don’t have this luxury, steps need to be taken to at least stay safe while connected to the World Wide Web. Anti-malware, anti-virus software, and verifying software and hidden add-ons before installing them are ways of protecting ourselves from these threats.


References:
Whitman, M., & Mattord, H. (2014). Introduction to the Management of Information Security. In Management of Information Security (4th ed.). Cengage Learning.
Finley, K. (2014, June 6). Online Security Is a Total Pain, But That May Soon Change. Retrieved December 6, 2015, from http://www.wired.com/2014/06/usable-security/
Shinder, D. (2015, January 14). Patch or Not? Weighing the Risks of Immediate Updating. Retrieved December 6, 2015, from http://www.windowsecurity.com/articles-tutorials/misc_network_security/patch-or-not-weighing-risks-immediate-updating.html