Friday, November 20, 2015

Is It Warfare or Something Else?

The term “warfare” – when talking about information warfare or cyber warfare – is somewhat misleading.  The term “warfare” indicates a conflict between governments, nations, or at least corporate entities.  The problem I have with using this term in this context is that it implies that the average individual is not at risk or affected.

The amount of data about the average person that is now stored on government, corporate, or social sites, servers, and databases is astonishing; while no one entity may have the entire puzzle, many have pieces.  Retailers collect information on what you buy and how you pay. Creditors collect information on your assets, debts, and credit ratings.  There are all kinds of things “out there”; just do a simple Google search and you will find information that may surprise you…

https://www.mindpointgroup.com/wp-content/uploads/2014/08/Impact-of-Cyber-Attacks-on-the-Private-Sector.pdf

That being said, information warfare affects everyone.  Look at the OPM hack – millions of people had detailed and confidential information compromised, along with countless other people who had been interviewed, listed as a reference, or involved in a security clearance review. Data breaches at major retailers, such as Target and Home Depot, have exposed the information of many more.

http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014

Maybe we should coin a new term, perhaps “Cyber Assault” or “Cyber Mugging.”  After all, we are hearing more about direct attacks against private individuals, such as ransomware attacks, where a hacker locks down your computer until you pay them to release it.  This sort of attack really is not “warfare” between large organizations, but an electronic version of extortion and theft that can happen to almost any private citizen.

http://www.trendmicro.com/vinfo/us/security/definition/Ransomware

Wednesday, July 29, 2015

Standardization... Again!

I know I have beaten this horse before, but it amazes me how such a simple concept can be ignored. Recently the Stagefright vulnerability in Android OS version 2.2 and above was announced.  Google has promised a speedy fix to this issue, but it may not be as simple as they say.  Because there are so many vendors and manufacturers – each with their own versions, restrictions, and customizations to the Android OS – a single patch may not work on many systems.  With 950 million devices affected, how many cannot be fixed at all?

“But because many users are not running the latest version of Android — in many cases because they simply cannot, thanks to restrictions in place by handset makers — the vulnerability is said to affect an estimated 95 percent of Android device owners. That would mean some 950 million Android handsets could be affected by the exploit.”

http://appleinsider.com/articles/15/07/28/stagefright-vulnerability-compromises-android-phones-with-1-text-message-may-affect-950m-devices

In contrast, Apple reports that 85 percent of its users are running iOS 8 or later, 13 percent are still on iOS 7, and only 2 percent are on earlier versions.

I’m not going to debate the merits of Apple versus Android here.  But with a limited set of versions in use, patches, security updates, and fixes are much easier and faster to release.

The same is true in your own environments.  Imagine running several different operating systems, with multiple applications, on disparate hardware platforms.  Now you have to know (and be proficient with) several operating systems, applications, and hardware platforms, and you need to keep monitoring and management in mind as well.

I get it, and I have done it… Installing some lightweight OS and tweaking it until it performs great and is relatively secure sounds good, but multiply that process by hundreds or thousands of systems and the “fire and forget” method of a standardized environment starts to look pretty good.  Less potential for bad press, anyway.

http://www.pcworld.com/article/2953484/android/google-pledges-a-speedy-stagefright-security-fix-for-nexus-devices.html

Saturday, March 28, 2015

What is an Enterprise?

Lately, I have been part of an ongoing debate about what exactly constitutes an enterprise, so I thought I would pop over to Google and settle this conversation quickly… Imagine my surprise when I could find no clear definition. That is not to say that I found no definitions; rather, I found many, most of which do not match each other.

Below are a couple examples of what I found searching the Internet:

“1) An enterprise server is a computer containing programs that collectively serve the needs of an enterprise rather than a single user, department, or specialized application. Historically, mainframe-sized computers have been enterprise servers although they were not referred to as servers until recently.  As smaller, usually UNIX-based servers and Wintel computers have become faster and have been provided with enterprise-wide program management capabilities, they have also been referred to as enterprise servers.  In this usage, an enterprise server is both the computer hardware and its main software, the operating system.  Examples are Sun Microsystems' computers with their UNIX-based Solaris or Linux systems, Hewlett-Packard (HP) systems, the upper end of Windows 2000 systems, and IBM's iSeries systems (the largest of which is the zSeries 900, formerly called the S/390).

2) Some companies use enterprise server to describe a ‘superprogram’ that runs under the operating system in a computer and provides services for the system administrator and for the business application programs and more specialized servers that run in the computer.  Before this usage originated, such services were sometimes considered part of the operating system itself or came in separate software packages.  Originally, many services provided by an enterprise server tended to be available only on IBM or similar mainframe computers, while less powerful computers ran specialized applications.  As these smaller "server" computers (such as those from Sun Microsystems and HP) became better adapted for business (and recently Internet) applications, the bundle of services required to manage a company-wide set of applications was renamed ‘the enterprise server.’  More specialized servers include the Web server, firewall server, database server, and so forth.”

http://whatis.techtarget.com/definition/enterprise-server

“Definition - What does Enterprise Computing mean?

Enterprise computing is a buzzword that refers to business-oriented information technology that is critical to a company’s operations.  Enterprise computing encompasses all the various types of enterprise software, including database management, relationship management and so on. Enterprise computing is usually seen as a collection of big business software solutions to common problems such as resource management and streamlining processes.

Techopedia explains Enterprise Computing

Enterprise computing is sometimes sold to business users as an entire platform that can be applied broadly across an organization and then further customized by users within each area. This means the analytics, reporting, database management and other applications are standard across the system, while the application packages being used and the data being accessed in each area will be different.  In this sense, enterprise computing is a departure from finding single software solutions to specific business problems, such as inventory or accounting software. Instead, enterprise computing is intended to offer integrated solutions to these problems.”

http://www.techopedia.com/definition/27854/enterprise-computing

In looking at these various definitions, it becomes apparent that enterprise can be defined in multiple ways, either as a server providing an enterprise service or as a suite of management tools (software) to manage the aforementioned servers.  So, which is it?  One or the other, both or neither?

I believe an enterprise to be a set of systems that work together to provide services to the entire organization.  I also believe that to be considered “Enterprise Level,” some sort of centralized management and monitoring needs to be incorporated into the structure.

That’s a pretty plain and simple definition; however, it also highlights a problem that we have in our industry – namely, the lack of consistent terminology.  Remember “The Cloud”?  Ask any vendor what the cloud is, and you will get a different answer from each one.  Ask a Windows admin and a Unix/Linux admin the definition of enterprise, and watch the arguments ensue.  I was told by a vendor that another vendor’s storage solution was not “Enterprise” class storage… Well, go ahead and define that for me.  Each system was designed to be highly available and redundant, so what makes one “Enterprise” and another not?  Stay tuned for a continuation of the Enterprise theme in my next blog post.

Saturday, December 6, 2014

Emerging Technology and Cybersecurity

As an engineer, I am often asked to research and implement new technologies, and I am frequently surprised by the lack of security awareness from vendors.  Most of the time, the lengthiest part of the entire implementation is getting a new piece of technology through the security process, as the vendors often have little in the way of documentation concerning what is acceptable to close or disable to address security risks.

Now, more and more companies are releasing products as appliances, both physical and virtual, that you just plug into your environment and begin using. This is great from a deployment and management standpoint and is much easier for the vendor to support; however, any unapproved change can cause you to lose support from the vendor.  Surprisingly, multiple appliances from the same vendor will often also have dissimilar configurations and vulnerabilities.  These days, each product is made by a different group within the company, and little to no effort is made to standardize these products.

One product I recently started evaluating consists of eighteen virtual appliances.  All of these appliances run the same operating system, but each one is at a different patch level and revision, and each has a different set of unused services enabled.  This makes the security process a nightmare, forcing us to:
Evaluate each appliance and submit a report on each one to security
Determine exactly what they absolutely require us to fix
Submit that list to the vendors for permission or assistance to fix
Wait for their engineers to evaluate the fix
Fix what is allowed by the vendor (to keep support)
Submit back to our local security for approval

I would expect this lack of awareness from a startup or newer vendor who may not yet have had to deal with secure environments; most corporate enterprises are more forgiving when it comes to internal security.  But I am seeing this from large, longtime vendors who should have had security awareness in mind when these products were designed and built.

http://searchsecurity.techtarget.com/tip/Information-security-policy-management-for-emerging-technologies

I understand that some security items may have to be adjusted for functionality; however, I am talking about basic cleanup – things like unused services still enabled, unneeded ports left open, and application or operating system patches that are not up to date or at least not at the same levels across appliances.
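The evaluation steps above (assess each appliance, work out what actually has to change, and hand the vendor one consolidated list) are the kind of thing worth scripting once and running against every appliance. The following is an added example, not the vendor's tooling or anything from the original post: the appliance names, patch dates, services and ports are constructed, and the baseline is assumed to be the documented (or vendor-confirmed) set of services and ports the appliance role really needs. It reports, per appliance, the unneeded services, unexpected listening ports, missing baseline services and patch lag relative to the newest appliance in the fleet, and collapses the results into the de-duplicated list that goes to the vendor.

```python
"""Configuration-drift audit across a set of virtual appliances.

Added example; INVENTORY and the BASELINE_* sets are constructed values,
not vendor data.
"""
from collections import Counter

# Assumed baseline for this appliance role: what it genuinely needs to run.
BASELINE_SERVICES = {"sshd", "ntpd", "appd"}
BASELINE_PORTS = {22, 443}

# Constructed inventory: same OS image, but different patch levels and leftovers.
INVENTORY = [
    {"name": "va-01", "patch": "2014-11-03",
     "services": {"sshd", "ntpd", "appd"}, "ports": {22, 443}},
    {"name": "va-02", "patch": "2014-07-15",
     "services": {"sshd", "ntpd", "appd", "telnetd"}, "ports": {22, 23, 443}},
    {"name": "va-03", "patch": "2014-03-02",
     "services": {"sshd", "appd", "cupsd", "snmpd"}, "ports": {22, 161, 443, 631}},
    {"name": "va-04", "patch": "2014-11-03",
     "services": {"sshd", "ntpd", "appd", "rpcbind"}, "ports": {22, 111, 443}},
]


def audit_appliance(appliance, newest_patch,
                    baseline_services=BASELINE_SERVICES,
                    baseline_ports=BASELINE_PORTS):
    """Return the findings for one appliance: unused services, unexpected
    listening ports, missing baseline services, and patch lag."""
    findings = []
    extra_services = appliance["services"] - baseline_services
    missing_services = baseline_services - appliance["services"]
    extra_ports = appliance["ports"] - baseline_ports
    if extra_services:
        findings.append(f"unneeded services enabled: {sorted(extra_services)}")
    if missing_services:
        findings.append(f"baseline services missing: {sorted(missing_services)}")
    if extra_ports:
        findings.append(f"unexpected listening ports: {sorted(extra_ports)}")
    if appliance["patch"] < newest_patch:  # ISO dates compare correctly as strings
        findings.append(
            f"patch level {appliance['patch']} behind fleet newest {newest_patch}")
    return findings


def audit_fleet(inventory=INVENTORY):
    """Audit every appliance against the baseline and the newest patch level
    present in the fleet.  Returns (per-appliance findings, patch-level spread)."""
    newest_patch = max(a["patch"] for a in inventory)
    report = {a["name"]: audit_appliance(a, newest_patch) for a in inventory}
    spread = Counter(a["patch"] for a in inventory)
    return report, spread


def vendor_request(report):
    """Collapse the per-appliance findings into one de-duplicated, sorted list,
    the form in which the fixes are submitted to the vendor for approval."""
    return sorted({f for findings in report.values() for f in findings})


if __name__ == "__main__":
    report, spread = audit_fleet()
    print("patch levels in fleet:", dict(spread))
    for name, findings in report.items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
    print("items to raise with the vendor:", len(vendor_request(report)))
```

The patch-level spread alone (here two appliances at one level and two stragglers) is usually the first thing worth showing the vendor, since it proves the appliances came from different build pipelines rather than one maintained image.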

Many of the new technologies, and current technologies that we have recently upgraded, are now requiring Internet access to download patches or updates and report health back to the vendor.  This has been true for a long time now, but there was always the off-line option that an admin could use to download the patches and updates for non-Internet connected networks.  Now, I no longer have these options (at least not in an easy way).  This forces me to backdoor the systems to maintain current operations, possibly introducing more security risks, or at least risks for application corruption.

I have said before, and I still strongly believe, that it is much easier to build with security in mind than to try to secure a product that was never designed from the standpoint of security.  With all the reports of data thefts in the news, what company is not concerned with security?  Vendors need to establish security as a key cornerstone of any new product to remain relevant and competitive in today’s environment.

https://www.gtisc.gatech.edu/pdf/Threats_Report_2014.pdf

Friday, September 5, 2014

Datacenter Security - Back to Basics

A few days ago, a situation in a local organization took place where a well-intentioned IT employee caused several thousand dollars’ worth of damage and hours of downtime.  He was trying to help organize a datacenter and damaged some fiber cables that provide the backbone between two environments.

Immediately, questions were asked.  Why was he in the datacenter unescorted?  How did he get access?  Why was he working on equipment he had no reason to have access to?  In IT, we put a lot of effort into securing our systems and our networks.  We spend a lot of money purchasing intrusion detection systems, firewalls, anti-virus/malware systems, and so on.

It occurred to me that we often have no idea who is in a datacenter at any given time.  Especially in a large datacenter or an environment with multiple datacenters, several people from different departments, divisions, companies, or workgroups can gain access to the datacenters and everything in them.  Some time ago, I attended a training class for ethical hacking that focused on preventing hacking; several of the methods involved the hacker actually having physical access to your equipment, cables, etc.  I kind of dismissed these threats, thinking that if a hacker had physical access to my datacenter, they would own me; they could just pick up my equipment and take it with them. I still believe that to be true; however, an insider could very well walk out of a datacenter they have legitimate access to with data they don’t.

My first thought was that combination locks should be installed on all datacenters to ensure that nobody could gain unauthorized access, but what about shared datacenters?  Many equipment racks have locking doors that can be secured to protect the equipment and cabling inside, but most of the racks usually take the same key.

I have worked in datacenters that had card swipes on each rack, so that you could access only the equipment to which you had been granted rights and nothing more.  A record was also kept of who accessed which racks and when.  The only downside is that this is another system that needs to be managed.

Obviously you need to put some trust into who you allow into your datacenter, but accidents do happen.  Most equipment and racks look very much alike, so mistakes can occur.  The challenge we now face is how to defend against and mitigate the risk of unauthorized datacenter access.  I have utilized several shared datacenters, and access to these datacenters was very controlled and limited… but most of the time when I went in there, someone else was there.  I often didn’t know who they were, and they didn’t know me.

There are lots of potential solutions that come to mind, but this just goes to show the importance of the basic physical security aspect of IT – which is, unfortunately, often overlooked when developing layered security and defense-in-depth strategies.
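The per-rack card-swipe record described above is only useful if someone actually reads it, and the two questions raised at the top of the post (who was in there unescorted, and who opened a rack they had no business in) can both be answered from that record. The following is an added example, not the page's own code or any badge vendor's format: the badge IDs, rack labels, entitlement table and log lines are constructed. It replays door and rack events in order, tracks who is in the room, and flags a visitor entering or being left in the room with no entitled staff present, a rack opened by a badge with no recorded door entry, and a rack opened by a badge that is not entitled to it.

```python
"""Physical-access audit over a constructed badge-system log.

Added example.  ENTITLEMENTS, STAFF and SAMPLE_LOG are constructed values;
the log format (timestamp, event, object, badge) is assumed, not a vendor's.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed rack entitlements: which badges may open which racks.
ENTITLEMENTS = {
    "badge-1001": {"R01", "R02"},   # storage admin
    "badge-2002": {"R07"},          # network admin
}
STAFF = set(ENTITLEMENTS)           # anyone else is a visitor who needs an escort

# Constructed log: ISO timestamp, event, door/rack label, badge.
SAMPLE_LOG = """\
2014-09-02T14:01:05 DOOR_IN DC1 badge-1001
2014-09-02T14:03:20 RACK_OPEN R01 badge-1001
2014-09-02T14:10:44 DOOR_IN DC1 badge-3003
2014-09-02T14:12:09 RACK_OPEN R07 badge-1001
2014-09-02T14:20:00 DOOR_OUT DC1 badge-1001
2014-09-02T14:25:30 RACK_OPEN R02 badge-3003
2014-09-02T14:40:00 DOOR_OUT DC1 badge-3003
"""


@dataclass
class Event:
    ts: datetime
    kind: str     # DOOR_IN, DOOR_OUT or RACK_OPEN
    target: str   # door or rack label
    badge: str


def parse_log(text):
    """Parse the constructed log format into Event objects, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, target, badge = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, target, badge))
    return events


def audit(events, entitlements=ENTITLEMENTS, staff=STAFF):
    """Replay the events and return a list of human-readable findings."""
    findings = []
    present = set()  # badges currently inside the room
    for e in events:
        when = e.ts.isoformat()
        if e.kind == "DOOR_IN":
            present.add(e.badge)
            # A visitor entering with no entitled staff already inside is unescorted.
            if e.badge not in staff and not (present & staff):
                findings.append(f"{when} unescorted entry by {e.badge} into {e.target}")
        elif e.kind == "DOOR_OUT":
            present.discard(e.badge)
            # The last staff member leaving strands any visitors still inside.
            if e.badge in staff and not (present & staff):
                for visitor in sorted(present - staff):
                    findings.append(f"{when} {visitor} left unescorted in {e.target}")
        elif e.kind == "RACK_OPEN":
            if e.badge not in present:
                findings.append(
                    f"{when} rack {e.target} opened by {e.badge} with no door entry recorded")
            if e.target not in entitlements.get(e.badge, set()):
                findings.append(
                    f"{when} rack {e.target} opened by {e.badge} without entitlement")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample log this reports three things: the storage admin opening the network rack R07, the visitor being left alone when the admin walks out, and that same visitor then opening R02. None of those is a break-in, which is the point of the post: the risk is as much accident and over-broad access as it is an intruder.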

http://www.techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/

https://www.nsa.gov/ia/_files/support/defenseindepth.pdf

http://www.sans.org/reading-room/whitepapers/warfare/defense-depth-impractical-strategy-cyber-world-33896

Thursday, June 26, 2014

Big Data, Big Data Loss

More and more we are hearing about people’s personal data being lost by big companies.  Recently Target lost forty million customers’ credit card information and seventy million home addresses.  My first reaction was that I was really glad that I didn’t have any information with Target, but then I got to thinking…  We do shop at Target, and we do use credit cards, so maybe they did get some of my info.  However, as far as we know, we were lucky and were not part of the data breach. Target is in no way the only business to lose personal data, just one of the biggest recently.  A while back I had to do some research on Data Mining and Big Data providers, and this got me to thinking about how to avoid being on the next compromised data list.

http://datalossdb.org/index/largest

http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

So I am a little paranoid by nature, and although I work in IT and am on computers all day most every day, I don’t use one at home for entertainment purposes.  I have no interest in Facebook, Pinterest, Twitter, and so on.  I do occasionally shop online, but only with companies I research first.  I do have a LinkedIn account for professional networking and a Google Plus account for school.  I believe that because of my reduced footprint online I am probably safer than most, but there is still way more information about me out there than I would like.  I was surprised to see that my home address and phone number were easily available for anyone to see, an old Department of Natural Resources accident report was still there from when my boat caught on fire 10+ years ago, a quick search from my home county showed every (usually deserved) speeding ticket I ever had, etc.

Part of this I can understand – court records are public records, but what could someone do with that information?  Some of the others I can’t – how did my home address and phone number get out there? It turns out companies make extra money by selling your data to these Big Data providers, who in turn sell it to others.  So when I had my utilities turned on, I paid them to do it… then they got a bonus for selling my information to someone else.

Something as small as that seems like no big deal, but when you keep collecting all this information and putting it together, a pretty comprehensive snapshot can be made of someone’s private life.  Put all this information together (home address, phone numbers, contacts, property records, criminal or civil court records, browsing history, shopping habits), and maybe a bad guy can use it for bad purposes.

http://humphreybc.com/post/54668654006/a-few-tips-to-reduce-your-online-footprint

Now we have these Big Data providers collecting and organizing all this data (supposedly for marketing and such), so what happens when they have a breach?  Instead of some customers at Target, it is now anyone who has ever been on the Internet, bought anything online, etc., who is at risk for having their identity stolen and privacy compromised.  The more data they have, the more they can lose.

http://www.nbcnews.com/tech/tech-news/big-data-breach-360-million-newly-stolen-credentials-sale-n38741

Recently in Europe, a law was passed to essentially allow a person to opt out of Google’s data collection and have all data about themselves deleted from Google’s servers, kind of like a do-not-call list for the Internet.  This is a great start, but what about all the others?  How can I opt out, or control what is available?  I really hope some regulations similar to this are enacted in the United States in the near future.

http://www.nytimes.com/2010/05/16/technology/16google.html?pagewanted=all

Wednesday, March 26, 2014

To Enable or Disable IPv6… Not Really a Question

When implemented, IPv6 will offer several security enhancements and benefits, such as the ability to run end-to-end encryption natively and built-in integrity checking.  The SEND protocol will be capable of cryptographically confirming a host’s identity, making ARP-style spoofing attacks ineffective. The move to IPv6 will also protect from man-in-the-middle attacks.

http://www.sophos.com/en-us/security-news-trends/security-trends/why-switch-to-ipv6.aspx

While IPv6 will provide many benefits, it also presents several security issues. Most networks are still designed around the IPv4 architecture, meaning all the monitoring and security systems and policies are still focused on IPv4 and will require extensive hardware upgrades to be IPv6 compatible.  The main issue with this is that most enterprises are still not able to monitor or manage IPv6 traffic, and the bad guys are taking advantage of it. Because admins don’t or can’t monitor IPv6 traffic, attackers are using this security loophole to attack by tunneling IPv4 traffic inside IPv6, creating malware that communicates over IPv6, or using the auto-configuration capabilities of IPv6 to actually control devices.

The move to IPv6 will be costly, so most enterprises will attempt a gradual migration, replacing older IPv4 equipment with IPv6-compatible equipment.  While this is an understandable and prudent approach, it will also present its own set of issues. When running in a mixed environment, tunnels must be created to allow traffic to traverse both segments of the network. This will open the door for misconfigurations and unintended security consequences.

The lack of understanding with IPv6 will also be an issue. Most admins know it will provide an exponentially larger address pool; however, the details are still foggy. How will this affect how we currently manage our networks? Does DHCP go away? What about DNS? Planning, training, and extensive preparation will be required when migrating.

http://www.techrepublic.com/blog/it-security/ipv6-oops-its-on-by-default/1955/

Most operating system vendors have jumped onto the IPv6 bandwagon with enthusiasm. Red Hat Linux, Windows 7 and Server 2008 R2, Apple’s OS X, and Solaris now come with IPv6 enabled by default. This creates a huge security risk by allowing unmonitored and unmanaged traffic onto your networks. What is worse is that it can be difficult and time consuming to disable it. With Windows there are GPO templates that you can import to disable it across your domain, but the native solution is a registry change on each machine. Just disabling it in the network control panel does not completely disable it. Linux, Solaris, and Apple use similar methods that force you to touch each computer, which is very time intensive when you consider the number of systems you need to configure. Most security experts are now recommending disabling IPv6 until you have the ability to actually manage and use it. Until then, it is an unnecessary risk that can be easily avoided.
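Before deciding whether a Linux host is one of the "enabled by default" cases, it helps to check two things an admin can collect without any network access: the addresses the kernel has actually assigned (from `/proc/net/if_inet6`) and the `net.ipv6.conf.<interface>.disable_ipv6` sysctls. The following is an added example, not code from the original post: the file contents and sysctl values are constructed, the tunnel-interface name prefixes are a heuristic I have assumed, and the remediation lines it emits are the standard sysctl keys for turning IPv6 off, which is the "disable until you can manage it" stance the post recommends. The scope column in `if_inet6` (0x00 global, 0x10 host, 0x20 link) is what lets it separate auto-configured link-local addresses from globally routable ones.

```python
"""Audit a Linux host's IPv6 state from /proc/net/if_inet6 and the
disable_ipv6 sysctls.  Added example; SAMPLE_IF_INET6 and SAMPLE_SYSCTL are
constructed, and TUNNEL_PREFIXES is an assumed naming heuristic."""
import ipaddress

# Constructed /proc/net/if_inet6 contents.  Columns (all hex except the name):
# address, interface index, prefix length, scope, flags, interface name.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000020c29fffe1a2b3c 02 40 20 80     eth0
20010db800010000020c29fffe1a2b3c 02 40 00 80     eth0
fe800000000000000000000000000001 03 40 20 80     sit0
"""
# Constructed snapshot of net.ipv6.conf.<name>.disable_ipv6 (0 = IPv6 on).
SAMPLE_SYSCTL = {"all": 0, "default": 0, "lo": 0, "eth0": 0, "sit0": 0}

SCOPE_NAMES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}
# Assumed heuristic: interface names that usually denote IPv6-over-IPv4 tunnels.
TUNNEL_PREFIXES = ("sit", "ip6tnl", "tun6to4", "teredo")


def parse_if_inet6(text):
    """Parse if_inet6 lines into dicts with a real IPv6Address and a scope name."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr_hex, _index, prefix_hex, scope_hex, _flags, name = line.split()
        entries.append({
            "iface": name,
            "addr": ipaddress.IPv6Address(int(addr_hex, 16)),
            "prefixlen": int(prefix_hex, 16),
            "scope": SCOPE_NAMES.get(int(scope_hex, 16), "unknown"),
        })
    return entries


def audit(entries, sysctl):
    """Return (severity, interface, message) findings for live IPv6 state."""
    findings = []
    if sysctl.get("all", 0) == 0:
        findings.append(("info", "kernel",
                         "net.ipv6.conf.all.disable_ipv6=0: IPv6 is not disabled globally"))
    by_iface = {}
    for e in entries:
        by_iface.setdefault(e["iface"], []).append(e)
    for iface, addrs in sorted(by_iface.items()):
        if iface == "lo":
            continue  # loopback ::1 is harmless and expected
        if sysctl.get(iface, sysctl.get("default", 0)) == 1:
            continue  # explicitly disabled on this interface
        if iface.startswith(TUNNEL_PREFIXES):
            findings.append(("high", iface,
                             "IPv6-over-IPv4 tunnel interface is up; its payload is "
                             "invisible to IPv4-only monitoring"))
        global_addrs = [a for a in addrs if a["scope"] == "global"]
        if global_addrs:
            listing = ", ".join(f"{a['addr']}/{a['prefixlen']}" for a in global_addrs)
            findings.append(("high", iface, f"globally routable IPv6 address(es): {listing}"))
        else:
            findings.append(("medium", iface,
                             "link-local IPv6 only (auto-configured, still reachable on the LAN)"))
    return findings


def sysctl_remediation(findings):
    """sysctl.conf lines that turn IPv6 off globally, by default for new
    interfaces, and on every interface the audit flagged."""
    ifaces = sorted({f[1] for f in findings if f[1] != "kernel"})
    if not ifaces:
        return []
    lines = ["net.ipv6.conf.all.disable_ipv6 = 1",
             "net.ipv6.conf.default.disable_ipv6 = 1"]
    lines += [f"net.ipv6.conf.{iface}.disable_ipv6 = 1" for iface in ifaces]
    return lines


if __name__ == "__main__":
    results = audit(parse_if_inet6(SAMPLE_IF_INET6), SAMPLE_SYSCTL)
    for severity, iface, message in results:
        print(f"[{severity}] {iface}: {message}")
    print("\n".join(sysctl_remediation(results)))
```

On a real host, read `/proc/net/if_inet6` and `sysctl -a` in place of the constructed strings. The example deliberately treats a link-local-only interface as a finding: that is exactly the state a freshly installed system is in, and it is enough for neighbor discovery and router advertisements to take effect without anyone having configured IPv6.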

http://gcn.com/articles/2013/08/09/ipv6-attack.aspx