The Control Policy Group is a data security consultancy focusing on Central Europe  with  offices in Warsaw, Wrocław and Tel Aviv -  an experienced, independent, multi-cultural and multi-disciplinary force of professional IT, data and  software security specialists.

We help the management board reduce data security and compliance costs, protect customer data and prevent intellectual property abuse.

We use advanced network surveillance and proven security and compliance threat models to give you a precise picture of where your data is going and how much it costs you.

The Control Policy Group provides consulting, investigative audit, training and technology services to clients in bio-pharma, manufacturing, telecommunications and financial services industries.

In Central Europe – call  +48-608-29-3030 and ask for a meeting with one of our senior partners to discuss how we can help you protect your  data and reduce your security costs.

Learn more about our enterprise information protection program.

Learn more about our enterprise software security assessment program.

All in 1 unifies key risk assessment methodologies under one roof with building blocks. for highly cost-effective 3rd Party Information Assurance,

Silos ignore Commonality and cost money – especially when you have to certify that your third party service providers are compliant to standards like PCI DSS

• Most organizations tend to manage in a sliced fashion, focused on meeting the requirements
  of individual regulations as they emerge
• This approach carries significant risk of duplication of efforts and makes it extremely
  difficult for senior executives to invest in People, Technology and Processes
• Senior executives must look for areas of  commonality, conflicts and potential synergy

Register now for this great online workshop with one of the top experts in the field.

Read this excellent post on Israeli Software

The best definition of operational risk comes from Basel II, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Although originally designed for the banking system where regulatory safeguards are designed to  protect against large scale failure of the banking system and the economy; a systematic approach to operational risk management is important for any kind of organization

Basel II defines 6 categories of operational risk and  excludes, for example, strategic risk – the risk of damage to the business from a poor strategic business decision.

1. Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, corruption and bribery
2. External Fraud- theft of information, hacking damage, third-party theft (including data loss) and forgery
3. Employment practices and Workplace Safety – discrimination, workers compensation, employee health and safety Clients, Products, & Business Practice- market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
4. Damage to Physical Assets - natural disasters, terrorism, vandalism Business Disruption &
5. Systems Failures – utility disruptions, software failures, hardware failures
6. Execution, Delivery, & Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

Make no mistake:

• Today’s most devastating attacks on a business are launched from inside the organization. Competitors and criminals exploit systems and employees in order to access and manipulate customer data, financials, marketing plans and intellectual property.

• Security focus remains on outsiders, despite the fact that insider fraud and data theft are the leading white-collar crimes worldwide. Most firms lack the capability to detect, monitor, quantify and prevent fraudulent events inside their organization.

• Fraud and data theft can be committed through many methods, including mobile phones and the Internet. The difficulty of validating online identity, the speed with which hackers can exploit IT vulnerabilities, the international dimensions of the Web and ease with which users can hide their identity, all contribute to making the Internet the fastest growing area of fraud and data theft.

We believe that security and compliance operations in a company are synergistic.Question is – How can you do it without committing political suicide in your company?

I saw a good example of this last year in an IT security audit we did for a NASDAQ-traded company as part of their Sarbanes-Oxley annual compliance effort.   The VP Global IT was careful to explain to us that our scope of work was the information systems – we needed to look at the three pillars of Information security – confidentiality, integrity and availability. When I asked what about fraudulent use of the line of business applications (they’re a big Oracle Applications user) – he said:

“Oh no – we’ve setup a separate fraud committee, if anything bad happens – it definitely is not my problem.”   I paused for a moment and  thought to myself – this guy is really smart; he doesn’t have responsibility for financial reporting controls – so why should he have any responsibility for the risk damage?

It’s like I learned at Intel – Organizational Politics is not a dirty word and staking at a turf – avoiding turf wars by “segmentation” of the risk – is a very good thing.

Segmentation of risk is a central precept in any risk management activity, not just from the political perspective.  Segmentation allows a company to separate functions on the basis of operational responsibility and need to know.

The International Standards Organization – ISO is going in this direction with a relatively new 55 page standard that was released in June 2008 – ISO 27005. As ISO explains on the ISO 27005 information page:

“ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.”

We think it is interesting to analyze the causes for this situation

1. We believe that US and EU government regulators are responsible for the focus on the compliance process as opposed to focus on cost-effective risk-mitigation (which does have a common language of dollars and Euros).  It is ironic that regulation which was primarily created for consumer protection has turned into an onerous corporate audit activity far removed from the original charter of protecting customers.

Regulators generally provide a checklist of things companies must do and in the case of Sarbox, a general statement for financial reporting guidelines (section 404 of SOX).   When government uses a regulatory stick with business organizations, we are essentially telling them that research into understanding the root cause of risk, is a non-value-added activity. Ours is not to reason why…

2.  However – there an excellent methodology for understanding the root cause of risk already exists and it is complementary to the compliance process.  The methodology is called threat modeling.  Threat modeling is a mature methodology with implementations from Microsoft and groups like PTA (Practical Threat Analysis) Technologies.

In threat modeling exercises – analysts and business decision makers use a model of assets, vulnerabilities of assets, threats (that attack by exploiting vulnerabilities) and countermeasures (that mitigate threats).   Threat modeling provides a common language that any person working in an organization can understand.

You can download the free risk assessment tool PTA Professional – we’d be happy to hear if you also think that threat modeling is a useful tool for risk assessment. Please feel free to contact us at any time by phone or email.

This article reviews the main areas for concern for protecting information assets from internal threats and vulnerabilities. It starts with an anecdote from an interview with a senior manager and concludes with a recommendation for implementing an approach to protect data directly (as opposed to commonly-used methods that attempt to protect the network and limit user permissions).

The background to problem

We start by sharing an anecdote taking from an interview with a senior manager  at a bank.

…I’m not concerned about data theft. We’ve outsourced our entire IT operation to a big bank’s data center and they’re up to speed on information security. I can always go back to the logs and figure it out if something happens.
Vice President Internal Audit of a private banking institution with $5BN in assets.

Just 2 months later, the “big bank” had a major data theft event. Both banks missed their earnings estimates and took a beating in the market. Today the private institution is trying to break out of their 5 year outsourcing contract.

Data Loss is any unauthorized transfer of valuable information assets – credit cards, customer records, transactional information, source code or other classified information.

Data loss is an internal threat with a strange nature that derives from unexpected actions by trusted insiders and systems in an environment assumed to be secure. For this reason, extrusion prevention requires both management and technology controls.

Management and technical controls for extrusion prevention

Human resources controls

Ensuring employee loyalty and reliability starts with HR, which has responsibility for hiring and guiding the management of employees. High-security organizations (such as? Could you name a few areas?)defense contractors or securities traders add additional screening such as polygraphs and security checks to the hiring process. Over time, organizations may sense personality changes, domestic problems or financial distress that indicate increased extrusion risks for employees in sensitive jobs.

Disconnect #1: HR isn’t accountable for the corporate brand and therefore doesn’t pay the price when trusted employees and contractors steal.

Internal audit

Extrusion prevention needs to be part of an overall internal audit process that helps an organization achieve its objectives in the areas of:

• Operational effectiveness
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Internal auditors in the insurance industry say regulation has been their key driver for risk assessment and implementation of preventive procedures and security tools such as intrusion detection. Born in the 1960s and living on in today’s Windows and Linux event logs, log analysis is still the mainstay of the EDP (What does EDP mean? My guess is electronic data processing) Yes it does – EDP audit is sort of a buzz word I thought – we can use IT audit if you think it is clearer audit. Over the past 7 years our industry evolved to Client-Server computing, XML Web services and converged IP networks. Welcome to stateless http transactions, dynamic IP addressing and Microsoft Active Directory, where your ability to audit network activity depends on which versions of Windows run on your workstations and servers. Offline analysis of logs has fallen behind and yields too little, too late for the EDP auditor!

Disconnect #2: EDP audit have the job but they don’t have the tool.

Physical security

Physical security starts at the parking lot and continues to the office, with tags and access control. Office buildings can do a simple programming of the gates to ensure that every tag leaving the building also entered the building. Many companies run employee awareness programs to remind the staff to guard classified information and to look for suspicious behavior.

Disconnect #3: Perfect physical security will be broken by a Nokia 3650 (cell-phone with camera)

Information security

Information security builds layers of firewalls and content-security at the network perimeter, and permissions and identity management that control access by trusted insiders to digital assets, such as business transactions, data warehouse and files. This structure lulls the business managers into a false sense of security. Let’s not forget that firewalls let traffic in and out, and permissions systems grant access to trusted insiders by definition. Could your explain a little more what you mean here or give an example of what you mean? For example, an administrator in the billing group will have permission to logon to the accounting database and extract customer records using SQL commands. He can then zip the data with a password and extrude the file using a private Webmail account.

Content-security tools based on http/smtp proxies are used against viruses and spam. These tools weren’t designed for extrusion prevention; they don’t inspect internal traffic, they only scan authorized e-mail channels, they rely on file-specific content recognition and have scalability and maintenance issues. When content security tools don’t fit, we’ve seen customers roll out home-brewed solutions with open source software such as Snort and Ethereal. A client of ours recently used Snort to nail an employee who was extracting billing records with command line SQL and extruding the results by Web mail.

Disconnect #4: Relying on permissions and identity management is like running a retail store that screens you coming in but doesn’t put magnetic tags on the clothes to prevent you from wearing that expensive hat going out.

Implementing the controls

To correct the disconnects and protect your digital assets, you need CEO level commitment to management and technology controls. Your company’s management should mandate direct protection of digital assets in addition to conventional methods that protect the network, the servers and control access to resources by users.

• Soft controls – Training and continuous behavior sensing
• Direct controls – Good hiring and physical security
• Indirect controls – Internal Audit

The management controls must be based on classifying your key digital assets in financial terms and what the damage and probability of impact of a threat might be.  The PTA (Practical Threat Analysis) freeware is a great way to do a risk assessment of your digital assets.
Mandate this direct approach independently of privileged system managers, permissions and identity management systems and complex perimeter security systems.

Data loss prevention is a rapidly emerging network security technology area that has matured from simple regex-based Web / email content filtering products into products such as Fidelis Security Systems XPS that perform deep inspection of documents such as Microsoft Word and Adobe PDF with high levels of precision and recall.

Motivation

Network content monitoring is generally used for monitoring of employee or students surfing and filtering out violence, pornography and drug-related content.This sort of Web content filtering became “mainstream” by 2005 with wide-scale deployments in schools and larger businesses by commercial closed source companies such as McAfee and Bluecoat and Open Source products such as Censor Net and Spam Assassin.Similar signature-based technologies are also used to perform intrusion detection and prevention.

However, a new class of content monitoring products has emerged that is aimed squarely at protecting firms from unauthorized “information leakage”, “data theft” or “extrusion”. The motivation for using these products is economic not behavioral; transfer of digital assets by trusted insiders or trusted systems can cause much more economic damage than viruses to a business. Unlike viruses, once a competitor steals data you cannot reformat the hard disk and restore from backup. Companies often hesitate from publicly reporting extrusion events because it damages their corporate brand, gives competitors an advantage and undermines customer trust.

There are two potential “internal customers” for content monitoring in a company – business management (risk management and/or internal audit) and IT infrastructure management.

Senior business management wants to protect their brand by protecting their information assets from criminals, competitors and trusted insiders.There seem to be three schools of thought on this with CxO’s; one common approach is to ignore the problem and brush it under the carpet of compliance monitoring. Another approach is to monitor asset flows without telling employees or the whole world. The smart CEO seems to like an extrusion prevention system as a deterrent and as a way of enhancing the brand (“your assets are safer with us”).Passive content monitoring of asset flows in the network that operates independently of existing I.T systems can be an effective auditing tool for threats to digital assets in any case.Employees and hackers cannot detect a Layer 2 Sniffer device and a Sniffer is immune to configuration and operational problems in the network. If it can’t be detected on the network than school of thought number 2 has plausible deniability.

Firewalls are not enough

Many firms now realize that a firewall is not enough to protect digital assets inside the network and look towards incoming/outgoing content monitoring. This is because:

1. The firewall might not be properly configured to stop all the suspicious traffic.
2. The firewall doesn’t have the capability to detect all types of content, especially embedded content in tunneled protocols.
3. The major of attacks and extrusions are not on the IT infrastructure but on the data itself.
   
4. Most hackers do not expect creative defenses so they assume that once they are in, nobody is watching their nasty activities.
5. The firewall itself can be compromised. As we have more and more Day-0 attacks and trusted insider threats, so it is good practice to add additional independent controls.

Detection, Prevention and Security Management

Detection

Sophisticated incoming and outgoing content monitoring technologies basically use three paradigms for detection:

1. AD- Anomaly Detection – describes normal network behavior and flags everything else
2. MD- Misuse Detection – describes attacks and flags them directly
3. BA – Burglar alarm – describes abnormal network behavior (“detection by exception”)

In anomaly detection, new traffic that doesn’t match the model is labeled as suspicious or bad and an alert is generated. The main limitation of anomaly detection is that if it is too conservative, then it will generate too many false positives (a false alarm) and over time the analyst will ignore it. On the other hand, if a tool rapidly adapts the model to evolving traffic change, then too little alerts will be generated and the analyst will again ignore it.

Misuse detection describes attacks and flags them directly, using a database of known attack signatures and constantly tries to match the actual traffic against the database. If there is a match, an alert is generated. The database typically contains rules for:

1. Protocol Stack Verification– RFC’s, ping of death, stealth scanning etc..
2. Application Protocol Verification – WinNuke , invalid packets that cause DNS cache corruption etc.
3. Application Misuse – misuse that causes applications to crash or enables a user to gain super user privileges; typically due to buffer overflows or due to implementation bugs.
4. Intruder detection. Known attacks can be recognized by the effects caused by the attack itself. For example, Back Orifice 2000 sends traffic on default port is 31337
5. Extrusion detection. Detect unauthorized network transfer of data according to the content itself – for example by file types, compound regular expressions, linguistic and/or statistical content profiling. Extrusion detects functions at a much higher level than an IDS/IPS – since it needs to understand file formats and analyze the actual content such as Microsoft Office attachments in a Web mail session as opposed to doing simple pattern matching of an http request string.

Using a burglar alarm model, the analyst must have deep understanding of her network and what should not happen with it. She builds rules that model how the monitored network should work, in order to generate alerts when suspicious traffic is detected. The richer the rules database, the more effective the model. The advantage of the burglar alarm model is that a good network administrator can leverage knowledge of servers, segments and clients (for example a Siebel CRM server which is a client to a Oracle database server) in order to focus-in and manage-by-exception.

Prevention

Anomaly detection is an excellent way of identifying network vulnerabilities but a user cannot prevent data breach events based on general network anomalies such as usage of anonymous ftp. When it comes to prevention there is also a fundamentalproblem with misuse detection. If misuse is detected then unless the event can be prevented (either internally with a TCP reset, blocking inline or by notifying the router or firewall) – then the usefulness of the devices is limited to forensics collection. An additional hurdle to overcome in the area of prevention of data breach events is performance. The widespread usage of load balancers and multiple IDS servers will not work since packets that compose a client-server application session may be spread over multiple servers and it will be impossible to prevent data leakage since no single server has a complete picture of the entire session.

Management – event analysis and reporting

A SIM (or security information management) system consolidates reporting, analysis, event management and log analysis.There are a number of dedicated tools in this category, Net Forensics is one, but the direction appears to be that the content monitoring system will include its own analytical database of events due the specialized nature of content monitoring and filtering. Note that the management sub-system itself does not perform detection or prevention functions – it manages and receives reports from other system components. A typical architecture has a central SIM (management console) and multiple / distributed sensors that feed events (not raw traffic) into the SIM.

I believe many people involved with IT security have a feeling of frustration that stems from continuously reacting to external forces: spam attacks, spyware attacks, insider threats, analyst reports and new product announcements. What should you do?

Consider the three basic tenets of IT Security

1. Network Security is Warfare, if its “kill or be killed” in the sales department, then why not in IT Security?
2. Most of your information security strategy is reactionary with “Penetrate and Patch” methods
3. Few implementations address the collection of information about attackers

The key Elements in Information Security Strategy

Stop reacting and go back on the offensive, with a proactive security strategy based on control, collection, capture and change:

Control: Managing the access of information to and from the network and systems.
Collection: Gathering information about user habits and systems behavior.
Capture: The capture of information from anomalous events on the network.
Change: Adapt the security posture to meet new situations.

By basing both defensive and offensive tactics on these four strategic elements, you can poractively control who accesses your network, collect information about abnormal transactions, capture anomalous events, and adapt your security posture to meet changing situations.
Traditional Information Security Tactics are Defensive

* Backups
* IDM – Identity Management
* Network Access Control using firewalls/routers
* Host Access Controls
* Intrusion Prevention Systems/Intrusion detection systems
* Inbound content filtering for abusive/malicious content

Offensive Information Security Tactics

* Attacking and auditing your own systems.
* Proactive response to attacks.
* Extrusion prevention
* Honey Pots and Honey Nets.

I’d like to thank Chris Neitzert (Chris[at]Neitzert[dot]com) for his ideas on improving IT security with both offensive and defensive tactics. Download Chris’ well-written article at: Guerilla Anti-Penetration Tactics