Stephen Northcutt, of SANS Institute fame, recently recognized me as a Thought Leader in the area of log management. I’m quite humbled to be included with the likes of Dr. Anton Chuvakin, Jeremiah Grossman, and Ron Gula (among others).
The interview has been posted on the SANS Technology Institute site here. This has certainly made my week 🙂
Recently, LendingTree announced that several former employees may have provided passwords to a handful of lenders which, in turn, allowed the lenders to access sensitive customer information between October 2006 and early 2008. The passwords allowed the lenders to access files that contained sensitive loan request data for LendingTree customers. The loan request data contained such sensitive information as names, addresses, email addresses, telephone numbers, Social Security numbers, and income and employment information.
How was this breach discovered? LendingTree stated that:
Our internal security uncovered this situation. We began an internal investigation and reported it to the authorities. We continue to assist the authorities and are telling our customers as soon as it was possible to do so.
This insider data breach begs the question: “Why couldn’t the employees trading this information have been caught in the act?”
In all honesty, I can’t think of a good reason why they couldn’t have been caught in the act. If proper security safeguards had been implemented, this could have all been avoided. What safeguards, you might ask?
A proactive data leakage awareness initiative, combined with a well-researched acceptable use policy, could have been implemented. Both should detail the acceptable use of company, and customer, information in an easy-to-follow format. Although it’s been proven, time and time again, that company policies and awareness training will not stop the most dedicated employees from exploiting sensitive data, shouldn’t you explain to your employees how to spot someone not following the policy? It’s in the best interest of most employees to protect their company and customers. Some people might hate their jobs, but the odds are that most employees want/need their jobs and will do what’s right to protect them.
Training, training, and more training. If your security operations staff isn’t properly trained to handle incidents, in a timely and process-driven manner, then you are simply asking for trouble. There are numerous training options available that teach proper incident handling techniques. Everyone involved with handling incidents in your company, from the manager to the lowly security operations grunt, should take advantage of these training opportunities. Here are some words of wisdom:
Based on a 2006 InfoWatch survey on Global Data Leakage, 23% of data leaks are performed with malicious intent. The other 77% result from the actions of undisciplined employees. The bottom line is that you don’t want to focus only on leaks that occurred due to malicious intent. The responsible thing to do would be to ensure that you are watching all sensitive information attempting to leave your network. (Extrusion Detection is not a new idea here, people…it’s been around for quite some time now). You might say, “Well, that’s a lot of information to watch”, and you’d be correct. Fortunately, there are powerful solutions available to help you with your problem.
A properly implemented Security Incident and Event Management (SIEM) solution helps you keep a trained eye on your network. This trained eye can alert the security operations staff of any suspicious, or potentially malicious, activity on your network 24/7/365. Being able to correlate and normalize the device (e.g. IDS, firewall, etc.), application (e.g. Microsoft Exchange, Squid Web Proxy, etc.), and operating system (e.g. Windows XP, Red Hat Linux, etc.) logs with collected network-level flows (e.g. NetFlow, sFlow, raw packet capture, etc.) provides the security operations staff with a complete view of the network they were hired to secure and protect.
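To make the log-and-flow correlation described above concrete, here is an added Python example (not code from this post or from any SIEM product). It normalizes two differently formatted sources into one schema and alerts when a host reads a sensitive file and then sends a large flow outside the network. The log formats, sample records, internal range, path prefix and thresholds are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample data (not from the incident): OS file-audit lines
# and flow records exported by a collector, in two different formats.
AUDIT_LOG = """\
2008-04-21T09:14:02 host=10.1.4.23 user=jdoe action=read path=/loans/requests/2008-04.csv
2008-04-21T09:20:11 host=10.1.4.40 user=asmith action=read path=/public/rates.html
2008-04-21T11:02:45 host=10.1.4.51 user=bwong action=read path=/loans/requests/2008-03.csv
"""
FLOWS = """\
2008-04-21 09:16:30,10.1.4.23,203.0.113.77,443,48211934
2008-04-21 09:21:00,10.1.4.40,198.51.100.9,80,20480
2008-04-21 11:05:10,10.1.4.51,10.1.9.8,445,73400320
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
SENSITIVE_PREFIX = "/loans/requests/"           # assumed sensitive path

def normalize_audit(text):
    """Turn key=value audit lines into common-schema events."""
    for line in text.splitlines():
        ts, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        yield {"ts": datetime.fromisoformat(ts), "src": kv["host"],
               "user": kv["user"], "path": kv["path"]}

def normalize_flows(text):
    """Turn CSV flow records into common-schema events."""
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        yield {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
               "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def correlate(audit, flows, window=timedelta(minutes=10), min_bytes=1_000_000):
    """Alert when a host reads a sensitive file and then sends a large
    flow to an address outside the internal range within the window."""
    flows = list(flows)
    alerts = []
    for ev in audit:
        if not ev["path"].startswith(SENSITIVE_PREFIX):
            continue
        for fl in flows:
            in_window = timedelta(0) <= fl["ts"] - ev["ts"] <= window
            if (fl["src"] == ev["src"] and in_window and fl["bytes"] >= min_bytes
                    and ipaddress.ip_address(fl["dst"]) not in INTERNAL):
                alerts.append((ev["user"], ev["path"], fl["dst"], fl["bytes"]))
    return alerts

print(correlate(normalize_audit(AUDIT_LOG), normalize_flows(FLOWS)))
```

Only the first host triggers an alert: the second read is not a sensitive path, and the third host's large transfer stays inside the internal range.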
I can only assume that someone had tipped off the folks at LendingTree who, in turn, pulled the trigger on the investigation. Unfortunately, by the time they discovered the who and the how, the damage had already been done. I hope for the sake of LendingTree, and their customers, a full review of their process and procedures will occur. Additionally, I truly hope that they are able to implement the necessary safeguards to change from a reactive monitoring posture to one that is proactive. If another breach should occur (and the odds are it will), I hope that it doesn’t take another 1.5 years to resolve.
I really apologize for not posting an SBR post since February, but I was a touch burnt out. Now that I’m back from vacation, expect to see more frequent posting (I promise this time…no fooling).
Here is the list:
RegRipper – Harlan Carvey has posted several posts lately (here, here, here, and here) about his RegRipper tool. I suggest you check it out.
Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside – I haven’t read through the entire article yet but, from what I did read, it looks quite promising. I may do a full post in response to the key points in the coming days.
The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies, procedures and address the ways in which personnel review and know how to interpret the logs.
Expanding Government Liability for Data Breach – I think “damages” are probably due to be redefined.
An interesting decision came down last week by U.S. District Court for the District of Columbia that could potentially change the financial liability of data breaches by government agencies and private corporations. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Service Agency (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed claims for lack of merit based on insufficient proof of emotional harm or financial damage.
SANS Internet Storm Center Starts Monthly Podcast – Wow this is cool. I’m glad that this is happening.
If you don’t have the time or interest to read about the latest IT security news the SANS.org podcast or some of the other security podcasts might help you keep up.
CEH/CPTS Certification != competent pentester – Tools are only good in the hands of people who are trained to use them but tools, combined with experience, will always produce superior results.
Bottom line, tools are just tools, they help humans get jobs done. They aren’t and shouldn’t be the only thing used on a pentest. The other point is experience is king, granted the original poster is getting experience, but giving CORE to a brand new tester is not going to help them get better. There is a reason A LOT of subjects are taught the hard way first then you get taught “the shortcut.” Oh, and passing a multiple choice test is not a real demonstrable measure of ability.
Network IDS & IPS Deployment Strategies from the SANS Information Security Reading Room
Solera V2P Tap – It was only a matter of time until someone invented this. I personally think that this is a great, and very useful, invention.
It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I’m glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that a NSM sensor could watch traffic as it would when connected to a physical tap.
What’s new in vulnerability management? – Curious what’s happening with your vulnerability management solution? Have a read.
For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the “mature” label which seems to indicate there is no new innovation happening. Recently though we have seen some new announcements in this area. Also, Gartner should have a new marketscope due out soon.
The Top 10 Security Events of 2008 – Were you “where it was at”?
The event season is here, bringing a flood of security-related conferences, seminars, trade shows and other gatherings designed to help business owners and managers learn how to better protect their IT environments. Here’s a quick rundown of the top 10 events coming up in 2008. And check out the IT Security blog for live blogging and event updates.
Windows Server 2008 Security Events Posted – Awesome! Here is the link to the spreadsheet: http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.
Check it out in the Knowledge Base.
Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online.
Loads.CC Bot Still Live, Still Targeted – More info about the Loads.CC bot that you should probably check out.
Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit, CIO magazine, 2-viruses.com, this PC Week article by Scott B, and Adam T for a good background. The team is still quite active.
Fun Reading on Security – 1 – Here’s a pile of Anton’s favorite links over the past few days.
Instead of my usual “blogging frenzy” machine gun blast of short posts, I will just combine them into my new blog series “Fun Reading on Security.” Here is an issue #1, dated April 18, 2008.
The Six Dumbest Ideas in Computer Security – Marcus Ranum takes a run at the dumbest ideas in computer security.
Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.
Ned on Auditing – I’m going to add this to my RSS watch list. Perhaps something good will show up from the elusive Ned that will help me out.
I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I’d point you guys there. His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.