
June 27, 2008

Breach got you down?

Well, it has happened again. I received a rather menacing looking note in the mail today. You know, one of those heavy-stock sealed letters that have the perforated edges? Yeah. That kind.

Inside, it looks like my information is on a lost tape from a bank. The funny thing is, I don't remember banking with this institution... ever. I have a feeling that one of the brokerage firms I use (or used) was backed by this institution, but nevertheless, I thought of an interesting type of phishing attack that I bet would work. When I looked through this notice, it did appear to have a corresponding breach on PrivacyRights.org. I have already placed my fraud alerts, so I should be good.

But what if it didn't? If I were to target specific individuals (i.e., spear phishing), tell them that their information was compromised from a large bank, and provide a number for them to call for more info, would they readily give me enough information to steal their identity? I think people have started to be wary about clicking on things or giving out information over email, but what about through the mail? Sure, it won't have the same reach that electronic attacks will, but how much more lucrative could the loot get?

My thoughts are that it would work remarkably well against those individuals who don't have lawyers reading their mail, and especially some of the elderly population.

June 25, 2008

PIN Security finally catching up?

Wired reports that a Citibank hack may be responsible for a recent ATM crime spree. Edit: Looks like some arrests have been made! I've discussed issues around hacking ATMs and challenges with skimming in the past, but this one appeared to be pretty lucrative. While bank networks are not impenetrable, attacking endpoints is becoming much easier and more lucrative.

Anyone remember the old days when you had to make sure the ATM you were going to use was real? Speaking of that... Ladies, you should beware of this.

Something of interest to me... As a consumer, do you check your bank statement with all of your receipts? Would you know if money started disappearing from your account in $10-$30 increments? Does the state of your personal financial situation dictate your attention to your bank account? I may be a dying breed, but I have been known to spend twenty minutes poring over a bank statement to figure out where I missed a dime.

June 05, 2008

June Edition of Herding Cats

The ISSA has posted the electronic version of the journal, so if you are itching to read what is coming to you via the post, go check it out! My column this month is titled "Don't Get Cyberjacked!"

It may be the first time that the phrase "This ain't your daddy's security incident" and the word "stripper" appear on the same page (or ever) in that fantastic publication. Go check it out!

May 02, 2008

Am I too trusting?

Monday was presentation day at CSI-SX. I had a decent crowd, for the breakout session! One day, I'll do a talk that is not the last session of the day :)

While I was in between sessions sitting in the speakers lounge, one of the other speakers (I did not catch his name) dropped his computer bag and jacket on the chair across from me. I looked up, nodded, and went back to my work. He proceeded to pull out one of those laptop locking devices that you see at public terminals. You know, the ones you can beat with a toilet paper tube. He then secured the whole apparatus (bag included) to the chair! A conference chair. The ones that weigh like ten pounds.

I was not watching him the whole time, but I did not see him ever leave the room. The room was maybe 100' x 40' and he sat down on the couch less than 10 feet away. What benefit would someone get by "securing" the laptop and bag to the chair? Am I not paranoid enough?

April 18, 2008

Are you going to CSI-SX?

If so, LOOK ME UP! I'm speaking on Monday afternoon at 4pm at the conference. Hope to see you there!

As always, I'll be sending tweets!

April 10, 2008

Last Call @ the Expo

Just finished up with the last booth work at the show. Today was fairly slow (as is to be expected), though there were still plenty of people coming through. I got to see the VeriSign VIP token work, and that was pretty cool! Hope you stopped by to get your free token!

As I was leaving, the last hunters of conference trinket treasure were hurriedly making the rounds before the expo closed. All in all, quite a show. If I missed you this time, I hope to see you somewhere else soon!

April 09, 2008

The Haps at RSA!

Today has been filled with all kinds of activities, including meeting with some customers and vendors. I just finished the first meeting of the NSS Advisory Group and I am very pleased with the direction that it is heading. I think there is a lot of promise there for helping customers figure out which vendors DO solve PCI issues, and which ones don't.

I will be AT THE BOOTH at 10am tomorrow! Please stop by! I have a pretty "Blog This!" button on (Thanks K-Dog!).

Also you can follow me on Twitter at http://twitter.com/brandenwilliams.

See you there!

March 10, 2008

A SQL Injection Attack!

(This post is brought to you today by the letter A).

This weekend, I took a hiatus from the computing world and headed down to the family lake house. Time to get ready for summer and clean out all the junk!

Well, not junk, but lots of ladybugs for some reason.

When we arrived home yesterday, I caught up on my personal email, and noticed that someone posted a comment to my personal blog. Like this blog, when someone comments, I get excited since I'm never sure if anyone is reading. (Please leave comments, it makes me feel useful. Just like all the characters in Sodor want to be.) The comment in particular was an attempt to run a SQL Injection attack against my blog software.

Thankfully, it appears that my blog software caught this intrusion, but it left a nice record in my email. Here's what it looks like when someone (or a bot) tries to attack a field.

Bill364367','396455billy@msn.com','','15.13.14.4','2008-03-08 11:08:05','2008-03-08 11:08:05','','0','lynx','comment','0','0'),('0', '','', '', '', '2008-03-09 11:08:05', '2008-03-09 11:08:05', '', 'spam', '','comment', '0','0' ) /* (IP: 46.232.63.181 , titania.nameremovedtoprotect.com)

Names & IPs changed to protect the silly.

So the question is, is YOUR code vulnerable to this type of attack? When is the last time you had an application penetration test or code review performed on your custom code? VeriSign has seen quite an uptick in interest around these services (which we happily provide), though it still seems that most companies really miss the importance of this type of security review. Either it is easily dismissed as too expensive, or companies want to review every piece of code they can get their hands on (vs. a methodical and targeted approach to key apps and an overhaul of the SDLC).
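To show what the comment record above is actually doing to a query, here is an added example (not the blog software or any VeriSign code) that assumes a simplified comments table with three columns. The vulnerable pattern splices the "name" field straight into the SQL text, and the record from the post, used here as the input, closes the open quote, appends a second VALUES tuple and comments out the tail with /*. The hardened version binds the same input as a parameter, so it is stored as data and cannot change the statement. A small heuristic at the end is the kind of signal worth logging or alerting on for a comment form; it is not a substitute for the parameterized query.

```python
import sqlite3

# Constructed from the comment-attempt record shown in the post above. Nothing
# here is executed as attacker-supplied SQL; the unsafe statement is only built
# and inspected, and the safe path stores the string as a literal value.
PAYLOAD = (
    "Bill364367','396455billy@msn.com','','15.13.14.4','2008-03-08 11:08:05',"
    "'2008-03-08 11:08:05','','0','lynx','comment','0','0'),('0', '','', '', '',"
    " '2008-03-09 11:08:05', '2008-03-09 11:08:05', '', 'spam', '','comment', '0','0' ) /*"
)

# Simplified, assumed schema (the real blog software's table is not shown on the page).
SCHEMA = "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, email TEXT, content TEXT)"


def build_unsafe_sql(author, email, content):
    """The vulnerable pattern: user input is spliced into the SQL text.
    Returned, not executed, so the resulting statement can be examined."""
    return (
        "INSERT INTO comments (author, email, content) "
        f"VALUES ('{author}', '{email}', '{content}')"
    )


def count_value_tuples(sql):
    """Number of VALUES tuples in the statement text. A single comment insert
    has exactly one; a spliced-in '),(' means the input rewrote the statement."""
    return 1 + sql.replace(" ", "").count("),(")


def insert_comment_safe(conn, author, email, content):
    """The hardened pattern: placeholders, with the driver binding the values.
    Returns the row count afterwards, which stays one row per call."""
    conn.execute(
        "INSERT INTO comments (author, email, content) VALUES (?, ?, ?)",
        (author, email, content),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def looks_like_injection(value):
    """Cheap heuristic for alerting on form input: a quote character together
    with an SQL comment opener or a tuple boundary. A log/alert signal only."""
    has_quote = "'" in value
    compact = value.replace(" ", "")
    has_structure = "/*" in value or "--" in value or "),(" in compact or ");" in compact
    return has_quote and has_structure


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    unsafe = build_unsafe_sql(PAYLOAD, "", "")
    rows = insert_comment_safe(conn, PAYLOAD, "", "")
    stored = conn.execute("SELECT author FROM comments").fetchone()[0]
    return {
        "unsafe_tuples": count_value_tuples(unsafe),   # 2: the input added a row
        "rows_after_safe_insert": rows,               # 1: stored as plain text
        "stored_literally": stored == PAYLOAD,
        "flagged": looks_like_injection(PAYLOAD),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The useful comparison is the first two results: the concatenated statement now carries two VALUES tuples, while the parameterized insert produces exactly one row whose author column contains the whole attack string, quotes and all. A code review of custom code should be looking for the first pattern anywhere user input reaches a query.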

February 19, 2008

From the Dept of Obvious Statements: PCI Not Just for Cardholder Data!

Evan Schuman (Storefront Backtalk) wrote on Valentine's Day that PCI is not just for payments anymore. Hate it or love it, PCI is a great standard for a baseline of security. You can replace Cardholder Data with just about any type of data you want to protect, and you can establish a minimum baseline that will do a reasonable job of keeping that data protected. Security consultants have been pointing this out for a while.

I think the part of this that is the most telling is that the security and IT programs in some companies are so bad and so far gone that PCI is what is standing them up. Again, I still believe that the PCI-DSS is a good baseline for companies to start with, but PCI is tailored to the protection of cardholder data (duh). Companies should be taking a broader look at their security and IT postures, extending beyond PCI.

PCI can also be an excellent poster child for building a security program. If you can get it right with PCI first, you can use your experience to extend that program into other areas of the company (take it up a level).

February 01, 2008

People Hacking!

Yes, it's true that part of the reason I was not posting very frequently is because I was running out of ideas. It is also true that I've started following Schneier's blog again. Anyway...

He's got an excellent post with 2 examples of how Social Engineering was successful in the theft of significant sums of money. Security is made up of People, Process, and Technology, and people are almost always the weakest link.

January 25, 2008

Hacking Utilities?

This week, Bruce Schneier blogged about the CIA's disclosure of hacking incidents to public utilities. I've been wary of utilities ever since I learned about SCADA systems and their implications for security. I've heard about consultants primed with a copy of Nmap accidentally shutting down large SCADA networks simply because of their age and lack of security.

The thing that is scary is that we have come across companies reliant on SCADA systems for their factories or assembly areas that are also subject to PCI.

Eek!

The good news is that with careful planning and a good network segmentation strategy, much of the impact can be reduced.

December 03, 2007

Blackberry War?

Todd Wilkens posted about his personal war against Blackberries this month. As a consultant, it is not only hard to conduct meetings (where we are getting paid by the hour) with customers when this happens, but I have been tempted to do the same thing as well! I think we all tune out at some point when it comes to meetings, especially those after lunch ones.

What I'm interested to know is if anyone has ever suffered a breach due to a lost blackberry. With the amount of scrutiny over email these days, I know that some caution is taken. That said, I also know that humans are lazy people and email is very pointy/clicky. I've seen executives forward extremely sensitive information via email to their Yahoo email accounts so they can work on it when they get home.

So as these computing devices get more ubiquitous, how much concern is there really out there related to a data breach, and what measures are you taking to mitigate that risk?

November 27, 2007

VeriSign teams up with BSI America!

Security is not about compliance, it's about building a good program and governance to protect data. VeriSign announced today in conjunction with BSI Americas that VeriSign will be the exclusive firm to provide ISO 27002 readiness assessments that ultimately lead to certification.

The ISO 27002 standard covers Information technology, security techniques and a code of practice for information security management and allows companies that implement it to first focus on security, and then tweak it to deal with compliance. Enterprises faced with multiple compliance initiatives should first focus on good security practices before pushing compliance. This will set up a foundation to maintain compliance every day.

For more information, see the press release above!

November 21, 2007

What will you buy?

With numerous retailers putting offers both online and in the store, how many of you are making the rush? Maybe because I can remember hitting the mall VERY EARLY in the morning on Black Friday as a kiddo I have never taken part in this. We also have family things going on that day, so it makes it a little bit harder.

My advice to retailers, watch out. As we saw back in July, cards stolen in the TJX breach this year could likely be used on the busiest day of the year. Many years ago, I worked retail and learned to dread the day after Thanksgiving. Even on our busiest times, you could at least walk through the store without having to physically move people out of the way.

With pressure mounting on retailers to deliver big numbers, will they not take a second look at a credit card to help push people through the line? One of the greatest times to use social engineering is when your mark is super busy, and overly distracted. I predict that retailers will see higher amounts of fraud this year for card-present transactions (noting of course that my 2.5 year old son is beating me in the NFL football pool this year, so take my prediction with a grain of salt or two).

And finally, I hope you all have an excellent holiday!

September 25, 2007

What I Don't Know WILL Hurt Me

This one still amazes me every time I see it happen. I would think that by now, people would try to understand what they don't know so they can deal with it.

I am dead wrong.

I'd like to reflect back on a conversation I had with an Information Security Director at a prominent company in the transportation industry. The reason the industry is important here is that we met with this individual after the 9/11 attacks. Most people in the transportation industry were hyper-sensitive to security at the time.

We went in and were pitching enterprise security intelligence services--something that might be relevant to this individual. This individual welcomed us into an office, allowed us to talk about this service for 20 or so minutes, and then looked us in the eyes and said with a straight face...

"This service looks great, but I don't want to know about threats out there because if I know about it, I have to do something about it."

....

I could imagine some guy at a 5 man shop saying that, but this is a major company we are talking about here. I don't know if I held it together in front of the individual, but I was shocked to say the least.

This incident relates to the current corporate mindset in many companies today. If I don't know about it, I don't have to do anything, therefore I have plausible deniability. The hard problems are there to be tackled, not ignored. So go get 'em fella!

September 14, 2007

Acceptable Losses, a Customer Perspective

I recently did some work for a customer that had an interesting perspective on the physical security of devices. We were talking about putting some specific controls in place to hold encryption keys, and when we mentioned that we could put them on little USB sticks (not an HSM, but think like that), they said "Oh, if we do that they will disappear from the stores."

Employee or customer theft of devices sure does not come up as something we deal with every day.

This particular company ran largely a cash-based business, and had a very small group of customers that paid by credit card. They were actually considering completely dropping all credit card acceptance because of the added risk they took on. The nature of this customer's business includes high turnover.

When we asked more about the physical security component, they explained that they build some component of "acceptable loss" into any purchase going into their stores. For example, RAM would regularly be stolen out of PCs placed in stores. Part of their decision making process for purchasing equipment was based on how easy it was to steal and what the replacement costs were. Meaning, they had built an acceptable loss component into certain purchases for IT.

That was a unique perspective. For them, it is cheaper long term to just buy equipment that is hard to steal than it is to build physical security into pieces of their infrastructure.

September 11, 2007

The Problem with Scale

One of the big problems with building a business is ensuring that processes & procedures scale. Information Technology programs are no exception. We spend as much time as we can building in automation such that our precious resources are not consumed repeating a task over and over.

Security is no different.

In fact, there are several tactical security tasks that require strategic planning in order to scale them. For example, patch management tends to be a big issue for many companies, especially retailers. How do I create a system that allows me to do massive patching with limited (if any) downtime? How can I ensure a high rate of success? How do I keep exception management to a minimum?

We work with several large companies that deal with this on a daily basis. Ultimately, when faced with a deadline, companies are more likely to react with a tactical solution (let's hire 100 contractors and go run Windows Update) as opposed to investing the time & money to make a viable long term solution that scales. Cost is definitely an issue, but long term gains are to be had with strategic security and IT planning.

What are some other areas that have issues with scale?

  1. Identity Management
  2. User Provisioning
  3. Hardware Provisioning
  4. Software Deployment

When building budgets and doing strategic planning, security professionals should spend time ensuring new and existing processes will scale. In the majority of our customers, security spending is increasing and more dollars are being allocated to their budgets.

Branden says: "Include the ability to scale and meet the needs of the organization's growth for current and upcoming projects!"

September 05, 2007

Boss, I Think Someone Stole Our Customer Data

This month in Harvard Business Review, we finally get a case study that applies to Information Assurance! "Boss, I Think Someone Stole Our Customer Data" ($4 PDF) tells a story that many CEOs fear, and some can give you a first hand account about--a breach of customer data.

While the case study does speak in some general terms, it is an excellent table-top exercise to run through during your regularly scheduled incident response plan test. This exercise should include various functional groups such as Legal and Marketing in addition to the traditional security or information technology employees. The case study is written in general terms, and can be used multiple times as the law changes.

August 29, 2007

WDOCD: Secure Tape Destruction

For our VERY FIRST installment of "What Do Other Companies Do" (WDOCD), Randy Smith has asked the following:

"What specifications do other companies require for Secure Tape Destruction (especially for older tapes that could have pre-encryption account number data). To my understanding PCI does not provide a specification.

What standard seems to be "secure enough" for older tapes potentially with unencrypted data?

Do you feel that standard is OK to relax when all the account number data is encrypted?"

Excellent question, Randy! Virtually every company we work with has some sort of destruction policy for media, and it varies from using a bulk eraser, to pulling out the DeWalt and drilling a hole right through it (yes, one company we have done work for does exactly this after a bulk erase), to enlisting a third party media destruction firm, to transferring the media back to the manufacturer for analysis and destruction. A quick search on YouTube will show you many more creative methods to destroy these devices (though not recommended by this humble security consultant).

Specific to PCI, the only destruction standards mentioned are ISO standards that have nothing to do with destruction at all. Slight oversight that we hope will be corrected soon.

What is actually required is some method to destroy the data or media such that the data cannot be recovered. Small tape strips are a minor risk, but incineration or shredding seems to be the best method to ensure the data is not recoverable.

For tapes where the account number is encrypted, I do believe a relaxed method would be appropriate. In fact, if you filled a FedEx truck with tapes of encrypted data, and then left it in the open for people to take those tapes, you would not be required under state laws (today) to notify the affected individuals! The card associations might take a different view of this of course.

The answer: For unencrypted tapes, be sure you do a very thorough degaussing before taking them to your vendor for physical destruction. This will ensure that any leftover fragments will not have any data on them to recover. For encrypted tapes, shredding with 3 to 6" tape strips left over should be acceptable.

Thanks for the question Randy! For your time, keep your eyes open for a little gift from us!

August 24, 2007

What Do Other Companies Do?

Well folks, it's time. Yes, I've been running this blog for a whopping month or so, and I just want to see if anyone is reading. So far, the only comments that have been submitted are those for "Biagra" and some "Hot New Penny Stock" that promises to make me rich beyond my wildest dreams. While those are certainly enticing links, I think we could make this much more productive.

What I'm looking for is to play a game called "What Do Other Companies Do" (similar to "Spin the Topic Wheel" for any P1s out there). Essentially, I'd like you to email questions to TheSecurityBlog@gmail.com asking how other companies address various security practices. For example, "What do other companies do related to code review of applications?" For those of you interested, the short answer is "not much."

There are a ton of good questions out there and we have a ton of inside knowledge we can share, so let's get to discussing!

August 20, 2007

Knowing Your Data Flows

Going to privacyrights.org will clue you into a large cause of data breaches--the stolen laptop.

This type of incident is a repeated example of why knowing where data lives in your enterprise is so vital. When we are called into a customer for PCI consulting services, rarely do we see a holistic approach to understanding data flows. There are certainly experts who know their part, and 80% of the time they are right on. But they often lack an over-arching perspective of the data flows, and are unaware of data flows that lie outside of their bailiwick. The level of documentation required for overarching visibility is considerable, but it is also extremely valuable. Imagine being able to see the entire picture at once and instantly be able to identify risky areas or understand how a new service or acquisition could compromise security.

Of course, someone violating policy will not show up on a formal diagram. How do you protect against the outliers?

Several companies including (but not limited to) Tablus, Vontu, and Verdasys have taken a focus on locating and tracking data, from credit card numbers, to personally identifiable information, to intellectual property, throughout a corporate network and its workstations. Using this data in conjunction with that magical map can help point to high risk areas as well as policy violations. These are not the end-all solution by any means, as education and awareness can be just as effective against the "honest mistake" type of breach. They are a key piece of the Layered Security strategy your company takes.

Why are these tools not the end-all solution? They will help prevent the accidental exposure, but will not prevent the sophisticated insider from siphoning this data off site. If data flows are encrypted, for example (by say an SSL VPN), many of the data flow analysis tools fall down because they cannot see inside the stream. You can always block all encrypted traffic, but if you allow people to browse out to an SSL site, you may be allowing this data to leave without your knowledge. They also may not cover USB drives, iPods, or other temporary storage if it is not mounted at the time of the scans. USB drives have long been a debated topic for good reasons.

The moral of this story is to really begin thinking about the data.
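To make the limitation above concrete, here is an added example (none of the named vendors' code, and nothing from the original post) of the core of a content discovery scanner: a regular expression for card-number-shaped digit runs, filtered by the Luhn check digit so ordinary order numbers do not trip it, with the hits masked so the scanner's own report does not become another copy of the data. It is run over two constructed inputs: a plaintext export, where it finds the two test card numbers, and the same export after a toy XOR-plus-base64 transform that stands in for an encrypted flow, where the content pattern is gone and the scanner finds nothing. The sample CSV, the key and the transform are all assumptions made for the example.

```python
import base64
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check digit test used by the card networks; it rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return masked, Luhn-valid card-number candidates found in a text blob."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


# Constructed sample export a discovery tool might crawl. 4111111111111111 and
# 5500000000000004 are the well-known published test numbers, not real accounts;
# the third row is a digit run that fails Luhn and should not be reported.
PLAINTEXT_EXPORT = (
    "order,name,card\n"
    "1001,A. Customer,4111 1111 1111 1111\n"
    "1002,B. Customer,5500-0000-0000-0004\n"
    "1003,C. Customer,1234567890123456\n"
)


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for an encrypted channel (assumption for this example, not a real
    cipher): XOR with a constructed key, then base64 so the result is text."""
    return base64.b64encode(bytes(b ^ key[i % len(key)] for i, b in enumerate(data)))


# The same export as it would look to a scanner that cannot see inside the stream.
OPAQUE_EXPORT = toy_encrypt(PLAINTEXT_EXPORT.encode(), b"constructed-key").decode()


def scan_both():
    """Scan the plaintext and the opaque copy; only the former yields hits."""
    return {
        "plaintext_hits": find_pans(PLAINTEXT_EXPORT),  # two masked numbers
        "opaque_hits": find_pans(OPAQUE_EXPORT),        # empty list
    }


if __name__ == "__main__":
    for name, hits in scan_both().items():
        print(f"{name}: {hits}")
```

The second result is the point of the passage: the data did leave, but a scanner that only understands content patterns reports a clean bill of health. That is why the data flow map matters as much as the tool, and why an encrypted channel out of the network deserves the same scrutiny as a USB port.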