• Most Popular Usernames and Passwords

    No clue what the source is, but if they are right it is scary: DRG SSH Username and Password Authentication Tag Clouds

    Roger

  • Is a “Zero-Trust” Model the Silver Bullet?

    I was reading an interesting article: Forrester Pushes 'Zero Trust' Model For Security, in which they mainly claim that you should not trust your internal network, something I have been asking for for a long time. However, the conclusions Forrester and I draw are slightly different. John Kindervag, the person quoted in the article, claims that you have to do deep inspection of the network in order to resolve the problem. I disagree, for several reasons:

    • Privacy: In some countries it might be considered an invasion of an employee's privacy if you start to do in-depth analysis of the IP traffic. It gets even worse if you store it.
    • It might simply be impossible because of the sheer amount of data you would have to store and analyze.
    • What about encrypted traffic?

    To me, there are other approaches we have to consider. First and foremost – and there we still agree – we have to realize and internalize that our network is untrusted, or even worse, that the Internet is our network. There is no such thing as "internal" and "external" anymore. This has consequences, and if you take the consumerization of IT into your equation it gets worse. By that I mean the trend that end users bring more and more private devices into our networks to do their job (or who really took a strategic decision to have the iPhone or an iPad in their network?). End users have started to take IT strategy decisions!

    What can we do about that? How do we do risk management in such an environment? There is definitely a vision we have to work towards, which is called End to End Trust. Scott Charney wrote a very good paper on that: Establishing End to End Trust. However, that is a vision. What can you do now?

    • Accept the facts above.
    • Authenticate not only users but devices as well. Implement IPsec authentication. You can look at this here: Server and Domain Isolation.
    • Based on that, implement Network Access Protection. This allows you to decide whether the devices your information is sitting on are policy compliant.

    That way you can at least enforce that the devices you talk to are policy compliant. What about your information now? How can you implement data classification? You can mark the information in different ways: flag it, keep it in specialized folders, encrypt it, etc. What about the problem that the information leaves the environment in which it is protected? We need persistent protection of the information we are dealing with. That is the reason I really like Rights Management Services and have a hard time understanding why it is not used more often.

    And last but definitely not least, we need to focus more on managing users instead of devices. To be able to do this, we need sound identity management. This starts with processes (how do you get rid of a user account if the user gets laid off? I mean all the user accounts, including the cloud-based ones) and technology can definitely support you on that way.
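    As an added illustration of the process point, not code from the original post: a reconciliation check that compares the accounts in every system, including the cloud tenants, against the HR roster and lists every enabled account whose owner has left, is unknown to HR, or does not exist at all (service accounts). The roster, the account inventory and the system names are constructed for the example; the owner e-mails deliberately differ in case and whitespace between systems, because that is what real exports look like.

```python
"""Reconcile accounts across systems against the HR roster to catch missed deprovisioning."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str    # where the account lives ("ad", "crm-saas", "mail-saas" are invented names)
    name: str      # account identifier inside that system
    owner: str     # e-mail of the person it belongs to; empty for service accounts
    enabled: bool


def normalize(email: str) -> str:
    """Owner fields come from different systems with different capitalization and whitespace."""
    return email.strip().lower()


# Constructed HR roster (invented people): e-mail -> termination date, None = still employed.
HR_ROSTER: Dict[str, Optional[date]] = {
    "alice@example.com": None,
    "bob@example.com": date(2010, 9, 30),
    "carol@example.com": None,
}

# Constructed account inventory pulled from on-prem AD and two SaaS tenants (invented data).
ACCOUNTS: List[Account] = [
    Account("ad", "alice", "alice@example.com", True),
    Account("ad", "bob", "bob@example.com", False),               # on-prem account was disabled on exit
    Account("crm-saas", "bob.smith", " Bob@Example.com ", True),  # the cloud tenant was forgotten
    Account("mail-saas", "bob@example.com", "bob@example.com", True),
    Account("ad", "svc-backup", "", True),                        # service account, nobody owns it
    Account("crm-saas", "dave", "dave@example.com", True),        # a person HR has never heard of
    Account("ad", "carol", "carol@example.com", True),
]


def reconcile(roster: Dict[str, Optional[date]], accounts: List[Account],
              today: date) -> List[Tuple[str, str, str]]:
    """Return (system, account, reason) for every enabled account that should not be enabled."""
    hr = {normalize(k): v for k, v in roster.items()}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already deprovisioned, nothing to do
        if not acct.owner.strip():
            findings.append((acct.system, acct.name, "no owner on record"))
            continue
        owner = normalize(acct.owner)
        if owner not in hr:
            findings.append((acct.system, acct.name, "owner unknown to HR"))
        elif hr[owner] is not None and hr[owner] <= today:
            findings.append((acct.system, acct.name, f"owner left on {hr[owner].isoformat()}"))
    return findings


def example_findings() -> List[Tuple[str, str, str]]:
    """The constructed scenario evaluated on 2010-10-15, two weeks after Bob left."""
    return reconcile(HR_ROSTER, ACCOUNTS, date(2010, 10, 15))


if __name__ == "__main__":
    for system, name, reason in example_findings():
        print(f"{system:10} {name:16} {reason}")
```

    The on-prem account is the one that usually gets disabled; the two cloud accounts and the ownerless service account are what a process that only covers the directory misses. Running this against real exports is the technology part; deciding who owns each system's inventory and how often it is pulled is the process part.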

    Would this solve your problems? No, but it would definitely reduce the risks significantly. It is all about Risk Management – no?

    Roger

  • What is More Important to You? Privacy or Safety?

    I want to start up front: I do not want to take a position here. I have an opinion as a person in my cultural context, but I understand that this opinion is far from the only one that is right or wrong.

    This morning I read this article: FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts. This is definitely not new; we have had it before. If there is a backdoor in encryption for the good guys, there will be one for the bad guys as well. However, if something bad happens to you and you want the criminals arrested, you will want the police to have the right means available to track the criminal down and send him/her to prison if necessary. This is kind of a dilemma.

    I was once having a discussion with a former policeman who said: "We can deliver an almost crime-free society – if we are willing to give up all our privacy." And the idea is fairly simple: if a crime happens and we could immediately see who did it, the risk in committing the crime is so high that you would probably think about it more than twice. But this is not what we want. I want my privacy – but where is the right balance? This discussion is fairly old, has to be revisited over time, and will yield different results in different cultures: the US (see the laws after 9/11), Europe, the Middle East, Africa or Asia – and this is good.

    So we have to understand how much privacy we are willing to give up to help the police combat child porn, hacking and other illegal activities on the Internet. It will be interesting to see where the discussion leads in the US as well as in other countries.

    Finally, I am convinced that backdoors in crypto do not help to solve the problem: you will catch the stupid criminal anyway, in one way or another, without a backdoor. The smart one will use software that encrypts without a backdoor, and then the whole requirement does not help anymore…

    Roger

  • Advisory for the ASP.NET Vulnerability

    We are basically asking the industry to follow Coordinated Vulnerability Disclosure and are therefore not in favor of public vulnerability disclosure, as it puts the industry unnecessarily at risk.

    Recently a vulnerability in ASP.NET was publicly disclosed. We released an advisory, and you should look into implementing the suggested workaround: Vulnerability in ASP.NET Could Allow Information Disclosure.

    UPDATE: A very good description by our SWI Team: Understanding the ASP.NET Vulnerability

    Roger

  • How to Detect a Hacker Attack

    This title immediately caught my attention, and probably yours as well: How to detect a hacker attack – something I definitely want to know. And then I realized that the article a) is written by a techie and b) does not really cover the attacks I am most worried about. But I will address this toward the end and would appreciate your ideas as well.

    If you look at the article, it gives 4 tips:

    1. Suspiciously high outgoing traffic for dial-up and ADSL
    2. Look out for strange looking files in the root directories of your drives and/or too much disk activity.
    3. If your personal firewall is reporting blocking large packets of data from the same IP address
    4. A lot of hackers still rely on trojans and backdoors. So, if your anti-virus software starts finding a lot of those, try increasing protection, use an Internet security suite instead of a basic anti-virus

    That’s just an excerpt. If I look at my mom and dad: they never look at 1 (I do not do it either), 2 (I would only see it if I were cleaning up my machine), 3 (it might be in the event log, but who is looking at the event log?). 4 is definitely a good thing, as we have been saying for ages (actually since Blaster) that there are three things you should do to protect your PC:

    1. Switch on your firewall
    2. Keep your software updated
    3. Install an anti-malware solution and keep it updated (see Microsoft Security Essentials)

    If we take it to a company level, the 4 tips above might look slightly different: 1 is network monitoring (if you see the anomalies), 2 is rarely done, 3 is rarely done, and 4, again, I hope is done.

    But what really worries me are not the attacks we find with the 4 tips above. Those are not the ones which keep me up at night, as they are noisy.

    What about the stealthy, targeted attacks – the real attacks? They do not create a lot of traffic (as the data is slipped out slowly), they hide the files "behind" other files, they use the universal firewall tunneling protocol (called HTTP) to transfer data, and the malware they are using is written for this single purpose: to attack just you!
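    The "slipped out slowly over HTTP" pattern is exactly what tip 1 (suspiciously high outgoing traffic) misses, because no single request is large. As an added example, not from the original post or the article it discusses, the following Python script profiles constructed proxy log lines (the hosts, addresses and timestamps are invented) per client/host pair and flags the pairs where many small, evenly timed uploads add up to a lot of outbound data. The thresholds are assumptions and have to be tuned against your own baseline.

```python
"""Heuristic for low-and-slow HTTP exfiltration / beaconing in web proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed proxy log (not real traffic; hosts and addresses are invented).
# Fields: <timestamp> <client> <method> <host> <bytes_out>
SAMPLE_LOG = """\
2010-10-01T09:00:00 10.1.1.7 GET www.example.com 312
2010-10-01T09:00:04 10.1.1.7 POST www.example.com 25000
2010-10-01T09:00:07 10.1.1.7 POST cdn-sync.example.net 4096
2010-10-01T09:01:30 10.1.1.7 GET www.example.com 480
2010-10-01T09:05:07 10.1.1.7 POST cdn-sync.example.net 4096
2010-10-01T09:07:12 10.1.1.7 GET news.example.com 220
2010-10-01T09:10:07 10.1.1.7 POST cdn-sync.example.net 4096
2010-10-01T09:15:07 10.1.1.7 POST cdn-sync.example.net 4096
2010-10-01T09:16:40 10.1.1.7 GET www.example.com 950
2010-10-01T09:20:07 10.1.1.7 POST cdn-sync.example.net 4096
2010-10-01T09:25:07 10.1.1.7 POST cdn-sync.example.net 4096
2010-10-01T09:30:07 10.1.1.7 POST cdn-sync.example.net 4096
2010-10-01T09:35:07 10.1.1.7 POST cdn-sync.example.net 4096
2010-10-01T09:36:01 10.1.1.9 GET www.example.com 300
2010-10-01T09:36:09 10.1.1.9 GET www.example.com 310
2010-10-01T09:36:17 10.1.1.9 GET www.example.com 305
"""

Record = Tuple[datetime, str, str, str, int]
Key = Tuple[str, str]  # (client, host)


def parse(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), client, method, host, int(nbytes)))
    records.sort(key=lambda r: r[0])   # logs are rarely in perfect time order
    return records


def profile(records: List[Record]) -> Dict[Key, dict]:
    """Per (client, host): request count, total and largest bytes_out, gaps between requests."""
    prof: Dict[Key, dict] = defaultdict(lambda: {"count": 0, "total": 0, "max": 0, "times": []})
    for ts, client, _method, host, nbytes in records:
        p = prof[(client, host)]
        p["count"] += 1
        p["total"] += nbytes
        p["max"] = max(p["max"], nbytes)
        p["times"].append(ts)
    for p in prof.values():
        t = p["times"]
        p["gaps"] = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    return dict(prof)


def jitter(gaps: List[float]) -> Optional[float]:
    """Coefficient of variation of the request gaps; near 0 means a fixed timer, not a human."""
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_low_and_slow(prof: Dict[Key, dict], min_requests: int = 6, max_jitter: float = 0.2,
                      min_total: int = 16384, max_single: int = 8192) -> Dict[Key, dict]:
    """Flag pairs where many small, evenly spaced uploads add up to a lot of outbound data.

    max_single is the point of the exercise: every individual request stays below what a
    "suspiciously high outgoing traffic" rule would notice, only the sum and the rhythm give it away.
    """
    flagged = {}
    for key, p in prof.items():
        j = jitter(p["gaps"])
        if (p["count"] >= min_requests and j is not None and j <= max_jitter
                and p["total"] >= min_total and p["max"] <= max_single):
            flagged[key] = {"requests": p["count"], "bytes_out": p["total"],
                            "largest_request": p["max"], "period_s": round(mean(p["gaps"]))}
    return flagged


def example_flags() -> Dict[Key, dict]:
    """Run the heuristic over the constructed log."""
    return find_low_and_slow(profile(parse(SAMPLE_LOG)))


if __name__ == "__main__":
    for (client, host), info in example_flags().items():
        print(f"{client} -> {host}: {info}")
```

    In the constructed log the one large upload (25 KB to www.example.com) is the benign one, while the 4 KB POSTs every five minutes to cdn-sync.example.net are the ones that add up; the second client's three evenly spaced requests show why the count and volume thresholds exist. The rhythm check is a heuristic: an attacker who randomizes the beacon interval defeats it, which is why volume per destination over a day or a week, compared against that client's own history, belongs next to it.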

    How do we defend against those attacks? How do we even find them? They will sneak in through social engineering, and I have to admit that I am not clear what we can do against them – really. A few things come to my mind:

    1. Risk Management – start with understanding your risk exposure, not only from a technical side but also who could be interested in what in your environment. How likely are you to be targeted by, e.g., industrial espionage?
    2. Patch Management – this is for sure. However, the targeted attacks often do not leverage technical vulnerabilities but the user. Still, staying on the latest versions of all your software is key to defending yourself. This does not only mean security updates but "real" versions as well. If you are still on Windows XP, your risk exposure is significantly higher than on Windows 7.
    3. Information Protection – classical encryption does not help here, as the malware might impersonate you and then simply copy/paste the data or transfer the data in plain text. I think that Rights Management Services could at least lower the risk of data loss.

    What else? What do you do? I would be really interested in hearing your ideas and approaches.

    Roger