Thursday, August 8, 2013

Wrapping up another Class

As I've stated recently, I am currently in a class called Current Trends in Cyber Security.  The quarter is over and each of us has worked through a process model.  The point here is to:

1. Describe a threat matrix for a company.
2. Make recommendations on fixing those threats.
3. Present that information to management.
4. Make sure everyone understands the concepts.

That all seems simple enough, but let me give a brief run down of how it all works.  After all, what good is cyber security if we can't take something perfectly simple and make it complicated!

I started by thinking through these issues.

1. Where does the analysis fit in the company goals?
2. What hardware and software assets are present?
3. What sources of information can be used to assess threats at H&M?
4. Create an ongoing information gathering process.
5. Gather, analyze, and store threat information.
6. Document systems information.
7. Gather existing H&M policies.
8. Evaluate currently existing threats, and make recommendations.
9. Evaluate the impact of controls and reduce threats to acceptable levels.
10. Review and improve the system.
 
Next, I broke the threats present into categories.  It was important to note that this was a high-level assessment.  Since this process is ongoing, the first time you do it you should only show major issues.

Once this was completed, I had to put the issues into families.  I chose people, policy, and technology threats.  This seemed logical, since most issues can be carved up this way.

Lastly, we came up with controls and how to implement them.

This is a high level overview of what I did for class.  The lessons learned here will apply daily as I consider threats and issues in the Cybersecurity space.


Sunday, July 28, 2013

Security Action Plans

As a security professional I've spent a lot of time considering security problems.  Action plans, I suppose, are all about what you can do with those problems.  This week I wrote an imaginary action plan.  If you recall, I've been working on developing plans for an imaginary company.  This company has no policies or procedures which reference security.  So I proposed some changes.  I am not really going to rehash those changes in this post.  I don't actually think that would be interesting to read.  However, I do want to take a moment to talk about this process.

From my perspective, companies are generally accepting of the way things are done.  If a plan for something doesn't exist, it means the leadership of the company hasn't acknowledged a need for it.  As a security professional, how do you convince a company to spend lots of money and time on solving problems they aren't concerned about?  Obviously you can go to the standby, FUD, but there has to be a better way!  Understanding the risks a business has and proposing solutions is not an IT practice.  This is a business practice.  My imaginary company only engaged services for its security problems after a breach.  That is what it took for them to see the need.  Wait though, we are back to FUD again.  I mean, I don't want to constantly try to convince people to do things because bad things can and have happened.

So, here is what I've learned from writing an imaginary action plan.  As a professional, writing an action plan gives you an idea what must happen to solve problems.  It means that you can clearly articulate what is wrong and how to fix it.  Given the correct forum you can argue for the needed changes.  I suppose the question is, how do you get someone to ask the question you have an answer for?  I don't think this is something I can even get close to answering.

Sunday, July 21, 2013

Threats, Vulnerabilities, and Risks, Oh MY!

While these terms don't seem tragic or difficult on their own, they are often misunderstood.  To be honest, I often use them interchangeably.  So what is the problem, right?  I mean, why do we have to be exact on this; is the name of the game semantics?

The reason these terms matter is that they are central to my understanding, and that of all security professionals, of how business, security, and technology intersect.
Threats are things that you don't want to happen.  They are present in the world around us.  There is a threat you may get into a car accident on the way to work.  There is also a threat that someone may hack into a system at your office.  Of course, there is also a threat a meteor will wipe out your office.  Not all threats are credible.  In other words, not all decisions can be threat-driven.

Vulnerabilities are problems which exist.  The fact that the brakes in your car may be out is a vulnerability.  The reality that you don't patch workstations and servers on a business network is a vulnerability.  Lastly, the fact that we only watch a small fraction of the space surrounding Earth is yet another vulnerability.  Just as you can't remove all the threats, you can't remove all the vulnerabilities either.
Now enters risk.  Risk is the likelihood that a vulnerability will be realized.  In other words, will a threat take advantage of an existing weakness?  So, will someone force you to slam on your brakes, thus taking advantage of the weakness in your car's brakes?  Or, will some worker click a Facebook link, taking advantage of the lack of patches on their system?  Lastly, will some meteor in the area of space we weren't observing smash into the Earth?

So what do you do with this information?  The goal of course is decision making.  You look for the union of Threats, Risks, and Vulnerabilities.
 


The union of these three ideas is the set of threats, risks, and vulnerabilities information security professionals should focus on.  The problem is determining which things fall into which categories and why.

Sunday, July 14, 2013

Imaginary Threat Analysis... Who knew it could be helpful.

So how do you analyze a threat from an imaginary company?  That doesn't seem like something that people concern themselves with on a consistent basis.  However, it was something I found myself doing this week.

The part of this I found interesting was that after reading all the data from the company I had to come up with a likely scenario.  See, the imaginary company had been breached.  They let client credit card numbers into the open.  In my likely scenario, they were breached due to an e-mail scam.  That scam then attached them to a botnet.  Once that happened, the people running the botnet were able to determine that CC data was present within the system.  You see where this is going, right?  It got me thinking: how can an organization do anything about this?

In my opinion most security problems in companies boil down to one of three things.
1. A policy problem
2. A people problem
3. A technology problem

Policy Problems
So, my recommendations in the magic scenario mirrored this.  Policies, you see, can be fixed if the will is present to do so.  The real issue here is that they must originate from the top.  They must explain the will of a corporation to the stakeholders and employees.  A good example of this would be an acceptable use policy.
People problems
These types of problems are solved by hiring qualified candidates.  This may mean background checks and extensive interviews.  It will also mean continuous peer-based review.  In addition, it will mean that people may need to be let go.  This also takes into account people who mean to do an organization harm.  Controls must be put in place to limit that harm.  The policies should also reflect the reality of employees and harm seekers.

Technology Problems
These problems are typically solved by people following policies.  Sometimes a new piece of technology may be needed, but sometimes an old piece of technology must simply be utilized.  In my imaginary company the issue here was lack of updates.

As IT and security professionals it is very easy to attempt to fix all problems with technology.  While I am still deciding what I think about all of this, I am attempting to appreciate how difficult fixing security problems can be.

Sunday, July 7, 2013

Threat Analysis Sources

I am currently taking a class on current trends in Cyber Security.  One of the questions I'm being asked is to review a list of sources I created.  This list of sources is intended to provide an overview of the numerous threats to the Confidentiality, Integrity, Availability, and Accountability of an information system.  On June 21st of this year I created a post entitled "Identifying Credible Resources, a how to!".  This is the list of resources I am currently drawing from.  All of that sounds incredibly formal.  In fact, I simply check these sites and resources during the course of my day.  So the question is, can I use these sources in a formal manner?

For the purpose of this post I will discuss my listed sources as they relate to an imaginary company.  So, in this imaginary company I check Bruce Schneier's Crypto-Gram newsletter.  It focuses heavily on the ongoing saga of Snowden.  Interestingly enough, the Security Now podcast I watched did the same.  This information reiterates the need to do several things.

1. Train employees.  This ensures employees know the proper whistle-blowing techniques.  It also ensures they know what they should have access to.

2. Monitor employees.  Look, you can't trust people.  No matter how well trained they are, they can decide to make confidential information public.  This means you have to monitor them.

3. Communicate issues with lax access controls to management.  They may decide they do not want to act on recommendations, but they must be informed.

So how does that relate to an imaginary company?  Well, in my scenario a company, X shall we say, needs to justify spending money on an IDS or DLP system.  They have determined that the risk of lost data is high, and that the impact of the loss would be catastrophic.  Reading this newsletter and listening to this podcast help me articulate that.

This week I also reviewed Microsoft's TechNet newsletter.  It would appear that MS13-050 will be coming out this month.  This update will interact with the print spooler.  So, company X uses mostly Microsoft systems.  These systems all print on a frequent basis.  Due to this warning I am able to communicate with the local admins in company X about the possible disruption to printing services.  In fact, due to this update more extensive testing will be done.  If you haven't figured it out at this point, I'm obviously writing this post for an assignment.  The reality of all the sources I listed on June 21st is that I use them frequently.  I believe, however, that the list could improve.  As I review specific threats it is likely that I will build a keyword list of resources.  This will enable me to research specific threats as they pertain to various topics.

Sunday, June 30, 2013

The SANS Top 20, Control 5: Malware Defense

Check this link:
http://www.sans.org/critical-security-controls/control.php?id=5

Everyone knows they should have anti-virus software.  Well, I would hope most people do.  Anecdotal evidence aside, why should people have malware defense?  Well, like anything else, I think a discussion of definitions needs to occur.  Now hold on, this isn't going to be some boring list of words.  It's going to be an exciting one!  Malware is really just a catchall term for any piece of bad software.  It's all the viruses, spyware, Trojans, logic bombs, and adware that exist.  Think of it as software that wants to hurt you and your PC.

Ok, now that we have defined it, what can we do to stop it?  Well, the short answer is... not much.  The people who are creating advanced malware are working very hard to do so.  They have access to all the latest software and antivirus software.  In fact, they have kits which are intended to help them do this.  You can actually lease time on cloud-based services designed to create and distribute sophisticated attacks: https://blog.damballa.com/archives/tag/cloud.  So if you are still reading you may be thinking, "well, that's a lot of doom and gloom."  Well, hang in there.

While sophisticated attacks do exist, many of the attacks being used are not.  In fact, many of the attacks which occurred last year were unsophisticated.  This article discusses this idea: http://blog.trendmicro.com/trendlabs-security-intelligence/how-sophisticated-are-targeted-malware-attacks/  In addition, for a far more detailed analysis you can check the Verizon Data Breach Investigations Report.  So if the attacks are using known vulnerabilities, why can't we just fix them?  In some cases this is due to the vendor not being able to re-work a difficult issue.  However, in some cases it is because the end users need the functionality that is being exploited.  Or, it may be that the flaw is not in public view.

The answer to all of these concerns is malware defense.  In a corporate environment, have an automated anti-virus solution, monitor that antivirus solution, act on the reports it gives you, update the system, and most importantly educate users about it.  This type of protection can also be integrated into firewalls.  Network monitoring tools can look for known viruses and bad behavior on a network.  Most importantly, have a plan.  What will you do if a system becomes compromised?  Who will you call, and where will a replacement PC come from?  More importantly, how will you rebuild a server?  How long will it take?  Will you invest in a cleanup and evidence preservation effort?  If you don't have the answers to all of these questions, you are like most people.  If you are looking for a place to start, read SANS Control 5.

The secret to malware defense is understanding the risk present, proper protection, and a recovery plan.

Sunday, June 23, 2013

Why on earth would I use Microsoft Visio

This week I decided to write about a feature in Visio that I was, until recently, unaware of.  For those of you who don't know, Microsoft Visio allows users to create maps.  You can map a city, office, network, even a process or idea.  This is very useful.  Interestingly enough, it also allows its users to show relationships graphically.  If any of you have ever needed to explain how authentication works on a network, the picture will certainly inform the topic.  Here is an example.
[Figure: example Visio diagram of authentication relationships on a network; the image was not preserved in this copy of the page]
In addition to this functionality, the product also allows you to diagram a website.  This is a new function I was unaware of until recently.  While documentation is an obvious need in security, website diagrams are more directly related.  In order to use this functionality one must select a new Visio document, go to Software and Database, then select Website. (http://office.microsoft.com/en-us/visio-help/generate-a-web-site-map-HP001209112.aspx)  Once that is complete, simply follow the import dialog.  You will put the URL you are looking for in place.  At that point you just hit OK and wait.  Here is an example.
I chose to use Altoro Mutual.  This is a demo site set up by IBM.  Security professionals use it to test this type of tool.  http://www.testfire.net/default.aspx
[Figure: Visio-generated site map of the Altoro Mutual demo site (testfire.net); the image was not preserved in this copy of the page]

This tool allows the user to map the links and relationships in a website.  From my perspective it shows me hidden links as well as possibly forgotten pages.  This is something anyone who designs web pages should take full advantage of.  It also allows you to graphically illustrate website design.
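The link-mapping that Visio does for a site can be sketched in a few dozen lines, which makes it clearer what "hidden links" and "forgotten pages" actually mean in the output. The following is an added example, not Visio's implementation and not code from the original post: it crawls a small constructed in-memory site (hypothetical URLs under example.test, not testfire.net) and reports the link graph, the pages reachable from the home page, forgotten pages that nothing links to, links that survive only inside HTML comments, broken internal links, and links that leave the site. Running it against a live site would only need the `SAMPLE_SITE` lookup swapped for an HTTP fetch of your own site.

```python
"""Offline site-map builder: crawl an in-memory set of HTML pages and report
the link graph, reachable pages, forgotten (unlinked) pages, links hidden in
HTML comments, broken internal links, and external links."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed sample site (hypothetical host example.test, not a real site).
SAMPLE_SITE = {
    "http://example.test/": """
        <html><body>
        <a href="/login.aspx">Login</a>
        <a href="about.html">About</a>
        <a href="http://partner.example.net/">Partner</a>
        <!-- <a href="/admin/">admin console</a> -->
        </body></html>""",
    "http://example.test/login.aspx": '<a href="/">Home</a><a href="/login.aspx#top">Top</a>',
    "http://example.test/about.html": '<a href="/">Home</a><a href="/contact.html">Contact</a>',
    "http://example.test/admin/": '<a href="/">Home</a>',          # only linked from a comment
    "http://example.test/old-promo.html": '<a href="/">Home</a>',  # nothing links here at all
}


class LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags and, separately, from HTML comments."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []
        self.comment_links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(self._absolute(value))

    def handle_comment(self, data):
        # A commented-out anchor is not rendered, but it is still in the source
        # that any crawler sees; report it separately as a "hidden" link.
        for href in re.findall(r'href\s*=\s*["\']([^"\']+)["\']', data):
            self.comment_links.append(self._absolute(href))

    def _absolute(self, href):
        # Resolve relative paths against the page and drop #fragments so that
        # /login.aspx and /login.aspx#top count as the same page.
        return urldefrag(urljoin(self.page_url, href))[0]


def crawl(site, start):
    """Breadth-first crawl of `site` (url -> html) from `start`; returns a report dict."""
    host = urlparse(start).netloc
    graph, hidden, external, broken = {}, {}, set(), set()
    queue, seen = [start], {start}
    while queue:
        url = queue.pop(0)
        parser = LinkExtractor(url)
        parser.feed(site.get(url, ""))
        graph[url] = sorted(set(parser.links))
        if parser.comment_links:
            hidden[url] = sorted(set(parser.comment_links))
        for link in parser.links:
            if urlparse(link).netloc != host:
                external.add(link)          # leaves the site: do not follow
            elif link not in site:
                broken.add(link)            # internal link to a page that does not exist
            elif link not in seen:
                seen.add(link)
                queue.append(link)
    return {
        "graph": graph,
        "reachable": sorted(seen),
        "forgotten": sorted(set(site) - seen),
        "hidden": hidden,
        "broken": sorted(broken),
        "external": sorted(external),
    }


if __name__ == "__main__":
    report = crawl(SAMPLE_SITE, "http://example.test/")
    for key in ("reachable", "forgotten", "hidden", "broken", "external"):
        print(f"{key}: {report[key]}")
```

The "forgotten" list is the one worth reviewing on a real site: those pages are still served but no longer reachable through navigation, so they tend to miss review cycles and updates. The "hidden" list shows links that a visitor never sees but that anyone reading the page source (or any crawler) still finds, which is why commenting out a link is not a way to retire a page.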