
Paymetric Deploys Secure Mobile Payments

by Dark Reading on May 17, 2012

in SBN

Partners with Velocitor Solutions to offer merchants with mobile sales forces a solution to secure payment transactions from their mobile devices

What Would Willie Sutton Say Now?

by Tom Stuart on May 17, 2012

in SBN

As most know, Willie Sutton was the bank robber who, as legend has it, when asked why he robbed banks replied, “Because that is where the money is.” He denies ever saying it, but the point behind the quote is valid. That is why it is not surprising that the Verizon 2012 Data Breach Investigations Report (DBIR) - a continuing fount of good findings - found:
“almost all incidents in which very large amounts of data are compromised involve servers”
Most of the valuable data resides on the servers, so you’d expect them to be involved in a high fraction of the breaches.

I think about this in context of a recent trend I have been hearing about regarding the issue of how to secure user devices in a Bring Your Own Device (BYOD) world. Unlike a year ago when security executives were wondering what to do about BYOD, this year, many have embraced BYOD. Further, their attitude is that they don’t want to manage the user devices. They are resigned to this attitude because they don’t have the resources to manage all these disparate devices. Instead they will just put the proper protection and access controls in place for sensitive systems and data. They want to keep Willie Sutton from having access to the bank vault.

Unfortunately, another finding from the DBIR describes a flaw in this approach. The finding is this:
“We all know, of course, that user devices store and process information too. Furthermore, most organizations have a lot more of them than they do servers, and they’re often widely distributed, highly mobile, less restricted, and—perhaps more importantly—controlled by end users (a shudder travels down the spine of all the admins out there). For all of these reasons and more, user devices frequently factor into data breaches in some manner or another and contribute to a hefty chunk of overall data loss.

Sometimes they are the endpoint from which data is taken, but more often they simply provide an initial “foothold” into the organization, from which the intruder stages the rest of their attack. A common scenario—especially for larger organizations—involves the installation of a keylogger on a workstation or laptop in order to steal the user’s username/password for an internal application server.”
This means that protecting the sensitive data stored on servers also requires that the organization provide for security on user devices, both on and off the network. This also means that the latest trendy network-based approaches to detecting malware using sandboxes or monitoring C&C traffic also fall short. They provide no protection of user devices away from the corporate network: when at home, when traveling or at a coffee shop. The only thorough way to protect these devices and not allow them to be the gateway into the most sensitive repositories of corporate data is to have a constantly vigilant presence on each endpoint - the kind of protection that is provided by Sourcefire’s FireAMP product.

In order to successfully get to the money stored in the vault, Willie Sutton needed to enter through the door and get past the teller. In the cyber world, let’s not leave the door open and the bank unattended.

Operating System Infection Rates – Slight Change in the Trend

by Tim Rains - Microsoft on May 17, 2012

in SBN

Since releasing the new Microsoft Security Intelligence Report (SIR volume 12) a few weeks ago, one of the top questions I have been asked is about the new malware infection rate data for Windows operating systems.

Why is Windows XP Service Pack 3’s malware infection rate lower than that of Windows Vista SP1?

There are likely several factors contributing to this trend, but I’ll try to provide an educated guess on some of the contributing factors.

Malware that used Autorun feature abuse to infect systems was especially successful on Windows XP based systems. About a year ago I wrote an article called Defending Against Autorun Attacks in which I outlined what Microsoft was doing to fight these threats and shared some of the preliminary results of these efforts. To summarize, Microsoft released security updates for Windows XP and Windows Vista that hardened the Autorun feature on these platforms the same way it is hardened on Windows 7 by default. Shortly after this security update was released we could see a precipitous decrease of Autorun related malware infections on Windows XP and Windows Vista systems.

Nitrozac and Snaggy: Fat Resume

by Marc Handelman on May 17, 2012

in SBN

via the comic genius of Nitrozac and Snaggy at The Joy of Tech™

Grimes On Firewalls Has It All Wrong

by ashimmy@hotmail.com (Alan Shimel) on May 17, 2012

in SBN

I was all set to write a post today commenting on Ellen Messmer’s article about Forrester’s picks for winners and losers in security. But that post will have to wait. Instead I am compelled to chime in on the firestorm that Rodger Grimes has ignited with his “firewalls are dead” article of a few days ago.

I didn’t comment on Rodger’s original article because after hearing my friend Richard Stiennon declare so many security technologies dead over the years, one more pundit calling something dead is just not something to get excited over. Let’s face it, you know what they say about pundits (or was it analysts), we all have one. ;)

But that didn’t stop others from calling Rodger out. My friends at Securosis, Mike Rothman in particular, had something to say, a few other security bloggers mentioned it, heck even Richard Stiennon on his way down under tweeted on it. But I thought the best response was by my friend and colleague Jody Brazil of Firemon. Now for those of you who don’t know, I work with Firemon so I may be partial to Jody’s view. Truth be told I may have even seen a rough draft of the post and put my 2 cents in before it was published. To me that was a case of enough said.

But now Rodger has come back with another salvo defending his position. After reading it, I can’t help myself. I have to jump in. Besides the fact that I think Rodger is flat out wrong, I feel it necessary to point out some weaknesses in his arguments:

1. Flat out dismissing firewall mismanagement – Yes, it is easy with the stroke of a pen to just discount this very important part of Jody’s original post. But the fact remains that firewall mismanagement is still one of the biggest factors, if not the biggest, in attacks being successful that a better managed firewall could have and should have stopped. So before dismissing it, at least give it its due.

2. The Verizon Report is all about big companies – Yes, it is only based on 855 breaches, but the fact is that almost two-thirds of those 855 breaches happened at companies with under 100 employees! That hardly qualifies as large enterprise accounts. If you go up to companies under 1000 employees (classic SMB) the number is even higher. So you can’t dismiss the Verizon findings by saying that this only applies to large companies; that is just not the case.

3. The browser did it, blame the browser – This one reminded me of, “if we set the firewall to block all traffic, we would not have security incidents.” Yes, the browser is a nexus for attack, but it is a nexus because it is a fundamental factor in the equation. You can’t take the browser out of the mix and still have an Internet as we know it. So saying it is the browser’s fault and the firewall doesn’t help the browser is just not sound logic. The browser goes with the Internet and it introduces its own set of challenges. Blaming the firewall for not fixing the browser just doesn’t make sense.

4. The human hacking came later – Wrong again. It is the human hacking which comes first. It is the spear phishing or otherwise targeted attack which is the genesis of most security incidents. Grimes points to the large AV vendors as proof of his position. Well, let’s look at the recent Symantec Internet Security report. They clearly show that targeted attacks against humans (by email, Twitter or other social media) are a primary vector for many security incidents. At the end of the day, the weakest link is still the person behind the keyboard. Heck, after getting rid of the firewall, let’s get rid of the people, then we would really be safe. Of course, who would use all of those browsers?

5. Firewalls are a victim of their own success – Again the logic here is flawed. Are firewalls the new polio or smallpox vaccine? Have we eliminated the scourge of attacks that firewalls have stopped, so now we can retire them? Of course not. Firewalls (especially well managed ones) are out there stopping garden variety attacks day in and day out. Yes, NGFW are an evolution up from what firewalls used to be, but the threats and attacks that firewalls have been stopping for years have not gone away; people like Rodger just take them for granted because firewalls are on call doing their job 24/7/365.

So it is not yet time to give the firewall its gold watch and send it to a condo in Florida. There is still plenty of life and good security left in those boxes and the future for them is brighter than ever.

I would love to discuss this further and invite Rodger, Jody, and anyone else who would like to join in, to a podcast. Let me know if you are interested!


Atténuation du Signal, S’il Vous Plaît

by Marc Handelman on May 17, 2012

in SBN

Wireless 802.11x signal attenuator surfaces, this time, appearing as wall paper. Outstanding.

Play it again OpenSAMM – The Fundamental Things Apply

by Adam Montville on May 17, 2012

in SBN

OK, so “play it again OpenSAMM” is a twist on a misquote from Casablanca, but the song Sam sings in that movie does say, “fundamental things apply.” One fundamental in our world, which seems often overlooked, is that of software assurance. Enter OWASP and its Open Software Assurance Maturity Model (OpenSAMM). Before you roll your [...]