Read ‘Em All: Pentagon’s 193 Mind-Numbing Cybersecurity Regs | Danger Room | Wired.com

Read ‘Em All: Pentagon’s 193 Mind-Numbing Cybersecurity Regs | Danger Room | Wired.com.

According to the Deputy Assistant Secretary of Defense for Cyber, Identity & Information Assurance (DASD CIIA) there are 119 different information security documents published by the Department of Defense (including the NIST SP 800 series). DASD CIIA helpfully published a two-foot-long chart to help you make sense of it all.

Perhaps they ought to take a look at the SANS 20 Critical Security Controls for Effective Cyber Defense. The whole thing is only 58 pages.

Oracle fixes add to massive patch load expected Tuesday – SC Magazine US

Oracle fixes add to massive patch load expected Tuesday – SC Magazine US.

Of the 81 fixes in Oracle’s quarterly patch release, seven of them are for databases.

The question is how long it will take to test and install these patches. Experience says months. That means your systems will be exposed to these vulnerabilities for months.

I am by no means suggesting you should rush the deployment of these patches. Thorough testing is a must.

The answer is the virtual patching capability of Sentrigo, a database protection solution. In a matter of days, if not sooner, Sentrigo updates their agents protecting your databases with new “vulnerability signatures” that protect against threats looking to exploit the well documented vulnerabilities for which Oracle is providing patches.

In many cases, Sentrigo ships the “vPatches” before Oracle ships their patches.

We recommend Sentrigo as a core component of our next-generation defense-in-depth architecture.

Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading

Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading.

Last week Forrester Research began promoting a new term, “Zero Trust,” to define its new security model. The new model’s underlying principle is “trust no one.” In other words, you cannot trust the servers and the workstations inside your network any more than you could trust external third parties.

Given the nature of the changes we’ve seen during the last 3 to 5 years in technology and the threat landscape, we agree. We have seen a huge increase in what we call “inside-out” attacks where insiders are lured to malware-laden web pages on, for example, Facebook, Twitter, YouTube, and even the New York Times. The malware gets downloaded to the unsuspecting person’s workstation along with the normal content on the web page. From there, the malware steals the person’s credentials to access bank accounts, internal intellectual property, customer records, or whatever the attackers can readily convert to cash. This type of malware is not the traditional single-purpose virus or worm. Rather it’s an agent controlled by remote servers that can modify its functions. These “bots” have gone undetected for days, weeks, months, even years.

From a security perspective, this type of attack looks very similar to a malicious insider, and information security must protect against it along with the traditional “outside-in” attack method.

From my perspective, Forrester’s Zero Trust model and Cymbel’s next-generation defense-in-depth architecture are the same when it comes to network security. Our Approach, based on the SANS 20 Critical Security Controls for Effective Cyber Defense, is broader.

However, there is one area where I disagree somewhat with John Kindervag, the Forrester analyst discussing the Zero Trust model, who is reported to have said:

“It’s like a UTM [unified threat management] tool or firewall on steroids,” he says. “It does firewall, IPS, data leakage protection, content filtering, and encryption with a 10-gigabit interface that separates the switching fabrics for each function.”

Gee, how did he leave out packet shaping? I have no doubt that there are vendors attempting to do all these functions in a single appliance, but it reminds me of Network Access Control in 2007. NAC was going to subsume all manner of security functions in a single appliance. The complexity was overwhelming. Furthermore, most organizations really don’t want all that functionality in one box. There is still the need for a defense-in-depth architecture, in our opinion.

Some level of function consolidation is surely reasonable and advantageous to organizations with limited resources, i.e. everyone!! However the expertise needed to develop and advance all of these different functions is virtually impossible to assemble in one company. For example, full packet capture is really about innovative data storage and retrieval. High performance, stream-based, application level, firewall/IPS is about innovative deep-packet inspection combined with clever hardware design. And data loss prevention requires proxies and semantics-based data classification algorithms.

While I am surely not saying that we can achieve nirvana now, the components of Cymbel’s next-generation defense-in-depth architecture can provide major improvements in network security today:

  • Next-Generation Firewall with application- and user-level, internal network segmentation, integrated intrusion prevention, and bandwidth management – Palo Alto Networks
  • 0-day threat and botnet command & control communications prevention – FireEye
  • Cloud-based web and email security – Zscaler
  • Device/software discovery and configuration change detection – Insightix, AccelOps
  • High Performance Full Packet Capture – Solera Networks
  • Layer 2, 3, 4 encryption – Certes Networks
  • User-based, behavioral anomaly detection using net flows and logs plus high-performance event correlation – Lancope

I look forward to learning more about Forrester’s Zero Trust model and working with partners who recognize the new landscape and respond with creative solutions for our clients.


Windows DLL exploits boom – how to thwart them

On August 23, 2010 Microsoft issued Security Advisory 2269637, warning about a new method of attack based on the standard way Windows finds a DLL called by a program when the program does not specifically define the location. InfoWorld’s Woody Leonhard, among others, had an article about this on August 24 – Heads Up: A whole new class of zero-day Windows vulnerabilities looms.

In a matter of days, hackers were publishing attacks against many Windows apps including Firefox, Chrome, Word, and Photoshop. See Windows DLL exploits boom (August 26).

This is just one example of the speed with which zero-day attacks can proliferate. This is a particularly bad situation because just one Windows vulnerability is being used to create a large number of zero-day attacks across a wide range of applications. We recommend organizations deploy FireEye to counter these zero-day attacks.

From an end user perspective, on August 27, Woody Leonhard published a helpful article, How to thwart the new DLL attacks. To summarize, Woody has two excellent recommendations for users:

First, never double-click on a file that’s in a potentially compromised location. Drag it to your desktop, then open it.

Second, make Windows show you filename extensions and hidden files.
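To show why the first recommendation works, here is a small model of the Windows DLL search order. It is an added example, not part of the original post and not Microsoft’s loader: the application name, directories and file names are constructed, and the model ignores details such as already-loaded modules, KnownDLLs, manifest redirection and the 16-bit system directory. What it does reproduce is the documented order in which the loader looks for a DLL requested by bare name, with the current working directory coming after the system directories.

```python
"""Model of the Windows DLL search order, to show why dragging a file out of
an untrusted folder before opening it defeats the attack described above.

Added example, not part of the original post and not Microsoft's loader:
the directories, the file names and the application are constructed, and
the model ignores details such as already-loaded modules, KnownDLLs,
manifest redirection and the 16-bit system directory.
"""
from pathlib import PureWindowsPath

# Search order with SafeDllSearchMode enabled (the default since XP SP2).
# The current working directory is searched after the system directories,
# so a DLL the application never shipped is picked up from wherever the
# user happened to open a document.
SEARCH_ORDER = ("application", "system32", "windows", "cwd", "path")


def resolve_dll(dll_name, directories, files_present):
    """Return the lower-cased full path the loader would use for `dll_name`,
    or None if no directory in the search order contains it.

    `directories` maps each slot in SEARCH_ORDER to a directory (or, for
    "path", a list of them); `files_present` is the set of lower-cased full
    paths that exist in the modelled file system.
    """
    for slot in SEARCH_ORDER:
        dirs = directories.get(slot, [])
        if isinstance(dirs, str):
            dirs = [dirs]
        for d in dirs:
            candidate = str(PureWindowsPath(d) / dll_name).lower()
            if candidate in files_present:
                return candidate
    return None


def is_untrusted_location(path):
    """A 'potentially compromised location' in the sense of the first
    recommendation: here, a UNC share. (Removable media would be another
    case, but a drive letter alone cannot tell you that.)"""
    return PureWindowsPath(path).drive.startswith("\\\\")


def open_document_scenario(cwd):
    """Open a document with the constructed ExampleApp while the working
    directory is `cwd`; return where 'helper.dll' gets loaded from."""
    directories = {
        "application": r"C:\Program Files\ExampleApp",
        "system32": r"C:\Windows\System32",
        "windows": r"C:\Windows",
        "cwd": cwd,
        "path": [r"C:\Windows\System32", r"C:\Windows"],
    }
    # Constructed file system. ExampleApp asks for 'helper.dll' by bare name
    # and does not ship it, so the only copy anywhere is the one that was
    # placed on the public share.
    files_present = {
        r"c:\program files\exampleapp\exampleapp.exe",
        r"c:\windows\system32\kernel32.dll",
        r"\\fileserver\public\helper.dll",
    }
    return resolve_dll("helper.dll", directories, files_present)


if __name__ == "__main__":
    # Double-clicking the document on the share versus opening it from the desktop.
    for cwd in (r"\\fileserver\public", r"C:\Users\alice\Desktop"):
        loaded = open_document_scenario(cwd)
        flag = " (untrusted location)" if loaded and is_untrusted_location(loaded) else ""
        print(f"cwd={cwd}: helper.dll -> {loaded}{flag}")
```

With the document opened directly from the share, the working directory is the share and the planted copy is the first match; after dragging the document to the desktop, the working directory is the desktop and the lookup fails. The same model also explains the developer-side fix in the advisory: an application that loads its libraries by full path never reaches the `cwd` slot at all.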


MPLS WAN Encryption – It’s time

Is MPLS secure? All the MPLS vendors use the term VPN (Virtual Private Network), implying some level of security. But in reality, MPLS is not encrypted and is therefore subject to snooping. And of course, you have no way of knowing whether it is being snooped or not.

Mike Fratto at Network Computing wrote a nice piece a couple of months ago explaining the situation.

If you talk to the WAN services folks at a carrier, their definition of a VPN will be an overlay network that is carried by another network over shared infrastructure. By the carrier’s definition, a telephone call over a PSTN is a VPN. The carrier definition is very different than the other definition of a VPN as an authenticated and encrypted layer 3 tunnel between two nodes, with one node being a network. The former definition assumes that the carrier’s employees are trustworthy. The latter definition doesn’t care if they are or aren’t.

In addition, compliance regimes like MA 201 CMR 17 and HIPAA are mandating WAN encryption.

To encrypt MPLS traffic and really all wide area network encryption, we recommend CipherOptics.


A framework to replace PCI?

There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.

I see it differently. The key principles of the SANS Twenty Critical Security Controls for Effective Cyber Defense make more sense and provide the basis for the Cymbel Approach:

  • Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation on which to construct effective defenses.
  • Work from a prioritized baseline of information security measures and controls
  • Most controls must be automated – there is no way for an organization to cost effectively defend itself with manual controls
  • Measure the effectiveness of controls – Automated techniques, where possible, should be used to measure the effectiveness of deployed controls.

Furthermore, regarding policies – you cannot start the process with policies without establishing context first. Therefore we start our processes with Visibility. You can read more about this on the Cymbel Services page.

Stuxnet – Nation-state attacker threatening critical infrastructure?

There has been a lot written about the Stuxnet malware in the last several weeks and rightfully so. Stuxnet not only infects Windows computers which supervise industrial control systems, but then goes on to infect the software running on individual Programmable Logic Controllers (PLCs) which control the actual subsystems of those industrial processes. (Each Windows computer controls some number of PLCs which actually run the industrial processes.)

Therefore Stuxnet enables the attacker to remotely cause an industrial automation system to malfunction. It gets even worse – the PLC malware is hidden in a way that PLC software engineers won’t notice the change! Thus Stuxnet is the first known rootkit for industrial control systems.

And the vulnerability Stuxnet exploits was zero-day. In other words, the vulnerability was not known at the time Stuxnet began. Stuxnet was first detected in late July 2010, but now information is coming out that it really started in 2009! Some are saying that the sophistication of Stuxnet indicates nation-state involvement.

You can read more details (depending on how technical you want to get) from CNET, SC Magazine, Symantec, Kaspersky, and Mandiant.

There has always been a lot of talk about the need to protect critical infrastructure. Now we are seeing a real threat which increases the risk of industrial control incidents, and therefore heightens the priority to deploy Boundary Defense Controls in these environments.

Six database breaches during H1/2010 point to needed controls

Dark Reading posted an overview of six database breaches that occurred during the first half of 2010. All of them resulted from lack of controls covered in the SANS Twenty Critical Security Controls for Effective Cyber Defense, the backbone of Cymbel’s Approach to information security and compliance. Here is a brief explanation of each breach and the SANS Critical Controls that would have prevented or at least detected the breach more quickly:

  1. Arkansas National Guard – 32,000 current and former Guardsmen personal information removed on an external disk drive and subsequently lost.
    • Critical Control #15 – Data Loss Prevention, Subcontrol #6 – encrypt hard drives
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – copying large numbers of database records should generate an alert indicating the who, what, and when of the query.
  2. University of Louisville – database of dialysis patients exposed due to lack of password protection of the web application.
    • CC#7 – Application Software Security, Subcontrol #3 – Test web applications for common security weaknesses.
    • CC#7 – Application Software Security, Subcontrol #6 – Software development personnel receive training on Secure Development Life Cycle.
  3. WellPoint – 470,000 customer records exposed to unauthorized users due to insecure web application code.
    • CC#7 – Application Software Security, Subcontrol #1 – Deploy a Web Application Firewall
    • CC#7 – Application Software Security, Subcontrol #2 – Automated code analysis
    • CC#7 – Application Software Security, Subcontrol #3 – Automated remote web vulnerability scanner
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  4. Virginia Beach Department of Social Services – eight employees and supervisors fired or disciplined for abusing their database access privileges by accessing restricted information about employees, family members, and clients.
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – establish more granular access policies
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  5. Florida International University – 20,000 students and faculty sensitive records exposed on an unauthorized database in an insecure computing environment.
    • CC#1 – Inventory of Authorized and Unauthorized Devices, Subcontrol #1 – Automated asset inventory discovery system
    • CC#2 – Inventory of Authorized and Unauthorized Software, Subcontrol #2 – Automated software discovery system
    • CC#15 – Data Loss Prevention, Cymbel Extension – Network-based User Activity Monitoring – Anomalous database queries
  6. Lincoln National Corp. – 1.2 million customers’ portfolios exposed due to lax password management and frequent credentials sharing. Some passwords had not changed in seven years!
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #3 – Change passwords at regular 30, 60, 90 day intervals.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #6 – Administrative accounts should only be used for administrative functions.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #8 – No password reuse within six months.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #11 – Two-factor authentication
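The Database Activity Monitoring extension cited for breaches 1, 3, 4 and 5 above comes down to two automated checks over the database audit trail: alert on any statement that copies a large number of records, and flag a user querying a table outside their established pattern. The following is an added illustration of those two checks, not Cymbel’s or any vendor’s code; the audit records, user names, tables, the 1,000-row threshold and the 30-day baseline window are all constructed, and a real deployment would read the same fields from the database’s audit log or a DAM agent rather than a hard-coded list.

```python
"""Two database activity monitoring checks over a constructed audit log.

Added illustration, not Cymbel's or any vendor's code: the records, users,
tables and thresholds below are made up, and a real deployment would read
the same fields from the database audit trail or a DAM agent.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class QueryEvent:
    when: datetime       # when the statement ran
    user: str            # database login that ran it
    host: str            # client workstation or server
    table: str           # principal table touched
    rows_returned: int   # rows sent back to the client
    statement: str       # the SQL text (abbreviated here)


# Constructed sample log: May is ordinary activity; early June contains a
# bulk copy of a personnel table and a clerk reading a table outside her role.
SAMPLE_LOG = [
    QueryEvent(datetime(2010, 5, 3, 9, 12), "hr_clerk", "ws-hr-12", "employees", 1, "SELECT ... WHERE emp_id = ?"),
    QueryEvent(datetime(2010, 5, 10, 14, 2), "hr_clerk", "ws-hr-12", "employees", 1, "SELECT ... WHERE emp_id = ?"),
    QueryEvent(datetime(2010, 5, 12, 22, 30), "dba_admin", "srv-db-01", "employees", 250, "SELECT ... (integrity check)"),
    QueryEvent(datetime(2010, 5, 20, 10, 45), "case_worker", "ws-dss-04", "clients", 3, "SELECT ... WHERE case_id = ?"),
    QueryEvent(datetime(2010, 6, 2, 9, 1), "hr_clerk", "ws-hr-12", "employees", 1, "SELECT ... WHERE emp_id = ?"),
    QueryEvent(datetime(2010, 6, 3, 2, 17), "hr_clerk", "ws-hr-12", "employees", 32000, "SELECT * FROM employees"),
    QueryEvent(datetime(2010, 6, 4, 11, 5), "hr_clerk", "ws-hr-12", "clients", 5, "SELECT * FROM clients WHERE surname = ?"),
    QueryEvent(datetime(2010, 6, 4, 11, 20), "case_worker", "ws-dss-04", "clients", 2, "SELECT ... WHERE case_id = ?"),
]

BULK_THRESHOLD = 1000                 # assumed limit for "a large number of records"
BASELINE_END = datetime(2010, 6, 1)   # baseline period ends here; later events are scored


def bulk_export_alerts(events, threshold=BULK_THRESHOLD):
    """Check for breach 1: any statement returning more than `threshold`
    rows produces an alert carrying the who, what and when of the query."""
    return [
        {"who": e.user, "from": e.host, "what": f"{e.table}: {e.statement}",
         "when": e.when.isoformat(), "rows": e.rows_returned}
        for e in events if e.rows_returned > threshold
    ]


def build_baseline(events, window_end=BASELINE_END, days=30):
    """Per-user set of tables touched in the `days` before `window_end`."""
    start = window_end - timedelta(days=days)
    baseline = defaultdict(set)
    for e in events:
        if start <= e.when < window_end:
            baseline[e.user].add(e.table)
    return dict(baseline)


def anomalous_table_access(events, baseline, after=BASELINE_END):
    """Check for breaches 3, 4 and 5: statements after `after` against a table
    the user never touched during the baseline. The learned baseline doubles
    as a first cut at the more granular per-user access policy."""
    return [e for e in events
            if e.when >= after and e.table not in baseline.get(e.user, set())]


if __name__ == "__main__":
    for alert in bulk_export_alerts(SAMPLE_LOG):
        print("BULK EXPORT:", alert)
    for e in anomalous_table_access(SAMPLE_LOG, build_baseline(SAMPLE_LOG)):
        print("NEW TABLE FOR USER:", e.user, e.table, e.when)
```

Run as a script, the bulk check reports the 32,000-row export by `hr_clerk` at 02:17 with the host it came from, and the baseline check reports the same login reading `clients`, a table that only `case_worker` touched during May. The threshold and window are the two knobs to tune against your own audit data: too low a threshold turns the DBA’s maintenance queries into noise, and too short a window flags legitimate monthly or quarterly jobs as new behaviour.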