Lenny Zeltser on Information Security — The Use of the Modern Social Web by Malicious Software

Lenny Zeltser on Information Security — The Use of the Modern Social Web by Malicious Software.

Lenny Zeltser posted his excellent presentation on The Use of Modern Social Web by Malicious Software.

However an increasing number of organizations are seeing real benefits to the top line by engaging in the social web. Therefore simply blocking it’s usage is no longer an option. The InfoSec team must respond to the business side by mitigating the security risks of using the modern social web.

 

IT in the Age of the Empowered Employee

I recently came across this blog post from Harvard Business Review, IT in the Age of the Empowered Employee. The author, Ted Schadler, who recently co-authored a book entitled, Empowered, seems to have coined the term, “highly empowered and resourceful operatives (HEROes).” These people represent 20% of the employees in an organization who aggressively seek out information technology solutions on their own without the IT department’s support.

Schadler recommends managers and IT support HEROes’ efforts:

What caught my eye of course is, “Provide tools to manage risk.” Yes, enable the use of Web 2.0 applications and social networking by mitigating the risks they create. Next Generation Firewalls come to mind.

HIghlights from Sophos threat report

Highlights from Sophos threat report.

The recently released Sophos Threat Report claims that with more than 50 percent of companies allowing free and open access to social networking sites:

  • 67 percent of users were spammed on social networks – double from when the survey began in 2009 (33.4 percent)
  • 40 percent were sent malware
  • 43 percent were phished – more than double from when the survey began in 2009 (21 percent)

The answer is not totally blocking access to social network sites. People in marketing and sales need access, but they don’t need to be playing Farmville. Also totally blocking all aspects of social network sites might create a morale issue.

Anti-virus can play a role, but a defense-in-depth strategy is needed that includes Next Generation Firewalls.

How Will Technology Disrupt the Enterprise in 2011?

How Will Technology Disrupt the Enterprise in 2011?.

Constellation Group’s Ray Wang lists five core disruptive technologies: social, mobile, cloud, analytics, and unified communications.

What’s interesting to us at Cymbel is that each of them require rethinking compliance and security to mitigate the new risks their deployments create for the enterprise. In other words, inadequately addressing the security and compliance risks around these technologies will inhibit deployment.

What are the risks?

  • Social – The new threat vector – the “inside-out” attack, i.e. rather than having to penetrate the enterprise from the outside-in, all a cybercriminal has to do is lure the insider to an external malware-laden web page.
  • Mobile – All the types of attacks we’ve seen over the years against desktops and laptops are finding their way onto smart phones.
  • Cloud – Will you put trade secrets and PII out in a public cloud deployment without protecting them from third party access? How will you verify that no third parties, like the administrators at SaaS companies are not accessing your data?
  • Analytics – Good security technology has only recently taken hold for traditional relational databases that rely on the SQL access language. The new analytics are about new ways of storing and accessing data for analysis. How do you monitor and control access?
  • Unified Communications – Attempting to apply traditional IPSec VPN technology to converged data, voice, and video networks creates unacceptable latency issues and unstable session connections. And MPLS itself does not provide encryption.

Cymbel’s mission is to provide the information security and compliance solutions which enable these technologies. We help our clients rethink and re-implement defense-in-depth.

Darwin said, “It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change.”

As an Information Security and Compliance Solution Provider, we are enablers of technology change.

Enterprises Riding A Tiger With Consumer Devices | threatpost

Enterprises Riding A Tiger With Consumer Devices | threatpost.

George Hulme highlights two technology trends which are increasing enterprise security risks – employee-owned smartphones and Web 2.0 applications including social networking.

Today, more than ever, employees are bucking efforts to be forced to work on stale and stodgy corporate notebooks, desktops or clunky, outdated mobile phones. They want to use the same trendy smart phones, tablets, or netbooks that they have at home for both play and work. And that, say security experts, poses a problem.

“If you prohibit access to the services people want to use for their jobs, they end up ignoring you and doing it from their own phone or netbook with their own data connection,” says Josh Corman, research director, security at the analyst firm 451 Group. “Workers are always going to find a way to share data and information more efficiently, and people will always embrace ways to do their job as effectively as possible.”

To control and mitigate the risks of using Web 2.0 applications and social networking, we’ve been recommending to and deploying for our clients Palo Alto Networks’ Next Generation Firewalls.

Palo Alto posted a well written response to Hulme’s article, Which is Riskier: Consumer Devices or the Applications in Use? Clearly, Palo Alto’s focus is on (1) controlling application usage, (2) providing intrusion detection/prevention for allowed applications, and (3) blocking the methods people have been using (remote access tools, external proxies, circumventors) to get around traditional network security solutions.

We have been big supporters of the thinking that the focus of information security must shift from protecting devices to protecting information. That is the core of the next generation defense-in-depth architecture we’ve assembled.

Corman agrees that the focus needs to shift from protecting devices to protecting data. “Security managers need to focus on the things they can control. And if they can control the computation platforms, and the entry and exit points of the network, they can control the access to sensitive data, regardless of who is trying to access it,” he says. Corman advises enterprises to deploy, or increase their focus on, technologies that help to control data access: file and folder encryption, enterprise digital rights management, role-based access control, and network segmentation.

Having said that, we are currently investigating a variety of new solutions directly aimed at bringing smartphones under enterprise control, at least for the enterprise applications and data portion of smartphone usage.

Easy fix for Firesheep creates a problem for enterprises

Using SSL encryption to connect to social networks like Facebook and Twitter mitigates the risk of your credentials being stolen when you are using public WiFi networks to connect to the Internet. But it creates a problem for enterprises attempting to control the use of social networking because most firewalls and Intrusion Prevention Systems are blind to SSL traffic.

The recent publication of Firesheep, and the subsequent download of over 104,000 copies of the Firefox plug-in in the last 24 hours, highlights this well understood security flaw in the way social networking sites communicate with their users. Firesheep sniffs the WiFi network traffic to capture your user name and the established session ID for any of 26 sites including Facebook, Twitter, Amazon, and the NYTimes. This allows the Firesheep user to access any of these sites as you!! This not only will reveal your personal information to the Firesheep user, but allow him/her to impersonate you.

This article, Firefox Add-on Firesheep Brings Hacking to the Masses, provides a very good detailed explanation of how Firesheep works. The article also describes several readily available tools which enable or force the use of SSL for all traffic to sites that accept SSL. In other words, rather than just encrypting the exhange of identification and password credentials, all traffic is encrypted.

There is no doubt that using SSL is a good privacy protection control. However, SSL encrypted sessions will make it more difficult for enterprises to control the use of social networking because most firewalls and IPSs are not capable of decrypting SSL traffic. In other words, most firewalls and IPSs are blind to SSL traffic. An exception is Palo Alto Networks, the industry leading Next Generation Firewall.

Consumerization and Corporate IT Security

Bruce Schneier’s article last week entitled, Consumerization and Corporate IT Security, postulates that IT security has no choice but to loosen control in response to the consumerization of IT. In other words corporate use of consumer IT products cannot be controlled by IT Security.

Here at Cymbel, we became aware of this issue back in 2007 and began searching for solutions to this issue. There is no doubt that corporate employees must be allowed to take advantage of Web 2.0 applications and social networking. However, the enterprise can surely do this in a controlled manner and provide protection against the risks of using these applications.

Here are four solutions we offer to corporate IT Security to protect the organization while enabling the use of consumer IT products:

Palo Alto Networks provides a next generation firewall designed and built from the ground up to enable controlled use of Web 2.0 applications and social networking and protection against web-based malware. In the last 18 months, they’ve grown from 200 customers to 2,000 and they are now cash-flow positive. I would expect an IPO in the next 12-18 months.

FireEye provides protection against web-based zero-day and unknown threats using heuristics rather than signatures. It minimizes false positives by using VMWare based sandboxes on its appliances to run suspicious executables prior to alerting.

NexTier Networks is the first Data Loss Prevention system that uses semantics to classify documents rather than traditional fingerprinting. Therefore it can protect against malicious attempts at intellectual property exfiltration as well as structured data without massive pre-scanning or pre-tagging.

Zscaler provides cloud-based proxy services for protecting against web and email-based malware without having to deploy any premises equipment. This is especially suitable for organizations with many small locations. Zscaler also provides a lightweight agent for traveling users so their web and email traffic is also routed through their cloud-based service.

In addition, we recommend Sentrigo, a database protection solution, as another layer of our next generation defense-in-depth architecture focused on applications, users, and information.

Enhanced by Zemanta

Taxonomy of Social Networking Data

Bruce Schneier recently blogged about his A Taxonomy of Social Networking Data essay in the IEEE Security & Privacy magazine. There are six categories of data: Service, Disclosed, Entrusted, Incidental, Behavioral, and Derived.

It’s also clear that users should have different rights with respect to each data type. We should be allowed to export, change, and delete disclosed data, even if the social networking sites don’t want us to. It’s less clear what rights we have for entrusted data — and far less clear for incidental data. If you post pictures from a party with me in them, can I demand you remove those pictures — or at least blur out my face? (Go look up the conviction of three Google executives in Italian court over a YouTube video.) And what about behavioral data? It’s frequently a critical part of a social networking site’s business model. We often don’t mind if a site uses it to target advertisements, but are less sanguine when it sells data to third parties.