Archive for November, 2011
“… there are other ways to move from a position of constant and reactive defense to a state of preparedness: sharing our individual experiences. The bad guys are already organized and collaborating effectively on how to compromise our systems; we need to start sharing, and sharing openly.”
How do we beat the bad guys at their game? That’s the question Chris Poulin is asking in this new article for part of his ongoing series at SecurityWeek. The answer? Thinking like your adversary. Well, at least that’s part of it.
In his latest article, “Compromise Full Disclosure: Collective Knowledge Brings Stronger Defense,” Poulin explains how, in order to fight organized cyber attacks, security professionals need to be more organized themselves. This means more collaboration, knowledge sharing and, of course, the adoption of security intelligence. The end goal is to create an environment where breaches and the details of the attack (and not the vulnerability) are shared among professionals so that others can learn from these attack strategies and prevent their own breaches.
Click here to read the full article and share your thoughts about Poulin’s call for more full disclosure.
We recently held a webcast with SANS, featuring a major Q1 Labs customer who is a well-known luxury brand in the retail space. They have been relying on the QRadar Security Intelligence Platform to help them tackle compliance regulations, gain visibility into network devices and system logs, display packet level detail, and provide powerful reporting capabilities.
Let’s rewind a bit and discover why they need a SIEM.
PCI compliance is a driving factor since they are a publicly traded company and host payment information. Beyond that, and the reason why they need a SIEM, is the diversity and size of their network. Their infrastructure is comprised of multiple flavors of UNIX (including HPUX and IBM AIX), Red Hat Linux, and Windows servers; with network devices from Cisco, Checkpoint (firewalls), Solarwinds, and Airwave.
With over 500 stores, a corporate network, and a retail network, they faced a challenge of continuously monitoring for threats and suspicious activities. It was clear to them that simply reviewing logs on a periodic basis was not enough. They needed a SIEM solution to help uncover anomalies on their network in real time.
Of course, you don’t have to wait for each of these series to be released – watch the full webcast now. In the next part of the series, we will see why selecting a SIEM vendor is not an easy process.
Not too long ago, in fact just a few weeks or months back, you couldn’t refresh your browser without a new headline about a breach exposing critical data to attack, leakage, etc. Nowadays, the news is full of other topics, but this does not mean the cyber-threat has been diminished or that these hacks of the week aren’t still occurring. Below is a sampling of the steady stream of security concerns the IBM X-Force has been reporting on:
November 15, 2011: DoS Vulnerability Announced in ISC DNS
A new vulnerability in BIND 9 is being actively exploited, causing DNS servers to crash all across the Internet. According to a release from ISC, “Affected servers crash after logging an error in query.c with the following message: ‘INSIST(! dns_rdataset_isassociated(sigrdataset))’”. Multiple versions of BIND 9 are reported to be vulnerable, ISC is still investigating specific version numbers at the time of writing. Currently no workaround or patch is available, however it is under development. We will continue to monitor this situation and update things once a patch is available. Read More >
November 15, 2011: Operation Ghost Click
Recently the FBI announced details on a two year investigation resulting in the arrest of 6 individuals involved in a massive cyber-theft ring. This ring is reported to have infected over 4 million computers through means of a brand of malware dubbed DNSChanger. DNSChanger works by pointing a user’s computer to a rogue DNS server. When the user attempts to visit popular websites, the DNS server sends back a bogus address, sending the user to a malicious site instead. The cyber ring used this vast network of machines to manipulate internet advertising, bringing in over $14 million. The FBI has published the blocks of IPs involved with this activity and advised people to ensure they have no traffic destined to them. Read More >
The fact that these breaches and vulnerabilities aren’t getting the coverage they once were has me a little concerned. It’s not that we want to see these fear-inspiring headlines every day, but keeping security top of mind for even the general public means that more people are thinking like we do. You have to stay ahead of the threat to be safe, and that’s what you get with Security Intelligence.
Register for IBM X-Force Threat Reports to get access to the latest information concerning cyber-threats and security trends. Learn more about protecting your organization from a breach with this white paper, “5 Practical Steps to Protecting Your Organization Against Breach.”
While some have claimed the warnings about SCADA system vulnerabilities are merely exaggerations and vendor FUD, this talk should be put to rest with the news that a US utility has suffered real physical damage from a cyber attack.
As widely reported, a water pump at a utility in Springfield, Illinois was burned out by a remote attacker repeatedly turning it on and off over a period of months. Certainly not as dramatic as Stuxnet, but effective nonetheless.
How did it happen? The attacker allegedly infiltrated the network of the vendor whose software controlled the SCADA systems, including the water pump. Through this access, the attacker is believed to have gained customer user names and passwords, including those for the Springfield utility, which enabled remote access to the systems.
Reactions to the news range from indifference (it’s just a water pump; there was no disruption of service due to redundant systems; wake me when I should care) to alarm sounding (the vulnerabilities are real; the potential impact significant; the urgency high). At Q1 Labs, our view (and that of our customers!) is that critical infrastructure providers, their vendors and government authorities need to take these risks seriously.
What can we learn from this attack? Here are five lessons:
1. Information security is just as important as physical security. It is obvious now that cyber vulnerabilities exist, can be exploited, and can cause physical damage. But too often information security best practices are ignored. For example, why are SCADA systems even connected to the public Internet in the first place? ICS-CERT has reportedly “received a number of reports from multiple independent security researchers who have employed the SHODAN search engine to discover internet-facing SCADA systems ‘using potentially insecure mechanisms for authentication and authorization.’” This should never occur, but it happens through ignorance of security best practices, limited budgets and good old-fashioned manual error.
Defense in depth approaches should be adopted, and best practices understood and applied. For example, many organizations assume they’re secure because they’ve deployed traditional defenses such as firewalls, antivirus, and identity and access management solutions. This attack shows that these traditional approaches are no longer sufficient; you also need continuous monitoring in order to quickly spot unusual or suspicious activities, because cyber criminals might be using legitimate credentials to access your critical systems.
Utilities and other critical infrastructure providers have no excuses, and there is no “A for effort.” This is not only a national security issue, but also a business continuity and viability issue. If you fail your customers catastrophically, you will find yourself out of business.
2. Rapid detection matters. The breach is suspected to have occurred in September, but was not discovered until November 8. During that time, security researcher Joe Weiss reports, “minor glitches were observed in remote access to the SCADA system for 2-3 months before it was identified as a cyber attack.”
The reason operators typically let “glitches” go by for months is they don’t have an easy way to mine network data. If the utility had centralized logging, data normalization, and simplified searching and data pivoting, its operators would have been able to analyze the data faster, and identify and stop the attack. Instead of wondering how to find the root cause, they could have used a Security Intelligence solution to troubleshoot and explore the forensic data with a single, easy-to-use console.
There were also obvious clues that should have tipped off operators to a potential breach, such as the systems being accessed by Russian IP addresses. A modern SIEM solution would have automatically alerted on anomalous network activity, such as access from outside the US.
3. Assume you are already breached. Although rapid detection is vital for responding to new attacks, you should also assume you have already been breached and are now under covert surveillance or attack. Operation Shady Rat showed that US federal agencies, energy providers and other large sophisticated organizations – let alone smaller businesses – can remain unaware of attacks over a period of years.
Would you know if you were already compromised? Stop wondering, and get to work finding the breaches that likely already took place.
4. Aggressive information sharing must become the norm. Besides highlighting weaknesses in security defenses and monitoring practices, this story also demonstrates the industry’s opportunity for improvement in how it responds to a cyber attack. Although the Illinois Statewide Terrorism and Intelligence Center identified the incident, Weiss points out that “the incident has not been disclosed by the Water Information Sharing and Analysis Center, the Department of Homeland Security’s Daily unclassified report, by the DHS Industrial Control System-Cyber Emergency Response Team or other government and industry security groups.” Thus other water utilities remained unaware of the attack, according to Weiss.
5. The full impact of this breach is unknown. Without falling into hyperbole, one has to consider that the known damage may be just the tip of the iceberg with this exploit. Since “many industrial control systems rely on passwords that are hard-coded, making it difficult to change stolen passcodes without causing serious problems,” are other water utilities – or even nuclear power utilities – exposed to this compromise? Weiss notes that “If this is a [big software vendor], this could be so ugly, because a biggie would have not only systems in water utilities but a biggie could even be [used] in nukes.”
Regardless of whether this incident proves to be a minor blip or the start of a series of attacks on the SCADA vendor’s customers, the lessons it presents are clear. Aggressively protect your critical infrastructure. Focus on both parts of the Security Intelligence timeline: pre-exploit (vulnerability and configuration management) and post-exploit (threat detection, investigation and remediation). Learn from the best practices of California ISO and other critical infrastructure providers that have adopted Security Intelligence.
According to reports here, here, here and elsewhere, the Department of Homeland Security and FBI have announced that the destruction of the Springfield, Illinois water pump was not due to cyber hacking. The DHS announcement reads in part, “After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois. There is no evidence to support claims made in the initial Fusion Center report — which was based on raw, unconfirmed data and subsequently leaked to the media — that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.”
Questions remain about why the Illinois terrorism center reported this as an attack. But either way, the lessons shared here hold true. SCADA system vulnerabilities do exist, can be exploited, and can cause physical damage. The time to strengthen your pre-exploit and post-exploit security capabilities is now.
This story continues to play out in the headlines, with the FBI’s Cyber Division acknowledging that hackers recently accessed the infrastructure of three cities through SCADA systems. As this post notes, the good news is that the FBI’s budget for cyber defense will likely rise over the coming year. The bad news is that although the Cyber Division’s deputy assistant director “expects” the division to double in size within 12 to 18 months, the FBI’s budget request for cyber defense was only 12% higher for the 2012 fiscal year. How much impact will a 12% increase have? Your guess is as good as mine.
What is clear is that the vulnerabilities surrounding SCADA systems are real, and this issue will only become more significant over time. Consider that my first security prediction for 2012.
Last Sunday I was watching football (American football this time) as usual, when an advertisement played for a pizza tracker app. When you place an order with the pizza delivery service, they track the progress of the pizza’s ontogeny and progress toward your maw. I see this as a widget in a larger Football Intelligence dashboard.
What is Football Intelligence? It’s whatever makes your football viewing a successful experience. It includes not only the status of your pizza delivery, but the coldness of the beer and soft drinks; a running status of scores, standing and statistics of other teams in your conference, division, and the league; the amount of snacks per guest, total and remaining—in real-time; and whether the game will run over time and clip your significant other’s scheduled recording of The Good Wife.
The same way Business Intelligence supports better analytics and operational health at the business level, and Security Intelligence provides a real-time view of your current security posture and threats, Football Intelligence gives you a 360 degree view of the convergence of all football-related factors. The goal of all three is to allow you to identify obstacles to success and make informed and timely decisions to keep your business finances, operations, and risk in line with expectations, and your football party on track to keep your friends coming back to your man cave.
What impressed me about the Pizza Tracker is that meaningful telemetry must be fed into the system to provide near-realtime updates to the web dashboard, as well as email and text alerts. I’m guessing the pizza artists press a button when they start to fulfill your order and when it goes into the oven; the driver presses a button when s/he slides it into the stay-warm delivery bag and again when they pull up to your door. There’s room for improvement (and there are claims that the whole application is flawed): edible RFID in the crust to track the pizza through dough tossing and its trip through the oven, and geolocation tracking as the car wends its way toward your front door. And yet there are many data center applications in use by enterprise companies and government that don’t provide events with as much utility.
The point is there’s no dearth of logged events from most applications, but the use cases that employ them don’t always address business needs. It’s relatively easy to create SIEM rules to solve technical problems, e.g., identify brute force password guessing attacks, and those use cases are certainly useful. But the real value comes from giving business stakeholders useful visibility that they wouldn’t otherwise have.
On a side note, here’s an interesting look into the future of the convergence of pizza delivery and information acquisition. Social benefit or invasion of privacy? You choose.