DNS Security

This article, describing how a Brazilian Bank with $27 Billion in assets and hundreds of branches was taken over by a criminal hacking group for a single day in 2016, illustrates the need to secure your web resources all the way back to the registrar.  The undisclosed bank in question had all of its DNS traffic redirected to a clone of the bank’s actual website.  Customers used the site the entire day, entering their password and account information into the fake site – resulting in an undisclosed but likely significant loss of funds for the affected individuals, the bank and the Brazilian government’s insurance fund.

DNS Security is an overlooked component in the chain of digital services required to deliver internet services.  If you are interested in ensuring you maintain control over your domain, you need to evaluate the security of your domain registrar.  Like any other third-party service provider, they need to meet your security expectations.  You need to assess their service offerings and their ability to protect your data.

While not an endorsement on my part, CloudFlare has announced they intend to meet this emerging market.  They have started offering their services as a Registrar and include a handful of features designed to ensure domains are protected from hijacking.  I assume Registrars will look at these new offerings and see the market opportunities they represent.  Like many other services, until they become commodities, the provider can charge a premium.  I’m hoping these offerings will become ubiquitous and affordable for all website operators.

Until then, you should consider using CloudFlare’s security tool to understand the features you need to enable to ensure your website is secure.
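
As an added example (not part of the original post and not CloudFlare's tool), here is one way to audit what a registry publishes about your domain over RDAP: are change locks set, is the delegation DNSSEC-signed, and do the delegated nameservers match the ones you approved. The choice of these three checks is an assumption about which registrar features matter, and the record, domain and nameserver names are constructed placeholders.

```python
import json

# RDAP status values (RFC 8056 mapping of EPP codes) set by the registrar.
REGISTRAR_LOCKS = {"client transfer prohibited", "client update prohibited",
                   "client delete prohibited"}
# Equivalent locks set by the registry itself ("registry lock").
REGISTRY_LOCKS = {"server transfer prohibited", "server update prohibited",
                  "server delete prohibited"}

def audit_rdap_domain(record):
    """Return hardening findings for one RDAP domain object (RFC 9083)."""
    status = {s.lower() for s in record.get("status", [])}
    findings = [f"missing registrar lock: {lock}"
                for lock in sorted(REGISTRAR_LOCKS - status)]
    if not status & REGISTRY_LOCKS:
        findings.append("no registry-level lock set")
    if not record.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("delegation is not DNSSEC-signed")
    return findings

def unexpected_nameservers(record, expected):
    """Return delegated nameservers that are not in the approved list."""
    seen = {ns.get("ldhName", "").lower().rstrip(".")
            for ns in record.get("nameservers", [])}
    approved = {name.lower().rstrip(".") for name in expected}
    return sorted(seen - approved)

# Constructed sample RDAP response (not real data) for a placeholder domain.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "bank.example",
  "status": ["client transfer prohibited"],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.DNS-PROVIDER.EXAMPLE"},
    {"objectClassName": "nameserver", "ldhName": "ns2.unexpected.example"}
  ],
  "secureDNS": {"delegationSigned": false}
}
""")
APPROVED_NS = ["ns1.dns-provider.example", "ns2.dns-provider.example"]

if __name__ == "__main__":
    for finding in audit_rdap_domain(SAMPLE_RDAP):
        print("FINDING:", finding)
    for ns in unexpected_nameservers(SAMPLE_RDAP, APPROVED_NS):
        print("ALERT: unapproved nameserver", ns)
```

Run on a schedule against the live RDAP record for each domain you own, a change in the nameserver set is the earliest registrar-side signal of the kind of redirection described above.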

NIST 800-53 Rev 5

NIST intends to roll out revision 5 of the 800-53 standard (FISMA) in 2016.  They want your feedback.  If you (like me) have to endure the implementation of these controls, give them your feedback.  Help your fellow practitioners.

Some interesting elements from the Pre-Draft Call for Comments:

  • Addition of Keywords
  • Addition of hyperlinks to related documents

I really think these are good additions to the standard and hope the body goes forward with their inclusion.

Data Breach Settlement Insufficient

Breaches, breaches everywhere but not a consequence to be found – until now.

Data Breaches Passe

The Target data breach settlement negotiated by Mastercard has been refused by the three largest participating banks

Data breaches are (almost) no longer newsworthy. Exploited companies publish bland notices to the community indicating a breach has been reported and they are cooperating with authorities. Cyber security experts investigate.  The exploited company publishes the boilerplate list of exploited vulnerabilities. Occasionally a CISO or CIO’s employment is terminated.  And so on.

People complain about credit card interest rates but don’t correlate that experience to data breaches. It turns out one cause of high interest rates is card issuers recovering the costs associated with credit card data breaches. And guess what? That cost of doing business matters to the card issuers. The tide is turning and the accountability for data breaches is going to shift.  In their own self-interest, the major banks are pushing back – and we will eventually benefit.

Big Banks Push Back

Citigroup, Capital One Financial Corp. and J.P. Morgan Chase & Co. have each rejected the $19 million settlement negotiated on their behalf by Mastercard with Target Inc. More than $350 million has been spent addressing all of the issues associated with the 40 million cards affected by the data breach. An untold number of dollars has been stolen by the thieves associated with the Target breach with an estimated 9 billion US lost to thieves industry-wide last year. Small card issuers receive only pennies on the dollar for their losses.  They get their money after the big firms get theirs.  In that context, it’s not surprising that the major banks behind the card issuers are taking a firmer stand.

But how much is enough and how much can Target afford to spend compensating these firms for their lax controls? At what point does the consequence pass beyond termination of a senior executive’s employment and affect the stockholders of a company? When they care – we’ll benefit.  Target reported net revenue of 72 billion dollars in 2014.  While the settlement figure might affect stock prices temporarily, it’s not going to have a lasting effect.  Hopefully, the banks can raise the stakes and make the settlement meaningful for Target’s stakeholders – so we benefit.

Anthem

The financial industry has been at the forefront of reported breaches for several years – it is where the money is after all.  As the Health Care Info Security site infographic depicts, the pace of breaches in the healthcare industry is picking up.  In my experience, the healthcare market security practice trails the financial market by a large margin.  Speakers will talk about the industry abiding by ‘compliance obligations’ but not addressing security issues.  The cynic in me has a hard time hearing that argument without retorting “you mean you got the auditors to go away by checking a box without addressing the underlying risk”.  I am not surprised to see the volume of breaches in the healthcare industry increasing.

Many of my coworkers are impacted by the Anthem breach recently reported by the company.  After the fact, there’s not much to do other than await a full accounting of how the breach occurred.  Early reports indicate that the credentials of a privileged account were obtained and used to navigate within the Anthem technical environment to locate and secure confidential information.  Commercial cloud storage services were used to push the data outside (or ex-filtrate as they like to say) the Anthem environment.  The company does not believe the loss of credentials was purposeful (not an inside job) but rather the result of a spear-phishing attack.

What lessons can we glean from this event?  Unfortunately, there’s nothing new here.  Absent details, these are the same events that appear to unfold every month.  Administrators, like the rest of us, can still be deceived into clicking on links and/or revealing passwords.  When companies encrypt data, they still provide ready access to accounts with elevated privileges.  And finally, avenues to exfiltrate data are still permitted in companies believing the access is necessary to business functions.

Investigators now believe the hackers somehow compromised the credentials of five different tech workers, possibly through some kind of “phishing” scheme that could have tricked a worker into unknowingly revealing a password or downloading malicious software.

The larger issue is the disproportionate value proposition that exists.  The level of effort invested by these organized crime groups and nation states greatly exceeds the level of effort most companies are willing to invest to protect their critical resources – their intellectual property and the information entrusted to them by their customers.  Sadly, until consumers step forward and demand changes from their service providers, we will only see companies prioritizing profit over security. It is after all why they are in business.  Until we demand a higher standard – and perhaps even pay for it – we’ll see our credit card, our social security and our other private information shared with people we likely would run away from if we saw them on the street.

Reward companies willing to differentiate themselves based on how they secure your information – or keep doing what you’ve been doing and get more of the same.

Panic in the Cyber Security Industry

Reuters just published a story entitled Analysis: The near impossible battle against hackers everywhere on the current state of panic in the industry.  Earlier this week the security firm Mandiant published their assessment of the state-run hacking program operated by the Chinese government.  It was tempting to pull the entire article as a quote.  The rhetoric in the article reflects a state of panic held by many security professionals:

“They outspend us and they out man us in almost every way,” said Dell Inc’s chief security officer, John McClurg. “I don’t recall, in my adult life, a more challenging time.”

“There is a battle looming in any direction you look,” said Jeff Moss, the chief information security officer of ICANN, a group that manages some of the Internet’s key infrastructure.

“Everybody’s personal objectives go by the wayside when there is just fire after fire,” said Moss, who also advises the U.S. Department of Homeland Security.

“Your average operational security engineer feels somewhat under siege,” said Bruce Murphy, a Deloitte & Touche LLP principal who studies the security workforce. “It feels like Sisyphus rolling a rock up the hill, and the hill keeps getting steeper.”

“I don’t remember a time when so many companies have been so visibly ‘owned’ and were so ill-equipped,” said Adam O’Donnell, an executive at security firm Sourcefire Inc, using the hacker slang for unauthorized control.

“Our biggest issue right now is getting the private sector to a comfort level where they can report anomalies, malware, incidences within their networks,” McFeely said. “It has been very difficult with a lot of major companies to get them to cooperate fully.”

He said what worries him the most is Chinese presence on networks that have no espionage value, such as systems that run infrastructure like energy and water plants. “There’s no intellectual property to be pilfered there, no trade secrets, no negotiating positions. So that makes you frightened because it seems to be attack preparation,” Hayden said.