<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Victor Wheatman, Author at Security Current</title>
	<atom:link href="/author/victor-wheatman/feed/" rel="self" type="application/rss+xml" />
	<link>/author/victor-wheatman/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 08 Nov 2017 05:48:13 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Victor Wheatman, Author at Security Current</title>
	<link>/author/victor-wheatman/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>What CISOs Must Know About Fighting Identity Theft</title>
		<link>/what-cisos-must-know-about-fighting-identity-theft/</link>
					<comments>/what-cisos-must-know-about-fighting-identity-theft/#respond</comments>
		
		<dc:creator><![CDATA[Victor Wheatman]]></dc:creator>
		<pubDate>Sun, 05 Oct 2014 23:30:53 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16953</guid>

					<description><![CDATA[<p>High-level strategies for defending against attacks to steal identities are twofold: solutions on the back end, and what consumers and business partners can do to protect themselves. Almost daily, we&#8230;</p>
<p>The post <a href="/what-cisos-must-know-about-fighting-identity-theft/">What CISOs Must Know About Fighting Identity Theft</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p><em>High-level strategies for defending against attacks to steal identities are twofold: solutions on the back end, and what consumers and business partners can do to protect themselves.</em></p>
<p>Almost daily, we hear about security breaches with millions of personal data records compromised, requiring companies to notify those affected, and to provide free credit and identity theft monitoring services. Invariably, local newscasters finish their reports advising viewers to &#8220;change their passwords.&#8221;  Easily said.</p>
<p>There are other things both consumers and businesses can and should do to fight identity theft besides inconvenient password changes.  These mitigating measures involve both the back and front ends of transaction systems.</p>
<p>But how do breaches like those reported happen?</p>
<p>Clearly the bad guys are finding access points to sneak into databases and steal massive amounts of data &#8212; sometimes all at once, sometimes in drips and drabs lest someone notice the exfiltration of data.</p>
<p>Sometimes the attackers are politically motivated.  For example, there is evidence that recent attacks on JPMorgan Chase originated in Russia in response to financial sanctions imposed on Russia for attacking Ukraine and seizing Crimea.  Other times, it&#8217;s simpler criminal activity with the perpetrators motivated to make money through identity theft.</p>
<p>Individuals can take unwise actions opening themselves to attack.  These actions include responding to spam and phishing attacks, or sharing on-line credentials with family members, friends or caregivers, leading to &#8220;friendly-fraud.&#8221;</p>
<p>Further, when small or medium sized business owners intermingle personal and business accounts, they become bigger targets than ordinary netizens because their accounts are of higher value. One of the biggest consumer vulnerabilities is created through social media behaviors.  I&#8217;ve joked about the CIA/NSA-sponsored data collection project called &#8220;Facebook&#8221; where people willingly give up personal information such as full birthday or Mother&#8217;s maiden name (hey, she&#8217;s a &#8220;friend&#8221;) which can be used for brute force password attacks or spear phishing.  And then there are LinkedIn and Google+ users who have higher fraud rates than other groups, according to studies by Javelin Strategy and Research.</p>
<p>High-level strategies for defending against identity theft attacks are twofold: implementing systems on the back end, and steps consumers and business partners can and should take to protect themselves.</p>
<p>Back end strategies include Identity and Access Management programs that embrace not only internal users, but also customers and consumers.  Out of band one time passwords (OTPs) using tokens or software equivalents for high value transactions and challenge questions all help.  Biometrics also help mitigate identity theft for account takeover, new account fraud, stolen user names, or criminal payment channels such as counterfeit credit card accounts.</p>
<p>Database Activity Monitoring at the back end can alert if unauthorized inquiries are made against sensitive databases while Data Loss Prevention tools can alert and protect against the exfiltration of personal information.</p>
<p>The most direct product class for fighting identity theft at the back end is Web Fraud Detection solutions. These systems handle transaction scoring, link analysis and correlation analytics that work to verify that traffic is not coming from known threat sources.</p>
<p>These solutions work to verify the user location, what specific machine they&#8217;re using based on the endpoint&#8217;s &#8220;fingerprint,&#8221; and examine the types of inquiries and transactions being initiated for policy violations. The findings are compared against expectations based on previous interactions with a specific user, or against rules about what behavior is expected.  If something appears out of range, the session can be dropped, or additional information can be requested to verify the user.</p>
<p>Because credit card companies have a vested interest in fighting identity theft and fraud, some have acquired companies with relevant offerings: Accertify (American Express), Cybersource (VISA) and DataCash (MasterCard).  Other providers of Web Fraud Detection products include Silver Tail Systems (acquired by RSA, the security division of EMC), Trusteer (acquired by IBM), Oracle and ThreatMetrix.</p>
<p>So mitigating technologies at the back end can help fight identity theft.  But that&#8217;s only part of the solution. Consumers and business partners can set up credit/debit card and bank account alerts to notify about legitimate transactions, and those that are not authorized.  Surveys conducted by Javelin Strategy and Research have found consumers increasingly willing to do this, as part of taking on more responsibility for protecting their on-line activities, supplementing safeguards and loss limits covered under consumer protection rules and regulations.</p>
<p>Another individual response is to use Identity Protection Services (IDPS) such as LifeLock,  EZShield, and services offered by the larger credit bureaus.  There are also companies such as Intersections which market directly to consumers, but also support private labeled services offered by banks or affinity groups such as auto clubs to their customers. IDPS vendors provide a range of services, but some also offer consulting and other services to enterprises to support regulatory compliance both before and after an identity theft breach occurs.</p>
<p>The services provided to consumers include monitoring the credit bureaus for inquiries and changes, scanning databases such as court records for errors, sifting through black market and &#8220;darknet&#8221; bulletin boards for stolen identity data such as credit card numbers, and alerting on any unauthorized change attempts made to sensitive records such as Social Security.</p>
<p>If there is a breach impacting an IDPS customer, resolution services help to recover losses and to protect identity going forward.  This includes assistance in cancelling credit cards, putting flags or freezes on credit bureau reports, aiding forensic investigations, and working with law enforcement.</p>
<p>True,  consumers can do things like cancelling their own credit cards themselves.  But for some, having a service with specialized knowledge backing them up provides a measure of peace of mind.  However none of the IDPS companies can really prevent identity theft.  They can just help make it harder for the bad guys and easier for the victim to recover &#8212; but at a cost.</p>
<p>There have been marketing and business practice controversies regarding IDPS.  Regulatory and oversight agencies have fined some providers for signing up consumers against their will and for false promises. Some financial institutions that partnered with IDPS vendors have also been fined and have stopped offering such services.</p>
<p>One common complaint is that a vendor says it will alert customers when a credit check is performed on them, yet there are numerous instances of IDPS customers making significant purchases, such as applying for a mortgage, buying a car, or getting a new credit card, which require a credit check, where the IDPS failed to alert the customer. Accordingly, promises are being made which some of these companies do not fulfill.</p>
<p>Nevertheless, IDPS companies, and knowledgeable consumers who monitor their accounts daily for questionable transactions, are part of a back end/front end strategy for fighting ID theft and the resulting fraud.</p>
<p>CISOs should be aware of the complementary nature of these offerings, as well as Web Fraud Detection and other technologies as they work to combat the increasingly creative bad guys looking to steal identities in order to commit financial and other fraud.</p>
<p>The post <a href="/what-cisos-must-know-about-fighting-identity-theft/">What CISOs Must Know About Fighting Identity Theft</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/what-cisos-must-know-about-fighting-identity-theft/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Blending Two Cultures: Management Perspectives on Converging Physical and Information Security</title>
		<link>/blending-two-cultures-management-perspectives-on-converging-physical-and-information-security/</link>
					<comments>/blending-two-cultures-management-perspectives-on-converging-physical-and-information-security/#respond</comments>
		
		<dc:creator><![CDATA[Victor Wheatman]]></dc:creator>
		<pubDate>Mon, 27 Jan 2014 17:23:36 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17080</guid>

					<description><![CDATA[<p>Hey, here&#8217;s a good idea: let&#8217;s have the part of facilities management that deals with the physical security of the office park, the factory, and the government facility work with&#8230;</p>
<p>The post <a href="/blending-two-cultures-management-perspectives-on-converging-physical-and-information-security/">Blending Two Cultures: Management Perspectives on Converging Physical and Information Security</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>Hey, here&#8217;s a good idea: let&#8217;s have the part of facilities management that deals with the physical security of the office park, the factory, and the government facility work with the folks that handle IT Security. Let&#8217;s put those folks together in a room, see where there&#8217;s overlap, eliminate duplication of effort and maybe even save money by flattening the overall &#8220;security&#8221; management system. It&#8217;s all &#8220;Security.&#8221;   Yeah, that should work. Bring them together.</p>
<p>Oh boy.</p>
<p>Let&#8217;s take the way-back machine for some literary perspective. In 1959, novelist and scientist CP Snow delivered his <u>The Two Cultures</u> lecture.  Its central thesis was the breakdown of communication between the <a href="https://en.wikipedia.org/wiki/science">sciences</a> and the <a href="https://en.wikipedia.org/wiki/humanities">humanities</a>.  Snow said this was a major hindrance to solving the world&#8217;s problems.  He likened it to a rift, a lack of understanding, maybe tinged with hostility, between scientists and literary intellectuals.</p>
<p>Okay, it&#8217;s not an exact comparison.  Putting that aside, we hear a recurring opinion that the physical and cyber security communities need to come together, to communicate better, and to leverage what one discipline knows to the other. The problem is that the message usually comes from vendors pushing a &#8220;converged&#8221; solution.</p>
<p>Let&#8217;s face it. The former military or law enforcement types, representing those who patrol the perimeter, guard the parking lot gates and supervise visitor check-in don&#8217;t have much in common with the geeks from the IT department and vice versa.  The facilities management people handle fencing, building access, foot patrols, keys and locks.  The IT security people run firewalls, intrusion protection systems, the Identity and Access Management systems and all the rest of that &#8220;stuff.&#8221;</p>
<p>They come from two different cultures, but they have a similar mindset and mission, filtered through risk analysis.</p>
<p>Despite the differences and faulty management thinking that &#8220;security is security,&#8221; organizations are putting together aspects of physical and IT security.  Good things can come from it,  IF expectations are reasonable.  The title Chief Security Officer (CSO) implies managing ALL security and some companies and agencies have recruited or promoted folks to CSO. The job can be a career stepping stone for someone with the confidence and background to handle it, but it&#8217;s a risky step for someone making a power play or for an empire builder.</p>
<p>Unless you&#8217;re in a large organization which can support a qualified CSO reporting to a Chief Risk Officer or equivalent, a better alternative is to look for projects which bridge the cultural gap to improve physical plant protection, protect IT resources, protect intellectual property and consolidate compliance and regulatory reporting &#8212; while saving money.</p>
<p>Physical and IT security projects usually converge first on access control, be it gated doors or enterprise IT systems. For example someone who hasn&#8217;t officially entered the building shouldn&#8217;t be able to log on to sensitive applications or enter sensitive locations such as the data center. That seems logical.  But there are challenges.  The directories don&#8217;t necessarily synch up with one another, and don&#8217;t necessarily identify entitlements, responsibilities and restrictions across domains, requiring directory strategies as well as connectors to consolidated management consoles and reporting systems.</p>
<p>But overcoming such challenges is possible, and the benefits can be significant.  An Identity and Access Management (IAM) system has more value when it can be leveraged, not only through a Physical Access Control System (PAC), but also in other protective projects such as data loss prevention, security incident response and business continuity planning.</p>
<p>To be sure, some organizations need correlation between physical and information technology security more than others. For example, pharmaceutical researchers need to prevent cross-contamination between human and animal research.  Food processing and other manufacturing plants also need tight application and physical access policies due to regulations or separation of duty concerns.</p>
<p>A number of IT security vendors sell PACs themselves or work with partners to bridge the physical and IT access divide through policy-based management and shared directories. We&#8217;ve also seen vendor mergers in access control.  One company sold electronic locks and bought another bringing identity management solutions to the party.</p>
<p>A number of niche vendors have appeared over the last few years bringing industry sector-specific knowledge of required regulations and reporting mandates along with consolidated management consoles.  Examples include Alert Enterprise (Fremont, CA) and Quantum Secure (San Jose, CA).</p>
<p>But the fundamental problem facing organizations remains bridging the two cultures and getting everyone to get along for the betterment of the company.</p>
<p>Rather than force-fit a CSO on top of the physical and IT parts of security, a federated approach is a better strategy to encourage collaboration to leverage the skills, knowledge and disciplines of both sides of the house for mutual benefit. Collaboration benefits include improved overall security through better communications and cross-training among those responsible, streamlined processes, and better information sharing.</p>
<p>Cost savings are possible by leveraging common infrastructure, policies and staff. Considering both physical and IT security requirements as appropriate can lower procurement costs.  For example, IP-connected surveillance cameras can carry images on the existing corporate network rather than deploy separate cabling or wireless links.</p>
<p>There are challenges based on corporate tendencies to decentralize functions,  diluting the potential value of joint projects.  Vendor selection may be problematic because the market has limited vision in this context.  There are issues in checks and balances: if a theft occurs, will an IT security department &#8220;perp&#8221; be able to cover up digital forensic tracks?</p>
<p>But the biggest challenges are inertia and overcoming the cultural differences on a personal level. Distrust, fears of being devalued under another department, and other concerns may prevent meaningful discussions and project movement in the first place.</p>
<p>Yet building stronger relationships through joint security projects can bring beneficial results, and the conversation should take place. We should all be able to get along when it comes to securing the workplace.</p>
<p>CP Snow reconsidered the two cultures problem a few years later after his original 1959 lecture.  Contemporaries introduced the idea of the Third Culture, essentially a coming together to reconcile or mediate differences.  The idea of two cultures in security can lead to unnecessary fence building and turf protection.</p>
<p>But just as scientists and literary intellectuals still have differences, today physical security and cyber security remain two cultures – two cultures that  can learn from one another if those differences can be appreciated and the commonality be co-joined to create a third culture which has scope and vision to make good things happen in the realm of converged security.</p>
<p>The post <a href="/blending-two-cultures-management-perspectives-on-converging-physical-and-information-security/">Blending Two Cultures: Management Perspectives on Converging Physical and Information Security</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/blending-two-cultures-management-perspectives-on-converging-physical-and-information-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Scared of SCADA? Maybe It&#8217;s Cultural. Read a Children&#8217;s Book</title>
		<link>/scared-of-scada-maybe-its-cultural-read-a-childrens-book/</link>
					<comments>/scared-of-scada-maybe-its-cultural-read-a-childrens-book/#respond</comments>
		
		<dc:creator><![CDATA[Victor Wheatman]]></dc:creator>
		<pubDate>Tue, 14 Jan 2014 17:51:12 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17100</guid>

					<description><![CDATA[<p>There is growing concern over the security of SCADA (supervisory control and data acquisition systems), one of the Internet of Things topics discussed at the Amphion Forum conference recently held&#8230;</p>
<p>The post <a href="/scared-of-scada-maybe-its-cultural-read-a-childrens-book/">Scared of SCADA? Maybe It&#8217;s Cultural. Read a Children&#8217;s Book</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>There is growing concern over the security of SCADA (<em>supervisory control and data acquisition </em>systems), one of the Internet of Things topics discussed at the Amphion Forum conference recently held in San Francisco.</p>
<p>Once upon a time, SCADA systems were based on proprietary operating systems, proprietary protocols and limited connectivity.  Now, many of the controls on critical infrastructure such as power plants, water treatment facilities, process manufacturing and other infrastructure have been migrated onto commercial operating systems,  and are Internet-enabled so they can be monitored and tuned remotely.</p>
<p>Internet connectivity of both newer and legacy platforms has made these systems vulnerable.   The scary scenarios include bad actors causing widespread damage by opening a dam&#8217;s flood gates or causing sewage discharges into drinking water supplies.  It also has been speculated that related Programmable Logic Controllers (PLCs) handling prison doors might be attacked with disturbing consequences.</p>
<p>The most famous SCADA attack to date was the Stuxnet worm which entered the controls of Iranian nuclear fuel processing centrifuges.  They were not connected to the Internet.  Instead, someone plugged an infected USB drive into a controlling PC on the internal network near these devices. The worm searched for specific software running PLCs not only at the nuclear facility, but also at industrial facilities such as power plants.  Aided by updates, Stuxnet morphed into Flame and Duqu and spread and spread and spread, causing fun and games throughout the world.    Stuxnet started in SCADA and grew to create havoc throughout the rest of the IT security world.</p>
<p><strong>Who is responsible?</strong></p>
<p>So  who is responsible for anticipating and mitigating the implied risks at critical infrastructure facilities?   Is it the IT Security manager?  Doesn&#8217;t SCADA security belong in the realm of Operational Technology (OT)?  After all, IT Security is busy enough with locking things down in the continuing onslaught of attacks on computing facilities.   Besides,  the folks over in Operations don&#8217;t necessarily welcome IT Security encroaching on their domain.  According to Joe Weiss, Managing Partner of <a href="http://realtimeacs.com/">Applied Control Solutions</a> (Cupertino, CA), who spoke at the Amphion conference: &#8220;The IT world and the OT worlds  hate each other.  And they hate each other more than they hate an attacker.&#8221;</p>
<p>Weiss also notes that the cultures of OT and IT Security are different.  &#8220;You can&#8217;t have someone [from IT security] walk in at 4PM Friday afternoon saying  &#8216;I need you to shut down now&#8217; without realizing that the lights may go out, or that the refinery may go down.  It&#8217;s a completely different mindset  between mission assurance and information assurance.&#8221;   Further,  says Weiss, &#8220;until you can relate back to why security has impact on what it means to keep the lights on,  or the water flowing,  or the trains running,  they&#8217;re not going to do it.  Right now it goes directly against what they&#8217;re trying to do.  You&#8217;re making life difficult. You&#8217;re making it more cumbersome. You&#8217;re creating problems.  None of it is linked back to <em>why</em> they should be doing it.&#8221;</p>
<p>And so the charter of OT is different from that of IT Security.  What&#8217;s their motivation for looking after the security of the systems they manage?   Weiss says that OT staff compensation has nothing to do with security, and security is not compensated for being concerned about OT security.  Regarding IT security, he says, &#8220;they get compensated if they have a firewall up and running.  The fact it could bring down a SCADA system is irrelevant to them.&#8221;  And for operations?  &#8220;They just want to keep the lights on. They don&#8217;t care who tries to get in.&#8221;  Weiss says &#8220;Until both sides have compensation partially tied to the overall outlook, you won&#8217;t get cooperation.&#8221;</p>
<p>Well, there&#8217;s no reason for the two cultures to be antagonistic.   As someone once asked, &#8220;Can&#8217;t we all get along?&#8221;</p>
<p><strong>So what&#8217;s the solution?  </strong></p>
<p>Well, you can start by having the security people read a children&#8217;s book.  US Air Force Cyberspace Operations Officer, Adjunct Professor at Utica College, and Director and Founder of the non-profit educational organization hackINT, Robert M. Lee&#8217;s illustrated <u><a href="http://www.scadaandme.com/">SCADA and Me: A Book for Children and Management</a></u> will explain it as simply as is implied in the title.  And then upper management should take responsibility for bringing representatives of OT and IT Security together.  Sure, OT is really responsible for the industrial processes and controls that keep the lights on, the water running and all the rest, but IT Security has that responsibility as well.</p>
<p>That message needs to be reinforced and turf wars overcome. The two teams need to identify and codify this as the common mission, assigning staff first in task forces and study groups to scope and prioritize the tasks necessary to mitigate the risks, and work on the cultural and compensation issues, and then to build out as cooperating entities, properly resourced and chartered to keep the lights on, and to do so safely.</p>
<p>The post <a href="/scared-of-scada-maybe-its-cultural-read-a-childrens-book/">Scared of SCADA? Maybe It&#8217;s Cultural. Read a Children&#8217;s Book</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/scared-of-scada-maybe-its-cultural-read-a-childrens-book/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How You Should Be Thinking About the Information Security Budget</title>
		<link>/how-you-should-be-thinking-about-the-information-security-budget/</link>
					<comments>/how-you-should-be-thinking-about-the-information-security-budget/#respond</comments>
		
		<dc:creator><![CDATA[Victor Wheatman]]></dc:creator>
		<pubDate>Mon, 25 Nov 2013 18:51:52 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17147</guid>

					<description><![CDATA[<p>So, how did you do this year with your security budget requests?  And how does the plan look for next year?  With information security representing a competitive arms race with&#8230;</p>
<p>The post <a href="/how-you-should-be-thinking-about-the-information-security-budget/">How You Should Be Thinking About the Information Security Budget</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>So, how did you do this year with your security budget requests?  And how does the plan look for next year?  With information security representing a competitive arms race with the bad guys, you want enough funding to ensure you are practicing commercially reasonable security, and to support mission critical business strategies.</p>
<p>Many organizations don&#8217;t know what a &#8220;normal&#8221; security budget really is. Some budgets draw down from the overall IT budget on an as-needed basis, while others fund security separately from the IT budget.  Most consultants recommend that the security budget be evaluated as a percentage of the overall IT budget, which may mean massaging the numbers a bit. Generally, the surveys have shown averages in the 1-7% range. However,  security spending varies widely by industry, geography, organizational size and security maturity level, so comparisons to other organizations usually are inexact.  Also, political and cultural differences are factors.  Some organizations are conservative in their approach, and may only buy proven, market-leading solutions through a primary vendor; others maintain &#8220;skunk works&#8221; where early-stage solutions can be tested.</p>
<p>Identifying the true pro forma security budget for planning purposes is difficult for a number of reasons. What&#8217;s included? Is business continuity planning for disaster recovery? How about security compliance and reporting? And how about IT-based physical security such as video surveillance or building access systems?</p>
<p>IT functions, including information security, may be highly distributed and owned by various departments or business units. For example, firewalls may be part of the networking budget. Managed security service provider fees are sometimes woven into the HR budget because outsourcing is seen as personnel additions. Security capital expenses are captured separately from operational expenses. And some security functions, such as desktop anti-malware, are bought by subscription, and may be paid out of the desktop support budget. IT staffers often work on security activities on an as-needed basis, making it difficult to accurately account for security personnel expenses and headcount.</p>
<p>Justifying a security budget may also be tricky. Information security covers three general and overlapping categories. First, there are the protective and defensive tools such as firewalls, vulnerability management and anti-malware. Second, projects such as identity and access management and secure web development for e-commerce are business enabling and tend to be enabling rather than defensive. Third are routine security operations such as security performance monitoring, business continuity planning and security patch management. The easiest to justify is protection, because no one wants to be blamed for allowing the organization to be put out of business for even a short time due to a denial-of-service attack. The best way to justify business-enablement security elements is to link the project to cost savings or to business initiatives that will increase customer satisfaction and user productivity. Operational expenses can be pitched as the cost of responsibly doing business.</p>
<p>Business units should include specific funding for security evaluation, testing and risk mitigation in all IT project requests rather than assume the security department will take care of it. Finally, when making budget requests, it&#8217;s a good idea to estimate the projected value for cost in terms of reduced risk, more efficient compliance reporting, or using projected measurable metrics such as reducing downtime by being able to mitigate attacks faster than before.</p>
<p>There are published surveys from Gartner and others on how much organizations spend on security as a percentage of the IT budget, in terms of cost per employee, by industry, company size and geography. There are also industry forums where CISOs can collegially gather peer expenditures. Projected spending outside surveyed findings may be reasonable, but should be evaluated to determine the reasons for the variance.</p>
<p>Many CISOs face pressure to cut spending. This leads to the game of asking for more than you need. But the more powerful way of justifying a budget request is to articulate that security represents a risk trade-off. When you cut back security, risk increases. Make sure that your organization&#8217;s business leaders understand and approve the risk trade-offs inherent in your budget, especially if you are asked to cut essential security processes or tools.</p>
<p>The post <a href="/how-you-should-be-thinking-about-the-information-security-budget/">How You Should Be Thinking About the Information Security Budget</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/how-you-should-be-thinking-about-the-information-security-budget/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Does the NSA Use Quantum Computing to Break Things?</title>
		<link>/does-the-nsa-use-quantum-computing-to-break-things/</link>
					<comments>/does-the-nsa-use-quantum-computing-to-break-things/#respond</comments>
		
		<dc:creator><![CDATA[Victor Wheatman]]></dc:creator>
		<pubDate>Wed, 20 Nov 2013 05:41:24 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=18048</guid>

					<description><![CDATA[<p>In the continuing stream of revelations about reported NSA hacking to protect national interests comes more news. Data moving between data centers operated by the world&#8217;s largest Internet email companies allegedly&#8230;</p>
<p>The post <a href="/does-the-nsa-use-quantum-computing-to-break-things/">Does the NSA Use Quantum Computing to Break Things?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In the continuing stream of revelations about reported NSA hacking to protect national interests comes more news. Data moving between data centers operated by the world&#8217;s largest Internet email companies allegedly was intercepted and collected for analysis because the encryption protections on the data were bypassed.</p>
<p>The prevailing theories about how the NSA apparently did this vary. Did the NSA receive the decryption keys from the email providers themselves, perhaps under court order? Did the NSA steal the keys? Did the agency use custom-built supercomputers to break the keys? Did the NSA use backdoors in encryption chips that it managed to get inserted earlier (remember the Clipper Chip)? Or did the NSA grab the data before it was encrypted and send it on its way? I offer another theory: the NSA used experimental quantum computers (QCs) to break the keys.  But as with so many theories, there is no proof.</p>
<p>Nevertheless, this leads to a question about the state of the technology when it comes to quantum computing, and more specifically, quantum cryptanalysis.</p>
<p>Messages or transactions protected with &#8220;weak&#8221; keys can sometimes be broken by brute force: powerful computers, sometimes networked to multiply computing power, work through the key space until the right key is found. Each additional bit of key doubles the size of that space, so key strength grows exponentially with key length. &#8220;Factoring&#8221; is a different attack, aimed at public-key systems such as RSA rather than at ciphertext. An RSA public key contains a large number that is the product of two secret primes; whoever recovers those primes from the product can compute the private key and decrypt everything protected with it. For the key sizes in commercial use, factoring is not a feasible code-cracking technique with conventional computers. Today, the best known methods would take multiple lifetimes of the universe to break the protection provided by commercially used algorithms employing recommended key lengths.</p>
<p>Ever faster computers mean the key space can be searched more quickly and the cryptography broken more easily. But because increasing key length strengthens cryptographic protections exponentially, something new is needed: a proverbial quantum leap from today&#8217;s computers to those exploiting the strange laws of quantum physics. In 1994 Peter Shor showed that a quantum computer could factor numbers far faster than any known method on a digital computer, in polynomial rather than sub-exponential time, which would break RSA and related public-key systems outright. Symmetric ciphers such as AES fare better: Grover&#8217;s quantum search algorithm only halves their effective key length, so doubling the key size restores the margin. But building a QC isn&#8217;t easy.</p>
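<p>As an added illustration, not part of the original column, the following Python shows why factoring matters and which step a quantum computer speeds up. It builds a toy RSA key from two small primes, then recovers the private key using the classical half of Shor&#8217;s algorithm: find the order r of a base a modulo N, then take gcd(a^(r/2) &#8211; 1, N). The order-finding loop is brute force here; that period-finding step is exactly the piece Shor&#8217;s algorithm performs efficiently on a quantum computer. The primes 61 and 53, the exponent 17 and the message 65 are constructed for the example and are far too small to be secure.</p>

```python
from math import gcd

def mod_inverse(e: int, phi: int) -> int:
    """Private exponent d with e*d == 1 (mod phi).  pow(e, -1, m) needs Python 3.8+."""
    return pow(e, -1, phi)

def order_mod(a: int, n: int) -> int:
    """Multiplicative order of a modulo n: the smallest r > 0 with a**r % n == 1.
    Brute force here (up to n steps).  This period-finding step is the one that
    Shor's 1994 algorithm performs in polynomial time on a quantum computer."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_from_order(n: int, a: int):
    """Classical post-processing of Shor's algorithm for one base a.
    Returns a non-trivial factor of n, or None when this base is unlucky
    (odd order, or a**(r/2) is the trivial square root -1 of 1 modulo n)."""
    g = gcd(a, n)
    if g != 1:
        return g                      # a already shares a factor with n
    r = order_mod(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)             # y*y == 1 (mod n); if y != +-1, gcd(y - 1, n) splits n
    if y == n - 1:
        return None
    f = gcd(y - 1, n)
    return f if 1 < f < n else None

def factor(n: int):
    """Try bases a = 2, 3, ... until one yields a factor; returns (p, q) sorted."""
    for a in range(2, n):
        f = factor_from_order(n, a)
        if f:
            return tuple(sorted((f, n // f)))
    return None

def break_rsa(n: int, e: int, ciphertext: int) -> int:
    """Attacker's view: only the public key (n, e) and a ciphertext are known.
    Factoring n gives phi(n), hence the private exponent d, hence the plaintext."""
    p, q = factor(n)
    d = mod_inverse(e, (p - 1) * (q - 1))
    return pow(ciphertext, d, n)

# Toy key, constructed for the example; real keys use a 2048-bit or larger n.
P, Q, E = 61, 53, 17
N = P * Q                               # 3233, the public modulus
D = mod_inverse(E, (P - 1) * (Q - 1))   # 2753, the private exponent

if __name__ == "__main__":
    c = pow(65, E, N)                   # encrypt the message 65 with the public key
    print("factors of N:", factor(N))
    print("recovered plaintext:", break_rsa(N, E, c))
```

<p>Base 2 happens to be an unlucky choice for N = 3233 (its half-order gives the trivial root &#8211;1), and the code simply moves on to base 3; a quantum implementation has the same failure mode and retries in the same way. Everything in the block is classical: a quantum computer changes only the cost of <code>order_mod</code>, from exponential in the size of N to polynomial.</p>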
<p>Quantum computers exploit the counter-intuitive world of the very, very small, down to the level of single atoms and photons. Their basic unit is the quantum bit, or &#8220;qubit,&#8221; which can be realized in trapped ions, superconducting circuits, photons or other physical systems and which, unlike a classical bit, can be in a superposition of one and zero at the same time. A pair of qubits can be in a superposition of 00, 01, 10 and 11, and the capacity grows exponentially: n qubits can be in a superposition of 2^n states. A 32-bit register in a conventional computer can hold any one of about 4.3 billion (2^32) values, but only one at a time; a register of 32 qubits can hold a superposition of all 4.3 billion at once.</p>
<p>Furthermore, an operation applied to such a register acts on every component of the superposition at once, a form of massive parallelism inside a single QC: one step on 32 qubits applies the same operation to all 4.3 billion values, where a conventional computer would repeat the computation 4.3 billion times or use that many processors in parallel. The catch is that measuring the register yields only one of those results, chosen at random. Useful quantum algorithms such as Shor&#8217;s therefore arrange for the unwanted answers to cancel out by interference before measurement, so the speedup depends on the algorithm rather than on raw parallelism, and conventional measures such as petaflops or exaflops do not describe what a QC can do.</p>
<p>University and national government laboratories have been researching quantum computing for years. <a href="http://www.dwavesys.com/en/dw_homepage.html">D-Wave</a> (Burnaby, British Columbia, Canada), born from research at the University of British Columbia, is commercially selling early-stage quantum hardware. Note that D-Wave&#8217;s machines are quantum annealers built for optimization problems, not the gate-model computers needed to run Shor&#8217;s algorithm.</p>
<p>There are many scientific problems that can be addressed using quantum computing. We expect, but cannot confirm, that interested funding sources for research include intelligence agencies that want to use QCs to decrypt encrypted messages, as well as analyze massive amounts of collected data.</p>
<p>And if QCs can be used to break or decrypt encrypted data, then new protections will be needed to keep up, whether quantum cryptography or classical algorithms designed to resist quantum attack. And so there is a sort of cryptographic arms race underway, albeit in slow motion, hindered by the technical problems involved.</p>
<p>Quantum cryptography research isn&#8217;t looking for better encryption algorithms, but rather focuses on Quantum Key Distribution (QKD) to strengthen key exchange. Some approaches are limited in that they require dedicated fiber optic connections for key exchanges, although testing also is being done using satellites and over-the-air links. Companies to watch are <a href="http://www.idquantique.com/">ID Quantique</a> (Geneva, Switzerland), <a href="http://www.magiqtech.com/MagiQ/Home.html">MagiQ Technologies</a> (Somerville, Mass.) and the Australian company <a href="http://quintessencelabs.com/">QuintessenceLabs Inc.</a>, which has an office in Mountain View, CA. While this work would appear secondary to the motivation to decipher secret messages, reported NSA eavesdropping may accelerate interest in both. But keep in mind that potential solutions are immature, expensive and highly complex. It will be many years before either a cryptographically relevant quantum computer or cost-effective quantum key exchange is in routine commercial use.</p>
<p>An effect of quantum computing research is likely to be similar to the effect that recent NSA revelations have had: creating distrust and disbelief that anything can be hidden from well motivated, well funded, interested parties, be they spy agencies or commercial rivals. Companies and government agencies need to convince their business partners that the information they are required to keep secret is adequately protected. One way to provide such reassurance is to demonstrate a realistic understanding of how quantum technologies are advancing.  Furthermore, organizations need to test and re-test the current, and largely adequate, data protection methods used to maintain the privacy of their sensitive data today. Proper implementation is the &#8220;key.&#8221; Quantum computing and Quantum Key Distribution, while interesting, remain elusively over the horizon.</p>
<p>The post <a href="/does-the-nsa-use-quantum-computing-to-break-things/">Does the NSA Use Quantum Computing to Break Things?</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/does-the-nsa-use-quantum-computing-to-break-things/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>YAC/YAM, Log Management, SIEM and Big Data Security Intelligence</title>
		<link>/yacyam-log-management-siem-and-big-data-security-intelligence/</link>
					<comments>/yacyam-log-management-siem-and-big-data-security-intelligence/#respond</comments>
		
		<dc:creator><![CDATA[Victor Wheatman]]></dc:creator>
		<pubDate>Wed, 06 Nov 2013 19:40:41 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17155</guid>

					<description><![CDATA[<p>Maybe it&#8217;s just me, but many market analysts tend to be skeptical about the latest shiny new thing promising the &#8220;complete solution&#8221; in security and other technology initiatives. Skepticism is fueled&#8230;</p>
<p>The post <a href="/yacyam-log-management-siem-and-big-data-security-intelligence/">YAC/YAM, Log Management, SIEM and Big Data Security Intelligence</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Maybe it&#8217;s just me, but many market analysts tend to be skeptical about the latest shiny new thing promising the &#8220;complete solution&#8221; in security and other technology initiatives. Skepticism is fueled by the constant stream of overlapping tools, enhancements and nuanced products promising to do something &#8220;more,&#8221; but with functionality that ultimately may become features in other products. Some organizations want and need to stay ahead of the adoption curve and pay attention to market moves by new and established vendors.</p>
<p>That skepticism extends to security monitoring consoles, which have been described in derogatory terms as &#8220;Yet Another Console/Yet Another Monitor (YAC/YAM).&#8221; Such consoles require security analysts to sit at monitors, eyeballing the red, green and gray spinning meters, indicators and alarms, looking for trouble.  Such technical talent is in short supply. The enterprise is relying on the sensitive, intuitive capabilities of security operations and threat management professionals who essentially &#8220;know&#8221; a problem when they see it. But many worrisome events go unnoticed, unreported and unresolved. And then there are the false indicators that may be perfectly fine, but look &#8220;funny&#8221; and require further time-consuming analysis.</p>
<p>Consoles and monitors eventually evolved into Security Information and Event Management (SIEM) solutions. SIEM products themselves are the result of the merger of Security Information Management (SIM) and Security Event Management (SEM) products. SIM software provides after-the-fact reports on things that have happened (often for compliance and forensic requirements). SEM software works to provide near-real-time warnings of abnormalities that may indicate a malware infection, an attempted denial-of-service attack or other malicious activity. SIEMs are fed data from anti-malware, firewalls, authentication gateways, endpoints and other sources to help security analysts make sense of things.  Correlating something bad happening &#8220;over here&#8221; with something bad happening &#8220;over there&#8221; may not be easy or even possible.</p>
<p>There have been disappointing SIEM deployments and project restarts.  In some cases, the flaws lie upstream. Anti-malware products that feed the SIEM can miss viral infections, Trojans and Advanced Persistent Threats (APTs) that lodge and spread within the network-computing infrastructure until they launch with a loud and expensive &#8220;gotcha!&#8221; Malware can invisibly collect user IDs and passwords, or support industrial espionage by stealing proprietary data, and then sending it out under the cover of other intra- and inter-enterprise communications.</p>
<p>The market knows something is missing with SIEM. While security professionals are reluctant to go public about their projects, under the protection of anonymity, we&#8217;ve come across some telling tales that validate a market need for something more.  One financial services security manager told us:</p>
<p>&#8220;We have a bit of a challenge because SIEM is very much an infrastructure monitoring tool. We’re simply getting data from routers, switches, firewalls, servers, authentication servers, authentication databases and the like and collecting them. We have done some level of correlation, but I would say it’s still pretty much a first generation level. We haven’t gone into any correlation other than suspicious network traffic. We haven’t built any complex use cases yet. This is something we’re looking at either doing ourselves or bringing in a 3rd party.&#8221;</p>
<p>And another:</p>
<p>&#8220;The SIEM promise is seen as nirvana but doesn’t seem achievable. It&#8217;s a lot of work to support the SIEM. We don&#8217;t expect the SIEM rules to come from the vendors. Most of the things important to the company and the things to look for must come from people inside the company.&#8221;</p>
<p>A number of vendors including Splunk, headquartered in San Francisco, CA, HP/ArcSight, based in Cupertino, CA, and early-stage start-ups are working to address the next stage of enterprise security intelligence, based on the idea that there is &#8220;big data&#8221; within the computing and networking environment that needs to be evaluated for threats and vulnerabilities. Two fairly new vendors are Click Security, in Austin, TX and SMAARTS in San Mateo, CA.* These companies propose to add value to some of the existing approaches, finding flaws in how older solutions handle unstructured data. For example, some older products store logs first and search them afterwards to detect, and ideally prevent, bad things from happening. But because evidence is only found when someone queries the stored data, malware can have infiltrated the infrastructure well before it is detected and neutralized, and there are practical limits on how much stored data can be analyzed in a timely fashion. The market seems to be heading toward streaming, real-time analytics and automated responses to identified attacks, while trying to keep both false positives and false negatives low.</p>
<p>It may be too early in the game for start-ups to credibly demonstrate that their promises, based on proprietary technology and algorithms, are ready for commercial use. But there does seem to be a market need for solutions that supplement the skills of security analysts who &#8220;know it when they see it.&#8221; A recent SANS survey found that many organizations are collecting far more information than they can analyze, and that associations among logged security events are not easily made.</p>
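<p>As an added example, not code from the original column or from any vendor named in it, the following Python sketches the kind of correlation &#8220;use case&#8221; the earlier paragraphs describe: one rule that ties a burst of failed logins reported by a server to the later success from the same source, enriched with what a perimeter firewall saw from that address. It processes events one at a time and keeps only per-source state in memory, which is the streaming approach discussed above, as opposed to storing logs and searching them later. The two log formats, the host names and the sample lines are constructed for the example; real vendor formats differ.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two log formats, both constructed for this example (not real vendor formats).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd (?P<outcome>FAILED|ACCEPTED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed sample stream: a perimeter firewall and an SSH server both report
# on the same external address within a few seconds.
SAMPLE_LOGS = """\
2013-11-06T19:40:01Z fw01 ACCEPT src=203.0.113.9 dst=10.0.0.5 dport=22
2013-11-06T19:40:02Z srv05 sshd FAILED user=root src=203.0.113.9
2013-11-06T19:40:03Z srv05 sshd FAILED user=admin src=203.0.113.9
2013-11-06T19:40:04Z srv05 sshd FAILED user=oracle src=203.0.113.9
2013-11-06T19:40:05Z srv05 sshd FAILED user=test src=203.0.113.9
2013-11-06T19:40:06Z srv05 sshd FAILED user=backup src=203.0.113.9
2013-11-06T19:40:20Z srv05 sshd ACCEPTED user=backup src=203.0.113.9
2013-11-06T19:45:00Z srv05 sshd FAILED user=alice src=198.51.100.7
2013-11-06T19:46:00Z srv05 sshd ACCEPTED user=alice src=198.51.100.7
"""

def parse_event(line: str):
    """Normalise one raw line into a dict with a common 'src' key, or None if the
    format is unknown (a real pipeline should count unparsed lines, not drop them)."""
    for kind, rx in (("auth", AUTH_RE), ("fw", FW_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            return ev
    return None

class StreamCorrelator:
    """One use case: at least `threshold` failed logins from a source inside
    `window`, followed by a successful login from the same source.  State lives
    in memory per source, so the alert fires on the event that completes the
    pattern instead of on a later query against stored logs."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.perimeter = {}                  # src -> last inbound connection the firewall allowed
        self.alerts = []

    def ingest(self, ev: dict):
        src = ev["src"]
        if ev["kind"] == "fw":
            if ev["action"] == "ACCEPT":     # remember what was seen "over there"
                self.perimeter[src] = {"ts": ev["ts"], "dst": ev["dst"], "dport": ev["dport"]}
            return None
        q = self.failures[src]
        while q and ev["ts"] - q[0] > self.window:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "FAILED":
            q.append(ev["ts"])
            return None
        if len(q) < self.threshold:                  # an ordinary successful login
            return None
        alert = {
            "rule": "brute-force followed by success",
            "src": src, "user": ev["user"], "host": ev["host"],
            "failures": len(q), "ts": ev["ts"],
            "perimeter": self.perimeter.get(src),
        }
        q.clear()                                    # do not re-alert on the same burst
        self.alerts.append(alert)
        return alert

def run(text: str, **kwargs) -> list:
    """Feed lines to the correlator one at a time, as a streaming engine would."""
    corr = StreamCorrelator(**kwargs)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            corr.ingest(ev)
    return corr.alerts

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

<p>On the constructed sample this yields a single alert for 203.0.113.9 (five failures, then a successful login as &#8220;backup&#8221;), carrying the firewall&#8217;s record that the same address was allowed in to 10.0.0.5 on port 22; the lone failure from 198.51.100.7 never reaches the threshold. The threshold and window are the tuning knobs that trade false positives against false negatives, and, as the quoted security manager notes, they have to come from people who know the environment rather than from the vendor.</p>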
<p>No organization has an unlimited budget. The security “wish list” can be very long and difficult to prioritize. Technologically aggressive organizations and those that cannot tolerate much risk should keep an eye on this evolutionary trend. By instantaneously examining much more transactional and operational data than is handled currently by today&#8217;s commercially available SIEM solutions, organizations should be able to advance in their ability to defend their data &#8211; and reputations &#8211; in the continually evolving threat environment.</p>
<p>*Disclosure:  The author is a market development advisor to SMAARTS.</p>
<p>The post <a href="/yacyam-log-management-siem-and-big-data-security-intelligence/">YAC/YAM, Log Management, SIEM and Big Data Security Intelligence</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/yacyam-log-management-siem-and-big-data-security-intelligence/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Skeptical of Biometrics? Have a Backup Plan</title>
		<link>/skeptical-of-biometrics-have-a-backup-plan/</link>
					<comments>/skeptical-of-biometrics-have-a-backup-plan/#respond</comments>
		
		<dc:creator><![CDATA[Victor Wheatman]]></dc:creator>
		<pubDate>Tue, 22 Oct 2013 22:45:14 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17924</guid>

					<description><![CDATA[<p>So whoopie-do, the new iPhone has a fingerprint reader to unlock the phone as a market differentiator,  and to open new authentication applications and developer opportunities &#8211; assuming Apple opens&#8230;</p>
<p>The post <a href="/skeptical-of-biometrics-have-a-backup-plan/">Skeptical of Biometrics? Have a Backup Plan</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>So whoopie-do, the new iPhone has a fingerprint reader to unlock the phone as a market differentiator, and to open new authentication applications and developer opportunities &#8211; assuming Apple opens up the appropriate APIs.  This is based on the technology Apple bought last year when it acquired AuthenTec, which has encryption technology, fingerprint sensors and identity management software.</p>
<p>And already, hackers, taking a cue from 1970s spy movies, managed to fool the reader using the simplest of techniques: they lifted a registered fingerprint from a drinking glass, presented a copy of it to the reader, and voila! You&#8217;re in!  (BTW, whatever happened to the requirement that it be a &#8220;live&#8221; finger?)</p>
<p>I&#8217;ve long been skeptical of biometrics because of their False Acceptance and False Rejection Rates (FAR/FRR), but the technology is improving.  For example, instead of typing texts or email on my phone, I use voice to text with reasonably accurate results.  Usually.  Mobile systems such as the iPhone&#8217;s Siri are cloud enabled, using the heavy-duty computing power of the data center in the sky. PC-based systems such as Dragon voice-to-text have been used for quite a few years, also with mixed results.</p>
<p>It&#8217;s an open question whether smudgy biometric-enabled iPhones, or any abused, challenged fingerprint system, will do the job expected 100 percent of the time.  Some people don&#8217;t have fingerprints that register.  We&#8217;ve long seen biometric systems installed for data center access control, but they&#8217;ve often fallen into disuse.  And there are those times when the system just doesn&#8217;t work as advertised: at a trade show I offered my hand to a palm print biometric identification system. The system simply refused to recognize me after registration. Not very impressive.</p>
<p>Last year, the president and founder of a multi-factor out-of-band authentication company came to the company where I worked to demonstrate his pride and joy solutions. Most of the product/service he showed uses SMS texting and other messaging to a pre-registered cell phone for out-of-band authentication. That went fine.  Then came a test of the voice biometrics option.  The CEO first enrolled his voiceprint and then demonstrated how it worked for accessing a bank account. Then he made a mistake: he challenged the other analysts in the briefing to try to break into the bank account using their own voices. I worked in radio and have an ear for regional accents. I asked a colleague from Chicago to try it since the CEO came from the Windy City and had a distinctive accent. First try: failed. Second try: IN! The Chicago-accented analyst fooled the voice biometric!</p>
<p>Now it’s likely that system sensitivity was tuned low to account for noisy environments, poor quality cell phone microphones and other factors but the episode fed my skepticism on biometrics.</p>
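<p>To make the trade-off in that episode concrete, here is an added example that is not part of the original column. A biometric matcher produces a similarity score, and the operator picks a threshold: lowering it to cope with noisy microphones cuts the False Rejection Rate (FRR) but raises the False Acceptance Rate (FAR). The genuine and impostor scores below are constructed, not measurements from any product; the 0.72 impostor plays the part of the Chicago-accented colleague.</p>

```python
# Constructed matcher scores (0 = no match, 1 = perfect match); not data from any
# real product.  The 0.72 impostor is the near-miss that a low threshold lets in.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.66]
IMPOSTOR = [0.20, 0.35, 0.41, 0.55, 0.30, 0.62, 0.48, 0.25, 0.72, 0.38]
THRESHOLDS = [0.50, 0.55, 0.60, 0.65, 0.70, 0.75, 0.80]

def far_frr(genuine, impostor, threshold):
    """FAR: share of impostor attempts accepted (score >= threshold).
    FRR: share of genuine attempts rejected (score < threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each candidate operating point."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]

def equal_error_threshold(genuine, impostor, thresholds):
    """Operating point where FAR and FRR are closest (the equal error rate, EER)."""
    def gap(t):
        far, frr = far_frr(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)

if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"threshold {t:.2f}: FAR {far:.1f}  FRR {frr:.1f}")
    print("EER threshold:", equal_error_threshold(GENUINE, IMPOSTOR, THRESHOLDS))
```

<p>On these numbers a threshold of 0.60, friendly to noisy environments, rejects no genuine users but accepts two of ten impostors, while 0.75 accepts no impostors at the cost of rejecting two of ten genuine users. Which side of the equal-error point to sit on is a risk decision, which is why the fallback mechanism for a biometric matters as much as the biometric itself.</p>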
<p>There are going to be exceptional cases, but these experiences and observations underscore the need for backup systems on critical biometric authentication functions. You don&#8217;t want to bet on any one system working all of the time. Always include a back-up. And the back-up of choice for all but the most sensitive of access applications turns out to be the good old UserID and a creative password. Keep in mind that the fallback then sets the floor for the whole system: an attacker who cannot spoof the biometric will simply go after the password, so it must be no weaker than the policy for the application would otherwise require.</p>
<p>Security mechanisms are not foolproof, and that&#8217;s why a layered approach, AKA &#8220;security in depth,&#8221; remains necessary in access control as well as in defense.</p>
<p>The post <a href="/skeptical-of-biometrics-have-a-backup-plan/">Skeptical of Biometrics? Have a Backup Plan</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/skeptical-of-biometrics-have-a-backup-plan/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Securing the Internet of Things</title>
		<link>/securing-the-internet-of-things/</link>
					<comments>/securing-the-internet-of-things/#respond</comments>
		
		<dc:creator><![CDATA[Victor Wheatman]]></dc:creator>
		<pubDate>Tue, 22 Oct 2013 22:40:37 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17920</guid>

					<description><![CDATA[<p>A European judge recently blocked a security researcher&#8217;s paper describing how to bypass a car&#8217;s immobilizer theft-protection system. The Next Generation of airline control systems is designed to efficiently improve&#8230;</p>
<p>The post <a href="/securing-the-internet-of-things/">Securing the Internet of Things</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>A European judge recently blocked a security researcher&#8217;s paper describing how to bypass a car&#8217;s immobilizer theft-protection system.</p>
<p>The FAA&#8217;s Next Generation air traffic control system (NextGen) is designed to make air travel more efficient, but the ADS-B position broadcasts at its core reportedly use no encryption and carry no authentication, meaning false aircraft signals could be injected to create confusion in the air and on controllers&#8217; screens.</p>
<p>And then there is the research by the late security expert Barnaby Jack demonstrating attacks on critical medical devices such as insulin pumps and pacemakers.</p>
<p>These systems &#8211; modern automobiles, air control systems, along with power plant controls, sophisticated and connected medical equipment, many household appliances and other devices were once isolated, but now they are increasingly connected and interconnected as part of the &#8220;Internet of Things.&#8221;   And, like virtually all developments of the past, the focus is on functionality with security being an after-thought.  But now, increasing attention is being placed on securing these things with the publication of white papers, journal articles, as well as focused conferences and focused security solution providers.</p>
<p>Much of the attention on device security is driven by the move to mobility. As employees demand access to tablets and smarter phones for business critical functions, how is security being addressed?  The best approach is to not view wired and wireless as all that different. The variety of channels will continue to trend towards a chaotic, mixed environment that companies and government agencies need to manage.  But focusing solely on mobile devices is a mistake.  Business and control devices such as multi-function printers (MFPs), factory and power plant controls managed by Programmable Logic Controllers (PLCs), smarter and smarter cars, smart homes and electronic, networked locks on doors each have potential risks and vulnerabilities.  And the list goes on.</p>
<p>So why is this important?</p>
<p>Well, because things happen. The Stuxnet worm reached air-gapped control networks on USB drives, then reprogrammed Siemens PLCs at an Iranian uranium-enrichment plant &#8212; and it spread well beyond its intended target to industrial facilities around the world. There have been attacks on supervisory control and data acquisition (SCADA) systems.  In theory, an attacker could open a dam&#8217;s floodgates or trigger sewage discharges into the drinking water supply. Or maybe prison doors could be opened by organized crime-sponsored hackers, releasing nasty characters or, at the very least, putting prison guards at risk.</p>
<p>Some device security concerns relate to network technology such as switches that support VPNs, or which handle machine-to-machine communications. These need to be trusted and protected.  Having compromised security hardware is a double whammy &#8211; they&#8217;re supposed to protect but if they themselves are vulnerable, well, what good are they?  They also need to be properly identified by digital certificates for software updates and maintenance.</p>
<p>Familiar office machines are also overlooked channels for potential breaches. Multi-function printers (MFPs) handle photo copying, scanning and faxing in addition to printing, but sensitive documents can be left in the tray leading to privacy breaches and the loss of intellectual property.  The integrated memory on MFPs can retain sensitive information meaning disposal needs to be carefully thought through, and since MFPs are on the network, they are vulnerable to remote exposure.</p>
<p>A number of niche vendors have taken a variety of approaches to protecting devices and systems: <a href="http://www.industrialdefender.com/">Industrial Defender</a> focuses on securing industrial controls, <a href="http://www.arxan.com/">Arxan Technologies</a> offers software protection, the Certificate Authorities provide X.509 device certificates, <a href="http://www.wave.com/">Wave</a> provides embedded device security, and <a href="http://www.mocana.com/">Mocana</a> has developers&#8217; toolkits and has been producing conferences on the topic.</p>
<p>While fighting fires on the front lines of network and application security, security professionals also need to look at how their companies or agencies are evaluating device security, and provide leadership as part of an overall enterprise risk management strategy.</p>
<p>After all, what can happen?  Maybe you don&#8217;t want to find out.</p>
<p>The post <a href="/securing-the-internet-of-things/">Securing the Internet of Things</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>/securing-the-internet-of-things/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
