Codeasaurus Rex

September 7, 2008

Privileged user monitoring in the enterprise

Filed under: Security — Codeasaurus Rex @ 12:09 pm

I just listened to the Tuesday, May 09 2006 webcast entitled “Ask The Expert Webcast: Who’s Guarding the Guards? Employing a Privileged User Monitoring Strategy” on the SANS webcast archive page at

https://www.sans.org/webcasts/archive.php

Too much ground was covered and it could have been better organized, but I’m still recommending this webcast because there were some valuable nuggets of information that I was able to pick out of the torrent of exposition.

I was not aware, for example, that behavioral analysis of database usage is being deployed to identify potential insider abuse like credit card data collection. The webcast also asserted that the majority of serious breaches were committed by employees with five to ten years of service: long enough to gain the requisite levels of experience, trust and privileged access to sensitive–and saleable–data.

What amazed me was the scope of the problem: 300 to 400 billion dollars per year. Now I understand why drug tests and credit checks are becoming part of the IT employee vetting process, though I do not approve. In the final analysis, only the Lord beholds the soul, and recourse is had to imperfect substitutes due to the Deity’s lamentable absence from the hiring process.

Insider threats to information security

Filed under: Security — Codeasaurus Rex @ 10:24 am

Although most of the information security business seems centered on detecting and intercepting external attacks, dishonest insiders pose a more subtle threat.

A valuable introduction to this topic is the May 3, 2006 webcast entitled “Wednesday Webcast: Web Application Security” on the SANS webcast archive page at

https://www.sans.org/webcasts/archive.php

September 6, 2008

Securing Mobile Access

Filed under: Security — Codeasaurus Rex @ 11:58 am

Exposing a subset of enterprise data and applications anytime, anywhere is a requirement of doing business these days. There are, however, technical challenges to limiting that exposure to authorized parties and protecting against compromised systems they may be using.

This post is to call attention to an interesting presentation by SANS on the implications of mobile access for enterprise security. It is listed as the April 20, 2006 webcast entitled “Part 1: The Mobile User – Secure Access from Anywhere (even the Home PC!)” on the SANS webcast archive page at

https://www.sans.org/webcasts/archive.php

As the first part of a three-part series, it doesn’t provide solutions. It does, however, provide a good summary of the issues that mobile access introduces.

August 21, 2008

Cloud computing or privacy: choose one

Filed under: General, Security — Codeasaurus Rex @ 12:00 pm

The concerns that I’ve had about my own use of third-party-hosted email and CRM have just gotten a shot in the arm by a Security Focus article from Mark Rasch.

As a software developer, I was seduced by the incredible ubiquity and accessibility that browser-based apps provided. Now, however, I’m tending towards the view that if it’s personal, private or sensitive, it doesn’t belong in an electronic medium that was geared from the start towards publishing and not protecting data.

I think it’s time to reconsider the tradeoffs of third-party hosting and take control of our own data on hardened server appliances that we own ourselves. As Rasch’s article claims, at least the authorities will need a warrant to seize personally-held data before they pool it for use by any official anywhere for whatever purpose. The protections for my data held by phone companies and ISPs have been under full-scale attack by the government for the last few years, and I don’t expect this trend to spontaneously reverse itself as the price of disk storage continues to plummet.

I therefore predict that there will be a backlash against data-holding service providers in favor of user-owned and user-controlled server appliances simply to escape from the threat of essentially warrantless snooping. Another possibility is to continue to use third-party services, but only store encrypted data on them when privacy is at stake: this would require a complete rethinking of the client side and could tip the scale in favor of rich clients.

Read the article here.

July 27, 2008

Phishing email attacks

Filed under: IT Backgrounders, Security — Codeasaurus Rex @ 12:11 pm

I used to think of phishing emails as just more spam. It turns out that they are fundamentally different: whereas spam seeks to sell, phishing seeks to steal. Phishing does share some technical features with spam, but adds layers of deception (even simulating legitimate websites) to commit fraud. Most IT professionals have seen enough phishing emails cross their inbox to understand the material.

This post is to call attention to an interesting presentation by SANS on phishing. It is listed as the October 11, 2005 webcast entitled “Tool Talk: The Anatomy of a Phishing Email” on the SANS webcast archive page at

https://www.sans.org/webcasts/archive.php

Phishing has evolved somewhat since the webcast was originally broadcast. For example, it is now common to hear about spearphishing (more selective phishing) and whaling (highly selective phishing). Whaling is targeted at individuals with high net worth or some other characteristic that makes the ability to impersonate them especially valuable.

Although these phishing variants have become better-known since the webcast originally appeared, I still found it to be interesting and informative.

See the Howto for information on how to access a SANS webcast.

June 28, 2008

Honeypots

Filed under: IT Backgrounders, Security — Codeasaurus Rex @ 8:29 am

A honeypot is a destination on your private network that you don’t use for normal purposes. Any attempt to access it is by definition anomalous and therefore an indication that a security breach of some kind is in progress. This simple idea is what makes a honeypot a valuable network security alarm.

A honeynet is a collection of honeypots, though a single machine and network interface card is sufficient to simulate a honeynet.
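As an added illustration of the alarm idea above (example code, not from the post or from SANS): any traffic whose destination is a decoy address is flagged, grouped by source so one scanner produces one alert rather than dozens. It also goes one step beyond the post and reports traffic *originating* from a decoy, since an unused host should never initiate connections. The log format, the decoy addresses and the sample lines are all constructed for this example.

```python
"""Honeypot alerting over firewall log lines (constructed example)."""
import re
from collections import defaultdict

# Placeholder decoy addresses: hosts on the private network that no
# legitimate user or service should ever contact.
HONEYPOTS = {"10.0.5.200", "10.0.5.201"}

# Constructed sample lines in a simplified "ts src dst dport proto action" format.
SAMPLE_LOG = """\
2008-06-28T08:01:02 10.0.1.15 10.0.2.10 443 tcp allow
2008-06-28T08:01:05 10.0.1.15 10.0.5.200 22 tcp deny
2008-06-28T08:01:06 10.0.1.15 10.0.5.200 80 tcp deny
2008-06-28T08:01:07 10.0.1.15 10.0.5.201 445 tcp deny
2008-06-28T08:02:00 10.0.1.22 10.0.2.10 443 tcp allow
2008-06-28T08:03:14 10.0.5.200 10.0.2.53 53 udp allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def honeypot_alerts(log_text, honeypots=HONEYPOTS):
    """Return (alerts, outbound): alerts maps each source that touched a decoy
    to its first timestamp, hit count and sorted destination ports; outbound
    lists records where a decoy itself was the source (possible decoy compromise)."""
    alerts = defaultdict(lambda: {"first": None, "count": 0, "ports": set()})
    outbound = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines instead of silently mis-matching
        if rec["dst"] in honeypots:
            a = alerts[rec["src"]]
            a["first"] = a["first"] or rec["ts"]
            a["count"] += 1
            a["ports"].add(int(rec["dport"]))
        if rec["src"] in honeypots:
            outbound.append(rec)
    return ({s: {**a, "ports": sorted(a["ports"])} for s, a in alerts.items()}, outbound)
```

Because a denied connection to a decoy is still an attempt, the `action` field is deliberately ignored; a firewall block does not make the probe any less anomalous.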

SANS provides an informative overview of honeypot/honeynet technology that is interesting whether or not you are personally responsible for network security. It is listed as the December 1, 2005 Wednesday Webcast entitled “Honeypots” on the SANS webcast archive page at

https://www.sans.org/webcasts/archive.php

See the Howto for information on how to access a SANS webcast.

June 24, 2007

Web hosting: who do you trust?

Filed under: CRM, Security — Codeasaurus Rex @ 4:16 pm

Given the massive popularity of web hosting, I think it’s appropriate to enquire about the security of your data in a hosted environment. This is a hot topic with me because I resell web hosting of a popular CRM (Customer Relationship Management) software suite.

First of all, let’s dispense with the easy targets like “free” Google email which is really paid for with your privacy and “unstated or indefinite length of time for data retention, without clear limitation on use or disclosure”.

For details see

http://www.techcrunch.com/2007/06/10/google-rated-bottom-for-privacy/

http://www.law.duke.edu/journals/dltr/articles/2005dltr0014.html

http://news.zdnet.co.uk/internet/0,1000000097,39150936,00.htm

I’m more concerned here with the ramifications of running important parts of your business like CRM (Customer Relationship Management) and accounting on the web.

First of all, why would you do it in the first place?

The advantages are tremendous: multiuser access to your company’s operational data from any computer with a browser and internet connection, 24 hours/day, 7 days/week. Customer management software capabilities formerly reserved for large companies are now available at costs ranging from low to free. You can move a sale towards completion or solve a customer problem any time and virtually anywhere with the complete customer relationship history and contacts at your fingertips. By moving customer data out of Rolodexes and onto the web, more people in your company can instantly assess the state of your relationship with a customer and take appropriate action than when the information is held apart. Also, having all or at least most of the relationship data on the web minimizes the damage when a salesperson or customer service agent leaves: critical account knowledge remains with the employer as long as the web application has been kept up-to-date.

But what are the risks?

Do you trust your web hosting service? Let’s say the hosting service seems on the up-and-up, and has formally promised to keep your data private. If the web hosting service is a serious business service that you pay for and not merely a data-mining front like Google and Yahoo, that’s another point in its favor. Businesses that turn a profit have an important incentive to stay in business; courting disaster by selling customer data and risking employee blackmail or exposure is simply not sustainable. Although it’s not unknown for businesses to behave irrationally, one can have a reasonable expectation that the data privacy promises of paid web-hosting services will be matters of both policy and self-interest.

So much for integrity at the business level. But there is also the employee level: some employees are simply dishonest. Others aren’t normally dishonest, but may nurse a grudge against the employer and rationalize their destructive behavior, especially if there is a dispute about compensation and money is to be easily had for turning over customer data to an interested third party. As a matter of fact, this is the kind of fraud that makes the news nowadays: your data is most exposed when it’s in a honeypot like an account database containing thousands of other accounts with sensitive data like ID coupled with debit or credit card numbers. A laptop goes missing, or an insider simply copies and spirits away an entire database or a damaging portion thereof.

There is no completely effective defense against this kind of fraud. Time-of-sale fraud detection systems will aid prevention, and detection and punishment may deter, but when these fail the damage to a company’s good name can range from serious to irreparable. Notice, however, that the honey in our example is sensitive billing data, valuable enough to be stolen whether it is exposed on the Internet or protected behind a corporate firewall on the company’s intranet. This invites us to differentiate between what data is in danger by its very nature, and what data is vitally important to your company but only of marginal interest to criminals.

My claim is that there is a class of data that can be reasonably entrusted to a web hosting company, and customer relationship (as opposed to customer billing) data is often in this class. If you’re a small- to medium-size business, the details of your non-billing interactions with your customers are probably uninteresting to people looking to score data that will facilitate identity theft and credit/debit card fraud.

As a matter of fact, this is the line of reasoning that led me to put my personal CRM on the web. I liked the product so much that I am reselling a hosting service based on it with an emphasis on business continuity and training convenience as my differentiators.

This is important, because just as my customers will entrust me with the safekeeping of their CRM data, I have already entrusted my web host with the safekeeping of my CRM data. My web host claims over 100,000 domains hosted, so the goodwill it stands to lose if fraud should occur is a powerful incentive to police everyone there. I’d very much like to automate the billing, though in keeping with my own advice I’m hesitant to expose sensitive customer ID and billing data on hosting machines in unknown locations managed by unknown admins employed by a company I only know through the Web.

(Don’t get me wrong: so far I’m very impressed with the hosting service and with the promptness and quality of the support from the admins and have no reason to doubt the integrity of the hosting service and its employees, but one bad apple can spoil the whole bunch so I keep my sensitive data encrypted on a USB key!)

I’m currently looking for a billing service that will be big and established enough to have

  1. a reputation to protect fiercely,
  2. its own servers, professionally secured, and
  3. no need for me to store sensitive customer billing data on machines that I don’t directly control, or, even better, no need for me to store sensitive customer ID and financial account numbers at all!

There is always, of course, the option of hosting your own CRM. If your perceived level of risk is so high that you need to take hosting in-house, however, you’ll also want to engage competent IT consultants or staff to lock down the installation with technologies like Virtual Private Networking. I doubt that most small businesses will want to deal with the hassle, though, in which case keeping billing data strictly in-house while reaping the advantages of web-enabled Customer Relationship Management will be accepted as a reasonable tradeoff of convenience versus security.

Even better, keep ID theft-prone data out of your systems altogether by exiling it to a popular payments service that enjoys the general trust of your customers. If you’re a small- to medium-size business, your data becomes much less interesting to criminals, and shifting the burden of trust to a well-known financial intermediary removes an important customer barrier to trying out a new vendor: you.
