Showing posts with label Security. Show all posts

Friday, August 26, 2011

Security Controls and Lessons Learned from the Financial Crisis


Security Controls and Lessons Learned from the Financial Crisis (IBM)

Bryan Casey |  Today 10:43 PM | Tags:  financial mortgage security ibm crisis
You know one of the interesting things I've noticed, and it's not really specific to security, is that the more interconnected the world becomes, the harder it is to find the root cause when something goes wrong.  If we look at the financial/mortgage crisis for example, if you wanted to point the finger at one person or event, could you do it?  I've wanted to for a long time, tracing this chain back to some single point of failure, but it's really not possible.  When something like this happens, where there isn't one root cause, accountability becomes a big mess because everyone can push the problem onto someone else.  The problem is that if everyone pushes around problems, problems never get solved.  So, the way that we need to look at it is that instead of there being limited accountability, there needs to be a lot of accountability. 





This type of complex interconnected failure isn't so different from what we see in the news around data breaches.  People want security to be simpler and they want to find that single point of failure, and sometimes it's there, but oftentimes, it's really not.  Our technology world has grown to become a complex system of systems where legacy systems are communicating with new systems, the notion of a perimeter is dissolving, new consumption and delivery models are popping up all the time and we have to secure all of this.



Let's face it, the majority of attacks today don't operate in little silos.  They can cross users and endpoints, applications, networks, databases, etc.  So despite the fact that you might have different teams responsible for all of these areas of your system, and you might see them as separate, attackers see this as one, connected system.  As a result, when breaches happen, it is often a combination of insufficient security controls, problematic policy and even things like a lack of user education. When we live in a world of complex and networked technologies, the notion of a single point of failure is disappearing.



So what do we do about this?  Obviously a layered defense is imperative.  You need to think about your data, how it moves, where it rests, how it gets accessed, which data is most important and how you can apply security controls all along the way.  Moving away from just the technology, one of the other things that people talk about is accounting for the human element in security.  When people are talking about this they are generally referring to the fact that users will click on just about anything, so security has to acknowledge that users are going to constantly put their organizations at risk.  But there's another side of that human element that I think is important, and that is establishing a culture in your organization that security needs to be top of mind, and that everyone is responsible.  Whether you are a developer, a DBA, an executive who might be targeted or an IT manager, security is something you need to consider.  Yes, new technologies will help, but changing culture and process, while never easy, is almost always an essential element of dealing with systemic issues, whether they be financial markets or security concerns. 




The last bit worth acknowledging is the danger of ignoring something that appears broken because it hasn't actually broken yet.  So in this case we're talking about warning signs around the economy but the market still going up, and IT decision makers saying, "well we haven't been breached, so we must be secure," regardless of their actual security posture.



Despite what we would all like, these aren’t issues you can just sweep under the rug and cross your fingers hoping that a problem won’t pop up.  Organizations need to confront these issues. 

Tuesday, December 14, 2010

Symbio Technologies News: Stateless Computing: The Antidote to WikiLeaks

Symbio, our long-time partners for Thin Client Solutions:
Stateless computing can help ensure that events like WikiLeaks never reoccur. The key to securing information is to make it physically impossible for people to download it. Then, they cannot remove it from a secure location and share it with others who should not see it.
What makes stateless computing unique is that all data and applications remain on the server. Nothing is downloaded or saved to the desktop, not even IP addresses.
So, if the network used by the army private who gave information to WikiLeaks had been stateless, he never would have been able to burn information onto the CDs he used to sneak material out of the office. 


"Stateless Computing" refers to computing devices that do not store any unique software configuration or state within them. Any configuration necessary comes from outside the device - the device being used solely for its computational resources.
To put it simply, devices that save state need to be maintained - stateless devices do not. Devices that save state can introduce security holes in your network - stateless devices may not.
IT professionals will welcome the reduced downtime, ease of maintenance, and network security that come with stateless devices. Money managers will embrace the vastly reduced total cost of ownership of the network at large and the dramatic impact of money spent on the performance of the network as a whole.
See below for more reasons why we say:
Keep it Simple. Keep it Stateless. Keep it Symbio.

Monday, October 4, 2010

McAfee announces new antivirus developments/ Israel Export Institute Reports

McAfee announces new antivirus developments
19/09/10
Information security giant McAfee's research labs have developed a new antivirus technology, the company has announced.
McAfee's new antivirus technology is part of the company's Global Threat Intelligence battle and allows two key solutions to work together to fight extended malware attacks.
First, McAfee's researchers can actively search for new online threats by using the millions of computers worldwide that run McAfee software. Secondly, researchers can produce more advanced defenses than the traditional malware "fingerprint."
McAfee's labs have seen malware levels hit new records every year – in the first half of 2010, over 55,000 examples of malware were received by the lab every day.

Sunday, May 23, 2010

Oracle Buys Secerno, Adds Heterogeneous Database Firewall to Oracle Database Security

On May 20, 2010, Oracle announced the acquisition of Secerno, adding a heterogeneous database firewall to Oracle's industry-leading database security solutions. This combination is expected to further enable customers to reduce the cost and complexity of securing their information throughout the enterprise with a protective perimeter around Oracle and non-Oracle databases.
Secerno's products are expected to expand Oracle's portfolio of security solutions to ensure data privacy, protect against insider threats, and enable regulatory compliance. Together, Oracle and Secerno's technologies are expected to further extend Oracle's comprehensive database security solutions to safeguard critical business information across the enterprise.
The transaction is subject to customary closing conditions and is expected to close by the end of June 2010. Until the deal closes, each company will continue to operate independently.

Friday, January 22, 2010

Microsoft Warns About 17-Year-Old Windows Bug

By Stuart J. Johnston
January 22, 2010

Microsoft acknowledged that a security researcher has located a 17-year-old hole in Windows that could be used to take over a user's system and said it plans a patch.

However, compromising a user's PC would not be easy, requiring physical access to the machine as well as authenticated password access, Microsoft (NASDAQ: MSFT) said in a Security Advisory Wednesday.

The hole, which originated with the release of Windows NT back in 1993 and is present in every 32-bit version of Windows since, including Windows 7, was discovered by Tavis Ormandy, a Google security team member in Switzerland.

Ormandy claimed in a posting to the Full Disclosure security mailing list earlier this week that the hole is in a portion of Windows originally meant to enable NT to run 16-bit MS-DOS applications.

The problem lies in what is known as the Virtual DOS Machine or VDM, which is meant to allow NT-based versions of Windows to run 16-bit x86 programs. By manipulating what's called the kernel stack, an attacker can elevate his or her user privileges to an administrator's level in order to take over the user's system.

Ormandy said that he notified Microsoft of the hole in June but, after receiving no response other than an acknowledgement, decided to publish his discussion as well as a proof-of-concept exploit.

That got Microsoft's attention and, on Wednesday, the software giant released the Security Advisory regarding the problem.

Microsoft noted that the proof-of-concept has not triggered any real world attacks so far. Partly, that is related to the requirement that any attack be carried out locally, not remotely. For that reason, the hole is not as dangerous as most zero-day vulnerabilities.

Some Windows users are not at any risk

One piece of good news is that users of 64-bit versions of Windows are not affected. Many new PCs sold today are shipped with 64-bit Windows 7 preloaded, meaning they are not at risk, according to Microsoft's Security Advisory.

Microsoft's Security Advisory contains a workaround, which is to disable the use of the 16-bit VDM. That should have little impact on most users since the feature is rarely used today.

Even Ormandy played down how broad the hole's effect might be.

"The primary audience of this advisory is expected to be domain administrators and security professionals," Ormandy's post stated.

Microsoft normally patches zero-day vulnerabilities as quickly as possible, especially if they critically affect users' security.

For example, Microsoft patched a previously unknown zero-day that surfaced last week in attacks on Google China with an "out-of-band" fix Thursday.

Microsoft said it is working on a patch for the problem but hasn’t decided yet whether it will be released as an out-of-band fix or during a regular Patch Tuesday cycle.

However, since it took 17 years to discover the bug in the first place, and the additional requirement that a hacker be physically in control of a PC being attacked, Microsoft's security response team may view the hole as less likely than most to be seriously exploited.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Wednesday, May 20, 2009

Facebook Boosts Security After Dual Phishing Attacks


Facebook has brought in some soldiers to fight the war against malware and phishing scams on the social-networking site. After two different malware attacks this week, Facebook announced it would begin using San Francisco-based MarkMonitor's antifraud services as an additional layer of protection against attacks.

"Our deep commitment to the safety of our users requires a strong proactive security strategy, best-of-breed technology, and active engagement with industry leaders," said Ryan McGeehan, threat analyst at Facebook. "MarkMonitor demonstrated that it understood the complexity of the phishing issue we were facing, so it was a natural next step for us to bolster our own security systems with their anti-malware solution."

Users Victimized

This week some of Facebook's 200 million users were victims of phishing attacks. One attack took control of users' accounts, sending messages to their friends telling them to check out a specific Web site, fbstar.com. The other incident pointed victims to fbaction.net.

Andy Cutler, a partner in Cutler and Company, was not aware his account had been under the control of a hacker until he received several e-mail and text messages alerting him that his account had been phished.

"The first thing I did for survival was to go into my Facebook account and change my password," Cutler said. "I just figured if someone hacked my account, I was not going to tear down the page but to change my password, and I did post a notice on Facebook saying I had been phished and apologized."

Cutler's hacker did some damage by sending a total of 19 different messages averaging 20 different people per message. For Cutler it could have been a communications disaster, as he has 495 friends in his Facebook account.

Trust Breached

While the attack didn't cause any major problems to Cutler and his friends, it did hurt Facebook's reputation.

"I tell you what it did do for me -- it put Facebook in a different light for me than other social-network tools," Cutler said. "I'm pretty active in Twitter and Facebook has been a way to keep up with people in my networks, but I have to say I was disappointed in Facebook that this can get through their security system."

Aarin Morrow of Denver thought she was pretty tech-savvy until she became a victim of the fbaction.net attack.

"What happened is a friend of mine was a victim the day before with fbaction.net and I'm very computer tech-savvy and still clicked on it and stupidly logged in," Morrow said. "I said this is weird and e-mailed my friend and asked about the link, and he said he didn't send it."

Morrow became a victim again the next day with the fbstar.com attack. A total of 45 of Morrow's Facebook friends received the message "Look at This," pointing the friends to the fbstar.com Web site.

"What is unfortunate about this is that MySpace got spammed with stuff like this and Facebook never had those problems, but no one is exempt from having this issue happening," she said. "In the future I will be more cautious."

Obligation To Users

"I think FB has an obligation to its users to say please don't fall for this scam," Cutler said. "By allowing the system to be hacked, it created a catch-22 for them. People now have negative feelings toward the company and it impacts the way people view them and their communication because they don't know if they can trust their communication."

This isn't the first time Facebook has had to deal with malware issues. In February, users were dealing with another scam where hackers took control of users' accounts and sent out messages to their friends asking for financial help after being robbed. In some cases, Facebook had to disable the accounts and users had to create new accounts.

"The meteoric success of Facebook makes it a natural target for malware attacks that seek to capitalize on their trusted and recognizable brand," said Frederick Felman, chief marketing officer of MarkMonitor.

"The MarkMonitor technology and 24/7 security operations center are key to helping Facebook fight phishing and malware," said Te Smith, a spokesperson for MarkMonitor.

When MarkMonitor verifies a malicious site, it updates phish-site block lists for its network of popular browsers, security vendors, and e-mail providers. Then it takes down the malicious site to get it off the Internet.

Monday, May 18, 2009

News From Symbio and Argus- Secure Thin Clients.

Argus Systems and Symbio Technologies Deliver the Ultimate MLS Server Security Solution


May 13, 2009--Symbio Technologies (www.symbio-technologies.com), provider of state of the art Stateless Computing Solutions and Argus Systems Group (www.argus-systems.com), provider of Multi-Level (MLS) Operating Systems and Services, today announced their full collaboration to provide MLS server-centric stateless computing solutions. Utilizing Symbio's Stateless Thin Client and Boot Stick solutions, and Argus's PitBull MLS solutions for Solaris 10, users may now work in a totally secure MLS environment, while retaining high security levels at the client side.

The combined solution provides the ultimate package of MLS server security, providing ironclad security at, to, and from the server as well as reducing risk at the client access end points. Attempts at malicious use or access of confidential or secret information are further mitigated by the use of Symbio's stateless solutions, leaving no viable information at the end points where it can be compromised, while Argus's PitBull for Solaris 10 provides the MLS server protection.

Customers will be able to connect to highly secure systems using a number of methods. Existing computing infrastructure such as any desktop computer, laptop, or netbook can be utilized via the Symbio Boot Stick to provide secure Virtual Network Connections (VNC) to the PitBull Protected MLS server. Additionally, thin client desktop solutions from Symbio can be implemented using the same technology. VNC connections can also be accepted by the PitBull protected server via wireless connections. This provides the security of remaining stateless at the client side, protected by Argus's MLS PitBull, all while being fully mobile and without the hassle of being physically connected to the network.

Additionally, customers will be able to retain the highest levels of data security at the source and at the end points, while embracing the future of server-centric computing and the green initiative. The solution provides reduction in total cost of ownership (TCO) through reduced power requirements at the client side, and the reduction of associated infrastructure and maintenance costs of having full systems at the client side. Full leveraging of the combined Symbio and Argus solution will greatly increase information data security, and reduce the costs of maintaining the IT infrastructure.

Argus Systems Group will be at the DoDIIS Worldwide Conference 2009 in Orlando, Florida providing a full working demonstration of the combined capabilities of Symbio's stateless solutions, and Argus's ironclad MLS server security. Come to booth #941 for a demonstration and to get specifics on this exciting new technology.

About Symbio Technologies

Symbio Technologies is a leading developer and marketer of security-centric stateless computing which reduces the complexity and cost of deploying and maintaining networks. Symbio's products are available worldwide through a network of distributors, value-added resellers and integrators in Australia, Canada, Chile, Egypt, Mexico, Pakistan, South Africa, and the U.K., as well as throughout the U.S.

Thursday, March 26, 2009

Ehud Tenenbaum at it again???

Israeli hacker suspected of $10m theft

Ehud Tenenbaum, a notorious Israeli hacker arrested in Canada last year in relation to the theft of around $1.5 million, is now suspected of breaking into the systems of four US institutions as part of a global "cashout" conspiracy that resulted in the loss of at least $10 million.

In 1998 Tenenbaum gained notoriety as "The Analyzer" after being arrested following hacks on computer systems used by the Pentagon, Nasa, the Israeli parliament and Hamas.

In August he made the news again as one of four gang members arrested by Canadian police for allegedly stealing C$2 million by hacking the database of a Calgary-based business and loading money onto pre-paid cards.

The gang allegedly compromised the company's computer system and loaded money onto the pre-paid debit cards before withdrawing the cash at ATMs in Canada and several other countries.

He was granted bail by a Canadian court but was detained after US authorities asked for him to be kept in jail while they worked on extradition.

Details of the US allegations have now emerged after Wired magazine obtained an affidavit filed by officials with the Canadian court handling Tenenbaum's extradition case.

According to the affidavit, in January and February 2008 a US Secret Service investigation into a computer hacking "conspiracy" against banks and other firms, uncovered attacks on the systems of Texas-based OmniAmerican Credit Union and pre-paid card distributor Global Cash Card.

The attacker allegedly gained access using a SQL injection before stealing credit and debit card numbers that were then used to withdraw more than $1 million from ATMs around the world.

In April and May 2008, authorities investigated further SQL injection attacks on 1st Source Bank in Indiana, and pre-paid debit card processor Symmetrex, which resulted in losses of over $3 million.

The Secret Service traced the attacks to servers in Virginia acting as a routing point for systems at Dutch Web hosting company LeaseWeb.

Authorities in the Netherlands were asked to track and intercept traffic from three servers, resulting in the discovery of communications thought to be between Tenenbaum - using the e-mail address Analyzer22@hotmail.com - and other known criminals discussing the four hacks as well as moves against "many other" financial institutions.

According to the affidavit, in an MSN instant messenger conversation, on 18 April 2008, Tenenbaum revealed that he was responsible for hacking into the network of Global Cash Card, adding "yesterday I rechecked [Global Cash Card] they are still blocking everything. so we cant hack them again."

He also exchanged over 150 compromised card numbers stolen from Symmetrex.

On 20 April, the affidavit says he received updates on a "cashout" operation, where accomplices used stolen card data to withdraw money from ATMs in the US, Russia, Turkey and Canada, among others.

"Tenenbaum stated that after paying his cashers, he earned approximately "350 - 400," which, based on this investigation, most likely refers to 350,000 to 400,000 dollars or euros," says the affidavit.

Authorities say identifying Tenenbaum as Analyzer22@hotmail.com was surprisingly easy - he used his real name and date of birth to register for the account.

In addition, someone using an IP address registered to Internet Labs Secure, where he was a director, accessed the hotmail account. The address was also used to access the network of Global Cash Card and check and increase the balances of compromised accounts.
