Context Security

I have often scoffed at some of the numbers used to cost justify Data Leakage Prevention (DLP) purchases.  While I agree there is a pretty serious need for redoubled efforts at preventing (and moreover detecting) sensitive data leaving an organization’s control, I haven’t found myself persuaded by most of the “studies” that show crazy high $$$/record costs.  Perhaps I am jaded, but often these reports feel as if they were  funded by those with a vested interest in the results pointing in a particular direction (that of “buying our product makes cents” [sic]).

Fast forward to the DarkReading article that I first noticed this past weekend.  In 2008, California passed two laws Assembly Bill 211 and Senate Bill 541, which were aimed at further incentivizing health care providers to ensure the privacy of medical records.  The laws went into effect 01/01/2009, but last week marks the first time that the California Department of Public Health (CDPH) has wielded its expanded power of  fining facilities up to $25,000/per record for allowing unauthorized access to a patient’s medical record.  CDPH has published the details here.

Five separate facilities were fined a total of $675,000.  In total, the confidentiality of 245 medical records were breached.  Although the fines varied (sometimes based on the number of people that accessed the records), in aggregate, that puts the cost/record breached at $2,755. A far cry from the $25,000/record mark (though some instances did receive that level of penalty), but still a substantial cost.  Given the relative low volume (when compared to the numbers frequently seen in credit card breaches), it is hard to anticipate if thousands or tens of thousands of records were breached whether the penalties would remain this high.

While I welcome the increased penalties that might help persuade organizations to make further strides in ensuring the confidentiality of sensitive data, I am worried about the (un)anticipated side effects.  The CDPH has made the sanitized reports available on their website.  One phrase seems to be a fairly common theme, “the facility reported the breach”.  I applaud the facilities for reporting these breaches of medical privacy, but will every facility be so forthcoming given the potential for fines.  Would a private for-profit hospital be hesitant to report the breach of 1,000 records knowing that it could  result in $25,000,000 in fines?  I hope so, but something tells me that not every health care provider would reach the conclusion that self-reporting is in their best interest.  As a parting shot, know what the cost/day fine is if it is found that a facility didn’t report a breach? A hundred bucks…  Seriously?  Not sure a benjamin is a strong incentive for early reporting…

Just wanted to let everyone know that Stephen Northcutt has a quick section by section 1-3 sentence review of the Cybersecurity Act of 2009 legislation (a.k.a Rockefeller-Snowe Bill) that was recently proposed.

http://www.sans.edu/resources/musings/1439.php

I just got my hands on a copy of the bill, and am gonna try to read through it while waiting at the doctor’s office this afternoon…  Hopefully can cobble some thoughts together this weekend.

Even if it doesn’t pass or gets completely rewritten, I expect this bill will be important for our field.

Received an email this morning notifying me that SANS OnDemand is running a special for the month of March.  20% off of any SANS OnDemand class.  As an added bonus, you could have me as your OnDemand Virtual Mentor (ODVM)

Please feel free to leave a comment or email me at seth combined with this domain name.

Seth Misenar

Here is the text of the email, which includes the discount code of  STS_OD

To help you with your training needs, SANS is offering a Spring Training
Special on ALL courses in our extensive SANS OnDemand online course
library. Register and pay now through Thursday March 26th, 2009 and
receive a 20% discount on ANY SANS OnDemand course! Register at
http://www.sans.org/info/40138 and use the discount code "STS_OD".

For group or multi-course training needs, save an additional 10% on our
already discounted SANS OnDemand Flex Passes through March 26, 2009.
Check it out at http://www.sans.org/info/40133.

Not sure online training is for you?  Try any of our OnDemand course
demos at http://www.sans.org/info/40123.

With SANS OnDemand, students receive:
 * 4-months access to our 24/7 online training and assessment system
 * Full set of course books and hands-on CDs
 * Synchronized online courseware and lectures
 * Integrated assessment quizzes throughout the course
 * Access to OnDemand Virtual Mentors
 * Labs & hands-on exercises
 * Progress Reports

In today's economy, travel budgets are very tight and even justifying
money for critical training can be difficult.  Many students have found
SANS OnDemand online training and assessment as a great alternative.  It
allows you to receive the same high quality SANS training while saving
100% of your travel costs.  Furthermore, it allows you to learn without
leaving home or the office. You can train anytime, anywhere!

Check out what a few of our students say about SANS OnDemand...

 "I got more out of this course than I had with any of the other SANS
 classes that I participated in. The quizzes at the end of each
 presentation helped reinforce the information presented.  I couldn't
 fake it.  I had to know it and retain it." - Richard Gancze, OCI

 "It was like having the teacher right there. Having each piece of the
 lecture broken up into little pieces helped me retain the information.
 You guys did an outstanding job creating this program." - Robert
 Urbanowicz, Parkway Insurance Company

 "I have several GIAC certs. My highest exam scores are from when I use
 OnDemand training." - Brad Fulton, SMS Data Products

If you have any questions about SANS OnDemand, write to
ondemand@sans.org or call us at (301)654-7267.

And remember that every SANS OnDemand purchase earns you points towards
future OnDemand training! http://www.sans.org/info/40128

Be sure to tell your friends and colleagues about this great opportunity!

Kind Regards,

Kimie Cabreira
Director
SANS OnDemand

Below is information regarding a webcast I will be leading for SANS on 03/18/2009 at 10 AM EST.  Should be fun.

Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit

Featuring: Seth Misenar

In this preview to the newly updated SEC542 Web Application Penetration Testing course being offered in Amsterdam, you will learn how build and control your very own zombie battalion/Army of Darkness. The discussion will start with a whizz|bang overview of the new 6 day version of SEC542, and quickly move to XSS Frameworks and, of course, zombies galore. Whether you are excited or petrified by the prospect of zombies, join Seth Misenar for this hour long webcast. As Bruce Campbell/Ash of Evil Dead fame would say, “Groovy”.

Speaker Bios:

Seth Misenar:

When not watching zombie films, Seth Misenar serves as Founder/Lead Consultant for Context Security, which provides information security though leadership, independent research, security training, and security consulting services. His background includes network and web application penetration testing, vulnerability assessment, regulatory compliance efforts, security architecture design, as well as general security consulting. He has previously served as both a physical and network security consultant for Fortune 100 companies as well as the HIPAA and Information Security Officer for a state government agency.

In his former life, Seth received a B.S. in Philosophy from Millsaps College where he was twice selected for a Ford Teaching Fellowship. Also, Seth is no stranger to certifications and thus far has achieved credentials which include, but are not limited to, the following: CISSP, GSEC, GCIA, GCIH, GCWN, GCFA, GHTQ, GWAS, and MCSE credentials. He has previously taught numerous SANS classes including SEC401: Security Essentials, SEC504: Hacker Techniques, and SEC542: Web Application Penetration Testing. In addition to serving SANS in an teaching capacity, Seth also serves as both Virtual Mentor and Technical Director for SANS OnDemand.

Thought some of you might be interested…

Ed Skoudis (of InGuardians and SANS 504/517/560 fame) twitted about the release of 3 new cheat sheets this morning.  The sheets are hosted on SANS website and links to them can be found on InGuardians (http://www.inguardians.com/pubs/articles.html).

Here is the description from InGuardians:

“Ed Skoudis releases 3 new cheat sheets for the most useful Windows command-line tools, Netcat, and other useful attack tools (Metasploit, Fgdump, and Hping). Get ‘em while their hot!”

Links:
Netcat: http://www.sans.org/resources/sec560/netcat_cheat_sheet_v1.pdf

Windows command line: http://www.sans.org/resources/sec560/windows_command_line_sheet_v1.pdf

Metasploit, Fgdump, Hping, etc.: http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf

Seth Misenar

SANS posted their log management survey the other day.  If you/your company deals with enterprise log management, then please participate in the survey.  Results will be detailed in April at SANS Log Management and Analysis Summit in DC (http://www.sans.org/logmgtsummit09/).

Here is the link to the survey:

https://www.surveymonkey.com/s.aspx?sm=FCwjvfHzkGml4stgnYQ7rg_3d_3d

Shortly after flipping through Ed’s slide deck for Secrets of America’s Top Pen Testers yesterday, I noticed a fortuitous tool annoucement come across the SANS GIAC Alumni mailing list.  Robin Wood emailed to announce the release of a tool called CeWL: Custom Wordlist Generator (which is of course pronounced ‘cool’).

http://www.digininja.org/cewl.php

CeWL “spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper” (from the website).

Very nice. This tool dovetails nicely with Ed’s first tip from SATPT, “Build Password Guessing and Cracking Dictionaries”.  In fact, it turns out that the tool was based on a PaulDotCom discussion, http://pauldotcom.com/2008/11/creating-custom-wordlists-for.html, which was in turn based upon content provided in Ed’s SEC560: Network Penetration Testing, which I will be teaching in Atlanta in February, https://www.sans.org/atlanta09_cs/description.php?tid=1717.

Wshew…did you follow all that.  Regardless of its origins, CeWL definitely looks like something I will be adding to my tool arsenal.  Check it out.

The folks at Websense Security Labs have found some malware that is leveraging users’ trust in Google to undermine them.  Specifically, Google’s “Sponsored Links”, where folks pay Google for advertising there link at the top for specific search terms.  In Google We Trust…?

A thorough walkthrough can be found at the link below:

http://securitylabs.websense.com/content/Blogs/3264.aspx

In my role as Technical Director for SANS OnDemand, I will now be providing a monthly “article” (or at least some security oriented content) to the new SANS OnDemand Newsletters…  The first Newsletter is below:

************************************************************************
SECURITY TIMES SPECIAL

As a thank you for receiving our SANS OnDemand Security Times
Newsletter, you may take an additional 5% off our listed current
specials through December 26.

For single courses, see http://www.sans.org/info/35939 for our current
offer. Use discount code “T1_add5″ for a total of 30% off any OnDemand
course.

For groups or multiple courses, take an additional 5% off our lowest
listed pricing at http://www.sans.org/info/35944.

Check out our Free OnDemand Demos at http://www.sans.org/info/35949
************************************************************************
WHAT’S UPCOMING?

For courses currently being developed in OnDemand, take advantage of our
30% Development Discount.  For a full list of upcoming courses, go to
http://www.sans.org/info/35954
************************************************************************
EARN REWARDS POINTS

Receive one OnDemand Reward Point for every dollar that you spend for
SANS OnDemand training, including the OnDemand Bundle.  To begin
receiving reward points, visit http://www.sans.org/info/35959
************************************************************************
SECURITY TIP

Whether you are a small Mom & Pop shop or a multinational corporation,
your employees are almost certainly leveraging sites with user generated
content.  User generated content sites (e.g. Myspace, Youtube, Facebook,
Craigslist, Blogger, and Flickr) are routinely in the top 20 most
visited websites.

From a numbers perspective, it goes without saying that your
employees/colleagues/superiors, and likely you, are users of these
popular sites.  Although the most obvious risk posed by employee usage
of these sites is productivity loss [1], perhaps the more serious risk
is posed by the break-neck speed with which these sites are allowing
active user generated content and applications to flourish [2][3].
Therein lies part of the appeal, but so too, some of the risks. In order
for these sites to be useful, users configure their browsers to allow
this content to run virtually unfettered.  However, the risk posed by
active content isn’t the point of this article either [4]…

A somewhat less discussed “feature” of sites containing user generated
content is the significant information disclosure posed by users from
your organization.  Imagine, if you will, that you were being targeted
by an attacker.  Of course, _you_ aren’t being targeted, but just bear
with me… Perhaps you have really done a bang up job hardening your
perimeter, patching systems, etc., such that you feel relatively secure
in your overall security program and architecture.  If an attacker could
find a trusted insider that was willing to disclose details regarding
the products, programming languages, patch levels, etc., in use at your
organization, could it subvert some of those feelings of security?  In
effect, social networking sites are a veritable treasure trove for
attackers wishing to gain this type of intelligence.  What’s more,
sometimes they are able to gain this information without engaging in
even the most rudimentary of social engineering attacks.  For instance,
users with profiles on LinkedIn frequently list their resume, including
both specialties and employers, for the world to see.  This and other
information is like gold to an attacker. This type of information,
coupled with attackers armed with information mining tools like Maltego
(i.e., Rapleaf and Spock transforms) can really lower the bar for a
successful targeted attack [5].

Now that the little thought experiment is over, let’s think about the
primary assumption – you are being targeted by an attacker.  Some of you
fully accept this as a given, but most of you likely dismiss this
without much thought (we are too small, no one has heard of us, why
would anyone come after us).  Well, consider that restaurants in West
Monroe, LA (pop. 12,951)[6] were part of a group of restaurants in
Mississippi and Louisiana targeted by a ring of thieves harvesting
credit card numbers [7].  If something as innocuous as a family owned
diner can be targeted for an attack, then certainly any organization can
become a likely target.

The risks associated with websites, in general, and social networking
sites, in particular, are discussed in several SANS courses available
via OnDemand (AUD507, MGT512, SEC401 and SEC502).  The social
engineering and reconnaissance exposure made possible by these sites is
explored in SEC560.

For more info on these courses, visit:
AUD507: Auditing Networks, Perimeters & Systems
(http://www.sans.org/link.php?id=1032&mid=6)
MGT512: SANS Security Leadership Essentials For Managers
(http://www.sans.org/link.php?id=1032&mid=62)
SEC401: SANS Security Essentials
(http://www.sans.org/link.php?id=1032&mid=61)
SEC502: Perimeter Protection In-Depth
(http://www.sans.org/link.php?id=1032&mid=17)
SEC560: Network Penetration Testing and Ethical Hacking
(http://www.sans.org/link.php?id=1032&mid=937)

Seth Misenar
SANS OnDemand Virtual Mentor

1: “Facebook ‘costs businesses dear’ ” -
http://news.bbc.co.uk/2/hi/technology/6989100.stm
2:  More than 33,000 Facebook applications -
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/23/BU7C11TAES.DTL
3:  More than 400,000 registered Facebook developers -
http://www.facebook.com/press/releases.php?p=48242
4: “Elaborate Facebook Worm Spreading” -
http://www.techcrunch.com/2008/08/07/elaborate–facebook-worm-virus-spreading/
5: “Maltego Part I – Intro and Personal Recon” -
http://www.ethicalhacker.net/content/view/202/24/
6: U.S. Census Bureau, 2007 Population Estimates -
http://factfinder.census.gov
7: “Attacks Continue on Retail Stores, Restaurants” -
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201193

Recently read some interesting results of a survey/study carried out by Cyber-Ark… The associated press release can be found here: http://www.cyber-ark.com/news-events/pr_20081201.asp.

Though the headline is _somewhat_ surprising, “…Nervous workers offer to double their hours and reduce their salaries to secure employment”, it is largely innocuous when compared to data that comes to light in the second paragraph.

“When confronted with the prospect of being fired tomorrow ethics go out the door (so to speak), 71% surveyed declared they would definitely take company data with them to their next employer.” (emphasis mine)

Ouch.  71% of seemingly loyal employees would walk away with data, including: “customer and contact databases, with plans and proposals, product information, and access / password codes”

Of course almost every company I have every worked with has had at least some measure of the “that would never happen to me” syndrome.  Some companies would sit back smugly and think that their termination procedures, exit interviews, and general “tight ship” would prevent this potentiality.  Then we read again…

“…more than half have already downloaded competitive corporate data and plan to use the information as a negotiating tool to secure their next post” (emphasis mine)

Rather a scary proposition if you ask me.  We should of course keep in mind that these statistics come from a vendor who has a widget to help with the problem…  Regardless of the numbers, however, in the current economic climate employees have reason to be a bit scared.  When scared, some will have a tendency to act a bit more impetuously than than their reason would otherwise dictate.

I don’t intend for this to be yet another article bemoaning the virtue of DLP solutions.  Honestly, these employees are insiders with access, who are motivated by fear of losing their ability to provide for themselves and/or their families.  I think most of the technical controls attempting to prevent this leakage would be left wanting in the face of a thusly motivated insider.

I honestly think awareness training/reminders are likely the only thing that could be very effective in this situation…  Sadly, the best solution is likely to have a unabashedly solvent company in the first place…