July 2008 Archives

I just read this article about an IRS worker snooping around celebrity tax records.  I must admit that it would be tempting to want to know what the celebrities spend their money on *and* claim deductions for.  But, this is a classic example of when not having proper access controls can get people in trouble.  I am not sure if this person would be doing time if such controls were in place (as the people that want to get into trouble find ways to do just that) but it just might have prevented the personal records of celebrities getting into the wrong hands.  But wait a minute, isn't there a saying in Hollywood that "there is no such thing as bad publicity"?

I'm in London for a very short business trip. I'm spending as much time flying to and from this island as on the ground. In the past two weeks I had several meetings with prospects and existing customers. Overall, Application Data Security is on top of the CIO/CSO/CISO to-do list. In one location, the IT and security teams were asking for my assistance educating the CIO which is reluctant to invest in security. "Let the developers code first and deal with security later" he said.

I wish that I could have used the following in this meeting:

The results winners of the 'find the vulnerability in the programming language textbook" contest were announced. The good news is that security researchers and analysts all over the world were able to detect secure coding flaws found in popular books on programming. The bad news is that many secure coding flaws are found in popular books on programming. Those books are used in universities and training courses all over the world.

This experiment, along with SAN's secure coding assessment  tells us that as an industry, we have a long way to go towards completion of the SDLC vision. Organizations should use extra caution and always devote the necessary resources for application security. 

One of the things I really do love about the Internet is the possibility for sites like RepairPal.com to exist. Disclaimer: this site is apparently run by a second or third degree connection of mine of some sort...I heard about it from a friend that isn't directly involved.  Regardless, I think the site is one of the most useful I've seen in a while.  (Made all the more so as I'm about to take my car in for a major service milestone).

For pretty much any make and model car, the site can give you:

-a range of prices to expect for a repair,

-repair shops nearby to you to complete the repair,

-the type of questions you should be asking about the repair so you know it's done right,

-the ability to rate your quality of service from the shop (a la Yelp, another amazingly useful site IMO),

-and the ability to track your car's service and repair needs on-line.

 

So how do I hook this back to Application Data Security? 

Well, maybe it's a reach, but wouldn't it be great to be able to get this kind of context for security performance and security metrics?  I think comparisons to other organizations, rating vendors, service provides, average time to fix, etc. would be very useful to give us an idea of how we're doing on a variety of fronts.  It also begs the question - is car repair that much easier than information security or does IT security need to mature?

You might have read the Search Networking article about NAC and Server virtualization.  I did. At first I was amused as I know everyone that is mentioned (With some of them I worked  closely along the years, and we meet at least every year to party). But then, after some folks I know asked me to comment, I thought it would make sense to record my thoughts, as the article contains some disturbing "facts" that might cause confusion.

So for the sake of mankind and the security industry, I'll give you my rant on server virtualization alongside feedback on the article. For those who know me, it should not be surprising to find that I have comments on the very first paragraph...

Network security, especially network access control (NAC), is the Achilles' heel of server virtualisation. With virtual servers moving around the data centre, traditional access control is difficult to apply. This can be particularly challenging when organizations need to meet stringent data audit control standards for compliance with payment card industry (PCI), healthcare industry (HIPAA) and governance (Sarbanes-Oxley).


First, I would argue that NAC is all about admission control and as such, it is a client-side solution, to protect the network from rogue and non-complaint endpoints. Then I would add that the PCI standard, which requires organizations to meet stringent data control do not mention NAC at all, but never mind, I'd like to take the high road and focus on the topics discussed. 

The main issue mentioned is that security systems lose visibility into the traffic running across a virtual LAN, which may change as the virtual machines (VMs) move across physical machines. I agree. Virtual systems require us to think differently. For more than two years now, SecureSphere provides VLAN doctoring thus it can protect the virtual systems even when external appliances are used to protect and audit multiple virtual systems (it also includes router, network firewall, IPS, Web Application Firewall). Using the object oriented policy model (in contrast with a traditional security ACL format) also ensures that the physical location of the protected server is not an issue. Add that favorite mode of SecureSphere operation is as a layer two transparent bridge and you have the formula of what the article calls "new thinking."

Trying not to sound like an elitist arse is challenging (I'm not!) but I take it personally when I'm being advised to "think differently." I am !! At any rate, the article does include some good comments about the differences between Imperva as an Application Data Security vendor and the traditional security solutions vendor. I would even agree that in some cases (but not the one mentioned in the article) forcing VM traffic to an external device is not a good approach: Thus, in some cases, database agents are needed to audit activity within the VM. The agents can be installed on a virtual machine in a network agnostic, administrator-friendly, yet tamper evident manner. Such agents must be light and very, very accurate as the impact of false positives on the server itself could be very expensive.

NAC and Client Virtualization is another topic. I'll let the relevant vendors comment.

It is now "official" I'm spending the past week and the next few days at the Coolest place in the Mediterranean.

It's "Home at the end of the world" as Henry Alford wrote.

This weekend a heated debate fired up on the WebAppSec mailing list. Jeremiah Grossman happened to spark it with a merely innocent short question "Anyone want to make an open source WAF fingerprinter?"

Turning the question around as happens in these bonfire circles the basic question becomes whether it is necessary that a Web Application Firewall (WAF) actually hide its identity.

Actually, I don't even grant this a fruitful discussion. Most of the thread participants agree that the worst kind of security is security by obscurity. So having any kind of discussion regarding obscuring the fact that there is a WAF, and which kind of WAF is deployed, is just painfully useless. A security analogy which comes to mind is encryption. It would be as if an e-vendor hides the fact that they use AES-256 for encryption purposes rather than proudly displaying the usage of this standard.

And even more to the point, it is possible to fingerprint any network device, granted that the device is active (and needless to say, an inactive WAF is not a WAF). Which actually means that when the response to a request, or a series of requests, is different than the expected response returning from the target server, then obviously there must be some sort of inline security device. And since devices by different vendors behave differently, then of course it is possible to differentiate between the different devices.

Andres Riancho actually dies the fire somewhat on this one when he provided the algorithms for the detection of the different WAFs.

I guess we'll just have to wait around the fire (-wall) until we get around to those real spooky stories.

 

- Amichai

I am not referring to Obama's statement earlier this month or the upcoming Olympics . I'm excited from what's going on in our market, Application Data Security.  Rich and Adrian name it ADMP, others call it Web Application Firewalls + Database Activity Monitoring aka WAF+DAM.  The events this week are examples of attempted "product grafting" (*) into the Application Data Security space.

Few weeks ago, Fortinet aquired IPlocks and will add Database Vulenerability Assessment to its product line. In my opinion, they will add WAF as well. Also, NitroSecurity acquired RippleTech and will be adding Database Monitoring and log management to its IPS products...going up the OSI stack, trying to focus on the data.

Time will tell if those acquisitions work. For sure it proves that Imperva's vision is becoming a reality.

(*)Grafting means joining parts of two or more plants together so that they grow to be one plant. It takes time and does not always work.




Image source: http://www.robinsonlibrary.com/agriculture/plant/propagation/grafting.htm

I had several posts related to virtual life. But once again, I'm learning that imagination is beyond reality. The guys at Linden Labs worked with IBM on virtual worlds interoperability. It's beyond a release of yet another standard's protocol, as it allows avatars to teleport and move from one virtual space to another. Anyone can understand the gaming benefits, but it also opens new economic horizons, as travelers from one world can now trade with others. I guess that soon we'll see solutions that provide methods to cash non-tradable currencies. (One can also think that IBM will not invest money, time and resources just to study grid computing). 

Maybe, in the future organized cyber crime will go back to its roots and will focus on virtual worlds,leaving us to enjoy the internet. Don't worry about us, there will be still plenty of virtual worlds to protect...   

Video source: Linden Lab blog

I was watching the sky very closely last week and it looks like it is in its place and will not fall after all. It's been more than a week since the PCI 6.6 deadline date passed. Merchants and other institutes try to do their best to meet the different requirements. Now, once this milestone passed, we can focus on some other controversial topics, such as section 3.4.

 

Requirement 3: is all about protecting stored cardholder data. The PCI text adds that

"Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities.

But then it adds:

The MINIMUM account information that must be rendered unreadable is the PAN. If for some reason, a company is unable to encrypt cardholder data, refer to Appendix B: "Compensating Controls for Encryption of Stored Data.

So, Appendix B adds a compensating control. The PCI standard is very straight forward and provides the listing of all necessary controls that can be used to compensate over encryption. Gartner published a research note in late 2006 that describes how solutions like SecureSphere  can be used to compensate for encryption.  (Database Activity Monitoring Is a Viable Stopgap to Database Encryption for the Payment Card Industry Data Security Standard (and Beyond). Gartner ID Number: G00141630).

I wonder why this topic did not receive the same level of public attention as WAF and Code Review for PCI 6.6: Two groups of security experts arguing about best practices with the assistance of the PCI assessors. If I can predict the future I'll say that we'll see more debates there...
 

One of the best things about "strategy" related jobs is the need to seek knowledge and industry perspective. One of the useful methods is reading other blogs. Some, like the Federation of American Scientists Secrecy News brings us interesting stories. One of today's headlines caught my attention: Apparently, the FBI Headquarters is not cleared for classified intelligence. Here's a nice quote from the report:

The Hoover Building does not meet the 
Interagency Security Committee's criteria for a secure 
Federal facility capable of handling intelligence and other 
sensitive information. 

Picture taken from Texas A&M Research Foundation University
source: http://rf-web.tamu.edu/security/Security%20Guide/S5improp/Ci.htm

At least not to an unencrypted laptop device...

The 2^nd quarter of 2008 demonstrates the absurdity of a few lost/stolen laptops affecting thousands of people. Laptops that stolen from Hospitals , Banks, Schools, and government organizations, contained unencrypted private data of thousands of people (employees,  former employees,  students, clients, patients). 

"The computer is password protected" is no longer an acceptable argument to relieve the affected people.  Organizations still are not stepping up to their responsibility to govern the data, and to minimize the damage caused by the loss of laptops.

Take the Stanford University case as an example: 62,000 current and former Stanford employees are affected by this theft. The laptop contained their name, address, phone number, and SSN. Why? Well, according to Stanford's announcement the relevant table was erroneously copied to the laptop.  The University mentioned that its information security policies and guidelines disallow storing unencrypted sensitive data on any unprotected system. This is a pretty restricted policy, but obviously its implementation is not audited.

With today's database activity monitoring and security solutions, It is possible to restrict the types of activities users perform with sensitive data without completely denying access to this data. After all, it is not enough to have a policy that forbids storing of unencrypted data on laptops, but cannot prevent it or at least issue an alert when data is jeopardized. Effective controls can actually detect the move of sensitive records or entire tables across the enterprise and in particular onto end-stations (not to mention mobile ones), giving the organization a heads-up before mishaps take place.  

AT&T stolen laptop is the same story, different organization. Again the data on the stolen laptop included names and SSN of AT&T employees.  The data was not encrypted, and AT&T declares that this is a violation of its policy. But why they are aware of this violation only after the laptop was stolen?

On both incidents the organization claim to have detailed accurate information of the data that was on the laptop, so we can assume that they do have some auditing on their database. Unfortunately, their audit trail does not give them real ability to govern the database on real time, and enforce their security policy. It is only a damage control system that functions after the damage has been done.

- Gal

There's an unusual story in the July issue of FastCompany.com that lets us peek into the world and life of a zero-day trader, which, is actually a security researcher that develops 0days in his free time to found a new company security start-up.

The "concept" of selling zero-days is not new. Some might argue that there's a lot of benefit. Others will claim that it only plays to the hands of the bad guys, legitimizing some of their actions. At any rate, I believe that there is a consensus (IMO :-) within the community that the bad guys have changed their business model. It's not about the fun, fame or glory. They are after corporate assets, live credit card numbers and soon-to-be-victims' identities, not to mention the role of foreign governments and agencies.

The article describes several zero-day exploits in database systems and ERP applications. Scary. Along the years, Imperva's Application Defense Center (the ADC) discovered many vulnerabilities in various systems. Some were very critical and yet we are waiting for the vendors to patch all the vulnerabilities (as listed on our ADC's page, there are several more vulnerabilities that are waiting for the vendor's patches to be released).

So is there a good 0day?
I like to say that "there is always one more bug" and as long as code exists, someone will find a way to break it. Nothing should be considered immune and zero-days (without notifying the vendors that issue the remedy) in general should be considered bad as they expose a weakness without providing a protection. 

Click on the picture to see the good and bad O'Day. From left to right: Aubrey O'Day, Hank O'Day, Tom O'Day

One of the merits of living in the Silicon Valley is being able to exchange ideas, meet the guys that make it happen and live the buzz (or buzz life). In the past year or so, the frequency of the small talks we have around services in the cloud has increased significantly. Take a look at TechCrunchIT and all you see is picture of clouds. Looking back a few years, I was part of a failed attempt to build Exchange as a service and backup as a service in 1998 (Publicom alumni, step up:-) so it was fun to read Rich Tehrani's article yesterday, about the hosted application market, pointing more to the database as a service or platform as a service or application as a service (PaaS, DaaS, AaaS or,  in short *aaS) but unfortunately he wrote only few words regarding security.

As enterprises try to reduce their cost and align computing requirements with actual use and the need to cost-effectively provision database infrastructure to support real time usage, the new *aaS technology and market emerges. Googling for "database as a service" or "platform as a service" will bring many results. Some of the behemoths (Google, Amazon) as well as less established companies such as LongJump offer services that will allow you to leverage the benefits of database in the cloud.

Most offerings lack the same maturity level of security and activity monitoring that in house database deployment offers. The growing adoption of *aaS platforms still does not include many applications that store private data or sensitive information in the cloud. As the demand grows, organizations should pay attention to the level of security and auditing capabilities that they have from the "cloud."