Thursday, December 18, 2014

Banks: Federal/State Rules

No holiday would be complete without a stern warning to the banking industry from both state and federal regulators, right?  Ho, ho, ho, Merry Christmas - can you please assure us that your security controls are in order!

I was going to review Governor Andrew Cuomo's Department of Financial Services as it pertains to "new" security regulations for chartered banks in New York State.  The Superintendent of the Department of Financial Services issued a press release and a letter to chartered New York financial institutions.  After reviewing the memo I concluded that if all companies implemented the items in the Superintendent's letter, both public and private industries would be in a much better place.

Then late yesterday the FFIEC (Federal Financial Institutions Examination Council) and OCC (Office of the Comptroller of the Currency) spokesman Joel Anderson spoke up.  Mr. Anderson, responding in an interview in American Banking Magazine, stated, "we already do this" and that what's going on in New York is nothing new.

This is what New York DFS said they would look for:

New Rules: NYS
  • Corporate governance, including organization and reporting structure for cyber security related issues;
  • Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
  • Resources devoted to information security and overall risk management;
  • The risks posed by shared infrastructure;
  • Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
  • Information security testing and monitoring, including penetration testing;
  • Incident detection and response process, including monitoring;
  • Training of information security professionals as well as all other personnel;
  • Management of third-party service providers;
  • Integration of information security into business continuity and disaster recovery policies;
  • Cyber security insurance coverage and other third party protections.

These are all things we at Integris Security do.

New York State then went on to list more topics which chartered banks in NYS would be expected to furnish.  We list them here for your review:


1.  Provide the CV and job description of the current Chief Information Security Officer or the individual otherwise responsible for information security, describe that individual's information security training and experience, and identify all reporting lines for that individual, including all committees and managers. In addition, provide an organization chart for your institution's IT and information security functions.
2.  Describe the extent to which your institution maintains information security policies and procedures designed to address the information security goals of confidentiality, integrity, and availability. Provide copies of all such information security policies.
3.  Describe how data classification is integrated into information risk management policies and procedures.
4.  Describe your institution's vulnerability management program as applicable to servers, endpoints, mobile devices, network devices, systems, and applications.
5.  Describe the organization's patch management program including how updates, patches, and fixes are obtained and disseminated, whether processes are manual or automated, and how often they occur.
6.  Describe identity and access management systems employed by the organization for both internal and external users, including all administrative, logical, and physical controls and whether such controls are preventive, detective, or corrective in nature.
7.  Identify and describe the current use of multi-factor authentication for any systems or applications.
8.  Describe your institution's due diligence process regarding information security practices that is used in vetting, selecting, and monitoring third-party service providers.
9.  Describe all application development standards utilized by the organization, including the use of a secure software development life cycle, and the extent to which security and privacy requirements are assessed and incorporated into the initial phases of the application development process.
10. Provide a copy of, to the extent it exists in writing, or otherwise describe, the organization's incident response program, including how incidents are reported, escalated, and remediated.
11. Describe the extent to which information security is incorporated into the organization's BCP/DR plan, how and how often the BCP/DR is tested, and the results of the most recent test.
12. Describe any significant changes to the institution's IT portfolio over the last 24 months resulting from mergers, acquisitions, or the addition of new business lines.

Analysis:

It is a positive step forward for the New York State Department of Financial Services to require its chartered financial institutions to meet minimum guidelines for the security of their information technology processes.  These security baselines are critically important not just to financial services institutions but to all public and private entities.  Since NYS has published these official rules, they should now become the benchmark or de facto standard against which all other organizations are measured.  These rules are appropriate and an outstanding starting point for anyone who is not sure where to start.

The federal government provides a seemingly endless amount of guidance for the protection of information technology assets.  The feds use the NIST framework and numerous NIST publications to assist everyone involved in the security of IT assets.  The federal regulators have been the go-to professionals in the banking space for establishing standards, so it's not unusual to hear from Mr. Anderson of the OCC or any of the regulators who are part of the FFIEC.

What is the news with this New York letter?  The federal regulators often calibrate their examinations according to asset size.  Thus larger institutions receive more intense evaluation than smaller organizations.  New York, however, has a very specific set of rules with which every institution must be prepared to comply.  This is not a little matter and could have significant cost ramifications.

Lastly, I have for years heard from administrators, managers and CISOs who have tried to get budget authority to make the purchases necessary to secure their environments.  I am suggesting that security personnel present the NYS standards to CFOs as justification for future purchases.

http://dfs.ny.gov/about/press2014/pr1412101.htm

http://dfs.ny.gov/banking/bil-2014-10-10_cyber_security.pdf

www.americanbanker.com/news/bank-technology/occ-our-cybersecurity-exams-are-plenty-detailed-too-1071708-1.html

http://www.americanbanker.com/

Happy Holidays, everyone, and a healthy and happy New Year!

All the best,

Joe, Phil and Blake

Wednesday, December 3, 2014

The Rear View Mirror

Typically in the information technology sector everyone is always focused on what's next: the latest, hottest new application, the coolest mobile telephone and of course the workaround that just makes life a little easier.  Not to be ignored are all those newly fashioned functions and features. Technology at the speed of life, forever changing our lives for the better, right?  Forward looking forever.

2014 has hopefully taught us some very important lessons that should not be ignored even if we were not directly impacted.  A look in the rear view mirror can sometimes be very revealing.  We are so focused on what's coming directly ahead of us that we refuse to see what's going on right behind us.  So for 2014 let me list a couple of things which could have made this a better year in the security space.

Network segmentation: "You can't get there from here" should be the mantra, no? Did we learn anything this past year? Network segmentation is the act or profession of splitting a computer network into subnetworks, each being a network segment or network layer. The advantages of such splitting are primarily boosting performance and improving security.  Please review a great eWeek article by clicking here.

Service Level Agreements: Service agreements are important, and a quick web search can be helpful to identify some key questions for developing such important tools for your company. The Outsourcing Center has developed ten key questions for developing effective service level agreements. It's a solid read and you'll find plenty of similar research on the web. A service-level agreement (SLA) is a part of a service contract where a service is formally defined. Particular aspects of the service - scope, quality, responsibilities - are agreed between the service provider and the service user. A common feature of an SLA is a contracted delivery time (of the service or performance). As an example, Internet service providers and telcos will commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold in plain language terms. In this case the SLA will typically have a technical definition in terms of mean time between failures (MTBF), mean time to repair or mean time to recovery (MTTR); identifying which party is responsible for reporting faults or paying fees; responsibility for various data rates; throughput; jitter; or similar measurable details. {Attribution: Wikipedia}

Too big to fail: While not at all a technical term, your company would do well to heed this warning. No company is too big to fail. No one. In our recent newsletter we talked about the breach of the week. The roadway is littered with companies failing over and over again until everyone in the industry is just tired of hearing of another breach. The breaches become "white noise", a distraction from the good work being performed by many security professionals in the field. Fight complacency, challenge everything and everyone with respect and "ASK Questions". It won't make you popular but it will certainly make you a very, very valuable employee.  Please read the Ars Technica article HERE because it puts into perspective what can happen after a breach.

Alarms: Alarms are invitations that are yelling out, "come investigate me, I'm making noise and need your direct, undivided attention." Please don't ignore alarms. The story goes like this: Hey, did you hear that alarm go off? Yeah, I'm getting a cup of coffee - you want anything? Hey, maybe I'll come with you. Great! How many times do we ignore the obvious? Alarms are put in place for a reason, to warn us, right? If the alarms are not configured appropriately and are creating noise, then someone has to go in and make a determination: turn them down and accept the consequences, or turn them up and act each time they alert.

Egress Filtering: Is that a freight train of information running out of our company? Egress filtering is protecting what's going out as well as protecting others from malware coming from inside your own company. In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled. Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network. In a corporate network, typical recommendations are that all traffic except that emerging from a select set of servers would be denied egress. Restrictions can further be made such that only select protocols such as HTTP, email, and DNS are allowed. User workstations would then need to be configured either manually or via proxy auto-config to use one of the allowed servers as a proxy. Corporate networks also typically have a limited number of internal address blocks in use. An edge device at the boundary between the internal corporate network and external networks (such as the Internet) is used to perform egress checks against packets leaving the internal network, verifying that the source IP address in all outbound packets is within the range of allocated internal address blocks. The purpose is to prevent computers on the internal network from IP address spoofing. Such "spoofing" is a common technique used in "Denial of Service" attacks. {Attribution: Wikipedia}
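The three egress rules just described (only designated servers may originate outbound traffic, only selected protocols may leave, and every outbound packet must carry a source address from the allocated internal blocks) can be checked against flow records before a firewall change is rolled out. The following is an added example, not code from the original post; the address blocks, server list and flow records are constructed sample values.

```python
"""Egress-policy audit over constructed outbound flow records.

Implements the three controls from the egress-filtering paragraph:
  1. only a select set of internal servers (proxy, mail relay, resolver)
     may originate traffic to external networks;
  2. only selected protocols/ports (HTTP/HTTPS, SMTP, DNS) may leave;
  3. the source address of every outbound packet must fall inside the
     organisation's allocated internal blocks (anti-spoofing check).
All addresses and flow records below are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: internal address blocks the edge device is allocated
INTERNAL_BLOCKS = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("192.168.50.0/24")]

# Constructed: servers permitted to originate egress and the ports each may use
ALLOWED_EGRESS = {
    "10.20.1.10": {80, 443},   # web proxy used by workstations
    "10.20.1.20": {25, 587},   # outbound mail relay
    "10.20.1.30": {53},        # recursive DNS resolver
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr):
    """True if addr lies in one of the allocated internal blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_BLOCKS)


def check_flow(flow):
    """Return None if the flow may leave the network, else the reason it is blocked."""
    if not is_internal(flow.src):
        return "spoofed source: not in allocated internal blocks"
    if is_internal(flow.dst):
        return None  # internal-to-internal traffic is not an egress decision
    ports = ALLOWED_EGRESS.get(flow.src)
    if ports is None:
        return "source host not permitted to originate egress"
    if flow.dport not in ports:
        return f"protocol/port {flow.proto}/{flow.dport} not allowed for this host"
    return None


def parse_flow_line(line):
    """Parse one constructed 'src dst proto dport' flow record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto, int(dport))


def audit(lines):
    """Return [(flow, reason)] for every record that violates the egress policy."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow_line(line)
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 stand in for the Internet
SAMPLE_FLOWS = """
# src dst proto dport
10.20.1.10 203.0.113.5 tcp 443
10.20.7.44 198.51.100.9 tcp 443
10.20.1.20 203.0.113.25 tcp 25
10.20.1.30 198.51.100.53 udp 53
10.20.1.10 203.0.113.5 tcp 6667
172.16.9.9 203.0.113.5 tcp 80
10.20.7.44 10.20.1.10 tcp 3128
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

Run against the sample records it flags three flows: a workstation bypassing the proxy, the proxy using a non-allowed port, and a packet whose source is outside the allocated blocks; the workstation-to-proxy flow is allowed because it never leaves the network.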

Enumeration: Thanks to Wikipedia we know that network enumeration is a computing activity in which usernames and information on groups, shares, and services of networked computers are retrieved. It should not be confused with network mapping, which only retrieves information about which servers are connected to a specific network and what operating system runs on them. Network enumeration is the discovery of hosts/devices on a network. Enumeration tools tend to use overt discovery protocols such as ICMP and SNMP to gather information, and they may also scan various ports on remote hosts looking for well-known services in an attempt to further identify the function of a remote host. The next stage of enumeration is to fingerprint the operating system of the remote host.

We hope that this short laundry list helps each of you.  We understand the complications of local, national and global enterprises.  None of this is easy, but neither is dealing with the stockholders and the media if your company falls victim to a breach or other such incident.

Tuesday, December 2, 2014

Ten Mistakes that Boards Make


Too often we are learning of executive-level errors or omissions which cause massive breaches of the data or PI of millions of citizens.  Here are the "Ten Mistakes That Boards Make":

1. Not Asking Questions
2. Failing to Understand the Company and the Risks it Faces
3. Failing to Lead on Ethics and Compliance
4. Not Insisting on a Crisis-Management Plan
5. Speaking out in a Crisis Before the Facts are in
6. Relying on the Wrong Outside Counsel
7. Failing to Understand Attorney-Client Privilege
8. Underestimating Regulators
9. Giving too Much Leeway to Rainmakers
10. Getting Caught Up in the Dilemma of False Options
Taken from the magazine Corporate Board Members, an article written by Randy Meyers.

Make Integris Security your Chief Risk Officer (CRO) as the independent keeper of oversight in your corporate enterprise.  It is the job/function of the CRO to keep regulator awareness at a high level and to let the business be in charge of risk management.

Integris Security LLC grew from our passion for protecting our nation's critical infrastructures and years of providing industry professionals with best of breed solutions, proven best practices and top notch security education. We work tirelessly to nurture our clients' TRUST. We will work equally diligently to EARN your trust.


Reference: http://operationalrisk.blogspot.com/2014/11/top-ten-mistakes-board-of-directors-risk.html

Thursday, November 13, 2014

Hacking With Glue

How Integris Security Automated Hours of Testing With a Single Mouse Click


The recent presentation by Integris Security CTO, Blake Cornell, titled "Hacking With Glue" ℠ has been published. It outlines some software we have been developing for internal use which saves time and increases the ROI for our clients.

"Penetration Testing involves a lot of repetitive manual processes. This includes the execution of a multitude of security tools. These are traditionally executed based upon the analysis of an analyst over the duration of a vulnerability assessment. Automating a heuristic process allows an attacker additional resources for more valuable tasks through the automation of the acquisition, execution and information collection process.

A tool framework was developed by over the last few months, effectively gluing over 30 unique security tools together. Each of these tools is selectively and dynamically executed based on your target's available networked services.

The tools include a collection of open source, custom and commercial software with varying licensing requirements.

Hacking With Glue ℠"

Hacking With Glue - SMB Cyber Security Solutions
Robots are a hacker's best friend.

If you would like access to this software, require our assistance with your own cyber security workflow/pipeline or simply want to see how Integris Security can help you with your cyber security needs then please contact us.

Wednesday, November 12, 2014

53 Million Reasons ... To Tighten Up The Ship

There are 53 million reasons to take another look at the security of your enterprise.  This past week Home Depot advised that the data (P.I.) of 53 million customers was exposed to thieves over the internet.  Home Depot joins the long list of companies that have suffered a breach during 2014.  What can we learn from Home Depot? 

Flat networks don't work.  Network segmentation is part of the answer to ensure that if a break-in occurs your exposure is vastly limited.  Cut them off at the pass and don't let them beyond your first defensive line.  Call us if you aren't sure or just need some clarification 516-750-0478 and we would be more than happy to advise your company.

Thursday, October 9, 2014

Cyber Security Awareness Month

Not yet halfway into DHS Cyber Security Awareness Month, the industry's leading computer organizations in NYC have hit the ground running with their first joint conference, a success ushered in without nearly breaking a sweat.

NY Metro InfraGard, ISSA, ISACA, OWASP, Cloud Security and others joined together with over 300 security professionals in Brooklyn, NY at St Francis College.  The lectures showcased outstanding sessions on Active Directory and a number of security and related discussions.  The all-day event produced a Women in Security panel as the afternoon plenary event.

Most attendees remarked that this was the opening for the 2015 joint Cyber Security Conference, which all believe will now be an annual event.  Congratulations to the organizing committee who persisted and stayed on course to make this important event happen.  A big thank you to St Francis College in Brooklyn for moving heaven and earth to make this happen and for being flexible during the day's events.

We look forward to seeing more of this next year.

Friday, June 20, 2014

The Future of NYC Is Up For Grabs...


As many of you know, last year, at the request of every Law Enforcement entity in NYC, I was asked to run for City Council.  Why?  Because then NYC Councilman Mark Weprin of the 23rd District, where I live, lied to police officers at every rank and put them in personal legal jeopardy.

The pivotal campaign issue was all about something called Local Law 71, the Community Safety Act of 2013.   Former mayoral candidate Bill DeBlasio and City Councilman Mark Weprin of NYC for nine months hammered NYPD and asserted they were out of control, violating the rights of everyone out of hand (stopping and frisking anyone in sight).  The law, the NYS criminal procedure law and case law shape the circumstances under which search and seizure may occur and when a police officer's common right of inquiry for Stop, Question and Frisk can occur.  Local Law 79 on page two for the first time places NYC Police Officers in defined personal legal jeopardy, which today NYS Supreme Court Judge Singh just affirmed.  Police Officers will not be covered by the City Law Department, which is the usual case for those city workers carrying out their paid function.  Anyone can just file a lawsuit against a police officer, and out of pocket those officers will be forced to defend themselves, their families, reputations, estates, assets and more.

The magnitude of this law is far reaching and has, with the stroke of a pen, "handcuffed" the NYPD from conducting even lawful Stop, Question and Frisks for fear of legal jeopardy coming into play.  Anyone, anywhere can choose to sue them personally.  No wonder shootings in NYC are up 13% for the first six months of 2014 and up 1800% in the confines of the 75th Precinct for the current 28 day period.  Bad law has consequences, and if there ever was a bad law with horrible consequences, this law is the poster child. Remember, as a result of past NYPD activities in NYC over 7700 people are alive today, not from some affluent community but in the harshest places NYC Police patrol.

Today, Ed Mullins president of the NYC Sergeants Benevolent Association spoke out as a result of a NYS Supreme Court ruling.  Here's what he had to say:

Some Excellent Advice That Should Definitely Be Heeded [Applicable to All Ranks]

NYPD members can be SUED! - State Supreme Court Judge Anil Singh
By Ed Mullins — Thursday, June 19th, 2014; 4:42 p.m.  ‘Sergeants Benevolent Association E-mail’


On Wednesday June 18, 2014 State Supreme Court Judge ruled members of the NYPD who engage in Stop, Question and Frisk can now be sued in accordance with the provisions of Local Law 71 as passed by City Council. 

Once again I remind each of you, this law impacts your career, family and overall well-being.

As you go to work each day, your only assignment is to return home to your family. The POLITICIANS and the PEOPLE of this city are NOT SUPPORTING you, make no mistake about it!   

Shootings are on the rise and gun arrests are down.  DO NOT jeopardize your safety, careers and pensions!  We are currently exploring an appeal.


Below is a summary of Judge Singh’s decision.

The court made three rulings. First, it ruled that the SBA and PBA had standing to challenge Local Law 71 and had properly brought suit against the City Council on behalf of their members.  Second, it ruled that Local Law 71 is not preempted (and thus not invalidated) by state law, either because the state occupies the field of criminal procedure or because Local Law 71 conflicts with state law.  Third, the court ruled that Local Law 71 is not unconstitutionally vague.

1. The court determined that the SBA and the PBA had standing to challenge the law because the availability of lawsuits against police officers, including the potential for police officers to be held individually liable for attorneys' fees and costs that would not be indemnified, was an immediate threat of harm.

2. The court therefore rejected the City Council's argument that the harm to police officers resulting from Local Law 71 was speculative.

3. The court also agreed with the SBA and PBA that the reputational harm that would result from such lawsuits was an injury that could be protected in courts as a matter of law.  The court found that the SBA and PBA as organizations had properly brought suit on behalf of their members, because their mission and core function is to protect the rights and interests of law enforcement officers.

4. On the issue of whether Local Law 71 is preempted by the New York Criminal Procedure Law (the "CPL") as an impermissible intrusion into the field of criminal procedure, the court concluded that the two laws exist in two different fields, because Local Law 71 is not a criminal procedure law, but rather a civil rights law.  Noting that other municipalities have similarly enacted laws regarding civil rights, including racial profiling laws, the court observed that Local Law 71 does not prevent police officers from making stops, and that it simply creates consequences for police officers who engage in bias-based activities.

5. The CPL, according to the court, applies only to criminal prosecutions and procedural rights of defendants.  In effect, the court agreed with the City Council that the CPL governs only matters that occur in criminal court, and found that, because investigative stops occur outside of court, they are not covered by the CPL.

6. The court further found that Local Law 71 does not conflict with the CPL because it does not place any restrictions on a police officer's ability to stop, question, and frisk an individual beyond those established by the Supreme Court in Terry v. Ohio and by subsequent related cases.  Instead, the court found, it requires only that a police officer consider an individual's behavior or other circumstances linking the individual to criminal activity.

7. According to the court, prohibiting the use of race or another protected characteristic as the "determinative factor" in making a stop is consistent with state and federal law, and a stop that was based on such a characteristic would not satisfy the Terry standard in any event.  Because Local Law 71 does not set a higher standard for stops than what is already required, the court reasoned, it is not inconsistent with state law. Nor, the court found, does Local Law 71's use of a subjective standard result in a conflict, because, regardless of whether the stop is viewed objectively or subjectively, the same factual basis must exist before the stop can lawfully occur.

8. The court disagreed with the SBA and PBA that Local Law 71 is unconstitutionally vague.  While the court acknowledged that in some circumstances Local Law 71 operates in a "grey area" because of the lack of definitions of its terms, it concluded that courts and administrative bodies could develop meanings for those terms over time, as cases come before them.  The court also emphasized that the phrase "determinative factor" originates from the NYPD's own internal anti-profiling policy, and asserted that the NYPD had acknowledged in a FINEST message that Local Law 71 is consistent with NYPD policy and training concerning investigative stops.


Fraternally,
 / s /

Ed Mullins


Elections have consequences, and NYC just spent twenty years cleaning up the streets of NY.  Police Officers are human beings and as such, with guidance from supervisors and Union leadership, will find themselves hard pressed to aggressively fight crime in our city, especially as case after case winds its way through the courts.  Which NYC Police Officer wants to be the test case to see if he or she acted within the scope of this new law?  We say few will opt in to make themselves an example for all others to follow.  As such, the NYPD is pulling back, and today we can begin to see the results starting to crystallize.  The 75th Precinct is notably one of the toughest places in the City to work.  Crime and violence are now returning to the streets, the City Council is demanding more police officers to patrol the street (the cost of this bad law is already showing), children are stabbed during daylight in elevators, people are shot openly in the streets, as crime, disorder and fear once again return to NYC.

This is a sad day for the City of NY.


Thursday, June 12, 2014

Careful What You Wish for

Trust is at the core of Integris Security LLC

Have you ever wondered where to start in securing your computer operations?  It's natural to be concerned and to suffer from some anxiety. Careful what you wish for, because when some people apply for CSO or CISO jobs they may suddenly find that they got what they wished for.  Now what?  Where do I start, what comes first, yikes, I need priorities, but where?

Integris Security LLC, with the help of some of our friends from the NY InfraGard Thursday Conference Call, came up with some great resources which you should become familiar with.  We also discussed ISO 27001 at some length.  It was the conclusion of the callers that the ISO standards are written to be very broad and do not focus the security professional on what needs to be done with any given priority.  The ISO standard could lead you down an unfocused road without clear priorities for what's really important to your organization.

Here are some focused security and risk management resources:

Security professionals need to have a full understanding of the environment which they are securing.  These men and women need to be able to explain to others why we need this control, that defensive tool, etc...  The security professional needs to be intimately involved with the infrastructure and provide a solid understanding of every facet of the operation.  This work takes dedication - endless time and energy that becomes the life and work product of a CSO/CISO.

CSOs and CISOs would do well to build a set of books describing the environment that they have been hired to protect.  In these books should be the SANS twenty controls.  Each control should be explained in detail and a record of examination clearly maintained, so that each fresh security face looking at the systems will not have to hunt for the documentation.  This is part of your audit trail.

Why SANS? The SANS organization has distinguished itself as an expensive but outstanding security organization from which excellence is derived.  The SANS top 20 security controls are maintained and updated so that security professionals can be assured they are addressing the top known threats.

How can a true security professional even begin to contemplate securing an organization's assets without knowing the environment inside and out?  It is impossible.  If your organization needs assistance in understanding these and other security issues, give Integris Security a call and let's get started today.

Trust is at the core of Integris Security. We can be counted upon to provide you with the services and intelligence to keep your information, systems and institution secure. Call us and let's get to work on improving your security/risk posture.

Monday, June 9, 2014

What's Your Risk Tolerance?


Where's your army?

At Integris Security we're asking the question: who do you have protecting your data and your information?  What's your risk tolerance?

Do you have an army of security professionals that are well trained and well informed?  If you are new to your environment have you conducted a full audit and/or do you have a full audit program in place?  Are you truly ready for a Red Team to come in and test your defenses?

If you're not scanning, testing and performing a critical analysis of your systems, people and workplace, then you just aren't testing, and you might as well leave the front doors open, leave the user IDs and passwords on the desk all day long, and not purchase another defensive tool.

At Integris Security we perform system scanning as a good low-level way to reveal vulnerabilities and to create a punch list to work on.  We conduct penetration testing because it takes testing several steps deeper and provides a full analysis of what's going on inside your environment.  But while all of these things are good, they are really not good enough.  A network topology and architecture review would also be a great start, but still not good enough.  You need to understand your risk tolerance.  In order to do this you need to understand your total environment.

An ISO 27001 certification is a top-down inside look at your environment.

ISO/IEC 27001:2005, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

If you're sitting on the board of a company it should be something you have in your binder, and it needs to be maintained annually with weekly, monthly, quarterly, semi-annual and annual updates.  This is a fact-driven file from which all discussions emanate.  This certification is something every new CEO should be given once the keys to the kingdom are in his/her hands.  Every single discussion concerning future enhanced functions coming into a company needs to flow from this certification.

Consider driving a car without knowledge of how much gas you have left, or of whether your signals or headlights are working.  You would effectively be driving blind.  Don't drive blind; know what's going on around you and respect the incredible complexity which is driving your company's profit center.  Become informed, and challenge operators on both the security team and the business team to bring all the facts to the table.  Make an informed Risk Tolerance decision.

How can you even begin to know your risk tolerance if you don't know what's in your wheelhouse?  Call Integris Security and let's get informed together. 


Trust is at the core of Integris Security. We can be counted upon to provide you with the services and intelligence to keep your information, systems and institution secure. Call us and let's get to work on improving your security/risk posture.



Friday, June 6, 2014

Blackshades - an international hazard

It is important to note, as I start this discussion, that while malware today is portrayed as dangerous, destructive and part of a criminal enterprise, viruses, worms and trojans were, and sometimes continue to be, little pieces of code which help automate things.

The very first virus written wasn't an assault on a major banking institution; rather, it enabled a programmer to automate repetitive or tedious tasks.

With that said, the FBI has recently reported in a sterilized press release that the international Blackshades operation has been taken down.  What we don't read in the release is perhaps as instructive as what is placed on paper.  Thus there is good reason to dig a bit deeper and try to wrap a little context around all the fanfare.  This isn't about using limited FBI resources on taking down just any cyber criminals.

For those of you who followed me at InfraGard, we produced a weekly IGtv program wherein I spoke with security professionals from the world over.  In this weekly Internet show I interviewed a number of professionals from RSA Security's Israel lab.  During these reports and discussions we learned that the world of malware had developed from a freakish, once-in-a-while, mad-scientist type of thing to a very purposeful black-market type of business operation.  Blackshades is not some backroom mad scientist; rather, they are business people selling software and, as we will learn, much more.  They are careful to insist that those buying their software sign off on a statement of use and legal disclaimers carefully avoiding international and in-country laws.  Because they are in fact a software company, and a very good one at that, right?

Blackshades develops many different types of software, and the one that focuses our attention is the RAT (remote application tool).  There are many variations of the RAT, and the focus of our post here is Blackshades NET.  In researching Blackshades we found it useful to also take a look at DarkComet, another RAT with some pretty good potential but not nearly as powerful as Blackshades.  However, DarkComet has a history in international affairs which is useful reading as we move forward to learn more about Blackshades.  We can see how the development of software has worked its way into state-sponsored actors.  Recall how Russia used technology to kill communication lines prior to the invasion of Georgia, and now the Ukraine.  DarkComet has played a role in Syria.  So pay close attention when we talk about the functionality of Blackshades in comparison to DarkComet; it becomes increasingly important to understand why the FBI would get involved and purposefully release a sterile press release on the takedown.

Blackshades is distributed through some common social media channels as well as phishing attacks, P2P channels and much more.  All very common and known to the industry.  Its functionality dwarfs DarkComet in comparison.  As Malwarebytes states:

"The BlackShades web site mentions a lot of the functionality the RAT is capable of, from various system administration functions to surveillance functions and computer security.  It doesn’t actually mention ALL of its functionality, as we will discuss, and I think that they might have a hard time explaining on their website the purpose of some of the following functions."
This software toolkit is explosive and is used to hijack websites with its ransomware, which basically locks you out of your site or maybe encrypts everything (no key provided) until such time as you pay the fee.   Another interesting aspect of Blackshades is the Facebook Controller, which basically takes over your account and posts for you.  Remember, it is said that one in fourteen people in the world are on FB.  Most FB users aren't aware that "always on" means that if the software has reached you, even when you are logged off the web but still logged in to FB, Blackshades will for sure take over.  Logging in and out is a pain, but in today's security environment it is a MUST do.  So when a nation state is acting, it uses many channels to build or tear down a point of view, a surveillance, etc.  This tool has built-in DDoS and other attack capabilities as well as Java exploits.  But more importantly, as Brian Krebs reported:
“Blackshades was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag,” wrote Brian Krebs of Krebs on Security. “The product was sold via well-traveled and fairly open hacker forums, and even included an active user forum where customers could get help configuring and wielding the powerful surveillance tool.”

As stated by Symantec, the Blackshades tools (RATs) are popular with cyber criminals and state actors like Libya and Syria.  For forty to fifty dollars one can acquire a very effective software product which can be very destructive, a product which has helped underground elements to extract millions of dollars from companies the world over as well as some governments.

In summary, Blackshades, which infected over 500,000 computers worldwide, is a more nefarious piece of software than its predecessors and than anyone is letting on, and in hindsight the FBI takedown is a signal to those "business people": look out, we're watching and we're on top of it.  Ninety arrests in 19 different countries is telling about the scope and depth.  Uncertain is whether this is nipping at the edges or taking out the C/C capabilities and the principals involved.  Most likely the FBI is both happy for the case and noticeably reluctant to say game over.  This snake will continue to slither in and out and pick up again under another name with more willing players looking to strike it rich quick.  Malware is no longer the mad scientist; it's hit Main Street and the profit center.  Malware is making millions for some of those willing to take the risk of getting caught.  Malware has also taken center stage as a component of state actors.  International cyberwarfare is now our reality and has been for some time.  If you weren't aware, you'd do well to read up.

LINKS:

http://www.symantec.com/connect/blogs/blackshades-coordinated-takedown-leads-multiple-arrests

http://resources.infosecinstitute.com/darkcomet-analysis-syria/

http://abcnews.go.com/Technology/fed-cyber-sleuths-stop-gameover-zeus-cryptolocker-crime/story?id=23964827

http://www.washingtonpost.com/news/morning-mix/wp/2014/05/20/5-scary-things-about-blackshades-malware/?tid=pm_national_pop

More Info:

In the Bureau's custom of sharing the most accurate, vetted information, they updated others today with the latest figures:

Arrests: 103
Searches: 375
Interviews: 163
18 countries involved
Approximate victim computers globally: 700,000

Wednesday, June 4, 2014

Intolerant NYC Council Successfully Handcuffs NYPD - resulting in the return of Crime, Disorder and Fear to the streets of NYC

What's surprising is that the NYC Council members don't want to own the result of their actions in passing the NYC Community Safety Act of 2013. In our Queens District, City Council Member Mark Weprin needs to take ownership of a law he personally shepherded into NYC. He and others have now reintroduced Crime, Disorder and Fear on the streets of NYC. The City Council passed this law against the advice and experience of every level of Law Enforcement in NYC - 500 years of experience. But Mark Weprin and the City Council knew better, and now they own the results.

Members of the police department have heard him and others in the City Council loud and clear. Police Officers in NYC will be sued personally, their families, homes and incomes placed in legal jeopardy should someone "feel" their rights have been violated.

As we stated in our campaign for City Council with historic low voter turnout and we'll state again here for the record: those least capable of representing themselves, protecting themselves would be hurt first, the poorest of NYC. It pains me greatly to see the crime stats and headlines come true. But it was a predictable reality.

Now the NYC Council needs to take ownership of a VERY BAD law which only lawyers could draw up under the crafty title of Community Safety Act. Very crafty, very tricky, but it is now a loss leader for all who live in NYC.

Stop, Question and Frisk was not a legal problem in NYC, it was very much a management issue. Now the City Council and Mark Weprin own the result. Yes, I'm pushing it because kids just don't deserve the harshness which City Council members just don't seem to get. I take no pleasure in being right, I am sick over the headlines and predictable results.

Shame on the NYC Council for failing to do the hard work in the first instance, and that's holding NYPD to account for training and discipline in oversight and hearings. For failing to talk it out with borough and precinct level commanders. For failing to properly educate the public on the real issues.  For the poorer communities of NYC it's not about quality of life, it's about survival.  


The next time you send the kids out to get ice cream, remember the little boy in East New York.  Think hard about who you vote for; elections have consequences.  The security of the people is job one of any elected official.  Failure to provide that blanket of security, notwithstanding all of the problems, should be a basis for forfeiture of office.

Sad, very, very sad. I am distressed for the parents who now have to bury their children. Just incredible....and yes, very preventable.  This isn't a Police Department problem, it's a failure of leadership by our elected officials right here in NYC, hell-bent on doing anything they can to get re-elected.



LINKS:


Patrol Borough Brooklyn North

75th Precinct


Tuesday, June 3, 2014

Uncertainty, risky first half of 2014...the year of the hack?

Pushing the buttons of millions of individual Americans is the fact that their accounts have been hacked, according to Larry Ponemon at the Ponemon Institute in a study conducted for CNN Money.  Ponemon's study gauged that 47% of adults had their accounts hacked during 2014, which may soon become known as "the year of the hack".  That's just about half of all adults in the United States.

The fascinating numbers come on the heels of the Target breach, which we have been discussing on this blog, and don't include the millions in the latest eBay breach.  It's raining on the American public as millions of PII records are exposed.  Here are the facts and figures Ponemon and Jose Pagliery of CNN have dug up for CNN Money:

"Cyber attacks are growing so numerous that we're becoming numb to them. Researchers at IT company Unisys (UIS) say we're now experiencing "data-breach fatigue." Even the most recent numbers make for a dizzying list:

More numbing than the facts and figures presented by the Ponemon Institute for CNN Money is the fact that the industry as a whole has not adopted better and well-known security practices.  Need I go on?  For ten years industry has been digging a hole deep in the sand and sticking its proverbial head in the hole.  See my blog post on accountability.

Let's not blame it on companies looking at profits; after all, isn't that why companies are in business to begin with?  However, we do pause when companies select tactical gains to satisfy quarterly earnings statements, and maybe to make themselves look good, as opposed to the overall strategic growth and health of a company or corporation.  Read: responsibility to shareholders and company employees. To some extent the risk vs. reward discussion will come up, and when presented, executives will nervously select profits.  Until boards reflect the knowledge, skills and abilities necessary to make both tactical and strategic management decisions we will continue to see the deep decline and, clearly, the never-ending "year of the breach".  Operational executives will respond in kind when Boards of Directors begin to ask the thorny questions which should focus on the strategic growth of the company.  Employees will then be motivated and hear the clarion call from on high when the CEO comes back from the board meeting and says: they want more security and assurance before we can bring that function on board; who certified that code, who tested it and who has taken ownership of the relationship with the software team?

Here's hoping that the second half of 2014 is the year of Boards of Directors active and attuned to what is going on not only in the front office but in every office.  That function continues to thrive and work closely with, if not right next to, the security team.  That multi-factor authentication is used not just for outsiders, but for insiders as well.  That outside relationships are clearly defined and SLAs (service level agreements) are scoped out to protect both the vendor and the company.  That data, whether held in a planet-sized computer terminal or a tiny smart phone, is protected and preserved, because we should all enjoy a level of privacy.   That when we buy the state-of-the-art upstream gadget that detects attacks, and when alarms go off and people start screaming at the top of their lungs, someone will listen, will have been properly trained on the use of the gadget, and will have configured it properly. All very hopeful that the year end will be better than the start.  The future is now before us.  Let's see how we do!

Good luck everyone!

Saturday, May 31, 2014

Lessons from the U.S. Veterans Administration

Government-run healthcare is suffering from the stiff stench of reality this week as the Veterans Administration implodes in a wide-scale corruption probe in over 46 different facilities, defining systematic corruption which has infected the entire bureaucracy.  What can we learn?

Audits tell part of the story, and so does strong management which not only holds people accountable but is in fact in-the-trenches leadership.  Take a hard look at "Undercover Boss" and ask yourself: if the leadership of the VA had been in the trenches, could things have been any different?  Clearly the Administrator of the VA was fighting an uphill battle against liars, cheats, and more.  But "Undercover Boss" makes the point: get out of the office and get into the trenches for a reality check.  Now let's see if our USDOJ follows the Veterans Administration IG's report and starts the most necessary criminal investigations to clean up the VA once and for all, so that our war heroes finally get what they deserve: the best health care known to man.

We talk much in this blog about management and boards of directors.  As we should.  Organizations depend on these fine men and women to do the impossible, to be supermen and women.  But the days of hands-off management are long gone.  Whether you are in government or the private sector, if you haven't gotten that message it's high time you did.  Get out of the office and learn the reality of what is going on in the workplace.

We heard much this week about outdated technology and "scheduling".   We worry: is this a sign of times to come in government-run healthcare?  Well, those of us in technology know all too well that technology does a backflip and ten steps forward about every 60-90 days.  So if you're thinking of saving money and leveraging your entire corporation and/or government-run agency on a shoestring that has a one-time technology budget - in the immortal words from Brooklyn, NY - forget about it.

Technology is in the worst case an infant, with an appetite that rivals most young U.S. Marines in boot camp.  Belly up to the table, because this infant is going to need your undying attention, your understanding and your coddling every single day of the week.  Budgeting and planning for the unexpected are just another aspect which many who are so quick to adopt technology and outsourcing with an expectation of saving millions may want to slow down and take a deep breath over.  Technology implementations are expensive, and those seeking shortcuts are only doing a royal disservice to their companies and agencies and fooling themselves.  While the passing of timely and accurate information is exciting and, used correctly, can help you turn on a dime....it comes with a fairly large investment and a huge reality check on expectations: not on the information delivered, but on the intense care and ongoing maintenance of systems, controls and people.

Take a hard look at the Veterans Administration of today and ask yourself, Mr/Mrs CEO or Agency head: could this be me?  Do I even have a clue?  We hope this, as with any number of cases we bring to your attention, helps you focus not just on security but on the fundamentals of leadership and management.

If you need a trusted source and a friendly but well-grounded reality check, give us a call.  We would like your business, but we're not willing to let our reputation suffer just to make a buck.







Friday, May 30, 2014

Accountability: Have you heard the call from Target yet?

At some point industry across America will face a tipping point.  A point at which lying to the U.S. Congress, failure to comprehend risk, and pointing the finger at someone else just isn't going to cut it.  Those in the front office will be held accountable at some point.  Enter TARGET.

Leadership Failure:
Have you heard the call from Target yet?  Perhaps you should.  The CEO - gone.  The CISO - gone.  The Board of Directors - now facing election - could be gone as well.  As they should be, for failing the stockholders and trustees through lack of interest and utter malfeasance of office.  For bringing incompetence into the forefront, this board and others need to be tossed.

http://www.computerworld.com/s/article/9248631/Advisory_firm_urges_ouster_of_majority_of_Target_board_members_over_breach_

IT Certification - a farce and failure?
(ISC)2 code of ethics canons state:

1. Protect society, the commonwealth, and the infrastructure
- Promote and preserve public trust and confidence in information systems
- Promote the understanding and acceptance of prudent information security measures
- Preserve and strengthen the integrity of the public infrastructure

2. Act honorably, honestly, justly, responsibly and legally
- Tell the truth; make all stakeholders aware of your actions on a timely basis
- Observe all contracts and agreements, express or implied
- Treat all constituents fairly.  In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order
- Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort.  Take care to be truthful, objective, cautious, and within your competence
- When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service

3. Provide diligent and competent service to principals
- Preserve the value of their systems, applications and information
- Respect their trust and the privileges that they grant you
- Avoid conflicts of interest or the appearance thereof
- Render only those services for which you are fully competent and qualified

4. Advance and protect the profession
- Sponsor for professional advancement those best qualified.  All other things equal, prefer those who are certified and who adhere to these canons
- Avoid professional association with those whose practices or reputation might diminish the profession
- Take care not to injure the reputation of other professionals through malice or indifference
- Maintain your competence; keep your skills and knowledge current.  Give generously of your time and knowledge in training others

Can we honestly believe that (ISC)2 is holding its certified membership to account for its own ethics canons?   Is this industry grist mill collecting money and not policing its own people?  After ten years of continually failing grades in breaches from every corner of the world, one has to ask: is the (ISC)2 operation real, is it accountable?

As industry raced to bring down costs and adopted many Information Technology practices, and sought greater input about its clients, its prospects and its internal operations, a CISSP or other similarly designated security professional has been behind the wheel.  Are these people being held accountable?

Securing systems is for sure both an art and a science and not to be taken lightly.  Nor is there a silver bullet or magic wand to wave to make things right.  However, CEOs will have to lead; security will have to be roundly touted by, adopted by and insisted upon by all top management executives.  Audits will have to be conducted to constructively explore where the problems are and, when found, aptly addressed. Function can take place, perhaps a little slower, to give the security personnel the opportunity to explain the risk, so that management personnel can bring it into full view for the board of directors.  These boards of directors then have the full responsibility to guide Chief Executives as well as to protect shareholders from weak operations.  IT systems are difficult, and solutions are not always forthcoming.  But clearly, in breaches for the past ten years, industry has failed the public over and over again.  With no accountability, until maybe now.

Thursday, May 29, 2014

eBay: How could you?

Step up eBay, the world's largest online marketplace and the next in a line of corporations who may have flaunted the very fact that they too are capable of security failure.  eBay is not just another big box retailer, e-retailer, etc...they personify e-commerce, set the standard and are in every predictable way NOT a brick and mortar business gone wild for everything online.  eBay is the very house that the internet era caused to be built, ushered in by the demand for anything, anywhere, at any time.

Fast forward along the breach runway from TJ Maxx, ... to Target this year: the runway is littered with one company after the next who mistook market position and financial viability as a surety that they could hide from reality.   One company, one agency after the next has shown that client data is just not secure, not safe, and that the path forward is very uncertain.

To be certain, eBay does a great job of protecting applications.  Today, on an industry conference call (InfraGard: www.nym-infragard.us) known as the Thursday Call, application protection was discussed and there was general agreement that eBay has done an admirable job in application security.  One senior security professional said eBay's problem is simply the M&M syndrome: a very hard outer shell vs. a soft mushy inside.  Thus you have very predictable outcomes when separation of duties, multi-factor authentication, scaling privilege to those with a need to know, and demanding credentials for insiders which should at the very least match those admitted from the outside are neglected.  Ambivalence cannot be tolerated when you are in a class beyond all others in the online marketplace.  eBay is now set to walk the runway of shame, knowing full well all of this could have been avoided.

As the walk of shame befalls eBay, responsibility will be fixed upon whom?  The Board of Directors, who should have been monitoring the effectiveness of operations, audits, etc....most certainly they deserve the lion's share of credit....stockholders, beware who you vote for and put on the boards of companies who depend on the online marketplace.  Step in the regulators: Connecticut, Florida, etc...UK authorities....eBay just bought itself more lawsuits and official inquiries than it ever would have cost them to do the right thing the first time.

CEO, COO, CTO, CIO, CFO, CSO, CRO....for sure avoiding the media and taking full responsibility could become downright hostile from the inside.  But each of these people owns a part of 145 million records of their clients being exposed.   As these creatures of the front office prepare to circle the wagons, we must comment on the security staff whose job it is to keep the data secure, and on the fact that only passwords were encrypted.  Thus dates of birth, home addresses and more were left in the open. So how many CISSPs were on staff at Target, TJ Maxx, others and now eBay?  Will their certifications be revoked?  What liability will they have in failing to do what they swore they would take care of?  Do no harm??

Angry?  Perhaps, not because of any one individual's actions or inactions, but because for ten years VERIZON has been publishing the DBIR and has listed over and over again the same recommendations.  Failure to do X will give you Y.  It's not like this is a well-kept industry secret and no one knows.  Everyone knows.  Q1 this year was Target, Q2 this year is eBay, next up?

Before Q3 hits, call in a security company and get a health check-up.  Batten down the hatches and understand that the world's wolves are gunning for you.  Make no mistake, size doesn't matter.

LINKS:

http://www.cnet.com/news/ebay-to-face-formal-investigations-over-data-breach/
http://www.scmagazine.com/states-probe-ebay-after-breach-affects-all-its-users/article/348422/
http://www.bbc.com/news/technology-27539799
http://www.theregister.co.uk/2014/05/23/ebay_security_breach_investigations/

Tuesday, May 27, 2014

DBIR 2014 significance?

Hello everyone,

Just a short post on the Verizon Data Breach Investigations Report 2014.  Verizon has done an exceptional job at improving the overall content of their report from the volume side of the house and, make no mistake, the report captures client and other added cohort details.

So what's pressing in Verizon's 2014 report?  Why read it, why bother, and what's the significance?  The report is chock full of numerous charts of the garden variety trying to tell the breach story and what some may say is the "same old story".  Just more Verizon investigation numbers added to the base.  

If you just landed on earth and were concerned about security, and then focused in on cyber security, you might want to scratch your head.  Why?  Well, frankly, Verizon has been publishing what some say is in theory the same report year over year (different numbers, greater volume, prettier charts, greater diversity) but, all in all, the same report.

At the end of the day we turned to the recommendations of the report and find that if we looked back five or ten years ago, nothing much has changed.  

So for 2014 our advice is to look back at the 2009 or 2004 reports and follow the security advice....if for some reason you can't follow the advice, wait another five to ten years and, trust me, you'll be hearing the same thing all over again.

For 2014, a ho-hum report: pretty cover, nice charts, but the significance is lost unless your head has been buried in the sand.  In that case, it's time to wake up - read and follow the recommendations.  Here are some classic recommendations; if you see something new and astonishing, let me know:


The DBIR is packed with more detailed information and recommendations. But seven common themes are clear:
  • Be vigilant. Organizations often only find out about security breaches when they get a call from the police or a customer. Log files and change management systems can give you early warning.
  • Make your people your first line of defense. Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.
  • Keep data on a ‘need to know basis’. Limit access to the systems staff need to do their jobs. And make sure that you have processes in place to revoke access when people change role or leave.
  • Patch promptly. Attackers often gain access using the simplest attack methods, ones that you could guard against simply with a well-configured IT environment and up-to-date anti-virus.
  • Encrypt sensitive data. Then if data is lost or stolen, it’s much harder for a criminal to use.
  • Use two-factor authentication. This won’t reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.
  • Don’t forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.
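Two of the DBIR themes above, "log files can give you early warning" and "revoke access when people change role or leave", are the same "soft mushy inside" problem the eBay post describes: insiders and leftover accounts holding more than their role requires. The following script is an added example, not code from this blog, from Integris Security or from Verizon. It reconciles a constructed HR roster against a constructed account store and a few constructed SSH auth log lines, flagging accounts owned by departed staff, accounts with entitlements beyond their role baseline, orphan accounts with no HR owner, and successful logins by departed staff after their separation date. The roster format, role baseline and log format are assumptions made for the example.

```python
"""Access review: stale accounts, excess entitlements and early-warning logins.

All roster, account and log data below is constructed for this example.
The checks return plain Python values so the review can feed a report.
"""
import re
from datetime import datetime

# Constructed HR roster: username -> employment status, current role,
# and separation date (ISO) when the person has left.
HR_ROSTER = {
    "alice": {"status": "active", "role": "dba", "left": None},
    "bob": {"status": "terminated", "role": "analyst", "left": "2014-05-15"},
    "carol": {"status": "active", "role": "helpdesk", "left": None},
    # dave moved from dba to sales; his old rights were never removed
    "dave": {"status": "transferred", "role": "sales", "left": None},
}

# Constructed account store: username -> entitlements currently granted.
ACCOUNTS = {
    "alice": {"db_admin", "vpn"},
    "bob": {"vpn", "crm_read"},  # never disabled after termination
    "carol": {"ticketing"},
    "dave": {"db_admin", "vpn", "crm_read"},  # kept db_admin after transfer
    "svc_backup": {"db_admin"},  # no owner in the HR roster (orphan)
}

# Need-to-know baseline (assumed for the example): what each role may hold.
ROLE_BASELINE = {
    "dba": {"db_admin", "vpn"},
    "analyst": {"vpn", "crm_read"},
    "helpdesk": {"ticketing"},
    "sales": {"crm_read", "vpn"},
}

# Constructed auth log in a simplified sshd-style format.
AUTH_LOG = """\
2014-05-20T08:01:10 vpn-gw sshd: Accepted password for alice from 10.0.0.5
2014-05-21T23:14:02 vpn-gw sshd: Accepted password for bob from 203.0.113.7
2014-05-22T09:30:45 vpn-gw sshd: Failed password for carol from 10.0.0.9
2014-05-22T10:02:11 vpn-gw sshd: Accepted password for dave from 10.0.0.12
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "ok": m["result"] == "Accepted",
                "src": m["src"],
            })
    return events


def stale_accounts(roster, accounts, baseline=ROLE_BASELINE):
    """Return (user, reason, entitlements) for accounts that violate need-to-know.

    reason is 'orphan' (no HR owner), 'departed' (owner terminated) or
    'excess' (entitlements beyond the owner's current role baseline).
    """
    findings = []
    for user in sorted(accounts):
        ents = accounts[user]
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphan", set(ents)))
        elif person["status"] == "terminated":
            findings.append((user, "departed", set(ents)))
        else:
            excess = ents - baseline.get(person["role"], set())
            if excess:
                findings.append((user, "excess", excess))
    return findings


def suspicious_logins(events, roster):
    """Successful logins by departed staff on or after their separation date."""
    hits = []
    for ev in events:
        person = roster.get(ev["user"])
        if ev["ok"] and person and person["status"] == "terminated":
            if ev["ts"] >= datetime.fromisoformat(person["left"]):
                hits.append(ev)
    return hits


if __name__ == "__main__":
    for user, reason, ents in stale_accounts(HR_ROSTER, ACCOUNTS):
        print(f"{reason:9} {user:12} {sorted(ents)}")
    for ev in suspicious_logins(parse_auth_log(AUTH_LOG), HR_ROSTER):
        print(f"login by departed user {ev['user']} from {ev['src']} at {ev['ts']}")
```

Running the script lists bob (departed, still enabled), dave (excess db_admin after his transfer) and svc_backup (no owner), and raises the early-warning hit: a successful VPN login by bob six days after his separation date. The same reconciliation runs against a real HR export, a directory dump and an authentication log once the three loaders are swapped in; the point is that the review is a join between data the organisation already holds, not a new tool.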
Let me know your thoughts, but it seems like nothing much has changed and next year we'll be reading about more breaches.

More reading:

http://www.csoonline.com/article/2157453/data-protection/needed-detection-correction.html