Saturday, March 31, 2012

Network Access Control Vendors Reviewed

One of the core principles of information security is that organizations should have preventive, detective, and corrective controls in place to protect their infrastructure and data. If one looks at annual spending on information security, it is dominated by preventive controls such as firewalls, anti-spam, and anti-virus solutions. One thing those solutions have in common is that they all eventually fail. In dealing with many clients we see a lack of detective and corrective tools and processes to respond to the inevitable breakdowns that occur because of user errors, zero-day attacks, or sophisticated adversaries.

To get a quick overview of your environment, can you answer questions such as these:
  • What devices are on your network?

  • Are they compliant with current policies?

  • Are there any unauthorized devices (such as tablets and mobile phones) on the network?
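
Here is an added example (my own script, not ForeScout's or CounterACT's code) of the simplest way to start answering those three questions with data most networks already have: reconcile the DHCP server's lease file against your asset inventory, flag anything you do not manage, and use a vendor (OUI) lookup to spot phones and tablets. The lease records, the inventory and the OUI table are all constructed for the example; a real check would use the IEEE OUI registry and whatever your AV and encryption consoles export.

```python
"""Added example: reconcile DHCP leases against an asset inventory.

Not vendor code. The lease file tells you what is on the wire, the
inventory tells you what you manage and whether the endpoint agent last
reported it as compliant. Everything below (leases, inventory, OUI table)
is constructed sample data.
"""
import re

# Constructed ISC dhcpd.leases-style records; no real hosts.
SAMPLE_LEASES = """\
lease 10.0.1.20 {
  hardware ethernet 3c:22:fb:12:34:56;
  client-hostname "alices-iphone";
}
lease 10.0.1.21 {
  hardware ethernet 00:50:56:ab:cd:ef;
  client-hostname "FS01";
}
lease 10.0.1.22 {
  hardware ethernet a4:5e:60:00:11:22;
  client-hostname "WKS-0042";
}
lease 10.0.1.23 {
  hardware ethernet 8c:f5:a3:99:88:77;
}
"""

# Constructed asset inventory keyed by MAC: what the endpoint agent last
# reported. A device that is not in here is unmanaged by definition.
INVENTORY = {
    "00:50:56:ab:cd:ef": {"name": "FS01", "av_running": True, "disk_encrypted": True},
    "a4:5e:60:00:11:22": {"name": "WKS-0042", "av_running": False, "disk_encrypted": True},
}

# Hypothetical OUI prefixes (first three octets) -> vendor; illustrative only.
OUI_VENDOR = {
    "3c:22:fb": "Apple",
    "a4:5e:60": "Apple",
    "8c:f5:a3": "Samsung",
    "00:50:56": "VMware",
}
MOBILE_VENDORS = {"Apple", "Samsung"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Return [(ip, mac, hostname-or-None)] from dhcpd.leases-style text."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        mac_match = MAC_RE.search(body)
        if not mac_match:
            continue  # entries without a hardware address cannot be matched
        host = HOST_RE.search(body)
        leases.append((ip, mac_match.group(1).lower(), host.group(1) if host else None))
    return leases


def classify(mac, inventory=INVENTORY, oui=OUI_VENDOR):
    """Map one MAC to a status string for the report."""
    asset = inventory.get(mac)
    if asset is None:
        vendor = oui.get(mac[:8], "unknown vendor")
        kind = "unmanaged mobile" if vendor in MOBILE_VENDORS else "unmanaged"
        return f"{kind} ({vendor})"
    missing = [c for c in ("av_running", "disk_encrypted") if not asset[c]]
    return "compliant" if not missing else "noncompliant: " + ", ".join(missing)


def audit(lease_text=SAMPLE_LEASES):
    """Lease file -> list of (ip, mac, hostname, status), unmanaged devices first."""
    rows = [(ip, mac, host, classify(mac)) for ip, mac, host in parse_leases(lease_text)]
    return sorted(rows, key=lambda r: (not r[3].startswith("unmanaged"), r[0]))


if __name__ == "__main__":
    for ip, mac, host, status in audit():
        print(f"{ip:<12} {mac}  {host or '-':<16} {status}")
```

A MAC address is trivially spoofed, so treat this as an inventory and detection check rather than an access control; that is exactly why a NAC product pairs this kind of visibility with 802.1X or an endpoint agent before it lets a device onto the network.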

ForeScout Technologies has a great solution, CounterACT, that is marketed as a NAC (Network Access Control) product but provides much more functionality to help organizations deal with the devices on their network. It provides an internal intrusion detection capability to identify devices that have gone “rogue” (that is, are trying to spread malware or viruses) through a dynamic “honeypot” approach.

In addition, it can inventory devices to detect when they are not compliant with company policies, such as not running an AV solution or not being encrypted. It also provides corrective controls to warn users and administrators of a potential issue, automate remediation through scripting interfaces, and quarantine devices and/or processes that are not supposed to be running.

The Tolly Group has issued a report, commissioned by ForeScout, that compares the main competitors in the NAC marketplace across 34 different criteria. If you would like more information or a copy of the report, please reach out to us.

Tuesday, February 28, 2012

Varonis's new DatAdvantage for Directory Services

The job of securing information continues to get harder. The technology we manage is becoming more complicated, the threat vectors are multiplying through new channels such as mobile devices, and the adversaries are getting more sophisticated.

One of the most difficult areas to protect is the unstructured data on file servers. I like to use the analogy of bank vaults to describe the file server world. We buy these very expensive bank vaults to store all of our confidential data and we deploy safe deposit boxes (think folders) to allow users to organize and protect that data. The Active Directory groups and passwords are the keys we hand to users to give them access to the safe deposit boxes.

However, with the current technology from the storage vendors, the analogy breaks down. Here are some of the challenges:


  • We have no log of who goes in and out of the bank vault or safe deposit boxes.

  • If someone adds an additional keyhole to a safe deposit box, we rarely know who else is holding keys that will let them in.

  • We have no idea how big the boxes are or what is stored inside them.

  • Companies continue to buy new vaults because there is no easy way to manage the data in the existing vaults.

  • And every once in a while, IT people take a door off the safe deposit box to give someone access and because the vault is in the dark, we have no idea that this has taken place.


The Varonis DatAdvantage solution gives us visibility into who has access to the safe deposit boxes, audits what they do with the data stored in them, and provides the tools to increase the security of the vault.

What Varonis is bringing to the table with its new DatAdvantage for Directory Services product is the ability to monitor the people who create and assign the keys to the boxes in the bank vault. When a new key holder (a user) is created, we know that. When a user is assigned keys, we have a record of who gave them out. Varonis has provided the IT professional with a comprehensive set of tools to protect and manage their organization’s unstructured data.

Sunday, December 18, 2011

LinkedIn Needs to Add a Warning to its Connection Emails

Like most of us, I receive invitations from random people on the Internet asking me to connect with them via LinkedIn. In some cases they come from accounts with no connections and no credible profile. They are clearly looking for information for nefarious purposes. Yet when the email comes in, this is all that LinkedIn says:

"WHY MIGHT CONNECTING WITH SHAMSODIN KARIMI LASAKI BE A GOOD IDEA?
shamsodin karimi lasaki's connections could be useful to you
After accepting shamsodin karimi lasaki's invitation, check shamsodin karimi lasaki's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future."

What is LinkedIn thinking? Why encourage me to connect with a potential attacker?
Social networks lose their effectiveness when people lose trust in the overall experience, and it is in LinkedIn's best interest over the long run to discourage people from connecting with people they do not have a relationship with.

Let's encourage LinkedIn to add a warning to those emails as well. Here is one potential idea.

"WHY MIGHT CONNECTING WITH SHAMSODIN KARIMI LASAKI BE A BAD IDEA?
If you have no freaking idea who LASAKI is, he might be trying to gather personal information from you as part of a plan to launch a spear-phishing attack against you or one of your connections. Building these connections with people you do not know can create risks and privacy concerns in the future."

Saturday, November 19, 2011

Tracking AD Group Changes with Varonis

Varonis DatAdvantage tracks changes in Active Directory group membership by comparing the results of the nightly AD walks. If we want to see the changes that have been made to a user, we can use the "1a - User Access Log" report. The key filter to remember is that we want to show data from the "History of Differences"; this shows the changes that have been picked up by the nightly jobs. Then we need to select the date range that we want to look at.

Then select the "Operation Type" filter. There are two operation types to choose from, depending on what we are trying to track:

  • Membership Removed

  • Membership Added

Add a filter to look only at "Groups" for the Object Type.

The final piece is that the user affected by the change is identified in the "Change Description" field. Use the "Like" operator and remember to enter the domain name before the start of the user name.

Run the report and you have the answer you were looking for.



Note: Starting in version 5.6 of Varonis DatAdvantage we also have the "3e - Historical Group Membership" report, which displays the groups a user belonged to on a specific date. A great report for answering those tricky audit questions.
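
To make the "History of Differences" idea concrete, here is an added example of my own (not Varonis code, and not a description of how DatAdvantage is implemented internally). It diffs constructed nightly group-membership snapshots into Membership Added / Membership Removed events, filters them the way the 1a report does (date range, operation type, and a "Like" match on the change description that includes the domain prefix), and replays them to answer the 3e-style question of which groups a user belonged to on a given date. The CORP domain, its users and its groups are all made up.

```python
"""Added example: track AD group membership changes by diffing nightly snapshots.

Not Varonis code. It models the idea behind the "History of Differences":
consecutive AD walks are compared, every difference becomes a
Membership Added / Membership Removed event, and those events can be
filtered per user or replayed to reconstruct membership on a past date.
All domain, user and group names below are constructed sample data.
"""
from datetime import date

ADDED = "Membership Added"
REMOVED = "Membership Removed"

# Constructed nightly snapshots: walk date -> {group: set of members}.
# Members carry the DOMAIN\ prefix, which is why the report's "Like"
# filter needs the domain name in front of the user name.
SNAPSHOTS = {
    date(2011, 11, 14): {
        "CORP\\Finance-RW": {"CORP\\alice", "CORP\\bob"},
        "CORP\\Domain Admins": {"CORP\\admin1"},
    },
    date(2011, 11, 15): {
        "CORP\\Finance-RW": {"CORP\\alice", "CORP\\bob", "CORP\\carol"},
        "CORP\\Domain Admins": {"CORP\\admin1", "CORP\\bob"},
    },
    date(2011, 11, 16): {
        "CORP\\Finance-RW": {"CORP\\alice", "CORP\\carol"},
        "CORP\\Domain Admins": {"CORP\\admin1", "CORP\\bob"},
        "CORP\\Helpdesk": {"CORP\\carol"},  # group created between walks
    },
}


def diff_snapshots(before, after, when):
    """Compare two walks and return one event per membership difference.

    Each event mirrors a report row:
    (date, operation type, object = group, member, change description).
    """
    events = []
    for group in sorted(set(before) | set(after)):
        old, new = before.get(group, set()), after.get(group, set())
        for member in sorted(new - old):
            events.append((when, ADDED, group, member, f"{member} added to {group}"))
        for member in sorted(old - new):
            events.append((when, REMOVED, group, member, f"{member} removed from {group}"))
    return events


def history_of_differences(snapshots):
    """Full change history, in date order, from consecutive snapshots."""
    days = sorted(snapshots)
    events = []
    for prev, cur in zip(days, days[1:]):
        events.extend(diff_snapshots(snapshots[prev], snapshots[cur], cur))
    return events


def user_access_log(events, user, start, end, operation=None):
    """The 1a-style query: date range, optional operation type, and a
    case-insensitive LIKE '%DOMAIN\\user%' match on the change description."""
    needle = user.lower()
    return [
        e for e in events
        if start <= e[0] <= end
        and (operation is None or e[1] == operation)
        and needle in e[4].lower()
    ]


def historical_group_membership(snapshots, user, on):
    """The 3e-style question: which groups did the user belong to on a date?

    Reconstructed by replaying the history of differences, up to and
    including that date, onto the earliest snapshot.
    """
    days = sorted(snapshots)
    groups = {g for g, members in snapshots[days[0]].items() if user in members}
    for when, op, group, member, _ in history_of_differences(snapshots):
        if when > on:
            break
        if member != user:
            continue
        if op == ADDED:
            groups.add(group)
        else:
            groups.discard(group)
    return groups


if __name__ == "__main__":
    history = history_of_differences(SNAPSHOTS)
    for row in user_access_log(history, "CORP\\bob", date(2011, 11, 1), date(2011, 11, 30)):
        print(row[0], row[1], row[4])
    print(sorted(historical_group_membership(SNAPSHOTS, "CORP\\bob", date(2011, 11, 15))))
```

One caveat the script makes visible: a "Like" match on the change description is a substring match, so CORP\bob will also pick up CORP\bobby; when you need an exact answer, filter on the member itself (as the replay does) rather than on the free-text description. Note also that a nightly walk only sees the net change between two walks, so a user added and removed on the same day never shows up in the history of differences.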

Friday, July 8, 2011

UCLA Health System Settles Potential HIPAA Privacy and Security Violations

The Department of Health and Human Services reached its third settlement this year with a healthcare organization for violations of the HIPAA regulations when UCLA Health System agreed to pay $865,000 to resolve charges that employees were inappropriately snooping into the records of celebrity patients.

In the previous settlements of 2011, Massachusetts General agreed to pay a fine of $1,000,000 and Cignet Health of Prince George's County agreed to a fine of $4,300,000. Clearly HHS is taking these violations much more seriously than it did in the first 14 years of HIPAA's existence.

Organizations that deal with PHI need clearly defined policies and procedures to protect patient data, training to make sure that employees are aware of the rules, and, most importantly, methods to monitor that the policies are being followed. If you are the CISO of a healthcare organization you should be asking yourself questions such as:

  • Are all of the laptops that access our systems encrypted?

  • How do I validate that they are encrypted?

  • Are we monitoring access to patient information?

  • How do we detect inappropriate access to PHI?

The stakes are being raised, and the privacy groups within healthcare organizations have to respond accordingly.

Monday, July 4, 2011

Zero Day by Mark Russinovich

Of course you can tell by reading this blog that I am not a storyteller, and certainly not a novelist. Therefore I preface this review with the caveat that I could not have written Zero Day as well as Mark Russinovich did. Zero Day is a thriller surrounding the release of a set of extremely destructive computer viruses. We track the progress of Jeff Aiken, a private security consultant, and Darryl Haugen, a Ph.D. computer scientist from MIT working for the Department of Homeland Security, as they try to identify the viruses, determine a solution, and track down the perpetrators. The main flaws of the novel are that the characters are one-dimensional and that the book hits us over the head with a hammer to indicate the potential devastation society could face as a result of a cadre of determined evildoers exploiting the weaknesses of the Internet and computer systems.

As a technical expert, Mark Russinovich is world famous. He is known to us in the security world as one of the cofounders of Sysinternals, whose tools are among the key utilities available to Windows administrators everywhere. With this technical background, Zero Day describes how a set of evil actors could technically wreak havoc on the computer systems of America and Europe.

The story is engaging and suspenseful, and as someone in the security field I was interested to see where it led. Without the importance of the subject matter, the risks to our cyber infrastructure, the book would not be that interesting. The storytelling and characters are too shallow. We have “obligatory” love scenes and one of the “usual suspects,” a Russian cybercriminal. There is limited character development, and the bureaucrat that Daryl reports to is as helpful as our stereotypes of bureaucrats would lead us to believe. That being said, I believe, as Mark does, that the risks we face are severe and the more coverage they get the better. With that as a backdrop I would recommend this book.

In my opinion, to learn more about the security implications and the deep impact of the Internet on our society, I would first read Daniel Suarez’s two-novel set, Daemon and Freedom (TM). These provide a much more nuanced look at the good and bad associated with the Internet and our dependence on it.

Tuesday, May 31, 2011

Kingpin

Kevin Poulsen's Kingpin is a fascinating look at the world of cybercrime involving credit card theft and fraud. The story is told from two angles. The first is from the perspective of Max Butler, one of the leading cybercriminals of the last ten years, and the second is from the perspective of law enforcement. We follow the path of J. Keith Mularski, an FBI agent, who leads the effort to track down and ultimately capture Max Butler.

As “Iceman,” Butler ran Carders Market, an online marketplace for stolen credit card data. The book covers many of the high-level techniques that Butler used to break into systems and compromise point-of-sale systems, and it includes a solid discussion of how SQL injection is used to steal data. In fascinating detail Poulsen covers how Max used hacking techniques to take over many of the illegal sites that criminals used to buy and sell credit card information, shut down his competitors, and move all of their traffic over to his Carders Market site.

The dual focus on the criminals and the law enforcement efforts to capture them makes the story a page turner, and it reads like a crime novel. Kingpin also covers some of the law enforcement efforts surrounding Shadowcrew, the online criminal marketplace that was shut down based on information received from the combination informant/cybercriminal Albert Gonzalez, who would later be arrested and convicted for the TJX and Heartland Payment Systems breaches. The Secret Service brilliantly set up a VPN for the Shadowcrew service so that they could tap all of the online conversations and identify the evildoers.

Kevin Poulsen certainly knows the hacker underground, as he was convicted in June of 1994 of several computer crimes and was sentenced to over four years in prison. Jonathan Littman covered Poulsen’s exploits in The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen.