Looking back to the original anomaly alert email, we can see that the count is much higher than all comparisons:

• Like Day, Like Hour
• Like Day,  Same Hour
• Same Day, Same Hour

The email also contains the port information, what action took place and the difference in deviation from the comparisons.  After spending a few minutes identifying the source of the alert, we realized that we could add another statistic to the email alerts.

By hovering over the Query Tool’s source IP addresses, we know that 65.9% of the activity was on one IP address.  So why not take this percentage and include it in the email alerts?

With that said, this feature has been added to the OSCAR roadmap.

Soon all email alerts will contain a statement referring to the percentage of anomalous activity that is identified as being from one source IP.  This will help users determine how they want to address the email.

This is one of the many functions that we have identified as added value to our customers by using the tool ourselves.  We will continue to improve our process and commitment to making log management simple.

By looking at the alert email, we knew that the occurrence was between 9:00 and 10:00 am on a Monday morning.  We also knew which firewall logged the event, and the total number of events that occurred in that timeframe.  This happens to be a fairly large deviation from what is normal.  The count was 24,589 events when the Same Day / Same Hour event is 5,124.

With one click we were able to launch OSCAR, and after entering the log-in credentials, were brought to the Query Tool, which is used to research the logs.

By looking at the graphs on the left of the query tool, we saw an obvious difference between all destinations IPs as well as the source IPs.

Simply hovering over the biggest piece of the source IPs, brings up a box showing the IP address and the percentage it holds over the rest of the sources.  Now the offending IP has been identified.

The same can be done for the destination IPs.  Once identified, the Query Tool can be filtered to show only the offending source IP.  Again, filtering can be done with the destination IP if desired.

Now that the Query Tool is filtered, a right click over a destination IP will bring up a menu with a variety of options.

• Show Raw Event
• Show Port Information
• Show Hostname
• Show IP Information

By choosing Show IP Information, another box will appear with the option of looking up the source or destination IP.  When the  destination is selected OSCAR will request a reverse lookup and display a map with hostname information.

Using this tool enables a user to dig deeper and to see if someone was on a malicious website, or if their computer was infected by malware trying to call home.

So we spent a couple minutes tracking down what happened.  John Verry, Security Sherpa at Pivot Point Security, thought that it may be a tool crawling the Internet so he came over to my desk and said “Are you running a new keyword analysis tool?”

We verified that the source IP matched my machine and that at the exact times OSCAR showed in the Query Tool, I was testing a new tool.

OSCAR is designed to simplify log management for all users.   Yes, OSCAR alerts on anomalous activity and has a query tool for drilling down into log events.  But, as in the example above, OSCAR even helped management improve security awareness since it was a matter of minutes before the activity was identified and verified as a non-issue.

OSCAR really is Security Event Management, Simplified.

As I was reading an email from Verne Harnish the author of “Mastering the Rockefeller Habits”, a quote by a very successful business owner who uses the system really struck me on multiple levels (including running an Information Security Management System),  “Routine sets you free …”

For some reason I tend to view the definition of many, many words as their connotation (subjective cultural or emotional meaning) rather than their denotation (literal meaning).  I have spent the vast majority of my adolescent and adult life looking to shun the “routine”.  To me routine meant rote, mechanical, a grind or a rut.  I preferred to view myself as being spontaneous, creative, and free flowing.

Oddly, my role as an information security auditor has changed the way I look at the word routine. I’m not sure if my connotation has shifted or if I’m now using the denotation, but I am increasingly looking at routine as being more positive in nature (e.g., structured approach, purposeful) and spontaneous as being more negative in nature (e.g., unplanned, improvised, ad-hoc).  More interesting to me is that the perceived “restrictions” of routine and the “freedom” associated with spontaneity are too often just that, perception — and worse a mistaken one.  Following routines positions you to address the basics in a consistent and structured manner that provides you the freedom to be creative and strategic with the less fundamental.  To the contrary, spontaneity often leads to an ad-hoc approach that results in oversights. These can cause challenges requiring extraordinary efforts to remediate as well as challenges in executing on the basics, directly preventing the spontaneity that you are seeking.

From an information security perspective, I think many of our clients share my former thought process.  Mention following a formula (e.g., a back to basics approach that includes log reviews, an SDLC, Risk Management) and you get glazed eyes and a level of disinterest only rivaled by vegans at an all you can eat barbecue.  Mention a “silver bullet” shiny appliance that is this year’s solution to the words “information security challenges” and they are fully on-board.

So I find myself a “routine evangelist”, preaching to the masses to see the light and understand that it is only through a logical, structured and (yes) routine approach that you can simplify the complexities of information security.

I would argue that the “truth” is out there (e.g., NIST, ISO 27001, ISO 27002, HITRUST, OWASP, COBIT, ITIL) when you’re ready for it (a purely unintentional X-Files reference).

For me personally, the last 5 years or so have been rewarding as I continue to evolve my connotation of “routine” from a very negative one to a very positive one.  I only wish that I would have been smart enough to have not waited so long!

These articles have were emailed to us, shared on Twitter @pivotpointsec, Google Plus and read in RSS subscriptions this week.

Calling All Call Centers – Become ISO 27001 Certified

Currently there is no specific standard for IT Security at call centers.  However, in the article on EzineMark, the author wrote how call centers should become ISO 27001 certified and businesses looking to utilize a call center should look for those that are ISO 27001 certified.

As an Information Security Assurance firm who loves ISO 27001, we have to agree with the author.

“Due to the risks of identity theft, call centers have a stringent policy to follow in protecting pertinent client data.”

This is true, as call centers typically have controls in place to mitigate the risk of a potential PII or data breach.

In fact, we have helped numerous call centers develop their ISMS, using ISO 27001/2 as the standard.

“The task of beefing up the security policy doesn’t end with the awarding of the ISO compliance.”

Also true, as the certification requires the call centers to also perform internal audits and 27001 audits on a regular basis.  It also requires that management’s involvement and knowledge of the ISMS.

CIOs And The Priorities

In a recent survey of IT investments from CIOs, 48% of respondents said that Business Continuity is one of their top five priorities and 33% said that IT Security was one of their priorities.

According to the survey, the top five CIO priorities are:

• Business continuity
• Cost reduction
• Improving IT function effectiveness
• Implementing BI
• Information Security

It makes sense for business continuity to be the highest priority for CIOs, however doesn’t IT Security overlap with it?

“Ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management, system backups, change control, and help desk. Business continuity is not something implemented at the time of a disaster; Business Continuity refers to those activities performed daily to maintain service, consistency, and recoverability. – Wikipedia“

For example, systems backups are crucial for businesses to have, but if the controls placed around the backups are not efficient, then there are risks for potential data loss.

One way to mitigate the risk is to perform a Credentialed Vulnerability Assessment against the server running the backups.  By doing so, potential points of attack could be identified and plugged.

IT Security

There are a variety of other security assessments that we can perform that will help you know you’re secure and prove you’re compliant. We have the right combination of Information Security/Compliance domain expertise, technology industry knowledge and experience, and organizational character to help you define and execute on the best course of action. See how we can help.

If the cafeteria doesn’t get its shipment of ketchup in time for lunch – we may have some angry tater tot loving employees (until someone can run to ShopRite). While the lack of ketchup is a “risk”, perhaps even a probable risk, the impact to the business is low, and compensating for the risk or recovering from the risk is relatively simple.

On the contrary, if I’m running the sales force for Merck, and the cloud CRM solution we moved to has a major outage – we are going to have angry employees, customers and shareholders.  The lack of CRM is a notable risk, and although it may not be probable, the impact to my organization could be catastrophic if the outage was extended. Compensating for the risk may be possible (if I understood the risk in advance and planned for it), but fully recovering from the risk will not be possible.

Got an interesting email this morning from a SAAS vendor we are considering using – a few of the excerpts so clearly communicated the risks (and the pain/impact of their realization) I had to share them:

“ Recently, however, we’ve had somewhat more serious outages that have affected a small number of our customers – and that illustrate the darker side of “Cloud dependence”. Basically, the problem was neither with “OurAPP” nor “TheirAPP” (an app we are totally reliant on for OurAPP to function) but with the internet hops between our customers and their servers. A broken or mis-configured router or firewall rule wouldn’t let those customers access TheirAPP servers. For most of our customers, OurAPP is a mission-critical application, so any downtime can be a real problem – especially at the wrong time.  While our team was quickly able to establish that the cloud service was not down and that the client’s data was safe and intact, we found ourselves in a situation that as a solution provider we are not comfortable with: We couldn’t do anything about the problem. We had no control of putting our customer’s systems, which were running just fine, back in touch with their Cloud-served data, which was also running just fine. We were relying on others to correct the glitch in the customer’s pathway to their Cloud services. Naturally, as a Cloud solutions provider we knew that downtime could occur that we might not be directly in control of on behalf of our customers, but this additional level of vulnerability hit like a thunderbolt on several levels – not the least of which was the many hours we spent attempting to resolve the issue and provide alternatives …”

Fortunately, Vendor Risk Management does not have to be rocket science:

• Understand the risks associated with the proposed vendor. Take a “solution” view.  Easiest way is generally to develop a Secure Data Flow Diagram that clearly identifies the information under consideration, and the processes that act on it.
• Analyze the risks and their business impact.  Fundamental risk analysis requires garnering a basic understanding of the vulnerabilities, probabilities and impacts.  In short, how probable is it that threat agents can act on vulnerabilities and what the impact would be.
• Ensure that you look at Sixth-Party Risk.  Notable Third-Party cloud outages (e.g., Sales Force) were caused by their Third-Party outages (e.g., Amazon.).  The easiest way to look at Sixth-Party Risk is to ask for the Third-Party’s Risk Assessment.
• Where residual risk associated with a Third-Party is not acceptable – determine whether you can implement compensating controls to reduce the risk to a level that is.  If not, can I transfer it (to the vendor or an insurance company)?.  If not, time to look for a new vendor.
• Determine how you are going to communicate your risks and security requirements and then SLA/monitor them on a go forward basis.  In short you need to “operationalize” your Vendor Risk Management as part of putting it into place.  ISO 27002 sections 6.2 and 10.2 do a great job of jump-starting this process.

This risk management based approach is core to operating an “Information Security Management System” (the fundamental tenet of ISO 27001).  Without a comprehensive approach of this nature – you too may be sending out a “mea culpa” email to your stakeholders.  Sadly, while it takes years to build a reputation it can only take minutes to destroy one.

Via a client we recently became aware of a British organization called CREST (Council of Registered Ethical Security Testers) that has developed a certification scheme for companies and individual penetration testers that is gaining a lot of traction in Britain.  If you’re not familiar with CREST – it’s worth a look.  The Brits have long been leaders in information security (they are the “inventors” of ISO 27001) so the idea that CREST may gain broader acceptance is definitely feasible.

I recently had an opportunity to speak with David McGuire who runs the Penetration testing practice of one of our competitors, the Veris Group.  David is a very impressive guy, who is currently taking the lead on a potential effort to establish a CREST chapter in the United States.  We had a great discussion and Pivot Point is eager to support his efforts and is optimistic that he has the energy and expertise to make it happen.

Hopefully at some point in the not too distant future my answer will be; “As a matter of fact – we were very recently CREST Certified… “.

These articles have were emailed to us, shared on Twitter @pivotpointsec, Google Plus and read in RSS subscriptions this week.

National Cybersecurity Priorities Matching ISO 27001

Andy Purdy was the acting director of the National Cyber Security Division when George W. Bush was President of the United States.  Now, Purdy is the Chief Cybersecurity Strategist at the Computer Sciences Corp.

In an interview with GovTech, Purdy shared the four cybersecurity priorities that he introduced to improve national cybersecurity.

Now, it may just be my imagination (you never know), but I think Purdy described on of our favorite subjects here at Pivot Point Security… ISO 27001.

Interestingly, the four priorities closely match up to steps in our ISO 27001 Roadmap.

To make it even more interesting. This wouldn’t be the first time that we have seen a local Government agency take the trip to ISO 27001 Certification.

To learn more about the ISO 27001 process, download our ISO 27001 Roadmap.

Be In The Know With The National Cyber Awareness System

The Department of Homeland Security has made it easy for Government agencies and local businesses to be notified of new vulnerabilities and cyber security issues.  The website offers segmented updates: Alerts, Bulletins and Tips.  By visiting each segment, users have the ability to subscribe to a RSS feed or for updates by email.

The DHS has this tool available, and being that it is free, there is no reason anyone should overlook it.  Find out about the latest alerts like:

• Adobe Reader Security Vulnerabilities
• Microsoft’s RDP Vulnerability
• Wifi Attacks
• Apple Flashback Malware

DHS has also included several tips to help understand the risk and how to protect yourself from them.  Of course, if you have questions about specific malware or vulnerabilities you can also contact us and we will gladly offer advice when possible.

See You At New Jersey GMIS

Next week is the New Jersey GMIS conference in Somerset.  GMIS is an event where public sector information technology professionals from around the state come together to discuss, and learn about what is happening in the IT world.

If you are attending GMIS, please stop by our table to learn about the new Security Event Management software, OSCAR and sign up for a live demo (to be held at a later date).

Be sure to ask how OSCAR helped identify ZeuS malware through monitoring Firewall logs, because it’s a really interesting story!

Government IT Security

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, government knowledge and experience, and organizational character to help you define and execute on the best course of action to know you’re secure and prove you’re compliant. See how we can help.

One of the most popular forms of social engineering assessments that we do is Phishing. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Because the risk with Phishing is often so high, testing against it is a good idea – which explains it being the most common form of social engineering we do. I’m always a little surprised by how successful we are when we run a more sophisticated attack. A recent engagement where we conducted a phishing attack as part of a broader due diligence effort for a merger in the pharmaceutical industry really illustrates the value of this type of test.

Our phishing attack was intended to capitalize on the employees of the life sciences firm being acquired knowing that the merger was occurring. We created a replica of the life-sciences company’s website on a highly similar domain. Through Social Media we were able to identify email addresses for approximately 95 of the 120 employees. We spoofed an email from the HR Director to the employees directing them to the website to review some changes to the compensation plan necessitated by the merger. We intentionally did not send the email to 13 employees who we felt would be most likely to identify it as being fraudulent in nature.

Of the 82 emails sent, 27 employees used their domain credentials to log into our spoofed website (these same credentials provided VPN access). This is consistent with other tests over the last few years where we have noted that for organizations without a Security Awareness Training program, ~33% of the employees can be phished successfully.

This particular test also generated an interesting spinoff: It revealed how poor the passwords were.

• 5 of the passwords were the name of the company followed by a number (three were years, one was a birthdate or start date, and one was 1)
• 4 of the passwords were the name of a child coupled with the birthdate or birth year)
• 2 of the passwords were the name of the local baseball team followed by a single number
• 3 of the passwords were references to God followed by a single number

So the Social Engineering exercise pointed out another problem – poor password management. One of the challenges with Windows Active Directory is that it is not simple to enforce “non-easily guessed” passwords and most employees have a preference for “most easily remembered passwords”. If you suspect it’s a problem in your environment – you may want to consider running a password audit. You can pick up a password cracking application and do it yourself or you can hire a third-party to do it.

These articles have were emailed to us, shared on Twitter @pivotpointsec, Google Plus and read in RSS subscriptions this week.

Medicaid Hacked And Needs Antibiotics

Medicaid was hacked and over 181,000 medical records and 25,000 social security numbers were stolen. I was speaking to Marc Silverman when we got the alert about the incident. We had an interesting conversation on the subject. This is what Marc had to say.

“I really wouldn’t want to be in DTS’s shoes right now. It’s bad enough to have any kind of breach, but it’s particularly concerning when one occurs due to a configuration error. Out of the multitude of ways to breach a server, configuration errors are one of the easily preventable attack vectors if you perform vulnerability assessments.

In this case, if DTS did not perform a vulnerability assessment of the server before placing it into production, then DTS’s SDLC is suspect and could be viewed as willfully negligent considering that they are required to comply with PHI laws, especially HIPAA. If DTS did perform a vulnerability assessment, was made aware of the vulnerability, and still went ahead with deploying the server, then DTS is again willfully negligent.

About the only scenario where DTS would not be immediately willfully negligent is if the vulnerability assessment of that server was insufficient in extent and rigor to detect the vulnerability so that DTS wasn’t aware of the issue.

If that is the case, how much do you trust any of the other servers managed by DTS?”

How To Avoid Spending $325K On Hard Drives

A couple years after the BlueCross BlueShield of Tennessee hard drive theft, the Healthcare company settled on paying $1.5 million for the HIPAA violations.

In 2009, BCBCTN had 57 hard drives stolen from a data storage closet in Chattanooga. Adding the extra costs that the company had to spend on the investigation, notification and protection efforts after the breach and the total cost becomes around $17 million.

That makes each hard drive valued at $324,561. Talk about an expensive breach!

What could BCBCTN have done to prevent the breach? Maybe a few physical security tests and better security awareness training could have prevented the drives from being stolen. Or maybe it would have been best to have a Risk Assessment performed (definitely after the breach!)

What do you think? Does that price tag scare you? – because it should!

Healthcare IT Security

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant. See how we can help.

In order to give the best answer possible, we decided to ask for feedback from a client we helped achieve 27001 certification that happens to be 9001 certified already.

In the response, you will see that having 9001 certification can put a company on the right path, with a head start, towards 27001 – but the road is winding with bumps along the way.

The client offered the following feedback to share with the new company and with our blog readers:

“I’d say it helped us significantly, because some of the requirements are the same in both systems, such as these:

• Documentation Requirements (Control of Documents, Control of Records)
• Management Responsibility (Management Commitment, Resource Management, Provision of Resources, Training, Awareness and Competence)
• Internal Audits
• Management Review
• Improvement (Continual Improvement, Corrective Action, Preventive Action)

With all of these we were very familiar, in principal, and they just needed minor adjustments to address specific ISO 27001 requirements.

However, the danger is that so much apparent overlap might lead you to believe that you’re mostly done already with 27001, which is NOT true (and we found that out the hard way by still having major shortcomings in our Stage 1 – ISO 27001 audit). Most of the work to get 27001 is actually “hidden” in clauses

• 4.1 (General Requirements)
• 4.2 (Establishing and Managing the ISMS)
• Appendix A (Control Objectives and Controls)

It took us a very long time to get a handle on these, because there is a lot of detail required, and a lot of technology to back it up.

In short, having 9001 in place is very helpful, as long as you understand that the core of the work for 27001, the actual risk management and technology piece, has nothing to do with 9001.”

As you can see, our client believes that having ISO 9001 certification helped them in the winding road to ISO 27001 certification. However, the trip had its bumps along the way. With our expertise and help – and their dedication to becoming 27001 certified, the project was a success and they crossed the finish line.