Thursday, August 27, 2009

Hacks, Hackers, Hacking

In comedy, a hack is someone who steals material and re-tells the jokes or rides the coattails of another comedian (I still remember Kenny Bania telling Seinfeld, ‘That’s gold, Jerry. Gold!!’).  In Information Technology, a hack can either mean a quick non-standard fix to make something work OR a modification to a program to gain access that otherwise would be unavailable.  As an aside, there is a bit of controversy over the terms hack/hacker as they have evolved over the years, and some don’t like the connection between ‘hacker’ and ‘security cracking.’  Once the mass media started identifying those with criminal intent as ‘hackers,’ the general population added it to their vernacular and didn’t distinguish between white or black hats, much to the dismay of the computer community.

Now to the numbers.  Even back in 2001, Gartner mentioned that 75% of cyber attacks & Internet security violations are generated through Internet applications.  Today, probably 70% of the attacks are hacks specifically targeting Layer 7. Malware is mostly about stealing and harvesting data. During the height of the economic downturn, especially during October & November 2008, the financial crisis was fueling online crime – not to mention the disgruntled workers who had gotten laid off.  In 2008, data theft Trojans increased 1,559% and malware increased 582%, with many of the attacks aimed at the energy/oil industry and transportation sector. Yes, we hear about the retail and financial attacks, but energy and transportation could be considered infrastructure, to some extent, and those areas are attractive to those who want to disrupt basic services.  One of the best stories I’ve read was from IBM.  Their Internet Security Systems said they were seeing 450,000 web-infecting SQL injections a day.  That’s a lot, but not the whole story.  During the first 5 months of 2008, they were only blocking around 5,000 SQL attacks a day.  By June, that number was up to 25,000 a day, and just before Halloween, 450,000 SQL injection attempts were being made a day.  The June full-day numbers were now happening every hour.  The most common ways of delivering malware are through PDF or Flash files, initiated with XSS or SQL injection.  Jeremiah Grossman of WhiteHat lists his Top Ten Web Hacking Techniques of 2008 here.

2009 brought more focus on the ways ‘hackers’ gain control, both due to media coverage of large-scale breaches and regulatory compliance deadlines.  SANS published their Top 25 Most Dangerous Programming Errors in an attempt to help both software developers and software customers understand some of the most critical issues facing code development.  The OWASP Top 10 also seemed to get renewed interest even though it’s still the 2007 edition.  (I believe they are working on a v2009 based on the OWASP message site and the working session page.)

If all that wasn’t enough, both cybersquatting and ATM hacks also garnered press. The World Intellectual Property Organization (WIPO) handled 2,329 cases under its dispute procedure for Internet page names, and someone even tried to hack the hackers at Defcon last month.  Almost any celebrity death, major sporting event, or any other situation which gains major headlines can also bring malware.  If you allow remote teleworker access, make sure you scan the security posture of their device prior to entry.  Prevention?  Stay up to date on patches and AV/FW definitions, don’t click through unknown emails & pop-ups, but most importantly, be careful out there.


Monday, August 24, 2009

Be Our Guest

MP: (knocks on the door – Waits. Door opens with MA)
MA: (in a deep fatherly voice) May I help you?
MP: ah, Hi, Mr. App…err, sir….um I’m here to see your daughter, Oracle.
MA: Oh you are, are you? Let me take a look at you. (Looks up/down, turns him around) Have you had a cold or flu recently?
MP: No
MA: Do you always have your firewall enabled before entering unknown areas?
MP: Absolutely!
MA: Have you graduated high school & up to date on your shots?
MP: Yes sir! I’m actually attending Jr Community College Institute.
MA: Ok then (calling over shoulder) Oracle, your friend is here.

After that, you don’t know if they are going to the prom, going to a movie, going to the beach or anything else, and if poor little Oracle is vulnerable, I don’t think any of you want to see Mr. Packet take advantage of that!

80% of NAC deployments are driven by Guest Access.  What once was the main driver, ‘Endpoint Baselining,’ now only accounts for 15% of installations, which might explain NAC’s downturn.  At first this was going to be a ‘NAC is whack’ post due to interoperability, standards, cost/complexity and so forth, but that seems so 2007.  Plus, TCG is trying to push specifications forward.  So instead of ripping on a technology, I wanted to provide some ideas on Guest Access.  Plus, most companies are now doing ‘Laid-Back NAC,’ since they are not sure what to do if a device is non-compliant.  According to Gartner, only 7% push/enforce device policies; when it comes to querying, checking the device is ‘good enough,’ since if it’s not ours, then you must be a guest.  While compliance & protecting intellectual property are important, it’s mostly about the fear of strangers on the network.

Probably the most prevalent way visiting guests get access (internal or outbound) is Wireless.  Most companies have a WiFi AP that is visible to anyone with a radio, and the password is freely given out.  Some broadcast the SSID while others keep it secret, and usually there is a password (not always the strongest or most secret) to jump on the wireless LAN.  Often, 802.1x will do its part by authenticating the user and opening a port.  After that, replay the opening scene, since there’s no application awareness.  To protect internal resources, IT might VLAN (segment) the Wireless traffic so it is unable to reach internal destinations.  Another easy prevention mechanism is to only allow Outbound HTTP/HTTPS (ports 80/443) traffic.  For many visitors, this works well since all they needed was the internet anyway; for others, or internal employees that need access to internal systems, an SSL VPN can do the trick.  Just treat your Wireless users as any other ‘remote’ user {pdf}.  They have HTTPS access to the internet, and all they have to do is type/bookmark the SSL VPN URL.  Host check, authenticate, and resource assignment gives users internal access.  You could also create a portal page with available systems and, depending on the request, force username/password then.  You get granular access control, encryption, application awareness (when coupled with BIG-IP LTM {pdf}) and whatever reports/stats are needed for management.
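As an added illustration of the two prevention mechanisms above (segmenting the guest wireless traffic away from internal destinations and allowing only outbound HTTP/HTTPS), here is an nftables ruleset for the router that forwards the guest VLAN. This is example configuration, not anything from the original post or from F5; the interface name vlan100, the resolver address 198.51.100.53 and the RFC 1918 ranges used for ‘internal’ are assumptions.

```nft
# Added example: egress policy for a guest wireless VLAN.
# Assumptions: guests arrive on interface vlan100; corporate networks live in
# the RFC 1918 ranges below; 198.51.100.53 is the upstream DNS resolver.
table inet guest_wifi {
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only police traffic that arrives from the guest VLAN.
        iifname != "vlan100" accept

        # Replies to connections a guest already opened are allowed back in.
        ct state established,related accept

        # Segmentation: guests never reach internal (RFC 1918) destinations.
        ip daddr @internal_nets counter drop

        # Name resolution is needed for web access to work at all; the post
        # does not mention it, so the resolver address here is an assumption.
        ip daddr 198.51.100.53 udp dport 53 accept

        # Outbound web only: HTTP/HTTPS. The SSL VPN portal, being HTTPS on
        # a public address, is reachable through this same rule.
        tcp dport { 80, 443 } ct state new counter accept

        # Anything else a guest tries is logged (for review) and dropped.
        counter log prefix "guest-drop: " drop
    }
}
```

Run in a non-blocking test first by replacing the final `drop` with `accept` and watching the `guest-drop:` log lines, so legitimate guest traffic is not cut off by a forgotten protocol.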

IAM, or Identity and Access Management, is becoming a hot topic both for general access and NAC.  Regulatory compliance, protecting intellectual property, guest access and the fear of strangers are all driving the NAC & IAM intersection.  Who’s on my network, who has access to corporate secrets, are you one of us, and how do we report and control all that?  These are great concerns for IT.  As IAM meets NAC, the crossroads needs smarter signals. When adding Identity to NAC, the focus should be on the user rather than the device (even though you’ll still probably check endpoint ‘health’), but companies are having some difficulty with role-based info/authorization.  This idea is still in the Technology Trigger (early adopter) phase of the Gartner hype cycle, but they do predict that through 2011, 70% of large enterprises will have implemented authentication for all forms of network access.


Wednesday, August 19, 2009

Yelling ‘WebApp Firewall’ in a Crowded Data Center

You've probably seen the statistics: As of January 2009, almost 90% of the 100 to 150 million Websites are still critically vulnerable to attack, according to SearchSecurity.  And the Web Application Security Consortium (WASC) reports that 87% of Websites are vulnerable to attack.  Reports also indicate that 400+ new vulnerabilities a month are found (and growing), along with the fact that malware on legitimate Websites has doubled in 6 months.  WhiteHat Security notes that at least 70% of the websites it scans have at least one critical vulnerability and another 63% have flaws that need attention, with Social Networking sites the most vulnerable.

Some additional stats:

Every 1000 lines of code averages 15 critical security defects. (U.S. Department of Defense)

The average security defect takes 75 minutes to diagnose and 6 hours to fix. (5-year Pentagon Study)

The average custom business application has 150,000 to 250,000 lines of code. (Software Magazine)

Average worldwide cost of a programmer = $40 per hour.

Thus, to diagnose defects:

  • 15 defects per 1,000 lines × 1.25 hrs × 150 (thousand lines) / 40 hrs per week ≈ 70 weeks.

  • $40 x 40 hrs. = $1600/week.

  • 70 weeks x $1600 = (potentially) $112K per app.

  • WAF = Mitigate now & diagnose when time permits

And to fix defects:

  • 15 defects per 1,000 lines × 6 hrs × 150 (thousand lines) / 40 hrs per week ≈ 338 weeks.

  • $40 x 40 hrs. = $1600/week.

  • 338 weeks x $1600 = (potentially) $540K per app.

  • WAF = Mitigate now & fix when time permits

There are the numbers; need I say more?  But of course, I will.  Just installing a Web Application Firewall doesn’t mean you are instantly protected.  There are WAF solutions that have wizards, templates and pre-built policies to help the administrator enable some baseline protection.  BIG-IP Application Security Manager even has Application Ready security policies pre-built for popular applications like OWA, Oracle, PeopleSoft, SharePoint and others.  Select the policy and you are on your way.  Even after creating your policy, whether it be from scratch, a template, live traffic and so forth, you still need to test it in a transparent, non-blocking mode to make sure no false positives appear and legitimate visitors are able to use the application.  When you are comfortable with the level of protection along with usability, then enable blocking mode.

The challenges can continue.  Often IT staff, particularly network gurus (no offense to those reading this), are not familiar with application security and Layer 7 focused attacks, let alone the intricacies of the back-end applications.  There will probably need to be some coordination/collaboration amongst the network, security and application experts.  Blur the lines between the compliance-minded, who look at a WAF as an audit pass, and the security-minded, who really want to stop attacks.  Right now, compliance (especially PCI) is the main driver of the WAF market.  There can also be some hesitancy in placing a WAF in front of web applications due to the fear of affecting their performance.

Speaking of PCI, we’re now seeing WAF integration with application scanning technologies.  For PCI 6.6, this merging brings both the WAF requirement AND the code review requirement together as a combined solution.  Scan the code with the analysis tool to find vulnerabilities and create/adjust the WAF policy to address them.  Best of both worlds as the cliché goes.

Managed WAFs are gaining some traction, as many merchants do not have the expertise in house to understand either the types of attacks or ways to protect against them.  There is also an emerging ‘WAF in the Cloud’ trend.  It’s probably still a little early for mass adoption since Security in the Cloud is such a moving target and companies are wary of putting sensitive data in the cloud – the same data that’s bound to regulatory compliance.  The real barrier for WAF in the Cloud is performance and bandwidth, since that traffic might have to make a few passes back and forth.  It eventually will happen (cloud coattails), but with smaller organizations initially.

A couple years back, WAFs were considered new technology.  With PCI and many of the highly publicized security breaches, they became a necessity.  Today, you need to look at a Web Application Firewall as an essential part of the application lifecycle.


#6 out of 26 Short Topics about Security


Friday, August 14, 2009

The Encryption Dance

S-s-s-s  A-a-a-a  F-f-f-f  E-e-e-e  T-t-t-t  Y-y-y-y

You can make the Big S while you sing along.*
Data goes where it wants to, It can leave your trace behind.

Cause the web don’t care and if it don’t care, Well it’s exposing time.

I say, data can go where it wants to, A place where they will never find.

And we can act like we come from NSA, Leave the eavesdroppers far behind.

And we encrypt.  Those things.

We can surf where we want to, Data’s masked and so am I

And we can hide real neat from our hats to our feet,

And surprise ‘em with a ‘Ha Ha’ cry.

Say, they can crack if they want to, if they don’t somebody will.

And if they do break in, the data is encrypted

And they’ll look like an imbecile.

I say, we got data, we got data, Everything’s in our control

We got data, we got data, encrypting it wall to wall

We got data, we got data, everyone check their systems.

We got data, we got data, everyone’s taking a chance

Encryption Dance.

Encryption is a key element in security – both for data in transit and data at rest.  It doesn’t necessarily need to be highly sensitive data either.  Just something you want to keep secret.  I’ve written about encryption a few times, especially in the context surrounding high-profile breaches like TJX and Heartland, since both of those might have been avoided if the data had been encrypted.  It’s not as simple as the lyrics depict, as Lori points out in this blog.  Sure, there is SSL, HTTPS, IPSec and encrypted drives, but it’s difficult to encrypt every piece of data, especially for the enterprise.  In fact, there’s probably some data that doesn’t need to be encrypted.  Which is where an Access Control Policy can come into play.  Depending on the context of the user/device, remote and mobile workers should be connecting via an encrypted tunnel using your VPN – that’s a no-brainer.  Depending on the host inspection check, your policy might only allow access to certain resources based on the device’s posture, and hopefully all that traffic is encrypted.  Internal LANs are no longer the ‘safe haven’ that they used to be.  Partners, contractors and even unauthorized employees might have visibility to certain restricted information.  Here again, a policy could be enforced to first, restrict access to certain areas of your network (which many do already) and second, if an authorized employee is grabbing sensitive data, encrypt that specific file transmission even on the internal network to thwart any prying eyes or sniffing agents.

As for PCI, there are already plenty of articles and opinions about its current state and effectiveness, so I won’t dive in here.  What I will point out is an upcoming deadline that many might be unaware of: the unattended, PIN entry, Point-of-Sale devices.  While the deadline for PCI-DSS has passed, the deadline for PA-DSS entry terminals is next year – July 2010.  That means that most gas station pumps that you use your debit card at are unencrypted today.  There will be a mad rush next year for fuel retailers to either deploy an encrypted PCI-compliant PIN entry device inside or an encrypted keypad outside.

Finally, we continue to see data exposures due to stolen or lost laptops.  Here again, depending on your policy, the type of user/device and information accessed (plus other criteria), encrypting the drive to protect against inadvertent exposure is certainly a good idea – along with strict and potentially severe consequences if someone does not comply.


*Sung to the tune 'Safety Dance' by Men Without Hats.

#5 out of 26 Short Topics about Security

Wednesday, August 12, 2009

Twitter, Security & You

...or, what I did on my twitter vacation the other day.  This brief break from 26 Short Topics about Security is brought to you by twitter, security and You.  I’ve been using for a little while both to shorten links and be able to track clicks placed on twitter (and other social sites) – as many of you do.  When the twitter outage hit last week, and many folks found themselves ‘lost’ without it, I decided to review my stats on the links I’ve sent and found something interesting; or frightening.  :-)  (Incidentally, there was another DDoS attack yesterday that took twitter down for about 20 minutes.)

To set this up: as you might know, I cover Security within the Technical Marketing Team (Lori, Alan & Ken round out the TMM group – and we’re all interested in Security) at F5 and usually find 1 or 2 interesting ‘security’ stories that I actually tweet.  In recent weeks it’s been things like Texting Hacks, Hacking Parking Meters, and The Weak Link in Security: People, along with my blog, and F5 video and audio updates.  Sometimes I find a slightly weird story like the poor guy who fell into a vat of chocolate.  Now, many of my followers/those I’m following are security folks and the exchange of information is awesome.  I often see stories that I probably wouldn't have gotten to, as we all try to read the entire internet on a daily basis.

So, as I looked through my entire list of links, one jumped out: Fancy Fast Food.  Makeovers of fast food and, as the site says: ‘Yeah, it’s still bad for you – but see how good it can look!’  This link, by a decent margin, was my most popular.  Even the ‘out of’ stat (which is the total of all’s going to that long URL) was close to 8000 clicks!  Conclusion?  Folks want fun fast food, not security.  (tongue in cheek) In seriousness, I think there is a really good piece in the fact that, on a day-to-day basis, people would rather see what some chef can do with a Wendy’s hamburger or Dunkin Donuts than read about security.  That doesn’t mean we’re not interested in security, but when you’re immersed in it all the time, a little Daily Distraction is a welcome change.  Helps us clear out those PCI headaches, bloodshot breaches and endless string of Identity Theft incidents.  At first I was a little miffed that what I found interesting wasn't so much to others, but then I realized I had actually found something that everyone found interesting, not just the security minded.  And it started conversations – true social media.


* No links were used in this blog so as not to artificially increase stats.

* If you’re so inclined – F5 can be followed @f5networks and me @psilvas, a simple url shortener [more]

Friday, August 7, 2009

Decade old Data Centers

Most data centers are now hitting their teens when it comes to age.  How do I know this?  I used to work for Exodus, The Data Center Company, back at the turn of the century (actually wearing an old EXDS t-shirt as I write this.)  The ‘heyday’ of Co-Location.  ‘Daddy, what was the datacenter like when you were a kid?’  Well, we’d find a somewhat remote location and build these massive nondescript buildings, some more than 200,000 sq. ft., all over the world.  The walls were Kevlar lined.  We had multiple internet carriers dropping fiber at all sides of the building along with power from distinct sub-stations.

There were multiple, huge CAT power generators that would kick in to keep the place running during an outage – we even had contracts with fuel vendors to replenish the diesel for non-stop service.  We had racks and racks of DL380s & Sun Sparcs humming throughout the facility, along with the F5 logo lit up in various cages handling load balancing.  The temperature was a constant 72 degrees, with low humidity to keep all that equipment cool.  We had special triggers for the fire spouts, biometric pods (that checked hand print, pulse & weight) to enter the facility, raised floors, guards 24/7, NOC engineers 24/7, off-site tape storage, cameras all over, and used to deliver many of the top visited websites.  As many of you know, Exodus collapsed during the dot bomb and the assets were picked up by Savvis, after a brief stint as a Cable & Wireless company.  Many former colleagues still work there and I have fond memories of that time – plus I learned a ton.  Heck, Disaster Recovery was a huge topic back then!

Today’s data center needs have changed as the requirements have over the last decade.  While Co-Lo and hosting is still big business, the data center itself is going through some transition.  Power and cooling that were perfect for the type of equipment being used back then are no longer sufficient.  While servers have gotten more efficient, they’ve also become more powerful, capable of running multiple virtual instances on a single unit.  Remember when we used to try to put the web server and a database partition on the same server?  Cost/ROI/TCO is much more important now when discussing the data center footprint.  Today Enterprises can choose between housing their own, using a pure hoster/co-lo, along with the newly emerging Cloud Centers – or more likely, a mix.  Each has its pluses/minuses, but you can basically go from a fixed-price/CapEx/owned facility to a variable-pricing/OpEx lease.  Some choices are made for SLAs while others for time to market.  The data center is changing, with fewer sites but a more energy-efficient, modular design that focuses on consolidation and virtualization that scales.  There are even data center containers being offered by the likes of Sun, IBM and HP.  These ‘pods’ are like those storage units that sit in someone’s driveway, except ready to house IT infrastructure.

One of the biggest challenges is the management and administration of the data center.  During my time at Exodus, each server was pretty much a single instance and administration was 1 admin : some servers.  Even though consolidation is happening, now with virtual machines, each of those ‘some servers’ has 5-8 instances on it.  Admins can face the task of managing more servers (counting the virtual ones) than ever before.

Of course, security is a concern in the old white label facilities, where walking out with someone’s gear is a great fear.  The newer buildings are becoming even more isolated, with lights-out management and no office space.  At Exodus, we used to all have our desks just on the other side of the data center & even had a conference meeting room in the data center.  Ahhh, those were the days.  Network security is also becoming even more important as these facilities tie back to corporate assets, users and a whole host of sensitive information.  Even storage and backup, which used to be done via DAS, SAN or NAS, might now be sent over a private cloud or even the public networks.  There’s also the basic security worry of putting critical data in the cloud, especially if it is bound by regulatory compliance.  Disaster Recovery is even more critical as more content, tools and systems get pushed to the web.  And lastly, Fast, Available and Secure is always a concern when placing any application on the internet, no matter where it resides.


#4 out of 26 Short Topics about Security

Tuesday, August 4, 2009

Remember when we drew big Clouds on whiteboards…

…with the Ace Frehley lightning bolts flying out?  We still draw those clouds, but now they are smaller, there are more of them and sometimes they hover over a single, private entity.  Well, the Clouds have accumulated and an umbrella isn’t going to help.

Nicholas Carr (author of Does IT Matter and The Big Switch) talks about the notion of the Internet (or Computing power) as a Utility and has compared the cloud transition to the birth of power utilities from the 19th to 20th centuries. Back then, manufacturers had to provide their own energy source and many used huge waterwheels to generate power. In fact, the top manufacturer at the time had built the world’s largest waterwheel and had a competitive advantage.  Soon, things changed when Westinghouse came on the scene in 1886 and pioneered long-distance power transmission.  As soon as these self-generating sources could ‘plug in’ inexpensively, all assumptions changed. The assumption had been that this (power) was something you had to buy/build and maintain yourself.  Carr feels Information Technology is next and going through a similar transformation due to the collapse of efficiency. He notes that Server Capacity has 80% waste, Storage has 60% waste, and upkeep/maintenance has around 70% waste. Clouds give the ability to share assets and move to a new level of efficiency, if done right. While the notion of Utility Computing is new, disruptive technologies can move quickly, especially if it’s working well.  There are, of course, alternative views to this idea offered in this article.  It’s an interesting read on the difference between pushing/sharing electrons vs. data, along with the ‘trust’ factor.  I don’t think James Urquhart is necessarily disagreeing with Carr but being more specific as to what Computing as a Utility would look like, and he correctly points out that “some have taken electricity as an analogy to cloud adoption to an extreme…”  I tend to agree, since an industry-blessed definition of cloud computing is still evolving & Nick wrote his book over a year and a half ago when ‘Cloud’ was still a nebulous term.  Even today we’re starting to parse parts – Platform, Software and Infrastructure – all as a Service, and many are jumping in.

According to IDC, CIOs choose Cloud services primarily for Ease, Fast Deployment and Lower payments. They avoid Clouds due to Security concerns, Dependability (availability/performance) and Control. Security (or Trust) is usually at the top of surveys (for good reason), but there’s also a sense of not wanting to give up control of specific applications, particularly ones that are tied to certain regulatory governance. The growth anticipated over the next couple years will be in IT Management Apps and Collaborative applications, which makes sense.  Cloud is about sharing, and collaborative apps are making their way to the cloud; plus IT must have a way to manage all those instances.  The goal, of course, is to Consolidate (reduce costs/improve quality), Virtualize (simplify access/improve end-to-end management) and Automate (speed/predictability & reduce labor) IT into service-oriented delivery.

Clouds are not going to replace the old IT model but become another sourcing choice for IT departments. There will be a mix of on-premise and off-premise/cloud delivery, depending on the application (and several other factors), but performance level assurances (SLAs) are very important to the buyer.  Also attributed to IDC, Cloud spending looks modest, going from 4% of overall IT spending to 9% in 2012, but will account for $42.3 billion, with business applications taking 52% of that.


Number 3 out of 26 Short Stories About Security