Our H1N1 Preparedness Plan

On a couple occasions, I have  have offered advice on how to deal with disasters and just yesterday I wrote about Mitigating risks.  Today, I’m deviating slightly from 26 Short – make this #13.5 – to share some of F5’s Emergency Preparedness plans for the possible resurgence of H1N1.  While we often try to give interesting tips, ideas and suggestions to help you and since many of you might be going thru the same exercise, I though I’d share how we are preparing ourselves.  Per usual, this is not to flame the fears already in the media but offer calming assurance that there is no reason to panic.
F5’s main objectives for Emergency Preparedness for Employees is to provide a safe and healthy working environment and to ensure business continuity.  All of us received an email outlining our policies along with a link to an internal portal page dedicated to Emergency Preparedness.  It contains several governmental and informational resources pertaining to H1N1 along with Emergency Hotline Phone Numbers and a short video from HR so we all can clearly understand this particular flu strain and what to do if we contract it.  Each region around the world has a page specific to their needs.  We have also put together a cross functional pandemic planning team that has identified critical business activities, resources and responsibilities to support a pandemic mission along with taking precautions within our own facilities – like simply providing hand sanitizers among other supplies. 
Following tips offered by the Centers for Disease Control, if any of us do get symptoms, one of the primary actions we can take as employees is stay home since the virus appears to be easily transmitted from person to person.  This is to protect all employees.  The great thing is that there are also Work from Home instructions on how to connect remotely using our own FirePass SSL VPN.  We’re already prepared for any increase in needed capacity and have policies in place to check any connecting device, even un-trusted home computers, to ensure internal security compliance.
It’s a comfort to me knowing that my employer is ready for H1N1 and any other emergency that suddenly appears and hopefully a comfort to you knowing that F5 is prepared to still support you even if you experience a crisis.
ps

• #13.5 out of 26 Short Topics about Security
• previous stories: 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Additional note added after posting:
One thing I forgot to mention about Work at Home strategies - Do keep in mind that with the additional workforce potentially using home broadband for work, there might be some capacity constraints on carriers in certain areas of the country.  There might also be some Acceleration solutions, like a WAN Optimization or Web Acceleration that can help with bandwidth reduction. 

Reduce your Risk

As I started this journey 13 topics ago, I mentioned that ‘security’ is really about managing risks and threats.  Most security experts would agree that the only way to be 100% secure is to unplug your units & it’s somewhat foolish to think that you are completely safe across the board.  In #2 of 26 Short, I mentioned a stat that 60 percent of companies had experienced a data breach in last year. However, only a minority of six percent could say with certainty that they had not experienced any such breaches in the past two years.  If you are not in that 6%, you almost need to expect that some sort of malicious activity is always targeting your systems.  In some ways, this helps you prepare and understand your risks.  With that information, you’re then much better able to Mitigate those risks.  Mitigation essentially has to do with having a plan of action pertaining to specific risks.  Often it also gives those involved specific duties (or actions to take) depending on the severity of the event.  According to the Project Management Institute, there are four basic approaches to risk mitigation:

• 1. Avoidance: eliminate the conditions that allow the risk to be present
• 2. Acceptance: acknowledge the risk’s existence but don’t do anything except for a contingency plan if the event happens
• 3. Mitigation: minimize the probability or impact of the risk
• 4. Deflection: transfer the risk somewhere else

Let’s start with end users.  Many think that security is also about keeping the bad guys out.  While that’s true, it’s more about securely letting the good guys in, to the specific stuff they need, depending on the contextual conditions.  A user tries to VPN to your corporate systems but during a host check, your controller notices that the device’s AV software hasn’t been updated in two months.  Are you going to deny access to this authorized user or help them (mitigate) the situation by instructing them to update their files, or better yet, re-direct them to a landing page so they can get updated automatically.  The helpdesk can avoid a support call, plus you educate the user on the AV policy for corporate access.  Also, in regards to end users, if there are signals that a potential disaster is coming – say a storm is bearing down on locations where your remote workers live – maybe try reaching them via Systems Management before they call with no access.  You might be able to route around the situation.
As far as your infrastructure, Mitigations of risks is a daily task.  Firewalls for networks, strong passwords for logons, WAFs for public facing sites (especially ecommerce), access cards for facilities, backups, storage, disaster recovery and the list goes on.  There has been a lot of focus on mitigating DoS attacks recently, due to many popular sites, including Government web applications, having issues….and some having none.  Just last week, The SANS Institute published their Top Cyber Security Risks and as Gideon J. Lenkey points out in this article, at the top they state, ‘Two risks dwarf all others, but organizations fail to mitigate them.’  They were talking about unpatched client software and vulnerable pubic facing web sites.  It’s interesting that while OS patching has gotten better (maybe due to worms & auto update settings), client updates of software applications (like Flash, Java, etc) fall behind.  And it’s those applications that get you in the most trouble!
As a side note, some of the runner-ups for #13 were Mobile, Malware, Monitoring and Man-in-the-Middle attacks.  Since articles appear daily about those topics, I thought Mitigation might be a good since it can help in all those areas.
ps

• #13 out of 26 Short Topics about Security
• previous stories: 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Brought to you by the Letter L and the Number 7

Since I strayed a bit on #11 out of 26 Short Stories, I figured that this entry would be mostly a link-fest – about Layer 7.  A picture is worth a thousand words don’t cha know.  SANS just released a report that says ‘60% of All Attacks hit Web Applications,’ and other research indicates that 70% of all attacks target Layer 7. Today, I thought I would just share a list of common Layer 7 attacks to show the many ways applications can be breached.  List courtesy of Vikram Phatak.
HTTP

• Code Red, Nimda Worms & Mutations
• SQL Injection
• Directory Traversal Attacks
• MDAC Buffer Overflows
• Cross-Site Scripting Attacks
• Chunked Transfer Encoding Attacks

FTP

• FTP Bounce Attack
• FTP Port Injection Attacks
• Directory Traversal Attack
• TCP Segmentation Attack

Microsoft Networking

• Bugbear Worm
• Nimda Worm
• Liotan Worm
• Opaserv Worm

SSH

• Buffer Overflow Attack

SMTP

• SMTP Worm
• MIME Attacks
• SPAM Attack
• Command Verification Attack
• SMTP Error Denial-of-Service Attack
• Mailbox Denial-of-Service Attack (excessive email size)
• SMTP Mail Flooding
• Address Spoofing
• SMTP Buffer Overflow Attacks

DNS

• DNS Query Malformed Packet Attacks (pdf)
• DNS Answer Malformed Packet Attacks (pdf)
• DNS Query-Length Buffer Overflow
• DNS Query Buffer Overflow - Unknown Request/Response
• Man-in-the-Middle Attack

SNMP

• SNMP Flooding Attack
• Default Community Attacks
• Brute Force Attacks
• SNMP Put Attack

MS SQL

• Buffer Overflow attack
• SQL Slammer Worm

ps

• #12 out of 26 Short Topics about Security
• previous stories: 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Related links

• BIG-IP® Application Security Manager™

Keys to the Kingdom

According to various history sites, the earliest known lock to be key operated was from Egypt, some 4000 years ago.  It was wooden and actually used moveable pegs that fell into holes to secure the ‘bolt.’  The wooden key would move the pins back into place to allow the lock to be opened.  And, of course, Caesar is credited with inventing the first cipher.  Ahh, love history and always fun to know where some of today’s technologies came from.
In security, specifically cryptography, a key is a specific number value that when used with an algorithm can encrypt and decrypt a block of data – usually text.  The key length or size, typically in bits or bytes, determines how strong the encryption is and thus how difficult it might be to decrypt.
There is Symmetric and Asymmetric encryption.  With symmetric encryption, only one ‘secret key’ is used on both ends to encrypt and decrypt messages.  This is one of the oldest encryption techniques and can be as simple as shifting or replacing a letter.  This works great if both parties have the secret shared key but it needs to stay SECRET.  The bad side is that it’s just a single key and if someone gets a hold of it, then they can possibly intercept and decrypt your hidden messages.  Key management, such as changing the secret key often and distributing it securely to authorized users can be a challenge.
In Asymmetric encryption, also called Public Key – Private Key cryptography, two keys are used – one for encryption and one for decryption.  The private key is always kept secret while the public key  is out in the wild often in the form of a certificate.  So you can have my public key, in fact I might just give it to you, since that will be what you use to either encrypt a message to me or decrypt a message from me.  It is my private key that will do all the mashing so i can read your encrypted note and respond in secret.  The unique keys are paired and by using the same algorithm we can communicate incognito and no other key (or pair) can decrypt the data.  This infrastructure can also be useful to prove identity and ensure the message has not been tampered.
Then why PKI?  When you send an encrypted message, it is digitally signed with your private key but I’m not standing next to you watching the ink hit the paper.  PKI is what validates trust.  With certificates (your public key) there is usually a Certificate Authority who is essentially a third-party vouch.  Yes you can create self-signed certs but with a Cert Authority, they can verify your identity (or signature) and add their own signature as a stamp of approval.  PKI can store your certificates, revoke certificates, backup/recover keys, time stamp and a bunch of other services.  While public keys are meant to be public, their integrity is essential and PKI can accomplish that. 
Like anything security related, nothing is foolproof.  Secure distribution of keys is essential to prevent Man in the Middle attacks.  You might ask for my public key and I sent it to you, but someone else intercepts it on the way.  They send a forged note to you along with their public key, claiming to be me.  You decrypt the message since you think it’s from me and subsequently send an encrypted note back, but you’ve encrypted it with the interceptor’s key.  They grab it again, in transit, decrypt, keep a copy, re-encrypt with my original public key and forward on.  When I get it, I still believe it came from you and no one’s the wiser.  Simple additions like passwords for private keys or mutual authentication can help defend against MITM among other techniques (pdf).
I realize this was not my usual ‘link-fest’ entry with stats and fun stories, there are a slew of mathematical computations to make this all work and many other components to effective key management and deployment.  But for number 11 of 26 Short Topics, I just wanted to convey that your digital Keys are an integral part of keeping your data secure from eavesdropping and tampering and can verify that you are transmitting it to/from from a trusted entity.  Too bad the trusty TRIX Decoder rings are no longer available.
ps

• #11 out of 26 Short Topics about Security
• previous stories: 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Related links:

• A Short Tutorial on Distributed PKI
• Expect more PKI in 2008
• How to Start a PKI

The Threat Behind the Firewall

I had a different name for this blog entry but just ‘Jump Drive’ is an awful blog title.  They go by many names; jump drive, USB drive, flash drive, memory stick and a few others, but removable media is a serious threat to IT organizations.  Graduating from floppy disks, as early as 2003 articles were warning against the possible threats introduced with these devices – 256Mb for $160 back then – and yet we still see some sort of incident reported almost once a week!  From consultants, to government employees, to Mortgage lenders, to the International Space Station, what used to be a giveaway staple at trade shows, these tiny less-than-two-inch drives can hit and hurt you in a multitude of ways. 

They can infect your Network.  Just last week, the London Council’s systems were infested with Conficker-D due to an employee sticking an infected USB drive into a work computer.  Not only were the systems shut down, including their VoIP, they were unable to process parking tickets, library fines, benefit claims and rent collections.  With system repairs added to that, their bill will eclipse £500,000 ($825,000 USD). 

They can deliver Malware.  As of 2008, 10.3% of malware was delivered by USB storage.  One of the biggest threats here is the AutoRun features on USB drives – just stick it in and the program launches.  One way to get your malware delivered is to just leave a bunch of infected, cool-looking USB drives in the parking lot of the potential victim.  Unsuspecting, curious employees see the drive and wonder, ‘ohh, what’s on this?’  Before they even open email, they’re shoving the unknown stick into their computer to find out.  Mission Accomplished.  It could even happen with your own, purchased jump drive.  Maybe you have some important files that you need while traveling or at a conference and you don’t have (or didn’t bring) your laptop.  No problem, just find the USB port on the public kiosk or partner computer and problem solved.  Not so fast.  Either one of those un-trusted computers could be infected themselves – passing the strain on to you – which eventually makes it’s way onto your unit/network when you simply re-insert it.  USB threats can also come from a reputable vendor with their product documentation. 

They can steal your Data.  With the size and speed of some of the newer USB drives, it’s become fairly easy to quickly copy entire folders or even entire hard drives to a USB stick.  While I don’t touch on it that often, corporate espionage is alive and well especially in today’s economy.  Often due to regulation, companies are now storing much more data than ever before but not protecting or restricting access to that data.  While the spy might be external, insider threats have grown and disgruntled employees have IT departments concerned.  According to a Cyber-Ark survey, “74% of the 200 information technology pros surveyed know how to circumvent security to access sensitive data, and 35% admitted doing so without permission.”  The increased use of personal devices in the workplace also makes it difficult to track where and when data goes.  Earlier this year, the Ponemon Institute found that 88% of data breaches were caused by employee based negligence.  Locking down devices, even within your own office, has become critical.

They can lose your Data.  By the sheer fact that they are small, inexpensive, and we probably have a few extras, losing one of these doesn’t seem like a big deal.  But when a $10 device holds millions of dollars worth of sensitive data, it becomes a big deal.  Just last week in the UK, The Home Office had to revise it’s numbers pertaining to a data loss.  An unencrypted USB stick went missing in 2008 by one of it’s consultants and the new estimate jumped by 250,000 records.  The memory stick is still lost.  A couple others include a worker who copied data (against policy) so they could work at home and lost the stick, which was unencrypted.  Luckily, this one was found since it contained sensitive data on children but the BBC also lost a stick last year that contained kids personal data.  And even 'Dear Deirdre' admitted to losing a memory stick containing the personal matters of her readers.  Ponemon also found that while encryption is used widely to protect data on VPN, file servers and databases, mainframe and USB flash drive encryption are the least deployed applications.

‘Geeze!  But those things are so useful!’  I hear you.  I’m not suggesting eliminating all removable media, like the DoD, but there are a few pointers when they are in use.

Understand the risks involved and communicate to users.  While you might not restrict the use of USB sticks, it might be a good idea to remind your users of the potential perils when using them.

Create a Policy around the use of jump drives.  Maybe only IT provided devices can be used, or only encrypted devices or none at all.  Maybe disable or lock down USB ports on laptops that are connecting remotely.  Disable USB (maybe via Group Policy) on any un-trusted (non-IT) computers requesting access to the network.  Make sure your policy also includes what areas/subnets/VLANs of the network the user can access so sensitive data is not inadvertently removed.

Encrypt the data.  If your users are able to access sensitive data and it’s likely to be copied (for whatever reason), encrypted USB devices are the way to go.  Heck, there are even fingerprint secured USB sticks on the market.

Educate your users.  Educating your crew on all the perils of data security, Data Loss Prevention, how to handle sensitive materials and the ramifications of not doing so, can help.

ps

• #10 out of 26 Short Topics about Security
• previous stories: 9, 8, 7, 6, 5, 4, 3, 2, 1

Dumpster Diving vs. The Bit Bucket

Which is safer – a digital shopping cart or a metal shopping cart?  Most (or many…some?) of us take great care to keep our personal Identity information safe.  We make sure we send sensitive info over an encrypted tunnel, we use strong passwords for our various digital vaults, and other protective measures when navigating the treacherous Internet.  But you might not have known that Stolen wallets and physical documents accounts for 43% of all identity theft (pdf) which means we also need to shred our printed materials.  Many might feel uncomfortable entering their credit card for online purchases but have no problem handing that same credit card to a stranger (who then walks away with it) to pay for a meal at a restaurant even though online methods only accounted for 11% of all Identity Theft.

There were almost 10 million Identity Theft victims in 2008, up 22% from 2007.  A little over 3% of the entire US population was affected in 2008 and if I remember correctly, roughly 7.5% overall have been hit.  The average cost per victim hovers around $500 – not counting time.  2009 is likely to top those numbers with high profile breaches like Heartland’s 130,000,000 credit/debit numbers stolen and the 5,000,000 compromised records from the single Checkfree breach.  Even though Albert Gonzales (also the TJX hacker) is in custody and some 650+ banks reissued credit cards, the damage will continue as this info was still sold to other criminal outlets.  71% of fraud happens within a week of the personal compromise, so you’ll probably know fairly quickly if someone is claiming to be you since the crooks jump on the new data before you have a chance to react.  The scary part is the remaining portion which might bite you 6 months later, when you least expect it.

In the past, getting your identity stolen usually only affected you and your immediate family.  Someone trying to buy something with your credit card and the hassles you must endure to resolve it.  With Social Media, a stolen identity can have ripple effects.  Stories continue to appear of ‘friends’ getting scammed.  The typical ruse occurs when one of your ‘friends’ gets their profile hacked and the impostor pleads for help, usually in the form of cash, to get them out of a sticky situation –  like stuck in a foreign country.  ‘Oh my gosh, my close friend is in a tough spot.  I trust them since they are part of my community and they recently posted that they are having a great time in a far away land.  Better help them out.’  The impostor has already changed the profile password so the real owner is unable to alert their posse that this is a scam, if they even know it’s occurring.  By then, it’s too late.  While not directly Identity theft, digital criminals are scouring social media sites looking for their next heist.  ‘Gee, Sandy posted that she’s looking forward to their trip to the mountains this Labor day.  Looks like I'll be spending my weekend cleaning out their house.’  While I realize it’s fun to share the fabulous vacation you’re about to embark on, but you are also telling the world that you won’t be around.  Ten years ago, we were always cautioned against saying, ‘We’re not home right now…’ on our answering machines.  Better to tell, ‘Can’t get to the phone right now’ and yet we seem to forget that old simple rule when it comes to our social media messages.

While the statistics show that most Identity Theft is due to lost or stolen items, the digital criminals are always lurking and there are some basic old-school rules we can follow to make sure they don’t follow us.

ps

• #9 out of 26 Short Topics about Security


• previous stories: 8, 7, 6, 5, 4, 3, 2, 1