While researching the latest from Storage Networking World I ran into this parody video from truebittv. Pretty funny. Good points about backup. Almost makes enterprise backup look cool and exciting.
Also see:
If you are an executive in government or a tech professional anywhere you better realize how patent trolls are impacting you and your mission
I know you have heard of patent trolls, those sham companies that are created to assert patent-infringement claims to shake down firms for money or other assets. They have been around for a long long time, stifling innovation and removing more value from our economy than the Chinese steal in all their hacking (no kidding, costing the US economy over $29 billion in 2011) .
That is reason enough for you to know of these trolls and oppose them, but as an executive or technologist you need to know more. You should think through the impact that these trolls have on the vendors that supply technology to you. Trolls cost these legitimate vendors money and time and slow their innovation because they have to be fighting off Trolls. And since Trolls cost money it causes the vendors to have to charge you more. And when a Troll wins it can change the support landscape and cause you to have to make decisions over whether you want to partner with a crooked company or find another solution.
Why the introduction to this topic now?
I just read an awesome statement by Rackspace on this topic titled:Why Rackspace Is Suing The Most Notorious Patent Troll In America.
It discusses their response to an action by “Parallel Iron”, which is a troll (Parallel Iron sued several good companies including Qualcomm, Twitter, Rackspace, Groupon, Paypal, Cloudera and Ebay, read their complaint here)
I want to share Rackspace’s response with you. I would also appreciate it if you help get this into the hands of others who need this info. This is important to all of us. Here are some excerpts from the Rackspace post:
Today we drove a stake into the ground in our dogged fight against patent trolls – we sued one of the most notorious patent trolls in America.
Last week, a patent assertion entity (PAE) called Parallel Iron sued Rackspace and 11 other defendants in Delaware for allegedly infringing on a trio of patents that Parallel Iron says cover the use of the open source Hadoop Distributed File System (HDFS). This is the newest in a series of 23 similar suits Parallel Iron has filed in Delaware since last June, which is when Parallel Iron was forced to dismiss an earlier set of lawsuits on another patent it could not enforce. Parallel Iron is the latest in a string of shell companies created to do nothing more than assert patent-infringement claims as part of a typical patent troll scheme of pressuring companies to pay up or else face crippling litigation costs . At least that is what it looks like on the surface.
In actuality, it is a bit more complicated. Our dealings with this particular troll reach back to December 2010 when IP Navigation Group (IP Nav), as agent for a supposedly secret patent owner, now known as Parallel Iron, accused Rackspace of patent infringement. IP Nav told us that they could not divulge the details of their infringement claims – not even the patent numbers or the patent owner – unless we entered into a “forbearance agreement” – basically, an agreement that we would not sue them. IP Nav was worried that as soon as we found out what their patents and claims actually were, Rackspace would sue to invalidate their patents or for a declaration that Rackspace does not infringe. We were unwilling to enter into such a one-sided agreement, so we negotiated a mutual forbearance agreement that required either party to give 30 days’ notice before bringing suit.
IP Nav has used this trick before. Sending a letter like the one IP Nav sent Rackspace – and trying to pressure the target into a forbearance agreement – got IP Nav into hot water with a Wisconsin federal court in late 2011. The court decision, as reported by Techdirt, describes the tactics that IP Nav deploys, and uses literary references to Shakespeare and Chekov to excoriate IP Nav. It even cited the “Duck Test” – if it quacks like a troll, it probably is a troll. Search online for “IP Navigation Group.” You will find that this group’s only business is acquiring patents and suing companies.
Once again, the Duck Test holds true: walking, swimming, quacking, everything. True to form, Parallel Iron sued Rackspace in Delaware without providing any notice, breaking the agreement they insisted upon.
We aren’t going to take it. We have sued IP Nav and Parallel Iron in federal court in San Antonio, Texas, where our headquarters is located (see the complaint here). We are asking the court to award Rackspace damages for breach of contract, and to enter a declaratory judgment that Rackspace does not infringe Parallel Iron’s patents.
For more see: http://www.rackspace.com/blog/why-rackspace-sued-the-most-notorious-patent-troll-in-america/
As a consumer I have always loved Rackspace. You guys always did right by me. I wish you well in this and I feel like you are fighting for all of us. Keep up the good work!
For more see:
The Use of Recorded Future for Cyber Security Professionals
We have previously written about Recorded Future, a fast moving startup delivering predictive signals from the noise of the web. Recorded Future provides a blog that captures several exemplars of their capability and its applicability in many mission areas. One mission area of particular interest in the use of Recorded Future for Cyber Security missions.
Today Recorded Future posted another informative piece on this theme titled: “Improving Cyber Threat and Vulnerability Assessment with Web Intelligence”
Here is an excerpt:
The concept behind Recorded Future is simple to understand (though difficult to implement) and is certainly not based on psychic visions. What the company does is gather content from the open web, filter it, analyze it, and generate predictive signals based on the refined information. Simply put, it is organizing the open source information from the web. For example, it may be useful to understand the social media discussions from a particular area when forecasting a regional election.
Recorded Future for Cyber Security
This kind of technology is very helpful in domains that require attention to and analysis of what is being discussed on the web and how information is linked. From the cyber security point of view, this technology is useful not only for reconnaissance (first phase of pentesting) on a target but also to learn about cyber attacks in the form of malwares, APTs, DDoS attacks, etc.
Examples
Let’s take the example of Java 0-day vulnerabilities. Figure 1 clearly shows the huge amount of mentions of the topic (Java 0-day) during the past year especially between August 2012 and February 2013. This information could be crucial for any corporation using Java in its product development. Based upon this graph they could issue warnings to their consumers to keep their Java versions updated and incorporate other defense mechanisms to safeguard themselves. Similarly, this information is helpful to end users in understanding the risks that a particular technology poses at any given time.
The post also presents an insightful tree map of Ransomeware and ideas for how to operationalize the information.
The post goes on to offer suggestions to Recorded Future on other sources that analysts need to tap into. Since this blog post was hosted on the Recorded Future site I imagine this means they are going to be working on those suggestions.
Please check the post out here: http://ctolink.us/13xJ20D
Related Posts:
An Introduction to Recorded Future: An ability to leverage the predictive power of the web
Did Oracle Just Throw Their Salesforce Under The Bus?
If you are a technologist I hope you love the great technology portfolio assembled by Oracle. It is really something to be admired. And the well engineered optimized configurations of hardware and software like the Oracle Big Data Appliance are so awesome I think most enterprises should get one.
But there are big roadblocks to adopting new solutions from Oracle. Like cost. The perception of many is that Oracle cares more about money than customer missions. Another is what seems to be overly agressive, scary tactics by Oracle that can include launching lawyers at enterprise CIOs. Other impediments, at least from my outside observer perspective, seem to be that the sales force is given uncertain or at times ambiguous goals on how they will be rewarded for selling the more advanced hardware and software solutions.
When you add the above to the fact that the technology domain evolves very very fast it has created some challenges for Oracle success. Enterprise customers have lots of other options now, including building lower cost, highly scalable solutions using the Cloudera Distribution of Hadoop and the many related capabilities the community is providing.
Something else is interesting and makes me scratch my head a bit. According to Reuters (see below) “Senior management assured Wall Street on Wednesday that a worrying 2-percent slip in new software sales was mostly due to a sales force that lacked urgency”.
So, the problem in the minds of some at Oracle is not their high cost, and not the competition, and not their agressive tactics, but a salesforce that lacks urgency.
That may or may not be true. But if you are in the Oracle sales force you may want to think about what a management attitude like that says about what is coming your way from HQ this quarter. Might be good to start thinking through your options now. I wouldn’t suggest you do anything rash in an employment market like this one, but you may want to keep your LinkedIn profile up and be sure you are connected to me there in case you will want to chat with me about options in the near term.
For more info see the following from Reuters:
(Reuters) – Oracle’s severe miss in quarterly sales, dismissed by management as a blip, amplified questions on Wall Street about the business-software giant’s diminishing clout in an industry moving rapidly toward cheaper Internet-based rivals.
Senior management assured Wall Street on Wednesday that a worrying 2-percent slip in new software sales was mostly due to a sales force that lacked “urgency”, something to be addressed this quarter. Many analysts agreed, describing the decline in software and hardware revenues as a speed bump.
Others say the dismal numbers highlight concerns that the strategy championed by the world’s No. 3 software maker, of integrating cloud software with its own hardware for greater efficiency, may not be enough to keep up with a growing number of rivals offering low-cost solutions.
Some worry that Oracle’s era of fast growth and lofty margins, when it could dictate prices because of its premier market position, may be waning.
Aggressive, fast-growing companies like Salesforce.com are now offering competitive products at prices that often undercut Oracle, said Cowen analyst Peter Goldmacher.
“For a long time they’ve held firm on pricing for maintenance, which is their highest margin business, and they’ve really stuck it to their clients,” said Goldmacher. “Now that you have an ever-growing raft of alternatives, more and more traditional customers are availing themselves of those alternatives.”
Shares in Oracle slumped nearly 10 percent on Thursday — their biggest single-day drop since December 2011.
Even though Chief Financial Officer Safra Catz said on Wednesday its salespeople are well on their way to signing deals they missed out on before the February quarter ended, some analysts believe the 35-year old tech company may face more serious problems as upstart rivals challenge its core business.
“Data base revenue, which has been the cash machine of the company, has changed. There are now alternative databases, as well as the cloud,” said Mark Moerdler, an analyst at Bernstein Research. “That pressure is still a tiny bleed, but it is out there and the question is – is it bigger than we think it is?”
An Oracle spokesperson declined to comment.
Awake Yet? The list of cyber security "wake up calls" grows as predicted
There are several certainties in computer security. One is that when adversaries have intent they will always find a way to get what they want. Another certainty is that leadership in government and industry is quick to forget the lessons learned in cyber security, especially those dealing with adversary action. This situation is known as Cyber Threat Amnesia. I believe there are cures for Cyber Threat Amnesia, and I think those cures might come with education, training and awareness, but that is just a theory, one that I hope is tested one day.
Till then, resolve yourself to this observable fact: Our history indicates cyber security events frequently cause action and remediation and those can get widespread attention. But soon after the attempt to remediate, organizations collectively forget about the threat.
Here is an updated list of major events. This is not all major events, just those widely reported to be “wake up calls” for the nation.
- 1970 and 1971 – The Defense Science Board publishes what will be known as the “Ware Report” highlighting the potential dangers to department information in the coming age of connected computing. This report was widely seen as a “wake up call” for computer security and caused changes at institutions like the National Security Agency to enhance the departments security posture.
- Nov 1988 – The Morris Worm was released and propagated throughout internetworked systems including those of the federal government. This “wake up call” resulted in establishment of computer response organizations throughout DoD and also resulted in increased funding for computer security research being provided to academic organizations and institutions. The CERT/CC at Carnegie Mellon University was funded.
- 1995 – The President’s Commission on Critical Infrastructure Protection (PCCIP) was widely regarded as a “wake up call” for the entire federal government and since it was extensively coordinated with industry and academia was also seen as a way forward in cybersecurity for the entire nation.
- 1997 – Deputy Secretary of Defense John Hamre was quoted as saying “Solar Sunrise was a wake up call for DoD.” This activity resulted in increased funding to cyber defense organizations and the creation of a new joint activity called DoD’s “Joint Task Force Computer Network Defense” or JTF-CND (Gourley was first Director of Intelligence (J2) there).
- 1998 Assistant Secretary of Defense Art Money was quoted as saying “Moonlight Maze was a wake up call for DoD.” This activity resulted in enhanced counterintelligence resources and more information sharing across the DoD law enforcement and counterintelligence.
- 2009 Director of National Intelligence Admiral Blair testified that “Buckshot Yankee was a wake up call” for the government. This activity resulted in more awareness and more funding for cyber security throughout the federal government.
- 2010 Deputy Secretary of Defense Lynn writes that “Google’s Aurora attacks were a wake up call for us all.” This wake up call resulted in stronger, deeper coordination across the federal space and underscored need for a DoD strategy.
- 2011 Deputy Assistant Secretary of Defense Bob Butler says “Wikileaks was a wake up call for DoD.” This wake up call resulted in significant activities and planning across the federal space aimed at enhancing security of information from disclosure.
- 2012 Sep, In one of the most destructive attacks against computers noted against any company to date, Saudi state-owned ole company ARAMCO had data destroyed on over 3/4 of their companies computers. The NY Times reports this as a “wake up call” and attributes intelligence officials with that assessment.
- 2012 Oct, South Carolina Gov Nikki Haley announced a massive hack into state websites. The Gov offered the excuse that these attacks are increasingly common. Reporters suggested this be her “wake up call”.
- 2012 Oct, Secretary of Defense Pannetta issues what he said is a “clarion call” for American’s to “wake up” to the growing cyber threat.
- 2012 Nov, Former Director of National Intelligence provides “wake up call” warning of a potential 9/11 type attack via cyber.
- 2012 Sep, Department of Energy issues a report on internal cybersecurity practices. This report by their internal inspector general was reportedly seen as a “wake up call” for the agency’s cyber security group.
- 2013 Jan, New York Times acknowledges hacks into its papers by Chinese sources. This was widely reported as a “wake up call” for security experts in media.
- 2013 Jan, Twitter was hit by a major hack in what security experts called a “wake up call” for the ecommerce and social media community.
- 2013 Jan, Attacks on US banks called a “wake up call” for the industry by cyber security professionals.
- 2013 Feb, Anonymous attacks against Federal Reserve investigated by FBI. Compromise, called a “wake up call” compromised data from the Fed’s Emergency Communications System.
- 2013 Feb, Chairman of the House Intelligence Committee expressed confidence that the hackers recently targeting newspapers and other companies would soon “wake up” Washington on cybersecurity.
- 2013 Feb, Mandiant releases a report exposing one of China’s Cyber Espionage Groups. This report, widely considered one of the best articulations of the threat, resulted in significant positive awareness on the seriousness of the threat and was widely called a wake up call. We believe this is one of the best pieces of cybersecurity research ever produced by an independent company, and we know it is making positive, virtuous change. We hope this goes a long way to really being the wake up call we all need.
Of course the reason to publish this list is not to make fun of people for using the term “wake up call.” The reason to publish the list is to get your brain deeper into the game. Maybe there is something you can do to prevent Cyber Threat Amnesia. Maybe you can suggest action to current community or government or business leaders? Or maybe you can find ways to educate policy makers or Congress or the American public? Or maybe you have other ideas for stopping this madness of forgetting about the threat.
For more on these topics see the CTOvision Guide to National Security Technology and
Great context from Jason Healey on Chinese Cyber Espionage
If you are an enterprise technologist you are probably pretty busy, right? And you are almost certainly numbed by the constant stories of cyber espionage, especially reports of data theft coming out of China. If you have been numbed with all the reporting please shake it off and dive into this current story. Something very important is happening. And it requires the reasoned context of a reputable analyst/thinker. With this post I want to highlight one of the most reputable, professional, powerful thinkers in the cybersecurity domain, Jason Healey.
Jason is the director of the Cyber Statecraft Initiative at the Atlantic Council. He is a founding member of the Cyber Conflict Studies Association and an alumni of the Department of Defense’s first truly joint command organization aimed at defending DoD computers and networks, the Joint Task Force for Computer Network Defense. Jason has spent time working cyber security issues at the White House and in the finance industry. He is also a frequent speaker at event like the FedCyber conference.
When Jay speaks we should listen, and when he writes we should read. So I was excited to see his latest piece which offers important advice on what the US should do about Chinese Cyber Espionage.
We have all known about Chinese Cyber Espionage for a long long time. But the topic has been brought to an even higher focus because of Mandiant’s reporting which proves beyond any shadow of a doubt that the Chinese military, through its unit 61398, is stealing terabytes of information from companies and governments. They are stealing information of value to us and to our economy and in doing so are hurting our economy. We have always known that, but now the proof is there for everyone to see. Here is a summary of this report as articulated by Jason in a recent USNews report:
- Nearly 90 percent of APT1’s operations targeted English-speaking countries, primarily the United States.
- APT1 targets organizations in IT, aerospace, government, satellites and telecommunications, scientific research and consulting, energy, transportation, and other sectors.
- They steal a wide range of information but especially product development and use, manufacturing procedures, and business plans.
- The size and structure of APT1’s operations accordingly implies not a stereotypical hacker group, but a large bureaucracy with dozens, if not hundreds of operators and support staff: fluent English linguists, developers of many variants of malicious software, and more.
- Mandiant observed APT1 connect to their espionage network nearly 2,000 times and over 97 percent of those connections traced directly back to Shanghai and used systems using simplified Chinese.
- Unit 61398 is a known cyberespionage unit, operating in Shanghai against English-speaking targets.
- Accordingly, Mandiant concludes APT1 is Unit 61398, though concedes the other possibility: somehow “[a] secret organization full of mainland Chinese speakers … is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”
Jason goes on to provide more context in his article, titled “How the U.S. Should Respond to Chinese Cyberespionage” including a succinct list of actions I believe strongly the US should take. These are, according to Jason:
- The National Security Council should draft comments for the president to speak against Chinese espionage, as a follow up to his State of the Union speech and recently issued executive order.
- The intelligence community should follow Mandiant’s lead and release its own public reports on Chinese espionage. This should start with an unclassified version of the latest cyber National Intelligence Report followed by details on specific threat actors, especially declassified corroboration on Unit 61398.
- The United State Trade Representative should coordinate unilateral sanctions against companies associated with the People’s Liberation Army, especially those most associated with the General Staff Department. The U.S. Trade Representative should also start building a case with the World Trade Organization, since information of commercial value has been stolen, an approach long favored by Dmitri Alperovitch, senior fellow of the Atlantic Council.
- The Department of State should:
- Formally demarche the Chinese government for more information on Unit 61398 and demand it cease all activity against the United States or face escalating sanctions.
- Place visa restrictions on anyone associated with Unit 61398, based on information from the intelligence community.
- Coordinate action with other targets of Unit 61398, especially the United Kingdom and Canada, who should implement their own visa and trade sanctions.
- Convene an unclassified conference of like-minded nations to discuss policy carrots and sticks to stop this espionage. The conference should include the traditional “five-eyes” allies of the United Kingdom, Canada, Australia, and New Zealand, as well as others targeted by Chinese espionage like Japan, France, and Germany.
Please read Jason’s full report at How the U.S. Should Respond to Chinese Cyberespionage and then do what you can to ensure our government does not just sit by and let this keep happening, which they no doubt will do unless public opinion compels them to take this seriously.
And for more from Jason Healey, find him on Twitter at: @Jason_Healey
Also see:
Important Observations on Pentagon IT from Arthur Herman and John Scott
Today’s Wall Street Journal carries an opinion piece by Arthur Herman and John Scott on the state of IT procurement in the Pentagon. I’m glad they selected WSJ for this piece, since changing the Pentagon system requires awareness and action by a broad range of actors, not just those on the inside or around the DC beltway.
John is a friend known for his focused thought and disciplined writing. He is a pioneer of new concepts and a leader in the open source community. I trust his observations on just about any topic, but found this piece to be especially important.
Here is a few excerpts:
Today’s Pentagon is losing its most important battle, the one for its own future.
The problem is how the Pentagon goes about acquiring the IT and software that modern weapons systems need. If this problem doesn’t get fixed, any hope of building a 21st-century American military will be doomed.
For example, the Air Force’s Oracle ORCL -0.32% -based Expeditionary Combat Support System was supposed to be ready in October 2013. Having spent $1 billion already, it needed another $1 billion just to get to one-quarter functionality by 2020. ECCS was supposed to automate the Air Force’s management of parts and equipment. This inherent complexity of the acquisitions process effectively killed ECCS and led to the rampant cost overruns that also killed the Navy’s DDG1000 destroyer late last year.
The Pentagon acquires IT and software-based systems the way it buys aircraft carriers—as if they were physical items to be forged or welded or mass-produced. The standard procurement cycle is geared around multiyear milestones and intensive evaluation reviews that can take months or years.
The modern software development cycle, by contrast, moves in weeks, days and even hours—because software is a malleable digital item whose only limits are the human imagination.
The DOD’s current acquisition strategy hasn’t caught up or caught on. By treating software as if it were a product instead of a process, our military services are shutting themselves off from the kind of cost-efficient innovation that rules in the commercial software and IT industries. Amazon, for example, can make over 30 changes a week to its portal, from adding simple code changes to new complex features, without a major glitch. Our service personnel know this only too well, when they see how their children’s videogames work better and have more sophisticated apps than the electronic gear they have to use in the field—and at a fraction of the cost.
The Pentagon has tried to go around the problem by buying off-the-shelf software for some systems. But that only postpones the inevitable frustration when it comes time to design software that can integrate those commercial products into warfighting systems. This is what happened when the Air Force tried to create the Expeditionary Combat Support System, which ended up as a $2 billion boondoggle.
Instead, the Pentagon needs a modern software and IT acquisition process that’s as flexible, agile and open-ended as software itself—one that’s geared for Moore’s Law (computing power doubles every 18 months) and Butter’s Law (network capacity costs get halved every nine months) instead of Murphy’s Law.
For the full article see:
Thanks John and Arthur for having the smarts and the courage and sense of what is right on these topics. Please keep up the great writing on this topic.
And to my many friends in DoD working IT issues, please understand pieces like this can be empowering to your activities. You know better than most that changes are needed, and your ideas on how to improve things can help drive that change.
Managing Internal Threats
The following is a guest post by Tom Olzak.
The number of annual security incidents caused by insider threats continues to increase. In The CERT Guide to Insider Threats, Capelli et al writes, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.” Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and inferior employees use information to achieve political or financial objectives for their self-gain. Any of these can constitute a critical national defense breach or breach of public trust.
To defend against the damage or theft caused by insiders, an organization must hold every employee responsible for detecting and reporting both behavior and technical evidence indicating a possible employee defection from policy and compliance. In addition, technical controls can help monitor suspected offenders and the overall network for evidence of criminal behavior.
Behavior Monitoring
In a 2008 article I wrote for CBS Interactive/TechRepublic, I listed employee characteristics that warn of potential defection from organizational and social policy and norms, including:
- Appearing intoxicated at the office
- Actual or threatened use of force or violence
- Pattern of disregard for rules and regulations
- Attempts to enlist others in illegal or questionable activity
- Pattern of lying and deception of co-workers or supervisors
- Argumentative or insulting behavior toward work associates
- Attempts to circumvent or defeat security or auditing systems
In general, any negative change in an employee’s behavior is concerning. Furthermore, actions taken by management can trigger a borderline defector to cross into criminal behavior. For example, an already disgruntled employee might feel justified in stealing and selling intellectual property after being passed over for promotion. Any potential-employees are candidates for additional monitoring.
Terminating an employee is one way to deal with a potential problem. However, we often value employees who are simply going through rough personal times. If terminating an employee is your preferred choice, keep in mind that you need to have attempted to resolve the issues with the employee or have clear evidence of a violation in policy; otherwise the termination can result in a lawsuit. It is often better to remediate than to terminate an employee.
First, we should ensure all employees understand organizational policies regarding the use of information resources and workplace behavior. Second, management should have a clear and fair process for a workplace infraction. The response should match the level of the offense. Furthermore, every employee, without exception, should understand the consequences of defection.
Finally, problem employees will usually not commit an infraction in front of management. This means we must train employees, as well as managers, to detect suspicious behavior and report it to someone higher-up. Since many employees would rather not become personally involved, an anonymous tip line is a possible solution. For example, a large organization for which I worked had a toll-free number any employee could call to report policy violations or any other concern or complaint. In addition, if you don’t want to set up a phone line, you could set up an anonymous website where you achieve the same result. Weekly, a compliance committee met to go over all reports, and there were many. Anything that appeared critical did not wait for the weekly meeting but was handled immediately.
Technical Monitoring
While behavior monitoring can alert us to many possible incidents, it often fails when dealing with network and server administrators who go rogue. We can easily miss behavior signals when an employee does his or her best to hide them. When behavior monitoring fails or is insufficient, technical monitoring should fill the gap.
Non-administrators
For non-administrators, we can control how much information an employee can access (and what they can do with it) by enforcing need-to-know, least privilege, and separation of duties. Organizations enforce all three by properly managed authorization policies and processes.
The first two are closely related. Need-to-know restricts the information a user can access only to that required for daily task completion. Least privilege controls what a person can do with the information accessed. For example, need-to-know might allow me to see electronic information classified as top secret, but least privilege would prevent me from changing or deleting it unless my role in the organization requires it. Together, they strictly limit insider threat damage.
Separation of duties, when properly implemented, prevents any one person from performing all tasks associated with a critical process. To illustrate, separation of duties prevents a software developer from creating malware and placing it in a production environment. In other words, developers should not be able to place their work into production systems.
Next, organizations must control the movement of sensitive information. If not possible using direct means, such as data rights management, then you should use indirect means. One of the most effective indirect monitoring methods is NetFlow analysis. NetFlow, emerging as the IPFIX standard, collects network traffic flow information at various points across the network. Information gathered and aggregated to an analysis and management server provides insight into anomalous traffic flow. If, for example, an employee decides to copy a large number of documents to an Internet location, NetFlow statistics would alert security to unusual behavior at one or more points on the network. This near-real-time identification of technological infractions happening on the network enables the possibility for a quick and effective response: stopping the employee or mitigating their effects on the organization.
In addition to NetFlow, security information and event management (SIEM) provides additional information about anomalous server or network behavior. SIEM solutions gather logs from various devices and systems, aggregating them into a correlation server. An event correlation application then mines unusual patterns or patterns known to be related to malicious behavior. Questionable activity is reported to security via email, SMS, or a Web portal.
Finally, employment termination and job change processes must include immediate revocation of all rights and privileges to previously accessed information resources. During a job change, removing all access and then granting access for the new role is a good approach. Failure to adequately perform these tasks is a significant cause of many insider incidents, especially those caused by administrators.
Administrators
While the previous controls also work for malicious activities by administrators, they tend to fall short. Administrators can alter logs or create backdoor accounts for use after hours or post-termination. Monitoring all employees and using separation of duties can help eliminate these vulnerabilities.
Administrator monitoring must extend to changes applied to special purpose files. One example includes log changes. Operating systems or other third-party solutions can track changes to logs, including who made the change and when. Security teams can identify unplanned changes and respond appropriately. This also applies to other files that might contain critical system management information and applications in the production environment.
In addition to file changes, any creation of a privileged account should raise a warning. For example, one security team ran a script every morning to determine if any accounts had been added to any Windows Active Directory administrator group. If so, the addition was reviewed against change management documentation to ensure it was approved. Any questionable account was removed and the offending employee was reported to his manager. A periodic audit of all privileged accounts, whether disabled or active, is another good way of identifying possible rogue IDs.
Sharing of administrator passwords also requires special attention. Each time a shared admin account is used, log it. Each time an administrator leaves the organization, change all shared passwords. If your budget allows it, consider implementing a privileged password management solution that logs who checks out shared account passwords and changes the passwords after use.
Finally, remember that every employee has the ability to be an insider threat. The most impactful threats are caused by those at the top – managers, administrators, programmers, and security experts. Insider threats are real, and they will eventually cause an incident in every organization. Proper preparation, training, and vigilance can prevent or alleviate related consequences.
Tom Olzak is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that provides popular ccent training.
For more see:
