Information Security, Privacy and Regulatory Compliance

Someone asked me recently, why did I maintain a blog. Well, here is the answer. I have a blog because there are people out there who have questions. Questions that me and others may consider only need to be quick answers. Quick answers are of course misunderstood or forgotten then asked again. So, rather than giving someone a quick verbal answer, which I'll likely do anyhow, I maintain this to answer those technical questions like how does this or that work. I also maintain it because I like a Soapbox to bitch about things in the industry that continue to drive me nuts =)

The Wiki/Knowledgebase and Project Tracking are up and are under construction. If you are interested in contributing to the various forums or research, feel free to shoot me an email and create an account on the site.

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

-Keith

ShoeCon 2010:

Date/Locale:
Atlanta, GA September 18th
Wellesley Inn-Atlanta Airport
1377 Virginia Avenue
East Point, GA 30344
(404) 762-5111

If you are interested in speaking at this Conference then we are interested in talking with you. The September DC404 meeting will also be held at the Con.
This is a donation supported event and all the proceeds will go to the Matthew Shoemaker Memorial Fund.
We also need volunteers, donations of swag, time, etc.

The isdpodcast website has made it easy for you to donate to the Matthew Shoemaker Memorial Fund. Anything you can spare would certainly be appreciated.

Call (404) 890-5379 or email isdpodcast@gmail.com us with your questions or comments.

Employee and Employer expectation of privacy has always been a hot topic, of course with the constant changes in technology it can make the enforcement of privacy policies and controls nearly impossible for employers whether they be public or private sector. In a recent article written by Katharine H. Parker in the New York Law Journal, she also touch on this.

As employers literally struggle to protect against the "unauthorized" access, use and dissemination of information I pull out the ShoeWand and deem the greater portions of privacy implementations "not-secure".

Any one who has been reading my blog for awhile now knows I am a strong advocate of proper policy definition, implementation and enforcement. The struggle though is with how employees knowingly and without care will ignore the policies set for by the organizations they work for.

When you, as an employer, develop your policies focusing on both proper use of company resources as well as the CIA (confidentiality, integrity and availability) of sensitive or private information, the policy must be explicit in definition. There can be no room for interpretations or "void for vagueness" statements within the policy. Again, we are focusing on the expectation of privacy here.

Employees must only be permitted to access that information to which is required by their job function. They must do so only from company allocated devices. Access to said information from any non-company issued devices must not be permitted. Accesses must must tracked/audited on an ongoing basis by the security team within your organization.

Any violations must follow a documented procedure for internal reporting and punishment must be both swift and public. By public I mean when employees are discovered attempting to access, or have accessed, information they are not authorized or are accessing information from devices not under the control of the company, it must be made know to the rest of the organization that "we" are monitoring and will penalize through X defined method noted in X document. The enforcement/punishment must adversely impact the individual otherwise the punishment will be ignored.

It MUST also be known to all employees that the company is monitoring and recording all activities and it must be made clear there is no expectation of privacy.

Examples:
1) Employees are accessing external webmail to send internal information so they can "work on it at home".
2) Employees are utilizing company issued portable devices to engage in non-business related activities.
3) Employees bring their personal laptops into the company to perform personal activities while on company time

The network use policy must clearly state that X type of network traffic is permitted, it must also state that the company reserves the right to monitor and record all network traffic it in sole determination deems as inappropriate without the consent or knowledge of the employee.

It must be stated the personal devices are not permitted to be connected to the company network. The company reserves the right to monitor at all times any and all devices accessing the company network as well as record all network traffic from rogue devices without the consent or knowledge of the employees.

Company issued devices must not be permitted to be used as a personal device, the company must reserve the right to locally or remotely monitor all activities and traffic sourced/destined to the company owned device and that the employee may not at any time modify the configuration to disallow authorized internal security personnel access to the device and that such accesses are permitted without the knowledge or consent of the employee. Bearing in mind the potential implications of this type of design, a solid security plan must be properly developed and tested.

At no point should a company ever offer to pay for an employees personal device and expect to retain and degree of control or privacy or the configuration or the information being stored on the device. End of story there, if it is not a company issued device, it should not be used for accessing company information.

If specific employees, or groups of employees, for their job function do not need access to resources external the company; the solution is simple, do not give it to them. Monitor, record and any intentional attempts to circumvent the control must result in immediate disciplinary action by the company.

We are far too lenient in my opinion in this day and age with our employees. While we need to retain a happy and productive work-force, we do not need to allow employees to jeopardize the operations of the company because of unconcerned employees.

For the employers, if your policies are not well defined in that you do not allow X behavior or you do not enforce those policies equally in both monitoring and enforcement. When the day comes that you are called to the courtroom and it is show you selectively enforce the policies, I can assure you that you will lose.

So again:

Develop your policies and procedure
Training your employees at hire and at minimum yearly retrain them
Enforce the policies even upon all individuals within the company.

No one should be excluded, I don't care where they sit in the company.

// -> Rant Off

We had talked about this briefly on the podcast the other night, but I wanted to go into it further. it's one of those subjects that sticks with me...read into that how you want.

First off, to those of you who are reading this that don't know what social engineering is, here is the popular and generally accepted definition from wikipedia:

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

The most basic form of Social Engineering can be viewed as the "breaking the ice" between a man and a woman. Man engages woman and through various discerned observations attempts to discern some information to further the encounter.

Note: If you`re new to the social engineering game, learn to start random conversations with men and women, regardless of how awkward the situation. Once you find you can enter into conversations with ease as well as exit from them with some useful information gleaned, you're on your way. By useful information I do not mean how the current weather is =)

Women are typically better at the social engineering game than men, though some will likely disagree with me on this. That's fine though, disagree and prove me wrong. No guy that I know of can engage an executive in a short skirt, with some stiletto heels and a low cut top at a bar better than a woman. Male social engineers will typically target, if there is a choice, females. Unless the "attacker" is significantly tuned into the social engineering game, males attempting to extract information from other guys is slightly more difficult. Sex sells, so does alcohol...put the two together and it's game over..why do you think strip clubs, pornography and alcohol are still around....

Yea, this should be addressed in training. Though I've found that discussion of sex and alcohol walk a thin line with some entities. Because you know. God forbid the truth be told and we discuss such "taboo" subjects...seriously, get off the damn high horse...

The most common method social engineers will use, is the telephone. This has as of late been coined Vhishing. For the record, I hate the mass media for diluting the common definition and trying to create new coined phrases to address one portion of the social engineering attacks. Doing so only confuses the issue, so to the guy who made the phrase Vhishing..I hope you get a gaping paper cut and someone dumps lemon juice on it. Anyhow, when creating the social engineering defense training program this must be included in it. It must also be included in the organizational operations procedures along with the required methodology for reporting suspicious phone calls. One thing I recommend in my training on social engineering defenses is should any employee on the phone feel a call has become questionable, engage the internal security team. Let them deal with the phone call and have the employee remain on the line in silent mode, acting as on the job training. These types of encounters should also be included in the internal security training.

Training is where it begins, the training has to be realistic though. Chris Nickerson probably gave one of the best realistic training scenario's when he stood on stage and morphed himself though numerous different personalities without any interruption between each transition. Bearing in mind of course that Chris is an exception to the rule and most social engineers are not at that level of manipulation..yet anyhow.

So what is the point of this you're likely asking yourself at this point. We're establishing the framework for the defense. The defense will typically develop itself in some type of training, whether it be formal or informal. In my experience, executives have been the least receptive to this training. Why, because they feel that they are not able to be manipulated due to their intellectual superiority. If you're an executive and you are reading this and you fall into that category; sorry, you are not superior you are just plain stupid. The most receptive to training have been the line level tech support and engineer type personnel. They are also aware they are typically the individuals being targeted.

The telephone was given much press recently with the DEFCON Social Engineering Contest. This was both a success and a failure. The contest itself was a success as it gave further proof that social engineering as an attack vector is still possible, I know..as if this needed proof right..I`m being gentle. The failure however, was not with DEFCON or the contest, but within the Public and Private Sectors in response to this. In speaking with several people about this, there were a flurry of internal communications just before the contest went off. In general, this is what social engineering is, they use a phone..don't release any information. For real...this is not training people. The other failure was there was, at least to my knowledge, no follow-up training. It was more of a yea, it came..it went..status quo..

FAILURE

Email and IM are other popular methods, email taking the most frequent over IM though. Everyone is aware of it, and amazingly many people are still happy to click on that link or open that email attachment. Again, include the attack vector in your training. There is nothing more annoying than that HR executive click on a link to learn to "optimize" his staff, load the java applet which pushes the reverse shell to some system in china. No names here of course...you know who you are...

Face-to-face encounters, in there numerous forms, are by far the most effective next to the phone calls. We are human, we like to interact, we like to be helpful. Hell, I`ll admit it, I got engineering by two guys last week sitting in a room talking techie..of course it wasn't till after we finished the conversation that I said to myself..shit..I got punk'd. Technical security people are few and far between, we love interfacing with others in the field. Don't fall prey, the training should reflect as such. Never release any interesting information, duh..even me. I admit my flaws..can you =) Good social engineers will flourish in the face to face encounters, smooth talking, well versed in various operational functions from accounting executive to janitor..switch your personality on the drop of a dime. In the end, if the identity of the individual cannot be verified, remove them from the facility. You training and procedures should dictate as such. This is also a requirement under several regulations such as PCI^[?].

General conversation is a relatively easy route, especially when targets are more than happy to speak about sensitive information with their colleagues on the phone or on the Metro/Subway. Loose lips sink ships people..seriously close them. Shoulder surfing falls into this as well. If you're reading, writing discussing it in public you're jeopardizing the security of the information. Address it in the training, enforce and reprimand on violations. Social Networking I like to dump in here as well, don't type it if it doesn't belong there. Training to address the insecurities of social networking sites, their lack of security and privacy as well as the vast methods to obtain the information on these sites....train train train..oh, policies covering it and enforcement of those policies.

Piggy-backing is still very popular, even in highly secure locations I've used this very recently. The smoker, the lost-soul, the I lost my card..all must be addressed. The training and policy must reflect the importance. Employee's must learn to confront those who do not appear as an identifiable badged employee, must confront those with no ID, require internal security to be contacted to verify those who fall into the suspicious. Those employee's allowing others to piggy-back must be reprimanded, even terminated. Again, policy is only as good as the enforcement. If your training and policy state one thing, the enforcement must follow or the policy and training are useless.

Dig through the crap, yes I mean that literally. I have on some occasions, prior to giving a training session, went through dumpsters a day or two before the session was to begin and bring with me any interesting information I found. Of course the interesting information ranged from credit card numbers of customers to ACH transaction receipt with the full account numbers tossed right into dumpsters. On other occasions full medical records of patients who have switched doctors. If you were one of those customers by the way..I love you for making my job easy and I hate you for not following your own policies on the proper disposal of information..but I mean that in the most endearing way =) Also, interesting information can include other tidbits like business cards of vendors..

This was not meant to rehash the overabundance of articles detailing common tactics. This is meant as items you need to address, and that I address, in the internal training programs.

Social Engineering Training
-What is Social Engineering
-How does it occur
--Phone
--Email/IM
--Face-to-face
-Internal Security Team Intro and Points of Contact
-Procedure on reporting Social Engineering Incidents to the Internal Security Team

If your internal policies and procedures do not address Social Engineering in its various states, or you do not have internal policies, now would be a good time to start on that project. If you lack the internal policies and are looking for templates, SANS has a template repository online..check it out.

The policies must address what Social Engineering is from a high level as well as the penalties for not complying with the possible. The defined penalties must be both accepted by executive management and enforceable.

The procedures must be explicit in this is what you need to do if you feel you are the target of a social engineering attack. The procedure must of course reference the policy to note the potential repercussions if the employee does not abide as well the potential impact to the organization for non-compliance.

Policies and Procedures are only as good as they can be enforced..and they must be enforced or they are useless. The training must be as realistic as possible and note the importance for compliance with the policies and procedures. Any deviation will result in a failure of a portion or the entirety of the program.

Praise to Sheldon Whitehouse in this article. While not overly technical, it does touch on some important issues from the 10,000 foot view. While the issues he discusses are by no means new, they do however continue to plague the industry as a whole.


Commentary: Cybersecurity Needs Public Notice

I especially love his analogy of how we should treat our computers and network like our cars. Country depending we all drive on the same side of the road, follow basic rules of driving and for the most part we allow for common courtesies. The occurrences of ill behavior are for the most part minimal when viewed in comparison to the overall populous. And of course when we don't obey those rules there is the chance that we will be met with the flashing lights in the rear view mirror, for the remainder of the population, police omnipresence appears to work as intended.

On the flip side, he looks at how we operate our systems. Nice overview, and I`ll add a few comments to it.

Overall written policies, procedures and regulations continue to fail us. It is not because the documents themselves are failing but because of the executive/administrative and enforcement parties responsible for them do not follow through. Anyone who has sat through my classes or speeches knows this phrase all to well, the same others in my field have stated:

-- Any policy and/or procedure that is not backed by the executive or administrative bodies isn't worth the paper it is written on. Any policy and/or procedure that is not enforced on all individuals within said organization isn't worth the paper it is written on.

It does not matter if you have policies and procedures written to address every conceptual risk, if you, or the executives in your organization, are not going to enforce them. Stop writing them and go bury your head in the sand, wait..it's likely already been there so ignore that last sentence.

Basic precautions are great to say you have; yes we have an Anti-Virus (AV) installed on all system, they automatically update, we have NIDS^[?], we have HIPS, we have Firewalls. That's great an all, but while the commercial security vendors are making out on this deal, the public and private sectors are the ones suffering for the true lack of protection. Any signature based software/hardware will only catch approximately 70-80% of the known threats. This of course includes a major portion of the AV, NIDS, HIDS^[?] and HIPS deployments in production. This excludes those anomaly based systems, which are nice but require more manpower to properly use. Due to that, anomaly based systems are rarely placed in production environments.

With those basic precautions there is also the issue of reliance on automated systems to report events. Many of these automated signature based systems are placed into the production environments, never tuned, and simply spew mass amounts of noise to a console that an untrained or under-trained individual sitting at a console is expected to process.

Information sharing has been a hot topic for years. Several private and public sectors have developed lists and groups to better share information amongst themselves. These have fallen into typically two distinct classification, information groups that disseminate verified information or information groups that have either verified, not verified or partially verified the information. Access to these groups ranges from relatively easy to gain access to, to nearly impossible unless you're in the "elite" clique.

Of course, the easier the access to the information, typically the less reliable the information. There is also the chance of disinformation which of course may negatively impact the monetary and operational ability of organizations. I'm not going to go too much into this right now. Brian Martin is working on a paper regarding this so I'll let him have the glory on this topic *waves to Brian*....cough..Starbucks...

A good question that should be posed within the conclusion of this should be, what should the general public be required to report? There seems to be much onus placed on the government to report to the citizens. Why should the citizens not be required, by law, to report incidents of system compromises? Personally, I think there needs to be a state/federal funded group that receive reports of system compromises.

Recommendations:

Information Sharing groups/lists, with verified members, allowing for the dissemination of accurate information. Clique groups are nice to fluff ego's but don't help the overall community. Drop the egotistical bullshit and start helping everyone out.

Reliance on automated signature based systems continue to plague us. While it's nice to have the pretty SIM with with all the pie charts and crap, they typically are not configured to actually generate any useful information such as full packet dumps. I blame this mostly on the fact that training on the underlying systems is severely lacking as well as training on the actually traffic triggered events. Vendors in their default "recommended" configurations do not log all the interesting information, but they can sure spit out a shitload of alarms to make the interface look as though it was worth the 85K it cost the entity to buy it.

The big one is policy and procedure. When I say this I don't target this only at private/public entities with focus on their specific user base. I also target this at the service providers dealing with their masses of customers. If your AUP/EULA states X, and the customers violates X, there must be repercussions for said activity. Same with the private/public sectors, if you have policies and procedures in place and any user, including the executives, violates those rules, there must be swift and open repercussions for those actions. If there are no actions for violating the rules, the rules are useless.

Ok, I'm done ranting for now..only because my nephew just shot water all over my laptop...