GhostNomad.com

The Recap

An unknown male, described as skinny, entered a house through an unlocked front door and then exited through the garage door. He was seen leaving without anything from the home.

The Lesson

Assumptions are a very powerful thing. Many times we mistake assumptions for intuition, the idea that we have a feeling about something. In the end many times that “feeling” comes from us making assumptions based on previous knowledge of similar situations. What I found interesting about this police report was the ending remarks of “seen leaving without anything from the home.” The assumptions is made that this trespasser went into the home with the intention of taking something out. Even if this assumption is accurate, it also assumes that anything of value to be taken can also be seen.

Playing on the assumption the suspect wanted to remove something of value, what could he have taken that is unseen. A major issue todaay is identity theft and all this person had to do was to find documents in the home with enough information to allow him to steal the home owners identity. If not completely steal it, he could have left with enough information that it would be easy enough to socially engineer the remaining information from someone with access to what he needed. Is that all he could have removed from the home without it being seen, in short no.

Lets assume the suspect wanted large items of value in the house, perhaps he could have left with a key, security code, or another method of regaining entry at a less obvious time. Walking out of a house in broad daylight with a TV, computer, safe, or other valuables would possible draw enough attention to immediately alert police. Having access to the home may mean this criminal now knows the families vacation schedule and could return, easily gain access, and leave without notice for an extended period of time.

Lets run another assumption out. Lets assume the intent of gaining access wasn’t to remove something but to place something in the home. Perhaps the residence of the home have some knowledge that is of more value than the contents of the home or the persons identity. We don’t know if this person had proprietary corporate information, or was an influential political figure. Maybe this person is in the middle of a nasty divorce or has a joint business venture that is falling apart. Whatever the reasons, something placed in the home to gain intelligence of the resident may be far more valuable than the contents. Sure we could say if that was the intent the person would likely have ransacked the house to make it look like a robbery and not an information gathering mission. This of course would be making assumptions about the criminal based on patterns of others.

As I said at the begging, assumption can be very powerful and also effective. In information security we have built a large industry around protecting digital assets through “fingerprinting” or “signature” based security. This segment of infosec is important, but it is not the only defense we should have or rely on. It is important we look at all possibilities when it comes to attempted or successful intrusions into our systems. We may think we know why people are attacking our systems and trying to gain access, but if we just go with our assumption there is a good chance we will miss a critical detail. It shouldn’t come as a surprise that digital trespassers and criminals are turning to more complex, multifaceted method of attacking our systems. Once inside our systems they also may go for less obvious targets that could ultimately yield significant gains for them, and losses for our organizations.

We can let the automated systems catch what they are designed to catch, everything else should be left to us as security professionals to follow through and check out. Don’t let assumptions about what has happened jade what is or could happen. In the end it is not just our organizations reputations at risk, it is ours as well.

The Recap

A fight broke out during a card game in an apartment. Two of six men began an argument that resulted in all being involved in a fistfight. When police arrived on man had a bite mark on his bicep, while another had cuts on his head. It is believed brass knuckles may have been used.

The Lesson

So what started out as a fist fight, ended with the use of a weapon that most likely nobody saw coming. In information security we know people are constantly trying to gain access to our organizations assets. What we don’t know is once they gain that access what they may do. Sure we can monitor their activity and get a general idea of what their intentions are, but once inside our system we have no idea what they may unleash. Knowing that unauthorized access to our systems gives attackers the keys to the kingdom we need to make sure we are doing everything we can to prevent that access. This means not only do we need to secure the perimeter, we also need to ensure that information assets within our system are secure. Ensuring development practices embrace secure coding processes can be just as important as making sure our perimeter can turn back a potential attack.

I am guessing in the case of the card game friends are not going to have a metal detector at the door, but we know what our organizations stand to lose so we need to make sure we have taken measure the ensure those brass knuckles are not brought into our systems. The damage to an organizations reputation is a far greater than just a cut to the head.

I have spent the last three “Tips” discussing phases of  an audit, to which I hope you have found some value either now or in the future. Sometimes the more we understand the process the less intimidating it tends to be. I think at this point though it might be good to talk about an important aspect of the auditor’s perspective. Remember the auditor’s purposes is to be an independent verification that what you are supposed to be doing, is actually what is taking place. For a compliance audit that means you have taken all the steps to be compliant. For a financial audit that means your financial statements are a materially accurate representation of your organizations performance. We could go on, but I think you get the point. What you may not understand is what plays on the auditor’s decision to make that determination.

Tone at the Top

Remember, the auditor is coming in to an organization and making a decision based on fact and “auditor’s judgment.” So a key control auditors rely on is something called “Tone at the Top.” Even if they don’t come right out and use that term, it is inherent in some of the tests being performed. Tone at the top, in case you are curious, is the idea management sets the tone for how an organization will perform. If management takes controls seriously and places emphasis on them, so to then will people who are actually executing the controls. On the other hand, if management routinely ask to have controls circumvented, then those responsible for carrying out the controls will take them less seriously. If an auditor determines there is little or no emphasis placed on adhering to a control environment, then what is the point in testing if the controls are operating as intended.

Case in point, Sarbanes-Oxley (SOX) was placed in to law to specifically hold management of publicly traded organizations responsible for ensuring they have adequately controlled environments and have not withheld information that would materially effect the organizations financial statements. Again, I have oversimplified what SOX is, but the point is made. Tone at the top is important because it drives the rest of the organizations direction. What does this mean for you as an auditee? It means you can get controls in place to make the auditors happy, and you can document your systems and train staff on how to implement those policies and procedures, but if you don’t embrace those practices at the top you can’t expect the controls to function properly. In the end it means you have weaknesses your auditor finds and then you have to go through the process of implementing more controls.

So the moral of this tip, in the simplified form, embrace controls as an important part of maintaining your organizations continued operation, not as another check box for the auditors to mark.

The Recap

A woman reported missing cash from her purse. It was unknown when the money went missing or who may have taken it.

The Lesson

Cash is valuable for many reason, but from a criminal aspect it is nearly untraceable. Since cash immediately gives the holder claim to it’s value it is difficult to prove, unless records have been kept, that the cash in your pocket belongs to someone else. Thanks for the lesson on legal tender, right. Well I bring it up because I think it highlights an important aspect of information security. It is one that consumes large amounts of resources while possibly having minimal value in the aggregate. However without this procedure in place, we allow our systems to be as valuable as cash. If you haven’t guessed yet, I am talking about logging.

Without logs we have no way of knowing who has been on our systems, or what they have done. Sure if you turn on all possible logs your are most likely to get a mountain of information that has little or no value. Yet when an incident happens and you need to find out not only how someone gained access, but what they had access, your logs will give you that insight. It is important then that you evaluate what type of logs will help you not only evaluate incidents, but also inform you of potential incidents. Once you know what you need you can not only focus the types of events you want to have logged, but also set your tools to alert you when certain events occur.

Not only do we need to maintain proper logs, we also need to ensure we can trust the logs we are looking at. Having a process to protect the logs is key to trusting what you are seeing. If someone has compromised a system one of the first things they want to do is hide their access, so maintaining logs out of their reach is critical to ensuring your incident response process can properly identify what, where, and when the incident occurred. Depending on how sophisticated the attack is, you may even be able to determine the who.

Having to many logs can be just as bad as not having logs at all. Trying to store and analyze every event our system can log creates an expense that ultimately could be far greater than the loss we may incur. That means  we lose more and may never know what happened. If we don’t want our systems to be the equivalent of cash, we need to ensure we are able to trace how they are being used, or abused.

So hopefully to this point we have gotten you through the anxiety of getting the first call from the auditor. Then as you were starting to freak out we got you moving on making sure your documentation is in order. Despite getting you this far, the fear is creeping back in. You turned over the documents to the auditors, but since then they have been quiet, a little to quiet. Is their silence good or bad. Well lets take a look at what is coming next.

Unless this is just a review of your documentation, the next step auditors will take is to validate the controls you say should be in place actually are in place. Most likely you will sit down with the auditors where they will take an opportunity to ask you questions about controls that aren’t fully documented or that may not be included in documents. Remember, even though auditors are there to test your controls are in place and operating effectively (well, usually) there are controls auditors feel are important enough that you should have them despite your documentation of such controls. The purpose of asking you questions about documented controls has two purposes: 1) to ensure the auditor’s understanding is inline with what was intended and 2) confirm that management and staff are actually aware of what the controls should be. Yup, the first control test is validating staff are aware of controls management says are in place.

Once the auditor’s have identified the relevant controls, they will start requesting information to confirm the controls are in place. What they request depends on the type of controls they are testing. If they are looking at system configurations and settings, most likely they are going to want reports off the system, out of databases, and even network devices. These are fairly easy to obtain because if you are monitoring your system properly you should know how to get to the configuration settings. On the other hand, if the auditor is looking at non system controls like staff training, strategic planning, disaster recovery, you likely will be pulling more documents or emails that support your procedures. What is important to remember when it comes to auditors, even if they like you they will want to ensure the information gathered is actually what is on your system. The best approach you can take when pulling information from systems, allow the auditor to observe your gathering efforts.

This is probably the most intimidating part of the audit, because this is where you find out if all the controls you say you have actually are working. No one wants to be told they are wrong, so the process of waiting to find out what the auditors find in this phase probably is like an eternity. However, if you documented your controls properly then the auditor’s should just be validating you. Going back to the previous Auditor’s Tip about documentation, you can see why it is important not to just make a document for the auditor’s sake. It is important that what you say your procedures are, actually is what you are doing. Also, if your documentation is up to date and accurate you should be able to gather the information your auditor’s have requested fairly quickly.

Although this may be simplifying this phase of an audit, at least it gives you a glimpse into what is happening behind the curtain. If you run through the same exercise before the auditors come knocking, there should be no surprises once they arrive. This isn’t rocket science, just good old fashion process validation.

For many, the commute into work can be a painful process. I know I don’t have nearly the traffic issues as many others, but any extended drive is painful for me. There are many reason we won’t go into here, but inefficient drivers is a big gripe I can address. For example there always seems to be that driver who takes cleared distance way to seriously and ends up letting the rest of the world cut in front of you. But nothing sends me over the edge like the rubbernecker.

If you are not familiar with this term I will explain. Ultimately there will be an accident where there is heavy traffic, and people not involved can’t help but look and stare. This leads to drivers slowing down so they can see if they can have a glimpse of the carnage. Even after these drivers have passed the accident scene they continue to turn there head back to see if they missed any details. Thus their neck is made of rubber. The first problem you can see happening is that all traffic behind the rubbernecker slows down. The second problem, if the driver is looking at the accident and not the driver in front of them they are bound to run into them when the driver in front slows down to rubberneck. It is a vicious cycle.

In information security there are those who want to stop and look at what has already happened and see all the gory details. In doing so, the rest of us have to slow down or come to a complete stop so we don’t cause more problems. Don’t get me wrong, when incidents happen we need to make sure we investigate appropriately. We need to make sure we understand how an attack occurred, and ultimately try to determine if it was an isolated incident or if it is part of a targeted attack. However, we can’t become so fixed on past incidents in so much detail that we forget attackers can, and will change their tactics. Maintaining a proper focus on both the past and the potential future needs to keep us balanced as professionals.

One analogy I like to think of has to do with the stock market. It always seems when you watch analyst on TV or see ads in financial publication they are giving you a tip on what to buy. I was told by a friend who is a stock broker that by the time you get a tip the money has already been made. So it would seem that no matter if it is traffic, investing, or information security, the rubberneckers cause more trouble than there needs to be. The rubberneckers who don’t keep an eye on the risk ahead of them will become the next victim and so will the information security professionals who focus to much on what has happened already. Learning from each incident, but keeping an eye on the road ahead is the best recipe for keeping our systems and thus our organizations more secure.

I often make associations between being a parent and various aspects of information security. You may not always see the connections I see, but once in a while the connection is clear. We decided it would be fun to go for a family bike ride at a nearby park. The path we rode on was an old towpath of the canal systems that ran through northeast Ohio. It was a great location and our destination was a farm right on the trail that we heard had a great farmers market. This worked perfect into our plans to pack a light picnic to eat along the way.

After stopping at the farmers market for a while, we packed up our purchases so we could go and eat lunch. My two older kids watched as we packed the two younger ones into the tag-a-long. As we did this a grandfather aged man walked up to my second oldest and said “I will trade you a goat for your sister.”  My son looked at the man and didn’t respond. The man then said “what do you think, would you like to make that trade.” We waited to see what response my son would have and then he said “no thank you, she is too cute.” The man laughed and indicated my son had made the right choice. He then looked at my wife and said “I travel all over the world taking pictures of kids and I open with this line to break the ice.” Then he looked at me and said “and then I tell them I am like a grandfather so I am ok. You have a great crew here.” My wife and I thanked him, as proud parents do, and then we headed on our way.

After we got back to our car my wife and I talked about the scenario. The man may have been innocent in his intentions, but as a parent it just didn’t pass the sniff test. You know, if it doesn’t smell right it probably isn’t. Parsing what he said made us uneasy, because every red flag seemed to go up. Even if he didn’t have ill intention, he made it a point to say all the things to make a child feel safe around a stranger. Security, weather physical or digital, is security. As a parent I want to protect (secure) my kids and keep them out of danger. The same type of instinct used to protect ourselves and loved ones should be harnessed to protect our systems. If something doesn’t smell right, no matter how innocent it may seem, we should follow our instincts and check things out.

That instinct, our ability to sense when something is not right is what makes an information security professional a unique tool in the battle against unauthorized access. Automated tools can capture the signatures or patterns we know and don’t have the time to constantly monitor. The tool alerts us that we need to look more in depth. Our instincts, experience, and sense of security allow us to go beyond the tools and capture threats yet to be identified. We took the opportunity to discuss with our kids how this could have been used against them by a stranger so they could better protect themselves in the future. We should do the same thing when responding to threats in information security so we can enhance our tools to better protect our systems. We shouldn’t just enhance our monitoring tools though, we should update our end users so they can make better decisions when using our organizations systems. When we all work together we have a better chance of identifying attacks on our defenses, and ultimately become more secure.

The Recap

A highly intoxicated woman was reportedly laying in the public square. Her date called his 81 year old father to drive them home.

The Lesson

Young and stupid, old and wise. Yet, I wonder in this case just how “young” a person with an 81 year old father is, but that would be making an assumption. Any how, in information security the threat landscape is always changing which means we are always looking for new ways to protect our systems. What I find striking is the number of “new” products that a re just a new twist on an old technique. A great example of this seems to be around log analysis. Logs have been around for a long time, the trick always seems to be getting people to review the logs. With the number of events that can be generated you need to be able to look at only those events that are relevant. Of course what is relevant today may not be as relevant tomorrow, thus new methods arise with new names.

I am not comparing new twists on old techniques to drunken middle aged people on a public square. What I am suggesting is that we often over look old methods in favor of new window dressing. The best approach should be, instead of throwing out older tried and tested methods, build our tool sets on top of those methods. The more fancy we try to get with our defenses, the more opportunities we give attackers to use simple attack vectors. Then again, old vulnerabilities never reappear, just like middle aged people dating never have to call their 81 year old parents to pick them up when they over indulge.