Redspin Security Management Advisory


Security Management Advisory Volume 12 | May 2009
The Gear-Myth
So Much Security Technology Yet So Much Risk
(A.K.A. - Why management is surprised when they get hacked)
By John Abraham
At Redspin we have done hundreds of audits, and that experience has taught us that technology alone will not protect an organization from identity theft or a corporate security breach; deploying more of it often gives little beyond a false sense of security. No one disputes that there is a tremendous amount of advanced security technology available, both established and emerging. We argue that this technology will not necessarily be effective in mitigating risk, not because of technological flaws, but because of a lack of operational discipline. In other words, the problem is not the technology but the way it is deployed.

Here are some examples:
1. Firewalls
More than half of the firewalls we review are deployed with flawed configurations. While many of these flaws do not represent critical vulnerabilities, it is remarkable how often this critical first line (and sometimes only line) of defense is not configured correctly.

Example: One of our clients had us test the firewall that controlled their access to a vendor, a large national bank service provider. The vendor managed the firewall, but our client was concerned about its configuration: the vendor had hundreds of clients, and if our client had too much network access, then perhaps everybody else did too. The result was that the bank service provider's firewall did nothing. That's right, nothing. While the provider only needed to allow its customers access to a few applications, it allowed access to hundreds (yes, hundreds!) of applications. Further, when confronted with this, the provider claimed that it was not a security risk because they had a network security team, ran periodic scans (which generated hundreds of pages of vulnerabilities) and... had a firewall in place. The test that exposes this kind of failure is simple: enumerate what the rules actually permit and compare it with what the business relationship requires.


2. Intrusion Detection/Prevention Systems (IDS/IPS)
An IDS/IPS is a system that monitors network traffic for potentially malicious activity. For example, if it detects a port scan it might send an email to a system administrator (intrusion detection system), or it could reconfigure the firewall on the fly to block the offending IP address (intrusion prevention system). These systems are often implemented as an add-on to a firewall, which makes sense: there is typically a firewall between the internal corporate network and the Internet, and it is positioned to see malicious traffic such as attackers attempting to reach the internal network. While this is an intuitive place to put an IDS/IPS, most companies have areas of higher risk where they do not put sensors: data breaches from the inside (malicious or unintentional employee compromises) and partner network connections (such as a credit card processor or other business partners). In our experience, most of the IDS/IPS systems deployed are either not configured effectively or do not monitor the highest-risk areas of the network.

Example: A company with about 100 locations nationwide had an IDS that generated millions (yes, I said millions) of alerts a day, because the vendor that installed it did not take the time to tune the configuration and tailor its sensitivity to the environment.
Result: the network administrator simply ignored the alerts; hundreds of thousands of dollars were wasted; executives were left with a false sense of security. An alert stream nobody reads is equivalent to no sensor at all. Tuning (declaring known-benign sources such as monitoring hosts and vulnerability scanners, and raising thresholds until the volume is reviewable) is part of the deployment, not an optional extra.
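The following is an added example, not code from the original article or from Redspin. It shows the mechanics the paragraph above describes (a sensor counting distinct targets per source to flag a port scan) and why an untuned sensor floods its operator. The flow records, addresses, thresholds and the "sanctioned monitoring host" are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a flow collector or sensor would record it."""
    ts: int      # seconds since the start of the (constructed) capture
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class SensorConfig:
    window: int            # seconds per counting window
    threshold: int         # distinct (dst, port) pairs from one src that trigger an alert
    allowlist: frozenset   # sources whose sweeps are sanctioned (monitoring, vuln scanners)


def build_sample_flows():
    """Constructed traffic, not a real capture: a sanctioned monitoring host that
    polls ten ports on twenty servers every minute, one external host sweeping
    forty ports on a single target, and two ordinary workstations."""
    flows = []
    monitored_ports = (22, 25, 80, 135, 139, 443, 445, 3389, 8080, 8443)
    for minute in range(10):
        for h in range(20):
            for port in monitored_ports:
                flows.append(Flow(minute * 60 + h, "10.0.0.5", f"10.0.1.{10 + h}", port))
    for i, port in enumerate(range(1, 41)):
        flows.append(Flow(120 + i % 30, "203.0.113.7", "192.0.2.10", port))
    for minute in range(10):
        flows.append(Flow(minute * 60 + 5, "10.0.2.50", "10.0.1.10", 445))
        flows.append(Flow(minute * 60 + 7, "10.0.2.51", "10.0.1.11", 80))
    return sorted(flows, key=lambda f: f.ts)


def detect_port_scans(flows, cfg):
    """Count distinct (dst, port) pairs per source in fixed windows and return
    one (src, window_start, distinct_targets) alert per window that reaches
    cfg.threshold. Allowlisted sources are never alerted on."""
    buckets = defaultdict(set)   # (src, window index) -> {(dst, dport)}
    for f in flows:
        if f.src in cfg.allowlist:
            continue
        buckets[(f.src, f.ts // cfg.window)].add((f.dst, f.dport))
    alerts = []
    for (src, idx), targets in sorted(buckets.items()):
        if len(targets) >= cfg.threshold:
            alerts.append((src, idx * cfg.window, len(targets)))
    return alerts


# As installed: a low threshold and no knowledge of the environment.
UNTUNED = SensorConfig(window=60, threshold=5, allowlist=frozenset())
# After tuning: a threshold ordinary hosts never reach, and the monitoring host
# declared as sanctioned so its sweeps are not reported as attacks.
TUNED = SensorConfig(window=60, threshold=20, allowlist=frozenset({"10.0.0.5"}))


def alert_summary(cfg, flows=None):
    """Return (total alerts, alerts on the benign monitoring host, alerts on the attacker)."""
    flows = flows if flows is not None else build_sample_flows()
    alerts = detect_port_scans(flows, cfg)
    benign = sum(1 for a in alerts if a[0] == "10.0.0.5")
    attacker = sum(1 for a in alerts if a[0] == "203.0.113.7")
    return len(alerts), benign, attacker


if __name__ == "__main__":
    for name, cfg in (("untuned", UNTUNED), ("tuned", TUNED)):
        total, benign, attacker = alert_summary(cfg)
        print(f"{name:8s} alerts={total:3d} benign={benign:3d} attacker={attacker}")
```

Run stand-alone, the untuned configuration reports eleven alerts in ten minutes, ten of them on the monitoring host, while the tuned configuration reports only the real sweep. Scale the monitoring host to a hundred sites and the untuned output becomes the unread flood in the example above.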


3. Demilitarized Zones (DMZ)
A DMZ is just a name for a part of your corporate network that is partitioned off from the rest of the internal network, just as a submarine has watertight doors so that flooding in one compartment will not sink the whole vessel. DMZs are used to host Internet-exposed services such as mail or web servers. The logic is that since those servers must accept connections directly from the Internet, they might get hacked, and if they do, you surely don't want the rest of the network and all of its data to be at risk. However, this primary purpose of a DMZ is not achieved most of the time, because the network components used to create a DMZ, such as the firewall, switch or VLAN, are configured incorrectly.

Example: Recently a bank had a web server that got hacked, but the impact should have been minimal because the site did not host sensitive information and was hosted on a DMZ. So no problem, right? Wrong: the DMZ configuration was flawed, and once the attacker gained control of the server they had unrestricted access to the rest of the internal network, leaving customers' confidential information at risk. Time to send out the "oops, we got hacked" letters to customers. The lesson is that a DMZ is defined as much by what its hosts are allowed to reach inward as by what the Internet is allowed to reach; the rules from the DMZ toward the internal network need to be tested from a DMZ host, not assumed.
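The following is an added example, not code from the original article or from Redspin, covering both the partner firewall in section 1 and the DMZ in section 3. It is a small first-match rule evaluator (the semantics of most firewall rule bases) used two ways: to measure how much a partner-facing ruleset permits beyond what the relationship requires, and to enumerate the paths a DMZ host has into the internal network. The rulesets, address ranges, required ports and internal targets are constructed for illustration; a real audit would export the live rule base and probe the real crown-jewel hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src: str       # CIDR
    dst: str       # CIDR
    ports: tuple   # inclusive (low, high) destination port range


ANY = "0.0.0.0/0"
ANY_PORT = (1, 65535)


def evaluate(rules, src, dst, port):
    """First-match policy evaluation with an implicit final deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.ports[0] <= port <= r.ports[1]:
            return r.action
    return "deny"


def audit_exposure(rules, src, dst, required_ports, probe_ports=range(1, 1025)):
    """Ports on dst reachable from src that the business relationship does not
    require. Anything returned is exposure the partner never asked for."""
    reachable = {p for p in probe_ports if evaluate(rules, src, dst, p) == "allow"}
    return reachable - set(required_ports)


def audit_segmentation(rules, dmz_hosts, internal_targets, probe_ports=(22, 445, 1433, 3389)):
    """(dmz_host, internal_target, port) triples the policy permits. Each one is a
    path a compromised DMZ server could take into the internal network; every
    entry should correspond to a documented dependency."""
    return [(h, t, p) for h in dmz_hosts for t in internal_targets
            for p in probe_ports if evaluate(rules, h, t, p) == "allow"]


# Partner firewall as found: the client site may reach every port at the provider.
PARTNER_AS_FOUND = [Rule("allow", "198.51.100.0/24", "203.0.113.0/24", ANY_PORT)]
PARTNER_REQUIRED_PORTS = {443}   # the one application the client actually uses
PARTNER_CORRECTED = [
    Rule("allow", "198.51.100.0/24", "203.0.113.0/24", (443, 443)),
    Rule("deny", "198.51.100.0/24", "203.0.113.0/24", ANY_PORT),
]

# DMZ as found: the Internet reaches the web tier, and the web tier's
# "outbound any" rule quietly includes the whole internal network.
DMZ_AS_FOUND = [
    Rule("allow", ANY, "192.0.2.0/24", (80, 80)),
    Rule("allow", ANY, "192.0.2.0/24", (443, 443)),
    Rule("allow", "192.0.2.0/24", ANY, ANY_PORT),
]
# DMZ corrected: one documented dependency on the database, an explicit deny
# toward everything else internal, and only then general Internet egress.
DMZ_CORRECTED = [
    Rule("allow", ANY, "192.0.2.0/24", (80, 80)),
    Rule("allow", ANY, "192.0.2.0/24", (443, 443)),
    Rule("allow", "192.0.2.0/24", "10.0.5.20/32", (1433, 1433)),
    Rule("deny", "192.0.2.0/24", "10.0.0.0/8", ANY_PORT),
    Rule("allow", "192.0.2.0/24", ANY, ANY_PORT),
]
INTERNAL_TARGETS = ["10.0.0.10", "10.0.1.20", "10.0.5.20"]   # DC, file server, database


if __name__ == "__main__":
    for name, rules in (("as found", PARTNER_AS_FOUND), ("corrected", PARTNER_CORRECTED)):
        extra = audit_exposure(rules, "198.51.100.10", "203.0.113.5", PARTNER_REQUIRED_PORTS)
        print(f"partner {name}: {len(extra)} ports open beyond the {len(PARTNER_REQUIRED_PORTS)} required")
    for name, rules in (("as found", DMZ_AS_FOUND), ("corrected", DMZ_CORRECTED)):
        paths = audit_segmentation(rules, ["192.0.2.10"], INTERNAL_TARGETS)
        print(f"DMZ {name}: {len(paths)} permitted paths into the internal network: {paths}")
```

The ordering in the corrected DMZ ruleset is the point: the deny toward 10.0.0.0/8 must sit above the general egress rule, because a first-match engine never reaches it otherwise. The one path the corrected policy still permits (the web tier to the database on 1433) is exactly the kind of entry that should appear on a written list of approved dependencies; a finding with no such entry is the flaw in the bank example.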

So clearly, the existence of security technology and controls does not imply security. This is the common gear-myth theme: it is not the existence of a control, it is the effectiveness of the control that matters. As it turns out there is little glamour in security. It is less about high-technology gizmos than about attention to detail, good IT people and operational integrity: technology deployed carefully, peer reviewed and managed by process, in an organization run by executives who understand that the small things matter.


New Red Flag Warnings for Financial Institutions... and Identity Thieves
By Brian Hayes

Identity theft is on the rise for the first time in five years. Compliance with the new federal "Red Flags Rules" is intended to ensure that financial institutions are maximizing their efforts to combat growing fraud. The Red Flags Rules help financial institutions develop a program that not only prevents identity theft, but also prepares them to quickly detect and respond if any fraud occurs.
Identity Crisis
Imagine the following situation: someone, either intentionally or inadvertently, discovers some personal information about you, such as your social security number or bank account number. You may have lost your wallet, or perhaps you were the unsuspecting consumer whose credit card information was captured while shopping at an insecure retailer. Regardless, you just got the call. Suspicious charges have been detected on your account, and the long process of recovery begins, first with the headache of canceled cards, shortly followed by potential financial loss and much wasted time.

And this threat is not going away...
The 2009 Identity Fraud Survey Report released by Javelin Strategy & Research indicates that identity theft is on the rise for the first time in five years, affecting almost 10 million victims in 2008, a nearly 22% increase from 2007. While the mean cost per victim is down this year to $500, the zero-liability fraud protection that financial institutions offer leaves them holding the bill.

To protect consumers and financial institutions, the OCC, FDIC, OTS, NCUA and FTC created the Red Flags Regulations and Guidelines, which implement section 114 of the Fair and Accurate Credit Transactions Act of 2003. While the final rules and guidelines went into effect January 1, 2008, mandatory compliance did not start until November 1, 2008.

What are the Red Flags Rules?
While there has been some controversy surrounding the general nature of the Rules, it is important to remember the intent of the law. These rules are designed to better educate financial institutions and help them develop a program that not only prevents identity theft, but also prepares them to quickly detect and respond if any fraud occurs.

What is the significance for financial institutions?
To be compliant, financial institutions must complete a total of seven steps broken into three sections:

Risk Management
1. The financial institution must periodically review the covered accounts it offers or maintains. Covered accounts include accounts for personal, family and household purposes that permit multiple payments or transactions. The institution must also conduct a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts and the institution's previous experiences with identity theft.

2. If covered accounts were found in step 1, the financial institution must develop a written "Program" that identifies and detects the relevant warning signs ("red flags") of identity theft, and have the Board approve the Program. Developing this plan is not as difficult as it sounds: 26 possible red flags have been provided as guidance, grouped into the following five categories:

 
a) Alerts, notifications, or warnings from a consumer reporting agency;
b) Suspicious documents;
c) Suspicious personally identifying information, such as a suspicious address;
d) Unusual use of a covered account; and
e) Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

Note that these red flags are not a checklist, but rather, are examples that financial institutions may want to use as a starting point.

3. The financial institution must then train the appropriate staff to effectively implement and administer the Program.

4. The financial institution must exercise appropriate and effective oversight of service providers that perform activities related to covered accounts.


Address Discrepancy
5. A financial institution that requests a consumer report must develop and implement reasonable policies and procedures designed to enable the financial institution to form a reasonable belief that the consumer report relates to the consumer whose report was requested, when the financial institution receives a notice of address discrepancy in connection with a new or existing account.

6. A financial institution must develop and implement reasonable policies and procedures for furnishing to the nationwide consumer reporting agency (NCRA) an address for the consumer that the financial institution has reasonably confirmed is accurate.


Change of Address
7. If a financial institution is a card issuer, then they must establish and implement policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account.


FTC Delay
The Federal Trade Commission recently announced that it will delay enforcement of the Red Flags Rule until August 1, 2009. In the words of FTC Chairman Jon Leibowitz: "Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further."

For questions about compliance with the Red Flags Rules, contact:
RedFlags@ftc.gov
Or
Senior Policy Analyst Jeffrey Kopchik at (202) 898-3872, JKopchik@fdic.gov
Or
Counsel Richard Schwartz at (202) 898-7424 or rischwartz@fdic.gov

For more information, see:
Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule 16 C.F.R. Part 681 (Federal Trade Commission Rule)

FIL-100-2007, Identity Theft Red Flags, November 15, 2007

FIL-105-2008, Identity Theft Red Flags, Address Discrepancies, and Change of Address Requirements Examination Procedures

Fair and Accurate Credit Transactions Act of 2003 (PUBLIC LAW 108–159–DEC. 4, 2003)

Or Contact A Redspin Security Specialist



Engineer Nathan Drier's Tips
Nate's Top 3 Facts on the Gear Myth:
1. More Gear = More Fear
Paranoia is a building block of any good security professional, and being leery of gear is no different. The more independently configured devices or servers on your network, the more opportunities there are for something to go wrong. Take a look at your network and make sure everything has a clear, defined function. It's not all rocket science, so take a deep breath, relax, and make some logical decisions. Less gear gives you better insight into your network and streamlines administration.

2. Show Me The Code!
Many vendors' flagship products are based on free, open source projects. If you are looking into new gear, shop around. There are many polished, very mature open source firewalls and IPSs, and a lot of software available for free. Both paid and community support are available, and some community support can rival or surpass corporate support. Don't buy the hype that you need that $50,000 firewall.

3. Shop Till You Drop
If you do find the need for more gear, shop till the wheels fall off. In today's economy, vendors are bending over backwards to get more sales under their belts. Some time spent shopping competitors, and making it known that you are shopping their competition, will net you big savings. Spend the time to stretch your dollars!
©2009 Redspin, Inc. | Privacy Policy