Twitter Change

March 1, 2010

To get the most from Twitter and True North Security we are moving away from the Ken Pappas Twitter account and have established a specific Twitter account for True North Security.  Follow us now at TruNorthSec

Follow Us Now On Twitter

February 5, 2010

We have set up a Twitter account so that we may post the latest news on cyber terrorism and cyber threats that may pose a risk to your business.  Follow us here. http://www.twitter.com/Ken_Pappas

Staying Ahead of Network Security Issues

January 26, 2010

Ken Pappas was interviewed by Enterprise Systems Journal and asked a series of questions regarding new cyber threats and how security managers can stay ahead of it all. Here is the Q & A discussion that we had.

Where should IT focus its attention in protecting network assets, what investments offer the best return, and how can IT avoid common mistakes when developing its security strategy?

With IT budgets under pressure, it’s difficult to adopt innovative security solutions. We look at where IT should focus its attention, where to make investments, and how to avoid the biggest mistakes IT often makes in developing its security strategy.

For insight and perspective, we turned to Ken Pappas, President and security strategist at True North Security http://www.TrueNorthSecurity.com

Enterprise Strategies: Thus far in 2009, we’ve seen the outbreak of the Conficker worm, continued attacks on Web sites (particularly social networks), and continued network breaches across industries. What do you each see as the top threats to network security for the remainder of the year?

Ken Pappas: More of the same, but more creative and stealthier. Hackers are bright people; they study human behavior and adapt to it. You will see more IP-enabled devices that hackers will attempt to break into, not just for data theft but also to disrupt our quality of life.

A recent study from Verizon Business found that more electronic records were breached in 2008 than in the previous four years combined, yet new stimulus legislation is pushing health care organizations to upgrade their medical records to electronic form. How will this affect the security of the health care industry and specifically of the medical records? Won’t this result in increased hacking against hospitals and medical offices?

The finding of more records breached I feel is false. Laws today require companies to disclose breaches; in the past, this was not the case. Nobody knows for sure how many records earlier were breached because nobody was counting. Today our laws mandate they be disclosed, and keep in mind not all records breached need to be disclosed. You need to be over a certain threshold as I understand it.

Will the movement to electronic health-care records increase the likelihood of a record breach? Sure. New regulations are requiring that any network that is connected to or accessing health-care facilities must also have the same level of security within its network. This is a step beyond what we previously had. Although I feel we are on the right track, we are not out of the woods on electronic record breaches. They will still occur.

We’ve seen increased attention geared toward the utilities industry and the new Smart Grid. What are some of the potential outcomes threats pose and how does this affect the larger scheme of things — power outages, government regulations?

I can tell you that the reports of power facilities being breached are news that happened a while ago and that our power grids and the networks running them today are very different. I can’t say more, but I am confident that we are not going to see any major widespread power outages in our future. New government regulations have changed the way our power suppliers run and manage their networks, and we have a lot of smart people managing them.

Threats are coming at IT from all directions.

Yes, they are. An argument exists today around inside versus outside threats. Where are most of the threats coming from? Who cares! The fact of the matter is that threats originate both internally and externally. Security needs to address both.

What should IT’s strategy be to stay ahead of hackers’ next moves and combat all these different entry points, especially given that IT budgets are under extreme pressure lately?

It’s difficult to adopt innovative security solutions when your IT budget is under pressure or when regulations and even your business partners are demanding you have viable security technology in your network.

We understand that older firewall and first-generation IPS [intrusion prevention system] technologies will not protect your networks from tomorrow’s threats. You need to stay current with the newer technologies that are being made available to protect you from tomorrow’s threats today.

Where should IT focus its attention, and what tools are “nice to haves”?

I must admit, IT has a tough job and security needs to be considered at all points in the network, tethered and un-tethered. The “end point” is a blur to many of us. Many devices today connect and access data on our corporate networks. Cell/smart phones are part of the network and IT must consider security in any device to protect its network and its data. Although IPS has been around for about seven years, it surprises me that so many enterprise companies either don’t have one or are still using IDS [intrusion detection system] for security. I honestly can’t talk about any security device or technology that I would consider a “nice to have.” That decision needs to be made by the CSO in the organization.

IT has been struggling having to manage a variety of security tools and technologies, but it is tough (if not impossible) to integrate these tools. Can you suggest a few best practices, along with a tangible real-world example, of how organizations can successfully integrate these elements to improve security and effectively maximize their investments?

I could not agree more. I have seen a lot of smart security solutions on the market, but they are all stove-piped and none is sharing the information or learning from one another.

I think sharing information is the direction we need to move. The industry needs a Security Eco-System, which is a group of vendors willing to share their logs, alerts and other vital information with other security platforms in an open format so that one security appliance can learn what another security appliance just learned and possibly take action.

How can IT know it’s getting the most for its money or has made the right investments? Is it possible to over-invest in security?

It’s always possible to over-invest in security the same way it’s possible to over-invest in a car or personal insurance. It boils down to what you are comfortable with and what “risk-avoidance” level are you willing to accept. You can also under-invest and leave yourself open to attacks, business disruption and possible fines.

What are the biggest mistakes IT makes in developing its security strategy?

The biggest mistake I believe IT makes is looking at what it presently has in its networks rather than first identifying what it is trying to protect, then going back and determining if what it presently has in its network for security provides the best level of protection. Back in the early 2000s, the big challenge networks were facing was DDOS [distributed denial of service] attacks. Enterprises went out and bought DDOS appliances. Some companies today still believe their networks are protected because they have this DDOS appliance when, in fact, many new threats have entered the market that a DDOS appliance doesn’t guard against.

Another area I see within enterprises is their security policy and when it gets reviewed. When I am invited to deliver a security presentation, I ask the audience: “When do you update or review your security policy?” Some say annually, others say quarterly. I tell them that’s the wrong approach and that a security policy needs to be reviewed when they read the media about a breach and ask “Can this happen to us? Are we protected? Do we need to modify our policy?”

The other approach is to watch for new products or technologies entering the market. Ask yourself, “Does our current security policy cover this? Will this introduce new threats or ways to gain access that we have not addressed?” This is why assigning a date to reviewing your security policy will not work in today’s market.

What best practices can you suggest to avoid these mistakes?

Talk to your peers in the industry. Get educated on what technologies are working and which are not. Firewalls were good in their day, but let’s face it — the hackers have figured it all out and now viruses, Trojans, and malicious content are just flowing in. You need more than firewalls today. If you don’t have a security specialist on staff, hire one. The days of anointing someone who has worked in IT and whom you now consider your security expert are over.

I’ve spent time with a number of very intelligent IT staff individuals, and I frequently ask: “How do you know you have not been breached?” These individuals have a false sense of network and data security, relying on a firewall, IDS, or older IPS they may have. Since none of these devices has picked up any malicious content, they think they are covered.

I would caution all IT: don’t get comfortable with what you have. Take a look at newer, innovative technology and refresh your security as often and cost effectively as you can. We know costs are important, and we know that IT’s mantra is (or should be) “Protect Corporate Assets and Data,” but that’s a difficult and daunting task when funding is limited.

IT should also not be lulled into thinking they are protected just because they may have received PCI compliance and certification. Look what happened to Hannaford Food Chain! IT needs to be diligent with data security, educating CxO-level management to understand the risk levels if technology is not adopted or implemented in their enterprise.

That was the end of the interview. We at True North Security can assist you with your security challenges. Drop us an email to start building a secure network for tomorrow’s threats today at info@truenorthsecurity.com

TippingPoint Gets Acquired, AGAIN!

January 26, 2010

We are sure you have all seen the news about how H.P. has acquired 3Com and, along with that, TippingPoint. Since the acquisition of TippingPoint by 3Com back in January 2005 (I know this date because I was on the 3Com due-diligence and acquisition team back then), TippingPoint has repeatedly attempted to fool customers and prospects that they were not part of 3Com and that they were a separate company. That’s strange because I could never find a 10k or any other financial data on a company called TippingPoint.

As a matter of fact, the “company” called TippingPoint ceased to exist after the acquisition by 3Com.

Here comes H.P. to save what is left of 3Com. I felt it was a poor strategy for 3Com to partner with a Chinese company when most of what I believed 3Com’s business was in the enterprise and government accounts. You can’t convince those guys you’re a U.S. company anymore when you are in bed with the Chinese. AND, it gets even more difficult when you start to sell Chinese-made networking gear.

Is anyone paying attention to the news lately about all the data breaches here in the United States? Yup, that’s right, most of them are coming from the Chinese. And you think we want to buy our networking and SECURITY gear from them? Hell no!

I felt TippingPoint started to lose its market lead after the 3Com acquisition and now I predict that H.P. will make TippingPoint more an engineering shop than a full fledged business unit.

It was poor enough that Gartner continued to show TippingPoint as a company on the infamous Gartner “Magic Quadrant”, when in fact TippingPoint was no longer a company after January 2005. What was Gartner thinking? They don’t.

A trend is clear with the networking vendors of the world: integrate core value-added features into their switches, routers and other network infrastructure so that they can cycle out the older networking gear and convince customers that having it all in one box is the way to go.

I don’t agree. And let me share my views on this.

In some environments (small offices, remote locations) it does make sense to deploy what is termed a unified platform, the all-in-one. For medium to large enterprises, however, networks and their data are more efficient and better protected when security elements become a wrapper around the network infrastructure.

Some suppliers will say you need to protect your network from attacks. This comes mostly from the IPS [intrusion prevention system] vendors, while others say you need to protect your data because, after all, isn’t that what we are trying to protect anyway? Not really.

It’s BOTH.

We need our networks protected from malicious content and rate-based attacks. What good is protecting your data when nobody can get legal or legitimate access to it? You also need to protect your data from being accessed by unauthorized users or being emailed or FTPed to someone that should not be viewing the documents. Some vendors call this Data Leakage Protection.

So these go hand-in-hand as they say. I am a big supporter of IPS and DLP and feel that EVERY network needs to add these technologies to their networks.

The days of depending on your Firewall to protect your network and your data are OVER. The hackers have figured firewalls all out and today I feel they are ineffective.

Gartner touts a Next Generation Firewall and the great frontier. I don’t think it’s going to be anything close to a ‘firewall’ per se. I predict what we are going to see as the next great security platform is something that provides network, data and application protection. You won’t get this in a switch or router; it will be an appliance and will start by providing throughput speeds at 10Gig. The next hop will not be 20 or 30Gig. With bandwidth demands going up at a rapid rate and media-rich applications driving this need, it won’t be long before we require security appliances that hit the 100Gig point.

Will H.P. deliver on any of this? We feel they will be well suited to deliver the all-in-one solutions for the small business users but won’t be in a position to hit the higher end or the next-generation security appliance as I have outlined.

DOD’s Creation of Cyber Command

January 26, 2010

Hey I got some input as to what the DoD should be thinking about as they attempt to build out the new Cyber Command. Here are a few suggestions.

First of all, what should be the most important initiatives the Cyber Command should look to accomplish by this Fall?

I feel the most difficult to achieve is not the security but rather gaining support and trust of all agencies that will be affected by this. I would aim to first win the support of all agencies and have them become stakeholders in the plan, execution, monitoring and success of the new command.

Do we feel that the Government’s overall cyber security plan is becoming fractured with all of the different agencies (and leaders) with disparate goals or is there harmony between all of the moving pieces?

Hey it’s our government of course! If this is how it’s starting out then each agency is going to have its own mini cyber command and disparate systems once more. This is common within US govt agencies. One of the good things that comes out of this however is that the hackers cannot use the same tactics to gain access to ALL agencies. So following a ‘standard’ for all agencies might not be a bad strategy.

In the end of it all what should be the most important element to the success of Cyber Command? Funding? Clear vision? Resources? People?

I think they are all important, but the priority and sequence is most important. First, selecting the right people to undertake this task should come before anything else. Then comes the vision, then a strategy for how to execute, then funding.

“Cyber attacks” has been a subject brought up with the Cyber Command and also by the UK’s cyber security head; do we think this should be a prominent and public goal of any government cyber initiative?

Duh, what is the Goal? I don’t think anyone has figured this out yet. Hence a vision needs to be made and bought into. What are we protecting and from whom? Does data loss not fall under cyber attack? Is the Cyber Command so short-sighted that they are only thinking of bad guys from the outside? Maybe I am needed in Washington. Obama please call me 😉

And where and what is the most pertinent cyber threat to the United States today?

Depends if you are asking about the ones we hear about or the ones they don’t want us to know about? I’ve presented at many different forums around the world and my biggest fear is not that a hacker or someone with computer skills is going to steal data, it’s those individuals that can possibly come together, target a country, and take down its infrastructure that we have become so dependent on.

The DoD Cyber Command is something we truly believe needs to come together, and we are glad that we have a President that is thinking ahead on this threat.

North Korea Attacks American and South Korean Networks. True or False?

January 26, 2010

Recent International news ‘claims’ that North Korea WITH the help of China has electronically attacked South Korea and American websites. I use the word ‘claim’ to raise caution that in fact the attacks may not have come from these countries and in fact may have come from other countries or terrorist groups making it appear that the attacks originated from North Korea.

Today hackers can spoof and proxy hop so that a trace back to them would make it appear they are located in one place when in fact they are located in another. This brings me back to the movie “Untraceable” where FBI agent Diane Lane is trying to find this killer but cannot trace back to where he is. So this news makes me suspicious as to True or False here.

Our word of caution is just that. Never assume that the point of origin is where a trace route brings you. It might bring you to the other side of the world when in fact it could be your neighbor.

We have to believe these sites all have some form of network security, mostly again depending on firewalls or IDS. We would have hoped that since IPS has been around for almost 7 years that everyone would have deployed one. But then again, not all IPS vendors and coverage is alike. Some have excellent DDOS protection, others have great signatures for a specific threat type.

We would highly suggest that companies that are still on Firewalls or IDS systems strongly consider investigating an IPS. And those that already have an IPS, take a fresh look at the newer third-generation IPS systems that have the strongest DDOS protection.

If you need help in determining which IPS is right for your business please contact us at info@truenorthsecurity.com

False Sense Of Security

January 26, 2010

It’s been fast moving since my trip to the RSA Security event in San Fran. Much of my travels have been conducting security presentations to companies of all sizes. What amazes me is the fact that we have CIOs and CxOs out there that feel good about the security, or lack thereof, they have in their networks.

I am finding that CIOs are relaxed because they passed the regulatory tests or gained certification with a product or technology that barely provides the protection they need for today’s and possibly tomorrow’s threats.

They “Think” they are smarter than the hackers. Believe me when I tell you this, but a lot of hackers can run circles around most CIOs and security guys that I have met.

My point that I am trying to raise, and I might not be too clear, is that you can’t be comfortable with your network security JUST because you passed an audit. You need to put your heart behind it and really think about how secure you really are. What’s protecting you, firewalls? Good luck with that these days. A cheap, low-end UTM device? Good luck with that also. The story goes, and it works: “You get what you paid for”. If you went cheap on security, that’s about the level of protection you are going to be getting.

I tell companies all the time: if you have never been breached, brace yourself, you are about to be. If you think you would know if you have been breached, think again. I’ve met many companies that have told me they have NEVER been breached. When I work with them and start to place good security technology into their network, like an IPS, and it starts to discover all the bad stuff running around their network, they freak out! Can you stop that from happening? Well yes I can. Then sweat turns to fear and that’s when they know something bad has been happening all along on their networks without them ever knowing it.

I understand it is difficult to convince CIOs and CxO levels about the threats that lurk in networks, and this is where you need to turn for help. I am available to help you through all this since I have the background and experiences to share. Drop me a line and let’s see how I may be of service to you. info@truenorthsecurity.com

Post RSA Security Show 2009 in San Francisco, Ca

January 26, 2010

Last week I attended the RSA Security event in San Francisco, Ca. I wanted to give those that could not attend the event this year my perspective on the event and my observations. I have attended the RSA event for more years than I can remember. No, I am not one of those geeky types who puts stars on my badge for every year I have attended an event. This was the first RSA event at which I was selected, from over 2,400 entries, to present.

Unlike many of the other speaking hopefuls, I selected a topic that I felt would be near and dear to many security experts: that there was truly no silver bullet out there for security. I looked for industry experts to join me on a panel that would be willing to speak about the need for various security technologies and that security products that are simply stove-piped in networks today are the wrong way to go. Security, and more importantly the things security products ‘learn’ in a network, are valuable and have become more valuable to other security products and points in your network. So why is this information being kept within its own appliance? All the vendors on the panel agreed to move in the direction of a security eco-system, one that learns and shares from one another. The session was attended by well over 100 people, and that’s not bad for 9am on the last day of the show.

The session was led by John Kindervag, Senior Analyst at Forrester Research. John and I have known each other over the years, and John also recently finished an interesting article titled “If you don’t have an IPS you deserve to be hacked”. Very interesting reading if you can get a copy of it. The panel discussion covered many areas of security. One topic that got the crowd engaged and asking questions was around employee rights when employers wanted to see everything you were doing on that so-called company PC. One argument was that individuals should use their own PC so that employers would not have a right to read emails. The audience asked a question on whether the employee feels an employer should not have a right to check the PC to see if it’s properly protected so that it would not cause harm to the business network or data.

Ken Pappas said it was absolutely fine for an employer to check a PC to make sure it’s in compliance with company rules and regulations, but that it did not have any right to read emails that were being sent to family members at home. The challenge came about concerning company documents being sent out of the building through personal email or Gmail systems. Ken said, if you think I am going to risk sending company confidential documents over a company network when I can think of 10 other ways of getting it out of the building, then you are looking in the wrong direction.

It was a healthy discussion, one that I think everyone enjoyed.

The show was clearly less attended by the masses, but the attendees that did make it to RSA were of a higher caliber and were here on a mission. They were shopping for solutions to business problems, not here to collect give-aways.

Something that troubled me was the vast number of vendors and different types of devices I was seeing for the first time. Now remember, I have been in the security space for a while and I thought I had seen it all. One morning at 9am as I was walking the show floor looking at all the vendors (some of which I have never seen or heard of) it dawned on me. I said to myself, “I am starting to think that some vendors are starting to make this shit up”! Shocking observation to be making, but that is what hit me. Are these vendors truly coming to market with a solution to a problem, or coming to the market with something they hope someone will just buy?

RSA is not something to miss. To me it’s the center of the universe when it comes to the who’s who in security, and I am glad to have made it and even happier to have had the privilege of presenting at it.

The Argument Around Multiple Firewalls

January 26, 2010

Ah dueling firewalls…. I’ve seen it all. Well maybe not all, or that I really want to.

My good friend Jack Germain of ECT News Network just finished an article on this. Check it out here.

http://www.technewsworld.com/story/66150.html

I can think of at least three good reasons why companies deploy multiple firewalls.

1. No single firewall does everything exceptionally well
2. Multiple Firewalls determine which model should be on top doing the heavy lifting
3. Customers don’t trust a single firewall technology

Let’s face it, no two firewalls on the market today are alike. Some are very good at denial of service (DDoS) protection while others can handle rate shaping or packet inspection better than the other. So depending on the customer’s application and traffic needs, a different firewall brand might be in order. I would caution users of the dual or quad firewall topology, because the more firewalls you put in your network the more difficult it becomes for troubleshooting.

You might have heard me make the statement that I feel firewalls are older security technology and that newer technology like an Intrusion Prevention Solution is the logical replacement.

There are, however, firewall functions that an IPS still needs to deliver upon in order to become a full-fledged firewall replacement. One of the mandatory features is NAT. Most firewalls today provide the NAT function and an IPS does not. A drawback to firewalls today is port 80. With so many newer applications now running through port 80 (because everyone knows it’s open to web traffic), a firewall that permits the port is assuming it is legitimate Web traffic and cannot tell otherwise. IPS systems inspect EVERYTHING.
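To make the port 80 point concrete, here is an added example (not code from this post or from any product it mentions) that runs a port-only "firewall" policy and a payload-inspecting "IPS" policy over a handful of constructed flows; the flows, port set and HTTP check are all assumptions for illustration.

```python
"""Port-based vs. content-aware policy on traffic seen on TCP/80 (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal view of one connection: destination port and first client bytes."""
    dst_port: int
    payload: bytes


# Constructed sample flows, not real captures.
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow(80, b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
             b"Content-Length: 4\r\n\r\ndata"),
    Flow(80, b"SSH-2.0-OpenSSH_7.4\r\n"),          # SSH banner riding the web port
    Flow(80, b"\x00\x00\x00\x2a\x00\x00\x00\x01"),  # opaque binary on port 80
    Flow(443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),  # TLS ClientHello-like
    Flow(6667, b"NICK user\r\nUSER user 0 * :user\r\n"),  # IRC on its own port
]

# Assumed egress policy: only the two web ports are open.
ALLOWED_PORTS = {80, 443}

# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def port_policy(flow: Flow) -> str:
    """Stateless port filter: anything on an allowed port is let through."""
    return "allow" if flow.dst_port in ALLOWED_PORTS else "deny"


def looks_like_http(payload: bytes) -> bool:
    """True only if the first bytes form a syntactically valid HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(payload) is not None


def content_policy(flow: Flow) -> str:
    """Payload-aware filter: port 80 must actually carry HTTP or it is flagged.

    Only cleartext port 80 is inspected here; a real IPS would look into
    443 as well, which this illustration leaves to the port rule.
    """
    if flow.dst_port == 80 and not looks_like_http(flow.payload):
        return "alert: non-HTTP payload on tcp/80"
    return port_policy(flow)


def count_port80_gap(flows) -> tuple[int, int]:
    """Return (flows on tcp/80 the port filter allowed, how many of those the content filter flagged)."""
    on_80 = [f for f in flows if f.dst_port == 80]
    allowed = sum(1 for f in on_80 if port_policy(f) == "allow")
    flagged = sum(1 for f in on_80 if content_policy(f).startswith("alert"))
    return allowed, flagged


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"tcp/{f.dst_port:<5} port-only={port_policy(f):<6} content-aware={content_policy(f)}")
    print("port 80 allowed vs flagged:", count_port80_gap(SAMPLE_FLOWS))
```

Every port 80 flow passes the port-only rule, while the payload check flags the two that are not HTTP at all.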

Because there is no single device that can do everything equally, customers are settling for a layered defense. The need for multiple security technologies and in some cases dueling firewalls will continue while customers keep looking for that silver bullet, one device that does it all perfectly.

I can hardly wait!

Be Careful With Valentine’s Cards

January 26, 2010

Valentine’s Day used to be a time when loved ones would send cards in the mail wishing for a happy Valentine’s on February 14th. Like so many other things from the past, we no longer communicate in a manner like mailing cards or calling people on the telephone, for that matter. The Internet has turned us into high-speed communication junkies. We send a quick email to someone to remind them to pick up milk on the way home from work. We send an instant message to see if you are going to the bar after work or to make sure you’re picking up the kids at daycare. And now we send electronic Valentine’s cards to our loved ones so they can read them while driving into work from their Blackberry. Yes, I do read a few emails while I am driving.

Hackers are very smart individuals. I’ve always said if we can put hackers to good use we might solve a number of problems on our Earth. But hackers will be hackers. I’ve always been fascinated by the clever ways hackers have studied human behavior and have adapted their strategy to penetrate our computers to steal personal information.

We have seen hackers disguise email to look like legitimate ‘e cards’ with a URL hoping you would click on the link, launching a Trojan to gain entry into your computer to start sending files to a server somewhere in a foreign country, or YOUR country for that matter.

In 2009, I expect to see even more of this due to our down economy; hackers are growing in numbers and will prey on anyone they can steal from.

I’m asking you to be vigilant when you get email that contains a greeting card, even if it’s from someone you know, even if it looks authentic. DON’T open it. It might not be from who you thought was sending it; it might unleash a program onto your computer that will be difficult to remove or even know it’s there, for that matter.

My advice: call the person that sent you the e card. Tell them you got the email and you wanted to call and thank them for thinking of you. Let them know that you do not open emails that might contain a program, because you are not sure what it’s going to do to your computer and that you can’t afford to damage your files, etc. They will understand.

Who knows! Maybe next year your loved ones will send you a Valentine’s card in the regular snail mail. A blow to the hackers. But like I said earlier, hackers are smart and study what we click and don’t click. They will try something more clever next time.