The Silence of the Stricken
By Gordon Smith (June 2010)
Download PDF of article at www.canaudit.com/Perspectives/Volume11-Issue4.pdf
As my past articles demonstrate, I am very concerned about the changes in the fraud and information theft techniques used to compromise corporate security. In most states, organizations that experience theft of personal information, including name, address, and social security number, must make a public disclosure. My question is: why are there so few corporate breach disclosures? Reading the list on www.privacyrights.org, it is apparent that hospitals, universities, and some government agencies are the primary targets of cyber criminals. Corporations do not appear to be a target, or their security is so effective they are never compromised! Both of these assumptions are wrong. It is my belief that corporations do not want to publicly admit their security failed and they did not protect their clients’ data.
You can bet your bottom dollar that when a corporate entity discovers their network has been breached, they immediately beef up security. Then, the lawyers review the situation to determine if a disclosure is necessary. Were social security numbers taken, along with names and addresses? In most cases, they cannot prove that this data was taken; therefore, they do not suggest a disclosure. I can understand this. Consider that while a network may show some signs of penetration, there may be no solid proof that the network was breached. It is also difficult to determine what data, if any, was actually taken. I suspect that potential breaches are not reported to the organization’s Internal Audit Department. If they were, I think Internal Audit would push for the required public disclosure.
If you have read my past articles (www.canaudit.com/articles.html) you already know that I have been on a crusade to increase information security. Both corporate and national security depend on improving controls over databases, operating systems, networks, servers, and PCs. From our audits, I know that security is not improving. Many organizations are at just as much risk as they were last year. In some cases, security has degraded. So what are we audit and security professionals to do now? Is it time to throw in the towel and admit that our efforts are ineffective? Or shall we renew the security debate by taking a different approach? I suggest the latter.
Since companies seem to be averse to reporting breaches, this may be a wedge we can use to get them to implement enhanced security. The cost of the Heartland breach was recently updated, now estimated at over $140 million (www.computerworld.com/s/article/9176507/Heartland_breach_expenses_pegged_at_140M_so_far). The TJX breach cost over $200 million. Combining the fear of public disclosure with the financial risk related to a disclosure should motivate management to quickly enhance controls. Based on our work this year, databases remain a serious exposure. Basic controls are just not in place across the various instances of the databases. Once one database is breached, the passwords gleaned can be cracked and used to compromise other, better secured databases.
The audit feature is usually not activated on databases. If it were, we could look for unusual activity or remote or foreign logins. The firewall logs are not very good at detecting large outbound file transfers. Since it is difficult to identify when actual files are taken, it is time to change tactics. Honeypots have been around for several decades as a means of detecting an intrusion. A honeypot is a machine with an apparently poorly secured operating system. There should be honeypots placed on both the extranet and intranet. When they are attacked, you will know that either the network has been breached or you have an employee or contractor who is violating security procedures. You can start an incident response and hopefully catch the offender. By tracking the number of incidents, management can be provided with statistics that prove additional funding for security is required.
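As an added illustration of the two detections described above (not code from Canaudit or this article), the Python below aggregates outbound bytes per internal host from a few constructed firewall log lines and counts every contact with a honeypot address so the incidents can be reported as statistics; the log format, internal range, honeypot address and 100 MiB threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed values for this example: internal range, honeypot address, threshold (100 MiB).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
HONEYPOT_ADDR = ipaddress.ip_address("10.0.9.9")
OUTBOUND_THRESHOLD = 100 * 1024 * 1024

# Simplified, constructed firewall log format (not a real vendor format):
#   <timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: one host pushing a large file out in two sessions, a
# normal browsing host, and two internal hosts touching the honeypot.
SAMPLE_LOG = """\
2010-06-01T02:10:01 ACCEPT src=10.0.3.14 dst=203.0.113.50 dport=443 bytes=60000000
2010-06-01T02:14:22 ACCEPT src=10.0.3.14 dst=203.0.113.50 dport=443 bytes=70000000
2010-06-01T02:15:00 ACCEPT src=10.0.3.15 dst=198.51.100.7 dport=80 bytes=120000
2010-06-01T02:16:10 ACCEPT src=10.0.3.14 dst=10.0.9.9 dport=22 bytes=512
2010-06-01T02:16:11 DROP src=10.0.3.14 dst=10.0.9.9 dport=1433 bytes=0
2010-06-01T02:20:00 ACCEPT src=10.0.4.2 dst=10.0.9.9 dport=3389 bytes=1024
2010-06-01T02:21:00 ACCEPT src=198.51.100.7 dst=10.0.3.15 dport=80 bytes=9000000
"""

def parse(log_text):
    """Yield one dict per line that matches the format; ignore the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(log_text):
    """Return (outbound bytes per source, honeypot contacts per source, flagged sources)."""
    outbound = defaultdict(int)
    honeypot_hits = defaultdict(int)
    for r in parse(log_text):
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        # Outbound traffic: an internal source sending to an address outside the range.
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            outbound[r["src"]] += int(r["bytes"])
        # Any contact with the honeypot, accepted or dropped, is an incident to count.
        if dst == HONEYPOT_ADDR:
            honeypot_hits[r["src"]] += 1
    flagged = sorted(s for s, b in outbound.items() if b > OUTBOUND_THRESHOLD)
    return dict(outbound), dict(honeypot_hits), flagged
```

Per-source totals over a sliding time window rather than the whole file would catch the slow, split-up transfers the article has in mind; the aggregation shown is the simplest form.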
Trading partner connections must also be monitored. I am very concerned about the interconnectivity of modern networks. Businesses connect to the networks of their suppliers, customers, bankers, and delivery organizations, just to name a few. If one of these entities is breached, it is possible that your network could be the next target. Effectively firewalling trading partner connections is a delicate balancing act. If security is too tight, there could be problems performing business transactions. If security is too lax, your network could be probed or attacked.
The best defense is prevention of a network breach. One method we strongly recommend is to perform daily or twice weekly security sweeps of the entire network to identify poorly secured machines and network devices before they can be compromised. There are a variety of tools that can be used to do this, including those we provide in some of our classes. Tools are not the real issue. Many audit and security staff are prevented from running these sweeps by the IT folks and IT management as “they could knock a machine down.” At Canaudit, we have been using these tools for over 20 years, finding issues without affecting network performance or stability. The real reason IT does not want auditors and security staff to run these tools is that they will find serious security risks. This blows away the “we are secure” mantra that we hear echoing around the corporate boardrooms.
Let’s get it straight. Your network is not secure. The only secure network is a network with no users! The machines in your network will be missing critical patches. Others will have simplistic passwords or poorly protected databases or applications. In every network audit, security baseline, or penetration test, we find one or two serious security issues. That is why our best clients have us come in at least once a year to identify the flaws their staff missed. It is not unusual for our team to determine that most of the Windows machines, UNIX machines and mainframes can be compromised.
Now that summer is coming, many auditors and security staff will be taking some well-deserved time off. Well, guess what? The hackers are not taking any time off. In fact, when the cat is away, the mice will play. An article I wrote in late 2008 is as true today as it was then: Hackers do not take vacations (www.canaudit.com/Perspectives/Volume9_Issue1.pdf).
The silence of the stricken is a new phenomenon. We at Canaudit want to ensure that your organization is properly secured and has the required security to defend against the coming attacks this summer. Your network does not have to be one of those stricken by cyber criminals in Eastern Europe, Asia, or even from within the United States or Canada. Our teams are available to assist you with security baselines, penetration tests, and IT or network audits. If you are interested in discussing how we can help you enhance your organization’s security, please email me (Gordon@canaudit.com) so we can arrange a time to discuss the right program for your organization.
As always, the opinions in this article are mine and mine alone. Please send me your comments, both positive and negative, to Gordon@canaudit.com.
Canaudit specializes in a variety of information system and technology audits, ranging from periodic network penetration testing to full network and operating system security review. Our tailored audits provide an objective, disciplined, and in-depth analysis to evaluate and improve the effectiveness of risk management, control and security within your organization’s technological environment. If you are interested in having Canaudit perform an IT audit for your organization, please email Gordon@canaudit.com or Tamra@canaudit.com, or call (805) 583-3723.
Canaudit provides training for IIA and ISACA chapters, in-house training for corporations as well as public training for all to attend. Our variety of courses offers training appropriate for introductory level employees all the way up to management. Attendees are awarded 8 CPE credits per day. A list of our available courses, course descriptions and outlines can be found at www.canaudit.com/course.html. For more information on upcoming public training and to register, visit www.canaudit.com/seminars.html. Contact Brenna at (805) 583-3723 or Brenna@canaudit.com with questions or to schedule a training event.