Data Loss Prevention

A Tale of Two Security Breaches: Sony vs RSA


In March, when RSA announced that they had experienced a network attack which may have compromised their multi-factor authentication systems, it was the attack heard around the world. A few weeks later, consumers received notices that email marketing firm Epsilon had also suffered a major breach of customer information belonging to companies like Chase Bank, Walgreens and TiVo. Even more recently, Sony has been in the news due to an attack on their network, which has caused them to shut down their PlayStation Network indefinitely.

These high-profile cyber attacks have had varying degrees of severity and impact. From their response time, it would seem RSA was alerted quickly and then responded even faster to minimize their public exposure. Sony, on the other hand, is continuing to find new evidence that their system was breached at least two weeks before they had any idea what was going on. Again, while Sony scrambles to figure out what went wrong and where it started, their PlayStation Network has been offline for a little over two weeks now.

So, what’s the difference?

I see a few pretty clear messages in these two breaches. While I hate to reference it this way, as a security company, RSA “eats its own dog food”, meaning that they use everything they in turn sell. From log consolidation and data loss prevention to governance, risk and compliance, they utilize every product they sell within their own data center. RSA also quickly announced the purchase of NetWitness following their attack, a tool which was instrumental in helping RSA find out what was breached as well as its severity.

Why wasn’t RSA able to stop this attack?

My answer is this: the primary fault concerning this particular breach lies in social engineering. Employees clicked on a link they shouldn’t have (and should have known better), and, unfortunately, security comes down to the one variable no computer program can control: human error. Basically, we are the weakest link. Despite being hit by one of the most advanced threats the security community has ever witnessed, RSA was able to react to the attack as it was taking place. Generally, with attacks of this nature, it takes companies weeks or even months before they realize that an attack has occurred or is occurring.

Looking at Sony, we see a different story. More than two weeks have passed following discovery of their attack, and they are still uncovering information. They’ve engaged multiple security firms to help them sift through the data, but what is most astonishing is that they have only now realized that they need to hire a Chief Information Security Officer to be in charge of their security infrastructure (that’s right folks, Sony had no one focused on managing and mitigating their information risk). The last thing you want to be called in the security industry is reactive.

Now Sony is in the process of implementing defense in depth and doing things they should have been doing all along, like implementing more firewalls, intrusion prevention systems and automated patch management. Sony is big enough that most customers and the general public will have forgotten about this in 6-8 months and they’ll be one of the most secure companies in the world.

But, what about your company?

How much exposure and risk can your company endure? When your customers read the paper or hear on the news that YOU lost their information, will they continue to be loyal? Will they forget in 6-8 months and continue to do business with you? Do you want to take the chance of finding out? If none of the above scenarios appeal to you, then take note of Sony’s reactive response and implement security practices BEFORE a breach—not in reaction to one.

Tape Sucks: Avamar 6.0 Version #tapesucksmoveon


Since its release last week, there has been a lot of buzz around the Avamar 6.0. I am going to take the liberty of reading between the lines and exploring some of the good (but gory) details.

The biggest news in this release is the DDBoost/Data Domain integration into the new Avamar client binaries. This allows an Avamar client to send a backup dataset stream to a Data Domain system as opposed to an Avamar node or grid. Datasets that are not “dedupe friendly” (too large for Avamar to handle, or with very high change rates) are typically retained for shorter periods of time. These can be targeted to a DD array, but still managed through the same policies and the same backup and recovery interface.

Client types supported in this release are limited to Exchange VSS, SQL, SharePoint, Oracle and VMware image backups. Replication of data is Avamar to Avamar and Data Domain to Data Domain: there isn’t any mixing or cross-replication. Avamar coordinates the replication and replicates the metadata so that it is manageable and recoverable from either side. From a licensing perspective, Avamar requires a capacity license for the Data Domain system at a significantly reduced cost per TB. DDBoost and replication licenses are also required on the Data Domain.

There is a major shift in hardware for Avamar 6.0: 

  1. The Gen4 Hardware platform was introduced with a significant increase in storage capacity.
  2. The largest nodes now support 7.8TB per node – enabling grids of up to 124TB.
  3. The new high capacity nodes are based off of the Dell R510 hardware with 12 2TB SATA drives.
  4. To speed up indexing the new 7.8TB nodes also leverage an SSD drive for the hash tables.
  5. There are also 1.3TB, 2.6TB and 3.9TB Gen4 Nodes based off of the Dell R710 hardware.
  6. All nodes use RAID1 pairs and it seems the performance hit going to RAID5 on the 3.3TB Gen3 nodes was too high.
  7. All Gen4 nodes now run SLES (SUSE Linux) for improved security.

There were several enhancements made for grid environments. Multi-node systems now leverage the ADS switches exclusively for a separate internal network that allows the grid nodes to communicate in the event of front-end network issues. There are both HA and Non-HA front end network configurations, depending on availability requirements. In terms of grid support, it appears that the non-RAIN 1X2 is no longer a supported configuration with Gen4 nodes. Also, spare nodes are now optional for Gen4 grids if you have Premium Support.

Avamar 6.0 is supported on Gen3 hardware, so existing customers can upgrade from 4.x and 5.x versions. Gen3 hardware will also remain available for upgrades to existing grids as the mixing of Gen3 and Gen4 systems in a grid is not supported. Gen3 systems will continue to run on Red Hat (RHEL 4).

Avamar 5.x introduced vStorage API integration for VMware ESX 4.0 and later versions. This functionality provides changed block tracking for backup operations, but not for restores. Avamar 6.0 now provides in-place “Rollback” restores leveraging this same technology. This reduces restore times dramatically by restoring only the blocks that changed back into an existing VM. The other key VMware feature introduced in version 6.0 is proxy server pooling – previously, a proxy was assigned to a datastore, but now proxy servers can be pooled for load balancing in large environments.
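To make the changed-block-tracking idea concrete, here is an added example (my own toy model, not Avamar or VMware code) of what a CBT-driven rollback restore does: a backup records a content hash for every block and stores identical blocks once, the tracker records which block indices were written after the backup, and a rollback rewrites only those blocks rather than the whole disk. The block size, image contents and write pattern are all constructed for the example.

```python
"""Toy model of changed-block tracking (CBT) and an in-place rollback restore.

Added example, not product code. The disk is a list of fixed-size blocks; a
full backup stores each block in a hash-keyed store (so identical blocks are
stored once) and a manifest of per-index hashes; writes after the backup are
recorded in a CBT set; rollback rewrites only the blocks in that set.
"""
import hashlib
from typing import Dict, List, Set, Tuple

BLOCK_SIZE = 4  # bytes; deliberately tiny so the example stays readable


def split_blocks(image: bytes) -> List[bytes]:
    return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]


def block_hash(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


class TrackedDisk:
    """A disk image that records which block indices change after each backup."""

    def __init__(self, image: bytes):
        self.blocks = split_blocks(image)
        self.changed: Set[int] = set()  # the CBT map since the last backup

    def write(self, block_index: int, data: bytes) -> None:
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes are whole blocks in this model")
        self.blocks[block_index] = data
        self.changed.add(block_index)

    def image(self) -> bytes:
        return b"".join(self.blocks)


class Backup:
    """Content-addressed block store plus a manifest mapping index -> hash."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}  # dedupe: one copy per distinct block
        self.manifest: List[str] = []


def full_backup(disk: TrackedDisk) -> Backup:
    backup = Backup()
    for blk in disk.blocks:
        h = block_hash(blk)
        backup.store.setdefault(h, blk)
        backup.manifest.append(h)
    disk.changed.clear()  # a backup was taken: reset the CBT map
    return backup


def rollback_restore(disk: TrackedDisk, backup: Backup) -> int:
    """Restore in place, touching only blocks CBT says changed.

    Returns the number of blocks actually written. A block rewritten with the
    same content it had at backup time is detected by hash and skipped.
    """
    written = 0
    for idx in sorted(disk.changed):
        h = backup.manifest[idx]
        if block_hash(disk.blocks[idx]) != h:
            disk.blocks[idx] = backup.store[h]
            written += 1
    disk.changed.clear()
    return written


def demo() -> Tuple[int, int, int, bool]:
    """Returns (blocks written by rollback, blocks a full restore would write,
    distinct blocks held in the store, whether the image was fully restored)."""
    image = b"AAAABBBBCCCCAAAAEEEEFFFF"  # 6 blocks, block 0 and 3 identical
    disk = TrackedDisk(image)
    backup = full_backup(disk)
    disk.write(1, b"XXXX")  # changed after the backup
    disk.write(4, b"YYYY")  # changed after the backup
    disk.write(2, b"CCCC")  # written, but with unchanged content
    written = rollback_restore(disk, backup)
    return written, len(backup.manifest), len(backup.store), disk.image() == image


if __name__ == "__main__":
    print(demo())
```

The two numbers the demo returns side by side are the point: a full restore would write every block, while the rollback writes only the blocks the CBT map flagged (and skips the one whose content never actually differed), which is where the restore-time savings the post describes come from.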

There were several additional client enhancements on the Microsoft front, including Granular Level Recovery (GLR) support and multistreaming (1 to 6 concurrent streams) for Exchange and SharePoint clients.

All in all, the Avamar 6.0 release provides several key new features and scales significantly further than previous versions. With the addition of Data Domain as a target, tape-less backup is quickly approaching reality.


Mobile Protection Cracked: How Your Cellphone Is Threatening Your Personal Data Security


BlackBerrys, iPhones, Droids, even flip phones: these are devices that have become part of our daily lives. Within the last five years, the way we use our mobile devices has changed in dramatic ways no one could have completely predicted. We use them to call family, get directions, look up restaurants, watch movies, listen to music and do class work, and for some of us, even our jobs depend on the information contained on our mobiles. Something that most of us do not think about is the way we secure our mobile phones, the data on them, and our mobile presence.

Just recently it was revealed that the iPhone has been recording your every move since the day you activated it. “Say what?” you say, and yes, it is true. This is not the CIA tracking you; it is the simple device you carry around and use every day. You see, every time you sync or back up your phone to your PC, it uploads the historical data of where you have been to your computer. Does Apple have the right to access that data when you perform a sync to download the latest version of iTunes? You bet it does. Don’t believe me? Read the article here.

Almost weekly there are stories of identity theft through stolen wallets, credit cards, personal documents that were disposed of improperly and items of that nature. Have you ever stopped to think about what kinds of personal information you have stored on your mobile device? What would happen if someone who was even the littlest bit technologically savvy got ahold of your phone? Could they access the most critical parts of your life? Would they have access to the websites that you use on a daily basis? Would your significant other question those random text messages that you sent to a friend?

Do I keep sensitive information stored on my phone? You bet I do; it makes my day-to-day life easier. Would I feel comfortable with that data if I lost my phone or someone stole it? Of course! I take precautions to make sure that the data I care about most is buried so deep under lock and key, and backed up, that if my phone did disappear, I would be OK with it. So let’s get to the meat: how do I secure my phone and my mobile presence?

The first and most important step is to lock your phone. Set a password and set your phone to auto-lock as quickly as possible. Set your phone’s text display feature to not show the actual message until you select that message. For websites that you visit or applications that you use, turn off the auto-save feature for your username and password. Yes, this will be more of a pain than anything, but do you want to worry about someone diving into your bank account if they grabbed your phone? Lastly, keep passwords out of plain-text areas such as SMS or Notes features that are easily accessible. Download a password safe application to keep such data locked up.

Don’t fall victim to identity theft because you decided to keep your phone unlocked for ease of use. Defend yourself!

Further Reading:

Tracked by Cellphone: The Astounding Arguments of the US Government

iPhone Tracking Sparks Privacy Debate

Droid: Creepy Invasion of Privacy has never Been so Enjoyable

Is Your Boss Watching Your Blackberry?


2011 RSA Conference Rolls Out New Management Tools #datasecuritygrowsup


The older I get, the more I seem to turn into my father. Kids have it easy these days: teenagers and kids alike all have cell phones and text messaging. So when there’s a party, they just send a mass text (or better yet, a post on their Facebook wall) and a good time is had by all.

In my day, you had to be in the right place at the right time. We would ride our bikes around the neighborhood to see what everyone was up to. If we were lucky we would happen upon an impromptu party (or start one). My kids are tired of the tales I tell of how I had to walk to school uphill in the snow carrying my books and baritone saxophone. I’ve found that I have similar stories where it concerns information security and technology.

RSA’s unified eGRC strategy is one of those instances where I think back to when I developed my first information security program. I conducted interviews with business leaders and kept notes on an actual notepad. Some of those notes would make it to an Excel spreadsheet and would then lead to the development of policies and procedures created in Word documents. These documents would get approved and updated by other people in the organization in one shape or form.

As these documents changed, I tried to keep them in a central location where anyone could find them, but this didn’t always happen. I managed the documents for my group, but other groups such as Human Resources, Finance, etc. had policy and procedure documents that needed to be tracked and updated as well. These documents got scattered throughout the file system along with numerous revisions, which made it nearly impossible to discern which files and information were current.

Last year RSA purchased Archer, whose main purpose is to bring order to this process, making it truly centralized and easily manageable for an entire organization. Archer eliminates the need to email a copy of a procedure document to multiple people and get multiple versions back to be reconciled. Archer provides the ability to manage vendor contacts, incidents, and business continuity, all from a single interface.

During the 2011 RSA Conference, many strategic partnerships were announced to strengthen this eGRC platform:

  • RSA enVision: organizations can centrally collect, correlate and maintain log records in real time from every system that generates logs. This helps to “automate the identification, prioritization and resolution of enterprise security incidents”.
  • RSA DLP: organizations can identify and classify their sensitive information and ensure that it doesn’t get into the wrong hands.
  • McAfee: organizations can proactively identify, track and mitigate critical infrastructure vulnerabilities and security events.

Things just aren’t the same as they used to be. As time goes on, security and IT management get harder. Fortunately, tools are changing with the times to make the work we have to do easier and much more manageable.


Data Loss Prevention (DLP) Technology: The Meaning Behind The Marketing Buzzword


The term “Data Loss Prevention”, or “DLP” for short, is being used to universally describe any technology able to detect, and then react to, information matching one or more pre-defined patterns as it traverses network devices, servers or workstations. As is the case with the most promising and well-funded concepts (think “SaaS” or “Cloud Computing”), the term is altogether overused, fairly misleading and, as a result, not completely understood by the overwhelming majority of businesses that would benefit greatly by leveraging the technology within their respective environments.
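As an added illustration of what “detect, and then react to, information matching one or more pre-defined patterns” means in practice (my own example, not code from any DLP product), the scanner below runs a small set of content rules over messages. Each rule pairs a regular expression that finds candidates with a validator that throws out false positives, which is what keeps a pattern-based control from blocking every 16-digit ticket number; the response (allow, alert or block) is then decided from the findings. The rule set, the severities and every sample message are constructed for this example; a real deployment would carry far more pattern types and use surrounding context as well.

```python
"""Minimal DLP-style content scanner: pattern rules, validators, and a verdict.

Added example, not a product's code. Two constructed rules are shown: payment
card numbers (regex candidates checked with the Luhn checksum) and US SSNs
(regex candidates checked against the structural rules for invalid numbers).
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    validate: Optional[Callable[[str], bool]]  # drops false positives
    action: str                                # "block" or "alert"


@dataclass(frozen=True)
class Finding:
    rule: str
    matched: str
    action: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_valid(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 16 and luhn_valid(digits)


def ssn_valid(candidate: str) -> bool:
    """Reject area/group/serial values that are never issued."""
    area, group, serial = candidate.split("-")
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


# Constructed rule set: 13-16 digits with optional space/dash separators,
# and the NNN-NN-NNNN SSN layout.
RULES: List[Rule] = [
    Rule("payment_card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), card_valid, "block"),
    Rule("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_valid, "alert"),
]


def scan(text: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Return every validated match in the text."""
    findings: List[Finding] = []
    for rule in rules:
        for m in rule.pattern.finditer(text):
            if rule.validate is None or rule.validate(m.group(0)):
                findings.append(Finding(rule.name, m.group(0), rule.action))
    return findings


def decide(text: str) -> str:
    """Most severe action wins: block > alert > allow."""
    findings = scan(text)
    if any(f.action == "block" for f in findings):
        return "block"
    return "alert" if findings else "allow"


# Constructed sample traffic; the card number is a well-known test value.
SAMPLE_MESSAGES = [
    "Card on file: 4111 1111 1111 1111, exp 12/29",
    "ticket 1234 5678 9012 3456 (not a card, fails Luhn)",
    "Applicant SSN 123-45-6789 attached",
    "SSN 000-12-3456 is a form placeholder",
    "call 555-867-5309 about the order",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{decide(msg):5}  {msg}  {scan(msg)}")
```

The validator step is the part worth copying: a regex alone flags the second and fourth samples too, and a DLP control that blocks on raw pattern hits trains users to route around it.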
