Following “The Year of the Breach” IT Security Spending Is On The Rise

Filed under: Backup, Data Loss Prevention, Disaster Recovery, RSA, Security, Virtualization

In IT circles, the year 2011 is now known as “The Year of the Breach”. Major companies such as RSA, Sony, Epsilon, PBS and Citigroup have experienced serious, high-profile attacks. This raises the question: if major players such as these multi-million dollar companies are being breached, what does that mean for my company? How can I take adequate precautions to ensure that I’m protecting my organization’s data?

If you’ve asked yourself these questions, you’re in good company. A recent study released by TheInfoPro states that 37% of information security professionals are planning to increase their security spending in 2012.
In light of the recent security breaches, as well as the increased prevalence of mobile devices within the workplace, IT security is currently top of mind for many organizations. In fact, at most of the companies that IDS is working with, I’m also seeing executives take more of an interest in IT security. CEOs and CIOs are gaining a better understanding of technology and of what is necessary to improve the company’s security position in the future. This is a huge win for security practitioners and administrators because they are now able to get the top-level buy-in needed to make important investments in infrastructure. IT security is fast becoming part of the conversation when making business decisions.
I expect the IT infrastructure to continue to change rapidly as virtualization continues to grow and cloud-based infrastructures become more mature. We’re also dealing with an increasingly mobile workforce where employees are using their own laptops, smartphones and tablets instead of those issued by the company. Protection of these assets becomes even more important as compliance regulations become increasingly strict and true enforcement begins.
Some of the technologies that grew in 2011, and which I foresee growing further in 2012, include Data Loss Prevention, application-aware firewalls and enterprise Governance, Risk and Compliance. Each of these technologies focuses on protecting sensitive information and ensuring that authorized individuals are using this information responsibly. Moving forward into 2012, my security crystal ball tells me that everyone, from the top level down, will increase not only their security spend but, most importantly, their awareness of IT security and of just how much their organization’s data is worth protecting.
Photo Credit: Don Hankins

UPDATE: The RSA Security Breach, Subsequent Attacks, and the Status of SecurID (Upcoming Webcast June 10th)

Filed under: RSA, Security, Strong Authentication

There has been a lot of news this week regarding the RSA breach in March, which has apparently led to attacks on the defense contractors Lockheed Martin and L-3 Communications. Immediately following the negative press, RSA’s President Art Coviello issued an open letter stating that they have already reached out to “high risk” customers for remediation. For all other customers following best practice guidelines, RSA says they “can be confident in their continued security.”

The attacks appear to be specifically targeted at defense contractors as part of a broad scheme to get access to defense secrets and intellectual property. RSA still hasn’t been clear as to what data specifically has been compromised. It’s likely that seed records and the algorithm used to calculate token numbers may have been taken. However, the attackers would still need access to the passwords of the particular users who own the tokens. This tells me there also had to be some malware on end-user computers that recorded keystrokes and passwords.

It looks like RSA will be replacing current tokens and seed records for some customers and will be moving toward soft tokens and more risk-based authentication in the future to limit these types of threats. The strongest benefit is EMC’s ownership of RSA and how seriously they are taking this situation. They have a reputation to repair and they have the money to ensure that this issue gets fixed. They were already working with Lockheed Martin and it looks like they anticipated some sort of attack. Once they saw the attack taking place, they were able to stop it almost immediately.

In light of this breach, as well as Sony’s major issues, IDS is hosting a webcast with RSA to discuss the current security landscape and the recent breaches at RSA, Sony and Epsilon. It is very important to us that you’re aware of how this news is unfolding so that you can do what’s best for your organization to minimize risk. IDS will continue to be your trusted advisor for all things data center and guide you in strengthening your security posture.

While this is bad PR for RSA, it points directly to the reason for our webcast on Friday. SecurID is not (and should not be) an organization’s only line of defense. It is one piece of the puzzle in a full security program, which should include protecting sensitive information while also educating users.

Please sign up for the webcast here.

Photo credit: alvaroprieto via Flickr

Why Data Loss Prevention (DLP) Matters, Compliance Regulations or Not

Filed under: Data Loss Prevention, RSA, Security

Having worked in IT for as long as I have, I find that the general public often assumes I have magical powers as I excitedly speak technological jargon while their eyes glaze over. I’m sure everyone in this industry has had similar experiences. However, it’s our job to translate our “techno geek mumbo jumbo” into broad terms that everyone can understand. Security practitioners are responsible for giving business leaders the information they need to make decisions that drive and enable their business. CEOs, HR Directors and Finance Managers don’t care about bits, files and unstructured data.

They do care, however, if confidential, non-public information about the organization makes it into the public eye.

What most people don’t understand is that data loss is often accidental and businesses need to implement processes and procedures for educating their employees about acceptable best practices. As much as we’d like to, we can’t stand over everyone’s shoulder to instruct them on when they can copy data to a USB device or email a document to their personal Gmail account so they can work on it from home.

This is where Data Loss Prevention (DLP) technology comes into play.

DLP is used to monitor, identify and protect sensitive and/or confidential data. It’s used to proactively monitor and protect data as it:

  1. Moves through the network (Data in Motion)
  2. Becomes stored data (Data at Rest)
  3. Is being used (Data in Use)

The system not only discovers and classifies sensitive data, but also educates users on how to use company data properly. Plus, it helps to identify potential theft and misuse.
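The classification step described above is the part of DLP that practitioners most often ask to see. The following is an added example, not code from the original post or from any DLP vendor: a small content inspector that scans constructed sample documents for card numbers (validated with the Luhn check so random digit runs are not flagged), US Social Security numbers and a “confidential” marker, masks what it finds, and maps each finding to a policy action. The document contents, the patterns and the block/alert tiers are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample documents standing in for content a DLP agent would
# inspect as it is used or sent (an outbound e-mail, a file copied to USB).
SAMPLE_DOCUMENTS = {
    "q3-renewals.txt": "Customer 4111 1111 1111 1111 renewed; contact 555-0100.",
    "lunch-menu.txt": "Tuesday: tacos. Order reference 1234567812345678.",
    "hr-export.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "roadmap.txt": "INTERNAL ONLY: 2012 product roadmap draft.",
}

# 13-19 digits, optionally separated by spaces or hyphens (card candidates).
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKER_PATTERN = re.compile(r"\b(?:INTERNAL ONLY|CONFIDENTIAL)\b")

# Policy: what the engine does when a class of data is found. "alert"
# notifies the user (the educational side of DLP); "block" stops the
# transfer. These tiers are assumptions for the example.
POLICY = {"credit_card": "block", "ssn": "block", "confidential_marker": "alert"}
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


@dataclass
class Finding:
    document: str
    kind: str
    evidence: str  # masked so the finding itself does not leak the data


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters of a sensitive value."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_document(name: str, text: str) -> list[Finding]:
    """Classify one document; returns an empty list when nothing sensitive is found."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding(name, "credit_card", mask(digits)))
    for m in SSN_PATTERN.finditer(text):
        findings.append(Finding(name, "ssn", mask(m.group())))
    for m in MARKER_PATTERN.finditer(text):
        findings.append(Finding(name, "confidential_marker", m.group()))
    return findings


def decide(findings: list[Finding]) -> str:
    """Most severe policy action across all findings ('allow' when none)."""
    action = "allow"
    for f in findings:
        candidate = POLICY[f.kind]
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action


def scan_all(documents: dict[str, str]) -> dict[str, str]:
    """Document name -> policy action for every document in the batch."""
    return {name: decide(scan_document(name, text)) for name, text in documents.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_DOCUMENTS.items():
        findings = scan_document(name, text)
        print(name, decide(findings), [(f.kind, f.evidence) for f in findings])
```

The Luhn check is what keeps the lunch menu from being blocked: its sixteen-digit order reference looks like a card number to the regex but fails the checksum. The roadmap only triggers an alert, which is the point the post makes about DLP educating users rather than just stopping them.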

Many companies that I talk to think they only need to consider DLP in their environment if they have compliance regulations to adhere to. Compliance is certainly an important driver for implementing DLP, but it isn’t the only driver.

All businesses have information that gives them some sort of competitive advantage. How much is this information worth? How much damage would be done if it got into the hands of a competitor? I usually find out pretty quickly when we do an evaluation and the IT director and CIO see what’s actually leaving their network.

Here’s a 3-minute video I made with our marketing team on behalf of a customer, who showed it at his organization’s annual company-wide meeting in order to explain and demo DLP technology.

A Tale of Two Security Breaches: Sony vs RSA

Filed under: Data Loss Prevention, Log Management, RSA, Security, Strong Authentication

In March, when RSA announced that they had experienced a network attack which may have compromised their multi-factor authentication systems, it was the attack heard around the world. A few weeks later, consumers received notices that email marketing firm Epsilon had also suffered a major breach of customer information belonging to companies like Chase Bank, Walgreens and TiVo. Even more recently, Sony has been in the news due to attacks on their network which have caused them to completely shut down their PlayStation Network indefinitely.

These high-profile cyber attacks have had varying degrees of severity and impact. Judging from their response time, it would seem RSA was alerted quickly and then responded even faster to minimize their public exposure. Sony, on the other hand, is continuing to find new evidence that their system was breached at least two weeks before they had any idea what was going on. And while Sony scrambles to figure out what went wrong and where it started, their PlayStation Network has been offline for a little over two weeks now.

So, what’s the difference?

I see a few pretty clear messages in these two breaches. While I hate to reference it this way, as a security company RSA “eats its own dog food”, meaning that they use everything they sell. From log consolidation and data loss prevention to governance, risk and compliance, they utilize every product they sell within their own data center. RSA also quickly announced the purchase of NetWitness following their attack, a tool which was instrumental in helping RSA find out what was breached as well as its severity.

Why wasn’t RSA able to stop this attack?

My answer is this: the primary fault in this particular breach lies in social engineering. Employees clicked on a link they shouldn’t have (and should have known better), and, unfortunately, security comes down to the one variable no computer program can control: human error. Basically, we are the weakest link. Despite being hit by one of the most advanced threats the security community has ever witnessed, RSA was able to react to the attack as it was taking place. Generally, with attacks of this nature, it takes companies weeks or even months before they realize that an attack has occurred or is occurring.

Looking at Sony, we see a different story. More than two weeks have passed since the discovery of their attack, and they are still uncovering information. They’ve engaged multiple security firms to help them sift through the data, but what is most astonishing is that they have only now realized that they need to hire a Chief Information Security Officer to be in charge of their security infrastructure (that’s right, folks: Sony had no one focused on managing and mitigating their information risk). The last thing you want to be called in the security industry is reactive.

Now Sony is in the process of implementing defense in depth and doing things they should have been doing all along, like implementing more firewalls, intrusion prevention systems and automated patch management. Sony is big enough that most customers and the general public will have forgotten about this in 6-8 months and they’ll be one of the most secure companies in the world.

But, what about your company?

How much exposure and risk can your company endure? When your customers read the paper or hear on the news that YOU lost their information, will they continue to be loyal? Will they forget in 6-8 months and continue to do business with you? Do you want to take the chance of finding out? If none of the above scenarios appeal to you, then take note of Sony’s reactive response and implement security practices BEFORE a breach—not in reaction to one.

2011 RSA Conference Rolls Out New Management Tools #datasecuritygrowsup

Filed under: Data Loss Prevention, RSA, Security

The older I get, the more I seem to turn into my father. Kids have it easy these days: teenagers and kids alike all have cell phones and text messaging. So when there’s a party, they just send a mass text (or better yet, a post on their Facebook wall) and a good time is had by all.

In my day, you had to be in the right place at the right time. We would ride our bikes around the neighborhood to see what everyone was up to. If we were lucky we would happen upon an impromptu party (or start one). My kids are tired of the tales I tell of how I had to walk to school uphill in the snow carrying my books and baritone saxophone. I’ve found that I have similar stories where it concerns information security and technology.

RSA’s unified eGRC strategy is one of those instances where I think back to when I developed my first information security program. I conducted interviews with business leaders and kept notes on an actual notepad. Some of those notes would make it into an Excel spreadsheet and would then lead to the development of policies and procedures created in Word documents. These documents would get approved and updated by other people in the organization in one shape or form.

As these documents changed, I tried to keep them in a central location where anyone could find them, but this didn’t always happen. I managed the documents for my group, but other groups such as Human Resources, Finance, etc. had policy and procedure documents that needed to be tracked and updated as well. These documents got scattered throughout the file system along with numerous revisions, which made it nearly impossible to discern which files and information were current.

Last year RSA purchased Archer, whose main purpose is to bring order to this process, making it truly centralized and easily manageable for an entire organization. Archer eliminates the need to email a copy of a procedure document to multiple people and get multiple versions back to be reconciled. Archer provides the ability to manage vendor contacts, incidents and business continuity, all from a single interface.

During the 2011 RSA Conference, many strategic partnerships were announced to strengthen this eGRC platform:

  • RSA enVision: organizations can centrally collect, correlate and maintain log records in real time from every system that generates logs. This helps to “automate the identification, prioritization and resolution of enterprise security incidents”.
  • RSA DLP: organizations can identify and classify their sensitive information and ensure that it doesn’t get into the wrong hands.
  • McAfee: organizations can proactively identify, track and mitigate critical infrastructure vulnerabilities and security events.

Things just aren’t the same as they used to be. As time goes on, security and IT management gets harder. Fortunately, tools are changing with the times to make the work we have to do easier and much more manageable.

Photo Credit: frumbert

RSA Hacked: Should the Security Breach Have Customers Concerned?

Filed under: EMC, RSA, Security, Strong Authentication

Last week, RSA experienced an attack that breached their systems. Information about their multi-factor authentication products (SecurID, Authentication Manager) has been compromised.

There’s not much information right now but this attack seems to be geared toward stealing intellectual property and does not affect any current or potential RSA customers. An open letter to customers went out last Thursday and Friday from RSA regarding the breach.

Having been in the IT security industry as long as I have, I know that breaches like this happen to numerous companies far more often than the public is ever made aware of. So, despite RSA being a security company, they are certainly not immune. It would be nice if they shared more information with the public about the current situation, but they’re walking a fine line in sharing their security information because they don’t want to divulge anything that will benefit the attacker or future attackers.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

RSA Executive Chairman Art Coviello stands by his above statement that customer information is not at risk, and I agree. It will take a considerable amount of work to reverse engineer RSA’s authentication infrastructure. There is an algorithm that generates token codes, token serial numbers, token records, customer created pass codes and revolving keys. One single part can’t be used to gain significant information about any other part. I don’t think we’ll see cloned tokens floating around being used to log into people’s accounts. There are too many variables. Even if this happens, RSA would just reissue new tokens and seed records to resolve the issue.

In their letter to customers, RSA provides some recommendations to help customers strengthen their security.

Overall Recommendations from RSA:

RSA strongly urges customers to review all documents referenced in this note. Based on customer requests for prioritization of remediation, below are the most important remediation steps being recommended to customers:

  • Secure your Authentication Manager database and ensure strong policy and security regarding any exported data (see Best Practices Guides for specific instructions).
  • Review recent Authentication Manager logs for unusually high rates of failed authentications and/or next token code events, both of which could indicate suspicious activity (see Authentication Manager 6.x and 7.x Log Guidelines and Best Practices Guides for specific instructions).
  • Educate your help desk and end users on best practices for avoiding social engineering attacks such as targeted phishing (see Best Practices Guides for specific instructions).
  • Establish strong PIN and lockout policies for all users (see Best Practices Guides for specific instructions).
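The second recommendation, reviewing logs for unusually high rates of failed authentications and next tokencode events, is the one an administrator can act on the same day. As an added example that is not part of RSA’s letter or of this post, the script below parses constructed log lines in a hypothetical `key=value` layout (the real Authentication Manager log format is described in RSA’s log guidelines and is not reproduced here) and raises one alert per user the first time a sliding ten-minute window holds five failed authentications or two next-tokencode events. The layout, the thresholds and the window size are assumptions to adapt to your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical key=value layout; adapt LINE to
# what your authentication server actually writes.
SAMPLE_LOG = """\
2011-03-21T09:00:05Z user=asmith src=10.1.20.14 result=AUTH_SUCCESS
2011-03-21T09:01:12Z user=jdoe src=10.1.20.31 result=AUTH_FAILED
2011-03-21T09:01:40Z user=jdoe src=10.1.20.31 result=AUTH_FAILED
2011-03-21T09:02:03Z user=jdoe src=10.1.20.31 result=AUTH_FAILED
2011-03-21T09:02:30Z user=jdoe src=10.1.20.31 result=AUTH_FAILED
2011-03-21T09:03:01Z user=jdoe src=10.1.20.31 result=AUTH_FAILED
2011-03-21T09:03:19Z user=asmith src=10.1.20.14 result=AUTH_FAILED
2011-03-21T09:04:44Z user=asmith src=10.1.20.14 result=AUTH_SUCCESS
2011-03-21T09:05:10Z user=bwong src=198.51.100.7 result=NEXT_TOKENCODE_REQUIRED
2011-03-21T09:05:55Z user=bwong src=198.51.100.7 result=NEXT_TOKENCODE_REQUIRED
2011-03-21T09:06:20Z user=bwong src=198.51.100.7 result=AUTH_FAILED
this line is not in the expected format and is skipped
2011-03-21T10:30:00Z user=jdoe src=10.1.20.31 result=AUTH_FAILED
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Result codes worth counting and the per-user count inside the window that
# raises an alert. Thresholds are assumptions; tune them to your own
# normal failure rate.
THRESHOLDS = {"AUTH_FAILED": 5, "NEXT_TOKENCODE_REQUIRED": 2}
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Yield parsed events in file order; malformed lines are ignored."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        }


def find_suspicious(events, window=WINDOW, thresholds=THRESHOLDS):
    """Sliding-window count of each counted result per user.

    Returns one alert per (user, result) the first time the count inside
    the window reaches its threshold, with the sources seen in that window.
    """
    recent = defaultdict(deque)  # (user, result) -> (timestamp, src) in window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] not in thresholds:
            continue
        key = (ev["user"], ev["result"])
        q = recent[key]
        q.append((ev["ts"], ev["src"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= thresholds[ev["result"]] and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": ev["user"],
                "reason": ev["result"],
                "count": len(q),
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
                "sources": sorted({src for _, src in q}),
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(parse(SAMPLE_LOG)):
        print(f"{a['user']}: {a['count']}x {a['reason']} between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S} "
              f"from {a['sources']}")
```

Note that jdoe’s lone failure at 10:30 does not add to the earlier burst because the window has expired, and asmith’s single mistyped passcode never reaches the threshold; a reviewer would look at the two alerts, not at every failed login.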

Additional Information:

The Best Practice Guidelines are available from: RSA SecurCare Online (SCOL).

Letter from Art Coviello:

Wired Article:

Photo Credit: Don Hankins

RSA Authentication Manager Express: Bringing Strong Authentication to SMBs (w/o the Tokens)

Filed under: RSA, Security, Strong Authentication

RSA has recently introduced a new platform for strong authentication, Authentication Manager Express. It’s getting a lot of much deserved press for being the first to market multifactor authentication perfect for small to medium-sized businesses.

In fact, in an article in the MidMarket section of covering the release, our very own Justin Mescher was interviewed to provide his commentary:

Justin Mescher, CTO of Integrated Data Storage, said RSA’s product is cost-competitive, implements seamlessly into almost any IT environment and is designed to be one of the easiest ways to add another layer of security to resources that require user remote access. “Coupled with an expanded set of RSA SecurWorld reseller training resources and benefits, we expect Authentication Manager Express will help us drive new interest among midmarket customers that were previously hesitant to consider strong authentication solutions priced and designed for larger enterprises,” he said.

To reiterate Justin’s point, the reason this system is so appealing is that it removes the barrier to entry for SMBs implementing strong authentication. Up to this point, many organizations have felt that it’s cost-prohibitive to purchase and maintain hardware tokens for their users. Authentication Manager Express uses both risk-based authentication and on-demand authentication without the need for tokens, leveraging their current Active Directory structure.

The system is designed to work with SSL VPNs and web portals to provide protection against unauthorized access. Users continue to use their user names and passwords, while the intelligent risk engine detects abnormal behavior. If the user generally logs into the SSL VPN from a particular workstation in Chicago, IL and is later seen trying to authenticate from a workstation in France, the system will prompt the user with a challenge question to verify their identity. The user could also be prompted for an on-demand token code that’s delivered to their mobile phone via SMS or email before they’re allowed access to the system.
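To make the risk-engine idea concrete, here is an added example that is not RSA’s code or scoring and not part of the original post: a minimal engine that builds a per-user baseline of devices and locations from successful logins, scores each new attempt by how far it deviates from that baseline, and chooses between allowing the password alone, asking a challenge question, or sending an on-demand code. The point values, the two thresholds and the Chicago/Paris scenario are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str  # e.g. a browser/device fingerprint or workstation name
    country: str
    city: str


# Risk points for each deviation from the user's established pattern and the
# thresholds that map a score to an action. All values are assumptions for
# this example, not a vendor's scoring model.
RISK_NEW_DEVICE = 30
RISK_NEW_COUNTRY = 20
RISK_NEW_CITY = 20
CHALLENGE_AT = 20        # ask a challenge question
ON_DEMAND_CODE_AT = 50   # send a one-time code by SMS or e-mail


class RiskEngine:
    def __init__(self):
        # Per-user baseline learned only from logins that fully succeeded.
        self._devices = defaultdict(set)
        self._countries = defaultdict(set)
        self._cities = defaultdict(set)

    def assess(self, attempt: LoginAttempt) -> dict:
        """Score an attempt after the password check and pick the step-up action."""
        score, reasons = 0, []
        if attempt.device_id not in self._devices[attempt.user]:
            score += RISK_NEW_DEVICE
            reasons.append("new_device")
        if attempt.country not in self._countries[attempt.user]:
            score += RISK_NEW_COUNTRY
            reasons.append("new_country")
        if (attempt.country, attempt.city) not in self._cities[attempt.user]:
            score += RISK_NEW_CITY
            reasons.append("new_city")

        if score >= ON_DEMAND_CODE_AT:
            action = "on_demand_code"
        elif score >= CHALLENGE_AT:
            action = "challenge_question"
        else:
            action = "allow"
        return {"action": action, "score": score, "reasons": reasons}

    def record_success(self, attempt: LoginAttempt) -> None:
        """Fold a fully authenticated attempt (password plus any step-up) into the baseline."""
        self._devices[attempt.user].add(attempt.device_id)
        self._countries[attempt.user].add(attempt.country)
        self._cities[attempt.user].add((attempt.country, attempt.city))


def demo() -> list:
    """Constructed scenario from the post: a Chicago regular seen from France."""
    engine = RiskEngine()
    home = LoginAttempt("jdoe", "WS-CHI-042", "US", "Chicago")
    engine.record_success(home)  # established pattern
    attempts = [
        home,                                                  # usual workstation
        LoginAttempt("jdoe", "WS-CHI-042", "FR", "Paris"),     # own laptop abroad
        LoginAttempt("jdoe", "WS-UNKNOWN-9", "FR", "Paris"),   # unknown workstation abroad
    ]
    return [engine.assess(a)["action"] for a in attempts]


if __name__ == "__main__":
    print(demo())
```

Two design points matter here: the baseline is updated only by `record_success`, so a failed step-up never teaches the engine a new “normal”, and a user with no history at all is always stepped up, which is the safe default for a first login.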

I had the privilege of being one of the few users to beta test this appliance in my lab over the past few months, and I’m excited to begin talking about how organizations will be able to leverage the system. I’ve got a number of customers that have been asking for a cost-effective way to implement strong authentication, and RSA has finally made this possible. Building on Authentication Manager and the well-known SecurID, Authentication Manager Express will help meet the needs of customers who want to use multi-factor authentication and also require a system that is manageable and convenient for their users.

[Photo credit to Jeff Tabaco via Flickr]