The PCI Council Throws The Book At Virtualization Security

Filed under: Security, Virtualization, VMware

The adoption of virtualization has skyrocketed in the past few years. Companies have found tremendous cost savings when migrating to virtual environments: lower capital expenditure, lower energy bills and, most importantly, improved operational efficiency through business continuity, automation and the ability to meet service level agreements. This spike in interest in virtualization has led to a 300% increase in the Virtualization Practice here at IDS in the past year.

Traditionally, as ease of use increases, security decreases. There is always a balancing act between security and ease of use. When organizations first began using virtualization I was immediately skeptical about how it would take off from a security perspective. There were too many questions surrounding how secure these environments would be over time or could be made over time.

Now that VMware and other big names have been running the virtualization game for some time, and virtualization has been adopted by so many different organizations, it has proved to be a solid technology and many security components have been built in and around these products. We’re just to the point now where (virtually) any hardware device can be virtualized to some extent. This is hugely important when dealing with security because we are now seeing the emergence of virtual intrusion prevention systems, firewalls and antivirus. Many of these technologies are still fairly new and really have not been truly stress tested in the field. So for all intents and purposes we hope these virtual security products will provide the same protection as their hardware counterparts.

As we in the IT field vet these virtual security appliances we also need guidance about how we can maintain compliance with the various regulatory mandates such as PCI, SOX and HIPAA.

When dealing with virtual environments, should they be treated differently than physical environments? If so, then how?

At the end of June the PCI Security Standards Council provided an update on how organizations should view their regulatory compliance as it pertains to PCI. It’s good to see this shift and it is a step towards providing clarified information about how we can continue to protect sensitive data.

The PCI DSS Virtualization Guidelines cover the various risks associated with virtualized environments as well as the Council's recommendations for securing them. The document is geared toward organizations that have adopted, or are considering, virtualization in their cardholder data environment. While we still have a long road ahead in proving that we can provide the same level of security in virtual environments as we do in the physical world, this document is a step in the right direction toward showing how we might accomplish it.

Photo Credit: umjanedoan

UPDATE: The RSA Security Breach, Subsequent Attacks, and the Status of SecurID (Upcoming Webcast June 10th)

Filed under: RSA, Security, Strong Authentication

There has been a lot of news this week regarding the RSA breach in March, which has apparently led to attacks on defense contractors Lockheed Martin and L-3 Communications. Immediately following the negative press, RSA’s President Art Coviello issued an open letter stating that they have already reached out to “high risk” customers for remediation. For all other customers following best practice guidelines, RSA says they “can be confident in their continued security.”

The attacks appear to be specifically targeted towards defense contractors as a broad scheme to get access to defense secrets and intellectual property. RSA still hasn’t been clear as to what data specifically has been compromised. It’s likely that seed records and the algorithm used to calculate token numbers may have been taken. However, the attackers would still need access to the passwords of particular users who own the token. This tells me there also had to be some malware on end user computers that recorded key strokes and passwords.

Webcast June 10th: Get up to speed on news from the latest breaches, so you can learn a comprehensive security plan to minimize your company’s risk. Register here.

It looks like RSA will be replacing current tokens and seed records for some customers and will be moving toward soft tokens and more risk-based authentication in the future to limit these types of threats. The strongest benefit is EMC’s ownership of RSA and how seriously they are taking this situation. They have a reputation to repair and they have the money to ensure that this issue gets fixed. They were already working with Lockheed Martin and it looks like they anticipated some sort of attack. Once they saw the attack taking place, they were able to stop it almost immediately.

In light of this breach, as well as Sony’s major issues, IDS is hosting a webcast with RSA to discuss the current security landscape and recent breaches at RSA, Sony and Epsilon. It is very important to us that you’re aware of how this news is unfolding so that you can do what’s best for your organization to minimize risk. IDS will continue to be your trusted advisor for all things data center and guide you in strengthening your security posture.

While this is bad PR for RSA, it points directly to the reason for our webcast on Friday. SecurID is not (and should not be) an organization’s only line of defense. It is a piece of the puzzle in a full security program, which should include protecting sensitive information while also educating users.

Please sign up for the webcast here.

Photo credit: alvaroprieto via Flickr

Why Data Loss Prevention (DLP) Matters, Compliance Regulations or Not

Filed under: Data Loss Prevention, RSA, Security

Working in IT for as long as I have, the general public often asserts that I have magical powers as I excitedly speak technological jargon while their eyes glaze over. I’m sure everyone in this industry has had similar experiences. However, it’s our job to translate our “techno geek mumbo jumbo” into broad terms for everyone to understand. Security practitioners are responsible for giving business leaders the information they need to make decisions to drive and enable their business. CEOs, HR Directors and Finance Managers don’t care about bits, files and unstructured data.

They do care, however, if confidential, non-public information about the organization makes it into the public eye.

What most people don’t understand is that data loss is often accidental and businesses need to implement processes and procedures for educating their employees about acceptable best practices. As much as we’d like to, we can’t stand over everyone’s shoulder to instruct them on when they can copy data to a USB device or email a document to their personal Gmail account so they can work on it from home.

This is where Data Loss Prevention (DLP) technology comes into play.

DLP is used to monitor, identify and protect sensitive and/or confidential data. It’s used to proactively monitor and protect data as it:

  1. Moves through the network (Data in Motion)
  2. Becomes stored data (Data at Rest)
  3. And as it’s being used (Data in Use)

The system not only discovers and classifies sensitive data, but also educates users on how to use company data properly. Plus, it helps to identify potential theft and misuse.
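As an added illustration (not code from the original post or from any DLP product), here is a small content classifier of the kind a DLP engine applies to data in motion (an outbound message) or at rest (a file): it finds card numbers that pass the Luhn check and SSN-shaped values, masks them for safe logging, and returns a policy action. The message and the policy thresholds are constructed for the example.

```python
import re

# Constructed sample message (not real data): one valid card number, one that
# fails the Luhn check, one SSN-shaped value and an unrelated order number.
SAMPLE_MESSAGE = """\
Hi Bob, the customer's card is 4539 1488 0343 6467 and the old one was
4111 1111 1111 1112 (cancelled). Her SSN is 078-05-1120 for the file.
Order number 1234567890123 is unrelated.
"""

# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str):
    """Return a list of (data_type, masked_value) findings for the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The Luhn check weeds out order numbers and other digit runs.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", "***-**-" + m.group()[-4:]))
    return findings


def policy_action(findings, block_threshold: int = 1) -> str:
    """Constructed policy: any card number blocks the transfer, an SSN alone
    is logged and the user is notified, anything else is allowed."""
    types = [t for t, _ in findings]
    if types.count("PAN") >= block_threshold:
        return "block"
    if "SSN" in types:
        return "notify"
    return "allow"


if __name__ == "__main__":
    found = classify(SAMPLE_MESSAGE)
    for data_type, value in found:
        print(f"{data_type}: {value}")
    print("action:", policy_action(found))
```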

Many companies that I talk to think they only need to consider DLP in their environment if they have compliance regulations to adhere to. Compliance is certainly an important driver for implementing DLP, but it isn’t the only driver.

All businesses have information that gives them some sort of a competitive advantage. How much is this information worth? How much damage would be done if it got into the hands of a competitor? I usually find out pretty quickly when we do an evaluation and the IT director and CIO see what’s actually leaving their network.

Here’s a 3-minute video I made with our marketing team on behalf of a customer, who showed it at his organization’s annual company-wide meeting in order to explain and demo DLP technology.

A Tale of Two Security Breaches: Sony vs RSA

Filed under: Data Loss Prevention, Log Management, RSA, Security, Strong Authentication

In March, when RSA announced that they had experienced a network attack which may have compromised their multi-factor authentication systems, it was the attack heard around the world. A few weeks later consumers received notices that email marketing firm Epsilon had also suffered a major breach of customer information belonging to companies like Chase Bank, Walgreens and TiVo. Even more recently, Sony has been in the news due to attacks on their network which have caused them to completely shut down their PlayStation Network indefinitely.

These high profile cyber attacks have had varying degrees of severity and impact. From their response time, it would seem RSA was alerted quickly and then responded even faster to minimize their public exposure. Sony, on the other hand, is continuing to find new evidence that their systems were breached at least two weeks before they had any idea what was going on. While Sony scrambles to figure out what went wrong and where it started, their PlayStation Network has been offline for a little over two weeks now.

So, what’s the difference?

I see a few pretty clear messages in these two breaches. While I hate to reference it this way, as a security company, RSA “eats its own dog food”, meaning that they use everything they in turn sell. From log consolidation and data loss prevention to governance, risk and compliance, they utilize every product they sell within their own data center. RSA also quickly announced the purchase of NetWitness following their attack, a tool which was instrumental in helping RSA find out what was breached as well as its severity.

Why wasn’t RSA able to stop this attack?

My answer is this: the primary fault concerning this particular breach lies in social engineering. Employees clicked on a link they shouldn’t have (and should have known better), and, unfortunately, security comes down to the one variable no computer program can control: human error. Basically, we are the weakest link. Despite being hit by one of the most advanced threats the security community has ever witnessed, RSA was able to react to the attack as it was taking place. Generally, with attacks of this nature, it takes companies weeks or even months before they realize that an attack has occurred or is occurring.

Looking at Sony, we see a different story. More than two weeks have passed following discovery of their attack, and they are still uncovering information. They’ve engaged multiple security firms to help them sift through the data, but what is most astonishing is that they have only now realized that they need to hire a Chief Information Security Officer to be in charge of their security infrastructure (that’s right folks, Sony had no one focused on managing and mitigating their information risk). The last thing you want to be called in the security industry is reactive.

Now Sony is in the process of implementing defense in depth and doing things they should have been doing all along, like implementing more firewalls, intrusion prevention systems and automated patch management. Sony is big enough that most customers and the general public will have forgotten about this in 6-8 months and they’ll be one of the most secure companies in the world.

But, what about your company?

How much exposure and risk can your company endure? When your customers read the paper or hear on the news that YOU lost their information, will they continue to be loyal? Will they forget in 6-8 months and continue to do business with you? Do you want to take the chance of finding out? If none of the above scenarios appeal to you, then take note of Sony’s reactive response and implement security practices BEFORE a breach—not in reaction to one.

Mobile Protection Cracked: How Your Cellphone Is Threatening Your Personal Data Security

Filed under: Backup, Data Loss Prevention, Security

BlackBerrys, iPhones, Droids, even flip phones: these devices have become a part of our daily lives. Within the last five years, the way we use our mobile devices has changed in dramatic ways no one could have completely predicted. We use them to call family, get directions, look up restaurants, watch movies, listen to music and do class work, and for some of us, even our jobs depend on the information contained on our mobiles. Something that most of us do not think about is the way we secure our mobile phones, the data on them, and our mobile presence.

Just recently it was revealed that the iPhone has been recording your every move since the day you activated it. “Say what?” you say, and yes, it is true. This is not the CIA tracking you; it is the simple device you carry around and use every day. You see, every time you sync or back up your phone to your PC, it uploads the historical data of where you have been to your computer. Does Apple have the right to access that data when you perform a sync to download the latest version of iTunes? You bet it does. Don’t believe me? Read the article HERE.

Almost weekly there are stories of identity theft through stolen wallets, credit cards, personal documents that were disposed of improperly and items of that nature. Have you ever stopped to think about what kinds of personal information you have stored on your mobile device? What would happen if someone who was even the littlest bit technologically savvy got hold of your phone? Could they access the most critical parts of your life? Would they have access to the web sites that you use on a daily basis? Would your significant other question those random text messages that you sent to a friend?

Do I keep sensitive information stored on my phone? You bet I do; it makes my day-to-day life easier. Would I feel comfortable about that data if I lost my phone or someone stole it? Of course! I take precautions to make sure that the data I care about the most is buried so deeply under lock and key, and backed up, that if my phone did disappear I would be OK with it. So let’s get to the meat: how do I secure my phone and my mobile presence?

The first and most important step is to lock your phone. Set a password and set your phone to auto-lock as quickly as possible. Set your phone’s text display feature not to display the actual message until you actually select that message. For websites that you visit or applications that you use, turn off the auto-save feature for your username and password. Yes, this will be more pain than anything, but do you want to worry about someone diving into your bank account if they grabbed your phone? Lastly, keep passwords out of plain text areas such as SMS or Notes features that are easily accessible. Download a password safe application to keep such data locked up.

Don’t fall victim to identity theft because you decided to keep your phone unlocked for ease of use. Defend yourself!

Further Reading:

Tracked by Cellphone: The Astounding Arguments of the US Government

iPhone Tracking Sparks Privacy Debate

Droid: Creepy Invasion of Privacy has never Been so Enjoyable

Is Your Boss Watching Your Blackberry?

Photo Credit: Incase.

vCenter Virtual Server: Risky or Secure? #decreasephysicalfootprint

Filed under: Security, Storage, Virtualization, VMware

“What risks do I run by using a VM for my vCenter server?” This question is one of the most frequently asked of me in the field. I like to encourage people to ask the converse question when planning for their virtual deployments: “What are the risks of using a physical server for vCenter?”

A common answer I have been given by several clients is that they do not want the management server within the environment that it is managing. This is a sensible argument to me; it is a debate I have engaged in many times as an engineer and also as a consultant. There was a time when I would have opted for a physical server. Yet, when I started asking both of the above questions, the beauty and safety of a virtual vCenter server became evident. 

Much of the aversion to a virtual vCenter server may simply be based on comfort and knowledge levels of the ESX/ESXi design and functionality. One of the big concerns clients have is this: if the host running the vCenter server dies, users lose the ability to manage the environment. This is not necessarily true though. Below I have shared the top three reasons I like a virtual vCenter server:

  1. The whole concept of virtualization = shrinking the physical footprint.
  2. Ability to take easily manageable snapshots of your vCenter server.
  3. vCenter server is a virtual machine protected by HA (High Availability).

Did you catch the last one? It’s true!

HA will protect the vCenter VM. Your vCenter server is required for the initial setup of HA; once it is configured, the hosts have their orders and will carry them out without hesitation. So if the host running the vCenter server VM fails, your vCenter server will be powered up on a surviving host, as will all the other VMs from the failed host. In the interim, users still have vSphere Client access to their surviving hosts.

With a physical server, many different hardware components can fail and render the server out of commission until a physical repair or part replacement can be performed. Even with the highest level of vendor support, a part replacement can take over 4 hours to complete. One way to protect against this is using MSCS (Microsoft Cluster Service) to create a fault tolerant physical configuration. However, this adds to your physical footprint and may increase the complexity of your environment.

There are many more pros and cons to consider when planning your virtual infrastructure, and I would love to hear some insights from people who are using both physical and virtual vCenter servers.

My thought is this: Plan implementations carefully, always weighing all sides before committing. If a physical vCenter works for now, we can always P2V it down the road!

Photo Credit: Snap-shooter

2011 RSA Conference Rolls Out New Management Tools #datasecuritygrowsup

Filed under: Data Loss Prevention, RSA, Security

The older I get, the more I seem to turn into my father. Kids have it easy these days: teenagers and kids alike all have cell phones and text messaging. So when there’s a party, they just send a mass text (or better yet, a post on their Facebook wall) and a good time is had by all.

In my day, you had to be in the right place at the right time. We would ride our bikes around the neighborhood to see what everyone was up to. If we were lucky we would happen upon an impromptu party (or start one). My kids are tired of the tales I tell of how I had to walk to school uphill in the snow carrying my books and baritone saxophone. I’ve found that I have similar stories where it concerns information security and technology.

RSA’s unified eGRC strategy is one of those instances where I think back to when I developed my first information security program. I conducted interviews with business leaders and kept notes on an actual notepad. Some of those notes would make it to an Excel spreadsheet and would then lead to the development of policies and procedures created in Word documents. These documents would get approved and updated by other people in the organization in one shape or form.

As these documents changed, I tried to keep them in a central location where anyone could find them, but this didn’t always happen. I managed the documents for my group, but other groups such as Human Resources, Finance, etc. had policy and procedure documents that needed to be tracked and updated as well. These documents got scattered throughout the file system along with numerous revisions, which made it nearly impossible to discern which files and information were current.

Last year RSA purchased Archer, with the main purpose of bringing order to this process, making it truly centralized and easily manageable for an entire organization. Archer eliminates the need to email a copy of a procedure document to multiple people and get multiple versions back to be reconciled. Archer provides the ability to manage vendor contacts, incidents, and business continuity, all from a single interface.

During the 2011 RSA Conference, many strategic partnerships were announced to strengthen this eGRC platform:

  • RSA enVision: organizations can centrally collect, correlate and maintain log records in real time from every system that generates logs. This helps to “automate the identification, prioritization and resolution of enterprise security incidents”.
  • RSA DLP: organizations can identify and classify their sensitive information and ensure that it doesn’t get into the wrong hands.
  • McAfee: organizations can proactively identify, track and mitigate critical infrastructure vulnerabilities and security events.

Things just aren’t the same as they used to be. As times go on, security and IT management gets harder. Fortunately, tools are changing with the times to make the work we have to do easier and much more manageable.

Photo Credit: frumbert

RSA Hacked: Should the Security Breach Have Customers Concerned?

Filed under: EMC, RSA, Security, Strong Authentication

Last week, RSA experienced an attack that breached their systems. Information about their multi-factor authentication products (SecurID, Authentication Manager) has been compromised.

There’s not much information right now but this attack seems to be geared toward stealing intellectual property and does not affect any current or potential RSA customers. An open letter to customers went out last Thursday and Friday from RSA regarding the breach.

Being in the IT security industry as long as I have, I know that breaches like this happen to numerous companies more times than the public is ever made aware of. So, despite RSA being a security company, they are certainly not immune. It would be nice if they shared more information with the public about the current situation, but they’re walking a fine line sharing their security information because they don’t want to divulge anything that will benefit the attacker or future attackers.

“We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

RSA Executive Chairman Art Coviello stands by his above statement that customer information is not at risk, and I agree. It will take a considerable amount of work to reverse engineer RSA’s authentication infrastructure. There is an algorithm that generates token codes, token serial numbers, token records, customer created pass codes and revolving keys. One single part can’t be used to gain significant information about any other part. I don’t think we’ll see cloned tokens floating around being used to log into people’s accounts. There are too many variables. Even if this happens, RSA would just reissue new tokens and seed records to resolve the issue.

In their letter to customers, RSA provides some recommendations to help customers strengthen their security.

Overall Recommendations from RSA:

RSA strongly urges customers to review all documents referenced in this note. Based on customer requests for prioritization of remediation, below are the most important remediation steps being recommended to customers:

  • Secure your Authentication Manager database and ensure strong policy and security regarding any exported data (see Best Practices Guides for specific instructions).
  • Review recent Authentication Manager logs for unusually high rates of failed authentications and/or next token code events, both of which could indicate suspicious activity (see Authentication Manager 6.x and 7.x Log Guidelines and Best Practices Guides for specific instructions).
  • Educate your help desk and end users on best practices for avoiding social engineering attacks such as targeted phishing (see Best Practices Guides for specific instructions).
  • Establish strong PIN and lockout policies for all users (see Best Practices Guides for specific instructions).

Additional Information:

The Best Practice Guidelines are available from: RSA SecurCare Online (SCOL).

Letter from Art Coviello:

Wired Article:
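The second recommendation in RSA's letter above (review Authentication Manager logs for unusually high rates of failed authentications and next tokencode events) is the kind of check that is easy to automate. Here is an added example, not RSA's code and not based on Authentication Manager's real log format: it runs a sliding-window count per user and event type over constructed log lines in an assumed `timestamp key=value` layout, with the event names and thresholds chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp key=value ..." format; the
# field and event names are assumptions for this example, not Authentication
# Manager's real log layout.
SAMPLE_LOG = """\
2011-03-18T09:00:01 user=alice src=10.1.1.5 event=AUTH_FAILED
2011-03-18T09:00:04 user=alice src=10.1.1.5 event=AUTH_FAILED
2011-03-18T09:00:07 user=alice src=10.1.1.5 event=AUTH_FAILED
2011-03-18T09:00:09 user=alice src=10.1.1.5 event=AUTH_FAILED
2011-03-18T09:00:12 user=alice src=10.1.1.5 event=AUTH_FAILED
2011-03-18T09:01:30 user=bob src=10.1.1.9 event=AUTH_SUCCESS
2011-03-18T09:02:10 user=carol src=10.1.1.7 event=NEXT_TOKENCODE_REQUIRED
2011-03-18T09:02:40 user=carol src=10.1.1.7 event=NEXT_TOKENCODE_REQUIRED
2011-03-18T09:03:05 user=carol src=10.1.1.7 event=NEXT_TOKENCODE_REQUIRED
2011-03-18T10:15:00 user=dave src=10.1.1.8 event=AUTH_FAILED
2011-03-18T10:16:00 user=dave src=10.1.1.8 event=AUTH_SUCCESS
"""

WATCHED = {"AUTH_FAILED", "NEXT_TOKENCODE_REQUIRED"}


def parse(line: str) -> dict:
    """Split one log line into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return rec


def find_suspicious(log_text: str, fail_threshold: int = 5,
                    next_tc_threshold: int = 3,
                    window: timedelta = timedelta(minutes=5)) -> list:
    """Raise one alert per (user, event) whose count inside a sliding
    window reaches the threshold for that event type."""
    recent = defaultdict(deque)   # (user, event) -> timestamps in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec["event"] not in WATCHED:
            continue
        key = (rec["user"], rec["event"])
        times = recent[key]
        times.append(rec["ts"])
        while times and rec["ts"] - times[0] > window:   # drop old entries
            times.popleft()
        limit = fail_threshold if rec["event"] == "AUTH_FAILED" else next_tc_threshold
        if len(times) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append({"user": rec["user"], "event": rec["event"],
                           "count": len(times), "src": rec["src"],
                           "at": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"{a['at']} {a['user']} from {a['src']}: "
              f"{a['count']}x {a['event']} within the window")
```

A single failure followed by a success (dave) never reaches the threshold, while a burst of failures (alice) or repeated next tokencode prompts (carol) each produce one alert for follow-up.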

Photo Credit: Don Hankins

Multifactor Authentication: Providing the “Strong” Protection Passwords Don’t

Filed under: Security, Strong Authentication

A few weeks ago, I was reading through some discussions posted on LinkedIn. One that caught my eye was, “How long should my password be?”

My first thought was, “Are people still talking about password lengths?”

Passwords are intended to authorize users to access only what they need access to. We’ve had questions about passwords and their effectiveness since we first began using them. Everyone in the security industry has an opinion. Many of the answers that you hear are different.

Most systems require at least 6 or 8 characters and people say this length is enough as long as you’re also incorporating alphanumeric with special characters. You’ll also hear that passwords just have to be 10 or more characters long regardless of the use of special characters and alphanumeric in order to be effective.

I’m going to take a stand and end all discussion by saying passwords are nearly useless.

Anyone with clear intent to get to your data can do so in a short period of time regardless of your password. With the current hardware processing power these days, it is trivial to “crack” passwords in a short amount of time. It becomes even easier with technology such as Rainbow Tables (I’ll leave you to do your own Google searching if you’re not familiar with this). Finally, all of this becomes moot if the attacker has physical access to the machine and/or admin control via a malicious exploit and gets a hold of the password hash on the system. What’s even easier is installing a key logger to capture all the keystrokes on the machine. GAME OVER!

I’m reminded of a study that took place a few years ago that discovered that people were willing to give away their passwords in exchange for a piece of chocolate. It was never verified that the passwords given were accurate but people have freely given me their password (without being asked) in exchange for nothing at all. Ultimately, it comes down to the weakest link, which is always the end user.

Okay, so now that I’ve destroyed any amount of hope you’ve had in your passwords, there’s no need to go cry in the corner. There is a more effective way to protect your assets with proper authentication. I’m a fan of multifactor authentication (a.k.a. “strong” authentication).

Note: RSA recently announced their new platform, Authentication Manager Express, which provides strong authentication without the use of tokens, making it a more cost effective solution for SMBs. See Vaughn’s blog: “RSA Authentication Manager Express: Bringing Strong Authentication to SMBs (w/o the tokens)”.

Like using an ATM, multifactor authentication combines something you physically have with something that you know. One without the other is virtually useless.

Probably the most well known form of multifactor authentication is RSA tokens. Your password is replaced with a PIN (something you know) combined with a random number generated on a key fob (something you have). If you lose the key fob, it’s not too much to worry about because anyone who retrieves it will need to know your username and your PIN in order to gain access. This also protects against key loggers because part of your password will be a different random number each time you use it.
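An added example (not RSA's code; SecurID's own token algorithm is proprietary and is not reproduced here) of the server-side logic the paragraph describes: an HMAC-based time-step code stands in for the number on the fob, the PIN and the code are only accepted together, and a time step is never accepted twice, so a passcode captured by a key logger fails when replayed. The seed, PIN and 60-second step are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; a real token record is never hard-coded.
SEED = b"constructed-seed-value-not-a-real-token-record"
PIN = "4821"
STEP = 60          # seconds per code, like a fob that rolls every minute
DIGITS = 6


def tokencode(seed: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-step code in the style of RFC 6238 (HMAC-SHA1 over the step
    counter, dynamic truncation), standing in for the fob's number."""
    counter = int(t) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class Verifier:
    """Server side: accepts PIN + current code, each time step at most once."""

    def __init__(self, seed: bytes, pin: str, step: int = STEP):
        self.seed, self.pin, self.step = seed, pin, step
        self.last_counter = -1     # highest time step already used

    def verify(self, passcode: str, now: int) -> bool:
        counter = int(now) // self.step
        # Accept the current step and the previous one for clock drift,
        # but never a step at or below the last accepted one (replay).
        for c in (counter, counter - 1):
            if c <= self.last_counter:
                continue
            expected = self.pin + tokencode(self.seed, c * self.step, self.step)
            # Constant-time comparison of the whole PIN + code string.
            if hmac.compare_digest(passcode, expected):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    v = Verifier(SEED, PIN)
    t = 1_300_000_000
    captured = PIN + tokencode(SEED, t)        # what a key logger would see
    print("first use:", v.verify(captured, t))
    print("replayed 5 s later:", v.verify(captured, t + 5))
    print("fob code without PIN:", v.verify(tokencode(SEED, t + STEP), t + STEP))
```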

As always, when talking about security, layers are necessary. There is no such thing as being totally “secure”. Multifactor authentication is a great piece of the puzzle, but we still need to take other measures against malicious code (e.g. viruses, key loggers, root kits, etc.). All systems need to be hardened to protect against various types of penetration. That’s why we still need firewalls, intrusion prevention systems and the like.

[Photo credit to Mike Gdovin via Flickr]

RSA Authentication Manager Express: Bringing Strong Authentication to SMBs (w/o the Tokens)

Filed under: RSA, Security, Strong Authentication

RSA has recently introduced a new platform for strong authentication, Authentication Manager Express. It’s getting a lot of much deserved press for being the first to market multifactor authentication perfect for small to medium-sized businesses.

In fact, in an article in the MidMarket section of covering the release, our very own Justin Mescher was interviewed to provide his commentary:

Justin Mescher, CTO of Integrated Data Storage, said RSA’s product is cost-competitive, implements seamlessly into almost any IT environment and is designed to be one of the easiest ways to add another layer of security to resources that require user remote access. “Coupled with an expanded set of RSA SecurWorld reseller training resources and benefits, we expect Authentication Manager Express will help us drive new interest among midmarket customers that were previously hesitant to consider strong authentication solutions priced and designed for larger enterprises,” he said.

To reiterate Justin’s point, the reason this system is so appealing is that it removes the barrier to entry for SMBs to implement strong authentication. Up to this point, many organizations have felt that it’s cost prohibitive to purchase and maintain hardware tokens for their users. Authentication Manager Express uses both risk-based authentication and on-demand authentication without the need for tokens, leveraging their current Active Directory structure.

The system is designed to work with SSL VPNs and web portals to provide protection against unauthorized access. Users continue to use their user names and passwords, while the intelligent risk engine detects abnormal behavior. If the user generally logs into the SSL VPN from a particular workstation in Chicago, IL and is later seen trying to authenticate from a workstation in France, the system will prompt the user with a challenge question to verify their identity. The user could also be prompted for an on-demand token code that’s delivered to their mobile phone via SMS or email before they’re allowed access to the system.
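To make the Chicago-to-France scenario concrete, here is an added example of a minimal risk engine (my own illustration, not RSA's risk model or code): each login is scored against the user's accepted history by device, country and hour of day, and a score over the threshold returns a step-up challenge instead of an allow. The weights, threshold and attributes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str   # e.g. a device cookie or certificate thumbprint
    country: str
    hour: int        # local hour of day, 0-23


class RiskEngine:
    """Scores a login against the user's history of accepted logins and
    decides between allowing it and demanding a second factor."""

    # Constructed weights; a product's risk model is far richer than this.
    NEW_DEVICE, NEW_COUNTRY, ODD_HOUR = 30, 40, 15

    def __init__(self, stepup_threshold: int = 40):
        self.history = {}            # user -> list of accepted LoginAttempts
        self.threshold = stepup_threshold

    def score(self, a: LoginAttempt):
        """Return (score, reasons) for the attempt against the user's history."""
        past = self.history.get(a.user, [])
        if not past:
            # First sighting becomes the baseline (an enrollment step in practice).
            return 0, []
        score, reasons = 0, []
        if a.device_id not in {p.device_id for p in past}:
            score += self.NEW_DEVICE
            reasons.append("new_device")
        if a.country not in {p.country for p in past}:
            score += self.NEW_COUNTRY
            reasons.append("new_country")
        if all(abs(a.hour - p.hour) > 2 for p in past):
            score += self.ODD_HOUR
            reasons.append("unusual_hour")
        return score, reasons

    def decide(self, a: LoginAttempt):
        """Return ('allow', reasons) or ('challenge', reasons); a challenge
        means a question or an on-demand code by SMS/email is required."""
        score, reasons = self.score(a)
        if score >= self.threshold:
            return "challenge", reasons
        self.history.setdefault(a.user, []).append(a)
        return "allow", reasons

    def complete_challenge(self, a: LoginAttempt, passed: bool) -> str:
        """Second step after a challenge: on success the context is learned
        so the same workstation and location are trusted next time."""
        if not passed:
            return "deny"
        self.history.setdefault(a.user, []).append(a)
        return "allow"


if __name__ == "__main__":
    engine = RiskEngine()
    engine.decide(LoginAttempt("jdoe", "ws-chi-01", "US", 9))   # baseline
    print(engine.decide(LoginAttempt("jdoe", "ws-par-77", "FR", 3)))
```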

I had the privilege of being one of the few users to beta test this appliance in my lab over the past few months and I’m excited to begin talking about how organizations will be able to leverage the system. I’ve got a number of customers that have been asking for a cost effective way to implement strong authentication and RSA has finally made this possible. Building on Authentication Manager and the well known SecurID, Authentication Manager Express will help meet the needs of customers who want to use multifactor authentication and also require a system that is manageable and convenient for their users.

[Photo credit to Jeff Tabaco via Flickr]