This is an excellent series of articles by Kai the Security Guy about insider threat, to help understand the issue, and answer some tricky questions, such as “why do companies ignore it?”, “how big is the risk?”, “why do they do it?” and “what are they after?”.
“Dripping Data: Understanding and Reducing Insider Threat”
(part I, part II, part III, part IV, part V, part VI)
Apparently more parts are yet to be published. I’ll add the appropriate links as Kai posts them.
Modern operating systems typically have thousands of files, and thousands of hierarchically nested folders. There are cases in which we need an overview of the contents of a hard drive (or a USB pendrive, or a DVD), and need to find out quickly what sizes and types of files are on it. This is the case during the initial phases of a forensics investigation.
While reading Greg Conti’s excellent “Security Data Visualization” I came across this wonderful piece of software: SequoiaView. It is developed at the Technical University of Eindhoven (The Netherlands).
“Ever wondered why your hard disk is full? Or what directory is taking up most of the space? When using conventional disk browsing tools, such as Windows Explorer, these questions may be hard to answer. With SequoiaView however, they can be answered almost immediately. SequoiaView uses a visualization technique called cushion treemaps to provide you with a single picture of the entire contents of your hard drive. You can use it to locate those large files that you haven’t accessed in one year, or to quickly locate the largest picture files on your drive.”

The software is available for free, but only for Windows systems. For Unix-like and Linux users there are several options. One of them is GDMap, which is very similar to SequoiaView, but with only some basic functionality implemented. For KDE desktops there is the powerful KDirStat (there is a Windows clone called WinDirStat). For GNOME users there is Baobab. A nice alternative is Filelight, which uses a circular representation of treemaps to show similar data (only for KDE).
Wouldn’t it be nice if popular forensics packages, such as Helix, bundled these kinds of tools?
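As an added example (not part of the original post, and not code from SequoiaView or any of the tools named above), here is a small directory walker that produces the two summaries an examiner wants at this stage: the cumulative size of every folder, which is exactly the nesting a treemap draws, and the total bytes per file type. The sample tree it builds is constructed, standing in for a mounted evidence volume.

```python
import os
import tempfile
from collections import Counter


def scan(root):
    """Return (dir_sizes, type_sizes) for the tree under root.

    dir_sizes maps each folder (relative to root, "." for root itself) to the
    total size of every file beneath it; type_sizes maps a lowercase extension
    to the bytes it occupies. Symlinks are skipped so a link pointing back into
    the tree can neither loop the walk nor inflate the totals.
    """
    dir_sizes, type_sizes = Counter(), Counter()
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            size = os.path.getsize(path)
            type_sizes[os.path.splitext(name)[1].lower() or "(none)"] += size
            # Charge the file to its own folder and to every ancestor up to root.
            for depth in range(len(parts) + 1):
                dir_sizes[os.sep.join(parts[:depth]) or "."] += size
    return dir_sizes, type_sizes


def largest(counter, n=3):
    """Top-n entries as (name, bytes) tuples, biggest first."""
    return counter.most_common(n)


def build_sample_volume():
    """Constructed sample tree (zero-filled files), not a real evidence image."""
    root = tempfile.mkdtemp(prefix="volume_")
    layout = {"docs/report.pdf": 4000, "docs/notes.txt": 500, "README": 100,
              "media/photos/cam01.jpg": 12000, "media/photos/cam02.jpg": 8000,
              "media/clip.avi": 30000}
    for rel, size in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    dirs, types = scan(build_sample_volume())
    for name, total in largest(dirs, 5) + largest(types):
        print(f"{total:>8}  {name}")
```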
Excellent article from Bruce Schneier:
“We’ve opened up a new front on the war on terror. It’s an attack on the unique, the unorthodox, the unexpected; it’s a war on different. If you act different, you might find yourself investigated, questioned, and even arrested — even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.”
Read the complete article here.
The Symantec Security Response blog reports a new local escalation of privilege vulnerability for Windows XP and Windows Server 2003 (fully patched and with latest Service Packs applied). Apparently Microsoft is already aware of the issue. Some driver included by default seems to be the culprit.

If you can read Spanish, I’ve posted an article in three parts on my personal blog about Computing Forensics.
UPDATE: The folks at Juris have translated the article to Portuguese (part I, part II, part III).
Don’t know what to read this weekend? :)
“A Multi-perspective Analysis of the Storm (Peacomm) Worm” by Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. Also, some useful links in the same site with further info on Storm.
Interesting article on “counterintelligence” initiatives to proactively stop insider attacks and information leaks: “Insider Attacks Put IT Security on the Offensive” by Tim Wilson at DarkReading.com
“Companies are beginning to see that most of the tools they are using — firewalls, intrusion prevention, log analysis, even a lot of the data leak prevention tools — are really only useful after you’ve been compromised,” says Kevin Harvey, senior sales engineer at Fidelis, who has participated in hundreds of insider threat assessments for large enterprises. “What they’re looking to do now is develop ways to proactively seek out the threats and prevent them, rather than just find out who did it.”
I wonder if it’s possible to implement this without companies misunderstanding it and turning their IT environments into Orwellian “ubiquitous law-enforcement” tools?
Another key piece of the “counterintelligence” puzzle is monitoring employee activity. “In our environment, any employee can use an online form to report suspicious activity,” says an IT security officer at a large banking company, who asked not to be identified. “That alerts corporate security, which then investigates.”
[…] Many experts also recommend using employee monitoring tools, which can help identify unusual behavior and activity at odd hours.
Two articles about the same issue. “Security to drop out of CIO spending top ten” by John Leyden at The Register, and “Spend less on IT Security, says Gartner” by SA Mathieson at InfoSecurity Magazine. Both come from a keynote speech by Gartner’s vice-president John Pescatore at the IT Security Summit in London this month.
From Mathieson’s article:
Getting to a mature stage of IT security will take many organisations some time, Pescatore said: by 2010, Gartner estimates just a fifth will have reached its ‘operations excellence’ stage where they spend just 3-4% of IT on security, while two-fifths will still be in the previous ‘corrective’ stage, spending 7-8%.
In response to a question, Pescatore dismissed the idea that insider threats are growing: he believes that attacks generated by malicious insiders are stable at 20-25%. Half come from mistakes made by insiders, while around 30% of attacks are made solely by outsiders, the majority of whom are cybercriminals.
From Leyden’s article:
For security managers the process involves persuading their counterparts in, for example, application development to include security functions in their projects. In this way security expenditure in real terms can go up even as security budgets (as such) stay flat or modestly increase. Security budgets freed from firefighting problems can then be invested with a view to managing future risks.
“Even a reduced security budget does not necessarily mean reducing security-related spending,” Pescatore said. “Security professionals need to think in terms of changing who pays for security controls,” so they can “move upstream” and spend their time and resources on more demanding projects, he added.
Gartner predicts that security spending will rise 9.3 per cent in 2007, but will drop out of the first ten spending priorities for CIOs for the first time since the prolific internet worms of 2003. Malware threats these days have evolved into targeted attacks featuring malware payloads designed not to draw attention to themselves.
It sounds reasonable. If all corporate departments assume their part in keeping the business secure (by means of security awareness, purchase of secure products and solutions, and inclusion of security-aware development practices, for example), the IT Security departments could shift from “firefighter mode” and focus on proactive security.
Excellent post from Matasano’s Thomas Ptacek about secure password schemes and the current craze about Rainbow Tables.
I loved the description of rainbow tables. It’s a jewel of precision and conciseness:
“Now let’s re-explain rainbow tables:
1. take a “dictionary” — say, of all combinations of alphanumerics less than 15 characters
2. hash all of them
3. burn the results onto a DVD.
You now have several hundred billion hash values that you can reverse back to text — a “rainbow table”. To use,
1. take your stolen table of hashes
2. for each hash
3. find it in the rainbow table.
If it’s there, you cracked it.
Here’s what you need to know about rainbow tables: no modern password scheme is vulnerable to them.”
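To see why that last sentence holds, here is an added example (mine, not Ptacek’s): the three steps from the quote run on a toy dictionary, first against an unsalted hash and then against a hash that folds in a per-user random salt. The victim password, the toy alphabet and the 3-character limit are all constructed; the table is built once and reused, which is precisely what the salt breaks.

```python
import hashlib
import itertools
import os
import string

ALPHABET = string.ascii_lowercase + string.digits
MAX_LEN = 3  # toy bound; the quote's "under 15 characters" is the same idea, scaled up


def dictionary(max_len=MAX_LEN):
    """Every alphanumeric string of 1..max_len characters (36 + 36**2 + 36**3 entries)."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            yield "".join(chars)


def build_table(algo="md5"):
    """Steps 1-3 of the quote: hash the whole dictionary once, keep hash -> plaintext."""
    return {hashlib.new(algo, pw.encode()).hexdigest(): pw for pw in dictionary()}


def unsalted_hash(password):
    """The scheme the table was precomputed for: one fixed mapping from password to hash."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Per-user random salt mixed into the input: every salt value yields a different table."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def lookup(table, stolen_hashes):
    """The 'to use' loop from the quote: plaintexts for every stolen hash the table covers."""
    return {h: table[h] for h in stolen_hashes if h in table}


def demo(victim="ab1"):
    """Returns (cracked_unsalted, cracked_salted) for a constructed victim password."""
    table = build_table()
    cracked_unsalted = lookup(table, [unsalted_hash(victim)])
    salt = os.urandom(16)  # 128-bit salt; the precomputed table knows nothing about it
    cracked_salted = lookup(table, [salted_hash(victim, salt)])
    return cracked_unsalted, cracked_salted


if __name__ == "__main__":
    unsalted, salted = demo()
    print("unsalted:", unsalted or "not found")  # recovered immediately
    print("salted:  ", salted or "not found")    # the same table finds nothing
```

Note that the salted case fails even though the attacker could rebuild the table for SHA-256: the table would have to be rebuilt per salt value, which is the precomputation the salt is there to deny.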
Which is more secure? Does the question even make sense?
Read what Roger Grimes has to say about it.