SecureWorks - On the Radar Newsletter - January 2008
Building a Security Team
For companies looking to improve security, one of the most challenging tasks is building a security team. A dedicated security team is critical in providing quick response to threats and vulnerabilities and in making risk-based priority decisions about the security stance of the company. In this article, we'll discuss exactly what it takes to build and maintain a successful security team.
Step 1: Hiring/Transferring talent
First, you need security professionals – people with the knowledge and the time to focus on security. Some organizations opt to train existing employees while others will look outside the organization. Experienced security professionals are in demand and training takes time, so you will need to plan accordingly. The lack of available talent can also make hiring security team members costly, a problem that is exacerbated if your goal is 24x7 security staffing.
Potential security team members should be subjected to a rigorous background check, because the new team member will have extraordinary access to your network. Industry certifications are a good way to assess basic experience. Two major certifications dominate the industry: the SANS (System Administration, Networking and Security) Institute's GIAC and (ISC)²'s CISSP. The CISSP certification has been around longer than the SANS GIAC and boasts more certified individuals. It is more common among policy-makers and business people who need to understand security issues. The SANS GIAC is more common among security administrators and analysts (for instance, all SecureWorks Security Operations Center analysts are required to be SANS GIAC certified).
Step 2: Training & Knowledge
Some companies opt to transfer employees from system administration or network monitoring services roles into security. This can be a wise decision because your security team will need to have a strong knowledge of how the network is configured.
There are three components to understanding security:
- A basic understanding about what is vulnerable (Network assessment)
The easy answer is, "everything". Ultimately, every piece of software on your network could be vulnerable to attack. Network protection experts need to know exactly what's installed and how it’s configured. The security team needs a deep understanding of all the software installed anywhere on the network.
Example: A classic worm attack took advantage of a vulnerability in a Microsoft database server that left the administrator account unprotected by a password; many Microsoft server applications silently installed SQL Server as a bundled component. The end result was that an attacker could identify vulnerable systems and "execute arbitrary commands". A vulnerability notice about the problem was issued.
In understanding what's vulnerable, a security team would read the CERT announcement and then, based on their network knowledge, determine whether their network is running any software affected by this announcement. That must include software that is hidden or bundled in other software. In this example, the worm did a lot of damage on networks where administrators didn't even realize they were running SQL Server because it was bundled with many other pieces of software. Knowing exactly what additional pieces of software are being installed by applications is a big part of knowing what's vulnerable.
- Knowing where to find up-to-date info on new vulnerabilities (Threat Intelligence)
Keeping track of vulnerabilities and new attack vectors is not easy. Bugtraq is a leading source of vulnerability information. For more in-depth analysis and vulnerability disclosure, CERT's vulnerability announcements and the National Infrastructure Protection Center (NIPC) provide detailed announcements. In addition, vendor web sites of companies whose software you are using may have updates. Frequently, information is duplicated across Bugtraq, vendor mailing lists, CERT, and NIPC. Security researchers need to monitor all sources; there is no centralized reporting of security issues.
Besides knowing exactly where to find current vulnerability information, security experts must have the time to read these sources regularly. Bugtraq alone can take 1/2 to 1 hour per day to read and digest. And that's just one of several sources on which a security professional must keep current.
- Knowing how to address new vulnerabilities where they occur (Risk assessment and security operations)
The security team now will need a plan for what to do when a vulnerability is discovered. Procedures will typically take into account suggestions from the source of the vulnerability announcement. For example, whenever CERT announces a new vulnerability, the announcement frequently includes suggestions on how to address the problem. Their suggestions generally take the following form:
- Turn off or filter vulnerable services
- Apply workaround solutions as temporary fixes
- Notify network monitoring services
- Obtain and install vendor patches
Each organization needs to determine how they'll apply patches or otherwise fix the vulnerability. Some questions to consider are:
- What is the impact if an attack occurs? What assets will be impacted?
- Will production services (that the outside world uses) be out during the patch?
- Are there notification requirements within the company before the patch can be applied?
- How will a new patch be tested?
- What are the fallback procedures in the case of patch failure?
A security expert knows all of these for the environment (network) in which he or she operates. Getting serious about security means more than dedicating capital resources to the task. Hardware is great, but it will prove ineffective over time without a team that holds the most current knowledge about vulnerabilities and ways to protect networks from being exploited.
After you've built your security team and provided initial training (through a combination of external and internal sources), keep in mind that you'll need to provide for continuing education for the team, including attending security conferences, new certification courses and vendor training sessions.
Step 3: Be Aware
System Administrators Are Not Security Experts
A common mistake made by IT managers is to ask system administrators or network monitoring professionals to handle security duties as part of their daily routine. System administration is a full-time job. So is working as a security expert. Neither one can or should be a collateral duty of the other. According to over 1800 computer security experts surveyed by the SANS Institute, the worst mistake a company can make that will lead to a breach is to place untrained people in security roles.
How are system administrators supposed to keep their networks secure? Create a team of security experts whose primary responsibility is to assess what's vulnerable, how it is vulnerable, and how the vulnerability can be fixed, and to communicate their findings. The network protection experts discover vulnerabilities and the system administrators apply the patches.
Applying security patches is a system administration duty, not a security duty. Administrators' primary duty is to ensure availability of system resources. Installing patches may require downtime, and therefore it makes more sense for administrators to include patching in their administrative downtime, rather than security personnel potentially affecting System Administrator job metrics.
Is Outsourcing A Good Idea?
Building a team to manage network security is a real challenge. You'll need to:
- Hire the right people or transfer existing people (a team of three people is probably the minimum size that's viable)
- Continually provide for expanding their knowledge (training with SANS, CISSP, etc. is one way)
- Establish and maintain procedures for incident response
SecureWorks helps companies deal with this challenge by providing services that complement their efforts. With a full-time research team and three 24x7 Security Operations Centers staffed by SANS GIAC certified analysts, SecureWorks can cover all the functions of a security team. For organizations with existing security staff, we complement their efforts by providing analyst support for select devices, functions or locations and by providing information and countermeasures to your security team.
Ask the Expert: Erik Petersen on FDIC Updates
According to Erik Petersen, SecureWorks' Vice President of Professional Services, the FDIC's new IT questionnaire, introduced in FIL-105-2007, is evidence of the FDIC's increasing IT examination vigor. The Sarbanes-like threat of imprisonment or fines printed below the signature block on the first page clearly ups the ante for financial executives. “When the executive officer signing off on IT's responses sees this statement, it will provide a strong effect on the signer, making them think twice. They will want to ensure every response is truly accurate,” Petersen said. Legal authority to fine and imprison is not new, but the FDIC has gone out of its way to clearly associate this power with the veracity of the financial institution's questionnaire responses.
The new questionnaire is divided into five parts. Petersen individually evaluated each part and highlighted the key elements:
- Risk Assessment – With no major changes from the 2005 IT Officer's questionnaire, this section asks for information about the individuals responsible for the organization's IT risk assessment, the procedures they follow, and whether their program is formally approved by the Board of Directors annually.
- Operations Security and Risk Management – With more system-specific questions, this section was heavily affected by the update. The questionnaire asks for encryption, incident response, security awareness training, and varying written documentation for each of the Originating Depository Financial Institutions (ODFIs) and merchant acquirers. Among the most interesting clarifications are the granular questions focused on securing and monitoring controls at a system-by-system level. The systems and platforms include not only the usual core processing and core banking systems, but also other items like Voice-over-IP (VoIP), instant messaging, routers, portable devices and more.
“The majority of banks are not going to be able to answer affirmatively to all of the FDIC's system-specific control questions,” Petersen said. “For example, very few will have the robust formal controls for detecting and responding to log events for all of the systems the FDIC lists. Banks will be responding “no” to a lot of questions in this section. Inevitably, that will lead to more scrutiny in those areas when the examiners come onsite.”
- Audit/Independent Review Program - This part of the questionnaire is focused on the financial institution's audit results and procedures. Along with the organization's auditor information, it now asks for detailed results regarding the company's information security program, independent controls reviews and vulnerability testing, penetration testing, and more.
“The FDIC questionnaire clarifies their expectations for independent review of a bank's IT security and controls. This will help everyone involved in reviewing banks' security,” Petersen commented.
- Disaster Recovery and Business Continuity Management - This section was not highly affected by the updates. Among other questions it asks about off-site backup systems and whether the Disaster Recovery/Business Continuity system has been tested successfully.
- Vendor Management and Service Provider Oversight - This section focuses on the organization's vendor management practices. Some of the vendor management requirements include: contract provision, financial condition, risk assessment, ongoing monitoring requirements, international service providers, application software compliance, and audit review.
“Overall, FIL-105-2007 normalizes the language and provides much better clarity on examination expectations,” Petersen said. “Financial institutions will have less latitude in responding. The questions are more exacting, and pointed, and consequently I expect most banks will be responding “no, this control is not in place” to more questions than in previous questionnaires. We recommend banks plan to spend more time preparing to respond to the questionnaire. Don’t wait until the FDIC sends it to you to contemplate your bank’s response. A lot of the security and controls are hard to put in place. A favorable questionnaire response depends on early planning.”
Security 101: Man in the Middle

Description
This attack is similar to a sniffer, but in this case the attacker is able to insert themselves into the stream of communication between the client and the server. The attacker can either compromise a machine that is already in the path or cause the traffic to route through a machine under his control by advertising a false route. In this architecture the attacker not only has the ability to read the traffic, but can also change the traffic being transmitted between the two endpoints. A common variant is TCP session hijacking, in which the attacker takes over an established TCP session.
Objectives
Confidentiality – Steal information
Integrity – Modify information as it is transmitted
Trust Model
The client and server both trust the network.
Strengths
Ability to detect: 2 (Med). It is hard to tell at the endpoint that an attacker has modified the traffic.
Ease: 4 (Hard). It requires being somewhere in the path between the two devices.
Weaknesses
This attack is costly because the number of places from which it can be mounted is limited. Internet Service Providers (ISPs) and other popular traffic aggregation points are often targeted so that a criminal can either sniff the traffic or get inline and modify it.
Detection Points
The best way to detect this attack is to audit the network to make sure that none of the machines are compromised and being used to sniff or modify traffic. This is generally not possible because the network often reaches beyond the administrative realm of one organization.
Prevention Points
Virtual private networking between the client and server will encrypt the traffic and prevent the attacker from being able to decrypt it and/or modify it as it passes through the network.
Use switches and VLANs instead of hubs to limit the number of devices on a single segment.
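As an added illustration (not part of the original newsletter) of the trust model and prevention points above, the model below shows why endpoints that trust the network accept modified traffic silently, and how authenticating each frame with an HMAC and a sequence number lets the receiver detect the in-path modification and replay. The shared key, the message and the `rewrite_amount` tamper function are constructed for the demo; a real deployment derives its keys from the VPN or TLS handshake, which also encrypts the traffic for confidentiality.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment gets it from the VPN/TLS key exchange.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    # Tag covers sequence number and payload, so it detects modification and replay.
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def deliver(frame: dict, in_path=None) -> dict:
    # Model of the untrusted path; `in_path` is the attacker-controlled hop, if any.
    return in_path(dict(frame)) if in_path else frame

def send_unprotected(payload: bytes, in_path=None) -> bytes:
    # Both endpoints trust the network, so whatever arrives is accepted as-is.
    return deliver({"payload": payload}, in_path)["payload"]

class AuthenticatedEndpoint:
    # One side of a channel that no longer trusts the network.
    def __init__(self, key: bytes):
        self.key, self.send_seq, self.recv_seq = key, 0, 0

    def wrap(self, payload: bytes) -> dict:
        frame = {"seq": self.send_seq, "payload": payload, "tag": mac(self.key, self.send_seq, payload)}
        self.send_seq += 1
        return frame

    def unwrap(self, frame: dict):
        # Return the payload if authentic and in sequence, otherwise None.
        if not hmac.compare_digest(mac(self.key, frame["seq"], frame["payload"]), frame["tag"]):
            return None                      # modified in transit
        if frame["seq"] != self.recv_seq:
            return None                      # replayed or reordered frame
        self.recv_seq += 1
        return frame["payload"]

def rewrite_amount(frame: dict) -> dict:
    # Constructed in-path attacker: alters the transmitted data (the Integrity objective).
    frame["payload"] = frame["payload"].replace(b"100", b"900")
    return frame

def demo() -> dict:
    msg = b"transfer 100 to account 42"
    client, server = AuthenticatedEndpoint(SHARED_KEY), AuthenticatedEndpoint(SHARED_KEY)
    results = {"unprotected": send_unprotected(msg, rewrite_amount)}   # altered, accepted
    first = client.wrap(msg)
    results["clean"] = server.unwrap(deliver(first))                            # accepted
    results["tampered"] = server.unwrap(deliver(client.wrap(msg), rewrite_amount))  # None
    results["replayed"] = server.unwrap(deliver(first))                         # None
    return results
```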
References
CERT® Advisory CA-1995-01 IP Spoofing Attacks and Hijacked Terminal Connections
SecureFacts
Average Daily Hacker Attacks Blocked By SecureWorks in 2007

This information is provided by SecureWorks Counter Threat Unit.
All third-party brands and trademarks referenced in the text above belong to their respective owners. SecureWorks' On the Radar Newsletter is not authorized by, associated with or sponsored by the respective trademark owners.
