Network Strategies, Inc

Security Why Bother?

2009-10-07T11:24:00.003-04:00

The popular idea of security is something a kin to the 1980‘s movie “War Games.” Many people imagine a lone hacker sitting in his bedroom trying to break into the pentagon from the Internet. For this reason, many people believe that if their anti-virus programs are up-to-date then there is a very small likelihood they would become a victim of such a crime. The actual reality is far from this popular idea.

The Cyber-Criminal Structure

Second quarter 2008 Finjan announced that the MCRC, or Malicious, Code Research Center, found cyber criminals were anything but loners. After some research, the MCRC found that the cyber-criminal hierarchy was structured much like the Mafia. The cyber-criminal hierarchy consists of crime bosses, under bosses, and capos. Each serving a specific function while creating a division of labor to protect all the criminals involved.

Crime bosses do not commit the crimes they are like business entrepreneurs. Under bosses are in charge of operations and tools. Capos operate beneath the under bosses with their own foot soldiers and campaign managers; leading attacks against their “affiliation networks”. Finally “resellers” sell the stolen information. Resellers do not know about stealing information; they keep track of replacement rules, such as reported stolen credit cards and company specific policies.

Credit cards and bank accounts, being commodities, are low priced on the underground black market. Currently high priced items include stolen healthcare information, single sign-on credentials, e-mail addresses and FTP accounts. PINs for credit cards and bank accounts at one time sold for as much as $100, but theses days are only selling for only around $10-$20 per item.

That’s Nice, But How Does It Effect Me?

Theses treats are becoming surprisingly simple for cyber-criminals to deploy. A recent and common occurrence is when employees decide to make an extra buck by planting malicious software. Every successful deployment of malware is another opportunity for revenue. Therefore the race is on. Cyber-criminals want to own as many computers as possible. They cleverly plant malware on popular sites. All the while knowing that only a handful of products are used to protect their victims; all of which they have acquired themselves and have taken apart to find holes to circumvent security their victims machines.

So imagine if you would; a company with the resources of Microsoft, but their sole purpose is to gain information and to take control of machines. For a long time it appeared that enterprise companies and the government were the main targets, but now SMBs (small to medium businesses) are an even bigger target.

SMBs represent a large population, many of which handle sensitive information such as Social Security Numbers and/or Credit Information. They have limited IT staff and what staff they have are not specialist in the area of security. Their user population is often naive to the danger of online attacks and they rely heavily on anti-virus/anti-spyware as their only means of defense. Once infected they would have little idea that their computer slow downs were data breeches. To make things worse, if a breech was discovered it would hardly be front page news, therefore other SMBs would not be notified of this alarming trend.

So What To Do?

The mantra of security is layering. Layer your security. If one layer falters another is should be there to catch the fallout. Most important is visibility. With layered security and no visibility you have no defense (image a prison with no guards). You must have eyes on the network. Another important tool against cyber-crime is intrusion detection. An intrusion detection system (IDS), or Intrusion Prevention System (IPS), that works beyond just signatures and URLs is an absolute necessity.

An effective IPS can be difficult to find and must be tested and retested over time. These devices may be your only way of verifying that sensitive information is leaving the network and if hosts are compromised. Another important tool is having a vulnerability scan done on a regular basis. These scans look for signs of compromise and for possible holes to be exploited by malware or malicious users. It would be nice to say, “call Network Strategies;” but even if you don’t call Network Strategies please call a qualified security provider.

Scott Brumley
CEO
Network Strategies, Inc
http://www.nsisecure.com

SANS Top Security Threats

2009-09-25T09:53:00.001-04:00

The SANS institute is reporting that the highest risks for data security breeches comes from not properly patching programs. The leading culprits are Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. The second on the list was web facing websites. Sixty percent of the websites being observed are getting compromised. And this is without a low estimate considering a large number of organizations are not monitoring their systems.

In this day and age web browsers are built with more functionality which creates an opportunity for more and more breeches. Now it is not even necessary to execute or download a program to get infected. Simply visiting a website can compromise your system and all the systems connected to it.

http://www.sans.org/top-cyber-security-risks/

Cost Savings and Security Through Wireless

2009-08-14T11:30:00.001-04:00

I recently wrote this article for an Association that we belong to and figured it might be good to put it here as well. Enjoy!

Wireless, or to be more specific unlicensed ISM band wireless networks, has been all the rage for the last 10 years. Terms such as WiFi, 802.11, and hotspots are not new to the mainstream media. When these wireless networks began making their debut back in the 1990’s, they were touted as the solution to untethered networks. This was technically correct, but the ratification of IEEE 802.11 created a security hole in the technology. Ever since, the security of wireless technology has been in question making institutions hesitant to deploy them.

Now more than 10 years later, wireless vendors have made wireless more secure and more cost effective than wired networks. Now wireless is being used to replace wired network devices and in some cases it is even replacing frame-relay. In the process, wireless has created a more cost effective and a more fault tolerant solution. Several institutions, with a number of remote sites, have been able to save money and pay back their initial investment (in some cases within 18 months). The really exciting part is that a handful of wireless vendors have secured the wireless so thoroughly that the wireless security bests most wired networks.

Most wired networks do not require user authentication (username and password) to connect, therefore anyone that can connect can have their way with your network. When user authentication is required, access can be controlled by the users' permissions. Some of these wireless devices will even allow you to extend user authentication to your existing wired network as well.

When evaluating wireless technology, five important requirements come to mind. First, an integrated system is important. It is difficult to secure and manage a system that has multiple products that are not integrated (having the same vendors logo on all the devices does not count). Secondly, an identity-based system is vital to security. A system that can separate guests, employees, and vendors while meeting compliance standards is paramount.

Third, wireless should provide application continuity for reliable operation and convergence. Fourth, centralized management is required to make configuring, monitoring, and troubleshooting easy and effective. Centralized management keeps sensitive information, such as WEP keys, out of an easily stolen wireless device. Last, but not least; one should consider flexibility and scalability. A wireless system should fit easily into your existing structure, should avoid excessive upgrades, and should avoid network redesigns.

Scott Brumley
CEO
Network Strategies, Inc.

802.11n vs. Switch Networking

2009-08-02T14:55:00.003-04:00

For years the wireless pipe dream has been alive, but unrealized. Replace your cable plant with wireless and save millions. There were three major drawbacks to this idea:

1) Wireless was not secure
2) Wireless was slow
3) Wireless had poor management

With the ratification of the 802.11n, the pipe dream has become a reality. Many large enterprise clients have upgraded and are saving.

With the Aruba wireless system we have found that wireless is now:

1) More secure than most wired networks
2) Is just as fast as wired networks to the access layer (10 GB might be the wired replacement limit)
3) And with the integrated Aruba controller, it is now easy to manage

But there are a few extras that you also get with the Aruba system.

4) It is a Green technology
5) It will authenticate users (doing away with insecure WEP/WPA keys)
6) It will authorize users (Users can be authenticated to the network hardware right out of the box)
7) It will provide accounting for users (Can account for what your users are doing to your network)
8) With the Aruba solution you can also manage other vendors devices (including Cisco Wireless)
9) Can manage network load and can balance it
10) Can provide true redundancy for the clients
11) Can manages interference with neighboring wireless
12) Comes with an integrated firewall
13) Comes with an integrated IDS (Intrusion Detection System)
14) Comes with a built-in guest portal (keeping visitors off secure networks while allowing them to browser the web. And even better it can work on you wired ports too)
15) Best of all is the ROI. It saves money!

Now if you remember many other wireless vendors claimed to be able to do this as well. Take Cisco for instance. To meet the integrated solution one Aruba controller provides, Cisco requires at least 5 Cisco 6500 Catalyst switches ($$$) and a list of security and management devices. To add insult to injury while using them our technicians found that the Cisco solution was far from integrated. You have to login to many different devices to see your network activity.

Why would we be a Cyber Victim?

2009-07-16T13:01:00.005-04:00

Cisco Systems recently performed a study that showed cyber-crime is on an upswing during these tough economic times. Inside jobs are becoming more common as employees are infecting systems to make ends meet. One man recently sold off 10,000 bot nets to pay for his sick child. He said that one of his friends made $5,000 to $10,000 per week deploying bot nets for phishing attacks.

Very little technical knowledge is need to exploit a system. A person can got to a fraud subscription service to find bugs to plant and get paid.

Reference - Cyber-Criminals and the Struggling Economy

Patching Operating Systems is Not Enough

2009-07-16T12:55:00.002-04:00

In the shadow of Microsoft's latest security hole, it becomes painfully clear that vendors patches alone will not insure a safe work place.

Again these attacks are using web browsers as the delivery mechanism.

http://www.channelinsider.com/c/a/Security/Microsoft-Office-Users-Attacked-by-Cybercriminals-305650/?kc=CITCIEMNL07162009STR3

I Have Anti-Virus and a Firewall So We Are Covered

2009-05-06T08:41:00.005-04:00

Currently health care providers are being targeted for attacks. One of the latest victims is Virginia Health Professionals. This incident only highlights the under lying problem in health care security, where providers are often operating under a false sense of security. In our research the premise is consistent, "I have a firewall and anti-virus, so we are covered."

Most of the attack mitigation sites that Network Strategies has been involved in for the last 3 years were sites with firewall and anti-virus. Several times anti-virus packages as popular as Symantec had been infiltrated, without any ones knowledge. In many cases, anti-virus updates systems or operating system update systems were actually being used to spread malware.

By far the biggest hole in network security is blind trust in one or two security measures. A second is that security counter measures are often deployed then forgotten. Best Practice in Network Security requires a layered plan that is consistently monitored and maintained.

1) Are Service Packs and Service Releases up-to-date? Are you certain of it?
2) Are any update services (anti-virus and operating system) compromised and reporting falsely that the system is up-to-date?
3) Are you able to detect anomalies outside of your anti-virus and firewalls?
4) Are you able to detect when network conditions change suspiciously?
- Network Performance De gradates
- All workstations started accessing a known malware site at the same time
- Workstations that only use web browsers start sending files to FTP servers
- Servers or workstations suddenly have new services or users on them
5) Do you have accountability for systems that touch health care information?
- Network Devices
- Databases
- File Storage
The age of script kiddie is past. A new age has dawned where the bad guys have the upper hand. They have more resources than their victims. This makes it vital to layer security and to consistently double check it. It is important to keep in mind that many bad guys also buy that Symantec (insert popular anti-virus here) anti-virus or that Cisco (insert popular firewall name here) firewall. But instead of using it to protect their networks they are reverse engineering them to improve the stealth and effectiveness of their attacks.

One recent article in a popular trade rag spelled it out plainly. Bad guys get paid based on the same criteria that should be used in defending networks known as CIA, Confidentiality, Integrity, Reliability. Their systems must be reliable to maximize profits and the integrity of their data should be maintained to maximize profit. These means they need to deploy large amounts of malware. That malware must be reliable. That malware must be invisible.

Vulnerability Windows Are Increasing

2009-05-01T08:09:00.004-04:00

"Companies are only marginally better at quickly plugging security holes, while exploit writers typically produce attacks within days" - SecurityFocus.com

I found this article pretty interesting because it dealt with an issue not often talked about. Most of the time we see or hear about a vulnerability in an application and how it then takes the manufacturer days if not months to actually release a patch to fix it. This is of course bad news for organizations that simply rely on anti-virus alone to help reduce the risk window while they wait for an update or patch.

The article cited above actually raises another issue of organizations, for any number of reasons, that know they have vulnerabilities but take way too long to actually patch the systems, if even at all. According to the article, most industries are averaging around 30 days after a patch is released to then actually patch thier systems. This actually means that the vulnerability window can be as long as 2 months or more from time of discovery to patch release to patch implementation. Layering the security defenses of these systems is the best approach and goes a long way in helping reduce the risk while waiting on the patch management process to take place.

The Many Facebook Attacks

2009-04-09T13:50:00.003-04:00

It should be no surprise that social networking is a prime target for security attacks. Sites like Facebook can pave the way for attacks. A few of the attacks as per PCTools (www.pctools.com)

1. Koobface (social networking worm). It gains access to Facebook profile pages and directs you to view a video that then encourages you to update your Flash player. Malicious files such as flash_update.exe and bloivar29.exe are being downloaded and installed which results in a range of visible problems, including modifications to your Facebook profile, with the immediate result being an error message to contact support. There is also the very real potential for your identity and finances to be compromised!

2. Picture files carrying malware are "planted" on social networking websites and instant messaging programs. Hackers try to convince you that your friend has sent you a message or IM to view pictures. Legitimate looking URL when clicked on sends you to an illegitimate website hosting malicious files and executables, which have been modified to appear to be genuine picture files (jpg, gif or bmp). When you download and open those "pictures"; the malware unknowingly runs on your computer. It allows hacker to take control over your operating system as well as the information in it and exposes you to identity fraud and financial loss!

3. UPS Delivery Threat, also known as Zbot. It delivers an illegitimate file when you are visiting a counterfeit UPS delivery site. Zbot has been known to distribute via email phishing and instant messenger. Upon informing you that you have missed a UPS delivery, the message urges you to view the invoice online, which in fact sends you to the counterfeit website which downloads a malicious program designed to bypass the firewall and then steal banking and personal information.

With many health care professionals using programs like facebook, security for social networking is mandatory.

Needless to say that anti-virus and anti-spyware is important. Many of these products slow down machine performance, so for our spyware we have been relying on Webroot's SAAS product. Aside from being small and having a low impact on machine performance, it can also keep up with new malware sites at a faster rate than just about any other technology.

HIPAA Risk Assessments

2009-04-09T13:39:00.004-04:00

Since 1996, HIPAA has been more of an unenforced standard than a compliance rule. But with the enactment of the ARRA (stimulus package for health care) the HITECH Act was put into place. The HITECH Act defines enforcement bodies and penalties to health care providers who do not comply. One of the important parts of the HIPAA standard calls for risk assessments. A risk assessments should be the corner stone of any good network security plan. Risk assessments compare policies, procedures, and practices. They can identify the proper amount of effort that should be put into security Patient Healthcare Information (ePHI). And they will show how vulnerable network resources are to threats. In order to stay compliant, over the next year health care providers will be very busy scheduling these assessments with the few companies that offer this kind of service.

Malware Hosting Websites Using Geo-Location to Lure Victims

2009-03-18T09:43:00.004-04:00

People are going to surf the web no matter what you tell them about security and no matter the policies put in place. It is simply a fact of life for most businesses and their employees. And despite the fact that 2 of the largest bot-nets were recently taken down, those behind the scheme and the threat of web based attacks are still very prevalent on the web and continue to get more and more creative in how they target potential unsuspecting victims. According to a recent article on eWeek.com, these bot-net creators are now luring victims to their infected sites by targeting their geographic location making the emails more believable. The more believable the add or email, the more likely an end user is to click on it.

One of the best ways to help defend your unsuspecting users, and ultimately your network, against these types of attacks is to utilize web proxies that include virus and spyware filtering. These services will stop much of the malware out in the Internet cloud from ever making it to your network and computers. They also offer other numerous benefits such as URL blacklists and productivity increases in your users through the content filtering.

For a link to the article in the title, please click here.

Safely Dealing with Facebook in Healthcare

2009-03-02T20:12:00.000-05:00

More and more social networks are appearing on the web. Facebook is one of the most popular as of late. Facebook in itself is not bad, but some of the phishing and redirecting websites can be. Doctors of small practices didn't mind social network surfing during breaks, but the cost of potential infection was too high. After much research Network Strategies, inc finally found a solution.

Our web content filter will help protect the clients while surfing. It maintains a list of malware sites that appear each day and protects against surfers from them. It can be used to block content as well as set times when this content is ok to view. Best of all it is affordable and puts little to no overhead on the client machines.

What HITECH Act means to Healthcare?

2009-03-02T19:12:00.000-05:00

On February 19th 2009, President Obama signed the HITECH Act into effect. The HITECH Act, which stands for Health Information Technology for Economic and Clinical Health, brings funding and penalties from the HIPAA Act of 1996. Penalties vary from $100 per violation to $50,000 per violations and will be as much as $10,000 to $50,000 if there is willful neglect. The Attorney General was authorized, as of February 19th 2009, to file civil actions for any violations or threat of violations against residents of its state.

Business Associates are also required to follow and comply with all HIPAA compliance mandates. Third party business associates are also subject to CMPs (or Civil Monetary Penalties). On August 16th 2009 security breech notifications requirements will have to be meet. If more than 500 individuals in a particular state are affected then the notice will have to be announced to a prominent media outlet.

So what is the bottom line?

Security policies will need to be created and updated, risk assessments will need to be regularly performed, and security infrastructures will need to updated and audited.

Web Content, Spam, and Google Apps

2009-02-09T17:10:00.000-05:00

Network Strategies is pleased to finally have the opportunity to offer Enterprise Spam Filtering, Enterprise Content Filter, and Google Apps. These help to round out our product offering making our over-all solution almost a one stop shop.

Data Breeches Are Becoming More Costly

2009-02-06T14:34:00.000-05:00

According to one article in E-Week, the cost of a data breech is more than monetary. Businesses also loose customers. In 2007 the average cost of a data breech was $197 per record. Now in 2008 the rate has jumped to $202 per record. Loss of business accounts for 69 percent of the cost incurred by businesses that were compromised.

This is significant when one compares the cost to the rate at which data breeches occurring. In one New York Times article, they announced that the bad guys were winning because the good guys could not keep up. At this point it is believed that at least 10 million machines are compromised. These machines are used to either hijack data or to attack other sites. To make matters even worse the malicious programs are undetectable by anti-virus.

So if you see your computers or Internet connection diminishing you might want to consult and expert.

P2P Networks Rife With Health-Care Data

2009-01-30T14:37:00.000-05:00

I stumbled on an interesting article today that talks about how peer to peer file sharing client programs people use are allowing sensitive patient health care data to be leaked out onto the Internet. The applications, such as Kazaa and Bearshare to name a couple, are used to download music, movies, etc from other computers out on the web. What people often do not realize is that these applications also share YOUR data as well so others can download it. If the user is not careful, they could end up sharing their entire hard drive and ALL of their personal or confidential data and not even know it. Obviously this can lead to a number of serious consequences including legal issues and fines.

The lesson to be taken away from this article....do NOT allow P2P applications or traffic on your business network or business computers, especially if there is even a remote chance it could contain sensitive information. This type of traffic should be monitored and blocked at all times in the office or while at work to help prevent these types of preventable data leaks.

Here is a link to the article.

Providing Secure User Authentication

2008-11-20T07:59:00.000-05:00

Network Strategies, Inc. and CRYPTOCard launch new partnership

Network Strategies chooses CRYPTOCard to provide secure, robust user authentication for health care industry

Ottawa, ON and Bristol, UK – Wednesday, November 19, 2008 - CRYPTOCard, a leading provider of two-factor authentication technology, announced that full service network security company, Network Strategies, Inc. has joined the CRYPTOCard Partner Program. Headquartered in Roswell, Georgia, Network Strategies provides security services and technologies targeted at the health care industry.

As more health care providers make the transition to electronic medical records coupled with an increase in ease of access to the networks and systems that hold that information, many organizations and their patients need to be assured that this private information is not accessible to hackers or fraudsters who may affect the integrity or confidentiality of the data. Many of the most common issues with network security in health care revolve around the lack of authentication and accountability for the end users, who access network resources and private patient information.

“Over the past two years we have been systematically tightening our network security, and Network Strategies has played an integral role in helping us achieve our security goals,” said Jeffrey Peace, CIO Sentinel Healthcare Services. “Our integration of the CRYPTOCard Two-factor authentication system plays an important role in our overall security strategy because it is allowing us to improve our VPN security as well as integrate with our existing HID system for building access.”

Network Strategies believes two-factor authentication utilizing CRYPTOCard is extremely important because it allows businesses large and small to replace insecure username and passwords, which are easily hacked, stolen, guessed or even lost, with a secure one-time password device. This substantially increases security of access to the network and its resources by limiting access only to people who have the authentication device.

“We have chosen CRYPTOCard because their focus is aligned with ours. The most important part of technology is meeting the business objectives of the customer while providing a very personal experience,” said Scott Brumley, Founder of Network Strategies, Inc. “We are able to call on CRYPTOCard, just as our customers should be able to call on us by name, without reservation, when they have questions about how technology can meet their objectives.”

By utilizing CRYPTOCard’s two-factor authentication product line and managed services, Network Strategies Inc. is able to provide customers including hospitals, group practices, clinics and medical billing companies with a proven solution, which secures end user access in ways rarely seen in these environments. This, coupled with Network Strategies’ secure managed service, create complete accountability for how those users access sensitive information.

“Healthcare organizations, regardless of size and budget, cannot afford to be crippled by unplanned and lenient security practices which compromise patient identity, regulatory compliance and the safety of other important IT assets,” said Neil Hollister, President and CEO of CRYPTOCard. “Partners like Network Strategies recognize that CRYPTOCard’s unique Managed Services approach not only provides the scalability needed for each customer’s specific requirement – but it also does not require a massive investment because it is based on a simple monthly payment.”

The CRYPTOCard Partner Program

With many SMBs and enterprises depending on value-added resellers and consultants to deliver the highest standards in their security technology and services, the CRYPTOCard Partner Program is designed to be a natural extension of partners’ offerings. The program provides proven technology, with the sales and marketing support necessary to partners to develop and strengthen their security practices.

About Network Strategies, Inc.

Network Strategies, Inc. was founded in 2001 to help provide businesses of all sizes with personal, professional, and cost-effective security and consulting solutions aimed at protecting the confidentiality, integrity, and availability of the entire network and its data. Through the use of proven security technologies and trained personnel monitoring that technology, Network Strategies Inc is able to provide businesses with a comprehensive security solution that will not only increase the overall network security posture of the organization, but also assist in aligning businesses with governmental compliance policies such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) or Sarbanes-Oxley (SOX).

Network Strategies Inc. is located in Roswell, Georgia. For more information or to speak to a sales representative please contact us at 678.436.5535 or info@nsisecure.com.

About CRYPTOCard, Inc.

With the best token technology in the industry and the lowest total cost of ownership, CRYPTOCard offers unsurpassed value in solutions for positively identifying individuals before giving them access to applications, data and networks. Twenty years of technical achievements have won CRYPTOCard the trust of thousands of organizations in over seventy countries. CRYPTOCard’s solutions reduce the risks associated with remote access and web-based processes, and increase compliance, at a price all businesses can afford. The only company to offer authentication in server-based, managed service and build-it-yourself options, CRYPTOCard provides the most flexible solutions on the market. For more information, visit www.cryptocard.com

CRYPTOCard is a registered trademark of CRYPTOCard. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

Securing Medical Wireless Network

2008-09-19T12:57:00.000-04:00

If you look through the news, wireless compromises seem common place. The recent incident where 3 men from Miami were able to acquire millions of dollars worth of information while "war driving", should be a wake up call to everyone. Many of the wireless systems that are currently deployed are not secure. During many of our vulnerability scans, our security consultants have seen this issue time and time again.

Due to the growing demand for wireless security, Network Strategies has teamed up with Aruba Networks to provide a secure wireless environment for hospitals and other medical industry facilities. For years, the race to secure wireless networks was daunting. Every time vendors were able to adjust to security issues, crackers were able to break through them. It started with WEP (Wire Equivilant Privacy) which was simple to crack due to constraints caused by the need for standardization (i.e. IEEE). The latest low hanging fruit is LWAPP. LWAPP messages are used for AP (Access Point) to AP and AP to controller messages. While this protocol makes management easier, it is an open hole for security attackers. LWAPP is easily tapped and decoded. To combat this sort of attack, Aruba encrypts its LWAPP traffic from the AP to the controller making an attack more than difficult.

Another common wireless attack includes de-authentication messages. Using a combination of this and brute force attacks, crackers can collect enough data quickly to compromise 128-bit WEP with TKIP/MIC and potentially even WPA. So you can see, it is just a matter of time before the cyber-crimal is able to go from passively listening on the wireless to actually attacking it. The best defense is to create visibility, and to have ways of mitigating attacks. This is where the combination of Network Strategies and Aruba comes in to play. Aruba with is strong security architecture and Network Strategies with its managed wireless security service can keep your wireless secure.

Network Strategies with Aruba takes wireless security to a whole knew level. Our ability to see and react to what is happening both in the air and on the wire is revolutionary. Many systems that can do this require the deployment of many separate and expensive defense systems, but this is not necessary with our service. Imagine being able to allow guest access to the Internet while keeping them off your network. Then, imagine being able to quarantine attackers from guests and the network. The Network Strategies' staff and advanced security techniques allows this to be a reality and with little staffing overhead. Even more importantly for already taxed hospital IT departments, this is turn key. Hospitals and businesses can now off load the difficult to manage problem of wireless networking to Network Strategies,Inc.

US Government Concerned with Backdoors Built into Commercial Products

2008-09-15T14:26:00.000-04:00

It was interesting to read this article, and helps us to justify the path Network Strategies took. We started building much of our own equipment since commercial products were ineffective. Even worse they created a false sense of security for businesses and institutes. While CIO's and IT staff believed their networks to be secure the new era cybercrimals were sliding right through.

Cybersecurity

The real question? Will the governments plan work?

Business Week is Latest Victim of Cyber Crime

2008-09-15T11:21:00.001-04:00

Business Week is the latest victim in the war against cyber-crime. Their site was attacked with a SQL injection technique in an effort to send malware to subscribers.

Slashdot

Apparently the attack was successful.

Investigation Shows Cybercrime is Structured Like Mafia

2008-09-10T20:26:00.001-04:00

An interesting article in Eweek shows how their are campaign managers, crime bosses, and under bosses in the cyber-crime world. In their experience the sophistication in attacks increased around Q4 2007. And continues to get worse. Under bosses manage the organization deployment of trojans. The data is sold by resellers via crimeware.

http://www.eweek.com/c/a/Security/Web-Security-Report-Outlines-Structure-of-Cybercrime-Gangs/

An Inherent Problem Accross All Industries

2008-09-10T09:46:00.000-04:00

"A security researcher has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants and even oil and gas refineries." The researcher said that he "wants to raise awareness of the vulnerabilities in these systems, problems that he said are often downplayed by software vendors."

The article, found here, at NetworkWorld.com spoke about an issue with the software used by industrial companies that could lead to many of their systems being compromised or taken down. I think this article is important because this is an inherent problem seen in ALL industries, not just the one in the article. In the health care arena for instance, hospitals are chocked full of software used for anything from billing to medical records. I wonder just how many of the hostpitals actually take into consideration the security of that software and whether or not it has vulnerabilities in it that could allow unauthorized users to gain access. So much time and money is spent these days on managing Windows and other high profile patches that often times this type of software gets overlooked. Hopfully, at the very least, companies are taking other steps to protecting their software and the data it holds by implementing layered security practices in and around their networks.

Demonstration Reveals ‘Net Superattack to be Very, Very Real

2008-08-29T11:53:00.000-04:00

It seems as though more and more of the core protocols that are used in the Internet backbone are starting to reveal their weaknesses. The most recent popular one being the DNS poisoning flaw can expose users everywhere to malicious websites without them ever knowing it. Now, according to an article at www.anandtech.com, it seems as though the BGP routing protocol can also be "poisoned" and exploited. This potentially opens the door to allowing the bad guys to route traffic through their network first allowing them to snoop and capture traffic before routing it on to its destination.

Best Western Gets Slipped a Mickey

2008-08-25T15:40:00.000-04:00

No offense Mickey. Best Western appears to have fallen victim to an attack similar to the one were witnessing earlier in our blog. They were slipped a trojan that compromised guest information back to 2007 according to one article (the estimate? 8 million records).

John Bambenek from SANS had a write up that stated the importance of watching the following:

* Updating systems for software (i.e. Symantec and Microsoft update systems)
* Centralized management and Control Systems
* Payroll systems
* Web 2.0 (even though they claim it is the safest)
* And last but not least Malicious Insiders.

Let's Just Say The Kaminsky DNS Poisoning Works

2008-08-22T12:27:00.001-04:00

In the past it has been common place for malicious programs and spyware to rewrite host records, but now it has formally evolved into modifying DNS cache. It is strikingly easy to do. During our scans on some well secured networks we found the DNS were open to this attack. To add insult to injury cache records were modifiable without any security system noticing. Since then we have had to come up with approaches to find and alert on these types of modifications.

Defcon 16 Take Aways

2008-08-13T08:04:00.000-04:00

Below are just a few of the Defcon 16 highlights.

Kaminsky DNS Flaw - This allows an attacker to redirect any web browser to any site a bad guy wishes. Effects anyone with a DNS server
BGP Hack - Hackers at the Defcon gathering in Las Vegas were unknowingly hacked via and IP hijacking technique.
Medical Identity Theft - Using a hack known as the Cisco LWAPP decoder security consultants during a routine penentration test were able to retrieve 3.2 million patient records. The exploit taps packets between the Cisco AP and its controller.

Microsoft Black Tuesday August 12th

2008-08-13T07:40:00.000-04:00

This morning SANS was referring to yesterday as black Tuesday. Microsoft release a slew of updates, patches, and zero day fixes. Several are Critical and at least one should be patched immediately according to SANS.

Access Snapshot Viewer - Critical
Word Remote Code Execution - Critical
Excel Remote Code Execution - Critical
Filters in Office 2000, Office 2003, Works 8 , Project - Critical
Internet Explorer Cumulative Update - Patch Now!
Image Color mangement Windows 2000, XP, 2003 - Critical
IPSEC Policy Vista 2008 - Important
Outlook Express and Microsoft Mail - Important
Event System Windows - Important
Windows Messenger - Important
Powerpoint Office filters - Critical

http://isc.sans.org/diary.html?storyid=4876&rss

SSH Hijacking

2008-08-11T09:14:00.000-04:00

Even your putty is not safe. This was a pretty interesting article on hijacking an ssh or telnet session. Pretty easy to do as well. This could be deployed via a malicious website, email, or even an unsuspecting usb drive.

http://www.darknet.org.uk/2008/08/puttyhijack-v10-hijack-sshputty-connections-on-windows/

Attackers Try to Slip a Mickey

2008-08-11T08:21:00.000-04:00

For years the method of security was deploy and forget. A few years ago the attackers gained such an advantage that this could no longer be the preferred method. They started to reverse engineer sensors, firewalls, and anti-virus. If you hardware or software was well known you were now their low hanging fruit. Unmanned security systems were easily turned against unsuspecting companies and health care organizations. For years attackers have been the proverbial barbarians at the gates, but no longer. They are sophisticated, well funded, and make a considerable amount of money off of information, penetration, and control of others systems.

To stop them we had to turn to a tried and true approach; Sentries. Network Strategies, Inc can be compared to an organization of sentries. We actively search for and and deter attacks. With all this in mind, a few weeks ago an attempt to gain access occurred. Disguised as a harmless e-mail it found it's way through the Cisco ASA Firewall (with IPS) and the newly installed Symatec end-point system. With in seconds the Network Strategies system sprung into action. The machines were quickly isolated from the network allowing the IT department to clean off the infections at their leisure. Without this harmony of man and machine, coupled by a layered security system, these machines could have easily wreaked havoc upon the network. Even worse it could have leaked information or crashed other systems bringing large fines against the company. Upon examination of the e-mail and the infected machines a new pattern was identified and new counter measures were put into place.

The close relationship between the IT department and Network Strategies kept this incident from being a disaster. When attacks are well known, they are much easier to pin point and mitigate. Most of the dangerous ones we see daily are hybrids. And since there is an infinite combination of hybrid attacks, it is important to have a people watching your infrastructure and adapting.

CNN E-mail Attacks

2008-08-07T14:40:00.000-04:00

In the last 48 hours a barrage of e-mails have gone out on behalf of CNN.com. These e-mails lead the user to a hacked site that looks very much like cnn.com. The e-mails subject is consistent. "CNN.com Daily Top 10" but the topic vary. It leads the user to download a copy of flash.exe to their computer. This infects the machine with several trojans and a virus.

CNN Attack

Make sure if you install or upgrade flash you go to Adobe.com

Defending Against Insider Threats

2008-08-07T10:12:00.001-04:00

I wrote a short paper to help raise awareness of a not-so-new trend we are seeing more and more of, especially in the health care arena. This trend I am referring to is the problem of insider threats. These threats can be anything from disgruntled employees or contractors stealing information, to the naive employee who consistently opens email attachments from people they do not know. These types of threats that originate from the inside of company networks are on the rise and few businesses have an answer as to how to solve the problem.

The link to the paper on defending against Insider Threat can be found here.

The Poison Pill - DNS Poisoning

2008-08-06T18:51:00.000-04:00

This is important to note. Without proper intrusion detection and prevention measures this can go on without any resistance. AT&T had DNS servers that were poisoned, so their customers went to factious websites that looked like google.com, etc.

DNS is often just barely ahead of the attack curve. So they must be patched often. In many case more often than large companies can possible move due to there infrastructure overhead.

DNS Poisoning

Attack Piggybacks Microsoft Patching Service

2008-08-06T18:41:00.000-04:00

I remember this attack like it was yesterday. Last year some people began to realize that the Microsoft Patching Service could be used for great good or great evil. The system that typically patches the Operating System before a bad guy attacks was used to propagate the attacks for the bad guys.

I was pretty cleaver, but most of us in the security world believed it might be possible after the Symantec's client system, that updates signatures, had been compromised months earlier. We were happy to be ahead of the curve that year.

Microsoft Patching Attack

Symantec Update System

SANs Best Practices to Stop Top 20 Risks

2008-08-06T17:26:00.000-04:00

This seemed like a good topic to list on our blog. It comes directly from the SANS institute. SANs list of the Top 20 Biggest Risks.

Configure systems, from the first day, with the most secure configuration that your business functionality will allow, and use automation to keep users from installing/uninstalling software
Use automation to make sure systems maintain their secure configuration, remain fully patched with the latest version of the software (including keeping anti-virus software up to date)
Use proxies on your border network, configuring all client services (HTTP, HTTPS, FTP, DNS, etc.) so that they have to pass through the proxies to get to the Internet
Protect sensitive data through encryption, data classification mapped against access control, and through automated data leakage protection
Use automated inoculation for awareness and provide penalties for those who do not follow acceptable use policy.
Perform proper DMZ segmentation with firewalls
Remove the security flaws in web applications by testing programmers security knowledge and testing the software for flaws.

Stolen Credit Cards Makes Millions

2008-08-06T15:21:00.001-04:00

Three men stold 40 million card numbers. Some of the stores they cracked included TJ Maxx, Marshalls, OfficeMax, DSW, Barnes and Noble, Sports Authority, Forever 21, BJ's Wholesale Club and Boston Market. In most cases they used the wireless access point to gain entry.

3 Men held in Identity Theft Bust

Health Information Privacy and Security ACT (HIPSA)

2008-08-06T15:00:00.000-04:00

July 2007 Sen. Kennedy and Sen. Leahy introduced the Health Information Privacy and Security Act of 2007. This was designed to give HIPAA compliance teeth. HIPSA requires the Office Health Information Privacy which has the right to enforce HIPAA compliance by imposing civial and criminal penalties for the disclosure of patient information. It also directs the Attorney General to "debar" health entities from received federal programs if found guilty.

Unlike HIPAA, HIPSA allows individuals to sue for compensatory damages and receive punitive damages. It also allows authorizes state attorneys to sue and to protect whistle blowers from retaliation.

The Office of Inspector General has already started with similar audits. In March 2007 Piedmont Hospital was the first hospital provider to undergo such and audit.

Facebook Has Worms

2008-08-06T14:53:00.000-04:00

Apparently there is a new series of worms that are designed to attack facebook users. The worm turns the computer compromised into a zombie.

Facebook Worms

"Kaspersky analysts are warning users that the worms, Win32.Koobface.a. and Networm.Win32.Koobface.b, are designed to upload additional malicious modules with other functionality via the Internet. "It is highly probable that victim machines will not only be used for spreading links via these social networking sites, but the botnets will also be used for other malicious purposes," the analyst firm said in a statement. " -- Chris Gampat PC Magazine

This should be ushering in the new age for policy management. If businesses are not actively blocking these sorts of things they should at least be watching them with the ability to mitigate attacks.

Providence will pay $100,000 for HIPAA Fine

2008-08-06T14:30:00.000-04:00

From 2005 to 2006 tape backups, laptops, and optical disk drives were removed from the Providence, a Seattle based health system, premise. They were unattended and unencrypted. To settle with the federal government Providence will pay $100,000 for the HIPAA compliance failures.

http://www.bizjournals.com/portland/stories/2008/07/21/daily9.html

Again proof that HIPAA has teeth. More than likely this will trigger future audits for Providence. The laptops, tape backups, and optical disk will potentially have information that can allow bad guys on to the network with little or no effort. This is a sober call for network security monitoring. Client information could be sold as well as network information.

10 Myths of Information Security In The Medical Industry

2008-08-05T17:58:00.000-04:00

My IPS/Anti-virus/Anti-spam Software or Appliance will protect me

Anwser: You can no longer rely on these devices alone.

Up to a few years ago I might have agreed with this assessment. Most people were not being attacked. And when they were the attackers were mostly script kiddies that were easily disabled by these software and hardware solutions. In the past two to three years cybercrime has become incredibly profitable. The Russian Mafia even announced it made more from cybercrime than drugs.
Now more companies and institutions are low hanging fruit for cybercriminals. Large amounts of money is being invested in reverse engineering the standard security hardware and software. Their goal is to slip past and even exploit signature delivery systems (i.e. several worms have propagated via Symantec's service). In many cases the hackers know more about the security measures than the vendor that makes them.
We are low profile, no one will want to attack us
Answer: This is no longer the case.

This is also no longer the truth. With the increase in profitablity more scanning is taking place. There are distibuted non-tracable systems that constantly probe all addresses on the Internet. They are looking for open systems and security systems that they know how to slip past or leverage.
Our Network Engineering Team can handle the security
Answer: Network engineers are seldom expert in security and seldom have enough time to spend on security over-all. Security is a full-time job in most places. It takes constant studying and observing of hackers as they adapt.
Our Managed Security Service Provider will protect us
Answer: An MSSP often has a preferred vendor due to discounts or introduction into new accounts. They all too often blindly rely on the vendors ability to code a device that catches everything. It is important that security providers have an in depth knowledge of the bad guys more so than and in depth knowledge of a particular product.
Our Security Practices are solid
Answer: Outside audits are always a good source of tightening security. In security practices if you think that you have all your bases covered it is probably time to look closer.
We Can Not Afford To Outsource Our Security Needs.
Answer: Network Strategies main concern is competitive service pricing. Our business was born from this exact concern. What we were able to build was a hybrid of outsourcing that keeps cost down while allowing our engineers the ability to specialize on customers systems.
All of our employees are trustworthy!
Answer: And hopefully they never get angry or upset. One disgruntled employee can close your business if security is not treated with respect.
We do not need to implement policies and procedures, they will use common sense.
Answer: Even common sense can be manipulated by outside source. And what is considered common to one person is not always common. Written procedures will and practices will make operating procedures crystal clear.
We password protect our systems so they are safe from access.
Answer: Brute force attacks against username and passwords has been a staple of security breeches for decades. Even Hollywood depicts this in movies.
We dont have any systems exposed to the internet so no one can gain access.
Answer: There are many ways to access internal systems. Internal messages may be exploited as well as employee behavior. An assessment will give you a good idea if this is true or not. In our experience, at least 90% of the systems can still be accessed or exploited.