Archive for the ‘Information Security’ Category

What is OFAC? Why is it important for Information Security? OFAC Countries.

Thursday, August 23rd, 2012

OFAC stands for Office of Foreign Assets Control.

The Office of Foreign Assets Control (OFAC), a department of the U.S. Treasury, administers and enforces economic and trade sanctions primarily against:

1. Governments of countries targeted by OFAC regulations
2. Terrorism
3. International narcotics traffickers
4. Proliferation of WMDs

The countries listed below are currently subject to trade sanctions:

Ivory Coast
Democratic Republic of the Congo
North Korea

In my opinion, we should not be selling them:

1. Any information security assets or information

2. Information security tools and techniques, including forensics, SIEM, malware detection, DLPs, antivirus, etc.

3. Information security services, including cyber security strategy, security incident management and response, cyber security defense and cyber security attack

What is it that a SIEM such as Arcsight, cannot do?

Monday, August 13th, 2012

SIEM (Security Information and Event Management) products such as ArcSight (now part of HP's offerings), RSA enVision and Q1Labs (now part of IBM's offerings) all share the common goal of identifying attacks, determining the actions to be taken for most types of events (remember the early days of the 'Conficker' worm attack?) and also thwarting attacks: in short, 'incident management'. They give you practically unlimited possibilities for creating policies/rules that thwart attacks or trace them, in a few instances far enough to pursue the attackers and bring them to court.

But there is one thing that no SIEM can do, because of the nature of the beast: identify and thwart attacks from a jump-off source and from a spoofed source (at multiple levels).

Attacks from a jump-off source: attackers are very creative in spreading a worm or whatever the payload may be, with the attack seemingly coming from several servers in diverse locations, for example from servers in Israel, Iran, etc. In reality, the servers in Israel, Iran, etc. merely bounce the incoming packets on to the attacked destination, making it seem as though the attack came from a server in those locations. This is similar to what we see in movies where the police tracking a villain's call see it coming from one location a minute ago and from another, far-away location the next minute. Ideally, a SIEM would have to be intelligent enough to fingerprint packets and find a common signature among the attacking packets.

Also, one common behavior of any malware is to 'contact home': once it has infected a computer, the malware sends status or contacts the source server for next steps. Would that mean the 'jump-off servers' send these packets back to the original source? I am not sure about that, but theoretically this bounce back to the source attacking server should happen. Let me know what you think!

Attacks from a spoofed source: as the name says, the source address is a spoofed address, not the true source IP address.

For both of the above, unless there is data such as the CAM table of the network switches at the source network (why would someone share this info??) and/or a signature that indicates the geo-location of the source of the attacker, it would be next to impossible to figure out the source.
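The "fingerprint the packets and find a common signature" idea above can be made concrete on the defender's side. The following is an added example, not code from the post or from any SIEM vendor: it takes a handful of constructed request events, masks the fields that legitimately vary between relayed copies (counters, whitespace), hashes what remains into a content fingerprint, and reports fingerprints that arrive from several distinct source addresses. The source IP is deliberately left out of the fingerprint, which is exactly why the grouping still works when the sources are jump-off relays or spoofed addresses: the signal is the shared payload, not where it claims to come from. All event data, IP addresses and the normalization rules are assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample events (not real traffic, not from the post): one request
# relayed through several "jump-off" hosts in different countries, plus
# unrelated benign requests. Only a per-request counter differs between relays.
EVENTS = [
    {"src_ip": "203.0.113.5",  "geo": "IL", "payload": "GET /upload.php?file=payload.bin HTTP/1.1 X-Req: 1"},
    {"src_ip": "198.51.100.9", "geo": "IR", "payload": "GET /upload.php?file=payload.bin HTTP/1.1 X-Req: 42"},
    {"src_ip": "192.0.2.77",   "geo": "BR", "payload": "GET /upload.php?file=payload.bin HTTP/1.1 X-Req: 9"},
    {"src_ip": "192.0.2.15",   "geo": "US", "payload": "GET /index.html HTTP/1.1"},
    {"src_ip": "203.0.113.80", "geo": "DE", "payload": "GET /about HTTP/1.1"},
    {"src_ip": "203.0.113.80", "geo": "DE", "payload": "GET /about HTTP/1.1"},  # repeat from one host
]


def normalize_payload(payload: str) -> str:
    """Mask the parts of a request that legitimately vary per copy (numbers,
    runs of whitespace, letter case) so relayed copies of one payload collapse
    to the same string. The source IP is deliberately NOT part of this."""
    masked = re.sub(r"\d+", "#", payload)
    return re.sub(r"\s+", " ", masked).strip().lower()


def fingerprint(payload: str) -> str:
    """Stable content signature (truncated SHA-256) of the normalized payload."""
    return hashlib.sha256(normalize_payload(payload).encode()).hexdigest()[:16]


def find_campaigns(events, min_sources: int = 3):
    """Group events by content fingerprint and report every fingerprint seen
    from at least `min_sources` distinct source IPs. The same payload arriving
    from many unrelated addresses is the indicator, whatever those addresses
    claim to be; a host repeating itself counts once."""
    sources = defaultdict(set)
    geos = defaultdict(set)
    sample = {}
    for ev in events:
        fp = fingerprint(ev["payload"])
        sources[fp].add(ev["src_ip"])
        geos[fp].add(ev["geo"])
        sample.setdefault(fp, ev["payload"])
    return [
        {"fingerprint": fp, "sources": sorted(ips),
         "geos": sorted(geos[fp]), "sample": sample[fp]}
        for fp, ips in sources.items()
        if len(ips) >= min_sources
    ]


if __name__ == "__main__":
    for c in find_campaigns(EVENTS):
        print(f"{c['fingerprint']}  {len(c['sources'])} sources from {c['geos']}  e.g. {c['sample']!r}")
```

Run as a script it prints one line: the relayed request, attributed to three source IPs in three countries, while the benign requests and the host that merely repeated itself stay below the threshold. In a real SIEM the normalization step is where the work is: which fields to mask depends on the protocol and on what the attacker varies, and masking too much would merge unrelated traffic.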

In practice, once a SIEM identifies a malware (Microsoft took over 4 years to identify the 'Flame' malware), attacked servers are either

  1. Contained inside a VLAN (using ArcSight TRM or ), or
  2. Quarantined ('Refresh': the hard drive is scrubbed and a new installation, hardened according to the corporate policy, is put in place), or
  3. The most recent talk of containing the malware attack is to 'sandbox' the traffic.

Sandbox technology runs on a virtual machine along with operating systems and business applications, watching files for unusual activity. When a suspicious file is spotted, the technology alerts security pros while logging unusual behavior, such as application changes and unusual network traffic. It is then up to IT staff to decide what to do.

While sandboxing doesn’t actually quarantine the file, the technology does spot threats before they can do significant damage.

I am not aware of SIEM Sandbox technology capability as of today but we can expect this in the near future.

Please let me know your thoughts on this.

DLP rules - Tips to reduce false positives and false negatives

Monday, July 9th, 2012

For those who are already conversant and comfortable with DLP, here are some tips to avoid false positives and false negatives:

a. For new rules you create, apply a 'deep data' strategy: most specific to least specific. For example, the keyword 'Company specific' or 'Company confidential' alone is not enough. Research some more and add more data. Try it with a small team and have them send out some emails that summarize confidential-type information. See if it is caught by the DLP.

b. Default rules are recommendations only; customize them to your environment, again following the 'MSLS' (most specific to least specific) rule. Do not leave the default rules in the system and expect them to work: they might work, but they may also generate false positives or false negatives.

c. False positives/negatives are not a waste of time: use them to focus on what has worked and what has not, and fine-tune.

d. Keep a comprehensive overview of the risks, or 'leak areas': always keep in mind what the potential leak areas are, apply the MSLS rule first on those areas and slowly work through the rest. Also, some rules will overlap multiple leak areas; treat them with even more care, because the risk of data aggregation is higher there.
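To show tips (a) through (d) working together, here is an added example that is not code from the post or from any DLP product. It models a DLP rule set as an ordered list of regex rules with weights, compares a 'default' set (the bare keyword 'confidential') against an MSLS set where the most specific detectors (an SSN pattern, a project codename, the 'Company Confidential' marking) carry the most weight and the bare keyword carries the least, and measures both against a small labelled set of constructed test emails, the way tip (a) suggests trying rules out on a small team before rolling them out. The rule names, patterns, weights, threshold and sample emails are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str   # regular expression, matched case-insensitively
    weight: int    # more specific evidence carries more weight


# "Default" rule set: a single generic keyword, the kind tip (b) warns about.
DEFAULT_RULES = [Rule("keyword-confidential", r"\bconfidential\b", 3)]

# Tuned rule set in MSLS order: most specific first, least specific last.
# Overlapping detectors (tip d) add up, so an email hitting several is
# flagged even when each alone is weak; the bare keyword alone is not enough.
TUNED_RULES = [
    Rule("ssn-pattern", r"\b\d{3}-\d{2}-\d{4}\b", 5),
    Rule("project-codename", r"\bProject\s+Kestrel\b", 4),
    Rule("marking-company-confidential", r"\bcompany confidential\b", 3),
    Rule("keyword-confidential", r"\bconfidential\b", 1),
]

THRESHOLD = 3  # minimum total weight before an email is blocked/flagged


def score(text: str, rules) -> tuple[int, list[str]]:
    """Return the total weight of matching rules and the names that fired."""
    total, hits = 0, []
    for rule in rules:
        if re.search(rule.pattern, text, re.IGNORECASE):
            total += rule.weight
            hits.append(rule.name)
    return total, hits


def is_leak(text: str, rules, threshold: int = THRESHOLD) -> bool:
    return score(text, rules)[0] >= threshold


# Constructed test emails (not real messages): (text, truly sensitive?).
SAMPLES = [
    ("Newsletter: our confidential-sounding holiday plans are just a joke, see you Friday", False),
    ("Per the Company Confidential roadmap, Project Kestrel ships in Q3", True),
    ("Customer record for J. Doe, SSN 123-45-6789, please process today", True),
    ("Lunch at noon?", False),
    ("Keep this confidential: the surprise party is Thursday", False),
]


def evaluate(rules, samples=SAMPLES) -> dict:
    """Count false positives and false negatives of a rule set, tip (c) style:
    the misclassified emails are the input for the next round of tuning."""
    fp = fn = 0
    for text, sensitive in samples:
        flagged = is_leak(text, rules)
        fp += flagged and not sensitive
        fn += sensitive and not flagged
    return {"false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    print("default:", evaluate(DEFAULT_RULES))
    print("tuned:  ", evaluate(TUNED_RULES))
    for text, _ in SAMPLES:
        print(score(text, TUNED_RULES), text[:50])
```

With these samples the default set flags the two harmless 'confidential' emails and misses the SSN record (two false positives, one false negative), while the tuned set gets all five right: the bare keyword no longer reaches the threshold on its own, and the SSN pattern catches the leak that contains no keyword at all. The numbers are only meaningful for this constructed set; the point is the loop of running candidate rules against labelled samples and adjusting specificity and weights from the misses.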

Hope this helps!