Relationship Risks come from business partners and customers. Relationships are the most critical to business, which often forces security to be an afterthought.

Risk:

Relationships

Summary:

Every business has relationships with suppliers, customers, partners, and even competitors. Some relationships are a necessity, others are chosen. Often, the necessity of a relationship makes them the largest security risk--the company can't do without, so substantial risks are accepted due to a lack of choice.

Examples:

• A direct network connection to a partner company
• A file transfer with transactions automatically sent daily from a payment processor
• A customer accessible web application
• A web provider that has direct access through the firewall to an internal database

En Garde War Story:

In an unusually public case, En Garde was hired by a large government agency to test the security of their internal network resources. This agency maintains direct network connectivity with more than a dozen contractors and service providers, and, in fact, cannot function without them.

In order to ensure high reliability, security was intentionally left out of these connections by both the agency and the contractors. From the perspective of the government agency, if any of their contractors were penetrated, they were completely vulnerable as well. From the perspective of one of the contractors, they were not aware that the agency fully trusted other companies (and therefore, so did they), including competitors.

En Garde documented every network connection of any type and rearchitected the external connections to go through a layer of security which would not only protect the agency from the contractors, but the contractors from each other.

Reliability Risks are both explicit and implicit. An inaccessible or slow web site can dramatically impact how a customer perceives a business. At the other extreme, disaster recovery plans can mean life or death for a business.

Risk:

Reliability

Summary:

In the event of a disaster, every day the business is down is revenue lost. The boundary between expensive and fatal to a business is often very small. Disasters aside, a business's reputation can be substantially impacted even if simple services such as a web site are unreliable, slow, or inaccurate.

Examples:

• Lack of a disaster recovery plan
• A mission-critical database server is installed in an unlocked office
• A web server is slow or unresponsive
• Change control and patch management are loosely implemented

En Garde War Story:

En Garde was hired by a mid-sized bank to assess the reliability of a web-based banking service. During the course of our work, we discovered a half-dozen rules had been installed on the firewall to allow for a variety of audio, video, and file sharing software to run. The CSO did not know how the rules appeared and removed them.

Within an hour, the rules reappeared. An employee had added the rules at the request of various department heads without passing them through the CSO because the bank had no change control policy of any kind.

En Garde helped create a policy and procedures for rolling out new services, changing configurations of critical infrastructure, and installing patches and upgrades.

Every business has resources that absolutely, positively cannot be lost, compromised, or exposed. En Garde helps identify these resources and the level to which they need to be protected.

Risk:

Core Resources

Summary:

Security must be adapted to each business. In an ideal world, every resource would be protected equally, and none would every be exploited. Unfortunately, this would require infinite resources, impair management, and make growth difficult. In every business, there are resources that must be absolutely protected for integrity, sensitivity, availability, or any combination of those traits. En Garde helps identify these resources, and ensures the level of protection is consistent with the sensitivity.

Examples:

• Patient record exposure in a hospital
• Governmental procurement system tampering
• Medicare check delivery on time, every time
• VOIP telephone system in a customer service organization

En Garde War Story:

En Garde was hired by large city government with a somewhat checkered history of organized crime involvement. On the first day of our Risk Assessment, we compromised the payroll system and were able add ourselves as employee and change the salary of any staff member. The checks were automatically written and signed without being touched by human hands, so our attack could have cost the agency a substantial amount of money. The agency was disappointed they were attacked so easily, but the revelation and fix was a non-event.

The next day, we were able to compromise the contract bidding system, which took bids from various vendors, allowed the agency to comment and review, and then finally handled the invoicing and deliverables for the contracts. The agency immediately called an all-hands meeting of the IT staff to remedy the issue. Every other project was dropped, calls were left unanswered until the problem was completely resolved.

To the government agency, an employee writing a check to himself was bad, but not a big deal. However, any possibility that the contracting system could be tampered with is completely unacceptable. The agency must be have integrity, impartiality, and a complete lack of interference in order to function.

En Garde helped the agency by building a risk model and identifying the core resources which absolutely must be secure. We then designed a secure architecture with multiple layers of defense to protect the contract system. Finally, we conducted an application source code review and helped train staff in writing secure code.

Dozens of new Technical Vulnerabilities are created every day, exposing flaws in everything from databases to printers. These risks present an endless challenge to businesses, and need to be addressed systematically, rather than piecemeal.

Risk:

Technical Vulnerabilities

Summary:

One site documents over 21,270 vulnerabilities (as of this writing) with 64 new attacks discovered today alone. There are black-market web sites that sell so-called "zero-day" attacks (i.e. those that are unknown to anyone but the attack author) at over $10,000 a piece. This endless onslaught forces businesses to do more than simply run a security scanner and IDS, but to implement comprehensive patching programs, build minimal desktops and servers, and implement a secure architecture.

Examples:

• Patches not applied to systems
• Custom applications containing logic or design flaws
• Relay attacks (e.g. cross-site scripting, email)
• Mixed data-sensitivity architectures
• Unexpected services
• Mistakes in firewall rules

En Garde War Story:

En Garde was hired by a fortune 500 company to review their new e-Commerce web application. While the customer didn't want a full source code review, we rigorously analyzed their application from the perspective of a typical customer

Like most shopping carts, you choose the items you want, and then "check out". We discovered that by editing the raw HTML of the check out page and changing the total from $9.95 to $-9.95 and submitting that form instead, no errors were generated.

3 days later, we received our merchandise and a credit for $9.95 on the company credit card.

En Garde helped redesign the data flow within the application so that data submitted by the user was not trusted. This sort of vulnerability is extremely common. We've found vulnerabilities in the random number generation of cookies, the pricing of merchandise, passwords contained within the source of web pages, and sites that will pass any data the customer enters directly into an SQL query.

Even the best intentioned staff can cause critical security lapses. Proper procedures and policy combined with recurrent training can substantially reduce the risk from both malicious and incidental insider attacks.

Risk:

Insiders

Summary:

Most security protections are focused on keeping outsiders from reaching critical data. However, the majority of financial loss through security incidents is caused by insiders. A solid combination of policy, procedures, and training can significantly reduce the risk of insiders accidentally or maliciously damaging a business.

Examples:

• Misuse of Internet resources (web surfing, IM, P2P file sharing)
• Poor password selection
• Downloading and running untrusted programs (spyware, viruses)
• Allowing continued access to terminated employees

En Garde War Story:

En Garde was hired by a mid-sized telecommunications company to perform a social engineering test. Such a test generally starts with a very benign request from a complete stranger and progresses to assuming the identity of the company president or CIO and demanding passwords or other administrative actions.

On our first test, we called 40 people in the company and said we were from a new startup which is creating a great new calendar application. We would love it if they could download the program, try it out, and give us feedback. (The application we pointed them to simply logged that the application was run, popped up an "OK" dialog, and exited).

During the course of the day, 115 different employees of the company downloaded the program. When we checked back in with the CSO, it turned out our calls were unusual enough that the staff started talking about the calendar application and sent the URL to their friends within the company.

En Garde helped update the corporate policy to deal with downloading untrusted applications and how to resopnd to unusual requests for information. In addition, we provided a recurrent training program for staff on how to avoid such traps

Many are surprised at the quantity and content of publically available information about their business. Such public information can range from trade secrets to personal emails to entire online discussions complaining about perceived mistreatment by the company.

Risk:

Public Information Exposure

Summary:

The Internet has a memory unlike any other media. Not only can web sites publish virtually any piece of information, but there are entire archives devoted to recording what other web sites once published. In short, once a piece of information is public, removing any traces from the Internet is virtually impossible. Businesses need to know what's public knowledge, and ensure they aren't taking any ongoing risks as a result.

Examples:

• Firewall access lists and network architecture diagrams
• Copies of private emails between company executives
• Confidential documents available through the search engine of a "private" web site
• Staff involved in "unapproved" activities
• Domain squatters on typo or alternate top level domains

En Garde War Story:

En Garde was hired by multinational consulting company to assess their risk from publicly accessible information. Often, vulnerabilities come from public databases that an organization benignly supplied information at some point. For example, many businesses have their network administrator's home address and phone number listed on their ARIN (IP address) registry entry. In this case, the risks to the company were much more serious.

The first problem we found was a series of Usenet (newgroup) postings from an employee of the company offering a wide array of illicit drugs for sale. His postings listed his office phone along with his weekly sale prices.

A year earlier, a security administrator posted the company's entire firewall configuration policy to a mailing list asking for opinions on its security. This policy gave us a listing of all ports and IP addresses that were allowed through the firewall.

En Garde helped write additional policy to prevent sensitive (or embarassing) information from being posted by employees. In addition, we redesigned the firewall to avoid the publicly known vulnerabilities. Finally, we investigated whether the company had been penetrated using the known holes in the past year.

Businesses are continually adapting to new opportunities and challenges, and so should network security. En Garde operates an ongoing, comprehensive program of Digital Risk Management tuned to the exact needs of each client.

Risk:

Continuous Assurance

Summary:

Securing digital assets is a continuous process. Regulations, technology, and threats change so frequently that what is secure today may not be tomorrow. Financial Institutions have just recently added multi-factor authentication due to a new regulation, virtually every enterprise is installing new patches weekly due to new technical threats, and any company that processes credit cards is scrambling to ensure a TJ Maxx-style compromise doesn't occur.

Examples:

• Recurrent Technical Vulnerability assessments
• Application reviews prior to deployment
• Policy and procedure development

En Garde War Story:

En Garde was hired by a large government agency to help manage ongoing Digital Risks. In such engagements, we become a part of the security team, and participate to whatever degree the customer needs. Aside from day-to-day assistance on an as-needed basis, we performed the following tasks:

• Annual external Digital Risk Assessments (as an outsider)
• Biannual internal Digital Risk Assessments (as an insider)
• Wardialing (testing every phone number for modems)
• Complete architecture review and design
• Digital Risk Assessments of outsourced Internet services
• Review desktop OS image before a new computer rollout
• Intrusion Detection System bakeoff
• Staff security training

En Garde can help your business get secure, and stay that way by becoming an integral member of the team.

No matter how well designed a businesses security protections, there is always the possibility of a security incident. En Garde can respond by collecting evidence with law enforcement, determining the cause of attack, finding what data has been lost or destroyed, and help ensure the intruder can't return.

Risk:

Response

Summary:

Even the best security protections are sometimes exploited. The key to Digital Risk Management is to design applications and network architecture to ensure attacks are as contained as possible, and that response is quick and efficient. If law enforcement or insurance claims may be involved, evidence needs to be maintained carefully. En Garde can find avenues of entrance, track intruders, collect evidence, determine data lost, and design countermeasures to protect from future occurences.

Examples:

• Find method intruder used to gain entrance
• Collect evidence with law enforcement or insurance companies
• Determine compromised systems and data
• Design countermeasures to protect from future attacks

En Garde War Story:

En Garde was hired by an Internet startup who had been contacted by a self-proclaimed hacker who said that he had penetrated their network and would take them down if he wasn't given an airplane ticket and a $50,000 consulting contract to help them fix their vulnerabilities. Our job was to determine how the intruder got in, find out what he might have stolen or destroyed, and make sure he didn't come back. The company was interested in working with law enforcement and prosecuting the hacker if we could determine who he was.

We found the vulnerability the hacker was exploiting and used it to gain access to his tools and log files. We then inserted a "bug" in his toolset which would track his movements and report back. We also analyzed his toolkit to see if there were other vulnerabilities exploited that the customer would be susceptible to.

In the end, our efforts made it much easier for the customer to recover from the attack--they knew what resources had been touched, and how the intruder moved about. We were also able to identify the hacker by name and home address, and had ample, carefully collected, evidence against this person. The client decided not to prosecute because the damage was minor, and they felt revealing to the hacker that we knew who he was and where he lived would be sufficient to stop further attacks.

En Garde was worked with a variety of law enforcment agencies, including the FBI, RCMP, and US Treasury and have tracked several hackers to the point of successful prosecution. By responding to security events properly, our clients have saved hundreds of hours and substantial embarassment.

Any security protection is only as good as the people behind it. Every employee needs to be a small link in the chain of strong Digital Risk Management. En Garde can help train developers in secure programming techniques, system administrators in keeping systems secure, and security specialists in responding to intrusions.

Risk:

Training

Summary:

Every member of an business needs to play an active role in keeping the group secure. The CEO needs to understand the realistic risks to his business and ensure protective programs are adequately funded and staffed. The IT group needs to design, build, and maintain systems to address a constantly evolving landscape of threats. Developers need to write applications that avoid many of the common security traps. Finally, the business operational staff needs to understand which activites are hazardous and how people might try to attack the business through them.

Examples:

• Train staff in password choices, safe web-surfing, responding to "social engineering"
• System administrators in building and maintaing secure systems
• Programmers in designing and testing code for security flaws
• Security specialists in responding to intrusions
• Executives in threats, technology, and industry best practices

En Garde War Story:

En Garde was hired by Fortune 500 company to help them prepare to launch a major new web application which would dramatically change their business. Our first step was to spend time digging into their application and talking to their developers--we needed to build a threat model to understand how motivated intruders would be and how intertwined with operations the application would be.

We then briefed the executive management on our assessment of the threats to their new business direction and answered questions. Our next step was to build a training program built around their policies and procedures.

En Garde ran a week long training course for the developers covering topics ranging from "Writing Secure Code" to "Public Key Management". This was followed by a 3 day course for the system and network administrators particularly focused on Auditing and Patch Management. Next, we presented a 1 day course to the security administrators on the firewall and network infrastructure pecularities specific to the application. Finally, we presented a half-day course to the front-line support staff who would be dealing with customers inquiries on looking for unusual behavior, dealing with passwords and credit card information, and a refresher on company policy related to security.

En Garde can help an entire staff get synchronized on a new product, or a small staff learn about the latest attack methodologies.