Monday, April 04, 2011

Breaches, Links, and other stuff...

As many of you know, I am (quite thankfully) no longer involved in Visa PCI breach investigations.  However, something I saw in the news recently did attract my attention; specifically, Briar Group LLC is the first restaurant chain fined under the Massachusetts data breach law (here).

So why is this interesting?  Well, most of the time I was doing this PCI work, I was rarely aware that any of the organizations I encountered got fined.  Yes, there were one or two that I heard about later, but like I said, it was rare.  Mostly, I'd go on-site, scope the incident, collect data, return to the lab to analyze the data and submit my report...and that was it.  Now, I didn't really need to know what happened, to be honest, but after the first year, organizations that had been breached would ask me, "What happens after you submit your report?", and I really didn't have much of an answer.  As far as I could tell, QIRA firms had only two functions with respect to PCI to keep their analysts certified, and submit reports within the timeframe specified.

This article provides a good deal of information, and for me, a bit of deja vu.  For example, while the actual issue isn't described in any detail, the incident itself is described as having first occurred in April 2009, and went undetected until December 2009.  If you have reviewed any of the cumulative annual reports that have come out over the years, and in particular the Verizon Business Security report, you'll notice that this sort of thing isn't unusual at all; organizations rarely detect an intrusion while it's in progress, but rather get notified by an external third party, well after the incident occurred.  I think that this is in part due to a lack of visibility into their networks, but I also think that there is a lack of intelligence provided by the oversight organization (collects up all reports), and then acted upon by those organizations who fall victim to these breaches.

Restaurants aren't the only organizations affected by these breaches.  Other businesses, such as credit unions, are being breached, as well.  While it may appear that credit unions are subject to a different set of compliance measures, these measures really aren't all that different from what's been mandated for other organizations.

With respect to the RSA breach, Federal News Radio 1500 AM has an interview with Gene Spafford, Executive Director, CERIAS, that is well worth a listen.

Getting Help
I'm not going to pick on LE for this one, because this same sort of thing applies to others, as well...but even with "simple" customer service stuff, I tend to get names, titles, and such when talking to folks.  In this particular case, it appears that the information on the cell phone was thought to be important, so one would think that all due care in handling the device would be the order of the day.

I recently had an issue I was attempting to address and wanted to get some credible information before proceeding.  As such, I reached out to Eoghan and Terrence at cmdLabs, and I have to say that their response and support was very greatly appreciated.

The point of all this is something that I think has its roots in the community fragmentation discussion that took place recently.  For my money, if the situation were more than just idle curiosity, I'd seek credible assistance.  However, having observed the industry for a number of years, I still believe that many analysts are simply afraid (for whatever reason) to ask for or seek out assistance, and others are simply asking the wrong questions to begin with.

What are your thoughts?

APT Tabletop Exercise
This recent post (link above) over on the SANS ISC blog caught my attention.  One statement in particular that caught my eye was:

If you're not on the obvious-targets list already...

Kevin goes on in the post to point out that every organization has its secrets, and he's absolutely right.  More importantly, I would suggest that it's the height of folly to think that you don't have something someone wants, whether that something is intellectual property, or simply storage space and CPU cycles.  I mean, here in the US, it's getting close to tax time, so if you were to survey a wide range of systems, you would probably find tax-related software (TurboTax, etc.) and information on many of these systems.  Also, loading a key logger or 'data jacker' on a system will often result in online banking or shopping credentials being revealed.  Ultimately, a compromise may come down to simply the connectivity and processor power, as the compromised system is part of a botnet.

Speaking of APT and preparing, it would probably be a good idea to take a look at the RSA blog, and specifically the Anatomy of an Attack post, written by Uri Rivner.  The post does a very good job of covering the general methodology of how these attacks occur, and even provides information about the specific details regarding the spear phishing attack that led to the initial entry.

For folks who are more detailed oriented, such as myself, the rest of the post is light on actual details, with the exception of some domains used by the attackers.  There are some details, such as the use of FTP to transfer files, but in other cases, the methodology is discussed without details.  That being said, there is enough information there to infer the nature of what occurs on systems compromised by these actors.

Looking at the details that were provided, I have to wonder what that post would look like had Carbon Black been installed on critical systems within the infrastructure.  Speaking of which, the early release of Carbon Black starts today...drop on by the Kyrus web page and check it out!

Brad Garnett moved his blog's now the Digital Forensic Source blog.  Brad hasn't been terribly prolific, but if you follow the Case Leads posts on the SANS Forensics Blog, you'll find Brad's posts to be similar, providing links to items you might otherwise have missed.  Sometimes you may run across something that will lead to another blog or blog post or media article that's of interest.

Speaking of blogs, Richard took the time to answer some questions from a previous post (on Reading) over on the TaoSecurity blog.  I thought that the previous post was interesting, but found the questions that Richard chose to respond to even more so.

Over the years, I've found Richard's reviews of various books to be very insightful, and it has been clear that he's put some considerable effort into the reviews.  I have always suspected that he does this because he puts his name on the review (ie, doesn't post it under Anonymous), and realizes that the entire review reflects upon him and his position.  I've seen quite a number of reviews of digital forensics that have amounted to "It was good" or simply "It sucked."  I've seen other reviews that were really nothing more than a listing of chapters and a regurgitation of the content in each.  As such, I tend to put a lot of value in reviews such as those that Richard writes, as they are very insightful.

I especially enjoyed the first question (and response) in the blog post.  I won't copy-paste it here, as you really should head on over to Richard's blog and check it out.  Regardless, I have to say that the question is pretty typical; like others, Richard is doing something that he enjoys doing, and he's doing it entirely for free.  Yet, there's always going to be someone who will ask for something more, many times without offering anything of their own. 

With respect to the final question on the blog, I pretty much followed what Richard mentioned when I did a recent review of the ebook edition of Cybercrime and Espionage; while I took notes directly in the material using the Kindle functionality, I also took notes in a notebook.  I know that some will probably look at that as extra work, but I usually find when I read books such as the one from Gragido and Pirc that I not only get ideas and insights about the material presented, but I will also sometimes find tie-ins to other books or online materials, so having handwritten notes is a great way of solidifying those thoughts in my mind, and having something right in front of me to review later.

Windows 8
Finally, I caught an article on CNNMoney this morning that indicates that Microsoft is getting ready to release Windows 8.  I love job security.

No comments: