Author Archive

I find myself asking the question “How can a network ever really be secure?” and discussing it with customers and colleagues all the time. The article “How dangerous user behavior puts networks at risk” brings this issue to the forefront. Regardless of the number of defenses a company puts in place, whether firewalls, Intrusion Prevention Systems, Security Information Management systems or the like, one of the biggest vulnerabilities on a network is its users.

Both the press coverage and today’s environment make it necessary to be sure that your company has the necessary “evidence” stockpiled, in addition to alerting and correlation tools, for those times when one of your users or a network device alerts you to potentially damaging user behavior. By evidence I mean retaining all of your network and NetFlow data for future forensic analysis. That data will not spot the employee who loads a thumb drive with company data and takes it home, but it is what allows a company’s network security experts to address the insider threat posed by simple violations of corporate policy in what employees do online.



The following article in eWeek Magazine:

Worm Squirms Through Google’s Orkut

outlines how Google’s Orkut has a fast-moving worm working its way through the popular social networking service.

“The worm, which first appeared on Dec. 19, has been spreading through Orkut’s Scrapbook system at a rapid pace, infecting more than 650,000 users in the space of a few hours.”


Don’t believe me? Just ask TJX, Monster.com, the Department of Homeland Security, Salesforce, TD Ameritrade or… still don’t believe me? Well, check out what Sal Iannuzzi, CEO of Monster.com, had to say (he agrees with me):

“I wish I could say…there will be absolutely no way that the Monster site can be compromised. I cannot ever make that promise, and no Internet company can.” 08/29/07, Reuters

If you still don’t believe me then feel free to move on. If you do, then read on.

Let’s reflect on the past 12 months to perform the so-called “rocking chair test.” It certainly was a busy year! In fact, the Threats Watch blog went as far as to call 2007 “The Year of the Data Breaches,” and CSO magazine has an excellent summation of the year in its article “The Top 10 Data Breaches of 2007.”

So, what can we learn from this past year? Three things:

  1. Breaches are Inevitable.
  2. Organizations can no longer rely solely on Protection (firewalls, IPS, etc.) and Detection (IDS, event correlation, alerting) for security.
  3. Organizations must have a comprehensive breach recovery plan in place.



As you may have read in “About BreachBytes,” over the past 6 months we have been posting links to articles on the Packet Analytics web site that have to do in one way or another with breaches and incident response. Since we have converted BreachBytes from a list of links on our web site into a full blog, I thought we should post those links on the BreachBytes blog as well.

SourceForge hacked, but not to worry(?)
“We played a game of cat and mouse with a “security enthusiast” from Europe yesterday. :)” 12/8/2007

DOE Lab Hacked
Oak Ridge National Laboratory, a U.S. Department of Energy facility, said on Thursday that its computer network had been compromised by a spear-phishing attack. 12/7/2007



Oak Ridge National Laboratory admitted that it had suffered a breach on October 29th, 2007. Luckily, it appears from this Information Week article that no classified information was compromised. This breach underscores the fact that breaches are inevitable and that all organizations, whether government, non-profit or for-profit, must have a comprehensive response and recovery plan.

There are so many situations, reports and news articles in which vague statements are used, such as this one in the Information Week article: “ORNL said that no classified information was lost but that the personal information of visitors may have been stolen.” “…may have been stolen”; that makes me feel comfortable and secure. When responding to an incident it is necessary to be able to state definitively what actually happened and to report a conclusive result. That is what “incident response” is all about.

A comprehensive recovery plan that includes the ability to perform “deep dives” into all of an organization’s network data, particularly using NetFlow, lets security analysts provide the definitive answer we are all looking for.
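To make the “deep dive” concrete, here is an added example of the kind of question retained NetFlow data can answer after an incident like the one above (and the kind of evidence stockpile the first post argues for): given a host believed compromised on a known date, which external peers did it send data to, how much, and when did that contact first begin? This is illustration code written for this page, not Packet Analytics software. The flow records are constructed sample data in an assumed CSV layout modelled on NetFlow v5 fields, the 10.0.0.0/8 address space is assumed to be the site’s internal range, and the external addresses come from the RFC 5737 documentation ranges.

```python
"""Forensic query over retained NetFlow-style records.

Added example for this page (not Packet Analytics code).  The CSV layout
and every address, time and byte count below are constructed for
illustration; real NetFlow exports need a proper collector and parser.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample export (assumed field order):
# start_time,src,dst,proto,sport,dport,packets,bytes
SAMPLE_FLOWS = """\
start_time,src,dst,proto,sport,dport,packets,bytes
2007-10-29T08:02:11,10.1.5.23,10.1.0.5,6,51234,25,12,1800
2007-10-29T08:05:40,10.1.5.23,203.0.113.7,6,51240,80,45,38000
2007-10-29T08:06:02,10.1.5.23,203.0.113.7,6,51241,443,9000,61440000
2007-10-29T08:07:15,10.1.5.88,198.51.100.4,6,40011,443,30,21000
2007-10-29T09:30:00,10.1.5.23,198.51.100.9,17,53000,53,2,180
2007-10-30T01:12:33,10.1.5.23,203.0.113.7,6,51300,443,8000,52000000
"""

# Assumed site address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_flows(text):
    """Parse the CSV export into typed flow dicts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.fromisoformat(row["start_time"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "proto": int(row["proto"]),
            "sport": int(row["sport"]),
            "dport": int(row["dport"]),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_peer(flows, host, start, end):
    """Bytes sent from `host` to each external peer within [start, end]."""
    host = ipaddress.ip_address(host)
    totals = defaultdict(int)
    for f in flows:
        if f["src"] != host or is_internal(f["dst"]):
            continue  # only outbound flows to external addresses count
        if not (start <= f["start"] <= end):
            continue
        totals[str(f["dst"])] += f["bytes"]
    return dict(totals)


def first_contact(flows, host, peer):
    """Earliest flow from `host` to `peer`, or None if none is retained."""
    host, peer = ipaddress.ip_address(host), ipaddress.ip_address(peer)
    times = [f["start"] for f in flows if f["src"] == host and f["dst"] == peer]
    return min(times) if times else None


def flag_large_egress(totals, threshold_bytes):
    """Peers that received at least `threshold_bytes`, sorted for reporting."""
    return sorted(peer for peer, b in totals.items() if b >= threshold_bytes)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    day = (datetime(2007, 10, 29), datetime(2007, 10, 29, 23, 59, 59))
    totals = egress_by_peer(flows, "10.1.5.23", *day)
    for peer in flag_large_egress(totals, 10 * 1024 * 1024):
        print(peer, totals[peer], "bytes; first contact",
              first_contact(flows, "10.1.5.23", peer))
```

Run against the sample, the query names one external peer (203.0.113.7) that received roughly 61 MB from the suspect host on the day of the breach, with first contact at 08:05:40. That is the difference between “may have been stolen” and a statement with a timestamp, a destination and a byte count behind it; widening the window to the next day shows the transfer continuing, which is why the retention period matters as much as the query.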
