Sunday, October 19, 2008

USA Today: Hackers got into 18 computer servers at World Bank

Did you see the USA Today article on the World Bank intrusions?

Cyberintruders used the Internet to crack into at least 18 computer servers at the World Bank Group last July.

One bank memo lists the breached servers and makes this assessment: "As of 9/9/08 we have determined that 5 of the compromised servers contain sensitive data, and care must be taken to determine the amount of information that may have been transmitted outside of the World Bank Group."


Wow, sounds like old school system penetrations. And here we thought all the hacking nowadays was through browser and email exploits.

Banks, indeed, are not the only targets. Corporate intrusions in general are on the rise, says Phil Neray, vice president at database security firm Guardium. Cybercrooks seek out PCs used by privileged insiders so they can access sensitive databases and other PCs. "Many organizations don't have any real-time monitoring or alerting mechanisms in place to identify unauthorized activities," Neray says.


Hopefully the state of information security in private industry is a lot better these days, but somehow I doubt it. The risk needs to be palpable enough for CEOs to give a crap. As for the real-time monitoring, that should really be the last line of defense: the detective control that catches whatever the preventative controls don't.

To me this type of article underscores the need to look at security in breadth across the enterprise as well as in depth. It's like securing a house. You don't put an iron door on a tin shed. Hackers are looking for the one way in. So make all the ways in a little bit harder.

Friday, September 05, 2008

Infosec Fortune Cookie Friday

Mitigating a risk with a stringent security control can create its own risk: that of business interruption.

Thursday, September 04, 2008

Replacing Passwords

NY Times has an article on authentication without using passwords.

The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
...
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.
...
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.
While I don't deny that passwords have their problems, I want to think this solution over a little. Meanwhile, if anyone out there is awake, I'm curious to hear your thoughts.

Friday, August 08, 2008

Changes

All I can say to this is, 'bout time:

IT directors will play a dramatically reduced role in working with security professionals, says the Information Security Forum, which has issued a report that outlines how businesses' view of security is evolving. Chief risk officers, chief security officers and chief operation officers will be more involved in security strategy, according to the ISF. The change is fueled by Enterprise Risk Management and companies' increasing vision of merging physical security with information security, reports the ISF. Network World (07/31)
The downside of the above is that information security requires highly technical solutions and so either security talent has to migrate and disperse into IT organizations (not a bad thing) or strong ties between infosec talent and IT have to remain, or perhaps both. Otherwise infosec becomes all high level strategy with extremely poor execution. The Network World article goes on to say:
less than 3 out of 10 information security professionals believe they are focused on delivering solutions to the business.
When you hear people talking about information security enabling the business, this is what they are talking about. The goal isn't simply to prevent or reduce risk. It's to enable the business to move forward with opportunities, but with a tolerable level of risk. To do that you have to come up with creative solutions: finding ways to say yes instead of no.
Davies points out that there is currently a large increase in information security professionals reporting to chief risk officers (CRO), chief security officers (CSO) and chief operation officers.
Infosec stepping away from IT makes it more difficult to build trust and alliances at the worker level, which is crucial in building a security culture where IT personnel help the security group rather than avoiding them. Appointing an infosec point of contact within the various IT organizations can help.

The upside of this move outside of IT is that the struggle between the sometimes opposing goals of IT and Infosec can happen at a higher management level, where it often belongs. Infosec can gain a bit more authority, to be wielded very carefully, of course. This arrangement also gives the proper business focus to security groups and provides better visibility of security issues to upper management.

Friday, August 01, 2008

DNS

So, how about that DNS vulnerability, huh?

Brings back memories of the days gone by when vulnerabilities and attacks regularly threatened the entire internet rather than being as targeted as they are now. Well, I guess this time there's a pretty ubiquitous hole that can be used for targeted attacks until folks patch. If they haven't, they're nuts.

Meanwhile... Dan K suggests using OpenDNS since they were fixed before many ISPs. Having one place provide DNS to a lot of people kind of paints a giant target on their backs, but then again that's no different than any major ISP's DNS servers. OpenDNS beat a lot of ISPs to the punch in patching, so maybe that is an indication of the kind of shop they run. Plus they offer content filtering, typo fixing, and phishing protection features. Nice.

But, you probably knew all that, right?

So why didn't you tell me? :)

Infosec Fortune Cookie Friday

It is written: One who swings the great bat of authority cannot spare a helping hand.