Bearings are the technological silver bullet of their time, but we continue to rely upon them today. The methods by which we monitor the quality, integration and performance of bearings should show how we do the same thing with security intelligence.They are old, ubiquitous, transparent and irreplaceable. Just like security intelligence, we rely on them 100 percent of the time and they never fail (well, almost never). They cost nearly nothing to create or obtain, but a failure in their operation, design or implementation can have very expensive consequences. Each copy of the same model must be identical so that customers are assured quality. Their performance must be predictable since they are exposed to some of the most hostile and dynamic environments. They come in many sizes and designs and may be integrated into solutions in many ways, but they must perform perfectly to keep us safe.

What technology is this? A bearing.

Your automobile uses thousands of them. The aircraft and engines that push you through the sky have many more. Shower valves, bikes, treadmills, tape drives and even disk drives use bearings. They are everywhere. They are seamless. We depend on them all the time.

However, when they need to be replaced, it is not cheap. The cost of replacing a bearing in your transmission can be 1,000 times the cost of the bearing itself. Coincidentally, the same claims can be made about security technologies. An unanticipated failure due to software bugs, bad algorithms, incorrect integration or poor design can cost much more than the price of the technology itself.

However, without the technology of bearings, we would not have the high-reliability items that we rely on daily, from automobiles to air conditioners.

Why is it that we have mastered this level of high reliability with the design and implementation of bearings, but we continue to struggle with security, as is evident in the breaches that seem to be on the news nightly?

The reason is that there is more to the story of bearings than just a piece of metal. The secret to success in bearings is not about what they do or that they are made of hard metal. The true magic in bearings is all about the information we collect about how they are manufactured and how they perform every second of the day.

There is a lot we can learn from this 18th-century technology. We need to take those lessons and apply them to the security intelligence challenges of the 21st century. Surprisingly, it all comes down to lessons we should already have learned.

Quality Control

At the end of World War II, William Edwards Deming presented a paper on statistical process control in Japan. Without going into great detail, he highlighted the fact that if you are going to make something of quality, you cannot inspect each copy or widget to ensure it is “good.” You cannot look at millions of bearings. You cannot visually check every syringe. You cannot check every square micron on every platter in every disk drive.

Instead, you need to look at the process that makes these things, not the things themselves. You must know that your product is designed correctly. Furthermore, and perhaps more importantly, you must understand how the product is being manufactured to ensure it is meeting design specifications.

The idea is that if the design is good and the manufacturing process is efficient and consistent, the product coming off the line will always be as good as its design and have no variations. In other words, the focus should be less on inspecting the bearings and more on inspecting the process that creates them.

Bearings are the poster child for Deming’s theories. A bearings manufacturer can produce millions of bearings each year. However, those bearings can’t all be inspected for defects. Instead, the manufacturer must inspect the process that makes the bearings by collecting information on the manufacturing process.

On the other end of the supply chain is the manufacturer of the engine that uses the bearings, but it follows a similar process. The performance of the engine must be measured to know whether the bearings are achieving their required quality. Is the engine overheating? Is fuel consumption low? Are noises and vibrations within predictable limits? If not, you know it is likely due to the design of the engine, the design’s implementation or the components (bearings) used in the design.

However, the actual bearing is never inspected when it is in the engine. Information, intelligence and analysis tell you how the bearings are performing and whether they are meeting the needs of the dynamic environments in which they reside — that is, the engines.

What Does This Have to Do With Security Intelligence?

Similar to the design systems (engines), we never use just one security component in our security designs. The overall security of our systems, networks and infrastructure is not based on a single technology, but rather a culmination and integration of many technologies that must work together and be built with components that are intended to perform in a dynamic environment. Our system design should consider the hostile environment in which it works, and the components that are part of the design must also be designed to work in those hostile environments.

The lesson here is that the quality of the different layers of security is no different than the various layers at which bearing technology is applied. The design and implementation of the components (such as operating systems, firewalls, antivirus and IDs) must focus on eliminating unanticipated behavior (bugs), just like bearings cannot have flaws introduced during their manufacturing process.

Additionally, the integration of those components throughout an enterprise must also be pursued to enforce a desired behavior and eliminate unauthorized access and data leakage. Engines cannot have unpredictable behavior, and neither should our networks.

Bearings are designed, manufactured and integrated into engines to enforce highly predictable behavior. Security components are designed, manufactured and integrated into complex networks to provide the same highly predictable behavior.

Security System Applications

So why are bearings and engines able to do this but security systems cannot? That question can be paraphrased in the context of bearings. How do manufacturers know whether they are producing bearings with the same quality? How do engine manufacturers know whether the bearings are still performing within their engines? The answer to those questions comes down to data collection, information gathering and analysis — otherwise known as security intelligence.

Just like manufacturing and integration, security data gathering, intelligence and analytics let security analysts find the baseline normal behavior of networks. Quality control requires that you baseline your processes to achieve consistency — a necessary step before you achieve quality.

Once the analyst has a baseline of the network’s normal behaviour, anomalies such as unusual bandwidth consumption, rapid login failures, abnormal network connections and peculiar use patterns become more readily apparent.

The demands on our networks are dynamic and hostile, but they should be fairly predictable. It is that predictability and consistency that is a key component in the security of our environments. As we continue to improve predictability and consistency, continue to make regular improvements to our security profile and continue to make changes based on security intelligence and analysis of data that is collected and correlated across a large set of sources, we are able to meticulously close vulnerabilities and proactively minimise the ability for future vulnerabilities to be exploited.

These security benefits are the direct result of security intelligence, analysis and response. This is exactly the process that helps bearing and engine manufacturers produce incredible metrics. History shows us that this has been successful in implementing other technologies that are always there, always transparent, always meeting our needs and always working for us.

If we can do it with technology from the 18th century, we can do it with technology from the 21st century without reinventing the wheel — or bearing, in this case.

The original post by IBM can be found here: What Do Silver Bullets, Bearings and Engines Have to Do With Security Intelligence?


IBMSecurityIntelligence AUTHOR:
Analysis and Insight for Information Security Professionals

Posted in: Big data, Security      
Comments: 0
Tags: , , , ,


New changes to the Bank Secrecy Act have been proposed by the Financial Crimes Enforcement Network (FinCEN) in order to clamp down on money laundering for financial institutions. These changes have been debated for some time across numerous departments.The Financial Crimes Enforcement Network (FinCEN) has announced proposed changes that would amend part of the Bank Secrecy Act (BSA). According to the National Law Review, the changes affect customer due diligence (CDD) requirements for certain covered financial institutions. These include mutual funds, brokers or dealers in securities, future commission merchants and introducing brokers in commodities. Comments and feedback on these proposed changes are due by Oct. 3, 2014.

Details of the FinCEN Proposal

The proposed changes to the BSA add more requirements to anti-money-laundering (AML) programs and customer identification programs (CIP) in the form of CDD requirements. These CDD requirements would apply to all covered financial institutions under the USA PATRIOT Act. They force customers to document beneficial ownership for their legal entity (i.e., mutual funds and brokerage accounts) and codify the requirements.

FinCEN’s proposed rules to revise the current AML requirements for CDD address the following:

  • Identify and authenticate a customer’s identity, which is currently a requirement of the existing CIP rules.
  • Identify, authenticate and understand beneficial owners of a legal entity (i.e., an association, partnership, proprietorship, corporation or trust).The rule states that a beneficial owner will be anyone with a 25 percent or more equity interest of the entity or has significant management responsibilities within the entity.

FinCEN is also proposing an update requiring a fifth pillar to AML compliance. This pillar would address CDD and would require covered financial institutions to understand the use and purpose of their customers’ relationship, and implement ongoing monitoring.

Currently, the pillars are:

  1. Designate a compliance officer.
  2. Development of internal policies, procedures and controls.
  3. Ongoing and relevant training of employees.
  4. Independent testing and review.

Analyst Comments

These proposed CDD requirements have been a widely discussed topic for both U.S. and international law enforcement and regulatory agencies for quite some time. Fraudsterscriminal organisations and terrorists are known to abuse legal entities for their advantage. Having the ability to identify individuals who own these legal entities and do business within the U.S. financial system will greatly assist in reducing this type of abuse.

FinCEN’s first publication regarding the proposed CDD requirements was released in March 2012 and set the stage for coding and enhancing these CDD requirements. The current proposal is partly a product of the 2012 regulatory process and collaboration with other interested regulatory agencies (the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, Securities and Exchange Commission, and Commodity Futures Trading Commission).

If approved, this proposal would identify beneficial owners of legal entity customers and add this CDD component as a fifth pillar to BSA/AML programs.


IBMSecurityIntelligence AUTHOR:
Analysis and Insight for Information Security Professionals

Posted in: Security      
Comments: 0
Tags: ,


Media player vulnerabilitiesListening to music can have a positive impact on our brains. A study published in the journal “Neuroscience of Behavioral Physiology” found that a person’s ability to recognise images, letters and numbers was faster when rock or classical music was playing in the background compared to when there was no music. And, of course, music improves our mood because it triggers the release of the “pleasure chemical” dopamine.

But what most organisations don’t realise is that while music can have a positive impact on employees, the media player they use to listen to music or watch videos can expose them, their machines and the organisation at large to exploits and advanced malware infections.

Media Player Vulnerabilities

IBM has found that vulnerable media players are constantly targeted by malicious actors. Since media players exist, in most environments, on users’ desktops for their own personal use, IT and security administrators ignore these applications and the content files they use. After all, you want to keep your employees productive and happy and allow them to listen to their harmless music while they work. However, because these applications are not controlled and users are not in a rush to patch these applications, most installations are vulnerable to exploits.

A media player is a software program designed to play multimedia content as it streams in from a website, local storage or other resources. Some employees use the media players that arrive with the operating system, such as Windows Media Player, while others prefer to download a different media player and install it on their workstation. However, both OS-provided and downloaded players contain vulnerabilities that can be exploited to deliver malware and infect the user’s machine.

According to the National Vulnerabilities Database (NVD), over 1,200 vulnerabilities were discovered in media players since 2000. Most of these vulnerabilities were discovered in popular media players like QuickTime, iTunes, RealPlayer and Adobe Shockwave.

Media players are popular yet vulnerable applications and can be found on many user endpoints. Because they are designed to process and play files that originate from an external source, they become a top target for exploit attacks. By developing weaponised media content, i.e., an audio or video file that contains an exploit that takes advantage of a media player vulnerability, an attacker can effectively deliver malware to the user’s machine.

All that is left for the attacker to do is to send the weaponised file to the target user or convince a target user to view the content from a compromised website using phishing and social engineering schemes. Typical examples include “promotional videos,” links to “free” song downloads and more.

Exploits Targeting Media Players Exist in the Wild

This is not a theoretical threat. Over the past few years, we have seen exploits targeting both known and unknown zero-day vulnerabilities in media players. It is important to note that many exploits target known vulnerabilities for which a patch exists. As long as the patch is not deployed to mitigate the vulnerability, or some other controls are implemented to prevent the exploit, the media player is vulnerable to exploits and drive-by download attacks.

For example, here is a story about a drive-by-download attack that exploits a known critical vulnerability in Windows Media Player: On Jan. 10, 2012, Microsoft released a security fix addressing the MIDI Remote Code Execution Vulnerability (CVE-2012-0003) in Windows Media Player as part of its monthly patch cycle. Microsoft explained at the time that “an attacker who successfully exploited this vulnerability could take complete control of an affected system.”

A few weeks later, security researchers found an active drive-by download attack that exploited the known vulnerability. The attack used a malicious HTML page to load the malformed MIDI file as an embedded object for the Windows Media Player browser plug-in. If successful, the exploit silently downloaded a Remote Access Trojan (RAT) on the user’s machine without the user’s knowledge.

Protecting Media Players Against Weaponised Content and Exploits

The general best practice is to always apply security patches to vulnerable applications as soon as they become available. However, this is not applicable when the vulnerability is a zero-day vulnerability — one that is not publicly known and for which an appropriate patch doesn’t exist. To effectively protect employee endpoints and enterprise networks against exploits and advanced malware, organisations should consider implementing an endpoint solution that disrupts the exploit chain of events and prevents the delivery of malware via exploitation of both known and unknown vulnerabilities, both in popular media players and in other applications.

The original post by IBM can be found here:  Killer Music: Hackers Exploit Media Player Vulnerabilities


IBMSecurityIntelligence AUTHOR:
Analysis and Insight for Information Security Professionals

Posted in: IBM, Security      
Comments: 0
Tags: , ,


Through synthetic identity theft, fraudsters create fictitious identities based on a combination of real and fake information. They can apply for credit directly with a lender, use the authorized user provision of a credit card account and furnish data.Synthetic identity theft is fraud that involves the use of a fictitious identity. Identity thieves create new identities using a combination of real and fabricated information, or sometimes entirely fictitious information. Fraudsters use this fictitious identity to obtain credit, open deposit accounts and obtain driver’s licenses and passports.

Typically, fraudsters will use a real Social Security number (SSN) and pair it with a name not associated with that number. Fraudsters seek SSNs that are not actively being used, such as those of children and the deceased. In some cases, an identity fraudster may create a completely fake identity with a phony SSN, name and address. This would be categorised as synthetic identity fraud since there is no theft involved. For the purposes of this article, synthetic identity theft or fraud will be treated as the same.

Why Is Synthetic Identity Theft Important?

This type of theft has been emerging as a major fraud activity over the past five to seven years. The size of the synthetic identity theft business is estimated to be in the billions per year across North America. According to CBC, monthly case volumes are in the thousands as compared to five years ago, when they saw about 100 per month.

The exponential growth of synthetic identity theft — and particularly its impact on children’s identities — will have distressing consequences for young individuals in the future. A study performed by Carnegie Mellon’s CyLab found that children’s SSNs are 51 times more likely to be used in a synthetic fraud scheme than those of adults for the population studied. While CyLab clearly stated its findings could not be extrapolated to the general population, the threat to children is evident.

Synthetic identity thieves target children’s SSNs because they are inactive and will generally remain unchecked for up to 18 years. Children generally have no public information associated with their SSN, making them a prime target. Unless a victimised minor’s parents are tipped off by a bill collector, the child begins receiving credit card offers in the mail or the child is denied a driver’s license or college loan, the fraud may not be discovered.

The true impact of child identity theft, which has been increasing over the past 10 years, will be realized as the victimized youngsters approach college age, start applying for college aid or have difficulty getting their first jobs after high school when negative information appears in a company background screening.

How a Credit File Is Created

It’s important to understand how a credit file is created prior to delving into the ways in which cybercriminals manipulate the system to their advantage.

Credit history is compiled and maintained by credit reporting agencies (CRAs) or credit bureaus. There are three major CRAs in the United States: Equifax, TransUnion and Experian. These agencies collect consumer credit history from credit card companies, banks, mortgage companies and other creditors to create an in-depth credit report.

Whenever a consumer completes an application for a credit card or loan of some type, all the application information is sent to the CRAs. CRAs gather the applicant’s personally identifiable information and determine whether a credit report exists. They also scour public records for financial information such as court records from bankruptcies and foreclosures. If no matches are found, the CRAs must keep a record of the inquiry by establishing a credit file. If a match is found, the credit file information is returned to the lender for it to make a credit decision.

The key concept to understand is that any credit request submitted to a CRA will create a credit file if none existed prior to the request.

Every month, lending institutions and other creditors send updated consumer credit information to the CRAs. This information includes how much individual consumers owe and whether they make their payments on time.

There are two kinds of inquiries: hard and soft. Hard inquiries are requests made by institutional creditors such as credit card companies, mortgage lenders, retail companies and landlords for rental applications. Soft inquiries are made by the consumer or by an employer as part of an employment background screening. Negative events such as bankruptcies, foreclosures and charge-offs stay on credit reports for seven to 10 years, while positive events such as on-time mortgage payments, can stay on even longer.

There are three main ways in which identity fraudsters exploit the credit process to establish synthetic identities and execute frauds: apply for credit directly with a lender, use the authorized user provision of most credit card accounts or through a data-furnisher scheme.

Applying for Credit

Fraudsters will create a synthetic ID and build a credit profile by directly applying for credit with a lender such as a credit card issuer. The initial application will be declined, but a new credit file will be established as a result.

With the newly established credit file, the fraudster will then apply for credit with a credit card issuer. When the card company runs a credit inquiry, the CRA will return information to the card company that a profile does exist. The profile will not have any credit history associated with it, though the fraudsters typically target card issuers that offer credit lines of $300 to $500 to applicants with no history.

Armed with a new credit account, the fraudster will legitimately use the credit account and make payments to establish good history. The fraudster will leverage the positive credit history to obtain more credit cards, retail store credit accounts and car loans.

The process is straightforward and easy to execute, but it is less favorable because of the time it takes to build a solid credit profile.

Authorised Users

The authorised user process is how most synthetic IDs are created. Adding authorised users to an account is legal and allowable by credit card issuers. It is typically used for legitimate purposes, such as adding a spouse or a child.

Fraudsters exploit the authorised user process and actively recruit cardholders with good credit to add unknown people/identities to their card, often for just several days. Using this technique, often referred to as “piggybacking,” the legitimate cardholder receives a fee for adding the authorised user identity to his or her account. A credit card is not issued to the authorised user; it simply sits on the credit account for a period and “inherits” the card owner’s credit history.

Once the trade lines have reported to the CRAs, the synthetic identity can be removed from the account as an authorised user, but the credit history is retained. The fraudster will then apply for credit with multiple card issuers. With multiple credit lines successfully obtained, the fraudster will max out all the credit lines by buying gift cards and valuable merchandise such as smartphones and other electronics that can be easily sold.

In this example, the fraudster could also execute a bust-out scheme in which the credit lines are maxed out, paid down with worthless or counterfeit checks and maxed out again before the check payments are returned. This creates an exposure of as much as two times the original credit limit. Well-organized criminals may be able to repeat this process more than once.

Card owners who are recruited to add authorised users will have as many as 50 in their account at once. Card owners may believe they are donating their good credit history to help others establish or repair their credit. There are many credit repair/piggybacking brokers who bring together donors and those who need credit assistance. Accounts that continually produce identities tied to fraudulent activity are known as pollinator accounts.

For example, a synthetic ID had a credit file created in June 2014 and used an address tied to a retail shopping center. In August, a seasoned trade line with a credit limit of $55,000 was added to the synthetic ID. Within two months of adding the authorized user, the synthetic ID amassed $200,000 in unsecured credit, making out over $140,000.

  • Bank A: $10, 000
  • Bank B: $10,000
  • Bank C: $50,000
  • Bank D: $5,700
  • Bank E: $20,000
  • Retail 1: $16,000
  • Retail 2: $20,000

The investigation revealed that most of the purchases involved retail gift cards and some high-end merchandise. One CRA investigator indicated that Verizon Wireless and other similar merchants are being targeted for smartphones, particularly iPhones.

Data Furnishing

Data furnishing is a very effective tactic but requires more sophistication and organisation and may involve complicit insiders within a small business. This method requires fraudsters to use a front company, which is vetted by CRAs and approved to furnish or supply payment history on credit accounts extended to its customers.

These front companies may be new companies created for the purpose of committing fraud or may be existing businesses in which the owner or an individual within the business (e.g., credit or finance manager) is compromised by an organised fraud ring.

In the data-furnishing scheme, synthetic IDs can be created or credit files of existing synthetic IDs can be enriched. The typical scheme works in the following way:

  • An “applicant” applies for — and is granted — credit for a fictitious purchase of the business’s product, such as a used car.
  • Each month, the business reports payments on the credit account associated with the synthetic identities to which it has provided phantom credit.
  • Over several months, the synthetic identity’s credit score will improve, allowing the fraudster to obtain more and more unsecured credit from victim card-issuers until the fraudsters are ready to max out/bust out the card accounts.

Data furnishers engaged in synthetic ID activity may be identified because the CRA identifies anomalies such as credit accounts in amounts that far exceed the data furnisher’s product values. Additionally, CRAs may link multiple synthetic IDs to a particular data furnisher.

Synthetic identify theft is a growing problem, and its full effects may not be realised for several years. We will likely hear stories of children’s identities that were victimised years ago being uncovered years later as they moved into adulthood. Criminals understand that synthetic identity theft is generally an easy and lucrative scheme to employ. There are many factors that contribute to the problem, but the authorised user process and availability of credit from some of the major card issuers play key roles in this.

I will be writing more about synthetic fraud in the coming weeks, exploring challenges facing the industry, legislative initiatives and what financial institutions and consumers can do to help minimise synthetic fraud.


IBMSecurityIntelligence AUTHOR:
Analysis and Insight for Information Security Professionals

Posted in: IBM, Security      
Comments: 0
Tags: , , , ,


201306Security-Intelligence-IBM-Security-Blog.jpgIn 2012, there were 1,502 documented incidents resulting in loss of personally identifiable information, almost a 40% increase over the previous year’s 1,088 event count. In the last three years, 21 million patients in the United States have had their medical records exposed in data breaches.

Data leaks are becoming a common occurrence, exposing personal details such as email addresses, passwords (both encrypted and clear text), and even national ID numbers. The IBM X-Force 2012 Annual Trend and Risk Report calls for tighter security controls and policies in the healthcare industry.

With healthcare providers and payers alike trying to retain customers through better quality care and comply with an ever increasing corpus of regulations, patient records are the currency in trade, and as such must be protected with all due care. Moving to electronic health records (EHR) is a must for organisations to be able to share data between providers—even competing facilities—insurance companies, and the patient consumer themselves. Creating a record once and enriching it over the lifespan of the patient by all caregivers and payers involved holds the promise to reduce costs and improve outcomes. In addition, the U.S. government provides financial incentives for the meaningful use of EHR through the American Recovery and Reinvestment Act’s (ARRA) HITECH provisions.

Yet converting records to electronic format makes them convenient to steal en masse if not properly protected. The outcome of EHR theft include brand reputation damage in a competing market and financial penalties for non-compliance.

Here are some of the fundamental security controls healthcare organizations must undertake in order to safeguard patient data:

  • Discover all EHR and personally identifiable information (PII)
  • Encrypt or mask EHR and PII at rest and in transit
  • Impose and manage role-based access, coupled with central and/or federal authentication, to EHR and PII
  • Contract with Business Associates (BA) who have access to EHR and PII to ensure they are held to the same data protection standards, and audit them regularly
  • Protect the infrastructure housing EHR and PII using standard technical controls such as firewalls (perimeter and enclave), VPNs, network and host IPS, and endpoint protection
  • Monitor all system and network activities, optimally with automated detection of suspicious activity, particularly as it affects systems containing EHR and PII

Exposure of sensitive data is but one of the salient observations in the IBM X-Force 2012 Annual Trend and Risk Report. Download it now and get the full picture of how 2012 shaped up in terms of threats and gain intelligence into what to expect in 2013.


IBMSecurityIntelligence AUTHOR:
Analysis and Insight for Information Security Professionals

Posted in: Automation Testing, IBM, Opinion, Security      
Comments: 0
Tags: , ,