Security Ripcord

I was going to post a comment to Michael’s Computer World post titled “OK CXO, does this incident convince you of the need for security???” when I decided not to do it. Instead I realized that this is a prefect opportunity to do another Email Interview. So I hammered out a few questions I figured would be easy to answer and then tossed them his way. The following are his responses with the questions included in bold.

Who do you work for and what do you do?

Accuvant. Pre-sales Security Engineer. Basically, I am in customer
relations, with the occasional product evaluation installation thrown
in.

Centralized logging is one of the keys to a good security posture.
Percentage-wise, how many companies do you see doing this?

Unfortunately, the customers I have been dealing with are very late
coming to this game. And I am not talking about SIEM either. Just
centralized logging. Many of them have some kind of syslog server with
a few logs getting thrown to it, but very few have any kind of real
centralized logging solution where they can go do forensics and get a
good idea of what was happening in their network as a whole at any given
time.

When they are designing the networks, do you find that the
administrators are aware of the pitfalls and nuances of setting up a
logging infrastructure?

Generally they think it is just a matter of throwing some logs into a
bucket o’ hard drives and that is it. Not many think about the logs
being used for forensic purposes later in the case of an incident. Many
aren’t aware that normalizing logs pretty much makes it fodder for the
defense attorney. Administrators up until now have had to be concerned
with keeping servers going, and they read the logs when there is a
problem. Most don’t think from a security mindset, so they don’t have a
clue what to do to if those logs aren’t there (because they got deleted
by Mr. Bad Guy). There’s also the matter of retention and drive space,
maintaining the logs in such a manner that they can’t be altered, etc.
I mean, that is the central reason for logs: forensics. And forensics
does not necessarily mean criminal forensics. It means that if there is
any incident, malicious, accidental, mechanical, whatever. And if the
logs get corrupted, then you have problems.

Another problem that people don’t think about is application logs and
“x”-flow data. These are often very critical to determining what
happened in incidents because they give you two ends of the spectrum
that just server and device logs don’t give you. Of course, that will
greatly increase your storage needs, so be careful.

Where are the common weaknesses and how can we educate our
administrators better? Certifications associated with log management
and review?

See above for common weaknesses. As far as another specialized cert, I
don’t think that is the way to go. I know SANS is big on this, and I
have nothing but respect for those guys, but I really think that
security cannot be stovepiped anymore. Security has to be a part of a
sys admin’s job and training. This is one facet of that training, and
it realistically not all of security can be thrown into a couple of
Windows courses. But the mindset has to be taught more. A single cert
can’t do that.

Is it common practice to have critical systems administered through a
management network that does not touch the production network?
Basically, a network that is separated from the intranet and Internet?

Do you mean having something like separate NICs in critical servers
plugged into a different VLAN for management, and plugging management
NICS on devices into that same VLAN? To my knowledge, that is not very
common. It makes sense, but I could see it being something of a
headache to get setup. As far a segmenting critical systems altogether,
that is happening in a big way. PCI is driving that everywhere.

Can Small and Medium-Size Businesses really afford taking on a project
like centralized log management? What would be the first steps?

Yes, SMB’s can do this. I does not have to be expensive. I did it when
I was at an SMB. I used the PRO version of KIWI syslog server
(http://www.kiwisyslog.com/) and pointed all my devices and servers at
it. I used SNARE (http://www.intersectalliance.com/projects/Snare/) to
push server logs to the KIWI syslog. KIWI even has the ability to read
application logs if they are put into a flat file. It really is not
hard to setup if you are willing to take the time to organize it. But
be sure to take note of the problems mentioned above.

Do you have any recommendations for the Small/Home Office businesses
when it comes to log management?

See above. Should also work for them.

Companies are generally aware that they need to backup their common and
critical data. How much are they aware that they need to do the same
with logs? What is common practice in log retention?

I think they are becoming MORE aware, but the awareness is not where it
should be. Again, this is a failing in training. Security is not
taught as a “baked-in” component of knowledge.

Common practice depends. It seems like 7 years tends to be a good
retention length of time, but that can change depending on compliance
and other laws.

What types of sensitive information could be found in logs and what does
this mean about the protections associated with collecting and retaining
this information? When do you think encryption would be necessary?

It is feasible for access logs on servers containing data to hold
sensitive information such as credit card numbers, SSN’s, etc. It is
also feasible for logs from network devices such as routers and
firewalls to have sensitive data in them because the data passes through
them. That is why PCI specifically addresses this issue.

Encryption of sensitive fields in a database should always be in place.
Encryption when transmitting data should be the norm. And obfuscation
of sensitive data (”x”ing out most of the SSN number or the CC number)
should be done when records are viewed by parties that do not need the
information to perform their duties.

How does log management tie into forensic investigations?

As I mentioned above, log management is crucial to forensic
investigations. Most log management systems normalize logs because they
have to store the data in a manageable format. However, there has to be
some way to recover the raw log in order for the log to be used in
investigations. It is not as crucial if all you are trying to do is
determine what happened in an event. But if plans are to use the logs
in prosecution of criminal activity, then you have to be able to prove
that the logs are the raw, original logs that came from the servers and
devices.

If an investigation team walks in the crime scene and fouls evidence,
the judge is very likely not to admit it. Or if the cops don’t retain a
good chain of custody of the evidence, then the defense lawyer can make
the claim that there is no way to know that the police did not alter the
evidence in some fashion. Logs are evidence, so the same rules apply.

Do any of the forensic programs out there integrate with the logging
solutions you are familiar with?

Good question. I don’t know of any that do off the top of my head.
However, if standards are used to code each one, there is likely a way
to integrate them and transfer logs between them. But again, this can
only be done successfully if the evidence is not altered in doing so.

How can your company help with the issues related to this topic?

Accuvant has four practice areas (Security Assessment, Compliance,
Security Technologies, and Wireless). Our compliance team would be
specifically helpful with this kind of issue because they know the
different compliance controls that would require a company to adhere to
log management standards, and they could perform a gap analysis to let a
company know where they are lacking. They can also provide remediation
assistance to fill the gaps.

The assessment team can perform policy review and architecture review to
tell a company where they are lacking in this area and their security
posture as a whole. They can also perform penetration and vulnerability
tests to see what is getting logged and at what level. And they can
perform application code review to determine if an app’s logging is
sufficient. They can also provide remediation assistance.

The security technologies team can help in recommending an appropriate
log management solution, and they can provide professional services for
installation, configuration, and management of the solution.

The wireless team does not seem to be specific to this issue, but
wireless is actually an area that many administrators and managers tend
to kind of forget is in their network. Thus, logging rarely happens
from these devices. Our wireless team has expertise with many different
manufacturers of wireless technology, and they would be able to provide
best practices for gathering logs from these devices.

You are a blogger and Internet author. Tell us a bit about that.

Internet author?? Really just a blogger since I have rarely written
anything more than a page at one time. But oh well. It sounds good!

I started blogging a little over a year ago when I was in the trenches
as an Information Security Manager at a small / medium-sized psychiatric
clinic in Houston. I really enjoyed being able to write about the
things I ran into during the course of my job. It gave me a chance to
grow as a security professional, and it really helped me hone my writing
style.

As I went forward with it, I realized that it was also a way to get my
name known out in the world of security, which I think will help my
career in the long run.

I maintain two security-related blogs. My personal blog is at
http://infosecplace.com/blog. That one is known as An Information
Security Place. I also blog about security at ComputerWorld at
http://computerworld.com/blogs/farnum.

I also have a personal blog at http://infosecplace.com/tangential. I
don’t update that on a lot. It is mainly a place to keep anything
personal I want to write about, and it helps me maintain a more pure
security blog.

Nothing really ground breaking here. Just a few questions that I thought might help others that are thinking about centralized logging. Hopefully Michael’s answers will help you when you are considering initiating or increasing logging and log management within your environment.

I would like to thank Michael again for taking time out of his very busy schedule to answer these questions. Check out his sites when you have a few extra minutes. It is definitely worth bookmarking or placing into your feeds.

Go forth and do good things,
Cutaway

logging, Accuvant, An Information Security Place, Computer World, Michael Farnum, Security Ripcord

Okay, so the title is a little bit of a misnomer.  I have not found any security websites using web bugs.  Where this stems from is my own pondering.  At my 8 to 5 organization I have been wondering how I should track the usage of the security based website I manage.  This makes good sense because I want to see if I am reaching my audience. 

As I am not the administrator of the resource I do not have the proper privileges to view the logs associated with the web server.  Actually, I do not want those privileges unless necessary for auditing or incident response purposes.  I also do not want to burden the system administrator any more than necessary.  So, rather than ask for the output of the log associated with my virtual host I have started thinking about methods that I can track hits using some type of PHP counter.

While I was investigating how to accomplish this I received a few emails so I took a look.  I had received a couple mundane messages and an email from a vendor.  Once I opened the vendor email I noticed the usual vendor email format which, unfortunately, is strewn with plaintext HTML links.  The very first link was a web bug.  It said so right on the image “title=”Web Bug…”.  So, I started thinking to myself,  “Hmmm, web bug.”  Would that work?  I could include it in every web page.  I could include it in all of the documents and presentations I provide on the site.  This will tell me how often stuff is getting viewed and whether they are coming from the intranet or the Internet.  Exactly the information I could get from the web log.  But for some reason the idea of including a web bug on the site and in the documents made my skin crawl.  So I decided to do a little asking around in the Security Catalyst Community.  I started a thread titled “Web Bugs on Internal Security Sites“.

My call was answered by several people including Rebecca Herold.  She provided me with some good insight but even better documentation.  First she pointed me to a paper by the National Advertising Initiative.

Also, the The National Advertising Initiative (NAI) created a set of standards that cover the use of web bugs (also called web beacons, web gifs, and several more a.k.a.’s) on Internet sites.  You may find their standards interesting and perhaps helpful to your consideration of using them within your network: http://www.networkadvertising.org/networks/Web_Beacons_rev_11-1-04.pdf

Next she posted a white paper that she wrote about web bugs back in April 2005 titled “Quit Buggin Me!”  I have read it already and I highly recommend it if you are interested in web bugs.  Although I usually link directly to a document I would rather force you to her site so you can be aware of her other papers and books.  The paper can be found at her “Articles Regarding Technology Aspects of Privacy” page.

By this time I was completely squared away by Ms. Herold.  Although not necessarily bad, web bugs are not necessarily good.  In fact, they have to be used properly or you may face issues with your users, your organization, or even your government.  In this case my government would be the State of Texas.  So, to continue my research I did a little Googling.  And, of course, I got a hit that directed me to the Texas Department of Information Resources.   It was very quickly apparent that the State of Texas has a policy on how to use persistent cookies and Web Bugs.  In fact, the guidance set by the Texas Department of Information Resources states:

In order for visitors to make informed decisions about the privacy practices of state agencies, the visitor should be able to access the home page and Privacy and Security Policy page without the site setting a cookie or using a web bug to track visitor [sic].

Delving in a little deeper I noticed that there is specific guidance for Institutions of Higher Education.  Particularly Texas Administrative Code Rule 206.73 Privacy and Security of State Web Sites.  

(a) Each institution of higher education shall publish a privacy and security policy for its Web site, and post a link to the policy from its home page, or Site Policies page. The privacy and security policy shall address the following:
  (1) Notice: This section must disclose the institution of higher education’s information practices before the site collects personal information from the public, including the use of, cookies, and/or Web bugs as well as information collected by other technologies and processes, and information collected via e-mail and Web-based forms.
  (2) Choice: This section must disclose whether and how personal information collected from the public may be used for purposes beyond those for which the information was provided.
  (3) Access: This section must address the procedure under which an individual may obtain information about himself or herself from the institution of higher education and/or have the institution of higher education correct information about the individual.
  (4) Security: This section must describe the procedures that ensure that information collected from individuals is accurate and secure from unauthorized use.

So, basically, after a little help from the Security Catalyst Community and a little research into the laws and regulations set forth by my government I have decided that it will be much better for me to glean the personal information of the visitors to my internal website from the web logs provided by the web server than to glean them from a web bug or some other type of overt tracking mechanism.

Go forth and do good things,
Cutaway

Powered by ScribeFire.

cookies, privacyguidance.com, DIR, SCC, Texas, Security Ripcord, Rebecca Herold, web bug