As a 21st-century civilization, we detected the Influenza A virus and its various strains (H1N1, H1N2, H3N1, H3N2, H2N3) and alerted the planet at large in almost real time. To prepare for pandemics or epidemics such as these, I don't believe we were asked to sacrifice our privacy; instead we were asked to reduce our connectivity, i.e., to limit exposure in public situations.
Why then, in the world of technology, and specifically in the utility and energy sector, would we put the technology cart before the security and privacy horse?
The United States Department of Energy has been working on the Smart Grid concept, design and implementation for a while now. On 18 May 2009, we heard about the initial set of sixteen standards for the smart grid, presented as a national priority for energy independence, job creation and lower consumer costs for electricity. Clearly it is a huge undertaking and will need consistent focus and application of our collective effort to succeed. Looking through a security lens, however, it continues to amaze me that the energy sector's CIA triad remains inverted: Availability is treated as the most important goal and Confidentiality as the least important. Shouldn't confidentiality move to the top now that breaches of the electric grid have been well covered in the media? Some of the issues are:
- There are more layers between the power generator and the end consumer. How is the information protected across the different points of the supply chain? Security is only as strong as the weakest link.
- At the end consumer's location, how do I ensure that only authorized people are able to read my power consumption?
- The SmartMeter program gives the consumer web-based access to his or her account and power consumption habits, in the hope that seeing the pattern of consumption will help consumers control their use. I guess this is a page out of the online statement access that financial services provide to help us control our spending habits. However, what certifications and standards are the authentication, access control and audit services of these systems subject to?
Utility and energy sector companies are subject to compliance with the North American Electric Reliability Corporation (NERC) standards. Protection of the infrastructure is not limited to SCADA systems, the corporate environment or the substation; in reality we would expect a mix of systems across these boundaries.
But somehow I do not expect the SmartMeter in my home to be part of a NERC CIP program.
The SmartMeter is likely out of scope for the PCI and SOX audits these companies may be subject to, as it holds neither credit card information nor financial data. However, the attack surface of the energy infrastructure grows with the installation of these devices (http://www.privacydigest.com/2009/03/23/electric+power+grid+smart+grid+may+be+vulnerable+hackers).
Is consumer education the only answer to keeping SmartMeters free of viruses, worms, unauthorized access and privacy violations? Making the consumer responsible for his choices is a great idea, but this technology is complex. Until the technology and protocols developed by NIST and EPRI ensure that security is built in, remember: caveat emptor!
Posted May 28, 2009
By: Dimitri McKay
When I started with LogLogic, nearly four years ago, I worked in the support group. Day by day I spoke to new and existing customers about their appliances, how to tailor the software, how to hone the tool to their needs and their networks. The questions were often the same, and one question which was repeated over and over went something like this:
“Hi. I’m a new customer, and we have the appliances up and running, and all of the log data on our network being sent to LogLogic. Now what?”
“Now what”, indeed.
This new customer had everything up and running, but didn't know what to report on, what to alert on, what to search for. And this made sense. I work in log management full time, and I'm unable to remember which PIX message is created when there is a policy update or what log is created when PIX time server updates fail. I'm not Rain Man. How could I expect the average new customer to know which messages meant what? Each customer would have to re-invent the wheel, doing the task of searching for what events caused what messages on what devices. They would have to go through all of the controls of a compliance requirement and figure out how to map a control back to a set of reports and alerts. What a pain!
Unfortunately, the only answer I could give at that time was “It depends.”
I didn’t know what reason the customer had acquired LogLogic. Was it for Operations? Was it for Forensics? Was it for Compliance? And if so, what specific requirement? PCI? SOX? ITIL? ISO? HIPAA? COBIT?
Each of these compliance mandates carries its own list of controls and required actions. For example, the COBIT framework specifically recommends using log data to review what users do with their access rights and privileges, and monitoring log data to detect anomalous activity. For that we're talking about a specific set of devices.
The Payment Card Industry Data Security Standard (PCI DSS) requires log data to be reviewed daily and retained for at least one year, with a minimum of three months immediately available for analysis. This is a different scope of devices to monitor and actions to accomplish.
The latest version of ITIL, version 3, recommends log data for problem isolation and user activity monitoring in conjunction with identity management. You see where this is going. Not all shoes fit all feet.
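The "which message means what, and which control does it satisfy" problem above is a mapping exercise, and it can be made concrete. The block below is an added example, not LogLogic's code or anything shipped in its suites: it parses Cisco PIX syslog lines, routes each message ID to the PCI DSS Requirement 10 control it evidences, and separates out the events nobody has decided about yet, which is the real "now what?" list. It also encodes the PCI DSS 10.7 retention rule (one year retained, three months immediately available) as a check. The message IDs used (605005, 605004, 111008, 106023, 302013) are Cisco PIX/ASA syslog IDs, the mapping table is this example's own illustrative choice rather than a vendor or PCI SSC table, and the sample log lines are constructed, not captured.

```python
"""Added example: route Cisco PIX syslog events to PCI DSS 10.2 controls
and flag the events that have no mapping yet.

Assumptions, labelled here: the six-digit IDs are Cisco PIX/ASA syslog
message IDs (605005 login permitted, 605004 login denied, 111008 command
executed, 106023 deny by access-group, 302013 TCP connection built); the
control wording follows PCI DSS v1.2 Requirement 10; the sample lines are
constructed for this example, not captured from a live firewall.
"""
import re
from collections import defaultdict
from datetime import date

# One PIX/ASA syslog line: optional <PRI>, timestamp, host, %PIX-<sev>-<id>: text
PIX_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?:PIX|ASA)-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Illustrative mapping from message ID to the PCI DSS control it evidences.
# This table is the example's own choice, not a vendor or PCI SSC mapping.
CONTROL_MAP = {
    "605005": "10.2.5 use of identification and authentication mechanisms",
    "605004": "10.2.4 invalid logical access attempts",
    "106023": "10.2.4 invalid logical access attempts",
    "111008": "10.2.2 actions taken by anyone with administrative privileges",
}


def parse_pix(line):
    """Return the fields of one PIX syslog line, or None if it is not one."""
    m = PIX_RE.match(line)
    return m.groupdict() if m else None


def map_events(lines):
    """Group parsed events by the control they evidence.

    Returns (by_control, unmapped). unmapped holds lines that either do not
    parse or carry a message ID with no control assigned: the list a new
    deployment still has to make report/alert/ignore decisions about.
    """
    by_control = defaultdict(list)
    unmapped = []
    for line in lines:
        ev = parse_pix(line)
        control = CONTROL_MAP.get(ev["msgid"]) if ev else None
        if control is None:
            unmapped.append(line)
        else:
            by_control[control].append(ev)
    return dict(by_control), unmapped


def retention_ok(oldest_online, oldest_archived, today):
    """PCI DSS 10.7: at least one year retained and at least three months
    immediately available for analysis. Dates are ISO strings (YYYY-MM-DD)."""
    d = date.fromisoformat
    online_days = (d(today) - d(oldest_online)).days
    archive_days = (d(today) - d(oldest_archived)).days
    return online_days >= 90 and archive_days >= 365


# Constructed sample lines in PIX syslog format (not real captures).
SAMPLE_LOGS = [
    '<166>May 27 2009 09:12:01 fw01 %PIX-6-605005: Login permitted from 10.1.1.5/51234 to inside:10.1.1.1/ssh for user "admin"',
    "<165>May 27 2009 09:12:40 fw01 %PIX-5-111008: User 'admin' executed the 'write memory' command.",
    '<166>May 27 2009 09:13:02 fw01 %PIX-6-605004: Login denied from 203.0.113.7/4021 to outside:198.51.100.2/https for user "root"',
    '<164>May 27 2009 09:13:05 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4433 dst inside:10.1.1.20/445 by access-group "outside_in"',
    "<166>May 27 2009 09:14:11 fw01 %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.1.1.20/50123 (198.51.100.2/50123)",
]

if __name__ == "__main__":
    by_control, unmapped = map_events(SAMPLE_LOGS)
    for control, events in sorted(by_control.items()):
        print(f"{control}: {len(events)} event(s)")
    for line in unmapped:
        print("UNMAPPED (decide report/alert/ignore):", line)
    print("retention ok:", retention_ok("2009-02-01", "2008-05-01", "2009-05-27"))
```

Run on the sample, the connection-built message (302013) lands in the unmapped list: it is not evidence for any 10.2 control, and that is exactly the kind of decision a new deployment has to record rather than rediscover. The same shape (regex per device, one table per mandate) is how a control-to-report mapping stays auditable: the table is the documentation.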
Now, however, LogLogic offers an answer in each of these situations. Whether complying with PCI, SOX, ISO or even ITIL, there is a suite to fit the need. As a Field Systems Engineer, when customers have a rock in their shoe, a thorn in their side, or a problem which needs a solution, we have an answer for them. We have a suite of alerts, reports and search filters to help them hit the ground running and find a path to unleashing that log power in as short a period of time as possible.
We have the answer to the question “now what?”.
Posted May 27, 2009
By Dominique Levin
VP Marketing and Strategy
The Cybersecurity Act proposes to give the President the capability to "shut down the Internet". While this got a lot of public attention (and outrage), the more significant part of the Act is the effort to create a "minimum bar" for security in a broad range of industries, including the Federal Government and "critical infrastructure" such as telecommunications, energy, financial services, transportation and healthcare. Such a new security standard could have even greater consequences than the already widely adopted Payment Card Industry Data Security Standard. This blog examines what the Cybersecurity standard could look like and what it would mean for American business.
The Cybersecurity Act would require the National Institute of Standards and Technology to develop cybersecurity standards for government, contractors and operators of the systems that control the nation's critical infrastructure. A newly created acquisitions board would certify that products the federal government purchased meet security standards, and regional cybersecurity centers would be set up to support small- and medium-size businesses complying with the standards.
From the draft act:
SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:
…
(2) SECURITY CONTROLS- The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.
…
Other areas for research and standards development by NIST include security metrics, software security and software configuration.
"The market has failed by definition and thus public policy is necessitated," said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team. "Hopefully, the private sector will comprehend that legislation like this creates long-term comparative advantage for American industry and subsequent technological sustainability."
A complementary bill is also circulating: the ICE (Information and Communications Enhancement) Act would replace the Federal Information Security Management Act of 2002; a 2008 rewrite of that law never came to a Senate vote. Presumably the ICE Act will not only take guidance from the current National Institute of Standards and Technology standards, but also look to a list of "Top 20 Security Controls".
Many in the security industry believe that so far NIST has been too focused on security configuration, rather than on controls that truly prevent attacks. Alan Paller, director of research at the SANS Institute, and other security professionals argue that the approach is little more than a paper-pushing exercise and doesn't secure systems from known threats. Instead the SANS Institute is pushing (and appears to be getting some traction with) its own "Consensus Audit Guidelines", a list of twenty relatively inexpensive controls every business should implement to prevent attacks.
The SANS Institute Consensus Audit Guidelines: http://www.sans.org/cag/print.php
The bills "could do more to improve cybersecurity than any action in the last decade," said Jim Lewis, director and senior fellow for the technology and public policy program at the Center for Strategic and International Studies.
"This looks like the game-changer -- or at least the conversation-changer," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "Its reach is far greater than any cyber bill I have ever seen, extending deep into corporate America."
Having a government endorsed “minimum bar” for security that applies to a broad range of industries would definitely be a positive for the security industry and for American businesses. The bill could make it a lot easier for executives in business to get approval for investments in security. Additionally, security is only as strong as the weakest link in the chain, so any initiative that can raise the bar is a good thing.
Posted May 05, 2009
By Dominique Levin
VP Marketing & Strategy
The debate between the privacy rights of individuals and the protection of public information rages not only in private enterprises, but also at the national level: how far should the government go to protect cyberspace? Several bills are currently being circulated. The two primary initiatives are the Cybersecurity Act of 2009, introduced on April 1, 2009 by Senator Olympia Snowe (R-ME) and Senator Jay Rockefeller (D-WV), and the ICE (Information and Communications Enhancement) Act, introduced in the Senate on April 28, 2009 by Senator Thomas Carper (D-DE).
Much of the public commentary on these initiatives seems to be negative, expressing concerns about privacy or free-market principles. Twitter was full of quotes about the Cybersecurity Act’s proposal to give the president powers to “shut down the Internet”.
Jennifer Granick of the Electronic Frontier Foundation laments that the Act's data-access language would give the Commerce Department "absolute, non-emergency access to 'all relevant data' without any privacy safeguards like standards or judicial review."
Others are opposed because of the impact on competitive, free-market enterprise: “Some see the Act as indicative of sweeping changes toward government regulation of private entities and worry that unintended consequences of these changes could impact competitive, free-market enterprise”.
Of course there are those, who strongly support the initiatives:
Senator Olympia Snowe (R-ME) says of the Cybersecurity Act: "If we fail to take swift action, we, regrettably, risk a cyber-Katrina."
Alan Paller, director of research at the SANS Institute, appearing before the Senate Homeland Security and Governmental Affairs Committee on Tuesday, called the federal government's cybersecurity defenses "childlike," and the work accomplished under FISMA "embarrassing."
It is surprising, however, that so little has been written about exactly how much is at stake when it comes to cybersecurity, given that the Department of Defense, the intelligence community and other agencies agree that cybersecurity is one of the greatest security challenges the US faces today. In fact, "Securing Cyberspace for the 44th Presidency", the 96-page report of the CSIS Commission on Cybersecurity for the 44th Presidency published in December 2008, uses very strong language to describe the threats:
"The enemy: foreign intelligence agencies, militaries, criminals – the most dangerous opponents are militaries and intelligence services of other nations. They are sophisticated, well resourced and persistent. Their intentions are clear and their successes are noticeable"
“Secure cyberspace for the free exchange of ideas and commerce and to protect critical national assets from damage or attack (both infrastructure and information)”
“Depriving Americans of electricity, communications and financial services may not be enough to provide the margin of victory in conflict, but it could damage our ability to respond and our will to resist”
“Cyberspace is a central element for many companies’ business plans – how they manage their supply chains and their internal services and how they work with their customers”
“Damage from cyber attacks is real: in 2007 the Department of Defense, State, Homeland Security, Commerce, NASA, National Defense University all suffered major intrusions by unknown foreign entities – the Department of State lost terabytes of information”
“The US is losing the cybersecurity battle”
The report also warns that in the cyberwar the US is currently playing the part of the Germans in World War II, who relied on their Enigma cipher machines and suffered a significant blow when the Allies broke them (the resulting intelligence was code-named Ultra).
Being a native Dutchwoman, I am also reminded of the Battle of the Netherlands, also in World War II, for a history lesson. There are parallels between the lack of preparation of the Dutch to resist the German invasion and America's apparent reluctance to 'arm' itself for cyberwar:
The Battle of the Netherlands lasted five days, and the Nazi German occupation that followed lasted five years, during which over 250,000 Dutch people died before the country was liberated. That was 2.5% of the population, equivalent to 7.5 million Americans. Just as in America today, all the conditions for a successful defense were present in the Netherlands: a dense population, wealthy, young, disciplined and well-educated; a geography favoring the defender; and a strong technological and industrial base, including some armaments industry. However, these had not been exploited: the Dutch had not expanded their military equipment since before the First World War. On the one hand there was the modern German army, with tanks and dive bombers; on the other hand the Dutch army, with only 39 (!) armoured cars and 5 (!?) tankettes, and an air force consisting largely of biplanes. Partly this was based on the desire not to antagonize a major trading partner (Germany), partly on a bet on a policy of neutrality, and partly it was made inevitable by a policy of strict budgetary limits during the Great Depression (see the parallels?).
Back to the report “Securing Cyberspace for the 44th Presidency”:
“To meet this new threat we have relied on industrial-age government and industrial-age defense”
“The organization of the federal government, especially how agencies exchange information, dates from the 1930s or earlier and is part of the reason that we are vulnerable”.
The bottom line: the threat to our cybersecurity is a strategic issue on a par with weapons of mass destruction and global jihad, and one for which the federal government bears the primary responsibility. A failure to act decisively, out of excessive concern for citizens' false sense of privacy, could lead to a much greater threat to our democratic traditions and citizens' rights.
A final quote from “Securing Cyberspace for the 44th Presidency”:
“In cyberspace the war has begun”
“The evidence is both compelling and overwhelming”
Posted May 01, 2009