We Don't Care about Data and IT Security

  • The Fault (8/11/2014)


    Let's just go back to everything being paper based. IT security issues resolved 🙂

    If the news stories about badUSB are correct even devices like keyboards or mice can spread a security attack.

    ...

    -- FORTRAN manual for Xerox Computers --

  • jay-h (8/11/2014)


    The Fault (8/11/2014)


    Let's just go back to everything being paper based. IT security issues resolved 🙂

    If the news stories about badUSB are correct even devices like keyboards or mice can spread a security attack.

    For years, movies and TV have portrayed this scenario where the hacker walks up to a PC on the receptionist's desks and slips a thumbdrive into the monitor's USB port, which then grants them access to the network. Apparently, Hollywood actually got it right before the general public caught on. This is one more reason to enforce a Windows security policy of disabling USB ports; it not only protects data from leaking out but can also prevent bad code from coming in.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (8/11/2014)


    jay-h (8/11/2014)


    The Fault (8/11/2014)


    Let's just go back to everything being paper based. IT security issues resolved 🙂

    If the news stories about badUSB are correct even devices like keyboards or mice can spread a security attack.

    For years, movies and TV have portrayed this scenario where the hacker walks up to a PC on the receptionist's desks and slips a thumbdrive into the monitor's USB port, which then grants them access to the network. Apparently, Hollywood actually got it right before the general public caught on. This is one more reason to enforce a Windows security policy of disabling USB ports; it not only protects data from leaking out but can also prevent bad code from coming in.

    Disable USB mice and keyboards?

    ...

    -- FORTRAN manual for Xerox Computers --

  • I've worked with companies that have computers with NO USB devices. It was a high end Mutual Fund type company. When we brought code to their system the only way to get it on was handing them the usb drive so they could review/scan it. We couldn't download patches etc. from the internet. They were happy to pay for the extra time required.

  • John Hanrahan (8/11/2014)


    I've worked with companies that have computers with NO USB devices. It was a high end Mutual Fund type company. When we brought code to their system the only way to get it on was handing them the usb drive so they could review/scan it. We couldn't download patches etc. from the internet. They were happy to pay for the extra time required.

    But the point is that they would have scanned the contents of the USB drive but not its firmware. Also what information did it have access to on the USB bus? They have made the connection.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • jay-h (8/11/2014)


    Eric M Russell (8/11/2014)


    jay-h (8/11/2014)


    The Fault (8/11/2014)


    Let's just go back to everything being paper based. IT security issues resolved 🙂

    If the news stories about badUSB are correct even devices like keyboards or mice can spread a security attack.

    For years, movies and TV have portrayed this scenario where the hacker walks up to a PC on the receptionist's desks and slips a thumbdrive into the monitor's USB port, which then grants them access to the network. Apparently, Hollywood actually got it right before the general public caught on. This is one more reason to enforce a Windows security policy of disabling USB ports; it not only protects data from leaking out but can also prevent bad code from coming in.

    Disable USB mice and keyboards?

    My own mouse and keyboard are PS/2, and I guess that port type will soon be obsolete. But in a corporate IT environment, there is no reason for users to install their own hardware from outside. That's the job of IT tech support, and anything with a USB port should be considered suspect.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

    No, they copied the code once it was approved to a network location. Since I never saw their process I don't know if they checked the firmware, but I wouldn't be surprised if they did. They were "super" aggressive with checking us (and all vendors). They even used to comment on the code, which was always interesting.

    A few years ago the firm closed due to financial "whoopsie's". I think the founder went to jail. Great with computer security and not so good with accounting security.

  • Credit card companies focus on fraud because they have to. A long time ago, a law was passed limiting the card holder's exposure to $50. (thank government regulations - for anyone who is anti-government).

    And if you have not noticed, many executives think of data back-ups and security in the same perspective. An expense that IT should be just doing. "...just make it go away." Until it does not.

    No surprise.

    I've found most DBA's and data professionals do care, often having to raise issues others just do not want to be bothered with. So, listen to your neighborhood DBA!

    The more you are prepared, the less you need it.

  • Andrew..Peterson (8/11/2014)


    Credit card companies focus on fraud because they have to. A long time ago, a law was passed limiting the card holder's exposure to $50. (thank government regulations - for anyone who is anti-government).

    Funny thing, that. Many cards hold the cardholder to zero exposure. This is NOT required by regulation. But competition and the realization that getting the user to carry the card involves allaying fears.

    Free market.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Yes, free market now.

    But back in the 1970's, without the limit, the only cards in wide use were American Express and Diner's Club.

    The more you are prepared, the less you need it.

  • As for teaching security in schools, that would be a waste of time. I heard about one school that went through and designed the whole security system so students would not have admin rights on the PC's and all the rest. It only took 48 hours after the schools opened for the year for the security system to crumble from the students hacking it.

    I also read an article that banks would hire a security company to do an audit of their branches. The four guys showed up in fireman's blues in a plain white van, came in and said they were doing a yearly fire/safety inspection. When they left there was a tap on several keyboard wires, a USB plugged in that had spyware loaded on it, and the server had a floppy in it that had a virus on it and was set up to accept RDP sessions from anywhere on the internet.

    So it isn't just remote hackers that you need to be worried about.



    ----------------
    Jim P.

    A little bit of this and a little byte of that can cause bloatware.

  • That sounds like Auditors who know their stuff. I have been through audit after audit the last few years and have found from an IT perspective the auditors don't come close to understanding IT security or even the issues. It is disturbing to have them come in and audit our IT when it is clear they really only understand accounting. I figure if they aren't reading Brian Krebs on a regular basis they aren't up to speed (that isn't a guarantee though of course).

    Apropos to this topic, how many of us as DBAs or database developers have had exposure to concepts like minimizing the attack surface of a database, or following principles of least privilege in designing a database? Or, even if you do, what kind of organizational pressures do you feel to compromise your security design?

    I'm constantly surprised at how many systems are designed with admin privilege required as a proxy for security. In practice, though, that strategy requires granting admin access to too many actors to be secure. (i.e. more permissions granted than the minimum each actor needs to accomplish their task in the system.)

    And, while the same system could be designed with lesser permissions granted, once a database is fielded that requires admin privilege, it becomes a self-reinforcing strategy that is set in deeper and deeper concrete as the system lives out its natural life.
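    The "admin privilege as a proxy for security" design the post above describes, beside a least-privilege alternative, as an added T-SQL example that is not from this thread. The database, login, role, schema and object names (OrdersDb, AppLogin, AppUser, app_orders_rw, api, api.usp_PlaceOrder, api.vOrderSummary, dbo.Orders) are hypothetical, and the api schema is assumed to already exist with dbo as its owner so that ownership chaining applies.

    ```sql
    -- Added example (not from the thread); all names are hypothetical.
    USE OrdersDb;
    GO

    -- Anti-pattern: the application login is simply made db_owner (or sysadmin)
    -- because "it needs to work". Every bug in the app, and every leaked
    -- connection string, then carries full control of the database.
    -- CREATE USER AppUser FOR LOGIN AppLogin;
    -- ALTER ROLE db_owner ADD MEMBER AppUser;

    -- Least-privilege alternative: a role that can only call the stored
    -- procedures the application actually needs, plus read one reporting view.
    CREATE USER AppUser FOR LOGIN AppLogin;
    CREATE ROLE app_orders_rw AUTHORIZATION dbo;
    ALTER ROLE app_orders_rw ADD MEMBER AppUser;

    -- The app reaches the data only through procedures in the 'api' schema.
    -- Because api and dbo objects share the owner (dbo), ownership chaining
    -- lets the procedures touch dbo tables without the caller holding any
    -- direct table permission.
    GRANT EXECUTE ON SCHEMA::api TO app_orders_rw;
    GRANT SELECT ON OBJECT::api.vOrderSummary TO app_orders_rw;

    -- Make the absence of direct table access explicit: a later GRANT made
    -- elsewhere (for example to a group the user is in) cannot silently
    -- override an explicit DENY.
    DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_orders_rw;

    -- Check: impersonate the application user and list effective permissions.
    -- The first query should show EXECUTE on the procedure; the second should
    -- return no rows, since the user has nothing on the underlying table.
    EXECUTE AS USER = 'AppUser';
    SELECT permission_name, subentity_name
    FROM fn_my_permissions('api.usp_PlaceOrder', 'OBJECT');
    SELECT permission_name, subentity_name
    FROM fn_my_permissions('dbo.Orders', 'OBJECT');
    REVERT;
    ```

    The same check run against a db_owner member lists every permission on dbo.Orders, which is a quick way to show a project team what "admin as a proxy for security" actually grants.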

  • John Hanrahan (8/11/2014)


    No they copied the code once it was approved to a network location...

    Unless they retyped it the "approved ... network location" was connected in some way to the other area.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • K. Brian Kelley (8/11/2014)


    venoym (8/11/2014)


    I have to question the "myth" of the Air-Gap that is referenced. A proper Air-Gap or Data Diode for SCADA systems provides a level of protection that cannot be denied.

    It provides an additional level of protection. I'm not denying that. However, the way most SCADA systems have been built, what's behind that data diode is ripe for the picking. You can't add additional layers of protection without breaking the system. Why do they have that attitude? Because they trust the air gap/data diode is the be-all/end-all. It isn't. It's just a broken and outdated idea in infosec.

    I realize this will probably fall on deaf ears. If you rely on only the Data Diode/Air Gap, you deserve to fail, and will fail. An Air-Gap/Data Diode is required by Federal Regulations for Nuclear. Consider, you can't take a system that is a hodgepodge of equipment from every decade back to the 1970's and expect to run the latest and greatest IDS/IPS and anti-malware on every device. Most devices in a SCADA system are simple PLC/firmware devices that only know "point A and set points X, Y and Z". Servers and workstations need to be protected by Best Practices regardless of Air-Gap.

    To blanketly state that a Data Diode/Air-Gap is broken and outdated Information Security is disingenuous at best. They work as long as you continue to do the other Cyber Security Best Practices in addition. Like anything, they are a tool to be used and used properly. Similar to the use of NULLs or GOTO, there are valid and GOOD uses of them (Yes, I realize that half of the people reading this just tuned out, but seriously... do some objective research). Finally I'll state that you do NOT want a Nuclear plant to have its control and protection systems to have a 2 way connection to the Internet.
