Townsend Security Data Privacy Blog

Alex Bryan


How System Logging and Snowstorms Can Provide Important Information

Posted by Alex Bryan on Feb 12, 2016 2:44:00 PM

When the weather outside is frightful, keep a watchful eye on those tracks in the snow!

I used to love looking out the sliding glass doors at my parents’ deck when it would snow. I would rush to the cold glass first thing in the morning to see just who had been out and about. It was always exciting to see what footprints the various critters had left behind from the night before. A strange topic for a tech blog, to be sure, but this memory always pops to the front of my mind when discussing system logging, log collectors, and their ever-important counterpart, SIEM solutions. The one question I hear most in our support department is “I’ve got a log collector, do I really need a SIEM?” Well, let’s think about that and compare log collection and monitoring to a fresh snowfall.

Envision the log collector as a blanket of snow over a deck. The deck in this example represents your database, and the footprints are the events. Just one database server can generate millions of events in a day. With that kind of traffic your blanket of snow is going to become packed ice very quickly, and you would not be able to pick out and clearly identify any one footprint from that mess. The sheer number of events generated by the average system makes spotting an anomalous event by eye a logistical nightmare for a human observer. So simply having a good log collector is great, but it is only half of the equation. You have to be able to identify the events that matter, correlate them with each other, and act on the information gathered, preferably in real time.

One morning, after it had snowed, I was up early peering out at the snow cover when I noticed boot prints near the garage. This was unusual, as we lived in a relatively rural area. I told my parents what I’d seen and tried to show them, but the snow was starting to melt, so the evidence that I had seen was rapidly being lost to time and inactivity. My parents brushed off my concern and went on with their day, opting to forego any further “analysis”. The following morning they awoke to an open garage door and a missing car.

This scenario is strikingly similar to how cyber criminals operate. Evidence of a breach is often left long before any data is actually stolen: it can take an intruder weeks and, in some cases, months to find the data they want and take it. Early detection has spelled the end of many data theft attempts. Unusual events, like someone accessing the system from an unfamiliar location, a burst of failed logons followed by a successful one, or an unexpected access of a sensitive file, can be identified before data goes missing. All of those events show up in the system logs, but if you aren’t doing anything with the information, you are making it easy for criminals to get what they came for, and, like the melting snow, the evidence loses its value the longer it sits unexamined. When properly deployed and monitored in real time, a SIEM can be your strongest weapon for catching an intrusion during that dwell time, before the data leaves.

Proper set-up can appear daunting because the SIEM needs to be able to understand the events it receives. It can’t correlate data to recognize patterns and identify suspicious activity if the log collector is sending events in a format the SIEM doesn’t understand. In a perfect scenario, SIEMs and log collectors would work together to create an “out of the box” solution. Townsend Security has recently worked with IBM to enhance our system logging solution to include support for IBM Security QRadar. Alliance LogAgent for IBM QRadar can now send events in IBM’s Log Event Extended Format (LEEF) to the QRadar SIEM. Because we worked directly with the IBM team on the QRadar Device Support Module (DSM) definitions, you just need to pull the latest DSM definitions from IBM to get started. LEEF events still travel over syslog, but each one carries a fixed header (vendor, product, version, event ID) followed by key=value attributes, so QRadar can parse and normalize the fields without any major set-up on your side. This means that instead of logging tons of unreadable, unsorted events, you can query the SIEM for something specific, like a logon or a file change, which, going back to the original analogy, helps you find the boot prints in the snow!
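To make the difference between collecting and correlating concrete, here is an added example in Python (not code from this post, from Townsend Security or from IBM). It parses a handful of constructed LEEF 2.0 lines of the kind described above and then runs three SIEM-style rules over them: a successful logon from an unfamiliar network, a success following a burst of failures, and an unexpected access to a sensitive object. The event lines are constructed and are not real Alliance LogAgent output; the event IDs LOGON and OBJACCESS, the attribute names outcome and objName, the product version, the trusted networks and the object/user list are all assumptions made for this example.

```python
"""LEEF parsing plus three SIEM-style rules over a handful of events.

Added example for this post, not code from Townsend Security or IBM.
The event lines are constructed to look like LEEF 2.0 events; they are not
real Alliance LogAgent output. The event IDs (LOGON, OBJACCESS), the product
version, and the attribute names other than the standard src/usrName/devTime/
cat/sev (outcome, objName) are assumptions made for this example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# LEEF 2.0 header: LEEF:2.0|Vendor|Product|Version|EventID|delimiter|key=value...
# LEEF 1.0 has no delimiter field and always uses a tab between attributes.
SAMPLE_EVENTS = [
    "LEEF:2.0|Townsend Security|Alliance LogAgent|5.0|LOGON|x09|devTime=2016-02-10 08:01:12\tsrc=10.1.5.23\tusrName=JDOE\tcat=authentication\toutcome=success\tsev=2",
    "LEEF:2.0|Townsend Security|Alliance LogAgent|5.0|LOGON|x09|devTime=2016-02-10 08:02:40\tsrc=203.0.113.77\tusrName=OPERATOR\tcat=authentication\toutcome=failure\tsev=5",
    "LEEF:2.0|Townsend Security|Alliance LogAgent|5.0|LOGON|x09|devTime=2016-02-10 08:02:51\tsrc=203.0.113.77\tusrName=OPERATOR\tcat=authentication\toutcome=failure\tsev=5",
    "LEEF:2.0|Townsend Security|Alliance LogAgent|5.0|LOGON|x09|devTime=2016-02-10 08:03:05\tsrc=203.0.113.77\tusrName=OPERATOR\tcat=authentication\toutcome=success\tsev=5",
    "LEEF:2.0|Townsend Security|Alliance LogAgent|5.0|OBJACCESS|x09|devTime=2016-02-10 08:04:17\tsrc=203.0.113.77\tusrName=OPERATOR\tobjName=PAYROLL/CARDDATA\tcat=file\tsev=4",
    "LEEF:2.0|Townsend Security|Alliance LogAgent|5.0|OBJACCESS|x09|devTime=2016-02-10 08:05:00\tsrc=10.1.5.23\tusrName=JDOE\tobjName=PAYROLL/CARDDATA\tcat=file\tsev=4",
]


def _decode_delim(field):
    """LEEF 2.0 delimiter field: empty means tab; 'x09'-style means a hex char code."""
    if field == "":
        return "\t"
    if field[0] in "xX" and len(field) > 1:
        try:
            return chr(int(field[1:], 16))
        except ValueError:
            pass
    return field


def parse_leef(line):
    """Split a LEEF 1.0/2.0 line into its header fields and an attribute dict."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    parts = line.split("|")
    version = parts[0][len("LEEF:"):]
    n_header = 5 if version.startswith("1") else 6
    if len(parts) <= n_header:
        raise ValueError("truncated LEEF header")
    vendor, product, product_version, event_id = parts[1:5]
    delim = "\t" if n_header == 5 else _decode_delim(parts[5])
    attrs = "|".join(parts[n_header:])  # a '|' inside a value is data, not a separator
    fields = {}
    for item in attrs.split(delim):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "fields": fields}


# Rule tuning; the networks and the object/user list are constructed for the example.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_OBJECTS = {"PAYROLL/CARDDATA": {"JDOE"}}  # object -> users expected to touch it
FAIL_THRESHOLD = 2
FAIL_WINDOW = timedelta(seconds=60)


def run_rules(events):
    """Return (rule, user, src, devTime) tuples; keeps state across events like a SIEM."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failed logons
    for ev in events:
        f = ev["fields"]
        when = datetime.strptime(f["devTime"], "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(f["src"])
        user = f.get("usrName", "?")
        if ev["event_id"] == "LOGON" and f.get("outcome") == "failure":
            failures[src] = [t for t in failures[src] if when - t <= FAIL_WINDOW] + [when]
        elif ev["event_id"] == "LOGON" and f.get("outcome") == "success":
            # Rule 1: a successful logon from outside the networks we expect.
            if not any(src in net for net in TRUSTED_NETS):
                alerts.append(("unfamiliar_location", user, str(src), f["devTime"]))
            # Rule 2: correlation across events; no single line shows this pattern.
            recent = [t for t in failures[src] if when - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", user, str(src), f["devTime"]))
            failures[src] = []
        elif ev["event_id"] == "OBJACCESS":
            # Rule 3: a sensitive object touched by someone not on its list.
            allowed = SENSITIVE_OBJECTS.get(f.get("objName"))
            if allowed is not None and user not in allowed:
                alerts.append(("unexpected_sensitive_access", user, str(src), f["devTime"]))
    return alerts


if __name__ == "__main__":
    for alert in run_rules([parse_leef(line) for line in SAMPLE_EVENTS]):
        print(*alert)
```

Run as a script it prints three alerts for the six lines. The second and third rules are the ones a log collector on its own cannot raise: one needs state carried across several events, the other needs context (which users are expected on which object) that no single log line contains.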

Alliance LogAgent for IBM QRadar works seamlessly with IBM Security QRadar to give you the real-time, active monitoring tools you need to be proactive when dealing with a potential data breach. For more information, request this white paper on Making Security Better for the IBM i and IBM QRadar:


Request the white paper: Simplifying Security for IBM i and IBM QRadar



Topics: System Logging, White Paper, IBM QRadar, Alliance LogAgent for IBM QRadar

It Takes a Creative Mind to Stop a Devious Mind

Posted by Alex Bryan on May 22, 2015 9:13:00 AM

I recently watched a movie that really made me think about how the cryptographic landscape has evolved. Eighty years ago encryption was almost entirely the domain of military organizations. Now it is ingrained in nearly every business transaction that takes place every day, and the average person hardly takes notice. Will strong encryption, secure key management, and complex passphrases be enough to stop the attacks of the future?

A Chink in the Armor

We can scarcely avoid smart devices these days. The “smart phone” seems to have been the catalyst that blew our (or at the very least my) cozy concept of privacy right out of the water. Most people trust that their data is secured by whatever cell service they use or by the social media site they frequent. Few people take responsibility for their own sensitive data management, perhaps because they do not feel there is a need, or perhaps because they do not consider it sensitive.

I feel that this is not the right attitude. Consider, for instance, the webcam and mic. Fifteen years ago I needed to go to an electronics store to purchase a golf-ball-sized orb on a clip to use video chat, or spend upwards of $300 if I wanted to film my friends and me skiing. Those devices needed to be plugged in or turned on to work.

Now, just in my house alone, I have at least six HD cameras in the form of old smartphones, laptops, and gaming devices. Most of those devices are always on by design, and vulnerable to compromise. Suppose there was sensitive information within view of one of those cameras, even if it’s just a calendar. It’s worth thinking about, especially considering that today just about every device comes with an integrated camera. Video game systems can listen to our conversations and respond to verbal cues (and in some cases movement). Software can now turn speech into text accurately and reliably. Taking this into account, sensitive data now goes far beyond a credit card or social security number. Everything you say or do in your own home is now, quite possibly, sensitive data.

Rising to Meet Future Threats

Very soon the smartphone will be among the least of our worries. Computerized smart glasses, smart watches, and other smart appliances will start to invade our workplaces and homes. This raises a very real security concern when you think about it: all it would take is one compromised smartwatch to capture a password from a whiteboard. In fact it may not even be as sneaky as all that. I recently read a funny article that detailed three or four data security slips. In each instance there was a photo of a news anchor with sensitive data, such as a password, in the shot behind them. These were photos taken deliberately, but without regard for what was captured in the background. Responsibility for the photos falls on the photographer in that case.

That article did make me think, though. Would crafty attackers be inclined to hack the cameras of personal devices? A smartphone that’s in your pocket most of the time might pose little threat, but what about a smart watch? Could a particularly determined attacker gain access to a database administrator’s home appliances? What if they were able to learn a passphrase or record business conversations by hacking an entertainment system? It would be worth the attempt if it meant the keys to the kingdom.

Surely you’ve implemented, or at the very least heard of, the following security steps. These are the basics, the steps you take to prevent a conventional attack:

  1. Deploy strong encryption wherever possible, and adopt a strong key management solution.
  2. Do not keep passwords written down, especially on whiteboards.
  3. Use strong passwords; long passphrases that include dashes or numbers are a good choice.
  4. Develop and enforce policies regarding security best practices on employees’ personal and home devices.

Finally, let’s make the safe assumption that attackers are thinking outside of the box. It follows that we too must think creatively to stop data breaches. Now let’s pretend that an attacker has hacked a smartwatch or webcam and acquired a password to your database. That attacker has just bypassed most of the security measures you’ve put in place. The only thing that will stop an attack at this stage is a strong two-factor authentication solution. If it is deployed on the targeted system, the attacker enters the stolen passphrase and, instead of gaining access, sees an alert: “A text message has been sent to your phone, please enter the 6-digit code to continue”. Two-factor authentication saves the day. (A code sent by SMS is the weakest form of second factor, since a phone number can be hijacked; an authenticator app or hardware token is stronger. But any second factor defeats a password that was simply read off a whiteboard.) As more and more digital devices flood the workplace, the need for another line of defense becomes very real.
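The scenario above, worked through as an added example in Python (not code from this post or from Townsend Security): a login that checks the password and then demands a six-digit one-time code, so an attacker holding only the captured password is turned away. It uses an RFC 6238 time-based code (TOTP, the kind an authenticator app generates) in place of the SMS-delivered code the post describes; the server-side check is the same idea. The user record, its password, the salt, the shared secret and the fixed clock value are all constructed for the example.

```python
"""Password plus a six-digit one-time code: the stolen password alone fails.

Added example, not code from the post or from Townsend Security. It uses an
RFC 6238 time-based code (TOTP) in place of the SMS-delivered code the post
describes; the check on the server side is the same idea. The user record,
password, salt and shared secret are constructed for the example.
"""
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


SALT = b"constructed-salt-for-example"


def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user record: a DBA whose password was captured from a whiteboard.
USERS = {
    "dba": {
        "pw": password_hash("Sierra-Tango-2015"),
        "totp_secret": b"constructed-shared-secret-20",  # enrolled on the user's device
        "last_counter": -1,                              # highest time step already used
    }
}


def login(user, password, code, now=None, window=1):
    """Return (granted, reason). A correct password is never enough on its own."""
    rec = USERS.get(user)
    # One message for unknown user and wrong password, so the login does not
    # tell an attacker which half of the credential was right.
    if rec is None or not hmac.compare_digest(rec["pw"], password_hash(password)):
        return False, "bad credentials"
    if code is None:
        return False, "second factor required: enter the 6 digit code from your device"
    now = int(time.time()) if now is None else now
    counter = now // STEP
    # Accept the current step and one either side for clock drift, but never a
    # step at or below the last one used, so a captured code cannot be replayed.
    for delta in sorted(range(-window, window + 1), key=abs):
        c = counter + delta
        if c > rec["last_counter"] and hmac.compare_digest(hotp(rec["totp_secret"], c), code):
            rec["last_counter"] = c
            return True, "ok"
    return False, "bad or reused code"
```

With the stolen password and no code, login() stops at the second-factor prompt; with a guessed code it fails again. The legitimate user, who has the enrolled secret, gets in once per code, and presenting the same code a second time is refused.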


Topics: Data Security, Data Privacy