October 10, 2010

Interview with Shon Harris

Shon Harris discusses some of the upcoming threats companies face in information security today and what she and her company, Logical Security, are doing to help in these efforts. Here is the interview with Shon Harris, Owner and President of Logical Security.

1. Please provide us with some background information on your organization and your industry.

I work in the information security industry, which has critical impacts on businesses, organizations and nations. Our society only increases its dependence upon technology, and properly securing it can come down to the life or death of an organization.

The information security industry is relatively new compared to other industries such as financial, medical, and telecommunications. The industry is currently going through many different ‘growth pains’ as it moves from a chaotic and infant entity to a more mature and disciplined space. I and my company have been seen as visionaries in helping some of the largest corporations and government agencies secure their most precious assets against the largest threats they face today.

Logical Security is going into its 8th year of existence, while I have been in the industry for 15 years. My company specializes in risk management consulting services and training. We build enterprise-wide risk management programs that not only allow our customers to identify their vulnerabilities and stop their adversaries, but correlate and integrate information security issues into their overall business decisions and vision.

2. What are some of the primary challenges your industry faces?

The threat landscape that companies face today is not the same that they had to deal with even five years ago. Today’s threats are not the lone hackers but organized, trained, and funded groups that are backed by organized crime rings or nation states.

Attackers are no longer interested in spreading benign viruses, but have very focused goals of obtaining an organization’s most sensitive data such as social security numbers, credit card information, medical data, and privacy and financial information. The attackers are using our technology against us and we are constantly being outsmarted.

Companies and government agencies are finding it difficult to keep up with a threat that can morph and adapt at the rate of speed that is currently taking place. Anti-virus products capture around 23% of the malware that is on our systems, meaning that most systems are infected and being used by an underground criminal without our knowledge.

Organizations have a false sense of security because they have anti-virus, firewalls, intrusion detection, intrusion prevention and other technologies in place. While these are necessary defenses, the enemy is circumventing them and covertly embedding themselves into the technology and devices we use day in and day out.


Other Information:

Certified Information Systems Security Professional (CISSP)


IT Security Essential Body of Knowledge (EBK)


Data security breaches are a concern for every organization that holds sensitive data. Until now, studies released have covered data that either must be kept confidential, or that contain a small number of breaches for analysis. “The Leaking Vault – Five Years of Data Breaches” analyzes over 2,800 data loss incidents from publicly accessible sources, with a known disclosure of 271.9 million records. This study—the largest of its kind to date—provides analysis on which breach vectors carry the most risk, and should help provide organizations with more accurate information when combating this problem.

To assist organizations and current and future members of this workforce, the Department of Homeland Security National Cyber Security Division (DHS-NCSD) worked with experts from academia, government, and the private sector to develop a high-level framework that establishes a national baseline representing the essential knowledge and skills IT security practitioners should possess to perform.

DHS-NCSD developed the IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development as an umbrella document that links competencies and functional perspectives to IT security roles fulfilled by personnel in the public and private sectors.


September 29, 2010

Is There Really Someone Out to Get You? – by Shon Harris


Many times hackers are just scanning systems looking for a vulnerable running service or sending out malicious links in emails to unsuspecting victims. They are just looking for any way to get into any network. This would be the shotgun approach to network attacks. Another, more dangerous attacker has you in his crosshairs and he is determined to identify your weakest point and do with you what he will.

As an analogy, the thief that goes around rattling door knobs to find one that is not locked is not half as dangerous as the one who will watch you day in and day out to learn your activity patterns, where you work, what type of car you drive, find out who your family is, and patiently wait for your most vulnerable moment to ensure a successful and devastating attack.

In the computing world, we call this second type of attacker an advanced persistent threat (APT). This is a military term that has been around for ages, but since the digital world is becoming more of a battleground – this term is more relevant each and every day.

How APTs differ from the regular old vanilla attacker is that an APT is commonly a group of attackers, not just one hacker, who combine their knowledge and abilities to carry out whatever exploit will get them into the environment they are seeking. The APT is very focused and motivated to aggressively and successfully penetrate a network with various attack methods and then clandestinely hide its presence while achieving a well-developed, multi-level foothold in the environment. The ‘advanced’ aspect of this term pertains to the expansive knowledge, capabilities, and skill base of the APT. The persistent component has to do with the fact that the attacker is not in a hurry to launch an attack quickly, but will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed. This is what we refer to as a “low-and-slow” attack. This type of attack is coordinated by human involvement, rather than being just a virus type of threat that goes through automated steps to inject its payload. The APT has specific objectives and goals and is commonly highly organized and well-funded – which makes it the biggest threat of all.

A virus is not an APT, a worm is not an APT, a bot is not an APT. An APT commonly uses custom-developed malicious code that is built specifically for its target, has multiple ways of hiding itself once it infiltrates the environment, may be able to polymorph itself as it replicates, and has several different ‘anchors’ so that eradicating it is difficult if it is discovered. Once the code is installed, it commonly sets up a covert back channel (as regular bots do) so that it can be remotely controlled by the attacker. The remote control functionality allows the attacker to traverse the network with the goal of gaining continuous access to critical assets.

APT infiltrations are usually very hard to detect with host-based solutions because the attacker puts the code through a barrage of tests against the most up-to-date detection applications on the market. A common way to detect these types of threats is through network traffic changes. When there is a new IRC connection from a host, that is a good indication that the system has a bot communicating with its command center. Since several technologies used in environments today detect just this type of traffic, the APT may have multiple control centers to communicate with, so that if one connection gets detected and removed it still has an active channel to use. The APT may also use some type of VPN connection so that its data in transit cannot be inspected.
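As an added example (not part of Shon Harris's post), here is one way to turn the "new IRC connection from a host" signal into a check over connection logs: learn which (destination, port) pairs each host normally talks to, flag IRC-port connections that fall outside that baseline, and then single out hosts whose new IRC connections fan out to several different servers, which is the fallback-controller behaviour the post describes. The log format, the IP addresses and the choice of ports 6667 and 6697 as "IRC ports" are constructed assumptions for illustration.

```python
"""Network-side detection of new IRC-style connections against a learned baseline.

Added illustration of the detection idea in the post above; the log format,
hosts and ports below are constructed for the example, not taken from the page.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: treat the common plaintext and TLS IRC ports as "IRC traffic".
IRC_PORTS = {6667, 6697}

# Constructed connection-log lines: "<ISO time> <src_ip> <dst_ip> <dst_port> <proto>"
# Learning window: 10.0.0.7 is a known IRC user; 10.0.0.5 only ever speaks HTTPS.
BASELINE_LOG = """\
2010-09-01T08:00:00 10.0.0.5 192.0.2.10 443 tcp
2010-09-01T08:01:00 10.0.0.5 192.0.2.10 443 tcp
2010-09-01T08:02:00 10.0.0.7 192.0.2.22 6667 tcp
"""

# Constructed "today" traffic: 10.0.0.5 suddenly opens IRC sessions to two
# different servers, 10.0.0.9 opens one, and 10.0.0.7 behaves as it always has.
TODAY_LOG = """\
2010-09-29T09:00:00 10.0.0.5 192.0.2.10 443 tcp
2010-09-29T09:05:00 10.0.0.5 198.51.100.9 6667 tcp
2010-09-29T09:06:00 10.0.0.5 198.51.100.77 6697 tcp
2010-09-29T09:07:00 10.0.0.7 192.0.2.22 6667 tcp
2010-09-29T09:08:00 10.0.0.9 203.0.113.4 6667 tcp
"""


def parse(log):
    """Parse log text into (timestamp, src, dst, port, proto) tuples."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return records


def learn_baseline(records):
    """Return {src: set of (dst, port)} observed during the learning window."""
    seen = defaultdict(set)
    for _, src, dst, port, _ in records:
        seen[src].add((dst, port))
    return seen


def detect_new_irc(records, baseline):
    """Return (src, dst, port) for TCP connections to an IRC port that the
    source host was never seen making during the baseline period."""
    alerts = []
    for _, src, dst, port, proto in records:
        if proto != "tcp" or port not in IRC_PORTS:
            continue
        if (dst, port) not in baseline.get(src, set()):
            alerts.append((src, dst, port))
    return alerts


def hosts_with_multiple_controllers(alerts, threshold=2):
    """Hosts whose new IRC connections reach at least `threshold` distinct
    servers, consistent with a bot that keeps fallback command channels."""
    per_host = defaultdict(set)
    for src, dst, _ in alerts:
        per_host[src].add(dst)
    return sorted(h for h, dsts in per_host.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    baseline = learn_baseline(parse(BASELINE_LOG))
    alerts = detect_new_irc(parse(TODAY_LOG), baseline)
    for src, dst, port in alerts:
        print(f"new IRC connection: {src} -> {dst}:{port}")
    for host in hosts_with_multiple_controllers(alerts):
        print(f"multiple IRC controllers from one host: {host}")
```

The baseline step is what keeps the check from flagging the legitimate IRC user (10.0.0.7); in practice the learning window should be long enough to cover normal weekly activity, and the same structure works for any "unexpected protocol from this host" rule, not only IRC.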

The ways of getting into a network are basically endless (exploiting a web service, emailing links and attachments to users, gaining access through remote maintenance accounts, exploiting OS and application vulnerabilities, compromising connections from home users, etc.). Each of these vulnerabilities has its own fixes (patches, proper configuration, awareness, proper credential practices, encryption, etc.). It is not only these fixes that need to be put in place; we need to move to a more effective situational awareness model. We need better visibility into what is happening throughout our network in near real time so that our defenses can react quickly and precisely.

Our battlefield landscape is changing from ‘smash-and-grab’ attacks to ‘slow-and-determined’ attacks. Just like military offensive practices evolve and morph as the target does the same, so must we as an industry.


August 27, 2010

Security Information & Event Management Implementation (SIEM)

SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances, or managed services and enable companies to respond to attacks faster, log security data and generate compliance reports. In spite of the economic downturn, the Security Information and Event Management marketplace is growing rapidly. There are several factors driving the rise of the SIEM market: it is ideal for reporting and compliance, exposes internal and external threats, improves operational efficiencies while cutting administrative expenses, and the technology’s flexibility allows it to be used as a managed service.

EMC, IBM, Novell, Cisco, CheckPoint, Symantec, CA, Attachmate, Q1Labs, eIQ Networks, SenSage and others all have SIEM products. Because of the technology’s relatively new emergence in the marketplace, there are few publications that address more than one vendor’s product.  SIEM Implementation shows how to implement multiple products, and also discusses the strengths, weaknesses, and advanced tuning of these various systems.  SIEM Implementation covers the gamut of topics a network administrator or security professional needs – from basic concepts and components to high-level configuration, analysis, interpretation and response.  It aids in the performance of risk analysis, threat detection, threat analysis and threat response for IT systems and businesses of every size.

Written by security and compliance experts and speakers, Security Information and Event Management Implementation shows IT professionals how to effectively implement SIEM in order to efficiently analyze and report data, respond effectively to inside and outside threats, and follow compliance regulations. This book also shows the separate pieces that make up a complete and cohesive SIEM.  These pieces are what most small and medium size businesses are forced to implement, due to the relatively high cost to acquire, implement, maintain and reap benefits from the full scale SIEM systems.  This teaches the IT professional how to implement a more integrated collection of discrete SIEM pieces, approaching similar utility of a full featured SIEM tool.  Further, SIEM Implementation shows readers how to use the SIEM tool to develop business intelligence, beyond the realm of being just a fancy security tool.

SIEM Implementation is a valuable addition to our security plan for 2010.

Key Selling Features

  • Includes a Smartbook – a knowledge base of business use cases: real world examples of business needs that can be satisfied by using a finely tuned SIEM system.
  • Covers the top SIEM products/vendors: ArcSight, Q1 QRadar, and Cisco MARS
  • Authors are security, SIEM, and compliance experts who speak around the world, are well-known published authors, and have close ties with the government and multiple corporate vendors.
  • Foreword by Shon Harris
  • Includes product feature summaries, and analysis and trending examples
  • Covers regulatory compliance issues
  • Provides Incident Response solutions

Market / Audience

  • Targeted at IT/security professionals and compliance professionals
  • Fueled originally by stealthy threats such as worms and more recently by compliance, the SIEM market is projected to grow from about $380 million last year to $873 million in 2010, according to research firm IDC.
  • RSA Security, the security division of EMC, estimates that the SIEM market is expanding at a rate of between 25 percent and 35 percent annually.

Author Profiles

David R. Miller (SME, MCT, MCITPro Windows Server 2008 Enterprise Administrator, MCSE Windows NT 4.0, 2000, and Server 2003:Security, CISSP, LPT, ECSA, CEH, CWNA, CCNA, CNE, Security+, A+, N+). David is an IT security consultant specializing in information systems security, compliance and network engineering. He is a lecturer, an author and technical editor of books, curriculum, certification exams and computer based training videos. He regularly performs as a Microsoft Subject Matter Expert (SME) on product lines including Microsoft Server 2008, Microsoft Exchange Server 2007 and Microsoft Windows Vista.

Shon Harris, CISSP, is the CEO of Logical Security, a computer security consultant, a former engineer in the Air Force’s Information Warfare unit, an instructor and an author. She has authored three best-selling CISSP books, is a contributing author to the book Gray Hat Hacking, and developed a full digital information security product series for Pearson publishing. Shon was recognized as one of the top 25 women in the Information Security field by Information Security Magazine.

Allen Harper, CISSP, is founder and president of N2NetSecurity, Inc., a consulting company specializing in advanced security and vulnerability analysis, penetration testing, SIEM implementation, and compliance. He served as a security engineer in the U.S. Department of Defense, and is a coauthor of Gray Hat Hacking.

Stephen VanDyke, CISSP, BCCPA, BCCPP, MCSA, Security+, Network+, was a founding member of the U.S. Army Reserve global network Computer Emergency Response Team and helped design and deploy its NetForensics SIEM. He implemented high end, multi-tiered security systems for the Multi-National Force – Iraq (MNFI) network.

Chris Blask, Vice President of Marketing at AlienVault, is on the faculty at the Institute for Applied Network Security, Co-founded Protego Networks (now Cisco MARS) and founded Critical Infrastructure Cybersecurity company Lofty Perch. Chris invented the BorderWare Firewall Server in the early days of the Internet Security market and built the Cisco Systems firewall business.
