<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; Guest Blog Post</title>
	<atom:link href="http://lastwatchdog.com/category/guest-blog-post/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Wed, 25 Apr 2012 20:37:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Why network forensics should become ongoing maintenance</title>
		<link>http://lastwatchdog.com/network-forensics-ongoing-maintenance/</link>
		<comments>http://lastwatchdog.com/network-forensics-ongoing-maintenance/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 23:51:19 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12290</guid>
		<description><![CDATA[Company network attacks &#8212; and successful intrusions &#8212; continue at a steadily rising pace, for a  litany of reasons. The core driver is a complex dynamic. We continue to expand commercial uses of the Internet, pumping more cloud services, social media and mobile devices into the mix. The end result is an ever expanding canvas [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone" src="http://lastwatchdog.com/wp/wp-content/uploads/cyber_robber_masked150px.jpg" alt="" width="150" height="154" /><em>Company network attacks &#8212; and successful intrusions &#8212; continue at a steadily rising pace, for a  litany of reasons. The core driver is a complex dynamic. We continue to expand commercial uses of the Internet, pumping more cloud services, social media and mobile devices into the mix. </em></p>
<p><em>The end result is an ever expanding canvas of attack surfaces for highly skilled and motivated cybergangs to tap into corporate databases. In this LastWatchdog guest post, Timothy David McCreery, President and CEO of network monitoring firm WildPackets, examines why it might make sense for companies to embrace network forensics as ongoing preventive maintenance, instead of turning to it only for after-the-fact investigations.</em></p>
<div id="attachment_12293" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-12293" href="http://lastwatchdog.com/network-forensics-ongoing-maintenance/tim_mccreery175px/"><img class="size-full wp-image-12293" title="tim_mccreery175px" src="http://lastwatchdog.com/wp/wp-content/uploads/tim_mccreery175px.jpg" alt="" width="175" height="254" /></a><p class="wp-caption-text">McCreery</p></div>
<p>By Timothy David McCreery</p>
<p>Homeowners insurance, health and life insurance are well known forms of risk coverage. While these modes of protection have remained relatively the same, there is a litany of new threats that aren’t as well accounted for. Most businesses today operate some form of computer network and for many, their entire business is based online. Company computer networks are increasingly vulnerable in the era of phishing scams, cyber attacks and large-scale data breaches. So then, what is their form of insurance?</p>
<p>Today, preventative security is a top priority for any IT department, but no amount of security can protect all of your networks all of the time. Even global brands and governments aren’t immune to attacks, and every company should have a contingency plan in place in the event of a breach. One of the most easily implemented, but often-overlooked contingency plans for your network is network forensics.</p>
<p>While many companies believe that a simple activity monitoring solution is the only thing they need to help protect their network, network forensics is an essential part of any comprehensive security strategy. IDS/IPS (intrusion detection/intrusion prevention systems) do help flag and block known problems, but when they miss something, security teams are left with no data to analyze and no way to reconstruct what went wrong. What an IDS/IPS leaves behind is typically an alert log rather than evidence: sorting through possibly thousands of event records, each with an IP address, source/destination port, time, date, protocol, matched string and more, to find the one event that matters is tedious, and the packets that would explain it are already gone.</p>
<p>Network forensics, on the other hand, captures complete network conversations, recording all network activity at the packet level to fixed storage, displays key network performance statistics, and provides visual tools both for real-time monitoring and for post-capture analysis. Captured data is stored in a central location and translated into a common format, allowing users to drill into problem areas, quickly locate a specific incident, or watch for known malware ‘fingerprints’ before an infection spreads.</p>
<p>With breaches originating both inside and outside the network, analysis and prevention can only be achieved if you have a complete view of your network activity. This level of insight is even more essential as the number of on-the-go users and BYOD policies grows within companies. In fact, it is often business-critical issues unrelated to performance, such as suspected violations of industry regulations or data breaches, that drive the need for post-incident analysis.</p>
<p>A breached mobile device or infected personal laptop brings outside threats inside the network, where a perimeter-placed IDS/IPS that only inspects traffic crossing the Internet boundary never sees them. The ability to recognize such a breach and pinpoint its source prevents a compromise of the entire network. In addition, network forensics can be used to identify rogue or unauthorized devices trying to access the network, closing off another kind of potential attack.</p>
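<p>To make the contrast with an alert log concrete, the following is an added example, not WildPackets code and not part of the original post. It builds a tiny libpcap-format capture in memory (the packets, addresses and device inventory are all constructed for the example), then reads it back the way a forensics tool would: every packet is indexed into a bidirectional conversation record, an analyst can drill into every flow touching one port, and source MAC addresses are checked against a hypothetical asset inventory to surface the rogue devices described above. It uses only the Python standard library.</p>

```python
"""Index a raw packet capture into network conversations (added example, stdlib only).
The capture, addresses and inventory below are constructed test data."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_packet(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP-or-UDP frame (checksums left at zero; fine for offline parsing)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    if proto == PROTO_TCP:  # 20-byte TCP header: data offset 5, flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:                   # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def build_pcap(packets):
    """Wrap (timestamp, frame) pairs in a classic libpcap file: global header + per-packet headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in packets:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (timestamp, src_mac, src_ip, dst_ip, proto, sport, dport, payload_len) per IPv4 TCP/UDP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    _, _, _, _, _, _, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        proto = frame[23]
        src_ip = ".".join(str(b) for b in frame[26:30])
        dst_ip = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl: 14 + total_len]
        if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 8:
            continue
        sport, dport = struct.unpack_from("!HH", l4, 0)
        hdr = (l4[12] >> 4) * 4 if proto == PROTO_TCP else 8
        yield (sec + usec / 1e6, src_mac, src_ip, dst_ip, proto, sport, dport, len(l4) - hdr)


def conversations(data):
    """Aggregate packets into bidirectional conversations keyed by (proto, endpoint, endpoint)."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, _, sip, dip, proto, sp, dp, plen in parse_pcap(data):
        key = (proto,) + tuple(sorted([(sip, sp), (dip, dp)]))  # same key for both directions
        c = convs[key]
        c["packets"] += 1
        c["bytes"] += plen
        c["first"] = ts if c["first"] is None else min(c["first"], ts)
        c["last"] = ts if c["last"] is None else max(c["last"], ts)
    return dict(convs)


def flows_to_port(data, port):
    """Drill-down: every conversation with the given port at either endpoint."""
    return {k: v for k, v in conversations(data).items() if port in (k[1][1], k[2][1])}


def unknown_devices(data, inventory):
    """Source MACs seen on the wire that are absent from the (hypothetical) asset inventory."""
    return sorted({rec[1] for rec in parse_pcap(data)} - set(inventory))


# Constructed capture: one HTTPS session, one DNS query, and an unknown device talking to TCP/4444.
SAMPLE_PCAP = build_pcap([
    (1.0, build_packet("00:11:22:33:44:01", "00:11:22:33:44:ff", "10.0.0.5", "93.184.216.34",
                       PROTO_TCP, 51000, 443, b"\x16\x03\x01" + b"A" * 60)),
    (1.2, build_packet("00:11:22:33:44:ff", "00:11:22:33:44:01", "93.184.216.34", "10.0.0.5",
                       PROTO_TCP, 443, 51000, b"\x16\x03\x03" + b"B" * 120)),
    (2.0, build_packet("00:11:22:33:44:01", "00:11:22:33:44:ff", "10.0.0.5", "10.0.0.53",
                       PROTO_UDP, 40000, 53, b"\x00" * 30)),
    (3.5, build_packet("de:ad:be:ef:00:01", "00:11:22:33:44:ff", "10.0.0.77", "198.51.100.9",
                       PROTO_TCP, 49152, 4444, b"id\n")),
])
INVENTORY = ["00:11:22:33:44:01", "00:11:22:33:44:ff"]  # hypothetical known-device list

if __name__ == "__main__":
    for key, stats in conversations(SAMPLE_PCAP).items():
        print(key, stats)
    print("flows to 4444:", list(flows_to_port(SAMPLE_PCAP, 4444)))
    print("unknown devices:", unknown_devices(SAMPLE_PCAP, INVENTORY))
```

The point of keeping the packets rather than an alert is visible in the last two calls: the question "who talked to port 4444, when, and from which device" is answered from the stored capture, with no need to have written a signature for it in advance.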
<p>Network forensics can be a powerful tool in both your security and compliance strategies, but the key to network forensics is to have a solution in place now – before you have a need for incident analysis or require data to investigate an attack.</p>
<p><em><strong>About the essayist:</strong> Timothy David McCreery is the President and CEO at WildPackets, a provider of network analysis solutions. McCreery co-founded WildPackets, Inc. as AG Group in 1990. McCreery taught undergraduate Computer Science at U.C. Berkeley while obtaining a Master’s degree in EECS, and is an industry veteran with over 25 years of experience.</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/solera-networks-donation-train-next-gen-cyberdefenders/" rel="bookmark" class="crp_title">Solera Networks&#8217; donation will help train next-gen cyberdefenders</a></li><li><a href="http://lastwatchdog.com/big-brother-monitoring-needed-stop-insider-data-theft/" rel="bookmark" class="crp_title">Big Brother monitoring needed to stop insider data theft</a></li><li><a href="http://lastwatchdog.com/psychology-insider-corporate-espionage/" rel="bookmark" class="crp_title">The psychology behind insider corporate espionage</a></li><li><a href="http://lastwatchdog.com/bolted-on-perimeter-defenses-longer-effective/" rel="bookmark" class="crp_title">Why bolted-on perimeter defenses are no longer effective</a></li><li><a href="http://lastwatchdog.com/cyber-csi-blood-ballistics/" rel="bookmark" class="crp_title">Cyber CSI: going beyond blood and ballistics</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/network-forensics-ongoing-maintenance/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>The cloud collaboration conundrum</title>
		<link>http://lastwatchdog.com/cloud-collaboration-conundrum/</link>
		<comments>http://lastwatchdog.com/cloud-collaboration-conundrum/#comments</comments>
		<pubDate>Mon, 09 Apr 2012 20:08:22 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12264</guid>
		<description><![CDATA[The core mantra of those marketing cutting-edge technology often boils down to the notion that you can never have too many connections. More and more connections &#8212; to friends, co-workers, events, work projects and what have you &#8212; are desirable and achievable, now that the Internet has been fully assimilated as the globe’s commercial transactions [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12265" href="http://lastwatchdog.com/cloud-collaboration-conundrum/olympus-digital-camera/"><img class="alignleft size-full wp-image-12265" title="OLYMPUS DIGITAL CAMERA" src="http://lastwatchdog.com/wp/wp-content/uploads/Clouds-cumulus150px.jpg" alt="" width="150" height="148" /></a><em>The core mantra of those marketing cutting-edge technology often boils down to the notion that you can never have too many connections. More and more connections &#8212; to friends, co-workers, events, work projects and what have you &#8212; are desirable and achievable, now that the Internet has been fully assimilated as the globe’s commercial transactions backbone, the underlying spin goes.</em></p>
<p><em>However, many of these new ways to leverage the Internet cloud, using a cool array of embedded and mobile computing devices, are triggering unforeseen ramifications. In this LastWatchdog guest post, Barrie Hadfield, CTO and co-founder of file-sharing company <a href="http://www.skydox.com/">SkyDox</a>, outlines how we got here and what systemic challenges have resulted.</em></p>
<div id="attachment_12266" class="wp-caption alignleft" style="width: 160px"><a rel="attachment wp-att-12266" href="http://lastwatchdog.com/cloud-collaboration-conundrum/barrie-hadfield150-px/"><img class="size-full wp-image-12266" title="Barrie Hadfield150 px" src="http://lastwatchdog.com/wp/wp-content/uploads/Barrie-Hadfield150-px.jpg" alt="" width="150" height="210" /></a><p class="wp-caption-text">Hadfield</p></div>
<p>By Barrie Hadfield</p>
<p>Nearly every organization has embedded within it some type of collaborative ecosystem. Traditionally, this was anchored in email or a centralized server, accessible almost exclusively from within the firewall. Yet as the cloud wields increasing influence on corporate environments, the traditional ecosystem becomes more antiquated. There is a paradox in how the cloud enables unparalleled productivity and collaboration for the workplace while simultaneously eroding the security controls designed to protect intellectual property and corporate assets, a tension often described as the consumer file-sharing problem.</p>
<p>So how did the enterprise end up surrendering so much of its valued security measures to the cloud? First, let’s consider how the traditional corporate ecosystem was structured. Without the influence of cloud technologies, the workforce primarily shared and revised documents via a set of approved collaboration tools provided by the organization. In most cases, Microsoft’s Office suite reigned supreme with PowerPoint presentations, Word files and Excel spreadsheets stored on a single, centralized server accessible nearly exclusively via company-owned devices.</p>
<p><strong>Provisioning history</strong></p>
<p>The first crack in the traditional ecosystem surfaced via email, which has always provided an escape hatch for collaborating outside of the firewall. Recall the old adage: never send anything via email that you don’t want leaked into the public domain. That advice was quickly forgotten, as the rush for convenience typically trumped nearly all security considerations. Employees soon found they could use email attachments to share files, without considering the potential for intellectual property loss or an information breach.</p>
<p>Then, the cloud worked its way into the office and the collaborative ecosystem was permanently changed. The first sign of trouble was how these tools were introduced into corporate settings. In direct contradiction to the conventional top-to-bottom corporate application provisioning, in which tools are handed down from top executives and IT administrators to the workforce at large, consumer-style cloud platforms were shared among the employees at the frontlines first and then trickled upward. The result was an abundance of consumer-oriented tools, downloaded by all, used properly by few, none approved for security or compliance by the IT administrators.</p>
<p>Secondly, as opposed to, say, a packaged set of tools, such as the Microsoft Office suite, consumer-based cloud collaboration tools are usually in direct competition with one another. And according to Forrester, half of all office workers use between four and seven collaboration tools to do their jobs. With this patchwork approach, each platform becomes its own information silo, making it arduous to track the content once it is uploaded. Of course this is frustrating for employees who want to keep track of where their data is and whether the stored version is the most updated. But from a security standpoint it also causes significant harm to a business’ audit trail, making it nearly impossible to know if unauthorized users have access to the content to distribute, store or modify it.</p>
<p><strong>No turning back</strong></p>
<p>The resulting security threats are self-evident. Consumer-based products in general are designed with ease-of-use as the primary consideration, with security falling somewhere well below. When security is considered at all in the design process, it is frequently at a personal, rather than an enterprise-grade, level. Additionally, these platforms do little, if anything, to prevent files and information from leaving the enterprise perimeter. If a document is shared with an employee at one company, nothing stops him or her from forwarding it, even by accident, to the wrong person.</p>
<p>But there is no turning back the clock. The cloud is now part of the business fabric and will only become more ingrained in the collaborative process going forward. Trying to ban cloud collaboration tools will only hinder your organization’s ability to innovate and collaborate &#8212; and ultimately damage the entire productivity of the workforce. We have, however, reached a crossroads in which IT administrators must either take back control and have a voice in the way the cloud is deployed within their organizations – or risk irrelevancy. After all, would you want your company’s proprietary information pushed into the public domain on purpose or inadvertently?</p>
<p><em><strong>About the essayist: </strong>Barrie Hadfield is CTO and co-founder of SkyDox, a cloud-enabled file sharing, file synchronization and collaboration platform for the enterprise. Before founding SkyDox, Barrie co-founded another document comparison and file-sharing company, WorkShare, in 1999.</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/information-protection-world-wikileaks-cloud-computing/" rel="bookmark" class="crp_title">Information protection in the age of WikiLeaks</a></li><li><a href="http://lastwatchdog.com/ipadatt-data-theft-shows-lock-file-transfers/" rel="bookmark" class="crp_title">iPad/AT&#038;T data theft shows need to lock down file transfers</a></li><li><a href="http://lastwatchdog.com/chilling-effect-megaupload-raid-spreads/" rel="bookmark" class="crp_title">Chilling effect of MegaUpload raid takes hold</a></li><li><a href="http://lastwatchdog.com/organizations-dont-manage-file-transfers-reckless/" rel="bookmark" class="crp_title">Why organizations that don&#8217;t manage file transfers are reckless</a></li><li><a href="http://lastwatchdog.com/veracode-lands-harvard-business-school-dean-microsoft/" rel="bookmark" class="crp_title">Veracode lands Harvard business school dean &#038; Microsoft director Dr. Jim Cash</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/cloud-collaboration-conundrum/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
<title>Why DDoS attacks persist</title>
		<link>http://lastwatchdog.com/ddos-attacks-persist/</link>
		<comments>http://lastwatchdog.com/ddos-attacks-persist/#comments</comments>
		<pubDate>Fri, 16 Mar 2012 13:30:49 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12200</guid>
<description><![CDATA[Denial of service attacks made big news in 2011 as hacktivists refined techniques to rally like-minded protestors to shut down targeted websites for ideological reasons. Sony, Visa, MasterCard, the U.S. Chamber of Commerce and many others got hit. That trend has not abated. And now governments may be getting into the act, orchestrating such attacks. [...]]]></description>
<content:encoded><![CDATA[<p><a rel="attachment wp-att-12201" href="http://lastwatchdog.com/ddos-attacks-persist/120316_ddos-screen175px/"><img class="alignleft size-full wp-image-12201" title="120316_DDos screen175px" src="http://lastwatchdog.com/wp/wp-content/uploads/120316_DDos-screen175px.jpg" alt="" width="175" height="128" /></a><em>Denial of service attacks made <a href="http://lastwatchdog.com/denial-service-attacks-harder-detect/">big news</a> in 2011 as hacktivists refined techniques to rally like-minded protestors to shut down targeted websites for ideological reasons. Sony, Visa, MasterCard, the U.S. Chamber of Commerce and many others got hit.</em></p>
<p><em>That trend has not abated. And now governments may be getting into the act, orchestrating such attacks. Earlier this week the <a href="http://news.cnet.com/8301-1023_3-57397730-93/iran-may-have-committed-cyber-attack-on-bbc/">BBC accused the Iranian government</a> of disrupting the news organization’s e-mail and web pages, along with jamming the BBC’s satellite feeds into Iran.</em></p>
<p><em>In this LastWatchdog guest post, Lori MacVittie, Senior Technical Marketing Manager at application delivery networking firm F5, delves into the technical underpinnings of modern-day DDoS attacks.</em></p>
<div id="attachment_12203" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-12203" href="http://lastwatchdog.com/ddos-attacks-persist/lori-macvittie175px-2/"><img class="size-full wp-image-12203" title="Lori-MacVittie175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Lori-MacVittie175px1.jpg" alt="" width="175" height="249" /></a><p class="wp-caption-text">MacVittie</p></div>
<p>By Lori MacVittie.</p>
<p>The success of distributed denial-of-service (DDoS) attacks today has more to do with what an attacker does with the traffic than with how much traffic they generate.</p>
<p>Certainly massive volumes of traffic can overwhelm a site in any number of ways, but such attacks are costly and require coordination to execute. It takes hundreds of thousands of machines to generate the volume necessary to overwhelm the public-facing presence of a well-provisioned organization today. Network infrastructure has become adept not only at handling such volume but at recognizing a traditional volumetric DDoS attack for what it is and throttling the traffic to protect a company’s presence.</p>
<p>This is why we’ve seen a rise in attacks directed at the application layers: exploits of protocol behavior and of the basic application logic assumed by all web and application servers. These attacks offer maximum effect with minimal effort, requiring less coordination and fewer resources on the part of the attacker while still managing to disrupt services even at organizations one hop from the Internet backbone.</p>
<p>A week-long DDoS attack in early November, <a href="http://www.networkworld.com/news/2011/112411-largest-ddos-attack-so-far-253462.html?source=nww_rss ">targeting an Asian e-commerce retailer</a>, was one of the largest in 2011: it reached traffic volumes of 45 Gbps. Yet waves of other attacks that generated far less traffic have been far more successful at taking down websites.</p>
<p><strong>Modern attacks</strong></p>
<p>As noted in reports of the aforementioned attack, at its peak attackers were able to make 15,000 connections per second to the target company&#8217;s servers. This is the key to understanding modern attack methods. While network infrastructure can detect and throttle back traditional attack methods, it is not so good at detecting and throttling back modern attack methods that target application protocols. That those connections reached the company&#8217;s servers at all indicates a failure on the part of its network and application delivery infrastructure to correctly identify the attack and take measures to halt it.</p>
<p>This is likely for the same reason similar attacks have succeeded in the past: the network and security infrastructure in place simply lacks the intelligence needed to distinguish legitimate application requests from illegitimate ones. Doing so requires understanding how clients normally behave at the protocol layers and applying that understanding to live interactions. A client that opens connections but never completes a request, or whose request pattern is inconsistent with the network and client characteristics present in every connection attempt, should trigger an alarm that puts the infrastructure on alert, ready to clamp down once a threshold of traffic or requests is crossed.</p>
<p>Because network infrastructure today is unable to accurately distinguish between bad and good requests, it can do little more than pass the requests to servers. Those servers, despite the ever-increasing computing resources available, are still simply unable to handle the volume of connections being attempted. The end result is almost always a disruption of service. In an auto-scaling cloud computing environment, service may continue – but at a very high cost, as automated systems launch more and more virtual servers to handle the load, each one incurring costs on an hourly basis.</p>
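<p>As an added example (not F5 code and not part of the original post), the script below scores clients on behavior rather than volume. It replays a constructed connection log of CONNECT, REQUEST and CLOSE events and flags a client when its connection rate, the fraction of its connections that ever complete a request, or the number of connections it holds open without speaking crosses a threshold. The log format, host addresses and thresholds are assumptions for illustration. A busy but legitimate client passes, while a low-volume client that opens connections and never sends a request does not.</p>

```python
"""Behavioral detection of application-layer connection floods (added example).
Log format, addresses and thresholds are constructed for illustration."""
from collections import defaultdict

# Hypothetical thresholds; tune to the observed baseline of the protected application.
MAX_CONN_RATE = 50.0    # connections per second from one client
MIN_COMPLETION = 0.25   # fraction of connections that must yield a completed request
MAX_IDLE_HOLD = 10.0    # seconds a connection may sit open with no completed request


def parse_line(line):
    """Constructed log format: '<epoch> <client_ip> <CONNECT|REQUEST|CLOSE> <conn_id>'."""
    ts, ip, event, conn_id = line.split()
    return float(ts), ip, event, conn_id


def analyze(lines, now):
    """Replay the log and return per-client counters."""
    clients = defaultdict(lambda: {"open_ts": {}, "opened": 0, "completed": 0,
                                   "stale": 0, "first": None, "last": None})
    for line in lines:
        ts, ip, event, cid = parse_line(line)
        c = clients[ip]
        c["first"] = ts if c["first"] is None else c["first"]
        c["last"] = ts
        if event == "CONNECT":
            c["opened"] += 1
            c["open_ts"][cid] = ts
        elif event == "REQUEST" and cid in c["open_ts"]:
            c["completed"] += 1
            c["open_ts"].pop(cid)          # completed a request: no longer an idle hold
        elif event == "CLOSE" and cid in c["open_ts"]:
            if ts - c["open_ts"].pop(cid) > MAX_IDLE_HOLD:
                c["stale"] += 1            # held open a long time and never sent a request
    for c in clients.values():             # connections still open at `now` with no request
        c["stale"] += sum(1 for t in c["open_ts"].values() if now - t > MAX_IDLE_HOLD)
    return clients


def verdicts(lines, now):
    """Return {client_ip: (verdict, reason)}; 'attack' when behavior, not just volume, is abnormal."""
    out = {}
    for ip, c in analyze(lines, now).items():
        span = max(c["last"] - c["first"], 1.0)
        rate = c["opened"] / span
        completion = c["completed"] / c["opened"] if c["opened"] else 1.0
        if rate > MAX_CONN_RATE:
            out[ip] = ("attack", f"{rate:.0f} conn/s exceeds {MAX_CONN_RATE:.0f}")
        elif c["opened"] >= 5 and completion < MIN_COMPLETION:
            out[ip] = ("attack", f"{completion:.0%} of {c['opened']} connections completed a request")
        elif c["stale"] >= 5:
            out[ip] = ("attack", f"{c['stale']} connections held idle > {MAX_IDLE_HOLD:.0f}s")
        else:
            out[ip] = ("ok", f"{rate:.1f} conn/s, {completion:.0%} completed")
    return out


def constructed_log():
    """Three clients: a busy legitimate proxy, a slow-connection attacker, a connection flood."""
    lines = []
    for i in range(40):   # legitimate: 40 connections over 4 s, each completes a request and closes
        t = 1000.0 + i * 0.1
        lines += [f"{t:.3f} 198.51.100.10 CONNECT L{i}",
                  f"{t + 0.05:.3f} 198.51.100.10 REQUEST L{i}",
                  f"{t + 0.06:.3f} 198.51.100.10 CLOSE L{i}"]
    for i in range(30):   # slow attacker: 30 connections over 10 s, none ever completes a request
        lines.append(f"{1000.0 + i / 3:.3f} 203.0.113.7 CONNECT S{i}")
    for i in range(400):  # flood: 400 connections in 2 s, each dropped without a request
        t = 1000.0 + i * 0.005
        lines += [f"{t:.3f} 192.0.2.99 CONNECT F{i}", f"{t + 0.001:.3f} 192.0.2.99 CLOSE F{i}"]
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for ip, (verdict, reason) in verdicts(constructed_log(), now=1100.0).items():
        print(f"{ip:15} {verdict:7} {reason}")
```

The slow client in the sample opens only three connections a second, far below any rate limit a volumetric defense would apply, yet it is the one that would exhaust a server's connection table; the completion-ratio check catches it because it never behaves like a client that wants a page.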
<p>Traditional security mechanisms are excellent protection against traditional attackers. Sadly, however, they are largely ineffective against emerging modern attacks. Organizations need to recognize the changing focus of attackers from the network to the application layers and evaluate their strategy and infrastructure in light of how well such components would recognize and put a stop to modern attacks.</p>
<p><em><strong>About the essayist:</strong> Lori MacVittie is responsible for F5’s outbound marketing, education, and evangelism of application delivery. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts.</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/denial-service-attacks-harder-detect/" rel="bookmark" class="crp_title">Why denial of service attacks are harder to detect</a></li><li><a href="http://lastwatchdog.com/protesters-botnet-gangs-accelerate-ddos-attacks-corporations/" rel="bookmark" class="crp_title">Protesters, botnet gangs accelerate DDoS attacks against corporations</a></li><li><a href="http://lastwatchdog.com/corporate-nets-under-heavy-attack/" rel="bookmark" class="crp_title">An ugly story: corporate nets under heavy attack</a></li><li><a href="http://lastwatchdog.com/twitter-denial-of-service-reveals-fragile-infrastructure/" rel="bookmark" class="crp_title">Twitter denial-of-service reveals fragile infrastructure, morphing motives</a></li><li><a href="http://lastwatchdog.com/botnets-blackmail-targeted-sites/" rel="bookmark" class="crp_title">Botnets can be used to blackmail targeted sites</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/ddos-attacks-persist/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Why botnets have become invincible</title>
		<link>http://lastwatchdog.com/botnets-invincible/</link>
		<comments>http://lastwatchdog.com/botnets-invincible/#comments</comments>
		<pubDate>Fri, 30 Dec 2011 00:08:20 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11671</guid>
		<description><![CDATA[When I first wrote about &#8220;Zombie networks&#8221; in this 2004 cover story, hackers were in the early stages of developing the most efficient ways to systematically infect Internet-connected Windows PCs and convert them into obedient bots &#8212; at scale. The big driver back then was to assemble botnets to spread spam. Today botnets have become [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11673" href="http://lastwatchdog.com/botnets-invincible/zombiepc_150px/"><img class="alignleft size-full wp-image-11673" title="ZombiePC_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/ZombiePC_150px.jpg" alt="" width="150" height="164" /></a><em>When I first wrote about &#8220;Zombie networks&#8221; in<a href="http://www.usatoday.com/tech/news/computersecurity/2004-09-08-zombieuser_x.htm"> this 2004 cover story</a>, hackers were in the early stages of developing the most efficient ways to systematically infect Internet-connected Windows PCs and convert them into obedient bots &#8212; at scale. The big driver back then was to assemble botnets to spread spam.</em></p>
<p><em>Today botnets have become the engine that drives all forms of cyber attacks. It&#8217;s simple enough to identify bot traffic on the Internet, and even pinpoint the IP address of specific bots. Many security companies can do this. But it has become next to impossible to systematically wipe out botnets. The big reason: botted PCs are in constant use by millions of average consumers and workers in homes and workplaces all across the globe.</em></p>
<p><em>Practically speaking, there is no  way to  inoculate these PCs at a scale that would make a difference &#8212; not without disrupting Internet-commerce as we&#8217;ve come to know it.  In this LastWatchdog guest post, Tomer Teller, a researcher at firewall pioneer Check Point Software Technologies, outlines other factors contributing to the near invincibility of botnets.</em></p>
<div id="attachment_11675" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11675" href="http://lastwatchdog.com/botnets-invincible/tomer_teller175px-2/"><img class="size-full wp-image-11675" title="tomer_teller175px" src="http://lastwatchdog.com/wp/wp-content/uploads/tomer_teller175px1.jpg" alt="" width="175" height="193" /></a><p class="wp-caption-text">Teller</p></div>
<p>By Tomer Teller</p>
<p>The first bot, GMBot, was not malicious. In fact, it was created in the late 1980s to emulate a live person in Internet Relay Chat (IRC) sessions. However, around 1999 bots emerged that were designed with harmful intentions. Thereafter, bots grew more sophisticated, and in some cases, were commercialized as products.</p>
<p>The Zeus bot of 2006, for example, originally sold for several thousand dollars. In mid-2011, source code for the Zeus and SpyEye botnet kits was leaked, making these powerful botnet creators available to practically anyone that wants to establish their own botnet.</p>
<p>Today, botnets are often used as a backdoor into the IT systems of large organizations. Once inside, hackers operate in silence and stay under the radar to steal as much information as possible before their presence is detected.</p>
<p>Unfortunately, because bots are so stealthy, many companies aren’t aware that their computers have been infected, and security teams often lack proper visibility into the threats that botnets create.</p>
<p>Botnets are here to stay. They are dynamic and can quickly change form on the cybercriminal’s command.</p>
<p>It has been estimated that up to one quarter of all personal computers connected to the Internet may be part of a botnet. In 2011, the TDL botnet infected more than 4.5 million computers, adding approximately 100,000 unique addresses per day. In addition, nearly half of IT security professionals reported a dramatic increase in malware attacks.</p>
<p>Botnets have achieved near invincibility due to a confluence of developments.</p>
<p><strong> Malware has become big business</strong></p>
<p>Cybercriminals are no longer isolated amateurs. They belong to well-structured organizations that resemble terrorist cells, with money, motivation and goals. They can deploy considerable intelligence, time and resources to operate botnets that can cost businesses millions.</p>
<p>Information has become a hacker’s gold mine.  However, financial information is not the only valuable data worth stealing. We see a rise in attackers looking more for general customer information and less for specific billing or credit card data.  Such information can be very lucrative for hackers, enabling them to customize future attacks or spam campaigns and increasing the likelihood of their success.</p>
<p>Imagine, for example, emailing 500,000 people with a proposal to buy some product. If only one person out of 1,000 orders your product, that&#8217;s already 500 new orders. Now, imagine the latent profit that a spammer can make with 70 million email addresses.</p>
<p>As an example of how powerful a botnet can be, the &#8220;Rustock&#8221; botnet was generating up to 14 billion spam emails per day before it was dismantled in March 2011 in a takedown led by Microsoft, with U.S. federal marshals seizing its command servers.</p>
<p><strong> Threats have become very sophisticated</strong></p>
<p>Organizations are facing a “zoo” of malware types that result in a wide range of security threats, including viruses, worms, Trojans, spyware, adware and botnets to name a few. These are all tools used by cybercriminals in Advanced Persistent Threats (APTs), where individuals or organizations are specific targets for attack.</p>
<p>In addition, bot malware is polymorphic in nature and can mimic normal application and traffic patterns, making it difficult for signature-based solutions, such as antivirus, to combat botnets alone. Businesses need a multi-layered approach, one that looks at how infected hosts behave on the network and not only at which files they carry, to effectively mitigate the bot threat.</p>
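<p>One layer that does not depend on signatures is timing. The following added example (not Check Point code and not part of the original essay) takes a constructed outbound flow log, groups it by client and destination, and measures how regular the intervals and transfer sizes between a host and each destination are. A bot checking in with its command and control server every few minutes stands out even when every individual connection looks like an ordinary HTTPS fetch. The host names, log format and thresholds are assumptions for illustration.</p>

```python
"""Beacon detection over outbound connection records (added example, stdlib only).
Host names, log format and thresholds are constructed for illustration."""
import random
import statistics
from collections import defaultdict

# Hypothetical thresholds; calibrate against a baseline of known-good hosts.
MIN_EVENTS = 8          # need enough samples before judging periodicity
MAX_INTERVAL_CV = 0.25  # coefficient of variation of inter-connection intervals
MAX_SIZE_CV = 0.20      # coefficient of variation of bytes transferred


def parse_record(line):
    """Constructed flow-log format: '<epoch> <src_ip> <dst_host> <bytes_out>'."""
    ts, src, dst, nbytes = line.split()
    return float(ts), src, dst, int(nbytes)


def cv(values):
    """Coefficient of variation, stdev / mean: 0 for a perfectly regular series."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_scores(lines):
    """Per (src, dst) pair with enough samples: event count, timing and size regularity, median period."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = parse_record(line)
        by_pair[(src, dst)].append((ts, nbytes))
    scores = {}
    for pair, events in by_pair.items():
        if len(events) < MIN_EVENTS:
            continue
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        scores[pair] = {"events": len(events), "interval_cv": cv(intervals),
                        "size_cv": cv(sizes), "period": statistics.median(intervals)}
    return scores


def suspected_beacons(lines):
    """Pairs whose timing and size regularity both fall under the thresholds: machine-like check-ins."""
    return sorted(pair for pair, s in beacon_scores(lines).items()
                  if s["interval_cv"] <= MAX_INTERVAL_CV and s["size_cv"] <= MAX_SIZE_CV)


def constructed_log(seed=7):
    """Constructed sample: one infected host checking in every ~5 min while also browsing, one clean host."""
    rnd = random.Random(seed)
    lines = []
    t = 0.0
    for _ in range(24):  # bot: 300 s period with +/-10% jitter, ~1 KB per check-in
        t += 300 + rnd.uniform(-30, 30)
        lines.append(f"{t:.1f} 10.0.0.21 cdn-updates.example.net {rnd.randint(980, 1060)}")
    t = 0.0
    for _ in range(40):  # same host browsing: bursty timing, wildly varying sizes
        t += rnd.expovariate(1 / 180)
        lines.append(f"{t:.1f} 10.0.0.21 www.example.com {rnd.randint(400, 200000)}")
    t = 0.0
    for _ in range(6):   # clean host touching the same name a few times, irregularly
        t += rnd.expovariate(1 / 1200)
        lines.append(f"{t:.1f} 10.0.0.40 cdn-updates.example.net {rnd.randint(400, 200000)}")
    return lines


if __name__ == "__main__":
    for pair, s in beacon_scores(constructed_log()).items():
        print(pair, {k: round(v, 3) if isinstance(v, float) else v for k, v in s.items()})
    print("suspected beacons:", suspected_beacons(constructed_log()))
```

Real bots add jitter precisely to defeat this, which is why the check uses a tolerance rather than exact periodicity and why it should be one layer among several: a long sleep interval, or a C&amp;C channel multiplexed over a site the user also visits legitimately, will lower the score, so the output is a lead for the analyst, not a verdict.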
<p><strong> Attack vectors have multiplied</strong></p>
<p>There are multiple entry points for breaching an organization’s existing defenses, including browser-based vulnerabilities, mobile phones, malicious attachments and removable media, to name a few. In addition, the explosion of Web 2.0 applications and social networks used as business tools is giving hackers a huge opportunity to lure victims into clicking on malicious links or “malvertising”: malicious advertisements running on legitimate websites.</p>
<p>The rising popularity of social networks has also given hackers new opportunities to leverage social-engineering techniques to drive botnet activity. Social networks have made it easier to obtain personal and professional information about individuals, creating new entry points for socially engineered attacks, botnets and APTs.</p>
<p>Check Point research has shown the <a href="http://www.checkpoint.com/press/2011/092111-enterprises-victims-social-engineering.html">primary motivation of social engineering attacks</a> is financial gain (51%), followed by access to proprietary information (46%), competitive advantage (40%) and revenge (14%), and that such attacks can cost businesses anywhere from $25,000 to $100,000 per security incident.</p>
<p><strong> What the future holds</strong></p>
<p>In the coming years, botnets will continue to evolve using a combination of social engineering, zero-day exploits, as well as the proliferation of mobile computing and social networking.</p>
<p>In the past, it was assumed that most of the popular botnets were running on Windows machines; this is no longer true today. Linux and Mac systems are not immune. New botnet variants are cross-platform, and the industry should also expect to see more Apple, Android and other mobile-based botnets pop up that communicate with Command and Control (C&amp;C) servers over 3G or Wi-Fi networks.</p>
<p>A <a href="https://threatpost.com/en_us/blogs/sophisticated-attackers-now-using-social-net-command-and-control-012711">disturbing trend</a> is the use of social networks as command and control centers. Social networks and Web-based services, like IM, are being used to send instructions to malicious programs installed on victim networks and can give hackers the ability to send encrypted commands.</p>
<p>Using social networks such as Twitter can allow a cybercriminal to set up shop quickly and nimbly shut it down without incurring the expense of managing an entire server.</p>
<p>In this day and age, hackers can easily get the tools and resources needed to execute successful botnet attacks. Unfortunately, this is a cat and mouse game. Each time an antivirus vendor releases a new file signature, malware authors create new variants of the malware. Luckily, law enforcement, large corporations and security experts are starting to take things seriously and stop bots, such as Rustock, in their tracks.</p>
<p>Bringing down the C&amp;C servers causes bot masters to lose control over all of the zombie computers and prevents the infection from spreading. While thousands of companies have already been targets of bots and APTs, businesses have the responsibility to stop it from spreading.</p>
<p><em><strong>About the essayist: </strong>Teller is a Security Researcher and Evangelist at Check Point Software Technologies.</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/botnets-blackmail-targeted-sites/" rel="bookmark" class="crp_title">Botnets can be used to blackmail targeted sites</a></li><li><a href="http://lastwatchdog.com/good-guys-stop-rustock-tactic-botnet-killer/" rel="bookmark" class="crp_title">Good guys stop Rustock using novel botnet killer tactics</a></li><li><a href="http://lastwatchdog.com/spam-levels-rising-once-more/" rel="bookmark" class="crp_title">Spam respite over &#8212; levels rising again</a></li><li><a href="http://lastwatchdog.com/6-8-million-24-million-botted-pcs-internet/" rel="bookmark" class="crp_title">Are there 6.8 million &#8212; or 24 million &#8212; botted PCs on the Internet?</a></li><li><a href="http://lastwatchdog.com/microsoft-perfects-legal-manuever-decapitate-botnets/" rel="bookmark" class="crp_title">Microsoft perfects legal manuever to decapitate botnets</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/botnets-invincible/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>RSA&#8217;s Coviello: companies face new reality of persistent threats</title>
		<link>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/</link>
		<comments>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 21:55:37 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11657</guid>
		<description><![CDATA[It&#8217;s been a breathtaking year for mega databreaches. Security token giant RSA last March disclosed an embarrassing hack in which its crown jewel SecurID tags technology was pilfered. And tech security journalist Brian Krebs in October shed light on a list (presented to Congress) of 760 organizations that were similarly hacked, including a who&#8217;s who [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11658" href="http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/cyberattacks_175px/"><img class="alignleft size-full wp-image-11658" title="cyberattacks_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/cyberattacks_175px.jpg" alt="" width="175" height="131" /></a><em>It&#8217;s been a breathtaking year for mega databreaches. Security token giant RSA last March <a href="http://blogs.rsa.com/rivner/anatomy-of-an-attack/">disclosed an embarrassing hack</a> in which its crown jewel SecurID tags technology was pilfered.</em></p>
<p><em>And tech security journalist Brian Krebs in October <a href="http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/">shed light on a list</a> (presented to Congress) of  760 organizations that were similarly hacked, including a who&#8217;s who of the Fortune 100.</em></p>
<p><em>That&#8217;s just one subset of successful breaches, albeit a big one. Sony, Epsilon, Bank of America, HB Gary, DigiNotar, and, most recently, the <a href="http://www.eweek.com/c/a/Security/Hackers-Stole-Emails-From-Employees-in-Chamber-of-Commerce-Breach-744336/">U.S. Chamber of Commerce</a> also disclosed major data thefts.</em></p>
<p><em>RSA, a division of EMC, deserves kudos for disclosing details about how it got penetrated. Such post-event sharing has traditionally been rare among the good guys.</em></p>
<p><em>Arthur W. Coviello Jr., RSA&#8217;s executive chairman, just sent LastWatchdog this year-end review of key lessons learned and what to expect in 2012.</em></p>
<div id="attachment_11659" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11659" href="http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/art_coviello175px/"><img class="size-full wp-image-11659" title="ART_Coviello175px" src="http://lastwatchdog.com/wp/wp-content/uploads/ART_Coviello175px.jpg" alt="" width="175" height="226" /></a><p class="wp-caption-text">Coviello</p></div>
<p>By Art Coviello</p>
<p>I just came back from a five-week trip of meeting with customers around the world and never in my entire career have CEOs and corporate boards been as interested in security as they are now.  The common theme throughout these conversations was that we are facing a new reality &#8211; one of persistent, advanced and intelligent threat.</p>
<p>This new reality was reflected in the headline-grabbing attacks throughout 2011, from the attack on RSA to Sony, Epsilon and Google just to name a few.  Organizations around the world today are dealing with a deluge of digital information.  The velocity of sharing information is skyrocketing as well – driven by web-based applications, mobile devices, social networks and cloud computing.  As a result, we all are interconnected as never before.</p>
<p>This new openness to computing infrastructures is creating greater opportunities for collaboration, communication and innovation; but it’s also creating new vulnerabilities that cyber criminals, hacktivist groups and nation states have learned to exploit.  Attackers are taking advantage of gaps in security created by complex and disparate technology with increased speed, agility and cunning, easily outflanking perimeter security defenses such as anti-virus software and intrusion detection systems.</p>
<p>If there is a silver lining to this rising threat, it is that the furor around the attacks in 2011 has reached a crescendo; it’s no longer about awareness, it’s about action.  I believe that 2012 will be a year of action in which we’ll focus on key areas of improvement and innovation.</p>
<p><em> Real-time intelligence sharing will become a priority</em></p>
<p>In the era of advanced threats, greater situational awareness is essential to effectively detect, deter and to defend against cyber attacks.  The industry needs better frameworks for communicating threat information and strengthening the security posture of all interconnected parties.  In my conversations over the past months, people were united in their call for private and public sectors to work on establishing a common framework to share information dynamically and at line speed.  Today’s attackers are better at sharing real-time intelligence than their targets, and fixing this should be a top priority in 2012.</p>
<p><em> Security professionals will bridge the boardroom gap</em></p>
<p>Never before has information security captured as much mind share among board members as it has this past year.  Information risk management must be integrated into an organization’s overall enterprise risk management strategy.  Now is the time to make security a board-level conversation.</p>
<p><em> Education and training of our cyber workforce will become front and center</em></p>
<p>As cyber threats escalate, we need to invest in building the cybersecurity workforce with the requisite skills to defend our enterprises, government and critical infrastructure and help drive continued innovation.  Efforts are underway and should receive our full support for cybersecurity programs that graduate more individuals with expertise in computer sciences, risk assessment, analytics, digital forensics and human behavior.</p>
<p><em> National governments will prioritize cyber security</em></p>
<p>Across the globe we are seeing governments prioritize cybersecurity as both a national security and economic security issue.  The growth in cyber-crime, the rampant theft of IP and other sensitive information from corporations, and the penetration of defense systems and critical infrastructure by cyber attackers have all contributed to the urgency placed on cybersecurity by national governments.  In the U.S., a bill on cyber threat intelligence information sharing between government and industry is expected to pass the House of Representatives, and in the Senate the Majority Leader has said that he will bring a comprehensive cybersecurity bill to the Senate floor by January or February.  Shoring up its own defenses, the U.S. Federal Government is ramping up its cybersecurity workforce plans, and forecasts for spending on cybersecurity initiatives top $13.3 billion by 2015.</p>
<p><em> Organizations will begin to change the way they think about security</em></p>
<p>Outpacing the advances in today’s cyber threats will take a new approach to information security.  Security must evolve from conventional frameworks of uncoordinated static point products to more advanced security systems that are risk-based and capable of meeting the challenges of dynamic threat environments.</p>
<p>Learning to live in a state of compromise, organizations will shift their security budgets away from traditional prevention technologies to detection technologies designed to limit exposure and mitigate damage from threats.  The pervasiveness of virtual desktops will grow as organizations struggle to protect endpoints.  And the adoption rate of technologies such as tokenization will take off as companies find new ways to protect sensitive and regulated information.</p>
<p>I believe 2012 also will be the year in which security management meets big data – enabled by advances in data storage, compute power and analytics.  With this big data capability, security teams will be able to gain real-time access to the entirety of information relevant to the detection and remediation of security problems.</p>
<p>If 2011 was the year of the attack, then I believe 2012 will be the year of resiliency and adaptation within the industry.  Our experiences of this year have indeed made us stronger and smarter.  Our society has made unimaginable progress over the past 20 years through advances in information technology.  It’s our responsibility to sustain this advancement through a trusted digital world.</p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/us-cybersecurity-report-sats-leading-top-crucial/" rel="bookmark" class="crp_title">U.S. cybersecurity report: &#8216;Leading From The Top&#8217; is crucial</a></li><li><a href="http://lastwatchdog.com/dhs-slightly-reduced-role-langevins-cybersecurity/" rel="bookmark" class="crp_title">DHS has slightly reduced role in Langevin’s cybersecurity bill</a></li><li><a href="http://lastwatchdog.com/congress-pass-lieberman-collins-cybersecurity-bill/" rel="bookmark" class="crp_title">What Congress must do to pass Lieberman-Collins cybersecurity bill</a></li><li><a href="http://lastwatchdog.com/dealing-advanced-cyber-threats-presents-risk-cost/" rel="bookmark" class="crp_title">Advanced cyber threats expose systemic weaknesses</a></li><li><a href="http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/" rel="bookmark" class="crp_title">Senate bill mandates strong federal role to make Internet safer</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Why someone needs to compel companies to disclose cyberattack details</title>
		<link>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/</link>
		<comments>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 21:59:50 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11642</guid>
		<description><![CDATA[A flurry of mega databreaches rocked the Internet in 2011. They included RSA, Epsilon, Bank of America, HBGary, the U.S. Chamber (twice), Sony (multiple breaches) and DigiNotar. Meanwhile, the most sophisticated attack campaign yet seen, Duqu, has now likely burrowed deep inside dozens of corporations. Meanwhile, new variants of tried-and-true consumer attacks &#8212; ranging from [...]]]></description>
			<content:encoded><![CDATA[<p><em> <img class="alignnone" title="Digital pearl harbor" src="http://lastwatchdog.com/wp/wp-content/uploads/pearharborxlarge.jpg" alt="" width="275" height="184" />A flurry of  mega databreaches rocked the Internet in 2011.  They included RSA, Epsilon, <a href="http://lastwatchdog.com/bank-america-denies-ties-wikileaks-smear-outed-anonymous/">Bank of America</a>, HBGary, the U.S. Chamber (twice), Sony (multiple breaches) and <a href="http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/">DigiNotar.</a> Meanwhile, the most sophisticated attack campaign yet seen,<a href="http://threatpost.com/en_us/blogs/anatomy-duqu-attacks-112111"> Duqu, </a>has now likely burrowed deep inside dozens of corporations.</em></p>
<p><em>Meanwhile, new variants of tried-and-true consumer attacks &#8212; ranging from drive-by downloads, to clickjacking to phishing campaigns &#8212; have made the Web <a href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/">as infectious as ever</a>. In this LastWatchdog guest post Simon Crosby, co-founder and CTO of virtualized security start-up <a href="http://www.bromium.com/home/pr-062211-seriesa">Bromium</a>, argues that a big part of the problem lies in the good guys&#8217; reluctance to share what they know about how they&#8217;ve been hacked. It will probably take new laws to change that, he argues.</em></p>
<div id="attachment_11644" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11644" href="http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/simon_crosby175px-2/"><img class="size-full wp-image-11644" title="Simon_Crosby175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Simon_Crosby175px1.jpg" alt="" width="175" height="233" /></a><p class="wp-caption-text">Crosby</p></div>
<p>By Simon Crosby</p>
<p>For the last decade, we have been basking in the benefits of the Internet as a platform for democratization and commerce. Our society is now dependent on Internet connectivity. But we have blithely ignored the need to protect ourselves from its darker side. The public perception of cyber-criminals is of spotty faced, anti-social pranksters.</p>
<p>Unfortunately, we are in an extraordinarily vulnerable position, and every aspect of our on-line society and critical infrastructure is being actively probed for vulnerabilities. This year has delivered more compelling evidence of the potentially crippling economic consequences of cyber-attacks by nation states and wealthy crime syndicates, such as <a href="http://washingtontechnology.com/articles/2011/07/21/stan-sloane-cyberattacks-ip-threats.aspx">various attacks deriving from China</a> which occurred throughout the year:</p>
<ul>
<li>In February, Chinese hackers broke into the systems of five multinational oil and natural gas companies to steal corporate information.</li>
<li>In August, a highly coordinated five-year campaign launched in China resulted in the hacking of 72 networks, including the United Nations and the US Government.</li>
<li>In October, a man in China successfully breached the networks of at least 48 chemical and defense companies, stealing design documents, formulas and details on manufacturing processes.</li>
</ul>
<p>Some loss projections could be <a href="http://www.oecd.org/dataoecd/57/44/46889922.pdf">over-hyped.</a> But it is clear that the Internet is already a key battleground in international conflicts.</p>
<p><strong>Attack details needed</strong></p>
<p>It’s time to get serious about the need to protect our society and our economic and national infrastructure.  None of us want to admit to losses, and we don’t share information about attacks. The only way to change this behavior is to impose legal requirements that place national interest above the interests of a single company.</p>
<p>Just as we require enterprises to comply with accounting regulations such as Sarbanes-Oxley to protect all investors, we ought to require them to disclose information relevant to cyber-attacks – successful or not – and we should impose penalties on those that fail to adequately protect individuals or critical infrastructure; after all, technologies do exist that ensure network security.</p>
<p>If a nuclear facility fails due to poor engineering, we have every right to be upset. We need to recognize that an “insecure network” is an example of poor engineering, and define the consequences for those responsible.</p>
<p>Earlier this year, the White House proposed a new national cyber security plan that, in theory, seems to be focusing on appropriate tactics and measures. Among other specifics, the proposal mandates that private companies notify all customers of any and all data breaches and their potential for identity theft. It also would require organizations where breaches would result in the greatest impact to the nation &#8211; such as federal networks, power grids, water systems and other critical systems &#8211; to maintain the highest levels of network security and submit to annual third-party audits to ensure they are in compliance.</p>
<p><strong>Laws with teeth</strong></p>
<p>To take it one step further, the government needs to also focus on the individual protection of the general public. To do so, any company chartered with ownership of private data that is accessible over the Internet needs to be held responsible for the security of that data, and in order to enforce this, there should be heavy penalties and/or fines imposed.</p>
<p>To this end, the government should create both an addendum that defines the minimum standard of protection required of any provider that hosts data, and a separate law stating the punishment.</p>
<p>The easy part is proposing these changes; the difficulty will lie in the implementation, in how quickly the plan is put in effect and in how thoroughly the mandates are followed. Crucially, we must ensure that compliance requirements are not couched in terms of today’s technologies. Leave it to the industry to advance the state of the art as fast as possible to meet the needs of enterprises subject to regulation.  We are about to witness a profound change in favor of a more secure infrastructure.</p>
<p>Thanks to hardware-assisted virtualization and trusted execution, I am confident that in 2012 we will see security technologies that are a thousand times more robust, and whose creation is the result of the positive benefits of the Internet.</p>
<p><em><strong> About the essayist: </strong>Simon Crosby is the co-founder and CTO of Bromium. Prior to co-founding Bromium, he was the CTO of the Data Center and Cloud Division of Citrix, which he joined after the acquisition of XenSource where he was founder and CTO. Previously, he was a principal engineer at Intel, where he led strategic research in distributed autonomic computing, platform security and trust. He was a member of faculty at the University of Cambridge Computer Laboratory and Fellow of Fitzwilliam College.</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/dhs-slightly-reduced-role-langevins-cybersecurity/" rel="bookmark" class="crp_title">DHS has slightly reduced role in Langevin’s cybersecurity bill</a></li><li><a href="http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/" rel="bookmark" class="crp_title">RSA&#8217;s Coviello: companies face new reality of persistent threats</a></li><li><a href="http://lastwatchdog.com/chinese-hackers-seek-us-access/" rel="bookmark" class="crp_title">Chinese hackers seek U.S. access</a></li><li><a href="http://lastwatchdog.com/secrecy-surrounding-data-breaches-hurts-consumers/" rel="bookmark" class="crp_title">Lack of transparency surrounding data breaches not a good thing</a></li><li><a href="http://lastwatchdog.com/companies-compliance-requirements/" rel="bookmark" class="crp_title">What companies should know about complying with data security rules</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why the FTC&#8217;s COPPA revisions fall short</title>
		<link>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/</link>
		<comments>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 01:28:41 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11429</guid>
		<description><![CDATA[The Federal Trade Commission has drawn positive reviews from both Democratic and Republican lawmakers for its proposal to update the Children&#8217;s Online Privacy Protection Act, or COPPA. The 1998 COPPA law bans website publishers and social networks from collecting or using information from children under 13. Enforcement, however, has been spotty.  And it&#8217;s common practice [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11430" href="http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/coppa-15px/"><img class="alignleft size-full wp-image-11430" title="coppa 15px" src="http://lastwatchdog.com/wp/wp-content/uploads/coppa-15px.jpg" alt="" width="150" height="174" /></a><em>The Federal Trade Commission has drawn <a href="http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202518136318">positive reviews </a>from  both Democratic and Republican lawmakers for its proposal to update the Children&#8217;s Online Privacy Protection Act, or COPPA.</em></p>
<p><em>The 1998 COPPA law bans website publishers and social networks from collecting or using information from children under 13. Enforcement, however, has been spotty.  And it&#8217;s common practice for website operators to  do the minimum to meet the letter of the law.</em></p>
<p><em>Among other things, the FTC has proposed updating the definition of &#8220;personal information&#8221; to include geolocation information and certain types of persistent identifiers, such as tracking cookies. And it  has  also proposed new methods and rules for obtaining verifiable parental consent.</em></p>
<p><em>In this LastWatchdog guest post, Paul Lipman, CEO of <a href="http://totaldefense.com/home.aspx">Total Defense,</a> argues why he thinks the FTC&#8217;s proposed revisions fall short.</em></p>
<div id="attachment_11431" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11431" href="http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/paul_lipman_175px/"><img class="size-full wp-image-11431" title="Paul_Lipman_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Paul_Lipman_175px.jpg" alt="" width="175" height="257" /></a><p class="wp-caption-text">Lipman</p></div>
<p>By Paul Lipman</p>
<p>On September 15th, the Federal Trade Commission issued a long-awaited request for comments on proposed revisions to the Children’s Online Privacy Protection Act (COPPA), which gives parents control over what personal information Web sites may collect from children under the age of 13. While the sentiment behind this act is the right one, the proposed revisions don’t go far enough to protect children and families.</p>
<p>COPPA was enacted on October 21, 1998 and took effect April 21, 2000. At the time, the legislation was created to address the growth of online marketing techniques targeting children.  Web sites were collecting information from children without parental knowledge or consent and children didn’t understand the risks of revealing personal information online. As a result, the public pressured Congress to legislate.</p>
<p><strong>Current rules</strong></p>
<p>COPPA details what Web sites must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities a Web site has to protect children&#8217;s privacy and safety online, including restrictions on marketing to those under 13. COPPA requires websites to do one of the following:</p>
<ul>
<li>Obtain a signed form from the parent via postal mail or facsimile</li>
<li>Accept and verify a credit card number</li>
<li>Take calls from parents, staffed by trained personnel</li>
<li>Require an email accompanied by a digital signature from a parent</li>
<li>Require an email accompanied by a PIN or password</li>
</ul>
<p>While the COPPA regulations were timely and forward thinking, the Web has come a long way since 1998.  It’s unbelievable that it’s taken the FTC more than 10 years to look into amending the decade-old act.</p>
<p>Consider that in 1998,  Mark Zuckerberg, co-creator of Facebook was a child himself, at only 14 years of age. Facebook and MySpace did not exist.  Instant messaging, online shopping and Internet auctions were in their infancies. And few parents feared the possible repercussions of their children dropping personal information into the Web-o-sphere, because there was no real reason or way to do so.</p>
<p>The FTC’s proposed amendments to COPPA expand the definition of “personal information” to include a child’s location, along with any personal data collected through the use of cookies. The FTC also suggested that parental consent be obtained by getting scanned versions of signed consent forms or via videoconferencing.</p>
<p><strong>Parent engagement</strong></p>
<p>The revisions come in light of the increase in children operating mobile devices, using online social networking sites and participating in interactive gaming. Unfortunately, these revisions come at a time when it’s almost too little too late. The proposed changes are not enough to keep kids safe online or to keep up with the ever evolving Web.</p>
<p>As in other aspects of a child&#8217;s development, the parent should be actively engaged.  Online behavior, both on the PC and on the mobile device, is no exception.  The repercussions of digital actions are not apparent, nor is the way personal data is actually used and monetized by corporations.</p>
<p>COPPA legislation should help parents become more involved.  Laws such as the state child restraint law help ensure adequate protection is offered to children while riding in a vehicle by requiring the parent to use age and size specific child seats.  In a similar way, COPPA legislation should act as the restraint law for children when they are online by requiring a parent or legal guardian to register the child for any and all online services.</p>
<p>When it comes to social networking, the government must find ways to discourage youth from openly and freely sharing personal information.  Mobile Internet use should also be more clearly addressed by outlining restrictions for mobile applications, browsing capabilities and more.</p>
<p><strong>Marketing tilt</strong></p>
<p>Current legislation provides too many registration options allowing the parent to be circumvented too easily.  To avoid this, I recommend authenticating the parent or guardian by tying the transaction to the parent&#8217;s credit card.  While this is a documented option in today&#8217;s COPPA standard, it&#8217;s just one of the options and not a requirement.</p>
<p>We must note that most child-friendly Web sites offer plenty of interesting and valuable content without requiring any registration whatsoever.  Still, these Web sites encourage registration via tempting sweepstakes and coupon offerings; such offerings should therefore require parental consent, or tempting sweepstakes should be banned on child-friendly sites altogether.</p>
<p>Today&#8217;s legislation still tilts the scale in favor of the online marketer. Parents should be aware and legislation must change to better protect children, our future leaders, online.</p>
<p><em><strong>About the essayist. </strong>Paul Lipman, CEO of Total Defense, was previously Chief Strategy Officer at Webroot. Prior to Webroot, Lipman was General Manager of Global Services at Keynote Systems, joining Keynote via the acquisition of Enviz.  Lipman holds an MBA from the Stanford University Graduate School of Business and a Bachelor&#8217;s Degree in Physics from Manchester University in England.</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/advocacy-groups-urge-ftc-protect-children-online/" rel="bookmark" class="crp_title">Advocacy groups urge FTC to protect children online</a></li><li><a href="http://lastwatchdog.com/apps-social-networks-pose-rising-danger-kids-online/" rel="bookmark" class="crp_title">Apps, social networks pose rising danger to kids online</a></li><li><a href="http://lastwatchdog.com/isaca-backs-regulation-location-based-apps/" rel="bookmark" class="crp_title">ISACA issues tips for safe use of geolocation apps</a></li><li><a href="http://lastwatchdog.com/tech-industry-moves-protect-children-online/" rel="bookmark" class="crp_title">Tech industry moves to better protect children online</a></li><li><a href="http://lastwatchdog.com/parental-guidance-app-monitors-youth-facebook/" rel="bookmark" class="crp_title">New monitoring tools for parents can foil Facebook bullies and predators</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The case for wider use of Next Generation Firewalls</title>
		<link>http://lastwatchdog.com/case-wider-generation-firewalls/</link>
		<comments>http://lastwatchdog.com/case-wider-generation-firewalls/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 18:20:38 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11342</guid>
		<description><![CDATA[Cyberattacks have gotten very sophisticated, to say the least. Traditional perimeter firewalls are still in wide use as a fundamental defense mechanism.  But a group of security vendors are pushing for wider use of so-called Next Generation Firewalls, or NGFWs, that integrate firewall, intrusion detection and prevention, application monitoring and authentication and policy-use  controls. These [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11344" href="http://lastwatchdog.com/case-wider-generation-firewalls/firewall_150px-2/"><img class="alignleft size-full wp-image-11344" title="firewall_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/firewall_150px1.jpg" alt="" width="150" height="150" /></a><em>Cyberattacks have gotten <a href="http://lastwatchdog.com/carbon-registries-heist-part-digital-con-game-part/">very sophisticated,</a> to say the least.</em></p>
<p><em>Traditional perimeter firewalls are still in wide use as a fundamental defense mechanism. But a group of security vendors are pushing for wider use of so-called Next Generation Firewalls, or NGFWs, that integrate firewall, intrusion detection and prevention, application monitoring and authentication and policy-use controls.</em></p>
<p><em>These vendors include NSS Labs, Barracuda, Check Point, Cisco, Fortinet, Juniper, Palo Alto Networks and SonicWall. In this LastWatchdog guest post, AlgoSec&#8217;s CTO, Professor Avishai Wool, of Tel Aviv University, makes the technical argument for more pervasive use of NGFWs. (Clarification. 02Nov2010. NSS Labs tests security products, including firewalls, and publishes the results.)</em></p>
<div id="attachment_11348" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11348" href="http://lastwatchdog.com/case-wider-generation-firewalls/avishai-wool_175px-4/"><img class="size-full wp-image-11348" title="Avishai Wool_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Avishai-Wool_175px3.jpg" alt="" width="175" height="274" /></a><p class="wp-caption-text">Wool</p></div>
<p>By Avishai Wool</p>
<p>The last few years have brought us arguably the most significant change in firewall technology in decades. Ever since <a href="http://www.webopedia.com/TERM/S/stateful_inspection.html">“Stateful Inspection”</a> was introduced by Check Point in the late 1990s, firewall administrators and information security officers have been defining security policies based primarily on a connection’s source IP address, destination IP address, and service.</p>
<p>Now, with the so-called “Next Generation” firewalls (NGFWs) promoted by Palo Alto Networks and Check Point R75, policy can also be defined based on the “application”.</p>
<p>To understand why this technical detail is an exciting development for organizations, we need a bit of background. Almost all organizations let their users browse the net. From a firewall point of view, this policy is implemented by allowing the “http” service (technically, tcp on port 80) from the internal net to anywhere.</p>
<p>The trouble is that application programmers have noticed this policy and adjusted to it: almost every web-application now communicates over tcp/80. Since this port is practically certain to be open, there is no need for the application’s users to ask for a new rule through the firewall; the application will “just work”. This is very convenient for application developers, and also for application users.</p>
<p>But it is a serious concern for information security officers, because not all web-applications are born equal. While many web-applications are important business tools, others are not: some are inappropriate (think file-swapping applications), some are vectors for sensitive data loss (like personal network storage), and others are bandwidth hogs (like streaming video apps).</p>
<p>And lurking among all these we have the really nasty apps: cyber-warfare tools, corporate espionage trojans, identity-stealing bots, viruses and worms, etc. And all these apps use tcp/80 – the good, the bad, and the ugly.</p>
<p>This leaves the information security officer with an unpleasant choice: Either block all the applications that use tcp/80, and disrupt business in a major way – or allow all apps, and assume the risk. Practically every firewall policy I have seen chooses business continuity over safety, and keeps tcp/80 open – with the associated heartburn for CISOs everywhere.</p>
<p>Now enter NGFWs. Through some pretty impressive technological advances, these devices can discriminate between applications that share the same port. NGFWs can enforce fine-grained policies like “block file-swapping applications”, or “allow Facebook but not its game applications”, or even “block the super-sneaky Skype application” – while allowing benign http traffic through the firewall.</p>
<p>The sales-pitch is indeed very compelling for many security-conscious organizations, and lots of organizations are indeed embracing the new technology.</p>
<p>However, once we are past the excitement over the cool new technology (and it is indeed cool!), we have to realize that NGFWs need to be managed. This will require some thought and planning. I’d like to raise two points you should think about when you are considering NGFWs.</p>
<p>The first point is policy granularity. For many years firewall policies were defined at a crude “service” granularity – lumping thousands of applications into a single “service”. Even so, many corporate firewall policies have ballooned into monsters totaling thousands of rules.</p>
<p>Such giant policies are extremely difficult to keep secure – and invariably contain a surprisingly high number of errors. In fact, my research has demonstrated that there is a clear correlation between policy complexity and the number of errors in the policy: for firewall policies, “small is beautiful”.</p>
<p>Now imagine what will happen if, instead of a single (albeit crude) rule allowing http, the policy includes 10,000 new rules, one per application… Without some careful design, the new policy could be even less secure, simply because of all the new errors that will creep in.</p>
<p>The second point is about “blacklisting” versus “whitelisting”. Fifteen years ago there was a raging debate among firewall administrators about how a good firewall policy should be structured. The “blacklisting” proponents suggested “allow everything, and block the traffic you don’t want”, while the “whitelisting” aficionados argued for “block everything, and only allow the traffic you need”.</p>
<p>This debate was won by a landslide in favor of the more secure “whitelisting” approach: Today practically every firewall policy has a “default drop” rule and a great number of “allow” rules. Further, most regulations require such a structure to be in compliance.</p>
<p>However, this more secure approach has a cost: whitelisting causes a significant workload on firewall administrators. This is because every new connection potentially requires yet another firewall rule – which has to be planned, approved, implemented, and validated. Some organizations I’ve spoken to process hundreds of such rule-change requests every week, and as a result, suffer turnaround times of several weeks between change request and implementation.</p>
<p>With the advent of NGFWs, I think the blacklisting/whitelisting debate deserves a fresh look, and a conscious choice. Consider this: If you decide to whitelist at the application level (i.e., block outbound tcp/80 and only allow those web-applications you know about) – how many more change requests per week will you be processing? Can your existing team handle the extra load without degradation to turnaround time? Will you require additional headcount?</p>
<p>Furthermore, perhaps CISOs will find it easier to define policy via blacklisting, via rules like “block social networks, file sharing and video streaming, and allow all other web traffic”?</p>
<p>As anecdotal evidence, compare how filtering web-proxies and web-application firewalls (that do a similar job using different technologies) are configured. As far as I can tell, blacklisting is the more common approach for web-proxies, although I have spoken to some organizations that whitelist. Should NGFWs follow the web-proxy blacklist style – or should they follow the classical firewall’s whitelist approach?</p>
<p>So far most of what I’ve read about NGFWs has been about the technology. But what about the management challenges? We should be arguing about them! What do the regulators (PCI-DSS, NERC, NIST) say? What should the internal audit guidelines be (CobiT)? How about Managed Security Service Providers (MSSPs)? What are the vendors teaching in their NGFW configuration classes?</p>
<p>I think we’re going to have a few interesting years until the dust settles.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/case-wider-generation-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A 23-year-old&#8217;s perspective on privacy</title>
		<link>http://lastwatchdog.com/23-year-olds-perspective-privacy/</link>
		<comments>http://lastwatchdog.com/23-year-olds-perspective-privacy/#comments</comments>
		<pubDate>Wed, 05 Oct 2011 18:27:10 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11315</guid>
		<description><![CDATA[When he wakes up every morning, Jeremy Pepper, an engineering student at West Virginia University, rolls over, grabs his iPhone, opens  USA TODAY&#8217;s iPhone app, and glances at headlines. He then checks e-mail,  browses favorite Web sites and gets on  with his day. Pepper uses his iPhone and a Windows 7 PC to access the [...]]]></description>
			<content:encoded><![CDATA[<p><em><a rel="attachment wp-att-11322" href="http://lastwatchdog.com/23-year-olds-perspective-privacy/privacy_cartoon2_200px/"><img class="alignleft size-full wp-image-11322" title="Privacy_cartoon2_200px" src="http://lastwatchdog.com/wp/wp-content/uploads/Privacy_cartoon2_200px.jpg" alt="" width="200" height="150" /></a>When he wakes up every morning, Jeremy Pepper, an engineering student at West Virginia University, rolls over, grabs his iPhone, opens  USA TODAY&#8217;s iPhone app, and glances at headlines. He then checks e-mail,  browses favorite Web sites and gets on  with his day.</em></p>
<p><em>Pepper uses his iPhone and a Windows 7 PC to access the Web. He spends much of his time online using  Facebook, Safari, e-mail, Flashlight and camera apps. This past  summer he used a cycling app, called iMapMyRIDE, to record and publish his cycling exercise routes. He shops using an Amazon app and uses a PayPal app for some financial transactions. In this LastWatchdog Q &amp; A, Pepper shares a 23-year-old&#8217;s perspective on privacy.</em></p>
<div id="attachment_11318" class="wp-caption alignleft" style="width: 235px"><a rel="attachment wp-att-11318" href="http://lastwatchdog.com/23-year-olds-perspective-privacy/jeremy-pepper_225px-2/"><img class="size-full wp-image-11318" title="Jeremy Pepper_225px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jeremy-Pepper_225px1.jpg" alt="" width="225" height="148" /></a><p class="wp-caption-text">Pepper</p></div>
<p><strong>LW: </strong>Do you agree with Mark Zuckerberg&#8217;s assertion that privacy is<a href="http://www.huffingtonpost.com/2010/01/11/facebooks-zuckerberg-the_n_417969.html"> no longer a social norm?</a></p>
<p><strong>Pepper:</strong> To a certain extent. My sisters often make comments online that I would not feel comfortable making. However, I still only share things that I would feel comfortable with other people reading and I know that most of the people my age feel the same way.</p>
<p><strong>LW:</strong> Why is privacy important to you?</p>
<p><strong>Pepper:</strong> Privacy is important to me as far as it affects my ability to make purchases, to shape my own decisions, and to safeguard my information from reaching those whom I don&#8217;t want to have it.  I think the thing I worry about above everything else in online transactions is financial theft.  I don&#8217;t particularly care if people know where I live, where I study, and what I do for a living, etc. Those personal details are quite bland to most people and, as far as I can perceive, totally devoid of motive for theft &#8211; you could argue the same about my finances, but I&#8217;d still like to protect every last Honest Abe I have.</p>
<p><strong>LW:</strong> How do you think most of your contemporaries feel about privacy?</p>
<p><strong>Pepper:</strong> In my college classes I am surrounded by a group of kids who have a pretty good understanding of what to do with a computer and how to have their way with the electronic gadgets they use on a daily basis. I would say that most of them use their online interactions responsibly and safely. In fact, most of them even seem to care whether or not sites like Facebook know where they live and where they go to school.</p>
<p><strong>LW:</strong> Do you believe current industry efforts at self-regulating the practice of tracking of Internet users, in support of online behavior advertising, are sufficient?</p>
<p><strong>Pepper: </strong>I believe that some companies are doing an appropriate job and that others aren&#8217;t. I believe that Apple is doing a great job &#8211; though its efforts are often cast as attempts at dictatorial control over its devices &#8211; and that Facebook is doing o.k. Sites like Google, Yahoo, and Bing bother me a little more &#8211; although Google is the only search provider where my fear is as much the search provider as the safety of the link they provide.</p>
<p>With the exception of Google, I&#8217;m not really all that concerned about the large companies with whom I interact daily. What really concerns me are the smaller players where the internet is still a little more like the wild west than a well maintained location such as Facebook, USAToday, Apple.com, or Amazon.com.</p>
<p><strong>LW:</strong> Do you believe federal regulations, generally along the lines as proposed by Sen. Rockefeller or Rep. Markey, are needed?</p>
<p><strong>Pepper:</strong> Browsers like Mozilla, Safari, and Internet Explorer offer the same type of service proposed by Senator Rockefeller. Sometimes I think a tendency is to make-believe that the federal government can protect us, when in reality we already are protected. I can&#8217;t think of too many people who use the internet, aren&#8217;t that computer savvy, and don&#8217;t use one of the three previously mentioned browsers. The main exception would be Google&#8217;s Chrome browser, but again, I try to stay away from all things Google.</p>
<p><strong>LW:</strong> Do you believe Facebook should be covered by any Do Not Track rules that emerge, going forward?</p>
<p><strong>Pepper:</strong> It depends. If they are intentionally sharing my data with so-called data aggregators, then yes, I think they should be included.  If they are keeping the data and its analysis in house or are contracting with specific data analysis contractors, then no. Additionally, if they are simply seeking to improve the ads they display on our screen or what information we receive about our friends then I see no reason why they should be included.  Facebook already gives us the tools to decide who sees what, which I find easy enough to use.</p>
<p><strong>LW:</strong> What&#8217;s your main concern when it comes to your privacy?</p>
<p><strong>Pepper:</strong> The thing I am most afraid of is twofold: one, misuse of my data by law enforcement agencies, and two, data sharing pertaining to my financial information. The first issue is largely handled by making sure the government is required to get a warrant to obtain any and all data pertaining to U.S. citizens.</p>
<p>The second issue, I feel, is significantly well dealt with by industry.  Perhaps if a standard must be enacted, greater transparency about how our data will be used would be good. But I believe that for now the major players have shown largely good intentions in their usage of our data.</p>
<p><em>&#8211; Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/23-year-olds-perspective-privacy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why denial of service attacks are harder to detect</title>
		<link>http://lastwatchdog.com/denial-service-attacks-harder-detect/</link>
		<comments>http://lastwatchdog.com/denial-service-attacks-harder-detect/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 22:17:41 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11131</guid>
		<description><![CDATA[Hacktivism has risen to new levels. Members of the hacking co-op Anonymous have gained infamy for disrupting the online operations of companies, such as Visa, PayPal and HB Gary, deemed to be misbehaving. Sony has been bedeviled by denial of service onslaughts and data theft stemming from business practices thought by some to be abhorrent. [...]]]></description>
			<content:encoded><![CDATA[<p><em><a rel="attachment wp-att-11144" href="http://lastwatchdog.com/denial-service-attacks-harder-detect/lulzsed_mascot_150px-2/"><img class="alignleft size-full wp-image-11144" title="lulzsed_mascot_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/lulzsed_mascot_150px1.jpeg" alt="" width="150" height="109" /></a>Hacktivism has risen to new levels. Members of the hacking co-op Anonymous have gained infamy for disrupting the online operations of companies, such as Visa, PayPal and <a href="http://lastwatchdog.com/chamber-bofa-deny-ties-hbgary-disinformation-plans/">HB Gary,</a> deemed to be misbehaving. Sony has been bedeviled by denial of service onslaughts and data theft stemming from business practices thought by some to be abhorrent. And the <a href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/">antics of the LulzSec</a> hacktivist group have resulted in successful Distributed Denial of Service (DDoS) attacks and data thefts committed against numerous companies.</em></p>
<p><em>In this LastWatchdog guest post, Lori MacVittie, senior technical marketing manager at F5 Networks, describes what operatives who execute successful DDoS attacks are doing to hide their tracks.</em></p>
<div id="attachment_11145" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11145" href="http://lastwatchdog.com/denial-service-attacks-harder-detect/lori-macvittie_175px-2/"><img class="size-full wp-image-11145" title="Lori MacVittie_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Lori-MacVittie_175px1.jpg" alt="" width="175" height="276" /></a><p class="wp-caption-text">MacVittie</p></div>
<p>By Lori MacVittie</p>
<p>In recent years there has been a noticeable increase in the number of attacks motivated for reasons other than monetary gain. The infamous Anonymous group, responsible for a spate of attacks against organizations and government agencies involved in the Wikileaks incident, has continued to attack sites and organizations as a political statement in what some call “hacktivism.”</p>
<p>It’s become a form of digital protest; an attempt to overwhelm not the physical presence of an organization with bodies and picket signs but instead the digital presence with bits and bytes.</p>
<p>In the past, such attempts required significant resources. Overwhelming even a mid-sized organization’s web presence required thousands of launch points.</p>
<p>Today, overwhelming a website with volumes of traffic is still attempted, but it’s rarely as successful as it once was. Network hardware and security systems today are generally capable of handling the barrage of traffic thrown at them during a DDoS attack.</p>
<p><strong>Attackers adapt</strong></p>
<p>However, digital attackers have adapted. Using knowledge of the software on which websites run and a deep understanding of the protocols – the rules of the digital road – attackers are able to disrupt business with a much smaller digital force than previously required. They&#8217;ve now learned to exploit the rules of the road to execute successful attacks with fewer resources.</p>
<p>This is not good news for businesses trying to avoid outages and associated costs. While it is fairly easy for technology to detect a traditional DDoS based on the characteristics of the data traffic, it is not so simple to identify the more subtle methods used today. Attack traffic no longer looks like an attack; it appears to be legitimate traffic.</p>
<p>What isn’t so easily detected is anomalous client behavior. Such behavior includes a digital version of “ring the bell and run away”, in which attackers contact a web site only to disappear.</p>
<p>Doing this repeatedly on a large scale means the web server is so busy opening the door and searching for who rang it that it simply doesn’t have the resources available to answer the door when a real visitor rings the bell.</p>
<p>A more modern version, prevalent in the successful retributive Anonymous attacks, is even more subtle. The attacker rings the bell and, instead of running, stays and talks – very, very slowly. The hallmark of the older, more detectable attack is the absence of communication, thus the modern version tricks the web server into believing the attacker is legitimate, leading it to waste time and resources waiting for the attacker to finish his sentence.</p>
<p>Other emerging modern attacks, such as the recent “ApacheKiller,” take an under-the-table approach. Requiring very little traffic, these attacks target vulnerabilities in the web server via the HTTP headers – data exchanged between the browser and web server regarding capabilities of the browser, such as language preferences.</p>
<p>HTTP headers are an integral part of web applications, and are generally ignored by most network hardware. Thus such attacks are able to sneak into the web server, where the headers are evaluated and can ultimately crash the system, causing an outage. This style of attack also appears to be legitimate traffic but is designed to cause a service outage with very little effort on the part of the attacker.</p>
<p>Current security measures, such as web application firewalls and application delivery controllers, are capable of detecting and putting an end to these threats. Therefore, the problem isn’t that the technology to head off these attacks doesn’t exist; it’s that businesses need to be more aware of current attack methods and the solutions that exist, to prevent outages and the damage they can cause.</p>
<p><em><strong>About the author: </strong>Lori MacVittie is responsible for outbound marketing, education, and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/denial-service-attacks-harder-detect/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>