<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight &#187; data breach</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/tag/data-breach/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Mon, 06 Feb 2012 19:22:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>On Centralized Logging and SIEM</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/09/23/centralized-logging-and-siem/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/09/23/centralized-logging-and-siem/#comments</comments>
		<pubDate>Fri, 23 Sep 2011 13:05:37 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Logs]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Logging]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=669</guid>
		<description><![CDATA[The results of the investigation into the recent DigiNotar SSL CA breach read like a laundry list of &#8220;Things Not To Do™&#8221; on your critical servers and networks: no antivirus, no centralized logging, and outdated/vulnerable software exposed to the Internet, among other items.  What&#8217;s funny about the above list is that if the breached systems &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/09/23/centralized-logging-and-siem/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The <a title="SANS Forensics Blog" href="http://computer-forensics.sans.org/blog/2011/09/06/diginotar-incident-response-report-no-logging-weak-password-no-protected-network" target="_blank">results of the investigation</a> into the recent <a title="F-Secure writeup on DigiNotar breach" href="http://www.f-secure.com/weblog/archives/00002228.html" target="_blank">DigiNotar SSL CA breach</a> read like a laundry list of &#8220;Things Not To Do™&#8221; on your critical servers and networks: no antivirus, no centralized logging, and outdated/vulnerable software exposed to the Internet, among other items.  What&#8217;s funny about the above list is that if the breached systems had been part of DigiNotar&#8217;s PCI cardholder data environment, DigiNotar could never have passed a PCI QSA audit: all three items are required by the PCI DSS (Requirements 5, 6 and 10, respectively).  While I couldn&#8217;t verify that DigiNotar accepts credit card payments for its SSL certificates, it almost assuredly does (or did!).  It almost certainly had undergone a PCI QSA audit, too (or, if its card volume was low enough, filed the Self-Assessment Questionnaire that stands in for one).<span id="more-669"></span></p>
<p>What are we to conclude from this information?  If my preceding two assumptions are true, then it would appear that DigiNotar likely protected its servers and networks involved in accepting and processing credit card transactions better than it protected the servers and networks involved in generating SSL certificates.</p>
<p>There is no reason not to have antivirus loaded on every server and workstation, and no reason not to run regular vulnerability scans of your external services to identify vulnerable software.  For medium-sized businesses (50 or more users, two or more IT staff) there should be one person in IT who is designated to watch vendor websites, security mailing lists and release notes for every piece of software in use that is exposed to the Internet.  The organization should be committed to at least protecting the external services, even if it can&#8217;t spare the resources to do the same on the internal network.</p>
<p>On to the central point of this blog post: centralized logging.  This is where things get more involved and difficult.  It is not too hard to purchase and set up a machine with 1TB of drive space that can adequately serve as a collector of logging data.  It is also not too difficult to set up most common systems (switches, routers, firewalls, and Windows and Unix servers) to log to it; everything on that list speaks syslog natively except Windows, which needs a small third-party agent to forward its event logs.  Where the difficulty lies is making that data useful in near-real time, rather than only as a source of information after a breach.  To make that data useful you need an event correlator: something that normalizes events from different sources and relates them across hosts and time, so that, for example, a burst of failed logins on one host followed by a successful login from the same source becomes a single alert rather than a few hundred lines in a file nobody reads.  A correlator is usually part of a larger product called <a title="SIEM on Wikipedia" href="http://en.wikipedia.org/wiki/Security_information_and_event_management" target="_blank">SIEM</a> (Security Information and Event Management).  To date, I have not been made aware of any SIEM products that are affordable for most small businesses, and that is to say nothing of the cost in personnel time to properly wield such a product.   From what I have seen, the open-source SIEM products are even harder to configure and use than the commercial ones, so I can&#8217;t recommend any free (or low-cost) alternatives.</p>
<p>So, what is a smaller sized company to do?  That&#8217;s a good question.  If you can afford a SIEM product, buy one and pay a Managed Security Services Provider (MSSP) (like True!) to set up and manage the device.  If you can&#8217;t afford a full SIEM product, at least purchase an inexpensive server with two 1TB drives, install Ubuntu, put the drives in a software RAID-1 configuration, and set up a syslog daemon (Syslog-ng is perfect) to collect logs from the network.  Three details make that box worth having: keep every sender&#8217;s clock in sync with NTP, or events from different hosts cannot be ordered; have the collector accept messages only from your own hosts, and prefer TCP (or TLS, which Syslog-ng supports) over plain UDP, which drops messages silently under load and is trivially spoofed; and make the collector itself the best-protected box on the network, since the RAID-1 mirror protects you from a failed disk, not from an intruder with root who wants to erase the evidence.  At least if you are breached you (or the investigator you hire&#8211;True!) have a lot more information at your disposal to determine the extent of the breach, including log entries that were shipped off a host before the attacker got around to clearing them locally.</p>
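<p>The two pieces described above, the syslog collector and the correlation step a SIEM adds on top of it, as one added example that is not from the original post or from True&#8217;s tooling: a small Python collector that parses classic BSD syslog (RFC 3164) lines, the format a Syslog-ng network source accepts by default, stores them per host, and applies one near-real-time rule, several failed SSH logins from one source followed by a successful login from the same source.  The <code>Collector</code> class, its three-failures-in-five-minutes threshold and the stock sshd message text it matches are assumptions made for the example, and every log line in it is constructed.</p>

```python
# Added example, not code from the original post or from True: a minimal
# central syslog collector with one correlation rule, standing in for the
# Syslog-ng collector plus the SIEM correlation step the post describes.
# Assumptions: RFC 3164 framing ("<PRI>Mmm dd hh:mm:ss host tag[pid]: msg"),
# stock sshd messages, and the constructed lines in SAMPLE_LINES below.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line, year=2011):
    """Return the fields of one RFC 3164 line, or None if it is malformed.
    PRI = facility * 8 + severity; the largest legal value is 191."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:
        return None
    # RFC 3164 timestamps carry no year, so the collector supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "facility": pri >> 3, "severity": SEVERITY[pri & 7],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port")


class Collector:
    """Keeps every parsed event per host (what a bare syslog server gives you)
    and applies one rule: `threshold` or more SSH failures from one source IP,
    followed by a successful login from that IP within `window`, is an alert."""

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.by_host = defaultdict(list)      # host -> [event, ...]
        self.failures = defaultdict(deque)    # (host, src_ip) -> failure times
        self.alerts = []

    def ingest(self, line):
        ev = parse_syslog(line)
        if ev is None:
            return None                       # count these in real use
        self.by_host[ev["host"]].append(ev)
        if ev["tag"] == "sshd":
            self._ssh_rule(ev)
        return ev

    def _expire(self, q, now):
        # Drop failures older than the window; events arrive in time order.
        while q and now - q[0] > self.window:
            q.popleft()

    def _ssh_rule(self, ev):
        now = ev["time"]
        if m := FAILED_RE.search(ev["msg"]):
            q = self.failures[(ev["host"], m.group(2))]
            q.append(now)
            self._expire(q, now)
        elif m := ACCEPTED_RE.search(ev["msg"]):
            user, src = m.groups()
            q = self.failures[(ev["host"], src)]
            self._expire(q, now)
            if len(q) >= self.threshold:
                self.alerts.append({"time": now, "host": ev["host"], "src": src,
                                    "user": user, "failures": len(q)})
                q.clear()


# Constructed sample traffic (TEST-NET addresses): a short password-guessing
# run against web01 that ends in a successful root login, an ordinary login
# on web02 after one typo, a firewall drop, and a line that is not syslog.
SAMPLE_LINES = [
    "<38>Sep 23 08:01:10 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 41022 ssh2",
    "<38>Sep 23 08:01:14 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 41023 ssh2",
    "<38>Sep 23 08:01:19 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 41024 ssh2",
    "<38>Sep 23 08:01:31 web01 sshd[2215]: Accepted password for root from 203.0.113.5 port 41025 ssh2",
    "<38>Sep 23 08:05:02 web02 sshd[990]: Failed password for bob from 198.51.100.7 port 50010 ssh2",
    "<38>Sep 23 08:05:40 web02 sshd[991]: Accepted publickey for bob from 198.51.100.7 port 50011 ssh2",
    "<6>Sep 23 08:06:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "this line has no PRI and is dropped",
]


def run_sample():
    """Feed the constructed lines through the collector and return it."""
    c = Collector()
    for line in SAMPLE_LINES:
        c.ingest(line)
    return c
```

<p>Run against the sample, the web01 sequence produces one alert and web02&#8217;s single typo does not; on the per-host files alone you would only find that sequence by reading them after the fact, which is exactly the gap between a log collector and a SIEM.  Replacing the in-memory lists with appends to per-host files, and feeding <code>ingest()</code> from a TCP or UDP socket on port 514, turns it into the collector half of the Ubuntu box above; a real deployment would let Syslog-ng do that part and keep only the rule.</p>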
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Brett Edgar' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='Brett Edgar'>Brett Edgar</a></h3><p>Brett is a Founder and the Director of Managed Security Services at TRUE.  He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003.  He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver.  He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.</p><p><a href='http://twitter.com/lairofthewalrus' title='Brett Edgar on Twitter'>Twitter</a> - <a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='More posts by Brett Edgar'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/09/23/centralized-logging-and-siem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avoid Becoming a Data Loss Victim</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/#comments</comments>
		<pubDate>Mon, 04 May 2009 18:23:30 +0000</pubDate>
		<dc:creator>Nathaniel James</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=166</guid>
		<description><![CDATA[With the current downturn in the US economy, cyber crime is increasing at an alarming rate. Let’s face it &#8211; data loss can quickly become a public relations nightmare for any business. Solidcore conducted a survey [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted their organization either &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>With the current downturn in the US economy, cyber crime is increasing at an alarming rate. Let’s face it &#8211; data loss can quickly become a public relations nightmare for any business. Solidcore conducted a <a href="http://www.solidcore.com/news_events/release79.html">survey</a> [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted their organization either experienced, or did not know whether it had experienced, a compliance control deficiency in the last year.</p>
<p>The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, released the 2008 Annual Report on the number of Internet crime complaints received. This <a href="http://www.ic3.gov/media/2009/090331.aspx">report </a>[ic3.gov] was made available on March 31, 2009.</p>
<p>The 2008 Annual Report states that complaints of online crime hit a record high in 2008. The Internet Crime Complaint Center received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The average individual loss was roughly $931.</p>
<p>Now more than ever, it’s extremely critical for everyone to do their part and be vigilant when it comes to network and enterprise security. Still, with the recent gains in the stock market, I’m hopeful this trend will become more positive.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='' src='http://0.gravatar.com/avatar/21c45559af13b8758f7149cccad3b830?s=100&amp;d=http%3A%2F%2F0.gravatar.com%2Favatar%2Fad516503a11cd5ca435acc9bb6523536%3Fs%3D100&amp;r=G' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/nrjames/' title='Nathaniel James'>Nathaniel James</a></h3><p></p><p><a href='http://www.truedigitalsecurity.com' title='Nathaniel James'>Website</a> - <a href='http://www.truedigitalsecurity.com/blog/author/nrjames/' title='More posts by Nathaniel James'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/04/avoid-becoming-a-data-loss-victim/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Acquiring target&#8230; NOW!</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/#comments</comments>
		<pubDate>Fri, 01 May 2009 14:09:12 +0000</pubDate>
		<dc:creator>Dominic Schulte</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=162</guid>
		<description><![CDATA[Walt Conway has some interesting commentary [treasuryinstitute.org] on the recently released Verizon data breach report [verizonbusiness.com]. All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting.  We are frequently engaged to perform social engineering exercises for our clients, primarily to help them &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Walt Conway has some interesting <a title="PCI DSS News" href="http://treasuryinstitute.org/blog/index.php?itemid=252" target="_blank">commentary</a> [treasuryinstitute.org] on the recently released Verizon data breach <a title="Verizon Business Report" href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf" target="_blank">report</a> [verizonbusiness.com].</p>
<p>All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting.  We are frequently engaged to perform social engineering exercises for our clients, primarily to help them stress the importance of security policies, procedures, and communication to their employees.</p>
<p>While our generic email campaigns typically fool a few of the overly curious or too-quick-to-click crowd, the more informed (targeted) phishing campaigns are overwhelmingly effective, to the point that we often need to reassure our clients that the world is not ending.  Unfortunately, this report highlights the fact that targeted attacks are not just elements of security company sales talk.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Dominic Schulte' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/dom-bw-1-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/deschulte/' title='Dominic Schulte'>Dominic Schulte</a></h3><p>Dominic Schulte currently serves as the Managing Director of Security Services &amp; Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

