giovedì 19 maggio 2011

Idan Aharoni - The woes of the extended organization

Today I'm honored to leave the floor to a blogger star: Idan Aharoni.

Idan, in fact, is one of the authors of the official RSA Blog and also writes for "SecurityWeek" online magazine. Despite his success in this field, blogging isn't his main activity; Idan is Head of Cyber Intelligence at RSA, a position from which he can explore the world of digital underground, understand the security trends and discover new threats.

So I'm very pleased to host his post. Thank you very much Idan! 

In this modern world where information is one of the most, if not the most important assets an organization can have, CISOs are tasked with preventing attackers from coming into their networks and stealing sensitive data. In order to do that, they arm themselves with an assortment of security tools, products and services used to secure these networks, protect information and mitigate the various threats to it. However, while these solutions grow more sophisticated, so do the challenges of the modern world CISOs face.

In a time when organizations’ infrastructure soars to the clouds and many customer-facing tasks are outsourced to third party companies in developing countries, the boundaries of organizations become blurry. Add to these recent trends the fact that organizations never worked in a vacuum - having strategic partners, suppliers, vendors, consultants and customers, each potentially having in their possession sensitive information of the organization and you get the feeling that the task of protecting an organization’s data is quite daunting. How can you protect an organization’s information when so much of it is outside of the network?

The recent Epsilon breach is a great example of such a case, where millions of e-mail addresses and names of consumers fell into the wrong hands. Epsilon, an e-mail campaign vendor, stored this information for multiple leading companies, who contracted the company to manage e-mail campaigns on their behalf. TiVo, Verizon, Victoria’s Secret and Best Buy are just a few of the companies that were affected. Their own networks may be quite secure, but once the data has been provided to a third party vendor, it has left to an area of the extended organization out of the CISOs’ control. In the Epsilon breach, the information was e-mail addresses and names. In many cases, much more sensitive information leaves the organizational network, such as customers’ credit card information, manufacturing plans, strategic planning documents and more. And with cybercriminals’ ever-growing tenacity in gaining access into highly secure networks, a review of a third party’s infrastructure before establishing working relationship may be inadequate to ensure the safety of the data.

Information doesn’t only leak from an attacker gaining access to an organization’s system. Malware, a relatively recent tool in the cybercriminal arsenal of obtaining highly sensitive information, is also a potential threat. We’ve encountered multiple cases at RSA in which sensitive e-mail correspondence of customers has leaked out – not because their own machines were infected by malware, but instead it was the machines of third parties they corresponded with. The employees of these third parties, which were customers or suppliers, wrote back. The Trojan horse, capturing every form filled on the machine, including e-mails, captured the correspondence and sent the information to the criminal’s drop server. Considering that the sensitive data was important for the normal course of business and that some of these third parties were half a world away, it was impossible for the CISOs of the affected organizations to prevent the data from leaking.

There are even more threats to an organization’s information when it comes to the extended organization. Without the ability to review and control policies of third parties, there’s a chance some of the data will leak out accidentally. In a presentation by Keith Tagliaferri, Director of Operation at Tiversa, a Pennsylvania-based information security company which monitors Peer-to-Peer (P2P) networks, he showed multiple censored examples of sensitive documents leaked from government agencies and large private enterprise which the company was able to recover. According to Tagliaferri, none of these documents have leaked from the actual agencies, but from vendors working for them. The documents leak to the P2P networks when the employees of such companies install P2P clients on their office or home machines and accidentally share their entire hard drive (which happens more often than you may think).

If sensitive information flows in and out of organizations to many destinations, how can they mitigate the multiple threats which target their data outside their sphere of control?

Only a few CISOs have the luxury of actually reviewing the infrastructure of the third parties they work with, and even that is far from a security guarantee. One arrow in the CISO’s quiver is threat intelligence – security services that provide intelligence across multiple organizations. Unlike security products designed to secure a specific network, these services monitor certain areas of the internet where sensitive information leaks out to, regardless of the source. In such a way, they’re able to recover leaked information of organizations even if they leak out of third parties. Such threat intelligence services may analyze credentials stolen by malware, searching for e-mail correspondences with customer organizations, regardless from which machine these correspondences were stolen from. Other services may provide open source intelligence, P2P monitoring and more.

As organizations lower their borders and move to the cloud, outsourcing and opening up to third parties, their data traverses to areas outside of their control. In such a modern world, it is no longer enough to just keep track of what’s happening in your own backyard – but in your friend’s and neighbor’s backyards as well.
 Idan Aharoni is the Head of the Cyber Intelligence at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity.

Mr. Aharoni contributes articles to RSA’s Speaking of Security blog, as well as Security Week, and participates in international law enforcement task forces focused on online fraud investigations. He maintains direct relationships with leading Cybercrime law enforcement agencies worldwide.

Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Through years of individual intelligence gathering, as well as analyzing intelligence findings made by his team, Idan developed a unique insight on the fraud community, mindset and methods of operation.
Follow Idan on Twitter:

Nessun commento:

Posta un commento