NEW YORK — Enterprises need to know what data they have and where it is. The process need not be expensive, said Verizon Business’ Dr. Peter Tippett, founder of ICSA Labs, which is now part of the company’s Cybertrust division. “A big accounting firm will come in and interview every manager about their data. We found that if a cheap and lightweight discovery had been done, it would have prevented 90 percent of attacks.”
Cybertrust includes the largest MSSP in the nation, he added, and it does some simple things during an investigation that any enterprise network manager could do. Tippett spoke at the Cyber Infrastructure Protection ’09 (CIP 09) conference at the City University of New York (CUNY), to an audience composed mostly of members of the military and of security research organizations at educational institutions.
“We go into a company and we bring donuts and coffee because we’re there to help. We ask where the company keeps critical data. They show us machines A, B, C, D and E, and we install a free sniffer on them and we see that most of the data is going between those machines, but some of it is going elsewhere,” he said.
“We ask where machines P, Q, L and R are, and they say they’re not critical. We say, yes, but where are they. They say they’re not critical, and we say sure but can we see them.”
“Sixty-six percent of all data losses occurred on machines P, Q, L and R,” Tippett said. “It wasn’t laptops or USBs. It was on servers that the company didn’t know were there.”
He added that companies lose laptops regularly without incident. “If you have more than 100 users, you have experienced lost or stolen laptops,” he said. “Since in only one in 10,000 cases do the thieves get past the password, they often wipe it and fence it.”
“Of course, our data concerns the private sector. It may be different for military laptops,” he added.
If you’re looking for servers on your network, cheap often works. “We use a free sniffer,” Tippett said. “Maybe there’s a more complicated way to do it if it cannot be done that way in a few days, [but] why not do it the easy way?”
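The sniffer walk-through above, as an added example that is not code from the article or from Verizon: given flow records summarised from a sniffer running on the machines the company named as critical, report the internal peers that were never on the list, along with how much data the critical hosts exchange with them. Host addresses, ports and byte counts are constructed sample values.

```python
# Added example: find the "machines P, Q, L and R" in sniffer output
# captured on the hosts the company listed as critical.
from ipaddress import ip_address, ip_network

# Hosts the company named as critical (constructed sample values).
KNOWN_CRITICAL = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
INTERNAL = ip_network("10.0.0.0/8")

# Flow summary as a sniffer would export it: src, dst, dst port, bytes.
# Constructed sample records, not real traffic.
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 5432, 910_000),
    ("10.0.1.11", "10.0.1.12", 1433, 640_000),
    ("10.0.1.10", "10.0.7.45", 1433, 480_000),   # nobody listed 10.0.7.45
    ("10.0.1.12", "10.0.7.45", 445, 120_000),
    ("10.0.1.11", "10.0.9.200", 3306, 75_000),
    ("10.0.1.10", "203.0.113.5", 443, 3_000),    # external peer, reviewed separately
]

def unknown_peers(flows, known, internal=INTERNAL):
    """Internal peers of critical hosts that are not themselves listed,
    with bytes exchanged, destination ports seen and the critical hosts involved,
    sorted by bytes so the busiest unlisted machine comes first."""
    peers = {}
    for src, dst, port, nbytes in flows:
        for critical, other in ((src, dst), (dst, src)):
            if critical in known and other not in known:
                if ip_address(other) not in internal:
                    continue  # traffic leaving the network is a separate review
                p = peers.setdefault(other, {"bytes": 0, "ports": set(), "critical": set()})
                p["bytes"] += nbytes
                p["ports"].add(port)
                p["critical"].add(critical)
    return dict(sorted(peers.items(), key=lambda kv: kv[1]["bytes"], reverse=True))

def split_bytes(flows, known):
    """Bytes on the critical hosts that stay among them vs. go elsewhere."""
    among = elsewhere = 0
    for src, dst, _port, nbytes in flows:
        if src in known and dst in known:
            among += nbytes
        elif src in known or dst in known:
            elsewhere += nbytes
    return among, elsewhere

if __name__ == "__main__":
    for host, info in unknown_peers(FLOWS, KNOWN_CRITICAL).items():
        print(host, info["bytes"], sorted(info["ports"]), sorted(info["critical"]))
    print("among critical / elsewhere:", split_bytes(FLOWS, KNOWN_CRITICAL))
```

The unlisted host reached by more than one critical machine on a database port is the one to walk over and look at first.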
Besides unknown servers, the report pointed to unknown connections and unknown user privileges or accounts, Tippett said.
Asked by InternetNews.com if there’s an easy way to find orphan accounts in applications on servers, Tippett recommended that server administrators review a list of all accounts every month or quarter.
Finding Unusual Activity
There’s one strategy the MSSP uses that enterprise managers cannot replicate. Tippett said that the company has a list of a few thousand log rules matching activity seen in previous breaches. The company searches a victim’s logs for evidence of the same kind of breach.
He said that companies often have the evidence in their log files, but have not noticed it because they’re relying on an IDS. Many attacks exploit poorly chosen passwords or third-party access, so the IDS views the attackers as legitimate users.
“At our MSSP, we do IDS but we also look at application and server logs,” he said. “In 82 percent of cases we examined, the attack was logged, but only 6 percent of attacks were detected by the IDS. We can do a very fast analysis of terabytes of logs for an entry that was a smoking gun in other cases. We have that capability, others don’t.”
In addition, Verizon Business makes a list of servers and ports and looks for critical machines as well as those that have more services or NICs than expected. “We can examine a class B network in six hours,” he said. “We find 93 percent of attacks.” In part 2 of this two-part article, Tippett discusses data that disproves many myths that govern security best practices.