Archive for the ‘security forensics’ Category
January 2, 2008
2007 was a banner year for data theft; a record number of publicly reported security breaches were recorded and the count of compromised personal records is at an all-time high. With this being said, the ability to investigate exactly what occurred during an unauthorized disclosure is essential. With eDiscovery tools being a relatively new idea to mainstream networking, how do you determine the key qualities of an eDiscovery solution?
How do I determine whether a solution will be successful in the long term?
InfoGovernance set up a good discussion and formula that you can use to evaluate the long-term success of an eDiscovery solution. It’s very helpful to read when you’re trying to set up a “bake off” between multiple eDiscovery vendors. With the field being new, you not only need to take into account how “useful” the solution will be for your situation, but also the ability of the company to succeed. If you’re spending thousands of dollars on a solution from a small company, you also want to be sure the company will be around. The questions to ask about the company and solution are outlined here.
How do I determine a reasonable price and the ROI from an eDiscovery solution?
Although there is a lot of marketing speak from vendors around eDiscovery tools, there are also several online resources that you can use to get past it. For example, Mark Yacino wrote a great piece about some of the basic vocabulary you’ll need to understand when speaking with vendors. Gartner and Network World have also developed resources around purchasing and using eDiscovery tools. From a legal perspective you can also check out Nixon Peabody.
In a past post I have outlined other online resources for eDiscovery.
Posted in data theft, ediscovery, ediscovery tools, ediscovery vendor, security forensics | No Comments »
November 26, 2007
Rob Robinson of InfoGovernance sent over an article published today in Law Technology by Robert Ambrogi. The article “Keeping Up with EDD Blogs and Tools” extensively documents online resources dedicated to eDiscovery.
As Ambrogi said in the article, “As I wrote last month in the first half of this two-part column, no lawyer today can afford to ignore electronic data discovery. No matter the case, digital data is likely to be implicated.”
Likewise, IT managers will find that, as eDiscovery laws and practices evolve, they too need to be aware of how legal requirements affect network monitoring and management. eDiscovery can affect everything from how long data is preserved to the types of network activities and communications that need to be monitored.
Two blogs mentioned by the article that are worth checking out:
eDiscovery and Computer Forensics by DataTriage
Ride the Lightning by lawyer Sharon Nelson, who is also president of computer forensics company Sensei Enterprises
Posted in ediscovery, forensics, security forensics, security policy | 1 Comment »
October 26, 2007

SecurityDude, CISSP-ISSAP is an IT Consultant, Security & Privacy Advocate and blogger at large with over 20 years of IT experience.
The Federal government is an easy punching bag for all of us in the Tax Payer category. There are countless examples of mismanagement, incompetence, and pork-barrel spending. A “Bridge to Nowhere”, anyone? How about the billions of dollars the Federal government “lost”? Just Google the phrase “wasteful federal spending” if you would like an anger-fueled adrenaline rush.
However, if you work in Information Security there are encouraging signs that some of our cash is being diverted to useful work. In this entry, I would like to cheer some of the Federal agencies for their contributions to the IT Security field.

National Security Agency
During the Cold War, the Federal government denied the existence of the National Security Agency (NSA). The joke at the time was that NSA stood for “No Such Agency”. As part of their mission to safeguard the US against foreign threats, the NSA hosts a number of carefully researched and very informative security best practices white papers on the following topics:
Application Security, Database Server Security, Operating System Security, Router & Switch Security, IP Telephony Security, Wireless Security & Web Security.

Defense Information Systems Agency
DISA’s Mission: “The Defense Information Systems Agency is a combat support agency responsible for planning, engineering, acquiring, fielding, and supporting global net-centric solutions to serve the needs of the President, Vice President, the Secretary of Defense, and other DoD Components, under all conditions of peace and war.”
One of the services that DISA provides to the military and Federal government is something called a STIG (Security Technical Implementation Guide). When the Air Force wanted to add wireless access to the non-classified portion of certain base networks, the Wireless STIG authored by DISA was a key design element.

National Institute of Standards and Technology
NIST is probably most famous for the Cesium Fountain Atomic Clock in Boulder, CO that is the basis for the “official” time of day in the United States. NIST is MUCH more than just Time & Measurement. NIST has an entire department dedicated to Computer Security. They are also the keepers of the Federal Information Processing Standards (FIPS). As an example, FIPS 140-2 outlines the current requirements Federal agencies must adhere to when encrypting non-classified information.
Here are some important and interesting NIST links:
Posted in disa, government, government security, network, network security, nsa, security forensics, stig | No Comments »
October 15, 2007
SecurityDude, CISSP-ISSAP is an information technology consultant and blogger at large with over 20 years of IT experience.
Friday, I found myself at the San Jose airport almost four hours before my flight home. As many frequent travelers do, I headed for the (relative) comfort and quiet of the Admiral’s Club. I grabbed a seat at one of the many cubes they provide, plugged in my laptop, and launched my Verizon broadband card to review some documentation over the Cisco SSL VPN connection to my office servers.
As the afternoon progressed, the cubes quickly filled with technology professionals. I usually try to tune out the people who speak too loudly on their cell phones, but two guys seemed to be competing for highest volume. One of the gentlemen worked in the marketing department of a very prominent Silicon Valley equipment manufacturer. I was privy to the details of a product launch that had not been announced to the public.
A woman sitting behind me was working on a quarterly financial presentation to the board of directors of another well-known local company. Just for grins, I turned on my web cam and pointed it at her screen. She was oblivious to the fact I could watch. Were I an industrial spy, I could have covertly recorded a movie with audio and video using a tool called Camtasia. I use Camtasia to record audio with PowerPoint presentations and publish them to Microsoft Media Player or QuickTime movie formats.
These are examples of data disclosure vulnerabilities that no firewall can protect you from. What could these people have done differently to increase their privacy?
- Invest in a 3M Privacy Screen. It significantly restricts the viewing angle of the laptop monitor and deters ‘snoops’ and spying.
- Alert callers that you are speaking to them in a public area and that you can be overheard. Be conscious of your surroundings.
- Avoid typing user names and passwords into public computers. Hardware keyboard loggers such as the Key Ghost can be easily deployed and recovered. Key Ghost cannot be detected by any means other than physical examination of the keyboard cable. Even if you log into your email over an encrypted VPN link, the keystrokes on the local keyboard are intercepted BEFORE they hit the browser. Some SSL VPN clients now feature a “virtual keyboard” that mitigates this exposure.
- If using a public wireless hot spot like T-Mobile, log in to your corporate VPN before accessing your email. POP mail and SMTP authenticate in clear text, and all of the message bodies are sent in the clear. Absent the VPN, your business becomes everyone’s business.
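The last tip is exactly the kind of exposure a retrospective capture would reveal. As an added example (not code from the original post), here is a small Python checker that walks reassembled POP3/SMTP session lines, reports which accounts authenticated in the clear (POP3 USER/PASS, SMTP AUTH PLAIN with an initial response, and SMTP AUTH LOGIN), and stops scanning once the server has accepted STLS/STARTTLS, since everything after that is encrypted. The session samples are constructed, not real traffic.

```python
import base64
# Constructed sample captures (not real traffic; accounts and passwords are made up),
# as "C: "/"S: " lines a retrospective analysis tool would reassemble from a capture.
POP3_CAPTURE = [
    "S: +OK POP3 ready",
    "C: USER alice@example.com",
    "C: PASS hunter2",
]
SMTP_CAPTURE = [
    "S: 220 mail.example.com ESMTP",
    "C: AUTH PLAIN " + base64.b64encode(b"\0bob@example.com\0s3cret").decode(),
    "S: 235 2.7.0 Authentication successful",
]

def _b64(text):
    """Decode a base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def find_cleartext_auth(lines):
    """Report each credential sent unencrypted: mechanism and account, never the password."""
    findings, pending_user, login_step, tls_pending = [], None, None, False
    for line in lines:
        who, _, text = line.partition(": ")
        if who == "S":
            # Server accepted STLS/STARTTLS: everything after this point is encrypted
            if tls_pending and text.startswith(("+OK", "220")):
                break
            tls_pending = False
            continue
        if login_step == "user":      # AUTH LOGIN: client sends base64 username...
            pending_user, login_step = _b64(text), "pass"
        elif login_step == "pass":    # ...then base64 password
            findings.append({"mechanism": "SMTP AUTH LOGIN", "account": pending_user})
            pending_user = login_step = None
        else:
            cmd, _, arg = text.partition(" ")
            cmd = cmd.upper()
            if cmd in ("STLS", "STARTTLS"):
                tls_pending = True
            elif cmd == "USER":       # POP3 USER/PASS pair
                pending_user = arg
            elif cmd == "PASS" and pending_user:
                findings.append({"mechanism": "POP3 USER/PASS", "account": pending_user})
                pending_user = None
            elif cmd == "AUTH":
                mech, _, initial = arg.partition(" ")
                if mech.upper() == "PLAIN" and initial:   # base64(authzid\0authcid\0password)
                    parts = (_b64(initial) or "").split("\0")
                    findings.append({"mechanism": "SMTP AUTH PLAIN",
                                     "account": parts[1] if len(parts) == 3 else None})
                elif mech.upper() == "LOGIN":
                    login_step = "user"
    return findings
```

Run it over reassembled session text from a capture to list which users should be told to switch to the VPN or to TLS-protected mail settings.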
Posted in Network Analysis, camtasia, network espionage, network security, security forensics, security tips | 6 Comments »
October 4, 2007
A friend sent me an e-mail about a free widget called the SANS News Browser offered by the SANS Institute. It’s a single *.exe file that you can plant on your desktop and just run (no setup required). They gather security and virus stories from over 3000 news sources. The Browser pulls from their digest.
The stories are generally posted within thirty minutes after the story appears on the publications’ sites. It is useful for security professionals who need to be certain they don’t miss important stories. It’s also helpful for bloggers like me always in search of new fodder for readers.
You may keep the browser in a window on your Windows PC desktop. Whenever you see a story that sounds important, click on the headline to go immediately to the original story at the news site. The very first story link is advertising, which I’m sure is how they pay for the program.
Helpful Links
Questions
Safety Concerns
Download It
Ideas for Christmas
Tags: network security, news browser, SANS, security news
Posted in SANS, network security, networks, security forensics | No Comments »
August 1, 2007
Continuing with our eDiscovery series, I’d like to talk today about a real-world scenario illustrating the consequences of failing to produce requested electronic documents.
As I discussed in previous blogs, organizations can now be penalized, financially and otherwise, for failing to produce e-mails and other electronic documents during the legal discovery phase. A prime example comes from a case involving a major corporation based near our own Minnesota headquarters.
Best Buy Co., along with Microsoft, is involved in a class action lawsuit in which they are accused of signing up legions of customers to a trial period of Microsoft’s MSN internet service and then charging their credit cards without authorization. When pressed to deliver relevant e-mail communications, Microsoft delivered and Best Buy stalled.
Network World quotes a lawyer for the plaintiff:
“We had all this e-mail coming from Microsoft discussing basically the issues that are key to our case, and some of them were discussions with Best Buy,” she said. “We were getting virtually no electronic documents or e-mail from Best Buy. It seemed very suspicious to us.”
And looking suspicious in a courtroom isn’t good. In speaking with a lawyer specializing in eDiscovery matters, I learned that judges can order juries to consider a party’s failure to produce e-documents when assessing its overall credibility. Best Buy may also face stiff financial penalties if documents are not produced in a timely manner.
Furthering the case for solid data retention and e-mail archiving policies, the article goes on to state that requests for archived e-mails are hardly a rarity.
Brian Babineau, an analyst at Milford, Mass.-based Enterprise Strategy Group, said that his firm’s research has found that three out of four organizations that go through court-ordered electronic discoveries must produce e-mails related to the queries.
At Network Instruments we’ve been holding discussions to determine whether our GigaStor™ line of products, which capture and store all traffic traversing the network (up to 48 TB of data), can be useful in eDiscovery situations; the answer, in short, is yes.
In my next blog I’ll discuss the ways in which products like GigaStor may be used as a legal safeguard and what types of organizations are best suited to this type of solution.
Posted in Network Analysis, compliance, ediscovery, gigastor, network management, network security, retrospective analysis, retrospective network analysis, sarbanes oxley, security forensics | 1 Comment »
July 27, 2007

A recent Network World newsletter renews the call for breaking down the silos of IT – an oft-discussed subject here at Network Instruments. The plea centers on the newfound challenges network operations workers face in managing application performance.
Writers Steve Taylor and Jim Metzler point out that the increased importance of flawless application delivery is making the jobs of those formerly tasked primarily with fault management more difficult.
Since network faults typically leave obvious signs, such as outages, they can be considerably easier to troubleshoot than poor or spotty application performance. What’s more, those in network ops often must coordinate troubleshooting between multiple IT departments.
Our sales engineers cite exactly these issues, among others, as selling points of our GigaStor (retrospective network analysis) appliance; the unit is often used to resolve network-vs.-security team conflicts.
One reader offered the example of a bad troubleshooting experience in which the network team tried unsuccessfully for two weeks to gain the assistance of another IT department. When the team resorted to hiring a specialist, the problem took only a day to fix.
“Once the problem is resolved, we often get comments to the effect of ‘Why didn’t you do (fill-in-the-blank) first?’” he wrote.
While this story shows the problems a lack of interdepartmental communication can cause, it also makes a great case for retrospective analysis, a troubleshooting method that does away with the need to recreate intermittent problems.
Taylor and Metzler say network operations should be responsible for such coordination, but add that senior management plays a critical role. The writers suggest a new paradigm, to be implemented from the top down.
“What is needed is for senior management to realize that if you work in IT, you have one of two jobs. You either develop applications or you deliver applications.”
We at Network Instruments support breaking down the “silos of IT” through a combination of policy reform and choosing tools which provide valuable information to IT as a whole.
Posted in Network Analysis, application performance, gigastor, network management, network security, network visibility, retrospective analysis, retrospective network analysis, security forensics | No Comments »
July 12, 2007

I was recently assigned the task of researching the rules, regulations, and implications of using electronic archives as evidence during litigation. Since a prime selling point of our GigaStor product is the ability to capture data – multiple terabytes of it – traversing the network for later analysis, this project makes good sense.
Sure, the data is stored, but what can you do with it? My research led me square in the direction of an increasingly crucial legal issue: eDiscovery.
Law student Patrick R. Mueller of the University of Wisconsin recently published a brief on eDiscovery in Network Computing. Mueller, who specializes in privacy compliance, strongly advises organizations to have a forensics strategy in place. After-the-fact eDiscovery services, he claims, may not be enough.
“However, within a particular lawsuit, an intense search of a particular system may be needed, requiring a dedicated forensic product. Recently, a Minnesota federal district court ordered a plaintiff to produce all relevant documents including those deleted and corrupted, a task beyond most eDiscovery products.”
The U.S. government has taken note of the importance of electronic data in evidence gathering, and inserted new language into the Federal Rules of Civil Procedure, the document which regulates this process.
Mueller says having dedicated forensics tools on hand makes good business sense.
If the scope of the eDiscovery request concerns events or communications in the past, a properly created forensic image of the relevant systems’ hard drives can help guard your company from claims of “spoliation” of evidence.
For small companies, simple imaging tools (scanners) may suffice. However, for those companies that can justify a dedicated forensics tool, other benefits may be realized in the form of stronger information security and the time and cost savings that come from not having to recreate issues or wait for them to recur.
As I continue with my research, I will offer further tips on approaches to IT forensics and recent calls for the adoption of new standards.
Posted in Network Analysis, SOX, compliance, cyberstalking, network security, retrospective analysis, retrospective network analysis, sarbanes oxley, security forensics | No Comments »
May 30, 2007
The list of possible exploits and wormholes into your network keeps growing longer. The latest threat comes from a seemingly unlikely source: Secunia.com reports that unpatched flaws in Adobe Photoshop could give hackers system access via specially crafted Bitmap files.
The flaw has been confirmed in versions CS2 and CS3 of the popular graphics software and is rated “highly critical” by the web site.
Marsu has discovered a vulnerability in Adobe Photoshop, which can be exploited by malicious people to compromise a user’s system. The vulnerability is caused due to an error within the BMP.8BI Photoshop Format Plugin when handling Bitmap files (e.g. .BMP, .DIB, .RLE).
This can be exploited to cause a stack-based buffer overflow via a specially crafted Bitmap file. Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in Adobe Photoshop CS2 and reportedly affects Adobe Photoshop CS3. Other versions may also be affected.
The announcement illustrates yet another reason network security professionals should have a comprehensive defense system in place. Many experts recommend deploying a combination of “proactive” and “reactive” tools including IDS or IPS systems and more robust security forensics and analysis solutions such as a retrospective network analysis appliance.
Posted in Network Analysis, network management, network security, retrospective analysis, retrospective network analysis, security forensics | No Comments »