• Good news: router is now officially a firewall (it has been for a while, but many people are still stuck in "security device" vs "network device" cloud) - see Req 1
• From the "WTH dept": anti-virus is a MUST on ALL platforms - Req 5. Please ship me some of the stuff they are smoking; I want it! BTW, I am going to Amsterdam soon :-)
• WAF or code review for web application security is still a stupid "OR" - Req 6.6. OMG, please, software security folks, teach them the truth.
• Can we kill "plain text passwords" once and for all? Req 8 tries to achieve that noble goal (good thing!)
• Visit your offsite data storage - good (if costly) idea - added to Req 9. Requirements to secure electronic AND  paper media  are solid too.
• Love it, love it! Req 10 explains that logs needs to be actually available: 'three months of audit trail history must be “immediately available for analysis” or quickly accessible' (bye-bye, silly log dumps...)
• Some vulnerability stuff clarified in Req 11, mostly about ASVs and pentesting.
• Scope of security policy is expanded to "employee-facing technologies" (what a term!) - Req 12
• All over: more references to wireless  (WEP, access points, hidden SSIDs, etc) - indeed, recent data losses are often due to insecure wireless.

Overall, a minor change that, sadly, doesn't touch a few KEY areas, such as virtualization, for one.

This new remote WiFi attack is particularly timely as a new indictment of 11 for ID theft of over 100 Million credit cards (watch video to see Veracode’s CEO) was handed down this week.  Guess how they got in?  They used War Driving to get on insecure internal WiFi networks and then used the internal access to install sniffing software.  The attackers were mostly from foriegn countries and the companies attacked in the US.  So at some point someone must have been in the country to physically scan the networks. 

David Maynor’s WarShipping trick solves this “need to be there” problem  to do wireless attacks.  Why travel and risk being physically apprehended when you can just mail a package with a WiFi and WAN enabled device and just hack remotely? 

We will have to see how insecure these businesses that need to be PCI compliant are now that this massive WiFi attack has been made public.  I find it takes a widely publicized attack of your organization or a close peer to actually get many security problems fixed.  I bet some retailer’s IT departments started scambling after this was made public.

Attackers like to keep updating their methods just ahead of compliance requirements.  Sometimes I think that becoming compliant is protecting yourself from last year’s attack due to the lag time between attacks becoming prevelant, compliance standards changing, and then organizations making security updates to meet complaince.

With application security we may already be a little behind.  PCI requirement 6.6 kicked in June 2008 and requires organizations handling credit card data to audit their applications for the vulnerability classes outlined in OWASP Top Ten 2004 (yes, note the lag time).  I fear a 100 Million ID theft scale compromise is still looming using application security attacks.

This new remote WiFi attack is particularly timely as a new indictment of 11 for ID theft of over 100 Million credit cards (watch video to see Veracode’s CEO) was handed down this week. Guess how they got in? They used War Driving to get on insecure internal WiFi networks and then used the internal access to install sniffing software. The attackers were mostly from foriegn countries and the companies attacked in the US. So at some point someone must have been in the country to physically scan the networks.

David Maynor’s WarShipping trick solves this “need to be there” problem to do wireless attacks. Why travel and risk being physically apprehended when you can just mail a package with a WiFi and WAN enabled device and just hack remotely?

We will have to see how insecure these businesses that need to be PCI compliant are now that this massive WiFi attack has been made public. I find it takes a widely publicized attack of your organization or a close peer to actually get many security problems fixed. I bet some retailer’s IT departments started scambling after this was made public.

Attackers like to keep updating their methods just ahead of compliance requirements. Sometimes I think that becoming compliant is protecting yourself from last year’s attack due to the lag time between attacks becoming prevelant, compliance standards changing, and then organizations making security updates to meet complaince.

With application security we may already be a little behind. PCI requirement 6.6 kicked in June 2008 and requires organizations handling credit card data to audit their applications for the vulnerability classes outlined in OWASP Top Ten 2004 (yes, note the lag time). I fear a 100 Million ID theft scale compromise is still looming using application security attacks.

ScienceLogic: Mike, what’s your background working with network and management system tools?

Mike Lawson: Before joining Apptis, I worked for the Air Force, mainly in satellite communications for almost nine years. I’m probably most familiar with HP OpenView and BMC Remedy. I managed a team that used them but wasn’t involved in tool selection; like many other federal IT workers, we didn’t have a choice of tools because there were existing enterprise licenses and maintenance contracts.

I also saw a large systems integrator do a full Remedy/Crystal Systems/OpenView installation. It took 6 weeks to stand up and customize to meet just the basic monitoring requirements, and it cost something like half a million dollars. At the time, I thought that wasn’t bad and was a pretty typical experience.

ScienceLogic: Coming from where you did, what’s your take on EM7?

Mike Lawson: Honestly, I didn’t believe that EM7 could really do all that it claimed. In many ways, it was the complete opposite of what I had seen first-hand with other monitoring solutions. Could it really cover that much functionality? At relatively much lower cost to the customer and without the licensing nightmare?

That quickly changed when I needed to understand the system enough to run it at a customer’s site. I went back over the training docs I received during my initial training class and jumped in; now, 6 months later, I’m the EM7 expert and can tell you that it delivers on all those promises. (But I still need to show people to get them to believe it too)

I preach the “EM7 gospel” and when anyone wants to talk monitoring, I ask about the universal pain points: cost, maintenance contracts and licensing, and then I explain EM7. The cost difference is real; the solution is based on capacity, so there’s no licensing and it’s easy to use. They are shocked to learn that they can buy multiple EM7 appliances and years of maintenance for what they paid for most other tools.

ScienceLogic: Apptis won the contract for monitoring aboard the USNS Mercy. We love that you’re using EM7 for one of the Navy’s hospital ships. Can you tell us more?

Mike Lawson: The USNS Mercy is a Military Sealift Command hospital ship. Some stats:

• 849 feet long (nearly the size of a football field)
• 12 fully-equipped operating rooms, a 1,000 bed hospital facility, digital radiological services, a diagnostic and clinical laboratory, a pharmacy, an optometry lab, a CAT scan and two oxygen producing plants
• Crew: 61 civilian mariners, 956 Naval medical staff, and 259 Naval support staff

The USNS recently departed on a five-month humanitarian mission in the Western Pacific and Southeast Asia in support of Pacific Partnership 2008. The partnership provides international medical, dental and engineering teams this summer to provide humanitarian support and conduct joint, combined, and cooperative Civil-Military Operations in order to improve regional stability and build partner capacity to respond to natural disasters and pandemic.

For the most part, the ship’s network is self-contained, but can also use a landline when docked. The network covers 400 devices, including Windows/Exchange servers and VMware for server virtualization. Prior to using EM7, none of the monitoring was integrated; each system was independently monitored through individual vendor-specific consoles.

Out of the box, EM7 provided integrated systems, application and network management for all network gear, applications and virtual machines in one solution. We didn’t have to do a lot of customization – EM7 includes best-practice based thresholds, event and monitoring templates and this covered what USNS Mercy needed to monitor.

ScienceLogic: You’re a systems integrator with a very useful “customer point of view” when it comes to looking at tools. From that perspective, can you share what you think are the biggest benefits that EM7 provides?

Mike Lawson: First of all, EM7 stands up right away. We’re talking days, not weeks. In contrast to the lengthy installation of OpenView and Remedy I witnessed during my military career, I was able to configure, customize, and implement the EM7 solution for the USNS Mercy in three days.

Second, it’s easy to train people on and the support is outstanding. This judgment is from first-hand experience. Right before the USNS Mercy departed on its latest voyage, the system administrator I had trained on EM7 left, so I had all of a day to train some new EM7 admins. I prepared a seven-page “cheat sheet” and over a 3-hour conference call, we walked through the entire EM7 solution; I haven’t gotten a support call since.

And when a problem did crop up with a device being discovered incorrectly, ScienceLogic was very responsive. We contacted ScienceLogic support on a Saturday and they created and emailed us a video to help troubleshoot the same day. Within 30 seconds of watching the video, the problem was resolved.

Finally, EM7 helps us be good stewards of the government’s money. This is very important to me personally and to Apptis as a company. Because EM7 is cheaper and deploys so quickly and easily, you might think that it’s just the opposite of what a system integrator would want to use. But that’s short-term thinking. We believe in deliver the most value for customers every time. It’s what creates trust and long-term relationships with our customers. Instead of that half million spent on standing up the solution and basic setup, I’d much rather (and I know the customer would rather) spend that on fine-tuning or extending the solution to do much, much more.

As a former government employee, I know what it’s like to use a tool that doesn’t fit my needs. EM7 proves that the best solution can totally break the old model of costly, lengthy installations. EM7 has the right model: the right solution and the right price delivered as an appliance that is easy to deploy, train on and use.

ShareThis

This use case is a clear example of a subfunction of complex event processing, folks in the mult-sensor data fusion field (and here at The CEP Blog) refer to as event (object) refinement, sometimes called “track and trace.”

The reason we call this processing function “event (object) refinement” is that, in the way the use case was described in the press release, the medical staff are basically tracking body temperature and comparing it to a key indicator to generate an alarm, in this case “body temperature too high.”   This is a simple event, not complex, because the level of inference is quite very low in an overall knowledge hierarchy.

For example, we cannot infer from the alarm that “body temperature too high” is caused by a previous medical condition.  There is no causality at this stage of the game.   We cannot infer from the alarm that the walker has embarked up a steep hill, and the body temperature is expected to exceed a key indicator for a period of time.

Looking at another complex event model,  the system does not (yet) combine all of the body temperatures of the entire group of walkers, correlated by the situation of an approaching thunderstorm, and infer that the walkers have increased their pace because they don’t want to be caught in a driving rainstorm with high winds.

In other words, tracking a single object like “body temperature” is a basic-step in a CEP application, but not really a CEP application yet, because to really be a complex event, there should be some inference of higher knowledge, or estimated situation.    For example, tracking and tracing the position of an aircraft is good data, but being able to infer the complex situation “potential mid-air crash” between two airplanes is better (defining a complex event vs simply tracking state changes).

Steam processing engines are well suited for track and trace processing of individual event objects, like a walker’s body temperature, or a similar temperature monitoring application from a network device, as demonstrated by the Apama use case.  Tracking events such as “temperature in an object reaches critical threshold” have been going on for decades, in your network, in your car,  in your washing machine, in as spacecraft, just about everywhere we sense-and-respond to temperature changes.

The real marvel of this application was not the event processing on the back end, but in the sensor network, comprised of the human body, an RFID sensor, and a transmission network to a centeralized data collection facility.

I also came across this tidbit online — the government has granted themselves the right to take any traveler’s laptops away on international flights, even if they have no reason for suspicion. Apparently this has been in place a while but they’re finally publicizing it.

Federal agents may take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.

Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.

Read the full article here.