Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that’s due out in October.  While many Analysts and Reporters have already written on the topic (I’ll be releasing an extensive update on Burton Group’s PCI coverage around the October release date), they really haven’t commented on what’s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done.  I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I’ve yet to see addressed:

• Guidelines for selecting a Qualified Security Assessor (QSA) – while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can’t really recommend a particular QSA for an individual organization.  This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
• The role of the QSA – organizations are also still trying to understand the role of a QSA.  Should they get a QSA involved in the gap and remediation process in advance of certification?  If so, should it be the same QSA that will do their certification (knowing there’s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
• Industry-specific best practices – while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform.  So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
• Virtualized environments – while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn’t provide guidelines for QSAs to evaluate and certify these environments.
• Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security?  With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened.  So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
• PCI as part of an overall security model – what are the best practices around merging PCI security requirements into an enterprise’s overall security model?  Should it be maintained separately? Should some components be integrated with similar security mechanisms?  Should PCI be at the top of the security model and other configurations be based upon its requirements?  There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won’t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group’s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I’d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that???s due out in October.  While many Analysts and Reporters have already written on the topic (I???ll be releasing an extensive update on Burton Group???s PCI coverage around the October release date), they really haven???t commented on what???s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done.  I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I???ve yet to see addressed:

• Guidelines for selecting a Qualified Security Assessor (QSA) ??? while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can???t really recommend a particular QSA for an individual organization.  This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
• The role of the QSA ??? organizations are also still trying to understand the role of a QSA.  Should they get a QSA involved in the gap and remediation process in advance of certification?  If so, should it be the same QSA that will do their certification (knowing there???s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
• Industry-specific best practices ??? while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform.  So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
• Virtualized environments ??? while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn???t provide guidelines for QSAs to evaluate and certify these environments.
• Monitoring and audit ??? while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security?  With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened.  So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
• PCI as part of an overall security model ??? what are the best practices around merging PCI security requirements into an enterprise???s overall security model?  Should it be maintained separately? Should some components be integrated with similar security mechanisms?  Should PCI be at the top of the security model and other configurations be based upon its requirements?  There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won???t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group???s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I???d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

I am currently without a phone and would appreciate a speedy reply.

I have been a Verizon Wireless customer for over 5 years and my monthly bill easily averages over $200 during that time frame.  While I love your network, I have been completely unsatisfied by your selection of phones.  It is a stretch to say that my last phone worked—it had a feature called a battery that allowed me to switch from the car charger to my office charger without dying.  And I waited—under duress—until I was allowed to purchase a new phone with the discount.

My current phone has a wonderful battery life, but this is the 4th time the charger has snapped off in the phone.  The phone is fine, but I keep paying $30 for new chargers.  I refuse to purchase another or wait until February when I will be eligible for a new phone.  You sold a phone with a design flaw, and I’m not even asking for a refund or a free phone.  Just allow me to take a chance on a new one at the 2 year contract renewal rate. 

If not, I will gladly pay the early termination fee and leave Verizon.  On general principle, I will spend more money canceling my account with you than I would likely receive as a discount on a new phone.  As a customer, I consider it unacceptable that you sell inferior phones and leave me with no recourse.

The first time I waited haplessly to become eligible for a new phone.  I will not suffer a second time.  If you don’t like the fact that you will end up losing money by allowing me to purchase a new phone early, I suggest you take it up your vendors who supply you with awful products.  I can promise you that we will both lose more money if you don’t.

Sincerely,

Eric Marvets

ScienceLogic: Can you share any of the strategies/advice that you give to companies embarking on their BSM journeys?

Doug McClure: Well, first they’ve got to have a BSM strategy. Nearly all the clients I talk to or hear about wanting to do BSM do not have a BSM strategy. I talk a lot about this on my blog and with clients and it is relevant whether you’re going to think about “BSM Lite” or “BSM Heavy” approaches.

Once we have a BSM strategy, we need to establish a BSM roadmap that guides us in how we’ll implement the BSM strategy in a more tactical manner, focusing on short term iterative quick wins and 30-60-90 day projects. For more of my thoughts on BSM strategy and roadmapping, see the following blog posts.

• Elements of Business Service Management Part 3: Getting Business Service Management on the Radar Screen

• Elements of Business Service Management Part 4: What’s your Business Service Management Strategy?

As I’ve alluded to previously, a client first must define and understand what “BSM Lite” may mean to them. Don’t take what the analysts or the vendors pitch for what you should do to achieve BSM or what value you should get from it.

For any type of BSM to be successful, each client must define what BSM means to them and state what they expect to get from BSM. They must make it personal, make it a part of their company culture and elevate it to be as an important initiative as compliance, risk management, SOA, ITIL, or other initiatives may be within the company.

Please don’t get scared off from this strategy thing. Please don’t blow this off as something that the secret enterprise architecture council should be doing. If you’re unable to get an audience in these areas within your company, start within your own sphere of influence.

Your strategy could be as simple as enabling the local operations center to more efficiently classify, triage and resolve problems based on a simple business service or application contextual understanding. Focus on how this changes the game within your environment. Come up with your own metrics and measures to assess the value this has to this organizational use. Trust me, you’ll need to justify your investment some time in the future.

Another trait of successful BSM implementations is that of the formal monitoring and management tools group has established some sort of database or knowledge repository that enables them to “manage the business of IT management and monitoring” if you will. In my opinion, the vendor community has let their clients down significantly in this area. The CMDB may be the correct answer, but most companies just don’t value monitoring enough to demand that this be included in their formal CMDB initiatives.

In my last job, we developed an application that I referred to as the “Service Management Database” or “SMDB”. Others may call it something else, but in essence, it was the database that captured what was monitored, how it was monitored, who owned it, what business services and applications it supported, the impact an outage or event from it had on the business services or applications, etc.

One key component of this “SMDB” was establishing the relationships of real and synthetic user and transaction monitoring steps to associated servers and applications. This is a significant gap area in many tools and vendor CMDBs.

Clients who have instituted something formal such as this generally have a very good handle on management and monitoring within their environment. Far too many clients do not have adequate monitoring (read visibility) in place to begin their BSM journey.

I’d strongly recommend a good hard look at how well the client’s monitoring and management practices are implemented and managed. Simply put, if they don’t have adequate visibility into how well those business services and applications are performing, you can’t expect to manage what you can’t “see” that may be impacting the business, clients, revenue, etc.

Just ask yourself this – can you explicitly state what monitoring is in place for a given business service or application? Can you quantify the impact of a simple event to a business service or application? Can you explain why something is red, yellow, purple or green and what causes it to change from one color to another? If you can’t, your BSM journey will be challenging.

Those with formal CMDB initiatives have their hands full with high risk, long time to value projects to just get a handle with traditional configuration management models. Taking these low level configuration items (CI’s) and establishing application and service dependencies comes after a lot of work getting through the organizational challenges of getting systems access to populate the CMDB.

I strongly recommend that the formal monitoring and management tools group create an authoritative database that enables them to establish end-to-end visibility into the service and application delivery chain and the impacts it has on the business, customer, etc. This ultimately becomes part of a more realistic federated CMDB within the business.

ScienceLogic: Can you provide an example of a successful implementation of BSM? Were there specific factors that especially contributed to its success?

Doug McClure: I’ve touched on the highlights of the most successful BSM implementations throughout my previous answers. Clients that have rallied around an organizational change or transformation focusing every team member’s efforts and energy towards ensuring that the business goals and objectives are being met through the delivery of highly available business services and applications.

Far too often the “change” never happens and it’s the “talking heads” that are preaching to the choir about what should be done. Every person on the front line, in the support teams, at the help desk, etc. must understand how they support or impact the business in business terms. Try putting this simple phrase after job titles “Hi, my name is Doug. I’m a Systems Administrator, Supporting the Business”.

That was a mouthful, but simply put, these clients have an impressively instrumented business and IT environment with the right amount of visibility into each area, joined together with an organization that thinks, operates and responds based on their understanding of the business goals and objectives and how these business services and applications enable business success.

The operational model for an organization fully adopting BSM identifies ways to establish a service management mentality across the entire business service and application delivery and support chain. The delivery, operations and support organizations must be incented to manage the services and applications being delivered with this end-to-end context.

A leading, outside the box “service management organization” may include the traditional IT silos but within a matrixed fashion focused on one or more key business services and applications. The “service management organization” is then incented to work together, as a team, for the end-to-end delivery and support of these services or applications.

It’s no longer one’s job to just be the systems administrator, database administrator or network engineer, their job is now to support specific business services and applications. They provide the subject matter expertise needed to support the services and applications together, as a team, eliminating the finger pointing or “not my problem” attitudes that exist in the majority of IT organizations today.

Overall, the KISS approach is what will enable BSM of any type (lite, heavy) to be the most successful. If it just feels natural, doesn’t take any additional effort, clicks or tasks to do then it’s going to work. BSM should be transparent and not just another buzz word. It’s not a form that gets filled out or a special process to follow in the run book. It’s doing the right thing for the business, no matter what the situation, crisis, buzz word or technology initiative of the day is.

ScienceLogic: How did you get involved in BSM?

Doug McClure: I think the foundations of my service management background and passion were initially established during my service in the US Navy. Today, I relate that experience to what I call BSM for the Military or Mission Services Management (MSM).

We had been taught over and over that extreme attention to the details of the mission at hand (aka “the business”) was the number one priority and that all of our technology, services, and applications existed for those Sailors and Marines on the other end (the “customer”). I can recall countless instances where mission critical communications services (telephony, orderwires, teletypes, command and control systems, etc.) were impacted in one way or another. It was extremely critical that we understood who was impacted and to what degree so that contingency plans could be activated. We weren’t just talking about lost revenue, poor sales or customer experience; we were talking about human lives and the security of the United States.

It is that military bearing, attention to detail and real world experience that drives me with many of my modern day BSM endeavors. That migration from “Mission Services Management” to BSM was honed working for over 10 years working in the Internet Service Provider (ISP) and datacenter, hosting and colocation business.

In those rapid growth businesses during the Internet boom, service differentiation was what “made you millions” or paved your way to bankruptcy. The companies I worked for had an extreme passion and focus on ensuring that their services, applications and Internet access products were of the highest quality, highly reliable and just plain better than the competition.

Again, the IT infrastructure, service quality and customer experience relationship was ingrained in all of our heads. It was all hands on deck when Webmail, Internet access, DNS, or the network experienced problems. We were measured in terms of how many customers experienced a busy signal or dropped connection or if you couldn’t log in fast enough to read your email. Companies like Keynote Systems and LionBridge/Veritest/Inverse tested the quality of our networks, services and applications and publicly ranked us against our competition. We thought in terms of customer experience and impact every minute of the day, 24×7.

It was in my last job managing a traditional enterprise management and monitoring development group for a nationwide ISP where I was able to work with emerging technology to help get a handle on the complexities of these rapidly growing IT environments filled with emerging technologies and products. Applying this early technology to complex service problems in our environment proved to me that the technology, coupled with the right emphasis on how the technology was implemented and an emphasis on the people and processes within the organization could bring BSM to life.

Where I felt left out in the cold was with my vendor relationship. While their technology gave me the potential, they didn’t teach me how to work through the organizational and technological problems to successfully implement the BSM strategy. My very first end-to-end BSM pilot was extremely successful and provided visibility into the IT environment and business service impact that have never been available before.

And here I am today, working at a software vendor for the first time. Welcome to the “dark side” as they say. The approach and methodology we followed for BSM has become the basis of the core BSM Methodology that I teach IBMers and our clients around the world today.

My personal mission and drive here at IBM Tivoli is to ensure that BSM is something that the typical monitoring tools administrator can actually implement and that our BSM story is something that any of our clients can be successful with. The sales and marketing slicks must be backed up by something like this whomever you are these days. Clients shouldn’t put up for “marketecture”, me too and gee whiz buzz words.

BSM takes a partnership and commitment to every client’s success, and I want to be involved in those BSM efforts in every industry or market worldwide. We need more thought leaders collaborating together in an open and public forum to change legacy attitudes about BSM and do what we can to enable client’s to be as successful as they can be.

ShareThis

• Poison anybody’s DNS cache
• Expose how the actual exploit works

What it does is check whether your ISP’s DNS server is patched. Plain and simple. It looks for one thing — source port randomization. This does not give away the exploit, it checks for the existence of the sledgehammer fix that prevents the exploit from working.

More specifically, there’s some Javascript code that generates a random hex string which is used to create a URL, e.g. http://6313d97e498e.toorrr.com. Your OS then does a DNS lookup for that unique hostname. Your ISP’s DNS server asks toorrr.com’s DNS server (a server Dan controls) to resolve that funky DNS name to an IP address. It sends a few packets in the process. Dan’s server makes a note of the source port of each request and sends back the webserver’s IP address to your DNS server, which sends it back to you.

Now that you have the IP address, your browser can fetch the results page. The web page is generated dynamically by parsing the hex string out of the URL you requested, using Ajax to fetch the relevant port and TXID data stored on Dan’s server, and printing out a “safe” or “vulnerable” message such as:

Your name server, at 71.243.0.38, appears to be safe.
Requests seen for 6313d97e498e.toorrr.com:

71.243.0.38:45298 TXID=13926
71.243.0.38:45310 TXID=25412
71.243.0.38:45338 TXID=30829
71.243.0.38:45332 TXID=13934
71.243.0.38:45321 TXID=2701

That’s all. Nothing tricky. This particular DNS server is deemed safe because the source port varies from one request to the next.

Come to think of it, those source ports don’t really look that random, do they. For anybody “in the know”, is that amount of randomness sufficient to protect against the attack?

You can find out a little more right now- I’m including some links below for you to read more.

If you don’t know what DNS is or why you care, see the bottom of this post for a little background info.

As for the real deal on disclosure- you’ll have to wait for Black Hat in August. I’ll be there, along with other members of the Security Bloggers Network (a (non-exclusive but highly visible and well-respected) security bloggers channel for Black Hat and RSA). I’m sure you’ll see *plenty* of post-Black Hat blogs, tweets and podcasts recapping the story.

Hear the buzz…

• Dan Kaminsky’s (discoverers) site
• US Cert Vulnerability Note
• InformationWeek Article: Security Community Comes Together
• Rich Mogull helps spread the word to CIOs
• Heise Securiy Blog: Nice overview
• Wall Street Journal

What is a DNS Server? DNS are servers throughout the Internet (and inside networks) that resolve domain names (ie www.SecurityUncorked.com) to the IP address of the hosting server. The idea is, if you can trick a DNS server, your request for ESPN.com may just take you to a malicious site where you’ll be immediately infected with a virus, malware or other undesirable creepy Internet-bred monster. They’ve found a bug that could be exploited to do just that.

What do we do? It’s not the end of the world. For now, know that almost all DNS servers need to have a patch installed to protect them from this vulnerability. It’s pretty universal and every manufacturer is on board and offering a patch as of yesterday, July 8th.

# # #