Archive for April, 2009

Info from the trenches. Using DLP to Protect PII and Blog/Wiki Information

April 8th, 2009

Sometimes, I’ll have a conversation with my customers that is very relevant, and I’ll feel that it makes sense to pass the conversation onto others.

Last week was just such a case. I had a meeting with the CISO of a government agency and his staff. The conversation covered a number of topics, including Web 2.0 security, and protecting sensitive information, including personally identifiable information (PII). I felt all of the conversation was valuable, but I thought that I’d cover the portion of the conversation related to blogging for this article.

The conversation revolved around blogging and wikis, both internally and externally, and protecting sensitive information being leaked from or by blog and wikis.

Different scenarios were discussed, including blogs designed solely for internal use, blogs designed for external use, and blogs which receive content from external users.

Internal Blogs: Aren’t internal blogs and wikis, sitting behind the firewall, with limited access, protected? Here’s the paradox! While the blogs themselves are protected, the data sitting on those blogs is now centrally located, and arguably more of a target. By setting up a permitted platform to allow information sharing, you’ve also set up a central repository of sensitive and valuable information.

You can protect the information found on internal blogs from exiting your organization in an inappropriate fashion by using data loss prevention (DLP) data fingerprinting on the underlying database. Adding fingerprints to the DLP database provides a way to identify wiki/blog data that is being used inappropriately (i.e. someone tries to email this data to an external party), and stop its transmission. Technologies like Websense’s patented PreciseID (TM) can provide fingerprinting technology that is fast, reliable, and secure.

Blogs for external use: Data leakage to external blogs could be a problem as well, as authors mistakenly publish sensitive material to a public facing website.

DLP provides a way to identify and stop data deemed sensitive or personal in nature. By setting up a policy that monitors the blog web interface, an agency can minimize the risk of sensitive information being exposed accidentally.

Sensitive Data and PII Being Placed on Blogs from the Outside. In this scenario, users post information that compromises their own PII or sensitive information on an agency website. For example, a Veteran uses a blog application and sends their SSN or medical records, not realizing that it would be exposed publicly.

In this case, the author’s comments are sent to a queue, pending acceptance from the publisher. DLP discovery could be used while this information is sitting in the queue, and if there is sensitive information, warn the publisher and other interested parties.
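As an added illustration of the two DLP checks described above (fingerprinting the internal wiki database so its text can be recognised in outbound mail, and scanning the moderation queue for PII such as an SSN), here is a small Python sketch. It is not Websense code and not PreciseID; the wiki records, the sample messages, and the shingle-hash fingerprinting approach are constructed assumptions.

```python
import hashlib
import re

# Constructed sample records standing in for the internal wiki/blog database.
WIKI_DB = {
    "page-17": "Quarterly budget allocation for the field offices is 4.2 million with "
               "contingency reserves held at the regional level pending approval.",
    "page-42": "Incident response playbook: isolate the host, preserve volatile memory, "
               "then notify the duty officer before any remediation begins.",
}

SHINGLE_WORDS = 6  # fingerprint granularity: hash every 6-word window of a document

def _shingles(text):
    """Yield a short hash for each overlapping window of normalised words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    for i in range(len(words) - SHINGLE_WORDS + 1):
        window = " ".join(words[i:i + SHINGLE_WORDS])
        yield hashlib.sha256(window.encode()).hexdigest()[:16]

def build_fingerprints(db):
    """Map each shingle hash to the wiki page it came from (the fingerprint store)."""
    index = {}
    for page_id, body in db.items():
        for h in _shingles(body):
            index[h] = page_id
    return index

# Simple US SSN pattern with the obvious invalid groups excluded; a production
# DLP policy would add further validation and context rules.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def scan_message(text, fingerprints, min_hits=2):
    """Return findings for one outbound email or one pending blog comment."""
    hit_pages = {}
    for h in _shingles(text):
        if h in fingerprints:
            page = fingerprints[h]
            hit_pages[page] = hit_pages.get(page, 0) + 1
    # Require several matching windows so a single common phrase does not alert.
    findings = [("fingerprint", p) for p, n in hit_pages.items() if n >= min_hits]
    if SSN_RE.search(text):
        findings.append(("pii", "ssn"))
    return findings

# Constructed messages: one email pasting wiki text, one comment sitting in the queue.
OUTBOUND_EMAIL = "FYI, per the wiki: then notify the duty officer before any remediation begins. Thanks"
PENDING_COMMENT = "My claim is still pending, my SSN is 123-45-6789, please help."
BENIGN_COMMENT = "Thanks for the quick reply about the weather."
```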

The publisher of a blog document has another potential issue. While checking whether a link in a submitted message is valid, the publisher could also expose her workstation to malware. The threat from this type of attack could be reduced by using something like Websense’s Defensio service. Also, Websense Security Gateway can provide real-time analysis of the content of a URL string, and block it if the content is deemed malicious or inappropriate.

This was a good example of the conversations that Websense is having with our Federal Customers. We are providing practical solutions to difficult problems.

If you are interested in having a similar conversation regarding your agency’s information assets, please contact me at 410-740-3490 or pmisner@websense.com

www.defensio.com  Websense Defensio
www.websense.com/wsg  Websense Web Security Gateway
www.websense.com/dlp  Websense Data Security Suite

Communications, Information Security, Management

Protecting Your Agency From GhostNets, Learning Infosec from The Dalai Lama

April 3rd, 2009

If you are concerned about your agency’s information security, I’d encourage you to take a look at one of the two reports that came out last week regarding the cyber attack on the Office of His Holiness, the Dalai Lama.

(Overview: Video http://www.youtube.com/watch?v=tnK0s6aWzCM, Text http://government.zdnet.com/?p=4498 )

The Dalai Lama’s organization made the analysis public, which is unusual for an information security breach of this nature. The reports are available at

http://documents.scribd.com/docs/1jiyoq3c13a9a4udh2s7.pdf

and http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf

It could be argued that there is nothing new in the findings in terms of attack vectors, exploits, and payloads. What can’t be argued is that this was a highly structured attack after specific high-level targets. This attack is similar to those we’ve seen at many Federal Civilian Agencies.

One of the big differentiators I saw in this attack was the use of the content of legitimate outbound emails as a way to strengthen the target profile. The attackers took the content of legitimate outbound emails, and added malicious payloads hidden in Word and Acrobat files. There was no distinction between the text of a legitimate email and a compromised email, because they were written with the same exact text.

The reason that the web and email are exploited as attack vectors is that these vectors allow non-security personnel to essentially make network access control decisions. It’s the user that makes the decision to click on the URL or download the application to their desktop. In the past, many security people have felt that the problem with web and email security was due to users who didn’t understand or care about network security. The Dalai Lama attack shows that there are web and email based attacks that even the most vigilant and knowledgeable security person would not be able to determine on face value.

I was enthusiastic about the analysis and detailed forensics in this report. But it was painfully obvious to me that these reports fell short when it came to providing solutions. Some of the recommendations were to use user-based access controls, like SELinux, which arguably are very difficult to implement in any environment that interacts with the outside world.

Preventing attacks like these is the reason why talking to Websense should be required for your organization. Websense has the technology to minimize exposure to these sophisticated, multi-channel attacks.

  • Websense Web Security Gateway can categorize, analyze, and inspect both known and unknown URLs, including those that contain malware and spyware. We can identify zero-day exploits, and provide protection before anti-virus definitions or patches are created. It is all but certain we would have blocked the links that contained the malware in this investigation.
  • Websense Data Security Suite can discover, monitor, and protect sensitive agency information from being disseminated inappropriately.
  • Websense Email Security can remove suspicious URLs in the cloud, even before they bridge your network.

If your agency is concerned about these types of attacks, it would be beneficial to talk with my engineers and myself. To schedule an appointment with my team, please call me at 410-740-3490, or email pmisner@websense.com

Communications, Information Security, Spirituality