NetWitness CEO Amit Yoran Testifies Before Congress

Posted in Leadership

Chairman and CEO of NetWitness, Amit Yoran, gave testimony yesterday to the House Committee on Homeland Security regarding the Review of the Federal Cyberspace Mission.  The House Committee wanted Mr. Yoran’s input based on his leadership in cyber security in the private and Federal space and his experiences as the first Director of the National Cyber Security Division (NCSD) and standing up the United States Computer Emergency Readiness Team (US-CERT) and Einstein program at the Department of Homeland Security (DHS), and as founder and CEO of Riptech.

Below is his five-minute summary to the Committee.

Ms. Chairwoman and members of the committee, thank you for the opportunity to testify before the Homeland Security Committee on Reviewing the Federal Cybersecurity Mission and for your attention to this important topic.

My name is Amit Yoran and I have a lot to say, so I’ll skip reading you my bio and jump into it.

Any effective national cyber effort must leverage the intelligence community’s superior technical acumen and scalability.  However, it is in grave peril if this effort is dominated by the intelligence community.  Simply put, the intelligence community has always and will always prioritize its own collection efforts over the defense and protection of our government’s and nation’s digital systems.  Where intelligence operations discover a compromise, the decision to inform system defenders or not, lacks transparency.  Mission conflict exists between those defending systems and those attempting to collect intelligence or counter intelligence insights.

The current series of cyber programs call for billions of dollars in funding for intelligence and centralized security efforts but are designed with very little emphasis on helping defenders better protect the systems housing our valuable data and business processes.  For instance the Center for Disease Control, which houses sensitive research and information about biological threats such as Anthrax, has ongoing cyber incidents which it lacks the personnel and technologies to adequately investigate,  In the face of spending billions more on centralized cyber intelligence activities, the CDC’s cyber budget is being cut by 37%.

Intelligence focused, our national cyber efforts are over-classified to the point where catastrophic consequences are highly probable.  High levels of classification prevent the sharing of information necessary to adequately defend systems.  For instance, IP addresses, when classified cannot be loaded into defensive monitoring systems.  It also creates insurmountable hurdles when working with a broad range of government IT staffs that do not have appropriate clearances, let alone when trying to communicate or partner with the private sector.

Classification cannot be used effectively as a cyber defensive technique, only one for avoiding responsibility and accountability. Over-classification leads to a narrowly limited review of any program.  One of the hard learned lessons from the Terrorist Surveillance Program (TSP) is that such limited review can lead to ineffective legal vetting of a program.  The cyber mission cannot be plagued by the same flaws as the TSP.

An immediate, thorough and transparent legal analysis of the governance, authorities, and privacy requirements should be performed on both the efforts used to protect IT systems as well as all cyber collection activities.  Given the broad concerns of over-classification and its cascading consequences, conducting these reviews must be a high priority task.

Cyber research investments are practically nonexistent at a time when bold new visions need to be explored.

The Department of Homeland Security (DHS) has demonstrated inefficiency and leadership failure in its cyber efforts.  While pockets of progress have been made, administrative incompetence and political infighting have squandered meaningful advancement for years now, while our adversaries continue to aggressively press their advantage. DHS has repeatedly failed to either attract or retain the leadership and technical acumen required to successfully lead the cyber mission.  While the tendency would be to move the cyber mission to the NSA, it is ill advised for all of the reasons provided in my much longer written testimony.  We must enable civil government to succeed at its defensive mission or also concede that the private sector must be subjugated to intelligence support.

DHS is the natural and appropriate placement for public private partnership and cooperative activities, including those in cyber.  The current set of public private partnerships is at best ill defined.  They categorically suffer from meaningful value creation or private sector incentive.

Such incentives might include tax credits, fines, liability levers, public recognition, or even occur at an operational level, through mechanisms such as the sharing of threat intelligence, technical knowledge or incident response support to name just a few.

Trust relationships when dealing in cyber security matters are critical.  In discussions among privacy and civil liberties groups the role of the NSA in monitoring or defending US networks is debated.  Should such intelligence programs exist, DHS should be very careful before participating in, supporting or engaging in these activities.  The department’s ability to fulfill its primary mission and responsibilities may be permanently damaged by a loss of public confidence and trust.

At a bare minimum, in order to preserve public trust, any interaction with domestic intelligence collection efforts should be explicitly and clearly articulated.  Such transparency will increase public trust and confidence and offset concerns raised by uncertainty and the uninformed.

DHS must be formally charged with and enabled to build an effective cyber capability in support of securing federal civilian systems.

Special provisions should be made in the hiring, contracting, human resources and political issues within the cyber mission of DHS to prevent it from remaining a victim of the department’s broader administrative failures.

DHS should also be given specific emergency authorities to address security concerns in civil systems, to include the ability to measure compliance with security standards, protocols and practices and take decisive action where organizations are not applying reasonable standards of care.

At present the operational cybersecurity arm of DHS, the US-CERT, remains politically torn apart into three components and completely subjugated to a cadre of detailees from the intelligence community.  In order to regain efficiency, the department’s operational security activities must be reconsolidated in the US-CERT.  This operational mission is not resourced to succeed with less than 20 government FTEs, and a budget of only $67 million.  Additionally, the US-CERT must be led by a single federal civil executive.

The US-CERT must be provided appropriate staffing levels to move forward and given adequate funding.  Not doing so cannot help but send the strongest message to the cyber community, the rest of government, the intelligence community and the critical infrastructure in the private sector that cybersecurity does not matter to DHS leadership and should not matter to them.

A newly focused US-CERT should report directly to the Secretary of DHS, just as NTOC reports to the Director of the NSA.  The cyber responsibilities of the department must not remain buried in the bureaucracy of DHS or, alternatively, they must be removed and placed in an independent agency where they can succeed.

Amit Yoran’s full written testimony is available for download from the Committee website here.

Video archival footage of this Committee proceeding is available here.

Adobe announces new vulnerability in Adobe 9 Software After Reports of Zero Day Exploits

Posted in Insider Threat

On February 19th, Adobe confirmed reports that version 9 of its Adobe Acrobat and Adobe Reader software was vulnerable to a buffer overflow that has allowed some companies to be targeted in spear-phishing attacks.

Their announcement said:

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers.

McAfee’s Avert Labs blog has screenshots of the buffer overflow in action here. They go on to say:

Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

As a reminder, the Better Business Bureau phishing scam successfully exploited many large companies last year by sending emails with malicious .PDF attachments to executives of those companies. And since there will not be a patch in place until mid-March, extra vigilance is required to prevent this exploit from affecting you.

Zero-day exploits don’t typically remain targeted against just a few enterprises for long. Within days we expect this exploit to accompany broader mass phishing attempts. And given the IRS tax season, perhaps malicious .PDFs will be seen targeting taxpayers via email.

Malicious Insider Plants Logic Bomb to Wipe Out Fannie Mae Data

Posted in Insider Threat

A senior Unix administrator known only as “SK” admitted she got lucky when she found the malicious script planted in a development server on the network.  “The malicious script was at the bottom of the legitimate script, separated by approximately one page of blank lines, apparently in an effort to hide the malicious script within the legitimate script,” states an affidavit filed against Rajendrasinh Makwana, an Indian citizen living in the United States under a work visa.  Makwana is accused of illegally accessing Fannie’s network after being fired from the job. Had the script executed as planned, 4000 servers at Fannie would have been wiped clean tomorrow, January 31st.

According to an InformationWeek article here:

The discovery occurred on Oct. 29. Makwana had been terminated as a Fannie Mae contractor on Oct. 24, around 1 or 1:30 p.m., the affidavit says, but his network access was not terminated until late that evening. Makwana was fired for allegedly creating a computer script earlier that month that changed server settings without the permission of his supervisor.

Makwana was not required to turn in his badge or Fannie Mae-supplied laptop until the end of the day on Oct. 24. According to Nye’s affidavit, it was during that afternoon that Makwana is alleged to have planted the malicious script.

Makwana had planted his script by using his existing credentials over an encrypted channel.  Since his accounts were still active and his access rights still in place, no technological solution could have prevented or stopped such an attack.  But it clearly highlights the threats posed by internal users.
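The hiding technique described in the affidavit, a legitimate script followed by roughly a page of blank lines and then additional content, is a layout that a routine review of scheduled scripts can look for. The following is an added example (not from the original post, the affidavit, or Fannie Mae) that scans script text for that pattern; the 25-line threshold and the sample scripts are constructed assumptions.

```python
"""Flag scripts that carry content hidden behind a long run of blank lines.

Added example: scans script text for a run of blank lines longer than a
threshold that is followed by further non-blank content, the layout the
Fannie Mae affidavit describes. Threshold and samples are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# "About a page" of blank lines; 25 is an assumed threshold, not a figure from the case.
DEFAULT_GAP = 25


@dataclass
class HiddenTail:
    gap_start: int    # 1-based line number where the blank run begins
    gap_length: int   # number of consecutive blank lines
    tail_start: int   # 1-based line number of the first non-blank line after the gap
    tail_lines: int   # how many non-blank lines follow the gap
    preview: str      # first hidden line, for the alert text


def find_hidden_tail(text: str, min_gap: int = DEFAULT_GAP) -> Optional[HiddenTail]:
    """Return the longest blank-line gap (>= min_gap) that still has content after it.

    Trailing blank lines at end of file are not reported: nothing follows them.
    """
    lines = text.splitlines()
    best: Optional[HiddenTail] = None
    run_start: Optional[int] = None
    for idx, line in enumerate(lines):
        if line.strip() == "":
            if run_start is None:
                run_start = idx
            continue
        # Non-blank line: close any open run of blank lines and measure it.
        if run_start is not None:
            gap = idx - run_start
            if gap >= min_gap:
                tail = [l for l in lines[idx:] if l.strip()]
                cand = HiddenTail(run_start + 1, gap, idx + 1, len(tail), line.strip())
                if best is None or cand.gap_length > best.gap_length:
                    best = cand
            run_start = None
    return best


def scan_scripts(scripts: Dict[str, str], min_gap: int = DEFAULT_GAP) -> List[str]:
    """Return one alert string per script whose layout matches the pattern."""
    alerts = []
    for name, text in scripts.items():
        hit = find_hidden_tail(text, min_gap)
        if hit:
            alerts.append(
                f"{name}: {hit.tail_lines} non-blank line(s) hidden after "
                f"{hit.gap_length} blank lines starting at line {hit.gap_start} "
                f"(first hidden line: {hit.preview!r})"
            )
    return alerts


# Constructed sample: a benign housekeeping script, and the same script with a
# harmless tail padded 30 blank lines below its visible end.
LEGIT = "#!/bin/sh\n# nightly housekeeping\nfind /var/tmp -mtime +7 -delete\necho done\n"
PADDED = LEGIT + "\n" * 30 + "echo 'hidden tail'\necho 'second hidden line'\n"

SAMPLE_SCRIPTS = {"housekeeping.sh": LEGIT, "housekeeping_padded.sh": PADDED}

if __name__ == "__main__":
    for alert in scan_scripts(SAMPLE_SCRIPTS):
        print(alert)
```

Pointing `scan_scripts` at the contents of cron, init and deployment scripts turns this into a cheap periodic integrity check that complements, rather than replaces, timely credential revocation at termination.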

Information security is sometimes more about enforcing procedures than policies.  In Makwana’s case, the policies were followed for a termination in that accounts were disabled by the end of the employee’s last working day, but the procedures perhaps could have included building security escorting the employee and  the timely confiscation of corporate equipment.

Everyone wants to trust their employees as friends and colleagues.  And enforcing a procedure that requires a security guard to watch the employee pack his things and turn in building passes, credentials, laptops, phones, and other personal items just makes your company look like a cruel, bullying entity.  However, not following such a process could jeopardize your data.

Come See Us at the DoD CyberCrime Conference

Posted in On The Road

We are pleased to be a part of the DoD CyberCrime Conference in chilly St. Louis, Missouri.  Conference goers should feel free to stop by, say hello, and check out the demonstrations of our NextGen software.

Hackers Swipe Information on Job Seekers From Monster.Com

Posted in Breach, Data Leakage, Network Visibility

For the second time in 18 months, Monster.com has suffered a massive security breach.  In both cases, user account information was stolen, along with the email addresses and names of job seekers.  When this happened in August of 2007, 1.3 million accounts were taken after an employee of the company divulged his credentials via a Trojan horse program.  Within days of that attack, users of Monster.com who had their account information stolen found they were victims of targeted malware phishing attacks and, since hackers assume Monster.com users are out of a job, many were invited to become money-laundering mules for criminal hacker organizations.

In the latest breach, Monster put a notice here on their website that says:

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes. Monster does not generally collect – and the accessed information does not include - sensitive data such as social security numbers or personal financial data.

Immediately upon learning about this, Monster initiated an investigation and took corrective steps. It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.

Now let’s flash back to 2007 and their statement to the press regarding that breach:

Sal Iannuzzi, the company’s chairman and chief executive, said the company was improving its surveillance of how the site is used as well as limiting the way data can be accessed. Iannuzzi declined to provide specific details about how the new security measures will work, saying he didn’t want to make them vulnerable to potential hackers.

Whatever improvements were made in Monster’s network surveillance and security measures were not adequate to deal with the severity of the threats the organization is facing from sophisticated adversaries.  In light of this second breach, Monster should review what went wrong with their previous remediation plan and develop something better to help them identify data breaches quickly and lock down their customer records.  Monster, as many enterprises today, simply needs better and deeper visibility into their network traffic.

NetWitness NextGen provides a new paradigm for network security monitoring.  Full packet capture and session analysis provides the ultimate truth about data crossing the wire because you are dealing with ALL the data, not just signatures or statistics or scans.  Your security managers will actually know what types of information are crossing network interfaces, will better understand the risks of that data in motion, and can therefore make better decisions about reducing those risks.  And regardless of how the hacker tries to exfiltrate the data (via the web, a trojanized control channel into the internal network, or a disgruntled insider), NetWitness helps you close the gaps.

For Monster users, please change your password on the site.  Other bloggers are reporting that usernames and passwords were stored in clear text.  If so, and you use the same username and passwords on other accounts, you may wish to change those credentials as well.

Largest Ever Cyber Breach Reported by Heartland Payment Systems

Posted in Data Leakage

If you have dined out at a local family restaurant in the past few months, or perhaps paid for books for your college-bound kids, or even paid for gasoline at the pumps with a credit card, you may have inadvertently allowed hackers to steal your credit card number during the transaction phase that takes place on Heartland Payment Systems’ backend network.

The Washington Post’s Brian Krebs broke the story yesterday. He writes on his SecurityFix blog here:

Heartland, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.

40 percent of transactions the company processes are from small to mid-sized restaurants across the country.

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. It wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Heartland said.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

In many cases where a processor experiences a breach, the affected banks may simply re-issue new cards to some customers. In other cases, consumers may spot the first signs of fraudulent activity by reviewing their bank statements.

Heartland Payment Systems also went on to declare to the Wall Street Journal that the breach was due to a magnificent piece of malware that was “light-years” ahead of what other hackers could do.

Heartland was targeted with malicious software that was “light-years more sophisticated” than malevolent programs commonly downloaded from the Internet.

NetWitness understands that cyber breaches happen.  Maybe this piece of malware was more sophisticated than usual, but it was still malware that evaded the detection capabilities of standard security software.  Firewalls and intrusion detection systems alone cannot alert security personnel to activity that was designed by criminals to evade detection.

Exfiltrated data can be recorded as it happens, along with how the malware came to be downloaded to the network.  And those packet collections can be preserved so that when reports come in that data is being used fraudulently, you don’t have to pore over audit trails, IDS alerts and firewall logs looking for the problem.  You have the network traffic itself for audit.  And with NetWitness Investigator, analysts can easily spot the problem communications.  No need to wait for the Secret Service to show up with a forensics team.

In the meantime, keep an eye on your credit card bills for any suspicious charges.  Any fraudulent activity should be reported to your financial institution immediately.

Tutorial Video - now in HD

Posted in Uncategorized

I am not sure anyone really can understand how hard it is to make a computer tutorial video that looks even remotely watchable on YouTube.  It took quite a few tries to figure out how far I needed to zoom in to make it readable at a resolution that was cutting edge in 1992.

In my searches for options, I stumbled on ViddYou.  Consider it a YouTube clone that will allow HD content for about 3 dollars a month.  The tutorial is now there as well, in a much clearer format.


Investigator 8.6 Release to the World

Posted in Network Visibility

On Monday of this week, we released Investigator 8.6, and we released it free.  I thought I would take to this poor, neglected blog and write some thoughts about it.  So far the reaction has been very positive.  It seems people like what they see, and we are very happy with the many blog posts and positive feedback we are getting.  I thought I would answer some questions here directly.

The number one question from the press, blogs, and friends - was “Why?”

It would be easy to say that this is simply a good thing for the security community - and we wanted to contribute.  To be sure - there was a lot of that in our discussions.  But the truth is - we really don’t sell Investigator.  What we sell - are enterprise class, distributed network appliances that perform very high speed network capture, and all the analysis you see in Investigator — in real time — providing weeks and months of historic visibility.

Investigator - is simply the front end for that solution.  If you want to know what we do as a company, and what we sell — it is simple.  If you like what Investigator does on a gigabyte of packet captures - just imagine it working over 100 Terabytes or more.  Imagine having that power over every bit and byte that has entered or left your network over the last month.  To be sure - there are reporting engines and alerting engines we sell that automate common analysis - but with Investigator you should get the idea of what we offer enterprise customers.

The number two question that we get - always seems to involve Wireshark, in some sort of competition skew.

Again - the simple truth is that the products are not competitive at all.  In fact, they work together to make both products better.  In the demonstration videos - I even show how easy it is to open sessions in Wireshark.  We use Wireshark every day.  And those of you who used to - will still use it.  What we hopefully let you do - is find those sessions that need to be looked at - 100 times faster than before.  Perhaps a thousand…  In the end - I bet Wireshark developers will use Investigator as well.  The products complement - not compete.

The next question is about registration.  It seems everyone thinks it is a bit cumbersome.

There are several reasons for this.  First - we are a small - private - commercial company.  We are not a charity, a think tank, or a group of cyber crime fighters.  So if we require people to register - it can help us see which industries we should be focusing on, and other marketing needs.  We are not going to be overzealous in this regard, but the information will help us be a better company.

Next - there are quite a few ways we have built extensibility into the product.  From custom alert rules - to custom threat and intelligence feeds - to full-on custom session protocol parsing - users of Investigator can contribute by creating extensions.  I wanted - personally above all else as CTO - to get a community of users that are pushing the product forward.  That is why your registration also registers you for the community.  The video tutorial did not focus on this aspect yet - but I will extend it soon.  For now - if you are interested in those aspects - you will have to make do with the manuals and the community forums.

The last question - seems to be “Windows - Really?”

Well - remember - this is our front end client software to enterprise solutions.  We actually are working in the background to make the client more cross platform.  All of our enterprise solutions work on dedicated - very high speed, open Linux architectures.  As a small company - we can move faster by picking our battles with technology.  All of the database technology that we have written, all of the core components for processing and extracting data, essentially all of our core components - are all already cross platform.  When we have time - we will work on getting the UI components there as well.

In the end - we really hope you enjoy Investigator.  We hope it makes your jobs easier.  Please provide us feedback.  We will listen - and we will update often with new capabilities.

PCI Alone Will Not Stop the Data Losses

Posted in Data Leakage, Network Visibility, PCI, Regulatory

The recent public disclosures at Hannaford Bros of millions of credit card numbers lost to professional carder gangs again raises questions regarding the state of preparedness of retail security and other industries to protect customer data in the current cyber threat environment.  In the case of Hannaford, these gangs may have followed a pattern familiar to network forensics researchers with whom we work – a weak link in the security program is exploited as a foothold to open a command and control channel on the victim network.  After that, it is just a matter of time before critical POS servers or store terminals are Trojanized, and are automatically transmitting perfectly valid customer credit card numbers directly to carder gang members. 

The amount of ensuing punditry is astounding.  First, the horror and shock from some corners that PCI Standards did not prevent this debacle.  For good or bad, PCI was the credit card companies’ much needed attempt to enforce some level of basic information security on organizations with merchant accounts.  The security controls in PCI were designed years ago, and are focused on well-understood and documented threats and essential security practices.  But, PCI compliance, due to its very nature, is not going to provide adequate protection against a well-funded and committed professional adversary who can design specific malware to circumvent these basic security controls. 

There also have been calls to jettison PCI.  The premise in these statements is that if the card companies would simply take responsibility for the storage and security of credit card numbers from the moment of card-swiping forward, there would be no need for retailers to comply with some key aspects of PCI.  This position, while seemingly attractive at the surface from a security perspective, is untenable in a multi-trillion dollar consumer facing industry.  The reality is that the same architectural, procedural, technological, and financial constraints preventing retailers from adequately protecting their data in many cases will prevent the card companies from implementing the suggested changes. 

Having spent time with top retailers over the past several years, I can tell you that there are many very good security people working at these organizations, but with limited ability to get things done.  These IT professionals would benefit greatly from two things:  1) A self-directed industry effort to develop voluntary, model security standards that would deal effectively with today’s actual threat environment, rather than force them to follow checklists.  This process requires leadership, organization and resources; and 2) A greater focus on operational security efficacy.  PCI was only good in the sense that it jolted retailers to focus on “Security 101” but it is not the end – simply a catalyst.  Retailers and other industries that handle PII now must take matters into their own hands and move beyond PCI and other regulations to recognize that today’s threat environment requires a deeper degree of security monitoring and network visibility, especially at the application layer.

You can’t get this visibility from once-a-quarter scanning, annual audits, or even from most of the perimeter sensors deployed today.  If you are not doing full packet capture and session analysis with NetWitness you will miss indications and warnings of TJX- and Hannaford-like problems, and also will lack the evidence to figure out the scope and damage of the incident.   – Eddie Schwartz