In Part 1 of this series, we touched on some ways to make it so difficult to pull off a hack-attack, that the perpetrator will most likely want to go somewhere else and try their attack.

In this section, we’re going to address testing, maintaining and other important items that deserve your attention.

Testing

Once you have fixed all of the issues, you need to test everything to make sure it works the way it is supposed to. You must first create benchmarks in which you are testing against. Just to run a test for the sake of running a test is futile. Once the benchmark(s) have been set, you are ready to test:

• Run port scans to ensure only required ports and services are open and/or running
• Firewalls detect intrusions
• Switches and routers have only active administrator accounts
• Passwords adhere to compliance requirements etc

Be sure to document your test procedure(s) step-by-step as well as the test results. Note if the outcome of the test was expected or not. If there is anything that fails during your testing, you need to fix those issues and retest. Don’t skimp on testing…hackers are not forgiving and just like in dodge ball, there are no “do-overs”.

Maintaining

Once you have tested everything and are assured that your organization is where they need to be, you now need to create and maintain a testing program. Don’t try creating a maintenance program prior to everything being tested, as you will surely be making changes to the maintenance program, making are previous efforts null. Your maintenance program needs to have firm dates / times set for scheduled maintenance. You need to have multiple maintenance programs set up such as:

• Patch management
• Password management
• Network account management
• System management
• Applications management
• Operating system management
• Security administration etc

By setting up multiple maintenance programs you are able to create “silo’s” for each area and assign personnel who are responsible for each of these areas. This allows for a better view should there be a failure in any of these areas…and makes it easier to see where the failure occurred and to fix the area faster.

Worth Considering

There are a few tricks that you can implement on your network that will make a hacker think twice about trying anything. The more difficult you make it for the hacker to attack, the more likely it is that they will go somewhere else to attack. As someone who has spent the better part of the past quarter of a century protecting companies against attackers, I have listed a few neat tricks you can implement:

Honey Pots

A honey pot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers. These honey pots can be used to track and in some cases trap and report a hacker.

Trace Routing

Having the attacker’s IP is all well and good, but what can you do with it? The answer is, a lot more! It’s not enough to have the address, you also need to know where the attacker’s connections are coming from. You may have used automated trace routing tools before, but do you know how they work?

Go back to MSDOS and type tracert *type IP address/hostname here*

Now, what happens is, the Trace route will show you all the computers in between you and the target machine, including blockages, firewalls etc. More often than not, the hostname address listed before the final one will belong to the hacker’s ISP company. It’ll either say who the ISP is somewhere in there, or else you run a second trace on the new IP/hostname address to see who the ISP Company in question is.

Reverse DNS Query

This is probably the most effective way of running a trace on somebody. If ever you’re in a chat room and you see someone saying that they’ve “hacked into a satellite orbiting the Earth, and are taking pictures of your house right now”, ignore them because that’s just bad movie nonsense. THIS method is the way to go, with regard to finding out what country (even maybe what state/city etc.) someone resides, although it’s actually almost impossible to find an EXACT geographical location without actually breaking into your ISP’s head office and running off with the safe.

To run an rDNS query, simply go back to MS-DOS and type netstat and hit return. Any active connections will resolve to hostnames rather than a numerical format.

DNS stands for Domain Name Server. These are machines connected to the Internet whose job it is to keep track of the IP Addresses and Domain Names of other machines. When called upon, they take the ASCII Domain Name and convert it to the relevant numeric IP Address. A DNS search translates a hostname into an IP address….which is why we can enter “www.hotmail.com” and get the website to come up, instead of having to actually remember Hotmail’s IP address and enter that instead.

Well, reverse DNS, of course, translates the IP address into a hostname (i.e., in letters and words instead of numbers, because sometimes the hacker will employ various methods to stop netstat from picking up a correct hostname).

While we’ve given you a very high level look at what needs to be done to better protect yourself from a hack attack, we believe it represents the best place to start in understanding what you need to do.

James Holler is founder of Abidance Consulting.

Part 1 of a 2-part series

First, let me start with the bad news: There is no absolute way to prevent an internal or external hack-attack. With that said, there are some things that you can do that will make it so difficult to pull off a hack-attack, that the perpetrator will most likely want to go somewhere else and try their attack.

Now, there is an old saying, “cleanliness is next to Godliness.” I am sure you have all heard that line at some time in your life. This saying holds true in the security world. If your network is in total shambles (DAT files not updated, Service Packs are so far behind your need an abacus to determine how many versions behind you are, etc.) and your Intrusion Detection System (IDS) is monitored by humans only during business hours, then you have a “dirty” network that needs to either be cleaned, or as my mom used to tell me…let’s just burn your room and start over, it will be easier that way. If your network/server room looks as if a spaghetti factory has blown up, get it cleaned up by rewiring it using tags on each line so you know where each of the cables is assigned.

The first thing you need to understand in preparing to get your network in top form is to not only determine what is wrong with it, but to also be open to criticism from experts. Put away the ego (one of the top reasons why networks are in shambles to begin with) so that you can listen and learn from your internal experts or external consultants – you hired them, now listen to them.

In Part 1, we’ll look at network discovery issues, vulnerability assessments, and discuss ways to fix some of these challenges.

Network Discovery

Before you can determine what’s wrong with your network, you must first know what your network looks like. You will want to conduct a thorough network discovery since you are going to need to know not only what devices are on your network, but also where they are. Please don’t think that you are going to run a piece of software that will show you everything. If you have a wireless or dial-up modem hanging off of your network and the power button is off, you may never discover it. You may need to do a physical inspection of your entire facility…look up in the ceiling…those pesky tiles can support the weight of a modem and even an old sandwich from 4 years ago. I personally use an iPaq handheld device that is capable of “sniffing” out these modems, even when they are turned off. Now that you have a true and correct picture of your network, you will need to conduct a vulnerability assessment to determine what areas are weak and are in need of attention.

Vulnerability Assessment

To ensure that there are no “cover-ups” by your staff, it is recommended that you have an outside consulting firm come in and conduct the assessment for you. Depending on the size of your organization, the fee’s for this could be $15k to $30k or more. The final report to be delivered should be comprehensive in nature. Be sure to ask for sample reports prior to awarding a contract or project to anyone. There are areas that must be looked at closely. Make sure whoever you assign the project to gives you a list of the services they are going to run. My only word of caution here is that you do not allow a penetration attack be made against your Primary Domain Controller (PDC). Once the assessment is completed, make sure that you not only address the issues, but fix the issues.

Fixing The Issues

When you do get the final report, there are going to be a lot of errors that need to be fixed. Don’t worry; the “bark” of the report is much worse than the “bite”. Depending on how bad your network was when the assessment was conducted, you may have a few pages of issues to as much as a thousand pages of issues – one assessment we did a few years back yielded almost 7,000 pages (a government agency…need I say more). When you are reading your final report, one of the first questions you need to ask yourself is, “Where do I begin”? Not to worry, your security staff/consultants should prioritize what needs to be done and at what point in the project does it need to be done. The point at which a certain task is completed is very important since everything has a logical order of semblance to it…you wouldn’t put the seats in a car before you laid down the carpet. Your staff and/or consultants should know this and be able to build out a project plan with a scope of work, keeping you (the stakeholder) in the loop at all times. Never be afraid to ask questions or challenge something if you feel it isn’t the right thing to do or you don’t understand why something is or isn’t being done.

To save time and money, you have to look at all of the different compliance issues you have to deal with (NERC, EPA, OSHA etc) and cross-walk your efforts to all of these compliance requirements. Doing this will ultimately save yourself time and money by not overlapping efforts.

Next time, we’ll look at testing, maintaining, and some other important issues that merit your attention.

James Holler is founder of Abidance Consulting.

According to the Wall Street Journal (WSJ), computer hackers have designed a virus that targets the industrial control systems, to include power plants, built by German engineering giant Siemens AG. The virus apparently activates a kind of malicious software that analysts say represents a growing corporate-espionage threat. This type of threat has been talked about for years — and it is now a reality.

The virus, Stuxnet, is spread by USB devices plugged into the physically unsecured USB ports on the machine(s) hosting the SCADA systems used by power plants and other types of facilities. The virus is programmed to steal data from computer systems that are used to monitor power plants built for anything from manufacturing to power generation to water treatment.

Researchers analyzing the virus say that they are now seeing several thousand infection attempts daily, though the virus is only activated if it lands on a computer running the Siemens systems software. Analysts warn that the attack on the Siemens’s systems marks an escalation in hackers’ efforts to use viruses for industrial espionage or sabotage purposes. This attack will surely make the NERC CIP regulations become even tighter more quickly than before this story broke.

Smaller, more isolated virus attacks have been attempted before on SCADA systems, but this is the first such infection where a virus is searching specifically for SCADA systems to attack on such a large-scale basis. The worry among security analysts should be that such viruses will, at some point, be used by criminal organizations or even terror groups to sabotage power plants.

The Stuxnet virus specifically exploits an unpatched vulnerability in the Microsoft Windows operating system, allowing it to spread through all USB devices. Once the virus has infected the Siemens system, it uses default passwords that are hard-coded into the Siemens software to upload false control-system data to a remote server. In an advisory that Siemens posted on its website, the company said Microsoft was working on a patch to fix the vulnerability at the USB interface. In its own website advisory, Microsoft has provided a workaround fix to offer some additional protection until a patch, or update, is ready.

Siemens said it expects to approve the updated virus scanners this week and also plans to provide customers with a diagnostic tool to check if their systems have been infected. In the meantime, the company’s website advisory urges customers not to use any USB storage sticks.

Siemens, Microsoft and other security analysts haven’t determined where the virus originated. Many of the infection attempts have originated from India, Indonesia and Iran. The virus likely was created in Asia, given the pattern of attacks and technology used.

James Holler is founder of Abidance Consulting.

In previous series of articles Part I and Part II, we discussed the benefits of using a closed-loop process for managing regulatory compliance (pictured below). I also showed how setting up Key Performance Indicators (KPIs) that monitor performance to goals is a good way to Check that processes are working properly, thus reducing the need to perform manual audits of a given operation.

Let’s now take a closer look at the Track Problems step. The primary goal of this step is to collect and analyze data related to operational problems. This is a vital prerequisite for the next step in the process: Improve. Remember our overall goal is to systematically and continuously improve regulatory compliance. So let’s first take a look at collecting data.

Collecting data about operational problems sounds like an easy task, but it turns out to be anything but. First of all, there is a cultural stigma associated with anything that is labeled as a problem. This is because, where there is a problem, there is blame. And where there is blame, there are consequences. Given the fact that we are talking about consequences associated with someone’s livelihood, this is not something to take lightly. Therefore it is important to set a “tone from the top” that let’s employees know that the data will be used to improve operational processes and not punish employees. It is also helpful to ask employees to suggest improvement ideas. I’ve even seen some companies acknowledge and reward employees for suggestions that result in positive actions.  These are all good ways to encourage problem reporting. You want to tip the scale in favor of logging problems as shown in the illustration.

The next question is, “What data should we be collecting?” Let me start by pointing out that some data is better than no data. Waiting to create the perfect system will result in the loss of valuable information that could have alerted you to looming problems. So at the very least, start collecting data any way that you can.

I have seen hundreds of problem tracking forms spanning many processes and many industries. I’ve created product issue forms, process problem forms, out of spec forms, suggestions forms for industries regulated by the FDA, NERC and the SEC. I’ve summarized four design tips in the next illustration.

Now that you are collecting problem data, what should you do with that data? The high level steps for processing issues are: Identification, Investigation, Immediate Actions, Analysis and Planning for Further Action.

This is a summary of what each of these steps involves:

Identify: Collect problem data from all sources. Route these to someone that can determine immediate actions and investigate the problem.

Investigate: Look into the problem beyond the initial problem report. Look for trends from other sources (employees, vendors, customer) and from similar product and problems.

Immediate Actions: This step may be performed in parallel with or before the Investigate step. Determine if there are any immediate actions that need to be taken to contain the problem. While you are looking for root causes you don’t want the problem to grow or continue to do damage.

Root Cause Analysis: This is different from the initial investigate step in that you now are trying to determine what actually caused the problem. During the investigation you may determine that the problem was a result of operator error. But the root cause analysis may reveal that the operating procedure is unclear and is in fact the root cause of the problem.

Plans for Further Action: Once you have established the root cause you can take actions to Improve operations. In this step you would plan out what those improvement actions will entail, who will implement them, and how long they will take to enact. Typically this Corrective Action project requires management approval to allocate the required resources.

One benefit of this process is that a single Corrective Action project can address multiple problems. See the following illustration.

The next step is to Improve operations through implementing the corrective action project. We will take look at that step in the next article.

Sal Lucido is Vice President, Enterprise Solutions at AssurX, Inc. You can follow him at http://twitter.com/ComplianceTips

In Part I, we took a high-level look at a process for automating regulatory compliance management. The closed-loop process starts with Documenting your processes followed by Monitoring or Checking that your processes are being followed. Next you provide a means of Logging or Tracking any problems that may arise and then take actions to Improve. This improvement should then result in a revision to the Documented process followed by notifying or training those affected by the process improvement.  This closed-loop process, which I call the Circle of Compliance, should be used to automate the process of complying with regulatory standards.

Now lets take a closer look at the Check step. The goal of this step is to eliminate the need to manually audit a process in order to determine its effectiveness. One way to do this is by defining a Key Performance Indicator (KPI). That’s a measure of performance that is used to help an organization monitor progress to goals. For example, a company may decide to improve responsiveness by reducing the number of late tasks. A company might also set a goal for reducing violations or incidents to improve conformance to regulations or standards. You can see an example dashboard showing these two KPI’s in the diagram shown below.

Key Performance Indicators for monitoring late tasks and monthly incidents. Traffic Light indicators provide a method for quickly showing progress to goals.

Let’s take a closer look at this KPI dashboard. Both measurements are listed: Late Projects and Monthly Incidents. Notice that the date the measurement was made along with the actual performance data are displayed. We can see that for the month of May there were two late projects and five incidents. Then on the right we see a trend arrow (more on this below) and a traffic light, which give us a quick indication of performance to goal. Green is good and red is bad. Of course in order to set the traffic light to the correct state (green, yellow or red) we need some goals.

For example if there are less than two late projects each month the light will be green. If there are between two and four late projects we would consider that a yellow light (or caution). And if there were more than four late projects in a given month we would set the light to red.

When implemented properly, KPI’s monitor performance over a given time period (day, week, month, etc.) and provide a visual indication (traffic light, flag, etc.) of performance to goal. So let’s dig a bit deeper to better understand how to do it right.

Since a KPI measures performance over a given time period there must be historical data, trends and state changes. Let’s start with historical data. By clicking on the KPI dashboard we can see past measurements (shown below).

A report of historical KPI data shows an improving trend. An email is automatically sent in May when the light changes state.

We can see from the historical data that the trend is moving from bad to good and that in May there was a state change to red and yellow respectively. This system is set up to automatically send an email to the KPI Owner whenever there is a state change.

Emails are automatically sent when the light changes state. This shows a notification indicated that things are getting worse given the light changed from green to yellow.

Also if you look back at the KPI Dashboard you see the Trend arrow is green and down. Down indicates that we have fewer late projects than in the previous reporting period. The arrow is green, which indicates that this is a ‘good’ or desirable trend.

In summary, setting up Key Performance Indicators that monitor your performance to goals is a good way to ‘Check’ that your processes are working properly. It also eliminates the need to perform manual audits of
a given operation reducing labor costs. The next step in this closed-loop process is ‘Tracking Problems’.

Next time: We’ll take an in depth look at the ‘Tracking Problems’ step.

Sal Lucido is Vice President, Enterprise Solutions at AssurX, Inc. You can follow him at http://twitter.com/ComplianceTips