Cord Blood Registry breach – encryption controls and media controls

Archive for March, 2011

Cord Blood Registry breach – encryption controls and media controls

Posted by

Backup Files Put Database Information At Risk
Cord Blood Registry breach a cautionary tale in the need for encryption, key management, and secure physical transport of database back-up media.

Kelly explains that step No. 1 to keep this database information secure is implementing strong encryption practices and key management. J. Wolfgang Goerlich, a network security manager at a financial services firm, concurs. He says the risk of misplaced backup information is at the top of his list of worries.

“Encryption is the No. 1 control to prevent scenarios such as the Cord Blood Registry breach. Encryption does require time for configuration and ongoing maintenance, but it has a very low fixed cost,” Goerlich says. “In the Cord Blood Registry scenario, three areas that should have been encrypted: the laptop hard drive, the database backup file, and the LTO4 backup tapes. If encrypted, the stolen media would be all but useless. The personal information of 300,000 people would be unreadable and unrecognizable.”

He also believes organizations need to do a better job instituting tape media procedural controls as well. “These ensure that the storage tapes are transported in a manner that is physically secure. From the initial reports, it looks like Cord Blood Registry did not have these in place,” he says. “A solid procedure would prevent transporting sensitive backup tapes using an employee’s vehicle and prevent leaving those tapes unattended in a parking lot.”

Miss the basics, miss the boat – Core Blood Registry

Posted by

“The Cord Blood Registry earlier this week began notifying some 300,000 registrants that their personal data might be at risk. (…) a report on the Office of Inadequate Security website indicates that the breach was the result of the theft of data backup tapes from an employee’s car.”


The breach is a good reminder of the basics. If it moves, encrypt it. If it rests, encrypt it. If you are moving tapes, have basic media controls in place to keep unsecured tapes from sitting in someone’s car. Miss the basics, miss the boat.

Bypassing IDS/NSM detection

Posted by

There are a number of ways an attacker can circumvent the protection of network security monitoring. He can use evasion techniques to avoid detection, or use diversion techniques to distract the defender. Here are a couple methods.

Protocol misuse. NetFlow and layer 1/2/3 statistics track hardware addresses, IP addresses, and TCP/UDP ports. Application layer detail is generally not analyzed and tracked. Any packet sent over port 80 will be assumed an HTTP packet, anything over port 53 a DNS packet, and so on. An attacker can send information over alternate ports to mask their activities. Alternatively, some protocols can be directly misused to carry out an attacker’s aims. For example, see the OzymanDNS app that tunnels SSH and transfers files over the standard DNS protocol. When application layer tracking is not enabled, an attacker has a blind spot that they can use.

Kaminsky, D. (2004, July 29). Release!, from Dan Kaminsky’s Blog:

Payload obfuscation. An attacker can also create a blind spot by obfuscating (or disguising) their application layer traffic. If application layer analysis is enabled, it may be utilizing pattern matching for application layer analysis. The attacker has to modify the packet or its payload enough to no longer match the pattern. Perhaps the simplest method is fragmentation, where the IP packet is broken into fragments. Any one fragment will not match the pattern detection. When the fragments get to the host computer, the host re-assembles the packet. The attacker’s payload is then delivered undetected.

Schiffman, M. (2010, February 15). A Brief History of Malware Obfuscation, from Cisco:

Timm, K. (2002, May 05). IDS Evasion Techniques and Tactics, from Symantec:

Denial of Service. A solid NSM solution is one that performs application layer analysis, checks for fragmentation, and negates common obfuscation techniques. An attacker then has options. Think of the smash and grab crimes, where the criminal gets in, gets what they can, and gets out quickly. The equivalent is the attacker who triggers the NSM in one area to create a distraction while they attack in another area. For example, an attacker launches a Denial of Service attack on a network link unrelated to their real target. Alternatively, the DoS targets the NSM infrastructure itself. If the attack is a quick raid of the victim’s network, such methods may pay off.

In sum, attackers can hide in the blind spots, cover their tracks, or make diversions.