Most organizations are going to experience a computer security incident each year. Those organizations that don’t experience an incident only avoid doing so by being blind to what is going on in their information systems. If you are even casually looking at your computers and networks, you will find incidents.
The latest Microsoft Security Intelligence Report (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data. Several of the results confirm what those of us in the network security monitoring community already know: Java is the most often exploited application (page xvii), Adobe Acrobat exploits account for most malicious documents (page xviii), and Adware is the most common type of malware identified (page xx). Microsoft also stated that over a third of malware detected could spread via the AutoRun feature on removable media or on network shares. Updates exist that help make the AutoRun feature in XP and Vista more like the one in Windows 7, which is to say more secure. Deploy those updates.
The results of the investigation into the recent DigiNotar SSL CA breach read like a laundry list of “Things Not To Do™” on your critical servers and networks: no antivirus, no centralized logging, and outdated/vulnerable software exposed to the Internet, among other items. What’s funny about the above list is that if the breached systems had been part of DigiNotar’s PCI cardholder data environment, then DigiNotar could never have passed a PCI QSA audit, as all three items I noted above are required by the PCI DSS. While I couldn’t verify that DigiNotar accepts credit card payments for its SSL certificates, it almost assuredly does (or did!). It almost certainly had undergone a PCI QSA audit, too.
In a previous article, I mentioned two firewall rules that every network should have: blocking outbound DNS (udp/53 and tcp/53), and blocking outbound SMTP (tcp/25). I’d like to suggest a few more rules to add to that list.
The first rule to add is blocking of outbound Windows NetBIOS/SMB/RPC requests. Windows networking requests should never, never, NEVER leave an internal network. Period. If you have a situation where you need to communicate with an external IP using Windows networking, I have two suggestions for you:
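As an added example (not code from the original post), here is a small Python checker that applies these egress rules to flow records, so the same logic that belongs in the firewall can also be run over exported flow logs to find internal hosts that try to violate them. The Windows port list (the standard NetBIOS/SMB/RPC ports), the use of RFC 1918 space as "internal", and the sample flows are my assumptions, not the post's.

```python
import ipaddress

# Ports internal hosts must not reach outside: udp/53, tcp/53 and tcp/25 come
# from the post; the Windows ports are the standard NetBIOS/SMB/RPC ones (assumed).
EGRESS_DENY = {
    ("udp", 53): "outbound DNS",
    ("tcp", 53): "outbound DNS",
    ("tcp", 25): "outbound SMTP",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service (SMB)",
    ("tcp", 445): "SMB over TCP",
    ("tcp", 135): "MS-RPC endpoint mapper",
}

# Assumption: RFC 1918 space is "internal"; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def egress_violations(flows, exempt=None):
    """Return (src, dst, proto, dport, reason) for each internal->external flow
    on a denied port. `exempt` maps a port to the internal hosts allowed to use
    it externally (resolver for 53, mail relay for 25); Windows ports get none."""
    exempt = exempt or {}
    hits = []
    for f in flows:
        reason = EGRESS_DENY.get((f["proto"], f["dport"]))
        if reason is None or not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # allowed port, or not an internal-to-external flow
        if f["src"] in exempt.get(f["dport"], ()):
            continue  # the approved resolver / mail relay
        hits.append((f["src"], f["dst"], f["proto"], f["dport"], reason))
    return hits

# Constructed sample flows (not real traffic); in this made-up network
# 10.0.0.53 is the resolver and 10.0.0.25 the mail relay.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "8.8.8.8", "proto": "udp", "dport": 53},
    {"src": "10.0.0.53", "dst": "8.8.8.8", "proto": "udp", "dport": 53},
    {"src": "192.168.5.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 445},
    {"src": "10.0.0.25", "dst": "198.51.100.25", "proto": "tcp", "dport": 25},
    {"src": "192.168.5.7", "dst": "192.168.5.1", "proto": "tcp", "dport": 445},
    {"src": "203.0.113.50", "dst": "10.1.2.3", "proto": "tcp", "dport": 445},
    {"src": "192.168.5.7", "dst": "198.51.100.9", "proto": "tcp", "dport": 25},
]
SAMPLE_EXEMPT = {53: {"10.0.0.53"}, 25: {"10.0.0.25"}}
```

Calling `egress_violations(SAMPLE_FLOWS, SAMPLE_EXEMPT)` flags three of the sample flows (the stray DNS lookup, the outbound SMB attempt, and the workstation sending SMTP directly); the internal-to-internal SMB flow and the inbound one are ignored, since only egress is in scope here.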
As you may know, our company provides 24×7 Network Security Monitoring services to many customers. Our clients vary widely in size, industry, and information security maturity. Even so, we see many similar successes, failures, and trends in security monitoring alerts between these customers. Spyware infections tend to make up a significant number of the incident reports we generate. Today, I would like to write about the reason spyware alerts are a threat to your organization, why you should take them seriously and respond to them promptly, and what you can do to decrease these incidents on your network.
The danger of spyware is two-fold. First, it indicates a deficiency on the part of the user in general information security knowledge and in specific corporate information security policies. A spyware infection means that the user likely installed unapproved software on his/her system. Perhaps the user was doing non-business related web surfing and found the “Totally Awesome Change Your Life Toolbar” from hAcme Software, Inc. Or maybe the user was tricked into installing this software via social engineering. (“Click here to install a media player to see Jane E. Celebrity in a bikini!”) Either way, the user was not aware of the dangers of his/her actions with respect to information security and with respect to corporate security policies. (You do have policies defining acceptable use of corporate information resources and punishment for misuse, right?)
The second danger (related to the first–in fact, the first is a consequence of the second, so maybe I should have reversed these points–oh well) indicated by a spyware infection is that the user has sufficient rights to execute unapproved software on his/her system that can modify his/her settings and hijack information. With these rights the user may be delivered and subsequently execute much more damaging malware that exfiltrates personal and/or corporate information or receives and executes instructions from external attackers. This malware may be delivered by the spyware itself. Regardless of how it is delivered, your organization has a problem, and it needs to be fixed.
For these two reasons above you should take spyware infections seriously and respond to them in a timely manner. But what can you do to limit future infections?
- Limit user rights. Do not make users members of the local Administrators or Power Users groups. If you have applications that require Administrator privileges to run (QuickBooks, I’m looking in your direction), get rid of them. That is a poorly designed application and is likely going to have far worse flaws.
- One word: Education. Provide it to your users. If you don’t have a sufficiently trained and knowledgeable employee who can teach one day classes on information security, there are plenty of companies that provide that service–and you won’t have to develop the curriculum. Google is your friend, here.
- Follow the hardening guidelines from Microsoft, NIST and NSA on how to secure your Windows systems and networks.
- Use Group Policy or other enforcement mechanisms available from companies like Cisco, Symantec, etc., to whitelist applications. Only applications listed in the whitelist can be executed by the user. Use Group Policy to disable all but a few approved Internet Explorer BHOs (Browser Helper Objects). This will prevent a lot of the toolbar spyware software from infecting your systems.
- Get serious about your corporate information security posture. Convince upper management to dedicate sufficient time and money to sustaining a CISO position.