<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight &#187; Security</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Thu, 02 Feb 2012 15:57:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Patch Your Oracle</title>
		<link>http://www.truedigitalsecurity.com/blog/2012/01/17/patch-your-oracle/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2012/01/17/patch-your-oracle/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 16:49:19 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=947</guid>
		<description><![CDATA[Oracle dropped a bomb today on DBAs everywhere: the January 2012 CPU addresses 79 vulnerabilities! Affected Oracle products range from the 10g and 11g releases of Oracle Database, to WebLogic, VirtualBox, and even MySQL. One of the Oracle Database patches fixes a vulnerability that is remotely exploitable without authentication. In other words, PATCH NOW! (After &#8230; <a href="http://www.truedigitalsecurity.com/blog/2012/01/17/patch-your-oracle/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Oracle dropped a bomb today on DBAs everywhere: the <a href="http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html" title="Oracle CPU January 2012" target="_blank">January 2012 CPU</a> addresses 79 vulnerabilities!  Affected Oracle products range from the 10g and 11g releases of Oracle Database, to WebLogic, VirtualBox, and even MySQL.  One of the Oracle Database patches fixes a vulnerability that is remotely exploitable without authentication.  In other words, PATCH NOW! (After testing, of course.)<span id="more-947"></span></p>
<p>Hopefully, your Oracle applications are properly secured from general access on the Internet.  Generally speaking, databases should be locked down to be only accessible from application servers, which should only be accessible from front-end web servers.  If your Oracle DB is accessible from the Internet, you might want to re-think your architecture.</p>
<p>Internal network access to DBs and App Servers is probably less tightly controlled.  In many instances, users may connect directly to the Oracle DB to run queries or a desktop application.  So now, if one of your users has some malware that is permitting an external attacker to control the machine, your DB server is at risk.  Just because your DBs are not exposed to the Internet does not mean you should downplay the threats addressed in this CPU.  Remember, many data-loss attacks originate from an internal machine, not via an Internet-accessible machine.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Brett Edgar' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='Brett Edgar'>Brett Edgar</a></h3><p>Brett is a Founder and the Director of Managed Security Services at TRUE.  He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003.  He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver.  He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.</p><p><a href='http://twitter.com/lairofthewalrus' title='Brett Edgar on Twitter'>Twitter</a> - <a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='More posts by Brett Edgar'>More Posts</a> </p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2012/01/17/patch-your-oracle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t Let Your Users Get Sucked into the Blackhole!</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/11/07/dont-let-your-users-get-sucked-into-the-blackhole/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/11/07/dont-let-your-users-get-sucked-into-the-blackhole/#comments</comments>
		<pubDate>Mon, 07 Nov 2011 16:30:10 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Adobe Flash]]></category>
		<category><![CDATA[Blackhole]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=848</guid>
		<description><![CDATA[Over the past month, TRUE NSM analysts have observed a significant increase in the number of corporate web users being attacked by the Blackhole Exploit Kit.  The rate of incidents reported involving this malware is now close to two per day.  The Blackhole exploit kit targets vulnerabilities in out-of-date Java and Adobe Reader software.  A &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/11/07/dont-let-your-users-get-sucked-into-the-blackhole/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Over the past month, TRUE NSM analysts have observed a significant increase in the number of corporate web users being attacked by the Blackhole Exploit Kit.  The rate of incidents reported involving this malware is now close to two per day.  The Blackhole exploit kit targets vulnerabilities in out-of-date Java and Adobe Reader software.  A cursory examination of a few of the deobfuscated JavaScript files delivered to users by Blackhole also shows evidence that Adobe Flash is being targeted and perhaps even a few Microsoft vulnerabilities by way of the Windows Media Player ActiveX control.<span id="more-848"></span></p>
<p>So what can corporate IT security administrators do to prevent this attack?  There are several options.  First, you can make sure that the Adobe Reader, Flash, and Java Runtime software on all of your client computers is being updated on a regular basis.  This option is much easier said than done once you have more than a dozen PCs to worry about. There are some corporate systems management suites (e.g., LANDesk, Microsoft System Center Configuration Manager, etc.) that could help manage this problem, but they are far from easy to install and wield properly.</p>
<p>The second option is to disallow use of all of this software in the first place. Unfortunately, in the modern corporate world all three of these applications are nearly essential to conduct business. Flash and Java are perhaps slightly less essential than Adobe Reader, but there are quite a few legitimate business-related websites that fail miserably if either of these software packages is missing.</p>
<p>The third option is probably the best: install a web filter that blocks Flash and Java except from white-listed websites. Unfortunately, installing a web filter usually requires a bit of a culture change and, for reasons I can&#8217;t understand, corporate legal counsels are all too often scared of approving its use.</p>
<p>Anybody have other suggestions on how to attack this problem?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/11/07/dont-let-your-users-get-sucked-into-the-blackhole/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anti-Malware Vendor Fight:  Duqu vs. Stuxnet</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/11/02/anti-malware-vendor-fight-duqu-vs-stuxnet/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/11/02/anti-malware-vendor-fight-duqu-vs-stuxnet/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 13:25:01 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Duqu]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=811</guid>
		<description><![CDATA[It looks like the main anti-malware vendors are choosing sides and going head-to-head on the relationship between Duqu and Stuxnet.  So far, the fight is Symantec and Kaspersky, who say Duqu is related to Stuxnet, vs. SecureWorks and Bitdefender, who say they are not related at all. If you haven&#8217;t heard, Duqu is a new &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/11/02/anti-malware-vendor-fight-duqu-vs-stuxnet/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>It looks like the main anti-malware vendors are choosing sides and going head-to-head on the relationship between Duqu and Stuxnet.  So far, the fight is Symantec and Kaspersky, who say Duqu is related to Stuxnet, vs. SecureWorks and Bitdefender, who say they are not related at all.<span id="more-811"></span></p>
<p>If you haven&#8217;t heard, Duqu is a new piece of malware that has been found so far in Sudan and Iran and is spreading via an unknown method. It is similar to Stuxnet in that it installs a rootkit on infected machines and injects encrypted DLLs into the Windows kernel.  As SecureWorks points out in <a title="Dell SecureWorks analysis of Duqu" href="http://www.secureworks.com/research/threats/duqu/" target="_blank">this analysis</a>, none of this behavior is unique.  It is dissimilar to Stuxnet in that it does not appear to be targeting SCADA PLCs, but is apparently a remote-access trojan that receives commands and exfiltrates data.</p>
<p>It seems to me that the anti-malware vendors are just trying to ride the coattails of the media coverage of Stuxnet. (Wait, isn&#8217;t that what I&#8217;m doing here?)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/11/02/anti-malware-vendor-fight-duqu-vs-stuxnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MSIR Indicates Users Are Weak Link in Computer Security</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/10/14/msir-indicates-users-are-weak-link-in-computer-security/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/10/14/msir-indicates-users-are-weak-link-in-computer-security/#comments</comments>
		<pubDate>Fri, 14 Oct 2011 20:40:37 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Awareness & Training]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=800</guid>
		<description><![CDATA[In my previous two blog posts, we looked at the insights and interesting findings contained within the latest Microsoft Security Intelligence Report. The report is now getting some press in the tech community, and one article in particular caught my attention. A report published by H Security notes, with some surprise, that &#8220;users are responsible &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/10/14/msir-indicates-users-are-weak-link-in-computer-security/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In my previous two <a href="http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/" title="Interesting Insights from the Latest Microsoft Security Intelligence Report">blog</a> <a href="http://www.truedigitalsecurity.com/blog/2011/10/13/more-insights-from-the-msir/" title="More Insights from the MSIR">posts</a>, we looked at the insights and interesting findings contained within the latest Microsoft Security Intelligence Report.  The report is now getting some press in the tech community, and one article in particular caught my attention.  A <a href="http://www.h-online.com/security/news/item/Microsoft-report-Users-responsible-for-half-of-all-infections-1360430.html" target="_blank">report published by H Security</a> notes, with some surprise, that &#8220;users are responsible for nearly half of all infections.&#8221;  This doesn&#8217;t surprise me at all, though.<span id="more-800"></span></p>
<p>Humans are (largely) by nature trusting creatures that crave community, for both protection and intellectual stimulation.  This is why social engineering works so well and will continue to do so until we&#8217;ve learned to be highly suspicious of everything our computer does.  If our computer pops up a properly worded box warning that it is infected with a virus and offers to run a program to fix it, most of us will run that program.  Technology and the Internet reached into all of our lives so rapidly that the trusting nature ingrained within us was unable to adapt quickly enough to the notion that a significant minority of people do not have our best interests at heart and would like to exploit us.</p>
<p>From time to time, TRUE is asked by clients to conduct social engineering exercises against the client&#8217;s employees.  Even in the rare case where a client has engaged in educating its users against phishing attacks, we usually experience a 25% success rate.  USB drives and CD-Rs left lying around usually get inserted into corporate machines, too.  These exercises have great value because users see firsthand how susceptible they are to social engineering attacks, while reinforcing they should think twice before automatically trusting their emails or computers. </p>
<p>I&#8217;ve said it before, and I&#8217;ll keep saying it: users are the weakest link in security.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/10/14/msir-indicates-users-are-weak-link-in-computer-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More Insights from the MSIR</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/10/13/more-insights-from-the-msir/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/10/13/more-insights-from-the-msir/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 20:54:11 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=795</guid>
		<description><![CDATA[In yesterday&#8217;s article I detailed some interesting results from the latest Microsoft Security Intelligence Report from the Key Findings Summary.   I&#8217;ve now made it through several more sections and wish to highlight some more interesting data. In the section titled &#8220;Malware and Potentially Unwanted Software&#8221; (starting on page 49, which is page 73 of &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/10/13/more-insights-from-the-msir/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In <a title="Interesting Insights from the Latest Microsoft Security Intelligence Report" href="http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/">yesterday&#8217;s article</a> I detailed some interesting results from the latest Microsoft Security Intelligence Report from the Key Findings Summary.   I&#8217;ve now made it through several more sections and wish to highlight some more interesting data.<span id="more-795"></span></p>
<p>In the section titled &#8220;Malware and Potentially Unwanted Software&#8221; (starting on page 49, which is page 73 of the PDF), Microsoft presents many interesting statistics. They break down the infection rate by country (geolocated by IP), by Microsoft OS version (XP SP3 through Windows 7 SP1, including Server 2003 SP2 and Server 2008 R2) and bitness (32-bit vs. 64-bit), and threat categories by country. They also present statistics on rogue security software, a.k.a. &#8220;scareware.&#8221;</p>
<p>Most interesting to me, however, is the discussion of home vs. enterprise threats that starts at the bottom of page 66 (PDF page 90). By separating the data from its MSRT software into domain-joined vs. non-domain-joined computers, Microsoft is able to present a view of the differences between the home and the enterprise.  What is most interesting is that in the enterprise, the top threat category (approximately one-third of all threats) is worm-related.  On the home side, the top category (approximately one-third of all threats) is adware.  I sort of expected adware/spyware to be at the top of the list for home users, but based on data we gather from our enterprise network security monitoring (NSM) customers, I expected the same to hold true for the corporate world.</p>
<p>So what does this mean for enterprise NSM?  I don&#8217;t know for sure.  My first guess is that traditional network-based IDS is not as good at detecting worm traffic once it gets on the inside of the network, whereas it is quite a bit easier to detect adware/spyware that is going out to the Internet to retrieve advertisements (or transmit browsing histories).  Almost all of our customers place TRUE&#8217;s NSM devices at the Internet&lt;-&gt;internal boundary, so perhaps my expectations are an artifact of that placement.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/10/13/more-insights-from-the-msir/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Interesting Insights from the Latest MSIR</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/#comments</comments>
		<pubDate>Wed, 12 Oct 2011 18:08:24 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Monitoring]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Awareness & Training]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=786</guid>
		<description><![CDATA[The latest Microsoft Security Intelligence Report (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data.  Several of the results confirm what those of us in the network security monitoring community already know: Java is the &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The latest <a title="Microsoft Security Intelligence Report Website" href="http://www.microsoft.com/security/sir/default.aspx" target="_blank">Microsoft Security Intelligence Report</a> (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data.  Several of the results confirm what those of us in the network security monitoring community already know: Java is the most often exploited application (page xvii), Adobe Acrobat exploits account for most malicious documents (page xviii), and Adware is the most common type of malware identified (page xx).  Microsoft also stated that over a third of malware detected could spread via the AutoRun feature on removable media or on network shares.  Updates exist that help make the AutoRun feature in XP and Vista more like the one in Windows 7, which is to say more secure.  Deploy those updates.<span id="more-786"></span></p>
<p>Some of the more interesting information reported:</p>
<ul>
<li>What is not getting exploited as often as I would have suspected &#8211; Adobe Flash and Microsoft Office.  Even though two Flash vulnerabilities identified in the first half of 2011 led to an increase in exploits against Flash, Flash is getting exploited <em>7 times less often</em> than Java!</li>
<li>For the last four quarters (Q3 2010 through Q2 2011) the detection of trojan and backdoor malware has experienced a consistent slight downward trend.  An explanation could be the coordinated take down of several large botnets in the past year.  Microsoft has been involved in those take downs, so a shout of thanks goes to them!</li>
<li>Another unexpected result: phishing attacks against social networks accounted for slightly less than half of all phishing attempts, while attacks against financial institutions accounted for slightly more than one-third of phishing attempts.  In April, Microsoft&#8217;s data indicated that 84% of all phishing attempts were against social networks.</li>
</ul>
<p>So, what does this mean for security professionals in the corporate world?  Well, it&#8217;s nothing new really: protect the clients just as you would the servers.  Patching the OS is no longer enough.  You must patch applications regularly too &#8211; most importantly, Java, Acrobat, and Flash.   Disable AutoRun, if possible, but at a minimum deploy the updates from Microsoft for XP and Vista that make them more secure.  And, finally, warn your users about phishing attacks and discourage using the same password for personal social networking and financial websites as they use for their corporate login(s).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/10/12/interesting-insights-from-the-latest-microsoft-security-intelligence-report/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>BEAST: It&#8217;s What&#8217;s for Dinner</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/09/29/beast-its-whats-for-dinner/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/09/29/beast-its-whats-for-dinner/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 13:05:22 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cyber attack]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=741</guid>
		<description><![CDATA[For the past week, BEAST has been the talk of the InfoSec community.  BEAST stands for &#8220;Browser Exploit Against SSL/TLS&#8221; and is a new way to execute an attack against CBC mode encryption algorithms.  The attack has been theorized for quite some time (2006 seems to be about the time it became known), but until &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/09/29/beast-its-whats-for-dinner/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>For the past week, <a title="RAR of the BEAST paper and Java application" href="http://www.insecure.cl/Beast-SSL.rar" target="_blank">BEAST</a> has been the <a title="The Register article on BEAST" href="http://www.theregister.co.uk/2011/09/27/beast_attacks_paypay/" target="_blank">talk</a> of the <a title="Internet Storm Center diary entry on BEAST" href="http://isc.sans.edu/diary.html?storyid=11635" target="_blank">InfoSec community</a>.  BEAST stands for &#8220;Browser Exploit Against SSL/TLS&#8221; and is the first practical, browser-driven version of a chosen-plaintext attack on the CBC-mode cipher suites of SSL 3.0 and TLS 1.0.  Those protocol versions chain records together: the IV for each record is the last ciphertext block of the previous record, so anyone watching the wire knows the IV before the next record is encrypted, and an attacker who can also get chosen bytes into the session can test guesses about an earlier plaintext block one block at a time.  The weakness has been known for years (Gregory Bard&#8217;s 2006 paper is the usual citation), but until BEAST nobody had a practical way to mount it from a browser, and even with BEAST the attack is still difficult to execute.<span id="more-741"></span></p>
<p>To execute a BEAST attack you need two things at once.  First, a position on the network from which you can read the victim&#8217;s encrypted traffic; that is the &#8220;man-in-the-middle&#8221; (MitM) part, although passive sniffing of the path between the browser and the web server is enough for this half.  Second, code running in the victim&#8217;s browser (the published demo used a Java applet) that can make the browser send attacker-chosen bytes inside the same TLS session that carries the cookie you are after.  Simplified, that means the attacker must be able to see the traffic between a target user&#8217;s browser and the web server, and make that browser talk to the server on the attacker&#8217;s behalf.</p>
<p>The truth is, if you can get into the path of someone&#8217;s traffic, you have easier options than BEAST: answer their DNS queries yourself and steer them to a look-alike site, for instance.  A savvy user may notice the wrong hostname or a certificate warning.  The other 90% of users are going to be blissfully unaware.</p>
<p>So why all the hubbub?  Because there is no easy way to fix this vulnerability.  Google has shipped a workaround in Chrome (the first byte of every application-data write is sent as its own record, so an attacker never gets a full block of chosen plaintext lined up against the predictable IV) that should make BEAST impractical against a Chrome user, and Mozilla is working on a fix for its browsers.  You can bet Microsoft is working on it, too, but there is no simple fix.  TLSv1.1 and later aren&#8217;t vulnerable to this attack because they send a fresh, explicit IV with every record instead of chaining records together, but even though those protocols have been around for half a decade now, they are sparsely deployed.  Of the major browser vendors, I believe Microsoft is the only one that even offers the option of enabling those protocols, and that&#8217;s only as of Internet Explorer 9.0.  Fat lot of good it does IE9 users though &#8211; almost no web server on the planet supports TLSv1.1 or higher.  Why?  Because almost none of the browsers support it.  Chicken, meet egg.</p>
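<p>To make the chained-IV point concrete, here is an added example (not part of the original post, and not the BEAST authors&#8217; code): a simulation of both record layers in Python.  Everything in it is an assumption for illustration: a toy 16-byte block cipher stands in for AES, the MAC and padding are left out, the victim&#8217;s request is modelled as an attacker-chosen prefix followed by a made-up cookie, and the attacker&#8217;s injected records stand in for the browser-side code.  Against the TLS 1.0 session the attacker recovers the cookie one byte at a time; against the TLS 1.1 session the same code gets nowhere, because the IV it tries to cancel is never the one the record layer actually uses.</p>

```python
import hashlib
import hmac
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    """Toy 16-byte keyed permutation (4-round Feistel over HMAC-SHA256) standing in
    for AES so this runs on the standard library alone; the attack only needs *some*
    block cipher used in CBC mode."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class CbcSession:
    """One direction of a record layer. explicit_iv=False models SSL 3.0/TLS 1.0
    (the IV of each record is the last ciphertext block of the previous one);
    explicit_iv=True models TLS 1.1+ (a fresh random IV is sent with each record).
    MAC and padding are omitted; plaintext must be block-aligned."""

    def __init__(self, key, explicit_iv):
        self.key = key
        self.explicit_iv = explicit_iv
        self.chain = os.urandom(BLOCK)  # TLS 1.0 initial IV: from the key block, never on the wire

    def send(self, plaintext):
        assert len(plaintext) % BLOCK == 0
        iv = os.urandom(BLOCK) if self.explicit_iv else self.chain
        prev, out = iv, b""
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(prev, plaintext[i:i + BLOCK]))
            out += prev
        self.chain = prev
        return (iv + out) if self.explicit_iv else out  # the record as a sniffer sees it

def make_victim(session, secret):
    """The victim's browser: an attacker-controlled prefix (the URL path in BEAST)
    followed by the secret cookie, sent over the session being sniffed."""
    def victim_request(prefix):
        body = prefix + secret
        body += b" " * (-len(body) % BLOCK)  # rest of the request, block-aligned
        return session.send(body)
    return victim_request

def beast_recover(victim_request, inject, secret_len, explicit_iv=False):
    """Blockwise chosen-plaintext attack. The attacker sees every record, can make
    the victim send requests with a chosen prefix length, and can inject a chosen
    16-byte record into the same session (the browser-side code in BEAST).
    Returns the bytes recovered; stops at the first byte it cannot confirm."""
    ivl = BLOCK if explicit_iv else 0
    # Prime the chain so the attacker has seen the block that becomes the next IV.
    last_seen = inject(b"\x00" * BLOCK)[-BLOCK:]
    known = b""
    for k in range(secret_len):
        pad = BLOCK - 1 - (k % BLOCK)  # lands secret byte k at the end of a block
        prefix = b"A" * pad
        rec = victim_request(prefix)
        blocks = rec[ivl:]
        idx = (pad + k) // BLOCK  # the block whose last byte is still unknown
        if idx == 0:
            prev = rec[:BLOCK] if explicit_iv else last_seen
        else:
            prev = blocks[(idx - 1) * BLOCK:idx * BLOCK]
        target = blocks[idx * BLOCK:(idx + 1) * BLOCK]
        last_seen = rec[-BLOCK:]
        known15 = (prefix + known)[idx * BLOCK:idx * BLOCK + BLOCK - 1]
        found = None
        for g in range(256):
            guess = known15 + bytes([g])
            # Predicted IV of the injected record is last_seen; XOR it away so the cipher
            # input is prev XOR guess, which reproduces `target` exactly when guess is right.
            rec2 = inject(xor(xor(last_seen, prev), guess))
            last_seen = rec2[-BLOCK:]
            if rec2[ivl:ivl + BLOCK] == target:
                found = g
                break
        if found is None:
            return known  # IV prediction failed (explicit IVs): the attack goes nowhere
        known += bytes([found])
    return known

def demo(explicit_iv):
    """Returns (cookie fully recovered?, bytes recovered) for one session type."""
    secret = b"session=7f3a9c0d2e1b"  # constructed sample cookie
    session = CbcSession(os.urandom(16), explicit_iv)
    got = beast_recover(make_victim(session, secret), session.send, len(secret), explicit_iv)
    return got == secret, got

if __name__ == "__main__":
    print("TLS 1.0, chained IVs:  ", demo(explicit_iv=False))
    print("TLS 1.1, explicit IVs: ", demo(explicit_iv=True))
```

<p>Run it directly to print both outcomes.  The byte-at-a-time trick is the one BEAST relies on: the prefix length is chosen so that the next unknown cookie byte lands at the end of a block whose other fifteen bytes are already known, which turns a search over a whole block into at most 256 guesses per byte.  With explicit per-record IVs the attacker&#8217;s prediction of the IV is wrong every time, so no guess ever matches and the loop gives up on the first byte.</p>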
<p>If you&#8217;re paranoid, consider not connecting to untrusted wireless networks. (If you&#8217;re that paranoid, you probably don&#8217;t connect to wireless networks anyway.) Open or untrusted wireless is the easiest place for an attacker to get into the path of your traffic, though far from the only one.</p>
<p>Personally, I&#8217;m not too worried about it (yet).  By the time this attack becomes widespread (if ever), I expect the remaining browser vendors will have released updates to make it much harder to execute.  Maybe this will finally spur the adoption of the newer TLS protocols, though, and give the PCI SSC something else to ban from the Internet&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/09/29/beast-its-whats-for-dinner/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT GRC, The Story &#8211; How do you do it? &#8211; Part 2</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/09/08/it-grc-the-story-how-do-you-do-it-part-2/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/09/08/it-grc-the-story-how-do-you-do-it-part-2/#comments</comments>
		<pubDate>Thu, 08 Sep 2011 13:08:01 +0000</pubDate>
		<dc:creator>Tommy Thompson</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[IT GRC]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[IT GRC Platform]]></category>
		<category><![CDATA[IT GRC Program]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=564</guid>
		<description><![CDATA[I was recently discussing IT GRC program implementation with the CIO of a growing, mid-sized software company when he presented the question, “But HOW do you do it?  I mean, how do you get employees to follow the rules in a GRC program?”  The following is the second part to my response to his question… &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/09/08/it-grc-the-story-how-do-you-do-it-part-2/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I was recently discussing IT GRC program implementation with the CIO of a growing, mid-sized software company when he presented the question, “But HOW do you do it?  I mean, how do you get employees to follow the rules in a GRC program?”  The following is the second part of my response to his question…<span id="more-564"></span></p>
<p>&#8230;After the matrix team is established, a series of environmental assessments and gap analyses relating to risk, controls, policy and procedures, etc. begins.  Process and control owners get involved in updating and/or creating necessary key control processes in the form of process maps, risk matrices, control and risk standardization and integration, test plan development, etc.  Around this time we also recommend that businesses begin working on procuring a system of record that is going to house it all.</p>
<p>Once the control environment begins to take shape, the Compliance and Awareness Training Phase &#8211; another critical element of the program – is developed.  This step is probably one of the most critical success factors of the entire implementation because it allows management to communicate the IT GRC vision, while allowing process and control owners to train and delegate that vision to their teams.</p>
<p>As a result of this training, the matrix organization understands compliance initiatives will be measured using a series of self-assessments, with results reported to Executive Management, the Board of Directors, Audit Committees, etc.  Conversations about controls and applications not operating effectively, test failures, significant deficiencies, etc. will create immediate incentive in the minds of the process owners to ensure their teams begin “following the new rules.”</p>
<p>Self-assessment testing should be followed by training and awareness sessions that report the results to the matrix organization.  Rewards and public recognition for successful testing creates incentive to keep doing it, which naturally stabilizes the control environment with sustainable operational effectiveness.  Public embarrassment (for lack of a better term) creates immediate incentive for remediation to occur in areas that are operating ineffectively, and the environment again begins to naturally stabilize.</p>
<p>Following this framework, we have seen clients go from hundreds of deficiencies and multiple ineffective applications to no deficiencies, no ineffective applications, and only a few exceptions noted (which is an acceptable risk because you can’t manage to perfection).</p>
<p>True doesn&#8217;t implement the IT GRC Program for you.  We enable you and your teams to be champions for the organization by transferring our knowledge base and expertise directly to you.</p>
<p>After a short pause this CIO responded, “Sweet!” He is now a client.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Tommy Thompson' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/thompson-bw1-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/tdthompson/' title='Tommy Thompson'>Tommy Thompson</a></h3><p>Tommy Thompson is True's Director of Program Development Services, specializing in IT GRC and security program initiatives.  Tommy has implemented successful IT GRC programs from start to finish, gaining valuable experience and lessons learned to develop a proven, proprietary True IT GRC Framework Methodology used to guide clients to IT GRC success.  Tommy has presented at multiple IT conferences, served as a Director of the Product Enhancement Committee for a leading GRC Platform software solution, and has consulted for multiple Fortune 100 and 500 companies.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/09/08/it-grc-the-story-how-do-you-do-it-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI Vulnerability Scanning &#8211; External and Internal Views</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/09/03/pci-vulnerability-scanning-external-internal/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/09/03/pci-vulnerability-scanning-external-internal/#comments</comments>
		<pubDate>Sat, 03 Sep 2011 23:13:00 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[vulnerability management]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=536</guid>
		<description><![CDATA[Vulnerability scanning. Mention those two words, and your IT operations staff usually shudders. Conversely, your IT audit/security staff usually start doing a happy dance (I think those guys are sadists, like Steve Martin in Little Shop of Horrors.) Love it or hate it, vulnerability scanning is required by many compliance regimens. The PCI DSS states &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/09/03/pci-vulnerability-scanning-external-internal/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Vulnerability scanning. Mention those two words, and your IT operations staff usually shudders. Conversely, your IT audit/security staff usually start doing a happy dance (I think those guys are sadists, like <a title="Steve Martin sings 'The Dentist' from 'Little Shop of Horrors'" href="http://www.youtube.com/watch?v=bOtMizMQ6oM" target="_blank">Steve Martin in <em>Little Shop of Horrors</em></a>.) Love it or hate it, vulnerability scanning is required by many compliance regimens. The PCI DSS requires quarterly vulnerability scanning from both an external and an internal perspective. If you follow the letter of the PCI law, that&#8217;s at least eight scans a year. I would like to posit that if you&#8217;re really doing PCI vulnerability scanning correctly, it&#8217;s more like a minimum of 12 scans each year, with 16 being the better number.<span id="more-536"></span></p>
<p>Where do I get that number, you ask? Well, it all depends on where you are scanning from&#8230;</p>
<p>External scanning is pretty straight-forward: you scan from a location outside your public IP space and see what vulnerabilities show up. There are vulnerability scanning services that can do this for you; for PCI, the quarterly external scans must come from an Approved Scanning Vendor (ASV), so choose accordingly. The trick here is to whitelist the scan source IP(s) on any devices that may actively modify or deny traffic, such as intrusion prevention systems, some load balancers, and denial-of-service prevention proxies. If you don&#8217;t, the scan measures how well your IPS blocks scanners, not what an attacker who takes the time to evade it would find on your hosts. PCI DSS 11.2 requires at least quarterly external scans, so that&#8217;s four scans each year.</p>
<p>Internal scanning is a bit more difficult. PCI DSS 11.2 requires at least quarterly internal scans as well, but you very likely have more than one internal network segment. If you have PCI data, I believe you have at least three segments: a DMZ, a CDE (cardholder data environment), and your internal business operations network. So when you scan the CDE, which segment should you scan from, the CDE, the DMZ, or the business network? The answer is: Yes.</p>
<p>If you scan from the CDE, you will see a lot of vulnerabilities that are exploitable only from the CDE network, since you (should) have firewalls in place that severely limit traffic inbound to the CDE. That&#8217;s four scans each year.</p>
<p>If you scan from the DMZ, you may see a lot fewer vulnerabilities, but you&#8217;re probably going to be missing some easy-to-fix stuff in the CDE that should be remediated just in case an attacker does manage to make it inside the CDE. Scanning from the DMZ is another four scans each year.</p>
<p>If you scan the CDE from the business network you will see even fewer vulnerabilities, since you are going through a firewall at both the business-network/DMZ and DMZ/CDE boundaries. But let&#8217;s be honest: your users are your weakest link, and as they go about their merry way during the business day surfing the web (when they should be working), they will visit a few off-color sites (or even legitimate sites that have been hacked) that exploit their browsers, drop some malware on their computers, and give an attacker a foothold on the business network. The business network is where your users live, so it&#8217;s where an attacker&#8217;s first foothold will be, and you need to know what the CDE looks like from there. Four more scans each year.</p>
<p>That puts us at sixteen scans. Maybe you choose to short-change yourself and not scan from the local CDE network, which knocks four scans off the count, but if you&#8217;re already doing 12 scans, is performing four fewer scans really worth not having an accurate picture of the CDE&#8217;s threat landscape? I would say it&#8217;s not.</p>
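<p>As an added example (not from the original post, and not a TRUE tool), here is a small Python script that merges scan results taken from the three internal vantage points and ranks every finding by the most exposed network it is reachable from, which is the order in which you would fix them.  It also flags the case the reasoning above says should never happen: a CDE service that the business network can reach but the DMZ cannot, which means either a firewall rule that bypasses the DMZ or a scanner source that was not whitelisted on that tier.  The finding identifiers, hosts and ports are constructed sample data.</p>

```python
from collections import defaultdict

# Internal vantage points, ordered by how many firewalls sit between the
# scanner and the CDE (0 = scanning from inside the CDE itself).
EXPOSURE = {"cde": 0, "dmz": 1, "business": 2}

# Constructed sample results: (vantage, host, port, finding_id). Hypothetical data.
SAMPLE = [
    ("cde", "10.10.1.5", 1433, "mssql-weak-auth"),
    ("cde", "10.10.1.5", 445, "smb-signing-disabled"),
    ("cde", "10.10.1.9", 22, "ssh-weak-kex"),
    ("dmz", "10.10.1.5", 1433, "mssql-weak-auth"),
    ("business", "10.10.1.5", 1433, "mssql-weak-auth"),
    ("business", "10.10.1.9", 22, "ssh-weak-kex"),  # reachable from business but not from the DMZ
]

def merge(results):
    """Group raw findings as (host, port, finding_id) -> set of vantages that saw it."""
    merged = defaultdict(set)
    for vantage, host, port, fid in results:
        merged[(host, port, fid)].add(vantage)
    return dict(merged)

def rank(results):
    """Findings ordered by the most exposed vantage that can reach them
    (business network first), then by host and port for a stable report."""
    rows = []
    for (host, port, fid), seen in merge(results).items():
        worst = max(seen, key=EXPOSURE.get)
        rows.append((host, port, fid, worst, sorted(seen, key=EXPOSURE.get)))
    rows.sort(key=lambda r: (-EXPOSURE[r[3]], r[0], r[1], r[2]))
    return rows

def segmentation_anomalies(results):
    """If traffic really funnels business -> DMZ -> CDE, anything reachable from a
    more exposed tier must also be reachable from every less exposed tier that
    was scanned. Each violation is (host, port, finding_id, seen_from, missing_from)."""
    scanned = {r[0] for r in results}
    out = []
    for (host, port, fid), seen in sorted(merge(results).items()):
        for v in sorted(seen, key=EXPOSURE.get):
            for u in sorted(scanned, key=EXPOSURE.get):
                if EXPOSURE[u] < EXPOSURE[v] and u not in seen:
                    out.append((host, port, fid, v, u))
    return out

if __name__ == "__main__":
    for host, port, fid, worst, seen in rank(SAMPLE):
        print(f"{worst:>8}  {host}:{port:<5} {fid:<22} seen from {', '.join(seen)}")
    for host, port, fid, v, u in segmentation_anomalies(SAMPLE):
        print(f"CHECK: {host}:{port} {fid} reachable from {v} but not from {u}")
```

<p>Feed it the real output of your three internal scans (one vantage label per scan run) and the anomaly list becomes a cheap consistency check on your segmentation every quarter; a CDE-only finding is the easy-to-fix stuff you would miss by scanning from the DMZ alone, and a business-network finding is the one to fix first.</p>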
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/09/03/pci-vulnerability-scanning-external-internal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>True&#8217;s Executive Roundtable Event Held August 24th</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/08/31/true-digital-securitys-executive-roundtable-event-held-on-the-24th-of-august-2011/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/08/31/true-digital-securitys-executive-roundtable-event-held-on-the-24th-of-august-2011/#comments</comments>
		<pubDate>Wed, 31 Aug 2011 20:47:18 +0000</pubDate>
		<dc:creator>Kayna Kelley</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Events]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Risk managment theories]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[roundtable]]></category>
		<category><![CDATA[True]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=525</guid>
		<description><![CDATA[TRUE&#8217;s latest event brought together a select group of industry thought leaders to discuss various aspects of risk management theories and principles as well as the metrics involved in executive-level decision-making. Attendees benefited through open and candid exchange with peers on how risk impacted the various organizations. Participants conveyed how risk is defined within their &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/08/31/true-digital-securitys-executive-roundtable-event-held-on-the-24th-of-august-2011/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>TRUE&#8217;s latest event brought together a select group of industry thought leaders to discuss various aspects of risk management theories and principles as well as the metrics involved in executive-level decision-making.</p>
<p>Attendees benefited through open and candid exchange with peers on how risk impacted the various organizations. Participants conveyed how risk is defined within their respective companies and discussed quantitative vs. qualitative risk assessments and the concept of company-defined acceptable risk.<span id="more-525"></span></p>
<p><a href="http://www.truedigitalsecurity.com/blog/2011/08/31/true-digital-securitys-executive-roundtable-event-held-on-the-24th-of-august-2011/roundtable/" rel="attachment wp-att-526"><img src="http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/Roundtable-207x300.jpg" alt="True Executive Roundtable Event" title="Roundtable" width="207" height="300" class="alignleft size-medium wp-image-526" /></a>Hosted at Tulsa&#8217;s Summit Club, the exclusive event began with a cocktail hour, followed with dinner and lively discussion.</p>
<p>TRUE intends for the Round Table to be an annual event, a forum that brings together highly respected information security executives from various industries in years to come.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Kayna Kelley' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar_1.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/kkkelley/' title='Kayna Kelley'>Kayna Kelley</a></h3><p>Kayna Kelley is True's Marketing Manager and Technical Writer with responsibilities of managing True's marketing and sales support efforts.  Kayna received her undergraduate and MBA degrees from Oklahoma State University and has rich experience promoting B2B technology companies.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/08/31/true-digital-securitys-executive-roundtable-event-held-on-the-24th-of-august-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

