…and there’s this [jeremiahgrossman.blogspot.com]. The Internets can be a little scary.
If you’re searching for ways to get buy-in or resources for SDLC, vulnerability management, or security testing improvements, this example should help.
With the current downturn in the US economy, cyber crime is increasing at an alarming rate. Let’s face it – data loss can quickly become a public relations nightmare for any business. Solid Core conducted a survey [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted their organization either experienced a compliance control deficiency in the last year or did not know whether it had.
The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, released the 2008 Annual Report on the number of Internet crime complaints received. This report [ic3.gov] was made available on March 31, 2009.
The 2008 Annual Report states that complaints of online crime hit a record high in 2008. The Internet Crime Complaint Center received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The average individual loss was roughly $931.
Now more than ever, it’s extremely critical for everyone to do their part and be vigilant when it comes to network and enterprise security. Still, with the recent gains in the stock market, I’m hopeful this trend will become more positive.
You know it’s a bad week when circumstances warrant two Security Advisory posts. There is a zero-day vulnerability making the rounds that affects Adobe Acrobat and Acrobat Reader version 9. The exploit arrives in a PDF file and abuses Acrobat’s ability to run JavaScript embedded in PDF files. The vulnerability can be completely mitigated by disabling the execution of JavaScript in PDF files (PDFs that actually need JavaScript are very rare, anyway).
Unfortunately, there is no easy way to effect this Acrobat configuration change across all of your corporate PCs at once. It does make me wish that Adobe provided an Active Directory Group Policy plug-in to enforce certain configuration settings on a domain-wide basis.
Suggestions:
By far the quickest, easiest and likely (at this point) most-effective action you can take is to notify your users via e-mail as I describe in suggestion #2.
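One way to audit, and optionally enforce, the “disable JavaScript in Reader” mitigation from a domain logon script, as an added example that is not part of the original advisory. It assumes (based on Adobe’s documented preference layout, not on anything in the post) that Reader 9 keeps the per-user setting as the DWORD `bEnableJS` under `HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs`, where 0 means disabled; the function and parameter names are the example’s own.

```powershell
# Added example (not the original post's code): report whether Adobe Reader 9
# JavaScript is disabled for the current user, and set it when run with -Enforce.
# Assumption: Reader 9 reads the per-user DWORD bEnableJS from the JSPrefs key
# below (0 = JavaScript disabled, 1 or absent = enabled, Reader's default).
param(
    [switch]$Enforce   # without -Enforce the script only reports the state
)

$keyPath   = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'
$valueName = 'bEnableJS'

function Get-ReaderJavaScriptState {
    # Returns one of: key-missing, value-missing, enabled, disabled
    if (-not (Test-Path $keyPath)) { return 'key-missing' }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value-missing' }   # absent value = Reader default (enabled)
    if ($item.$valueName -eq 0) { return 'disabled' }
    return 'enabled'
}

function Disable-ReaderJavaScript {
    # Creates the key if Reader has not written it yet, then sets bEnableJS = 0
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
}

$state = Get-ReaderJavaScriptState
# One line per user/machine so the output can be collected from a logon script
Write-Output "$env:COMPUTERNAME\$env:USERNAME Reader 9 JavaScript: $state"

if ($Enforce -and $state -ne 'disabled') {
    Disable-ReaderJavaScript
    Write-Output "$env:COMPUTERNAME\$env:USERNAME set $valueName=0 (JavaScript disabled)"
}
```

Because the setting lives under HKCU, the script has to run in each user’s session (for example as a logon script), which is exactly the gap a Group Policy template would close.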
Microsoft recently released a patch for security issue MS09-002, a vulnerability in Internet Explorer 7 that allows remote code execution. There is now an exploit in the wild for this vulnerability. The current version of this exploit steals personal data and exfiltrates it to a remote site. I would expect that RBN and botnet infection vectors would also appear in short order.
If you are one of our NSM customers, please be assured that our NSM processes will be looking for this exploit code and we will be alerting you as necessary; however, this is a new exploit and is likely to change quickly as different malicious entities obtain the exploit code and change it to fit their nefarious needs. As such, it will be difficult to detect all versions of the exploit for several days.
I want to encourage you to ensure that all workstations on your corporate network are patched against this vulnerability, if at all possible. This occasion is an excellent reminder that it is always a good idea to update workstations (not servers) within one or two days of Microsoft’s Patch Tuesday security releases.
If you have no method of pushing patches to machines, I would encourage you to send an e-mail to your users reminding them to refrain from visiting non-business-related websites as much as possible to reduce the risk of infection by this (and other) exploits.
The patch for MS09-002 is available via Windows Update and/or Windows Software Update Services (WSUS) if your organization distributes patches internally.
The Internet security community is abuzz with rumors of an attack against the TCP protocol that can DoS almost all (if not all) machines. The attack is against the TCP state machine. Details are very sketchy, but the rumors suggest that an extremely low-bandwidth attack could effectively kill a machine to the point that it must be rebooted before it can communicate on the network again.
Adding to the hype is the claim that almost all machines running TCP can be attacked, regardless of the vendor. Windows, Linux, Mac, Solaris, all manner of embedded devices, etc., are all supposedly vulnerable.
It seems like a “vulnerability” like this (that is, one that will completely cripple the Internet) is announced once a year. A few details [t2.fi] are released to the media that make the vulnerability sound really scary in an effort to hype the conference where the full details are going to be discussed (which, in this case, is “T2 ’08” in Helsinki, Finland).
Call me a skeptic, but these usually turn out to be false. The salacious details released to the media are mere propaganda items to increase interest. This particular vulnerability will probably turn out to be a non-issue except on your local network, which should be a (relatively) trustworthy area, anyway.
To sum it up: don’t go jumping out of a window yet.
The Office of Management and Budget (OMB) has issued a memo directing all federal agencies to implement the DNSSEC (see, among others, RFC 4035) extension by January 2009. Assuming all agencies follow this memo and implement it on all of their public-facing DNS servers, this could finally be the long awaited start to securing the last major flaw in the Internet infrastructure–name resolution.
Unfortunately, the benefits of DNSSEC are still many years in the future, even if the above change happens quickly. Why? Because the name resolution chain starts and ends with your operating system, and the next link in the chain from either end is your ISP’s DNS servers. Neither is likely to support DNSSEC today. The user can’t verify the authenticity of a DNS response if the entire resolver chain doesn’t support DNSSEC.
ISPs are unlikely to implement DNSSEC on their servers until end-user OSes support it, and end-user OSes are unlikely to support DNSSEC until ISP DNS servers do. Chicken, meet Egg. It might be reasonable to expect the default Linux resolvers to support DNSSEC soon, but Linux is a small part of the end-user market. Don’t expect Windows to support it very soon, either.
And so the Internet techies yawn…
The Verizon Business RISK Team released a very interesting study early in June with detailed results and analysis from more than 500 forensic investigations it conducted over a four-year period (2004 to 2007). It claims that this study represents one-fourth of all publicly disclosed data breaches in that time frame. The report is chock full of statistics and percentages. The study examines the age-old question of IT risk-management: who is the largest threat source, insiders or outsiders?
The study weighs the impact of breaches (number of data records compromised) along with the frequency of threat source causing the breach. It also adds a third threat source to the mix: business partners, a sort of blended insider/outsider. One of the interesting results is that, using the classic risk equation (risk = likelihood * impact), business partners represent the greatest threat, followed closely by insiders.
The paper presents statistics but makes no blanket conclusions on what to do about the problems, instead leaving that up to the individual organization (as it should). Everyone knows that monitoring the insider threat is difficult and time-consuming. It is somewhat easier to monitor business partners since they (should) have limited access via well-defined conduits. Given the results of this study, monitoring business partner interaction with corporate network data sources may become the new fad in IT risk-management.
With yesterday’s introduction [reuters.com] of Google Health, we can now add personal health records and related information to the types of data Google is storing. This service includes connections to pharmacies, like Walgreen Co. and CVS Caremark, and other health groups. It will “allow patients to schedule appointments, refill prescriptions, receive diagnostic results online, and instantly add their doctors’ email addresses to a list of contacts.”
This service sounds very useful and is likely to be used by many people. My concern is that as the diversity and sensitivity of data Google is storing increases, so does its attractiveness as a target for those with malicious intent. According to Marissa Mayer, Google’s vice president for search services and user experience, the service involves an additional layer of security and the data is stored separately from Google’s other data. Mayer stated that, “We certainly have put in place the foremost privacy policy [google.com] that we could construct.” We all hope so!
Brian Granier with the Internet Storm Center [sans.org] compiled some interesting security findings [sans.org] from feedback sent by people working for and with Small to Medium Businesses. I have combined his analysis with some of my own in the pros and cons of each finding.
1. All-in-one security products increasingly available at SMB prices
Pros: security needs are being addressed
Cons: over-emphasis on perimeter security; false sense of security provided by a device that is turned on and “left to do its job”
2. Commonly no full-time IT staff
Pros: IT and security needs can be outsourced to specialized companies (this can also be a ‘con’ if not managed well)
Cons: IT and security needs are addressed in a reactionary manner
3. Some cases of successful security integration, mostly motivated by external business pressures (i.e., regulations, customer demands)
Pros: security needs are being addressed, increasing understanding and support from management for security
Cons: implementing security strictly to meet regulatory demands can often lead to tunnel vision – addressing only what is regulated while potentially ignoring higher security risks
4. SMBs often ignore the insider threat
Pros: employee privacy, sense of trust
Cons: insiders are more likely to cause security incidents, and outsiders are often just one step away [truedigitalsecurity.com] from being an insider