The latest Microsoft Security Intelligence Report (Volume 11) has been released and contains some interesting information that Microsoft has collected from the execution of its Malicious Software Removal Tool (MSRT) and Internet Explorer SmartScreen® data. Several of the results confirm what those of us in the network security monitoring community already know: Java is the most often exploited application (page xvii), Adobe Acrobat exploits account for most malicious documents (page xviii), and Adware is the most common type of malware identified (page xx). Microsoft also stated that over a third of malware detected could spread via the AutoRun feature on removable media or on network shares. Updates exist that help make the AutoRun feature in XP and Vista more like the one in Windows 7, which is to say more secure. Deploy those updates.
For the past week, BEAST has been the talk of the InfoSec community. BEAST stands for “Browser Exploit Against SSL/TLS” and is a new way to execute an attack against CBC mode encryption algorithms. The attack has been theorized for quite some time (2006 seems to be about the time it became known), but until BEAST, an attacker had no practical way to execute the attack, and even with BEAST, the attack against CBC is still difficult to execute.
I was recently discussing IT GRC program implementation with the CIO of a growing, mid-sized software company when he presented the question, “But HOW do you do it? I mean, how do you get employees to follow the rules in a GRC program?” The following is the second part to my response to his question…
Vulnerability scanning. Mention those two words, and your IT operations staff usually shudders. Conversely, your IT audit/security staff usually start doing a happy dance (I think those guys are sadists, like Steve Martin in Little Shop of Horrors.) Love it or hate it, vulnerability scanning is required by many compliance regimens. The PCI DSS states that you have to perform vulnerability scanning quarterly, and from both an external and internal perspective. If you follow the letter of the PCI law, that’s at least eight scans a year. I would like to posit that if you’re really doing PCI vulnerability scanning correctly, it’s more like a minimum of 12 scans each year, with 16 being the better number.
TRUE’s latest event brought together a select group of industry thought leaders to discuss various aspects of risk management theories and principles as well as the metrics involved in executive-level decision-making.
Attendees benefited through open and candid exchange with peers on how risk impacted the various organizations. Participants conveyed how risk is defined within their respective companies and discussed quantitative vs. qualitative risk assessments and the concept of company-defined acceptable risk.