Security Bytes

March 30, 2009  8:23 PM

CISOs seek frugal ways to secure systems

Robert Westervelt

It is budget-cutting time. Companies in all industries are looking for ways to save money in a down economy. Security analysts say companies are slowing ongoing projects and delaying others, signaling the acceptance of more risk.

Security pros who attended the two-day SecureWorld Expo on March 25-26 in Boston learned about a number of ways to keep sensitive systems locked down while trimming their already tightening budgets.

Candy Alexander, CISO at Long Term Care Partners LLC, urged attendees of her session, “Security compliance program on a shoe string budget,” to develop a framework using the guidelines outlined by NIST. Alexander said NIST would be a cheaper source than the ISO standard. Although the benefits of ISO over NIST, or vice versa, are debatable, ISO is also not a widely adopted standard in the U.S., she said.

While much of the information doled out during the 45-minute presentation was basic, it certainly could serve as a starting point for security pros looking for ways to keep systems secure despite a tightening budget. The most important piece of the talk: Know your data. Know where it is. Know how it flows through your systems. It’s so simple, yet time after time I hear that many data breaches happen because an attacker found a hole in a database that IT didn’t even know existed.

A friend who works for a major university in Massachusetts told me that in the first few weeks on the job he followed the basic steps of identifying the most sensitive information, where it was and how well it was protected. During the process he found a database containing thousands of credit card transactions in a small office off one of the university’s dining facilities. It had been there for years. Few knew it was there and those that did — dining facility staff with little technical expertise — didn’t realize the data residing on it was so sensitive.
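The "know where your data is" step above is usually a discovery exercise: walk exports, spreadsheets and small databases and flag anything that looks like cardholder data. The following is an added example of one way to do that first pass, not a tool described on this page or by the speakers; the sample records are constructed, and the card numbers in them are industry test numbers, not real accounts. It pairs a loose digit-pattern match with the Luhn check so that order numbers and other digit runs are not reported as card numbers.

```python
import re

# Constructed sample records standing in for rows pulled from a spreadsheet
# or a small database found outside the inventory (not real data).
SAMPLE_RECORDS = [
    "2008-11-03,dining-hall,4111111111111111,42.50",
    "2008-11-03,dining-hall,4111-1111-1111-1112,12.00",  # fails the Luhn check
    "2008-11-04,bookstore,5500 0000 0000 0004,99.99",
    "2008-11-04,bookstore,order#12345678901234,5.00",    # 14 digits, not a PAN
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return candidate card numbers in text that also pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_records(records) -> dict:
    """Map record index -> PANs found, for records with at least one hit."""
    findings = {}
    for idx, line in enumerate(records):
        pans = find_pans(line)
        if pans:
            findings[idx] = pans
    return findings


if __name__ == "__main__":
    # Report masked values only; the scanner's output is itself sensitive.
    for idx, pans in scan_records(SAMPLE_RECORDS).items():
        masked = [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans]
        print(f"record {idx}: {masked}")
```

The Luhn filter removes most false positives from phone numbers and order IDs, but a hit still needs a human to confirm it; a scan like this tells you where to look, not whether the store is in scope.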

Having a sound security policy, and enforcing that policy, was another takeaway from the expo. Although it’s another fundamental part of being a security professional, we’ve heard countless times that some organizations have policies they downloaded off a website and rarely refer to them or educate end users about them. Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Mendocino, Calif.-based consultancy, gave the SecureWorld keynote, urging those listening to rethink their security policies. If an organization doesn’t have policies that align with business objectives, then they should be written with that in mind, Wood said.

Wood advised attendees to conduct an annual risk assessment and tie it into the company’s security policies. He said some of the best security programs also create an environment that fosters higher security standards among employees. Management plays a big role, he said.

Finally, an information security officer tag team of Leilani Lauger of Loyola University and Morey Straus of NHHEAF Network Organizations tackled ways CISOs can do their job frugally. Straus said CISOs can consider managed security services and should also take a look at the company’s existing contracts with third-party vendors. Some of them may be able to be renegotiated at a cost savings, he said. Straus said CISOs can also help foster the culture of valuing information security by acting “less as a cop and more like a guide.” Lauger said security pros should also design training programs that are interesting and replace outdated posters and material with fresh content on a regular basis. Send out security messages in multiple forms, not just weekly email messages or security posters, she said.

March 4, 2009  8:33 PM

Cisco’s email services — They hadda’ do it

Neil Roiter

I’ll throw in my nickel’s worth (two cents just isn’t worth anything) on Cisco’s announcement that its IronPort email security — long available in a series of top-shelf appliances — would be offered as a managed service.

This was a necessary, even defensive move for Cisco, when you look at it from a market perspective. Email security as a service, which has been very popular among SMBs, is getting more traction among enterprises as they look at which tasks they can offload comfortably without violating or changing security policy.

The hybrid approach may be particularly appealing to enterprises. It’s one of three delivery models, along with a hosted model in which the appliance is managed in a Cisco data center and a managed service in which Cisco manages boxes on the customer’s premises. The hybrid approach takes the chore of managing inbound filtering off the enterprise’s shoulders while allowing the customer to keep control over outbound data for DLP and encryption. It’s relinquishing that outbound piece that often makes enterprise security managers’ blood run cold.

SaaS, on the other hand, does more than take over the administrative chores and the care and feeding of more boxes on your network. The pay-as-you-go model lets you treat email security as an expense. Laid off 1,000 people? Ratchet down. Good times coming? Ratchet back up. Consider whether your email security vendor can offer that kind of flexibility, or comparable value, if you are looking to move to some services model.

Cisco isn’t offering any new security capabilities, but to my way of thinking, if I were a vendor (thanks, but no, I prefer poverty) I’d want to tell my customers they can get the same level of security whether they buy appliances or contract for services — and IronPort appliances are considered first-rate.

So, Cisco had to start offering their email security as a service. Symantec acquired a full-blown leading SaaS vendor in MessageLabs, in addition to its own appliance and software options. Symantec already offers a stronger DLP combo than Cisco, through its acquisition of Vontu, but IronPort offers more formidable Web security.

McAfee, another big security competitor, applied considerable pressure when it bought rival Secure Computing, which in turn had gotten into the email security business by acquiring CipherTrust. Secure Computing also offered a hosted service option and a mix and match of hybrid combinations (the major appliance vendors also offer virtual appliances, which Symantec says may already account for as much as 20% of its appliance business).

Proofpoint, one of the increasingly rare major independent pure-play email security vendors, offers both appliances and hosted services.

This is getting down to the nitty-gritty. The email security market is pretty well consolidated, both on products and service-based options. SaaS vendors like Google and Symantec’s MessageLabs are gobbling up SMB contracts. At the high and mid-high ends of the market, in particular, competitors are going to have to offer a mix of very robust options at attractive prices.

February 26, 2009  11:30 PM

Data walks out the door, but what do you really care about?

Neil Roiter

There were only two of us on the graveyard shift.

“If it’s not locked up,” a colleague at my first newspaper declared as he snatched a folder of papers from our boss’ desk and strode towards the office copying machine, “Xerox it.”  (Old-tongue for photocopy.)

That was long before CDs and USB drives and, certainly, iPods, but the lesson was the same. If you are stupid about protecting company information, shame on you.

I guess that’s the message behind the “revelation” released in a survey this week that the majority of people who leave their jobs, voluntarily or otherwise, are taking company information with them.

Lots of it.

My reaction was the same as when I watched my fellow journalist grab and copy whatever it was that had been so carelessly left in the open. I shrugged. (We are by nature an overly curious species, and that overrides our normally dominant ethics gene.)

Data Loss Risks During Downsizing, conducted by the Ponemon Institute and sponsored by Symantec, was apparently designed to test the hypothesis that in this dire economy (ominous music in background), former employees are going to take important company information out the door. And, in fact, the poll of 945 former employees who left their jobs or were dismissed in the last 12 months showed that 59% took company data.

What kind of data? Email lists, non-financial business information and customer information, including contact lists. Not the secret formula for Coke, not the clinical trial reports on a cure for cancer, no insider information on proposed mergers and acquisitions. Not even a few thousand credit card numbers.

Hardly worthy of shock and dismay. This is what a lot of people do when they leave jobs. Are they supposed to? No. Is it wrong? Yeah, but it’s sort of like cheating on taxes. Folks rationalize it in a variety of ways, or it just doesn’t weigh heavily enough on their conscience to set off an internal alarm.

Most of the people who took data — 79% — said it was not permitted. So, the other 21% were either ignorant, their managers said it was OK, or their former employers didn’t make a big enough deal about this sort of thing to make it worth remembering. Let’s face it. If this kind of grayish area thievery were really important, every single employee with a desk, a computer and a file cabinet would be escorted out of the building by security when they were laid off, fired or gave two weeks notice.

The report, perhaps, should have emphasized the smaller but more important numbers, which show that some of these former employees did take financial information, did take source code, or did take intellectual property. That’s the stuff that gives management chills. Those numbers are much smaller than the 59% who admit taking some sort of information they shouldn’t or the 65% of those who took email lists. But those smaller numbers represent the kind of information leaks that can do serious harm to a business.

The real crime — and this is where the report excels — is that the overwhelming majority of the companies these people left didn’t even try to check what kind of information was about to walk out. Only 15% of the companies performed any sort of audit or review of what information the former employees were removing, and even these reviews were, in many cases, characterized as incomplete or even superficial.

So, the message employees take away is the same as it was in that cramped, dank newsroom, many years ago in the dead of night: “If it’s not locked up, Xerox it.”

February 24, 2009  4:30 PM

Adobe zero-day threat limited, so don’t panic

Robert Westervelt

The sky is not falling.

Shadowserver Foundation volunteers Steven Adair and Matt Richard sounded the alarm last week about a zero-day flaw in Adobe Reader and Acrobat. They should be commended for their volunteer work. There’s no doubting the importance of researchers calling out flaws so vendors can quickly fix their products. Adobe responded and will issue a patch by March 11.

Just as some places have a law against shouting “fire” in a crowded theater, those responsible for issuing warnings and protecting customers need to take heed. Those who write about flaws should be clearly explaining the threat level so readers can assess the risks. Too many times the threat is clouded making risk assessment extremely difficult.

First, there’s a workaround to the Adobe zero-day: disable JavaScript in Adobe Reader and Acrobat. Yes, that’s easier said than done, since it could break critical applications at some businesses.

Second, the threat is minimal — extremely minimal. Security vendors that track these threats are not releasing infection estimates. Hmm. I wonder why? Kevin Haley, director of security response at Symantec, told me the attacks began appearing in the wild in Japan. They have been spreading slowly for several reasons. The attack has been largely unsuccessful. The malicious PDF file is spreading in an email message that can be detected as malicious and filtered out, and the message is detected as spam in most cases. The threat can also spread if a user visits a website hosting a malicious PDF file; that can be mitigated by preventing Internet Explorer from automatically opening PDF files.

If your firm can’t handle the increased risk, Sourcefire released an unofficial patch for Adobe Reader 9 users. There’s no guarantee the patch will block an attack. But if your users are using common sense and opening PDF files only from trusted senders, and other protections are in place, the risk of infection should be minimal until Adobe issues an update plugging the hole.

There’s no doubt the risk level will increase over time as new variants exploiting the flaw show up in the wild.

Is this a good time to mention Foxit Reader or other alternative PDF readers?

UPDATE: Danish vulnerability clearinghouse Secunia says disabling JavaScript will not prevent exploitation:

“Over the last couple of days, we have seen many sources recommend that users disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it does not protect against the actual vulnerability.”
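Since the exploits seen so far lean on JavaScript, a first triage question for a suspicious PDF arriving by mail is simply whether it carries script and whether that script runs on open. The following is an added example of such a triage scan, not a tool from Adobe, Shadowserver, Secunia or Sourcefire; the two PDF samples are constructed inline and contain no exploit. It decodes the `#xx` escapes PDF allows inside name objects, because `/Java#53cript` is a common way to hide `/JavaScript` from plain string matching. Per the Secunia note, a clean result only lowers the priority; it does not mean the file cannot reach the underlying flaw.

```python
import re

# PDF name objects: a slash followed by regular characters. "#xx" inside a
# name is a hex escape, which attackers use to hide /JavaScript from naive
# string matching (e.g. /Java#53cript).
NAME_RE = re.compile(rb"/([A-Za-z0-9#._-]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth a look. JavaScript/JS: script present. OpenAction/AA: runs
# without a click. Launch/EmbeddedFile: other ways a PDF can act on the host.
INDICATORS = (b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch", b"EmbeddedFile")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /Java#53cript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_indicators(data: bytes) -> dict:
    """Count indicator names visible in the raw (uncompressed) object text."""
    counts = {name.decode(): 0 for name in INDICATORS}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in INDICATORS:
            counts[name.decode()] += 1
    return counts


def triage(data: bytes) -> str:
    """Rough priority: 'high', 'medium' or 'low'.

    'low' means no indicators were visible, not that the file is safe: names
    inside FlateDecode streams are invisible to this scan, and the Secunia
    note above says the flaw itself is reachable without JavaScript.
    """
    c = pdf_indicators(data)
    script = c["JavaScript"] + c["JS"]
    auto = c["OpenAction"] + c["AA"]
    if script and auto:
        return "high"       # script that runs as soon as the file opens
    if script or auto or c["Launch"] or c["EmbeddedFile"]:
        return "medium"
    return "low"


# Constructed samples (not real malware): one file that runs obfuscated
# JavaScript on open, and one plain file with no actions at all.
SUSPECT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Java#53cript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_PDF), ("plain", PLAIN_PDF)):
        print(label, triage(blob), pdf_indicators(blob))
```

To scan real attachments, read each file in binary mode and pass the bytes to `triage`; inflate any FlateDecode streams first if you want the scan to see names hidden inside them.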

February 3, 2009  9:30 PM

Security-Bytes blog added to IT Knowledge Exchange

Robert Westervelt

The editorial team will continue to post regularly on some of the latest information security issues. Our aim has been to provide news analysis as events unfold. We’ve moved to IT Knowledge Exchange to take advantage of some new blog features as well as the community features IT Knowledge Exchange offers.

To highlight the most popular topics, we’ve added a Tag Cloud rather than a list of bland categories. The Tag Cloud is dynamic, so the more a tag is used, the larger and darker it will appear.

You’ll also notice we’ve integrated more of our related editorial content in the right sidebar. If you’re on a post about a specific topic be sure to browse the links in the right sidebar.

The number of bookmarking tools has increased from four to forty-three. If you enjoy a post, please be sure to share it with friends and colleagues.

Above each post is the SearchSecurity navigation bar. Clicking Home or the logo will bring you to the home page.

At the top of the page you’ll see a row of tabs. You can click the IT Blogs tab to find dozens of technology blogs, both user-generated and TechTarget editorial blogs. You can even request your own blog and start sharing your expertise with your peers.

There is also a tab labeled IT Answers. This is where you can ask your own IT question and have it seen by thousands of IT Knowledge Exchange members. So be sure to pose your own question, browse thousands of answers or help out a fellow IT pro by answering a question.

January 27, 2009  5:51 PM

Microsoft Conficker/Downadup infections still not a major threat

Robert Westervelt

I had an excellent briefing with the folks at TippingPoint about Conficker and they gave me access to their ThreatLinQ, a service that helps TippingPoint IPS customers proactively configure their systems. I’ll be writing about Conficker in a news story tomorrow. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and threats by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.

Security researcher Derek Brown of TippingPoint’s DVLabs explained to me that while Conficker/Downadup has spread to an estimated 10 million machines, it reached its peak on Jan. 10. It’s an interesting worm because it can propagate either by exploiting the Microsoft RPC flaw, patched in October with MS08-067, or by spreading via USB sticks and other removable storage devices.

Ten million infections is a lot of computers, but I repeat what I said in an earlier post: most infections have taken place in countries where it took longer to deploy MS08-067, places where pirated software is rampant and machines are more likely to go unpatched. TippingPoint’s ThreatLinQ data supports this.

Attempts to exploit the Microsoft RPC vulnerability rank No. 5 among all threats globally, according to the TippingPoint data. That is well behind the MS-SQL Slammer/Sapphire worm, which was picked up globally more than 32 million times in TippingPoint’s honeypots and ranks No. 1. Conficker was detected about half a million times, according to the real-time data.

In China, where Symantec ranked Conficker infections the highest, Microsoft RPC attacks ranked ninth, according to the TippingPoint data. In the United States, attacks attempting to exploit the Microsoft flaw didn’t even rank in the top 10.

Conficker is also relatively easy to disinfect using any number of tools including Microsoft’s Malicious Software Removal Tool.

Conficker still fascinates security researchers. It’s got a built-in password cracker. Once it infects a machine, it seeks out other IP addresses to try to continue to spread. It can spread on shared drives. It also relays location information to the author.

Let me be clear: Derek Brown of TippingPoint’s DVLabs did not downplay the worm. The damage the fledgling botnet inflicts is still unknown. Once the attacker delivers a payload to the infected machines, we’ll begin to measure the extent of Conficker’s destruction.

January 21, 2009  5:47 PM

Conficker, Downadup worm hype? Get the facts

Robert Westervelt


Update 1/23: Microsoft has released a blog post explaining everything you need to know about Conficker/Downadup. The bottom line: ensure that MS08-067 is installed on all machines in the environment, use up-to-date antivirus, ensure you have strong passwords for user accounts, and consider disabling AutoPlay.

Security vendors from across the spectrum have warned that a worm has been successfully exploiting a hole in the Microsoft Windows Server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.

The flaw was patched by Microsoft in October. The MS08-067 update closes the hole the worm exploits. Many patching vendors say organizations apparently have been slow to deploy the update.

But that may not be the case. Symantec released data showing which countries have had the highest worm infection rates. North America does not even rank in the top 10 countries infected by the worm. It has spread in countries where software piracy is rampant. Bootlegged versions of Microsoft Windows won’t receive the latest security updates. Is it a coincidence that the highest infection rates are in China, Russia, Argentina, Taiwan and Brazil (in that order)? China and Russia have been at the top of the list of software-pirating countries for years.

So first, don’t panic. If you’re running antivirus and it’s up-to-date, you’re probably fine. Second, ensure that the MS08-067 update has been deployed. If it hasn’t been, deploy it and then do a thorough review of your patch management processes. This patch should have been deployed months ago.

In its latest round of updates, Microsoft security experts addressed the spread of the worm and how people can check to see if their machines are infected. Microsoft advises customers to scan the machine with up-to-date antivirus. The worm also blocks access to a large number of security websites listed by Microsoft.

Also, Microsoft said its Malicious Software Removal Tool completely cleans the registry elements related to the worm.

What’s all the fascination among security researchers about Conficker/Downadup? It’s not necessarily who’s infected, but how they are being infected. As Derek Brown of TippingPoint’s DVLabs points out, the worm is an example of advanced malicious software coding. Conficker/Downadup can self-propagate by guessing a user’s weak password, or it can spread simply by being passed along on someone’s portable storage device. It disables several system services and security products and then signals to its operator that it is ready to download additional instructions.
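Two of the checks above (is MS08-067 installed, and can the machine still reach security vendor sites, which the worm is reported to block) are easy to script. The following is an added example of both, not Microsoft's or TippingPoint's tooling. Assumptions are labeled in the code: the security-site hostnames are illustrative picks rather than the worm's actual block list, and the hotfix listings are constructed stand-ins for the output of `wmic qfe get HotFixID`. The site check takes a resolver function so it can be run against a simulated host offline; by default it uses live DNS.

```python
import re
import socket

# Assumed, illustrative hosts: the worm is reported to block security
# vendor sites, but this is not its list.
SECURITY_HOSTS = ["www.microsoft.com", "www.symantec.com", "www.mcafee.com"]
# Control hosts no security product would block, used to tell "offline"
# apart from "only security sites unreachable".
CONTROL_HOSTS = ["www.example.com"]

# KB958644 is the hotfix number Microsoft assigned to bulletin MS08-067.
MS08_067_KB = "KB958644"


def dns_resolver(host: str) -> bool:
    """Live resolver: True if the name resolves. Swappable for testing."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def check_site_blocking(resolver=dns_resolver, security=SECURITY_HOSTS,
                        control=CONTROL_HOSTS) -> dict:
    """Classify a host by which names it can resolve."""
    sec = {h: resolver(h) for h in security}
    ctl = {h: resolver(h) for h in control}
    if not any(ctl.values()):
        verdict = "no-connectivity"   # nothing resolves; can't conclude anything
    elif not any(sec.values()):
        verdict = "suspicious"        # general DNS works, security sites do not
    elif all(sec.values()):
        verdict = "clean"
    else:
        verdict = "partial"           # mixed result; worth a closer look
    return {"verdict": verdict, "security": sec, "control": ctl}


def ms08_067_installed(hotfix_listing: str) -> bool:
    """Parse a hotfix listing (e.g. from 'wmic qfe get HotFixID') for the KB."""
    installed = set(re.findall(r"\bKB\d+\b", hotfix_listing))
    return MS08_067_KB in installed


# Constructed listings standing in for real command output (KB numbers
# other than KB958644 are filler).
PATCHED_LISTING = "HotFixID\nKB951376\nKB958644\nKB958687\n"
UNPATCHED_LISTING = "HotFixID\nKB951376\nKB958687\n"


def infected_like_resolver(host: str) -> bool:
    """Simulates a machine where lookups of security-vendor names are filtered."""
    return host in CONTROL_HOSTS


if __name__ == "__main__":
    print("live check:", check_site_blocking()["verdict"])
    print("simulated infected host:", check_site_blocking(infected_like_resolver)["verdict"])
    print("MS08-067 present (patched sample):", ms08_067_installed(PATCHED_LISTING))
    print("MS08-067 present (unpatched sample):", ms08_067_installed(UNPATCHED_LISTING))
```

A "suspicious" verdict is a prompt to scan the machine with up-to-date antivirus or the Malicious Software Removal Tool, not a diagnosis on its own; a proxy or web filter can produce the same pattern.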

January 19, 2009  7:56 PM

SANS Log Management Survey is looking for the ROI

Neil Roiter

Good information security requires…good information.

That’s why logs are so important and why so many regulatory and industry directives require companies to not only gather but monitor, read and analyze them.

By the same token, if we’re going to get this log management thing right, we need to share our experiences and pain points with each other and the vendors who want to make their log management products more responsive to our needs, so we, in turn, will keep giving them money.

So, if you have not yet taken the fifth annual SANS Log Management Survey, please take a few minutes. The survey will be up through January. Obviously, the more respondents SANS gets, the more reliable the results. The findings will be released at the SANS WhatWorks Log Management and Analysis Summit, to be held in Washington April 6-7.

The survey has evolved as organizations’ experience with log management has evolved, said Stephen Northcutt, SANS CEO. Compliance is now well established as a driver for developing and improving log management programs and deploying automated tools. In fact, the 2008 report showed that compliance was only the second highest reason for collecting log data, behind detection and analysis of security and performance incidents.

With this year’s survey, SANS wants to emphasize getting full value to leverage log management for security and operations.

“The biggest thing in the survey that’s new and different is looking for the ROI,” Northcutt said. “We’re trying to see what the biz case for this is; the compliance case is established.  Two years you had to go to the CFO and say, look, I need 200,000 bucks.  Here are the findings of the audit report. So, you spent the money and now you’re saying, ‘Gosh, what can I DO with this?'”

January 15, 2009  7:32 PM

Should states lead the charge for secure application development?

Neil Roiter

I’m not a big fan of states’ rights, which made a lot more sense in 1791 than they do today (Why should one state’s misdemeanor be another state’s felony? Why is a gay couple married in one state and unmarried when they drive over the state line?).

My 18-year-old son wonders why I vote Republican and sound so much like a Democrat. I guess it’s because I like standards but don’t like government spending a lot of money on what it thinks will improve people.

I also share Gary McGraw’s skepticism about Top 10 lists (see his column “Software [In]security: Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work”).

So it’s hardly surprising I have mixed feelings about New York state’s plan to use the freshly minted CWE/SANS Top 25 Most Dangerous Programming Errors list as a key requirement in its procurement rules for software developers.

But while we can quibble over the value of this list or that list, what I do like is that it is incorporated as a component of the Application Security Procurement Language, drafted by New York CISO William Pelgrin and posted on the SANS website. The critical point is that if and when the procurement requirement is adopted, developers of custom software will be held accountable. They’ll be required to demonstrate that security is a core element of their application development lifecycle, from coding through final pen testing, if they want to do business with New York.

What gives me pause, though, is that we’re likely to see a cascade of initiatives in many states, a la the breach disclosure laws that followed California SB 1386 and what we will no doubt see in the wake of the new Nevada and Massachusetts data protection laws. I’d rather see federal standards that can be applied across state borders. The states step into the, ahem, breach, because the feds are slow and/or reluctant to act. California enacted 1386 more than five years ago, and something like 42 states, the District of Columbia and Puerto Rico have followed suit, while a variety of bills have been introduced, debated and left to wither in Congress.

Companies doing business with customers in more than one state (that is, almost everyone except Sam’s Hardware over on Sycamore Street, which Sam III runs since Sam, Jr. retired 20 years after he took over from Sam, Sr.) have had to develop policies and procedures that fit the most stringent of these laws, and they’re relatively straightforward.

What happens when we start to see a smorgasbord of data protection laws? (Consider that the Massachusetts law, which is to go into effect in May, is far more demanding than Nevada’s.) And secure software development? Now that’s complex. Will one state adopt the SANS guidelines and another, perhaps, insist on incorporating the secure development lifecycle directive being drafted by NIST? Will one state require developers to expunge the SANS Top 25, another the OWASP Top 10, and yet another an assortment from among the 700 or so errors that can leave code vulnerable?

So, applause to all who try to put teeth into security. Now if only it weren’t like pulling teeth to get everyone pulling together.

January 13, 2009  11:51 AM

Phishing attack uses pop-up message on bank sites

Robert Westervelt

Researchers at security vendor Trusteer have discovered a new phishing method that forces pop-up login messages to appear on legitimate banking websites.

The messages trick users into giving up passwords, account numbers and other sensitive information. Sometimes the messages appear after they have logged into an online banking or other financial website, Trusteer said.

Trusteer issued an advisory on its finding. The technique is called Session Phishing, and it is used after attackers inject malicious code into major browsers.

Trusteer CTO Amit Klein said the method makes phishing attacks more likely to be successful because they try to trick people after they have logged into a legitimate website. Klein said the major browser makers have been notified.

I can see how the phishing attack can easily trick people. Trusteer said the pop-up window sometimes requests the user to retype their username and password because the session has expired. How many times have you had that happen? It sometimes also asks users to complete a customer satisfaction survey or participate in a promotion. I typically stay away from those and so should you.

Two researchers recently wrote a report outlining how phishers are failing to make a ton of money. The report, which we wrote about last week, said there were too many phishers, driving down the price cybercriminals pay for stolen information. There are varying opinions on this report, and some immediately doubt it because it came from Microsoft Research. More on that in another post.
