Risk archives - Security Bytes


Nov 25 2009   12:39PM GMT

Schneier on the hidden cost of poor security



Posted by: Robert Westervelt
risk, Data Breaches and Identity Theft

Sales for certain specialized services depend highly on reputation and trust.

Specialized services depend highly on trust and reputation, says security guru Bruce Schneier, who recently reposted a column he wrote for The Guardian.

Schneier writes about how people should expect specialized IT companies, especially service providers, to have extremely strong security in place - at least a level stronger than their customers. This example can be transferred to a broad spectrum of businesses, Schneier says.

Infrastructures can be spread on a broad continuum, ranging from generic to highly specialized. Power and water are generic; who supplies them doesn’t really matter. Mobile phone services, credit cards, ISPs, and airlines are mostly generic. More specialized infrastructure services are restaurant meals, haircuts, and social networking sites. Highly specialized services include tax preparation for complex businesses; management consulting, legal services, and medical services.

If you are in the bottom half of that list, among the more specialized and highly specialized services, Schneier believes your risk-based business decisions should take into account your reputation and your ability to build and sustain a trust relationship with your customers. That means you had better have strong security in place and guard against a data breach.

Another good example of how a company can take on added risk if the service it offers is fairly generic is TJX. The retailer that was the poster child for a massive data breach just a few years ago is now thriving. It could be said that it is somewhat specialized since it’s a discount retailer, but I submit that most retailers are generic in nature. That would be the reason why the retailer’s reputation, although initially damaged, easily bounced back despite the poor economy. The massive retailer, with a number of different chain stores, has survived with several profitable quarters.

Feb 24 2009   4:30PM GMT

Adobe zero-day threat limited, so don’t panic



Posted by: Robert Westervelt
Adobe, zero-day, risk

The sky is not falling.

Shadowserver Foundation volunteers Steven Adair and Matt Richard sounded the alarm about an Adobe JavaScript zero-day flaw last week. They should be commended for their volunteer work. There’s no doubting the importance of researchers calling out flaws so vendors can quickly fix their products. Adobe responded and will issue a patch by March 11.

Just as some places have a law against shouting “fire” in a crowded theater, those responsible for issuing warnings and protecting customers need to take heed. Those who write about flaws should clearly explain the threat level so readers can assess the risks. Too often the threat is clouded, making risk assessment extremely difficult.

First, there’s a workaround to the Adobe zero-day — disable JavaScript in Adobe Reader. Yes, that’s easier said than done, since it could break critical applications at some businesses.

Second, the threat is minimal — extremely minimal. Security vendors that track these threats are not releasing infection estimates. Hmm. I wonder why? Kevin Haley, director of security response at Symantec, told me the attacks began appearing in the wild in Japan. They have been spreading slowly for several reasons. The attack has been largely unsuccessful. The malicious PDF file is spreading in an email message that can be detected as malicious and filtered out, and the message being sent is detected as spam in most cases. The threat can also spread if a user visits a website hosting a malicious PDF file. This can be mitigated by preventing Internet Explorer from automatically opening PDF files.
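The email filtering mentioned above usually comes down to a heuristic: a PDF that carries JavaScript or an auto-run action is held for review while readers remain unpatched. The following scanner is an added example written for this post, not code from Shadowserver, Symantec or Adobe; the indicator names it looks for and the quarantine policy are assumptions about what a mail gateway would check, and the three sample PDFs are constructed in the script and contain nothing harmful. It goes slightly beyond the post by also resolving PDF name escapes (such as /J#53) and inflating compressed streams, since both are common ways active content is hidden from naive string matching.

```python
"""Heuristic PDF scanner for a mail gateway: flag files that embed JavaScript
or automatic actions.  Added example with constructed sample PDFs; the
indicator list and the hold policy are assumptions, not a vendor's rules."""
import re
import zlib

# PDF name objects that signal active content or an action that runs on open.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
JAVASCRIPT_NAMES = {"/JavaScript", "/JS"}

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Resolve PDF name escapes (/J#53 -> /JS) so an obfuscated name is
    matched the way a conforming reader would actually parse it."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the decompressed body of every stream that inflates
    cleanly; a Flate-encoded object stream can hide the real dictionary."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded or damaged; raw bytes are scanned anyway
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Report which indicators appear (in raw bytes, unescaped names and
    inflated streams) and whether the gateway policy would hold the file."""
    result = {"is_pdf": data.startswith(b"%PDF-"), "indicators": [], "quarantine": False}
    if not result["is_pdf"]:
        return result
    text = normalise_names(data) + normalise_names(inflate_streams(data))
    found = set()
    for name in INDICATORS:
        # A name token ends at whitespace or a delimiter, so /JS must not match /JSx.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", text):
            found.add(name.decode())
    result["indicators"] = sorted(found)
    # Policy assumed here: any embedded JavaScript is enough to hold the message.
    result["quarantine"] = bool(found & JAVASCRIPT_NAMES)
    return result


def build_pdf(body_objects: bytes) -> bytes:
    """Wrap constructed objects in a minimal PDF skeleton (header, trailer, EOF)."""
    return b"%PDF-1.4\n" + body_objects + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample 1: an OpenAction that runs a harmless alert, with the
# /JS name escaped as /J#53 the way obfuscated samples often do.
SAMPLE_JS = build_pdf(
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /J#53 (app.alert('hi')) >>\nendobj\n"
)

# Constructed sample 2: the same action dictionary inside a Flate-compressed stream.
_hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hi')) >>")
SAMPLE_HIDDEN = build_pdf(
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(_hidden)
    + _hidden + b"\nendstream\nendobj\n"
)

# Constructed sample 3: an empty document with no active content at all.
SAMPLE_CLEAN = build_pdf(
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
)

if __name__ == "__main__":
    for label, blob in (("escaped", SAMPLE_JS), ("compressed", SAMPLE_HIDDEN),
                        ("clean", SAMPLE_CLEAN), ("not a pdf", b"MZ\x90\x00")):
        print(label, scan_pdf(blob))
```

The verdict is a heuristic, not a malware signature: plenty of legitimate forms use JavaScript, which is exactly why the post notes that disabling it can break applications. A gateway using this check would typically hold the message for review or strip the attachment rather than reject it outright.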

If your firm can’t handle the increased risk, Sourcefire released a homebrew patch for Adobe Reader 9 users. There’s no guarantee the patch will block an attack. But if your users are using common sense and opening PDF files only from trusted sources, and other protections are in place, the risk of infection should be minimal until Adobe issues an update plugging the hole.

There’s no doubt the risk level increases over time as new variants exploiting the flaw show up in the wild.

Is this a good time to mention Foxit Reader or other alternative PDF readers?

UPDATE: Danish vulnerability clearinghouse Secunia says disabling JavaScript will not prevent exploitation:
Over the last couple of days, we have seen many sources recommend users to disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it does not protect against the actual vulnerability.