February 29, 2012 7:09 PM
Posted by: Tony Bradley
Tags: Patch Priority Index
At the RSA Security conference in San Francisco today, nCircle announced a new program: Patch Priority Index™. The free, publicly available Patch Priority Index (PPI) provides an extensively researched list that global IT security teams can use to effectively prioritize the most critical vulnerabilities for immediate remediation. The PPI is updated monthly to provide security teams the quickest, most efficient path to a more secure network.
The nCircle PPI is created by nCircle’s Vulnerability and Exposure Research Team (VERT), a group of highly skilled security research engineers that develop vulnerability and configuration checks for nCircle’s agentless auditing solutions. VERT uses a range of unique sources and reviews a variety of criteria, selecting the most severe issues that can be patched in a given month as candidates for the list. For a vulnerability to be included on the PPI list, it MUST have a patch available. VERT researches each vulnerability and ranks them using the following criteria:
· Attack Vector
· CVSS Score
· Availability of Public Exploit Code
· Popularity of the Service or Software
· Customer Feedback
· Worst-Case Attack Scenarios
· Attack Outcome
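The criteria above are qualitative, and nCircle does not publish how VERT weighs them. The scorer below is an added example, not nCircle's code: it turns the listed criteria into a ranked "patch immediately" list, enforces the rule that only patched issues are eligible, and shows how the result differs from sorting by CVSS alone. The point buckets, weights, `Vuln` fields and the sample records are all assumptions constructed for illustration, and the `VULN-*` identifiers are placeholders rather than real CVEs.

```python
"""Patch-prioritization scorer built around the PPI criteria listed above.

Added example, not nCircle's code: nCircle does not publish its formula, so the
weights, the attack-vector and outcome buckets, and the sample records below are
all assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumed point buckets for the qualitative PPI criteria.
VECTOR_SCORE = {"network": 3.0, "adjacent": 2.0, "local": 1.0, "physical": 0.5}
OUTCOME_SCORE = {
    "code_execution": 3.0,
    "privilege_escalation": 2.0,
    "information_disclosure": 1.0,
    "denial_of_service": 0.5,
}
PUBLIC_EXPLOIT_BONUS = 3.0   # the worst-case scenario stops being theoretical
INSTALL_BASE_WEIGHT = 3.0    # full marks for software present on every host


@dataclass(frozen=True)
class Vuln:
    ident: str            # placeholder id, not a real CVE
    product: str
    cvss: float           # CVSS base score, 0.0-10.0
    attack_vector: str    # key of VECTOR_SCORE
    public_exploit: bool  # working exploit code is public
    install_base: float   # 0.0-1.0, fraction of the fleet running it
    outcome: str          # key of OUTCOME_SCORE (attack outcome)
    patch_available: bool
    customer_weight: float = 1.0  # customer feedback: 1.0 is neutral


def priority_score(v: Vuln) -> float:
    """Higher means patch sooner. CVSS is the base; the other criteria add to it."""
    if not 0.0 <= v.cvss <= 10.0:
        raise ValueError(f"{v.ident}: CVSS {v.cvss} out of range")
    if not 0.0 <= v.install_base <= 1.0:
        raise ValueError(f"{v.ident}: install_base must be a fraction")
    score = v.cvss
    score += VECTOR_SCORE[v.attack_vector]
    score += OUTCOME_SCORE[v.outcome]
    if v.public_exploit:
        score += PUBLIC_EXPLOIT_BONUS
    score += INSTALL_BASE_WEIGHT * v.install_base
    return round(score * v.customer_weight, 2)


def build_index(vulns, limit=10):
    """Ranked 'patch immediately' list. Anything without a patch is dropped,
    as the PPI rule requires: the list is about what can be fixed this month."""
    eligible = [v for v in vulns if v.patch_available]
    ranked = sorted(eligible, key=lambda v: (priority_score(v), v.cvss), reverse=True)
    return [(v.ident, priority_score(v)) for v in ranked[:limit]]


def cvss_only_order(vulns):
    """The naive ranking, for comparison: patched items sorted by CVSS alone."""
    eligible = [v for v in vulns if v.patch_available]
    return [v.ident for v in sorted(eligible, key=lambda v: v.cvss, reverse=True)]


# Constructed sample records (assumptions, not real advisories).
SAMPLE = [
    Vuln("VULN-A", "Flash Player", 9.3, "network", True, 0.90, "code_execution", True),
    Vuln("VULN-B", "Windows kernel", 7.2, "local", False, 0.95, "privilege_escalation", True),
    Vuln("VULN-C", "niche server", 10.0, "network", True, 0.05, "code_execution", False),
    Vuln("VULN-D", "Office", 9.3, "network", False, 0.60, "code_execution", True),
    Vuln("VULN-E", "VPN client", 5.0, "network", True, 0.80, "denial_of_service", True),
]

if __name__ == "__main__":
    for ident, score in build_index(SAMPLE):
        print(f"{ident}: {score}")
    print("CVSS-only order:", cvss_only_order(SAMPLE))
```

Two things the sample shows that a CVSS sort hides: VULN-C has the highest CVSS but no patch, so it does not belong on a patch list at all (it belongs on a mitigation list), and VULN-E, a low-CVSS denial of service with public exploit code on widely deployed software, outranks the higher-CVSS kernel bug that needs local access and has no public exploit.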
“Deploying software patches is a complex process even for smaller organizations,” said Lamar Bailey, director of security research and development for nCircle. “Companies need deep security knowledge to identify and prioritize the software updates that will translate into the greatest security improvements. VERT’s security experts created PPI to give every business access to an up-to-date, prioritized ‘patch immediately’ list that translates directly into a more secure network.”
The nCircle Patch Priority Index will be updated monthly and is publicly available to any IT security professional.
February 28, 2012 10:59 AM
Posted by: Tony Bradley
Tags: Personal Security Inspector, PSI 3.0
Secunia has released a beta of a new version of its Personal Software Inspector (PSI). It promises better detection accuracy and a simpler interface, and it automates more of the work of keeping a PC’s third-party software patched. A Secunia press release explains:
The Secunia Personal Software Inspector (PSI) is a free security scanner aimed at home computer users. The Secunia PSI 3.0 will significantly reduce the number of programs that users need to update manually to stay secure. It automatically detects insecure programs – from all software vendors, not just those from Microsoft – that need updating. The Secunia PSI then downloads the required security updates and installs them without any effort from the user, making it much easier to maintain a secure PC. In addition to providing extended automatic security updates, the new version offers a redesigned interface to make it dramatically simpler and extremely intuitive to use.
PC users will now be able to keep their software more secure with the launch today of the latest version of the Secunia Personal Software Inspector (PSI) from Secunia, the leading provider of IT security solutions that help businesses and private individuals manage and control vulnerability threats. Comprehensive and automatic patching of software and a dramatically simplified user interface are among the new features of the Secunia PSI 3.0, which will help reduce the chore of keeping software programs secure and up to date. The new version of this free software offers extended automatic patching using the Secunia Package System (SPS), thereby removing the dependency on vendors providing silent installers.
The Secunia PSI 3.0 is currently in beta, which is being made available to allow testing and evaluation by the public, Secunia customers, and the community prior to the final product release in June 2012.
The Secunia PSI 3.0 (beta) can be downloaded from Secunia’s website now at Secunia.com/PSI.
February 17, 2012 9:11 AM
Posted by: Tony Bradley
Tags: Security Compliance Manager, System Center Configuration Manager
It is only a Beta version right now, but if you have machines to lock down, protect, or otherwise make compliant with various regulatory or industry mandates, you should at least take a look at this product.
Security Compliance Manager is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage your computers using Group Policy and Microsoft System Center Configuration Manager.
The Springboard Series Blog recently announced that the Beta of Security Compliance Manager (SCM) is available for download. The blog post explains:
“SCM 2 provides ready-to-deploy policies and DCM configuration packs that are tested and fully supported. Our product baselines are based on Microsoft security guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and reduce security threats”
The ready-made baselines are useful on their own. But the feature I like best is the ability to capture a “gold master” machine and use its configuration as the baseline for your security policy. You can invest the time and effort to build one machine to your exact specifications, then capture its settings and apply them as the baseline for the rest of your systems.
January 19, 2012 11:39 PM
Posted by: Tony Bradley
Tags: Security Development Lifecycle, Trustworthy Computing
Ten years ago, Bill Gates threw down the gauntlet for Microsoft to raise the bar for security:
Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don’t do this, people simply won’t be willing – or able – to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.
The last decade has included a wide array of significant strides by Microsoft when it comes to security. At the foundation of it all is the Security Development Lifecycle — the bible of secure coding practices that drives more secure products from the ground up. Along the way, Microsoft has introduced a number of security tools and products, including:
This list doesn’t even scratch the surface. Beyond the tools it has developed, Microsoft has also made its software more secure by default. Month after month, vulnerabilities are disclosed that affect Windows XP but not Windows 7, or that affect Windows 7 to a much lesser degree.
Beyond its own products, Microsoft has also been tenacious in attacking and taking down botnets that impact the security of everyone on the Internet. And it all started with the Trustworthy Computing memo from Bill Gates a decade ago.
January 4, 2012 11:20 PM
Posted by: Tony Bradley
Tags: Patch Tuesday, Wolfgang Kandek
Sir Winston Churchill once said, “Those who fail to learn from history are doomed to repeat it.” Those are wise words, and a sentiment that applies nicely to information security.
As we begin 2012, it is a great time to reflect on the significant security events that occurred over the last year, and identify trends that can help you prepare for the threats to come this year. With that in mind, let’s take a look at what 2011 served up.
The Low-Hanging Fruit
Attacks have traditionally targeted flaws related to specific operating systems – mainly Microsoft Windows. But, malware developers prefer the path of least resistance. They want the simplest means of developing an attack with the largest potential pool of victims and odds of success.
Adobe products and Web browsers are just the sort of low-hanging fruit malware developers love. Products like Adobe Reader, Adobe Flash, and Adobe AIR, and browsers like Firefox, Chrome, and Internet Explorer are virtually ubiquitous across all platforms.
In April, Adobe Flash was hit with back-to-back zero-day attacks: the first used a malicious Flash file embedded in an Excel spreadsheet, and the second a malicious Flash file embedded in a Microsoft Word document. In either case, simply opening the document would infect the PC.
Qualys CTO, Wolfgang Kandek noted in his Laws of Vulnerabilities blog, “This all happens so fast that a normal user would not notice the attack.”
That was just the beginning for Adobe, though. Flaws in Adobe products are believed to have played a key role in high-profile attacks targeting RSA Security, Pacific Northwest National Laboratory and numerous other victims. There are rumors that the attack used against RSA was also used against more than 760 other organizations, including many global marquee names.
Damages from cyber attacks have been hard to estimate up to now. But 2011 saw a company shut down because of a cyber attack. Digital certificate authority DigiNotar was breached in August, and fraudulent certificates were issued from its systems. Microsoft, Mozilla, Opera, Apple, and others soon revoked trust in certificates issued by DigiNotar, and the company closed down for good.
Web browsers are another attack vector present on virtually every PC and mobile device. Many users also install a variety of third-party plugins and add-ons, which complicates the effort involved in keeping it all up to date. An extensive review of browser security by Qualys found that a majority of the systems it checked were running out-of-date versions of commonly targeted plugins, such as Adobe Flash.
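Both the PSI post above and this paragraph come down to the same check: compare what is installed against the version in which a fix shipped. The example below is added here and is not Secunia’s or Qualys’s code. It shows the part that scanners get subtly wrong, version comparison, where a plain string compare says "10.3.183.5" is newer than "10.3.183.10". The `FIXED_IN` table, the `INVENTORY` list and every version number in them are constructed for illustration, not taken from real advisories.

```python
"""Installed-software freshness check with correct version comparison.

Added example; it is not Secunia's PSI or Qualys's browser check. The inventory
and the 'fixed in' table are constructed for illustration, and the version
numbers are assumptions, not real advisories.
"""
import re


def parse_version(text):
    """'10.3.183.5' -> (10, 3, 183, 5); '1.6.0_29' -> (1, 6, 0, 29).
    Splitting on every non-digit run copes with '_' and 'u' style separators."""
    parts = tuple(int(p) for p in re.split(r"[^0-9]+", text.strip()) if p)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def is_outdated(installed, fixed_in):
    """True when installed is strictly older than the version carrying the fix.
    Shorter tuples are zero-padded so '10.3' and '10.3.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def naive_is_outdated(installed, fixed_in):
    """The bug this example exists to show: plain string comparison."""
    return installed < fixed_in


# Constructed 'fixed in' table: product -> first version that contains the fix.
FIXED_IN = {
    "Flash Player": "10.3.183.10",
    "Java Runtime": "1.6.0_30",
    "Adobe Reader": "10.1.2",
}

# Constructed inventory as a scanner might collect it: (product, version).
INVENTORY = [
    ("Flash Player", "10.3.183.5"),
    ("Java Runtime", "1.6.0_30"),
    ("Adobe Reader", "9.4.6"),
    ("Example Viewer", "2.0"),     # not in the table: cannot be judged
]


def insecure_programs(inventory, fixed_in):
    """Return [(product, installed, status)] with status in
    {'insecure', 'ok', 'unknown'}. Unknown software is surfaced rather than
    silently treated as safe."""
    report = []
    for product, version in inventory:
        target = fixed_in.get(product)
        if target is None:
            report.append((product, version, "unknown"))
        elif is_outdated(version, target):
            report.append((product, version, "insecure"))
        else:
            report.append((product, version, "ok"))
    return report


if __name__ == "__main__":
    for row in insecure_programs(INVENTORY, FIXED_IN):
        print(*row)
```

One caveat for anyone building this for real: the table here maps a product to a single fixed version, but vendors usually patch several supported branches at once (a 9.x and a 10.x line, for example), so a production table needs a fixed version per branch and the check has to pick the branch matching the installed major version.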
No Such Thing As Perfect
While many applications seem to be full of holes and provide an easy target for malware developers, it is equally important to realize there is no impervious application. Most software runs to tens of thousands, or even millions, of lines of code. Even with secure coding practices and diligence on the part of developers, it is virtually inevitable that a flaw (or many flaws) exists somewhere, just waiting to be discovered.
For evidence of the frailty of operating systems and software applications, you don’t need to look any further than the information security conferences held throughout the year. One shining example is the annual Pwn2Own contest at the CanSecWest conference, where security researchers compromise fully patched and updated systems in a matter of seconds, demonstrating that someone with sufficient time and skill can always find an exploit.
Don’t Believe the Hype
Zero-day exploits are the bogeyman of information security. They are scary in theory and make for sensational headlines, but they play a far smaller role in real-world infections than the headlines suggest.
A recent Microsoft Security Intelligence Report (SIR) drilled down into the flaws and vulnerabilities responsible for the most infections and compromised PCs, and found that zero-day exploits barely come into play at all. Kandek stressed in a blog post, “This is not really a surprise as zero days are much too expensive a component to be included in mass-malware, which tend to use older, well understood vulnerabilities for propagation.”
Of course, the “never say never” principle also comes into play. Soon after Microsoft released that report, two threats equipped with zero-day exploits – Duqu and Beast – were discovered targeting previously unknown vulnerabilities in Microsoft products. The moral is that zero day flaws pose a very real, and credible threat for precision, targeted attacks, but that history illustrates there is little chance of any malware pandemic starting from a zero day.
Batten Down the Hatches
There is no silver bullet for security, and there is no impervious software, but that doesn’t mean that there aren’t things that can be done to improve security and thwart attacks. Microsoft was vigilant in 2011 when it came to taking proactive steps to strengthen security.
With the February Patch Tuesday, Microsoft pushed out an update that changes the behavior of the “AutoRun” feature in Windows so that it no longer executes autorun.inf from USB sticks or network shares; only optical media still auto-run. The update had been available as an optional download before that, and Windows 7 already shipped with this behavior, but in February Microsoft pushed it to older versions of Windows through Windows Update to close off a common infection vector.
Microsoft also built on what it started with the Coordinated Vulnerability Disclosure (CVD) program, and changed its Exploitability Index to provide more useful information. Microsoft now publishes a separate exploitability rating for the newest release of a product, such as the current versions of Windows and Internet Explorer, and for older releases, because legacy versions generally lack newer mitigations and present a greater risk for organizations.
In December, Microsoft unveiled plans to start updating Internet Explorer to the most current version automatically through Windows Update. The move follows in the footsteps of rivals like Google and Mozilla, and will help make the Internet at large more secure by ensuring that more users are running the most up-to-date, most secure browser available.
Qualys’ Kandek noted, “Being on the newest possible Internet Explorer (IE8 on Windows XP, IE9 on Vista/Win7) brings a significant increase in security and robustness to malware infections due to better architecture, sandboxing and the included URL filtering feature.”
2011 was a busy year in information security, and 2012 will most likely continue the trend. What is important is for organizations to understand the risks, stay aware of emerging threats and vulnerabilities, and take proactive steps to avoid attacks.
December 15, 2011 11:41 AM
Posted by: Tony Bradley
Tags: mobile malware, Windows Phone 7
Android is under fire from all sides. It has the attention of mobile malware developers, and now Microsoft is hoping to capitalize on recent Android malware news as a marketing stunt for Windows Phone 7.
Google’s mobile operating system has skyrocketed to the top of the smartphone heap and has a rising share of the tablet market, which makes it a prime target for mobile malware. Its relatively open nature, and the ease with which malicious apps reach Android app stores, also make it potentially more vulnerable. In a recent report, McAfee found that mobile malware overall is exploding, and that Android was the sole target of all new mobile malware detected in the most recent quarter.
In the past week, a number of fraudulent apps, part of the RuFraud family, have been detected and pulled from the Android Market by Google. These apps pose as legitimate, popular apps and send premium-rate SMS messages that cost the user money.
Microsoft is trying to use all of this to its marketing advantage. It is seeking Android malware horror stories and will award Windows Phone 7.5 “Mango” smartphones to the five worst ones. It is a bit of a marketing gamble, though, because it is like throwing stones in a glass house. If any similar security concerns are found on Windows Phone 7, the ploy could backfire.
September 26, 2011 2:08 PM
Posted by: Tony Bradley
Tags: Windows 8
With each incarnation of Windows, Microsoft has made the operating system more secure by default. Windows 8 is no exception.
In Windows 8, Microsoft has enhanced many of the existing security controls from Windows 7 and added some new ones. For one thing, rather than shipping Windows Defender antispyware by default with Microsoft Security Essentials antimalware as a separate, optional download, Microsoft is rolling antimalware and antispyware protection into one tool. Now the aptly named Windows Defender will guard Windows 8 against all manner of threats.
Microsoft is also improving on core mitigation and protection technologies like ASLR (Address Space Layout Randomization), and protecting the Windows kernel, Windows Heap, and Internet Explorer.
Check out this Building Windows 8 blog post from Steven Sinofsky for more details.
September 26, 2011 1:18 PM
Posted by: Tony Bradley
Tags: ProSecure UTM9S, unified threat management
Small businesses don’t have full IT departments and network infrastructures like larger companies, but they still have the same needs when it comes to connecting to network resources and making sure data and network assets are protected from threats.
Netgear has announced a new appliance, the ProSecure UTM9S, which combines a VDSL modem, a wireless-N access point, and a unified threat management gateway in one cost-effective device that is relatively simple to manage and maintain.
Here is the full press release from Netgear:
SAN JOSE, Calif., Sept. 26, 2011 /PRNewswire/ — NETGEAR®, Inc. (NASDAQGM: NTGR), a global networking company that delivers innovative products to consumers, businesses and service providers, today introduced the NETGEAR ProSecure® UTM9S – the industry’s first Unified Threat Management (UTM) gateway with both VDSL and WiFi capability. Additionally, the UTM9S integrates with NETGEAR ReadyNAS® network-attached storage systems, providing virtually unlimited activity log and quarantine capacity for forensic, regulatory and legal requirements.
The UTM9S is the latest addition to NETGEAR’s ProSecure unified threat management product line, and delivers comprehensive Internet security without traditional vendor complexity and cost. The ProSecure UTM9S is the first UTM firewall on the market to provide high-speed Internet access through an on-board VDSL modem (VDSL is the latest standard for high-speed DSL and is backward-compatible with today’s ADSL networks). At the same time, the UTM9S offers a wireless-N access point module and is a best-of-breed UTM firewall gateway. Small businesses and branch offices may now access modern high-speed Internet connections, provide a wireless network and protect against Internet threats – all from one simple device.
Security devices traditionally include a very small amount of storage for log and threat quarantine data. The ProSecure UTM9S can be set to automatically send activity logs and complete quarantined threats to NETGEAR ReadyNAS storage systems, ensuring nearly limitless storage capacity for forensic analysis.
“Advanced targeted threats are going after customer information at businesses large and small,” said John Pescatore, Vice President for network security at Gartner Inc. “Just spending more to throw more security products at this problem is rarely the best solution. Businesses need to choose network security platforms that are effective against advanced attacks while offering price points and management capabilities that match constrained procurement and staffing budgets.”
Mike Chandler, the CEO of ASICSoft, an integrated circuit engineering services firm in San Jose, California, said: “The UTM9S does a fantastic job securing us from social media malware and scareware phishing scams, while keeping our workforce focused and productive. And the fact that the UTM9S archives quarantined threats and traffic logs in a virtually limitless manner on an external NAS is something we prize for legal reasons. NETGEAR has packaged all this functionality, along with wireless and broadband capability, into a condensed form factor with one GUI to manage – the essence of simplicity.”
“The ProSecure UTM9S brings our commitment to ‘smart IT, not big IT’ to the next level,” said Jason Leung, Senior Product Marketing Manager at NETGEAR. “NETGEAR uniquely leverages ReadyNAS storage systems to provide simple, seamless archival for quarantined email threats and log information. This cross-product technology integration is an example of NETGEAR delivering smart IT solutions – not just products – to our customers.”
Pricing and Availability
The NETGEAR ProSecure UTM9S is available now worldwide with prices starting at $535 in the United States, including one year of web and email protection subscription services, 24/7 technical support and a lifetime warranty.
The NETGEAR ProSecure UTM series uses patented Stream Scanning Technology, which analyzes data streams as they enter the network against a full malware signature library – offering maximum protection with minimum latency. NETGEAR ProSecure UTM appliances have won top ratings in reviews from SC Magazine, PC Pro and IT Pro, and significantly outperformed UTMs from Fortinet, SonicWALL, Cisco, WatchGuard and ZyXEL in third-party testing. To learn more about the ProSecure UTM9S, please visit: http://netgear.com/business/products/security/UTM-series/default.aspx.
About NETGEAR, Inc.
NETGEAR (NASDAQGM: NTGR) is a global networking company that delivers innovative products to consumers, businesses and service providers. For consumers, the company makes high performance, dependable and easy to use home networking, storage and digital media products to connect people with the Internet and their content and devices. For businesses, NETGEAR provides networking, storage and security solutions without the cost and complexity of Big IT. The company also supplies top service providers with retail proven, whole home solutions for their customers. NETGEAR products are built on a variety of proven technologies such as wireless, Ethernet and powerline, with a focus on reliability and ease-of-use. NETGEAR products are sold in approximately 28,000 retail locations around the globe, and through more than 37,000 value-added resellers. The company’s headquarters are in San Jose, Calif., with additional offices in 25 countries. NETGEAR is an ENERGY STAR® partner. More information is available at http://www.NETGEAR.com or by calling (408) 907-8000. Connect with NETGEAR at http://twitter.com/NETGEAR and http://www.facebook.com/NETGEAR.
September 22, 2011 8:54 AM
Posted by: Tony Bradley
Tags: denial of service, Web servers
What do you do when your Web servers are overwhelmed with traffic from a distributed denial of service (DDoS) attack? How do you filter or block the offending DDoS traffic, while still allowing legitimate traffic to reach your site(s)?
Apparently, one solution is to engage the services of Prolexic. Prolexic restores mission critical Internet facing infrastructures for global enterprises and government agencies within minutes. Traffic is routed through the Prolexic scrubbing center where Prolexic technicians analyze and mitigate the attacks while legitimate traffic passes through unaffected.
Five of the world’s ten largest banks and the leading companies in e-Commerce, payment processing, travel/hospitality, gaming and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world’s first “in the cloud” DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida and has scrubbing centers located in the Americas, Europe and Asia.