
Roer.com


Information security made available to all!

Guest Post: 5 Reasons To Optimize Your Web Security

Wed, 12/28/2011 - 06:08

Security comprises a number of different fields, including the often neglected area of web security. Web security is often not seen as a first line of defence; it is assumed that simply having an antivirus and a firewall installed is enough to provide adequate protection. That is not the case.


Here are five reasons why you need to optimize your security by focusing on web security and not basic measures such as antivirus or a firewall.


  1. Information Disclosure – Web security is not just about ensuring nothing malicious gets in, it’s also about ensuring nothing important gets out. A web security system needs to be able to detect if users are trying to access malicious sites such as phishing sites and other online scams so as to prevent information leaks.
  2. Availability – Security is understood to mean three things: Confidentiality, Integrity and Availability. If users are spending excessive time browsing high-bandwidth sites such as video streaming sites, they could saturate bandwidth to a point where mission-critical systems, such as email, would not have the necessary bandwidth to operate, causing delays or dropped connections.
  3. Legal Liability – Virus infected software is not the only concern for an organization. One also needs to ensure that no unauthorized software has been downloaded. Web security means making sure that users are not visiting sites that might place the organization in legal jeopardy.
  4. Exploitation – Not all malicious website attacks occur using viruses or Trojans. Exploits can target vulnerable web browsers, allowing the attacker to take over and run commands on the victim’s computer in a way that will not, however, seem malicious to an antivirus.
  5. Abusive Behaviour – While reasonable personal use of the Internet by an employee is perfectly fine, abuse is not. Monitoring Internet usage is very important and beneficial to an organization as it can save on bandwidth costs, improve productivity and provide a morale boost for those employees who browse within the organization’s limits. Excessive Internet use can also be seen as a warning sign, because if someone is breaking that policy then they could very well be breaking others.


Excessive browsing can also put the company at risk to the above-mentioned threats. If an employee spends a lot of time on social networking or instant messaging sites there could be the risk of information disclosure. Moreover, if a lot of time is spent streaming videos or music there could be a risk to availability and legal liability.

While installing a firewall and an antivirus solution provide a good start to a security policy, as they cover certain areas of the security paradigm, it’s definitely not all there is to web security. Apart from the above-mentioned topics, there are plenty of other reasons justifying why you need to go beyond the basics and further optimize your web security.


This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what to include in your web security strategy. 

All product and company names herein may be trademarks of their respective owners.

Emmanuel Carabott is a contributing author of The Cloud Security Rules, a book about ruling the cloud.


Guest post: How Hackers Utilize Social Media to Attack an Organization’s Network

Wed, 12/21/2011 - 07:35

It’s a common problem we’ve all seen before: an employee at work logs into their personal Facebook, Twitter or LinkedIn page to see an interesting video link shared by a “friend.” Once they click the link, a virus spreads throughout their account and onto their computer. As a recurring problem in the workplace, organizations are left struggling to find a way to manage social media sites.

With many Internet applications such as online social media outlets and web services, the line between corporate and personal usage has quickly distorted, causing an increase in data loss and malware outbreaks. Services such as blogs, Facebook, Twitter and LinkedIn now pose a great threat in the workplace, despite their functionality and organizational benefits.

Based on popularity, many organizations label these social media sites as trusted websites; however, user-generated content is not taken into account. Through newsfeeds, recommendations and status updates, hackers manipulate users into downloading malicious content or into viewing malicious sites, abusing their primary weakness: friends. According to a recent study (Editor’s note: 2008) by Kaspersky Labs, social networking sites are 10 times more effective at delivering malware than previous methods of email delivery.

Two primary weaknesses have emerged from social media attacks: complex delivery methods and data harvesting. Cisco studies show that organizations are spending more than $1.29 billion a year to fix targeted attacks, which increases the need to employ a security solution that allows social media access while simultaneously safeguarding organizational policies.


User Generated Content: Genuine or Malicious?

The growing popularity of social media sites comes from the ability for end users to maintain their own page and share links with their personal connections. Hackers increase the likelihood that people will click on their malicious link by exploiting the trust between a user and their connections. They are able to embed malware into friends’ content, thus compromising the privacy and security of these sites.

Through user delivered content such as tweets or status updates, hackers post malicious content that is delivered to all contacts linked to an account, through URLs, links, photos and videos. With user content and updates being generated at a rapid pace, hackers are able to utilize social networking platforms to quickly send malicious content to a vast majority of users.


Using Information to Create a Personal Attack

Despite the dangers associated with malicious content delivery, an even greater problem can arise. The ability for hackers to create dangerous content based on information they have gathered about the user, poses a huge threat to an organization.

Thanks to the technology crazed world we live in, practically everything is either on your computer or mobile device, making information easy to find for anyone looking. Hackers are able to easily integrate this information to create malicious content customized to a person or organization.

Not only is data harvesting the most threatening, but it is also the hardest to control. Preventing employees from clicking on a link they find appealing is an unrealistic solution. This leaves organizations needing to find a way to protect themselves as well as their employees from malicious content that might be opened by an unsuspecting end user.


Conclusion

An organization’s ability to block or control certain sites is no longer useful now that most attacks are user generated and come from so-called “clean” sites. As IT departments struggle to keep up with the growing number of potentially threatening sites, a new security solution is necessary to counter socially engineered attacks.

Essential to defending an organization is inline real-time threat protection and malware analysis of all content. Deep content inspection, anti-malware analytical engines and high-performance architecture group together to effectively analyze web traffic at all endpoints for malicious attacks.

Security solutions with the ability for deep content inspection give organizations the advantage of utilizing all social media, while guaranteeing compliance mandates are met and the organization is protected, regardless of what the end-user is accessing. The solutions provide visibility of the application content and the ability to apply flexible policies over users, applications and protocols based on a real-time understanding of these applications’ intent.

The ability to see the content available and apply policies over users based on real-time comprehension of the content is just as important. Additionally, being able to analyze web traffic for potential attacks will provide organizations with the comfort and knowledge that they are protected.

About the Author:

Dr. Hongwen Zhang is president and CEO of Wedge Networks, an innovative provider of remediation-based Deep Content Inspection for high-performance, network-based Web security. He holds a PhD in Computer Science from the University of Calgary; a MSc in Computer Engineering from the Institute of Computer Technology - Chinese Academy of Sciences (Beijing, PRC), and a Bachelor of Science in Computer Science from Fudan University (Shanghai, PRC). With more than two decades of high tech leadership experience, Dr. Zhang is a co-inventor and holder of several patents in the area of computing and networking.

The Roer Group stand on plagiarism

Tue, 10/25/2011 - 13:43


Three weeks ago, I was in London, at the RSA Europe Conference to launch our latest book, The Cloud Security Rules. It was a proud moment, marking the end of almost two years of work, with 15 co-authors from around the world. I spoke with peers and journalists, and gave away review copies, hoping for overwhelmingly positive feedback (in the hope that great reviews would help push the sales of this book).

Coming home, I was thrilled with the feedback we got on Twitter and other channels.

Then, the bomb blasted in my face last Saturday.

Attrition.org, a long-time contributor to the fight against plagiarism, posted an accusation towards one of our co-authors, accusing him of plagiarism on his blog. I was alerted to the accusations very early, and immediately decided we needed to review the contributed chapters in The Cloud Security Rules book. Unfortunately, both our internal investigations and the third-party investigations conducted showed evidence of plagiarism also in the two chapters contributed to the book.

Upon the discovery, The Roer Group, the publisher of the book, immediately took action to recall The Cloud Security Rules from the market. We also decided to do a new, full review of the book. We asked for help from Attrition.org staff, who agreed to do a full technical edit of the book. No, we did not pay for this, so they have no reason to be nice to us in any way.

We also decided to remove the two chapters written by Mourad ben Lakhoua from the book, and we are taking actions to write a new chapter on the topic of Datacenter security in the cloud.

Obviously, our actions do not come without cost. As I have repeatedly stated, I am here to make a better world. The Roer Group donates the profit of all the books we publish to charity. We engage in helping people move from a short-sighted «me, myself and I» mentality to developing sustainable leadership. We are committed to going further, to being better, to showing the road ahead. And we believe our actions can and will make a difference. We have no choice but to do the right thing. And the right thing in this case is very clear - pull the book from the market, fix the errors, then relaunch.

The book will be relaunched later this year, with the updated content, and with a better quality than before.

We, The Roer Group, and I, the editor, sincerely apologize for our failure to spot the plagiarism before the launch of the book. Luckily, less than 50 books made it «out» in the wild, and we believe our prompt actions have reduced the possible damage to a bare minimum.

The Roer Group wishes to thank Attrition.org for their important work of searching for plagiarism. We also want to thank some of the people who supported us, and helped us make the right choices during this crisis, namely @brianhonan and @wimremes.

We also would like to note that Mourad ben Lakhoua has accepted his responsibilities, and promised to change his methods for writing on his blog in the future. A public statement from him is expected this week. We trust that he will do as he promises, and only time will tell.


RSA Europe Conference final day

Thu, 10/13/2011 - 12:57

I have enjoyed the time at the RSA conference in London very much. I came with prejudices, thinking this would be a very vendor-centric conference. I have to accept that I was wrong.

Of course, there were some sessions that were sales pitches, but those were few and far between. I did attend some really great sessions, like the one with Alex Hutton and Joshua Corman on security metrics (and zombies). When you are ready for doing real metrics instead of quasi metrics, talk to these guys!

I also sat in on a discussion on the cloudy future, moderated by Paul Simmonds, which was very enlightening with a good mix of industry experts and practitioners. Great fun, even without beers.

Talking about beers - if you are into Sushi, and you are in London, you want to check out Sushi-Say at 33 Walm Lane. Simply the best sushi I ever had, and my two Japanese guides said it was some of the best they ever had.

Tonight there will be no sake, but pub food at some Twinja event - I guess it is a special for the infosec guys in London.

- Posted using BlogPress from my iPad

RSA Europe conference - a waste of time?

Wed, 10/12/2011 - 11:03

The RSA Europe conference is a traditional vendor-centric conference with all the frills and free booze that come with such conferences. As is expected, it also consists of speaking tracks, panel discussions and group sessions designed to promote the sponsors. And of course a trade show where you can let yourself be seduced by the sales crews who hunt you like hungry wolves.

If this is all you are after, I suggest you save your time and money, and stay home. You will be getting better advice and service from your local sales and consulting team.

If you realize that the trade show, the sponsored tracks and the booze is just the stuffing on the cake, you are far better off. Conferences like these are mainly networking events, a meeting place to share, discuss and learn about the different parts of the industry.

Choosing the tracks to follow wisely, you can also pick up new trends, and also learn how old trends may be impacting you and your business in ways you'd rather not be thinking about. One such session is the gaming console session by Chris Boyd of GFI. Most business people consider gaming consoles to be irrelevant to business, yet they allow consoles in their office space - so that their employee happiness ratings may increase.

When you see the security heads of one of the largest banks of Europe, or the security team of Statoil, the public oil company of Norway, their public excuse may be to learn from some of the tracks. But the real reason they are here is to meet and greet with peers, as well as network with key players who may help them stay in front of threats.

So to decide if a conference like this is a waste of time or not, it all depends on your expectations and preparations. A few tips on how to get return on your investment:

- go through the program in advance, look for speakers who are interesting (you may know them from twitter, media or other conferences)
- look for topics that are of interest to you
- look for topics that are new to you (some times you can get just that, even at these conferences)
- set up meetings with people you know, or know of. The great potential of events like these lies in networking

When at the conference, these are some tips that may help bring you value:

- attend the bars, the minglings and the other networking opportunities - introduce yourself to people, including the speakers (they are suckers for attention, and love it when you talk to them)
- never eat alone - if you are alone, invite someone to join you. If you travel in group, try to spend time with people outside your group - remember that you can spend time with your colleagues back home, while at a conference you can meet people who may bring great value to both you, your team and your organization

What are your best conference attendance tips?

- Posted using BlogPress from my iPad

RSA Europe, day one

Wed, 10/12/2011 - 07:53

A short summary of my first RSA Europe day would include things like refreshing drinks, fun talks, interesting discussions and spending time with many of my friends. Not bad at all.

Two things are crystallizing. RSA Europe is all vendor centric (no surprise there), and the group of security people who see the whole picture is alarmingly small. As we discussed in the bar last night, like all who focus on one or a few topics, we tend to be paying more attention to our belly buttons than we probably should be. At least once in a while it would be good to raise the focus, look to other topics, other organizations and other areas to see what is common, what is emerging and what is really happening in the rest of the world.

In my opinion, as security people, we need to realise a few things.

One is the fact that people do not care about risk; what we care about is loss, or losing. We do not like to lose, and we are likely to go to great lengths to avoid loss. In other words, you are more likely to do something for me if I threaten to take away something you already have than if I offer you something you don't yet have.

Realising this, and accepting it, forces us to change our focus on security too.

- Posted using BlogPress from my iPad

RSA Europe starting

Mon, 10/10/2011 - 16:23

We plan to follow the RSA Europe conference that is taking place this week in London. I have already arrived, and got my badge in my pocket. This is the first of what will be a series of posts on the conference and what is going on here this week.

I left home early this morning, and had an uneventful trip (except for a very nice discussion about globalization and the Chinese impact in Africa with the driver who picked me up at the airport).

Arriving at the conference venue, the Hilton Metropole London hotel, I checked in, and went to my room. Not much to write about. Until I enter the room, and am met with a distinct smell. Strong. Blasting its way through my nostrils and hitting my brain like a spear.

I first think it is just some smell still residing in the room after a previous guest (well, that is exactly what it is, the only question is how long ago the guest left). I open the window, wanting to get some fresh air in, and the stinking smell out. After a few more minutes, I go into the bathroom, where the smell actually weakens, almost as if it is not comfortable with this room. I bring out a bottle of YSL eau de toilette, and spray the main room frantically. And decide to go for lunch.

Passing the reception, I decide to eat first, then change the room. There is a long line in front of the reception. I do not like long lines.

Having had a wonderful lamb dish at a local diner, where the other guests ate with their fingers, I come back to the Hilton, and ask the cute girl who checked me in earlier to help sort my problem. I explain how my room smells like a men's room, a lavatory on the subway (if those still exist), and that even though I am a man, I prefer my room to smell a little nicer.

After I decline her offer of having someone "spray some nice smell in your room", we agree that she will give me a new room. Next, she tries to get someone to bring my luggage from the lavatory-smelling room to my new room, to no avail. I tell her that I do not mind carrying my own luggage, and get the new keys. Which, it turns out, do not work.

This time, with my trolley in one hand, and a condescending smile on my face, I get keys to another room (not sure why I just could not get working keys instead), this time high above ground.

Considering the Hilton to be a Hilton (not quite sure what that really means, but everyone seems to think a Hilton should be a great thing), the Metropole is not much more than a huge conference hotel, where thousands of people pass through every week. With this number of guests, many of whom only visit a hotel once a year, to party their boots off at a conference, there is no surprise that the hotel is old and battered. But there is quite a distance from being old and tired to no longer caring if you smell like a public restroom.

Being who I am, I had to tweet https://twitter.com/kairoer/status/123346180339011584 my experience too. Full disclosure, right? Well, Hilton hotels being who they are, they picked up my tweet very quickly, and claim to have contacted the hotel manager to sort out the room. Since there was no working Wifi at a place where I can also get a decent cappuccino (yes, yes, I am spoiled. But you already knew), I am writing this from the Starbucks next door, and I actually do not know if they have "sorted things out" or not. I'll have another coffee, then head back.

Just to make this clear, I asked for a replacement room myself. But Hilton did take action upon my request, and fixed it. And their twitter monitoring deserves kudos even if they were not able to fix it in time.

Still, Hilton, my favorite London hotel is the InterContinental Park Lane. I had a (tiny, but still) hope that you would make me change my mind. Not this time around.

As for the RSA itself? I have glanced through the program, and planned to attend some sessions, namely those where I get to learn something new. If all works out the rest of the week, and the parties do not get too hard, I will update at least once a day.

In the meanwhile - stay tuned on twitter: http://twitter.com/kairoer

- Posted using BlogPress from my iPad

NEWS: The Cloud Security Book now available!

Fri, 10/07/2011 - 09:28

It is with great joy, and quite some relief, that I can share that our latest book, The Cloud Security Rules, is finally available for sale! You can buy your copy at Amazon.com by following this link!

Excerpt from the book's website:

-------

This book targets decision makers in organizations worldwide. Whether you run a small company, are the president of a global NGO, or the CISO of a well-known brand - this book brings you relevant knowledge about security in the Cloud.

This book helps you to understand the differences and the similarities between cloud computing and traditional networking - which in essence is the same, yet different. If you are considering moving to the cloud, or are looking for a higher level of security for your existing appliance, The Cloud Security Rules help you to choose the right level of security - based on your needs and understanding.

---------
Go on! Buy it now! You know you want to!

Infographic: Burglary Statistics (USA)

Tue, 09/27/2011 - 13:43


Burglary Statistics Illustration - Graphic & Marketing by Yellow Robin

RSA Europe Update: New Key Note Speakers at the RSA Conference

Mon, 09/26/2011 - 06:00

Tim Berners-Lee gesticulating at the launch of...

Image via Wikipedia

Clipped directly from the press communication:

RSA® Conference Europe (11-13 October, 2011) taking place at the Hilton London Metropole Hotel, UK is only 3 weeks away and we are excited to announce 2 new keynote sessions:

  • Stefano Grassi, Vice President Security and Safety, Poste Italiane, Chairman, European Electronic Crime Task Force

Title: European Electronic Crime Task Force: State of Cyber Crime in Europe

Abstract: EECTF supports analysis and best practices against cybercrime in Europe through alliances with Law Enforcement, Academia, Legal and the Private Sector. The Task Force, initially between Poste Italiane, Polizia Postale and the US Secret Service now includes the Global Cyber Security Center, Citibank, American Express, VISA, Bulgarian Police, Romanian Police, the UN Interregional Crime Research Institute, RSA and Verizon. This session will cover survey results from its 2011 European Cybercrime Survey.

Wednesday, 12 October, 11.00 – 11.30

  • Hugh Thompson, Chief Security Strategist, People Security

Title: Pillars of Trust? The Science of Security Fragility

Abstract: Security is fragile because it has overlooked critical dependencies which frequently fail. One such dependency is that end users will make good security choices. Another is that the supply chain is reliable. To deal with modern attackers, the kind that will go after our dependencies, we need a new failure-tolerant model of defense. This talk takes a look at the science (and art) of security fragility. It will pull striking examples from IT, physics, weather, and business and introduce The Five Laws of Security Fragility.

Tuesday, 11 October, 11.00 – 11.30

  • As already announced, Sir Tim Berners-Lee will present the Closing Keynote Session on Thursday 13th October. Details are below:

Title: Evolving Web Technology and Some Security Challenges Which Surround It

Abstract: The talk will look back at how web technology has evolved, and how it may evolve in the future, including: web applications, the web of data, and decentralized social networks. Meanwhile, the author, not a security expert, points out a few things he would like to see the security community provide to him as a user of connected computer systems in today's world.

Thursday, 13 October, 15.10 – 16.00


  • Other Keynote Sessions


  • Arthur W Coviello, Jr. Executive Vice President, EMC Corporation and Executive Chairman, RSA, The Security Division of EMC
    Title: Opening Address RSA Conference 2011 Europe
    Tuesday, 11th October

  • Thomas P. Heiser, President, RSA, The Security Division of EMC
    Title: Lessons Learned: Surviving an Advanced Persistent Threat
    Tuesday, 11th October

  • Adrienne Hall, General Manager, Trustworthy Computing, Microsoft Trustworthy Computing
    Title: Trust Me, I’m a Cloud Vendor
    Tuesday, 11th October

  • Sean Doherty, Vice President and Chief Technical Officer, Enterprise Security Group, Symantec Corporation
    Title: Today’s IT Attacks: Building a Security Strategy to Protect Your Assets
    Wednesday, 12th October

  • Philippe Courtot, Chairman & Chief Executive Officer, Qualys, Inc.
    Title: Advanced Persistent Threats - Illusion or Disillusionment?
    Wednesday, 12th October

  • Ambika Gadre, Senior Director, Product Management, Cisco Systems
    Title: Secure This: Every Device, Every Cloud, Every Moment
    Wednesday, 12th October


For more information please go to http://www.rsaconference.com/2011/europe/agenda/keynote-speakers.htm


Article: Information Security is not IT Security - Dale Pearson

Sun, 09/25/2011 - 15:39

Hello friends! This article is the third in a series of articles by industry experts wherein Roer.com explores the differences and similarities between Information Security and IT Security. In this Q&A session, I ask Dale Pearson, a renowned expert in the field of information security, his views on the topic.

Dale is a passionate Information Security Professional who has been working in the IT industry since 1998 and focused on Information Security since 2004. He has been exposed to a wide range of security areas, such as security and risk consulting, policy and compliance, penetration testing, social engineering, forensics, incident response, wireless pen testing and awareness training. Dale is the founder of subliminalhacking.net where he blogs about social engineering, hypnosis, and other skills to improve success as a social engineer, and also blogs about other InfoSec related topics at Security Active. He is also one of the hosts of the Eurotrash Security Podcast.


What is Information Security?

Information Security relates to any information regardless of its format. This could be electronic, print or any form of confidential information and assets, both physical and electrical. In my mind this would also include the systems, controls and processes that are implemented to present and protect this information. When talking about Information Security I guess the proper identifier should be anything related to the confidentiality, integrity and availability of information. I think there is a distinction between this and IT Security, but IT Security is part of Information Security but not vice versa.


What is IT Security?

In my opinion IT Security is similar to Information Security, but it is only concerned with the systems that store, process and make available electronic data. So it is not concerned with data in the physical form, and it's not really concerned with the methodologies and processes used to control the information flow; its primary concern is more from a technology perspective.


Do we really need Information Security?

If we want to ensure we maintain the appropriate levels of confidentiality, integrity and availability of data throughout an organisation regardless of its media, it's certainly a good idea. I think the problem is, like most things in the IT and InfoSec world, these things mean different things to different people, so both the perception and implementation can vary greatly. I don't think many organisations fully embrace the full meaning of Information Security; perhaps they really mean IT Security but they just don't know it.


Can't my IT department manage both IT Security and Information Security?

Can't is a strange word in my mind. Can't the IT department do both? Sure they can. I think the real question should be: are they capable of doing it effectively, do they know what it means? Personally I believe an Information Security function is most effective when it sits outside of IT, and reports to a CSO or another appropriate director that has visibility at board level. If you hide it in among IT you may find Information Security is seen more as a blocker than an enabler, and is not given the visibility and support that it deserves. So in my opinion yes, the IT Department can, as anything is possible; however I don't think it will be as successful or beneficial to an organisation as it would be if it sat in its own functional structure.


How can I become an Information Security professional? Do I have to be a GEEK to be one?

This is a tricky question and I am sure many people will not share my opinion, but here it goes. How do you become an Information Security Professional? The most important thing in my opinion is passion. To be really good and effective at something it really helps to enjoy it, and want to make things better. This applies to any profession of course. I personally don't have a hang up on certifications, but there are many people who are Information Security Professionals, they have their CISSP and CISM, and they do their 9 – 5 gig to pay the bills and that’s enough for them. This is fine, and sometimes I admire that; I have no doubt they have a much healthier work life balance than me. I guess this brings us onto the next section about being a GEEK. Do you have to be one? Of course not. Does it come with being passionate about the industry? I think so. GEEK doesn't mean spotty and big black rimmed glasses though. I would happily consider myself a GEEK, and I don't have anywhere near the skills of so many awesome guys in this industry, but I am passionate, and Information Security is more than just a job to me, it is a way of life. Some may call that sad, but I think I am lucky to work in an industry with some amazing people (friends) and enjoy what I do to pay the bills.


What are the important divisions of Information Security?

When I think of divisions of Information Security I think about the different roles I would have in an InfoSec Team. So you would have your policy writers, awareness guys, risk management folks and incident response; information assurance is in there too, along with your operational guys and gals, and then the people that work on the BCP and DR aspects, then finally you hopefully have some people that simulate attacks to see if your organisation can take a hit as well as it thinks it does. What's most important is a tricky one, as it certainly depends on where you sit. All of them are certainly very important depending on what is happening at the time, but for me the three most important divisions you could have would be the team that simulates the attacks, the team that formulates and implements the defences and the awareness people. As I am part of a red team you might expect that I would say this is the most important, and it is very important and still something not many companies are coming to terms with, but if I am honest I think the awareness team could be the most important and under-utilised team we have in Information Security. Many people will say we are flogging a dead horse when it comes to user awareness: we have tried it already, it doesn't work, it's too difficult. So the answer is we are doing it wrong. People are the weakest link in an organisation; they are also the most valuable asset. If we could formulate an approach that really made Information Security everyone's responsibility then the defence guys would have a hugely enlarged team, and the red team would find a lot more barriers when trying to formulate an appropriate attack vector.

 

My organization never had a breach, why do I care?

That sounds like the muffled mumblings of someone with their head in the sand. I don't think many organisations could say, 100% hand on heart, that they have not suffered a breach at some level. Perhaps what this question should really be is: I have not suffered a breach that has been brought to our attention and made publicly known, so why do I care? It's not a matter of if, it really is a matter of when. As online presence increases, and the utilisation of 3rd parties and outsourcing continues to grow, the perimeter gets more and more grey, essentially making our jobs a lot harder. As Information Security professionals I believe we need to be a lot more pragmatic in our approach, and in many ways accept the inevitable. We should focus on helping the business identify what their really important assets are and how to effectively provide the level of protection required, and on helping the business make informed decisions. It's our job to be paranoid, and to share this in an effective and constructive manner.

 

What has been your biggest learning till date?

Wow, this is a difficult question. Hmm, I think you might as well pack up your bags and go home if you're not learning something new every day. I would say two big things really. The first one is really that if you set your mind to something, and do it for the right reasons, you can accomplish great things. So it really is important to believe in yourself, but also to listen to the opinions of others and take that information on board accordingly. The other one is that no matter how good you are, you can't do everything on your own; no one person can fix all that is wrong on their own. So it is important to surround yourself with trusted friends and colleagues, and put faith in their abilities to help you and what you're trying to achieve be successful. No man is an island and all that.

 

Thanks for the highly informative article, Dale!

-Kakroo

Update: The Cloud Security Rules book is almost ready!

Wed, 09/21/2011 - 10:10

It has been a long two years since Mourad Ben Lakhoua and I first started talking about writing a book on security together. Many things have happened since then, and the scope of the book has changed dramatically.

What started out as an idea of writing "something" together ended up as The Cloud Security Rules, a book co-authored with 13 information security bloggers and industry specialists. The topics include standards such as ISO 27001 and PCI-DSS, and compliance. It discusses password use, authentication and identity. And it looks into how the Cloud could, and should, be used from a security perspective.

Things are moving: the book is now at the printer, and the new website is up at http://TheCloudSecurityRules.com.

The book will be available on Amazon.com as well as in bookstores. Language: English.

Fake anti-virus is a real threat

Fri, 09/16/2011 - 06:00

Panda Software has posted an update on rogue security software flourishing on the web. A while back I wrote about a class I visited where the teacher mistyped Kaspersky's web address and ended up having the students download a fake anti-virus tool.

The challenge with rogue software is not the software itself, nor the operating system. The challenge is the operator, or the user if you will. Users usually have no clue whatsoever when it comes to spotting rogue software, trojans or spam. And who can blame them, when the trusted sources (teachers, websites, search engines, journalists, blogs, friends, Facebook etc.) either cannot tell the difference themselves, or are being used to advertise the software?

I surf the web too, and more often than not I see advertisements for anti-virus tools (not the known brands), cleaning tools and so-called tests to check whether you are infected. Some of them look quite convincing, and I have no difficulty seeing why people are tricked into clicking. On some sites I don't click on anything at all; I just close the browser immediately.

But how many regular users can be expected to do the same? How can we teach them to spot these things? How can we make users realise that when something looks too good to be true, it really is?


Hackers are a resource, if used as one!

Wed, 09/14/2011 - 06:28

This is a TED talk by Misha Glenny, who has investigated cyber crime and its roots. He quickly discovered that hackers play a vital part (no surprise there), and suggests that the way we treat black hats may be a threat to our society. Perhaps he's got a point?

 


Guest Article: The Evolution of Cyber Crime

Wed, 09/07/2011 - 08:48

The following article has been compiled by Bev Robb. Bev owns Teksquisite, a Southern Oregon IT consulting business that specializes in Internet security technologies and social media. She is currently consulting with Virtual World Computing (VWC) on their flagship product Cocoon, a Firefox plug-in that protects Internet users from viruses, malware and online tracking. She blogs at the Tekblog and the Cocoon blog and currently administers five Facebook fan pages.

She has also been an Experts-Exchange (EE) Dinosaur (since 2000) and was for many years an active participant in the Windows, malware and security areas of that site. She has been mentioned around EE corporate offices as an "Experts-Exchange Staple." She is CompTIA A+ certified and holds a number of Dell, HP and Samsung certifications. With over 17 years of hardware and software experience, she has been known to troubleshoot and repair Cisco routers, commercial printers, network issues and servers, and once crawled around a cow pasture in Vermont to resolve a satellite ticket for a remote business.

 

The Evolution of Cyber Crime

The Second Annual Cost of Cyber Crime Study from the Ponemon Institute noted that cyber attacks have become common occurrences, that they disrupt business operations and incur significant costs (from loss or theft of information), and that the most costly cyber crimes are those caused by web-based attacks.

"The fact that discernible attacks in this year’s study have increased – coupled with the fact that the time to resolve attacks has also increased – suggests the cyber crime landscape continues to evolve in terms of attack severity and frequency.  In other words, results of the present study suggest things might be getting worse." –Ponemon Institute

Last week McAfee released the McAfee Threats Report: Second Quarter 2011, counting 12 million unique malware samples for the first half of 2011, a 22 percent increase over 2010. Android was the most attacked mobile operating system (up a whopping 76 percent from the previous quarter), and stealth malware also increased 38 percent from 2010.

Back in the old days, hackers (at MIT and Stanford) hacked to flaunt their knowledge (bragging rights), gain recognition and bolster their egos. Hackers of old were also known for liberating information. They were esteemed for strong programming skills, at a time when almost everything was done from the command line. The majority of the viruses created were, for the most part, harmless pranks.

Today, hackers do not need any programming knowledge, because they have a wide variety of automated hacking tools at their fingertips. Automation has made it simpler to exploit vulnerabilities in software and websites, zero-days included, before anyone has the opportunity to patch them. Tools such as the script-kiddie-friendly Havij automate the whole SQL injection process and can extract sensitive database information within seconds of being pointed at a vulnerable site.
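To make concrete what an automated injector like the one mentioned above actually does, here is an added example (not code from the original article, and not Havij's own logic): a query built by string concatenation beside its parameterised replacement, run against an in-memory SQLite database. The two-step attack, probing the column count with ORDER BY and then pulling another table through UNION SELECT, is the general technique such tools automate. The schema, rows and password hashes are constructed sample data.

```python
"""Added example: string-built SQL beside a parameterised query, plus the
ORDER BY / UNION SELECT extraction an automated SQL injection tool performs.
The database below is constructed sample data, not anything from a real system."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: a public product catalogue and a
    credentials table the search feature was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99)])
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
                      (2, "alice", "e10adc3949ba59abbe56e057f20f883e")])
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """Vulnerable: user-controlled text is pasted into the statement, so the
    database parses whatever the user typed as SQL."""
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Hardened: the value is bound as a parameter. It is compared as data and
    never parsed as SQL, so an injection payload simply matches no row."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def probe_column_count(conn: sqlite3.Connection, max_cols: int = 16):
    """Step one of an automated injector: learn how many columns the original
    SELECT returns by appending ORDER BY n until the database errors out."""
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_users_via_union(conn: sqlite3.Connection) -> list:
    """Step two: a UNION SELECT padded to the discovered column count pulls
    rows from a table the application query never referenced."""
    cols = probe_column_count(conn)
    select_list = ["username", "password_hash"] + ["NULL"] * (cols - 2)
    payload = "1 UNION SELECT " + ", ".join(select_list) + " FROM users"
    rows = search_vulnerable(conn, payload)
    # The genuine product row has an integer first column; the leaked rows have text.
    return sorted((r[0], r[1]) for r in rows if isinstance(r[0], str))


if __name__ == "__main__":
    db = build_db()
    print("columns in target query:", probe_column_count(db))
    print("leaked via vulnerable search:", dump_users_via_union(db))
    print("same payload against parameterised search:",
          search_safe(db, "1 UNION SELECT username, password_hash, NULL FROM users"))
```

The parameterised version returns nothing for the payload because SQLite compares the whole string against the integer column and finds no match; it does not reject the input, so add type validation (for example `int(product_id)`) on top of binding when the value is supposed to be numeric.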

Brian Krebs remarked in a blog post in June at KrebsonSecurity: “The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter.”

Though there is still demand for real programmers in the underground economy, the requirement is not to hire a hacker to write entire software packages, only to add features and stealth to existing malware.

2011 - The Year of the Data Breach

According to F-Secure, RSA was one of the biggest hacks in history. It took only one RSA employee opening a spoofed email and its XLS attachment, an Excel spreadsheet with an embedded Flash object, to drop a backdoor (a remote access trojan, RAT). This infected the workstation, giving the attacker full remote access to it and to the network drives the employee had rights to. At the time the employee opened the Excel file the Flash bug was a zero-day, so a fully patched system would not have stopped it anyway. [Source]
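The one thing a defender could have checked for in that attachment, independent of any patch, is the presence of a Flash object where a spreadsheet has no business carrying one. Here is an added example (not code from the original article, from F-Secure or from RSA) that scans a byte blob for the fixed header every SWF file begins with: a three-byte signature, a version byte and a little-endian length. It assumes you are scanning either the raw file or an object stream you have already extracted from it; the blob it scans is constructed sample data.

```python
"""Added example: signature scan for an embedded Flash (SWF) file inside an
Office attachment or an extracted object stream. The sample blob is
constructed data standing in for a real stream."""
import struct

# Every SWF begins with a 3-byte signature, a 1-byte version and a 4-byte
# little-endian length of the uncompressed file, header included.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
SWF_HEADER_LEN = 8


def find_swf_headers(blob: bytes, max_version: int = 50) -> list:
    """Return every offset at which a plausible SWF header starts.
    The version and length sanity checks weed out the three signature bytes
    turning up by chance in text or binary data."""
    hits = []
    for sig, compression in SWF_SIGNATURES.items():
        pos = blob.find(sig)
        while pos != -1 and pos + SWF_HEADER_LEN <= len(blob):
            version = blob[pos + 3]
            (length,) = struct.unpack_from("<I", blob, pos + 4)
            if 1 <= version <= max_version and length >= SWF_HEADER_LEN:
                hits.append({"offset": pos, "compression": compression,
                             "version": version, "length": length})
            pos = blob.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def attachment_has_flash(blob: bytes) -> bool:
    """True when at least one plausible SWF header is present."""
    return bool(find_swf_headers(blob))


def scan_file(path: str) -> list:
    """Convenience wrapper for a file on disk (raw attachment or extracted stream)."""
    with open(path, "rb") as fh:
        return find_swf_headers(fh.read())


def build_sample_blob() -> bytes:
    """Constructed stand-in for an extracted object stream: filler, then a
    minimal zlib-compressed Flash header (version 10, declared length 0x1234,
    followed by a zlib stream marker), then more filler."""
    before = b"\x00" * 64 + b"Workbook" + b"\x00" * 200
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 0x1234) + b"\x78\x9c" + b"\x00" * 32
    after = b"\xff" * 128
    return before + swf + after


if __name__ == "__main__":
    for hit in find_swf_headers(build_sample_blob()):
        print(hit)
```

Two caveats for real files. A legacy .xls is an OLE2 compound document stored in 512-byte sectors, so a scan of the raw file only catches the header when the object's stream is laid out contiguously; extracting the streams first (the olefile library does this) and scanning each one is the reliable route, and for the zipped .xlsx format the parts have to be unzipped. Second, this is a heuristic: a hit should be confirmed by decompressing the body (zlib for CWS) before it is treated as more than a lead.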

RSA, Sony, Wordpress, HBGary Federal and Epsilon were a few of the more notable data breaches this year. Money is not always the chief motivation behind an attack; data can be just as valuable.

Social Engineering

With the rise of social media (Facebook and Twitter) as a popular attack vector to distribute malicious links, run coordinated phishing campaigns, hijack accounts and even control botnets, social engineering tactics still have the potential to play a strong role in cybercrime by getting the victim to trust the message.

If the message arrives in an email that looks legitimate and appears to come from a known and trusted company (spoofed, as in the RSA case), there will probably be an employee on the receiving end who will open the infected attachment.

The message can come in many forms: an urgent email from the bank, a Facebook distress message from a vacationing friend needing money, or a fake smartphone app. The end result always involves the exploitation of trust.

What do the malware and security experts have to say?

I asked three experts to answer some questions…

1) Graham Cluley, Senior Technology Consultant at Sophos and well known in the security industry, shares his thoughts on malware, social engineering and the Internet.

Bev: How much do you think the malware scene has changed over the past decade?

Graham: It's steadily grown more commercial.  Money is normally the motive. There is still some hobbyist malware being written, but it's a much smaller proportion than it used to be. But it's not *all* about the money - recently we've seen internet attacks which appear to have been about gaining an economic/commercial or even (dare I say it) potentially military advantage over another. Countries have recognized that they can use the internet to do their spying, as it's easy to deny and probably less dangerous than more traditional methods.

Bev: How much of this change do you attribute to "social engineering" tactics?

Graham: Social engineering is a very important element of many attacks. You can have your computer patched all you want, the user can still undo everything if they make a bad decision. It's frustrating to see that people haven't learnt much from old tricks. The offer of a sexy video still catches many people out, for instance.

Bev: What do you think is currently the biggest security threat on the Internet?

Graham: The biggest threat on the internet is careless users.  It can be end users making bad decisions like clicking on a link which is obviously suspect, or it can be someone in a web team not coding a website securely enough and leaving a vulnerability in place for a data-stealing hacker to waltz past.

2) Maxim Weinstein, President & Executive Director of StopBadware.org on malware.

Bev: What do you think about the changing landscape of malware today?

Maxim: Malware is constantly changing, due both to necessity (keeping ahead of evolving defenses) and to technology (malware is very different today than it was pre-Web, for example). For all that, though, two core elements of malware have remained the same. Except for highly targeted attacks, malware spreads opportunistically, typically using whatever forms of data transfer or communication are most popular. And malware consistently depends on abusing the user's trust.

Several years ago, these would have manifested themselves as a worm spreading from friend to friend by email, or a Trojan disguising itself with a Microsoft Word icon. Today, you see malicious links spread from friend to friend via Facebook, or fake antivirus alerts disguised as Microsoft security warnings. The techniques aren't new, just the particular variations.

3) Andre' DiMino, Security Researcher, Forensic Analyst and Co-Founder & ex-Director of The Shadowserver Foundation.

Bev: What is your primary area of concern for cybercrime in 2012?

Andre': I would say that mobile malware will be an area of concern for 2012. As the mobile and desktop platforms continue to converge in functionality and utility, we will certainly see attacks ramp up on the mobile side. Targeted attacks will continue to evolve and cross over to a wider victim area.  I would say that even the info-sec community will recognize that APT isn't just a buzzword, the threat is active and genuine, and in place even as we speak.

Closing Thoughts

With more dependency on mobile devices, the cybercrime landscape is sure to see intense competition in the development of smartphone MalApps (malware applications). With more people banking, browsing the Internet, gaming and visiting social networking sites via their smartphones, Windows-based systems may see a major downturn in attacks in 2012.

 

Thanks to Bev for compiling this insightful article, with valuable input from Graham, Maxim and Andre'. You may contact Bev on Twitter at @teksquisite.

 

- Kakroo