
February 2010 Archives


Hulver's Impressive IT-Security Background Over Nearly Two Decades and Dedication to Improving America's Security Posture Underscore Reasons for Award

Tracy Hulver, Executive Vice President of Products and Marketing of netForensics, has been named a 2010 Security Superstar by CRN's Everything Channel. CRN's comprehensive list represents today's thought leaders and technology innovators in the information security industry.

"The IT security industry is a rapidly changing landscape that continues to challenge both security vendors and companies of all types and sizes. I am honored to play a role in helping companies gain clear visibility into their security posture," said Tracy Hulver. "The Solution Provider Community is at the forefront of helping businesses improve and manage the security of their networks and through their efforts we can better defend against complex and malicious threats to corporate and government data as well as critical infrastructure."


Money for Data


As Gordon Smith from Canaudit Inc. pointed out this week, "What do hackers want? They want your data." They go to great lengths not only to obtain your data but to correlate that data to make it even more valuable to their clients.

Last year we posted an article published by the German online news service "wiwo.de" on a sting operation that involved millions of consumers' correlated information for sale, which may have come partly from well-known back doors in customer corporate data.

Today it was published that Deutsche Telekom found itself in the middle of a scandal, accused of giving mobile phone retailer The Phone House access to data on 16 million T-Mobile Germany customers, according to the report published at wiwo.de, "Deutsche Telekom: violation of the law, by secret agreements?"

As we have seen through the recent attacks on Google and Intel, no matter how your infrastructure is secured, you can become a target for an attack that may have been in the planning for some time, or for someone waiting for that pre-zero-day vulnerability that allows them access to trust relationships.


Who has access to your personnel information, and what information is available from their browsers and shares? As Gordon points out in his article, it may be as simple as someone bringing in a laptop that has internet access, or wireless scans from your lobby or elevators.


According to the New York Times Bits section, Intel and Google were under "sophisticated" cyber attacks in around the same time frame. Intel reports that although the events were close in time, they were unrelated. The cyber attacks against Intel were reported in its annual report to the Securities and Exchange Commission. Intel reported that it did not suffer a widespread attack and no intellectual property was exposed.

On 2/20 the New York Times reported that two Chinese universities were involved in the attacks against Google and other corporations; since then the universities have denied any involvement in the attacks. "It was not until 2006 that our graduates began to join the army. So far, 38 students have been recruited by the military for their talent in auto repair, cooking and electric welding," said Zhou Hui, director of Lanxiang school's general office. He disputed claims in the New York Times article, which cited anonymous officials from the US National Security Agency, that there was a link to a computer science class taught at the school by a Ukrainian professor.

In other news, Telegraph.co.uk published that cyber attacks in 2009 cost on average 1.2 Pounds a year.


Last October we published information regarding a report by Northrop Grumman, a study done for the U.S.-China Economic and Security Review Commission, that describes similar tactics. (Thank you, Niels Groeneveld of "Operation Aurora", for reminding me about the relationship.) If you have not read the Northrop Grumman report, it is an interesting read on the social and economic effects of this type of behavior.


SIEM in the Cloud Solutions Drive 3rd Consecutive Quarter of Growth

netForensics' continued growth this quarter was achieved in large part due to its market-ready SIEM in the Cloud solutions. For organizations looking to deploy software-as-a-service (SaaS), Cloud security is a primary concern. netForensics' capabilities of adding a defensive layer to the cloud architecture enable organizations to achieve the same level of situational awareness as if the security was installed locally. For those organizations that require additional security expertise to mitigate the increasing threats facing their environments, netForensics' deployments with Managed Security Service Providers provide yet another option to ensure an acceptable level of risk.


Developing an Information Security Privacy Schedule for Service Provider Transactions by David Navetta.

This article points out the need for customers to develop Information Security and Privacy Schedules as part of their Service Provider agreements. As more and more of our Information Technology and Information Security moves to outsourced technologies, customers need to be aware that not only are they still responsible for the privacy and security of their data, but they may also be undertaking the risks involved with utilizing the service provider's information security environment.


"The Customer should think of the Service Provider's security as an extension of their own internal security." IT Services and Information Security Management must undertake the security of how the trust relationships with their Service Providers are handled and how those relationships may impact the business, should the Service Provider be compromised or suffer a breach.

In David Navetta's closing statement, he mentions the impact of incidents, not from the initial exploitation of an exposure but from the aftereffects concerning liability and reputation damage. "First, it is not unusual for a security incident to yield 'consequential damages' in addition to 'direct damages,' including loss of profits, lost customers, attorney fees, breach notice costs and other similar costs. If the overall contract contains a consequential damages disclaimer, the Customer should endeavor to get an exception for consequential damages arising out of a security incident and/or breach of the Schedule."

The credibility and reliability of your information security program are now an integral part of the stability and reputation of the business, along with how well you are maintaining the trust relationships with your business partners and service providers, which are now part of your extended business and control environment. The days of IT involving a few core services are gone, replaced by data moving in and out of the environment for outside processing and storage, site-to-site VPNs, international privacy and security laws covering internal and external data, and the rise of "cyber insurance". David's article covers a wide variety of suggestions for what can be included in the Security/Privacy Schedule in contractual agreements with Service Providers.



Yesterday, at the Security Awareness for 2010 ISACA meeting in Philadelphia, John Raezer delivered a welcome presentation on Risk Management Effectiveness.

He covered how Information Technology and Information Security Management must understand the business model: what are the key assets, what are their exposures and vulnerabilities, and, from the peril of a threat, what would be the outcome? It is not only the identification or recognition of an incident, but what was the root cause and what were the contributing factors, and how does this information get included in or relayed back to Business Intelligence information? What is the distribution of events, not only in near real-time but historically: their severity, impacts and risk response, what policies and procedures were used in containment, mitigation and follow-up steps, what were the contributing factors, and who owns the risk relationships?

His example of why frameworks such as BASEL, COSO and COBIT are so important was that the thing that most affected corporate reputation with business partners, customers, and suppliers was accounting irregularities. By far, accounting irregularities carried the highest corporate reputation risk of affecting your business with suppliers, business partners, and customers; he cited some recent banking incidents as an example of customer and partner distrust.

He also covered the need to study and understand which disruptive technologies will have an impact on business processes, how many industries are using chaos theory for risk assessment, black swan events (the unexpected), and how we must understand the Language of Risk, not only in the physical world but in the virtual world. He believed that eventually there will be Risk Management Accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.


According to IT World Canada:
A Microsoft-employed forum moderator had other advice. "For the people who installed [the update but] cannot start the computer normally, it is better to wait for the next stability and reliability update," said Arthur Li on Feb. 1. "Since there are thousands of different hardware and software configurations, it is hard for Microsoft to test the updates on all the different hardware and software configurations."

Microsoft Support


If there is one thing that makes everyone kind of nervous, it is the instability of new operating systems being deployed in the enterprise; with IE having control issues, there would be a concern that the OS would also have stability problems.



Firefox Add-Ons Include Trojan


Just a quick note that 2 Mozilla Firefox Add-Ons were found to include a little more than bargained for in the form of Windows-based trojan malware. To be sure, these weren't the most popular add-ons in the catalog, with only around 4,600 downloads between the 2 infected offerings.

These add-ons were available for download from the Mozilla site. This only goes to underscore the importance of having your local scanners active and up to date. You shouldn't blindly download, install or run code from any website, vendor or media regardless of its intentions or reputation. "Trust but verify," seems to apply here.


Jason Ross's presentation at the Blackhat DC conference addressed the issues with checkbox compliance: companies are using checkbox compliance as a means to indicate whether they are secure, when in fact it should be deemed the lowest possible level of acceptance, a baseline. He points out, as others have, that some of the largest privacy compromises of personal information happened at companies that had passed their external PCI audits. Compliance is absolutely wonderful; it enforces at least a baseline of requirements, but it should not be treated as a seal that protects you from exploits and non-publicized holes in the grid.
Blackhat SEO

Jason points out the difficulties of detecting malware in enterprise environments: by the time the antivirus sends off an alert about a piece of malware or a virus being seen, it's usually too late and you have already been owned. As Dan Geer pointed out a few years ago at the Gartner Risk Conference, it's hard to get exact metrics on what is happening, because by the time that alert kicks off, 6 other events have already happened that were not detected.

IT and Security administrators who have been through some of these malware wars with downloaders and polymorphic attacks know that just because the antivirus says it's cleaning up, there are way too many other things happening. I once saw something interesting: a polymorphic virus was loaded on a system that had Microsoft's development studio on it, and we could watch as the polymorphic virus recompiled other malware from its code that would attempt many ways to infect the machine and other machines quickly, and one time there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started; unfortunately, without a historical view of activity on this node and user, that information and the correlation of events will be difficult.

Jason Ross points out that the goal of malware now is to have business support models. The objective is not to be noisy but to very quietly perform the tasks of infecting other hosts and using a network of hosts to make money. He also notes the use of malware like URL Zone and Monkif.

In the presentation he talks about Spider Monkey, by Didier Stevens, a tool for helping to analyze malcode, and about the use of sandnets to isolate malcode in action so that it can be analyzed to determine what it wants to connect with or what services or files it wants to abuse. With polymorphic viruses that constantly change, it's usually interesting to observe them in action in a closed environment.

Years ago, in a movie whose name I can't remember, the analysts were collecting them and keeping the code and binaries for sale and redistribution, or modifying them in some way so as not to be detected.

Another point from the presentation is that malcode writers are now writing malware so that it cannot be easily detected by signatures, by using multicode in which each binary performs a small function of the code.

via this Black Hat briefing


At the Blackhat Conference in Washington D.C., David Litchfield revealed a privilege escalation session and scripts that could be used by anyone with basic session access to gain administrative privilege on an Oracle 11g database and administrative access to the operating system files.

One of the interesting topics at the beginning of the presentation was the number of security vulnerabilities reported by Oracle or other researchers compared to the number reported against Microsoft SQL Server 2005 and 2008, although I would have expected the complete reverse on the number of vulnerabilities reported against each product. David used Java calls in Oracle Aurora to gain access.

Oracle and Java Stored Procedures


SOURCE: FORBES.COM


© 2009 netForensics, Inc