Security News Curated from across the world
Hackers both set up malicious blogs on the service, and inject dangerous web links and content into innocent blogs in the form of comments.
Blogspot.com accounts for 2 percent of all of the world’s malware hosted on the web.
http://www.net-security.org/malware_news.php?id=962
Officials at VeriSign’s iDefense Labs reported last month that 15,000 people fell victim to spear phishing attacks by two different groups during the preceding 15 months.
Intrepidus provides templates to help organizations simulate attacks and allows organizations to measure, track and report on employees’ responses to the tests.
PhishMe does not collect sensitive information, Higbee said, explaining that JavaScript on the Web site overrides anything users actually input into fields during tests.
http://www.eweek.com/c/a/Security/Security-Service-Helps-Organizations-Test-Awareness-of-Phishing-Attacks/?kc=rss
Respondents also reported additional business costs from compromised security, including: Loss of productivity — 61 percent in 2008 compared to 52 percent in 2006.
The CA survey results show there has been significant time and IT budget spent on IT security compliance to help meet regulations and mitigate future risk. The survey results point to Identity Access and Management (IAM) solutions as a key and growing area of security investment by large U.S. organizations. Survey respondents indicate that more than 85 percent of large U.S. organizations are using an IAM solution, with 75 percent of those organizations planning to make further IAM investments within the next 12 months.
http://www.net-security.org/secworld.php?id=6333
At the same time, it’s likely you won’t have thought of everything or implemented defenses against every possible attack. It’s very unlikely you have a home defense management plan or have ever run a penetration test against your home.
As we build software, regardless of whether we’re in an agile or a waterfall world, we need agreement on what we’re building, what we’re not building, and what we’re doing to ensure we’re building the right thing. In the past few years, a perception that threat modeling is a heavy, bureaucratic process has been generated. There are some good reasons to move toward adding processes; I’d like to talk about them, some lessons learned from these processes, and how to put the fun back in threat modeling while making it an efficient, agile-friendly activity that anyone can do.
Approaches to Threat Modeling
There are many things called threat modeling. Rather than argue about which is “the one true way,” consider your needs and what your skills, abilities, and schedules are, and then work with a method that’s best for you. As part of that approach, some people ask, “What’s your threat model?” and “Have you threat modeled that component?”
One is requirements elicitation, the other design analysis. At Microsoft, we almost always mean the latter technique. There are more threat modeling methods out there than I can dream of covering in one column. There’s also a tremendous diversity of goals. Should your threat modeling process be fast or deep? Should it focus on assurance and completeness, or ease of use? Should you involve experts or developers in every meeting? Do you have organizational or industry rules you need to follow, such as the Microsoft® Security Development Lifecycle (SDL) or the rules for medical device manufacturers?
The high level objective should be to understand security issues early so you can address them in the design rather than try to overcome design flaws later. Some of the major ways to approach threat modeling activity include the following:
Assets
Asset-driven threat modeling is much like thinking about what you want to protect in your house. You start by listing what assets your software has associated with it, and then you think about how an attacker might compromise those assets. Examples include a database that stores customer credit cards or a file that contains encrypted passwords. Some people may interpret an asset as an element of the threat modeling diagram, thinking that a Web server itself is an asset. Digital assets are things an attacker wants to read, tamper with, or deny you the use of.
Attackers
Attacker-driven threat modeling involves thinking about who might want your assets, and it works from an understanding of their capabilities to an understanding of how they might attack you. This works great when your adversary is a foreign army with a known strategic doctrine, physical world limits, and long-lead-time weapons systems development. This works less well when your adversary is a loosely organized group of anonymous hackers. More generally, it’s not clear this is useful in software threat modeling. There are certainly people for whom “think like an attacker” is an effective part of design analysis. It’s less clear that this is a reproducible process in which people can get training. If you’re going to start from attackers, it’s probably worth using a standard set. It will be helpful to have a small set of these anti-personas written out.
Software Design
Design-driven threat modeling is threat modeling based on where your fences and windows are. You draw diagrams and worry about what can go wrong with each thing in your diagram. (This is the essence of the SDL threat modeling process today because everyone in software knows how to draw diagrams on a whiteboard.) The software equivalents of fences and windows are the various forms of attack surface, such as file parsers or network listening services—sockets, remote procedure call (RPC) services, Web services description language (WSDL) interfaces, or AJAX APIs. They’re the trust boundaries where you should expect an attacker to first get a foothold.
A Quick and Dirty Threat Model
Threat modeling doesn’t have to be a chore. Following the process illustrated in Figure 1, here is the outline of a basic threat modeling process that will get you going quickly and painlessly: Diagram your application, and use this to tell your app’s story in front of the whiteboard (see Figure 2). Use circles for code, boxes for things that exist outside of it (people, servers), and drums for storage. Our team uses funny looking parallel lines for data stores. Draw some trust boundaries using dotted lines to distinguish domains. When you get stuck, apply the STRIDE threat model, described in Figure 3, on each element of your app. All the threats in one place may mean you’re worried about the front door and not worrying about anything else. A third order defense might be an alarm system on the door, and to mitigate the threat of someone cutting the wire, you send a regular message down the wire. If you find yourself worrying about the software equivalent of what happens when someone cuts the phone wire to the alarm system before you worry about locks on the doors, you’re worrying about the wrong things.
File bugs so you can fix what you found threat modeling. Modifying a DLL on disk or DVD, or a packet as it traverses the LAN. Allowing someone to read the Windows source code; publishing a list of customers to a Web site. Crashing Windows or a Web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole. Elevation of Privilege Authorization Gain capabilities without proper authorization.
Finally, you need to account for the availability of time and resources both for your threat modeling process and any resulting mitigation and testing.
Microsoft has found that threat modeling works better with a security expert in the room, but there isn’t always one available. You can get decent results by giving people structure and feedback on their work, and by breaking it down into small, easy pieces with rules and self-checks in each one. For problems validating the threat model and your mitigation plan, look to see whether the diagrams represent the code and whether you have agreement between developers and testers on that.
http://msdn.microsoft.com/en-us/magazine/cc700352.aspx
The report includes real documented discussions conducted by the company’s researchers with resellers of stolen data and their “bosses”, confirming it’s analysis of the current state of the cybercrime economy.
“Over the course of the last 18 months we have been watching the profit-driven Cybercrime market maturing rapidly… This makes businesses today even more vulnerable for cybercrime attacks, especially considering the maturity of the cybercrime market and its well-structured cybercrime organizations,” said Yuval Ben-Itzhak, Finjan’s CTO.
The report explores the trend of loosely organized clusters of hackers trading stolen data online being replaced by hierarchical cybercrime organizations. These organizations deploy sophisticated pricing models, Crimeware business models refined for optimal operation, Crimeware drop zones, and campaigns for optimal distribution of the Crimeware. These cybercrime organizations consist of strict hierarchies, in which each cybercriminal is rewarded according to his position and task. Directly under him is the “underboss”, acting as the second in command and managing the operation. This individual provides the Trojans for attacks and manages the Command and Control (C&C) of those Trojans.
As a preventative measure, businesses should look closely at their security practices to make sure they are protected.
http://www.security-industry-today.com/news/news_all.asp?ID_key=381
Sixty-six percent of respondents say their vulnerability to breaches and malicious code attacks is either the same as last year or worse.
Since when is “no worse than before” an acceptable return on investment? The solution lies in securing to specific threats. The problem is that IT lags well behind other disciplines in adopting systematic risk management processes. But those technology professionals who have made the leap into classifying IT assets, assigning values, evaluating threats, then determining where and how to mitigate risk find the process to be extremely valuable. In short, risk management principles bring rigor to information security.
Here’s one illustration from our security study of how risk management can focus companies on the most important threats: Insecure coding practices are a pox on all our houses.
Roughly half of respondents whose organizations have risk management plans in place specify security features at the time of application design.
Of those without risk management plans, just 22% focus on code security.
We need the jolt that this security study provides.
Twenty-one percent of companies never conduct security risk assessments, and of those that do, just one in five imposes the rigor of using a specialized external auditor.
This despite 63% contending with government or industry regulations related to data security, many of which don’t give adequate guidance on how to comply. Best practices are the best defense in such gray areas.
mployee data.
We had hoped that the ongoing parade of high-profile data losses would set most companies on the road to comprehensive privacy protection. So we were discouraged that the only actions to safeguard customer data that are used by more than half of companies are … informing employees of standards and putting a privacy policy on the Web site.
Fine steps, but they don’t exclude the need for encryption (used by 34%) or privacy policy audits (25%). Amazingly, 11% say they have no privacy safeguards for customer data.
We could go on, and we will. But we need to stop for a second and ask, what gives?
WHAT DO WE GET FOR THE MONEY?
There’s no blaming the financial powers that be. For nearly 30% of respondents, security accounts for at least 11% of the total IT budget.
The bad news: Viruses, phishing attacks, and worms continue to cause headaches, and companies keep pouring money into firewalls and antivirus protection.
Speculation that these product categories would fade away, or at least be assimilated into other technologies, is premature, as 13% say their vulnerability to breaches and malicious code is even worse than last year.
And they’re the only two product categories rated as effective by more than half of respondents.
Complexity, cited as the biggest security challenge by 62% of respondents. More data is ending up on the network. More agents are running on company computers, and employees expect some control over the PCs they use. As travel and energy costs skyrocket, companies are increasing the use of branch offices and teleworkers, a trend that spreads data far and wide as people expect to work securely from customer sites, home, or the coffee shop down the street. Complexity also stems from juggling multiple compliance requirements, training and educating staff and users in security awareness, and coping with increasing technical sophistication of networks.
Most organizations–63%–must comply with one or more government or industry regulations, many of them vaguely worded and offering little guidance on translating requirements into technology. To meet compliance goals, Kevin Sanchez Cherry, information systems security office program manager with a U.S. government department, says he applies best practices, which he determines by consulting a variety of sources, including the National Institute of Standards and Technology, the SANS Institute, and colleagues facing similar challenges.
Electric Insurance spends about 20% to 25% of its project planning time on risk analysis and management, says Michael Hannigan, manager of systems engineering and support. Because the entire process, from planning to postproduction, includes risk analysis, Hannigan finds potential problems are identified and addressed early.
Risk assessments primarily are used to develop mitigation policies and fix vulnerabilities; that can yield process-oriented efficiencies, such as leveraging databases to simplify asset management and policy compliance.
http://www.informationweek.com/news/security/management/showArticle.jhtml;jsessionid=TVNSCDTAPU452QSNDLPSKHSCJUNN2JVN?articleID=208800942