Category: Uncategorized

Access to Public Web/E-mail: Vulnerability #1
Over 90 percent of business executives who responded to Bluefire’s survey are using their device for email, either for a web-based account or for a corporate server-based account. An attack can be anything from a hacker at Starbucks who is accessing the data on someone else’s device, to someone using Bluetooth to steal personal information from another person’s handheld. “Trojans” can be defined by something posing as something other than itself. For example, a “Trojan” can be an application that can open a port that should not be opened, allowing outsiders access to the device. Firewalls set rules for the device that designate which ports are allowing traffic into the device. A firewall can keep certain attacks out by blocking the ports that would allow those viruses in. Using Bluetooth requires the devices to be within 30 feet of each other while IR control requires the devices to point at each other from closer than 30 feet.

Some mobile security software controls can be used to keep wireless connections turned off. While most device owners are not using IPSec VPNs for personal communications, they should at least insist on secure web-based connections using SSL encrypted communications. Integrity Manager is an application that monitors the settings on each device and will quarantine the device if the settings change. Anti-virus with automatic updates also keeps your smartphone protected by providing an up to date list of all known viruses from which the software can scrub emails and attachments, just like on your notebook or desktop.

Access to Corporate Email, Networks, Databases: Vulnerability #2
Smartphones and wireless devices are often used to gain access to the enterprise server for e-mail, shared files, and shared databases. Yet as with other wireless networking options, this also leaves the device open to attacks, viruses, or “Trojans”, and ultimately makes the network vulnerable as an unsecured device connecting to a secure server makes that connection unsecured.

Mobile Security Solution: Vulnerability #3
Mobile security features for protecting lost or stolen devices. Bluefire has seen an increasing number of government and enterprise customers requesting that Bluetooth and IR be temporarily or permanently blocked from use. If a device is lost or stolen, the private information becomes open and accessible.

http://www.blackberrytoday.com/articles/2006/6/2006-6-1-Mobile-Device-Security.html

A year ago, network-based IPS was all the rage, whereas HIPS had an estimated 1% market-penetration rate, according to Gartner Inc. in Stamford, Conn. But new attack routes into the enterprise — such as the recent Windows Metafile (WMF) vulnerability — have forced IT organizations to rethink their tactics. In a recent Forrester survey of 150 enterprise technology decision-makers, 28% of respondents said they plan to purchase desktop HIPS during the course of the year, says Lambert.

Alaska, however, is ahead of the game. It is most of the way through an implementation of Cisco Security Agent (CSA) from Cisco Systems Inc. Along with the 19,000 desktops — primarily Windows-based ones, with a few Linux and Macintosh systems — CSA also protects about 2,000 servers across dozens of data centers. Software like CSA watches for behavior that would indicate spyware activity, such as a program opening a file in a temporary folder.

Software like CSA watches for behavior that would indicate spyware activity, but that is by no means the only way such tools operate. Most include several functions: In addition to host intrusion prevention, they can incorporate adware protection, protection against buffer-overflow attacks, firewalling, various forms of system hardening, malicious mobile-code protection and even signature-based modules.

Proventia Desktop from Internet Security Systems Inc. (ISS) in Atlanta is used on about 2,500 seats campuswide, most of which are student laptops — 95% run Microsoft Windows XP and the rest are Macintoshes.

“Some colleges have attempted to dictate to their students, but you really can’t control what they put on their laptops,” says Hammon.

Unlike virus signatures, though, they need to be delivered only about once a month. Instead of constantly scanning and analyzing every system call and application as CSA does, its SpyWall software zeroes in on the primary avenue of attack – via Web browser. For example, SpyWall blocked the latest Internet Explorer createText-Range zero-day exploit without using any signatures. “After we put in SpyWall, we didn’t get any more infections for six months,” says Robert Wong, network administrator.

First came enterprise-class anti-virus tools and then firewalls, IDS and spyware protection. But with each advance, attackers managed to outwit the defenses. Antivirus and spyware technology now appear to be morphing into back-line defenses, which are used to mop up employee goofs and safeguard against known threats.

That’s why the likes of Symantec Corp., CA Inc. and Cisco are gobbling up desktop HIPS vendors: Symantec bought ManHunt, ISS acquired BlackICE, Cisco bought Okena, and CA now owns Tiny Software Inc.

The next major release of CA Integrated Threat Management will include a firewall and HIPS.

“Most companies are sitting ducks,” says Nancy Flynn, founder and executive director of the ePolicy Institute. “They don’t realize that E-mail is the electronic equivalent of DNA evidence.”

Bill Gates wasn’t thinking about that when he sent messages to Microsoft executives in 1996 discussing the need for the company to increase its share of the Web browser market. Two years later, he had to explain his written statements under oath when the federal government accused the company of violating antitrust laws when it crushed Netscape in the Web browser market. Watching Gates squirm–and grab headlines–in a court case involving E-mail should have been fair warning to all business executives and other high-ranking officials to exercise greater caution when writing E-mails.

Failure to get a handle on E-mail–and soon instant messages and blogs and other forms of business communications–can cost companies money and their reputations. Morgan Stanley learned that lesson the hard way. It’s been hit with millions of dollars in Securities and Exchange Commission and court fines as well as legal judgments for violating E-mail retention rules. And it’s been embarrassed by archived mail introduced in a wrongful termination case that showed, among other things, its CTO hitting up vendors for tickets to sporting events.

Many industries have regulations such as the Health Insurance Portability and Accountability Act in health care, and all public companies are governed by Sarbanes-Oxley. “The first thing my clients want to see now is E-mail and E-mail attachments,” says Eric Blank, managing attorney of law firm Blank Law & Technology, which specializes in electronic evidence detection. If a company has to review millions of pages of E-mail, legal fees of $300 an hour can quickly add up to hundreds of thousands of dollars.

The average company creates at least a million messages each day, Forrester Research estimates. But technology tools and services can help companies monitor and manage that E-mail, including specialized archiving, retrieval, and discovery software.

Blank turned to archiving software from Postini to sort through the messages, eliminate the captured spam, and create files of relevant E-mail for use in regulatory compliance.

Transatlantic Reinsurance, a provider of insurance to the insurance industry, operates within a “very litigious environment, as the insurance industry is highly scrutinized,” says Socrates Pichardo, VP of IT. The company was receiving numerous search requests from its IT and legal teams that required the manual review of thousands of E-mails. The offering lets customers automate information collection and archiving and avoid the “save everything” strategy by saving only what needs to be saved.

Consultants offer advice on classification and policy services, records management and assessment, E-mail archiving assessment, tape restoration and migration planning, and data erasure.

Businesses in the past year have shifted their attention from border security to regulatory compliance, so the services company needs to help its customers retain messages for compliance reasons as well as preserve other valuable communications.

http://www.informationweek.com/news/showArticle.jhtml?articleID=187200562

Priority One: Make sure employees are well trained to recognize and respond to threats
Priority Two: Eliminate passwords
Priority Three: Keep it simple

http://www.darkreading.com/document.asp?doc_id=93336&WT.svl=column1_2

“A CEO’s favorite visualization of metrics is a stock chart, a 1-inch square that contains a month’s worth of opening and closing prices, a trend line and several other indicators.

By no means does Jaquith (or CSO for that matter) think these five metrics are the final word on infosecurity. Quite the contrary, they’re a starting point, relatively easy to ascertain and hopefully smart enough to get CISOs thinking about finding other metrics like these, out in the vast fields of data, waiting to be reaped.

Your coverage of devices by these security tools should be in the range of 94 percent to 98 percent. If in one quarter you’ve got 96 percent antivirus coverage, and it’s 91 percent two quarters later, you may need more formalized protocols for introducing devices to the network or a better way to introduce defenses to devices. “At any given time, your network management software doesn’t know about 30 percent of the IP addresses on your network,” says Jaquith, because either they were brought online ad hoc or they’re transient. How to get it: Run network scans and canvass departments to find as many devices and their network IP addresses as you can. Then check those devices’ IP addresses against the IP addresses in the log files of your antivirus, antispyware, IDS, firewall and other security products to find out how many IP addresses aren’t covered by your basic defenses.

Maximum coverage, while an important baseline, is too narrow in scope to give any sort of overall idea of your security profile. For example, percentage coverage by class of device (for instance, 98 percent antivirus coverage of desktops, 87 percent of servers) or by business unit or geography (for instance, 92 percent antispyware coverage of desktops in operations, 83 percent of desktops in marketing) will help uncover tendencies of certain types of infrastructure, people or offices to miss security coverage. That is, 98 percent antivirus coverage of manufacturing servers is useless if the average age of the virus definitions on manufacturing’s servers is 335 days. Here’s an example: plotting the percentages of five business units’ antivirus and antispyware coverage and the time of their last update against a companywide benchmark.

Patch latency is the time between a patch’s release and your successful deployment of that patch. As with basic coverage metrics, patch latency stats may show machines with lots of missing patches or machines with outdated patches, which might point to the need for centralized patch management or process improvements. At any rate, through accurate patch latency mapping, you can discover the proverbial low-hanging fruit by identifying the machines that might be the most vulnerable to attack. One possible visualization: For data where you can sum up the results, such as total number of missing patches, a “small multiples” graphic works well.

Password strength: This metric offers simple risk reduction by sifting out bad passwords and making them harder to break, and finding potential weak spots where key systems use default passwords. Password cracking can also be a powerful demonstration tool with executives who themselves have weak passwords.

Gratuitous pictures, 3-D bars, florid design and noise around the data diminish effectiveness.

One possible visualization: An overall score here is simple to do: It’s a number between 1 and 10. To supplement that, consider a tree map. Tree maps use color and space in a field to show “hot spots” and “cool spots” in your data. They are not meant for precision; rather they’re a streamlined way to present complex data. They give you a feel for where your problems are most intense. In the case of platform-compliance scores, for instance, you could map the different elements of your benchmark test and assign each element a color based on how risky it is and a size based on how often it was left exposed. Be warned, tree maps are not easy to do. But when done right, they can have instant visual impact.

Legitimate e-mail traffic analysis is a family of metrics including incoming and outgoing traffic volume, incoming and outgoing traffic size, and traffic flow between your company and others. There are any number of ways to parse this data; mapping the communication flow between your company and your competitors may alert you to an employee divulging intellectual property, for example. The fascination to this point has been with comparing the amount of good and junk e-mail that companies are receiving (typically it’s about 20 percent good and 80 percent junk). Such metrics can be disturbing, but Jaquith argues they’re also relatively useless. By monitoring legitimate e-mail flow over time, you can learn where to set alarm points. At least one financial services company has benchmarked its e-mail flow to the point that it knows to flag traffic when e-mail size exceeds several megabytes and when a certain number go out in a certain span of time. How to get it: First shed all the spam and other junk e-mail from the population of e-mails that you intend to analyze. Then parse the legitimate e-mails every which way you can. Added benefit: An investigations group can watch e-mail flow during an open investigation, say, when IP theft is suspected. Try this: Monitor legitimate e-mail flow over time.

CISOs can actually begin to predict the size and shape of spikes in traffic flow by correlating them with events such as an earnings conference call.

You can also mine data after unexpected events to see how they affect traffic and then alter security plans to best address those changes in e-mail flow. Time series simply means that the X axis delineates some unit of time over which something happens. How to get it: Build a risk indexing tool to measure risks in your top business applications. Expressed as: A score, or temperature, or other scale for which the higher the number, the higher the exposure to risk. Could also be a series of scores for different areas of risk (for example, business impact score of 10 out of 16, compliance score of 3 out of 16, and other risks score of 7 out of 16). Added benefit: A simple index like this is a good way to introduce risk analysis into information security (if it’s not already used) because it follows the principles of risk management without getting too deeply into statistics. Try this: With your industry consortia, set up an industrywide group to use the same scorecard and create industrywide application risk benchmarks to share (confidentially, of course).

To this excellent article, the author suggests to use the measurment of Incidents and their impact as a metric.

http://www.csoonline.com/read/070105/metrics.html

“We started seeing huge vulnerabilities,” Borg said Wednesday at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. “And portions of those systems were extraordinarily secure. But they were Maginot Lines,” susceptible to being outflanked. The problem is that existing best practices are static lists based on outdated data. “We are way into diminishing returns on our investments in perimeter defense,” he said. “To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what … the consequences [would] be.”

The list is based on real-world experience and on economic analysis of breaches. Surprisingly, the researchers found that simply shutting a system down is not the biggest threat in most areas of critical infrastructure. “Shutting things down for two or three days is not that costly,” Borg said. The larger threat is disruption of systems in ways that are not immediately evident.

“All of the things we are talking about are already under way,” Borg said, but some of the items in the checklist have no cost-effective commercial solutions. Borg said he hopes industry will step up to the plate to create solutions, and that government will adapt its acquisition policies to create incentives for these developments.

Borg said there is no schedule for final DHS approval of the draft. Additional information about the checklist is available from Borg at mailto:scott.borg@usccu.us.

http://www.gcn.com/online/vol1_no1/40564-1.html