Major security breaches, defined by a survey “as one that caused real harm, resulted in confidential information taken or interrupted business,” are slowly increasing and are most often attributed to human error (47%), rather than technical problems.
IT directors welcome Big Four’s corporate security initiative
The consortium, which includes the Big Four accounting firms and insurance giant AIG international, aims to agree a cyber-risk model that can be used by companies in all industries.
Auditors and insurers could also use the “risk preparedness index” to help decide whether a company has adequate IT security arrangements.
Although details of the framework have yet to be finalised, security experts believe it will focus on an organisation’s IT security safeguards, such as its firewalls and anti-virus software, and compare this against the security threats it faces.
“IT infrastructure risk management is of critical importance to the industry and Barclays broadly welcomes the principles behind this initiative,” said Barclays group chief technology officer Kevin Lloyd. “We will continue to monitor the development of this framework with interest and potentially inclusion in the shaping of the framework.”
Nick Leake, director of operations and infrastructure at ITV, said, “I think the real value of this approach is in sorting out the companies with dreadful levels of non compliance/operation from those with high levels – it won’t be much use in distinguishing the better of two already very compliant operations. And as with all these things, it will have to be kept up to date.”
Industry experts said that an accepted model for measuring security risk would be a breakthrough if widely adopted and would also help IT departments justify security spending.
“The new security standard looks promising, although a lot of the devil will be in the detail,” said Graham Titterington, principal analyst at Ovum. “It will make it easier for people to justify spending on IT security because the backers of the standard are blue chip companies, which gives it credibility with the board.”
Neil Barrett, technical director of security consultancy Information Risk Management, said the proposed security standard would allow IT directors to measure their organisation’s security arrangements against a benchmark.
http://www.computerweekly.com/articles/article.asp?liArticleID=129789&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1
Delivering the 12kb Bomb
A young virus writer, sitting in his underwear in his parents’ dark basement, takes a hex editor and modifies a few bytes of the latest Netsky.M (16.5kb), Beagle.J (12kb) or Mydoom.G (20kb) mutation, spawns a new virus variant, and then releases it into the wild.
The resulting few thousand compromised machines, a conservative estimate perhaps, will sit naked as drones or “bots” on the Internet, waiting patiently for their summons and commands.
A mere 12 kilobytes of action-packed code is impressive.
For a 12 kilobyte Beagle, you get total system compromise, plus a highly effective spam engine.
The latest code that brings a Microsoft computer to its knees is small enough that it could be silk-screened onto an extra-large t-shirt: a walking time bomb, if you will.
With today’s monolithic software programs and operating systems, often barely fitting compressed on a CD-ROM, it’s easy to see how small bits of malicious code can slip under the radar.
I still remember the days, many computer-years ago now, when BackOrifice and SubSeven Trojans first came out.
At just over 100kb, they were impressive in their day.
Back then most people were running Windows 98, and a small 100kb email attachment could easily slip into the operating system and wreak havoc without ever being noticed.
Today these 100kb Trojans are monolithic in comparison to our modern email-based worm-virus-backdoor-spam-engines that tend to be under 20kb; these old relics are still a useful footnote, however, for watching the long-term evolution of malicious code.
Speaking of monolithic: Windows XP Home Edition requires approximately 1,572,864 kilobytes (1.5Gbytes) for a typical install, according to Microsoft.
Of course, it’s better/faster/easier-to-use than previous versions, as the advertisements say, and if you believe the literature too it’s also less buggy and significantly more secure.
The public relations spin machine for such a large company is fascinating to me. Windows has become bloated into millions and millions of lines of code, yet it only takes a mere 12 kilobytes to provide full system compromise and an annoying spam engine.
The divide between David and Goliath has never been greater.
Consider an analogy on the size of modern malicious code: if Windows XP were the size of the Empire State Building, then the little barking Beagle virus – the size of a small dog – can come in through the front door, lift its leg, deliver its payload, and somehow cause the entire building to come crumbling down.
The latest craze in the virus-worm-spam war has seen computer worms crawling inside of other computer worms – like watching maggots crawl on top of each other as they make their way through a tender piece of meat.
Some of the latest worms found in the wild have multi-vector propagation algorithms and also make use of previous viral infections by Beagle and Mydoom.
I do not know to what extent Microsoft’s code is scrutinized through an exhaustive security audit, but two years after Bill Gates’ long-heralded announcement the holes in the cheese are larger than they’ve ever been.
For now we’re stuck with millions and millions of lines of code compiled into a giant operating system that can be wiped out of existence remotely with nothing but a small 12 kilobyte piece of code, launched by someone in his underwear on the other side of the world.
http://www.theregister.co.uk/content/55/36345.html
Bridging the gap between security and developers
Peter Wood, partner and chief of operations at First Base Technologies, said that because developers are not security professionals, their application development stresses functionality, not security, and there is a lack of awareness of security issues.
Application vulnerabilities occur, said Wood, because common coding techniques do not necessarily include security; input is assumed to be valid, but untested; and inappropriate file calls can reveal source code and system files.
To bring security to the development environment, said Wood, it is necessary to create and enforce secure coding practices, self-assess code during development, implement security checks into the quality assurance cycle and consider security during change control.
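The two failure modes Wood describes (input assumed valid but never tested, and file calls that hand back source code or system files) combine into the classic path-traversal bug. The following is an added example written for this page, not code from First Base Technologies or from the article: a naive file-serving routine next to a hardened one, run against a constructed temporary web root. The web root layout, the `app.py` secret and the function names are all assumptions made for the demonstration.

```python
import os
import re
import tempfile


def setup_webroot():
    """Build a constructed sample web root: public/ holds the only
    file meant to be served; app.py sits beside it and must stay private."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, "public", "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(root, "app.py"), "w") as f:
        f.write("SECRET_DB_PASSWORD = 'hunter2'\n")  # constructed secret
    return root


def serve_file_vulnerable(root, requested):
    """Trusts the client-supplied name. '../app.py' walks out of public/
    and returns application source; an absolute name such as '/etc/passwd'
    makes os.path.join discard the root entirely and return a system file."""
    path = os.path.join(root, "public", requested)
    with open(path) as f:
        return f.read()


def serve_file_hardened(root, requested):
    """Two independent checks: a whitelist on the name itself, then a
    canonical-path check that the resolved file still lives under public/."""
    public = os.path.realpath(os.path.join(root, "public"))
    # 1. Validate the input: one filename segment, no leading dot,
    #    no separators, so '..', '/', and '\\' never reach the filesystem.
    if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]*", requested):
        raise ValueError("rejected filename: %r" % requested)
    # 2. Defence in depth: resolve symlinks and '..' and confirm the result
    #    is inside the public directory before opening anything.
    path = os.path.realpath(os.path.join(public, requested))
    if os.path.commonpath([public, path]) != public:
        raise ValueError("path escapes web root: %r" % requested)
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root = setup_webroot()
    print(serve_file_vulnerable(root, "../app.py"))   # leaks the source file
    print(serve_file_hardened(root, "index.html"))   # served normally
    try:
        serve_file_hardened(root, "../app.py")
    except ValueError as e:
        print("blocked:", e)
```

The whitelist alone would stop this attack, but the second check is what makes the code self-assessable during development: a reviewer can confirm that every opened path is proven to lie under the web root regardless of how the name was validated upstream.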
The challenge of achieving this in global organisations was addressed by Andy MacGovern, global security awareness manager at Reuters.
He said that security is often seen as a “hold up” in the product development lifecycle, where products have to be delivered faster in a climate of increased customer expectations, more complex products, reduced budgets, fewer resources and a tougher legislative environment.
Similarly, you should identify and adopt an appropriate security framework and develop policies appropriate to the organisation, said MacGovern.
Reuters has developed an extended practice that takes into account limited security resources, and aims to have two “streams”: replication of security consulting resources, and the development of so-called “security evangelists” – people who understand the need for security.
In his presentation, Stuart King, security consultant at Reed Elsevier, highlighted the most common vulnerabilities in corporate IT infrastructure: buffer overflow, web servers, database servers, cookie poisoning, parameter tampering, SQL injection and cross-site scripting.
http://www.microscope.co.uk/articles/article.asp?liArticleID=129648&liArticleTypeID=20&liCategoryID=2&liChannelID=22&liFlavourID=2&sSearch=&nPage=1
Forrester questions Linux security
The report finds that on average, Linux distributors took longer than Microsoft to patch security holes, although Microsoft flaws tended to be more severe.
But leading Linux vendor Red Hat said that while Forrester’s underlying figures were sound, its conclusions didn’t give an accurate idea of relative security, as they failed to distinguish between patch times for critical updates and routine, obscure problems.
The report arrives in the midst of a fierce debate around the relative merits of Linux and Windows, and follows a number of reports perceived to have been slanted in Microsoft’s favor.
Last October, Forrester forbade its customers from publicizing studies they had commissioned; it made the move partly because of criticism of a report from Forrester subsidiary Giga Research that found some companies saved money by developing with Windows rather than Linux.
A new tactic in that battle has been to compare how long it takes for various operating system vendors to patch flaws — the “days of risk” for each operating system.
Microsoft took on average 25 days to release a patch; Red Hat and Debian 57, SUSE 74 and MandrakeSoft 82, Forrester said.
“Microsoft’s average of 25 days between disclosure and release of a fix was the lowest of all the platform maintainers we evaluated,” wrote analyst Laura Koetzle in the report.
The figures Forrester uses for “all days of risk” are arrived at by averaging the number of days needed to fix a flaw, without distinguishing between critical flaws and harmless ones.
Thus, if a vendor took six months to patch a low-risk bug, it would make them appear to have a slow security response time overall, even if all critical bugs had been fixed instantly.
Using Microsoft’s own definition of a critical flaw as a bug which could allow a worm to propagate without user interaction, only 13 Red Hat vulnerabilities were critical during the one-year time period, and they took an average of just over a day to fix, Cox said.
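Red Hat’s objection is about how the metric is computed rather than the underlying data. The following added example (constructed numbers, not Forrester’s dataset, and not code from either vendor) shows how an unweighted “all days of risk” mean can be dominated by a handful of slow low-severity fixes while the critical-only figure tells a different story; the median is included as a cheap robustness check.

```python
from statistics import mean, median

# Constructed sample: (advisory id, severity, days from disclosure to fix).
# Values are invented for illustration and do not come from the report.
SAMPLE_FLAWS = [
    ("A-1", "critical", 1),
    ("A-2", "critical", 2),
    ("A-3", "critical", 1),
    ("A-4", "moderate", 20),
    ("A-5", "low", 180),    # six months on an obscure, low-risk bug
    ("A-6", "low", 150),
]


def days_of_risk(flaws, severities=None):
    """Average and median time-to-fix; optionally restricted to the given
    severities. An empty selection returns (None, None) rather than dividing by zero."""
    selected = [d for (_, sev, d) in flaws if severities is None or sev in severities]
    if not selected:
        return None, None
    return mean(selected), median(selected)


def compare(flaws):
    """Return the 'all days of risk' figure beside the critical-only figure so the
    distortion introduced by averaging across severities is visible in one place."""
    return {
        "all": days_of_risk(flaws),
        "critical": days_of_risk(flaws, {"critical"}),
    }


if __name__ == "__main__":
    for label, (avg, med) in compare(SAMPLE_FLAWS).items():
        print("%-8s mean=%.1f days  median=%.1f days" % (label, avg, med))
```

With these numbers the all-severity mean is 59 days, driven almost entirely by two slow low-risk fixes, while critical flaws were closed in about 1.3 days on average. Any vendor comparison built on the first figure alone says more about advisory bookkeeping than about exposure to wormable bugs.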
http://www.linuxworld.com.au/index.php/id;554502920;fp;2;fpid;1
Sarb-Ox Offerings on the Rise
With the first Sarbanes-Oxley Act compliance deadlines just seven months away, Microsoft Corp. and Oracle Corp. have introduced software to automate publicly held companies’ compliance processes. Microsoft’s Office Solution Accelerator for Sarbanes-Oxley, rolled out last week, provides best-practice guidelines and templates for documenting processes using Microsoft’s Windows SharePoint Services and…