12. October 2011 · Comments Off on Controlling remote access tool usage in the enterprise · Categories: blog · Tags: , , ,

Palo Alto Networks’ recent advice on controlling remote access tools in the enterprise was prompted by Google releasing a remote desktop control feature for Chrome, which also has the ability to be configured “to punch through the firewall.”

As Palo Alto Networks points out, the 2011 Verizon Data Breach Report showed that the initial penetrations in over 1/3 of the 900 incidents analyzed could be tracked to remote access errors.

Here are Palo Alto Networks’ recommendations:

  1. Learn which remote access tools are in use, who is using them and why.
  2. Establish a standard list of remote access tools for those who need them
  3. Establish a list of who should be allowed to use these tools.
  4. Document the usage guidelines, complete with ramifications of misuse and educate ALL users.
  5. Enforce the usage using traffic monitoring tools or better yet, a Palo Alto Networks next-generation firewall.

 

 

25. July 2011 · Comments Off on Google+ Gets a “+1″ for Browser Security | The Barracuda Labs Internet Security Blog · Categories: blog · Tags: , , ,

Google+ Gets a “+1″ for Browser Security | The Barracuda Labs Internet Security Blog.

Barracuda compares Google+ vs Facebook with respect to SSL and Secure Headers. Google+ wins.

24. January 2011 · Comments Off on Zscaler reports on ‘blackhat’ SEO numbers for December 2010 · Categories: blog · Tags: , , ,

Zscaler reports on ‘blackhat’ SEO numbers for December 2010.

One of the Social Engineering risks a user must cope with is malicious web page links that show up in Google searches. Google is aware of this problem and works to weed out the “blackhat” website pages that attempt to fool Google’s algorithms.

While Google’s efforts are improving, Zscaler is reporting that in December 2010, Google flagged only 44% of the “blackhat” links that Zscaler identified.

Full disclosure – Zscaler is a Cymbel partner.

13. December 2010 · Comments Off on Jeremiah Grossman: Internet Explorer 9 ad blocking via “Tracing Protection” — no means yes. · Categories: blog · Tags: , , , ,

Jeremiah Grossman: Internet Explorer 9 ad blocking via “Tracing Protection” — no means yes..

Last week, the FTC issued a report recommending Congress implement Do-Not-Track legislation to help protect consumer privacy. This week, Microsoft detailed Do-Not-Track” options in the upcoming Internet Explorer 9. Coincidence? Doubtful.

No way Microsoft slammed out the code from scratch in a few short days because the FTC made some recommendation. The IE team clearly saw ad blocking as a good idea despite what they told us before and had ad blocking, errr I mean Tracking Protection, ready to go. Only they might not have had the juice to include it because of the aforementioned road blocks.

Will Mozilla make AdBlock Plus a standard feature of Firefox? AdBlock Plus is the top download in the Privacy & Security category with overd over 100 million downloads. It has over 8 million daily active users and a 5 star rating with over 2,000 reviews.

Will Mozilla try to match or exceed Microsoft? How will Google react?

Are we going to see a major shift in Internet advertising so it’s more akin to email marketing?

I think we’re witnessing the beginning of a whole new chapter in the ongoing browser war. Now we must ask, when and if Mozilla is going to add the functionality of their #1 extension natively into their browser? How can they now not do so? Can Firefox’s market-share position afford Internet Explorer to be more advanced in privacy protection features? We’ll have to wait and see what they say or do. I’m hopeful they’ll come around as Microsoft did. Even more interesting will be how Google reacts. AdBlock is their most popular add-on as well. The bottom line is these are very good signs for everyone on the Web.

15. August 2010 · Comments Off on Time for security protection on smartphones? · Categories: Malware · Tags: , , , , , ,

Critical vulnerabilities appearing in both iPhones and Android phones point to the need for third party security products.

Apparently Juniper and McAfee think so. Juniper recently announced that it was acquiring SMobile Systems for $70 million. McAfee acquired TenCube. Another product in this space is Lookout.

Finally, which operating system do you think is more secure? Do you prefer closed vs. open source? Here is a recent article from Network World discussing this issue.

26. April 2010 · Comments Off on Google discovers privacy flaw in Facebook Graph API · Categories: Privacy · Tags: , , ,

The UK-based Guardian posted a story today that an engineer from Google discovered a flaw in Facebook's Graph API where all events you have participated in or are planning to participate in cannot be kept private.

My reactions are (1) given Facebook's privacy policy trajectory, I am not surprised, and (2) given the threat that Facebook represents to Google, I am not surprised that a person from Google found the flaw.

If anything is going to blunt Facebook's popularity, it's going to be privacy issues. And I say this despite the long history of consumers willingness to give up privacy to gain convenience, e.g. Debit Cards.

16. January 2010 · Comments Off on Google discloses breach and new threat type from China – Advanced Persistent Threats · Categories: Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft · Tags: , , , ,

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a type of attack that is relatively new called "advanced persistent threats" (APT) which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear fishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone’s threat model now needs to be adapted
to the new reality of these advanced persistent threats. In addition to
worrying about Eastern European cybercriminals trying to siphon off
credit card databases, you have to focus on protecting all of your core
intellectual property, private nonfinancial customer information and
anything else of intangible value. 

Gunter Ollman, VP of Research at Damballa, discusses APT's further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and
any espionage attack) lies with the tether that connects the victim
with the attacker. Advanced Persistent Threats (APT), like their bigger
and more visible brother “botnets”, are meaningless without that tether
– which is more often labeled as Command and Control (CnC).

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.

Indeed, the threat landscape has changed.