RiskPundit

YouTube – Black Hat Spam SEO

Interesting presentation on Black Hat Spam SEO by Zscaler’s Julien Sobrier.

Outgunned: How Security Tech Is Failing Us — InformationWeek

13. October 2010 · Comments Off · Categories: blog · Tags: 0-day, FireEye, Greg Shipley, Next Generation Defense-in-Depth, next-generation firewall, Palo Alto Networks, SANS 20 Critical Controls

Outgunned: How Security Tech Is Failing Us — InformationWeek.

Our testing shows we’re spending billions on defenses that are no match for the stealthy attacks being thrown at us today. What can be done?

Greg Shipley has written an excellent article about the state of information security. The hard copy version in this week’s InformationWeek magazine sums up the situation – “Epic Fail.”

…collectively, we’ve spent billions of dollars on security technologies, and we still can’t curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.

Recent events suggest that we are at a tipping point, and the need to reassess and adapt has never been greater. That starts with facing some hard truths and a willingness to change the status quo.

Greg points out what we’ve been saying for the last three years:

…sometime in the last few years a number of our key security technology controls crossed that threshold and ceased to be effective, yet as an industry we have yet to adjust. We’re pouring billions of dollars–literally–into security products that are gaining us very little. We don’t retire anything but rather pile on more layers, leading to increased complexity, expense, and exposure.

One of the big three security technology controls Greg calls out is firewalls. I would be more specific and say “stateful inspection” firewalls. These have been the staple of network security for 15 years. But Web 2.0 applications and social networking breeze right by the stateful inspection firewall. In fact, the stateful inspection firewall provides practically no control or protection at all.

Fortunately, we have begun to see the rise of what Gartner calls the Next Generation Firewall as exemplified by Palo Alto Networks. NextGen Firewalls are application aware and more importantly enable you to build policies based on applications and users rather than ports, protocols, and IP addresses.

Greg’s four recommendations are:

1) Start spending money on controls that are more in line with threats. This is in fact why Cymbel has embraced (and enhanced) the SANS 20 Critical Security Controls for Effective Cyber Defense. Controls were selected based knowledge of exploits. For example, Controls #1 and #2 are about Discovery of network assets and the software running on them. Unknown and/or unmanaged devices will thwart a patch management program every time.

2) Adjust assumptions and put to rest some age-old debates. For example the insider vs. outsider debate. Due to what we call the ‘inside-out” attack vector, the outside attacker becomes an insider once the attacker steals the insider’s credentials. We discuss this in more detail in the Threats section of the Five Forces of Change. This is why internal network segmentation based on application and user policies has become critical.

3) Stop rewarding ineffectiveness and start rewarding innovation. Here Greg repeats his observations about the ineffectiveness of (stateful inspection) firewalls and antivirus. It is for this reason that we developed our Next Generation Defense-in-Depth architecture, which features real, proven, innovative solutions which mitigate these new threats. Another good example is FireEye, which prevents 0-day and unknown malware attacks using heuristics plus virtual sandboxes to test suspicious code. The virtual sandbox capability practically eliminates false positives, the bane of heuristics-based intrusion prevention systems.

4) Know when security products cannot help you. Technology is not always the answer. Our Approach, based on the SANS 20 Critical Controls acknowledges this as well. While the first 15 are automation oriented, the last five are not: Secure Network Engineering, Penetration Testing, Incident Response Capability, Data Recovery Capability, Security Training.

The validation of our approach to information security is gratifying. Thanks Greg.

Read ‘Em All: Pentagon’s 193 Mind-Numbing Cybersecurity Regs | Danger Room | Wired.com

13. October 2010 · Comments Off · Categories: SANS 20 Critical Controls · Tags: SANS 20 Critical Controls

Read ‘Em All: Pentagon’s 193 Mind-Numbing Cybersecurity Regs | Danger Room | Wired.com.

According to the Deputy Assistant Secretary of Defense for Cyber, Identity & Information Assurance (DASD CIIA) there are 119 different information security documents published by the Department of Defense (including the NIST SP 800 series). DASD CIIA helpfully published a two-foot long chart to help you make sense of it all.

Perhaps they ought to take a look at the SANS 20 Critical Security Controls for Effective Cyber Defense. The whole thing is only 58 pages.

‘Scrapers’ Dig Deep for Data on the Web – WSJ.com

13. October 2010 · Comments Off · Categories: Privacy · Tags: privacy, web scraping

‘Scrapers’ Dig Deep for Data on the Web – WSJ.com.

Unauthorized, but not illegal, “web scraping” of personal data is big business – $840 million according to an estimate by the Wall St. Journal.

The market for personal data about Internet users is booming, and in the vanguard is the practice of “scraping.” Firms offer to harvest online conversations and collect personal details from social-networking sites, résumé sites and online forums where people might discuss their lives.

The emerging business of web scraping provides some of the raw material for a rapidly expanding data economy. Marketers spent $7.8 billion on online and offline data in 2009, according to the New York management consulting firm Winterberry Group LLC. Spending on data from online sources is set to more than double, to $840 million in 2012 from $410 million in 2009.

The Wall Street Journal’s examination of scraping—a trade that involves personal information as well as many other types of data—is part of the newspaper’s investigation into the business of tracking people’s activities online and selling details about their behavior and personal interests.

The fact-filled article is well worth reading its entirety, but it offers no ideas for a solution. At this point, you have to assume that anything you say on the web is public knowledge.

New Password Not Enough to Secure Hacked E-mail Account | threatpost

10. October 2010 · Comments Off · Categories: Security-Compliance · Tags: Gmail

New Password Not Enough to Secure Hacked E-mail Account | threatpost.

Good set of recommendations for Gmail users. If you Gmail account is hacked and you change your password, you could still have problems. Make sure you do the following:

Check your filters
Check the Password Recovery settings
Check for Authorized applications

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists — Krebs on Security

10. October 2010 · Comments Off · Categories: Uncategorized · Tags: bank fraud, Becrypt

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists — Krebs on Security.

Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.

At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.

This is an excellent article by Brian Krebs detailing the latest in a series of arrests related to electronic funds transfer fraud.

In another article Brian Krebs details a specific incident where hackers stole $600,000 from the town of Brigantine, NJ.

No business should be using the “general purpose” computer for electronic funds transfer transactions. As I said in my last post, either use a dedicated computer or an encrypted bootable USB stick like the one we offer from Becrypt.

Bill would protect towns, schools from cybertheft losses – Computerworld

10. October 2010 · Comments Off · Categories: Uncategorized · Tags: bank fraud, Becrypt, EFTA, Electronic Funds Transfer Act

Bill would protect towns, schools from cybertheft losses – Computerworld.

Sen. Charles Schumer (D-N.Y.) has introduced a bill that would protect municipalities and school districts against financial losses resulting from certain types of cybertheft.

Under the proposed bill, cities, towns and school districts would not be held liable for losses tied to online account takeovers and fraudulent electronic funds transfers initiated by cyberthieves, as long as the theft is reported in a timely manner.

It is the same sort of protection that consumers have under the Electronic Fund Transfer Act, which caps consumer liability for an unauthorized EFT at $50. Schumer’s bill (S. 3898) would modify portions of the EFTA to offer the same protection to schools and municipalities.

The idea of moving the liability electronic funds transfer fraud from the bank account holder to the bank will force banks to implement better protection measures.

In our opinion, there are only two ways online account holders can protect themselves from online bank fraud: (1) use a dedicated computer for online bank transactions, (2) use a dedicated encrypted bootable USB stick. Using just a separate browser, even in a separate virtual machine is not good enough.

If a dedicated computer is not feasible, we at Cymbel recommend Becrypt‘s Trusted Client solution.

Oracle fixes add to massive patch load expected Tuesday – SC Magazine US

10. October 2010 · Comments Off · Categories: Data Loss Prevention · Tags: Data Loss Prevention, database security, Oracle, Sentrigo

Oracle fixes add to massive patch load expected Tuesday – SC Magazine US.

Of the 81 fixes in Oracle’s quarterly patch release, seven of them are for databases.

The question is how long will it take to test and install these patches? Experience says months. That means your systems will be exposed to these vulnerabilities for months.

I am by no means suggesting you should rush the deployment of these patches. Thorough testing is a must.

The answer is the virtual patching capability of Sentrigo, a database protection solution. In a matter of days, if not sooner, Sentrigo updates their agents protecting your databases with new “vulnerability signatures” that protect against threats looking to exploit the well documented vulnerabilities for which Oracle is providing patches.

In many cases, Sentrigo ships the “vPatches” before Oracle ships their patches.

We recommend Sentrigo as a core component of our next-generation defense-in-depth architecture.

NitroSecurity Fuels Momentum With New Funding and Technology Acquisition – MarketWatch

09. October 2010 · Comments Off · Categories: Security-Compliance · Tags: LogMatrix, NitroSecurity, SIEM

NitroSecurity Fuels Momentum With New Funding and Technology Acquisition – MarketWatch.

Having spent eight years of my life at LogMatrix (which had been called OpenService until it was renamed in 2009) helping develop its security business, I am glad to see it in the hands of the fast-growing NitroSecurity.

We brought to market several innovative concepts to improve the effectiveness of SIEM solutions including a risk-based quantitative algorithm that worked on both network and application logs, and a user-based behavioral anomaly algorithm.

I wish my friends at LogMatrix who moved over to NitroSecurity all the best.

Schneier on Security: Stuxnet

07. October 2010 · Comments Off · Categories: Security-Compliance · Tags: Schneier, Stuxnet

Schneier on Security: Stuxnet.

Excellent summary of Stuxnet. Separates facts from conjecture. Points out some of the erroneous descriptions you may have read, e.g. SCADA is incorrect.