12. October 2011 · Rethinking the balance between Prevention, Detection, and Response · Categories: blog

One of Information Security’s basic triads is Prevention, Detection, and Response. How many organizations consciously use these categories when allocating InfoSec budgets? Whether intentional or not, I have found most organizations are over-weighted to Prevention.

Perhaps spending most of the InfoSec budget on Prevention made sense in the late '90s and the first half of the 2000s. But the changes we've seen during the last five to seven years in technology, threats, and the economy have made it inevitable that organizations will experience successful attacks. Therefore more budget must be allocated to Detection and Response.

What's changed during the last several years?

Technology

  • The rise of Web 2.0 applications and social networking for business use, in response to the need to improve collaboration with customers and suppliers, and among employees.
  • Higher speed networks in response to the convergence of data, voice, and video, which helps organizations cut operating costs.
  • Increased number of remote and mobile workers, in response to efforts to reduce real estate costs and avoid wasting time commuting. I put this under technology because without high speed, low cost Internet connections this would not be happening.

Threats

  • Attacker motives have changed from glory to profits.
  • Attackers don't bother building fast-spreading worms like Code Red and Nimda. Now adversaries work stealthily while they steal credit card information, bank account credentials, and intellectual property.
  • The main threat vector has shifted to the application layer and what I call the "inside-out" attack vector, where social engineering actions like phishing lure users out to malware-laden web pages.

Economy

  • The Great Recession of 2008-2009 and the slow growth of the last couple of years have put enormous pressure on InfoSec budgets.
Using Bejtlich’s Security Effectiveness Model, the Threat Actions have changed but, for the most part, the Defensive Plans and Live Defenses have not kept up.

Organizations cannot continue to simply add new prevention controls to respond to the new reality. More effective and lower cost prevention controls must replace obsolete ones to improve Prevention and to free up budget for Detection and Response.


31. July 2009 · Clampi malware plus exploit raises risk to extremely high · Categories: Uncategorized

The risk associated with a known three year old Trojan-type virus called Clampi has gone from low to extremely high due to the sophisticated exploit created and being executed by an Eastern European cyber-crime group.

Just as businesses can differentiate themselves by applying creative processes to commodity technology, so now are cyber-criminals. Clampi has been around since 2007. Symantec as of July 23, 2009 considered the risk posed by Clampi as Risk Level 1: Very Low. I don’t mean to pick on Symantec. McAfee, which calls the virus LLomo, has the Risk Level set to Low as of July 16, 2009. TrendMicro’s ThreatInfo site was so slow, I gave up trying to find the Risk Level they chose.

The exploit process used was first reported (to my knowledge) by Brian Krebs of the Washington Post on July 20, 2009.

On July 29, 2009, Joe Stewart, Director of Malware Research for the Counter Threat Unit (CTU) of SecureWorks released a summary of his research about Clampi and how it’s being used, just prior to this week’s Black Hat Security Conference in Las Vegas.

Clampi is a Trojan-type virus which, when installed on your desktop or laptop, can be used by this cyber-crime group to steal financial data, apparently including User Identification and Password credentials used for online banking and other types of online commerce. Apparently, this Eastern European cyber-crime group controls a large number of PC's infected with Clampi and is stealing money from both consumers and
Brian Krebs of the Washington Post ran a story on July 2, 2009 about a similar exploit using a different PC-based Trojan called Zeus. $415,000 was stolen from Bullitt County, KY.

Trojans like Clampi and Zeus have been around for years. What makes these exploits so high risk are the methods by which these Trojans infect us and the sophistication of the exploits' processes for extracting money from bank accounts.

Security has always been a “cat-and-mouse” game where the bad guys develop new exploits and the good guys respond. So now I am sure we are going to see the creativity of the security vendor industry applied to reducing the risk associated with this type of exploit. At the most basic level, firewalls need to be much more application and user aware. Intrusion detection systems may already be able to detect some aspect of this type of exploit. We also need better anomaly detection capabilities.
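To make the call for "better anomaly detection capabilities" concrete, here is an added example (not code from the original post, and not a description of any particular vendor product) of the simplest useful form of it: build a per-host baseline from a window of normal outbound-connection logs, then flag events in a later window that deviate from it. The log format ('timestamp host user destination bytes_out'), the hostnames, the sample lines, and the threshold factor are all constructed for illustration; a real deployment would read a proxy or firewall export and tune the thresholds to its own traffic.

```python
"""Baseline-and-deviation anomaly detector over outbound-connection logs.

Added example, not code from the original post. It assumes proxy-style log
lines of the form 'timestamp host user destination bytes_out' (a constructed
format) and flags two kinds of deviation from a per-host baseline:
  1. a host contacting a destination never seen during the baseline window
  2. a host sending far more bytes outbound than its baseline median
"""
from collections import defaultdict
from statistics import median

# Constructed baseline traffic (a "normal" week, heavily abbreviated).
BASELINE_LOG = """\
2009-07-20T09:01:00 pc-0142 alice mail.example-corp.test 1200
2009-07-20T09:02:00 pc-0142 alice intranet.example-corp.test 800
2009-07-20T09:05:00 pc-0142 alice news.example.test 950
2009-07-21T09:03:00 pc-0142 alice mail.example-corp.test 1100
2009-07-21T10:00:00 pc-0142 alice intranet.example-corp.test 700
2009-07-20T09:00:00 pc-0177 bob mail.example-corp.test 1300
2009-07-20T11:30:00 pc-0177 bob bank.example-bank.test 2100
2009-07-21T11:35:00 pc-0177 bob bank.example-bank.test 2000
"""

# Constructed detection-window traffic: pc-0142 starts talking to a
# never-seen address and pushes a large upload; pc-0177 behaves as before.
WINDOW_LOG = """\
2009-07-28T09:01:00 pc-0142 alice mail.example-corp.test 1150
2009-07-28T09:04:00 pc-0142 alice 198.51.100.23 48000
2009-07-28T11:31:00 pc-0177 bob bank.example-bank.test 2050
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, dest, bytes_out = line.split()
        events.append({"ts": ts, "host": host, "user": user,
                       "dest": dest, "bytes_out": int(bytes_out)})
    return events


def build_baseline(events):
    """Per host: the set of destinations seen and the median bytes_out."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for e in events:
        dests[e["host"]].add(e["dest"])
        sizes[e["host"]].append(e["bytes_out"])
    return {h: {"dests": dests[h], "median_bytes": median(sizes[h])}
            for h in dests}


def detect_anomalies(baseline, events, size_factor=10):
    """Return (timestamp, host, reason, destination) tuples for events that
    deviate from the host's baseline. size_factor is a constructed threshold:
    an upload larger than size_factor * the host's median is flagged."""
    alerts = []
    for e in events:
        profile = baseline.get(e["host"])
        if profile is None:
            # A host with no baseline at all is itself worth a look.
            alerts.append((e["ts"], e["host"], "unknown_host", e["dest"]))
            continue
        if e["dest"] not in profile["dests"]:
            alerts.append((e["ts"], e["host"], "new_destination", e["dest"]))
        if e["bytes_out"] > size_factor * profile["median_bytes"]:
            alerts.append((e["ts"], e["host"], "large_upload", e["dest"]))
    return alerts


def run_example():
    """Baseline on the normal week, then score the detection window."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(baseline, parse_log(WINDOW_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run as a script, it prints two alerts for pc-0142 (a new destination and a large upload at 09:04) and nothing for pc-0177, whose traffic stays inside its baseline. The point of the design is that neither check needs a signature for any specific Trojan; it needs only a record of what each host normally does, which is exactly the kind of control the post argues should get more of the budget.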