06. December 2010 · Researchers Bypass Internet Explorer Protected Mode | threatpost · Categories: blog

Researchers Bypass Internet Explorer Protected Mode | threatpost.

A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he’s successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. Protected Mode was introduced in Windows Vista and Internet Explorer 7, and other software vendors have followed Microsoft’s lead, introducing sandboxes in applications such as Adobe Reader X and Google Chrome.

The key points and recommended actions are well summarized in Verizon’s own blog post, Evaluating Protected Mode in Internet Explorer:

Since it is not an official security boundary, Microsoft does not guarantee that it will issue patches for bypasses within the monthly patch-cycle.

It can be recommended that domain administrators consider following the steps below to improve the security of Protected Mode Internet Explorer in the enterprise:

  • Ensure that User Access Control (UAC) is enabled, as disabling it will also disable Protected Mode.
  • Ensure that workstation users cannot run as administrators.
  • Enable Protected Mode for all zones where possible.
  • Disable the Local Intranet Zone, or limit the members of the zone as far as possible.
  • Ensure that third-party software vendors create software which does not incorrectly configure Internet Explorer’s elevation policy and introduce privilege escalation bugs that allow malicious code to escape from Protected Mode.
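The recommendations above are the ones a domain administrator would want to verify on a workstation, so here is an added read-only audit script in PowerShell that is not code from the threatpost article or from Verizon's paper. The registry paths and value meanings it relies on (EnableLUA for UAC, the per-zone value "2500" for Protected Mode, and the Low Rights elevation policy keys) are assumptions taken from Microsoft's published documentation, as is the meaning of Policy = 3 (launch silently at medium integrity); confirm them against your own reference before treating the output as authoritative.

```powershell
# Added example, not code from the threatpost article or Verizon's paper.
# Read-only audit of the settings behind the recommendations above. Registry
# paths and value meanings are assumptions based on Microsoft's documentation
# for UAC, Internet Explorer security zones and Protected Mode elevation policy.
# Run as the interactive (non-elevated) user whose browser you are checking.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function New-Finding($Check, $Value, $Status) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status }
}

function Get-ProtectedModeAudit {
    # 1. UAC must be on: EnableLUA = 0 turns UAC off, and Protected Mode with it.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    New-Finding 'UAC enabled (EnableLUA)' $sys.EnableLUA $(if ($sys.EnableLUA -eq 1) { 'OK' } else { 'FAIL' })

    # 2. The interactive user should not belong to the local Administrators group
    #    (BUILTIN\Administrators, well-known SID S-1-5-32-544). The SID stays in a
    #    UAC-filtered token, so a non-elevated admin is still reported.
    $groupSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value
    $isAdmin = $groupSids -contains 'S-1-5-32-544'
    New-Finding 'User is not a local administrator' $isAdmin $(if ($isAdmin) { 'FAIL' } else { 'OK' })

    # 3. Protected Mode per zone: value "2500" is 0 when enabled and 3 when disabled.
    #    A missing value is reported for review rather than guessed. The Local
    #    Intranet zone (1) is the one the recommendations single out.
    foreach ($zone in 0..4) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $pm  = (Get-ItemProperty $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $status = if ($pm -eq 0) { 'OK' } elseif ($pm -eq 3) { 'FAIL' } else { 'REVIEW' }
        New-Finding "Protected Mode in zone $zone ($($ZoneNames[$zone]))" $pm $status
    }

    # 4. Elevation policy entries with Policy = 3 let Protected Mode launch the named
    #    program silently at medium integrity. Each one is a vendor decision that
    #    widens the sandbox, so list them for review (third-party software bullet).
    $policyRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
    Get-ChildItem $policyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Policy -eq 3) {
            New-Finding "Silent elevation for $($p.AppName)" $p.AppPath 'REVIEW'
        }
    }
}

Get-ProtectedModeAudit | Format-Table -AutoSize
```

The script only reads; turning a FAIL into an OK is a Group Policy change (UAC, zone Protected Mode and intranet zone membership all have policy settings), and a REVIEW row under silent elevation is a conversation with the software vendor rather than a registry edit on one machine. On 64-bit systems 32-bit vendors may register their elevation policy under the Wow6432Node view of the same key, which this example does not walk.
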

14. November 2010 · Verizon Incident Classification and Reporting · Categories: blog

Verizon Incident Classification and Reporting.

In an effort to broaden the range of incidents used by Verizon Business’s annual Data Breach Investigations Report beyond those it investigates itself and those provided in 2010 by the Secret Service, Verizon Business’s ICSA Labs has created an application that allows anyone to add incidents using the VERIS Framework.

In return for adding anonymized incident information,

…you will receive a comparative report that frames your incident within the broader VERIS dataset. You will, for instance, know whether your incident was a rare event or one commonly experienced by others and such information can help you decide what, if anything, should be done to prevent similar events in the future.

Is this enough value? Why not allow direct access to the VERIS database through an API? This would allow you to do your own analysis rather than just relying on Verizon’s. Is it possible that third parties, bringing different perspectives and tools, would glean insights that Verizon is missing?

The VERIS Framework is very straightforward. There are three key components to any incident – Agents (actors), Actions, Assets. Perhaps I like it because it’s very similar to a methodology I developed with a colleague for log analysis using the terms Subject, Action, Object, which not coincidentally corresponds to the three key parts of a sentence – Subject, Verb, Object.

There is a fourth “A” which stands for Attributes of the above mentioned three A’s. The selection of classification Attributes is critical to effective analysis. For anonymized incident information, Verizon has done a good job in its classification attribute selection.
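To make the four A's and the "comparative report" idea concrete, here is an added PowerShell sketch that is not code from Verizon's application or from the VERIS documentation. The incident records are constructed sample data, and the four field names are my own flattening of the framework (one agent, one action, one asset, one attribute per record), not the real VERIS schema; the 10% threshold for calling a pattern common is likewise an assumption.

```powershell
# Added example, not Verizon's code. A minimal "comparative report": how often does
# the Agent/Action/Asset pattern of a new incident appear in a reference dataset,
# and which Attribute is usually affected when it does? Sample data is constructed.

$Dataset = @(
    [pscustomobject]@{ Agent = 'external'; Action = 'hacking';  Asset = 'web server';  Attribute = 'confidentiality' },
    [pscustomobject]@{ Agent = 'external'; Action = 'hacking';  Asset = 'web server';  Attribute = 'confidentiality' },
    [pscustomobject]@{ Agent = 'external'; Action = 'malware';  Asset = 'workstation'; Attribute = 'confidentiality' },
    [pscustomobject]@{ Agent = 'internal'; Action = 'misuse';   Asset = 'database';    Attribute = 'confidentiality' },
    [pscustomobject]@{ Agent = 'internal'; Action = 'error';    Asset = 'laptop';      Attribute = 'availability' },
    [pscustomobject]@{ Agent = 'partner';  Action = 'hacking';  Asset = 'web server';  Attribute = 'integrity' },
    [pscustomobject]@{ Agent = 'external'; Action = 'hacking';  Asset = 'web server';  Attribute = 'integrity' },
    [pscustomobject]@{ Agent = 'external'; Action = 'social';   Asset = 'end user';    Attribute = 'confidentiality' }
)

function Compare-Incident {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Incident,
        [Parameter(Mandatory)] [object[]] $Reference,
        [double] $CommonThresholdPercent = 10   # assumption: >= 10% of the dataset counts as "common"
    )

    # Same three A's (Subject/Verb/Object of the incident) regardless of Attribute.
    $samePattern = @($Reference | Where-Object {
        $_.Agent -eq $Incident.Agent -and $_.Action -eq $Incident.Action -and $_.Asset -eq $Incident.Asset
    })
    $share = if ($Reference.Count) { [math]::Round(100.0 * $samePattern.Count / $Reference.Count, 1) } else { 0 }

    # Fourth A: distribution of Attributes among incidents with the same pattern.
    $attributeMix = $samePattern | Group-Object Attribute | Sort-Object Count -Descending |
        ForEach-Object { "$($_.Name)=$($_.Count)" }

    [pscustomobject]@{
        Pattern       = "$($Incident.Agent)/$($Incident.Action)/$($Incident.Asset)"
        Matches       = $samePattern.Count
        SharePercent  = $share
        Verdict       = if ($share -ge $CommonThresholdPercent) { 'common' } else { 'rare' }
        AttributeMix  = ($attributeMix -join ', ')
        SameAttribute = @($samePattern | Where-Object { $_.Attribute -eq $Incident.Attribute }).Count
    }
}

# Constructed incident to frame against the dataset.
$mine = [pscustomobject]@{ Agent = 'external'; Action = 'hacking'; Asset = 'web server'; Attribute = 'integrity' }
Compare-Incident -Incident $mine -Reference $Dataset | Format-List
```

With the constructed data the pattern external/hacking/web server matches 3 of 8 records (37.5%, so "common"), and the attribute mix shows confidentiality twice and integrity once; that second line is the kind of information a flat "rare or common" verdict hides, and it is the sort of analysis that direct access to the dataset would let a third party run with its own thresholds and groupings.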

13. March 2010 · Verizon Business extends its thought leadership in security incident metrics · Categories: Breaches, Research, Risk Management, Security Management, Theory vs. Practice

The Verizon Business Security Incident Response team, whose yearly published Data Breach Investigations Reports I've written about here, has extended its thought leadership in security incident metrics with the release of its Incident Sharing Framework. Their purpose is to enable those responsible for incident response to "create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality (sic) and uncertainty, and help defend the organizations we serve." The document can be found here.

Of course Verizon Business is a for-profit organization and the license terms are as follows:

Verizon grants you a limited, revocable, personal and nontransferable license to use the Verizon Incident Sharing Framework for purposes of collecting, organizing and reporting security incident information for non-commercial purposes.

Nevertheless, I do hope that this or an alternative incident sharing framework becomes an industry standard which enables the publishing and sharing of a larger number of incidents from which we can all learn and improve our security policies and processes.

28. December 2009 · Verizon Business 2009 DBIR Supplemental Report provides empirical guidance for unifying security and compliance priorities · Categories: Breaches, Compliance, Risk Management, Security Management, Theory vs. Practice

The Verizon Business security forensics group's recently released 2009 Data Breach Investigations Supplemental Report provides common ground between those in the enterprise who are compliance oriented and those who are security oriented. While in theory there should be no difference between these groups, in practice there is.

Table 8 on page 28 evaluates the breach data set from the perspective of data types breached. Number one by far is Payment Card Data at 84%. Second is Personal Information at 31%. (Obviously each case in their data set can be categorized in multiple data breach categories.) These are exactly the types of breaches regulatory compliance standards like PCI and breach disclosure laws like Mass 201 CMR 17 are focused on.

Therefore there is high value in using the report's "threat action types" analysis to prioritize risk reduction as well as compliance programs, processes, and technologies.

While the original 2009 DBIR did provide similar information in Figure 29 on page 33, it's the Supplemental report which provides the threat action type analysis that can drive a common set of risk reduction and compliance priorities.