Security Detractors?

February 12th, 2011 by peter.bassill

Sensibility around security is something we as an industry can lack, and with the continual growth of compliance controls imposed on businesses by a myriad of organisations and governmental bodies, compliance is becoming a significant security detractor. Two years ago I heard Josh Corman of the 451 Group state that many businesses “fear the auditor more than the attacker”, and to this day I feel it remains true. As security professionals, we have in many aspects been reduced to mere box tickers and list checkers in an effort to make sure we meet the simplest of security standards. The very best example of this is the PCI-DSS.

When the Payment Card Industry Data Security Standard (PCI-DSS) version 2.0 was released in the last quarter of 2010, it seemed that every vendor under the sun once again started phoning, claiming to have the solution to my PCI-DSS problems. If only they really did have a solution.

There is a common belief that in order to be secure you must have a checklist, something auditors love to see. While I am not averse to checklists (in fact I use a number of them on occasion to ensure we are carrying out our routine tasks correctly), they don’t really help your security baseline. The trouble is that this very simple task of checking items off a checklist ties up security professionals for excessive amounts of time in order to prove compliance.

Is there a light at the end of the tunnel? For the moment, I don’t see how there can be one. Many standards are evolving, some for the better, but with more requirements needing to be proven in a single audit, the life of the security professional is without doubt being reduced to box checking.

My suggestion for increased security is simple: fewer large single annual audits. Split the audits into three or four segments and eat them like an orange, one piece at a time.

Human side of Security

February 11th, 2011 by peter.bassill

One of the hot topics for many information security officers and almost all suppliers within the IT security industry at present is data loss prevention.

For many information security officers (ISOs) and IT directors, not a week will pass without a supplier calling to talk about and sell a data loss prevention solution that is hailed as a way of controlling data egress points.

From the products I have tested, I can say that they do what they say on the packaging, but in this economic climate, when boards are mandating decreased budgets and businesses drive for lower operational costs, is there another way of achieving a similar result without large capital outlay?

Good increases in data management can be achieved through a good information security awareness programme. A good awareness programme can make significant strides to decrease accidental loss of data, which is by far the most common cause of data breaches, and then use technical solutions to assist and complement the work of the awareness programme. Awareness programmes take time to set up and need buy-in from the very top of the business. Key executives are usually happy and eager to help; they see both the security benefits and the benefits of lower operating costs.

For example, the use of portable media has caused many businesses a large headache and has led to a number of high-profile data breaches. By educating your staff on the virtues of good data management around portable devices and ensuring a good understanding of classification labels and how to protect data within certain classifications, staff have shown they are capable of adequately protecting data and correctly using portable media devices.

This is not to say that you should not complement the training by issuing only encrypted portable devices and controlling data written to non-encrypted devices. In taking this step you reinforce the training and show the workforce that you are taking the matter seriously.

By viewing technology as an assistant to good information security practices rather than the primary enabler of information security, you are better placed to see the options open to the business. Taking a broader view of your business practices allows you to better understand where information security gains can be achieved easily and where gains will take longer to realise.

An excellent area within the realm of information security where the people element returns excellent gains is in penetration testing. By engaging different business unit members in internal penetration testing it is possible to identify where processes are not working and could lead to potential security issues. Using this method of penetration testing in conjunction with traditional external testing you get a fuller and more rounded view of your overall security stance. This will help in identifying the many egress routes that data could potentially take out of the business.

A good security awareness programme will not safeguard against those rogue employees who want to take the data with them, however. This is where there is no replacement for the technical counter-measure. But with an awareness programme in place, employees will be aware of what will happen if they are found to have taken data, and the HR department will have an easier time dealing with these employees if you can prove they were fully aware of the policies and took part in the awareness training.

ZeuS Source Code for $10k.

February 1st, 2011 by peter.bassill

Late last year, online crime forums were abuzz with talk that development of the world’s most notorious banking Trojan — ZeuS — was being retired, after its maker handed the malware’s secret blueprints to a rival developer.

The recipient of those plans — the author of the SpyEye Trojan — has been hard at work on a malware strain that blends the two malware families. But new evidence suggests that the source code for the latest ZeuS version may have also been given or sold to a third party who is now reselling it to the highest bidder in the criminal underground, a development that could soon guarantee the production of a whole new ZeuS lineage.

Sources say the ZeuS author — known variously as “Slavik” and “Monstr” on criminal forums — gave the SpyEye author Gribodemon stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients, a sizable user base that demands considerable care and attention. Sources also believe Slavik may have separately sold the code itself, ostensibly to the same individual shown in the screen shot below.

Established crime forums are built upon reputation, which is earned over a period of time by points awarded from other members for positive or negative transactions — much like eBay’s buyer and seller feedback system. The solicitation in the above screen shot is unlikely to be a fake: It indicates that the seller has been a member of this particular vetted crime forum since June 13, 2009, and has 18 positive reputation points and zero negative.

This seller is offering the full ZeuS source code for the latest version 2.0.8.9, and warns away members without a significant war chest. But how much could the code actually fetch? Toward the end of last year, the ZeuS author was selling fully-loaded, single-user licenses for up to $10,000 apiece. Aviv Raff, chief technology officer and co-founder of Seculert, said this individual could probably demand at least ten times that amount for the source code, which would give the buyer full rights to sell one-off licenses to others, and/or to continue developing the malware family.

But don’t come bearing gold, credit cards, or even cold hard cash: This seller only accepts payment via an irreversible virtual currency called Liberty Reserve. On top of that, payments must be made through the forum’s escrow service — a feature offered by forum administrators designed to cut down on members ripping one another off — but one which can add considerably to the final price of the item(s) for sale.

re-posted from krebsonsecurity.com