WindowSecurity.com - Monthly Newsletter - March 2013

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com

Editor's Corner

The Problem with Our Security Models

“You can haz better security, you can haz worse security. But you cannot haz ‘security’. There is no security. Deal [with it].” — Richard Steven Hack

I thought I would start with this quote from Rich Hack; it describes the issue in a nutshell. The reason for this article is a post from Bruce Schneier in which he states: “Our security models will never work — no matter what we do”.

I’m quoting his first few paragraphs here: “A core, not side, effect of technology is its ability to magnify power and multiply force — for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems.”

“The problem is that it’s not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They’re more nimble and adaptable than defensive institutions like police forces. They’re not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side — it’s easier to destroy something than it is to prevent, defend against, or recover from that destruction.”

“For the most part, though, society still wins. The bad guys simply can’t do enough damage to destroy the underlying social system. The question for us is: can society still maintain security as technology becomes more advanced? I don’t think it can.”

Of course he refers to the ultimate example that everyone is terrified of, a terrorist with a nuclear bomb, but even that is something a society can survive: Japan recovered from two detonations in a relatively short time. He is right, though, in the sense that an attacker only needs to succeed once, while the defender needs to succeed 100% of the time. That is why we need to design with failure in mind, and fail with the least amount of (collateral) damage.

Schneier notes that traditional security largely works “after the fact”, and that is where some of the problems lie. On planet earth, we tend to invent weapons but neglect to invent the protection against that weapon at the same time. The Manhattan Project developed the atom bomb and completely neglected to develop, at the same time, a force field that would stop an atomic blast. Wouldn’t having both technologies have been a much more powerful solution?

He continues: “Because sooner or later, the technology will exist for a hobbyist to explode a nuclear weapon, print a lethal virus from a bio-printer, or turn our electronic infrastructure into a vehicle for large-scale murder. We’ll have the technology eventually to annihilate ourselves in great numbers, and sometime after, that technology will become cheap enough to be easy.” He then states: “If security won’t work in the end, what is the solution? Resilience — building systems able to survive unexpected and devastating attacks — is the best answer we have right now.”

At this point I’d have to say his answer is incomplete. Schneier takes for granted that human nature cannot be changed, and that someone will inevitably get the tools in hand to create major damage. That event could be prevented by a change in mankind’s worldwide respect for the United Nations’ Human Rights, a change in all world governments’ priorities regarding education, and the realization that planet earth is on a downward spiral until we wake up and -do- something about it.

Security Defined

Did you know that the root of the word 'security' is the Latin 'securus', from se- ("without") + cura ("care"): free from care; safe, certain. The thought also comes to mind that there might be a diametrically opposed way to look at this, as in: "security is something that results when you -do- care."

Sun Tzu Quotes Of The Month

"Agents are a ruler's treasure. They are called the hidden network of mastery over the enemy." - Sun Tzu

"Victory is achieved by means of predicting and then handling that which is predicted" - Sun Tzu

Warm regards,

Stu Sjouwerman

Editor, WindowSecurity.com Newsletter
Email me at feedback@windowsecurity.com

Released: Kevin Mitnick Security Awareness Training

Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.

Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training. You'll be glad you did.

Security Detail

Need Real-time And Personally Relevant Cyber Intelligence?

If so, check out Swan Island Networks.
 
Their Cybero(TM) service helps you navigate today’s dynamic cyber threat environment by delivering a steady stream of up-to-date, personally relevant cyber intelligence. It addresses the critical cyber risks that are NOT prevented by next-generation firewalls, anti-virus software or stronger encryption. Cybero addresses the human side of cyber security, with the goal of helping your workforce become a new human firewall. Cybero includes Kevin Mitnick Security Awareness Training but gives you much, much more.
 
You get the latest cyber threat environment alerts—in understandable, actionable form—filtered precisely for you. When part of a company-wide cyber awareness campaign, you can produce quantifiable reductions in workforce cyber risk, with positive, measurable ROI.
 
Cybero is powered by Swan Island Networks’ proven TIES® platform, which is currently used by more than 300 enterprises, including 20% of the Fortune 100, and is very easy to use. Cybero provides you and your staff with knowledge that can prevent data loss, stop system intrusion and reduce overall cyber vulnerability. Cybero delivers:

  • Relevant information feeds from US Federal agencies, leading security vendors and authentic cyber security experts, filtered just for you.
  • A consolidated, edited view of the latest cyber developments in order to help you perform your professional responsibilities (in the form of personalized dashboards and alerts).
  • A rich library of personal cyber security training and best practices.
  • Open source data feeds: top cyber blogs and news.
  • The ability to automatically report critical cyber incidents to the right corporate groups or government agency.
  • Ability to integrate with corporate compliance and governance initiatives to help ensure incidents are appropriately managed and documented.
  • And much, much more. Register here if you want a product demo.

Acunetix Web Vulnerability Scanner Voted Readers' Choice

Acunetix Web Vulnerability Scanner was selected the winner in the Web Application Security category of the WindowSecurity.com Readers' Choice Awards. N-Stalker Web Application Security Scanner and Syhunt Suite were runner-up and second runner-up respectively. More.

Who Loses Their Data And How?

The Harvard Business Review has a fascinating blog post based on data from auditing firm KPMG. Sarah Green spoke with Greg Bell, their information protection lead. The article talks about how they are getting this data, how the threats are evolving, which industries are most at risk, which countries lose the most data and a whole host of other interesting things. Read the full blog post here, lots of interesting graphs.

SecureToolBox

ViewPoint - Your Take

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at feedback@windowsecurity.com 

SecOps: What You Need To Know

Scam Of The Week: Army CID

The U.S. Army Criminal Investigation Command warns that if you get an email that appears to come from “US-Army-Criminal-Investigation-Command@usa.com,” it’s a phishing scam. The real Army Criminal Investigation Command, also known as CID (made famous by the Jack Reacher movie and books), is warning the public that criminals are posing as Army law enforcement officials in an email that is making the rounds. Note the tell: a federal law enforcement agency does not send official mail from a free consumer domain such as usa.com; real Army mail comes from .mil addresses. WHAT TO DO:
 
CID is asking that recipients of emails claiming to be from “Office of the Division of Criminal Investigation” take the following steps:

  • Do not respond to the email.
  • If you have responded to the email, stop all contact.
  • Report the email to Army CID.

“By reporting this crime one can assist CID and other law enforcement officials across the United States in their investigations and help bring those responsible to justice,” said Christopher Grey, CID’s chief of public affairs. More at the armytimes website.

Georgia Tech Researchers Try To Stop Spear-phishing

Georgia Tech has correctly identified that the most challenging threat facing corporate networks today is “spear phishing.”

“Spear phishing is the most popular way to get into a corporate network these days,” said Andrew Howard, a GTRI research scientist who heads up the organization’s malware unit. “Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.”
 
Trying to stop spear phishing with software is not that simple. Dozens of antivirus companies ship spam modules in their software, and they all try to do this as well. The big problem is false positives: legitimate messages that get blocked. The underlying issue is that the attacker is human and the victim is human. Until we can create expert systems smart enough to recognize, for instance, a scam that works by pressuring the target to avoid a negative consequence, we should follow the Georgia Tech advice: “users are the front line defense. We need every user to have a little paranoia about email."
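To make the two preceding items concrete, the Army CID scam (a sender that claims a government identity from a non-.mil domain) and the Georgia Tech point about software heuristics and false positives, here is an added example that is not part of the newsletter or of any vendor's product. It parses two constructed sample messages (neither is a real captured email; the spoofed sender address is the one quoted above) and applies four checks: an agency-sounding display name paired with a sender domain outside .gov/.mil, a Reply-To domain that differs from the From domain, lure wording that threatens a negative consequence, and a request for personal data. The keyword lists, the two-finding threshold and the helper name analyze() are this example's own assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real captured mail). The From address on the
# first one is the lookalike sender quoted in the Army CID warning above.
SCAM_MSG = """From: "US Army Criminal Investigation Command" <US-Army-Criminal-Investigation-Command@usa.com>
Reply-To: cid.case.officer@mail.ru
To: victim@example.com
Subject: Notice of criminal investigation - respond within 48 hours

Your name appears in an open investigation. Failure to respond within 48 hours
will result in a warrant being issued. Reply with your full name and SSN.
"""

LEGIT_MSG = """From: "Army CID Public Affairs" <public.affairs@mail.mil>
To: victim@example.com
Subject: CID press release

Please find attached our monthly press release.
"""

# Display-name words that amount to a claim of government or law-enforcement identity (assumed list).
AGENCY_WORDS = re.compile(r"\b(army|cid|criminal investigation|fbi|irs|police|command)\b", re.I)
# Domains US federal agencies actually send from.
OFFICIAL_TLDS = (".gov", ".mil")
# "Avoid a negative consequence" lure wording, the pattern the GTRI quote describes (assumed list).
THREAT_LURE = re.compile(r"\b(warrant|arrest|legal action|suspend|within \d+ hours|failure to respond)\b", re.I)
# Requests for data a legitimate agency would not ask for by email (assumed list).
PII_ASK = re.compile(r"\b(ssn|social security|password|date of birth|bank account)\b", re.I)


def analyze(raw: str) -> dict:
    """Return the findings for one RFC 5322 message and a verdict.

    The domain-mismatch checks carry most of the signal; the keyword checks
    are the part that produces false positives, so the verdict requires at
    least two independent findings (threshold is an assumption of this example).
    """
    msg = email.message_from_string(raw, policy=policy.default)

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # Collect subject plus every text/plain part (handles multipart mail too).
    text = msg.get("Subject", "") + "\n" + "\n".join(
        part.get_content() for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )

    findings = []
    if AGENCY_WORDS.search(name) and not domain.endswith(OFFICIAL_TLDS):
        findings.append(f"display name claims an agency but sender domain is {domain}")
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    if THREAT_LURE.search(text):
        findings.append("body pressures the reader to avoid a negative consequence")
    if PII_ASK.search(text):
        findings.append("body asks for personal data")

    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_MSG), ("legit", LEGIT_MSG)):
        result = analyze(sample)
        print(label, result["suspicious"], result["findings"])
```

The constructed scam message trips all four checks; the constructed legitimate message, whose display name also says "Army CID", trips none because its domain is .mil and it carries no lure. That asymmetry is the point: the identity-versus-domain check is cheap and rarely wrong, while the wording checks are exactly where the false positives the article warns about come from, which is why the verdict here needs two findings rather than one. In production the domain check should be backed by SPF/DKIM/DMARC results on the authenticated sender, not by the From header alone, since the header is attacker-controlled.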

How Phishing Attacks Are Evolving

Tracy Kitten at bankinfosecurity reported: Phishing attacks are up, and the methods are changing. Paul Ferguson of the Anti-Phishing Working Group explains how phishers are fine-tuning their schemes and exploiting cross-platform technologies.
 
From PCs and Macs to mobile devices, cybercriminals no longer have to be selective about the operating systems they target, says Ferguson, vice president of threat intelligence for online security company IID (Internet Identity) and a member of the Anti-Phishing Working Group.
 
“What we have seen lately are attacks on cross-platform software,” he says. “They only care about plug-ins or the browser. They don’t care about the operating systems.”
 
Increases in cross-platform technologies have made phishing attacks more fruitful, Ferguson explains, because they’ve made it easier for attackers to compromise desktops, laptops, mobile devices, websites and servers, all from a single campaign. “The cross-platform technologies are suffering from what I call ‘the tragedy of the masses,’ and criminals are taking advantage.” Here is the article.

Hackers’ Haven

28 Percent of Successful Hacks Lead to Fraud

New research says 28 percent of consumers hit by a data breach later become victims of identity fraud - especially when payment card information is exposed. But card issuers and consumers are taking proactive steps to mitigate their risk of fraud in the wake of a data breach, says Pascual, an analyst at Javelin Strategy & Research and lead researcher for "2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters." The annual study has surveyed 48,200 respondents over the last 10 years and is the longest-running independent analysis of U.S. identity fraud. This is an interesting article at the BankInfoSecurity site.

Video: Akamai CSO Andy Ellis at RSA

This video was recorded by RSA Conference organizers. Here, Akamai CSO Andy Ellis talks about managing risk with psychology instead of brute force. This is an interesting talk and worth the 29 minutes; some good concepts and new language. Make it your next 'lunch & learn', Andy is a smart guy!

Fave links & Cool Sites

MSExchange.org WindowsNetworking.com VirtualizationAdmin.com ISAserver.org MSPanswers.com WServerNews.com