Vulnerability Scanner Pitfalls
Most of us use 'em. But are they really effective? It looks like well over 90% of us use a vulnerability management system, but almost 50% of you think that your network is “somewhat” to “extremely” vulnerable to security threats, according to a recent survey by Osterman Research and Skybox Security. The numbers are interesting. It is a good opportunity to compare yourself to your peers.
I happen to know Osterman, and he's a straightforward and objective researcher who reports on what the actual scene is. It's not looking all that great. I looked at the survey results and they show a large disconnect between on the one hand the frequency and depth of vulnerability scanning actually conducted and on the other hand the volume of scanning that the respondents felt was really needed.
Forty percent scan their internal networks once per month (or even less frequently), and critical DMZ zones are typically scanned once per week or less.
And then there is the coverage problem. Sometimes you cannot scan what you want to: 49% said their organizations did not conduct vulnerability scanning as often or as in depth as they would like. But then look at the numbers. 27% of large organizations reported scanning less than half of the hosts in the DMZ per cycle, while 60% of medium-sized companies scan less than half of their DMZ hosts.
Of course, sometimes there are good reasons for the low scanning frequency and coverage. Fifty-seven percent of you replied that traditional active scanning often disrupts your network services and mission-critical apps, 33% replied that parts of the network simply are not scannable, and 29% replied that they have trouble getting access to the systems they need to scan.
Some of the key survey takeaways:
- More than 90% of firms have a vulnerability management program and consider vulnerability management a priority.
- 49% of companies have experienced a cyber attack leading to a service outage, unauthorized access to information, data breach, or damage over the past six months.
- 40% of companies scan their DMZ monthly or less frequently.
- Internal networks and data centers get the top priority in terms of scanning frequency with 35% of organizations scanning these zones on a daily basis.
- Large organizations (more than 1,500 employees) tend to scan more frequently and with greater coverage of hosts compared to mid-size organizations (250-1,499 employees).
- 73% of large organizations (more than 1,500 employees) scan at least 50 percent of hosts in their DMZ, while only 39% of mid-size organizations (250-1,499 employees) scan at least 50% of hosts in their DMZ.
- Both large and mid-size organizations cite “concerns about disruptions caused by active scanning” and “don’t have the resources to analyze more frequent scan data” as the top reasons for scanning less often than desired.
- Large organizations cite lack of patching resources and non-scannable hosts as a significantly greater issue than mid-size organizations.
Download the full survey findings.
I Was Interviewed On TV Thursday
Ever wondered who that new Editor was? Here's your chance to see me. Cyber threats reported by U.S. energy companies, public water districts and other infrastructure facilities surged last year, a new government report shows. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team said that it received 198 reports of suspected cyber incidents, or security threats, in 2011, more than four times(!) the 2010 level. BayNews9 wanted an expert to comment on this and asked me to come over. I was able to explain why it’s urgent to give employees security awareness training. Here is the 9-minute segment.
Quotes Of The Month
"The public should always be wondering how it is possible to give so much for the money." -- Henry Ford
"We act as though comfort and luxury were the chief requirements of life, when all that we need to make us happy is something to be enthusiastic about." -- Einstein
Editor, WindowSecurity.com Newsletter
Email me at email@example.com
Samsung Galaxy Tab 2 Winner Announced
TechGenix is delighted to announce that the winner of the Samsung Galaxy Tab 2 is long-time subscriber Konrad Eysink from Dallas, Texas. Congratulations! Read the full announcement here.
Released: Kevin Mitnick Security Awareness Training
Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.
Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training. You'll be glad you did:
Security Training Fragmentation Causes Knowledge Gap
OK, time to get onto my soapbox and rant for a moment. But first, remember that before I moved into IT, back in Europe I studied educational sciences for almost 5 years and I'm a licensed teacher. So with that in mind, here goes:
More and more, you see training companies promote their security awareness training products as 'modular' as if that is something good. It's not. They break their training into small modules, split up by security topic, and say that this is better. They say that this is the way people learn and work. It's definitely not.
They claim that short lessons are easy to learn. That is patent nonsense. Is a 10 minute lesson in astrophysics easy to learn?
They say that one lesson a month, each with a different security awareness topic, is the best approach. Unless you have an extremely secure environment, it's actually an invitation to a data breach. Would you install a firewall and slowly, over time, block the ports you need to defend?
There is a massive problem with this approach: security training fragmentation actually causes a dangerous knowledge gap.
- You want -all- your employees, as soon as possible, to understand and be armed against -all- attack vectors.
- Employees should get all the important online dangers in one training session, integrated and reinforced multiple times within that initial training session. That is the only responsible way to deploy security awareness training.
- With all employees knowing all the online dangers, there is group agreement and peer pressure in the direction of secure behavior.
- You don't want to start by training them about phishing and only weeks or months later train them about social networking. That leaves a social engineering hole big enough to drive a truck through.
- If you want to keep all employees on their toes with security top of mind, do that with continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert, and a proven way to dramatically decrease their Phish-prone percentage.
My apologies if I sound a bit hot under the collar, but I am passionate about security. Perhaps other types of training can be drawn out and fragmented, but we are dealing with IT security here, and employees are the weak link!
Windows Server 2012: What's New in Security (Part 1)
The excellent Deb Shinder takes a deep dive into the new Windows Server 2012 security features. In Part 1 she talks about DirectAccess improvements and where that leaves UAG. It's a worthwhile, in-depth article you do not want to miss.
Security Is Not Only Training, It's Culture
We all went to school, but how would you do if you were asked to retake your finals? Probably not too well and neither would I. Education fades unless it is regularly reinforced. And even the reinforcement is liable to go 'on autopilot' and lose its effect. Security needs to become an ingrained habit to truly work, and that means it needs to be part of your company culture.
Some organizations have a strong security culture, others not so much. Those are the ones you will find in the story: 'The Worst Security Snafus Of 2012 - So Far'. If the company as a group does not care much about security, that reflects in everyone's behavior including IT's approach to security and compliance, whether they like it or not. IT in those cases often does not get the budget to do it right.
Ideally, you need a security culture driven from the top down which makes sure that institutional security knowledge gets documented, retained, drilled into new employees during their onboarding, and from there on kept alive by training, events, reminders and regular security audits that will have repercussions if someone fails.
Only then will the general consensus and necessity level be high enough to make your organization a hard target that is too expensive to attack. Look, learn, and don't let this happen to you.
Cybercriminals Sniff Out Vulnerable Firms
I could have written this headline myself. But I didn't, it was Sarah Needleman at the Wall Street Journal. And she's right, that is exactly what is happening.
She started out with: "With cybercriminals a greater threat to small businesses than ever before, more entrepreneurs like Lloyd Keilson are left asking themselves who is to blame for hacking attacks that drain their business accounts. In May, Lifestyle Forms & Displays Inc., a mannequin maker and importer led by the 65-year-old Mr. Keilson, had $1.2 million wiped out of its bank accounts in just hours through online transactions. The theft from the Brooklyn, N.Y., company, which has about 100 employees, wasn't an isolated incident."
Nope, it sure ain't. The bad guys scan websites all day, every day with fully automated tools very similar to Nessus and Qualys and look for holes. Once found, they have automated tools to see if the holes can be exploited. Only then do human criminals get involved, who, again, have a whole lot of automated tools at their disposal.
In parallel with that, roughly one in every 300 emails is a phishing attack. Compare that to about 100 emails sent and received per day by the average corporate user. Can you say: "shooting phish in a barrel"?
"Small businesses feel like they're immune from cybercrime, and they're wrong. They are absolutely on the list of potential targets of cybercriminals," said Larry Ponemon, chairman of the Ponemon Institute, a privacy think tank in Traverse City, Mich.
Read the article, it has some good suggestions at the end. This is also a good one to forward to C-level Executives. Wall Street Journal has the story.
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at firstname.lastname@example.org
SecOps: What You Need To Know
Bank Sues Customer Over BankWire Fraud
Tracy Kitten at BankInfo Security reported on this: "In another legal wrangling over liability linked to ACH and wire fraud, a bank is taking action against a former commercial customer, claiming the customer, not the bank, is liable for losses and damages, as well as legal costs. In March, BancorpSouth, a $14.3 billion bank in Mississippi, filed a counterclaim against Choice Escrow and Land Title LLC, a family-owned business based in Missouri. This week, Choice Escrow co-owner Jim Payne is being questioned in a deposition tied to the counterclaim." BankInfo Security has the story.
Malware Moves Up Into Cloud
You all probably know about the recent 60 million Euro cyberheist. I have been digging into this a bit more, as it’s the most advanced attack yet. Cybercrime is not revolutionary, it clearly builds upon itself in an evolutionary process. Well, malware has metastasized and moved up into the cloud.
Up to now, malware lived on the PC itself in its entirety. All the code was run locally on the workstation, and it communicated only with the mothership to send stolen data, whether that be keystrokes, files, credit card numbers or any other confidential data.
But now, the bad guys have upped the game and rewritten their malware architecture from the ground up. It's almost like they took a page from the antivirus playbook and cut down their own bloatware to a small, lightweight agent (that the bad guys can hide easily), with the real processing being done on a server in the cloud.
So how this works is as follows. The attack starts off with a phishing email, usually pretending to be from the victim's bank and social engineering them into changing their account password, which is not that hard. Next, in early versions, the Zeus or SpyEye trojans would be downloaded to the workstation. But not any more. These days only a tiny bit of malware is put on the workstation, and the actual attack now comes from the cloud. Yikes.
When the victim logs into their bank site, the malware uses web-inject code to throw up a page that looks just like the victim's bank web page. But what happens behind the scenes, invisible to the victim, is that the malware server starts transferring money from the victim's account to the criminal's account, with all the work being done on the criminal's cloud server, which usually sits at an Internet Service Provider owned by the criminal network.
And quite a bit of work is being done. The attack takes the log-in from the PC, redirects it to the server in real time, and does all the transactions in the bank account. It can even circumvent two-factor authentication where the victim has a card they need to swipe to get into the account. Double yikes.
The malware on the workstation is relatively small, simple and does not need to be updated for the next attack, as the updates can happen on the server side. This makes the attack more agile and scalable. Once that new, lightweight malware agent infects the user’s workstation, that machine can be used for a multitude of criminal activities.
Protecting A Critical Machine? Use Whitelisting, Not Antivirus
And who said that? It's not me, surprisingly it's McAfee!
First of all, I have no dog in this fight, and no product to sell you. But I have seen the antivirus industry from the inside out, and I have paid a lot of attention to the Virusbulletin website for a long time.
Recently, a few things have made me realize that it's time to turn things upside down. You can no longer protect against the bad; Stuxnet and Flame bear witness to this fact: the AV industry did not detect them for years. The first graph shows the good executables compared to the bad (malware) executables in 2002. Now, let's look 10 years later:
Malware writers have fast-forwarded a few generations ahead, and automated generating malware. The next graph shows the situation now. As you can see it is high time for the proverbial paradigm shift.
There is too much malware out there, and the antivirus concept of keeping bad code out has essentially been overtaken. The best illustration of this is the recent analysis by the University of Alabama, which looked at the most recent 30 days of phishing attacks and what percentage of the antivirus products protected against these new flavors of malware. A horrifying one in five caught the malware, and this is across over 20 leading brands! You read that right: a whopping 80% of the existing antivirus products did not catch these attacks. And it's objective Virusbulletin data! Ouch.
Now McAfee essentially admits defeat and states, together with the Pacific Northwest National Laboratory, that if you have machines that are critical for infrastructure, whitelisting and related technologies are the best solution. The researchers conclude that it is time to switch from blocking bad code to allowing only good code. For you, if you are not an electricity utility or a municipal water plant, that means machines in accounting, development servers, or any machine that holds intellectual property. And it is needed more than ever to educate your users, which makes for happy admins and a lot fewer malware infections.
I have taken the time to look at the whitelisting concept and wrote it up for you. Here is the link to my whitepaper.
Scam Of The Month: Payroll Phish
The nakedsecurity blog over at Sophos highlighted a new phishing scam that would be good to alert your employees about. The bad guys are pretending to be payroll processing company ADP. There are two variants of this phishing scam. They wrote: "One is simply a plain text message with the subject "ADP Funding Notification - Debit Draft" instructing you to click a link to view your transaction report. The second is more professional looking and suggests to a human resources specialist that ADP is upgrading its security processes and you need to login and be trained on the new procedures."
I would not be surprised if the bad guys did some homework and checked on job sites for companies that are looking for HR people with ADP experience, or scanned LinkedIn for the same and did a spear-phishing attack where they also included 'HR@company.com' so that the net would be as wide as possible.
Why Pill Pushing Spam Pays Off
Brian Krebs is on a roll. Here is why pill pushing spam pays off.
"Consumer demand for cheap prescription drugs sold through spam-advertised Web sites shows no sign of abating, according to a new analysis of bookkeeping records maintained by three of the world's largest rogue pharmacy operations. Researchers at the University of California, San Diego, the International Computer Science Institute and George Mason University examined caches of data showing the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion, shadowy affiliate programs that over a four-year period processed more than $170 million worth of orders from customers seeking cheaper, more accessible and more discreetly available drugs. The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day." Here is the link to Brian's blog.
How The Bad Guys Do It: Email-Based Malware Attacks
The excellent cybercrime journalist Brian Krebs has done it again. Great blog post that explains how small- and mid-size businesses lose hundreds of thousands of dollars in cyberheists. He started out with:
“Nearly every time I write about a small- to mid-sized business that has lost hundreds of thousands of dollars after falling victim to a malicious software attack, readers want to know how the perpetrators broke through the victim organization’s defenses, and which type of malware paved the way. Normally, victim companies don’t know or disclose that information, so to get a better idea, I’ve put together a profile of the top email-based malware attacks for each day over the past month.”
This is a very interesting post, because it also shows the percentage of the attacks that were caught by antivirus products as tested by the independent Virus Bulletin site. Here is the link to his blog post. It is almost required reading for anyone in security!
Fave links & Cool Sites