Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
Don't Wait on The RDP Patch!
Redmond normally lets you install Patch Tuesday fixes at your own rate, but they are making an exception and urge you to hurry up with one severe fix released on Patch Tuesday. Security Update MS12-020 addresses two vulnerabilities in Microsoft's implementation of the Remote Desktop Protocol (RDP). One of the two, CVE-2012-0002, is a Critical, remote code execution vulnerability affecting all versions of Windows. The blog post below at TechNet has the details. There are 5 million machines with this hole, so good chance some of yours are vulnerable as well. What makes things worse is that Redmond probably has leaked attack code for this bug, meaning the bad guys are going to scan your network really soon. This is an epic security fail. Fix your systems fast. Read more
Hey, Is There A Patch For Stupid?
System Administrators and IT Security people have an expression that goes: "There is no patch for stupid".
Observations like that about end-users are often a reflection of reality, but they don't always hold true. Here is an example of where this rule is more damaging than you might think. The technical director of Symantec Security Response said that bad guys are generally not trying to exploit technical vulnerabilities in Windows. They are going after your users instead. "You don't need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content." And that gets -you- to run over and disinfect that workstation, again.
Only about 3% of the malware that Symantec runs into tries to exploit an actual technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme. This means it does not matter if that workstation is a PC or a Mac. Today, a very important line of defense actually is the end-user, and that brings us to Security Awareness Training. This is no longer a 'nice to have' but a crucial element of your IT defense-in-depth.
So let's have another look at 'is there a patch for stupid'? If you train people the right way, starting off at a point that assumes zero knowledge and take it up from there, making sure all terms are defined and that you make it real to them by examples and drills, you’d be surprised how end-users suddenly perk up and see it’s their responsibility to pay attention and protect your network as if it was their own.
There are pitfalls though. Are you in a company where you have to sit through sexual harassment training once a year? In that case you probably know where I am going. After a few weeks, all that training has been long forgotten, and things go back to 'normal'. This type of training is really done as a legal CYA exercise, but for Security Awareness Training, that approach does not hack it.
If you want to do it right, you create a baseline by sending a simulated phishing attack to all users, and see who clicks on it. The percentage of employees that is Phish-prone usually falls between 20 and 30 percent, which if you look at it, is gruesome. Even one is too many, as just one wrong click on a malicious zero-day phishing link can be the cause of a very expensive network penetration. Next, you train the end-users. Mandatory, driven by a combination of HR and IT. Half an hour online training in their browser.
Last, but absolutely not least, you keep sending simulated phishing attacks once a week. You will see a dramatic drop in Phish-prone percentage, and a lot less malware infections on workstations. Internet Security Awareness Training done right, is something you really should look at as an essential element of your defense-in-depth. This is why I'm doing what I'm doing:
Check out my website
Quotes Of The Month
"Management is doing things right; leadership is doing the right things." - Peter Drucker
"Don’t tell people how to do things; tell them what to do and let them surprise you with the results." - General George S. Patton
"The price of greatness is responsibility." - Winston Churchill
Email me at email@example.com
Editor, WindowSecurity.com Monthly Newsletter
Stop Phishing Security Breaches
Are you aware that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch (spear-) phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly 'security awareness' trained.
IT Security specialists call it your 'phishing attack surface'. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. It’s often a surprise how many addresses are actually out there.
Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think. Sign Up For Your Free Email Exposure Check
McAfee: Malware Grows To 75 Million Unique Samples in 2011
Patrick Budmar at CSO had the write-up: "Despite McAfee predicting that unique malware samples would hit 75 million in 2011, the security vendor actually found that the real number actually surpassed that estimate. The vendor's latest report, McAfee Threats Report: Fourth Quarter 2011, finds that while new malware slowed in Q4, mobile malware was on the rise and experienced its busiest period to date.
McAfee Labs senior vice-president, Vincent Weafer, found the threat landscape in 2011 highly evolved, with a change in the motivation typical for cyber attacks. "Increasingly, we've seen that no organisation, platform or device is immune to the increasingly sophisticated and targeted threats," he said.
While the good news in the report was that PC-based malware was found to have declined throughout Q4 of 2011, reaching a level that was in fact significantly lower than the same quarter a year earlier, the fact is unique malware samples exceeded 75 million.
McAfee found that Q4 2011 was the busiest period for mobile malware, with the victim in this case being the Android platform due to loopholes found by hackers in the open source OS. More here.
The Top 13 Security Myths
I thought that this story by NetworkWorld was very much to the point. "They're "security myths," oft-repeated and generally accepted notions about IT security that arguably are simply not true -- in order words, it's just a myth. We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them:
- Myth No. 1: "More security is always better."
- Myth No. 2: "The DDoS problem is bandwidth-oriented."
- Myth No. 3: "Regular expiration (typically every 90 days) strengthens password systems."
- Myth No. 4: "You can rely on the wisdom of the crowds."
- Myth No. 5: "Client-side virtualization will solve the security problems of 'bring your own device.'"
- Myth No. 6: "IT should encourage users to use completely random password to increase password strength and they should also require passwords to be changed at least every 30 days."
- Myth No. 7: "Any computer virus will produce a visible symptom on the screen."
- Myth No. 8: "We are not a target."
- Myth No. 9: "Software today isn't any better than it used to be in terms of security holes."
- Myth No. 10: "Sensitive information transfer via SSL session is secure."
- Myth No. 11: "Endpoint security software is a commodity product."
- Myth No. 12: "Sure, we have a firewall on our network; of course we're protected!"
- Myth No. 13: "You should not upload malware samples found as part of a targeted attack to reputable malware vendors or services."
Here is the article
, and all these myths are explained.
ViewPoint –-Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at firstname.lastname@example.org
SecOps: What You Need To Know
Researchers: Digitally Signed Malware On Rise
Security companies have recently identified multiple malware threats that use stolen digital certificates to sign their components in an attempt to avoid detection and bypass Windows defenses. Computer World
has the best write-up on this problem:
"When it was discovered in 2010, the Stuxnet industrial sabotage worm surprised the security industry with its use of rootkit components that were digitally signed with certificates stolen from semiconductor manufacturers Realtek and JMicron. Security experts predicted at the time that other malware creators would adopt the technique in order to bypass the driver signature enforcement in 64-bit versions of Windows Vista and 7. Given recent developments it seems that they were right."
The 19 Most Maddening Security Questions
Roger Grimes writes the Security Adviser Column, and he's very good:
"I've been immersed in IT security for more than two decades, and I've learned a lot along the way. Yet for all the knowledge I've soaked up, several questions still baffle me. Some of them pertain to end-users who seem to fall for the same sorts of scams year after year. Others, though, relate to security technologies and practices that organizations continually embrace, though they don't work as well as they should -- if at all. The following is just a short of list the questions that nag me day to day as I'm hunkered down in the IT security trenches." You should really check out these questions
, and see how -you- are doing!
Antivirus: The Silent Virtualization Killer
"Life in IT is full of onerous tasks. Along with making good backups and maintaining a solid patching regimen, you must ensure that multiple levels of antimalware software are properly deployed. Unfortunately, in heavily virtualized environments, antivirus can go beyond being a pain to manage and actually become a threat in and of itself. As the saying goes, sometimes the cure is worse than the disease.
That antivirus software can slow down a machine probably comes as no surprise to anyone. Any software that watches each and every disk I/O and inspects it for threats adds overhead that didn't previously exist. In most cases, this manifests itself through marginally higher disk latency and greater CPU load. But with careful use of scanning exclusions (for heavily used databases and the like), it's usually not enough to bring a system to its knees.
Recently, however, I've been presented with two excellent examples of how antivirus run amok can have enormous sitewide impact -- and how it can be difficult to detect the cause unless you know to look for it and have the monitoring data necessary to do so."
'Non-Humans' Account for 51% of All Internet Traffic
So, what is all that traffic then? Here is a breakdown.
- Hacking Tools -- 5% of any site's traffic - causing data (including credit card) theft, malware infection, site hijacking and other site crashes
- Scrapers -- 5% of any site's traffic -- stealing email addresses for spam email lists, reverse engineering of pricing and business models, and more. Most commonly targeting travel, classifieds, news sites and forums
- Comment Spammers -- 2% of any site's traffic -- posting irrelevant content that annoys site visitors, inserting links to malware that cause the site to be blacklisted, bogs down and slows website, and more.
- Spies of sorts -- 19% of any site's traffic -- stealing of marketing intelligence and compromising competitive advantage. Keyword and SEO analyzers assess site information and inform competitors of proprietary information.
Incapsula collected the data in these findings from an anonymous sample of 1,000 Incapsula customers with an average of 50,000 to 10,000 monthly visitors. Here is the blog post
Malware Increasingly Uses DNS As Command and Control Channel to Avoid Detection
The CSO website reported on news released at RSA which is important, as you can see where this might be going:
"The number of malware threats that receive instructions from attackers through DNS is expected to increase, and most companies are not currently scanning for such activity on their networks, security experts said at the RSA Conference 2012 on Tuesday.
There are many channels that attackers use for communicating with their botnets, ranging from traditional ones like TCP, IRC and HTTP to more unusual ones like Twitter feeds, Facebook walls and even YouTube comments.
Most malware-generated traffic that passes through these channels can be detected and blocked at the network level by firewalls or intrusion prevention systems. However, that's not the case for DNS (Domain Name System) and attackers are taking advantage of that, said Ed Skoudis, founder of Counter Hack Challenges and SANS fellow, during a presentation on new attack techniques at the conference."
Android Continues To Be Most Targeted By Hackers
Security researchers compared the attractiveness of Google's Android and Apple's iOS, and Android is still the most attractive smartphone OS for malevolent hackers, so devices based on the platform will continue to get compromised, researchers said at the recent Black Hat Europe.
Mobile devices are loaded up with private data, a very attractive target for hackers, though not all information on a phone is useful. "They won't go after 200,000 Yelp credentials, that wouldn't help them much," said Dan Guido, a researcher at information security company Trail of Bits, in a combined keynote with Mike Arpaia, security consultant with Isec Partners. Read here
Fave links & Cool Sites