Posts Tagged ‘Firewall Software’

Answering Enterprise Security Questions

Monday, April 5th, 2010

I was asked to answer some specific questions for a reporter of Processor Magazine. They usually take bits and pieces of what I send combined with others in the industry to write their articles. So I thought I would list the questions here and my full answers. At some point we will see what they use of these…
—————————

What does it take to keep the enterprise secure?
A lot more than people think. The idea that a firewall and anti-virus software are enough can only be described as reckless these days. Even intrusion detection and prevention systems can be easily bypassed by cyber criminals. Every organization is different and therefore there isn’t one answer that will keep all enterprises secure; but in general a layered security approach that includes information security defenses at the edge, in the core of the network, and on the endpoints is what is needed.

More important than the technologies or solutions employed is the way in which the enterprise gets the most out of those solutions. Centralized reporting and administration is key. Central repositories for compliance documents and audit documentation are critical. Policies, procedures and controls are paramount. The best thing an enterprise can do is work with a security expert who has its best interest in mind and have that expert help design and roll out a comprehensive security program that fits its requirements and budget.

Why should some applications (or classes of apps) NOT be used in the enterprise?
The term “applications” is so broad it is tough to answer this. In general, there are lots of applications that shouldn’t be used in an enterprise, or that should be closely managed and monitored if they are used. Some for productivity reasons, others for security reasons. In my mind, what is more important than broadly banning applications (although there are times you should do that) is ensuring that systems only have the applications they need to perform their various functions. Any application can have vulnerabilities that can be exploited. Look at Adobe Acrobat, for example. It is on more systems than any other application on the planet and has one of the highest rates of known, critical vulnerabilities. I don’t know of many enterprises that are going to ban Adobe Acrobat. So the more important thing is a process whereby you can patch the systems and keep them up to date to reduce the chance of compromise.

If you are referring to “applications” in the context of security solutions then I would answer differently. Simply stated, every organization is unique and information security must be implemented and somewhat customized for that particular organization to offer real value.

Why should others be used? Do you have any examples?

Again, if we are talking about security applications, one that I feel is really necessary these days but often not known or used is Host Based Intrusion Detection & Prevention (HIPS). This is software that goes right on the endpoints you want to protect. It does a great job with securing individual assets you want to protect at a higher level such as mission critical systems, customer databases, active directory services, or Internet accessible devices like an email server or web server. Web Content Filtering is another one that is absolutely necessary to help keep malware out of your organization. From a security standpoint, there are so many solutions an enterprise really needs to work with an expert to see what they need.

Why isn’t it the best idea to give end-users administrator rights?
There are lots of reasons for this: 1) the user may install software that could compromise the system and subsequently the entire network; 2) hackers who compromise the system inherit those rights and can use them for other nefarious purposes.

How is mobility affecting the typical company’s security planning?
USB thumb drives, smart phones, iPods/iPhones, and other devices are causing major problems for enterprises. Malicious insiders can use these devices to steal massive amounts of information and walk out with it on their keychain or in their pocket. Careless and untrained insiders often spread malware, viruses, Trojans, worms and other things that can compromise or destroy systems and data. Mobile users such as telecommuters and travelers often have laptops stolen which have sensitive data on them. 45 of the 50 states have data breach disclosure laws that require an enterprise to publicly announce these incidents which can have a huge impact on revenue, customer retention, and stock prices, not to mention the fees and class action lawsuits that usually follow.

Is there such thing as too much or too little security?
Of course there is such a thing as too little security. I also believe that there can be too much security. If you have so many security solutions and technology that you aren’t able to keep up with the 24×7 management and monitoring, you aren’t getting what you need out of those solutions. You are wasting money. In the hands of properly qualified information security experts, it would be better. But there are so many solutions that people have deployed and they simply aren’t getting much value from them. Maybe they were at one time, but people keep adding solution after solution and technology after technology rather than doing a risk and gap analysis and finding out what they really need and then simply using those things. They will find they spend less in the end and get much better risk mitigation.


Major Security Risks of Opening Firewall Ports

Wednesday, March 31st, 2010

I was recently asked a question by one of our account managers on behalf of a client that I thought would benefit my readers – enjoy!

Q: My point of contact for one of my clients had a question about port security. I figured I would ask you this question seeing as he wanted to get the opinion of one of our highest security experts. Currently he has some clients that are asking to open a high number of ports, in the range of the hundreds. His main question is, “What are some of the major security risks in allowing him to do this, if any? Also, what are some of the possible negative effects of allowing this?”

A: The question should be directed back at your client’s customer. It sounds like they are deploying an application that requires all these ports open. While it is always better to have fewer ports open than more, it ultimately comes down to the application that is responding on each port. An open port with a vulnerable application can cause a major data security breach. An open port with a secure application is not nearly as vulnerable. So someone should ask them why they need so many ports open, what application they are using, whether they understand the risks of opening these ports, and whether they will have someone responsible for the security of the application on an ongoing basis to limit exposure to a breach.

Also, I am assuming that these ports are inbound ports (ports open so computers on the Internet can come through them). If these are outbound or egress ports (internal computers needing to talk outbound to the Internet), the security issue is not nearly as great.
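Before a request like that is approved, the check worth running on the host to be exposed is to compare the requested inbound ports against what actually listens there. The script below is an added example, not from the original post: it parses constructed `ss -Hltnp`-style output (an assumption about the host being Linux) and a hypothetical customer request, and splits the request into ports that map to a real service (these need an owner and a patch plan), ports where nothing listens (pure attack surface waiting for the next service someone starts), and services bound to all interfaces that were not requested (the firewall must keep blocking those).

```python
"""Cross-check a requested inbound port list against what actually listens.

Added example, not from the original post. SS_OUTPUT is a constructed sample
shaped like `ss -Hltnp` on Linux; REQUESTED is a hypothetical customer request.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hltnp` output for the host the customer wants exposed.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1450,fd=21))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1790,fd=44))
LISTEN 0 4096 *:5900 *:* users:(("Xvnc",pid=2001,fd=9))
"""

# Hypothetical request from the customer: "open 443, 8000-8050 and 5900 inbound".
REQUESTED = "443,8000-8050,5900"

# Addresses that mean "every interface", i.e. reachable once the firewall opens the port.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


# state recv-q send-q local:port peer:port users:(("proc",pid=...,fd=...))
_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(text):
    """Return one Listener per LISTEN line we can parse; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            out.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return out


def expand_ports(spec):
    """'443,8000-8050' -> set of individual port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def compress_ranges(ports):
    """Sorted ports -> list of (lo, hi) contiguous ranges, for readable output."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def audit(requested_spec, ss_text):
    requested = expand_ports(requested_spec)
    # Only sockets bound to every interface become reachable when the port is opened.
    exposed = {l.port: l for l in parse_ss(ss_text) if l.addr in WILDCARD_ADDRS}
    return {
        # requested and a service answers: who owns it, and who patches it?
        "justified": {p: exposed[p].process for p in sorted(requested) if p in exposed},
        # requested but nothing listens: why open it at all?
        "no_service": compress_ranges(p for p in requested if p not in exposed),
        # listening on all interfaces but not requested: the firewall must keep blocking these
        "unrequested": {p: l.process for p, l in sorted(exposed.items()) if p not in requested},
    }


if __name__ == "__main__":
    for k, v in audit(REQUESTED, SS_OUTPUT).items():
        print(f"{k}: {v}")
```

On the constructed sample only 443 (nginx) and 5900 (Xvnc) are justified by a listening service, the whole 8000-8050 range has nothing behind it yet, and sshd on 22 and the Java service on 8080 are bound to every interface without being requested. Each of those three lists maps onto one of the questions above: what is the application, who owns it, and why do you need the rest.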


Phishing Techniques via Facebook Used to Control Two Bank Servers

Monday, March 29th, 2010

A lot of people think I am crazy when I rail on social networking sites and how they pose (in my opinion) one of the weakest links in security. Their very nature make them the perfect “social Trojan horse”.

Take for example a recent story that I read. Attackers took control of a large bank employee’s Facebook account. Most of you can understand how relatively simple this would be. From that Facebook account, the hackers sent messages to other employees about the company picnic and the posted pictures (which they saw from the account they hijacked). In the message to the other employees, there was a link that infected the other employees’ systems. As a result, the attackers were able to gain access to the network and capture keystrokes using malware. One access point led to another, which led to another, and before these attackers were detected, they had complete control of two servers in the network.


Malware More Intelligent and Hidden than Ever

Wednesday, March 24th, 2010

Some people wonder how malware gets installed on computers. Put aside the individual who falls prey to some social engineering scam where they open an email they shouldn’t, click on a link they shouldn’t, etc. Put aside malicious websites or compromised websites that some may be redirected to. Put aside SEO poisoning and the like. If you never have these issues, you could still be infected. Take for example the Trojan that was recently found in the Energizer DUO battery charger software. This malware is part of the standard download and is capable of sending files to the hackers or downloading more malicious software. It appears that this Trojan has been in the software since May 2007.

Even when you are really smart, and really careful, you could still be compromised.


Massive Mariposa Botnet Shut Down with Arrest of Administrators

Wednesday, March 17th, 2010

A very large botnet named “Mariposa” was recently shut down with the arrest of 3 of the main administrators. More arrests are expected in other countries.

Mariposa is said to have had as many as 12.7 million compromised computers (zombies) worldwide. The software acted as a Trojan horse and captured login credentials for online bank accounts. Following the arrests, police recovered personal information of more than 800,000 people. Zombies were found in many of the Fortune 1000 companies as well as in 40 major banks. The Mariposa Working Group, a coalition of security experts, academics and law enforcement, was the one that got it shut down.


Aurora Cyber Attackers Infiltrate Source-Code Management Systems of Google and Others

Monday, March 15th, 2010

More things are coming to light about the Aurora cyber attackers who targeted Google and other companies. This is really pretty interesting stuff (if your geek-o-meter pegs solidly in the red). McAfee released a paper at RSA last week that says the Aurora cyber attackers had been going after source-code management systems. These are software systems that house, manage, and control the source code for companies. Keeping track of source code can be a big task. Imagine all the different developers, different versions, etc. These systems are the life blood of development organizations. If a hacker could gain access to these systems, they could modify code, potentially inject trojans and malware, and certainly steal code (intellectual property).

According to the paper released by McAfee, the source code system was virtually “wide open,” which tells us they had a severe lack of security. But here is where it gets interesting. Remember that other companies were targeted by the same Aurora group at the same time? Well, they were all using the same code management system…likely with all the same security vulnerabilities. Someone might ask how cyber criminals could determine which companies were using which code management systems. There was a lot of talk about “Google Hacking” a few years ago. This is different from hacking Google; rather, it is using Google’s search engine to hack others…or maybe Google as well. Google and other search engines are such amazing indexing tools that they can often find bits of code or web pages that indicate what software a particular company uses. This is most often the case with web applications, web servers, etc. You can run specific queries in Google and it will tell you exactly who uses what. I don’t know for sure that is what was used here, but it seems like a perfect application of such a tactic.

The cyber criminals had to get on the inside of the organization because code management systems are never connected to the Internet (or at least they definitely shouldn’t be). So they used targeted (spear) phishing attacks to do it. Basically the bad guys knew if they could get some insider to fall prey to their phishing attack, they would essentially have the keys to the kingdom…which essentially they did.


Malware Alert: Two Mozilla Plug-ins Contain Trojan

Thursday, February 18th, 2010

Some people are baffled when they learn that their computer is infected with malware. They wonder where did this come from?

As one example, Mozilla recently removed two Trojan-laced plug-ins from the Firefox add-on download site. Just because they have been removed from the download site does not mean they are removed from individual computers. So users who have installed Sothink Web Video Downloader version 4.0 or any version of Master Filer should remove them immediately. They should also run anti-virus software to further clean up the infections.
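Removing an add-on from the download site does nothing for machines that already have it, so the useful check is one you can run against every Firefox profile on a machine. The script below is an added example, not code from Mozilla or from the original post: it reads the per-profile extensions.json that current Firefox versions keep (an assumption about the profile format; the 2010-era profile layout was different), matches add-ons by display name and version against the two names the notice gives, and reports what should be removed. The sample file is constructed, and the add-on IDs in it are placeholders.

```python
"""Flag the Trojan-laced add-ons named in Mozilla's notice across Firefox profiles.

Added example, not Mozilla's code. Assumes the modern per-profile
extensions.json layout ("addons" list with "defaultLocale.name" and
"version"). SAMPLE_EXTENSIONS_JSON is constructed; its IDs are placeholders.
"""
import json
from pathlib import Path

# Display name (lower-cased) -> affected versions; None means every version.
BAD_ADDONS = {
    "sothink web video downloader": {"4.0"},
    "master filer": None,
}

# Constructed sample of one profile's extensions.json, trimmed to the keys we use.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "{placeholder-1}", "version": "4.0", "active": True,
     "defaultLocale": {"name": "Sothink Web Video Downloader"}},
    {"id": "{placeholder-2}", "version": "1.2", "active": True,
     "defaultLocale": {"name": "Master Filer"}},
    {"id": "{placeholder-3}", "version": "4.1", "active": True,
     "defaultLocale": {"name": "Sothink Web Video Downloader"}},
    {"id": "{placeholder-4}", "version": "1.50.0", "active": True,
     "defaultLocale": {"name": "Some Harmless Add-on"}},
]})


def flag_addons(extensions_json_text):
    """Return (name, version, id) for every installed add-on on the bad list."""
    data = json.loads(extensions_json_text)
    hits = []
    for addon in data.get("addons", []):
        name = addon.get("defaultLocale", {}).get("name", "")
        key = name.strip().lower()
        if key not in BAD_ADDONS:
            continue
        version = str(addon.get("version", "")).strip()
        affected = BAD_ADDONS[key]
        # None = all versions are affected; otherwise only the listed ones.
        if affected is None or version in affected:
            hits.append((name, version, addon.get("id")))
    return hits


def scan_profiles(profiles_root):
    """Walk every profile under profiles_root (e.g. ~/.mozilla/firefox) and
    return {profile_dir: hits} for profiles that carry a flagged add-on."""
    results = {}
    for ext_file in Path(profiles_root).glob("*/extensions.json"):
        hits = flag_addons(ext_file.read_text(encoding="utf-8"))
        if hits:
            results[str(ext_file.parent)] = hits
    return results


if __name__ == "__main__":
    for name, version, addon_id in flag_addons(SAMPLE_EXTENSIONS_JSON):
        print(f"REMOVE: {name} {version} ({addon_id})")
```

Only the two entries the notice describes come back on the sample: Sothink 4.0 is flagged while the 4.1 entry is not (the notice names 4.0 specifically), and Master Filer is flagged at any version. Run `scan_profiles` against the profiles directory of each user on the machine, since each profile has its own add-on list.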


New SQL Injection Attack Infects Nearly 300k Web Sites

Tuesday, January 5th, 2010

As we discuss how attacks get more virulent, here is a good example. A newly detected SQL injection attack has now infected close to 300,000 web sites with an invisible iframe. An iframe can pull code from an alternate web site; in this case, it pulls from a series of web sites. The code it pulls looks for vulnerable versions of many client-side applications, including Adobe Flash and Internet Explorer (IE). Once installed, the malware acts as a Trojan horse that captures and steals online banking credentials.


Mystery Laptops Sent to Key Government Officials

Thursday, September 24th, 2009

So what would you do if a brand new HP laptop arrived at your home or office with your name on it? Would you think you are having an early Christmas or would you call the police? Well, that very thing has been happening to key individuals in the government. The FBI is investigating the source of mysterious laptop deliveries to several individuals, such as Governor Manchin of West Virginia and others. At this point investigators think it may be part of a fraud operation where the system could be configured to do a myriad of malicious things. This will be an interesting story to watch.


Trojan Targeting Over 4600 Companies Uncovered

Friday, August 21st, 2009

A cyber-crime group based in Eastern Europe is running a scheme that utilizes the Clampi Trojan (also known as Ligats, Ilomo and Rscan) to extract data from websites and even withdraw funds right out of accounts. As of July 29th, more than 4,600 companies had been infected by this malware and fallen prey to this scam. This Trojan is like so many coming out now in that it can actually avoid detection by anti-virus software. It is getting more and more difficult to keep these things off your systems. I often write about methods of preventing this malware from getting installed on your systems in the first place, including IDS/IPS, Web Content Filtering, Vulnerability Assessments, Patch Management, and many more. More recently I have been talking about the greater need for desktop security, specifically software that can detect and block the installation of new applications. For critical systems, HIPS (host based intrusion prevention systems) are great for this, but greater emphasis should be placed on desktops, laptops, and other workstations as well.


$400,000 Wire Transferred Right Out of the Bank to Thieves’ Accounts

Friday, July 31st, 2009

A Kentucky county government was the victim of an attack where the cyber criminals used the Zbot Trojan horse program to capture the username and password of a legitimate, authorized user of the system; by launching the attack from that user’s system, they were able to subvert detection. $400,000 was wire transferred to other accounts and so far only $45,000 has been recovered. The attackers are believed to be based in Ukraine, but have cohorts here in the U.S.

There are so many information security solutions that would have prevented this. This just goes to show how much money can be stolen by cyber thieves, and from anywhere in the world. How do you know you don’t have similar software on one of your systems right now?

While the main command and control server for the Zbot software was discovered in the Cayman Islands and shut down recently, undoubtedly they will simply move these operations to another location. That is the dangerous flexibility of botnets and P2P like communications.


Golden Cash Bot

Wednesday, July 15th, 2009

A few more details have been uncovered on the Golden Cash bot, which can be leased by individuals for $5 to $100 per 1,000 compromised PCs. Once under your control, you can use it to steal data, send spam or for any number of other nefarious purposes.

They call it Golden Cash because it is “Your money-making machine”. Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries. In their examples 1,000 bots in Australia go for $100, but 1,000 bots in Vietnam go for a mere $5.

There was a good breakdown of the most common ways you can be infected: “a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server. Then the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash’s control.” 100,000 domains is a whole lot of compromised websites. Think how many hundreds, thousands, and millions of users hit these various websites daily. For those interested, the Trojan name is “Trojan-Spy.Win32.Agent.amdz”.
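Both the mass SQL injection campaign described above (the invisible iframe injected into nearly 300,000 sites) and the Golden Cash scheme rely on the same foothold: an iframe that the visitor never sees, pointing at a host the site owner does not control. That gives a site owner a concrete thing to look for in their own stored pages and in the database columns such injections land in. The scanner below is an added example, not code from either report: it parses HTML with the standard library, collects every iframe, and flags those that are both hidden (zero-sized, display:none, visibility:hidden, or positioned off-screen) and off-site relative to the site’s own hostname. The sample pages and the hostnames in them are constructed placeholders.

```python
"""Find hidden, off-site iframes in stored page content.

Added example for the SQL-injection/iframe and Golden Cash posts above; not
code from either report. SAMPLE_PAGES and SITE_HOST are constructed, and the
off-site hostnames are placeholders, not real attack infrastructure.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.com"

# Constructed sample: what a handful of stored pages might look like after an injection.
SAMPLE_PAGES = {
    "/index.html": (
        '<html><body><h1>Welcome</h1>'
        '<iframe src="https://video.example.net/embed/abc" width="560" height="315"></iframe>'
        '</body></html>'
    ),
    "/about.html": (
        '<html><body><p>About us</p>'
        '<iframe src="http://injected.example/in.cgi?3" width=0 height=0 '
        'style="visibility:hidden"></iframe></body></html>'
    ),
    "/contact.html": (
        '<html><body><p>Contact</p>'
        '<iframe src="/forms/contact" style="display:none"></iframe>'
        '<iframe src="http://dropper.example/x" style="position:absolute; left:-9999px"></iframe>'
        '</body></html>'
    ),
}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Heuristics for 'the visitor will never see this frame'."""
    style = attrs.get("style", "").replace(" ", "").lower()

    def dim_is_tiny(name):
        value = attrs.get(name, "").strip().lower().rstrip("px")
        return value in ("0", "1")  # 0/1 pixel frames are the classic injection shape

    return (
        dim_is_tiny("width") or dim_is_tiny("height")
        or "display:none" in style
        or "visibility:hidden" in style
        or "left:-" in style or "top:-" in style  # pushed off-screen
    )


def is_offsite(src, site_host):
    """Relative URLs have no host and count as on-site; anything else is compared by hostname."""
    host = urlparse(src).hostname
    return bool(host) and host.lower() != site_host.lower()


def scan_page(path, html, site_host):
    """Return (path, src) for each iframe that is both hidden and off-site."""
    collector = IframeCollector()
    collector.feed(html)
    return [
        (path, frame["src"])
        for frame in collector.iframes
        if "src" in frame and is_hidden(frame) and is_offsite(frame["src"], site_host)
    ]


def scan_site(pages, site_host):
    hits = []
    for path, html in pages.items():
        hits.extend(scan_page(path, html, site_host))
    return hits


if __name__ == "__main__":
    for path, src in scan_site(SAMPLE_PAGES, SITE_HOST):
        print(f"SUSPECT {path}: hidden iframe -> {src}")
```

On the sample, the visible video embed on the front page and the same-site hidden form frame are left alone; the two zero-sized or off-screen frames pointing at other hosts are reported. The same `scan_page` call can be pointed at the text columns of a database table, since a SQL injection campaign of the kind described stores its iframe in exactly those rows rather than in files on disk.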


Trojans installed in ATMs likely by malicious insiders

Monday, June 15th, 2009

If you were a criminal, what would be the ultimate exploit? How about a Trojan inside ATMs that allowed you to drain them of cash, manipulate the logs to show no signs of compromise, and even remove its own code when commanded. Well, that is exactly what has been found on a series of ATMs in Europe. It does appear that the software was installed manually, which would likely require an insider. This supports my #1 threat of malicious insiders, due to the economic drop that began at the end of 2007 bringing out the worst in people. The malware looks to have been active for over 18 months, with 16 updates to it during that time.

I am always amazed at how many organizations feel they are safe because they don’t believe they have been compromised. Most of the serious attacks are active in a network for months or even years before detection. At this moment, thousands of systems and networks are likely compromised without their owners or IT admins being aware at all.



Pirated Version of Windows 7 RC Contains Trojan

Wednesday, May 27th, 2009

Cyber criminals know that people often want to get their hands on the latest and greatest software prior to its official release. As a result, these hackers have been known to modify this software and post it to the Internet for unsuspecting people to download. The modifications they make include methods to subvert traditional AV systems and install Trojans and other malware that can offer full control to the bad guys anywhere in the world.

Microsoft’s Windows 7 was the latest to have this happen, although this is far from the first time. Apple’s iWork ‘09 had something similar last year. My suggestion is to not download and use pirated software because the security implications can be huge. Remember, it isn’t just about that one system being infected. Once it is on the inside of your network, it can spread to other systems.



Router Exploits Take Center Stage

Wednesday, April 1st, 2009

Research has been conducted by Felix “FX” Lindner, who demonstrated that many routers (especially Cisco) are susceptible to attack and compromise. Often these devices are overlooked from a vulnerability detection and patching perspective. Many organizations run vulnerability assessments against their publicly accessible systems, but they usually only do their firewall, web server, email server, etc. They often forget about the router that connects all this to the Internet. Other times they know the device is there but are unwilling to pay extra to scan that system.

I believe one reason for this is that they think anything on the outside of the firewall is someone else’s problem. Another reason is that most routers can’t simply be patched. You actually have to apply an entire new firmware image (the equivalent of an operating system on a PC) to the router. This all too often leads to lost configurations, misconfigurations, and downtime. So the device is left to its own devices (no pun intended).

The successful compromise of a public Internet router on the outside of your firewall can still be very serious. The most obvious result could of course be denial of service: the criminals could simply turn off your Internet access. Beyond that, there are several things they could also do to monitor your traffic and more.

Cisco recently released multiple advisories for IOS (the firmware for Cisco routers), which makes this even more critical. Review the Cisco security advisories and apply any necessary workarounds or updates to help mitigate the risks.

My advice is to run vulnerability assessments against your external routers and make sure these devices are included in your patch management program…even if it is a little painful to deal with upgrading that firmware.