
Blended Attacks: The Nasdaq Edition

Despite spending nearly $1 billion a year defending itself against constant cyber attacks, news broke late last week in an exclusive report from Reuters that “the hackers who infiltrated the Nasdaq’s computer systems last year installed malicious software that allowed them to spy on the directors of publicly held companies.”

According to the story, the Nasdaq case, reportedly similar to the attack against RSA earlier this year, is an example of a “blended attack,” where elite hackers infiltrate one target to facilitate access to another. Nasdaq has said that hackers attacked a Web-based software program called Directors Desk, used by corporate boards to share documents and communicate with executives, among other things. By infecting Directors Desk, the hackers were able to access confidential documents and the communications of board directors.

As Jaikumar Vijayan emphasized in his recent article for Computerworld, “Despite Stuxnet, Duqu, control system flaws still overlooked,” most efforts to fix infrastructure threats are wrongly focused. It seems Nasdaq learned the hard way that throwing a large budget at a security issue to build up perimeter walls won’t fix an issue that’s already inside. “God knows exactly what they have done. The long term impact of such attack is still unknown,” Tom Kellermann, a well-known cyber security expert, told Reuters of the attack.

Cyber-Ark believes that regardless of the attack vector, there must be heightened emphasis on the importance of proactively locking down and isolating sensitive information, and maybe even more critically, the servers, systems and applications where this confidential information resides or is transmitted to or from.  Post-fact reaction by its very nature means that the vulnerability has already been leveraged.  Only truly proactive, preventative approaches can help organizations guard themselves from these types of ongoing and often persistent attacks.

Additionally, it’s important to examine the concept of enforcing the rule of least privilege for end-users and security administrators – the idea being to provide only the amount of privilege necessary for a given activity. What’s often overlooked is how these accounts can be tampered with to provide unwanted ‘escalation of privileges’ to aid in persistent attacks – which appears to be what happened in the Nasdaq case.

In the RSA case, recommendations to customers included enforcing strong password and PIN policies, watching closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and considering additional levels of manual approval for those changes. Could these steps have helped Nasdaq? It will be interesting to learn more as this story continues to unfold.
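To make the monitoring recommendation above concrete, here is an added example (not code from the original post, nor from Cyber-Ark or RSA) of the kind of rule a SIEM would run over group-membership audit events: it flags additions to privileged groups that carry no approved change ticket (the “manual approval” step), an account adding itself to a privileged group, and a burst of privileged additions by one actor. The key=value log format, the group names, the actor and target account names and the approved-ticket list are all constructed for the example.

```python
"""Detection sketch for unapproved privilege changes.

Added example; the log format, account names, group names and the
approved-ticket list below are constructed, not taken from any real system.
"""
import re
from datetime import datetime, timedelta

# Groups whose membership changes we treat as privilege-level changes (constructed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 2  # privileged additions by one actor inside the window

# Constructed sample audit lines in a simple key=value form; an empty ticket
# means the change was made without a change-control reference.
SAMPLE_LOG = """\
ts=2011-10-17T09:12:03Z event=group_member_added actor=svc_backup target=jsmith group="Domain Admins" ticket=
ts=2011-10-17T09:12:05Z event=group_member_added actor=admin.kwong target=rpatel group="Domain Admins" ticket=CHG-1042
ts=2011-10-17T09:13:10Z event=group_member_added actor=svc_backup target=jsmith group="Administrators" ticket=
ts=2011-10-17T10:40:00Z event=group_member_added actor=admin.kwong target=tmiller group="Sales" ticket=
ts=2011-10-17T22:05:44Z event=group_member_added actor=jsmith target=jsmith group="Enterprise Admins" ticket=
"""
APPROVED_TICKETS = {"CHG-1042"}  # constructed: tickets that passed manual approval

# key=value pairs; values may be double-quoted (to allow spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Parse one audit line into a dict; 'ts' becomes a datetime."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text, approved_tickets):
    """Return a list of alert dicts for privileged-group additions that need attention."""
    alerts = []
    recent = {}  # actor -> timestamps of recent privileged additions
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("event") != "group_member_added" or ev.get("group") not in PRIVILEGED_GROUPS:
            continue  # only privileged groups are in scope for these rules
        base = {"ts": ev["ts"].isoformat(), "actor": ev["actor"],
                "target": ev["target"], "group": ev["group"]}
        # Rule 1: privilege change without an approved change ticket.
        if ev.get("ticket", "") not in approved_tickets:
            alerts.append(dict(base, rule="unapproved_privileged_add"))
        # Rule 2: an account raising its own privilege level.
        if ev["actor"] == ev["target"]:
            alerts.append(dict(base, rule="self_escalation"))
        # Rule 3: several privileged additions by one actor inside a short window.
        window = [t for t in recent.get(ev["actor"], []) if ev["ts"] - t <= BURST_WINDOW]
        window.append(ev["ts"])
        recent[ev["actor"]] = window
        if len(window) == BURST_THRESHOLD:  # fire once when the threshold is first reached
            alerts.append(dict(base, rule="burst_of_privileged_adds"))
    return alerts


def run_sample():
    """Run the rules over the constructed sample log."""
    return detect(SAMPLE_LOG, APPROVED_TICKETS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the approved addition of rpatel passes silently, the addition to the non-privileged Sales group is out of scope, and the remaining three privileged additions are flagged as unapproved, with one also flagged as a self-escalation and one as part of a burst. In a real deployment the approved-ticket set would be fed from the change-management system rather than hard-coded.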


UK ICO unveils latest research findings

The UK’s Information Commissioner’s Office (ICO) has announced the findings of its annual track survey*.  The new figures reveal that almost 75 percent of businesses surveyed know that the Data Protection Act requires them to keep personal information secure, an increase of 26 percent on 2010’s findings.  However, reflecting a fall in public confidence, less than half of the people surveyed believe that organisations process their data in a fair and proper manner.  The survey also found that the number of data breaches in the private sector is rising, with 58 percent more breaches reported to the ICO so far in 2011/2012 than in the same period last year.

The ICO’s research highlights some interesting, albeit unsurprising, trends surrounding data protection today in the UK.  Whilst a greater proportion of businesses are aware of the data protection obligations placed on them, the public is less confident than ever of these businesses’ ability to safeguard their information.

Indeed, why should the public have any faith in the existing practices employed by organisations, when news report after news report highlights a series of serious data protection failings? Over the last few months we’ve seen a plethora of NHS Trusts hit the headlines over the loss of substantial and confidential patient information. Throw into that previous reports of the police snooping on citizens’ personal details and it’s not exactly going to do much to bolster public confidence in the state of data protection today.

Whilst we should welcome the fact that the report demonstrates an increase in awareness surrounding data protection, awareness on its own is not going to obliterate this growing problem.  What’s needed is action and organisations need to put in place the requisite security tools to ensure that they can properly enforce a sound and water-tight data protection policy going forward.

* http://www.ico.gov.uk/news/latest_news/2011/businesses-waking-up-to-data-protection-responsibilities-21102011.aspx


IT Security Rewind – Week of October 10, 2011

This week we honored Christopher Columbus, someone who undoubtedly took a major risk and in the end, discovered something completely new. Thus it is appropriate that in this week’s IT Security Rewind we must report the passing of the visionary Dennis Ritchie, creator of the C programming language and co-developer of the Unix operating system. eWeek.com provided the following quote from Jeong Kim, president of Alcatel-Lucent Bell Labs, “Dennis was well loved by his colleagues at Alcatel-Lucent Bell Labs, and will be greatly missed. He was truly an inspiration to all of us, not just for his many accomplishments, but because of who he was as a friend, an inventor, and a humble and gracious man. We would like to express our deepest sympathies to the Ritchie family, and to all who have been touched in some way by Dennis.” To read more about Dennis’ accomplishments visit: http://www.eweek.com/c/a/Security/Dennis-Ritchie-Founder-of-Unix-C-Dies-at-70-215748/.

In other security news this week:

FTP may be dying but collaboration is not: eWeek’s Cameron Sturdevant (@csturdevant) took a look at the effect of the consumerization of IT on collaboration tools, highlighting some major security vulnerabilities that have arisen with the adoption of these free SaaS tools. With the proliferation of mobile devices, Sturdevant emphasizes the importance of regulations in file sharing, stating, “There are reasons to put boundaries on user collaboration, and licensed SaaS and on-premise tools are often best equipped to put these restrictions into practice. Blocking restricted data is among the chief reasons to curtail user file sharing. Helping well-meaning employees stay on the right side of the law when it comes to using regulated data is an important feature that is missing from nearly all the no-cost Internet services.” We completely agree and hope that Sturdevant will check out our secure file transfer solution to see how we successfully secure data in transit.

The real threat is still inside: Despite constant media chatter around advanced persistent threats and external hackers, Dark Reading reported on a study that serves as a good reminder to organizations to look for threats within their own company walls. The study, conducted annually by Amplitude Research on behalf of VanDyke Software, found that “of the many reasons cited for network intrusions, more than half could be attributed to internal issues: lack of adequate security policies (17 percent); employee negligence (12 percent); unauthorized access by current or future employees (11 percent); employee Web usage (6 percent); and lack of software updates (6 percent).” Surprisingly, hacker/network attacks accounted for only 14 percent of intrusions; viruses, malware, and spyware were 10 percent.

PCI still a pain point for many: Okay, we admit it, we love reports, especially when they support messages we’ve been sending for some time now. This report, conducted by Verizon and covered by SC Magazine UK, found that “most businesses that accept credit or debit cards, or both, continue to struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS).” In fact, of those assessed by Verizon, only 21 percent were found to be fully compliant. These results were almost identical to last year’s, which proves that, as an industry, we need to do more to educate organizations and help them to understand how to achieve compliance not just for auditing purposes, but for the protection of their customers’ sensitive information.


NHS loses unencrypted USB stick

A report from the Surrey and Sussex Healthcare NHS Trust in the UK has revealed that East Surrey Hospital lost the details of 800 patients in September 2010 but failed to notify any of the affected patients*. The Trust’s 2010/2011 annual report stated that the lost information had been held on an unencrypted memory stick, and included the names, dates of birth and operation details of each patient. The report also revealed a further nine “near misses” whereby information was lost but later recovered.

It’s a worrying situation when it is no longer surprising to see an NHS data breach with a lost, unencrypted USB stick at the heart of it.  Such devices – which have proven to be consistently vulnerable to loss, theft and poor security practices – must be retired.  Technology has moved on, and so should organisations looking to transfer information securely.  Only by using modern Secure File Transfer solutions can organisations be sure that their data is protected at all times, and only accessible by the intended recipient.

It’s also hugely disappointing to see that the Surrey and Sussex Healthcare Trust failed to notify the individuals affected by the data breach. The Trust has an obligation to properly protect the personal information of those in its care; however, the revelations of poor data security and failure to notify indicate that there are some serious flaws in its current approach.

It’s unclear just how many more of these incidents are needed before lessons are learned and changes made, but this data breach, along with the nine “near misses” mentioned in the report, will do little to inspire public faith in the NHS.

*Full Article


IT Event Rewind: ArcSight Protect ‘11

A couple of weeks ago I had the pleasure of attending HP ArcSight Protect ’11, hosted by HP Enterprise Security: ArcSight, Fortify and TippingPoint. This wasn’t my first time attending this show, and as usual, I was very impressed by the global customer conference.  For those of you who didn’t get to attend, I have finally sat down and pulled together some thoughts to share.

The big news from the show was that HP’s Enterprise Security Products (ESP) division will formally launch on Nov 1st, 2011. This division will include products from ArcSight, TippingPoint, Fortify and Vistorm (the UK-based security company that will act as the global security services arm).

I also really enjoyed HP EVP Tom Reilly’s visionary keynote message as it was right on target with the ID Intelligence theme that I dedicate a lot of focus to on a regular basis. The keynote emphasized ArcSight’s new acronym Security Information Risk Management (“SIRM”) (remember ETRM?) and also touched on major industry news and trends such as:

  • The APT & Stuxnet Reality:  Assume that you’ve already been hacked; adopt a prioritized, Risk-based InfoSec approach
  • “Well-Funded Adversaries” =  Nation States and Organized Crime are highly sophisticated
  • “We all struggle with ‘BYOD’ (Bring Your Own Device) to Work” = Mobility Security Challenges
  • The Cloud,  Virtual Environments and Mobility provide new ‘attack surfaces’

If you’d like to learn more about Reilly’s keynote click here to see his video interview:

http://www.youtube.com/user/HPSecure?feature=mhsn#p/u/0/uhb6u_LB7To

In other ArcSight news, their technology ecosystem partners are being strongly encouraged to implement “closed loop response actions” that will allow real-time remediation activity from directly within the SOC & the ArcSight ESM™ platform to complementary third party security solutions.

Finally, based on Cyber-Ark’s alliance with HP ArcSight, we were privileged to have had the opportunity to present a customer case study at the event. To top that, we were also invited to be the subjects of a video interview by SC Magazine on the topic of, you guessed it, ‘Privileged Identity Intelligence.’ Check out the link to the video and let us know what you think. You can expect to hear more from us on this topic moving forward.

Have any ArcSight highlights of your own? Share them here!
