Top Security Tweets: Week of May 30
At the close of each week we look back on the major happenings in the security industry and recap the hottest news in our “IT Security Rewind.” This week however, we decided to mix things up a bit (all this summer weather must be getting to our heads) and instead we’ve listed some of the thought-provoking topics that may not be making headlines but still have major implications for the security industry.
Since Twitter has emerged as an outlet for individuals to engage in conversation and share their opinions, this week we scoured the social channel to see what security industry influencers have to say. Below are some of this week’s Top Security Tweets from thoughts leaders like Josh Corman, Bob Rudis, Chris Nerney and Eugene Spafford. Did you see any other interesting Tweets that we missed? Feel free to add them below.
@joshcorman For the EleventyBillionth time. An APT is not a WHAT, but a WHO and a HOW. It is an ADVERSARY. FREE: http://bit.ly/gGxuD9
@hrbrmstr What I would truly give a big chunk of budget $ for are infosec prods w/focused functions * *wicked-awesome* mgmt & reporting capabilities.
@RSAConference: Top five social media security threats (via @ChrisNerney) http://bit.ly/iqtYAP
@RobotSpaf: Why the bad guys are winning – Computerworld Blogs – Great list. I don’t agree with all of it, but 95% of it… http://tumblr.com/xfz2t3zpfg
TechEd2011 Week: Our Q&A with Paul Kenyon, Co-founder and COO of Avecto
Microsoft TechEd North America 2011—an international conference that draws IT developers and professionals from around the globe and encourages engagement and collaboration with Microsoft innovators, third party leaders and industry peers—is now in full swing at the Georgia World Congress Center in Atlanta, Georgia. Cyber-Ark will be on hand to demonstrate the advantages of its Privileged Identity Management Suite as well as the advanced auto-discovery functionality for automating the detection process of all forms of privileged accounts, including the service accounts commonly associated with Microsoft Windows Services. To join the conversation surrounding the event, we decided to check in with one of our partners—Avecto, a pioneer in least privilege technology that enables organizations to deploy secure and compliant desktops—to see what they have planned for the show and beyond.
Read on for our brief Q&A with Paul Kenyon, Co-Founder and COO at Avecto:
Cyber-Ark: What does the Avecto team have in store for attendees and followers of TechEd 2011? Any new technologies and products you anticipate will generate a good deal of buzz at the show?
Paul: Avecto will be demonstrating the latest release of our privilege management product, Privilege Guard 2.7. Amongst the various new features in the product we have significantly increased the integration with Windows 7 User Account Control (UAC). We see UAC as a great solution for true administrators and home users, but felt that there was some functionality lacking for corporate environments. In Privilege Guard 2.7 we have filled that gap to make Windows 7 migrations simpler and more secure.
Already, Privilege Guard has received the Windows 7 compatibility accreditation, and the product is a snap in to Group Policy and WinRM (a standard feature in Windows 7) for centralizing our events. Specifically, what we have tried to do is avoid making our customers invest in additional architecture to obtain the benefits we provide—and we anticipate this will be received warmly at TechEd.
Cyber-Ark: Last year, Avecto and Cyber-Ark officially announced a strategic partnership to enable the resale of Avecto’s Privilege Guard products to Cyber-Ark’s Privileged Identity Management Suite customers. Can you share some milestones from this partnership in terms of evolving market demand and customer traction, even anecdotally?
Paul: Well to start, the relationship began with a meeting between myself and Udi Mokady, in Ireland, last year. I had suffered for a fall from my Mountain Bike so was looking a little worse for wear, but needless to say, I didn’t want to miss the chance to get together with Udi whilst it was geographically so convenient to meet. It was at that meeting that it became clear that the synergy between our two companies was too great to pass up on the opportunity to partner.
Naturally these things take time to hatch but once all the paperwork had been completed and the partnership launched internally we started to see considerable customer interest arise. Only yesterday I spoke with a prospect who is looking at both our products and was keen to make me aware of the value of purchasing technologies that he knows are compliant with one another from day one.
Cyber-Ark: With security, and IT in general, the focus always seems to be on “What’s Next?” With that in mind, how do you foresee enterprise security practices and technologies, both on-premise and in the cloud, evolving come TechEd 2012?
Paul: Most of the organizations we have spoken to are saying similar things; they have invested in anti-virus, firewalls, intrusion prevention and various other technologies at the perimeter but now they want to further secure desktop and servers inside the network. More than that, we have seen the increasing demand on CISO’s to improve customer satisfaction which means that they need to implement technology that improves the security of the business but not directly at the expense of user flexibility.
IT Security Rewind: The Week of May 9
Welcome back to our weekly “IT Security Rewind” blog series. If there is one thing that IT security professionals know all too well, it’s that there is no such thing as a “slow week.” So while we didn’t witness a series of spectacular breaches as seems to have been the norm over the past few weeks, one in particular is making us think twice before swiping our credit cards through a store’s PIN pad! Here are our top three security stories from the week of May 9:
- A scrapbook that drains your bank account? : When news broke that debit and credit card numbers and PINs had been stolen through PIN-pad tampering at Michael’s, a national fabric retailer based in Irving, Texas, original reports indicated that the breach impacted only Chicago-area stores. But as is often the case, this week Michael’s reported that about 90 PIN pads at stores located throughout the US have allegedly been tampered with. The root cause of the attack is still under investigation—was it simple skimming through the use of an electronic device, or is it possible to implant malware on such a device through a network hack? We’ll certainly be watching for additional details on this story as they are uncovered.
- More SCADA Security Flaws: It is never a good thing when “vulnerabilities” are included in the same sentence as “critical infrastructure.” According to ThreatPost, the “U.S.’s Computer Emergency Response Team (CERT) issued a warning to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks.” ThreatPost and other outlets reported that the vulnerability “can allow malicious code to run with the privileges of the current user.” Very much in the same vein as Stuxnet, we continue to see companies in the electricity, oil and gas, manufacturing and water treatment sectors emerging as the focus of targeted attacks.
- Hacking a CMS? A Help Net Security report uncovered a new vulnerability in Exponent CMS that could enable hackers to “create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site.” Could privileged identity management technology play a role in mitigating this threat? Either way, here is another potentially damaging flaw that could “conduct cross-site request forgery attacks and disclose sensitive information.”
Check back here again soon for next week’s IT Security Rewind, and as always, let us know your take on the news.
The RSA Breach and Security Best Practices: The Role of Least Privilege
As the security industry continues to look for answers and insight to RSA’s recent data breach, we found the security best practices suggested to SecurCare customers valuable for nearly every organization that shares, stores or provides access to sensitive data. We need to wait and see what emerges from this latest attack to see what vector was used – but we support and re-emphasize the response by RSA to its customers as it provides some valuable, current and real-world lessons every organization needs to follow.
Following are several that are particularly relevant to our customers and partners, including:
• We recommend customers enforce strong password and pin policies.
• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
Let’s dive into the concept of enforcing the rule of least privilege for end-users and security administrators– the idea being to provide only that amount of privilege necessary for a given activity. When applied to privileged accounts, those used by administrators or applications to access and manage key systems, applications and databases, it becomes a bit harder to do, since these powerful accounts often provide full, unfettered access to enterprise systems and applications.
However, what’s often overlooked is how these accounts can provide unwanted ‘escalation of privileges’ for Advanced Persistent Threat (APT) attacks. These access points, often in the form of embedded or hardcoded passwords, exist in almost every networked system, application or database. We saw this recently with the Stuxnet virus – entering in through an embedded credential in a SCADA system, as well as in the Operation Aurora attacks on several companies’ source code management systems.
While malicious outsiders and insiders have focused often on the administrative credentials on typical systems like servers, databases and the like, in reality, IT organizations need to identify every asset that has a microprocessor, memory or an application/process. From copiers to scanners, these devices all have similar embedded credentials that represent significant organizational vulnerabilities.
At the end of the day, the use of privileged access to exploit vulnerabilities such as hardcoded passwords is a very real threat that provides malicious hackers with new ways into the enterprise. It’s not just about ensuring that your system administrators are equipped with least privileged access, it’s something that every company—security vendors and enterprises alike—needs to recognize and proactively guard against.
What are some of your favorite security best practices, particularly related to managing, monitoring and controlling privileged access?