Cenzic report “Firefox is the most vulnerable browser”

0
Filed under Information Security Community, Vendor

I respect Cenzic and have spoken with Mandeep several times; he has always been well educated and evenly balanced. That is why I was so surprised when I saw Spaf’s Facebook comment, “Firefox is the most vulnerable browser”, and ran this to ground.

The report is available at: http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf and I want to thank Cenzic for letting people download it directly and not requiring that we fill in a form with our name, rank and serial number.

The controversial statement is on page 6, key findings, “Of the browser vulnerabilities, the big surprise was that Firefox at 44 percent had significantly more vulnerabilities than the other browsers. What was also surprising was that Safari vulnerabilities which are usually very low came in at 35 percent, significantly higher than even Internet Explorer which comprised 15 percent of the browser vulnerabilities.”

A couple of points. OpenSSL has probably had more vulnerabilities reported than any closed source TLS solution; does that make it more dangerous? Probably not. It is open source, and more bugs are found partly because people can look at the code and partly because so many people exercise the technology. You could even say, but not prove, that OpenSSL is safer to use than its closed source neighbors.

I would guess that Firefox is used by a somewhat more sophisticated crowd than Internet Explorer, but I cannot prove that either. I can say that when I ask for a show of hands, “who uses Firefox AND NoScript”, it tends to be the more technical folks in the crowd, and since I have given my endpoint keynote to well over a thousand people, this starts to be statistically significant. I can also say that I have done a lot of surfing with Firefox and NoScript in the past two months using either Bit 9 or Savant Protection, and I have not gotten a single popup from the endpoint software asking me about a system change, so you are at least reasonably safe if you run the pair.

Try not to throw the baby out with the bath water. The report is an interesting read, has some useful information, and I hope Cenzic keeps doing this. Also, if you want to focus on one sentence more than any other, the number of vulnerabilities attributed to Safari because of the iPhone, right at the time of the second iPhone worm, seems like the really rich sound bite.

First Look: Sophos Endpoint Security Tool

0
Filed under Vendor

We received a submission in response to my request for endpoint security experiences. It is shown below (thanks Sam).

Dear Stephen,

Bit late I know, but just dropping you a line following your request for Endpoint Control feedback in the SANS newsbites 31st July. We specialise in providing IT support to small businesses, and recently one of them had a malware infection on a desktop – easy to occur and very hard to prevent these days as I’m sure you know. Before we had the chance to clean it properly (unfortunately, whilst we’re responsible for the server, they like to look after the desktops, with predictable results!) the malware had got their public IP blacklisted by mass-mailing of some kind.

In reaction to the infection, we rolled out the Sophos Client Firewall to all the desktops and laptops. Have to say I’ve been really impressed with it – it’s fantastic to have centralised control of all processes that are requesting outbound network access, to be able to see at a glance and decide which ones are allowed and which aren’t.

We’re now planning on rolling this out to the rest of our clients as an additional and very effective layer of network security. It’s never going to be 100% prophylactic, but will certainly be a brilliant defence for limiting damage and identifying rogue processes.

So to sum up, yes, the Sophos Endpoint Security Tool has given us excellent control at the application level, and for a very reasonable licence fee as well. Highly recommended.

Yours,

Sam Tinley
Director
6was9 consulting ltd

www.6was9.com

0870 770 0069

Define Zero Day

0
Filed under Information Security Community

We received a comment from a faithful NewsBites reader gently chiding us about the use of the term “Zero Day”. He said, “A few years ago, as the rogue hackers began to automate vulnerability identification and exploit writing, they began to brag about how quickly they were able to exploit a vulnerability after it was identified. They bragged that their tools were getting so good that they would soon be able to exploit a vulnerability within the same day that it was identified. It was from this boast that the idea of the ‘zero-day exploit’ was born.”

In my own history as an IDS analyst, the circle I traveled in defined Zero Day as an exploit for an unpublished vulnerability. Twelve years ago, IDS was primarily signature based; if the vulnerability was not published, you would not have a signature for the attack. Our research showed that hackers who hacked for money would find unpublished vulnerabilities, create exploits for them, and use them to break into systems and steal credit card numbers and the like. Then, after 3 – 6 months, they would start making these exploits available to other hackers and quit using them. This way, they could cover their tracks. Wikipedia has a page titled Zero Day Attack that lines up with this definition. The website zerodaythreat.com defines zero day as “(n) a hazard so new that no viable protection against it exists”, and they offer a book by the same title. eEye sees things differently and offers a zero day tracker, which under the definition above would be impossible.

In the search for truth, I plugged zero day into Google to get additional thoughts on the definition of zero day. Here are a few of the more interesting things that I found:

Zero Day is a movie.  From what I read on Wikipedia, it is unlikely to be a movie I would want to see, “Zero Day (2003) is a movie directed by Ben Coccio, about a school shooting much along the lines of the Columbine High School massacre.” It is available on Google Films. The trailer is here.

Zero Day is a ZDNet blog, that focuses on attacks and vulnerabilities. It is the name of a Harvard Law Blog as well. The Zero Day Initiative is a TippingPoint project to purchase zero day exploits. Some security professionals disapprove of this practice.

Product Update: Covey Planner Software Unusable

2
Filed under Vendor

It is with great sadness that I post this for my wife. She has been attempting to use their software tool for years, and every time they update it, the data cannot be moved to the new solution. To be honest, I have been amazed Kathy has stuck with them for so long, but last night she made it very clear this is the end of the road. Shame on you Stephen Covey.

“I have been a customer for years, taken the Habits of Highly Effective Teachers at the graduate level through the University of VA, read The 7 Habits, The Eighth Habit, First Things First, held fast to the planner system for two decades and have lost all my data in the design-your-own planner series for the third year in a row. Last year I was told it was because you’d switched service providers. This year I’ve yet to hear a reason. Still, I persevered, re-entering recurring events first, mistakenly believing it might stick this time. The software sent an error message each time I attempted to save the work, add more entries, or upload photos. Each time a page of events is entered the software creates duplicates in the events field, which freezes the program until those are all deleted manually. Nonetheless, I continued logging recurring entries all the way through the end of September when a new error message appeared: “there is no data”. Hours lost. Data lost. I am beyond frustrated.

How does the company that purports to believe in the pursuit of excellence, sharpening one’s saw, pursuing one’s highest and best, and then puts out such horribly flawed software, followed by zero customer service, expect to be perceived?

Kathy Northcutt”

First Look: LogMatrix

0
Filed under Vendor

Yesterday I spoke with Mike Schmitt and Jeff Aliber, corporate leaders at LogMatrix. This is the SIEM vendor formerly known as OpenService. They have rebranded their company and their marketing approach is to work with existing customers, leverage relationships and work for organic growth. They have always been in the SIEM space (EventCenter), but now have a Log Management solution (LogCenter). They also have a correlation engine at this point (NerveCenter). I am assuming these are separately priced. They say their largest customer is up to 1.5B events/day and headed for 2B events. They are not certain how many collectors are required, but estimate 10 – 12. Hopefully they will leave a comment with a researched answer.

One of the latest additions to the product mix is compliance reporting. They have PCI, SOX, HIPAA, NERC, GLBA and FISMA, and these are included in the price. LogMatrix claims they can generate a report across six months of data in a few minutes.

I asked them who they compete with and they said for SIEM deployments, they tend to see ARCSIGHT and EMC and for Log Management LogLogic and LogRhythm.

They were very excited about the Cisco MARS announcement that there will be no additional 3rd party support, and they have jumped onto the Gartner Magic Quadrant bashing with a press release.

First look: Q1 Labs Radar

0
Filed under Vendor

Had a wonderful chat with John Burnham and Chris Poulin from Q1 Labs. Their SIEM product certainly seems to be on par with the current generation. The earlier SIEMs were fairly brutal and required a lot of 3rd party help (professional services from the vendor or a specialist consultant) to bring online and maintain. These days you expect to be up and running fast.

One of their design decisions was to create their own database. That saves you a license fee with the big “O”. They have a smaller rulebase than some vendors in the space, but assert the rules are well chosen. At the end of the day the value of a SIEM is the reports that are actionable, not the number of trees you kill creating reports no one reads.

Another one of the decisions they have made is to partner with other vendors. Examples include:

  • Enterasys
  • Juniper
  • Nortel

They also work with channel partners. I think this is important because you have to use a suite of tools; if you are running Juniper equipment, for example, a SIEM that is integrated with Juniper makes a lot of sense.

They say they are willing to put me in touch with a couple of customers. If you are running Q1 and are willing to leave a comment, that would be awesome.

Critical Control 20: Security Skills Assessment and Training to Fill Gaps

0
Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 20 of the 20 Critical Controls and how this can be implemented in an organization.    You can also follow SANS Fellow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 20: Security Skills Assessment and Training to Fill Gaps

Technology moves and evolves at such a fast pace that without a good training plan and motivated self-learners, most IT professionals get left behind after only a short amount of time. For an organization to maintain security, it must afford its personnel the opportunity to enhance their skill set through various training efforts.

Any organization that hopes to be ready to find and respond to attacks effectively owes it to its employees and contractors to find the gaps in their knowledge and to provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved, and can also help determine the proper allocation of limited resources to improve security practices.

Training is the most effective way to increase workforce proficiency, but it is generally the first thing cut during economic challenges. The value added to an organization’s security posture is directly proportional to its willingness to allow its trained personnel to increase their skill set, which in turn increases their ability to identify security risks. Additional benefits include the ability to:

  • Identify and report malicious activity
  • Respond to an incident in accordance to set policies
  • Minimize the impact of an incident
  • Return to normal operation in a more efficient manner

There are a number of training opportunities available to organizations. These range from online webinars to locally hosted classrooms. Most training sessions can be tailored to meet the needs of an organization and the budget available.

Training comes in a variety of packages. Some are relatively inexpensive, while others are very costly for an organization. The organization must identify its critical needs to increase or maintain an excellent security posture and focus on training that meets the task at hand. The primary types of training with the greatest impact are:

  • Specific, incident-based scenarios
  • Lessons learned
  • Trends and methods

Specialized, targeted training gives added benefit to the organization and increases workforce talent.

For additional details on the controls, please go to www.sans.org/cag.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 19: Data Recovery Capability

0
Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 19 of the 20 Critical Controls and how this can be implemented in an organization.    You can also follow SANS Fellow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 19: Data Recovery Capability

Data is one of the most important assets of most organizations. If this is the case, then why is it that most organizations don’t incorporate a good data recovery plan? Without a good plan, “when it’s gone it’s gone” and there is no getting it back. If it’s a major event and the organization loses large amounts of data, then the same can be said for the organization: “When it’s gone it’s gone.”

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers’ presence is discovered, organizations without a trustworthy data recovery capability can have extreme difficulty removing all aspects of the attacker’s presence on the machine.

Data recovery has been an ever-growing field as more companies rely on data. In their eyes, it’s irreplaceable. The primary reasons, but not the only reasons, for data recovery requirements are:

  • Trace evidence of an incident
  • Lost files due to user error
  • Lost files or data due to system malfunction

It has also become more of a challenge to find malicious activity and identify its root cause. Some malicious code starts a process and then deletes itself; identifying and recovering the deleted code then becomes a challenge. With a good backup and recovery procedure in place, an organization can recover regardless of whether the cause is a hardware malfunction or a malicious attack. The goal of data recovery is just that: recover the lost data. It may not be possible to recover all of the data, but the majority is generally enough to resume operations. That’s the goal, to resume operation with the minimum amount of disruption.

Back-up solutions are available in many different forms and different levels. You can choose from a software solution that also requires hardware such as tape drives, tapes, and interfaces to ensure that all of the equipment works together.  Tapes even come in a variety of sizes and storage capacities. Software must be used in conjunction with tape drives to properly back-up and/or restore the data when needed.

Hardware solutions include RAID solutions that require controllers, hard drives, and the ability to configure them. Organizations must determine the best method to utilize RAID for their needs. The biggest issue for most organizations is that all back-up methods require funding and an IT professional to maintain them.

Identifying the level that best meets the needs of the organization and the processes to run it is a challenge.   Depending on the need, an off-site back-up solution may be identified as the best choice. Once proper levels have been identified and established, the overall ability to recover after a significant disaster increases tremendously.   Current best practices identify that information should be stored encrypted. With this said, back-ups are often overlooked and not encrypted.  It’s easy to take back-up software out of the package, install it, and let it do its thing. The problem is that most back-up solutions do not encrypt the back-ups by default. This can be a significant security risk and should be a priority to ensure the back-ups are encrypted.

Ensure that the software or method being used to back-up the data has the ability to encrypt the data as it’s backed up. If not, then this should be addressed and an alternate back-up plan should be reviewed that includes the ability to encrypt the data.
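As an added example (not part of the original post or of the Critical Controls document), the Python script below audits a set of backup archives for two of the problems this control describes: archives that were written without encryption, and restored files that no longer match what was backed up, as happens when an attacker has altered data on the compromised host. The archive names, file contents and the stand-in for encrypted output are all constructed for the demonstration; the header checks use the standard gzip, zip, bzip2, xz and tar magic bytes, plus the `Salted__` prefix that `openssl enc` writes when it encrypts with a password-derived key and a salt.

```python
"""Audit a backup set: flag archives stored unencrypted and restored files that
no longer match the checksums recorded at backup time. Sample data is constructed."""
import gzip
import hashlib
import io
import math
import random
import tarfile
from collections import Counter

# Header bytes of common unencrypted archive formats. tar is checked separately,
# because its "ustar" magic sits at offset 257 rather than at the start.
PLAINTEXT_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}
# Prefix written by `openssl enc` when a salt is used with a password-derived key.
OPENSSL_SALTED = b"Salted__"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random (or properly encrypted) data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_archive(blob: bytes) -> str:
    """Return 'plaintext:<format>', 'encrypted', or 'unknown' from the header bytes."""
    if len(blob) >= 262 and blob[257:262] == b"ustar":
        return "plaintext:tar"
    for magic, name in PLAINTEXT_MAGIC.items():
        if blob.startswith(magic):
            return f"plaintext:{name}"
    if blob.startswith(OPENSSL_SALTED):
        return "encrypted"
    # No recognizable header and near-maximal entropy: treat as ciphertext.
    if shannon_entropy(blob[:4096]) > 7.5:
        return "encrypted"
    return "unknown"


def build_manifest(files: dict) -> dict:
    """Record a SHA-256 digest per file at backup time (store this off-host)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_restore(manifest: dict, restored: dict) -> list:
    """Return the names whose restored bytes are missing or differ from the manifest."""
    bad = []
    for name, digest in manifest.items():
        data = restored.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return sorted(bad)


def audit_backup_set(backups: dict) -> dict:
    """Map each backup archive name to its classification."""
    return {name: classify_archive(blob) for name, blob in backups.items()}


# --- constructed sample data -------------------------------------------------
SOURCE_FILES = {
    "payroll.csv": b"id,name,amount\n1,alice,5000\n2,bob,4800\n",
    "config.ini": b"[db]\nhost=db01\n",
}


def _tar_of(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _pseudo_ciphertext(seed: int, n: int) -> bytes:
    # Seeded stand-in for encrypted output so the sample is reproducible.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


SAMPLE_BACKUPS = {
    "full-monday.tar": _tar_of(SOURCE_FILES),
    "full-tuesday.tar.gz": gzip.compress(_tar_of(SOURCE_FILES)),
    # Shape of `openssl enc` output: header, 8-byte salt, ciphertext (constructed).
    "full-wednesday.tar.enc": OPENSSL_SALTED + bytes(8) + _pseudo_ciphertext(1, 512),
    # Headerless ciphertext from a tool that writes raw cipher output (constructed).
    "full-thursday.bin": _pseudo_ciphertext(2, 4096),
}

MANIFEST = build_manifest(SOURCE_FILES)
# Constructed restore in which one file was altered on the compromised host.
RESTORED_FILES = dict(SOURCE_FILES, **{"payroll.csv": b"id,name,amount\n1,alice,5000\n2,bob,9999\n"})

if __name__ == "__main__":
    for name, verdict in audit_backup_set(SAMPLE_BACKUPS).items():
        print(f"{name:24} {verdict}")
    print("restore mismatches:", verify_restore(MANIFEST, RESTORED_FILES))
```

The header check is a cheap first pass for a backup audit: a recognized plaintext archive magic is a definite finding, while "encrypted" is a heuristic that should be confirmed against the backup tool's own configuration. The manifest must be kept somewhere the backed-up host cannot write to, otherwise an attacker who alters the data can alter the checksums as well.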

Data storage media must be handled and stored to ensure the security of the media. Once the data is saved it must be stored for future use if needed. The sensitivity of the data will directly affect the way the information is stored. If the information is sensitive or classified, does the storage facility meet government regulations for the handling and storage of that type of data? Does it meet your policies?

When identifying the storage locations, a final consideration is climate control and accessibility in the event of an emergency. If the data is of high value and would be needed to recover the operations of the organization, then the location must be in close proximity to the operations center to be recovered.

For additional details on the controls, please go to www.sans.org/cag.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 18: Incident Response Capability

0
Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 18 of the 20 Critical Controls and how this can be implemented in an organization.    You can also follow SANS Fellow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 18: Incident Response Capability

A great deal of damage has been done to organizational reputations and a great deal of information has been lost in organizations that do not have fully effective incident response programs in place.  Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion.  Thus, the attacker may have far higher impact on the target organization, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible with an effective incident response plan. 

If there is an incident and it’s identified as an attack, there are several things that can be done. The worst, of course, is “let’s close our eyes and maybe it will go away”. This happens more often than not. So with that said, there are two ways to approach incident response: reactive and proactive. Either is better than nothing, but if you can set your organization up to incorporate both, you have a plan that will carry you through the worst situations.

A good reactive plan involves policies and training to identify what requires response, what should be done when an incident is identified, and the best course of action to take. A good proactive plan puts in place all of the necessary components for identifying or stopping potential attacks before they can be completed.

Incident response is key when safeguarding data once an incident has occurred. If an incident is identified and personnel identifying it are able to respond appropriately, the ability to safeguard data and recover back to an operational state has increased.  In some cases a properly developed incident response plan can prevent a small incident from becoming a catastrophe.  Incident response is more than a group of people responding to an incident.  A good response team is developed with a strong set of procedures in place to ensure each member knows their role and that the individual who identified the incident also knows the proper reporting procedures.

For any good process to work, management must see the value of having the policies and process. This is a key element towards developing a working response plan.  There are numerous guides and standards that outline response procedures and methods. It is important to know which guidelines your organization falls under and incorporate your own standards that meet or exceed government minimum standards.  A good baseline is the NIST Guidelines. 

Once the standards have been identified, ensure that all team members are aware of their roles and responsibilities.  Conduct training to reinforce the policies and incident response roles for both team members and managers. Executive management should be involved in various aspects of the incident response plan to ensure buy-in and support.

Before an incident response can be initiated there must be set policies that identify what actions must be taken for the different types of incidents. Policies and training will ensure that the proper methodology is followed to ensure a successful outcome to the incident.  Policies should be clear and not left for interpretation by members of the organization or contractors.

When an incident occurs, all aspects of training and policy must be followed. This will ensure a positive outcome.   All reports should be based on an organization-wide template to ensure uniformity. 

The key element of this process is the reporting and documentation of the incident. The documentation can be useful in identifying shortfalls and high points. Documentation will allow for good audit reviews and process improvements as well as protection from legal repercussions due to an incident.

All reports should be clear and concise; they should contain only factual observations and information. A report should not contain information based on conjecture.

For additional details on the controls, please go to www.sans.org/cag.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 17: Penetration Tests and Red Team Exercises

0
Filed under Consensus Audit Guidelines, Information Security Community

Let’s look at control 17 of the 20 Critical Controls and how this can be implemented in an organization.    You can also follow SANS Fellow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.

Critical Control 17: Penetration Tests and Red Team Exercises

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware.  Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control.  Most organizations do not exercise their defenses so they are uncertain about their capabilities and unprepared for identifying and responding to attack.

A red team exercise is guided by what the customer needs or wants, and the Rules of Engagement (ROE) developed for it may differ from exercise to exercise. The end result is still designed to strengthen an organization’s network security. It will assist in the identification of weak areas and highlight the strengths that can be used to establish baselines for the weaker areas. Some possible avenues used to identify security risks are:

  • Scans
  • Social engineering
  • Malware
  • Specialized tools
  • Passive attacks

Each test should have a specific goal, and provide different pertinent information to the customer. Each test by itself will not provide an overall picture of the current security state of the network, but when all the areas are evaluated and put together, you will have a good overall picture of the security posture of the organization’s network.

Red team efforts can identify multiple areas of concern, including:

  • System vulnerabilities
  • Personnel complacency
  • Security monitoring flaws
  • Response procedures

Using the above items, it’s possible to conduct a root cause analysis to help shore up the network.

Each area tested is designed to mimic the actual methods and tools used by a would-be hacker. The assessment team should be skilled and have the ability to identify weaknesses and use them to gain access to the network. This access gives an organization the opportunity to identify weaknesses, gauge response abilities, and correct shortcomings.

The overall goal of an assessment is to ensure the organization is as secure as possible and is prepared for future incidents.

For additional details on the controls, please go to www.sans.org/cag.  Portions of the above are taken from version 2.0 of The Twenty Critical Controls.

You can also follow Dr. Eric Cole on twitter at drericcole or email ecole@secure-anchor.com with any questions.