Rotman – Telus Release Joint Study on Canadian IT Security Practices

Canada is a distinct market, significantly different from the US, with a very different regulatory climate, yet subject to many of the same threats and risks.  With the threat landscape rapidly evolving, Canadian organizations are finding it difficult to maintain their security posture, especially amidst current financial challenges.  In 2009, top performers overcame these difficulties by:

  • Managing a complete breach life-cycle, ensuring detection and remediation improvements are accompanied by prevention improvements.
  • Developing flexible security programs with strong core capabilities and the ability to adjust to a rapidly changing threat environment.
  • Increasing focus on education and awareness across IT and other employees to ensure risks and responsibilities are understood by all.
  • Balancing technology spend with staffing to ensure that lack of resources does not impede deploying and using needed technologies.

Key Findings

  • Breaches and annual costs are up while per-breach costs are down
  • Canada is catching up to the US in terms of breaches
  • Most breaches led by unauthorized access by employees
    • Insider breaches almost doubled in 2009, now comparable to US rates
  • Disclosure or loss of customer data remain the top issues
  • Organizations cite damage to brand as biggest breach concern
  • Growing threats have rendered most security budgets inadequate
  • The average security budget was 7% of the IT budget
  • Top performing respondents spent at least 10% of their IT budget on IT security
  • Organizations rewarding formal education more than certifications
  • 46% of respondents earned more than $100,000
  • High-performing security programs have strong governance and focus on education
    • Business metrics substantially increased the perceived value of security
  • On-shore security outsourcing increases
    • Privacy concerns favor Canadian service providers
    • Publicly traded companies outsource to the best-value provider regardless of location
  • Application security practices not keeping up with evolving threats
    • More than half of respondents consider security in their development lifecycle
    • Focus in Canada is predominantly towards after-the-fact security, rather than “build it secure.”
  • Cloud security concerns similar to classic outsourcing
  • Technology investments focus on fighting malware
    • Organizations favor protecting applications versus fixing them

Highly recommended reading.  Download a copy of the Executive Briefing and the Full Report for FREE!  –  Compare your own security posture to over 600 study participants at Telus.com/securitystudy

RAM Scrapers

A new flavor of malware is aimed at grabbing valuable data from the memory of point-of-sale systems.  The Verizon Business Data Breach Investigations Report has included RAM scrapers in its recent list of top data breach attack vectors, prompting discussion about how much of a threat they pose.

A RAM scraper is identified in the report as a piece of customized malware created to grab credit card, PIN, and other confidential information out of a system’s volatile random access memory. The RAM-scraping breaches in Verizon’s report occurred in point-of-sale (POS) servers. RAM scraping is not really new, but Verizon flagged the emergent threat trend in POS devices as a tactical change.

The data in RAM is often easier to grab than at the card reader or off the computer’s hard disk.  PCI DSS requires that stored cardholder data be protected and that it be encrypted in transit over open networks, but the data has to be decrypted to be processed, and the cleartext can remain resident in the POS device’s RAM for some time.  That is where the malware strikes: it captures only the strings that look like card data (PANs and magnetic-stripe track data) rather than dumping memory in bulk, which keeps its footprint small and reduces the likelihood of detection.
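The targeted capture described above, and the "test data persistence in memory" advice in the hardening tips below, both come down to recognising card data by its shape.  The Python below is an added example, not code from the Verizon report or from any real scraper: it scans a constructed byte buffer standing in for a POS process memory image, matches ISO 7813 Track 2 records and bare PANs, and uses the Luhn check to throw away digit runs (invoice numbers, timestamps) that are not card numbers.  The sample buffer, its layout and the numbers in it are all made up for the example.

```python
import re
from dataclasses import dataclass

# ISO 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare PAN: 13-19 digits with no digit on either side
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit test; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - ord("0")
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    offset: int        # byte offset in the scanned buffer
    kind: str          # "track2" or "pan"
    masked_pan: str    # first six and last four digits only
    expiry: str = ""   # YYMM, Track 2 records only


def mask(pan: bytes) -> str:
    p = pan.decode("ascii")
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def scan_memory(buf: bytes) -> list:
    """Return card-data findings in buf.

    This is the shape of the lookup a scraper performs, and equally what a
    defender runs over a memory image to measure how long cleartext card data
    really persists after a transaction.
    """
    findings = []
    claimed = set()                 # offsets already reported as part of a Track 2 record
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            findings.append(Finding(m.start(), "track2", mask(m.group(1)),
                                    m.group(2).decode("ascii")))
            claimed.update(range(m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if m.start() not in claimed and luhn_ok(m.group(1)):
            findings.append(Finding(m.start(), "pan", mask(m.group(1))))
    return sorted(findings, key=lambda f: f.offset)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a POS process memory image (not real data)."""
    return (
        b"\x00" * 64
        + b"INVOICE 1234567890123456 TOTAL 19.99"       # 16 digits, fails Luhn
        + b"\x90\x90\x90"
        + b";4012888888881881=25121011234567890?"       # Track 2 left behind by the reader
        + b"\x00" * 32
        + b"PAN=4111111111111111;EXP=1225"              # bare PAN inside an app structure
        + b"\xff" * 16
        + b"9876543210"                                 # too short to be a PAN
    )


if __name__ == "__main__":
    for f in scan_memory(build_sample_dump()):
        print(f"offset {f.offset:5d}  {f.kind:6s}  {f.masked_pan}  {f.expiry}")
```

Run against a real process dump (for example one produced with a debugger or a memory-acquisition tool) rather than the constructed buffer, and the offsets tell you which process, and which allocation, is still holding cleartext card data long after the authorization completed.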

One of the incidents Verizon Business’s RISK Team investigated came to light only because of a spike in credit card fraud reports traced back to a casino; the RAM scraper itself was never detected on the server.  The scraper wrote the captured card data to a file named dumper.dll in a Windows system subdirectory, where it sat until the attackers retrieved it through their backdoor.

POS RAM scrapers enter systems that are either insufficiently protected, such as those that still use default credentials, or that get compromised through trusted partners, according to the Verizon report.  RAM scrapers are typically a secondary infection agent, most often installed after a system has already been compromised by some other primary attack method.  Backdoor access and command-and-control agents are common features of RAM scraper attacks.  Because this malware is typically customized for each attack, its signatures are less likely to be recognized by antivirus software.

The best way to detect a RAM scraper is through regular network traffic monitoring, critical file monitoring and log analysis. Here are 10 tips for protecting against malware in general and RAM scraping in particular, gleaned from the report:

  1. Make use of hardware AND software firewalls.
  2. Install and maintain antivirus software.
  3. Perform regular system maintenance, patching, logging, and complete reviews of POS systems.
  4. Regularly confirm the integrity of your intrusion detection systems.
  5. Monitor file integrity.  Scraper components often masquerade as, or attach themselves to, legitimate processes and system files.
  6. Monitor disk activity and watch out for file-creation in system and temporary subfolders.
  7. There is absolutely no excuse for default credentials on ANY computer, much less systems that process financial transactions.
  8. Bear in mind that end-to-end encryption doesn’t always include the clear-data processes happening at the end-points.
  9. Deny, if possible, admin-level credentials to POS and POS support vendors and reset vendor credentials and settings.
  10. Minimize and test data persistence in memory. Just because the specs say data persists for a millisecond doesn’t make it true.
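Tips 5 and 6 (file-integrity monitoring and watching for file creation in system and temporary folders) are straightforward to put into practice.  The Python below is an added example, not a tool from the Verizon report: it takes a SHA-256 baseline of a directory tree, diffs a later snapshot against it, and raises an alert for anything new or changed under configured system/temp prefixes.  The prefixes, the directory layout and the planted file names (including a dumper.dll, echoing the casino case above) are all constructed for the demo and would be replaced with the real paths on the POS image.

```python
import hashlib
import os
import tempfile

# Hypothetical watch list: paths (relative to the monitored root, lower-case,
# '/'-separated) where a new or changed file is the highest-signal event.
WATCHED_PREFIXES = ("windows/system32/", "windows/temp/", "temp/")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes between a baseline snapshot and a later one."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def alerts(changes: dict, watched=WATCHED_PREFIXES) -> list:
    """New or modified files inside the watched system/temp folders."""
    return [(kind, path)
            for kind in ("added", "modified")
            for path in changes[kind]
            if path.lower().startswith(watched)]


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> tuple:
    """Build a constructed POS file tree, baseline it, plant changes, re-scan."""
    root = tempfile.mkdtemp(prefix="pos-fim-")
    _write(root, "pos/pos.exe", b"legitimate POS binary (constructed)")
    _write(root, "windows/system32/kernel32.dll", b"system file (constructed)")
    baseline = snapshot(root)

    # Simulated compromise: a dump file appears in the system folder and the
    # POS binary is tampered with.
    _write(root, "windows/system32/dumper.dll", b"captured card data (constructed)")
    _write(root, "pos/pos.exe", b"patched POS binary (constructed)")
    changes = diff_snapshots(baseline, snapshot(root))
    return changes, alerts(changes)


if __name__ == "__main__":
    changes, hits = demo()
    for kind, paths in changes.items():
        print(f"{kind:9s} {paths}")
    for kind, path in hits:
        print(f"ALERT: {kind} in watched folder: {path}")
```

In production the baseline is stored off the POS host (an attacker with a backdoor can otherwise rewrite it along with the file), and the scan runs on a schedule so that a new file in a system or temp folder is noticed in hours rather than, as in the casino case, after the fraud reports arrive.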

While Verizon found POS systems to be at risk of RAM scraping in their report, the technique also lends itself to use against other systems’ volatile memory.  You may be surprised at how much data is sitting in the RAM of your network printers, for instance…

Secure USB Flaw Exposed

A flaw in USB vendor SanDisk’s secure USB technology is leaving multiple devices vulnerable to attack, and has led to the recall and patching of multiple vendors’ secure USB drive products.  The flaw resides in the password-handling process of the encrypted USB keys. 

SanDisk has issued a security alert and updates for multiple Cruzer Enterprise models that fix the bug in the access-control features.  SanDisk emphasized in its alert that the flaw was not in the device hardware or firmware, but in the application that runs on the host system.

Kingston Technologies, which uses SanDisk software in its products, has recalled 3 of its secure USB drives, warning customers in its notice that data on the encrypted drives could be accessed by seasoned attackers with local access and a specialized tool. Kingston recommends the drives be physically returned for updates, although it is also reported to be working on a downloadable patch.

Verbatim, which also uses SanDisk technology, has issued an update alert on some of its USB products, as well.

The vulnerability, discovered by researchers at the German penetration testing firm SySS, gives access to the data on the drives by exploiting the way the host software handles passwords.  The password is verified by the application running on the computer, not by the drive; once that check passes, the application sends the drive the same fixed unlock sequence regardless of which password was set.  A tool that patches out the check, or simply replays that sequence, therefore opens the drive without knowing the password.  Competing vendor IronKey argues that its devices, which perform the password check in dedicated hardware on the drive itself, are the right design.
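The difference between the two designs is easiest to see in code.  The Python below is an added simulation, not SanDisk’s, Kingston’s, IronKey’s or SySS’s code, and the constant, class names and sample password in it are made up.  Design A validates the password in host software and then sends the drive one fixed unlock sequence, so a local tool that skips the check and replays the constant unlocks the drive with no password at all.  Design B makes the drive itself verify a salted PBKDF2 verifier, unwrap the data key and enforce a retry limit, so there is no host-side check to patch and no fixed sequence to replay.

```python
import hashlib
import hmac
import os

# Constructed simulation of the two trust models; not any vendor's code.

# ---------- Design A: host software verifies, drive trusts a fixed token ----------

# Hypothetical constant baked into the host application and identical for every
# drive. Whoever extracts or replays it needs no password at all.
FIXED_UNLOCK = b"example-fixed-unlock-sequence"


class WeakDrive:
    """Releases its data key to anyone presenting FIXED_UNLOCK."""

    def __init__(self, data_key: bytes):
        self._data_key = data_key

    def unlock(self, token: bytes):
        return self._data_key if hmac.compare_digest(token, FIXED_UNLOCK) else None


class WeakHostApp:
    """Checks the password on the host, then sends the constant to the drive."""

    def __init__(self, password: bytes):
        self._pw_hash = hashlib.sha256(password).digest()

    def unlock(self, drive: WeakDrive, password: bytes):
        if not hmac.compare_digest(hashlib.sha256(password).digest(), self._pw_hash):
            return None                       # the only check, and it runs on the host
        return drive.unlock(FIXED_UNLOCK)     # the drive never sees the password


def replay_attack(drive: WeakDrive):
    """Attacker with local access skips the host check and sends the constant."""
    return drive.unlock(FIXED_UNLOCK)


# ---------- Design B: the drive verifies; nothing fixed to replay ----------

def _kdf(password: bytes, salt: bytes) -> bytes:
    # 64 bytes: first half keys the verifier, second half wraps the data key.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HardenedDrive:
    """Stores only salt, verifier and wrapped key; enforces the retry limit itself."""

    def __init__(self, password: bytes, data_key: bytes, max_tries: int = 10):
        if len(data_key) != 32:
            raise ValueError("data_key must be 32 bytes")
        self._salt = os.urandom(16)
        derived = _kdf(password, self._salt)
        self._verifier = hmac.new(derived[:32], b"verify", "sha256").digest()
        self._wrapped_key = _xor(derived[32:], data_key)
        self._max_tries = max_tries
        self._tries_left = max_tries

    def unlock(self, password: bytes):
        if self._tries_left == 0:
            return None                       # locked; real devices wipe the key here
        derived = _kdf(password, self._salt)
        check = hmac.new(derived[:32], b"verify", "sha256").digest()
        if not hmac.compare_digest(check, self._verifier):
            self._tries_left -= 1
            return None
        self._tries_left = self._max_tries
        return _xor(derived[32:], self._wrapped_key)


def hardened_host_unlock(drive: HardenedDrive, password: bytes):
    """The host only forwards the password; there is no check to patch around."""
    return drive.unlock(password)


if __name__ == "__main__":
    key = os.urandom(32)
    weak = WeakDrive(key)
    print("A: legitimate unlock  ->", WeakHostApp(b"correct horse").unlock(weak, b"correct horse") == key)
    print("A: replay, no password ->", replay_attack(weak) == key)
    hard = HardenedDrive(b"correct horse", key)
    print("B: legitimate unlock  ->", hardened_host_unlock(hard, b"correct horse") == key)
    print("B: replay of constant  ->", hard.unlock(FIXED_UNLOCK) == key)
```

Design B still trusts the host with the typed password (a keylogger on the PC defeats it), but it removes the two things SySS exploited: a verification step that lives in patchable software, and a drive that accepts one sequence from anyone who can send it.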

Vulnerability finds in secure USB drives have been rare, with the biggest threat to these devices historically being malware contamination.  Some say this newly discovered password-handling flaw is only the tip of the iceberg when it comes to potential bugs in secure USBs that rely on software controls.  Software-based password validation leaves the door open for trouble, because software running on an untrusted host can be debugged, patched or replayed by whoever controls that host.

Affected Devices:

  • SanDisk Cruzer Enterprise USB flash drive CZ22 & CZ32
  • SanDisk Cruzer Enterprise with McAfee USB flash drive CZ38
  • SanDisk Cruzer Enterprise FIPS Edition with McAfee USB flash drive CZ46
  • Kingston Technologies DataTraveler BlackBox
  • Kingston Technologies DataTraveler Secure - Privacy Edition
  • Kingston Technologies DataTraveler Elite - Privacy Edition