Incident Preparedness 101

In this day and age, who should be worried about security incidents?   Anyone who uses a computer.  Reports based on investigation after investigation have now been published by vendor after vendor.

Poaching from Keydet89’s blog, remember the first Mission: Impossible movie, where Ethan gets to the top of the safe-house stairs, removes a light bulb, crushes it in his jacket, and then backs into his room as he doles out the broken bits of glass onto the darkened hallway floor? WHAMM-O. He has just installed a basic Intrusion Detection System. Anyone who steps into the now darkened hallway will step on and break the shards of glass, making enough noise to alert Ethan to their presence, because he is listening specifically for that noise.

Brian Krebs makes it pretty clear in his blog that EVERYONE is susceptible to the latest attacks. Read this. I wonder how those dentists feel now about spending $10K or less to set up some kind of basic security protection and monitoring. As an attacker, why take a little at a time from a large enterprise target and risk being caught, when you can nibble away at smaller targets all over the world, and when they run out of money and fold up shop or get wise and implement some controls, move on to the next easy target? If you don’t think that this is an issue, keep an eye on Brian’s and Keydet89’s blogs.

CEOs Resigned To Looming Data Breach

New research indicates that a large majority of CEOs are resigned to the fact that their organisations will suffer a data breach of some type in the coming year. Depressing, but quite likely, considering the changes in malware, exploit developments and the general threat landscape. The IBM-sponsored study carried out by the Ponemon Institute suggests the need for a radical rethink in the way businesses prioritise and plan their IT security strategies.

All of the respondents to the survey said that their companies had seen an attack at least once in the past year, with 77% saying they had endured a data breach at some point.   As a result, 76% of the CEOs said that they now view reducing potential security flaws in their business-critical applications as the single most important aspect of their IT security plan.

InfoSec Magazine

ISACA COBIT 5 Design Exposure Draft

ISACA has released the COBIT 5 Design Exposure (draft) in order to garner comments.  COBIT 5 will be a major strategic improvement providing the next generation of ISACA’s guidance on the enterprise governance of IT.  Building on more than 15 years of practical usage and application of COBIT by many enterprises and users from the business, IT, security and assurance communities, COBIT 5 will be designed to meet the current needs of stakeholders and align with the most up-to-date thinking in enterprise governance and IT management techniques.  It will consolidate and integrate the COBIT 4.1, Val IT 2.0 and Risk IT frameworks and also draw significantly from the Business Model for Information Security (BMIS) and ITAF.  The primary objective of this initial exposure is to obtain input and comment regarding assumption of requirements, the proposed strategic approach and the high-level design.  An online questionnaire is provided to capture specific feedback on certain aspects of the paper, as well as any other comments you may want to provide on the document.

ISACA Download Page

Please provide feedback using the online questionnaire. The comment period will close 12 April 2010.

MS10-018 Released Out Of Cycle

Microsoft has released the patch against the iepeers.dll zero-day vulnerability. This vulnerability is being exploited in the wild, and offers remote code execution by simply viewing a specially crafted webpage. Unfortunately, the patch for this is bundled in with 9 other responsibly disclosed vulnerability fixes. This delays testing and deployment of the one item that needs to be patched NOW, and I really wish Microsoft would stop doing that.

Anyway, get patching. You should not wait around to get this one onto your systems. Desktops are the focus; however, the bundling makes ALL versions of IE and Windows vulnerable. A reboot will be required.

3.3 Million Records Lost After Break-in

A Minnesota company that processes loans for students nationwide has reported a major theft of “personally identifiable information” involving 3.3 million students after a break-in last weekend at its Oakdale headquarters.  No bank account or other financial information was included in the data.

Chief executive Richard Boyle said the theft occurred from a secured location at ECMC and involved portable media containing student loan borrowers’ personally identifiable information.  The media was apparently removed from a safe.

StarTribune

Microsoft Out-Of-Cycle Patch

Microsoft will be releasing an out-of-cycle update on Tuesday, March 30th for Internet Explorer that fixes 9 vulnerabilities, including a zero-day that has been exploited in attacks on IE6 and 7. The zero-day IE vulnerability could allow an attacker to take control of a machine if a user visited a malicious Web site. Users of IE8 and Windows 7 are not vulnerable to that flaw; however, all current versions of Windows are listed as affected by the other vulnerabilities being addressed by the cumulative update. Microsoft’s decision to release rather than wait until April 13th is an indication that attacks against the ‘iepeers’ vulnerability are on the rise.

Security Advisory 981374

Trojan Imitates Update Utility

Email malware that promises security updates from trusted companies is a frequent ruse used by hackers to fool users into downloading their cruft.  Malware authors have begun creating malware that imitates and overwrites software update applications from Adobe and other vendors. 

Nguyen Minh Duc, director of Bkis Security, writes that the recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by using the same icons and version number as the official Adobe update packages.  Variants of the malware also pose as updaters for Java and other software applications.

The Register