June 2013 Newsletter

Check out our latest Securus newsletter to see what’s been happening in the security sphere. From mandatory disclosure of data breaches, to vulnerability management, a review of penetration testing to changes in the PCI standards, in this issue, there is something of interest for everyone!

http://createsend.com/t/j-A842B2EA4BEC2ADB

Attack code released following IE security update

A new Internet Explorer security update, released by Microsoft on June 12, is already being exploited by cyber criminals.

Malware tracking blog Contagio posted a download of the exploit source code and a video of the exploit in action on computer security tool Metasploit on June 15.

Technology website AllThingsD is reporting that this exploit could potentially allow cybercriminals to perform mass malware attacks.

“The vulnerability (CVE-2012-1875) is a remote code execution flaw in the way that Internet Explorer accesses an object that has been deleted,” wrote online security expert Ryan Naraine on June 18.

“The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”

When Microsoft released the initial security update, it warned users that exploit codes could be available within 30 days.

Modern cyber criminals have access to highly advanced techniques and technology with which to locate any vulnerabilities or access points in even the most state-of-the-art systems.

That is why it is important to assess security protocols regularly and thoroughly to ensure private information is secure.

A red cell evaluation is one of the best ways to locate any potential flaws in your security system.

Red cell teams are highly trained in ethical hacking and are able to utilise a variety of common and unusual penetration techniques in order to fully simulate a potential attack.

Vulnerability management vital in battle against online threats

It’s no secret that businesses need to take measures to protect their essential data on a regular basis – ever-changing cyber threats mean that security processes also need to evolve.

When it comes to monitoring an organisation’s security, it’s important to consider the various option – internal reviews, third-party testing, or a combination of the two.

Often, internal reviews on their own can be inefficient – which is why an impartial assessment can be a useful measure of how effective security measures are.

This provides a thorough breakdown of strengths and weaknesses – a team of highly trained experts can seek out and identify the most common flaws in security systems, as well as locating out-of-the-box problems which may not occur to those without specific industry knowledge.

Once those vulnerabilities are assessed, it is then essential to evaluate how any potential weaknesses affect the security of your business.

A good risk assessment will address any changes that need to be implemented, schedule further evaluation for future dates when security could again become compromised, and plan for the future.

Internet and computer technology is constantly evolving, with new software designs and systems emerging on a regular basis. Businesses who allow their vulnerability management systems to stagnate are potentially putting themselves at risk.

Not having complete security measures in place can have a range of consequences, ranging from simple lapses in security which make confidential documents available to unqualified employees to creating backdoors that are susceptible to cybercrime.

Many people still don’t understand the importance of internet security

Recent security breaches in major websites like Linkedin, eHarmony and LastFM have given us a timely reminder of the importance of having strong internet security practices in place.

Despite this, many people still show an alarming apathy for internet security and will often choose convenience over safety when it comes to securing their private information.

Last year, IT security consultant Mark Burnett set out to find the worst (AKA most common) passwords in the world by comparing 6,000,000 publicly available username/password combinations.

The word ‘Password’ was ranked first, while QWERTY took fourth place. Embarrassingly, the remaining top six were all an ascending series of numbers starting with one.

According to Burnett’s study, 91 per cent of users employ a password from the list of top 1000 selections.

This is concerning as obviously the more commonly used a password is, the easier it is to hack. Essentially anyone looking to crack into private information can access the majority of accounts simply by trying usernames in combination with those 1000 passwords.

Burnett recently posted a blog entry confirming that 93 per cent of the Linkedin passwords leaked earlier this month were present in his top 1000 list.

This is despite the fact that many security firms have encouraged people to select secure and unpredictable passwords in order to prevent hackers gaining unauthorised access.

While there are unlikely to be many businesses out there with the password ‘123456’, the findings are still an indication of a lack of public awareness for the importance of good security protocols.

Anyone concerned that their procedures may not be up to scratch should consider a due diligence assessment in order to stay on top of the latest technological developments.

By undertaking a due diligence assessment, businesses receive a thorough evaluation of the strengths and vulnerabilities in their online security systems and can make any necessary adjustments required to reduce the risk of unwanted access.

Well informed staff members assist vulnerability management

Forward thinking employers take the security of information assets as seriously as they do the protection of their commercial property and their staff members.

This is because – like other more tangible resources – the data collected and stored by a firm offers a range of value-adding opportunities that are unique to the business concerned.

Understandably this makes the collection and analysis of information from a range of sources a sound investment in future development – allowing managers to gain insight into market patterns and buyer behaviour that might otherwise slip by unnoticed.

Anonymous trend data in itself can seem fairly innocuous – after all, there are no names attached and the details used will be of little use to anyone outside the industry.

However, the proprietary nature of this information – or rather the planning resources it can provide – mean that it can be a target for malicious parties looking to disrupt the organization’s developmental capacities.

When these resources are combined with client details, account numbers or contact channels, the threat posed by the loss or misappropriation of these data stores grows even more.

This is because such attentions hurt not only the planning activities normally undertaken by managers but also have the power to damage the company’s hard won reputation.

Moreover, should the details be made freely available there is a very real chance that valued customers and clients could become the unwilling targets of endless spam campaigns and social engineering attempts.

This is why it is a good idea for managers to ensure that staff members are well informed of the role they play in actively enforcing vulnerability management.

Professional security audits can go a long way towards ensuring that employees are aware of how their behaviour and routines can be tightened to ensure that breaches are less likely to occur.

In addition these professional teams are able to offer sound advice on measures that can be used to restrict unauthorised access should a gap in the defences become known – reducing the potential for damage to brand image.

When combined with other strategic moves – such as training sessions and proactive feedback initiatives – businesses are able to keep staff members informed of the role they play in managing data security while also allowing workers to contribute to the safety of proprietary information.

This engagement is perhaps the greatest measure of employee commitment – as they feel like a valuable part of a team that is working together, rather than viewing due diligence as a chore to be avoided.

Security patches assist enterprise vulnerability management tasks

Keeping on top of security patches can form a large part of an organisation’s vulnerability management activities, depending on the degree of sophistication of the systems involved.

For firms that rely heavily on Microsoft infrastructure, May 8 is likely to be a busy time for information officers as there are a number of crucial updates that will be made available.

Known colloquially as ‘Patch Tuesday’ the date coincides with the time of months when the software giant releases its range of security fixes to newly discovered vulnerabilities.

This latest issue will help to provide cover for a range of popular programs including Microsoft Office, Windows, the .NET Framework and Silverlight – all of which enjoy common usage throughout commercial, governmental and third-sector organisations.

For information technology officers, the challenge will be to ensure that their infrastructure receives the best possible results from the security updates – while the installation does not affect the smooth running of the business’ various operations.

One of the biggest problems facing staff members tasked with patch deployment is the time taken to backup proprietary information before the patches are deployed, followed by systems testing to ensure the additions do not interfere with customised settings and macros.

Cybercrime progression requires intelligent security audits

As with any criminal undertaking, if there is a measurable profit available to malicious parties they are likely to spend more time on perfecting their skills.

Data theft and other cybercrimes are becoming much more organised as the practices and procedures required to gain access to sensitive information becomes more complex.

This is because the vulnerability management activities performed by professional security managers forces malicious parties to rethink their strategies – slowing them in their tracks.

However, over time and through collaboration, online criminals are able to develop new and innovative approaches to discover penetration avenues.

Of course, this in turn forces the hand of security experts to review and upgrade their defences yet again – or face the consequences that come with complacency.

In short, managing vulnerabilities requires careful use of resources in order to ensure that the constant cycle of penetration attempts and security upgrades does not become the digital equivalent of an arms race.

This is because the cost of protecting information assets should reflect their potential value to both the company concerned and its stakeholders.

Making valuable data out of reach of malicious parties effectively puts an end to what could otherwise be an expensive cycle – with careful planning and regular review, the costs soon become an investment in security rather than a drain on resources.

Australian vulnerability management agencies considering new legislation

The Australian government is considering its options in relation to the communications monitoring powers held by the Australian Security Intelligence Organisation (ASIO).

In particular, the federal body is reviewing public sentiment on a number of proposals that could force internet service providers (ISP) to retain user details for up to two years.

However, it has been decided that the data retention scheme will be put forward for public debate before it is entered into legislation.

According to Chris Owen – spokesman for the federal attorney-general Nicola Roxon – a review will be held by a parliamentary joint committee to determine how the laws will be put into effect.

Mr Owen told SC Magazine on May 4: “We haven’t drafted legislation yet and we are seeking a wide view of opinion before we consider the reforms in detail.”

This move is being made nearly two years after discussions between intelligence authorities and ISPs regarding data retention, vulnerability management and the use of federal warrants.

Current plans will see the number of agencies that are able to access potentially sensitive user information reduced over time.

However, greater information-sharing protocols will see more exchanged between authorities more freely than in previous years – enabling the use of a single warrant to be used across multiple organisations.

How thinking outside the box helps to manage vulnerabilities

As the number of interactions between organisations and stakeholders is enabled by advances in technologies, the amount of information retained by many businesses is bound to increase.

The opportunities available to companies engaging in this kind of activity are enormous – intensive analysis of so-called ‘big data’ collections can lead to advances in product and service offerings, as well as enhancements to a range of corporate communications.However, this information is still valuable to other parties without further treatment, meaning that firms need to be prepared to look after their investment.

Vulnerability management is not a simple process that requires a basic stop-gap approach – it is more of a cycle that involves a number of steps.

After deciding on the security state preferred by the company, the firm needs to compare this to the measures currently in place.

This activity requires a fair bit of innovation and out-of-the-box thinking in order to develop viable scenarios where the company would be in danger of losing control over its proprietary data, as these penetration avenues may not always be immediately obvious.

By keeping an open mind on the subject of vulnerability management – or making use of professional testers – a firm is able to identify the gaps well in advance and can act to stop a threat becoming a reality

IT developments to factor in security audits

A new survey from Gartner has shown that 2012 may be set to become the year of cautious IT behaviour, as companies face economically turbulent market conditions.

For many chief executive officers (CEO), the uncertain financial situation presented by their competitors and stakeholders presents a powerful argument towards investing in new developments.

Gartner's survey of over 220 CEOs published on April 16 found that – while fiscal responsibility and cost control had grown in priority – IT investment was to grow over the remainder of the year.

Vice president at Gartner Jorge Lopez explained that the drive to produce additional value from technology investment was "comparatively healthy".

Mr Lopez asserted: "The newer trends, such as mobile and cloud, are rising to the foreground of CEOs attention.

"However, CRM remains CEOs' favourite IT capability because marketing is a never-ending competitive quest for customer retention."

While the value generated from effective use of data mining and long-term relationship management activities, due diligence demands that the level of online security needs to reflect the value represented by the material kept on hand.

Ideally, vulnerability management measures should be an integral part of the planning process – with the costs and benefits factored into additional IT project planning.