Vendor risk assessment are not part of everyday corporate managememnt but it should be. If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday.

Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook. As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.”  The biggest companies are culprits.

So what are we do to about buggy software? How do you force a vendor risk assessment on all yoru vendors? Maybe scream “I’m mad as hell and I am not going to take it anymore!”  Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:

1. Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
2. Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
3. Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

 *Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

 *FREE Website Security Test 

Related articles by Zemanta

• Apple vs. Microsoft: Making Platform Enemies and Friends (seekingalpha.com)
• Adobe Reader And Acrobat Get Yet Another Security Update (ghacks.net)
• Microsoft investigates new Internet Explorer flaw (news.cnet.com)
• Google readies Flash for Android devices (infoworld.com)
• IBM: Vulnerabilities fell in ’09, but other risks abound (computerworld.com)
• Update: Adobe issues emergency PDF patches (computerworld.com)
• Serious web vuln found in 8 million Flash files (theregister.co.uk)
• Hold vendors liable for buggy software, group says (computerworld.com)

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

SC magazine just reported that the Ponemon Institute has determined the cost of a data breach is $204 per record. “Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual “Cost of  Data Breach” study released on Monday by the Ponemon Institute…  The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent  in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.” There are a number of ways to protect your data in transit such as PGP Encryption but when the companies looses data, there isnt much the end user can do to protect themselves.

Thats a lot of money. If we look at the data breach of Heartland, which was over 100 million records, that, well let me do the math, may take a minute. Its $20,400,000,000. Thats a lot of money. Condidering I was a shopper mostlikely of Heartland, I do not recall getting a check from anyone for $204. I will not hold my breath for that. We all asked if the retailers like Heartland and TJ Max had a PCI Audit done. Would this have protected our information?

So far, I am pretty sure I recieved a letter offering me free 2 year credit monitoring from Chase, Citibank, Bank of America and Countrywide because thet lost my records. I am waiting for my check for $204 from each of those companies. Also, over the past few years I have had to have my credit cards replaced with Chase, American Express, and several Visa versions. So I am still waiting for those $204 checks. Maybe in total I am owed about 9x$204=$1,836.  That will be a nice check when I get it.

Security Requirements

So what can a company do to help reduce these data breaches? The easy answers, yet not implemented, include:
1) Encryption of back-up data and tapes
2) Conduct yearly Vulnerability Assessments
3) Conduct Quarterly or Monthly Vulnerability Scanning
4) Implement a Data loss prevention solution
5) Go through a PCI Audit or HIPAA Security Assessment yearly

Related articles by Zemanta

• Data breach costs continue to rise (v3.co.uk)
• Survey: Data breaches from malicious attacks doubled last year (news.cnet.com)
• Breach numbers fall while costs rise Ponemon study finds (v3.co.uk)
• Humans Continue To Be ‘Weak Link’ In Data Security (it.slashdot.org)
• Cost of a Data Breach – $204 per record (pindebit.blogspot.com)
• Private Sector Keeps Mum on Cyber Attacks (online.wsj.com)

Regards
Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

According to Bloomberg, “Albert Gonzalez, a 28-year-old Miami resident, and two hackers living “in or near Russia” were indicted yesterday by a federal grand jury in Newark, New Jersey, for stealing data from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group’s Hannaford Brothers Co. and two unidentified national retailers.”

It always amazes me when really smart computer folks insist on hacking from the US. Why not just head down the the Caribbean and hack from there, let likely to get caught.

My question about this is whats the value of regulations such as PCI or HIPAA.  A PCI Security Audit and Hipaa Security policy are supposed to prevent this type of thing when the companies being hacked usually come out after the fact and say they were compliant?

Privacyrights.org has this list of breaches in the month of August alone. I wonder what the compliance or network security audit was like for these companies? I dont suppose there really is a good answer to what to do about compliant companies getting breached. They will just keep giving you a year of free credit monitoring I guess.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Network Solutions, one of the largest domain registrars recently announced a data breach. Malicious code was found on its e-commerce server which may have captured transactions from thousands of websites and capturing half a million or more credit cards. The company said they found the code during a routine check. Since the breach occurred between March 12 and June 8th, how routine was the actual checks? I wonder when their last vulnerability assessment or Information security risk assessment was conducted? Data loss prevention is sorely lacking in just about every industry.

Here is what the company said “At this point, we have no reports or other reasons to believe that any credit card account information has been misused and, under established practice, credit card issuing companies generally will not hold our merchants’ customers liable for any fraudulent purchases made using their credit card account numbers that are reported in a timely way to the issuer,” a statement from the company reads. All these statements around hacker breaches and stolen credit cards read the same.

The process now begins where all the merchants have to be identified, then each merchant has to notify their customers. Their customer then have to work with their banks to stop credit cards, have to get credit monitoring and thus goes the Circle of Life (of data breaches) Here is the list of data breaches in 2009 alone. If you recall the breaches of Heartland Payment Systems and RBS WorldPay, the breachescaused them to be removed from the PCI security audit () list . Well that should be obvious, or should they have been rated compliant int he first place. Known non-compliance might be a better than weak compliance.

The basic question is what was Network Solution not doing to have malicious software installed on key servers? Was it a breach through a web application, was it through malicious email, a browser based attack, some insider who didn’t know enough about security and clicked on the wrong thing? What routine check found it and why wasn’t this check run on a more routine basis, such as weekly or even daily?

At the end of the day, security is a moving target. We can utilize encryption, vulnerability management, application security risk assessment, email filtering, backup and recovery, but all will be useless is we follow poor practices or do not have good procedures in place to take into account the human element. Most breaches are insider problems or mis-configurations or plain old stupidity.

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

When the Heartland data breach happened, it was interesting but the general public didnt find it sexy enough. A ransom note, publicly done makes for good drama. Equate it to the Somali pirates. They really broke in the news because of the weapons they captured. This might be the “weapons” story that gets the general public asking about security of the places they use on the Internet.

Identity theft is on the rise. Most companies never do a web application security assessment. They almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, well your last line of defense can save your hide.

So what are some things you can do to protect your website?

1) Conduct a web application security assessment. You should probably do this twice a year or anytime you make any significant changes to the application.

2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find away around the application and perhaps get to the data through a different port.

3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised

4) Conduct a database security review. Your last line of defense, make sure the data in encrypted, access is completely authenticated and IDS on the database to flag and stop inappropriate access

5) Hire someone smart to do your security assessment.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++++++++++++++

So the employee lost the laptop. Do you blame the employee or the agency for not educating the employee and provide wholedisk encryption? The agency believes that an unencrypted harddrive, but that has a “password” is secure? Well maybe someone should explain computer hacking, windows security, encryption and the concept of intrusion prevention to DHS.

Well you will probably see that laptop on Ebay or in a pawn shop. Some halfway intelligent person who buys it might be able to get to the data. Then what?

Five Steps to Laptop Security 101:

1) Encrypt using wholedisk encryption or at a minimum encrypt your data folders. Try PGP encryption (www.auroraent.com)

2) Patch Management, use automated patch management

3) Firewall, use a managed firewall in a corporate environment or a personal firewall, lots of free ones out there and cheap ones.

4) Hard Disk password, you can protect your drive from even booting with a hard disk password. yes this can be broken and have the manufacturer resetm, but its a pain and the casual person will not know what to do

5) Dont let the government have a laptop.

regards

gary

http://www.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

* Managed Firewall

* Managed Antivirus

* Managed IDS

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Unencrypted laptop with 1 million SSNs stolen from state

SC Magazine Dan Kaplan April 24, 2009

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee.

The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday.

The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency.

“We feel this was not a situation where someone was targeting the agency or that information,” DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. “We feel it was random.”

Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said.

News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.

Interesting that these are the same questions your online back account asks you as challenge questions. How long until some really cool tool gets released by the underground that can scan a Profile, and ctageorize data into all the fields a bank usually asks as a challenge question? (I should trademark the concept)

Stop the madness. That includes all these Blogs! Down with Blogs!

Gary

baha@kraasecurity.com

www.kraasecurity.com

Managed Security Services

++++++++++++++++++++++++++++++++++++++++++

Gartner have published a document (in PDF format) on their analysis and recommendations on the above subject:

Twitter’s recent security issues follow the same arc that many other consumer-grade services have experienced. An innovative idea is quickly turned into a cool Web site that attracts lots of consumer use. Security is, however, not typically part of the cool site’s business model. Hype about the potential businesses use of the new technology quickly leads to malware attacks. After a successful attack, security measures that were not built in are “sprinkled on.”

This pattern will not change anytime soon. There will always be real reliability and security differences between consumer- and business-grade technologies. But there will also be real business benefits to using consumer-grade technologies before they are “business-strength.” Enterprises must consider the cost of integrating or adding security controls to contain the risks of using these technologies before they reach security maturity. Trying to ignore or block them simply will not work.

Recommendations

All enterprises:
Ensure that everyone who accesses enterprise systems is aware of the risks of using consumer-grade technologies such as Twitter.
Update Web security gateways and network intrusion prevention systems to block transmission of the malware used in the Twitter attacks.
Require malware blocking and data loss prevention capabilities in any business plans using Twitter or other consumer-grade technologies
The document can be downloaded from http://www.gartner.com/DisplayDocument?doc…;ref=g_homelink