Recommended Readings: Deloitte’s 2006 Global Security Survey
June 27th, 2006
I recommend Deloitte’s fourth annual Global Security Survey, which provides benchmarks for IT security in the financial services industry.
This year’s survey highlights a surge in the number of security attacks, with more than 75 percent of respondents confirming external breaches and almost 50 percent reporting internal breaches. It also reveals that the majority of attacks were motivated by some form of monetary gain, indicating a growing threat from organized crime operations rather than the “nuisance” hackers seen in previous years.
Other findings of this year’s survey include:
* 95 percent of participants have increased their information security budgets since last year
* 72 percent of participants experiencing a breach estimate that it cost their organization greater than US$1 million
* 71 percent of participants indicate that they now have a defined information security governance structure in place
Download the full report here: Deloitte’s 2006 Global Security Survey
Microsoft Chief Executive Steve Ballmer vs. Malware
June 8th, 2006
At a recent Windows Vista reviewers conference, Microsoft Platforms Vice-President Jim Allchin shared a story about Microsoft Chief Executive Steve Ballmer’s experience trying to clean a computer infected with malware.
Steve Ballmer was at a friend’s wedding reception when the bride’s father complained that his PC had slowed to a crawl and asked Steve if he would be able to take a look.
Ballmer spent almost two days trying to rid the PC of worms, viruses, spyware, malware and severe fragmentation without success.
He then took the computer to Microsoft’s headquarters and gave it to a team of engineers who spent several days on the machine, finding it infected with more than 100 pieces of malware, some of which were nearly impossible to eradicate.
“This really opened our eyes to what goes on in the real world,” Allchin told the audience.
If Microsoft’s Chief Executive and a team of Microsoft’s best engineers faced defeat, what chance do ordinary people have of keeping their computers malware-free?
Lessons Learned:
1) Microsoft’s top executives were not really aware of the difficulties regular computer users face when trying to deal with security threats. Only when they came in contact with a “real world” computer did they become aware of the extent of the problem.
Security professionals need to emerge from behind their intrusion detection systems, log reports, automatic vulnerability scanners and honeypots and view these security threats through the eyes of everyday users.
Three researchers from Harvard and Berkeley attempted to do exactly that in order to better understand why phishing attacks are so successful. Rachna Dhamija, J. D. Tygar and Marti Hearst had 22 participants interact with a number of web sites. Some were fake sites created by the team, and some were real. After watching their actions and behaviors, the researchers quizzed the users about the motivations for their actions and behaviors. The results are eye-opening, to say the least. I highly recommend everyone read their results: Why Phishing Works.
2) Recovery solutions are clearly lacking. The standard response to malware infection is now to trash the entire system and perform a completely new installation. In fact, Microsoft is now claiming that recovery from malware is becoming impossible.
Mike Danseglio, Microsoft Program Manager in the Security Solutions group said in a presentation at the InfoSec World Conference that, “When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit.”
“We’ve seen the self-healing malware that actually detects that you’re trying to get rid of it. You remove it, and the next time you look in that directory, it’s sitting there. It can simply reinstall itself,” Danseglio said. He conceded that the cleanup process is “just way too hard.”
“Detection is difficult, and remediation is often impossible.”
Security Vendor vs. Cybercriminal
June 1st, 2006
Shortly after my Security Absurdity article was posted online, we witnessed a remarkable series of events which illustrates quite clearly that cybercriminals are indeed currently winning the battle.
In my article, I mentioned that one of the challenges security professionals face is that cyberspace’s digital battlefield heavily favors the cybercriminal. The freedom, privacy, and anonymity cyberspace offers gives cybercriminals the opportunity and confidence to target victims around the world with little chance of being caught. Spam is so prevalent because the economics of spam are attractive for both the spammers and the companies that pay them to spam.
Anti-spam vendor Blue Security aimed to change all this by rewriting the rules of the game with an unconventional - yet by all measures highly effective - method. Blue Security’s plan was to make cyberspace socially, technically, and legally hostile to cybercriminals. (More on this topic in a future post.)
Blue Security’s approach to reducing unsolicited email is to combine a Do-Not-Email registry with a mechanism that automates and simplifies the user’s process of sending an opt-out email message. Under the US CAN-SPAM Act of 2003, individuals are legally allowed to send an opt-out email, and Blue Security was simply automating this ability. If messages are sent to Blue Security customers in violation of Blue Security’s Do-Not-Email registry, Blue Security identifies the merchant advertised in the messages, issues an initial complaint and tries to resolve the situation. If the initial complaint is not resolved satisfactorily within a ten-day grace period, Blue Security instructs the Blue Frog agent installed on each of its customers’ computers to automatically send an opt-out email message to the merchant responsible for the spam. The fundamental economics of sending unsolicited emails change when this happens, because the sender now has to ensure that they have the resources to handle the flood of legitimate opt-out requests. (More details on Blue Security’s model can be found here.)
Some have inaccurately described the Blue Security model as a DDOS. Sending spam, and hiring individuals to hijack computers in order to build botnets which can then be used to send spam, is illegal. Under CAN-SPAM, individuals are legally allowed to send an opt-out email, and Blue Security was simply automating this ability. The risk with any “strike-back” technology is that the wrong sites and individuals may be hit. Blue Security had a number of safeguards against this, attempting to contact the site and resolve the situation before starting an automated opt-out response. Allowing any individual to launch their own DDOS attack against spam sites at their whim would be dangerous and irresponsible. However, Blue Security had a responsible model with built-in safeguards. And one thing that can’t be argued is that it was successful in reducing the appeal of sending spam. According to Blue Security, 6 out of 10 top spammers were complying with Blue Security’s Do-Not-Email registry.
It was so successful, in fact, that a spammer (or group of spammers) known as PharmaMaster decided to fight back. PharmaMaster instructed his botnet to launch a DDOS attack against Blue Security. The resulting DDOS attack was so severe that it shut down:
- the Blue Security corporate website
- the Blue Security backend system
- Major blog sites Typepad, Typekey and LiveJournal
- Prolexic, the security company that was hired by Blue Security
- Tucows DNS service of the domain
Tucows chief executive Elliot Noss called the attack “by far the largest the company had ever seen” and said that only a handful of companies have the infrastructure in place to withstand such an assault. In cyberspace, a single anti-spam vendor was no match for PharmaMaster. Shortly after the attack began, Blue Security closed up shop.
Lessons Learned:
1) In order to be successful against cybercriminals, we must make cyberspace socially, technically, and legally hostile to them. Blue Security’s model - while unconventional - worked.
2) A small group of spammers was able to easily shut down a number of large web sites which had considerable DDOS defenses already in place. They were able to do this without detection and without repercussions. The fact that these cybercriminals have this much control over cyberspace should be of great concern to everyone.
3) A single anti-spam vendor was no match for the resources that cybercriminals have. That is why any effort to stop cybercriminals must rely on industry- and community-wide initiatives and support.
Todd Underwood, chief of operations and security for Renesys Corp., a company that monitors Internet connectivity, remarked that this event was, “extremely unfortunate, because it shows how much the spammers are winning this battle.”
Security Vendor vs. Cybercriminal.
Result: Technical Knock Out.
…and it wasn’t even close.
Security Absurdity.
May 8th, 2006
They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to clamber out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite placidly. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray - yet we tolerate it since we are used to it.
It is time to admit what many security professionals already know: We, as security professionals, are drastically failing ourselves, our community, and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect.
The ramifications of our failure are immense. The success of the Internet and the global economy relies on trust and security. Billions of dollars of ecommerce opportunities are being lost due to inadequate security. A recent survey of U.S. adults revealed that three times as many respondents believed they were more likely to be victimized in an online attack than in a physical crime. A recent Gartner survey indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. People are simply losing trust in the internet.
The security community is not just failing in one specific way - it is failing across multiple categories.
It is being out-innovated.
It is losing the digital battle over cyberspace.
Click here to read the full article.