podcast, audio, security awareness, streetwise, swiss cheese, hard candy, remote code execution, microsoft security essentials, keylogging, fraud, vulnerability management
  The Streetwise Security Zone Podcast

007 - Swiss Cheese, Hard Candy, Remote Code Execution, Keyloggers Gone Wrong, MS Security Essentials

Monday, November 2nd 2009 @ 12:00 AM


The Streetwise Security Zone Podcast – Episode #7 for November 1, 2009

This Episode's Topics:

1 - Turning Swiss Cheese Into Hard Candy

2 - Remote Code Execution Threats and Associated Vulnerabilities

3 - Microsoft Security Essentials

4 - Case study of keylogging gone wrong

5 - Feedback
 

You can listen to the podcast while viewing this page in The Streetwise Security Zone website by clicking on the "Play" icon in the player widget above, or you can download it by clicking on the "Down Arrow" at the left side of the widget. It's also available through iTunes via the iTunes link in the left hand column in The Streetwise Security Zone Podcast page of the website. 

Turning Swiss Cheese Into Hard Candy

This past week I delivered a keynote presentation to the Ottawa Chapter of the Information Systems Security Association. The analogy I use harkens back to the days – not too long ago – when security professionals would grudgingly endorse a security strategy that used the very technical term – “Hard crunchy outside, soft gooey inside.”

This referred to using firewalls at the perimeter to keep the bad stuff out and the good stuff in. However, due to mobile devices, wireless networks, and the UFBP (HTTP over Port 80), we can’t really say that a hard perimeter alone does an adequate job for security any more.

So, I refer to our situation now as being like Swiss Cheese. But what we really need is Hard Candy – a crystalline structure that is hard to break through. I use this in the context of security awareness, and how it can be used to harden workflows in an organization so that they look like a crystal.

In addition to the direct security benefits of educating people on a process – not just the usual gauntlet of risks and tips – I point out the other “quality-related” benefits of an aware workforce. The process I’m referring to is what I now call the “Streetwise Workflow-based Risk Awareness Process”, or WRAP. This is a process I’m now offering in my training courses, which can be delivered in various formats and durations. I can do intensive 3-hour sessions to start the process off, or a series of shorter sessions followed by a workshop to dig into the various steps in the process. That workshop can lead to some very magical and productive exchanges between management and staff that really do start to change the organization’s culture.

The basic WRAP process follows these steps:

1 – Know the security awareness fundamentals; things everyone should know

2 – Identify your trusted sources of guidance, whether it’s security policies, IT Helpdesks or managers

3 – Identify your information context; what information, where it comes from, where it goes, who it gets delivered to, etc.

4 – Control your information within your context, and keep it separate from unrelated processes (like web surfing)

5 – Collaborate for security and efficiency

Through the learning and repetition of these 5 steps as part of a job performance process, you can change the culture of your organization from that of Swiss Cheese to one of Hard Candy.

If you’d like more information on this process, please contact me at scott@streetwise-security-zone.com or call me at 1-613-693-0997.

Remote Code Execution Threats and Associated Vulnerabilities

If you were to look closely at the ongoing stream of updates from companies like Microsoft, Apple, Adobe, Mozilla and other software suppliers, you’d notice the very technical term “Remote Code Execution” being thrown around very matter-of-factly, as though they were doctors talking about ear infections.

It always bothers me when we start to take serious problems for granted as being “just the way it is” – this is what we have to live with. For IT Security staff, terms like this are very disturbing, but they are heard so often, the people who are supposed to be dealing with them become desensitized to the risks.

You should think of Remote Code Execution as potentially the most serious type of vulnerability you could imagine. Essentially, what it means is that, under the right conditions, an attacker can take over control of your computer from the safety and comfort of their basement.

What these vendors are saying when they announce that a Remote Code Execution vulnerability has been found or fixed, is that the conditions exist in the current version of their product that could allow somebody to take over your computer while you are using their software.

For example, if an Adobe Acrobat RCE bug exists, then it’s possible that a hacker could send an Acrobat (PDF) file to you that causes your system to hand over control to him when you open the file and launch Acrobat. Consequently, any time a piece of software has a “RCE” vulnerability in it, the vendor tends to call the software that is supposed to fix this vulnerability a “Critical Security Patch.”

A patch is simply a quick fix provided by the software vendor; one that wasn’t planned before the vulnerability was found. It’s important for IT operational staff to review and understand the implications of these critical patches. Usually, they will want to deploy them throughout the organization quickly. But there are often other considerations such as whether a patch might have other changes that could affect proper functioning of other software required for the business’s operations.

So, you should make sure your IT staff has a “vulnerability management” process for reviewing all the critical patches from vendors, and planning for their deployment in a way that does not disrupt operations, but provides the quickest possible closure of Remote Code Execution vulnerabilities.

Microsoft Security Essentials

Just a quick note about a new free antivirus product offered by Microsoft called Microsoft Security Essentials. It was really only a matter of time after Microsoft bought an antivirus company a few years ago. People have always said that the operating system vendors need to do a better job of protecting their own software from viruses.

There are a lot of benefits to having the operating system vendor supply antivirus software, not the least of which is its ability to reduce “false positives” and mistaken system file removals. This is not to say that the Microsoft AV offering will be perfect, but it is getting good reviews.

I haven’t tried it yet, but I intend to. Obviously, being a free product (for PCs, but not for servers), this will tend to put pressure on the big anti-virus makers like McAfee and Norton who make a lot of money from the sale of their AV products.

Case Study: Regretful Boyfriend Wishes He Hadn’t Tried to Spy on His Ex-Girlfriend

http://pcworld.about.com/od/securit1/Misdirected-Spyware-Infects-Oh.htm

In this case study, a 38-year-old man in Ohio sent a “keylogging” program to his ex-girlfriend’s email account, so he could secretly find out what she was doing when she was at her computer. He probably told her that the attachment was something that would interest her, so she would click on it.

Although he expected her to open it on her home computer, she ended up running it on her computer at work – at an Akron children’s hospital. As a result, several other employees’ actions and personal records were captured, as well as the medical records of 62 patients.

Needless to say, this is not what he intended to have happen, but the damage was done, and he is facing a penalty of $33,000 for damages.

This is also a good story to use as a case study for hospitals and other organizations that allow computers to be shared among employees. While any organization should be concerned about this kind of malware getting on their computers, it’s especially dangerous in hospitals, for obvious reasons. While no anti-malware solutions are 100% effective at catching keyloggers, it is important to have some good defenses in this area.

As a layered security strategy, which any good Threat and Risk Assessment would try to recommend, it’s also important for systems with patient records to be separate from systems that can access email. This can be achieved through separate computers, separate non-privileged accounts or separate virtual machines (separate simulated operating systems).

Staff should also be educated not to use personal email, or at least not to click on any attachments or links that are not related to business operations while logged into operational systems.

Feedback

I just wanted to thank one of the Streetwise Security Zone Members – Rob Bell – for commenting on my blog post regarding my banking fraud protection mantra – IGNORE, SEPARATE and WATCH.

I was referring to a threatpost.com story which quoted the FBI as stating that $46 Million has been lost by SMBs due to online banking fraud. Because the most common fraud method is to get keyloggers onto your computer, and capture your banking credentials, I recommend the following process:

1) IGNORE SPAM

2) SEPARATE Banking from other activities

3) WATCH your bank account balances, preferably using telephone banking

Rob’s comment was that the second step of separating activities was interesting and helpful.

Thanks for that comment, Rob.

Wrap Up

If you’ve found this podcast to be valuable, please consider joining The Streetwise Security Zone and trying some of my resources. I’m also interested in hearing from you if you have a need for security awareness training, live on-site or via webcast, or if you are looking for a speaker for your next event or company meeting. You can contact me via the quote form available on my website home page.

It's helpful for me to hear how you heard about The Streetwise Security Zone Podcast, what you like about it and how it is helping you; or if it’s not helping you. It doesn’t have to be a positive comment, either. I want to make this podcast useful to as many people as possible, and I value your input.

If you’re not already a member, please join The Streetwise Security Zone at:

http://www.streetwise-security-zone.com/members/streetwise/info/ScottWright-join.html

You can subscribe to this podcast on iTunes at:

http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=298647305


Thanks for listening!

Until next time, Stay Streetwise.

- Scott

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.
