Windows systems are harder to hack than portrayed?

Tuesday, May 31, 2011


I came across this article and I would completely agree with what the author has written. Windows, if hardened and patched properly and paired with some user awareness, can reduce the chances of break-ins drastically.

Over the past few weeks, I've been putting together test hacking scenarios for a customer. They wanted to see copies of the RSA attack [1], the Google attack [2], advanced persistent threat (APT) [3] simulations, social engineered Trojans, worms, remote buffer overflows, and more. The objective: to test what they could do to prevent all of those assaults on their predominately Microsoft Windows environment.

I put the customer's environment through its paces, and as expected, it was great fun. It certainly beats filling out paperwork and reading security policies. But something unexpected happened along the way, although I shouldn't have been surprised as I am a full-time principal security architect at Microsoft: I found that Windows 7 and other Microsoft programs were significantly harder to hack than most anyone would believe. It was difficult to perform almost any hack without disabling multiple default defenses and ignoring one or more additional warnings.

Now, many readers will paint me as a shill for Microsoft, but if you don't believe me, try it yourself. Until then, please don't waste my time and yours reading me the Riot Act diatribe. I've walked the walk, and the results were surprising.

For example, simulating the RSA and Google attacks only worked if I was using software many years old; neither of them worked if I was using Microsoft software built in the past three to four years. In the RSA attack, employees were sent a spam email claiming to be a recruitment list. It contained an Excel spreadsheet with a link that opened a malicious zero-day Flash file (containing vulnerability CVE-2011-0609 [7]). The zero-day vulnerability could grant a hacker remote access, and the rest would be history.

First, as with the real attack on RSA, all spam emails were caught and placed in spam folders. Thus, employees had to first leap that small hurdle, which they willingly did. When the Excel file was opened in almost any version of Microsoft Office made in the past 10 years, the user was given a warning that the file contains a macro or script and, depending on the version, a link to an external file. The user was warned that the file may contain a malicious item. A user would have to ignore all of that to even give the malware a chance to launch. Microsoft Office 2010 opened the file in its new Protection Mode, which automatically disables the malicious code, by default.

In order to get the exploit to work, I had to disable most of the protections that Office gives, or I had to act -- as is very reasonable -- like an employee who ignores multiple warnings on purpose. In nearly every exploit, I had to disable User Account Control (UAC) and Data Execution Prevention (DEP) in Windows, Office, and Internet Explorer. Most of the exploits did not work with Internet Explorer 7 or 8.

Even when I disabled all the memory protections, application protections, and so on, warnings continued to pop up. I've always known that a fully patched Windows system was a tough opponent, but I'm here to tell you it's much more resilient than it used to be.

It's not just my lack of leet skillz. I worked with several vulnerability testing vendors, and they all grudgingly agreed it's difficult to hack Windows these days.
Microsoft's own Security Intelligence reports [8] say the same thing: The latest versions of Microsoft Windows are harder to hack than their predecessors (see page four of the Key Findings Summary [9]). To be honest, I never trust those sorts of self-serving statements. But having done the tests myself, I'm a converted believer: The software is getting harder and harder to break.

This is not to say that Microsoft software is impossible to hack. Of course not. Further, zero-day exploits are appearing more frequently, and nearly everyone continues to have unpatched software. But it's more obvious than ever that the biggest threat to any environment is the end-user [10]. Users installing socially engineered Trojans have long been the No. 1 vulnerability in today's computer security policy.

Even the Mac Defender scareware problem [11] affecting Mac users wouldn't be a huge problem if people simply didn't install questionable items. In the course of a given year, a normal installation of OS X will have hundreds of vulnerabilities patched. But none of those matter in this instance.

Software and antimalware vendors need to do a better job of preventing users from shooting themselves in the foot. Internet Explorer 9's improved Smartscreen Filter feature is a fantastic step in the right direction, and I assume other browsers have followed suit or will do so in the near future. Smartscreen Filter has an Application Reputation feature that works fairly well. It looks at files being downloaded; for those that are recognized as popular and legitimate, it removes additional warnings (if so configured). If it finds a high-risk application, it warns the user.

This is a great service, as Microsoft is detecting [12] that one in every 14 Internet downloads is malicious. Better yet, 90 percent of users who get a warning from IE9 don't run those high-risk programs. I had to turn off IE9's Smartscreen Filter feature to get any of the exploits to work.
The list of computer defenses I had to disable to get a working exploit demo numbered more than 10, and that, my friends, is progress. [infoworld]
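A read-only PowerShell audit of the default defenses the article names (UAC, DEP, Office 2010 Protected View for Excel, and the IE9 SmartScreen Filter), added here as an example and not code from the article or from Microsoft; the Office and Internet Explorer registry paths are assumptions based on the Office 2010 and IE9 policy settings and should be verified on your own build.

```powershell
# Added example: report which of the article's default defenses are still on.
# The Office Protected View and IE SmartScreen registry paths below are
# assumptions taken from the Office 2010 / IE9 policy settings; verify them.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: report as unverified
}

$findings = @()

# 1. User Account Control: EnableLUA = 1 means UAC is enabled.
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$findings += New-Object PSObject -Property @{
    Control = 'UAC (EnableLUA)'; Value = $lua; Ok = ($lua -eq 1)
}

# 2. Data Execution Prevention policy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
$dep = (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$findings += New-Object PSObject -Property @{
    Control = 'DEP policy'; Value = $dep; Ok = ($dep -ne 0)
}

# 3. Office 2010 Protected View for Excel (the article's malicious spreadsheet case).
#    A DWORD of 1 in any of these values switches that Protected View trigger OFF.
$pvPath = 'HKCU:\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView'
foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV') {
    $v = Get-RegValue $pvPath $name
    $findings += New-Object PSObject -Property @{
        Control = "Excel Protected View ($name)"; Value = $v; Ok = ($v -ne 1)   # absent or 0 = still active
    }
}

# 4. IE9 SmartScreen Filter: EnabledV9 = 1 in the user hive or the policy hive.
$ss = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' 'EnabledV9'
if ($null -eq $ss) {
    $ss = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter' 'EnabledV9'
}
$findings += New-Object PSObject -Property @{
    Control = 'IE9 SmartScreen (EnabledV9)'; Value = $ss; Ok = ($ss -eq 1)
}

$findings | Select-Object Control, Value, Ok | Format-Table -AutoSize
$disabled = @($findings | Where-Object { -not $_.Ok })
Write-Host "Defenses disabled or unverified: $($disabled.Count) of $($findings.Count)"
```

Run it in the context of the user whose Office and IE settings you want to check, since the Protected View and SmartScreen values live in that user's hive.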




Seven cloud-computing security risks from Gartner

Thursday, May 19, 2011


Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled “Assessing the Security Risks of Cloud Computing.”
Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing,” Gartner says.

Amazon’s EC2 service and Google’s Google App Engine are examples of cloud computing, which Gartner defines as a type of computing in which “massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies.”

Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.

Here are seven of the specific security issues Gartner says customers should raise with vendors before selecting a cloud vendor.


1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,” Gartner says.


2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are “signaling that customers can only use them for the most trivial functions,” according to Gartner.


3. Data location. When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.


4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data at rest,” Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability,” Gartner says.


5. Recovery. Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. “Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do a complete restoration, and how long it will take.”


6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”


7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. “Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application,” Gartner states. [source]


The Role of a SIEM in an Overall Enterprise Security - ISC blog

Wednesday, May 18, 2011


A good article by Brian Albrecht on the ISC blog on how a SIEM fits into enterprise security.

An overall Enterprise Security plan will be comprised of many different moving pieces. An effective plan will have all of these pieces in place and working together like a fine tuned machine.  Managing this plan and taking in all of the data that is presented can be an overwhelming task.  Correlating all of this data is tough as well – the potential attack that was picked up by your IDS, was it successful?  Was there any suspicious activity soon after, maybe representing a data breach and a success?

The inclusion of a SIEM (Security, Information and Event Management) product can be a great addition to an already stout enterprise security infrastructure.  A well tuned SIEM product can lend insight into an enterprise’s overall network status – both security related and otherwise.  It does this by taking information from varying sources throughout the enterprise, IDS/IPS data, application, firewall, database, etc, and putting this all together.
In addition, a SIEM may also benefit an organization’s compliance program as well.  A SIEM on its own will not make an organization compliant, however the log management capabilities can go a long way to helping “prove” an organization’s compliance.

Now, it cannot be left unsaid that the effectiveness of a SIEM is only as good as the data that is being fed into it.  That being said, a SIEM may be an excellent “last piece” to an organization’s overall enterprise security puzzle.
Now, for full disclosure, I am currently employed by a SIEM provider…on that note, I have the chance to work with our customers on a daily basis and see the benefits that a SIEM provides first hand. Prior to my current employment, I did not have much experience within the SIEM market. It has been a fascinating experience, working with customers to discover data and trending that they could not have seen before.


Microsoft Security Intelligence Report Volume 10

Tuesday, May 17, 2011

The Security Intelligence Report (SIR) is an investigation of the current threat landscape. It analyzes exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, as well as internet services and three Microsoft Security Centers.

Some of the facts:


  • Exploitation through the Java platform has been on a significant rise since Q2 2010. The number of exploits against the Java platform far exceeds those against Adobe software and OS platforms.
  • Malicious IFrames account for a large number of the attacks over HTTP; this likely indicates the effect of hijacked and compromised websites.
  • Conficker is the most active malware family in enterprise environments and only 9th in the general Internet environment.
  • JS/Pornpop is the most active malware family in the general Internet (non-domain-joined computer) environment.
  • On the phishing front, phishing sites targeting social networking are increasing, and they are effective in getting themselves presented to victims.
  • The overall OS-level vulnerability count is steady and the browser vulnerability count is increasing more slowly; however, it is surprising that the application vulnerability count has been decreasing since 2008. Maybe the software vendors are actually getting much more secure?


Tips for Secure Online Banking


Below are some tips from the McAfee blog for secure online banking transactions.
  1. Offers via an unknown person or offers that are too good to be true should be suspect.  The same goes for offers via tweets and in social media.
  2. Don’t click the links in emails. Always go to the source. Use your favorites menu or manually type in the address in your web browser with a safe search plug-in.
  3. Beware of cybersquatting and typosquatting which may look like the domain of the legitimate eTailer.
  4. Use secure sites. https in the address bar signifies it’s a secure page.
  5. Beware of eBay scammers. Don’t respond to eBay email offers. Review eBayers history. Established sellers should have great feedback.
  6. Pay attention to your billing statements. Check them every two weeks online and refute unauthorized charges within 2 billing cycles.
  7. Don’t use a debit card online. If your debit card is compromised that’s money out of your bank account. Credit cards provide more protection and less liability.
  8. Avoid paying by check online/mail-order. Credit cards have more protection and less liability.
  9. Do business with those you know, like and trust. It’s best to buy high ticket items from eTailers that also have a brick and mortar location.
  10. Secure your PC. Update your critical security patches and anti-virus and only shop from a secured Internet connection.


Q&A on Google Apps: a good read

Boston-based Bay Cove Human Services is a non-profit organization that offers assistance and service to 4,000 people and families in Massachusetts. CIO Hilary Croach has several technology challenges to contend with. For starters, the agency has its hands in a number of service areas, including helping individuals with developmental disabilities, mental illness, drug and alcohol addiction, and those who need support with aging. With about 140 locations around Eastern Massachusetts, Bay Cove's employees and IT operations are scattered.


Because of the expansive nature of his users, Croach decided to take some applications into the cloud with Google Apps for Business. But Bay Cove is subject to a number of regulations, including HIPAA, so the move to the cloud wasn't done without extreme consideration with regard to access control and privacy. Croach recently detailed for CSO why he felt Google Apps tools were the right fit for his agency, and how he handles security in a regulated environment like social services.

CSO: How did you first become interested in using Google Apps for Bay Cove?
Hilary Croach: We had an email platform we had used for fourteen years. It was a great platform when we first got it. But, in recent years, it became clear it wasn't being updated, it wasn't connecting in with mobile devices, so we couldn't continue with it for our email platform. We looked at Exchange and the idea of hosted solution was on the table. We have about 1600 users. When I looked at Exchange implementation from the ground up, I was talking about a $100,000-capital investment, and that was with the relatively-cheap licensing that Microsoft offers to non-profits. But Google, for non-profits of our size, offers Google Apps for free. That was a huge deal for me.

Now, of course using Google Apps means it's not in my data center. And there are concerns about security if it's not in my data center. But we quickly became pretty confident that the email and calendar piece of the Google Apps suite would work as well and be as secure as our previous email system for internal communications - and we were clear that sending an email out of any system is pretty much unsafe unless you have encryption tools and so forth. So we made the move.

Did you use everything in the suite?
No. When we first moved to Google Apps, all we had turned on was Gmail and Calendar. And it's a better platform than we had before, with better connectivity to mobile devices.
When we rolled it out, Google had just given administrators the ability to parse out other pieces. Prior to when we started using it, if you wanted to use Google Apps, you had to roll out the whole thing. But we were able to just use Gmail and Calendar. And we also rolled out Docs to a small group of people. We were using Sites for other stuff, like our personnel policies. We were using it as an adjunct to our intranet. But more and more people started coming to me, telling me they really liked the collaborative abilities of Google Docs and they wanted me to turn it on for others.

Did you have hesitations about that? How did you handle it?
Google Docs, out of the box, is a user-centric collaboration tool. And, one thing to remember, is that most documents, whether Word or Google Docs, don't have protected information in them. When I say protected, I mean by statutes, like the Massachusetts statutes or HIPAA. Most are just documents. So this is a wonderfully collaborative tool that can be used, for instance, to write a proposal our staff may be working on to bid on a contract. That document might be private in that we don't want people to see it, but it isn't protected from the point of view of regulation and compliance. Many documents, probably over 90 percent, don't have protected information in them. What a drag to say "We aren't going to let you use it because we are scared you might share something that has protected information in it."

On the other hand, we had no visibility; no way of knowing how people were sharing documents. Google is moving more into the enterprise, but the control for the administrators at this point is pretty low, particularly in Google Docs. The ability to share documents is very different from trying to share a Word document that sits on my network. Google Docs has this really scary thing where I can right click on the document and it says "share this with public." That means anyone can access it, even search engines can search it. That can't happen with a Word document. Sure, people can print out a Word document and share it or put it on a flash drive. But most breaches in our industry come from inadvertent sharing and Google Docs allows for that in a much greater way. So we decided we didn't want to roll out Google Docs.

Then I got some push back. So I started looking around at third-party apps, some of which were administrative tools, to see if there was anything that could help me with the visibility component. I found CloudLock. Their tool gives me the ability to retrospectively know if something has been shared with the public, to an individual outside my domain, or within my own agency. We are using all three levels of sharing appropriately. The key to being able to use Google Docs is having the visibility on it.

You can see what people are doing with the documents, but how do you ensure they are sharing appropriately?

To completely prevent inappropriate sharing, I can certainly go into my admin center and indicate no Google Doc can be shared outside my domain. But if I do that, there may be a counselor on my side who wants to share with a doctor outside with appropriate consent. If I lock that down, they couldn't do that. Part of it is the visibility and understanding. But just like with my internal documents, I make assumptions that staff know and understand policies and will make correct decisions most of the time; I just need to point out to them when they may have accidentally shared.

I can do that because the tool gives me a high-level dashboard that shows me how many docs I have in my domain, and lets me know how many have been shared publicly, how many have been shared with individuals in my domain, and what has been shared with everyone in my domain. In the case of protected health information, that could be inappropriate. The tool gives me numbers. And I can look at the content and see if it's appropriate or not. If we feel it is inappropriate, we can then change the sharing privileges. The tool also alerts document owners of potential exposures.

And you are able to fully comply with privacy regulations using Google Apps tools?
Our compliance is part of a much larger strategy. If you look at the new Massachusetts regulations, the technology lockdown is just one part of it. A lot of it is education of staff around what's appropriate, what's not, what's locked down and what's not. It is ongoing education and then giving people tools to make sure they are following procedures.


Do you have any suggestions for other organizations who might consider Google Apps?
Don't reject it out of hand because it's in the cloud. There is a huge split between cloud fans and those who believe if they can't touch it, it's not secure. The reality is somewhere in the middle. By adding a third-party tool, it gives me more visibility on Google Docs than I have on documents in my network. People think Google is not secure. But I think their security is better than a lot of hospitals have for their data centers. My argument is always this: Don't reject it out of hand. [source]
