threat geek Feed

Friday, February 17, 2012

What the Candidates Aren’t Talking About

I consider myself somewhat of a political junkie, and as such, I frequently find myself tuning into the Sunday morning Washington insider shows or taking in one of the seemingly endless debates during the election season. 

Given my involvement in the IT security industry, I have a heightened awareness for discussions Peterg on issues in this arena and have often found it odd that none of the candidates or the journalists charged with asking the tough questions have hit on the issue of cybersecurity.  In conversations with colleagues I was encouraged that I was not the only one who felt this way, but was willing to chalk it up to perhaps a little over sensitivity given my chosen profession.

However, that line of thinking all changed a short time ago when I tuned into the evening news and heard Robert Mueller, Director of the FBI, make the following proclamation:

“I do not think today it is necessarily [the] number one threat, but it will be tomorrow…Counterterrorism — stopping terrorist attacks — with the FBI is the present number one priority. But down the road, the cyberthreat, which cuts across all [FBI] programs, will be the number one threat to the country.”

Mueller was not alone in his observations either, as he was joined by National Intelligence Director James Clapper, who went on to add:

“The cyberthreat is one of the most challenging ones we face...Among state actors, we’re particularly concerned about entities within China and Russia conducting intrusions into U.S. computer networks and stealing U.S. data.  And the growing role that nonstate actors are playing in cyberspace is a great example of the easy access to potentially disruptive and even lethal technology and know-how by such groups.”

Let that sink in for a moment.

The Director of the FBI and the National Intelligence Director just stated for the world to hear that in a very short period of time, cyberthreats will be our country’s biggest threat, yet none of the major candidates are talking about it and to my knowledge, the media hasn’t been asking.  Given the process candidates go through in order to secure their party’s nomination where they are asked for their position on seemingly everything, one would think this issue would be more talked about.

Personally, while I don’t necessarily expect the candidate to be an expert on cyber security themselves, I would like to know that they have given the issue some thought and they recognize the potential hazards.  I’d also like to know how they would address the issue; do they view it as a law enforcement issue or would it fall under the domain of homeland security?

I recently saw that U.S. officials estimate there are 60,000 new malicious computer programs identified each day. I think that qualifies as a significant threat and one that the voters deserve some answers on before they go into the booths come November. I for one will be on the lookout to see what kind of attention this issue gets paid in the weeks and months ahead, and which candidate has a plan to deal with it.

- Peter George

Posted by at 10:29 AM in advanced threats, cybercrime , Peter George, prevent cyber attacks, prevent data breaches, protect against APT, threat assessment , threat geek, threat intelligence | | Comments (0)

| |

Monday, January 23, 2012

Gross Negligence or Blatant Disregard for Security – You Decide

Let’s start with this hypothetical situation.  I have a very large warehouse where people are welcome to store their belongings. I don’t charge you to store your valuables in this warehouse, nor do I restrict who has access.  You can store as much as you want, I give you a complimentary ability to draw the lines on the floor that would symbolize the walls surrounding your belongings. I would also inform you in a 70-page legal document (that you most likely wouldn't read) that everything you put in this space has the potential to be viewed by countless others and in some cases, stolen or used for undesirable purposes.  And because I do not charge you for this service, I feel no obligation to provide you with any sort of oversight. So my question is would you store items of value to you in this location?

GeneApparently 700+ million subscribers to Facebook and other social media sites such as Google+ and Twitter would answer "yes" to this question.  We are in the midst of a virtual generation where lots of people voluntarily submit their whereabouts, habits, and everything else to the matrix of social media engines--yet when they expose themselves, it somehow becomes the website's responsibility to keep this information secure and private.

None of these social media behemoths charge users money, yet the service they provide is obviously not free for them--bandwidth, servers, employees, R&D, cost money, right? The only thing they take from subscribers is the information that they have give them-- what they search for, what they think, what they buy, where they’re located ,and so on. 

To me, it clearly means that this information is enough for them to make their money and have their valuations. The fact that they don’t charge users should mean that they don’t owe them anything material. So would it be fair to say if somebody keeps submitting updates about himself and everything he does on the public website, he doesn't care nor deserve privacy?

I think that most of those who actively use the social networking websites do care about privacy--but in a limited way, similar to yesterday's “physical” world. If my co-workers (parents, relatives, etc) don't have access to my Facebook page, I'm fine and private. I didnt read the EULA and it’s above and beyond my casual computer knowledge to think about all the ways somebody else (like the website owner and its affiliates or, say hackers) can access and use my info. Anyway, they are not physical 3-dimentional creatures to me. This alone makes a potential harm look virtual and kinda harmless. Also, headlines with simplistic exaggerated stories from security vendors blaming some far-far away nation states for all the privacy violations, while trying to sell their products, warps the reality of what people need to understand to take ownership of their own privacy controls.

While I’m sure this issue will be debated for years to come, as a security vendor, I will continue to thank the hackers and user ignorance that necessitate my existence.

- Gene Savchuk

Posted by at 12:23 PM in APT prevention, cybercrime , Gene Savchuk, network security monitoring , protect against APT, threat geek | | Comments (0)

| |

Tuesday, December 27, 2011

2012 Security Predictions

2012 2

With the New Year just days away, here are some 2012 security predictions from our Threat Geekers...

Peter George:

In 2012, we expect to see APTs continuing to center on content-based attacks. Nation-states are well funded and organized, and attacking the content-level is difficult to detect and stop. Burying malware deep into content will continue to be at the epicenter of attacks, and it will be absolutely imperative in the coming year that companies deploy tools to detect and stop these types of threats by gaining content-level visibility.

Hardik Modi:

Marginal but globally-trusted Certification Authorities will continue to be the victims of breaches in 2012, putting the entire eco-system around SSL at risk. Key functions on the Internet requiring security, such as e-commerce and e-government, will be threatened by this and will prompt intervention by national authorities, likely elevating CAs to national/regional critical infrastructure status and fragmenting the global nature of the CA system. Alternative solutions, both good and bad, will be proposed to fix or work around the issue, but have no real chance of sufficient adoption to have a meaningful impact.

Will Irace:

In 2012, I expect to see:

  • Businesses continuing to innovate ways to make their customers and shareholders happier in 2012.
  • Much of this innovation will continue to focus on the Internet as an essential enabling technology.
  • Some of this innovation will open new doors for bad guys to exploit unforeseen weakness.
  • The information security echo chamber will continue to reverberate as a result.

Here's another possibility: excitement about such topics as CarrierIQ and SOPA could give rise to increased security and privacy awareness among "civilians"--Aunt Susie--in the same way that Occupy Wall Street has raised income inequality as a topic for national discussion. We tend to think of security from the perspective of our customers: Fortune 500 companies and governments who want to protect their bottom line. But there are ordinary human beings that need protection too. Maybe 2012 can be their year.

David Chirico:

I could take a dark view of the 2012 and say that we will see and experience untold increases in the amount of threats, the types of threats, the amount of breaches and loss. 

Instead I will take a more positive viewpoint and predict that 2012 will be the year of change in security adoption and growth, in that both commercial enterprises and government agencies will embrace and adopt new strategies and vendor technologies to defend and protect their intellectual property, their sensitive data and provide greater shareholder trust and value in doing so.

I also predict that we will see more information sharing across industries and governments and expect to see more regulations and legal actions holding those accountable. 

 

What do you see as the top security trends for 2012?

Posted by at 11:17 AM in advanced malware, advanced persistent threat protection, advanced threats, content inspection, content monitoring, content protection, cyber information protection, cybercrime , David Chirico, Hardik Modi, network analysis and visibility , network forensics, Peter George, prevent cyber attacks, protect against APT, threat geek, Will Irace | | Comments (0)

| |

Thursday, December 22, 2011

IPsec - The Other White Meat

The technology community is swimming in alarming news and analysis about SSL recently. The trust-model that SSL uses for authenticity is crumbling before our eyes. There's a spotlight turned on SSL right now and odds are that we haven't heard the end of this story.

One obvious response is to try and manage around these vulnerabilities and we have a few ideas in this regard. But we've also been prescient enough to point out that there's an alernate protocol that does the authentication and encryption that you'd want to secure your traffic - IPsec.

HDIPsec can operate at Layer-3 of the ISO Internet model and consequently payloads from higher layer applications can be secured without the applications necessarily knowing about the use of IPsec. In this respect, it is far superior to SSL and this has made IPsec the primary basis for secure tunnels between sites on the Internet.

The reason IPsec isn't used more widely is that it typically requires a high degree of manual configuration. This makes it suitable for use between parties that know each other and are capable of doing the initial configuration required to make secure communication between them possible. But this is also why it's not suitable for securing the bulk of what we do on the Internet with SSL - web-based email, banking, shopping, social networks etc. It'd be a real bear to make the configurations necessary to secure each of these transactions. This is also a key reason that SSL has been the dominant form of VPN technology for employees outside the enterprise security perimeter to access intranet resources.

Microsoft has now provided a way for widespread use of IPsec with the recent announcement of their new connectivity feature, Direct Access. It consists of a number of components, all of which combine to provide IPsec-secured connections between clients running Microsoft Windows 7 and enterprise applications running on Windows Server 2008 R2. The upside of this is that client systems can use the authentication and optional encryption features of IPsec for connectivity to the kind of applications they might see on a Windows Server - Exchange, Sharepoint, IIS Webserver etc. In addition to the client and server components, Microsoft has introduced nifty management tools to simplify the installation and use of certificates to provide the pre-shared keys required to make security associations between say, a host running Outlook and a server running Exchange.

One of the upshots of this is that while a user might continue to use SSL to create a VPN session into their corporate network, they can be assured that they're connecting to the right Outlook or Sharepoint server, neatly side-stepping the authentication issues with SSL that have recently been exposed. Direct Access also has an option of standing up servers outside the enterprise firewall allowing clients to connect without the SSL tunnel. There's some interesting use of IP tunneling too, but I'll save that for another post.

So Direct Access is a clever combination of technologies like IPsec and IP tunnels to provide an alternative to a more recent protocol SSL/TLS that is under extreme stress at the moment.

But if I'm the security guy responsible for looking for malicious Javascript that is embedded in PDF files that might be zipped up and available on a corporate Sharepoint server, downloaded by a client that's connecting using IPsec, I might scratch my head and wonder what's the point of my current network security stack. There isn't a web proxy that pick apart all those layers. Try writing an IPS signature to look in all packets to identify the threat - the network adds enough polymorphism that the malware-author not even bother.

I salute Microsoft for their contributions to enterprise network security with the introduction of Direct Access and hope that it's taken seriously by those responsible for securing enterprise systems. In order to enable you to use Direct Access while maintaining your content-based security threat posture, Fidelis has introduced the IPsec decoder, capable of detecting and decoding IPsec sessions in Tunnel and Transport mode, using either of AH or ESP Headers. In cases where the payload is not encrypted, the decoder will find the HTTP session, the PDF that's being transferred and the embedded Javascript and make them available for content-based rules - all of this in real-time.

Use the IPsec decoder to dig into and do content analysis on your Direct Access sessions. And if you're not using Direct Access and find IPsec traffic on your network - well, that's something very interesting to look into.

- Hardik Modi

Posted by at 09:27 AM in APT prevention, cybercrime , Hardik Modi, network forensics, network forensics tools, prevent cyber attacks, prevent data breaches, protect against APT, threat geek | | Comments (0)

| |

Monday, December 12, 2011

Dark Reading's 10 Tips and Best Practices for a Data Security Detective

Read the full article here.

This is interesting. I’d like to take a crack at expanding this list in a future post. I rely on the ability to have a true defensive strategy that works in real-time, gives deep content-aware visibility, analysis, and control. The defender must now go on the hunt, lean forward and take action. Poring through security logs and stored packet data in a rear view mirror to see what had happened is no longer enough to protect.  Environment autopsies, while still necessary, should not be the front line approach to your defensive posture. We all need to start thinking differently, act differently, and share what we learn!

Digital-detective-470-0509Content is the new game, and you need a new defensive strategy. One solution is not enough, especially if it is a point product, but one solution can help especially if it can be both highly surgical, and offer a broad view of the attack life cycle from inbound injection to call-back, from lateral movement and staging and the final end game – data exfiltration. It should also work with other security solutions to set a foundation on which to build your defenses upon.  This approach can help your security environment be better, smarter, faster.

One last thought. I believe in the power of situational awareness. We are all going to get some information somehow – either through a blog, a posting, a tweet, or a tap on the shoulder from some government agency – and what will help ensure our survival is the ability to leverage this information into our security toolsets and go on the hunt, not just from recordings of logs/data but also in real-time.

- David Chirico

Posted by at 09:43 AM in advanced malware, cyber threat intelligence, cyber threat security, cybercrime , data breach prevention, data breaches , data loss prevention, David Chirico, prevent cyber attacks, prevent data breaches, protect against APT, threat geek, threat intelligence | | Comments (0)

| |

Friday, December 09, 2011

Keeping Tabs on the Security Industry: One Opinion at a Time

AsfsI have spent my whole life working with and using technology. From a Commodore 64 console as child to the first IBM XT computers.  With this lifetime of experiences, I find the technical evolution curve is growing faster with each passing year. While many credit innovations by vendors and technology thought leaders, much credit over these last few years is also due to our adversaries.

Security measures in technology have tended to be a mere afterthought to protocol, network, database, clients, and application designs, and naturally the business drivers that motivate them. It is among these afterthoughts and between these cracks that our elusive hackers, APT, threat actors, hacktivists, nation states, etc. are now reminding us that security needs to be paramount. Now more than ever we must design our networks, systems and business processes with security in mind.

As an avid reader of security news from around the web, I’ll be periodically sharing a few headlines and adding my $.02 worth where I deem appropriate. 

Facebook Zeus worm – Evades VM detection

This is a very interesting threat: it represents all the major concerns that are on the security community’s mind. It leverages social media as vector for infection andinvolves one of the most worrisome Trojans the planet has ever known, Zeus. Zeus continues to be customized and equipped to evade even the latest “next-generation” techniques, VM analyzers (I like VM analyzers and think they have good value but as anything else, they alone cannot do it all as my colleague Kurt wrote in "Automated Sandboxes not a Panacea."

Slide Show – The Year in Data Theft - 

Each one of the topics in this collection is unique, but they share some commonality. The fight isn’t just about client-side malware infections. This is why we need products that can be both surgical in detection but broad in their capabilities to give us multiple “bites at the apple” and a clear, content-aware view across the network.

I hope you enjoy the posts and whether you agree or disagree with my input, please add some of your own. We want to hear from you!

- David Chirico

Posted by at 02:11 PM in advanced malware, advanced persistent threat protection, advanced threats, APT prevention, cyber threat security, cybercrime , data breach prevention, David Chirico, prevent cyber attacks, prevent data breaches, protect against APT, threat geek | | Comments (0)

| |

Friday, November 18, 2011

Thoughts From The Forrester Security Forum 2011

Last week I spent two days at the Forrester Security Conference (Miami is very stressful, as you can tell from the picture below). It was a very interesting experience, with lots of information to swallow. Usually this process doesn't go easily for me—the information and conclusions I'm trying to stick in my head are met with a lot of half-baked thoughts and ideas that already are sitting there.

IMG00012-20111111-1457Looking at the current advanced threat landscape, apparently the two most massive and effective ways to break into the network from the outside, or abuse individual computers, are Java script XSS and SQL injections (information validated by speakers at the Forrester conference). Bad guys use those methods frequently to get to the protected data - passwords, credit cards numbers and user information in general. It doesn't sound particularly cutting edge - mating the databases with the web interface and using java script to implement the "thin client" is a mainstream technology. So is the methodology of abusing them.

There are forums and websites where the credit card and identity stealers exchange tips and tutorials - and also sell the stolen goods. Since this underground economy is taking place on the Internet, which is currently borderless and fast, the law enforcement of each particular country doesn't have the resources to be effective. Plus, the credit card industry is used to 5-6% of accounts being stolen, and it's built into the system. You and I will most likely pay nothing if we are a victim of this kind of crime aside from the minor inconvenience of calling the bank’s 800 number.

So, all of this brings an interesting question – if the threats at the root of these crimes are not novel, why aren’t software vendors--and the consumers for that matter— even caring about making the products secure in the first place, and implementing simple "internet hygiene"?

General buyers most likely don’t care. I mean, they do—they assume it’s already taken care of.  

They are buying all those media-consumption devices in all form factors to, well, consume media, do social networking, and maybe even work. They (rightfully) expect those laptops, smartphones, tablets, etc. just to function and be secure out of the box. They just want convenience.

So what about the software vendors? What is their role in embedding security?

For example, one might think, if the java script XSS attacks are so troublesome, why wouldn't the web browser makers put some per-domain JS protection into their products? The desktop version of Firefox at least has a third-party add-on that does just that. I'm pretty religious about using it and you should be too. So I've spent several hours looking at the options on my iPad, Android tablet and phone - to no avail. And that's understandable--the market of mobile browsers is rapidly growing and very competitive. This feature means more coding, more QA, increased time to market…and after all, 99% of users would never change the default settings. And if they did - all the companies that track, collect, and sell the information about you and me - from Double-click to Google - will loose their revenues?

We certainly shouldn't allow that. :)

Did you attend the Forrester Conference? Let me know what you thought. 

- Gene Savchuk

Posted by at 12:07 PM in APT prevention, cyber threat intelligence, cyber threat security, cybercrime , Gene Savchuk, intelligent network forensics, network forensics, prevent cyber attacks, prevent data breaches, protect against APT, situational awareness, threat assessment , threat geek, threat intelligence | | Comments (0)

| |

Monday, November 14, 2011

Want to Slow Down Cybercriminals? Share!

In 1901 Connecticut passed the first U.S state law regulating motor vehicles speeds—12 mph in cities, but they let you open it up to 15 mph as you headed out of town. Sure, on today’s roads, this seems ridiculous—well, to most of us in the left two lanes.

But it was a sign of the time; motor vehicles in the early 1900’s were substantially less Speed Limit
technologically advanced than they are today—yes, that’s the understatement of the year. Like most things, innovation boomed, and the landscape shifted. Soon cars were reaching speeds of 30, 40, 50 mph, and it was evident that the good ole 12 mph limits were not going to cut it. Fast forward over 100 years: the majority of cars are capable of reaching well over 100 mph, and, for the most part, we are ordered to stay within the 55-65 mph range.

Continue reading "Want to Slow Down Cybercriminals? Share!" »

Posted by at 11:12 AM in advanced malware, advanced threats, APT prevention, incident response, intelligent network forensics, intrusion detection , network forensics, network surveillance , network visibility, Peter George, threat geek, threat intelligence | | Comments (0)

| |

Tuesday, September 27, 2011

"But IPv6 Solves Everything, Right?"

The Internet Protocol (IP) is a set of standards that are completely fundamental to what the Internet is and how it works. Most of the information traversing the Internet today conforms to version 4 of the IP standard, known as IPv4. IPv4 was last updated three decades ago and our needs have evolved in ways that could not have been anticipated in those days. First, we've outgrown the numbering system established by IPv4, which has a theoretical limit of just over four billion addresses (and a practical limit that's considerably lower than that). And the second need we have today that wasn't evident in 1981 is that the Internet makes us equally accessible to our allies and our adversaries. Over the years we've developed an arsenal of defensive technologies, but they've all been layered on top of the IPv4 foundation.

Nanobots

Among other things, IPv6 tackles these issues. IPv6 has an address limit of around 340 undecillion, or forty million billion times the number of stars in the observable universe. The IPv6 standard also includes specific security capabilities which--if properly implemented--can help improve overall Internet safety.

So if IPv6 is supposed to make things better, then why are there widespread security concerns about it? Because while manufacturers of all kinds of devices from smartphones to high-bandwidth routers have supported IPv6 for some time, many companies have been slow to establish controls over how IPv6 traffic is managed, monitored and regulated on their networks. Most of the security infrastructure they've built around IPv4 is blind to the IPv6 traffic that is starting to course through their wires unchecked. Adversaries who are aware of this oversight now have a disconcerting variety of new approaches at their disposal, some of which use tunneling to blend IPv6 and IPv4 in all kinds of mind-bending ways.

So there's no particular security problem with IPv6; the excitement comes from a disconnect between the technology vendors who are eager to ensure that their products are compatible with the new standard, and the technology consumers who aren't yet exercising visibility and control over the new way devices are communicating on their infrastructure. If that sounds like you, make sure you're not turning a blind eye to IPv6, even if--especially if--you haven't taken your first steps toward IPv6 migration.

-Will Irace

Posted by at 09:00 AM in cyber threat intelligence, cybercrime , prevent data breaches, threat geek, threat intelligence , threat intelligence feed, Will Irace | | Comments (0)

| |

Thursday, August 18, 2011

The Analysis is Complete and Fidelis Has Been Named a Visionary!

Gartner Research just released the findings of its 2011 Magic Quadrant for Content-Aware Data Loss Prevention, and has recognized Fidelis for our completeness of vision and ability to execute by placing us in the Visionaries Quadrant.   For those of you who may not be familiar with the Gartner MQ system, they define it as follows:D

“Gartner Magic Quadrants are a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market's competitors. By applying a graphical treat­ment and a uniform set of evaluation criteria, a Gartner Magic Quadrant quickly helps you digest how well technology providers are executing against their stated vision.”

Third party validation from a respected industry source such as Gartner is always high praise; it was also extremely gratifying seeing our partner Verdasys—who OEMs Fidelis network DLP technology—positioned as a Leader in the Quadrant based on its ability to execute with Fidelis technology.

We at Fidelis are fond of the expression that our technology vision goes beyond ‘catching stupid.’ Anyone can do that.  We focus our efforts on providing the most powerful security solutions that uncover even the most sophisticated attacks.  With Gartner recognizing us as having the vision to make this happen and the proven execution and leadership of our technology, it would seem we are well on our way of accomplishing these goals.

- Peter George

Posted by at 10:27 AM in APT prevention, cyber threat security, cybercrime , data loss prevention, data loss prevention products, data loss prevention tools, network visibility, Peter George, prevent cyber attacks, prevent data breaches, threat geek | | Comments (0)

| |

« Previous | Next »

Search

Categories

Archives

Related Posts Plugin for WordPress, Blogger...
Related Posts Plugin for WordPress, Blogger...