Users: Greatest Asset or Weakest Link?

Recent events at very large and very important institutions, such as the Veterans Administration, have highlighted the importance of having an informed, security minded user-base.  Many, if not all, organizations, that electronically processes client or customer information, have begun to recognize the importance of having a comprehensive Information Security Policy in place.  While every well-prepared Information Security Policy includes provisions that speak directly to the roles and responsibilities of the common user base, it is becoming apparent that few organizations actually provide the training and awareness programs, which have proven effective, in creating that sought after, informed user-base. 


As cyber-criminals realize that organizations’ perimeter defenses have become increasingly more difficult to circumvent, attackers have begun focusing their attention on the individual user, as a means for compromise, instead of the organization as a whole.  Cyber attacks such as Phishing attacks and E-Mail scams attempt to trick a user into providing some sort of personal or confidential information to an attacker, without the user knowing.  With the advent of the slew of different removable “Destructive Technology” devices (i.e.…Laptops, USB Thumb Drives, Smart Phones, PDA’s, etc…) that are available to the layperson, it is quite possible for a common user to contract some sort of malware, while outside of the organization, only to inadvertently introduce the malware to the organization’s “squishy underbelly” that is the internal network. 


It is incredibly important, often mandated by law, for an organization to have a comprehensive Information Security Policy in place.  Even more important, is the requirement that the Information Security Policy includes provisions that explicitly detail the roles and responsibilities of the user-base, in the organization’s overall security posture.  Every organization should include a comprehensive Information Security Awareness Program that speaks directly to how a user should interact with the onslaught of cyber attacks that they are certainly going to encounter.  It should be the ultimate responsibility of the user-base to ensure that they are doing their part in defending their organization’s client/customer information.  It should be the responsibility of the organization to ensure that the policies that detail the responsibilities of the user-base are in place.  But, it ultimately comes down to the user to make sure that they are practicing their due-diligence and adhering to those guidelines.

Does your organization have a Security Awareness Program?  Better yet…do you follow it?

Hat trick of Excel vulnerabilities

Three vulnerabilities were identified in Microsoft Excel recently. The worst of them, in which a specially-crafted flash video can be inserted into a spreadsheet to remotely compromise a computer, doesn’t even require that the user click on anything. All they have to do is open the Excel file from an email attachment and their system is compromised. Excel spreadsheets can even be embedded into web pages, which allows for yet another attack vector.

The other two Excel vulnerabilities were found less than a week earlier. One exploited Excel’s apparent inability to successfully handle long URLs, and the other was a targeted attack that Microsoft has barely commented on. We expect all of these holes will be patched by Microsoft in their upcoming monthly security update. Until then you should handle unknown excel documents as if they could very well be infected with a virus.

Upcoming Podcast, MS Patches Push and a Request

Stay tuned for an upcoming podcast that reviews Unified Threat Management and gives some ideas on how it can help your organization. I also identify some things to look for in choosing a UTM solution and some of the changes we can expect in the UTM market. I am working on it now, and should have it posted next week.

In the meantime, keep working on getting the patches from MS yesterday applied. It looks like exploits are already making the rounds for some of these, so stay vigiliant. WatchDog is yellow now due to the issues and exploits.

Also, I had a pretty good discussion yesterday with some Cisco folks. They had some good feedback and such on where they are going with the “Self Defending Network”. I would love to get some client feedback about how people the view the Cisco mission and the products since they have embraced this idea.

Telnet Spike Seems Localized

For the last week or so, DShield and SANS have been showing a spike in Telnet (port 23) traffic for scans and attacks. However, the scans truly seem to be localized to specific ISPs. To date, none of the MSI honeypots or sensors have recorded any increase in Telnet traffic. On a couple of our consumer broadband connections, we have been watching for Telnet traffic for nearly a month without a SINGLE connection to any of our systems.

This may mean that some specific malware or scanning autorooter has been created that targets specific IP blocks that are known to belong to commercial operations. What they are seeking, at this point is still unknown.

This leaves us wondering if something else is coming, or if this is simply an anomoly or noise in the Net, so to speak. The smart idea is to do some additional monitoring around hosts that provide Internet facing Telnet services. It might be a good idea to run some quick scans for open Telnet connections and begin to round up whether they are needed or not. Some perimeter firewall config changes may help hide the unneeded ones from whatever is out there crawling the net for them.

If you see any unusual traffic on Telnet, please submit logs, packet captures or let us know using email or the “Talk to ISOC” function of WatchDog.