If You’re Still Using IE6, Read This!

We still see an alarming number of users visiting our sites using Internet Explorer 6 (IE6), although for the first time IE8 and IE7 both had a slightly higher share than IE6.

We urge users who continue to use IE6 to update to IE7 or IE8, or switch to an alternative as soon as possible. There are numerous reasons for this. IE6 has been shown many times to be insecure, it lacks privacy options, it has no protection from XSS or phishing attacks, and it’s not compliant with common web standards. It’s also much slower than modern browsers, particularly with JavaScript.

Upgrading your browser can have many benefits, the most important being enhanced security and privacy. Other benefits include a better browsing experience through better compliance and faster rendering. So please, upgrade your browsers!

Beware of ‘Free’ InfoSec

It’s tempting to gravitate toward security vendors who offer assessments on the “we find holes or it’s free” basis. I wanted to take a moment and express my thoughts on this approach.

First off, security testing choices should not be based on price. They should be based on risk. The goal is to reduce the risk that any given operation (application, network, system, process, etc.) presents to the organization to a level that is manageable. Trust me, I have been in the security business for 20 years and all vendor processes are NOT created equal. Many variations exist in depth, skill level, scope, reporting capability, experience, etc. As such, selecting security testing vendors based upon price is a really bad idea. Matching vendors’ specific experience, reporting styles and technical capabilities to your environment and needs is a far better solution for too many reasons to expound upon here.

Second, the “find vulnerabilities or it’s free” mentality can really backfire for everyone involved. It’s hard enough for developers and technical teams to take their lumps from a security test when holes emerge, but to now also tie that to price makes it doubly difficult for them to take. “Great, I pay now because Tommy made some silly mistake!” is just one possibility. How do you think management may handle that? What about Tommy? Believe me, there can be long-term side effects for Tommy’s career, especially if he is also blamed for breaking the team’s budget in addition to causing them to fail an audit.

Thirdly, it actually encourages the security assessment team to make mountains out of molehills. Since they are rewarded only when they find vulnerabilities and the customer expectations of value are automatically built on severity (it’s human nature), then it certainly (even if only unconsciously) behooves the security team to note even small issues as serious security holes. In our experience, this can drastically impact the perceived risk of identified security issues in both technicians and management and has even been known to cause knee-jerk reactions and unneeded panic when reports arrive that show things like simple information leakage as “critical vulnerabilities”. Clearly, if the vendor is not extremely careful and mindful of ethical behavior among their teams, you can get seriously skewed views between perceived risk and real-world risk, again primarily motivated by the need to find issues to make the engagement profitable.

In my opinion, let’s stick to plain old value. My organization helps you find and manage your risk. We help you focus on the specific technical vulnerabilities in networks, systems, applications and operations that attackers could exploit to cause you damage. To do this, my company employs security engineers. These deeply skilled experts earn a wage and thus cost money. Our services are based around the idea that the work we do has value. The damages that we prevent from occurring save your company money. Some of that money pays us for our services and thus, we pay our experts. Value. End of story.

Detection, Prevention Best Measure for Risk


For years now, security folks have been shouting to high heaven about the end of the world, cyber-terrorism, cyber-jihad and all of the other creative phrasings for increased levels of risk and attacks.

SANS Institute (SysAdmin, Audit, Network, Security) at least asks for good things, too. It is always, as they point out, so much easier to create a list of threats and attack points than a list of what we have done, and are doing right. It is human nature to focus on the shortcomings.

We have to create rational security. Yes, we have to protect against increases in risk, but we have to realize that we have only so many resources and risk will never approach zero!

We recently worked an incident where a complete network compromise was likely to have occurred. In that event, the advice of another analyst was to completely shut down and destroy the entire network, rebuild each and every device from the ground up and come back online only when a state of security was created. The problem: the business of the organization would have been decimated by such a task. Removing the IT capability of the organization as a whole was simply not tenable.

Additionally, even if all systems were “turned and burned” and the architecture rebuilt from the ground up, security “nirvana” would likely not have been reached anyway. Any misstep, misconfigured system or device or mobile system introduced into the network would immediately raise the level of risk again.

Thus, the decision was made to focus not on mitigation of the risk, but on minimizing it. Steps were taken to replace the known compromised systems. Scans and password changes became the order of the day and entire segments of the network were removed from operation to minimize the risk during a particularly critical 12-hour cycle where critical data was being processed and services performed.

Has there been some downtime? Sure. Has there been some cost? Sure. How about user and business process pain? Of course! But the impact on their organization, business bottom line and reputation has been absolutely minimized compared with what it would have been had they taken the “turn and burn” approach.

Rational response to risk is what we need, not gloom and doom. Finding the holes in security will always be easy, but understanding what holes need to be prevented, wrapped in detection and protected by response is the key. Only when we can clearly communicate to management and consumers alike that we have rational approaches to solving the security problems will they likely start listening again.

3 Tips to Improve Your Organization’s Application Security

Did you know that 65% of all reported attacks in 2007 were in the application layer, according to the FBI? Applications are the new playground for hackers and with more apps being developed daily, it makes for one very tempting area for the bad guys. Let’s look at three ways you can make a difference in blocking these attacks:

  1. Integrate Application Security into the Software Development Life Cycle (SDLC). Add security to the following phases: requirements, business impact analysis, functional testing, and quality assurance. When you improve your SDLC in this way, you will catch red flags during the design phase and not later. You’ll also ensure that the security team recognizes the impact and interactions necessary for security and increase the consistency in maintaining standards.
  2. Get Proactive – Develop programming standards, embrace development frameworks, create baselines for internal and external applications, create testing procedures, and make sure to publish this information internally.
  3. Educate Developers – This is the most important strategy. It can eliminate a significant number of vulnerabilities by providing an ongoing general awareness. Deep training for leaders will build a strong foundation for training teams who will be empowered to implement a stronger appsec program. Helping developers evaluate outdated applications, for instance, will go a long way toward preventing any potential vulnerabilities from being exploited.

SQL injection and XSS alone account for 32% of all incidents! More web applications are being developed, which means more targets for the attackers. The threats are data loss, regulatory and legal issues, a loss of customer confidence, a loss of system/network control, an increase in bots, phishing expeditions, and malware. By following these tips, you will significantly decrease the number of attacks.

Evaluating your frameworks can really help with determining outdated software that would affect your applications, both internal and external. Should you have any questions about the tips or desire additional assistance in the design of your appsec program, please don’t hesitate to contact MSI for help.