Microsoft posted their patches for May today. Looks like 3 critical patches, all of which allow remote code execution. A denial of service patch is also included as a moderate.
Given the interest lately in patch-based vulnerability generation, if exploits don’t already exist in the wild, they are likely very quickly.
Organizations should immediately begin testing the patches against their normal QA process and get them applied as quickly as possible.
Corporate Counter Intelligence: Ancient Strategy,Bleeding-Edge Protection
Abstract:
The message is very clear. What we have been doing to secure information has not been working. Attackers are on the rise, the number of successful compromises is higher than before and all of the legislation and regulations just make things more complicated. Attackers continue to grow in number capability and sophistication.
The principles of corporate counterintelligence are rooted in the history of warfare. This presentation will explain how organizations can improve, simplify and increase the effectiveness of their information security programs. Using ancient principles and techniques based on the art of counter intelligence information security teams can become more strategic, focused their resources where they will achieve the highest return and reduce the risk that their organizations face.
MSI security visionary, Brent Huston, will explain how these techniques can be applied to your business and introduce specific strageties and tactics that you can deploy today. Explanations of how these evolutions in security thought can truly translate into faster, safer and more powerful protection for your organization will be revealed.
For more information, access to the visual and audio content for the presentation, simply email info@microsolved.com.
The virtual event will be conducted Tuesday, May 20, 2008 at 4pm Eastern.
Nothing like a disaster to bring out the crimeware.
Keep your eyes open for disaster and aid oriented phishing and trojan scams. There is likely to be the same types of attacks that we have seen with other disasters. We can expect everything from Trojan horses designed to look like headline update tools, phishing schemes asking for donations, basic client-side exploits from web and HTML emails and the usual myriad of outright fraud.
Basically, if you really want to help folks, drop by known and trusted organizations such as the Red Cross, etc.
Be on the look out for strange network activity as this is likely going to be a basis for growing the bot-nets by yet another expansion.
MSI is seeking a technical leader with an understanding of Linux, networking and an interest in information security. The main focus of this position is project/engagement management, but the successful candidate will also need to be able to participate in security testing as a member of our team. They should have excellent written and verbal communication skills and not be afraid of dynamic environments. Public speaking, customer presentations and technical writing definitely go in the “plus” column.
The position is full time, located in Columbus, Ohio and has excellent benefits, a friendly and casual working environment and minimal travel. It also includes working with our team and being the best that the security industry has to offer.
If you would like more information about this position, please send your resume to bhuston**AT**microsolved.com.
In the last couple of years since we launched the HoneyPoint family of products, it has been an interesting experience. I have learned the joys and hardships of marketing a security software product. I have tried to make myself heard in an overcrowded and noisy marketplace. I would do it all over again, because HoneyPoint is the right idea and the right thing to do.
Now, MSI is again out to change the world. This week, we are launching a new release of HoneyPoint Security Server Console and officially releasing the long awaited HoneyPoint Trojan. Using these new tools, security teams can now create friendly Trojans that report information back to them whenever they are used. Security teams can gather when people access data that they should not and they can track data, documents and other pseudo-information around the world. That means that if you make jet engines, you can drop these Trojans on your file servers and anonymous FTP sites and then proceed to learn more about where they propagate!
But, that isn’t even the big news. The big deal is a new enhancement to HoneyPoint Security Server called HornetPoint. HornetPoints are the world’s first implementation of what we call “defensive fuzzing”. Like normal HoneyPoints, these pseudo-services listen on IP ports and wait for network contact. Just like HoneyPoints, they then capture the source and content of those transactions and report them to the central server. HoneyPoints, of course are often deployed to create an enterprise honeypot.
But, unlike normal HoneyPoints, HornetPoints are not a passive defense. Instead of replying with normal and expected data, the HornetPoints fuzz the expected data and mutate it into random and unexpected ways. The result is that a high number of attacker tools, worms, scanners and bot-net tools crash when the mutated data is received. Thus, HornetPoints, actively defend themselves and the network of their owners. Unlike more traditional defenses, HornetPoints don’t just guard against attacks – they break attackers and their tools!
We are just starting to populate the web site with information on these new versions and enhancements to the HoneyPoint product line. Over the next several days, we will make the new versions available and get the updated marketing added to the web site. In the meantime, if you are interested in hearing more about these new capabilities and the evolution from security to Corporate Counter Intelligence, just give us a call.
A special thanks is due from the MSI staff to those who have supported us during this process. Thanks to all of the folks who have urged us to complete the enhancements and to those who have helped challenge us to again rise to a new level. Things are certainly changing and we are all very proud to be a part of the next evolution of information security! We promise, we will continue to work hard to bring the best bleeding-edge protection and insights to all of you. As always, thanks so much for believing in us and in choosing MSI as your security partner!
Abstract:
This presentation will explain several techniques that have successfully been used to help upper management understand the information security initiative in several organizations. Overall strategies and specific tactics for gaining upper management support will be identified. The audience can use these techniques to gain, maintain and ensure rapport with upper management, establish and reinforce the value of the security team and to demonstrate the value of including the security team in business operational decisions and planning.
This virtual event will be held Wednesday, April 30th 2008 at 4pm Eastern time. You can get access to a PDF of the slides and the phone number and passcode for the audio portion by sending an RSVP email to info@microsolved.com.
For those unable to attend, the slides and an MP3 of the audio portion will be made available following the presentation.
Yesterday, we were proud to announce a new service offering and process from MSI. This is a new approach to threat modeling that allows organizations to proactively model their threat exposures and the changes in their risk posture, before an infrastructure change is made, a new business operation is launched, a new application is deployed or other IT risk impacts occur.
Using our HoneyPoint technology, organizations can effectively model new business processes, applications or infrastructure changes and then deploy the emulated services in their real world risk environments. Now, for the first time ever, organizations can establish real-world threat models and risk conditions BEFORE they invest in application development, new products or make changes to their firewalls and other security tools.
Even more impressive is that the process generates real-world risk metrics that include frequency of interaction with services, frequency of interaction with various controls, frequency of interaction with emulated vulnerabilities, human attackers versus automated tools, insight into attacker capabilities, focus and intent! No longer will organizations be forced to guess at their threat models, now they can establish them with defendable, real world values!
Much of the data created by this process can be plugged directly into existing risk management systems, risk assessment tools and methodologies. Real-world values can be established for many of the variables and other metrics, that in the past have been decided by “estimation”.
Truly, if RISK = THREAT X VULNERABILITY, then this new process can establish that THREAT variable for you, even before typical security tools like scanners, code reviews and penetration testing have a rough implementation to work against to measure VULNERABILITY. Our new process can be used to model threats, even before a single line of real code has been written – while the project is still in the decision or concept phases!
We presented this material at the local ISSA chapter meeting yesterday. The slides are available here:
Give us a call and schedule a time to discuss this new capability with an engineer. If your organization is ready to add some maturity and true insight into its risk management and risk assessment processes, then this just might be what you have been waiting for.
I really wanted to call this post How NOT to Sell Your Scanning Tool to Other Security Companies, but it seemed a little long.
Great….. That’s really just what you want to see…Looks like it went out to all PCI ASV companies. Fantastic, now I get spam based upon the PCI vendor list… I guess there is irony in the security business after all…
So, today, I was lucky enough to get spam from another security vendor with an offer to tell me all about how their company and tool can really help us be a better PCI ASV. I thought I would include it here, with some relevant commentary…
My name is Bob XXX and I am responsible for XXX PCI Compliance Partner Program.
Hi Bob. Just in case you are new to the security world, spam is not really cool and uninvited emails, especially those without an opt-out mechanism (like this one…) are really not much different than the guys selling V1agr4 and other junk via email. It basically uses other peoples’ time and resources without their consent…
A number of PCI ASVs use XXX products and services as a basis for their PCI Scanning offerings for the following reasons:
Wow! This is a great point. So, I can use your tool, just like other ASV providers and have even LESS to set me apart from my competition on the race to FREE scanning for PCI compliance. Ummm, thanks…
XXX PCI Scanning Solution
Wait for it… Here it comes…. The long list of “benefits” to me as a security provider…. Right….
… Is a leveraged investment providing unlimited scans and not a pay for every scan expense.
Well, at least I only have to pay for it like regular software and not that pay as you go model. Ummm… How is this a benefit for ASV companies? How is this different from Nessus and the plethora of other scanners that don’t follow the “Comodo model” (wait… aren’t they FREE for PCI scans now???)?
… Can accurately identify over 17,000 conditions which can decrease analyst review time; reducing time and cost.
I always love these numbers… Our toolset checks for more than 20,000 security issues… I hate adding these in, but a lot of clients always ask for them….Also, a definition of “accurately” would be appreciated. If you are suggesting that your tool has 17,000 checks that don’t create any false positives then I would say you are delusional. Be truthful, you say it reduces analyst time, but if an analyst still has to check them then we are again back to the definition of “accurate”…
… Is based on XXX XXX, a commercially available product, with ongoing investment in research and development to insure it is the most robust and accurate solution available.
So, “commercially available” translates to “better”? I would love to see you argue this with several security folks I can think of. How does commercial availability translate to quality? Are you implying that open source or propietary solutions are lesser because of their availability and lack of commercial cost? Is Linux less “robust and accurate” than Windows because it is open source or does the fact that Redhat sells a version of it make it more “robust and accurate” since it is commercial???
… Is supported by XXX’s award winning customer support organization.
Good. I am glad to hear you have won awards for support. How much support does the product need? Oh, wait, I think I see your implication – it’s that open source thing again isn’t it? Exactly what products are you attempting to compete against? I mean Nessus, which I would assume to be your primary target, has support too if you purchase the product. My guess is that this is a stab at the customer emotions and fears of newsgroup and mailing list support. Is that still an issue? I mean, especially since ASV companies are supposed to be the experts with their scanning tools, how does this translate to something I should be concerned about? Don’t my technicians know their tools well enough to not need the usual technical support?
… Can provide a strategic foundation for other revenue generating services such as
Ø Web Application Scanning
Ø Vulnerability Risk Management Scanning
Ø Configuration Compliance solutions
Now this is interesting… At first, I took it to mean that the tool did all of this… But it just says that it provides a “strategic foundation” for generating revenue from other services… What exactly is “Vulnerability Risk Management Scanning”? How is that different from traditional vulnerability scanning? Does it measure, quantify or create metrics somehow that communicate real-world risk, or is this just the usual H/M/L stuff like always? As for the revenue, would that be revenue for the ASV or for XXX? Both? On the good news front, I am pretty glad to see that you mentioned scans for web application issues, that is a good thing and at least you got this right…
I would like the opportunity to discuss your current solution and answer any questions about XXX to determine if we are an attractive alternative.
If you are interested in learning more, please respond to me so we can coordinate a day/time for a phone conversation.
Ummm…. Thanks, but no thanks. First, my company is an ASV. To become an ASV we had to do some scanning and testing. Thus, we already have tools. We also already appear to have tools that are superior to yours, at least in our opinion.
But, the number one reason I would not buy from your company is that one of the first rules of e-commerce security is don’t purchase things from unsolicited emails; it only encourages more spam. In addition, it just doesn’t fit my ethical compass to support security vendors who would engage in “spammy practices”. Good luck, Bob, but I think you might want to think about your email marketing approach a little bit more…
Authors: Anjum & Mouchtaris
Publisher: Wiley
Cost: $75.00
Rating: 3 out of 5
This book reads like a PHD thesis. It is long on technical and mathematic detail and a little short on real-world scenarios. The examples are well researched and deeply technical. While the reading is a little tedious, those seeking an in depth understanding of wireless security will benefit greatly from this book.
At just under 250 pages it’s likely to take longer than a weekend to complete the read, but especially if you’re a mathematical genius, this book should be right up your alley. One of the highlights of the book is the content that relates to intrusion detection systems. The section did an excellent job of explaining various techniques and architectures for wireless intrusion detection. This content will be especially interesting to engineers and vendors in the wireless security space.
MSI is proud to release a new tool to help security managers analyze the overall balance, maturity and capability of their security program. The new tool is a simple matrix based around quantifying the amount of controls, efforts and processes you are employing.
Using the tool as brainstorming aid is also possible. Security engineers have told us that the process works for them to analyze particular applications and other security undertakings. Simply build out the matrix on paper or in your chosen office product and it should help you clarify where your security initiative stands.
Effective, mature security programs should be well rounded in the matrix and should be well balanced between all of the cells. They also tend to balance out between strategic and tactical approaches.
Feel free to give us feedback on this project and let us know if we can answer any questions you may have.
You can obtain the relevant file here.
It is licensed under Creative Commons. Check out the PDF for details.