To Patch or Not To Patch, That is the Question!

Ahhh, the big question of tradeoffs. Do you apply the new Microsoft patch and stop Exchange from working with your Blackberry users or do you risk being compromised and worm infected when attackers release malware based on the vulnerability?

That is a HUGE question for many organizations. Right now, as I write this, several folks are contemplating that very question. Do you take the risk of a breach or keep your users happy? Both have large political fallout issues and long term impacts. Both have highly visible outcomes.

How do you make such a decision? Well, our suggestion is to evaluate the risks to your organization. That said, we are risk management folks, and others might not agree. We suggest you evaluate the potential damage to your business that a compromise or worm infection could cause (perhaps based on your latest risk assessment) and compare that to the losses from having some members of your user population (the Blackberry users) partially unable to access some Exchange services. Complete the process by converting both risks to real dollar damages to the bottom line, and then decide. Of course, don’t forget to include regulatory and reputational damages in the comparison.

For some organizations that are truly dependent on Blackberry technology, patching may well be the greater risk. For organizations with additional controls and security mechanisms protecting their Exchange implementations, the risk may be partially mitigated and thus much lower. For most, however, the answer will be to apply the patch. Then the question becomes: how do you explain to users the tradeoff you have been forced to accept?

For those organizations choosing not to patch, be very careful. A widely deployed service such as Exchange makes a ripe target for attackers and worms. Make sure you monitor the systems, networks and log files continually until you can apply the patch.

For those that patch and have to explain the solution to users who won’t be praying the “Blackberry prayer” for a while, be honest, open and up front. The more we explain the ideas of risk management to our users, the better decisions we empower them to make in the future. Awareness truly may be the key to a more secure future for all of us.

ASN.1 Still Alive and Kicking

The Microsoft ASN.1 vulnerability is still alive and well. If you check your IIS logs, you probably see this activity on a regular basis. ASN.1 seems to be the Code Red and Nimda of today: it simply won’t die.

Patches for ASN.1 have been available for quite some time, and the malware using this mechanism to spread is easily identified by proper IDS/IPS and anti-virus rules. Despite so many readily available options for protecting against it, it has proven remarkably persistent.

Perhaps an organized effort should be arranged through some online forum to identify systems spreading very old malware such as this and to contact the system owners to inform them. Think of it as an incident response effort for “aging worms, exploits and malware” or the like.

Any volunteers to head the effort?

Watch for FTP Attacks

As we posted to WatchDog last week, more and more attacks against FTP implementations are likely in the coming weeks. We noticed the release of a new GUI FTP fuzzer, and so far it appears to be getting heavy use to find new vulnerabilities in several FTP servers, both commercial and shareware/freeware/open source. New FTP vulnerabilities and exploits are starting to emerge and are very likely to continue.

Admins of FTP servers should pay careful attention to their logs and to their vendors’ information sources for new vulnerabilities and patches. It might also be a good time to make sure you have proper IDS/IPS coverage for all of your FTP servers and network drops.
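As an added example (not from the original post and not MicroSolved's own tooling), here is a small Python pass over FTP command logs that flags what fuzzer-driven probing tends to look like from the server side: oversized or non-printable arguments, and bursts of commands from a single client. The log layout, thresholds and sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter
# Heuristic thresholds (assumptions for this example; tune them to your servers).
MAX_ARG_LEN = 128     # real paths and usernames are far shorter than fuzzer payloads
BURST_THRESHOLD = 20  # commands from one client within a single second
# Assumed "date time client COMMAND [argument]" layout; adapt the regex to your server's format.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) ([A-Z]{3,4})(?: (.*))?$")

def parse_line(line):
    """Return {'ts', 'client', 'cmd', 'arg'} or None for lines the regex cannot read."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return dict(zip(("ts", "client", "cmd", "arg"), m.groups()))

def flag_argument(arg):
    """Reasons an argument looks machine-generated rather than typed by a user."""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized argument (%d bytes)" % len(arg))
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in arg):
        reasons.append("non-printable bytes in argument")
    return reasons

def analyze(lines):
    """Return (client, command, reason) findings for the given log lines."""
    findings = []
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in flag_argument(rec["arg"] or ""):
            findings.append((rec["client"], rec["cmd"], reason))
        per_second[(rec["client"], rec["ts"])] += 1
    for (client, ts), n in per_second.items():
        if n >= BURST_THRESHOLD:
            findings.append((client, "*", "%d commands in one second at %s" % (n, ts)))
    return findings

# Constructed sample log: one normal session, then a client hammering the server.
SAMPLE_LOG = [
    "2004-06-01 10:00:01 10.0.0.5 USER alice",
    "2004-06-01 10:00:03 10.0.0.5 CWD /pub",
    "2004-06-01 10:00:10 192.0.2.7 CWD " + "A" * 300,
    "2004-06-01 10:00:10 192.0.2.7 RETR file\x01\x02\xff",
] + ["2004-06-01 10:00:11 192.0.2.7 NOOP"] * 25

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

Findings from a script like this are a prompt to look closer and to check that IDS/IPS signatures for the affected server are current, not a verdict on their own.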

As new fuzzers get developed and released, we think this might be an interesting precursor to vulnerability patterns. Let us know if you see anything interesting!

More Bots Spell Trouble

For some time now, Bots have been growing in importance. They have truly become the most serious infosec threat to networks today. They are insidious, common and borne by some of the easiest to exploit vulnerabilities in many client-side applications.

In many cases, organizations have rampant Bot activity inside their networks, though more often than not they have no idea it is happening until a serious event, like a DDoS attack, shows up on their radar. The sad thing is that this is often too late. The attackers may have already gathered tons of data from network scans, sniffing and keystroke logging. They may already have access to the most critical data on the corporate network.

Now it seems that Bot masters have even begun to implement cryptography to better secure the connections between their programs. This helps protect the Bot traffic from discovery, analysis and reverse engineering attempts. It also makes signature matching and other IDS/IPS techniques much more difficult.

As before, the best defense against Bot attacks remains a two-fold process. First, organizations must implement proper egress filtering, including port blocking, traffic monitoring and analysis, and proxy use. In most networks, user systems simply cannot be permitted to access the Internet directly in an unfettered manner. It is simply too risky.

Secondly, organizations must employ awareness to combat Bot infections. They must teach users about the dangers associated with open surfing, email attachments, instant messaging and peer-to-peer networks. All of these technologies and behaviors pose significant risk to the network environment, be it small, mid-size or enterprise.
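As an added example (not from the original post and not MicroSolved's own tooling), the egress rule from the first step expressed as a Python check over firewall flow records: only the proxy and the mail relay may reach the Internet, on their expected ports, and every other outbound flow is a violation grouped by the offending host. The addresses, hosts and flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Egress policy (an assumption for this example): only the web proxy and the mail
# relay may reach the Internet directly; every user system must go through the proxy.
ALLOWED_EGRESS = {
    ipaddress.ip_address("10.1.1.10"): {80, 443},  # outbound web proxy
    ipaddress.ip_address("10.1.1.25"): {25},       # mail relay
}
# RFC 1918 space counts as "inside"; anything else is treated as the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def is_internal(addr):
    return any(addr in net for net in RFC1918)

def check_flow(src, dst, dport):
    """Return None if the flow satisfies the egress policy, else a short reason."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not is_internal(s) or is_internal(d):
        return None  # inbound or purely internal traffic is not an egress question
    allowed_ports = ALLOWED_EGRESS.get(s)
    if allowed_ports is None:
        return "direct Internet access from non-proxy host"
    if dport not in allowed_ports:
        return "unexpected outbound port %d from egress host" % dport
    return None

def audit(flows):
    """Group policy violations by source host: {src: [(dst, dport, reason), ...]}."""
    report = defaultdict(list)
    for src, dst, dport in flows:
        reason = check_flow(src, dst, dport)
        if reason:
            report[src].append((dst, dport, reason))
    return dict(report)

# Constructed flow records (src, dst, dst_port), as a firewall or NetFlow export might give.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.1.1.10", 3128),     # workstation -> proxy: fine
    ("10.1.1.10", "198.51.100.8", 443),    # proxy -> Internet: fine
    ("10.1.1.25", "203.0.113.9", 25),      # mail relay -> Internet SMTP: fine
    ("10.10.4.21", "203.0.113.77", 6667),  # workstation straight to an external IRC port
    ("10.10.7.3", "198.51.100.50", 80),    # workstation bypassing the proxy
    ("10.1.1.25", "203.0.113.9", 8080),    # relay on a port it has no business using
    ("198.51.100.8", "10.1.1.10", 443),    # inbound packet: ignored
]

if __name__ == "__main__":
    for host, hits in audit(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join("%s:%d %s" % h for h in hits))
```

A workstation that keeps reappearing in this report with the same external destination is exactly the quiet Bot check-in the post describes, and is worth pulling for a closer look before it ever becomes a DDoS participant.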

Of course, all of this assumes the basic steps of patching, network firewalling and typical anti-virus/anti-spyware are already in place and functioning. You are doing that, right?

Welcome

Welcome to StateofSecurity.com!

This site is dedicated to bringing you the latest in information security insight from the staff at MicroSolved, Inc.

From security news to evolving threats and research, we plan to cover it here.

Feel free to use the comment tool for feedback, and to download our FREE WatchDog Threat Intelligence tool from: http://www.microsolved.com/watchdog/

We hope you enjoy reading our new site.