Just added this to Revision 2 of the whitepaper:

Attack Vector Management

Part of mitigating the risk of this security issue is also managing the availability of the attack vector. In this case, it is essential that security teams understand how DNS resolution operates in their environment. DNS resolution must be controlled to the greatest extent possible. That means that all servers and workstations MUST be configured to use a set of known, trusted and approved DNS servers whenever possible. In addition, proper egress filtering should be implemented to prevent external DNS resolution and contact with port 53 on unknown systems. Without control over desktop and server DNS use, the attack vector available for exploitation becomes unmanageably large. Upper management must support the adoption of these controls in order to prevent compromise as this and other DNS vulnerabilities evolve.

Home User and Small Office Vulnerability

Home users and small offices (or enclaves within larger organizations) should pay careful attention to how their DNS resolution takes place. Many home and small business firewall devices such as Linksys, D-Link, Netgear, etc. are likely to be vulnerable to these attacks and are quite UNLIKELY to be patched to current firmware levels. Efforts must be made to educate home and small office users about this issue and to update all of these devices as the patches and upgrades to their firmware becomes available.

Our engineering team has analyzed the available data on this emerging security issue and the fixes identified. As such, we have prepared the following white paper for our clients and readers.

Please review the paper and feel free to distribute it to your management team, co-workers and others who need to be involved in understanding and remediating the problems emerging with DNS.

You can obtain the white paper here.

If your organization needs any assistance in understanding or managing this vulnerability, please do not hesitate to contact us. We would be happy to assist in any way possible.

There is quite a bit of talk online right now about a new bot-net that is supposedly quite a bit larger than Storm. This new bot-net, called Kraken, was discovered and initially revealed by another security team. Various folks are pointing at it as another evolutionary step in the growth of the bot-net threat and as a major new development in the area of cyber-crime.

Bot-nets, it seems, are today’s Internet worms. Their power, capability to produce FUD and impact make them on par with the Slammer, Code Red and Nimda worms of the past as significant threat evolutions. However, just like the worms of yesterday, there are some pretty common – albeit sometimes tough – things you can do to help minimize your risk of exposure.

First, segregate your network. Create enclaves that separate and manage access to servers that hold critical or sensitive data. Basically, segregate any and all user systems into untrusted areas and manage them as if they were untrusted systems (they are!!!)

Next, deploy egress controls as tightly as possible for all user -> Internet activity. Apply egress controls as tightly as possible to all enclaves.

Now, ensure that you have proper preventative and monitoring controls on all of the enclaves. Check for unneeded services, missing patches (OS and applications), bad configurations and known security issues. Mitigate or repair as many as possible. Monitor everything at the egress point for forensics and help with finding infected hosts. Deploy HoneyPoint sensors in user community and all enclaves.

Harden the user systems to the largest extent possible. AV, personal firewalls, patches, consider hardening or changing browsers. No matter what, consider user systems as untrusted hosts!

Educate your users about threats, their responsibilities and security mechanisms for their systems when outside the corporate network.

Monitor, manage and handle incidents quickly and with public consequences. If you find an infected machine and can trace it back to porn downloads on a company machine, fire the person and make a public example of the fact that actions against security policy (you have one of those, right?) have consequences…

Doing these basics will increase your overall security and greatly reduce your risk from bot-nets (and other threats). Is it easy? No. Is it expensive? It can be, depending on your size, complexity and technology level. Is it worth doing? Yes. It reduces risk and is much more interesting than ignoring the problem and/or continually working reactively to various incidents and compromises.

I thought this particular “hacker” article was pretty interesting. Thanks to Dr. Anton Chuvakin’s “Security Warrior” blog for pointing it out.

Once you look beyond the manifesto hype, you can really get a feel for what it represents. It represents a call to action to remind security professionals that the game has changed. The network and systems that it is composed of remain but a part of the security equation. The real target of the attackers that represent the REAL THREAT is the data that the network and systems hold.

Attackers have definitely moved up the stack. They do not care that most organizations are still focused on the network layer and more than a few are still trying to get the basics of that right. In fact, it simply empowers them more.

Today, attackers are focused on the application. That is true whether you look at holes like SQL injection and XSS or at the browser vulnerabilities that are at the root of a majority of malware and bot-net activity today. Today’s attackers have excellent tools for exploit development that have seriously changed the security landscape. More attackers understand the deeper nuances of computer science than ever before. Man security teams and professionals are lagging behind in knowledge, resources and capability.

One of the big reinforcers of this ideal to me was a presentation I gave a few weeks ago about application security. During the research for it, I found that according to several sources, a HUGE amount – roughly a third – of all reported security incidents last year involved SQL injection and XSS. Almost 2/3s of all reported incidents were web-application focused. Clearly, there is no denying that the attackers have moved up the security stack – the question is – have the defenders…

What are you, your security team and your security partners doing today to ensure that your data is protected tomorrow?