Risk Management

Wednesday, 28 April 2010

Blippy's security/privacy strategy - do they deserve to survive?

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider some of them the risks of using Blippy. Here are examples: 

Impersonation: You may not impersonate others through our services in a manner that does or is intended to mislead, confuse, deceive, or harass others.

Serial Accounts: You may not create serial accounts or relationships in order to evade the block tools or to otherwise disrupt the Services.

Name Squatting:You may not engage in name-squatting (creating accounts for the purpose of preventing others from using those account names or for the purpose of selling those accounts). Accounts that are inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link to malicious content intended to damage or disrupt another user.s browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a variety of ways for users to interact with one another. You may not abuse these tools for the purpose of spamming users. Some of the behaviors we look at when determining whether an account is spamming include:

  • The user has followed and unfollowed people in a short time period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

Posted at 08:58 PM in Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management | | Comments (0) | TrackBack (0)

Saturday, 13 March 2010

Verizon Business extends its thought leadership in security incident metrics

The Verizon Business Security Incident Response team, whose yearly published Data Breach Investigations Reports I've written about here, has has extended its thought leadership in security incident metrics with the release of its Incident Sharing Framework. Their purpose is to enable those responsible for incident response to "create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality (sic) and uncertainty, and help defend the organizations we serve." The document can be found here.

Of course Verizon Business is a for-profit organization and the license terms are as follows:

Verizon grants you a limited, revocable, personal and nontransferable license to use the Verizon Incident Sharing Framework for purposes of collecting, organizing and reporting security incident information for non-­‐commercial purposes.

Nevertheless, I do hope that this or an alternative incident sharing framework becomes an industry standard which enables the publishing and sharing of a larger number incidents from which we can all learn and improve our security policies and processes.

Posted at 03:26 PM in Breaches, Research, Risk Management, Security Management, Theory vs. Practice | | Comments (0) | TrackBack (0)

Technorati Tags:

Saturday, 16 January 2010

Google discloses breach and new threat type from China - Advanced Persistent Threats

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a type of attack that is relatively new called "advanced persistent threats" (APT) which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear fishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value. 

Gunter Ollman, VP of Research at Damballa, discusses APT's further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother “botnets”, are meaningless without that tether – which is more often labeled as Command and Control (CnC).

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.

Indeed, the threat landscape has changed.


Posted at 08:43 PM in Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft | | Comments (0) | TrackBack (0)

Technorati Tags:

Monday, 28 December 2009

Verizon Business 2009 DBIR Supplemental Report provides empirical guidance for unifying security and compliance priorities

The Verizon Business security forensics group's recently released 2009 Data Breach Investigations Supplemental Report provides common ground between those in the enterprise who are compliance oriented and those who are security oriented. While in theory, there should be no difference between these groups, in practice there is.   

Table 8 on page 28 evaluates the breach data set from the perspective of data types breached. Number one by far is Payment Card Data at 84%. Second is Personal Information at 31%. (Obviously each case in their data set can be categorized in multiple data breach categories.) These are exactly the types of breaches regulatory compliance standards like PCI and breach disclosure laws like Mass 201 CMR 17 are focused on.

Therefore there is high value in using the report's "threat action types" analysis to prioritize risk reduction as well as compliance programs, processes, and technologies.

While the original 2009 DBIR did provide similar information in Figure 29 on page 33, it's the Supplemental report which provides the threat action type analysis that can drive a common set of risk reduction and compliance priorities.

Posted at 07:47 AM in Breaches, Compliance, Risk Management, Security Management, Theory vs. Practice | | Comments (0) | TrackBack (0)

Technorati Tags:

Sunday, 06 December 2009

Koobface launches new Christmas message attack on Facebook

Symantec's Hon Lau, senior security response manager, is reporting that the Koobface worm/botnet began a new attack using fake Christmas messages to lure Facebook users to download the Koobface malware.

This again shows the flexibility of the command and control function of the Koobface botnet. I previously wrote about Koobface creating new Facebook accounts to lure users to fake Facebook (or YouTube) pages.

These Facebook malware issues are a serious security risk for enterprises. While simply blocking Facebook altogether may seem like the right policy, it may not be for two reasons: 1) No access to Facebook could become a morale problem for a segment of your employees, and 2) Employees may be using Facebook to engage customers in sales/marketing activities.

Network security technology must be able to detect Facebook usage and block threats while allowing productive activity.

Posted at 01:40 PM in Application Security, Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy, User Activity Monitoring | | Comments (0) | TrackBack (0)

Technorati Tags: ,

Sunday, 22 November 2009

Koobface botnet creates fake Facebook accounts to lure you to fake Facebook or YouTube page

TrendMicro's Malware Blog posted information about a new method of luring Facebook users to a fake Facebook or Youtube page to infect the user with the Koobface malware agent. 

The Koobface botnet has pushed out a new component that automates the following routines:

  • Registering a Facebook account
  • Confirming an email address in Gmail to activate the registered Facebook account
  • Joining random Facebook groups
  • Adding Facebook friends
  • Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. 

Here is yet another example of the risks associated with allowing Facebook to be used within the enterprise. However simply blocking Facebook may not be an option either because (1) it's demotivating to young employees used to accessing Facebook, or (2) it's a good marketing/sales tool you want to take advantage of.

Your network security solution, for example a next generation firewall, must enable you to implement fine grained policy control and threat prevention for social network sites like Facebook.

Posted at 03:54 PM in Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy | | Comments (0) | TrackBack (0)

Technorati Tags: ,

Monday, 26 October 2009

Social Networking's Promise and Peril

NetworkWorld has an interesting article today on the perils of social networking. The article focuses on the risk of employees transmitting confidential data. However, it's actually worse than that. There are also risks of malware infection via spam and other social engineering tactics. Twitter is notorious for its lax security. See my post, Twitter is Dead.

Blocking social networks completely is not the answer just as disconnecting from the Internet was not the answer in the 90's. Facebook, Twitter, and LinkedIn, among others can be powerful marketing and sales tools.

The answer is "IT Security 2.0" tools that can monitor these and hundreds of other web 2.0 applications to block incoming malware and outgoing confidential documents.

Posted at 05:48 PM in Application Security, Data Loss Prevention, IT Security 2.0, Network Security, Risk Management, User Activity Monitoring | | Comments (0) | TrackBack (0)

Technorati Tags: ,

Evil Maid attack shows that laptop hard drive encryption not the silver bullet

As important as laptop hard drive encryption is, it's not the silver bullet for protecting confidential data on laptops. Bruce Schneier described Joanna Rutkowska's "evil maid" attack against a disk encryption product. This type of attack would probably work against any disk encryption product because disk encryption does not defend against an attack where the attacker gets access to your encryption key.

As usual, risk management is about understanding the threat which you are trying to mitigate. Disk encryption does solve the stolen laptop problem. But if an attacker can get access to your laptop multiple times without your realizing it, the evil maid attack can defeat disk encryption.

PGP, a disk encryption vendor, discusses the limitations of disk encryption and as well as other defenses available to protect against evil maid and other attacks.

Bruce Schneier notes that two-factor authentication will defeat the evil maid attack. BTW, don't leave your token in the hotel room for the evil maid to find. :-)

Posted at 10:18 AM in Breaches, Malware, Risk Management | | Comments (0) | TrackBack (0)

Technorati Tags: ,

Monday, 12 October 2009

IBM CIO study ranks Risk Management and Compliance #3 of 10 CIO visionary plans

On September 10th, IBM released the results of a global study (registration required) they conducted of 2,500 CIO's from around the world. Of the ten top "visionary plans," these CIO's ranked Risk Management and Compliance third. Business Intelligence and Analytics was first followed by Virtualization. Also, I found it significant that Customer and Partner Collaboration came in fourth.

Unfortunately, the report did not divulge details of the methodology used beyond saying that over 2,500 CIO's were interviewed. If one grants that IBM is an able marketing organization, it genuinely wants to understand the priorities of CIO's so it can respond with the right services to increase its revenue. Therefore these priorities do represent what CIOs are thinking.

A more cynical opinion would be that this study is simply a marketing tool of IBM Global Services. In this case, IBM Global Services is advising CIOs that Risk Management and Compliance should be their third highest priority. Either way, this report highlights the importance of Risk Management and Compliance.

Looking at the study as a whole, it correlates the use of information technology to drive innovation with higher corporate profits. (Reminder - correlation and causation are not the same thing.)  In addition, information technology creates new risks which must be understood and mitigated.

Perhaps I am writing this because it supports my previously stated position that risk management enables innovation, e.g. Web 2.0 creates new risks which if not mitigated completely outweigh the value.

Posted at 09:27 PM in IT Security 2.0, Risk Management | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

Thursday, 01 October 2009

Block Facebook?

I just received an email advertisement from a "Web 2.0 security" vendor recommending that I use its product to block the evil Facebook. This is rather heavy handed.

Sales and marketing people want to use Facebook to reach prospects and interact with customers.
Sure there are issues with Facebook, but an all-or-nothing solution does not make sense. A more granular approach is much better. I discussed this issue recently in a post entitled, How to leverage Facebook and minimize risk.

Posted at 09:29 AM in Application Security, IT Security 2.0, Risk Management, Security Policy | | Comments (1) | TrackBack (0)

Technorati Tags: ,

Next »

About

Subscribe to this blog's feed

Recent Posts

My Favorite Books on Risk and IT Security