Wednesday, July 25, 2012

WindowSecurity.com Newsletter - July 2012

-------------------------------------------------------
WindowSecurity.com Newsletter - July 2012
Sponsored by: ManageEngine
<http://www.manageengine.com/products/eventlog/?utm_source=wownsec&utm_medium=newsletter&utm_campaign=textlinkELA&utm_term=jul12>
-------------------------------------------------------

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com


1. Editor's Corner
-------------------------------------------------------

* Vulnerability Scanner Pitfalls

Most of us use 'em. But are they really effective? It looks like well
over 90% of us use a vulnerability management system, but almost 50%
of you think that your network is "somewhat" to "extremely" vulnerable
to security threats, according to a recent survey by Osterman Research
and Skybox Security. The numbers are interesting. It is a good
opportunity to compare yourself to your peers.

I happen to know Osterman, and he's a straightforward and objective
researcher who reports on what the actual scene is. It's not looking
all that great. I looked at the survey results and they show a large
disconnect between on the one hand the frequency and depth of
vulnerability scanning actually conducted and on the other hand the
volume of scanning that the respondents felt was really needed.

Forty percent scan their internal networks once per month (or even
less frequently), and critical DMZ zones are typically scanned once
per week or less.

And then there is the coverage problem. Sometimes you cannot scan
what you want to, 49% said their organizations did not conduct
vulnerability scanning as often or as in depth as they would like.
But then look at the numbers. 27% of large organizations reported
scanning less than half of hosts in the DMZ per cycle, while 60%
of medium sized companies scan less than half of the DMZ hosts.

Of course sometimes there are good reasons for the low scanning
frequency and coverage. Fifty-seven percent of you replied that
traditional active scanning often disrupts your network services and
mission critical apps, 33% replied that parts of the network simply
are not scannable, and 29% replied that they have trouble getting
access to the systems they need to scan.

Some of they key survey takeaways:

- More than 90% of firms have a vulnerability management program and
consider vulnerability management a priority.

- 49% of companies have experienced a cyber attack leading to a service
outage, unauthorized access to information, data breach, or damage over
the past six months.

- 40% of companies scan their DMZ monthly or less frequently.

- Internal networks and data centers get the top priority in terms of
scanning frequency with 35% of organizations scanning these zones on a
daily basis.

- Large organizations (more than 1,500 employees) tend to scan more
frequently and with greater coverage of hosts compared to mid-size
organizations (250-1,499 employees).

- 73% of large organizations (more than 1,500 employees) scan at least
50 percent of hosts in their DMZ, while only 39% of mid-size organizations
(250-1,499 employees) scan at least 50% of hosts in their DMZ.

- Both large and mid-size organizations cite "concerns about disruptions
caused by active scanning" and "don't have the resources to analyze
more frequent scan data" as the top reasons for scanning less often
than desired.

- Large organizations cite lack of patching resources and non-scannable
hosts as a significantly greater issue than mid-size organizations.
The full survey findings are available for download at:
http://lp.skyboxsecurity.com/VMSurvey.html
---------------------------



* I Was Interviewed On TV Thursday

Ever wondered who that new Editor was? Here's your chance to see me.
Cyber threats reported by U.S. energy companies, public water districts
and other infrastructure facilities surged last year, a new government
report shows. The Department of Homeland Security's Industrial Control
Systems Cyber Emergency Response Team said that it received 198 reports
of suspected cyber incidents, or security threats, in 2011, more than
four times(!) the 2010 level. BayNews9 wanted an expert to comment on
this and asked me to come over. I was able to explain why it's urgent to
give employees security awareness training. Here is the 9-minute segment:
http://www.youtube.com/watch?v=74bofWwWjM4
---------------------------

* Quotes Of The Month:

"The public should always be wondering how it is possible to give
so much for the money." -- Henry Ford

"We act as though comfort and luxury were the chief requirements of
life, when all that we need to make us happy is something to be
enthusiastic about." -- Einstein

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity Newsletter
Email me at feedback@windowsecurity.com

Samsung Galaxy Tab 2 Winner Announced

TechGenix is delighted to announce that the winner of the Samsung Galaxy Tab 2 is long-time subscriber Konrad Eysink from Dallas, Texas. Congratulations! Read the full announcement here:
http://www.techgenix.com/news/samsung-galaxy-tab-2-winner-announced.htm


2. Prevent Email Phishing
-------------------------------------------
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly "security awareness" trained.

IT Security specialists call it your phishing attack surface. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now http://www.knowbe4.com/email-exposure-check/



3. Security Detail
----------------------------------------

* Security Training Fragmentation Causes Knowledge Gap

OK, time to get onto my soapbox and rant for a moment. But first, remember
that before I moved into IT, back in Europe I studied educational sciences
for almost 5 years and I'm a licensed teacher. So with that in mind, here
goes:

More and more, you see training companies promote their security awareness
training products as 'modular' as if that is something good. It's not.
They break their training into small modules, split up by security topic,
and say that this is better. They say that this is the way people learn
and work. It's definitely not.

They claim that short lessons are easy to learn. That is patent nonsense.
Is a 10 minute lesson in astrophysics easy to learn?

They say that one lesson a month, each with a different security awareness
topic, is the best approach. Unless you have an extremely secure environment,
it's actually an invitation to a data breach. Would you install a firewall
and slowly, over time, block the ports you need to defend?

There is a massive problem with this approach: security training fragmentation
actually causes a dangerous knowledge gap.

- You want -all- your employees, as soon as possible, to understand and be
armed against -all- attack vectors.

- Employees should get all the important online dangers in one training
session, integrated and reinforced multiple times within that initial
training session. That is the only responsible way to deploy security
awareness training.

- With all employees knowing all the online dangers, there is group
agreement and peer pressure in the direction of secure behavior.

- You don't want to start by training them about phishing and only weeks
or months later train them about social networking. That leaves a social
engineering hole big enough to drive a truck through.

- If you want to keep all employees on their toes with security top of
mind, do that with continued testing. Sending a simulated phishing attack
once a week is extremely effective to keep them alert, and a proven way
to dramatically decrease their Phish-prone percentage.

My apologies if I sound a bit hot under the collar, but I am passionate
about security. Perhaps other types of training can be drawn out and
fragmented, but we are dealing with IT security here, and employees are
the weak link!
---------------------------

* Windows Server 2012: What's New in Security (Part 1)

The excellent Deb Schinder takes a deep dive in the new WinServer
2012 Security features. In Part 1 she talks about Direct Access
improvements and where that leaves UAG. It's worthwhile, in-depth
article you do not want to miss:
http://www.windowsecurity.com/articles/Windows-Server-2012-Whats-New-Security-Part1.html
-------------------------

* Security Is Not Only Training, It's Culture

We all went to school, but how would you do if you were asked to
retake your finals? Probably not too well and neither would I. Education fades unless it
is regularly reinforced. And even the reinforcement is liable to
go 'on autopilot' and lose its effect. Security needs to become an
ingrained habit to truly work, and that means it needs to be part
of your company culture.

Some organizations have a strong security culture, others not so much.
Those are the ones you will find in the story below: 'The Worst
Security Snafus Of 2012 - So Far'. If the company as a group does
not care much about security, that reflects in everyone's behavior
including IT's approach to security and compliance, whether they
like it or not. IT in those cases often does not get the budget
to do it right.

Ideally, you need a security culture driven from the top down which
makes sure that institutional security knowledge gets documented,
retained, drilled into new employees during their onboarding, and
from there on kept alive by training, events, reminders and regular
security audits that will have repercussions if someone fails.

Only then will the general consensus and necessity level be high
enough to make your organization a hard target that is too expensive
to attack. Look, learn, and don't let this happen to -you-:
http://www.networkworld.com/news/2012/071312-security-snafus-260874.html?
---------------------

* Cybercriminals Sniff Out Vulnerable Firms

I could have written this headline myself. But I didn't, it was Sarah
Needleman at the Wall Street Journal. And she's right, that is exactly
what is happening.

She started out with:" With cybercriminals a greater threat to small
businesses than ever before, more entrepreneurs like Lloyd Keilson are
left asking themselves who is to blame for hacking attacks that drain
their business accounts. In May, Lifestyle Forms & Displays Inc., a
mannequin maker and importer led by the 65-year-old Mr. Keilson, had
$1.2 million wiped out of its bank accounts in just hours through
online transactions. The theft from the Brooklyn, N.Y., company,
which has about 100 employees, wasn't an isolated incident."

Nope, it sure ain't. The bad buys scan websites all day, every day with
fully automated tools very similar to Nessus and Qualys and look for
holes. Once found, they have automated tools to see if the holes can
be exploited. Only then do human criminals get involved, who, again,
have a whole lot of automated tools at their disposal.

In parallel with that, roughly one in every 300 emails is a phishing
attack. Compare that to about 100 emails sent and received per day by
the average corporate user. Can you say: "shooting phish in a barrel"?

"Small businesses feel like they're immune from cybercrime, and they're
wrong. They are absolutely on the list of potential targets of
cybercriminals," said Larry Ponemon, chairman of the Ponemon Institute,
a privacy think tank in Traverse City, Mich.

Read the article, it has some good suggestions at the end. This is also a
good one to forward to C-level Executives. Wall Street Journal has the story:
http://online.wsj.com/article/SB10001424052702303933404577504790964060610.html


4. SecureToolBox
-----------------------------------------------

* Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

* Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/


5. ViewPoint – Your Take
-------------------------------------------

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com

6. SecOps: What You Need To Know
--------------------------

* Bank Sues Customer Over BankWire Fraud

Tracy Kitten at BankInfo Security reported on this: "In another legal
wrangling over liability linked to ACH and wire fraud, a bank is taking
action against a former commercial customer, claiming the customer, not
the bank, is liable for losses and damages, as well as legal costs. In
March, BancorpSouth, a $14.3 billion bank in Mississippi, filed a
counterclaim against Choice Escrow and Land Title LLC, a family-owned
business based in Missouri. This week, Choice Escrow co-owner Jim Payne
is being questioned in a deposition tied to the counterclaim. BankInfo
Security has the story:
http://www.bankinfosecurity.com/bank-sues-customer-over-achwire-fraud-a-4945?
------------------------

* Malware Moves Up Into Cloud

You all probably know about the recent 60 million Euro cyberheist. I have
been digging into this a bit more, as it's the most advanced attack yet.
Cybercrime is not revolutionary, it clearly builds upon itself in an
evolutionary process. Well, malware has metastasized and moved up into
the cloud.

Up to now, malware lived on the PC itself in its entirety. All the code
was run locally on the workstation, and it communicated only with the
mothership to send stolen data, whether that be keystrokes, files, credit
card numbers or any other confidential data.

But now, the bad guys have upped the game and rewrote their malware
architecture from the ground up. It's almost like they took a page from
the antivirus playbook and cut down their own bloatware to a small,
lightweight agent (that the bad guys can hide easily), with the real
processing being done on a server in the cloud.

So how this works is as follows. The attacks start off with a phishing
email, usually pretending to be from the victim's bank and social
engineering them to change their account password which is not that
hard. Next, in early versions, the Zeus or SpyEye trojans would be
downloaded to the workstation. But not any more. These days only a tiny bit of malware is
put on the workstation and now the actual attack is coming from the
cloud. Yikes.

When the victim logs into their bank site, the malware uses web-inject
code to throw up a page that looks just like the victims bank web page.
But what happens behind the scenes and invisible to the victim is that
the malware server starts transferring money from the victim's account
to the criminal's account, with all the work being done on the criminal's
cloud server that usually sits at an Internet Service Provider which
is owned by the criminal network.

And quite a bit of work is being done. The attack takes the log-in
from the PC and redirects it to the server in real-time and does all
the transactions in the bank account. It can even circumvent two-factor
authentications where the victim has a card they need to swipe to
get into the account. Double yikes.

The malware on the workstation is relatively small, simple and does
not need to be updated for the next attack, as the updates can happen
on the server side. This makes the attack more agile and scalable.
Once that new, lightweight malware agent infects the user's workstation,
that machine can be used for a multitude of criminal activities.
--------------------

* Protecting A Critical Machine? Use Whitelisting, Not Antivirus

And who said that? It's not me, surprisingly it's McAfee!

First of all, I have no dog in this fight, and no product to sell you.
But I have seen the antivirus industry from the inside out, and I have
paid a lot of attention to the Virusbulletin website for a long time.

Recently, a few things have made me realize that it's time to turn
things upside down. You can no longer protect against the bad, Stuxnet
and Flame bear witness to this fact; the AV industry did not detect
these for years. The first graph shows the good executables compared
to the bad (malware) executables in 2002. Now, let's look 10 years later:

https://s3.amazonaws.com/blog.knowbe4Images/BlogImages/2002.jpg

Malware writers have fast-forwarded a few generations ahead, and
automated generating malware. The next graph shows the situation now.
As you can see it is high time for the proverbial paradigm shift.

https://s3.amazonaws.com/blog.knowbe4Images/BlogImages/2012.jpg

There is too much malware out there and the antivirus concept of keeping
bad code out has essentially been overtaken. The best illustration of
this is the recent analysis of the University of Alabama, which looked
at the most recent 30 days of phishing attacks and what percentage of
the antivirus products protected against these new flavors of malware.
A horrifying one-in-five caught the malware, and this is over 20
leading brands! You read that right, a whopping 80% of the existing
antivirus products did not catch these attacks. And it's objective
Virusbulletin data! Ouch.

Now McAfee essentially admits defeat and states together with the
Pacific Northwest National Laboratory that if you have machines that
are critical for infrastructure, whitelisting and related technologies
are the best solution. The researchers conclude that it is time to
switch from blocking bad code to allowing only good code. For you,
if you are not an electricity utility or municipal water plant that
means machines in accounting, development servers, or that hold any
kind of intellectual property. And it is needed more than ever to
educate your users which makes for happy admins and a lot less malware
infections.

I have taken the time to look at the whitelisting concept and wrote
it up for you. Here is the link to my whitepaper:
https://s3.amazonaws.com/knowbe4.cdn/Whitelisting_WhitePaper.pdf


7. Hackers' Haven
--------------------------

* Scam Of The Month: Payroll Phish

The nakedsecurity blog over at Sophos highlighted a new phishing scam
that would be good to alert your employees about. The bad guys are
pretending to be payroll processing company ADP. There are two variants
of this phishing scam. They wrote: "One is simply a plain text message
with the subject "ADP Funding Notification - Debit Draft" instructing
you to click a link to view your transaction report. The second is
more professional looking and suggests to a human resource specialists
that ADP is upgrading its security processes and you need to login
and be trained on the new procedures."

I would not be surprised if the bad guys did some homework and checked
on job sites for companies that are looking for HR people with ADP
experience, or scanned LinkedIn for the same and did a spear-phishing
attack where they also included 'HR@company.com' so that the net would
be as wide as possible.

"The links in all of the messages we have received redirect to
compromised websites that attempt to load malicious JavaScript that
has all of the telltale signs of the Blackhole exploit kit. Don't
click links in email folks. It's 2012 and we have been saying this
for over 10 years now. Think before you click." Here is the blog:
http://nakedsecurity.sophos.com/2012/06/29/adp-spams-lead-to-a-nasty-surprise/"
---------------------

* Why Pill Pushing Spam Pays Off

Brian Krebs is on a roll. Here is why pill pushing spam pays off.

"Consumer demand for cheap prescription drugs sold through spam-advertised
Web sites shows no sign of abating, according to a new analysis of
bookeeping records maintained by three of the world's largest rogue
pharmacy operations. Researchers at the University of California, San
Diego, the International Computer Science Institute and George Mason
University examined caches of data showing the day-to-day finances
of GlavMed, SpamIt, and Rx-Promotion, shadowy affiliate programs that
over a four-year period processed more than $170 million worth of
orders from customers seeking cheaper, more accessible and more
discretely available drugs. The result is is perhaps the most detailed
analysis yet of the business case for the malicious software and spam
epidemics that persist to this day. Here is link to Brian's blog:
http://krebsonsecurity.com/2012/06/pharmaleaks-rogue-pharmacy-economics-101/
---------------------

* How The Bad Guys Do It: Email-Based Malware Attacks

The excellent cybercrime journalist Brian Krebs has done it again.
Great blog post that explains how small- and mid-size businesses lose
hundreds of thousands of dollars in cyberheists. He started out with:

"Nearly every time I write about a small- to mid-sized business that
has lost hundreds of thousands of dollars after falling victim to a
malicious software attack, readers want to know how the perpetrators
broke through the victim organization's defenses, and which type of
malware paved the way. Normally, victim companies don't know or disclose
that information, so to get a better idea, I've put together a profile
of the top email-based malware attacks for each day over the past month."

This is a very interesting post, because it also shows the percentage
of the attacks that were caught by antivirus products as tested by
the independent Virus Bulletin site. Here is link to his blog post.
It is almost required reading for anyone in security !!
http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/

8. Fave links & Cool Sites
--------------------------

Super FAVE. Yes, I know, It's a Red Bull ad, but wow it's good. Felix
Baumgartner could become the first person to break the speed of sound
with his own body, protected only by a space suit:
http://www.flixxy.com/supersonic-freefall-from-the-edge-of-space.htm
---
More space: The "Sentinel" mission plans to place an asteroid-hunting
space telescope into orbit around the Sun in search of asteroids that
could impact Earth:
http://www.flixxy.com/sentinel-asteroid-hunting-space-telescope.htm
---
Next time you redecorate your living room, try this new invention:
The room is continually redecorated using two projectors and
state-of-the-art software. Interesting!:
http://www.flixxy.com/digital-redecorating.htm
---
I have discovered a website that shows you your influence in social
media. Name of the site is KLOUT and it's quite interesting. Check
it out, or forward this link to marketing.
http://klout.com/?i=1009527&v=dashboard_opt_in&n=gn
---
How to explain the "Higgs Boson" to a seven-year-old:
http://www.flixxy.com/higgs-boson-how-to-explain-it-to-a-seven-year-old.htm
---
Technology and art collide as 16 quadcopters give a light and sound show:
http://www.geek.com/articles/geek-cetera/technology-and-art-collide-as-16-
quadcopters-give-a-light-and-sound-show-20120628/

---
Gwapo's Professional DDOS Service. The sad truth is that this is a real
service. This is just one ad in a series for this criminal company:
http://www.youtube.com/watch?v=c9MuuW0HfSA


TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
WServerNews.com <http://www.wservernews.com/>

----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com

Copyright c WindowSecurity.com 2012. All rights reserved.

No comments:

Post a Comment