Attackers Exploit Heartbleed Flaw to Bypass Two-factor Authentication, Hijack User Sessions: Mandiant
Posted on April 19, 2014 by Kara Dunlap in Security
Attackers Exploit Heartbleed Vulnerability to Circumvent Multi-factor Authentication on VPNs and Hijack Active User Sessions
After details of the critical “Heartbleed” vulnerability in OpenSSL emerged earlier this month, which enables attackers to steal sensitive data typically protected by TLS encryption, there has been widespread concern among system administrators, network security teams, software developers and essentially anyone with any technical connection to the Internet.
In short, the Heartbleed vulnerability allows attackers to read up to 64KB of server memory per request, as many times as they like, by sending a specially crafted heartbeat message to a server running a vulnerable version of OpenSSL. Because the attacker can’t choose which memory comes back or reliably get the same kind of information each time, the attack depends on luck and repetition.
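The mechanics behind that description are simple enough to model in a few lines. The following is an added example, not code from the article or from OpenSSL: it builds a TLS heartbeat message as RFC 6520 lays it out (type, 16-bit payload length, payload, padding), then runs it through a handler that trusts the attacker-supplied length, as the vulnerable OpenSSL code did, and through one that applies the bounds check the fix introduced. The “process memory” and the VPN session cookie sitting next to the heartbeat record are constructed for the demonstration; real heap contents differ from request to request, which is why the real attack had to be repeated.

```python
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Heartbeat message body: type(1) | payload_length(2) | payload | padding(16).
    Passing claimed_len lets the sender lie about the payload size, which is the
    malformed request at the heart of the bug."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, off: int, record_len: int) -> bytes:
    """Pre-fix logic: echoes payload_length bytes from the payload start without checking
    that the record actually holds that many, so the copy runs into adjacent memory."""
    (payload_len,) = struct.unpack_from("!H", memory, off + 1)
    start = off + 3
    echoed = memory[start:start + payload_len]  # no check against record_len
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING


def fixed_handler(memory: bytes, off: int, record_len: int) -> Optional[bytes]:
    """Post-fix logic: silently discard records too short to hold header plus padding,
    and records whose claimed payload would extend past the record's real length."""
    if record_len < 1 + 2 + PADDING:
        return None
    (payload_len,) = struct.unpack_from("!H", memory, off + 1)
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    start = off + 3
    echoed = memory[start:start + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Payload bytes the requester gets back, with type, length and padding stripped."""
    (payload_len,) = struct.unpack_from("!H", response, 1)
    return response[3:3 + payload_len]


# Constructed stand-in for the process heap: the attacker's record followed by leftovers
# from another connection, here a made-up VPN session cookie (not a real token).
ADJACENT_HEAP = (b"\x00" * 24
                 + b"Cookie: webvpn=EXAMPLE-SESSION-TOKEN-0001; path=/\r\n"
                 + b"\x00" * 200)


def simulate(claimed_len: Optional[int]) -> Tuple[bytes, Optional[bytes]]:
    """Run one heartbeat through both handlers; returns (vulnerable_reply, fixed_reply)."""
    record = build_heartbeat(b"ping", claimed_len)
    memory = record + ADJACENT_HEAP
    return vulnerable_handler(memory, 0, len(record)), fixed_handler(memory, 0, len(record))


if __name__ == "__main__":
    honest_vuln, honest_fixed = simulate(None)
    print("honest request, both handlers echo:", response_payload(honest_vuln))
    evil_vuln, evil_fixed = simulate(claimed_len=200)
    print("lying request, vulnerable handler leaks:", response_payload(evil_vuln))
    print("lying request, fixed handler returns:", evil_fixed)
```

With an honest length both handlers echo `ping`. With a claimed length of 200 the vulnerable handler hands back 200 bytes starting at the payload, which here includes the constructed session cookie; the fixed handler drops the record because 1 + 2 + 200 + 16 exceeds the 23 bytes actually received.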
Originally, one of the key concerns about the vulnerability was whether an attacker could obtain a server’s private SSL keys by exploiting Heartbleed. As it turns out, in a challenge set up by CloudFlare, several researchers independently retrieved the private key from an intentionally vulnerable NGINX server using the Heartbleed exploit.
Now, according to researchers at Mandiant, a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against a customer’s VPN appliance and hijack multiple active user sessions.
“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained in a blog post. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.”
The victim was an organization located in the United States, a FireEye spokesperson told SecurityWeek.
According to Mandiant, the following evidence proved the attacker had stolen legitimate user session tokens:
1. A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization’s SSL VPN.
2. The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, “flip flopping”, between the malicious IP address and the user’s original IP address. In several cases the “flip flopping” activity lasted for multiple hours.
3. The timestamps associated with the IP address changes were often within one to two seconds of each other.
4. The legitimate IP addresses accessing the VPN were geographically distant from the malicious IP address and belonged to different service providers.
5. The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
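The five points above amount to a detection recipe that can be run over VPN session logs and IDS alerts. What follows is an added example, not Mandiant’s tooling: it parses a constructed VPN log (fields and format assumed, since no real log lines appear in the article), flags users whose session source alternates between exactly two addresses with consecutive changes no more than two seconds apart (points 2 and 3), and keeps only those where one of the alternating addresses also triggered Heartbleed IDS signatures (points 1 and 5). The GeoIP and ASN comparison in point 4 is left out; it would bolt on where the surviving address is reported.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed VPN session log (not real Mandiant data). Fields: UTC timestamp, user,
# client source address as the concentrator saw it, event type.
VPN_LOG = """
2014-04-08T14:02:10Z user=jdoe src=198.51.100.23 event=session_update
2014-04-08T14:02:11Z user=jdoe src=203.0.113.77 event=session_update
2014-04-08T14:02:12Z user=jdoe src=198.51.100.23 event=session_update
2014-04-08T14:02:14Z user=jdoe src=203.0.113.77 event=session_update
2014-04-08T14:02:15Z user=jdoe src=198.51.100.23 event=session_update
2014-04-08T09:15:00Z user=asmith src=192.0.2.45 event=session_start
2014-04-08T12:40:00Z user=asmith src=192.0.2.88 event=session_update
2014-04-08T08:00:00Z user=bwong src=192.0.2.120 event=session_start
""".strip().splitlines()

# Constructed IDS alerts: (timestamp, source address, signature name)
IDS_ALERTS = [
    ("2014-04-08T14:01:58Z", "203.0.113.77", "OpenSSL TLS heartbeat read overrun attempt"),
    ("2014-04-08T14:02:03Z", "203.0.113.77", "OpenSSL TLS heartbeat read overrun attempt"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) event=(?P<event>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_vpn_log(lines) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group (timestamp, source IP) events per user, oldest first."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        events[m["user"]].append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    for evs in events.values():
        evs.sort()
    return events


def find_flip_flops(events, max_gap=timedelta(seconds=2), min_flips=3) -> Dict[str, Set[str]]:
    """Flag users whose session source alternates between exactly two addresses with
    consecutive changes no more than max_gap apart. A user who roams once between two
    addresses hours apart is not flagged."""
    findings = {}
    for user, evs in events.items():
        flips, ips = 0, set()
        for (t0, ip0), (t1, ip1) in zip(evs, evs[1:]):
            if ip0 != ip1 and t1 - t0 <= max_gap:
                flips += 1
                ips |= {ip0, ip1}
        if flips >= min_flips and len(ips) == 2:
            findings[user] = ips
    return findings


def correlate_with_ids(findings, alerts) -> Dict[str, Set[str]]:
    """Keep only users where one of the alternating addresses also fired Heartbleed IDS
    alerts; the surviving address is the likely hijacker."""
    alert_ips = {ip for _, ip, sig in alerts if "heartbeat" in sig.lower()}
    return {user: ips & alert_ips for user, ips in findings.items() if ips & alert_ips}


def hunt(lines=VPN_LOG, alerts=IDS_ALERTS) -> Dict[str, Set[str]]:
    """Full pipeline: parse, find flip-flopping sessions, correlate with IDS."""
    return correlate_with_ids(find_flip_flops(parse_vpn_log(lines)), alerts)


if __name__ == "__main__":
    for user, ips in hunt().items():
        print(f"{user}: session likely hijacked from {', '.join(sorted(ips))}")
```

On the constructed data only `jdoe` is flagged, with 203.0.113.77 identified as the hijacking address; `asmith` changes address once, hours apart, and is left alone. Thresholds such as `max_gap` and `min_flips` are assumptions to tune against real concentrator logs.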
After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
Additional details and remediation advice are available from Mandiant.
The vulnerability is “catastrophic” for SSL and Internet security, Bruce Schneier, a well-known cryptologist and CTO of Co3 Systems, previously told SecurityWeek. “On the scale of 1 to 10, this is an 11.”
While it’s perfectly possible there are even more serious flaws in TLS lurking undiscovered, Heartbleed is quite possibly the worst one to date. Calling Heartbleed a “ginormous issue” would be a conservative assessment, Schneier said.
It’s very likely governments around the world used Heartbleed to exploit whatever server they could and grab whatever they could get as soon as they heard about the vulnerability, Schneier suggested. “Because why would you not?”
The NSA has denied a report claiming it was aware of and even exploited Heartbleed to gather critical intelligence.
“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokeswoman said.
Earlier this week, Canadian police arrested and charged a 19-year-old man with stealing the data of 900 Canadian taxpayers in an attack that exploited the Heartbleed bug.
Yahoo CISO Says Now Encrypting Traffic Between Datacenters, More Encryption Coming
Posted on April 3, 2014 by Kara Dunlap in Security
Yahoo’s recently-appointed VP of Information Security and CISO said that, as of this week, Internet traffic moving between Yahoo’s data centers is now fully encrypted.
Alex Stamos, who joined the company last month and has been tasked with securing Yahoo’s online products, provided a status update Wednesday on the company’s initiatives to protect users and their data.
The efforts by Yahoo are the latest as Internet and technology firms scramble to boost their security efforts and up encryption after Edward Snowden began to leak classified details on the scope of US government spying.
According to Stamos, the company has accomplished the following:
• Made Yahoo Mail more secure by making browsing over HTTPS the default.
• Has enabled encryption of mail between its servers and other mail providers that support the SMTPTLS standard.
• The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.
• Implemented the latest security best practices, including support for TLS 1.2, Perfect Forward Secrecy and 2048-bit RSA keys, for many of the company’s global properties.
He also said that users can initiate an encrypted session for a variety of the company’s news and media services by typing “https” before the site URL in their web browser.
“One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos wrote in a blog post. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”
A new, encrypted, version of Yahoo Messenger will be available in the months ahead, Stamos said.
“In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months,” Stamos continued. “This isn’t a project where we’ll ever check a box and be “finished.” Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.”
Late last month, Google announced that its Gmail service would use added encryption to protect against eavesdropping and keep messages secure.
In December 2013, a group of US-based Internet giants called on Washington to overhaul its surveillance laws. In an open letter to President Obama and Congress, the tech giants called on Washington to lead the way in a worldwide reform of state-sponsored spying.
In January, President Barack Obama announced plans to curtail the reach of massive phone surveillance sweeps by the NSA, but said bulk data collection must go on to protect America from terrorists.
In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.
US ‘Restrained’ in Cyber Operations – Pentagon Chief
Posted on March 28, 2014 by Kara Dunlap in Security
WASHINGTON – The United States will show “restraint” in cyber operations outside of US government networks, Secretary of Defense Chuck Hagel said Friday, urging other countries to do the same.
Hagel, speaking at the National Security Agency (NSA) headquarters at Fort Meade, Maryland, said that the Pentagon “does not seek to ‘militarize’ cyberspace.”
Instead, Hagel said that the US government “is promoting the very qualities of the Internet — integrity, reliability, and openness — that have made it a catalyst for freedom and prosperity in the United States, and around the world.”
The remarks came at the retirement ceremony for outgoing NSA chief, General Keith Alexander.
The Pentagon “will maintain an approach of restraint to any cyber operations outside the US government networks. We are urging other nations to do the same,” Hagel said.
He also said that the United States “will continue to take steps to be open and transparent about our cyber capabilities” with Americans, US allies, “and even competitors.”
The idea is to “use the minimal amount of force possible” in cyber operations, a senior defense official told reporters, speaking on condition of anonymity.
This would take place only when it would “either prevent conflict, de-escalate conflict or allow us to use the minimal amount of force,” the official said.
“That is not always the approach that other nations in the world use,” the official said. Although he emphasized that there was “a clear difference” between espionage and cyber operations, restraint is also applicable “for espionage and communications intelligence” at both the NSA and Cyber Command, the official said.
“We think very carefully about the things we do outside of our own network,” the official said. The budget for the Pentagon’s Cyber Command for fiscal 2015 is $5.1 billion. The Command must have 6,000 soldiers by 2016.
Alexander’s successor is a US Navy officer, Vice Admiral Michael Rogers, who will take over as both head of the NSA and Cyber Command.
Hagel is set to begin next week a tour of Asia with a stop in China, where cyberspying will be a hot topic following a report in The New York Times and Germany’s Der Spiegel that the NSA had secretly tapped Chinese telecoms giant Huawei for years.
The NSA had access to Huawei’s email archive, communications between top company officials, and even the secret source code of some of its products, according to the reports based on information provided by fugitive former NSA contractor Edward Snowden.
Trustwave Hit With Lawsuit Tied to Target Breach
Posted on March 26, 2014 by Kara Dunlap in Security
The fallout from the Target data breach has put security firm Trustwave in the middle of a class action lawsuit.
The complaint, which was filed March 24 in U.S. District Court in Illinois, names both Target and Trustwave and accuses the security company of failing to protect Target’s systems.
Contacted by SecurityWeek, a Trustwave spokesperson said the company does not comment on pending litigation or confirm the identities of customers.
The complaint was filed on behalf of Trustmark National Bank and Green Bank, N.A., and “all other similarly situated financial institutions.”
In the complaint, the banks state that Trustwave was hired by Target to protect and monitor the retailer’s systems, and that the security vendor scanned Target’s systems on Sept. 20, 2013, and found no vulnerabilities. Because of vulnerabilities in Target’s network, however, millions of payment card records were stolen, the complaint states.
“Additionally…Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII [personally-identifiable information] or other sensitive data,” the complaint reads. “In fact, however, the Data Breach continued for nearly three weeks on Trustwave’s watch.”
“Trustwave failed to live up to its promises, or to meet industry standards,” the complaint continues. “Trustwave’s failings, in turn, allowed hackers to cause the Data Breach and to steal Target customers’ PII and sensitive payment card information. In addition, Trustwave failed to timely discover and report the Data Breach to Target or the public.”
The investigation into the breach revealed that Target’s systems were compromised from Nov. 27 to Dec. 15. The data breach, which also included the theft of information such as email and mailing addresses for millions of Target customers, was one of the biggest such incidents in recent history. In February, the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA) reported that costs associated with the breach exceed $200 million. Much of that figure, $172 million, comes from the cost of replacing cards for CBA members, while CUNA reported that the cost to credit unions had reached $30.6 million.
“A recent analysis by global investment banking firm Jefferies suggests that payment card issuers could sustain upwards of $1 billion of damages as a result of the Target Data Breach based on an estimated 4.8 million to 7.2 million stolen and compromised Payment Cards being used to make fraudulent purchases and unauthorized cash withdrawals,” according to the complaint. “These costs fall on Trustmark and the other Class members, even though they had nothing to do with causing the Data Breach and could not have avoided it.”
The suit asks for unspecified damages.
Just last week, Trustwave announced that it had acquired Cenzic, Inc., a maker of application security testing solutions, for an undisclosed sum.
NSA Spies on China Telecoms Giant Huawei: Report
Posted on March 23, 2014 by Kara Dunlap in Security
WASHINGTON – The US National Security Agency has secretly tapped into the networks of Chinese telecom and internet giant Huawei, the New York Times and Der Spiegel reported on their websites Saturday.
The NSA accessed Huawei’s email archive, communication between top company officials, internal documents, and even the secret source code of individual Huawei products, according to the reports, which were based on documents provided by fugitive NSA contractor Edward Snowden.
“We currently have good access and so much data that we don’t know what to do with it,” states one internal document cited by Der Spiegel.
Huawei — founded in 1987 by former People’s Liberation Army engineer Ren Zhengfei — has long been seen by Washington as a potential security Trojan Horse due to perceived close links to the Chinese government, which it denies.
The United States and Australia have barred Huawei from involvement in broadband projects over espionage fears.
Related: China’s Huawei Denies US Spies Compromised its Equipment
Shenzhen-based Huawei is one of the world’s leading network equipment providers and is the world’s third-largest smartphone vendor.
The original goal of Operation “Shotgiant” was to find links between Huawei and the Chinese military, according to a 2010 document cited by The Times.
But it then expanded with the goal of learning how to penetrate Huawei computer and telephone networks sold to third countries.
“Many of our targets communicate over Huawei-produced products,” the NSA document read, according to The Times.
“We want to make sure that we know how to exploit these products,” it added, to “gain access to networks of interest” around the world.
Huawei is a major competitor to US-based Cisco Systems Inc. – but US officials insist that the spy agencies are not waging an industrial espionage campaign on behalf of US companies, as Snowden has alleged.
“The fact that we target foreign companies for intelligence is not part of any economic espionage,” a senior intelligence official told reporters Thursday.
The goal of economic intelligence efforts is “to support national security interests,” and “not to try to help Boeing,” the official said.
Related: Huawei Founder Breaks Silence to Reject Security Concerns
Related: PLA Concerns Lead to Huawei Being Blocked in Australia
Related: Huawei Calls for Global Security Standards
Related: China’s Huawei Responds to US Hackers
Related: China’s Huawei to Curb Business In Iran
Insight: A Convenient Scapegoat – Why All Cyber Attacks Originate in China
Linux Worm Turns Focus to Digital Dollars
Posted on March 20, 2014 by Kara Dunlap in Security
A Linux worm first spotted in November has joined the growing ranks of malware mining for crypto-currency.
The worm is called Darlloz. Late last year, Symantec reported that the worm was spreading via a known vulnerability in PHP that was patched in 2012 (the php-cgi argument-injection flaw, CVE-2012-1823).
“The worm targets computers running Intel x86 architectures,” blogged Symantec researcher Kaoru Hayashi. “Not only that, but the worm also focuses on devices running the ARM, MIPS and PowerPC architectures, which are usually found on routers and set-top boxes. Since the initial discovery of Linux.Darlloz, we have found a new variant of the worm in mid-January. According to our analysis, the author of the worm continuously updates the code and adds new features, particularly focusing on making money with the worm.”
The most recent update adds functionality that installs ‘cpuminer’ and begins mining Mincoin or Dogecoin, which are bitcoin-like crypto-currencies. The main reason for the choice, the researcher explained, is that Mincoin and Dogecoin use the scrypt algorithm, which can still be mined profitably on ordinary home PCs, whereas bitcoin requires custom ASIC chips to be profitable.
“By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing),” Hayashi blogged. “These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization.”
While the initial version of Darlloz carried nine username and password combinations for routers and set-top boxes, the latest version comes armed with 13 of these credential combinations, including ones that work for IP cameras. Once a device is infected, the malware starts an HTTP Web server on port 58455 in order to spread. The server hosts the worm files and lets anyone download them through this port with an HTTP GET request, the researcher explained.
“The Internet of Things is all about connected devices of all types,” Hayashi blogged. “While many users may ensure that their computers are secure from attack, users may not realize that their IoT (Internet of Things) devices need to be protected too. Unlike regular computers, a lot of IoT devices ship with a default user name and password and many users may not have changed these. As a result, the use of default user names and passwords is one of the top attack vectors against IoT devices. Many of these devices also contain unpatched vulnerabilities users are unaware of. While this particular threat focuses on computers, routers, set-top boxes and IP cameras, the worm could be updated to target other IoT devices in the future, such as home automation devices and wearable technology.”
The worm also includes functionality to block other malware to keep other attackers from controlling an infected device. So far, Symantec has identified more than 31,000 unique IP addresses as being infected. Thirty-eight percent appear to be IoT devices such as routers, IP cameras and printers. Five regions of the world that account for half of the Darlloz infections are China, South Korea, Taiwan, India and the United States.
“Consumers may not realize that their IoT devices could be infected with malware,” blogged Hayashi. “As a result, this worm managed to compromise 31,000 computers and IoT devices in four months and it is still spreading. We expect that the malware author will continue to update this worm with new features as the technology landscape changes over time. Symantec will continue to keep an eye on this threat.”
Related: Linux Worm Targets “Internet of things”
Related: New Banking Trojan Targets Linux Users
Related: Exploring the Misconceptions of Linux Security – Focus
Related: Researchers Uncover Attack Campaign Leveraging 25,000 Unix Servers
Don’t Forget DNS Server Security
Posted on March 17, 2014 by Kara Dunlap in Security
Late last August, some visitors to the New York Times website received an unexpected surprise – the website was down.
The source of the interruption was not a power outage or even a denial-of-service attack. Instead, it was a battle against a DNS hijacking attempt believed to be connected to hacktivists with the Syrian Electronic Army.
The attack was one of several in 2013 that focused on DNS (domain name system) infrastructure, and security experts don’t expect this year to be all that different – meaning organizations need to stay aware of DNS security threats.
Just last month, domain registrar and hosting provider Namecheap was hit with a distributed denial-of-service (DDoS) attack targeting its DNS platform that impacted roughly 300 sites. Beyond DDoS, attackers can also compromise a name server and redirect DNS queries to a name server under their control.
“DNS providers are often targets of attack because they are a central point for disrupting all services, web, mail, chat, etc. for an organization,” said Michael Hamelin, lead X-Force security architect at IBM. “The DNS server is the roadmap for the Internet, and once disrupted, services that are the lifeblood of the organization such as web, mail, and chat become inaccessible. If a DNS provider goes down, it could mean that thousands of customers have their digital presence temporarily erased.”
In the case of the New York Times, the attack that affected their users occurred when someone accessed a reseller account on Melbourne IT’s systems and changed the DNS records for nytimes.com as well as other domain names such as twitter.co.uk. This kind of password theft can have far-reaching implications, said Hamelin, who recommended DNS providers use two-factor authentication and “enable a restricted IP block requiring all edits to be made internally on the network.”
“Organizations need to understand that just because they have outsourced their hosting and DNS, it doesn’t mean that they’re guaranteed that the vendor has taken adequate security precautions to provide a highly available and secure service,” he said. “The organization needs to anticipate their DNS may become a target of an attack, and implement countermeasures such as using two different DNS systems and/or hosting providers.”
By its very nature, DNS is one of the weaker links in many infrastructures, said Vann Abernethy, senior product manager at NSFOCUS, adding that the company had seen an increase in both DDoS attacks on DNS infrastructure last year as well as the use of DNS to amplify traffic. Juxtaposed with the critical nature of its operation, its status as a weak link makes it an enticing target for attacks, he said.
“There are quite a few variants of DDoS attacks that can be executed against DNS servers, such as DNS Query Flood – a resource consumption attack aimed at a single infrastructure,” Abernethy said. “And there are new ones cropping up as well.”
Among those is a technique similar to a DNS amplification attack that relies on the attacker sending a query with fake subdomains that the victim DNS server cannot resolve, flooding the DNS authoritative servers it must contact, he said.
Fortunately, there are a number of actions organizations can take to improve DNS security. For starters, don’t run open resolvers, advised Mark Beckett, vice president of marketing for DNS security vendor Secure64.
“Open resolvers allow anyone on the internet to query a DNS resolver, and are widely used by botnets to inflict damage,” he said. “[Also] don’t allow spoofed IP addresses to exit your network. Organizations should set egress filters so that only packets with IP addresses within their network address space are allowed to exit their network. This eliminates the ability of the attack to spoof any IP address that it wishes from an infected machine.”
He also suggested organization use rate limiting capabilities within their DNS server if possible, and monitor the network to detect any sudden spikes in DNS packet rates or inbound or outbound DNS traffic volume.
“Early detection of an attack can allow an organization to take defensive measures (like blocking attack traffic upstream at the router or firewall) before the attack is severe enough to impact their users or their network,” he said.
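Two of the recommendations above, detecting the random-subdomain flood Abernethy describes and the rate limiting and traffic monitoring Beckett suggests, can be shown working on a resolver’s query log. The following is an added example, not code from any of the vendors quoted: it constructs a small query log (two office hosts resolving a couple of real names over a minute, plus one source firing 30 queries for never-before-seen labels under a victim zone in three seconds), flags zones whose queries are both high in volume and almost all unique, and applies a sliding-window per-client rate check of the kind a resolver-side rate limiter would enforce. The log format, thresholds and zone-extraction rule are assumptions for the demonstration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Set, Tuple

BASE = datetime(2014, 3, 17, 10, 0, 0)


def constructed_query_log() -> List[Tuple[datetime, str, str]]:
    """Constructed resolver query log as (timestamp, client IP, qname) tuples. Benign:
    two hosts resolving www/mail.example.com every five seconds. Attack: one source
    sending 30 queries for unique labels under victim.example at 100 ms spacing."""
    rows = []
    for i in range(12):
        rows.append((BASE + timedelta(seconds=5 * i), "192.0.2.10", "www.example.com"))
        rows.append((BASE + timedelta(seconds=5 * i + 2), "192.0.2.11", "mail.example.com"))
    for i in range(30):
        rows.append((BASE + timedelta(milliseconds=100 * i),
                     "198.51.100.200", f"{i:08x}.victim.example"))
    return rows


def zone_of(qname: str, depth: int = 2) -> str:
    """Crude parent-zone extraction (last `depth` labels); a real deployment would use
    the public suffix list or the resolver's own zone cut knowledge."""
    return ".".join(qname.rstrip(".").lower().split(".")[-depth:])


def random_subdomain_suspects(rows, min_queries=20, min_unique_ratio=0.9) -> List[str]:
    """Zones with high volume where almost every qname is unique: legitimate traffic
    repeats the same few names, a random-subdomain flood almost never does."""
    total, names = Counter(), defaultdict(set)
    for _, _, qname in rows:
        zone = zone_of(qname)
        total[zone] += 1
        names[zone].add(qname.lower())
    return sorted(z for z, n in total.items()
                  if n >= min_queries and len(names[z]) / n >= min_unique_ratio)


def rate_limit_offenders(rows, window=timedelta(seconds=1), max_per_window=8) -> Set[str]:
    """Sliding-window per-client query count; returns clients that a rate limiter with
    these parameters would have started dropping at some point in the log."""
    recent, offenders = defaultdict(deque), set()
    for ts, client, _ in sorted(rows):
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        if len(q) > max_per_window:
            offenders.add(client)
    return offenders


if __name__ == "__main__":
    log = constructed_query_log()
    print("random-subdomain flood against:", random_subdomain_suspects(log))
    print("clients to rate-limit:", sorted(rate_limit_offenders(log)))
```

On the constructed log `victim.example` is reported as the flooded zone (30 queries, 30 distinct names) and 198.51.100.200 is the only client exceeding eight queries in any one-second window; the office hosts never come close. Note that the rate check keys on the source address, so against spoofed sources it protects the resolver but not the victim’s authoritative servers; that is why Beckett’s egress filtering advice matters alongside it.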
DNS-related attacks will continue to be a theme of 2014, Hamelin said, noting there aren’t a lot of steps in place to protect organizations from a hijacked DNS server or its clients.
“Attackers are focused on ROI [return on investment] and attacking a DNS server could be a great way to have a large impact with little effort,” he said.
High Demand Pushes Average Cyber Security Salary Over $93,000
Posted on March 12, 2014 by Kara Dunlap in Security
Despite concerns over unemployment and the challenging job market, the IT job market has been fairly healthy, and demand for cyber-security professionals remained high in 2013, according to a new jobs study.
The number of job postings for cyber-security positions grew twice as fast as the number for overall IT job postings in 2013, Burning Glass Technologies found in its latest installment of the Job Market Intelligence report. There were 209,749 national postings for cyber-security jobs in 2013, and the average salary for a cyber-security posting was $93,028, according to the report, which is compiled by reviewing job postings across 32,000 online sites daily. In comparison, the average salary for all IT job postings was $77,642.
“These postings are growing twice as fast as IT jobs overall, and now represent 10 percent of all IT job postings,” the report said.
When considered against the backdrop of the increased number of data breaches, distributed denial-of-service attacks, online fraud, and cyber-espionage being reported each day, it’s no surprise the cyber-security job market is booming. Over 17 major retailers and financial institutions were targeted in 2013 alone, and according to the FBI, nearly 300,000 cyber-crimes were reported in the past year, resulting in losses of over $525 million.
Security is no longer restricted to just technology companies or financial institutions, as retailers such as Target and organizations in charge of critical infrastructure such as the electric grid grapple with skilled adversaries who take advantage of holes in the network defenses to cause damage. “If you have sensitive data, you are a security company,” David Lindsay, a senior product manager at Coverity, said in an earlier interview.
Burning Glass released the report last week, hours after the Labor Department reported the U.S. Economy added 175,000 jobs in February. The Labor Department said the biggest growth nationwide was in the professional services sector, which includes technology jobs. According to the Burning Glass report, 38 percent of those technology jobs are cyber-security positions. Manufacturing, defense, finance, insurance, and health care sectors also had high demand for cyber-security jobs, Burning Glass found.
While there are many jobs, Burning Glass said they are concentrated in three major hubs: Washington, D.C., New York, and San Francisco/Bay Area. The Washington, D.C. metropolitan area had the most cybersecurity job postings in 2013, with more than 23,000 listings, followed by New York City with just over 15,000, Burning Glass said in its report. The San Francisco-San Jose corridor, which includes the Silicon Valley, had more than 12,000 listings. Chicago and Dallas rounded out the top 5.
The demand for skilled cyber-security professionals in the federal government and at the contracting firms that work on government contracts explains the high numbers for the D.C. area. In a state-by-state analysis, Burning Glass found that Virginia ranked second in the number of cybersecurity job listings, and Maryland ranked sixth. As would be expected considering its concentration of technology companies, California ranked first in the number of open jobs.
The report highlighted the oft-discussed skills gap, as well. The demand is there for cyber-security professionals, but cyber-security jobs took 24 percent longer—45 days as opposed to 36 days for other IT jobs—to fill, Burning Glass found. Cyber-security jobs also took 36 percent longer than all job postings.
“The demand for cybersecurity talent appears to be outstripping supply,” said Matt Sigelman, CEO of Burning Glass.
One reason for the gap may be that employers are looking for significant educational background and experience, with two-thirds of postings requiring at least four years of experience and 84 percent looking for applicants with at least a bachelor’s degree. About half of all cyber-security positions requested at least one professional certification, such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), CompTIA Security+, or Certified Information Security Manager (CISM).
Sigelman noted that 50,000 job postings in 2013 required applicants to have the Certified Information Systems Security Professional (CISSP) credential, but there were only 60,000 such certified professionals at the moment. And considering that CISSP requires four years of full-time cyber-security experience, it’s not possible to “fast track” professionals to meet the demand.
“This is a huge gap between supply and demand,” Sigelman said.
The difficulty in finding cyber-security professionals to fill positions was part of the conversation at last month’s RSA Conference in San Francisco, as well.
Andy Ellis, CSO of Akamai, noted on the security gaps panel that the problem wasn’t a dearth of skilled individuals, but rather that “We’re writing job descriptions that are unrealistic.” The panel emphasized that cyber-security professionals need to be able to communicate with business stakeholders and be able to show how security affects the business bottom line.
With the jobs market booming for cyber-security professionals, it seems there are plenty of opportunities for them to show off what they can do.
Related: Report Shows Extreme Demand for Skilled Security Professionals
Microsoft to Release Critical IE Patch Next Week
Posted on March 7, 2014 by Kara Dunlap in Security
Microsoft plans to release five security bulletins next week for this month’s Patch Tuesday, including a fix for a security vulnerability used in attacks against Internet Explorer 10.
That vulnerability, which was described in Security Advisory 2934088, was spotted being used in watering hole attacks during the past few weeks. The bug also affects Internet Explorer 9, and could be exploited if the victim is tricked into visiting a compromised Website. Customers using other versions of IE are not impacted, Microsoft noted.
In addition to the IE bulletin, Microsoft will release one other critical bulletin for Windows. The other three bulletins are rated ‘important’ and affect Microsoft Windows and Microsoft Silverlight.
“The March patch list is small, with only five bulletins, but they are certainly significant,” said Ken Pickering, director of engineering at CORE Security. “There are two bulletins listed as ‘critical’ with remote code executions, one on Internet Explorer and one on a series of Windows versions. These types of bulletins need immediate attention and a reboot, which is always a headache for IT teams. Bulletin 5 only affects Silverlight, and aside from using it to stream House of Cards on Netflix, doesn’t have a big impact.”
“Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore,” blogged Wolfgang Kandek, CTO of Qualys. “Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end-of-life date…so you need a strategy for the XP machines remaining in your infrastructure.”
The Patch Tuesday updates will be released March 11.
A Strategic Sea-Change in Protecting the Security of Private Data
Posted on March 4, 2014 by Kara Dunlap in Security
Balancing data privacy and data security is a long-standing information security challenge. Historically, companies have focused their response efforts on establishing strong perimeter and endpoint controls; data was considered at risk from external actors, and protected by encryption, DLP, and network controls, but often left open to insiders without respect to role and need to see the information. Success and failure were measured in terms of data access; if an outsider was able to read company data, the security program had failed.
The public cloud has changed this model, however. The very market forces that sparked the explosive adoption of public cloud platforms (mobile technology, a robust app market, consumerization of IT, and the technological convergence of our personal and professional lives) have rewritten the rules for how and where users are accessing and sharing their information. In allowing employees to bring their devices to work, organizations have created expectations around access and efficiency that are radically different from the top-down control model that dominated the previous decade. More importantly, the decision as to whether to implement public cloud technologies such as SaaS applications has been made already, by those very users; fail to address their needs, and they will simply use consumer-grade alternatives of their own accord.
As security professionals, the initial response — to simply block all applications coming in from a cloud environment — is no longer the most appropriate or most effective way to respond to the market’s demands for information protection and security. Where companies establish restrictive controls, end users are presented with myriad options for circumventing them. Collaboration technologies that were once the domain of IT have become democratized, and end users who are familiar with traditionally consumer-focused apps such as Dropbox or Box are likely to bring those technologies into play if alternatives like Google Apps or Salesforce are locked down by organizational policies that prevent them from working as efficiently as they could.
In response, organizations need to rethink how they approach the challenge of data management. Most companies have come to accept that users must be engaged when working through data security; the question that remains is how they can also enforce data privacy rules, through which highly sensitive information is protected from inadvertent exposure and external threats, without driving users “underground” into consumer-grade file-sharing applications.
A Change in Expectations
End users often feel comfortable working with familiar apps that have not been subject to a security review because they do not see evidence of risk. As an industry trend, this is understandable; even catastrophic data breaches often go undetected by IT and InfoSec teams for months prior to discovery.
The delay in detection is not equivalent to a delay in damage, however. Even if a given file is only theoretically externalized, and no indicators suggest that sensitive or regulated data has been viewed by a malicious party, the exposure itself can be a data breach sufficient to warrant regulatory response.
Are your people the problem, or the solution?
What needs to change is the perception that the primary role of IT is to safeguard data by blocking outsiders from viewing it. Treating the company’s employees as the source of risk is counterproductive when it comes to formulating a solution. Given the tremendous autonomy that the cloud grants the typical user today, especially when users own and control the endpoint devices used to access organizational information, security needs to make everyone who interacts with sensitive data and systems a participant in (and even a custodian of) information security.
Putting the Pieces Together
Training is a fundamental part of the change process. Information security threats are constantly evolving and changing; to assume that your people inherently have a full understanding of the risks they are confronted with and the appropriate skills to respond is foolhardy. Make them aware of the risks, make them aware of the practices they should follow to protect data security, and importantly, make them aware that their performance in safeguarding information assets can and will be measured.
Supporting this effort requires a risk-appropriate response framework: content awareness to differentiate sensitive data from mundane data, encryption where it makes sense, and the ability to monitor your total risk space easily and efficiently. Consider the following elements:
– Content Awareness: the ability to discover and classify information assets on the network that belong inside the secure perimeter, right down to the level of individual words and numbers. This allows you to flag files containing potentially sensitive data such as social security numbers, health information, credit card data, or internal intellectual property, without manually parsing the contents.
– Risk-appropriate Encryption: Encryption is a tool, and a necessary component of a good security framework, but it is not a solution in itself. It should be an iterative response that builds on the content-aware policies an organization puts in place; ideally, users will be able to self-select which files should be encrypted, adding a defense-in-depth layer to their sharing activities. This can then be extended by policy-driven encryption actions that automatically encrypt files classified as highly sensitive. Note that this differs from universally applied encryption, which is designed to establish a perimeter but offers no protection against insider threat.
– Consolidated Security View: As mentioned above, one of the primary challenges around information security is how to narrow the gap between an incident and its detection. Any strategy designed to support a cloud security model should address this; a particularly effective approach will entail the consolidation of incidents into a single interface, highlighting policy violations, end-user data access activities, geo-awareness regarding logins and data access, and application risk in a single view.
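The content-awareness and policy-driven encryption elements above, as an added example that is not part of the original post or any product described in it: a small Python classifier that scans a constructed sample document for dashed US social security numbers and Luhn-valid payment card numbers, redacts what it finds, and maps the result to a handling decision. The regular expressions, the `ACME-CONFIDENTIAL` marker standing in for internal intellectual property, and the encrypt/flag/allow policy are assumptions chosen for illustration.

```python
"""Content-aware classifier: find regulated identifiers in text and map the
result to a handling action. Added example; patterns, categories and policy are
illustrative assumptions, not any vendor's rules."""
import re
from dataclasses import dataclass
from typing import List

# US SSN in dashed form. The lookaheads reject area/group/serial values that are
# never issued (000, 666, 900-999 / 00 / 0000), which removes many false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13-19 digit runs with optional single space or dash separators; the Luhn check
# below decides whether the run is plausibly a payment card number.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Constructed internal handling marker (assumption), standing in for "internal IP".
MARKER_RE = re.compile(r"\bACME-CONFIDENTIAL\b")


@dataclass(frozen=True)
class Finding:
    category: str   # "ssn", "card" or "marker"
    redacted: str   # only the last four characters of an identifier survive
    offset: int     # character position in the scanned text


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep the last four characters so an analyst can correlate a finding
    in the consolidated view without re-exposing the identifier."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> List[Finding]:
    """Scan text once per pattern and return findings ordered by position."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", redact(m.group()), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # digit runs that fail Luhn are not reported
            findings.append(Finding("card", redact(digits), m.start()))
    for m in MARKER_RE.finditer(text):
        findings.append(Finding("marker", m.group(), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def decide_action(findings: List[Finding]) -> str:
    """Policy (assumption): regulated identifiers force encryption before the
    file may be shared; an internal marker alone only flags it for review."""
    categories = {f.category for f in findings}
    if categories & {"ssn", "card"}:
        return "encrypt"
    if "marker" in categories:
        return "flag"
    return "allow"


# Constructed sample document; none of these values belong to a real person.
SAMPLE_DOC = (
    "Customer record (constructed sample)\n"
    "Name: J. Doe  SSN: 123-45-6789\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Order ref: 1234 5678 9012 3456\n"   # 16 digits, but fails Luhn: not a card
    "Phone: 555-123-4567\n"
)

if __name__ == "__main__":
    found = classify(SAMPLE_DOC)
    for f in found:
        print(f"{f.offset:4d} {f.category:7s} {f.redacted}")
    print("action:", decide_action(found))
```

The Luhn step is what keeps the 16-digit order reference out of the report while the card number is caught; in practice a classifier of this kind also weighs nearby keywords and document type before it raises a policy action, since digit patterns alone produce noise on large file populations.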
Importantly, by enlisting information workers as part of the data security system, this total solution approach changes the equation in security management. The organization’s staff can become a vital part of the process of protecting secure information assets, rather than working at cross-purposes with InfoSec efforts, and instead of pushing users away from the environment and into consumer apps, they can be converted into essential perimeters unto themselves.
The cloud is already here; talking about adoption in 2014 is passé, because users have and will continue to find ways to move your data into cloud platforms, and will do so even more quickly when forced by overly coercive policies. Instead of trying to obfuscate and block, or worse, attempting to solve for a threat that no longer exists (that is, the perimeter security model), change your focus. We as an industry are on the cusp of a technological paradigm shift; you need to decide whether you will embrace that change, or be cast aside by it.