Insider vs. Outsider Threats: Can We Protect Against Both?
Posted on June 26, 2014 by Kara Dunlap in Security
Media reports affirm that malicious insiders are real. But unintentional or negligent actions can introduce significant risks to sensitive information too. Some employees simply forget security best practices or shortcut them for convenience reasons, while others just make mistakes.
Some may not have received sufficient security awareness training and are oblivious to the ramifications of their actions or inactions. They inadvertently download malware, accidentally misconfigure systems, or transmit and store sensitive data in ways that place it at risk of exposure.
Personnel change too. Companies hire new employees, and promote and transfer individuals to new roles. They augment staff with temporary workers and contractors. New leadership comes onboard. Many of these insiders require legitimate access to sensitive information, but needs differ with changing roles, tenure, or contract length. It’s extremely challenging to manage user identities and access privileges in this environment, not to mention the people themselves. A person who was once trustworthy might gradually become an insider threat – while another becomes a threat immediately, overnight.
New technologies and shifting paradigms further complicate matters. The evolving trends of mobility, cloud computing and collaboration break down the traditional network perimeter and create complexity. While these new tools and business models enhance productivity and present new opportunities for competitive advantage, they also introduce new risks.
At the same time, you can’t ignore outsider threats which are responsible for the lion’s share of breaches. Since 2008, the Verizon Data Breach Investigations Report has shown that external actors – not insiders – are responsible for the vast majority of the breaches they investigated. Some of the top reasons why breaches were successful include: weak credentials, malware propagation, privilege misuse, and social tactics. These are precisely the types of weaknesses that trace back to the actions (or inactions) of insiders.
The question isn’t whether to focus on the insider or outsider threat. The question is how to defend against both – equally effectively.
What’s needed is a threat-centric approach to security that provides comprehensive visibility, continuous control, and advanced threat protection regardless of where the threat originates. To enable this new security model, look for technologies that are based on the following tenets:
Visibility-driven: Security administrators must be able to accurately see everything that is happening. When evaluating security technologies, breadth and depth of visibility are equally important to gain knowledge about environments and threats. Ask vendors if their technologies will allow you to see and gather data from a full spectrum of potential attack vectors across the network fabric, endpoints, email and web gateways, mobile devices, virtual environments, and the cloud. These technologies must also offer depth, meaning the ability to correlate that data and apply intelligence to understand context and make better decisions.
Threat-focused: Modern networks extend to wherever employees are, wherever data is, and wherever data can be accessed from. Keeping pace with constantly evolving attack vectors is a challenge for security professionals and an opportunity for insider and outsider threats. Policies and controls are essential to reduce the surface area of attack, but breaches still happen. Look for technologies that can also detect, understand, and stop threats once they’ve penetrated the network and as they unfold. Being threat-focused means thinking like an attacker, applying visibility and context to understand and adapt to changes in the environment, and then evolving protections to take action and stop threats.
Platform-based: Security is now more than a network issue; it requires an integrated system of agile and open platforms that cover the network, devices, and the cloud. Seek out a security platform that is extensible, built for scale, and can be centrally managed for unified policy and consistent controls. This is particularly important since breaches often stem from the same weaknesses regardless of whether they result from insider actions or an external actor. This constitutes a shift from deploying simply point security appliances that create security gaps, to integrating a true platform of scalable services and applications that are easy to deploy, monitor, and manage.
Protecting against today’s threats – whether they originate from the inside or the outside – is equally challenging. But they have a lot in common – tapping into many of the same vulnerabilities and methods to accomplish their missions. There’s no need to choose which to prioritize as you allocate precious resources. With the right approach to security you can protect your organization’s sensitive information from both insiders and outsiders.
Nasty IE Zero-Day Used in Attacks Against Defense, Financial Sectors: FireEye
Posted on April 27, 2014 by Kara Dunlap in Security
Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.
The security flaw is a remote code execution vulnerability (CVE-2014-1776) that affects versions of IE6 through IE11, which in total accounted for 26.25% of the browser market in 2013.
The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11.
“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday.
Microsoft also issued a security advisory on Saturday and said they were working with partners in its Microsoft Active Protections Program (MAPP) to extend broader protections to customers as soon as possible.
If successfully exploited, an attacker could gain the same user rights on the impacted system as the current user, Microsoft said. Accounts configured with fewer rights on the could be less impacted than users who operate with administrative privilages.
FireEye has named the campaign “Operation Clandestine Fox,” but has shared very little details other than saying the group behind the exploit has been the first to have access to a select number of browser-based 0-days in the past.
FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”
“They have a number of backdoors including one known as Pirpi that we previously discussed here,” the researchers wrote. “CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8 dropped the Pirpi payload discussed in this previous case.”
“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray,” FireEye explained. “The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”
Because the attack leverages Adobe Flash, users who do not have Flash installed or have the Flash plugin for IE disabled, will be protected. Additionally, several versions of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will break the exploit.
Additional technical details are available from FireEye. Microsoft also has provided some mitigation information.
Related: ASLR Bypass Techniques Appearing More Frequently in Attacks