Microsoft has launched a highly technical blog that publishes vulnerability details for security researchers and practitioners on Patch Tuesdays. Microsoft has long released information about vulnerabilities and patches on Patch Tuesdays, but never at this level of technical depth until now.
The blog’s tagline is as follows:
“Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, and other related guidance and information.”
As an example of the type of post on the site, one post includes a PCAP file showing what SMBv2 network traffic from an unpatched host looks like. Packet data like this can be turned into a signature for an intrusion detection system such as Snort, making it easy to identify unpatched computers on the network.
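The post's own capture and the specific bytes that distinguish a pre-patch host are not reproduced here. As an added example (not code from Microsoft or from the original post), the block below shows the reusable part of that idea: parsing SMB2 NEGOTIATE responses as they would appear in a PCAP, and building a per-host inventory of the SMB2 dialect each server answers with and whether it requires signing. The packets are constructed sample data, and the NetBIOS framing, SMB2 header layout and NEGOTIATE response layout follow MS-SMB2; feeding it real traffic would need a PCAP reader in front of `inventory_smb2_hosts`.

```python
"""Passive SMB2 fingerprinting from server NEGOTIATE responses (added example)."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # header flag: this is a response
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002  # SecurityMode bit

# SMB2 header (MS-SMB2 2.2.1.2): 64 bytes, little-endian.
_HDR = struct.Struct("<4sHHIHHIIQIIQ16s")
# First 8 bytes of the NEGOTIATE response (MS-SMB2 2.2.4):
# StructureSize, SecurityMode, DialectRevision, Reserved
_NEG = struct.Struct("<HHHH")

DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0"}


def parse_smb2_negotiate_response(payload: bytes):
    """Return (dialect, security_mode) from a NetBIOS-framed SMB2 NEGOTIATE
    response, or None if the bytes are anything else."""
    if len(payload) < 4 + 64 + 8 or payload[0] != 0:
        return None
    # NetBIOS session service header: 0x00 + 3-byte big-endian length
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if len(body) < 64 + 8:
        return None
    (magic, struct_size, _credit_charge, _status, command, _credits,
     flags, _next, _msg_id, _pid, _tid, _sid, _sig) = _HDR.unpack_from(body, 0)
    if magic != SMB2_MAGIC or struct_size != 64 or command != SMB2_NEGOTIATE:
        return None
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None  # a client request, not the server's answer
    neg_size, security_mode, dialect, _reserved = _NEG.unpack_from(body, 64)
    if neg_size != 65:  # fixed value for the NEGOTIATE response
        return None
    return dialect, security_mode


def build_negotiate_response(dialect: int, security_mode: int = 0x0001) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE response (sample data, not a capture)."""
    hdr = _HDR.pack(SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                    SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    neg = _NEG.pack(65, security_mode, dialect, 0) + b"\x00" * 57  # pad to 65 bytes
    body = hdr + neg
    return b"\x00" + len(body).to_bytes(3, "big") + body


def inventory_smb2_hosts(packets):
    """packets: iterable of (src_ip, payload) for server-to-client segments.
    Returns {src_ip: (dialect_name, signing_required)} for SMB2 servers seen."""
    found = {}
    for src, payload in packets:
        parsed = parse_smb2_negotiate_response(payload)
        if parsed is None:
            continue
        dialect, security_mode = parsed
        name = DIALECT_NAMES.get(dialect, "unknown 0x%04x" % dialect)
        found[src] = (name, bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED))
    return found


if __name__ == "__main__":
    # Constructed sample: two SMB2 servers and one non-SMB segment.
    sample = [
        ("10.0.0.5", build_negotiate_response(0x0202)),
        ("10.0.0.9", build_negotiate_response(0x0210, 0x0003)),
        ("10.0.0.7", b"\x00\x00\x00\x04junk"),
    ]
    for host, (dialect, signing) in sorted(inventory_smb2_hosts(sample).items()):
        print(host, dialect, "signing required" if signing else "signing optional")
```

The dialect and signing mode alone do not tell you whether a given patch is installed; they give you the host inventory against which a vulnerability-specific Snort rule (or the indicators from the Microsoft capture) would be applied.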
New Year's is a time of reflection and preparation: reflection on the year ending and preparation for the year beginning. This year I thought I would share my New Year's resolutions as they relate to my job as a security vendor:
- Go easy on the jargon. I will do my best not to say “IDS” and “PCI” and instead say “Intrusion Detection System” and “Payment Card Industry”.
- Be straightforward. Customers don’t have much spare time and I will do a better job of getting to the point. I will tell customers what they need to know and nothing more.
- Give users tools they want. Flashy interfaces may sell initially but what makes products stick is utility. I will focus on making software that makes security analysts more effective in their jobs.
I find myself asking the question "How can a network ever really be secure?" and talking about it with customers and colleagues all the time. The article "How dangerous user behavior puts networks at risk" brings this issue to the forefront. Regardless of how many defenses a company puts in place, whether firewalls, Intrusion Prevention Systems, Security Information Management Systems or the like, one of the biggest vulnerabilities is the users on the network.
Both what you read in the press and today's environment make it necessary for your company to keep a stockpile of "evidence", in addition to alerting and correlation tools, for the times when one of your users or a network device alerts you to potentially damaging user behavior. By evidence I mean retaining all of that network and NetFlow data for future forensic analysis. That data will not spot the employee who loads a thumb drive with company data and takes it home, but it is what lets a company's network security experts address the insider threat posed by simple violations of corporate policy about what employees do online.
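To make the "retain the flow data, then query it after the alert" point concrete, here is an added example that is not part of the original post. It runs two policy checks and one forensic pull over constructed NetFlow-style records in a simplified CSV layout (one flow per line). The policy it enforces is assumed for illustration: internal 10.0.0.0/8 hosts may only reach the Internet on ports 80 and 443, and more than 50 MB sent out by one host in a day is flagged for review.

```python
"""Policy checks and forensic queries over retained flow records (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed internal range
ALLOWED_EGRESS_PORTS = {80, 443}                     # assumed egress policy
UPLOAD_THRESHOLD_BYTES = 50_000_000                  # assumed: 50 MB per host per day

# Constructed sample flow records (not real captures): start, src, dst, dport, proto, bytes
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes
2007-12-20T09:01:00,10.1.2.3,93.184.216.34,443,tcp,18342
2007-12-20T09:03:10,10.1.2.3,198.51.100.7,6667,tcp,2210
2007-12-20T09:15:00,10.1.2.3,203.0.113.9,22,tcp,61000000
2007-12-20T10:00:00,10.1.5.5,10.1.2.3,445,tcp,4096
2007-12-20T10:20:00,10.1.5.5,93.184.216.34,80,tcp,9900
"""


def parse_flows(text):
    """Parse the CSV layout above into a list of typed flow dicts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.fromisoformat(row["start"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
        })
    return flows


def is_egress(flow):
    return flow["src"] in INTERNAL and flow["dst"] not in INTERNAL


def egress_port_violations(flows):
    """Internal-to-external flows on ports outside the allowed egress set."""
    return [f for f in flows if is_egress(f) and f["dport"] not in ALLOWED_EGRESS_PORTS]


def bulk_upload_hosts(flows):
    """Internal hosts whose bytes to external destinations in one day exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_egress(f):
            totals[(f["src"], f["start"].date())] += f["bytes"]
    return {str(src): total for (src, _day), total in totals.items()
            if total > UPLOAD_THRESHOLD_BYTES}


def flows_for_host(flows, host, start, end):
    """Forensic pull: every flow touching `host` with a start time in [start, end].
    This is the query retained flow data answers once a user or device raises an alert."""
    host = ipaddress.ip_address(host)
    return [f for f in flows
            if (f["src"] == host or f["dst"] == host) and start <= f["start"] <= end]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in egress_port_violations(flows):
        print("egress policy violation:", f["start"], f["src"], "->", f["dst"], f["dport"])
    for host, total in bulk_upload_hosts(flows).items():
        print("bulk upload:", host, total, "bytes")
    window = flows_for_host(flows, "10.1.2.3",
                            datetime(2007, 12, 20, 9, 0), datetime(2007, 12, 20, 9, 30))
    print("flows for 10.1.2.3 in window:", len(window))
```

The two checks are deliberately simple; the point is that they, and the after-the-fact window query, are only possible if the flow records were kept in the first place.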
The following article in eWeek Magazine:
Worm Squirms Through Google's Orkut
outlines how a fast-moving worm is working its way through Google's Orkut, the popular social networking service.
“The worm, which first appeared on Dec. 19, has been spreading through Orkut’s Scrapbook system at a rapid pace, infecting more than 650,000 users in the space of a few hours.”
Don't believe me? Just ask TJX or Monster.com or The Department of Homeland Security or Salesforce or TD Ameritrade or... Still don't believe me? Well, check out what Sal Iannuzzi, CEO of Monster.com, had to say (he agrees with me):
“I wish I could say…there will be absolutely no way that the Monster site can be compromised. I cannot ever make that promise, and no Internet company can.” 08/29/07, Reuters
If you still don’t believe me then feel free to move on. If you do, then read on.
Let's reflect back on the past 12 months to perform that so-called "rocking chair test." It certainly was a busy year! In fact, the Threats Watch Blog even went as far as to call 2007 "The Year of the Data Breaches." Additionally, CSO magazine has an excellent summation of the past year in its article "The Top 10 Data Breaches of 2007."
So, what can we learn from this past year? Three things:
- Breaches are inevitable.
- Organizations can no longer rely solely on protection (firewalls, IPS, etc.) and detection (IDS, event correlation, alerting) for security.
- Organizations must have a comprehensive breach recovery plan in place.