Monday, March 5, 2012

Is Antivirus Software Still Necessary?

Robert McMillan of Wired recently published an article on whether antivirus software is still necessary in light of an ever-changing and more sophisticated threat landscape. Here is an excerpt from the article; if you would like to read the whole thing (you should), click here.


"Dan Guido, the CEO of security startup Trail of Bits also doesn’t use AV. Some security pros use it because they’re in regulated industries, or because they work with customers who require it. “If it weren’t for that,” he says, “almost nobody in the security industry would run it.”

It’s a story we heard again and again at RSA this week. The pros are generally smart enough to avoid the things that will get them hacked — visiting malicious websites or opening documents from untrusted sources. But even if they get fooled, the odds of their antivirus software catching it are pretty low. But many of these pros also believe that antivirus isn’t always that useful to the average business either.

“Ten years ago if you were to ask someone the question, ‘Do you need antivirus?’ the overwhelming response would be, ‘Absolutely, my entire security strategy is based on endpoint antivirus,’” says Paul Carugati, a security architect with Motorola Solutions. “Today … I don’t want to downplay the need for it, but it has certainly lost its effectiveness.”

The problem is that most criminals are smart enough to test their attacks against popular antivirus products. There’s even a free website called Virus Total that lets you see whether any of the most popular malware scanning engines will spot your Trojan program or virus. So when new attacks pop up on the internet, it’s common for them to completely evade antivirus detection."

Monday, February 27, 2012

Stratfor Documents Obtained in December 2011 Breach - Released

The fallout from the December 2011 breach of Stratfor was not fully felt until today, when the website WikiLeaks released a statement that they would begin to publish "5 million e-mails from the private intelligence company Stratfor, starting with a company "glossary" that features unflattering descriptions of U.S. government agencies." 


Stratfor will neither confirm nor deny the authenticity of the documents, but they do point out that the documents could easily be edited by those who release them.


WikiLeaks has stated that the documents will be released through a network of more than 25 news outlets and activist groups in the coming weeks. The first document out was titled "The Stratfor Glossary of Useful, Baffling and Strange Intelligence Terms," featuring brief and sometimes humorous definitions and blunt assessments of U.S. intelligence and law enforcement.


To read more about Stratfor and WikiLeaks, click here.
To read the full text of what was released, click here.

New Microsoft Windows Server 8 FCI Integrates Websense DLP Technology


Data breaches and theft can be detrimental to any company and preventing the accidental loss or misuse of sensitive documents is a major IT security concern. In this video demo, we explain how Microsoft has integrated Websense DLP technology into its File Classification Infrastructure to prevent these major data-stealing attacks.

Websense DLP technology is a key feature of the Websense® TRITON™ solution, which offers unified web, email, and data security. The TRITON modules are available separately or together, and can be deployed as enterprise-grade appliances, as cloud-based services (SaaS), or as hybrids of on-premise and SaaS elements working together. Backed by Websense data classification expertise, the integration of Microsoft and Websense technologies allows organizations to accurately monitor, identify, and categorize sensitive information, and to enforce its protection and proper use, as it is being authored.

Wednesday, February 22, 2012

Web Security Company Mykonos Acquired by Juniper Networks

Juniper Networks closed the 80 million dollar deal on February 13th and has added Mykonos, a provider of website and web application security software, to its Security Business Unit.
The idea behind the acquisition is that Juniper can use the technology to detect attacks early. The Mykonos product uses predictive analysis and deception-based software that can catch an attack in progress, profile the attacker, learn the behavior, and then use that behavior to thwart future attacks.
Citing data from a Verizon report, Juniper says web applications are among the largest unprotected attack surfaces and that the frequency of attacks is increasing.
Read more about this acquisition on Network World.

Tuesday, February 21, 2012

Shameless Plug Tuesday!


One of our goals of DLP Digest is to keep the "sales pitch" out of our updates and provide a non-biased view of what is happening in the technology and security worlds. However, from time to time we can't help but promote some of the cool stuff we are doing with our education and training programs. We have just rolled out regional training dates for Websense DLP solutions and chances are we will be in a city near you very soon! So sign up and maximize your organization's investment!


Attevo is proud to announce a Websense Authorized Training program designed to provide organizations with the knowledge and skills needed to confidently manage their Websense technology investment.

Attevo Websense certified instructors provide classroom, on-premise, or customized training for the following technologies:
  • Web Security Gateway Anywhere
  • Email Security Gateway
  • Data Security Suite
  • Triton Enterprise

Attevo offers formal classroom training in Cleveland, Ohio on a regular basis. In addition, we currently have regional courses scheduled in the following cities:

Course Schedules and Course Outlines can be found using the OnCourse button or date links above.
We now return you to your regularly scheduled programming...

Thursday, February 16, 2012

Cool Websense Security Survey Infographic

Content security and data loss prevention company Websense, in conjunction with independent research firm Dynamic Markets, has just released its "Security Pros & ‘Cons’" survey. IT managers and non-IT employees in the U.S., UK, Canada, and Australia were asked about the latest threats to corporate and personal security, including modern malware and advanced persistent threats (APTs).
Websense has condensed the findings of the study into an easy to read infographic. The portion of the infographic below is one of the more interesting data points collected regarding a "false sense of security" that is felt by many IT managers. They know that they need to protect their organization against modern malware and web 2.0 threats, but 52% of IT managers do not protect their organization from confidential data being uploaded to the web.
Fortunately, help is on the horizon as headline-grabbing security incidents have promoted data security talks amongst top management and have driven focus on security, including the need for additional budget. Click here to download the full report 

Wednesday, February 15, 2012

Wall Street Journal: Chinese Hackers Suspected In Long-Term Nortel Breach

In an article in the Wall Street Journal, Siobhan Gorman reports that the more than decade-long breach of the once massive telecommunications company Nortel is suspected to be the work of hackers based in China. The article goes on to detail recent U.S. intelligence reports that Chinese hackers are a threat to world networks and that "both government-affiliated and private-sector [Chinese Hackers]—are the world's most 'active and persistent' perpetrators of industrial spying."


While China has been a hot topic in security news for a while, I think the most egregious offense here is the negligence of Nortel's executives. The article reports that, after the breach was discovered, nothing was done from a security standpoint other than changing the passwords that had been used to gain access to the network.


Publicly traded Nortel did not disclose the breach and did not believe that they had to make investors aware because it was not considered a "material" risk or event. Late last year the SEC released a formal memo stating that cyber attacks can be "material" and that an organization must investigate all cyber attacks to determine if they are in fact "material".


In the meantime, Nortel was also in the process of selling portions of their business as a result of filing for bankruptcy. Even during this process executives did not disclose the breach to potential buyers. According to the article, former CEO of Nortel Mike Zafirovski believes, "People who looked at [the hacking] did not believe it was a real issue. This never came up like, 'We have a real issue and we need to disclose to potential buyers of businesses.' Mr. Zafirovski said he didn't believe the infiltrations could be passed on to acquiring companies. 'That's a real, real stretch'."

The article in the WSJ is a great comprehensive timeline of the Nortel breach and all of the factors at play in this complicated story. While outside hackers are a threat to networks, an even greater threat to world networks is a lack of security education, or in this case negligent organizations. Tell us what you think and be sure to check out the full WSJ article here: Chinese Hackers Suspected in Long-Term Nortel Breach


Friday, February 10, 2012

Foxconn Breached

Hackers have breached embattled technology manufacturer Foxconn. The hacking group, Swagg Security, uploaded a collection of files to the Pirate Bay website that, once downloaded and uncompressed, measured almost 16 megabytes in size and contained around 25 spreadsheets along with a handful of text documents.

As reported by Time.com, "One document titled 'Company_Sensitive_information.txt' contains what the group claims are login credentials that 'could allow individuals to make fraudulent orders under big companies like Microsoft, Apple, IBM, Intel, and Dell.'"

Some may remember Foxconn as the 900,000-employee company that manufactures iPhones, iPads and other consumer technologies by hand and has seen a rash of employee suicides blamed on poor working conditions. Many consumers have begun to speak out against Foxconn's unfair labor practices and what is seen as Apple's apathy towards the issue.

In the same Time.com article, "Some consumers don’t think that’s enough, however. A group of 'concerned Apple customers' has announced that it will be delivering more than 250,000 petition signatures to Apple 'demanding the company respond to recent criticisms of worker abuse in their supplier factories and commit to creating an ethical iPhone 5.'"

It will be interesting to see what happens to Foxconn, and the consumer electronics companies that rely on their services to keep prices low. 

For more information on this topic check out the Time.com/Techland article here: Time.com -- Techland

Tuesday, February 7, 2012

Man in the Browser Attacks Online Banking Customers

Last week you may remember that Symantec notified pcAnywhere customers of the potential for "Man in the Middle" attacks as a result of their leaked source code. This week a malware testing lab out of Britain, S21sec, is warning online banking users of "Man in the Browser" or MitB threats.


The idea behind these two threats, despite the different names, is the same. The user accidentally downloads malware that installs itself in the browser, where it alters what the user sees on the banking site and where the entered data is sent. More sophisticated versions will also change payment details and amounts shown to the user in order to cover up the malicious activity.


Fortunately, many banks use software that understands a user's patterns and when something out of the norm occurs, the bank will alert the account holder of the activity. 


Read more: UPI.com

Friday, February 3, 2012

Anonymous Strikes Again - Texas Police Officer Edition

A hacker affiliated with Anonymous has gained access to the Texas Police Association website and obtained names, addresses and police departments of more than 700 officers across the state. These records were then published along with a link to a news story about a Texas police officer being placed on administrative leave while being investigated for child pornography charges.


This is not the first time the Texas Police Association's website has been hacked, but it is the first time personal data has been revealed. Erwin Ballarta, Executive Director of the Texas Police Association has contacted the FBI.



Wednesday, February 1, 2012

pcAnywhere is Safe Again

Symantec issued a statement updating their pcAnywhere customers with the news that they were able to patch all breach-exposed vulnerabilities that had previously caused the company to advise users to disable the product.
"On Friday, January 27, 2012, Symantec released a patch that eliminates known vulnerabilities affecting customers using pcAnywhere 12.0 and pcAnywhere 12.1."
Symantec is also offering a free-upon-request upgrade to the latest version of pcAnywhere, version 12.5. Users should email pcanywhere@symantec.com to request it.

Thursday, January 26, 2012

Symantec Urges Customers to Disable pcAnywhere

The breach of Symantec source code by an Indian hacking group a few weeks ago was all but brushed off by the security giant. Symantec went on the record saying that the leaked code is, "so old that current out-of-the-box security settings will suffice against any possible threats that might materialise as a result of this incident." 

However, in a posting on their website yesterday and an accompanying technical white paper, Symantec suggests that pcAnywhere customers are at a heightened risk and advises users to "disable the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks." Customers could be at risk for "man in the middle" attacks where an unauthorized person accesses pcAnywhere transactions and intercepts data as it travels from its source to its destination. These attacks are more likely because the blueprints for Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack) and pcAnywhere were accessed in the breach. The information contained in these blueprints makes it easier to identify and exploit software vulnerabilities. 

Symantec reps say that there are 50,000 people using the standalone version of pcAnywhere along with an unknown number of users who received the product bundled within other security packages.

Wednesday, January 25, 2012

Almost 1/3 of Americans Own an E-Reader or a Tablet

According to new research released by the good people at The Pew Internet Project,  "the share of adults in the United States who own tablet computers nearly doubled from 10% to 19% between mid-December and early January and the same surge in growth also applied to e-book readers, which also jumped from 10% to 19% over the same time period." This brings the total number of Americans who own at least one tablet or e-reader to 29%.

[Infographic: gadget ownership over holidays]



This study puts solid numbers on the speculation about tablet and e-reader market growth. It is becoming more and more important for organizations to look into how they are going to integrate tablet and, more broadly, mobile security into their enterprise DLP strategy.

Two of the largest enterprise DLP vendors, Symantec and Websense, are introducing a DLP plug-in for tablets this year. The concept for tablets is pretty basic and largely shared across vendors. It works like an endpoint monitor that inspects and classifies information as it flows from a tablet to a web or cloud application. If the content is deemed appropriate it is allowed to reach its destination; if the content is sensitive the plug-in will notify DLP administrators, block the content, or both.
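To make the endpoint-monitor concept concrete, here is an added toy example (not Symantec's or Websense's code) that classifies outbound content and applies an allow / notify / block policy to it. The detectors, the policy table and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Detectors for the sensitive data classes this toy monitor knows about.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")        # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # US SSN layout
LABEL_RE = re.compile(r"\b(?:confidential|internal only)\b", re.I)

# Constructed policy: actions per class; "block" and "notify" may combine.
POLICY = {
    "PAN": {"block", "notify"},
    "SSN": {"block", "notify"},
    "CLASSIFIED_DOC": {"notify"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers that merely look like PANs are ignored."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive data classes found in outbound content."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("PAN")
    if SSN_RE.search(text):
        found.add("SSN")
    if LABEL_RE.search(text):
        found.add("CLASSIFIED_DOC")
    return found


@dataclass(frozen=True)
class Verdict:
    allowed: bool            # may the content reach its destination?
    notify: bool             # should DLP administrators be alerted?
    classes: frozenset       # which classes triggered the decision
    destination: str


def evaluate(text: str, destination: str) -> Verdict:
    """Apply the policy to one outbound message bound for `destination`."""
    classes = classify(text)
    actions = set()
    for c in classes:
        actions |= POLICY[c]
    return Verdict(allowed="block" not in actions,
                   notify="notify" in actions,
                   classes=frozenset(classes),
                   destination=destination)


if __name__ == "__main__":
    # Constructed sample traffic from a tablet to a cloud file-sharing app.
    for body in ("Invoice total $42, ref 1234567890123456",
                 "card 4111 1111 1111 1111 exp 12/14",
                 "INTERNAL ONLY roadmap attached"):
        v = evaluate(body, "https://share.example")
        print("BLOCK" if not v.allowed else "ALLOW",
              "+NOTIFY" if v.notify else "", sorted(v.classes))
```

The Luhn check is what keeps a 16-digit order reference from being blocked as a card number; a real product layers many more detectors and a richer policy on top of this skeleton.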

Tuesday, January 24, 2012

Unsecured Video Conferencing Systems May be Exposing Your Meetings





"SAN FRANCISCO — One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms: videoconferencing equipment.

With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

In this case, the hacker was HD Moore, a chief security officer at Rapid7, a Boston-based company that looks for security holes in computer systems that are used in devices like toaster ovens and Mars landing equipment. His latest find: videoconferencing equipment is often left vulnerable to hackers."
Read the rest of this article here: Flaws in videoconferencing systems put boardrooms at risk

Friday, January 6, 2012

Symantec confirms source code leak in two enterprise security products


Computerworld has a great article on Symantec's recent source code leak in India. The code was supposedly taken from a government database in India, where it is not uncommon for tech companies to have to submit their source code to prove they are not using their software to spy on the government. I think many organizations will take notice of this breach and begin to push back harder on requirements to submit source code.
Computerworld - Symantec late Thursday confirmed that source code used in two of its older enterprise security products was publicly exposed by hackers this week.

In a statement, the company said that the compromised code is between four and five years old and does not affect Symantec's consumer-oriented Norton products as had been previously speculated.

"Our own network was not breached, but rather that of a third party entity," the company said in the statement. "We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions," the statement said.

Symantec spokesman Cris Paden identified the two affected products as Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2. Both products are targeted at enterprise customers and are more than five years old, Paden said.

"We're taking this extremely seriously, but in terms of a threat, a lot has changed since these codes were developed," Paden said. "We distributed 10 million new signatures in 2010 alone. That gives you an idea of how much these products have morphed since then, when you're talking four and five years."

Symantec is developing a remediation process for enterprise customers who are still using the affected products, Paden noted. Details of the remediation process will be made available in due course, he added.

Compliance and Protection are NOT Synonymous

Much of the focus in the Data Loss Prevention market is on questions such as "How do I pass a PCI audit?" or any other kind of data security/privacy audit for that matter. While failing an audit can be costly in the form of penalties and upgrades, focusing only on passing it can also lead to a myopic view of data security.


Beyond compliance lies much more. Passing an audit with flying colors can still leave an organization's data vulnerable to a variety of evolving attack vectors, such as the much publicized "zero-day attack." In a zero-day attack, a hacker exploits an application vulnerability that is unknown to others, including the software developer. These vulnerabilities are shared with other hackers and used as a way to gain entry to an organization's network.


How should an organization protect itself from zero-day attacks and other attack vectors? One way is to take a data-centric approach to protecting corporate information assets. Voltage Security President and CEO Sathvik Krishnamurthy recently described what a data-centric approach entails:
"From the very first point of entry, the data, structured or unstructured, is encrypted. As it is used across data centers, public and private clouds and mobile devices—in use, in transit, or at rest—it remains encrypted. That’s important because in the event of a breach, the theft of data is minimized."
The idea of encrypting all data across an organization gives many IT managers a headache. Managing the encryption keys with a key database that stores a copy of every key ever issued, and having to reshape existing infrastructure around how that database behaves, is costly, puts undue pressure on IT management, and creates oppressive overhead. These operational barriers have made encryption an impractical and expensive option for large-scale deployments.


Fortunately, there is a solution that makes key management less cumbersome and more practical. Voltage Security has released a Stateless Key Management system that securely and mathematically derives any key, as required by an application, once that application and its users have been properly authenticated and authorized against a centrally managed policy. Voltage Stateless Key Management reduces IT costs and eases the IT administrative burden by:

  • Eliminating the need for a key database, as well as the corresponding hardware, software and IT processes required to protect the database continuously or the need to replicate or back-up keys from site to site.
  • Easily recovering archived data because keys can always be recovered.
  • Automating supervisory or legal e-discovery requirements through simple application APIs, both native and via web services.
  • Maximizing the re-use of access policy infrastructure by integrating easily with identity and access management frameworks and dynamically enforcing data-level access to data fields or partial fields, by policy, as roles change.
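To show what "deriving any key on demand instead of storing it" means in practice, here is an added illustration in the spirit of the approach above; it is not Voltage's product code and does not claim to reproduce their scheme. It derives every data-field key from one master secret with HKDF (RFC 5869, HMAC-SHA256) after a policy check, so no key database exists and an archived field's key can always be re-derived. The master secret, the policy table and the field names are constructed for the example.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block = b"", b""
    blocks_needed = -(-length // HASH_LEN)      # ceiling division
    for counter in range(1, blocks_needed + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


# Constructed policy: which principals may obtain the key for which field.
POLICY = {
    "card_number": {"payments-app", "auditor"},
    "ssn": {"hr-app"},
}


class StatelessKeyServer:
    """Holds only the master secret and the policy; stores no per-key state."""

    def __init__(self, master_secret: bytes):
        # Fixed domain-separation salt; individual keys differ by `info` below.
        self._prk = hkdf_extract(b"stateless-kms-v1", master_secret)

    def derive_key(self, principal: str, field: str, key_version: int = 1) -> bytes:
        """Return the 256-bit key for `field`, but only to an authorized principal.

        The key depends on the field and version, not on who asks, so an
        auditor recovering archived data gets exactly the key the payments
        application used to encrypt it, without anything having been stored."""
        if principal not in POLICY.get(field, set()):
            raise PermissionError(f"{principal} is not authorized for {field}")
        info = f"{field}|v{key_version}".encode()
        return hkdf_expand(self._prk, info, 32)


if __name__ == "__main__":
    # Constructed master secret; in a real deployment it lives in an HSM.
    kms = StatelessKeyServer(b"constructed-master-secret-for-demo")
    k_app = kms.derive_key("payments-app", "card_number")
    # A freshly started server with the same master secret re-derives it.
    k_audit = StatelessKeyServer(b"constructed-master-secret-for-demo").derive_key("auditor", "card_number")
    print("same key recovered:", k_app == k_audit)
    try:
        kms.derive_key("hr-app", "card_number")
    except PermissionError as e:
        print("policy enforced:", e)
```

Key rotation becomes a matter of bumping `key_version` in the policy; old versions stay derivable for e-discovery without ever being backed up or replicated.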


Wednesday, January 4, 2012

Stratfor Breach

New year, new breach investigation. This time hackers claiming to be part of the "hacktivist" group Anonymous have breached Austin-based research company Strategic Forensics. A spokesperson for Anonymous denies this claim and lays the blame on a hacker known as “Sabu,” who is closely associated with the LulzSec group.


Strategic Forensics, commonly known as "Stratfor", lost data for about 4,000 clients including passwords, credit card details, and home addresses. 


The hacker or hackers claim they will use the credit card information to make fraudulent donations to charities. Many experts speculate that they will also try to crack the password hashes and then use the recovered passwords to gain access to other accounts held by Stratfor's considerably high-end clientele. Those clients include employees of many big-name organizations, among them the U.S. Military, the U.S. State Department, Bank of America, JP Morgan Chase, IBM, and Microsoft.


This initial dump of client information is apparently not the final blow to Stratfor from Anonymous. The group is planning to release millions of private company emails as well.


For a great article on this breach: Digital Trends -- Stratfor Breach