Archive for August, 2008

Security Researcher Charges Many Companies Are Complacent Regarding BotNet Infections

Wednesday, August 6th, 2008


In an article from today’s NY Times, John Markoff quotes Rick Wesson, a security researcher at Support Intelligence, a company that tracks BotNet computers, as saying:

“The rate of infection [of Botnets] is still high, but concern among corporations is low… Many corporations seem to think it’s O.K. to be infected several times a month.”

He says this because it was discovered recently that the Russian hacker gang whose BotNet was controlling about 100K computers had been re-infecting large corporations and even a state police agency.  The infections were removed, but the admin passwords were not changed, which made re-infection easy.  Although the details are sketchy, they appear to have used Microsoft’s own software distribution program to infect many of the computers.

The juicy details will be released over the next few days at Black Hat.

There are always lessons learned from these breaches. 

  1. It’s not only important to remove an infection but to find the source of the infection and remove it.
  2. Breaches involving Trojans, backdoors or keyloggers (such as CoreFlood, the one used here) should prompt a complete change of all admin passwords.  Going through this is “bloody” in some cases, but the alternative, as we have seen, is worse.
  3. Forensic data must be kept.  That’s why having system logs activated on all devices and having some form of log consolidator is so important.  Logs give you the evidence you need to locate infections, track the sources of infections and provide the evidence to law enforcement agencies for criminal prosecution.
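As an added illustration of lesson 3 (this is example code written for this page, not the blog’s, Support Intelligence’s or any vendor’s), the script below shows what a log consolidator makes possible: it reads firewall connection logs gathered from several devices and flags internal hosts that keep contacting the same outside address on a fixed schedule, then orders the flagged hosts by when they first did so, which is where the hunt for the original source of an infection starts.  The log lines and their layout (device, timestamp, src, dst, dport) are constructed for the example; real firewalls use their own formats, and the addresses are documentation ranges.

```python
"""Added example: a minimal consolidated-log check for regularly repeating
outbound connections. Not the blog's or any vendor's code. The log format
and the sample lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines as a log consolidator might receive them from
# two firewalls (fw-hq and fw-br1). The layout is an assumption.
SAMPLE_LOGS = """\
2008-08-06T09:00:02 fw-hq  conn src=10.1.2.15 dst=203.0.113.9 dport=8080
2008-08-06T09:05:01 fw-hq  conn src=10.1.2.15 dst=203.0.113.9 dport=8080
2008-08-06T09:10:03 fw-hq  conn src=10.1.2.15 dst=203.0.113.9 dport=8080
2008-08-06T09:15:00 fw-hq  conn src=10.1.2.15 dst=203.0.113.9 dport=8080
2008-08-06T09:02:17 fw-hq  conn src=10.1.2.40 dst=198.51.100.20 dport=443
2008-08-06T09:31:55 fw-hq  conn src=10.1.2.40 dst=198.51.100.7 dport=443
2008-08-06T09:00:11 fw-br1 conn src=10.2.0.8 dst=203.0.113.9 dport=8080
2008-08-06T09:05:09 fw-br1 conn src=10.2.0.8 dst=203.0.113.9 dport=8080
2008-08-06T09:10:12 fw-br1 conn src=10.2.0.8 dst=203.0.113.9 dport=8080
2008-08-06T09:15:10 fw-br1 conn src=10.2.0.8 dst=203.0.113.9 dport=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+conn\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_logs(text):
    """Return a list of (timestamp, device, src, dst, dport) tuples.
    Lines in any other format are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["device"],
                       m["src"], m["dst"], int(m["dport"])))
    return events


def find_beacons(events, min_hits=4, max_jitter=30.0):
    """Flag (src, dst, dport) flows seen at least min_hits times whose
    gaps are nearly constant (standard deviation <= max_jitter seconds).
    Infected machines checking in with a controller look like this."""
    flows = defaultdict(list)
    for ts, _device, src, dst, dport in events:
        flows[(src, dst, dport)].append(ts)
    suspects = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            suspects[key] = {"hits": len(stamps),
                             "interval": round(mean(gaps)),
                             "first_seen": stamps[0]}
    return suspects


def hosts_by_first_contact(suspects):
    """Order flagged internal hosts by when they first reached the suspect
    destination; the earliest is the place to start looking for the source."""
    return sorted((v["first_seen"], src) for (src, _d, _p), v in suspects.items())


if __name__ == "__main__":
    found = find_beacons(parse_logs(SAMPLE_LOGS))
    for (src, dst, dport), info in found.items():
        print(f"{src} -> {dst}:{dport} every ~{info['interval']}s "
              f"({info['hits']} hits, first {info['first_seen']})")
    print("check first:", [h for _, h in hosts_by_first_contact(found)])
```

The thresholds (four hits, 30 seconds of jitter) are starting points to tune against your own traffic; the point of the example is that none of this is possible unless the logs from every device were kept and collected in one place.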

USB Drive Gotcha Again

Tuesday, August 5th, 2008


A financial analyst for Countrywide Home Financial, the troubled mortgage lender, reportedly stole over 20,000 customer profiles per week for about two years.  The data was stolen on USB drives.  Although Countrywide had technology in place to disable flash drives on employee computers, the analyst used a PC where the protection was not installed.

The moral of the story is that if you are going to install security software on every PC except one or two, you might as well not install it at all.  People talk.  Someone will spill the beans, and when one person knows, everyone knows.

One of the things we highly recommend is using USB policy management on ALL PCs.  There are two general ways to approach this problem.  The simplest is to disable all USB drives.  The second, more flexible approach is to force strong encryption on all USB drives, which renders a drive unusable unless it is plugged into a company computer.  Both methods work well, but if and only if they are applied uniformly across all PCs, including laptops.
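To make the “uniformly across all PCs” point concrete, here is an added example (written for this page; not the blog’s, PromiSEC’s or Microsoft’s code) of the simplest approach, disabling USB drives, together with an audit that lists the machines where the setting is missing.  It checks two real Windows registry locations: the USBSTOR driver’s Start value (4 means the driver is disabled) and the Group Policy value Deny_All under RemovableStorageDevices (1 means all removable storage is denied).  Reading the registry only works on Windows; the compliance logic runs anywhere and is exercised here on a constructed inventory with hypothetical hostnames.

```python
"""Added example: audit that the 'disable USB drives' setting is applied on
every PC. Not the blog's or any vendor's code. Registry paths are real;
the inventory and hostnames below are constructed."""
import sys

# SERVICE_DISABLED start type for the USB mass-storage driver
USBSTOR_DISABLED = 4
# "All Removable Storage classes: Deny all access" policy value
REMOVABLE_DENY_ALL = 1

USBSTOR_KEY = r"SYSTEM\CurrentControlSet\Services\USBSTOR"
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"


def read_local_usb_settings():
    """Read the two values on the machine this runs on (Windows only)."""
    if not sys.platform.startswith("win"):
        raise OSError("registry values can only be read on Windows")
    import winreg  # standard library, Windows only
    settings = {"usbstor_start": None, "deny_all": None}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_KEY) as key:
        settings["usbstor_start"], _ = winreg.QueryValueEx(key, "Start")
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            settings["deny_all"], _ = winreg.QueryValueEx(key, "Deny_All")
    except FileNotFoundError:
        pass  # no deny-all policy has ever been applied to this PC
    return settings


def is_compliant(settings):
    """A PC passes if either control blocks USB mass storage."""
    return (settings.get("usbstor_start") == USBSTOR_DISABLED
            or settings.get("deny_all") == REMOVABLE_DENY_ALL)


def audit(inventory):
    """inventory maps hostname -> settings dict collected from that PC.
    Returns the hostnames that are exceptions to the policy."""
    return sorted(host for host, s in inventory.items() if not is_compliant(s))


# Constructed inventory, as a central script would gather it from each PC
# (for example by running read_local_usb_settings on every machine).
SAMPLE_INVENTORY = {
    "HQ-DESK-01": {"usbstor_start": 4, "deny_all": None},
    "HQ-DESK-02": {"usbstor_start": 3, "deny_all": 1},
    "HQ-LAPTOP-07": {"usbstor_start": 3, "deny_all": None},  # the one exception
    "BRANCH-PC-03": {"usbstor_start": 4, "deny_all": 1},
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"NON-COMPLIANT: {host}")
```

A Start value of 3 leaves the driver ready to load the moment a drive is plugged in, so a PC with 3 and no deny-all policy is exactly the unprotected machine the Countrywide story turned on; the audit is only worth running if it covers the laptops too.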

PromiSEC’s Spectator is an excellent solution not only for preventing this type of situation but also for enforcing and monitoring software compliance and anti-virus updates.  It provides the facility to ensure there are no exceptions, without the local installation of agent software.

Twitter used to exploit and steal information

Tuesday, August 5th, 2008


The IT security firm Kaspersky reported today that it has discovered a malicious mini-site on Twitter.  (NOTE: this link does not open the malicious site.)  Twitter is a popular social networking site, similar to MySpace or FaceBook, but its format is short messaging, not detailed blogging.

The site supposedly lures readers into downloading the latest version of Adobe Flash Player but really downloads software that steals information from your computer, such as login IDs and passwords.

Four things are important to note here.

  1. Many people are trusting of these sites since the goal is to create social networks.  Openness is their key to success and the source of their real danger.  FaceBook and MySpace have already been booby-trapped in similar ways.
  2. If you are asked to download anything from a site other than the actual software vendor’s site (in this case Adobe), don’t do it.  If you get a note that your Flash player (or any other software for that matter) needs to be upgraded, don’t take the note as real. Close the dialog box and go directly to the vendor’s site and check the situation there.  If the vendor site says your software is up to date, there is a very high likelihood that the note you saw was a scam to exploit your computer.
  3. Twitter and other social networking sites are not just popular with teens and college students.  Your employees are using them as well.  So realize this is not just a threat to your home computer, but your office ones as well.  Look at your web filtering reports for these sites.  Many web filters will categorize them automatically in your report.
  4. This is a daily reminder of the need to keep your anti-virus and anti-malware programs up to date and why all downloads should be carefully screened. 

Small Business Computer Security – Part 1

Monday, August 4th, 2008


Most computer users today know why they need anti-virus software.  Many realize they need anti-malware software to help fill in the gap where anti-virus does not protect.  Some even know why everyone should have a firewall.  Yet we still receive calls from people who installed each of these and were having trouble.  The issue was not installation but proper configuration. 

In this first installment, we’ll talk about the importance of properly configuring your basic security components. 

Before starting, if you haven’t read my article on The Importance of Proactivity, take a moment and see why these three basics need to be in place before you start networking your computers.

Step 1 – Installing and configuring your anti-virus program. 

While each vendor offers different ways to configure their products, there are generally four main areas that require a configuration decision.

  1. Real-time scanning
  2. On demand or scheduled scanning
  3. Exclusions - what shouldn’t you scan
  4. Updates to the database

Real-time scanning is the function your AV product uses to protect you proactively against threats.  Real-time scanning works by intercepting every read and write and scanning the file against the virus database.  If the file is infected, the AV program alerts and disposes of the file in some way.  When configuring this, remember to set it to scan every file.  People were accustomed to disabling this protection for audio, video and document files to speed things up a bit.  Today these types of files are used to spread malware as well; recall the now infamous Pidief.A virus.  No files are immune.

On-demand or scheduled scanning is when you tell your AV program to scan your entire hard disk.  I can’t tell you how many people disable this, thinking that because their real-time protection is active they don’t need it.  BIG MISTAKE.  You should scan each PC at least once per week, if not more.  The reason is that an unknown virus may infect a PC before the AV program is updated, or the program’s update module may not be working or may have been disabled.

Exclusions are needed for various reasons, mostly to prevent conflicts with files that may be flagged as false positives or that may cause some other conflict with a vendor product.  If a vendor tells you to disable your AV, your first question should be “why?”, and the answer should be a good one.  They should be able to explain why and how not having AV protection on a specific file or folder will not compromise your security.  Don’t just take their word for it; ask the why and how questions.  (Remember, people either disable or are told to disable AV all the time.  I was on the phone with Comcast the other day and the tech told me to disable my customer’s AV protection and then plug the PC directly into the cable modem to diagnose a problem.  I asked why, and they actually told me the script they are told to read said to ask me to do that.)  Watch out for this.

Your AV program is only as good as its updates.  Your program should be set to update at least once per day.  Your program should also have the ability to tell you that it has been updated, either visually or via a date and time stamp.  Most computer infections occur not because people are not using AV but because they have not updated their AV.  Remember to always make sure it’s updated.  If your computers are networked, your AV vendor should have a way of telling you which computers have not been updated.  Pay attention to these reports.

The follow-up question to all of this is always: which AV product should I buy?  We’ve used and tested every one.  Who do we like?  We love Norman and Sophos.  Why?  Because of their superior protection, performance and customer support.  The other guys are lagging way behind in these areas.  As for the free ones, I can’t recommend any, but I have successfully used AVAST in the past and I still hear it’s a good product.

The other thing we like to see our customers large and small do is to create a layered approach and mix their AV vendors.  What I mean by this is using both a network or gateway based product along with a desktop product, each one being a different vendor.  What this does is ensure that endpoints on your network are not your only line of defense.  The more stuff that can be stopped outside your network, the better.

Step 2 – Install and configure a good anti-malware program.  This is easier said than done.  There are so many bogus anti-malware programs out there that actually infect your computer with malware.  I have found the following to be reputable: PCTools Spyware Doctor, Uniblue’s SpyEraser and Lavasoft’s AdAware, and then there is Windows Defender.  I especially like the network-based ones (Cymphonix) that scan everything at the gateway.  They all have their benefits and drawbacks.  Caution: don’t Google “anti-spyware” and install trials or free scans.  You’ll regret it later.  Configure your product to provide whatever proactive protection it can, and then configure it to scan ALL your hard drives at least once per week.

Step 3 – Install and configure a good firewall. 

First off, Windows Firewall is not good enough.  It’s a good 2nd layer of protection, but it in no way eliminates the need for a good firewall.  Secondly, get a good firewall.  Don’t buy $50 specials on the clearance racks.  The cost of preventing one incident in the life of a company pays for the initial cost of a good firewall many times over.  Figure $500 as a good starting point.  Third, when it comes to configuration, let an expert do this for you.  Ask the vendor who is authorized to work on their units.  Fourth, make sure you turn on the firewall’s log.  Tell the person who is installing and configuring it that you want logging turned on.  Don’t settle for NO.  We’ll cover logging in more detail later.  For now, however, know that logging gives you a history of what happened on your firewall over a period of time.  Without it you have no evidence of activity or changes.  Finally, use a service or tool to test your firewall’s settings.  Nmap is a good open-source tool for this purpose.  But again, don’t try to do it yourself; let an expert do it.
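To show what “testing your firewall’s settings” produces and how to read it, here is an added example (written for this page; not the blog’s, Nmap’s or any firewall vendor’s code).  Whoever you authorize to run the test scans your firewall’s public address from outside and saves Nmap’s grepable output (the -oG option); this script reads that file and compares the ports that answered with the short list you intend to expose, so that anything extra shows up as a finding to take back to the person who configured the unit.  The scan output below is a constructed sample using a documentation address; the intended-exposure list is an assumption for the example.

```python
"""Added example: compare an Nmap -oG scan of your own firewall against
the ports you meant to expose. Not the blog's, Nmap's or any vendor's code.
The scan text and the expected-port list are constructed for the example."""
import re

# Constructed grepable output, as written by: nmap -oG scan.gnmap <firewall-ip>
SAMPLE_GNMAP = """\
# Nmap 4.68 scan initiated Wed Aug  6 10:00:00 2008 as: nmap -oG scan.gnmap 203.0.113.5
Host: 203.0.113.5 ()\tStatus: Up
Host: 203.0.113.5 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 3389/open/tcp//ms-term-serv///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
# Nmap done at Wed Aug  6 10:00:05 2008 -- 1 IP address (1 host up) scanned in 5.12 seconds
"""

# Each -oG port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and status-only lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        result.setdefault(host, [])
        for port, state, proto, service in PORT_RE.findall(ports_field):
            result[host].append((int(port), state, proto, service))
    return result


def check_exposure(scan, expected):
    """expected maps host -> set of TCP ports that should answer from the
    Internet. Returns (unexpected_open, expected_but_not_open); the first
    list is what you raise with whoever configured the firewall."""
    unexpected, missing = [], []
    for host, ports in scan.items():
        open_ports = {p for p, state, proto, _ in ports
                      if state == "open" and proto == "tcp"}
        allowed = expected.get(host, set())
        unexpected += [(host, p) for p in sorted(open_ports - allowed)]
        missing += [(host, p) for p in sorted(allowed - open_ports)]
    return unexpected, missing


# Assumed policy for the example: only inbound mail and the HTTPS portal.
EXPECTED_EXPOSURE = {"203.0.113.5": {25, 443}}

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    extra, absent = check_exposure(scan, EXPECTED_EXPOSURE)
    for host, port in extra:
        print(f"UNEXPECTED: {host} answers on tcp/{port}")
    for host, port in absent:
        print(f"EXPECTED BUT NOT OPEN: {host} tcp/{port}")
```

In the sample the firewall answers on 3389 as well as on the two intended ports, which is the kind of change the logging discussed above should also have recorded; filtered ports are ignored because the firewall is dropping them as intended.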

What firewalls do we recommend?  Over the years, we’ve sold several, but the two brands that we like best are Astaro and Cyberoam.  They both provide excellent protection, will grow with your company, and their customer service is excellent.  They also are full Unified Threat Management platforms, meaning they can be used as a firewall but can also perform email and web filtering along with intrusion prevention and act as a VPN for remote access.  Units like these provide greater value over time than typical entry-level devices.  They are especially suited to small business due to their intuitive interface, rich set of standard features and great price.

So there we’ve completed 3 key steps to getting you on your way to a more secure computer network.  In Part 2 of this series we’ll address the next phase of computer security: education and knowledge.

Watch Your Google Gadgets

Monday, August 4th, 2008


Ever use iGoogle? I do and I love it.  It’s as close as you can get to a personalized home page without having to know web code. However, the platform is about to be rocked by a presentation this week at Black Hat, the annual hacker conference.

According to Yahoo News, Cenzic senior security analyst Tom Stracener and security researcher Robert Hansen, better known as “RSnake,” plan to demonstrate a zero-day vulnerability that affects Google Gadgets.  What this means is that they are going to announce that knowledgeable web coders will be able to inject malware into your PC, possibly beyond the reach of traditional antivirus and anti-malware detection.

So if you’re an “iGoogle-Google-Gadget-User” what do you do? 

  1. The first thing is to educate your users about the dangers of installing unknown software.  This is a good practice no matter what.
  2. Watch what comes out of BlackHat 2008.  Follow the mainstream IT Security bloggers as they summarize the presentations.  I’ll post more on this as it gets closer. 
  3. If in your opinion the risk of iGoogle malware outweighs the benefits, use your web filter to block it, or block the installation of Google Gadgets.  You can still get all the benefits of Google.

Every 4 Years the World Gathers…On Your Network

Saturday, August 2nd, 2008


Most of the time when people think of China and computers, two things come to mind: hackers and a heavy-handed government.  However, this year there is a third category: the Olympics.

As has become common with all major sporting events, this year’s Olympic games are being streamed on the Internet (NBCOlympics.com).  This means your employees will be enjoying swimming, track and field and other exciting events on company time.  Not only that, the additional bandwidth will slow down everything on the network.

Not convinced?  Well, we weren’t either until two years ago, when some of our customers’ Internet service came to a grinding halt during “March Madness”.  The same thing happened in 2007.  Last March, we noticed slowness again, but not to the extent we did in March 2006 and 2007.

So what’s the solution?   The solution is simple, use a smart web filter and prioritize your Internet traffic.  The filter will keep your employees off the sites you don’t want them on during the business day.  Prioritization ranks protocols and caps their overall bandwidth, making streaming media a lower priority.

The Cymphonix Network Composer solution is a great way for any business to affordably do this.  We’ve had customers install these units and, as a result, defer the cost of additional bandwidth for over a year, which paid for the cost of the unit in less than 4 months.  We offer them on free 30-day trials to our customers.  Now would be a great time to see how well they work.  Contact us today.

A Simple Way to Enhance Email Security

Friday, August 1st, 2008


One of the most effective ways to enhance email security is to use encryption.  Encryption, in theory, makes the email unreadable by anyone other than the sender and receiver.  The downside is that there are few easy ways to add encryption to email without adding a third-party product like MailMarshal Secure Email Server, CertifiedMail, Borderware or PGP.  These are all great products and do an excellent job of keeping your email secure.  But they cost $$$.

There is an easy way to add a simple level of encryption to your email without going through the expense of installing and configuring a full-featured encryption solution.  It’s called TLS, Transport Layer Security.  TLS is essentially SSL for email.  What it does is create a secure channel through which email can be sent and received between servers and clients.  In most cases, it’s a matter of “turning it on”, since it’s already a feature in most mail servers and email clients.

What does TLS give you?

TLS provides a level of security as your mail is transmitted through the Internet.  It’s like creating a tunnel between you and the mail server as you exchange mail.  It makes it harder to snoop on your mail as it moves across the dozens of connections on the Internet. 

What doesn’t TLS give you? 

TLS does not provide security beyond the connection layer.  That means that if you are sending an email to person A’s email server, beyond that server there is no encryption.  Someone in person A’s company can still snoop on it.
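What “turning it on” looks like from a mail client’s side, and where the protection stops, as an added example written for this page (not the blog’s code and not any vendor’s): a client connects to its outgoing mail server, asks in the EHLO reply whether the server advertises STARTTLS, upgrades the connection with certificate verification, and only then logs in and sends.  Python’s standard smtplib does the upgrade; the server name, port and account are placeholders, and the two EHLO replies are constructed samples used to exercise the check offline.  The secure channel ends at that server, which then stores and relays the message in the clear unless the next hop negotiates TLS as well, which is exactly the gap the paragraph above describes.

```python
"""Added example: send mail over TLS with the standard library, refusing
to continue when the server does not offer STARTTLS. Not the blog's or any
vendor's code. Server, port and account values are placeholders."""
import smtplib
import ssl


def server_offers_starttls(ehlo_reply):
    """Read the text of a 250 EHLO reply (greeting line first, then one
    extension per line) and report whether STARTTLS is advertised."""
    extensions = set()
    for line in ehlo_reply.splitlines()[1:]:
        if line.strip():
            extensions.add(line.strip().split()[0].upper())
    return "STARTTLS" in extensions


# Constructed EHLO replies as a client sees them after sending "EHLO".
EHLO_WITH_TLS = ("mail.example.com Hello client\nSIZE 52428800\n"
                 "STARTTLS\nAUTH PLAIN LOGIN\nHELP")
EHLO_WITHOUT_TLS = ("mail.example.com Hello client\nSIZE 52428800\n"
                    "AUTH PLAIN LOGIN\nHELP")


def send_with_tls(host, port, user, password, sender, recipient, message):
    """Connect in the clear, upgrade with STARTTLS, verify the server's
    certificate, then authenticate and send. Raises instead of falling back
    to plain text so the login never crosses the Internet unencrypted.
    Note the limit: the tunnel covers only this hop; what the server does
    with the message afterwards is outside TLS's reach."""
    context = ssl.create_default_context()  # verifies the certificate chain
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS; not sending")
        smtp.starttls(context=context)
        smtp.ehlo()  # the extension list can change after the upgrade
        smtp.login(user, password)
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    # Offline demonstration of the check on the constructed replies.
    for label, reply in (("with TLS", EHLO_WITH_TLS), ("without TLS", EHLO_WITHOUT_TLS)):
        print(f"{label}: STARTTLS offered = {server_offers_starttls(reply)}")
    # A real send would be, with your own values in place of the placeholders:
    # send_with_tls("mail.example.com", 587, "user", "password",
    #               "you@example.com", "them@example.net",
    #               "Subject: test\r\n\r\nSent over TLS.\r\n")
```

Port 587 with STARTTLS is the usual submission setting in mail clients; the same has_extn check is what a client does when you tick the “use TLS” box, and refusing to send when it fails is the safer choice over silently falling back.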

So, TLS is something everyone should consider.  It’s just a wise option.  If you need more than TLS, for example if you are sending sensitive information or are required by law to have encrypted email, give us a call.  We have several solutions that can be matched to your business needs.

Best Practices Are Good For Your Company and For Your Job!

Friday, August 1st, 2008


Bill Brenner from CSO Magazine recently wrote the following:

In the wake of a data breach, the company’s top brass may go looking for someone to blame. If you are the security chief, chances are it’s going to be you.

It doesn’t matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you’ll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix.

He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company’s security holes.

“One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn’t following best practices and was making reporting discrepancies,” says Moraetes, an independent consultant. “The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons.”

The moral of the story: if you’re in charge of security at your company, whether you have 5 employees or 5000, you should have a documented best practices policy and procedures manual that is audited for compliance.  Your job is at risk, as the precedent has already been established.

Best practices are free.  You just need to follow them.  What are they?  Well, a good place to start is the SANS Institute (www.sans.org).  This group puts out quality material, much of it available to the general public.  They have some good starter guides if you want to get started with best practices.

Also, the NIST Manual from our July 23 posting is another good manual with good measurement metrics.

You can also use security consultants with CISSP or GIAC certifications to help establish and audit them.