Apr 07 2023

Microsoft aims at stopping cybercriminals from using cracked copies of Cobalt Strike

Category: Cyber crime,CybercrimeDISC @ 11:21 am

Microsoft announced it has taken legal action to disrupt the illegal use of copies of the post-exploitation tool Cobalt Strike by cybercriminals.

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. 

Microsoft Digital Crimes Unit (DCU) announced that has collaborated with Fortra, the company that develops and maintains the tool, and Health Information Sharing and Analysis Center (Health-ISAC) to curb the abuse of Cobalt Strike by cybercriminals.

The Microsoft DCU secured a court order in the U.S. to remove cracked versions of Cobalt Strike (“refer to stolen, unlicensed, or otherwise unauthorized versions or copies of the tool”) so they can no longer be used by cybercriminals.

Threat actors, including ransomware groups and nation-state actors, use Cobalt Strike after obtaining initial access to a target network. The tool is used to conduct multiple malicious activities, including escalating privileges, lateral movements, and deploying additional malicious payloads.

“More specifically, cracked versions of Cobalt Strike allow Defendants to gain control of their victim’s machine and move laterally through the connected network to find other victims and install malware. This includes installing ransomware like ContiLockBit, Quantum Locker, Royal, Cuba, BlackBasta, BlackCat and PlayCrypt, to arrest access to the systems. In essence, Defendants are able to leverage cracked versions of Cobalt Strike to brutally force their way into victim machines and deploy malware.” reads the court order. “Additionally, once the Defendants deploy the malware or ransomware onto computers running Microsoft’s Window operating system, Defendants are able to execute a series of actions involving abuse of Microsoft’s copyrighted declaring code.”

Cobalt Strike attack chain

Example of an attack flow by threat actor DEV-0243.

Microsoft observed more than 68 ransomware attacks, involving the use of cracked copies of Cobalt Strike, against healthcare organizations in more than 19 countries around the world.

The attacks caused huge financial damages to the attacked hospitals in recovery and repair costs, plus interruptions to critical patient care services.

Microsoft also observed nation-state actors, including APT groups from Russia, China, Vietnam, and Iran, using cracked copies of Cobalt Strike.

“Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case. While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done.” concludes the report.

In November 2022, Google Cloud researchers announced the discovery of 34 different Cobalt Strike hacked release versions with a total of 275 unique JAR files across these versions.

Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries

InfoSec Threats
 | InfoSec books | InfoSec tools | InfoSec services

Tags: Cobalt Strike, Microsoft

Aug 12 2022

Microsoft: We Don’t Want to Zero-Day Our Customers

Category: Zero dayDISC @ 8:30 am

The head of Microsoft’s Security Response Center defends keeping its initial vulnerability disclosures sparse — it is, she says, to protect customers.

Laptop screen showing Windows Update window
Source: CC Photo Labs via Shutterstock

Jai Vijayan

BLACK HAT USA — Las Vegas — A top Microsoft security executive today defended the company’s vulnerability disclosure policies as providing enough information for security teams to make informed patching decisions without putting them at risk of attack from threat actors looking to quickly reverse-engineer patches for exploitation.

In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft’s Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information.

For most vulnerabilities, Microsoft’s current approach is to give a 30-day window from patch disclosure before it fills in the CVE with more details about the vulnerability and its exploitability, Gupta says. The goal is to give security administrations enough time to apply the patch without jeopardizing them, she says. “If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers,” Gupta says.

Sparse Vulnerability Information?

Microsoft — as other major software vendors — has faced criticism from security researchers for the relatively sparse information the company releases with its vulnerability disclosures. Since Nov. 2020, Microsoft has been using the Common Vulnerability Scoring System (CVSS) framework to describe vulnerabilities in its security update guide. The descriptions cover attributes such as attack vector, attack complexity, and the kind of privileges an attacker might have. The updates also provide a score to convey severity ranking.

However, some have described the updates as cryptic and lacking critical information on the components being exploited or how they might be exploited. They have noted that Microsoft’s current practice of putting vulnerabilities into an “Exploitation More Likely” or an “Exploitation Less Likely” bucket does not provide enough information to make risk-based prioritization decisions.

More recently, Microsoft has also faced some criticism for its alleged lack of transparency regarding cloud security vulnerabilities. In June, Tenable’s CEO Amit Yoran accused the company of “silently” patching a couple of Azure vulnerabilities that Tenable’s researchers had discovered and reported.

“Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service,” Yoran wrote. “After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk,” and without notifying customers.

Yoran pointed to other vendors — such as Orca Security and Wiz — that had encountered similar issues after they disclosed vulnerabilities in Azure to Microsoft.

Consistent with MITRE’s CVE Policies

Gupta says Microsoft’s decision about whether to issue a CVE for a vulnerability is consistent with the policies of MITRE’s CVE program.

“As per their policy, if there is no customer action needed, we are not required to issue a CVE,” she says. “The goal is to keep the noise level down for organizations and not burden them with information they can do little with.”

“You need not know the 50 things Microsoft is doing to keep things secure on a day-to-day basis,” she notes.

Gupta points to last year’s disclosure by Wiz of four critical vulnerabilities in the Open Management Infrastructure (OMI) component in Azure as an example of how Microsoft handles situations where a cloud vulnerability might affect customers. In that situation, Microsoft’s strategy was to directly contact organizations that are impacted.

“What we do is send one-to-one notifications to customers because we don’t want this info to get lost,” she says “We issue a CVE, but we also send a notice to customers because if it is in an environment that you are responsible for patching, we recommend you patch it quickly.”

Sometimes an organization might wonder why they were not notified of an issue — that’s likely because they are not impacted, Gupta says.

Source: We Don’t Want to Zero-Day Our Customers

Tags: Microsoft

Jul 21 2022

Microsoft adds default protection against RDP brute-force attacks

Category: Security Operations CenterDISC @ 9:37 am

“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” David Weston of Enterprise and OS Security at Microsoft, announced, just as the company confirmed that it will resume the rollout of the default blocking of VBA macros obtained from the internet.

Brute-forced RDP access and malicious macros have for a long time been two of the most popular tactics used by threat actors to gain unauthorized access to Windows systems.

Minimizing the RDP attack vector

The Windows Account Lockout Policy allows enterprise network admins to set a lockout threshold – a specific number of failed logon attempts – after which a user account will be locked.

Brute-forcing is a method used by attackers to take over accounts. Usually automated with the help of a software tool, the attack involved submitting many passwords in a row until the right one is “guessed”.

From Windows 11 build 22528.1000 and onwards, the account lockout threshold is, according to Bleeping Computer, set to 10 failed login attempts in 10 minutes, which should make this type of attack harder to pull off.

The revelation has set off calls for the control to be backported to older Windows and Windows Server version – a move that’s apparently in the works.


Minimizing the effect of Brute Force Attack 

Tags: Microsoft, RDP brute-force attacks

May 31 2022

Microsoft shared workarounds for the Microsoft Office zero-day dubbed Follina

Category: Zero dayDISC @ 8:21 am

Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina, in the Microsoft Office productivity suite.

Microsoft has released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as 

 (CVSS score 7.8), in the Microsoft Office productivity suite.

“On Monday May 30, 2022, Microsoft issued 

 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.” reads the advisory published by Microsoft. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

This week, the cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML and then uses the “ms-msdt” scheme to execute PowerShell code.

The popular cybersecurity expert Kevin Beaumont, who named the bug Follina, published an analysis of the flaw.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.

Microsoft has now published a “Guidance for 

 Microsoft Support Diagnostic Tool Vulnerability.”

Microsoft recommends disabling the MSDT URL Protocol as workarounds, below are the instructions included in the guidance:

To disable the MSDT URL Protocol

Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg import filename” 

Microsoft credited crazyman with Shadow Chaser Group, the tech giant labeled the flaw as “fixed” on April 21, 2022, and dismissed the vulnerability as “not a security issue” because the diagnostic tool requires a passkey for its execution.

Microsoft Office CVE-2022-30190 zero-day

Beginning Security with Microsoft Technologies: Protecting Office 365, Devices, and Data

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: Microsoft, Microsoft Office zero-day

Mar 03 2021

Bug bounty hunter awarded $50,000 for a Microsoft account hijack flaw

Category: Windows SecurityDISC @ 3:00 pm

Microsoft has awarded the security researcher Laxman Muthiyah $50,000 for reporting a vulnerability that could have allowed anyone to hijack users’ accounts without consent.

According to the expert, the vulnerability only impacts consumer accounts.

The vulnerability is related to the possibility to launch a bruteforce attack to guess the seven-digit security code that is sent via email or SMS as a method of verification in password reset procedure.

“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that we will be asked to select the email or mobile number that can be used to receive security code.” the expert wrote. “Once we receive the 7 digit security code, we will have to enter it to reset the password. Here, if we can bruteforce all the combination of 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.”

The researcher pointed out that rate limits are implemented to limit the number of attempts and protect the accounts.

The analysis of the HTTP POST request sent to validate the code revealed that the code is encrypted before being sent, this means that in order to automate bruteforce attacks it was necessary to break the encryption.

Tags: Bug Bounty, Microsoft

May 06 2011

NSA publish list of recommendations for Keeping Networks Secure

Category: cyber securityDISC @ 10:27 am

National Security Agency seal

Image via Wikipedia

‘Best Practices for Keeping Your Home Network Secure’ is a new guide published by the National Security Agency. This document provides home users directions for keeping their systems secure and protected.

Users are faceing lots of security issues now a days, and trying to apply all the required security measures is complicated due to the fast pace of changes in technology and new vulnerabilities that may leave them open to new attack. Thess controls are industry best practice and mitigate most risks to safeguard your information assets.

The document is divided in 4 parts:
■ Host-Based Recommendations:
■ Network Recommendations:
■ Operational Security (OPSEC)/Internet Behavior Recommendations:
■ Enhanced Protection Recommendations:

To be safe on the internet, use these recommendaions as a best practice to reasonably safeguard your information assets. These best practice information controls may also help you to invest wisely and justify cost on security.

NSA titles for IAM and IEM implementation and certification

Tags: Best practice, Industry Standard Architecture, IPad, Microsoft, National Security Agency, Operating system, Security, United States

Sep 09 2010

DHS Cyber security Watchdogs Miss Hundreds of Vulnerabilities on Their Own Network

Category: cyber securityDISC @ 8:36 am
Seal of the United States Department of Homela...
Image via Wikipedia

By Kevin Poulsen @wired.com

The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.

The United States Computer Emergency Readiness Team, or US-CERT, monitors the Einstein intrusion-detection sensors on nonmilitary government networks, and helps other civil agencies respond to hack attacks. It also issues alerts on the latest software security holes, so that everyone from the White House to the FAA can react quickly to install workarounds and patches.

But in a case of “physician, heal thyself,” the agency — which forms the operational arm of DHS’s National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes (.pdf).

“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on … computer systems located in Virginia,” reads the report from assistant inspector general Frank Deffer.

Einstein, the government’s intrusion-detection system, passed the security scan with flying colors, as did US-CERT’s private portal and public website. But the systems on which US-CERT analysts send e-mail and access data collected from Einstein were filled with the kinds of holes one might find in a large corporate network: unpatched installs of Adobe Acrobat, Sun’s Java and some Microsoft applications.

In addition to the 202 high-risk holes, another 106 medium- and 363 low-risk vulnerabilities were found at US-CERT.

“To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system-security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures,” the report concludes.

In an appendix to the report, which is dated Aug. 18, the division wrote that it has patched its systems since the audit was conducted.

DHS spokeswoman Amy Kudwa said in a statement Wednesday that DHS has implemented “a software management tool that will automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities.”

Tags: Adobe Acrobat, Computer security, Intrusion detection system, Microsoft, National Cyber Security Division, Security, United States, United States Computer Emergency Readiness Team

Mar 16 2010

Microsoft Power Point 2010 Hacks and Tips

Category: App SecurityDISC @ 1:13 pm

Image representing Microsoft as depicted in Cr...
Image via CrunchBase

San Francisco (GaeaTimes.com) – Microsoft Office 2010 is the latest version of Microsoft Office productivity suite. The new features of Office 2010 are its extended file compatibility and a refined user interface. Microsoft PowerPoint is one of the most important parts of the Office suite and has many advanced features. But Microsoft Office software has been a potential attractor for many hackers and malware publishers. Some weak code or loophole in the programming is their target so that they can get their malicious code injected into the end user computers. It has been a favorite playground for the hackers since Microsoft’s Office’s birth. But the new Microsoft 2010 comes with three new security layers that are very efficient to get rid of hacks and malwares. The three new layers are named as Protected View Mode, Binary File Validation system and Enhanced file blocking system. But we have some hacks that work on this new version.

Opening Password Protected Files through Hacking

Microsoft Office has a feature to password protect the files. But the password protected files can be opened bypassing the password. All you need to have is some hacking. If you don’t know how to hack them, don’t panic. If you don’t know anything about hacking, you can still open the file. There are many softwares available for this purpose. Office Password Remover is a good example of that. Using this software you can hack password protected files and the software will return the files without the password. The software does not take too much time either. It can remove the password within minutes.

Tags: Microsoft, Microsoft Office, Microsoft Office 2010, Microsoft Office hacks, Microsoft PowerPoint, Office 2010, office 2010 security, San Francisco

Feb 01 2010

Google attack highlights ‘zero-day’ black market

Category: Information SecurityDISC @ 2:40 pm

Beck at Yahoo! Hack Day
Image by Laughing Squid via Flickr

By Jordan Robertson, AP

The recent hacking attack that prompted Google’s threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws — and renewing debate over buying and selling information about them in the black market.

Because no fix was available, the linchpin in the attack was one of the worst kinds of security holes. Criminals treasure these types of “zero day” security vulnerabilities because they are the closest to a sure thing and virtually guarantee the success of a shrewdly crafted attack.

The attackers waltzed into victims’ computers, like burglars with a key to the back door, by exploiting such a zero-day vulnerability in Microsoft Corp.’s Internet Explorer browser. Microsoft rushed out a fix after learning of the attack.

How did the perpetrators learn about the flaw? Likely, they merely had to tap a thriving underground market, where a hole “wide enough to drive a truck through” can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find.

“Zero days are the safest for attackers to use, but they’re also the hardest to find,” Silva said. “If it’s not a zero day, it’s not valuable at all.”

The Internet Explorer flaw used in the attack on Google Inc. required tricking people into visiting a malicious Web site that installed harmful software on victims’ computers.

The attack, along with a discovery that computer hackers had tricked human-rights activists into exposing their Google e-mail accounts to outsiders, infuriated Google and provoked a larger fight over China’s censorship of the Internet content. Google has threatened to shut down its censored, Chinese-language search engine and possibly close its offices in China.

Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users’ part.

Zero days refer to security vulnerabilities caused by programming errors that haven’t been “patched,” or fixed, by the products’ developers. Often those companies don’t know the weaknesses exist and have had zero days to work on closing the holes.

In this case, Microsoft actually knew about the flaw since September but hadn’t planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven’t seen it used in attacks.

Microsoft often fixes multiple vulnerabilities at once because testing patches individually is time-consuming and costly, said Chris Wysopal, co-founder of security company Veracode Inc.

But criminals know how the patch cycle works, and Wysopal said the Google attackers may have realized their zero-day flaw was getting old — and thus struck in December just before they thought Microsoft was going to fix it.

“They likely thought the bug would be fixed in January or February,” he said. “They were right.”

Microsoft certainly could have fixed the bug earlier and prevented it from being used on Google, but security experts caution that an adversary that is well-funded or determined could have easily found another bug to use.

“Zero days aren’t difficult to find,” said Steve Santorelli, a former Microsoft security research who now works with Team Cymru, a nonprofit research group. “You don’t have to have a Ph.D. in computer science to find a zero-day exploit. It really is a factor of the amount of energy and effort you’re willing to put in.”

In fact, such exploits are widely available for the right price. VeriSign’s iDefense Labs and 3Com Corp.’s TippingPoint division run programs that buy zero-day vulnerabilities from researchers in the so-called “white market.” They alert the affected companies without publicly disclosing the flaw and use the information to get a jump on rivals on building protections into their security products.

There’s also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.

TippingPoint’s Amini said he has heard of governments offering as high as $1 million for a single vulnerability — a price tag that private industry currently doesn’t match.

Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.

One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system.

Whether to pay — and seek payment — is hotly debated among researchers.

“I basically had to make a choice between doing something that would protect everybody and remodeling my kitchen — as terrible as that is, I made that choice, and it’s hard,” Miller said. “It’s a lot of money for someone to turn down.”

Companies whose products are vulnerable generally won’t pay outside researchers for bugs they’ve found. Microsoft said offering payment “does not foster a community-based approach to protecting customers from cybercrime.” The company declined further comment on its practices and the timing of the fix for the flaw used in the Google attack.

On Thursday, Google announced that it will start paying at least $500 to researchers who find certain types of bugs in its Chrome browser, calling the program an “experimental new incentive.” That mirrors a reward that Mozilla has been offering for critical bugs found in its Firefox browser.

Computer vulnerabilities are so dangerous that one day private companies such as Microsoft might be pressured into buying from the black market to prove they’re doing all they can to keep customers secure — especially the most critical ones such as the military and power companies.

“I think it’s only a matter of time,” said Jeremiah Grossman, founder of WhiteHat Security Inc. “Something really bad has to happen first, and it hasn’t yet. When a virus runs through a children’s hospital and causes loss of life, it’s going to matter a lot.”

Tags: china, Chris Wysopal, Google, Internet Explorer, Microsoft, VeriSign, vulnerability, Zero day attack

Mar 26 2009

Conficker C worm and April fool

Category: MalwareDISC @ 3:24 pm

My creation! (APRIL FOOL)
Image by david ian roberts via Flickr

Worm like conficker is a digital time bomb which is hard coded to trigger on April 1 (April fool’s day). Antivirus companies are doing their best to minimize the impact of conficker worm. Conficker first variant was introduced few months back and have already caused significant amount of damage to businesses. Conficker is using MD6 hash algorithm, first known case where this new algorithm has been used. Across the globe, there are about 15 million computer infected with conficker worm.

“In computer, a worm is a self replicating virus that does not alter files but resides in active memory and duplicates itself”

This happens to be third variant of conficker in the wild which is named “conficker c” which pose a significant threat to businesses and security expert are still trying to figure out the potential impact of this worm. In new variant, the worm has tendency to morph into something else which makes it harder for antivirus software to detect it. What is known about this worm so far is that at a predefined time on April 1st the infected machine will execute the worm which will be later be exploited by the worm originator. The originator or controller of the worm will control the infected machines and it’s anybody’s guess right now what commands will be given to these zombies. It can be to steal private and personal information, spam, DDoS, or simply wipe the infected machine hard drive. Also bad guys don’t have to give the commands to zombie machines on April 1st, it can be any time after April 1st.

Possible countermeasures:
• Keep up-to-date patches (Microsoft Ms08-067 security update)
• Keep antivirus signature files up-to-date (latest DAT)
• Disable Auto run
• Try different antivirus software to verify and take advantage of McAfee free online scan services
Free Sophos Conficker clean-up tool
• Make sure your machine is not infected with “conficker c” then you don’t have to worry about April 1st

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of the conficker worm’s makers.



Reblog this post [with Zemanta]

Tags: Antivirus software, April Fools Day, conficker, Malicious Software, McAfee, Microsoft, Security, Viruses

Feb 13 2009

Global economic insecurity and rise of insider threats

Category: Insider ThreatDISC @ 6:04 pm


According to BBC news article by Maggie Shiels (Feb 11, 2009) the world’s biggest software maker has warned companies to expect an increase in “insider” security attacks by disgruntled, laid-off workers. Microsoft said so-called “malicious insider” breaches were on the rise and would worsen in the present downturn.

Below are the high points:
• With 1.5 million predicted job losses in the US alone, there’s an increased risk and exposure to these attacks

• Insider threat is one of the most significant threats companies face. Said Microsoft Doug Leland

• The malicious insider is classed as the greatest security concern because they have access, and relatively easy access to corporate assets

• During economic insecurity people are motivated by revenge, fear or greed

• 88% of data breaches were caused by simple negligence on the part of staff

• Employees steal information to sell to a third party, to get back at a company for being laid off or demoted or to try and get a job at another company

• Even though Insiders attacks are lower in numbers but they could be more devastating because the employee knew where “the crown jewels” were kept – unlike a hacker who had to go on something of a “fishing expedition” to find a company’s valuable assets

• The outstanding, unsolved, unaddressed risk management problem that has existed for years is that everyone is focusing on the hacker

• Data loss prevention systems specialize in the detection of precisely these events

Here is the article: Malicious insider attacks to rise

To find the correct balance between data security and data availability, organizations are urged to buy a copy Data Breaches: Trends, costs and best practices.

Even in good time management focused on driving shareholder value by increasing revenue and profits. I think during this economic downturn information security will be the last thing on their mind which will not only compound the problem but gives an edge to a attacker and simply a bad business decisions considering the circumstances. It’s about time to start paying attention to regulatory compliance for sake of securing organization assets. Good place to start is to have some sort of baseline based on information security framework and come up with a strategy to improve that baseline. ISO assessment can be utilized to baseline the organization security posture and is a great first step towards ISO 27002 compliance or for that matter any compliance audit.

What do you think board rooms are appropriately prepared to tackle or perhaps slow down the wave of data breaches coming our way?

• Related article
Unstable Economy and Insider Threats
Economic Crisis Tops Security Threats to U.S

Detecting Insider Threats

Reblog this post [with Zemanta]

Tags: BBC, Consultants, Data loss prevention products, Information Security, International Organization for Standardization, iso 27002, Microsoft, Risk management, Security

Dec 29 2008

Network Access Control and Security

Category: Access ControlDISC @ 4:24 am

Wireless Internet Access Global Map

The purpose of network access control is to protect and safeguard assets attached to network from threats of unauthorized users gaining access to organization’s assets.

Network Access Control (NAC) authenticate users to make sure they are authorized to login and following the policies and procedures for login before authorized to use organization assets. Some of the threats to assets are insider fraud, identity theft and botnet infestation, where botnet can be utilized as a launching pad for attacks to other organizations.

Various laws and regulations have been introduced for various industries to protect organization data. Organization can be held liable, if they don’t practice due diligence or have adequate protection for their assets. Before putting the policy in place to protect these assets it might help to know specific threats to environment. Today’s threats come from well organized criminals who take advantage of unprotected assets. These days most of the cyber crimes are international crimes. Even though most of the countries have cyber crimes laws today but the legal system varies from country to country which slows cooperation between countries. Today’s technology is changing fast but the legal system is not changing fast enough to tackle new cyber crimes. We don’t have comprehensive international laws yet which cover cyber crimes to prosecute these criminals; most of cyber crimes are conducted from a country whose law enforcement agency either don’t have time and training to pursue these crimes vigorously or don’t have a jurisdiction in the country where the crime is committed. Sometime law enforcement agencies get help from Interpol to prosecute these individuals, but most of the time law enforcement agencies in various countries are helpless because these criminals are not in their jurisdiction. In some cases these criminals are utilizing state of the art tools to cover their tracks.

Some Considerations to tackle NAC: adapt ISO 27002 domain 11 sub category 11.4 (NAC) controls as a policy suitable to your organization.

1. Create a network access control policy: policy on use of network services
2. User authentication for internal and external connections
3. Enforce access control policy
3a. Up-to-date signature file (anti-virus, anti-worm, anti-trojan, anti-adware)
3b. Up-to date patches
3c. Equipment identification in network
3d. Backup access control logs remotely and review regularly
3e. Multihome firewall installed which segregate networks
3f. Harden system configuration
3g. Network connection control
3h. Network routing control
4. Assess the posture of your network regularly to redefine policies
5. Gartner MarketScope for Network Access Control, 2008
6. The Forrester Wave™: Network Access Control, Q3 2008

“In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.”

Nortel Secure Network Access and Microsoft NAP integration

Reblog this post [with Zemanta]

Tags: Cisco Systems, Forrester, Gartner, iso 27002, Juniper Networks, jurisdiction, Law, Law enforcement agency, Microsoft, Microsoft Windows, NAC Policy, Network Access Control, Police, Security