This page contains all entries posted to AuthenticationWorld Blog in January 2007. They are listed from oldest to newest.

January 2007 Archives

January 5, 2007

Think on it before you click on it

Brian Krebs of the Washington Post has three interesting blog entries today. The first, "Microsoft's Achilles' Heel: Office", covers a recent attack over the holidays that infected a utility company. The malware was not detected by the anti-virus software the company was using.

Utility company users clicked on an emailed PowerPoint attachment to view a holiday PowerPoint file. It contained malware that infected the utility's network, providing attackers with a backdoor into the network and with user IDs and passwords. When the utility realized it had been attacked and brought in a company to investigate, the investigators found two Word files that also contained malware.

The second post, "Take Me to Your (Adobe) Reader", covers the recent security holes found in Adobe's Acrobat Reader involving JavaScript. A user may end up infecting their computer with malware, or be redirected to a phishing website and prompted to reveal sensitive identity and credit information.

My point: there are many attack paths into enterprises that existing intrusion detection and anti-virus software will not pick up. Many of them arrive inside application documents, such as MS Office files and documents for other applications like Adobe Acrobat.

This coming Tuesday Microsoft will finally release patches for the three existing highly critical Word document holes; it has taken them three to four weeks to assemble those patches. As Brian Krebs says in his earlier post "Internet Explorer Unsafe for 284 Days in 2006", for most of 2006 there were always highly critical security holes open in Microsoft products like IE and MS Office.

My point: don't think you are secure while waiting for either Microsoft or your security vendors to catch up with the criminals. Assume that you will be successfully attacked and begin preparing a layered security defense.

Bottom line: educate your users to "think on it before they click on it". All of these types of attacks can be minimized if users don't click on email links and document attachments they are not expecting. An ounce of prevention in educating your users can save a pound of enterprise flesh by preventing expensive enterprise security breaches.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

January 25, 2007

Four excellent reasons to use a layered identity defence

Here are four excellent reasons to adopt a layered identity security strategy:
1. Microsoft Word
2. Microsoft Word
3. Microsoft Word
4. Microsoft Word

...does anybody see a pattern developing here?

According to an advisory from Symantec released today, they have just discovered another zero-day vulnerability in Word. IT GOES ALONG WITH THE THREE OTHER ZERO-DAY VULNERABILITIES REPORTED IN DECEMBER THAT STILL REMAIN UNPATCHED!!!!!!!!!

So there you are, the perfect enterprise, with plenty of intrusion prevention and detection systems, anti-virus and so on. All of it may be bypassed by a worker clicking on a Word document in an email attachment, which then releases malware behind the enterprise firewall.

As many of my previous posts state, you definitely need a multi-layered identity defense in order to mitigate the risk to your enterprise. In addition to the firewall defenses, you need multi-factor authentication, stronger authentication as risk rises, transaction authentication protecting your crown jewels, and monitoring at the firewall for data leaving the enterprise.

Without this, you are the naked king insisting you have clothes on. Just ask Microsoft.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Three more reasons for a layered identity defense

Here are three more excellent reasons to have a layered identity defense:
1. Cisco router TCP packet problem
2. Cisco router IPv6 router header vulnerability problem
3. Cisco router IPv4 packet problems

A story released today in Computerworld documents the three critical vulnerabilities.

While patches have been issued, the threat of attack comes from many directions. Worse, criminals may know of weaknesses and use them against your enterprise before they are publicly reported. If so, what defenses do you have to mitigate the risk?

Having a strong layered identity defense strategy is essential in protecting your enterprise.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Authenticating Printers - Hacking printers as a stepping off point into the enterprise

The use of printers as an entry point or stepping-off point for hackers into the enterprise has been documented for some time. However, enterprises need to be more aware of the security threat posed by printers.

Brendan O'Connor, at the Black Hat conference last summer, demonstrated how to hack into an enterprise through a Xerox WorkCenter.

In a recent Computerworld article, Deb Radcliff outlines O'Connor's hacks and then expands on the theme of hacking printers. As she points out, O'Connor used printers to do "password-catching, password-snarfing (changing passwords), hijacking functions, grabbing print jobs and playing with a billing program." She additionally points out: "Symantec logged 12 new security vulnerabilities for five network printer brands: Brother, Canon, Epson, Fujitsu, Hewlett-Packard, Lexmark and Xerox. Twelve may seem like an insignificant number, but keep in mind that it’s greater than the number of printer-specific vulnerabilities found in 2005 (10). And the number of such vulnerabilities found in the past two years account for nearly half of all printer vulnerabilities identified since 1997 (52). This means we’re in the preattack stage with printers, says Chris Wysopal, former director of research and development at @Stake Inc., a security vulnerability assessment firm that was acquired by Symantec."

Adrian Crenshaw wrote an excellent article in early 2006 "Hacking Network Printers" in which he gives step by step examples of how to hack printers.

Bottom line: Printers are rising up the list of attack vectors chosen by criminals.

All of this boils down to the following:
1. Make sure that general-use printers have their default authentication passwords changed.
2. Make sure that high-sensitivity printers use stronger authentication.
3. Ensure that all non-required services are shut off on printers.
4. Keep up to date with patches from printer vendors.
5. Configure your internal detection systems to watch printers for unusual behavior.
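As an added illustration of item 5 (not from the original post or from any vendor), here is a small Python detector run over constructed connection-log lines: it ignores traffic going to printers and flags only what a printer itself initiates, namely connections leaving the enterprise and sweeps of many internal hosts on one port. The printer inventory, the allowed outbound ports and the log lines are all assumptions.

```python
# Watch printers for behaviour a printer should never show (added example; the inventory,
# port allow-list and log lines below are constructed, not from any real deployment).
import ipaddress
from collections import defaultdict

PRINTERS = {"10.0.5.10": "HQ-Lobby-Printer", "10.0.5.11": "Finance-Printer"}  # IP -> asset name
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Services a printer may legitimately *initiate* connections to (assumed; tune per fleet, e.g.
# add the scan-to-folder file server).  Anything else a printer starts is worth a look.
ALLOWED_OUTBOUND_PORTS = {53, 123, 25, 389}
SWEEP_THRESHOLD = 3  # distinct internal hosts on one port before we call it a sweep

# Constructed connection log: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2007-01-25T09:01:10 10.0.1.23 51234 10.0.5.10 9100 tcp
2007-01-25T09:02:44 10.0.1.40 51240 10.0.5.11 631 tcp
2007-01-25T09:03:00 10.0.5.11 40099 10.0.1.2 53 udp
2007-01-25T09:05:02 10.0.5.10 40001 10.0.2.5 445 tcp
2007-01-25T09:05:05 10.0.5.10 40002 10.0.2.6 445 tcp
2007-01-25T09:06:00 10.0.5.11 40100 203.0.113.7 443 tcp
2007-01-25T09:07:30 10.0.5.10 40003 10.0.2.7 445 tcp
"""

def parse_line(line):
    """Split one space-separated connection record into a dict."""
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def printer_alerts(log_text, printers=PRINTERS):
    """Return sorted (alert_type, printer_name, detail) tuples for printer-initiated traffic."""
    alerts = []
    sweeps = defaultdict(set)  # (printer, dport) -> internal hosts it contacted on that port
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["src"] not in printers:
            continue  # clients talking *to* a printer is normal; only watch what printers start
        name = printers[rec["src"]]
        if ipaddress.ip_address(rec["dst"]) not in INTERNAL_NET:
            # A printer reaching out to the internet is a classic sign of a backdoor or beacon.
            alerts.append(("printer_external_egress", name, f"{rec['dst']}:{rec['dport']}"))
        elif rec["dport"] not in ALLOWED_OUTBOUND_PORTS:
            sweeps[(name, rec["dport"])].add(rec["dst"])
    for (name, dport), hosts in sweeps.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            alerts.append(("printer_internal_sweep", name, f"{len(hosts)} hosts on port {dport}"))
    return sorted(alerts)
```

Calling `printer_alerts(SAMPLE_LOG)` on the constructed log yields one external-egress alert for the finance printer and one internal-sweep alert for the lobby printer; the DNS lookup and the two client print jobs produce nothing.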

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

January 30, 2007

Bad news brewing up a wicked storm

On January 3, Malware-Test.com released its latest spyware and virus detection tests. The results are still pretty dismal. While a couple of vendors did well in the latest tests (BitDefender 94.85%, ESET 89.12% and Kaspersky 88.86%), most vendors scored below 50%. This trend has held for most of the last year and is great cause for concern.

Spyware used to be a somewhat separate product category from virus detection software. However, over the last year, more and more spyware has become malware, with Trojan horses and other malware attacks carried within the spyware. Thus, in today's world, it is getting very hard to distinguish anti-virus software from anti-spyware software.

The tests also highlight the need not only to detect malware but also to clean it up. If the malware includes rootkit components, tests from last year indicate that most vendors have a very poor success rate at removing the rootkits.

Then, to add more misery to the pain, Vinton Cerf, one of the creators of the internet's TCP/IP, recently stated that up to one quarter of all computers attached to the internet, an estimated 150 million, are likely infected with malware.

To add more fuel to the growing storm, CNET reported today that phishing attacks have overtaken viruses and trojans. This confirms the trend experts warned about last summer: organized crime is now using more targeted attacks against enterprises and is moving away from mass-mailer worms.

Then there is the news that Microsoft Word now has four major critical flaws that let attackers download malware when a document is opened. Three of these have been known since early December and still remain unpatched.

Follow this up with recent news that Cisco routers have three major security flaws (for which patches are available). These can increase the already high likelihood of denial-of-service attacks on an enterprise.

Then add in recent Adobe Acrobat flaws (for which patches are available).

Add to this mix the rising threat from attacks using mobile devices. Almost all experts say that the threat of attacks via mobile devices will grow steadily during 2007.

Finally, add in attacks from devices like printers. As printers become increasingly smart and turn into document processing centers, the risk to the enterprise also grows.

Any enterprise must take note of the e-storm it is in, even if it does not yet feel the impact. As attacks get more sophisticated, it can be several months or more before an attack is discovered. Just ask TJ Maxx, the retailer, which reportedly had millions of its customers' credit card numbers stolen several months ago but only realized it this December.

THERE IS NO SILVER BULLET FOR THIS STORM. There is no one technology you can turn to, install and then sleep well at night.

The answer is to have multiple layers of defense. This must start with repeated end-user training on the risk of clicking on email links and/or attachments, and continue with education about social engineering attacks. The human link is the weakest link in the chain; by using social engineering, attackers can easily bypass millions of dollars of security defense infrastructure.

The next layer is the firewalls, with anti-virus, anti-spyware and intrusion detection software installed. These must be constantly tested, and updates must be installed immediately.

Then there is network authentication. Enterprises need to ensure that all devices attaching to the network are, first, properly patched and, second, authenticated with the authentication strength required by the enterprise risk assessment. This must include mobile devices as well as devices like printers.

Next is excellent user provisioning. Make sure that users have only what they need in order to do their job or use enterprise services, and ensure that when they no longer need a resource, they are instantly deprovisioned.

Then there is user authentication. Enterprises must have single sign-on packages installed that request stronger and stronger authentication as the user drills towards sensitive networks, buildings, applications or information.

Sensitive information must always be encrypted. Avoid the risk Scotland Yard ran when a laptop containing all its members' sensitive identity data was stolen.

Then you must assume that even with all of this protection, you will be successfully penetrated. Put transaction authentication on high-risk applications and information: even if the user logs on successfully, check that it is the real user by comparing their computer hardware, IP address, geolocation, time of day and past user profile.

Your last resort is to assume that this too might be breached, and have monitoring on all data leaving the enterprise firewall to spot sensitive data on its way out the door. This should also include profiling the usage of databases to detect anomalies.

This is a war you're in. Like any good general, you must plan for attacks and have many layers of defense. There is no cavalry on the horizon coming to rescue you. It will likely be two to three years before regulatory laws, police forces and technology begin to catch up with the attackers.
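The transaction-authentication check described two paragraphs above, as an added Python example (not the author's or any product's scheme): each attempt is scored against a constructed profile on the signals listed there (device fingerprint, IP address, country and geolocation, time of day, and distance covered since the last session), and the risk a transaction tolerates shrinks as its value rises. The profile, the weights and the thresholds are assumptions.

```python
# Risk-based transaction authentication: added example built on a constructed user profile;
# the signal weights and thresholds are assumptions, not any vendor's or the author's scheme.
import math
from collections import namedtuple
from datetime import datetime

# One login/transaction attempt: device_id is the client hardware fingerprint, `when` is the
# user's local time as an ISO 8601 string.
Attempt = namedtuple("Attempt", "user device_id ip country lat lon when")

# Constructed history for one user: devices, IPs and places seen before, usual hours, last session.
PROFILE = {"alice": {
    "devices": {"dev-7f3a"}, "ips": {"198.51.100.20"}, "countries": {"CA"},
    "active_hours": range(7, 20),
    "last_seen": (datetime(2007, 1, 30, 21, 0), 49.28, -123.12),  # Vancouver
}}
MAX_PLAUSIBLE_KMH = 1000  # anything faster between two sessions is "impossible travel"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    p1, p2, dl = map(math.radians, (lat1, lat2, lon2 - lon1))
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def risk_score(a, profile=PROFILE):
    """Sum independent signals into a score; also return the reasons so each decision is explainable."""
    p = profile[a.user]
    when = datetime.fromisoformat(a.when)
    last_when, last_lat, last_lon = p["last_seen"]
    hours = (when - last_when).total_seconds() / 3600
    km = haversine_km(last_lat, last_lon, a.lat, a.lon)
    signals = [  # (fired?, weight, reason)
        (a.device_id not in p["devices"], 30, "unknown device"),
        (a.ip not in p["ips"], 10, "new IP address"),
        (a.country not in p["countries"], 25, f"new country {a.country}"),
        (when.hour not in p["active_hours"], 15, "outside usual hours"),
        (hours > 0 and km / hours > MAX_PLAUSIBLE_KMH, 40, f"impossible travel: {km:.0f} km in {hours:.1f} h"),
    ]
    return sum(w for hit, w, _ in signals if hit), [r for hit, _, r in signals if hit]

def decide(a, transaction_value, profile=PROFILE):
    """allow / step_up / deny: the more valuable the transaction, the less risk is tolerated."""
    score, reasons = risk_score(a, profile)
    tolerated = 30 if transaction_value < 1000 else 10  # assumed risk budget per transaction size
    verdict = "deny" if score >= 60 else "step_up" if score > tolerated else "allow"
    return verdict, reasons
```

A known device at the usual desk is allowed for any amount; the same device at 22:30 is allowed for a small transfer but asked for a stronger factor on a large one; an unknown device in a new country six hours after a Vancouver session is denied outright.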

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

January 31, 2007

3 strikes you're out, 5 and you're off the team

Well, just when Microsoft has released Vista to the general public, touting its security, their Office product suite is so full of security holes it resembles Swiss cheese. Today, Symantec announced yet another zero-day security flaw in Word. That brings the number of high-risk security flaws in Word to FIVE!

This means that since December, enterprises using Word (which is most of the planet's enterprises) have been wide open to malware attacks from opening an infected Word document. No patch has been issued for the first three flaws, discovered in early December.

HAVE A LAYERED IDENTITY DEFENSE. USE STRONG AUTHENTICATION. Don't trust Microsoft to protect your enterprise, regardless of their marketing spiels. At five strikes in Word, they should be off the team.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com