The VeriSign Security Review
April 2006
March saw a large amount of malicious activity, and the VeriSign Threat
Level was raised to 3 due to exploits of the Microsoft IE vulnerability
disclosed mid-month. According to the U.S. Department of Justice, the
number of American households victimized by identity theft has reached
3.6 million, and phishing is likely to play a larger role in increasing
that number. Phishing is growing and maturing as a crime industry, and
security professionals must seek comprehensive solutions to combat this
plague.
In this issue:
Hot Topics
Standards and Regulations
News from VeriSign
Ask a VeriSign Consultant
Security Events
Hot Topics
Identity Theft Tops 3 Percent
Three percent (or about 3.6 million) of American
households became victims of identity theft in 2004, reveals the US
Department of Justice’s National Crime Victimization Survey. The survey
of 42,000 households found that young heads of households and those
in the highest income brackets are more likely targets of identity theft.
Half of the surveyed victims discovered the identity theft after unknown
charges were made against an account or after they had problems banking.
A quarter of those surveyed had problems with credit cards and one out
of six had to pay higher interest rates.
March Threat Summary
The VeriSign
iDefense Threat Level remains at Level 3 due to the critical
Microsoft 06-012 vulnerability. The vulnerability targets Internet Explorer
and affects Windows 2000, Windows XP, and Windows Server 2003. Exploits
are active but limited, and third-party fixes have surfaced ahead of
Microsoft’s April 11th patch. Microsoft disclosed that it was working
with industry partners and law enforcement to remove Web sites that
are already exploiting the vulnerability.
In March, US-CERT issued an information notice
warning of increased DDoS attacks using spoofed recursive DNS requests,
which could potentially generate a multi-gigabit flood of DNS replies.
An attacker can send thousands of spoofed requests to a DNS server that
allows recursion. If the DNS server processed the requests as valid
and returned the DNS replies to the spoofed recipient (the victim),
the attacker could potentially generate a multi-gigabit flood of DNS
replies. The technique is known as a reflection or amplifier attack, because
it takes advantage of misconfigured (open recursive) DNS servers to reflect
the attack onto a target while amplifying the packet volume.
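The exposure described above is easiest to see in a resolver's own query log: a server that answers recursion-desired queries for clients it was never meant to serve is a reflector, and the ratio of response bytes to request bytes is the amplification it hands an attacker. The following is an added example, not code from the newsletter or from US-CERT; the log format, the `TRUSTED_NETS` list and the sample lines are all constructed for illustration.

```python
"""Flag recursive DNS queries answered for clients outside the resolver's scope.

Constructed example (not from the newsletter). Each log line carries the client
address, the query name and type, whether recursion was requested (rd) and the
request and response sizes in bytes. A correctly scoped resolver refuses
recursion for anything outside TRUSTED_NETS; every answered query from
elsewhere is a reflection/amplification exposure.
"""
import ipaddress
from collections import defaultdict

# Networks this resolver is meant to serve recursively (assumed for the example).
TRUSTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed log lines in the form:
#   <time> client=<ip> qname=<name> qtype=<type> rd=<0|1> req=<bytes> resp=<bytes>
SAMPLE_LOG = """\
12:00:01 client=192.0.2.15 qname=www.example.com qtype=A rd=1 req=45 resp=61
12:00:01 client=203.0.113.7 qname=example.org qtype=ANY rd=1 req=40 resp=3120
12:00:01 client=203.0.113.7 qname=example.org qtype=ANY rd=1 req=40 resp=3120
12:00:02 client=203.0.113.7 qname=example.org qtype=ANY rd=1 req=40 resp=3120
12:00:02 client=10.1.4.9 qname=mail.example.com qtype=MX rd=1 req=47 resp=120
12:00:03 client=198.51.100.2 qname=example.net qtype=A rd=0 req=38 resp=54
"""


def parse_line(line):
    """Turn one 'key=value' log line into a record with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return {
        "client": ipaddress.ip_address(fields["client"]),
        "qname": fields["qname"],
        "qtype": fields["qtype"],
        "rd": fields["rd"] == "1",
        "req": int(fields["req"]),
        "resp": int(fields["resp"]),
    }


def is_trusted(addr):
    """True if the client belongs to a network we intend to recurse for."""
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text, min_amplification=10.0):
    """Return {client_ip: stats} for untrusted clients that were granted recursion.

    Stats include query count, observed amplification (response bytes divided by
    request bytes) and whether it crosses min_amplification, the ratio at which
    the resolver becomes worth abusing as a reflector.
    """
    per_client = defaultdict(
        lambda: {"queries": 0, "req_bytes": 0, "resp_bytes": 0, "qtypes": set()}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Non-recursive queries and in-scope clients are expected traffic.
        if not rec["rd"] or is_trusted(rec["client"]):
            continue
        stats = per_client[str(rec["client"])]
        stats["queries"] += 1
        stats["req_bytes"] += rec["req"]
        stats["resp_bytes"] += rec["resp"]
        stats["qtypes"].add(rec["qtype"])

    findings = {}
    for client, stats in per_client.items():
        amp = stats["resp_bytes"] / stats["req_bytes"]
        findings[client] = {
            "queries": stats["queries"],
            "amplification": round(amp, 1),
            "qtypes": sorted(stats["qtypes"]),
            "high_amplification": amp >= min_amplification,
        }
    return findings


if __name__ == "__main__":
    for client, f in analyze(SAMPLE_LOG).items():
        print(client, f)
```

In the sample log only 203.0.113.7 is reported: it sits outside the trusted networks, asked for recursion three times, and each `ANY` answer was 78 times the size of the request. The source address in such a log is the spoofed victim, not the attacker, so the right response is to stop reflecting rather than to block the address; in BIND that is done by restricting recursion to the networks you serve (for example `allow-recursion { localnets; localhost; };`) and by rate-limiting responses to the rest.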
Why Phishing Works
A new study reveals that phishers can fool
more than 90 percent of users with a professional-looking site. In a
report entitled “Why Phishing Works”, Dr. Dhamija of Harvard University,
J.D. Tygar of UC Berkeley, and Marti Hearst of UC Berkeley suggest that
to combat phishing, behavioral elements must be considered in new security
system designs. As many as 23 percent of the participants studied did
not fully understand indicators designed to signal trustworthiness such
as the padlock icon. Instead, many relied only on the content of the
Web site to evaluate its authenticity. While all of the participants
have at least a college degree, the most polished design of a fake bank
Web site still tricked more than 90 percent of them into proceeding
further.
The study concluded that distinguishing spoofed sites from the real
ones is a sophisticated undertaking, as humans take a variety of visual
indicators as their cue to trust a third party, many of which are very
easy to spoof. The researchers are currently testing a new design that
allows a remote server to prove its identity in a way that is easy to
verify but difficult to spoof.
GAO Reports on Information Security
In February of 2006, the US Government
Accountability Office released reports on information security
at the Securities and Exchange Commission (SEC), the Internal Revenue
Service (IRS), and the Department of Health and Human Services (HHS).
After the GAO’s scathing 2005 report on information
security at the SEC, the 2006 report concludes that “most of the previously
reported information security controls and program weaknesses persist.”
Chief among the weaknesses are access control and patch management.
While noting progress at the IRS, the GAO says
“significant control weaknesses,” such as excessive access and inadequate
logging, remain. One of the key concerns is that the IRS still routinely
permits “unencrypted protocols for remote log-on capability.”
The HHS, still lacking a department-wide information
security program, also received criticism from the GAO. Of note, the
report points out that system-administrative access was not always restricted
and that data was not always encrypted.
Standards and Regulations
IEEE To Propose New Wireless Security Standard
The taskforce that created 802.11i, the standard
behind Wi-Fi protected access and WPA-2, patched security holes by introducing
new cryptographic algorithms to protect data traveling across wireless
networks. Now, fast handoff, radio resource measurement, discovery and
wireless network management schemes are being introduced in the upcoming
802.11r, 802.11k, and 802.11v drafts. As new and highly sensitive information
about wireless networks will be exchanged, the IEEE is also working
on 802.11w, extending 802.11i to provide AES encryption and de-authentication.
Overall, 802.11w promises to patch security
problems created by the flow of new and detailed information over management
frames. By protecting the contents of most frames from eavesdropping,
and of certain crucial frames from forging, 802.11w should stop the
information leakage and reduce some basic DoS attacks. IEEE expects
to ratify 802.11w in the first half of 2008.
House Approves Breach Notification Bill
The US Energy and Commerce Committee approved
the Data Accountability and Trust Act (DATA), a law similar to California’s
Security Breach Information Act. Under the proposals, if a data breach
does occur, a company must notify any customers concerned and the Federal
Trade Commission (FTC), which can then demand an audit. The bill would
also allow the FTC to enforce standards on data retention and
require companies to appoint a head of security. Besides California,
17 other states also have similar laws in place.
News from VeriSign
VeriSign and ACBB-BITS to Provide Banking Security
VeriSign and the technology and telecommunications
unit of Atlantic Central Bankers Bank, Banking Infrastructure & Technology
Services (ACBB-BITS), announced they have reached an agreement to deliver
security services to community banks throughout the five-state, Mid-Atlantic
region.
Under terms of the agreement, VeriSign and
ACBB-BITS will provide an integrated set of managed security services
(MSS), including firewall management, intrusion detection/prevention
management and vulnerability management to help regional and community
banks protect their internal networks from unauthorized access and malicious
activity.
Ask a VeriSign Consultant
Each month, our highly experienced security consultants
share their expertise in an area of your concern. This month, Doug Barbin
discusses third-party risk management.
Q: It’s difficult enough dealing with my own security program,
not to mention my partners and service provider. Do you have any
practical advice on managing the security of third-parties I share data
with or connect to?
A: You ask a very important question and something that there
is not an easy answer to. Companies in all industries and geographies
are struggling with the same problem. Here are a few pieces of
advice and references for more information.
1 – Security Programs – Make sure that your business partners have a core security
program in place that includes dedicated individuals, formal roles,
responsibilities, and a documented security policy. This is bare
minimum stuff and should include all of the areas such as access control,
data protection, patching, application development, monitoring, awareness,
and others that you would find in the ISO17799 standard for information
security. It is usually pretty obvious whether or not a company
has a formal program so beware of partners where security is a part
time job for one of the “IT guys.”
2 – Data Protection – This is probably what you are most concerned about.
Compromises happen to companies in all walks of life. What if
it happens to your partner? Is your data encrypted or otherwise
protected from loss? What kind of access controls are in place
to prevent unauthorized persons at the partner company from accessing
your data or worse, cross contamination with other customers of that
third party? When we did an analysis of the top
reasons companies failed their Payment Card Industry (PCI) assessments,
protection of data at rest was number one. Make sure you evaluate
how your data is being stored and always go in with a worst case what-if
line of thinking.
3 – Application Security – Many outsourcing arrangements involve some sort of hosted
or COTS application that your company uses. This is a critical
area as most of the compromises we are seeing are as a result of poorly
configured applications. It is important that you are confident
that your partner has gone through the appropriate due diligence such
as application vulnerability testing and/or secure code review.
4 – Monitoring and Response – We hear a lot about security breaches in the news but there
are many more that go unreported because they are detected in a timely
manner. Make sure your partner has the necessary monitoring capabilities
such as intrusion detection and log monitoring. Most importantly,
make sure there is a process for the partner to notify you if a compromise
of your data has occurred. Many companies are now putting this
in their contracts.
These are some of the
key pieces that tend to create challenges for partnerships.
There are some interesting things going on in the industry. The
Payment Card Industry (PCI), for example, was first to the game with
Visa and MasterCard mandating how merchants and processors should be
handling credit card data. On a broader level, many of the large
institutions have developed programs to classify their third party providers
according to risk and then go through an assessment process. The
assessment process includes review of both companies and applications.
In addition, the Banking Infrastructure and Technology Services (BITS)
Financial Services Roundtable has launched a shared assessments program
in hopes that service providers can undergo a single assessment that
can be leveraged by multiple financial services institutions.
This is a very exciting program as companies spend a significant amount
of time “auditing” their partners, providers, and even customers to
a degree. See http://www.bitsinfo.org/FISAP/
for more information.
Douglas W. Barbin is part of the product management team for VeriSign
Security Services. Prior to this role, he was Director of the
western US consulting practice. A CPA and CISSP, he has extensive
experience in performing enterprise security audits and has helped many
companies develop internal risk management programs. Mr. Barbin
is on the technical advisory committee for the BITS Financial Services
Shared Assessments Program (FISAP).
Security Events
April 24-26, 2006 – LinuxWorld NetworkWorld Conference & Expo – Toronto, Canada
April 26, 2006 – ISSA InfoSec Conference – Boise, ID
May 1-4, 2006 – SecuritySolutions 2006 – Tampa, FL
May 2-3, 2006 – SecureWorld Expo – Atlanta, GA
May 3-6, 2006 – Computer Enterprise Investigations Conference – Las Vegas, NV