InformationWeek is reporting yet another network breach, this time involving internet retailer Vertical Web Media. According to the retailer’s president Jack Love, they weren’t hit by “ordinary” hackers:

“This troubles us deeply… We thought our site was extremely well protected,” Love told InformationWeek. “We were up-to-date on all our patches. We get a quarter of a million visits a month to our site. We’ve seen hacking attempts before. Anyone with a site that highly trafficked is going to see that, but we hadn’t had a problem. We had a sense of security. But the message here is you can never feel content with security. You have to be ever vigilant.” (emphasis added)

Kudos to Mr. Love for hitting the nail right on the head. Security is a never-ending process where you have to be constantly improving and on your guard 24×7. You can be up-to-date on all your patches, you can be using the latest and greatest security tools and you can be compliant with every single standard and regulation in the books. But you still need to be ready to detect and respond to a successful attack. Can you detect it as soon as it happens? Can you contain it and minimize the damage? What are your top priorities during an attack? Prevention, detection and response – all 3 are necessary.

Over at the PCI DSS Compliance Demystified blog, Michael Dahn has a post that should be interesting to anyone subject to compliance audits (which is just about everyone). Titled “How deep do your PCI auditors need to go?,” the post lays out some of the factors that auditors use to determine, as the title suggests, how deep into your security program they need to go in order to reasonably prove or disprove compliance.

From the blog:

Here are some factors they may examine:

• Can they sample similar systems?
• Will they rely on third-party reports?
• Do they need to inspect the security of every application?
• Will you need to give them copies of sensitive data for their work papers?
• Who will send the final report to the acquirer or card brand?

As you would expect from a blog dedicated to PCI DSS, the information Michael discusses is in the context of a PCI compliance audit. But many of the factors and considerations are used by information security auditors across the board regardless of their “faith”. If you’re expecting an audit soon, it’s a great quick read that provides some insight into the process.

So says a software developer producing hacking tools.

If you still have any doubts regarding the underground “business” of hacking, check out this interview by Robert Lemos over at SecurityFocus. In it, one of the developers responsible for MPack (an increasingly prevalent hacking tool) talks about his cohorts, their “project’s” profitability and their goals.Some other quotes from the interview:

“The project is not so profitable compared to other activities on the Internet. It’s just a business. While it makes income, we will work on it, and while we are interested in it, it will live. …Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project”

“Our main aim is to make the pack work better – boost the number of infections, in other words. Everything else is not so important. …We have got some other projects running and more to be realized.”

“We are just a group of people working together, but doing some illegal business”

Granted, it may not be the same language you would expect to hear from someone on a board of directors. But if that doesn’t sound like they are running a business, I’m not sure what does…

A recent federal court ruling in Pennsylvania has brought this question back into discussion amongst many security, technology and legal professionals. In Healthcare Advocates Inc. v. Harding Earley Follmer & Frailey, the court ruled that it is not considered unauthorized (and therefore illegal) access if the information in question was gathered from publicly archived or cached data. This means if your company’s data has been cached by search engines such as Google or Internet Archive that data – whether sensitive or not – can be legally accessed by anyone.

From the article posted by Law.com:

“A law firm did not violate copyright and computer anti-hacking laws when it used a Web archive search tool to recover old Web pages of its client’s adversary, says a federal judge.”

“They did not ‘pick the lock’ and avoid or bypass the protective measure, because there was no lock to pick,” Kelly wrote in Healthcare Advocates Inc. v. Harding Earley Follmer & Frailey, No. 05-3524. “Nor did the Harding firm steal passwords to get around a protective barrier. … The Harding firm could not ‘avoid’ or ‘bypass’ a digital wall that was not there.”

Several other blogs have also weighed in on the court’s decision in the context of the larger “what is considered unauthorized access?” question:

If you don’t secure your data, it’s not unauthorized access
Obligation to Secure
Robots.txt and the DMCA
Thanks for letting me circumvent

We’ve received a lot of requests for the resources we described during our recent Security 101: Getting on the Right Track, Right Away webcast. In addition to an archive of the webcast, here are the books, websites, and other resources that will help you get started in IT security:

Recommended Reading:

• CISSP All-in-One Exam Guide by Shon Harris – Start here with Harris’s primer on all things security
• TCP/IP Illustrated by Richard Stevens – Use this as a reference when examining packets.
• Building Internet Firewalls by Elizabeth Zwicky – The value here is fundamental concepts, not specifics about certain firewalls.
• Securing Windows NT/2000 Servers for the Internet by Stefan Norberg – An old but good text providing fundamental concepts for hardening Windows systems.
• Hardening Windows Systems by Roberta Bragg – A more recent complement to Norberg.

Recommended Tools:

• WireShark (www.wireshark.org/download.html) – Examine packets (use with “TCP/IP Illustrated”, above)
• Superscan (www.foundstone.com/us/resources/proddesc/superscan4.htm)
• Nessus (http://www.nessus.org/) and/or Nmap (http://insecure.org/) – Vulnerability scanners

Additional Tools:

• Sysinternals (http://www.microsoft.com/technet/sysinternals/default.mspx) – Variety of utilities
• PGP (www.pgp.com)  – Encryption, documentation is highly recommended, basically a primer on encryption.

Recommended Security News:

• SANS Internet Storm Center (http://isc.sans.org/)
• SecurityFocus (http://www.securityfocus.com/)
• FS-ISAC – Financial Services Information Sharing and Analysis Center ($$$) (http://www.fsisac.com/)
• Department of Homeland Security (http://www.dhs.gov/)
• US-CERT (http://www.us-cert.gov/)

Regulations and Standards

• FFIEC (http://www.ffiec.gov/)
• COBIT (www.isaca.org/cobit/)
• NIST (http://csrc.nist.gov)
• ISO 17799 (ISO/IEC 27002:2005) (http://17799.standardsdirect.org/)

Vulnerability Lists

• SANS Top 20 (www.sans.org/top20/)
• SANS @Risk Newsletter (www.sans.org/newsletters/risk/)
• BugTraq (www.securityfocus.com/archive/1)
• CVE (http://cve.mitre.org)
• Vulnwatch (http://seclists.org/vulnwatch)

Local Chapter Organizations

• ISSA (http://www.issa.org/)
• ISACA (http://www.isaca.org/)
• OWASP (http://www.owasp.org/)

Training Organizations

• SANS Institute (http://www.sans.org/)
• (ISC)² (http://www.isc2.org/)
• ISACA (http://www.isaca.org/)

Magazines and Publications

• Information Security Magazine (searchsecurity.techtarget.com/)
• CSO Magazine (www.omeda.com/cgi-win/cso.cgi)
• SC Magazine (www.scmagazine.com)
• ISSA Journal (www.issa.org/Members/Journal.html)
• Financial IT Security (www.financialitsecurity.com)

Feedback? blog@secureworks.com

This article�from SC Magazine takes a look at security spending. Traditionally dominated by the enterprise, security spending appears, at least to analyst Mike Rothman, to be experiencing more growth in the small-to-medium enterprise (SME) segment. Smaller financial institutions such as regional credit unions and health care organizations have increased their spending on security technologies.

Other interesting points:

• Many new technologies (UTM, etc.) are repackaged versions of older technologies
• Application security is getting traction with companies
• Access control is getting bigger “in government”�

Check�out the article

�

A couple of utilities focused articles hit recently - one proclaiming that utilities are upping security, the other claiming they are behind and even negligent.

Computerworld looks at the new reliability standards, which include cybersecurity controls, and the impact on spending in “New reliability rules put a charge in IT spending by utilities”. Good overview/updates on utility security progress.

VNUNET’s article is less helpful. The article “Utility firms sitting on hacking time bomb” is long on FUD and short on data. Take with a big grain of salt.