Sarbanes-Oxley: An Opportunity for Security Professionals

by Steven Drew, EVP of Client Services, SecureWorks

Sarbanes-Oxley (SOX) is not just another regulation that security professionals have to contend with in their already very busy lives. Instead, SOX should be viewed as an opportunity for security teams to demonstrate their value, at the highest levels of the organization, as a key enabler of a sound business environment. SOX presents this opportunity to every company, whether a public entity that must comply or a private company that falls outside mandated compliance, by providing a model for sound internal controls and a template for demonstrating the effectiveness of those controls to executive management.

The first way SOX helps to demonstrate the importance of information security is that the regulation emphasizes the importance of your business critical systems. Executives typically think about sales, marketing and other revenue-centric business units when looking for ways to improve their business. However, they often overlook the critical systems that enable these units to effectively generate demand. SOX specifically points to these systems and raises the awareness of their criticality by making executives attest to the accuracy of their company's reported financial information. This attestation forces executives to ask questions regarding the activity on these systems and whether or not this activity could have altered the information they are receiving.

This leads to the second way SOX can help information security teams: it creates an immediate need for security monitoring and reporting. Every organization needs technology that monitors the activity on critical systems and can turn that data into reports illustrating the activity. Monitoring should be performed both at the network level, using Intrusion Detection and/or Prevention Systems, and at the host level, using log aggregation technologies that gather security events from the appropriate log files. This information must then be consolidated so that your team has a single database of the security activity on critical network segments and information assets. With this in hand, security teams can easily generate reports showing the incidents targeting critical business systems and the actions taken to protect those hosts. Reports such as these help security teams secure the funding they need by illustrating both the threats facing critical information assets and the effectiveness of the security program in thwarting those attacks, and they build trust between executives and their security teams.

The last major way SOX can help security teams is by clearly justifying the need for more proactive security measures, such as vulnerability scanning and obtaining threat intelligence. These measures help you fortify your critical business systems against existing and emerging threats. Implementing robust scanning and intelligence programs gives you a better understanding of your assets' threat exposure, which you can report to management alongside the actual incidents and the associated responses. Demonstrating effective proactive measures builds an additional layer of trust, as executives see their security teams taking steps to reduce the likelihood of attacks against critical business systems rather than merely maintaining a reactive posture.

All security teams should view the guidelines set forth by Sarbanes-Oxley as an opportunity. Implementing the controls and processes recommended by this Act will lead to a more secure business environment. More importantly, SOX raises executives' awareness of their critical business systems and of the security surrounding those systems. This lets the security team demonstrate, again and again, its value as a key enabler of the business. The result is executives who have confidence in their security team, which helps when future budgetary and personnel needs arise. Whether or not you have to comply with SOX, security teams should take a long look at this legislation and formulate a strategy to use it as a way to gain much needed visibility at the highest levels of the enterprise.


Managing the Vulnerability Landscape

by Corey Merchant, VP, Product Management, SecureWorks

On any given day there are dozens of software vulnerability announcements. Sorting through all these new vulnerabilities to discover which are important and which are not can be a daunting task for any security professional. This article provides a simple methodology, called the Vulnerability and Threat Handling Process, to help enterprises quickly identify the critical vulnerabilities and speed the time to remediation.

Step 1: Filter

This is the most basic, yet most critical, step in the Process. Security teams must keep, or have access to, an up-to-date inventory of all commercial software in their environment. If you are just beginning to build an inventory, start with your critical applications and work outward from there. With this information in hand, subscribe to all appropriate vendor and vulnerability news lists. As the flood of information comes in, develop a process to sort through the announcements and identify the ones that are pertinent to your environment, that is, the ones affecting software you actually run. This should dramatically cut down the information you have left to analyze.

Step 2: Targets

This is the most important factor in determining whether or not an outbreak is likely to occur. Historically, outbreaks have targeted widely used software, such as Microsoft products, to ensure a high number of targets for propagation. Look through your remaining vulnerabilities and set aside the ones that impact software from leading vendors such as Microsoft, Cisco, Oracle, IBM, etc. If a vulnerability impacts software from these vendors you may want to adjust its rating up one notch, and down one notch if it impacts a more obscure application.

Step 3: Exploit Code and Ease of Exploit

Research the vulnerabilities you have left to identify which ones already have exploit code available. Of those that do, determine whether the exploit code is only a proof of concept or is actually being used in the wild. Additionally, you must determine the ease with which a particular vulnerability can be exploited. For instance, an outbreak is unlikely if the vulnerability can only be exploited locally. Once this information is known, adjust the severity accordingly. If the code is proof of concept only and the vulnerability can only be exploited locally, you may want to downgrade it one notch, say from medium to low. If the exploit is working in the wild and can be used remotely, the vulnerability severity rating should be set to the highest level and remediation efforts must begin immediately.

Step 4: Time

With each new outbreak, the time between the vulnerability announcement and the initial appearance of the outbreak has been shrinking rather dramatically. In the past, this time period was a few months. Now it usually happens within a few weeks. At this step you should evaluate how long the vulnerability has been known and whether or not you have seen an increase in activity, such as an unusual spike in scanning on a particular port, which may indicate an emerging threat. If the vulnerability has been out for a while or there are indicators present, you should raise the vulnerability severity rating.

Step 5: System Criticality

The final step in prioritizing the daily vulnerability announcements you receive is to determine the criticality of the impacted software. Vulnerabilities reported in mission critical software, such as Oracle databases running an enterprise's ERP systems, should receive a higher severity rating than the software running your development systems. System criticality should be stored in your software inventory list for easy access to this information.

Using the simple methodology above, you should have an accurately prioritized list of the vulnerabilities that impact your environment. The next step is to enter them into a database or ticketing system and assign accountability for remediation. If a vulnerability is highly critical, you should also evaluate "blocking" actions using your firewalls or Intrusion Prevention Systems to ensure that you do not fall victim to an attack while you are still patching your systems. At the end of the day, you should be able to use this information to deliver reports to management and auditors that demonstrate your threat level and the status of all remediation efforts.
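The five steps above, carried through as code. This is an added example and not SecureWorks' tooling: the inventory rows, the advisories (placeholder IDs ADV-1 through ADV-4), the vendor list, the 14-day "been out for a while" threshold and the one-notch adjustments are all assumptions chosen to illustrate the process, and the vendor-reported severity is taken as the starting rating before the adjustments are applied.

```python
from dataclasses import dataclass
from datetime import date

# Severity scale; each step moves a vulnerability up or down one notch on it.
LEVELS = ["low", "medium", "high", "critical"]
MAJOR_VENDORS = {"Microsoft", "Cisco", "Oracle", "IBM"}  # Step 2: large target base
CRITICALITY_ADJ = {"mission-critical": 1, "production": 0, "development": -1}  # Step 5

@dataclass
class Asset:
    """One row of the software inventory (used in Step 1 and Step 5)."""
    product: str
    vendor: str
    criticality: str   # a key of CRITICALITY_ADJ
    hosts: int

@dataclass
class Advisory:
    """One vulnerability announcement as received from a vendor or news list."""
    vuln_id: str
    product: str
    vendor: str
    base: str          # vendor-reported severity, one of LEVELS
    announced: date
    exploit: str       # "none", "poc" (proof of concept only) or "wild"
    remote: bool       # exploitable over the network, not only by a local user
    scan_spike: bool   # Step 4 indicator: unusual scanning seen on the service's port

def bump(level, steps):
    """Move a severity up or down `steps` notches, clamped to the scale."""
    idx = LEVELS.index(level) + steps
    return LEVELS[max(0, min(len(LEVELS) - 1, idx))]

def step1_filter(advisories, inventory):
    """Keep only advisories for software that is actually installed."""
    installed = {a.product for a in inventory}
    return [adv for adv in advisories if adv.product in installed]

def step2_targets(level, adv):
    """Widely deployed vendor software goes up one notch, obscure software down one."""
    return bump(level, 1 if adv.vendor in MAJOR_VENDORS else -1)

def step3_exploit(level, adv):
    """Exploit availability and ease of exploitation."""
    if adv.exploit == "wild" and adv.remote:
        return "critical"        # working remote exploit: remediate immediately
    if not adv.remote:
        return bump(level, -1)   # local-only: an outbreak is unlikely
    if adv.exploit == "poc":
        return bump(level, 1)    # remote with a public proof of concept
    return level

def step4_time(level, adv, today, stale_days=14):
    """An old announcement or a scanning spike both raise the rating."""
    age = (today - adv.announced).days
    return bump(level, 1) if age >= stale_days or adv.scan_spike else level

def step5_criticality(level, adv, inventory):
    """Mission-critical systems go up, development systems go down."""
    asset = next(a for a in inventory if a.product == adv.product)
    return bump(level, CRITICALITY_ADJ[asset.criticality]), asset

def prioritize(advisories, inventory, today):
    """Run all five steps; return ticket-ready rows, most severe first."""
    rows = []
    for adv in step1_filter(advisories, inventory):
        level = step2_targets(adv.base, adv)
        level = step3_exploit(level, adv)
        level = step4_time(level, adv, today)
        level, asset = step5_criticality(level, adv, inventory)
        rows.append({
            "vuln_id": adv.vuln_id,
            "product": adv.product,
            "severity": level,
            "hosts": asset.hosts,
            # Critical items get a firewall/IPS block while patching is under way.
            "block_while_patching": level == "critical",
        })
    rows.sort(key=lambda r: (-LEVELS.index(r["severity"]), -r["hosts"]))
    return rows

# Constructed sample data, not real advisories; the IDs are placeholders.
SAMPLE_INVENTORY = [
    Asset("Windows Server 2003", "Microsoft", "mission-critical", 40),
    Asset("Oracle Database 9i", "Oracle", "mission-critical", 6),
    Asset("Apache HTTP Server 2.0", "Apache", "development", 12),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-1", "Windows Server 2003", "Microsoft", "high",
             date(2004, 10, 12), "wild", True, True),
    Advisory("ADV-2", "Oracle Database 9i", "Oracle", "medium",
             date(2004, 10, 20), "poc", False, False),
    Advisory("ADV-3", "Apache HTTP Server 2.0", "Apache", "medium",
             date(2004, 9, 1), "none", True, False),
    Advisory("ADV-4", "Lotus Notes", "IBM", "high",   # not installed: dropped in Step 1
             date(2004, 10, 12), "poc", True, False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ADVISORIES, SAMPLE_INVENTORY, date(2004, 10, 26)):
        print(row)
```

With the sample data and 26 October as "today", ADV-1 ends critical with a block recommended, ADV-2 ends high (major vendor up, local-only proof of concept down, mission-critical database up), ADV-3 ends low (obscure vendor down, stale announcement up, development system down) and ADV-4 never enters the list because nothing in the inventory runs it. The thresholds and notch sizes are the tunable part; the point is that every adjustment is recorded against the inventory, so the resulting ticket can be explained to an auditor.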


Internet Threat Update

Provided by SecureWorks' Security Research Team

This Month's Threat Overview:

  • The Future of Exploitation
  • JPEG Virus -- Looking Past the Hype

The Future of Exploitation

The arrival of Microsoft Windows XP Service Pack 2 is not just another upgrade. The security enhancements are real, and they will have a long-term impact on the future of hacking. There will hardly be any more simple buffer-overflow exploits, simply because Microsoft has removed many of the vectors hackers use to gain control of a program after an overflow (hardware-backed Data Execution Prevention, stack cookies and safer exception handling, among others). While no solution is 100% effective, future would-be exploiters will have to get lucky in order to find the right kind of condition to turn a memory management failure into remote code execution. On the workstation, this leaves two primary hacking vectors: social engineering and application logic subversion.

Social engineering is here to stay; make no mistake. The complexity of systems will always outpace users, giving hackers an advantage of knowledge alone. But rarely do you see a massive outbreak in which a hacker has fooled millions of users into running untrusted code. So, while it will always be a threat, it will probably never rise to the level of a Slammer or Blaster, causing widespread and costly network outages. This leaves us with application logic subversion. This type of hack is most commonly seen in Internet Explorer flaws that make the browser think code from the Internet is running in the Local zone, where it is granted far more privilege.

Application logic errors are far harder to prevent than buffer overflows, so application logic subversion exploits are probably here to stay as well. The cure for this problem is manifold: heterogeneous networks, application-layer inspection firewalls, host-level IPS and other solutions all play a part. The key is making sure the programs you use don't try to "do it all". Bloatware isn't just bad for the hardware budget; every extra feature is extra logic that can be subverted.

JPEG Virus -- Looking Past the Hype

The JPEG vulnerability made all the headlines this summer, with some people predicting a massive worm outbreak - but was it really that big of a risk? Consider these factors:

  • The exploits required you to save a malicious JPEG file to a folder and then mouse over the file's icon later. Not exactly ideal for a worm or virus. In fact, if a self-spreading exploit were created, it might be the slowest spreading virus in Internet history.
  • The exploits worked only with Windows XP SP1 - and you've upgraded to SP2 already, right?
  • The drag-n-drop vulnerability in IE was still unpatched, and worked without user interaction across a wide range of platforms. It's easy to modify, yet we haven't seen a "web worm" using it yet either.

Now, you should never say never, but it clearly looked as though a worm using the JPEG exploits would have had little impact even if someone had released one. Following a proper threat research methodology, such as the five-step process described above, will quickly help you separate the true threats from the hype.


SOC War Story: Shortage of Time, No Shortage of Vulnerabilities

Business Problem

It has been well documented in the security industry that the window of time security organizations have to fortify their critical information assets against malware is shrinking dramatically. According to some analyses, the time between when a vulnerability is announced and when exploit code appears has collapsed from weeks to days. This compression has left security teams at a significant disadvantage in their fight to protect critical information assets from the ever-evolving landscape of threats.

On October 12th, Microsoft once again inundated security teams with a fresh batch of vulnerability announcements and patches. Security teams have grown to anticipate a busy workload when Microsoft announces vulnerabilities on the second Tuesday of every month, an event that has become known as "Black Tuesday." What security teams could not have prepared for, though, was the quantity of vulnerabilities announced on this day: 22 new vulnerabilities. Of these, 5 were rated critical and 11 were rated medium in severity by the SecureWorks security research team. With 16 potentially harmful vulnerabilities to contend with, security teams were once again forced to scramble to patch as many critical servers as possible before someone developed malware to take advantage of these vulnerabilities.

Solution

Our client uses SecureWorks' Threat Intelligence and Vulnerability Scanning services. When the announcements were issued, SecureWorks security research team immediately began analyzing and re-prioritizing them according to which vulnerabilities presented the greatest opportunity for threat development. Through the Threat Intelligence service, the client received a consolidated, prioritized list of the new vulnerabilities and began formulating their fortification strategy.

In addition to analyzing each new vulnerability, the Threat Intelligence Group also developed new scanning rules to check for the presence of the vulnerabilities on scanned hosts. Through our Managed Vulnerability Scanning service, this client was able to set up a variety of pre-defined scans, such as critical Windows hosts, critical UNIX hosts, security infrastructure, etc. Once the client had developed their strategy, they immediately ran their critical Windows hosts scan to gain a better understanding of the scope of the patching effort. Less than two hours after the vulnerabilities were announced, this client had an understanding of the vulnerabilities, a strategy to fortify their environment and a catalog of the critical servers affected. With all the necessary information in hand, the client immediately set to work testing and implementing the patches. SecureWorks' Threat Intelligence and Vulnerability Scanning services enabled this client to gain valuable time in the race against emerging threats.
