Tag Archives: SC Magazine

IPS Grows Up But IDS On Life Support?

In the November 2012 issue of SC Magazine (Pg 26-28) titled “IPS Grows Up”, an article by Fahmida Rashid discusses some of the changing landscape for intrusion protection systems with a variety of experts. There are a variety of interesting topics and statistics regarding IPS such as the following:

While IPS won’t be able to block attacks exploiting zero-day vulnerabilities or thwart skilled adversaries using sophisticated tactics, it should “prevent 99 percent of push-button or automated attacks, Al-Abdulla says.”

While many can agree with that statement, what probably would not receive a great deal of agreement was the following statement within the article:

Holden predicts IDS will “fall by the wayside” in the next three to five years.

While it is understood that IDS is not detective rather than reactive, but one of the things that many businesses and agencies have a hard time tuning IPS in a way that there will not be any issues with mission or business critical traffic. The thought that IDS will no longer be necessary seems very short-sighted and limited. Granted most IPS devices are also IDS, but if defense in-depth is still a valid concept and that risk is a business decision, then IDS will remain in use for the foreseeable future.

Tagged , , , , , , , , , ,

Windows 8 is Here and So Are is the Zero-Day…

Microsoft’s new flagship operating system Windows 8 was released at the end of October, but with its release, so has a new zero-day. In a recent article in SC Magazine, the article describes how the French security firm Vupen is offering the recently discovered zero-day for sale. In fact, a mere $50,000.00 could allow you to obtain the vulnerability that has been described as affecting the new Internet Explorer 10 browser.

According to the article:

Last week, Vupen CEO Chaouki Bekrar tweeted that “various” IE10 and Windows 8 vulnerabilities had been combined to circumvent exploit mitigation safeguards in Windows 8, which was released to the public on Oct. 26. The exploit was reportedly not disclosed to Microsoft, nor was its price made public. Vupen did reveal that the zero-day could allow a particularly skilled hacker to bypass embedded security measures, which include high-entropy address space layout randomization (HiASLR), anti-return oriented programming (AntiROP), data execution prevention (DEP) and protected-mode sandbox.

According to the article, Vupen only sells the vulnerability information to governments and business, but this is very concerning. The fact that they have not shared it with Microsoft, this could become a way to hold applications, business and governments hostage. Secure coding needs to be the priority of developers and the time to market needs to be properly married to insuring limited vulnerabilities.

Tagged , , , , , , , , , , , , , , , , , , ,

Are You Satisfied With Nothing…

Are you a small business? Are you satisfied with your customer and business data security? According to a recent survey of small businesses by Symantec and National Cyber Security Alliance, 86% state that they are. In an article in SC Magazine published 10/22, some of the interesting details of the survey are discussed.

According to the article, even those 86% are satisfied with the level of security protecting the customer and business data of their businesses. In addition, 77% of those small businesses surveyed believe that their business is safe from any breach. According to the article about the survey, the following is what is most concerning:

However, 87 percent of respondents have not written a formal security policy for employees, 83 percent lack any security blueprint at all and 59 percent have no plan in place to respond to a security incident.

These statistics are very concerning. If you take this survey of 1,015 small businesses (250 employees or less) as a reasonable grouping of all small businesses this survey is frightening. Even if you take it with a grain of salt, it is scary that no planning is being put in place for most. One can only assume why a business would not put a plan, even one that is basic, in place. Is it the cost of security or the thought that “this business is too small to be hit” mindset? What ever the rationale used to make the decision, it was a decision to accept that risk of compromise and breach, but as more and more businesses begin to use cloud services and other mechanism on the Internet, they are turning from an obscure local “mom and pop” business to one with a larger footprint that can span the globe.

Preparation is always a wise decision. Regardless if you document that you buy the top of the line next-gen firewall and intrusion protection system or just change the Linksys encryption from WEP to WPA-2 and change the default admin password, the documented plan is a step in the right direction. Remember it is important to measure twice and cut once.

In closing the following quote is something for everyone to consider:

“Invincibility lies in the defence; the possibility of victory in the attack.” — Sun Tzu

Tagged , , , , , , , , , , , , , ,

Zero-Day Attacks Last Longer Than Zero…

Research from Symantec has been published in ACM on October 16. The research, which was also referenced in articles in SC Magazine and Dark Reading, looks at the amount and duration of zero-day attacks. Specifically:

A zero-day attack is characterized by a vulnerability that is exploited in the wild before it is disclosed, i.e., t0 > te. Similarly, a zero-day vulnerability is a vulnerability employed in azero-day attack. Our goals in this paper are to measure the prevalence and duration of zero-day attacks and to compare the impact of zero-day vulnerabilities before and after t0.

The research within the paper has some important considerations to business and the need for effective patching and defense-in-depth within the enterprise. Specifically, the paper found the following conclusion:

Zero-day attacks have been discussed for decades, but nostudy has yet measured the duration and prevalence of these attacks in the real world, before the disclosure of the corresponding vulnerabilities. We take a first step in this direction by analyzing field data collected on 11 million Windows hosts over a period of 4 years. The key idea in our studyis to identify executable files that are linked to exploits of known vulnerabilities. By searching for these files in a dataset with historical records of files downloaded on end-hosts around the world, we systematically identify zero-day attacks and we analyze their evolution in time.We identify 18 vulnerabilities exploited in the wild before their disclosure, of which 11 were not previously known to have been employed in zero-day attacks. Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts. However, there are some exceptions for high profile attacks such as Conficker and Stuxnet, which we respectively detected on hundreds of thousands and millions of the hosts in our study, before the vulnerability disclosure. After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude. These findings have important implications for future security technologies and for public policy.

Based on these findings, it will be interesting to see if the various technology vendors, programmers, and business will take this to heart and work harder in getting less vulnerable software and systems to market. Follow on research from this paper could be to evaluate the cost impact associated with zero-day attacks or vulnerabilities that were left unpatched. The reality is that security is about risk acceptance and in some cases the cost may be deemed an acceptable risk by some businesses.

Tagged , , , , , , , , , , , , ,
%d bloggers like this: