Tom Olzak

Posts Tagged ‘Patching’

Controls: The absolute minimum

In Application Security, Cybercrime, Data Security, Log Management, Network Security, Physical Security, Risk Management, Security Management on February 3, 2013 at 17:07

CSIS Logo (SANS)Lulled into false security by years of being told anti-malware is the best way to protect networks and devices, many network administrators  leave their networks wide open.  Using only anti-malware software a firewall, and an IPS leaves gaping holes in the security controls framework.  Attackers with limited experience can locate and exploit attack vectors with little regard for these venerable controls.  While firewalls and IPS devices help, they were never intended to provide a complete prevention/detection/response solution.

SANS provides an up-to-date list of 20 critical security controls (now at version 4.0).  The downloadable documentation provides guidance on in depth, layered integration of controls necessary to fill gaps left by traditional approaches to minimal security.

Important Announcement for MySQL Users

In Application Security, Data Security on May 15, 2010 at 11:34

According to Open MySQL security holes, the newest upgrade to MySQL plugs three important security holes, among others.

Trojan Defense: Configuring Your SOHO or Personal Infrastructure

In Business Continuity, malware, Patching, Security Management on April 10, 2010 at 08:46
Trojans continue to be a serious Internet threat and arguably the most insidious. As with any malware defense, making the right choices—and teaching users to do the same—is the only effective control. Further, continuous vigilance is required to detect and react to Trojan polymorphism.

The Challenge

Typically, Trojans gain access to a computer to collect data. The data collected are used by the Trojan’s distributor, directly or indirectly, to make money or for other gainful purposes. To achieve fiscal objectives, black hats go to great lengths to surreptitiously deliver their code and keep it secret.

To prevent anti-malware (AM) software from detecting and eliminating Trojans during delivery or implementation, developers are going as far as encrypting questionable payloads. According to a recent Kaspersky Labs Threat Post:

Once the malware is on the machine, anti-malware products may detect it as a malicious file. But this process is much more difficult if the Trojan itself is encrypted. Dmitry Bestuzhev, a malware analyst for Kaspersky Lab in Latin America, has been following the evolution of Brazilian banker Trojans, and has noted a recent change in their sophistication

A new (for Brazil) concept takes place between second and third stages when the Trojan.Downloader downloads and installs the Banker. On the one hand Brazilian coders obfuscate the download links using several techniques and on the other hand now they also crypt the Banker to be downloaded to the system.

It’s a crypted (specially packed) PE file. The coders from Brazil use this technique to prevent an automated malware analysis and monitoring mode by AV companies. This sample downloaded as it is on the server won’t be functional on the user machine unless it’s decrypted. The decryption mechanism in this case is included into the initial Trojan.Downloader, which first downloads malware, and then decrypts it to be able to infect the user machine (Fisher, 2010).

Once a Trojan successfully takes up residence on a computer, it begins collecting banking and other sensitive information for later transmission to its home server. And even if it is detected, cleaning steps short of a complete wipe and replace of all content will likely fail.


Security Tip: Patching must include ALL applications

In Cybercrime, Hacking, Patching on October 6, 2009 at 07:14

Once again, patching isn’t just about plugging holes in Windows.  Most if not all applications have security vulnerabilities if someone looks hard enough.  Up until now, however, finding those vulnerabilities was harder than just whacking the OS.  But Microsoft has settled into a patch release routine that, when followed, pretty well hardens servers and user workstations.  And although there are still vulnerabilities, the level of effort required to find and exploit them has become harder—more difficult than shifting focus to widely installed user applications.

Adobe is experiencing attacker-love now.  They are a good target because their reader is everywhere. 

Adobe’s software has increasingly come under attack in recent years as hackers have come to realize that it can be easier to find flaws in popular software that runs on top of Windows than to dig up new vulnerabilities in the operating system itself.

That’s led to a round of new attacks that exploit bugs in products such as Adobe’s Reader, Apple’s QuickTime, and the Mozilla Firefox browser, for example.

It’s a reality that Adobe Chief Technology Officer Kevin Lynch freely acknowledged Monday in a press conference at the company’s annual Adobe MAX developer conference, held in Los Angeles.

Source:  After attacks, Adobe patches now come faster, Robert McMillan, Computerworld, 6 October 2009

But Adobe isn’t the only end user application on your endpoints.  It’s critical to get ahead of the attack curve by developing an overall patch process today, BEFORE that new user productivity tool becomes a target.

Cloud Computing May Solve Patching Problems…?

In Patching on May 1, 2009 at 11:41

Wolgang Kandek of Qualys is quoted in a TechWorld article as follows:

“We believe that cloud security providers can be held to a higher standard in terms of security,” said Kandek. “Cloud vendors can come in and do a much better job.”

Unlike corporate admins for whom patching was a sometimes complex burden, in a cloud environment, patching applications would be more technically predictable – the small risk of ‘breaking’ an application after patching it would be nearly removed, he said.

Source: Cloud security will supplant patching, says report author, John E. Dunn, Techworld, 1 May 2009

I agree with Kandek’s assertion.  However, cloud computing doesn’t relieve managers from ensuring cloud vendors have a good patch process and that they actually follow it.

%d bloggers like this: