Showing posts with label Baselines.

Office of the Secretary of Defense Calls for Emphasis on Detection and Response

Anthony Di Bello

This week, in response to the OPM breach, Chris Carpenter, the Security Director at the Office of the Secretary of Defense called for an emphasis on detection and response capabilities.

The reason, Carpenter noted, is that there is a clear window of opportunity within which to find attackers inside the network and cut off their access before they have a chance to exfiltrate data. This is backed up by the fact that the vast majority of breach disclosures note that the attackers had been inside for a period of time prior to the data exfiltration.

The OPM Breach: What Went Right

Michael Harris

Today the national and federal press announced a “massive” breach of federal personnel data housed at the Office of Personnel Management (OPM) within the Department of Homeland Security (DHS). Following an earlier breach discovered in March 2014, the breach is said to have exposed the personally identifiable information (PII) of up to four million federal employees. The Washington Post reported that U.S. officials suspect the Chinese government to be behind the attack, which represents “the second significant foreign breach into U.S. government networks in recent months.”

The Heartbleed Bug: Proof of the Open-Source Concept

Jason Fredrickson

So the Heartbleed bug within OpenSSL has caused a big ruckus this week. OpenSSL is one of the most widely used encryption software programs on the planet, and rightly so. This means that most of us (we billions of users of some of the most highly trafficked and trusted retail, search, and web services sites) may have unwittingly allowed our passwords and other sensitive information to be compromised within the last couple of years or so with absolutely no idea that this was happening.

So how did this vulnerability go undetected for the past year and a half by the legions of volunteer experts who have access to the code? Isn't open-source software meant to be more secure because it has such unlimited availability for review by the best of the best?

In a word, yes.

Using EnCase Analytics to Visually Scan for Signs of the Microsoft Word 2010 Exploit

Alfred Chung

Yesterday, Microsoft issued Security Advisory 2953095 to announce a vulnerability in Microsoft Word 2010 that could allow remote-code execution, “…if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

Why Signature-Based Cyber-Defenses are Bound to Fail

Sam Maccherola

You will never see an alert from your security information and event management (SIEM) tool for a zero-day attack. There is no signature in your blacklist for the malware that was custom-built for your organization and secretly colonized your mail server a month ago. No indicator, no pattern match, no alert.

Why is this the case? Because malware is constantly morphing, and because the sophisticated and dedicated minds under those black hats are working night and day to design a data breach specifically for each organization they decide to invade. When it hits you, it will be the first time its signature has ever been seen.

RDP Hacks: Thwarting the Bad-Guy Network

Jason Fredrickson

Brian Krebs of Krebs on Security just posted an article on RDP hacks that exploit weak or default login credentials, and goes on to describe how that provides the basis for a cybercrime business. His article explains that Makost[dot]net rents access to more than 6000 poorly configured and, therefore, compromised Remote Desktop Protocol (RDP)-enabled servers around the globe. As Krebs says, “…the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password.” It’s a classic brute-force attack and it’s aimed directly at an extremely weak target.

Many people on first reading this would consider this capability a “vulnerability” of Windows, but that’s like saying that an automated teller machine (ATM) has a “vulnerability” that allows you to get cash from your bank account. It’s a feature of the operating system, and Windows is not alone in exposing functionality like it.