It's that time of year again, as the security industry turns its attention to the looming deadline of September 3 to submit for the prestigious 2011 SC Awards. Heading into its 14th year, the SC Awards continue to be top of mind for security professionals, as some have likened them to the Oscars or Emmys of the security industry.
This year's program is highlighted by 32 categories across the Reader Trust Awards (20), Excellence Awards (5) and Professional Awards (7).
Last year's SC Awards program received over 650 entries, so the competition to take home a prized trophy is fierce. So, what can you do to put your organization's best foot forward to have a chance at being named a finalist or, even better, taking home the hardware as one of the prestigious winners?
To help answer that question and more, we invited SC Magazine's Editor-in-Chief, Illena Armstrong, to the studio at Schwartz Communications, and she was gracious enough to sit down and share her thoughts about the awards and to offer some guidance on best submission tactics. Click on the video below to check out what Illena had to say.
Key Information To Know:
Nomination entry fees:
Reader Trust Awards and Excellence Awards categories are $275 per entry; Professional Awards categories are $200 per entry.
Deadline for nominations:
The deadline for nominations is September 3. However, all nominations received after September 3 will incur a penalty of $115 per entry. Late entries will be accepted until September 10.
Finalists announced:
Finalists in each of the categories will be informed by the SC Magazine staff in the late October-early November timeframe and will be published in the January 2011 issue of SC Magazine.
The Awards Gala:
The winners will be announced at the 2011 SC Magazine Awards U.S. Gala, which will be held on February 15, 2011 in conjunction with the RSA Conference in San Francisco.
Posted by Tim Whitman on August 30, 2010 at 3:11 PM
We have just witnessed the largest security acquisition in history, as Intel has approved the purchase of McAfee for $7.68 billion. To provide some perspective, according to Updata Advisors, the IT security sector has drawn $25 billion in acquisitions since 2004. At first glance, it may not make sense that a hardware company is purchasing a software company. Why McAfee? Why now?
Security threats and vulnerabilities are constantly evolving, which makes it difficult for vendors to accurately predict where they should allocate resources in research and development. In fact, the trend over the past decade has been for many major players to ignore developing niche solutions, preferring to allow entrepreneurs and start-ups to battle over these spaces.
Eventually, emerging threats become mainstream and customers turn to the major vendors for solutions. However, as these vendors often chose to forego R&D into a solution, they must instead purchase it from another company via M&A.
Even in a down economy, we have seen how successful security companies remain. Cyber criminals are more active and increasingly sophisticated than ever before. Over the past two years, web-based attacks increased dramatically. As a result, companies have been forced to put resources into acquiring web-based security, such as Cisco’s acquisition of ScanSafe in 2009.
Today, the Intel-McAfee deal is about the future of computing, primarily cloud computing and virtualization. In this future, security will be embedded directly onto the hardware, possibly even the CPU, in order to realize the benefits of virtualization and cloud computing. When you combine multi-core chips with powerful virtualization and security software, security systems can actually run under the operating system.
As technology evolves, organizations looking to solve cloud computing and virtualization security problems will turn to major vendors. Judging from the Intel-McAfee deal, these vendors will attempt to solve these problems through M&A first and perhaps R&D second. With cloud computing and virtualization becoming ubiquitous, the trend is sure to continue. Who do you think is the next company to get acquired? Which companies need to step up to compete with Intel? Share your thoughts…
Posted by Clinton Karr on August 20, 2010 at 1:58 PM
Cybersecurity and cyber threats are part of our daily lives. Everyone has received some sort of malicious message or has (almost) clicked on a malicious site. Botnets are attacking banks and large corporations. Social engineering techniques are effectively stealing sensitive corporate information from employees who think they are doing good. It’s everywhere.
Most recently, vulnerabilities surrounding SCADA programs have played an increasing role in recognizing the potential dangers of utilizing the Internet for so many daily activities. Just think of Live Free or Die Hard…the fire sale attack. With so many things running on or controlled by the Internet, it’s no surprise people seem to lose sleep at night when they think of the panic that could be caused by someone taking advantage of core systems controlled over the Internet.
The Protecting Cyberspace as a National Asset Act (PCNAA) was proposed to address a national cybersecurity emergency. This Act would give the President authority over the Internet, essentially deciding which private-sector and government networks should be shut down in the event of a cyber attack. A recent amendment to the PCNAA states that the President cannot shut down a sector or network indefinitely, but rather can control it for 120 days, after which time Congressional approval is needed.
For some, this seems like a good idea in the making. For others, this could not be a worse idea.
The Good
Believe it or not, the President already has the authority to take over communications networks as needed, as stated in the Communications Act, Section 706 (the Communications Act of 1934 was amended by the Telecommunications Act of 1996). Section 706, dubbed “War Emergency—Powers of the President,” enables the President to close any facility or station for wire communication and authorize the use of the facility or station by the federal government when presented with the threat of war. This can continue for up to six months after the threat expires, without Congressional approval.
With this existing authority in mind, Senator Joe Lieberman of Connecticut explained that his proposed PCNAA bill would enable the President to respond efficiently to the threat of a cyber attack in the 21st century with a precise defense. Additionally, according to a description of the PCNAA on Joe Lieberman’s website, the PCNAA would prevent the President from over-using the “broad authority” he has over communications networks in the current law.
The Bad
The initial proposal of this bill led many to believe it would enable the President to serve as some sort of “Internet overlord,” an idea that continues to cause discomfort and breed worry in the minds of many. As a post by Adam Cohen in TIME magazine points out:
“Imagine a President misusing this particular power: If the people are rising up against an unpopular Administration, the President could cool things down by shutting off a large swath of the Internet. He could target certain geographical regions (‘We’ve heard enough from New York and California for a while’). Or he could single out particular websites.”
But the biggest problem seems to be that no one really understands what the PCNAA would allow the President, and therefore the government, to do. As Cohen states, the Internet plays such an important role in our daily lives – be it expressing the freedom of speech or running a power grid – it’s a power that shouldn’t be handed over lightly.
The Poll
The Schwartz Security Practice recently conducted an informal poll across our security clients to gather their thoughts on the Internet kill switch debate. Not surprisingly, the majority of comments we received voted strongly against the existence of the Internet kill switch. Here are just a few thoughts:
Tom Kellermann, vice president of security awareness, Core Security Technologies, explained that “ISPs only currently voluntarily cooperate with shutting down malicious IP addresses and their C2s. There needs to be executive authority to thwart these technological attacks against the U.S. This is not a question of whether we should empower the government to turn off the internet, but instead, can the government civilize a hostile cyberspace?”
Paul Kocher, president and chief scientist, Cryptography Research, explained that an Internet kill switch is not workable on either a technical or political level. He explained that the equipment that drives the Internet is designed to be reliable, so creating a large-scale shut-down mechanism creates a host of problems. Some questions he proposed include:
- How would the shut-down messages be broadcast (e.g., presumably “killed” equipment would no longer be forwarding these messages)? How would you test whether it worked? What would you do about existing equipment that doesn’t implement the kill switch?
- How would you inform users about what’s happening? There isn’t any uniformly-supported method by which an ISP (or anyone else) can communicate with any network-connected device or end user. There isn’t a single language spoken by all users, and many embedded devices don’t even have a “user” in the normal sense of the word. Even if you created such a protocol, it’s not clear how you’d prevent the protocol from becoming abused or clogged with spam and advertisements.
- Focusing specifically on the political side, who would control the switch and make decisions about when to use it? I’d recommend the following experiment to anybody in government considering a kill switch mandate: Get 10 large government agencies together and let them pick one agency that will control the “kill switch” for the other nine. They’ll never agree.
Anup Ghosh, founder & chief scientist, Invincea, explained that cooperation in the wild between organized communities is much more prevalent than previously thought. “These communities and major telcos monitor botnets and DDoS attacks so that when a DDoS attack occurs, the telcos cooperate fully to push back on the ISP, registrar or Autonomous System (AS) that is providing service to the offending DDoS hosts. In many cases, they will now support botnet sinkhole efforts to completely take down botnets. In other words, the private sector, along with organizations that monitor these things, is actually working together now to address these issues. So in reality, the potential for abuse probably outweighs any perceived risk of private entities not cooperating.” This echoes thoughts Cohen shared in his TIME magazine post.
Scott Cosby, vice president of products and operations, Invincea, stated “cutting off the internet would have a devastating effect on our country’s ability to function for government, industry and individuals. It strikes me that a more effective approach would be to prepare key defense organizations to function ‘off the grid,’ essentially backup and contingency planning to handle responses to a cyber attack. Flipping that type of switch would do more harm than a targeted attack.”
So where do you stand? Leave your comments below.
Posted by Kristin Forte Allaben on August 18, 2010 at 11:58 AM
It’s that time of the month again, and Microsoft really came out with a bang, releasing a record-breaking number of patches, tying with June for the number of vulnerabilities targeted and also tying with October 2009 for the number of critical bulletins.
In the August 2010 Patch Tuesday release, Microsoft issued 14 bulletins targeting 34 vulnerabilities. Here’s a quick overview of the bulletins:
- Eight bulletins are labeled “Critical”
- Six bulletins are labeled “Important”
- Ten bulletins involve remote code execution
- 18 vulnerabilities have an exploitability index of 1
And now a summary of the August Patches:
- Since the sheer volume of updates and vulnerabilities can be overwhelming, Schwartz client Qualys separated the updates into three groups, identified by vulnerability targets: end-users and Internet browsing, file format vulnerabilities and Windows OS.
- Of the six vulnerabilities targeting end-users and Internet browsing, all are ranked as critical, and four have an exploitability index of 1.
- Silverlight and other media file formats are a key target for hackers due to the increasing use of video, which emphasizes the importance of these updates. In a Computerworld article, Silverlight was said to be installed on approximately 60 percent of PCs, whether users are aware of the installation or not.
- Accompanying the release of the August patches was an advisory that warns of a problem that could elevate user privileges on a PC. The problem affects Windows XP, Vista, Windows 7, Server 2003 and 2008, and impacts the Windows Service Isolation feature.
Reminder!
August is the first cycle of patches to come out after the end of XP SP2 support. It’s important to note that XP SP2 users will still find themselves at risk regarding these vulnerabilities, but now they will be unable to update their systems with the latest round of patches.
Activity Beyond the Patches
The last four weeks have been busy with improvements to the status of vulnerability disclosures within the industry, a topic that has been top of mind in the last few Wednesday Wrap-Up posts. Although many vendors have not agreed to a bug bounty program, new programs in place will force vendors to fix a bug sooner rather than later.
TippingPoint’s Zero Day Initiative is a great step forward for vulnerability disclosures as it gives a firm deadline as to when the vulnerabilities will need to be fixed. According to an article by Elinor Mills, TippingPoint will give vendors six months to fix a vulnerability. If it is not fixed in that timeframe, TippingPoint will release limited details on the vulnerability. Worth noting is that extensions can be granted, but they will be decided on a case-by-case basis.
Is this a trend?
What’s most interesting is that it appears Microsoft is falling into a light-month, heavy-month trend, releasing a few bulletins one month, then a record number of bulletins—targeting double-digit vulnerabilities—the next. There also seems to be potential for an increasing number of out-of-band patches as more vulnerabilities are identified.
It will be interesting to see if this trend continues, especially with the Coordinated Vulnerability Disclosure (CVD) program and Zero Day Initiative in place.
What do you think we can anticipate from Microsoft over the next four weeks?
Posted by Kristin Forte Allaben on August 11, 2010 at 9:18 AM