Sony PlayStation suffers massive data breach

Last month’s Sony PlayStation Network data breach was one of the largest compromises of Internet security ever. With 77 million PSN subscribers’ personal and financial account information exposed to intruders between April 17-19, the incident has the potential to create the greatest credit card fraud to ever hit U.S. consumers and businesses.

To compound the problem, Sony’s decision not to notify customers about the breach for six days after it shut down the hugely popular PSN not only put consumers at a greater risk, but has already resulted in the first of what could be many lawsuits against the electronics giant for alleging negligent security practices, privacy violations and breach of warranty.

In the article, “Suit charges Sony breach caused by poor security,” Sony is accused of violating the Payment Card Industry (PCI) Data Security Standard for failing to implement a proper firewall and to encrypt card holder data. The suit also charges Sony for not informing their customers fast enough about the exposure of their personal account and credit card information, which increased the risk that the compromised data would be misused.

End-user ignorance weakest link in Epsilon security breach

Social engineering attacks are something we are all aware of. We understand cyber criminals target company employees through a number of different social networking sites to exploit vulnerabilities in the corporate system. Despite this knowledge and several warnings about a concerted phishing and hacking attack on the mailing list industry, an ITNews report said it was end-user ignorance that led to last month’s Epsilon security breach.

The big question is did Epsilon take the warnings serious enough to alert and educate end-users about such an attack? Could they have been better prepared to avoid an attack that resulted in millions of customer email addresses of big-name companies like Chase, Citi, Hilton, Eddie Bauer and Target to get in the hands of cyber crooks?

As evolving criminals concoct new schemes to exploit network endpoints, taking proper precautions to ensure every level of your enterprise is educated and adequately trained to avoid being victimized is critical for protecting your business, and the sensitive data of your customers and partners.

U.S. lags in working together to harden civilian infrastructure against cyber attacks

A global survey released in April found that as large-scale denial of service (DoS) attacks increase, the U.S. government lags significantly behind in working closely with private industry on cybersecurity issues compared to other countries.

In the article, “Cyber Threats to Critical Infrastructure Spike,” McAfee and the Center for Strategic and International Studies reported that while cyber threats and vulnerabilities for critical infrastructure have increased, more than 40% of U.S.-based critical infrastructure companies still have no interaction with the federal government on cyber-defense matters. That’s compared to the 5% of Chinese executives who said they had not worked with their government on network security.

“If there is a race among governments to harden their civilian infrastructure against cyberattack, Europe and the United States are falling behind Asia.”

The survey also found that 80% of critical infrastructure companies faced a DoS attack last year, which is a sharp increase from 2009, where almost half of all companies surveyed experienced no DoS attack. Of those that did in 2010, nearly 40% said they saw them monthly.

Survey finds enterprises lack ability to measure security effectiveness

While more organizations are planning and coordinating their security efforts across their security, IT operations and risk management teams, a recent security vendor survey found that improvements in measuring the amount of process coordination that is in place is minuscule, at best.

In the article, “(Slightly) More Organizations Proactively Managing Security Efforts,” a data analysis report by SenSage found that companies that planned and documented process coordination between security, operations and risk managers rose by 5%, from 42% in 2010 to 47% this year. However, despite the year-over-year increases, 53% of organizations are still left with everything from no coordination at all to “reactive triage across teams.”

While these are certainly steps in the right direction, author George Hulme says there’s still work to be done. Additional findings of the report included:

• 65% of enterprises say they have no measurement to benchmark the effectiveness of their security processes, or that this measurement is inconsistent

• 34% of respondents said they have no proactive efforts in place to improve their security processes, or that their improvement efforts have been inconsistent

• As a result of this absence of coordination, measurement, and proactivity, 57% of organizations perceive core areas of security management to be ineffective or “somewhat effective” at best

Thanks for taking the time to read this blog. Each week, I comment on the top stories from the security industry. I encourage your feedback and hope you come back soon.

2010 malware attacks permanently changed the threat landscape

Looking back, 2010 provided a mix bag of intriguing and surprising stories for the IT security industry. In December, SC Magazine put together a list of the year’s top security stories. From the top notable security breaches and network vulnerabilities to the biggest threats and corporate acquisitions, security professionals witnessed a number of incidents that permanently changed the way we approach IT security and protect our vital networks and systems from more targeted attacks.

The good news is the year’s Top 5 threats were no match for CoreTrace’s Bouncer application whitelisting solution. Throughout the year, Bouncer consistently defeated threats such as Stuxnet, Aurora and Zeus by stopping the execution of malicious software from running on protected systems, no matter how the malware was delivered.

Security experts predict more of the same in 2011

Like most security experts this time of year, PCWorld’s Tony Bradley was compelled to provide his thoughts on what 2011 has in store for IT security professionals. His predictions — from the continuing evolution of more precision malware and social engineering scams to the rise of mobile computing and how organizations are scrambling to make sure those platforms connected to their networks aren’t vulnerable to attacks — were representative of what others are saying.

While it’s true nobody has a crystal ball, others are getting more precise with their glimpse into the future. McAfee and PandaLabs both believe that as Mac users grow, botnets and trojan attacks against Mac platforms and devices will become more commonplace in 2011. But like all predictions, the only true indicator is time. Like many, we will continue to keep a watchful eye on these important security trends into the new year.

Malware attacks on the rise despite ubiquity of anti-malware solutions

In December, a survey revealed that more than two-thirds of organizations have seen the number of infections due to malicious software increase over the past year. While 98% of respondents use defenses such as antivirus and anti-malware solutions, expenses and impact on productivity seem to hinder the deployment of new defenses.

Despite these challenges, both the economy and modern threats have IT managers adopting technologies that are easier to manage, cost less overall, and consolidate anti-malware defenses. Leading application whitelisting solutions such as CoreTrace’s Bouncer combine application whitelisting for malware prevention and more traditional antivirus as a cleanup tool to remove pre-existing malicious applications. In doing so, companies can improve the visibility over their endpoint environment without impacting system performance or end-user productivity.

Regulatory compliance hogs security pros’ attention

Does it seem like meeting industry regulations takes up the majority of your work week? If so, you’re not alone. According to a recent study, “2010 Vulnerability and Management Trends Report,” one out of every two IT security professionals spend 50% of their work week adhering to regulatory compliance objectives such as PCI guidelines, SOX, and healthcare-related mandates.

The survey also found that 73% of respondents have deployed as many as 100 applications, 75% of which are Microsoft applications. While the report stated that Microsoft applications “continue to place the most impact on organizations when it comes to security, regulatory compliance and configuration management,” alternative solutions like CoreTrace’s Bouncer application whitelisting provide effective, time-saving approaches to ensure the integrity of important transactions and documents that are critical to meeting a broad range of security mandates.

Thanks for taking a few minutes to read this month’s top endpoint security stories. I look forward to discussing these and other important security topics throughout 2011.

“The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.”

This is an important step forward for organizations who must meet PCI Data Security Standards (DSS) to prevent malware on their endpoints. Many recent attacks that have led to card holder data theft have involved a wide blend of techniques that featured placing malware on servers and other endpoints. This was certainly the case in the recent data breach involving the Heartland data breach where a variety of malware, backdoors, and packet sniffers were placed on key systems and resulted in the loss of over 130 million credit card numbers.

Application whitelisting would have gone far to thwart these types of threat. By restricting applications that are authorized on a given system, it removes the threat of a hacker using an unpatched vulnerability to place malicious code on the system because that code will not be allowed to run.

We applaud the PCI Security Standards Council for taking this step and moved their standard officially forward to address the serious threat of malware on endpoints. This is something that standards like NERC-CIP have also embraced and will certainly be more prevalent in the future. We are happy to see that our call to action in our recent post “Time For an Update of PCI Anti-Virus Requirements: Take a lesson from NERC CIP” has come to pass so quickly.

Nearly 80 percent of retailers and organizations that handle credit card transactions have been hit with a data breach, but more than 70 percent still don’t consider security strategic to their operations, according to a new report released today.

This apparent incongruity has more to do with organizations accepting a certain level of risk with doing business on the Internet, says Brian Contos, chief security strategist at Imperva, which commissioned the 2009 PCI DSS Compliance Survey conducted by the Ponemon Institute.

“Roughly 30 percent take [PCI security] seriously,” Contos says. “And the others see it as a check box.”

Despite the fact that 80 percent of retailers have experienced a data breach, only 70 percent consider security strategic to their operations and only 30 percent take PCI security seriously. The question is, is this an indictment of the retailers or the PCI standards themselves?

It doesn’t help that there have been a number of data breaches in the news recently where the victim was fully PCI compliant. In fact, Robert Carr, the CEO of Heartland, the company that was a victim of a data breach that exposed over 100 million credit cards, slammed both his auditors and PCI standards in a recent interview:

What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?
Carr: “The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

How did the QSAs respond when you expressed this view?
Carr: “In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process. PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.”

A key to this story is something that everyone should understand. PCI Compliant doesn’t mean you are secure. Carr stating that a company the size of Heartland didn’t understand this is questionable in my opinion, but the failure of their auditors to expose known vulnerabilities with clear fixes is a problem as well.

The PCI guidelines simply provide a minimum framework for establishing a secure environment. It is up to the company to provide the appropriate people and processes to support their technology investments to create a secure environment.

The culprit? Unauthorized code on their servers resulted in the exposure of the credit card data. Despite the protections employed to protect the card data on servers, they were done in by simple malware on a system in their infrastructure.

The exposure experienced by Network Solutions is not unique. One of the greatest threats to any company connected to the Internet is the prevalence of malware and the number of systems that belong to botnets. We recently blogged about two botnets formed by the new clampi trojan and the older conficker malware. Unfortunately, traditional blacklist antivirus technology is no longer capable of preventing infection and standards that target the protection of critical assets ought to take that into account.

To that extent, I would like to contrast the two requirements mandating system security in PCI DSS relative to those in NERC CIP. NERC CIP requirements calls for security that can detect, prevent, deter, and mitigate malware. The actual R4 requirement from NERC-CIP 007 is shown here:

• R4. Malicious Software Prevention – The Responsible Entity shall use antivirus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
• R4.1. The Responsible Entity shall document and implement antivirus and malware prevention tools. In the case where antivirus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
• R4.2. The Responsible Entity shall document and implement a process for the update of antivirus and malware prevention “signatures.” The process must address testing and installing the signatures.

PCI on the other hand does not have this granularity and focuses instead solely on the use of antivirus. Here is the relevant PCI requirement mandating the use of antivirus:

• 5.1. Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
• 5.1.1. Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious software.
• 5.2. Ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs.

The security of the systems in an organization’s IT infrastructure remains one of the greatest challenges to providing strong security. Application whitelisting’s purpose in life is to prevent unauthorized code from residing on critical assets. It’s time for organizations to start thinking about how they can proactively protect these devices instead of simply providing a checkbox for antivirus. Let us know what you think in the poll above.