Without further delay, here are the stories that caught my eye in November:

• Apple issues a massive security patch of its own – In November Apple issued a patch that fixed 58 holes as reported by Threatpost. The days of Apple being immune to security compromise are over. The combination of phishing and browser based attacks should make Mac users concerned and will soon drive security solutions adoption on those systems.
• Microsoft is back with it’s own large security patch – Microsoft fixed 15 separate vulnerabilities with 6 security updates in November. This is the same old story as previous months, but at least it wasn’t the record 13 updates hit in October.
• Microsoft reported an increase in worm infections, but decrease in scareware antivirus – Worm infections were up over 98% since the last Microsoft Security Intelligence report and it appears that Conficker bears a good part of the blame. Researchers believe that it is still being spread by USB keys with autoexecute capabilities. Scareware numbers are down where a user is tricked into visiting a site that says they are infected and then prompted to download “protection” from the malware.
• More news of botnet operators utilizing social networks to avoid detection – Searchsecurity.com reported that botnet writers are turning to Google and social networks. Popular social networking sites like Facebook and Twitter are increasingly prominent in security news for both spreading infection and providing a means of command and control for organized malicious software writers.
• Four people were sentenced in the UK for attacks on online banks – This is something I would like to see more of. It is a rare occurrence when cyber criminals are actually tracked down and brought to justice. Last month four individuals who were syphoning money from online accounts were caught and sentenced.
• CSO online had a nice detailed story about the fight against botnets – CSO published a nice seven page story about the individuals and organizations who research and combat botnets. It’s an interesting and informative read.
• Windows 7 is revealed to have flaw that allows DoS attacks – A flaw in the OSs Server Message Block (SMB) could be used to crash the system and could be activated when a user visits a malicious website.

There were several other interesting stories, but the fact remains that endpoints are under attack and we are in a continual catch up game with our current endpoint security.

As people search for alternatives, application whitelisting has moved to the front as the most promising technology to address today’s endpoint security failures. That said, as with any new technologies, there are challenges to be addressed. With whitelisting, this can include how to properly baseline an existing system that may be infected, as well as how to managed updates and changes to applications. Another challenge with whitelisting systems is how to address attacks that target applications that are whitelisted with memory based attacks.

Attacks that inject code into existing processes in memory can bypass most of today’s whitelisting solutions (not to mention almost all blacklist based ones) and is an important consideration for companies considering moving to application whitelisting. Ideally, a whitelisting solution should be able to look at all running processes and track the originating binary application rather than associating it to the application that loaded it. On our site, we provide a demonstration of how these attacks can work, to take advantage of a browser application for example, and explain the approach we take to stop these attacks.

Protection from these types of attacks are particularly important on servers that tend to run continuously and rarely are restarted. Single purpose machines, point of sales systems, SCADA systems and other servers are especially attractive targets for memory based attacks.

The discussion has already begun. Companies are very seriously looking at how application whitelisting can be added to their endpoint security strategy. Be sure you don’t neglect protecting against attacks that target active processes in memory.

Nearly 80 percent of retailers and organizations that handle credit card transactions have been hit with a data breach, but more than 70 percent still don’t consider security strategic to their operations, according to a new report released today.

This apparent incongruity has more to do with organizations accepting a certain level of risk with doing business on the Internet, says Brian Contos, chief security strategist at Imperva, which commissioned the 2009 PCI DSS Compliance Survey conducted by the Ponemon Institute.

“Roughly 30 percent take [PCI security] seriously,” Contos says. “And the others see it as a check box.”

Despite the fact that 80 percent of retailers have experienced a data breach, only 70 percent consider security strategic to their operations and only 30 percent take PCI security seriously. The question is, is this an indictment of the retailers or the PCI standards themselves?

It doesn’t help that there have been a number of data breaches in the news recently where the victim was fully PCI compliant. In fact, Robert Carr, the CEO of Heartland, the company that was a victim of a data breach that exposed over 100 million credit cards, slammed both his auditors and PCI standards in a recent interview:

What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?
Carr: “The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

How did the QSAs respond when you expressed this view?
Carr: “In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process. PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.”

A key to this story is something that everyone should understand. PCI Compliant doesn’t mean you are secure. Carr stating that a company the size of Heartland didn’t understand this is questionable in my opinion, but the failure of their auditors to expose known vulnerabilities with clear fixes is a problem as well.

The PCI guidelines simply provide a minimum framework for establishing a secure environment. It is up to the company to provide the appropriate people and processes to support their technology investments to create a secure environment.