The IT Security Attaché

In today’s world of technology, you’re under attack from multiple angles, products, solutions and people, yes, people, even those you may know. The threat from known and trusted sources is ever increasing because of the simple fact that because I know you I will trust that what you’re sending me is legitimate. This is a very bad analogy and one that only lead to serious issues because you never know if the message, file, document or link was intentionally sent from the person rather than an infected system being operated by a bot master.

When an infected system gets to this level where it is sending out invites, notices, links and other kind of communications from your PC, the end user is at the mercy of their common sense in thinking of whether or not to open and use it. This presents many problems for the end user because this could come to you in the form of many things, all of which are valid resources that you may normally use.

Let’s take a quick look at a few of the top ones.

Web browsing – quick, simple and easy to infect by drive-by-downloads. One of the fastest growing trends of infection today is the use of websites for infection. A drive-by-download is when you visit a website that has been infected with malicious codes and by simply viewing it the code is downloaded onto your system and builds itself into a threat. Because of its simplicity, there have been drastic increases in the number of infections from drive-by-downloads that are even bypassing anti-virus solutions and making a successful hit on the system. Many will not even know when they are hit because the payload and production is done behind the scenes and is totally transparent to the user.

Are you running the latest version of the browser?
What kind of threats am I exposed to by using this browser?
Does it have a history of successful exploits and if so, am I vulnerable to them and how can I fix them?
When was the last time you checked if you are running the latest updates, patches and fixes for your web browser?
Is the browser configured for optimal use and security while browsing the internet?
These are basic questions you should be asking yourself.

While this is a major issue today, many people still get caught up in the discussion of browser security and what is best, better, more secure or even more vulnerable. My word to you today is, all systems, applications and browsers are vulnerable if not properly patched, secured and used efficiently. Many systems are running vulnerable applications that a hacker or malicious piece of code has many entry points to be successful in hitting a mark. Many users are running security solutions that are outdated, unpatched and expired that it is scary to think they are comfortable with these things.

Email – an infected system is used to send messages to everyone in your address book pointing them to a website they need to visit that is riddled with threats of all sorts. This is one of the easiest forms of compromise because everyone knows that you should not accept emails with attachments from anyone you don’t know much less to get it from someone you know.

So what do you do when you receive an email from someone you know, love, trust and/or do business with?

So I just guaranteed myself that you will visit the link in the email because you’re thinking that it’s legit/ok and because there are no attached files in the message what are the chances of a risk, hmm, much more than you think. Drive-by-download is the fastest and most successful form of attack because of its simplicity. Most people today are not running a security solution that provides web filtering and web browser security and so the traffic goes unchecked. So as simple as that, you visit this website and because your anti-virus solution is not able to detect and block these attacks you’ve now been owned.

IM (Instant Messaging) – a growing trend that is easily exploited and with major impacts because a worm hijack the IM application and start sending out messages as if it was the user sitting at the PC doing it. So you have 200 contacts in your IM list and they are all vulnerable due to you being infected with this worm that is spreading from your PC.

Will you know this is happening?
Maybe, or maybe not depending on how you manage and maintain your system. Maybe one of your contacts will say, hey, I got this message from you to look at some pics on a website but when I went there nothing happened, it was a blank page with an error on it.

Hey, guess what, you’ve just given your friend the threat or exposed them to it unbeknownst to them. This is such an easy method of infection that it’s unnerving.

Storage and media players – now here’s one of my favorite. The use of storage devices like USB flashes drives.
Who doesn’t have one today?

They are so prevalent because of the low cost, ease of transporting, size and high storage that you can get them any and every where you go today. It is a very nice giveaway at an event where the host wants you to have the information or handouts in a soft copy. Go to any tech store or even online today and you can get a 4GB drive for under $20 and in some cases even under $10.

Media players – through the sharing of media files such as avi, mp3s and mp4, threats are easily slipping through the anti-virus systems and successfully attaching to the systems and causing all kinds of damage. One must be very cautious when it comes to sharing files such as mp3, avi and other media containers.

Back in the day we used to think of an infection as an application that has to be run (some still do today), while that was true then for most of the threats out there, it is certainly a different ball game today. You don’t have to run anything to get an infection, simply viewing a website/page is enough to cause a world of pain. Yet, unchecked, old systems with old scanning functions are being used to ward off these new threats and type of attacks.

Back in the day we used to think of email being just text messages, today email is the primary delivery mechanism for audio, video, text and many of today’s critical threats that propagate through the wires.

We need to get rid of the old mindset of thinking and wake up to a new and more sophisticated level of warfare that we would never send our children into but has come into our homes and is right there in front of our families.
We need to rise above the decadent levels of omission where one is exempt from high level meetings, discussions and events because they do not meet certain requirements, but are adversely affected and impacted by these same issues. None should be omitted as the omitted can be your weakest link or area of vulnerability.
We need to start thinking of threats as the new form of invasion from known and trusted sources. You are just as much at risk as anyone else and the threats does not care who, what, why or where you are online, you are at war now stand up and fight by educating yourself, being aware of the threats/risk and arming yourself with the proper solutions to protect you.

These are some of the needed education and awareness that we should be exposing our children and youths to today as they are as much involved as those of us in the workforce and industry.

Thank you and have a great day,

~Brett A. Scudder~

Good day to you,

I would like to take this opportunity to share some very critical information with the self employed and home based business owners about the state of The IT Security Threats Landscape ~TITSTL~ and how it affects you. This is a discussion I have every day as more and more people in these categories are finding out the real effects and impacts of these threats are not excluding them and that they fall very much into the mix of it. As the economy tightens its grip on our lives, those who are being laid off are turning to home based and self employed business thus sparking an increased growth in this area of business. The SMB space has grown tremendously since his recession and to that end has become a serious security issue for us security professionals as we look across the IT Security Threats Landscape horizon.

Therefore, the reality of the issue must be faced thus bringing the question of, what am I to do about it.

I have published numerous articles on these threats, preventative measures and how to deal with the security issues of today and tomorrow on my blogs but I am going to do this as a summary of those here.

First let me say this, if it requires a security patch (let’s just keep it at security for now), it is vulnerable.

What does this mean?

Simple, any operating system, Microsoft, Mac, Linux, Solaris, you name it, that requires a security patch for any reason is vulnerable. The patch is to prevent exploit of the vulnerability right so it is a security risk.

I had to get that out of the way so that we wouldn’t get into the ridiculous argument of which is more secure than the other. The way I see it is simply that, if a door is left open for anyone to come through it, the length of time left open versus the threat that comes through it is just as critical. So, any open door is a threat no matter where. What comes through it may differentiate the severity. They all have their insecurities at some point but how the vendor/developer addresses it lessens the impact and wide scale visibility of the issue. While some may announce these vulnerabilities and findings, other may patch/update them behind the scenes thus limiting the visibility and knowledge of the user.

Second, anti-virus alone is NOT going to protect you from the threats of today. It takes a multi-layered approach and as such, the various layers of protection must be enforced. So telling yourself that you have anti-virus protection on your PC is being as naïve as saying the threats doesn’t affect me and i’m not worried about them. While it is true that most anti-virus vendors are bundling multiple threat protection/prevention layers into their solutions, the proper configuration becomes the caveat to that solution. While many deploy with an out of the box config, there will be tweaks needed to customize it to your environment and needs. So one must understand what is being deployed and if it will provide the layers of protection needed.

So why is IT Security so serious for me as a self employed or home based business?

Well, ask yourself these questions,

What is it that you do and how do you do it?

Do you use email?

Do you send emails to customers/clients/partners/associates/potential clients?

Do you leverage the powers of social networking/media (Twitter, LinkedIn, MySpace, Facebook, Ning and the list goes on) today?

Do you use IM for personal and/or business use?

Do you browse the internet for data/information on whatever you’re working on or researching?

Do you do online banking or shopping?

Do you download multimedia contents from the web (music, movies, flash videos, etc)?

Do you download online presentations (PDF, PowerPoint)?

Did you know that PDF files presented one of the biggest security risks over the past 2 years but is the most widely distributed online document format?

Do you have a printer or some media player connected to you system(s) at home or in the office?

Do you have any applications running on that system aside from the operating system?

Do you know of the Breach Notification Law in your state and what it means for you?

When was the last time you downloaded a keygens or crack file to open full access to that app or game you really wanted but didn’t want to buy/pay for?

Maybe you didn’t crack/keygen it but someone did and opened a backdoor which planed a rootkit or some nefarious threats on your system(s). What happens when you use that for business purposes, what are you spreading to those you collaborate with?

Well by now i’m sure you’ve caught my drift and I don’t have to get technical for you to see how you’re affected. All these questions pose security risks in various ways and are able to be stopped, prevented and protected if the proper education, awareness and measures are put in place. Don’t ask if you’re affected or if I should be taking these things seriously, you must. You are as much a risk to me as I am to you if the proper steps are not implemented to secure your system and the data/information you have sitting on it about me, you and those you collaborate with.

That system is being used for personal and business use and at some point the access to/from or by a threat is heightened because of the lack of separation of the two. A system that is used by everyone in the home should not be the same used for doing your business. When someone in the home decides to crack that app and opens that backdoor, you’ll never know what can come through it and what your risk factor will be or are. Separate the two, business is business and personal is personal. The cost of a system today is much more affordable than a few years ago so it shouldn’t be a problem to get an extra one.

You are not a small business because you have 5 people working for you. You are not a small business because you only have 5 computers in your office or where you decide to conduct your business. To me as a security professional you are not a small business (home based or in an office) when you have records/information and access to 5000 people. A doctor who has an office with 5 employees and 8 systems managing 4000 patients’ info is not a small business in my eyes. If you’re a consultant running your own business and you manage systems or information for your clients you’re now there biggest risk because it’s your responsibility to control that. Every PC must be secured whether it is connected online or not as you never know if/when it will cross the line. This is how I see security.

When you decide to start doing business today you must consider the role you play with those in which you will be doing business and the kinds of interaction you will have with them. When sending an email from an infected system (whether you did or the resident worm) it is still coming from you and the possible effect on the recipient(s) can be adverse which may lead to legal issues.

When using social network can enhance your presence and what you do significantly, it is also an area of heightened risk both personally and professionally. Know the need and use it accordingly. Social networks are the future of collaboration but one must decide why the need and create the separation. If it’s for personal use one should always remember the impact on themselves as they are now putting themselves out there to the world. If for business, one should decide on how they want to be seen and what they would like the world to know about them and what they do. Social networking is a great thing to have and use, it’s the management and control of that presence that matters. The threats people face on social networks are the same they would face outside of it but just through a different medium. Educate yourself on these things and you will be ok.

As for the Breach Notification Law, most people didn’t even know of such laws about digital contents and its security. I strongly suggest you take a look at the law of your state and understand the legal and financial issues it presents for you. Learn it, know it, and understand it. If in doubt, reach out.

The active Conficker worm should be enough of an eye opener for you and if you don’t know what it is then you may have bigger problems that I thought. Security is not just about you, it’s about your way of life today both on and offline. I am not here to scare you but it is better to know before than after as the damage control, legal and financial issues after the fact is much worse and a very daunting issue.

As for the online scams, phishing and SPAM, it is only going to get worse and until you educate and make yourself more aware of and about them, you may fall victim to them as they are craftier than ever.

Ok so I have chatted enough and now you’re saying this is too much so I will leave a few articles of reference.  Feel free to contact me if you’d like to discuss further and in more details.

The Conficker Worm – my review

A grim day for browser security at hacker contest

State Security Breach Notification Laws as of December 16, 2008 and the Conficker worm

IT Security Education and Awareness 04-09 #1 – IT Security is a people problem, not an industry one

Apple Mac users warned of web-based malware threats RSPlug-F Mac Trojan horse distributed via HDTV website

TITSSN leverages the Twitter network for critical alerting, notification and network happenings (meetings and events) as of April 1st 2009

Security/Privacy Awareness 03-09 #1 – Do you understand the breach notification law is in your country/state, do you know what it means, all are affected.

Thank you and have a great day,

~Brett A. Scudder~

The IT Security Attaché

The Conficker Worm – my review

There have been many articles, reviews, information and posting about the Conf*ker as many people have started calling it. Depending on who you talk with you can replace the * with anything that suits your feelings towards it. The most interesting thing about this threat isn’t the fact that it’s neither a new one nor a new attack form, it’s the same old attackers doing the nefarious things they do but with a bit more sophistication. For me as an IT guy looking at all this, i’m getting the wow factor from some of the new developments and traits of the threat. So my take today will not be to overwhelm you with all the techno jargon and high level breakdown of the threat but just to speak on it in the most basic form so that even those who are non technical can grasp the severity of it.

So here goes.

If you get infected with the Conficker worm you’re screwed. Bottom line.

If this is a system that is on a business network it must be removed, quarantined, disinfected by any means necessary. Take no chances with this threat.

Get my drift?

Is this basic enough to understand?

Ok, let’s take it from another angle.

This worm is a blended (virus, worm, rootkit, botnet, adware, malware and the what else factor) threat in a blended threat with blended characteristics. It’s like catching a cold and getting a headache, ear ache, stomach ache, backache and chest pains all in one. It starts with a simple cold but quickly spreads to other critical areas of the body causing serious effects and harm. This threat is in a class by itself as it deploys various additional agents around the system that causes complete successful removal to be unclear.

If you have been infected with the worm you’re only real option is to completely wipe the system. Unplug, power down, power drain, complete power loss to all storage capacities of the system. This is a very serious threat.

As for those who have been asking about which anti-virus solution is best to protect against this, there isn’t one. Anti-Virus alone is not going to protect you from this threat and the blended effects. It will take a number of things to make this happen and here’s my list.

1.      System must be fully patched from all angles, the operating system, the applications, services, devices and drivers. When patching the Microsoft Windows operating system many people have auto update enabled but in different settings. Some have alert me of new updates but never apply the new updates. Some have it set to download and wait for my approval and they never approve the installation of the updates. Some have it set to download and install all updates. This is a good option to have. When patching the OS one must be prudent so as not to only apply critical patches but all software, severe and high updates as well. So I recommend if you’re doing the built in auto update please use the download and apply all. If doing it manually do a custom update which will reveal all the patches and updates needed.

2.      Anti-Virus alone will not protect you from this worm and most of the new threats in the IT Security Threats Landscape today and tomorrow. The need for an anti-malware solution is critical to combine the protective layers of web/content filtering, IDS/IPS, anomaly/heuristics based detection, network and proactive threat protections. This is a backup to the patching already performed on the system. A fully patched system can still be compromised if a targeted malicious code is allowed to reach it.

3.      Common sense if the name of the game and the winner of all security practices. Adding to the patching of the system and having the needed security solution comes the best practice of all, the user’s common sense in using the system effectively. As the person using the system one needs to pay very close attention to details in their messaging, web browsing and IM practices. Opening emails from known and unknown sources requires due diligence in thinking about the nature of the message, the contents and what is its relevance to you. A message from a known source may not have been sent by them but could have been the result of an infection on their system(s). This is the same for email and IMs. There are many IM worms that will hijack your IM client and send out messages to everyone in your contact list pointing them to a website for them to get a drive-by-download. Many people think very little of web based attacks while they are the fastest growing today because of the ease of infection and the delivery of the payload.

4.      User education and awareness. This is a very critical issue as many seem to think that these issues are a corporate or industry problem. When a threat like Conficker goes into the wild it is not targeting specific systems in specific industries only, it is doing a general attack across all systems within its path. IT Security is a people problem and we are all in its path whether we like it or not and no matter what OS vendor platform you’re on/running.

5.      Enable your built in firewall or get a third party one to put up some form of perimeter defenses.

6.      There are security suite solutions that bundles multiple security technologies and features in one suite. That may be a more viable option for you because of the integration and management options.

The fact of the matter is, we have these issues at the level they should have been years ago, in the media and across all industries as a people problem, not an industry one. I take the same approach to Conficker as I do to rogue Anti-Virus 2008/9 threat, if detected, wipe, clean, rebuild, reimage.

This isn’t something to play around with what is or if it is cleaned. The only way to be sure is to wipe it all out.

Thank you and have a great day,

~Brett A. Scudder~

The IT Security Attaché

Hey guys,

I just got final confirmation from Mr. Evan Fromberg, Director of Sales, Channel Partners at Fortinet, that they will be presenting their new FortiOS version 4 to us at our local group meeting in NYC on April 9^th at 6pm. He and his engineer will be there to present the OS and answer our technical questions. Sweet, i’m excited.

FortiOS provides the foundation for the operation of all FortiGate appliances, from the core kernel functions to the security processing feature sets. FortiOS provides multiple layers of security for a variety of applications and content including Web, Email, FTP, IM/P2P, NNTP, and others. The main security features of FortiOS include Firewall, Virtual Private Networking (IPsec and SSL VPN), Antivirus, Intrusion Prevention, Web filtering, and Antispam.

With the release of FortiOS 4.0, Fortinet has redefined network security again by extending the scope of consolidated security and networking capabilities within FortiGate® multi-threat network security platforms. With over 40 new features, FortiOS 4.0 delivers on its mission to enable secure business communications while offering the best security, performance, and total cost of ownership possible.

New in FortiOS 4.0

WAN Optimization
WAN optimization provides acceleration for applications traversing slower network connections – which are typically WANs. The combination of multi-threat security, traffic optimization, and VPN technologies provides cleaned, accelerated, and secured communications.

Application Control
Application control uses our dynamic application identification engine that recognizes applications based on their behavior. By coupling application control policies with sophisticated security features, administrators can achieve comprehensive protection with granular and more meaningful policies.

Data Leakage Prevention (DLP)
DLP uses a sophisticated pattern-matching and regular-expression engine to identify then prevent the communication of sensitive information outside of the network perimeter. In addition, DLP technology also provides audit trails for data and files, which can aid in legislative compliance.

SSL Inspection
SSL inspection ensures protection from malware infection that is camouflaged by secured protocols, allowing the FortiGate to decrypt the data passing through the SSL-encrypted connection. Once decrypted, the data can be passed to FortiOS security engines for inspection.

More info on the new OS here http://www.fortinet.com/products/fortios/.

Registration is open here http://www.clicktoattend.com/invitation.aspx?code=137146 and the meeting page will be available with details shortly.

Many thanks to Mr. Fromberg for accepting my invite/request and I look forward to the meeting.

~Brett A. Scudder~

IT Security Attaché

Good day to you,

So it’s another day in the box and now i’m looking at either hiring a few people or just cloning myself. So much to do, so much need, so much to lead/plan on, feeling quite happy and comfortable with myself.

Today I plan to finish up two project plans and get a few people involved. I have to start working on the office and restructuring it for opening up to training and development sessions over the next few months. I’m also opening up my security operations to the general public so they can see some of the technology and things we have going on here. I have a few vendors who are asking me to test and show off a few products and solutions so they will come in handy as well.

I have a few voicemails so will check on those today. I didn’t see any known or important numbers so this must be new connections which are always a good thing. Will reply and then cut the lines again. One never realize how much of an intrusion the ringing of a phone is until you turn it off for a day and feel the peace and calm it does for you. Wow, such subtle serenity is priceless. Bring on the IM, emails and txt messages.

So, do I clone myself or just try and find a few good people to help me with all this work I have on my plate, hmm, I ponder.

Anyway, it’s back to work and I hope I can finish up by tomorrow (which looks very much possible).

I am in need of someone with good web graphics designing skills in Flash to help me with the SecuriCity. There are a few things I want to do with it that i’m not skilled on. We’ll see what happens.

BTW. I have a Facebook fan page here http://www.facebook.com/pages/The-IT-Security-Attache/38575323030?ref=mf for those who are on that network and would like to follow my work.

Have a great day and I thank you for your support here on my blogs and for my organization.

~Brett A. Scudder~

The IT Security Attaché