<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; Cristian Florian</title>
	<atom:link href="http://www.gfi.com/blog/author/cristian-florian/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 10 Feb 2012 17:18:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Can Companies Defend Against Targeted Attacks? (Part 2)</title>
		<link>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=companies-defend-targeted-attacks-part-2</link>
		<comments>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-2/#comments</comments>
		<pubDate>Tue, 01 Mar 2011 18:41:25 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security attacks]]></category>
		<category><![CDATA[security threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3155</guid>
		<description><![CDATA[In the previous post I wrote about the interesting questions raised due to the hacking of IT security firm HBGary. What should we learn from this incident? So, going back to HBGary &#8211; why were they apparently so easy to &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="barbed wire" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/barbed-wire.jpg"><img class="alignright size-medium wp-image-3152" style="margin: 10px; border: 0px solid black;" title="barbed wire" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/barbed-wire-300x225.jpg" alt="" width="300" height="225" /></a>In the previous post I wrote about <a href="http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/" target="_blank">the interesting questions raised due to the hacking of IT security firm HBGary</a>. What should we learn from this incident?</p>
<p>So, going back to HBGary &#8211; why were they apparently so easy to hack?</p>
<p>It is not because they have no clue about security, but rather because they underestimated the risks. When:</p>
<ul>
<li>you are an IT security company</li>
<li>your customers are governmental institutions or huge enterprises that are very sensitive to bad press</li>
<li>you start a war with hackers</li>
</ul>
<p>… you need to drastically raise your security level.</p>
<p>Ok, but how high?</p>
<p><span id="more-3155"></span>If they had not been vulnerable to that SQL injection, had used only highly secure passwords and had their systems fully patched, would that have been enough? The answer is yes for most companies, but probably not for HBGary.</p>
<p>Why is that? Because (judging by their actions) Anonymous seemed to have both the desire and the resources to raise the bar to a much higher level too. It would probably have been harder for them, but when they were able to combine social engineering with SQL injection, password cracking and exploitation of missing security updates, I don’t see any reason why they would not have been capable of subtler social engineering or of finding and using 0-day exploits.</p>
<p>A lot of companies would not be able to successfully defend against such an attack, but the truth is that the risk of facing such aggressive actions is minimal for the large majority of companies.</p>
<p>HBGary got in trouble because they started a war with an enemy that proved to be much stronger than they thought. But what are the chances of an average company being targeted? A common mistake that leads to the underestimation of risks is to think that you are too small or too unimportant to get attention and become a target. Again, the key is the balance between security enforcement and the potential damage a security breach will cause.</p>
<p>Of course, companies like Amazon or Apple have much more valuable data than a small local shop. But they also have more powerful security systems. Breaking into them is extremely difficult, requires a lot of resources, and the risk of being caught is high. If the security of the local shop is almost nonexistent, then it is probably a more attractive target than these big companies are, because hackers will get decent earnings with low effort and low risk. If the local shop raises its security a bit higher, it will probably reach the point where hackers decide it is not profitable for them to waste time and resources attacking it.</p>
<p>What are the critical points to consider when building your defense?</p>
<p>You are only as secure as your weakest point, so it is crucial to concentrate on all aspects of security:</p>
<ul>
<li>Restrict physical access</li>
<li>Build the security software infrastructure</li>
<li>Create and enforce security policies</li>
<li>Train your people on how to apply these policies and how to avoid being tricked through social engineering.</li>
</ul>
<p>People are an important part of the equation and probably the most difficult to deal with. Even if your security policies are sound, and they are correctly applied by all employees, it is virtually impossible to know and control what happens when your employees are at home. Nobody can stop them from publishing data on social networks which could compromise your security; nobody stops people from reusing the super secure passwords they use at work on a dubious site that can be very easy to hack.</p>
<p>To maximize correct usage and acceptance of security policies, people need to clearly understand why the policies are necessary, and policies need to be designed to interfere minimally with the normal workflow. Keeping the <a href="http://www.gfi.com/blog/security-usability-finding-balance/">balance between security and usability</a> is very important. Unnatural, hard-to-apply security policies are among the worst things that can happen to a company from a security point of view, because they give a false sense of security while in reality people will find ways to bypass them.</p>
<p>Companies want their employees to use secure passwords, but very few of them teach people techniques for generating secure passwords that are easy to remember. So they may end up with an environment vulnerable to social engineering simply because administrators have become used to password reset requests and will not react when asked for a dubious one.</p>
<p>Other risks that are hard to foresee and control are the vulnerabilities in the applications used in the business environment. The most secure approach to this is to isolate the computers from the rest of the world by restricting online access; however, this is not always possible. To mitigate the risks you need to be selective about which applications are allowed in the business environment and make sure they are fully patched.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Can Companies Defend Against Targeted Attacks? (Part 1)</title>
		<link>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=companies-defend-targeted-attacks-part-1</link>
		<comments>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/#comments</comments>
		<pubDate>Thu, 24 Feb 2011 16:10:36 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security attacks]]></category>
		<category><![CDATA[security threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3151</guid>
		<description><![CDATA[The story with all the interesting details about how security company HBGary was hacked earlier this month, published by Ars Technica last week, has made quite some noise with people concerned about IT security. It is a perfect – by &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="barbed wire" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/barbed-wire.jpg"><img class="alignright size-medium wp-image-3152" style="margin: 10px; border: 0px solid black;" title="barbed wire" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/barbed-wire-300x225.jpg" alt="" width="300" height="225" /></a>The story with all the interesting details about how security company HBGary was hacked earlier this month, published by <a href="http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/">Ars Technica</a> last week, has made quite some noise with people concerned about IT security. It is a perfect – by the book – example of how to find and use weaknesses in a security system to bypass it.</p>
<p><span id="more-3151"></span>In short, what happened is the following: the CEO of HBGary Federal wanted to increase publicity around his company by exposing the real identities of the leaders of a well-known group of hackers called Anonymous. For this he infiltrated their IRC chat rooms and researched profiles on social networks like Facebook, LinkedIn or Twitter. When he thought that he had found what he was looking for, he started to make noise about his achievement by publishing articles in newspapers, setting up meetings with the FBI and revealing his true identity to Anonymous. This made the group of hackers very angry, and their response was devastating for HBGary, which had its servers broken into, its email messages published on the Internet and its websites hacked. Additionally, the results of the research that generated all this trouble were revealed to be unreliable.</p>
<p>The next, equally bad or even more disastrous, hit for HBGary was the detailed story presented by Ars Technica, in which Anonymous revealed how they managed to bypass HBGary’s security. And what is shocking is how easy it seems to be to penetrate the security of a company that is, after all, an expert in security.</p>
<p>The story raises a lot of questions:</p>
<ul>
<li>Why was their security so weak? Aren’t security companies supposed to know how to defend against these types of attacks?</li>
<li>Would better security really have saved them? Or would the attackers have adapted and used more ingenious ways to get in?</li>
<li>How likely is this to happen to a small or medium-sized company? While you can imagine it happening to big players like Microsoft or Google, can it happen to small companies that did not upset the “wrong guys”?</li>
<li>How prepared are companies for targeted attacks? How many of them would remain standing after such an assault?</li>
</ul>
<p>An important thing to mention is that the standard suite of security software (firewall, antivirus, antispyware, anti-spam, anti-phishing, patch management, etc.) does a decent job of stopping 99% of attacks: the non-targeted ones – the pieces of malware that randomly scan the Internet for vulnerable machines and infect them, the emails with malicious attachments or links to dangerous sites, the sites that imitate well-known services to trick you into giving up your passwords, etc. These tools are indispensable against targeted attacks too, but there things are much more complex and they are far from enough.</p>
<p>What can be done to ensure security that is good enough? (Good enough is the most you can get; there is no such thing as a perfect security system.)</p>
<p>It is extremely important to keep the security system’s defenses aligned with the potential damage that a security breach will cause.</p>
<p>For a small startup that is still in its early stages, with just a few computers, it usually makes no sense to invest massively in security. This is not only because the costs will kill the business faster than any hacker, but also because the company simply doesn’t have enough valuable assets to make the effort worthwhile. However, as the company starts to have a history, it also starts to have more and more sensitive data: financial data, customers’ and partners’ data, development strategies, etc. Now it becomes more dangerous to lose data or to have confidential data stolen.</p>
<p>The key is to keep the balance between security enforcement and the risks that usually increase over time, and this is the point where a lot of companies fail. Some common reasons for this are:</p>
<ul>
<li>The company is not aware of the risks simply because they don’t have the necessary expertise to evaluate them.</li>
<li>The risks are underestimated. In this case the security enforcement is seen as an unnecessary cost.</li>
<li>The company is aware of the risks and their efforts in the area give them a false sense of security, while they actually have a problem in applying policies.</li>
</ul>
<p>Usually a security incident is what makes these companies realize where they really stand.</p>
<p>In the second part of this series I’ll talk about <a href="http://www.gfi.com/blog/companies-defend-targeted-attacks-part-2/" target="_blank">what happened to HBGary and what we should learn from it</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Top Most Vulnerable Applications and Operating Systems in 2010</title>
		<link>http://www.gfi.com/blog/top-vulnerable-applications-operating-systems-2010/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-vulnerable-applications-operating-systems-2010</link>
		<comments>http://www.gfi.com/blog/top-vulnerable-applications-operating-systems-2010/#comments</comments>
		<pubDate>Thu, 17 Feb 2011 11:33:51 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[IE vulnerability]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security patches]]></category>
		<category><![CDATA[security vulnerabilities]]></category>
		<category><![CDATA[Vulnerable Applications]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3130</guid>
		<description><![CDATA[Analyzing the data on 2010 from National Vulnerability Database reveals some interesting statistics. This is the list of the top most targeted applications in 2010: As more and more businesses and applications are moving to the web, browsers are the &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="data analysis" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/data-analysis.jpg"><img class="alignright size-medium wp-image-3135" title="data analysis" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/data-analysis-300x199.jpg" alt="" width="240" height="159" /></a>Analyzing the 2010 data from the <a href="http://nvd.nist.gov/" target="_blank">National Vulnerability Database</a> reveals some interesting statistics.</p>
<p><span id="more-3130"></span>This is the list of the most targeted applications in 2010:</p>
<p style="text-align: center;"><a class="lightbox" title="Table 1" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/Table-1.jpg"><img class="aligncenter size-full wp-image-3131" title="Table 1" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/Table-1.jpg" alt="" width="541" height="308" /></a></p>
<p>As more and more businesses and applications are moving to the web, browsers are the favorite targets for hackers and security researchers. These are followed closely by Adobe tools, Microsoft Office, RealPlayer and Java Runtime Environment.</p>
<p>The most targeted operating systems in 2010 are the following:</p>
<p style="text-align: center;"><a class="lightbox" title="Table 2" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/Table-2.jpg"><img class="aligncenter size-full wp-image-3132" title="Table 2" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/Table-2.jpg" alt="" width="542" height="230" /></a></p>
<p>Microsoft still remains the preferred target when talking about operating systems, followed, very far behind, by Linux, Apple Mac OS X and Cisco IOS.</p>
<p><a class="lightbox" title="Pie Chart" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/Pie-Chart.jpg"><img class="aligncenter size-full wp-image-3133" title="Pie Chart" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/Pie-Chart.jpg" alt="" width="391" height="255" /></a></p>
<p>From the data above we can see that 75% of vulnerabilities target applications, 18% operating systems and 7% hardware devices (i.e., Cisco). This means that patching only Microsoft products is not enough. Adobe products, web browsers and the Java Runtime Environment are the minimum set of other applications that must be monitored closely to ensure they are always fully patched for adequate security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-vulnerable-applications-operating-systems-2010/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Patching Season?</title>
		<link>http://www.gfi.com/blog/patching-season/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=patching-season</link>
		<comments>http://www.gfi.com/blog/patching-season/#comments</comments>
		<pubDate>Thu, 16 Dec 2010 12:46:55 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Headline]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft Exchange]]></category>
		<category><![CDATA[Microsoft Office]]></category>
		<category><![CDATA[Microsoft SharePoint]]></category>
		<category><![CDATA[Microsoft Windows]]></category>
		<category><![CDATA[patch management]]></category>
		<category><![CDATA[security patches]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3086</guid>
		<description><![CDATA[The holidays are coming with a large number of security updates releases from vendors. So far this month we already have the following important updates: Google Chrome version 8.0.552.215 was released on 2nd December with 13 security fixes, 4 of &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="patching" href="http://www.gfi.com/blog/wp-content/uploads/2010/12/patching.jpg"><img class="alignright size-medium wp-image-3087" style="margin: 10px;" title="patching" src="http://www.gfi.com/blog/wp-content/uploads/2010/12/patching-300x200.jpg" alt="" width="300" height="200" /></a>The holidays are coming with a large number of security update releases from vendors.</p>
<p>So far this month we already have the following important updates:</p>
<ul>
<li><a href="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">Google Chrome version 8.0.552.215</a> was released on 2<sup>nd</sup> December with 13 security fixes, 4 of them rated high severity.</li>
<li><a href="http://support.apple.com/kb/HT4447">Apple QuickTime version 7.6.9</a> has been available since 7<sup>th</sup> December. It contains 15 security fixes, 14 of them labeled as critical.</li>
<li>Yesterday Mozilla released <a href="http://www.mozillamessaging.com/en-US/thunderbird/3.1.7/releasenotes/">Thunderbird versions 3.0.11/3.1.7</a>, addressing 3 critical security issues, and <a href="http://www.mozilla.com/en-US/firefox/3.6.13/releasenotes/">Firefox 3.5.16/3.6.13</a> with 11 security fixes, of which 10 are rated critical or high severity.</li>
</ul>
<p><span id="more-3086"></span></p>
<p>Oracle has released <a href="http://www.oracle.com/technetwork/java/javase/6u23releasenotes-191058.html">Java 6 update 23</a>, but this is a non-security update.</p>
<p>This week we had the biggest Microsoft Patch Tuesday ever. 17 new security bulletins were released, 16 of them labeled as critical or important. This is an all-time record for Microsoft. The following Microsoft products are affected:</p>
<ul>
<li>Microsoft Windows</li>
<li>Internet Explorer</li>
<li>Microsoft Office</li>
<li>Microsoft SharePoint</li>
<li>Microsoft Exchange</li>
</ul>
<p>More details are available <a href="http://www.microsoft.com/technet/security/bulletin/ms10-dec.mspx">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/patching-season/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>5 Benefits of Automating Patch Management</title>
		<link>http://www.gfi.com/blog/5-benefits-automating-patch-management/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=5-benefits-automating-patch-management</link>
		<comments>http://www.gfi.com/blog/5-benefits-automating-patch-management/#comments</comments>
		<pubDate>Thu, 25 Nov 2010 15:18:21 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[patch management]]></category>
		<category><![CDATA[security patches]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3037</guid>
		<description><![CDATA[In a previous article I wrote about software patches and why relying on auto updating systems of individual applications is not a practical solution for corporate networks. You need a patch management solution for proper patch management. But what are &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="patch management 2" href="http://www.gfi.com/blog/wp-content/uploads/2010/11/patch-management-2.jpg"><img class="alignright size-medium wp-image-3038" style="margin: 10px;" title="patch management 2" src="http://www.gfi.com/blog/wp-content/uploads/2010/11/patch-management-2-300x200.jpg" alt="" width="300" height="200" /></a>In a previous article I wrote about <a href="http://www.gfi.com/blog/automate-patching-party-applications-gfi-languard/" target="_blank">software patches and why relying on auto updating systems of individual applications is not a practical solution for corporate networks</a>.</p>
<p>You need a patch management solution for proper patch management. But what are the benefits of automating patch management for these companies?</p>
<p><span id="more-3037"></span></p>
<h2>1. Security</h2>
<p>Security is the most obvious reason why companies would want to have an automated patch management solution in place. One of the main reasons why software vendors release new patches is to fix security vulnerabilities that can be exploited by malicious software or by people intending to damage the IT systems or network.</p>
<p>Applying security patches in a timely fashion greatly reduces the risk of having a security breach and all the related problems that come with it, like data theft, data loss, reputation issues or even legal penalties.</p>
<h2>2. Company Productivity</h2>
<p>An efficient system which deploys patches network-wide helps to improve the productivity of the company in many ways. Often patches come with performance improvements for the products they apply to, or fix crashes. Helping employees get rid of these issues will lead to a productivity boost. The improved security also helps productivity. In the majority of cases the worst effect of malware is not the theft of sensitive company data, but rather the downtime that badly affects productivity. The effect varies from congested networks or slowed-down systems because of malware activity, to breakdowns of business-critical applications, to systems which are totally compromised and need to be reinstalled from scratch.</p>
<h2>3. IT Department Productivity</h2>
<p>Productivity gain is easily measured within the IT department. You just need to ascertain how many people and working hours are required to patch the systems manually, and how much you save by using software that automates the process. In fact, for companies that have more than 20-25 computers in their network, the headaches and time required to perform manual patching are so high that, if the company does not have a solution to automate patch management, they probably do not do it at all or it is limited to critical servers only.</p>
<h2>4. Compliance</h2>
<p>Recently, compliance has become an important driver for companies to implement a patch management solution. More and more laws and regulations impose security best practices on companies, and having systems fully patched is one of the most important security rules.</p>
<p>Government institutions, companies offering financial services and healthcare organizations are among the most affected by these regulations, but the trend is that all companies will need to be secure enough to protect the privacy and data of their employees, customers and partners.</p>
<p>Here is a list with some of the most important standards related to IT infrastructure security: Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes–Oxley Act (SOX), Gramm–Leach–Bliley Act (GLB/GLBA), Federal Information Security Management Act (FISMA), Family Educational Rights and Privacy Act (FERPA), Government Connect Secure Extranet &#8211; Code of Connection (GCSx CoCo).</p>
<p>Failure to comply can result in losing opportunities, incurring legal and financial penalties or even losing your business.</p>
<h2>5. Keep Up with New Features</h2>
<p>Patches can contain new features, adding new functionality or extending support for additional platforms. For organizations this often translates into opportunities to improve or extend their services.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/5-benefits-automating-patch-management/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Top 15 Most Vulnerable Applications</title>
		<link>http://www.gfi.com/blog/top-15-vulnerable-applications/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-15-vulnerable-applications</link>
		<comments>http://www.gfi.com/blog/top-15-vulnerable-applications/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 11:40:30 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[GFI Fixes It]]></category>
		<category><![CDATA[GFI LANguard]]></category>
		<category><![CDATA[patch management]]></category>
		<category><![CDATA[security vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2784</guid>
		<description><![CDATA[Top 15 Most Vulnerable Applications Which were the most vulnerable applications in the first half of 2010? Below are the results after processing vulnerability data feeds as of July 7, 2010 from National Vulnerability Database (NVD), which is the U.S. &#8230;]]></description>
			<content:encoded><![CDATA[
<p>Which were the most vulnerable applications in the first half of 2010?</p>
<p>Below are the results after processing vulnerability data feeds as of July 7, 2010 from the National Vulnerability Database (NVD), which is the U.S. government repository of standards-based vulnerability management data:</p>
<p style="text-align: center;"><a class="lightbox" title="Table" href="http://www.gfi.com/blog/wp-content/uploads/2010/07/Table1.jpg"><img class="size-full wp-image-2786 aligncenter" style="margin-top: 10px; margin-bottom: 10px;" title="Table" src="http://www.gfi.com/blog/wp-content/uploads/2010/07/Table1.jpg" alt="" width="471" height="400" /></a><span id="more-2784"></span></p>
<p>Interesting highlights and remarks:</p>
<ul>
<li>Web browsers top the list: they hold the first four places. Other popular targets are Adobe products, the Java Runtime Environment and Microsoft Office.</li>
<li>Arguing about which browser is the most secure makes little sense on these numbers alone: every one of them had a large number of new vulnerabilities, and a raw count says nothing about how many were exploitable in practice or how quickly they were patched. A browser used by only a few people may attract less attention from attackers, but many sites will not work on it, simply because most developers only test against the most widely used browsers.</li>
<li>Adobe, Microsoft and Mozilla have the most products in the top 15:
<ul>
<li>Adobe – 5 products</li>
<li>Microsoft – 3 products</li>
<li>Mozilla – 3 products</li>
<li>Oracle – 2 products</li>
<li>Apple – 1 product</li>
<li>Google – 1 product</li>
</ul>
</li>
</ul>
<p>According to NVD, new security vulnerabilities are published at a rate of about 16 per day. Vendors therefore have to <a href="http://www.gfi.com/blog/gfi-languard-adds-applications-patch-management-list" target="_blank">release a lot of security updates</a> to keep their products secure, and a vulnerability management tool like GFI LANguard can be very helpful in keeping up with them. Currently LANguard can automate patching for 11 of the 15 products listed above. Here is the full list of supported non-Microsoft products.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-15-vulnerable-applications/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>GFI LANguard adds new applications to its patch management list</title>
		<link>http://www.gfi.com/blog/gfi-languard-adds-applications-patch-management-list/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=gfi-languard-adds-applications-patch-management-list</link>
		<comments>http://www.gfi.com/blog/gfi-languard-adds-applications-patch-management-list/#comments</comments>
		<pubDate>Mon, 26 Jul 2010 16:30:23 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[GFI Fixes It]]></category>
		<category><![CDATA[GFI LANguard]]></category>
		<category><![CDATA[patch management]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2779</guid>
		<description><![CDATA[Apple QuickTime, Adobe Air and Opera Browser among the New Applications That Can Be Patched Using GFI LANguard GFI LANguard 9.5 was launched at the end of May with a new and very important feature for people working in the &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="install" href="http://www.gfi.com/blog/wp-content/uploads/2010/07/install.jpg"><img class="alignright size-medium wp-image-2780" style="margin: 10px;" title="install" src="http://www.gfi.com/blog/wp-content/uploads/2010/07/install-299x300.jpg" alt="" width="239" height="240" /></a><a href="http://www.gfi.com/lannetscan" target="_blank">GFI LANguard 9.5</a> was launched at the end of May with a new and very important feature for people working in the network security area: patch management for non-Microsoft applications.</p>
<p>The aim is to detect, download and deploy missing updates network-wide from a central location, covering the major vendors of applications that are widely deployed in corporate environments. Such applications get a lot of attention from attackers and therefore need security updates frequently.</p>
<p>The enhancement saves a network administrator a lot of time: patching each machine individually is impractical even on relatively small networks of 20-100 machines. To get an idea of the amount of work involved, it is enough to look at some of the updates released last month (June 2010):</p>
<p><span id="more-2779"></span></p>
<ul>
<li>Microsoft
<ul>
<li>One Microsoft Silverlight update (June 3rd)</li>
<li>10 security bulletins on Patch Tuesday (June 8th)</li>
</ul>
</li>
<li>Mozilla
<ul>
<li>Two Firefox updates (Firefox 3.6.4/Firefox 3.5.10 and Firefox 3.6.6)</li>
<li>Two Thunderbird updates (Thunderbird 3.0.5 and Thunderbird 3.1)</li>
</ul>
</li>
<li>Adobe
<ul>
<li>One Flash Player update (Flash Player 9.0.277.0/Flash Player 10.1.53.64)</li>
<li>One Reader update (Reader 8.2.3/Reader 9.3.3)</li>
<li>One Acrobat update (Acrobat 8.2.3/Acrobat 9.3.3)</li>
</ul>
</li>
</ul>
<p>That is a total of 18 updates from Microsoft, Mozilla and Adobe alone. Other vendors (e.g. Apple) released security updates too. It becomes extremely hard to keep up with them.</p>
<p>So far, besides Microsoft security updates, LANguard 9.5 could be used to patch popular applications from Adobe (Flash Player, Acrobat Standard and Professional, Reader and Shockwave Player), Mozilla (Firefox and Thunderbird) and Oracle (Java Runtime Environment).</p>
<p>As of July 13, 2010 the following applications have been added to the supported list:</p>
<ul>
<li>Apple QuickTime</li>
<li>Adobe Air</li>
<li>Adobe Acrobat Professional Extended</li>
<li>Opera Browser</li>
</ul>
<p>The <a href="http://kbase.gfi.com/showarticle.asp?id=KBID003469" target="_blank">complete list of supported applications is available</a>. Stay tuned however as new applications will be added to the list soon!</p>
<p>If you would like us to consider additional applications for patch management you can <a href="mailto:FeedbackLNSS@gfi.com" target="_blank">submit a request</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/gfi-languard-adds-applications-patch-management-list/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Automate Patching of Third Party Applications Using GFI LANguard™</title>
		<link>http://www.gfi.com/blog/automate-patching-party-applications-gfi-languard/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=automate-patching-party-applications-gfi-languard</link>
		<comments>http://www.gfi.com/blog/automate-patching-party-applications-gfi-languard/#comments</comments>
		<pubDate>Wed, 26 May 2010 07:30:05 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[GFI Fixes It]]></category>
		<category><![CDATA[GFI LANguard]]></category>
		<category><![CDATA[patch management]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2158</guid>
		<description><![CDATA[Why is proper patch management crucial for your network security? Patches are released by software vendors usually to address security issues or to provide bug fixes. Occasionally they enhance or add new features. Software security vulnerabilities are the most common &#8230;]]></description>
			<content:encoded><![CDATA[<h2>Why is proper patch management crucial for your network security?</h2>
<p><a class="lightbox" title="Patch Management Updates" href="http://www.gfi.com/blog/wp-content/uploads/2010/04/Patch-Management-Updates.jpg"><img class="alignright size-medium wp-image-2160" style="border: 0pt none; margin: 10px;" title="Patch Management Updates" src="http://www.gfi.com/blog/wp-content/uploads/2010/04/Patch-Management-Updates-300x200.jpg" alt="" width="240" height="160" /></a>Software vendors release patches mainly to fix security issues and other bugs; occasionally a patch also enhances or adds features.</p>
<p>Software security vulnerabilities are the most common way for malware to get into your network. Antivirus solutions detect and remove malware once it is already on a system; security patches close the doors that malware uses to reach the system in the first place.</p>
<p><span id="more-2158"></span></p>
<p>The large majority of security vulnerabilities can be fixed by applying the latest patches provided by software vendors, and we would never have heard of a lot of well-known malware if patches had been applied in time. For example, the <a href="http://www.gfi.com/blog/conficker-airbase-hospital-near-you/" target="_blank">Conficker worm</a> was first discovered in November 2008 and kept spreading throughout 2009, infecting an estimated 9 to 15 million computers worldwide, even though Microsoft had released the patch (MS08-067) for the vulnerability it exploited in October 2008!</p>
<p>A proper patch management system, one that ensures the latest security patches are applied across your network in time and with minimal effort, is therefore extremely important. To borrow an analogy from the automotive industry: applying the latest patches is to network security what replacing worn brake pads is to driving safety, a maintenance task that costs some time and money, while skipping it ends in damage that costs far more of both.</p>
<h2>Why use <a href="http://www.gfi.com/lannetscan" target="_blank">GFI LANguard</a>?</h2>
<p>Microsoft and other software vendors have auto-update mechanisms (like Windows Update) designed to help users apply the latest patches. This works fine for home users or for a network of 3-5 computers.</p>
<p>In larger networks, however, there are several reasons that make this impractical. Administrators have no overview of which patches were installed on which machines, they are not notified about update failures, and they cannot control which patches will be applied and which will not. Patches can have bugs, or the tightened security can stop some applications from working, so it is important to install them in a test environment and confirm that business-critical applications still work before deploying them to production.</p>
<p>Windows Server Update Services (WSUS) is a free Microsoft product that helps administrators manage Microsoft updates in their network. With it, administrators decide which updates are deployed, when, and to which machines, and they can view the patching status of each machine on the network. The patches are also downloaded only once for the entire network and stored in a central repository.</p>
<p>The weak points of WSUS are that it only installs on Windows Server, it is fairly involved to install and configure, and it only supports Microsoft updates.</p>
<p>GFI LANguard is straightforward to install, configure and get running. It installs on both servers and workstations and can be used to deploy Microsoft updates as well as custom software and scripts.</p>
<p>GFI LANguard 9.5 adds an important new patch management feature: built-in support to automatically detect, download and deploy patches for non-Microsoft applications. A single central console manages security patches for all Microsoft products as well as patches from other vendors such as Adobe, Mozilla and Oracle (and the list of supported products is continuously being expanded).</p>
<p>Moreover, GFI LANguard is more than just a patch management tool. It also provides full vulnerability assessment and network and software auditing, acting as a virtual security consultant for your network.</p>
<p><a href="http://www.gfi.com/pages/gfilanguardlvl100.asp" target="_blank">Click here to view GFI LANguard in action</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/automate-patching-party-applications-gfi-languard/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Vulnerability Related Standards</title>
		<link>http://www.gfi.com/blog/vulnerability-related-standards/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=vulnerability-related-standards</link>
		<comments>http://www.gfi.com/blog/vulnerability-related-standards/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 13:16:50 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[CVE]]></category>
		<category><![CDATA[CVSS]]></category>
		<category><![CDATA[OVAL]]></category>
		<category><![CDATA[security vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1350</guid>
		<description><![CDATA[Security vulnerabilities in software applications are the most important factor that helps malware to spread. The number of known vulnerabilities is increasing every day. Vulnerability databases like National Vulnerability Database, SecurityFocus or Secunia publish thousands of new vulnerabilities each year. &#8230;]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: normal; font-size: 13px; "><a class="lightbox" title="Vulnerability Related Standards" href="http://www.gfi.com/blog/wp-content/uploads/2009/10/Vulnerability-Related-Standards.jpg"><img class="alignright size-medium wp-image-1352" style="margin: 10px;" title="Vulnerability Related Standards" src="http://www.gfi.com/blog/wp-content/uploads/2009/10/Vulnerability-Related-Standards-200x300.jpg" alt="" width="140" height="210" /></a>Security vulnerabilities in software applications are the most important factor that helps malware to spread. The number of known vulnerabilities is increasing every day. Vulnerability databases like <a href="http://nvd.nist.gov/">National Vulnerability Database</a>, <a href="http://www.securityfocus.com/">SecurityFocus</a> or <a href="http://secunia.com/">Secunia</a> publish thousands of new vulnerabilities each year. </span></p>
<p>The chart below will help getting an idea about the numbers we are talking. It shows how many new vulnerabilities have been registered by CVE starting with 1999 until 2008. Basically in the last three years there were around 7000 new vulnerabilities each year.</p>
<p><span id="more-1350"></span></p>
<p style="text-align: center; "><a class="lightbox" title="Vulnerability Related Standards" href="http://www.gfi.com/blog/wp-content/uploads/2009/10/Florian-graph.JPG"><img class="size-medium wp-image-1351 aligncenter" style="margin-top: 10px; margin-bottom: 10px;" title="Vulnerability Related Standards" src="http://www.gfi.com/blog/wp-content/uploads/2009/10/Florian-graph-300x187.jpg" alt="" width="300" height="187" /></a></p>
<p>Because of these numbers, detecting and fixing vulnerabilities is an extremely difficult task. Tools like <a href="http://www.gfi.com/lannetscan">GFI LANguard</a> try to automate the job for network administrators. Their functionality relies heavily on the industry standards established for vulnerability management, so when dealing with vulnerabilities it is important to know a bit about the most common standards related to them.</p>
<h2><a href="http://cve.mitre.org" target="_blank">Common Vulnerabilities and Exposures (CVE)</a></h2>
<p>Common Vulnerabilities and Exposures is the most widely used standard for referring to a specific vulnerability. In practice it assigns a unique name (a CVE Identifier, for example CVE-2008-4250 for the vulnerability exploited by Conficker) to each vulnerability, making it easier to identify an item and to gather more information about it from different sources.</p>
<h3><strong>About CVE (excerpt from the official site):</strong></h3>
<p><em>Common Vulnerabilities and Exposures is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.</em></p>
<p><em>CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.</em></p>
<p><em>CVE is:</em></p>
<ul>
<li><em>One name for one vulnerability or exposure</em></li>
<li><em>One standardized description for each vulnerability or exposure</em></li>
<li><em>A dictionary rather than a database</em></li>
<li><em>How disparate databases and tools can &#8220;speak&#8221; the same language</em></li>
<li><em>The way to interoperability and better security coverage</em></li>
<li><em>A basis for evaluation among tools and databases</em></li>
<li><em>Free for public download and use</em></li>
<li><em>Industry-endorsed via the CVE Editorial Board and CVE-Compatible Products</em></li>
</ul>
<p>CVE is maintained by <a href="http://www.mitre.org/">The MITRE Corporation</a> and it is sponsored by the <a href="http://www.us-cert.gov/">National Cyber Security Division</a> of the <a href="http://www.dhs.gov/">U.S. Department of Homeland Security</a>.</p>
<h2><a href="http://oval.mitre.org" target="_blank">Open Vulnerability and Assessment Language (OVAL)</a></h2>
<p>OVAL is an XML-based language for representing, in a structured way, the checks (e.g. file versions, registry values) that need to be performed on a system to determine whether a vulnerability is present. An OVAL-compatible tool takes vulnerability tests written in OVAL as input and determines whether the vulnerabilities are present on the scanned systems.</p>
<h3><strong>About OVAL (excerpt from the official site):</strong></h3>
<p><em>Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.</em></p>
<p>OVAL Website and OVAL Repository are hosted by <a href="http://www.mitre.org/">The MITRE Corporation</a>. OVAL is sponsored by the <a href="http://www.us-cert.gov/">National Cyber Security Division</a> of the <a href="http://www.dhs.gov/">U.S. Department of Homeland Security</a>.</p>
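<p>As an added, simplified illustration (this is not code from the post, nor an implementation of the real OVAL schemas, which are namespaced and far richer): the Python below parses an OVAL-style document in which a definition's criteria reference file tests, each tying a file object to a version state, and evaluates it against a constructed inventory of installed file versions. The definition, the ids, the paths and the version numbers are all made up for the example.</p>

```python
"""Toy evaluator for a simplified OVAL-style definition (example only)."""
import xml.etree.ElementTree as ET

# Constructed, simplified OVAL-like content: a definition whose criteria reference
# tests; each test ties an object (a file path) to a state (a version constraint).
# Real OVAL uses namespaced schemas and many more test types; this is an illustration.
DEFINITION_XML = """
<oval_definitions>
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability">
      <metadata><title>Example: outdated reader or browser plugin</title></metadata>
      <criteria operator="OR">
        <criterion test_ref="oval:example:tst:1"/>
        <criterion test_ref="oval:example:tst:2"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <file_test id="oval:example:tst:1" check="all">
      <object object_ref="oval:example:obj:1"/>
      <state state_ref="oval:example:ste:1"/>
    </file_test>
    <file_test id="oval:example:tst:2" check="all">
      <object object_ref="oval:example:obj:2"/>
      <state state_ref="oval:example:ste:2"/>
    </file_test>
  </tests>
  <objects>
    <file_object id="oval:example:obj:1"><path>C:\\Program Files\\Reader\\reader.exe</path></file_object>
    <file_object id="oval:example:obj:2"><path>C:\\Windows\\System32\\plugin.dll</path></file_object>
  </objects>
  <states>
    <file_state id="oval:example:ste:1"><version operation="less than">9.3.3</version></file_state>
    <file_state id="oval:example:ste:2"><version operation="less than">10.1.53.64</version></file_state>
  </states>
</oval_definitions>
"""

OPERATIONS = {
    "less than": lambda a, b: a < b,
    "less than or equal": lambda a, b: a <= b,
    "equals": lambda a, b: a == b,
    "greater than": lambda a, b: a > b,
}


def parse_version(text):
    """Turn '10.1.53.64' into a tuple of ints so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def evaluate_test(test, objects, states, inventory):
    """A file_test is true when the file exists and its version satisfies the state.
    inventory maps an absolute path to the installed version string (constructed data)."""
    path = objects[test.find("object").get("object_ref")].findtext("path")
    version_el = states[test.find("state").get("state_ref")].find("version")
    installed = inventory.get(path)
    if installed is None:
        return False  # file absent: this check cannot match
    compare = OPERATIONS[version_el.get("operation", "equals")]
    return compare(parse_version(installed), parse_version(version_el.text))


def evaluate_criteria(node, tests, objects, states, inventory):
    """Recursively combine criterion results with the node's operator (AND/OR)."""
    results = []
    for child in node:
        if child.tag == "criterion":
            results.append(evaluate_test(tests[child.get("test_ref")], objects, states, inventory))
        elif child.tag == "criteria":
            results.append(evaluate_criteria(child, tests, objects, states, inventory))
    return all(results) if node.get("operator", "AND") == "AND" else any(results)


def evaluate_definitions(xml_text, inventory):
    """Return {definition id: True if the host matches (is vulnerable)} for every definition."""
    root = ET.fromstring(xml_text.strip())
    by_id = lambda section: {el.get("id"): el for el in root.find(section)}
    tests, objects, states = by_id("tests"), by_id("objects"), by_id("states")
    return {
        d.get("id"): evaluate_criteria(d.find("criteria"), tests, objects, states, inventory)
        for d in root.find("definitions")
    }


# Constructed inventories standing in for what a scanner would collect from a host.
VULNERABLE_HOST = {
    "C:\\Program Files\\Reader\\reader.exe": "9.3.2",
    "C:\\Windows\\System32\\plugin.dll": "10.1.53.64",
}
PATCHED_HOST = {
    "C:\\Program Files\\Reader\\reader.exe": "9.3.3",
    "C:\\Windows\\System32\\plugin.dll": "10.1.53.64",
}

if __name__ == "__main__":
    for name, host in (("vulnerable host", VULNERABLE_HOST), ("patched host", PATCHED_HOST)):
        print(name, evaluate_definitions(DEFINITION_XML, host))
```

<p>Running the script reports the first host as matching the definition (its reader is below 9.3.3) and the second as clean. A real scanner collects the inventory from the target itself and consumes definition content from a repository such as the OVAL Repository; the point of the format is that the checks are data, so a new definition needs no new scanner code.</p>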
<h2><a href="http://www.first.org/cvss/" target="_blank">Common Vulnerability Scoring System (CVSS)</a></h2>
<p>The number of known vulnerabilities is very large, but not all of them are equally dangerous. Some are easy to exploit and grant the attacker full privileges on the vulnerable system, while for others it is impossible to write a general exploit, or the probability of meeting the environmental conditions that make the vulnerability exploitable is extremely low. It is crucial to know which vulnerabilities have the most significant impact in order to prioritize what to fix first. This is where CVSS helps: it is a standard for rating vulnerabilities based on their characteristics and impact.</p>
<h3><strong>About CVSS (excerpt from the official site):</strong></h3>
<p><em>CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.</em></p>
<p>CVSS is maintained by <a href="http://www.first.org/">FIRST.org, Inc.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/vulnerability-related-standards/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security and Usability: Finding the Right Balance</title>
		<link>http://www.gfi.com/blog/security-usability-finding-balance/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=security-usability-finding-balance</link>
		<comments>http://www.gfi.com/blog/security-usability-finding-balance/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 08:23:25 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UAC]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=367</guid>
		<description><![CDATA[Determining the fine line between security and usability is a hard task for everybody involved in IT security, from software developers to network administrators. The lack of balance between these two items is one of the main reasons that can &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Security and Usability in the workplace" href="http://www.gfi.com/blog/wp-content/uploads/2009/07/Security-and-Usability.jpg"><img class="alignright size-medium wp-image-375" style="margin: 10px;" title="Security and Usability in the workplace" src="http://www.gfi.com/blog/wp-content/uploads/2009/07/Security-and-Usability-300x283.jpg" alt="" width="192" height="181" /></a>Determining the fine line between security and usability is a hard task for everybody involved in IT security, from software developers to network administrators. The lack of balance between these two items is one of the main reasons that can make a security system fail. Here are a few examples:</p>
<h2>Passwords</h2>
<p>Passwords are the most common authentication method. They are so widespread that everyone, or at least every network administrator, should know how to use them effectively. Yet there are still many cases where users have passwords that are easy to guess, or where they simply write their password on a piece of paper left on the desk, available to anybody who passes by.</p>
<p>Why does this happen? Usually it is because the security policies enforce either too little security or too much.</p>
<p>When there are no constraints on password complexity, users will generally set simple, easy to remember passwords and never change them. The usability of the system in such cases is good: users are rarely locked out because they forgot a password. However, easy to remember passwords are (usually) also vulnerable to <a href="http://en.wikipedia.org/wiki/Password_Guessing" target="_blank">password guessing</a> attacks.</p>
<p><span id="more-367"></span>On the other hand, if people are forced to set extremely complex passwords, a different set of problems arises with the same effect: the security system can be easily bypassed. If passwords cannot be remembered, most users will either write them down or simply forget them. Neither is good. Written-down passwords end up stuck to the side of the monitor or under the keyboard. Forgotten passwords mean users spend time calling support or using the “Forgot your password” service. It is not difficult to find people who are annoyed by extreme security measures, and for services provided online this can push customers towards alternatives that are easier to use.</p>
<h2><a href="http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx" target="_blank">Windows User Account Control </a>(UAC)</h2>
<p>Windows UAC is probably the best example of how difficult it is to keep the equilibrium, even for big and experienced players like Microsoft.</p>
<p>Windows XP does not have UAC and is an excellent operating system from a usability point of view, which is why it is still so widely used. Over time, however, it has had serious security problems.</p>
<p>A key factor behind a large share of the security issues in Windows XP was the overuse of administrator accounts. Software developers assumed that users had access everywhere and designed their applications accordingly. Users ran as administrators even for trivial tasks, partly because a lot of applications did not work otherwise. Malicious software benefited greatly from this situation: because users were administrators, malware could modify core system files, causing significant and sometimes irreversible damage.</p>
<p>Microsoft realized that something had to change, and the result was Windows Vista, an operating system designed with security in mind. User Account Control (UAC), one of the security components introduced in Vista, is a set of features that let users perform common tasks as non-administrators.</p>
<p>How does it work? By default every account, even an administrator's, runs with standard user privileges: an administrator logs on with a filtered token and gets the full administrator token only on request. Each time an operation requiring administrative privileges is about to execute, the user is prompted, on a secure desktop, to confirm that they are aware of it and want to continue. Clicking Yes, or entering administrator credentials when a standard user is logged on, elevates the privileges to administrator and the operation succeeds. The elevation applies to that program only, so each application that performs operations requiring elevation generates at least one UAC prompt.</p>
<p>This approach made users more aware of the changes being made to their system. Another effect was that most users got annoyed by the sheer number of UAC prompts, which in turn forced developers to fix their applications so that they no longer asked for administrator privileges unnecessarily.</p>
<p>While Windows Vista UAC is great from a security point of view, regarding usability it is enough to say that the first result when searching on Google using “Windows Vista UAC” is a page with the title “Disable User Account Control in Windows Vista”.</p>
<p>Will Windows 7 ship with an updated UAC to finally get the right balance? It seems so; however, the path is not so straightforward.</p>
<p>The feedback received from customers on Windows Vista UAC was processed by Microsoft and Windows 7 BETA was released with an updated version of UAC. The updates were meant to improve usability by reducing the number of UAC prompts. Although <a href="http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx" target="_blank">Windows 7 UAC</a> can be configured to behave like Windows Vista, the default state allows Windows components to auto-elevate without prompting the user.</p>
<p>At first sight this solution seemed to be perfect. Huge usability improvement – the number of annoying UAC prompts reduced – while making no major compromises regarding security. Unfortunately, the right balance was still not there. An <a href="http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/" target="_blank">important security flaw</a> was discovered: through auto-elevation it was possible to disable UAC without the user being notified. Microsoft’s initial reaction to this was a bit strange for a security community. They said that the behavior was by design and would not be changed. Finally <a href="http://blogs.msdn.com/e7/archive/2009/02/05/uac-feedback-and-follow-up.aspx" target="_blank">Microsoft admitted</a> that it was an issue that must be fixed, and in Windows 7 Release Candidate (RC) – which is currently available – changing the UAC level gets special treatment: it always prompts you if you choose to disable it.</p>
<p>Did Microsoft finally get it right? Time will tell. The fight is not over yet. There are still people complaining about asking non-qualified people to take important decisions about security, even with the reduced level of prompts in Windows 7. And there are voices that say security should not be compromised and Windows Vista UAC is better.</p>
<p>Nevertheless, the examples above are not isolated cases. There are plenty of other similar situations. I know people whose machines got infected even with an antivirus solution installed and up to date, just because the real-time monitoring component was turned off. Why was it turned off? It was slowing down the computer…</p>
<p>Security applications and security policies should be designed to interfere minimally with the normal working flow of the user. If they are too intrusive, people tend to bypass them and the systems will fail to achieve their main goal: enforcing security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/security-usability-finding-balance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

