The Year of the Breach

As the year is coming to a close, news headlines were dominated by reports of high-profile security attacks, some launched by “hacktivists” such as Anonymous and LULZSEC.

But something  larger was brewing. Amidst hacktivists’ attacks on Sony, HBGary and NATO, highly sophisticated, clandestine attackers—the kind with the rarefied expertise, deep pockets and specialized resources typically only seen in nation-state adversaries—were actively infiltrating a broad range of targets.

These attacks were different: they were patient, stealthy and leveraged a potent combination of technical skill and social savvy.  Some used clever social engineering to get a foothold into their target organizations, while others used zero-day vulnerabilities—previously unknown holes in software—to penetrate defenses. 

While advanced attacks have happened for years, IT security experts observed recent attacks had grown bolder and more frequent. Recent attacks were also highly targeted, customized, well-researched and, in many cases, employed both technical and social
components.

The term used to describe such complex, sophisticated attacks was
“advanced persistent threats” (APTs), but as IT security experts quickly pointed out, APTs were only as advanced as they needed to be to get the job done. A concrete definition is elusive and, as cautioned, “Defining it could limit us and lead us to be blindsided. We need to constantly revisit the characteristics because they’re always changing.”

Much of the day’s focus was on the techniques of highly organized attackers. such
advanced threats, which include APTs, span from corporate espionage to hacktivism.

This article distills certain key insights from those discussions and
aspires to advance the industry’s dialog on advanced threats, spur disruptive innovation and disseminate some of our learnings from some of the most seasoned professionals in information security.

From a Cookie-Cutter Approach to Adaptive

In 2000, the I LOVE YOU worm crippled more than 50 million Pcs. The delivery mechanism was simple but effective: an e-mail showed up in your in-box with a subject line of “iloveyou.” When people clicked on the e-mail’s attachment, titled “love-leTTer-Foryou,” they were infected with a computer worm. while the damage was significant, a
partial solution to this problem came in the form of antivirus software: a signature could be deployed to antivirus agents that would identify the file as malicious and arrest its actions.                                                                          
Today, generic malware is still profuse but signature-based defenses, at either the network or host layer, can greatly decrease the odds of infection. What makes recent
advanced threats different is their defiance of a signature. In the world of advanced threats, malware evolves quickly, and security experts have  described several cases of special-purpose malware custom-developed specifically for their targets. Some were
compiled within hours of launching the attack.

It became clear that enterprises targeted by highly organized attackers cannot depend on signature-based “bread and butter” security tools as a sole means of defence. While the payloads of some advanced threats were fairly standard, entry strategies were often custom tailored.

Attackers typically used social networking sites to gather intelligence and identify specific users within an organization. Some of the main infection vectors that cited were  e-mail, Skype and instant messages with malware payloads in the form of PDFs, compressed HTML, script files, executables and attachments.
customization of attack techniques extend through data exfiltration.

Advanced threats often use sophisticated methods for compressing, encrypting and transmitting data to other compromised organizations, leaving little evidence of the origin of the attack or the destination for stolen information. This move from generic to tailored, from cookie-cutter to adaptive, means that security organizations need to think beyond signatures and re-evaluate how effective their current defenses are.

Remember that people, not technology, were the Achilles heel in most defensive strategies.

People are the Weakest Link 
“People are the weakest link” is perhaps the biggest cliché in information security. Security experts have long understood that users make bad choices, click on links they shouldn’t and install malware through simple ruses.

Corporate IT departments deploy multiple controls to help deal with this threat: e-mail filtering solutions catch many attacks before they make it to users, malicious links are blocked by the network, network scanners look for malicious content, and host-based antivirus (the last line of defense) tries to stop what slips through the cracks.

This process works well for generic, shotgun attacks in that signatures can be updated quickly to immunize users. Advanced attackers, however, are now creating highly credible scenarios in which they convince users to click on dialog boxes warning of fake software updates, retrieve content from quarantined areas and act (unknowingly) on behalf of the attacker.

Attackers have become dangerously adroit at using our weaknesses and behaviors against us. Attackers are creatively leveraging people inside the company to help accomplish their goals. “Internet scams are supposed to be sloppy, but they work.”

Advanced threats defy that stereotype. Experts put a fine  point on it: “The perimeter is not a firewall; it’s our users. They don’t treat their computer as an adversary; they treat it as a tool—an extension of themselves—so they don’t question what it tells them.”

Addressing the people problem will take more than technology. Organizations need to
drive a sense of personal responsibility for security among employees.

Attackers Aim for Advantage, Not Infamy

Advanced attacks are typically not the product of hobbyists. These attacks often require months of planning, mapping out internal networks by looking at the fringes.

The reconnaissance can go much further: targeting key employees, deconstructing their life by scouring social media, custom-crafting an attack so that it is stealthy, patient, and very effective.

Cybercriminals, the ones who look to steal credit card numbers and other
commoditized and sellable data, have become increasingly sophisticated but advanced
attacks are different. Increasingly, they focus on espionage—stealing specialized data
that may be of high value and strategic importance to the commissioning entity, which
can be foreign governments, rival corporations and organized crime groups. The entities behind advanced attacks literally mean business.

Also, entities perpetrating many advanced attacks are substantively different from the
hacktivists groups that have attracted attention in recent times. Hacktivists want to
embarrass and expose their targets’ activities, taking pride in publishing their conquests.

Many advanced attackers, in contrast, have the goal of stealth. They do not want to be
discovered or seek publicity.

Now some advanced threats are now masquerading as hacktivist attacks, with the goal being to confuse forensics and place blame on groups that are often eager to accept it. This pattern makes it difficult to size the scale of advanced threats: a willing scapegoat makes post-incident attribution particularly problematic.

The New Normal: Act as Though You Are Already Hacked  

The events of the year have shown that determined adversaries can always find exploits through people and in complex IT environments. It’s not realistic to keep
adversaries out. Organizations should plan and act as though they have already been breached.

Three foundational principles of security are compartmentalization, defense in depth and least privilege. in combination, these three tenets dictate that if one system (or person) is compromised, it should not result in a compromise of the entire system.

While simple in concept, these tenets have proven complicated to implement in practice. Organizations have long relied on the notion of a “perimeter,” where a big thick wall—in the form of firewalls and gateway defenses—guards the organization, with good guys (insiders) on one side of the wall and attackers on the other.

Security perimeters are now considered a construct of the past. Boundaries are nearly
impossible to define in modern organizations. The inclusion of partially trusted users
such as customers, suppliers, contractors, service providers, cloud vendors and others
have made organization boundaries very porous. Beyond the eradication of traditional
organizational boundaries, the consumerization of IT has brought a rash of unmanaged
devices into the enterprise and exposed the organization to services (and suppliers) that are opaque.

IT consumerization has also blurred the line between the business lives and
the personal lives of employees. We have moved from the illusion of a perimeter-driven defense to living in a state of compromise.

Accepting that some systems, some people, and some services may already be under the control of attackers changes information security strategy. it forces a return to the core principles of compartmentalization, defense-in-depth, and least privilege.

Organizations need to focus on closing the exposure window and limiting damage through efforts to compartmentalize systems, stop sensitive data egress and contain malfeasance. This new model also demands that we rethink old habits of sharing sensitive corporate information—such as source code, product plans and strategic roadmaps—using collaborative processes that presume perimeter defenses can keep attackers out.

Security improves through greater situational awareness: gaining the ability to
understand what’s happening beyond our network boundaries to detect threats on the horizon. Organizations get smarter by looking beyond their infrastructure and observing  the ecosystem. The ecosystem approach to security relies on organizations actively sharing information with other organizations about threats. It also demands greater visibility into the security of suppliers and service providers within one’s supply chain.

The key is to know what digital assets are important to protect, where they reside, who
has access to them and how to lock them down in the event of a breach. This ability to
tighten the net before and during an attack is key, and it requires a mature process for
incident handling. Incident response should not be considered exclusively a security
function. Instead, it is an organizational competency that must be developed and
continually honed well before an attack occurs. if organizations are planning responses
as an attack unfolds, they are too late. A competency approach allows remediation
activities to kick in automatically—like a reflex.

The Road Ahead

The reality of advanced threats demands a disruptive approach to defense—one where
enterprises can be agile and thrive in a contested environment. This approach must be
applied holistically: approaching advanced threat defense not as a discrete function but
as a natural consequence of robust but agile security.

Many of the holes that exist today come from an unmanageably complex iT infrastructure. Given that information security is a “weakest link” problem, only through understanding our assets, processes and endpoints do we have a chance at effective defense. Unraveling complexity and fielding a successful defense means that we also need to think creatively about the range of attacker motivations, which can extend far beyond data theft.

With every new technology, we have the ability to weave security into its fabric, to begin anew. We are at the start of an industry-wide move to cloud-based services and systems. We stand on the precipice of a sea-change in technology. There is a new mantra that goes within the industry saying “If we can’t get it right with cloud, shame on us.”

Today more than ever, security is an ecosystem problem in which every constituent has a responsibility. Attackers are collaborating, sharing information, going after the supply chain, co-opting careless insiders and evading our long relied-upon defenses. we need disruptive collaboration and innovation in defense. Through collaboration, information sharing and increasing our agility, we can successfully fend off APTs and other advanced threats.

Happy Holidays! And a blessed new year to all!

 

Duqu

Security experts are warning of a new malware threat that it says could be a precursor to the next Stuxnet. 

The new threat, dubbed W32.Duqu, is a remote access Trojan (RAT) that appears to have been written by the authors of Stuxnet, or at least by someone who has access to Stuxnet source code, Symantec said in a report released today.

It was confirmed that Duqu is a threat nearly identical to Stuxnet, but with a completely different purpose. Duqu’s purpose is to steal data from manufactures of industrial control systems that can then be used to craft attacks against entities using such systems.

Analysis shows that the Trojan is “highly targeted” at a limited number of organizations. Though Duqu uses a lot of the same code as Stuxnet, its payload is completely different.

While Stuxnet is designed to sabotage industrial control systems, Duqu is simply a Trojan with remote access capabilities that appears to have been created specifically to gather information about industrial control systems.

News of the new Trojan is sure to reinforce concerns about targeted cyberattacks against the industrial control systems used in critical infrastructures, such as power plants, water treatment facilities and chemical plants.

The Stuxnet worm , which some security researchers call the most sophisticated malware program ever written, has already affected industrial control systems in many countries.

The worm is noteworthy as the first piece of malware known to have morphed into physical destruction of a resource,

Attackers have used Duqu to install keystroke loggers and network enumerators for stealing information that can be used in future attacks. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control system.

Duqu has already been used to carry out attacks against a handful of companies that manufacture industrial control systems.

In at least one case, the attackers were unsuccessful in their attempts to steal such data. But information is not yet available on all cases where Duqu has been used to launch an attack.

Attacks using Duqu and its variants may have been going on since last December 2010 based on a review of file-compilation times. Duqu cannot replicate or propagate on its own, Haley said. It is configured to run for 36 days after which it removes itself from the infected machine.

Note that Duqu’s propagation techniques are still unknown, there is nothing in Duqu that says it comes from USB, or look for a network share and take me there.
It just sits there and works as a remote access tool.

The new malware is named Duqu because it creates files with filenames having the prefix “DQ”.

The Trojan consists of three files — a driver file, a dynamic link library and a configuration file. The files need to be installed by a separate executable which has not yet been recovered.

Besides the link between Duqu and Stuxnet, there is no other information on who might be behind the Trojan.

Duqu uses HTTP and HTTPS to communicate with a command & control server hosted in somewhere in India.

Attackers have been using the C&C server to download key loggers, network enumerators and other information stealing programs. The stolen information is stored on a “lightly encrypted’ file and then uploaded back to the server.

reference : Symantec

Social Networking and Balancing It To Network Security Objectives

With the explosion of social networking, interaction and  collaboration, email has lost its position as the primary Internet-based
communication tool. In fact, in a related literature that I’ve recently read, it reported that there were more social networking accounts than Webmail accounts in 2009.

Today, users rely more on blogs, tweets, social networking posts and  even video clip communications to enrich both personal and professional information exchange. Even businesses are leveraging social networking to communicate with customers, employees and partners.

While these sites and services offer tremendous business benefits, they also present serious risks that have to be managed. For instance,they are often the target of malicious attacks due to their popularity. Video sites like YouTube consume tremendous amounts of bandwidth if they are not properly managed on the corporate network. And employees may intentionally or accidentally leak sensitive company data onto a social networking site, breaches that can result in lost competitive information, public relations headaches, fines, legal action and more.

The good news is, with the right security approach, these consequences can be successfully avoided.

In addition to addressing technology gaps, you also have to educate users  about social networking security problems that stem from simple human error. And while the end user will likely remain the number one security risk for any organization, dramatic results can be achieved with just general security training.

Education should begin with the basics, but can be placed in the context of social networking to make them fresh and interesting.
For example, good login and password practices are a common problem within social networking. Routinely changing login credentials and protecting the confidentiality of passwords are basic security requirements – or should be. While this may sound like common sense, there was this recent fiasco may have been caused by one scientist who actually included his password in his email signature. So even highly educated users need to be reminded about basic security measures. Cybercriminals also know that many users use the same login ID and password on multiple sites, which enables attackers to easily gain access to social networking accounts. In one instance, many Twitter accounts were hacked when users were tricked into creating an account on a fake torrent site.

Other examples that are much less dramatic, but occur much more frequently, take place when users try to share something to a select group in an appropriate way, but do not realize that the way they shared it made it available to a broader group. Some applications may be popular enough to reasonably provide in-depth application training for users. A great example of an easily avoidable issue
recently occurred when over 100 million Facebook pages were compromised simply because most users did not understand some of the security settings available.

It may be worthwhile to start surveying users to identify their needs, applications of choice and perhaps even their own list of concerns. Then prepare a plan to ensure users are aware of how to use those applications safely.

Also, users need to be reminded that there are no safe zones on the web – including social networking sites. Assume that everything revealed on a social networking site will be visible on the Internet forever. Once it has been searched, indexed and cached, it may later turn up online no matter what steps are taken to delete it.

Finally, most users are no different than IT – no one reads the manual. So many users won’t really understand security guidelines until they violate them once or twice. “Coaching screens” are informational pop-ups or browser redirects that would appear at the instant a violation occurs to inform the user they have violated a policy, someone else knows about it, and explains how to prevent it from happening again. From a product standpoint, IT should look for solutions that not only provide security, but can also support education efforts.

Conclusion
Social networking has achieved a level of popularity that requires reasonable access at work, but it is also sufficiently mature to bring value to many businesses. But safe social networking requires an aggressive and layered security strategy at the web gateway, as well as the definition of new usage policies and priorities from management and IT. Better end-user education will also be required to ensure workers use social networking applications safely and appropriately.

The combination of layered security and education can help organizations dramatically reduce the risks from malware, phishing, data loss and bandwidth abuse.

Why is all this necessary? Cybercriminals are taking advantage of social networking’s fundamental model of familiarity, trust, sharing and open communications  to dupe users and steal valuable data.”

To close these security gaps, IT and business leaders must ensure they have the right security strategies   in place to identify and protect against the rapid evolution of social networking threats.

Do we need an endpoint security?

Business owners and IT managers would think that their anti-virus software would be enough for their day to day protection needs. They think that a separate endpoint security would be an additional cost and another thing to manage.  

But what we read in the papers are constant reminders that malware attacks and data leakage incidents are really on the rise. High profile incidents that make big new might seem out of the ordinary, yet businesses of every size face similar risks in the everyday acts of using digital technology and the internet for legitimate purposes.

Then, it was the anti-virus technology and the necessary response to security’s most common, but the most riskiest aspects. Where you need more than anti-virus is a not just a technological decision….it is a business decision. The original anti-virus concepts where zero-day threats are not handled is getting to be one of the biggest headaches in the IT security world today. Before, signature-based detection was sufficient when threats were fewer, farther between and generally, less dangerous.

Now that organized (or even, non-organized) cyber-criminals relentlessly troll for vulnerabilities, the risk is always high for ANY organization that uses technology in ordinary and legitimate ways.  Because exposure lies in such situations, organizations must update their protection beyond the traditional anti-virus. As experience show, letting your guard down has dangerous consequences.

But what are these ordinary situations that can bring you staggering consequences? Let me enumerate them:

A. Zero day threats

Zero-day threats are defined as threats which wreak havoc without having the anti-virus software identify it. No signature means no detection, no detection means no removal, and no removal means havoc. Examples of these are malware which consists of different identities everytime and those threats which seem to morph everytime.

What they can do to you? They can destroy your operating systems, steal information from your databases and servers and can put down your network.

B. Letting your employees work outside of the firewall

Before, employees just use to work within the protected and comfort levels of their internal corporate network where firewalls and gateways rule. But now, people work in airport lounges, internet cafes, hotels and their own homes.

What they can do to you? Working in unprotected networks is always risky. The Conficker virus is spread in vulnerable networks and that persistent outbreak experienced last year (and even up to now) created worldwide damage.

C. The unpatched PC

Patching means putting updates because of software lacks, mostly because of security. Some people choose to ignore updates on their PCs, and some systems administrators choose not to patch their servers because of the extensiveness of the activity.

What they can do to you? Simple…. the hackers simply exploit the security loopholes…. resulting in data loss… or they can simply use these loopholes as entry points for their more damaging exploit software.

D. The uncontrolled applications

Social networking sites as well as instant messengers are one of the security holes that must be covered. People with malicious intent (or sometimes, even those without malicious intent), intentionally or unintentionally leaks information via these channels.

E. Web Insecurity

Phishing websites are now used as data leakage channels. Why? it is because people simply trust the the valid websites, so that phishers imitate these websites.

F. The Lost Laptop  

A lost laptop is one of the biggest issues in data leakage. Imagine a laptop containing years and years of accounting information. Or imagine a laptop containing information on one of your most innovative products.. Once the laptop is lost, the information stored in there now has a new owner.

G. The misdirected e-mail

One small click, and that document that you may be protecting may fall into wrong hands. Such slim margins are unacceptable if that email contains very confidential data. In some organizations, employees use email to transfer information or to steal these data that they can sell or do identity theft.

H. The infected or lost USB flash drive    

Every time a user plug a USB device into a company computer, they bypass other layers of defense such as the gateway or the firewall protection. This makes devices with USB ports an easy means of attack. If no protection is available, it is an available swinging door for malware and data loss or theft channel. Also, do not forget that these USB devices are main channels of malware.

Conclusion:

As normal incidents show, there is no longer anything unusual about malware attacks and data breaches. Most happen everyday, and the classic anti-virus software is designed to block some of the threats. The best defense at the endpoint is multiple layers of protection integrated into a single solution, including live anti-virus, behavior based detection, URL filtering, applications control, network access control, data encryption, data loss prevention and device control.

Security can’t be handled by a single solution anymore.

 


			

Now, there is FakeAV

Before, we only used to hear fake bags, fake shoes, fake movies, fake music and even fake identity. Now, there is this thing called as FakeAV. What is this new IT security lingo?

FakeAV or Fake AntiVirus, also known as Rogue AntiVirus, Rogues, or ScareWare, is a class of malware that displays false alert messages to the victim concerning threats that do not really exist. These alerts will prompt users to visit a website where they will be asked to pay for these non-existent threats to be cleaned up. The FakeAV will continue to send these annoying and intrusive alerts until a payment is made. 

During the last part of 2010, the number of FakeAVs has really grown. In fact, IT security experts have determined the quantity of these FakeAV variants from less than 1,000 late last year to around 500,000 today.  The reason for the increasing popularity of FakeAVs is because of the direct revenue source that FakeAV provides.  Compared to other malware variants, FakeAV is somewhat associated with some network communities that make large amounts of money by driving traffic toward the stores of their partners.

How will I know if I am dealing with FakeAVs?

FakeAVs use social engineering techniques to get it self installed. Normally, it goes through the routes of Windows Security updates, fake anti-virus pages and fake social network engineering applications.  Once installed, there could be several behaviors like popup messages, fake virus scanning where it usually reflects make believe files. FakeAVs usually use high-tech names so that it may sound valid like “security central”, “malware database”, etc.

How do we get FakeAVs?

There are may ways a FakeAV can get into your system, but the majority of which is that a user can be tricked into running installer executable in a way similar to how Trojans work. But the following are the most popular techniques:

  • E-mail spam campaigns
  • Infected websites
  • FakeAV downloads by other malware

Initiating a Fake Scan

Once a FakeAV is installed, it will usually attempt to contact a remote website and download the main component or a main program. This will initiate a fake system scan, where may non-existent threats will be discovered and reflected. A main FakeAV window is usually professionally created and victims can be convinced that they are using a genuine security product.

Once the fake threats have been discovered, users are told that they must register or activate the program to clean up the threats. Users are taken to a registration website where they are asked to enter their credit card number and give other confidential information. These pages are convincing, sometimes featuring the illegal use of logos and industry-recognized organizations. 

Other FakeAV behavior

Most FakeAVs also cause further effects to the victim by interfering with normal systems processes and runtime. Sometimes, this includes disabling of the task manager and use of the Registry Editor, prohibiting processes from running and even web site redirection. This behavior further convinces the victim that there is a problem on the system and increases the likelihood of a purchase being made.

Prevention and Protection

The most effective defense against FakeAVs is a comprehensive security as well as literacy. For network administrators, a layered security can and should take place at each stage.

URL Filtering : by blocking the domain and the URLs from which FakeAV is downloaded, infection can be prevented from ever happening.

Detection of Web-based Content:  it should include detection of Javascript and HTML used on FakeAV and fake webpages.

Runtime Detection: if a FakeAV executable manages to evade the other layers of protection, you should be able to detect and block the behavior of the FakeAV as it tries to execute on a system.

Spam blocking: self-explanatory, the network should recognize, detect and eliminate spam.

Conclusion:

FakeAV is a fast growing threat. The direct financial benefit gained from this threat will not go away in just one snap, in fact, it will be more widespread. FakeAVs are already being distributed via several sources and the variety and inventive distribution will only increase.



			

That USB Flash Drive

It’s pretty easy for organizations to get so wrapped up about what goes out on USB drives that they forget to protect against what comes in their environments via USB. And with attacks inflicting increasingly greater damage following uncontrolled connection, it’s time that organizations got serious about this threat.

The news today is chock full of stories about sensitive information being carried out the institutional perimeter on ‘simple’ USB devices. These powerful portable drives rightfully worry IT as a means for devastating data loss at the hands of malicious insiders. But it’s
pretty easy for organizations to get so wrapped up about what goes out on USB drives that they forget to protect against what comes in their environments via USB. And with attacks inflicting increasingly greater damage following uncontrolled connection, it’s time
that organizations got serious about this threat.  
After all, according to researchers, as many as one in four malware attacks1 is carried out through a USB device. In the past year, we’ve seen Stuxnet raise its ugly head and Conficker continue to circulate through the USB vector. And yet the proliferation of USB devices only continues to skyrocket by billions each year.

In order to keep organizations secure from threats, IT departments must bring greater scrutiny and control over how the network is exposed to potentially infected portable payloads. But let’s get real: they can’t do so by gluing USB ports shut. Portable devices as  these are business tools that are here to stay. IT leaders who refuse to recognize that fact will be seen throughout their organizations as inhibitors to success. The key to USB security is balancing productivity with protection.

Early on, USB malware was exploratory and experimental. Most of all it was just, well, random. Hackers would find ways to get malware files onto drives–either online or even manually–and cross their fingers in hope that the intended victim clicked the files to initiate infection.

But as USB platforms evolved, so did the attack methods. Functionality enhancements opened up new possibilities for hackers. For example, Windows Autorun made it simpler for users to gain immediate access to the contents of their drives but also enabled hackers to write code that could initiate without user intervention. And now, new attack platforms such as the U3 smartdrive platform made it possible to run applications directly from the drive, giving hackers another potentially untraceable attack vehicle.

This manipulation of Autorun is a common theme with many malware variants that plague IT environments today.  Any USB device connected to an infected machine would become infected and then would infect any other machine to which it was connected;
then that machine would begin infecting other USB devices plugged into it. This is how the malware is able to move from machine to machine via USB devices and this “worm like” malware propagation method copies itself to all available drives, shares, removable media and peer-to-peer software application file folders.

This can greatly increase the exposure surface of an organization that may otherwise have its network security bases covered. In fact, Microsoft recently announced its findings that Windows XP users were 10 times more likely to get infected when faced with such an attack. In addition to propagating malware, USB drives have also proven to be exceptional hacking platforms for those attackers with physical access to corporate machines. One of the many legitimate useful features of USB drives is their ability to act as a “PC on a stick” through the use of certain platform and virtualization utilities.  But again, this legitimate use can also be used for dark purposes. It also makes it possible for malicious users to replicate their entire Windows hacking lab with a USB device and run it on virtually any PC
with an available USB port. When the malicious user is done, she simply removes the USB device and leaves without a trace.

Balancing USB Usefulness with Protection

It is now difficult to return to the days of yore when IT administrators would simply glue USB ports shut and call their endpoints secure. USB devices are an everyday necessity whether you’re running a mom-and-pop business, a corporate office or a government department.

The truth is that portable devices have done great things for the business world, which leverages these devices for incredible productivity gains. A late 2010 survey found that all of nearly 230 workers surveyed own at least one USB flash drive and more than half own three to six of these devices.

Today’s workers can now use ultra-portable flash drives to easily transfer large amounts of data between locations. They can use these same devices to store important presentation information while on the road at conferences and sales meetings. And large organizations can quickly disseminate information to a large number of customers or employees by uploading data to USB devices and distributing
them to the right people.

USB Security Best Practices
So what exactly does it take to change our trust models? It starts with smart policy development. Some key policies that organizations should consider to reduce their risks right off the bat include:

  • Ensuring common PC and laptop configurations have AutoRun features disabled, limiting the efficacy of USB malware that depends on this feature to run and to propagate.
  • Requiring timely installation of security updates in order to minimize the risk of USB-borne malware taking advantage of unpatched endpoint vulnerabilities.
  • Limiting access of USB and portable devices to registered devices only, enabling better control over who, when and how devices are being utilized.
  • Preventing the initiation of some or all executables from portable devices, blocking malware from running in the first place.
  • Requiring strong passwords (and not allowing the use of default passwords) throughout your infrastructure to prevent worms such as Stuxnet from working their way further into systems.
  • Requiring proper, up-to-date AV and firewall usage to prevent malware from gaining a foothold within the endpoint and spreading to other systems in the network.

While the first battle in the war against mobile malware starts with the development of clear, in-depth policies regarding the use of removable devices and media, the ultimate fight still remains. None of those policies amount to much without solid enforcement. Unfortunately, most organizations havenot yet gotten that message.

Putting Teeth In Policies

By enforcing usage policies for removable devices such as USB flash drives and other removable media such as CDs / DVDs, you can control the flow of inbound and outbound data from your endpoints.

Devices that are not authorized should simply not be allowed to execute. Ideally, organizations should look for tools and develop processes that enable them to quickly establish and enforce device control policies as simply and as methodically as possible. The idea
is to enable users to continue to use approved devices without resorting to an outright blanket ban.

Policies should be manageable by user or user group as well as by computer, and organizations should look for capabilities that enable user groups to be immediately associated with devices “on-the-fly.” The goal is to dramatically simplify the management of endpoint
device resources through improved tracking of who, when and how devices are being used. By validating removable devices as they are used within the enterprise, you can prevent malware from being introduced into the network. This includes assigning permissions
for authorized removable devices and media to individual users or user groups and controlling the uploading of unknown or unwanted files from removable devices.

Organizations should also widen the lens a bit and think about more than just simple device control. Defense-in-depth should play a role in risk mitigation. For example, intelligent whitelisting technology can help prevent the initiation of risky applications running on the endpoints by controlling the trust factors that enable execution, such as code source, who authorized the application, whether it is running on other stable systems within the network and from where the application originated. And the use of encryption
to augment defenses could make network assets less attractive to potential attackers.

Finally, organizations should consider revisiting end user training to ensure they’re covering the risks posed by USB devices. That one-time discussion on the first day at work has likely been long forgotten by most employees and is undoubtedly obsolete anyway.

After all, these workers really are your first, last and best defense against USB attacks. That’s why IT professionals need to remember that in order to win over the hearts and minds of these line-of-business users, they’ll need to institute policies and practices that don’t
adversely affect these workers’ daily productivity. This means taking control of USB device usage without stooping to wholesale purchases of superglue.

By developing policies and implementing solutions that enable a more flexible but easily trackable environment, IT departments become partners in security and business success rather than technology mall cops to be disregarded at all costs. Enterprises with
such forward-looking technology decision-makers will gain a decisive productivity advantage while protecting their organizational endpoints.

While we’ve focused much of our attention on the ubiquitous USB flash drive, organizations need to think about threats that extend from all forms of removable media in use today. These include: CD drives, DVD drives, Blu-ray drives, FireWire, External hard disks, eSATA connected devices and Consumer products such as picture frames, MP3 players, digital cameras, etc.

Malicious Software (Malware) and Viruses on Firmware?

Just as we thought where viruses and malware are only for operating systems, think again…. these malicious software are also possible to be found on firmwares, or those small softwares that control various electronic devices, which can be within or outside the computing areas.

We can only enumerate these electronic devices that may use firmware. Among of these are : calculators, printers, TFT monitors, digital cameras, mobile phones, music instruments like electronic keyboards, electronic drumpads or synthesizers. Of course, your CMOS – those things you see while your computer is booting up, your external hard disks, your LAN and WLAN routers, also use firmwares.Your most favorite MP3 players also utilize firmwares. Your car’s computer chip also utilizes firmware.

Recently, IT security experts have found traces of these tiny software embedded within the CMOS, whose purpose is to destroy the equipments as well as for information theft. Most of these firmwares contain “logic bombs” which are timed to go off noticably or unnoticably at a specific time. The payloads of these are from a simple hardware failure, destruction of the attached devices, or if it is within your computer’s CMOS, may set off file deletions or even network intrusions.

Now, once malicious firmware has been inserted into electronic components, it can be almost impossible to detect. Because it is in the hardware, the malware will remain in place even where all the software has been upgraded or replaced. The circuits in which the malware would be hidden are microscopically small and enormously complex. What’s more, like malicious software, it is possible to look directly at malicious firmware and not see anything wrong with it.

Cleverly written malware will perform the kinds of operations that the system or the equipment is routinely supposed to perform. It will just perform those operations at exactly the wrong time, for example, running a payroll process every week, or place an electronic order to a supplier everyday.

What can be done to avoid this problem now? Nothing. One thing we can do about it is to check whether your equipment manufacturer employs strict standards on the installation of firmwares on their equipments prior to assembly. If you are in doubt on that manufacturer, do not buy the product. Please take note that there are no anti-virus solution that can detect these for these malware are embedded within the circuitry systems of each device. If an anti-virus provider says they can provide protection and solution, then, do not listen to them.. They are bluffing. Imagine putting an anti-virus program in your car’s computer system…

Since the scope of the problem is really too broad, solving the problem on our current situation may seem impossible at this time.

Now the good news… Logic bombs may only work once, but that’s also the case for real bombs. No one complains about their lack of repeatability, but to the effect of what?

It’s hard to tell if this is a realistic and growing threat that government, corporate agencies, the private sector and individual consumers should worry about, or whether it’s one of those late-night worries about risks with catastrophic consequences but no real chance of happening – like being struck by lightning while waiting for a ride home.

It is one more thing to worry about, though, and one more reason to make sure you have internal security systems designed to detect malicious activity – not just malware signatures – so they can identify and shut down attacks whose source you can not yet identify.

It’s just a little disturbing to hear that even if you build a rock-solid defense against malware entering from all those other points, an RFID chip or print-toner-monitoring component could seed your network with malware that gives someone else a porthole through which to watch you work.

No reason to panic though…..