The VeriSign Security Review
March 2006
Critics in the consumer industry are keen to speak when a product
is “ahead of its time.” The security services business, on the other
hand, is often about staying a hair’s gap ahead of criminals, in other
words, slightly ahead of its time. One can’t help wishing that stronger
measures, e.g., strong authentication methods, had been in place before
the recent widespread debit card fraud. This month also saw new federal
information security standards from NIST, which urge IT managers
to understand their risks at all times, precisely what the new VeriSign Security
Risk Profiling Service aims to help enterprises do. Timely
indeed.
In this issue:
Hot Topics
Standards and Regulations
News from VeriSign
Ask a VeriSign Consultant
Security Events
Hot Topics
Banks React to Widespread ATM Fraud
U.S. police arrested a ring of ATM fraud suspects
who may have manufactured counterfeit debit and credit cards using stolen
card information. Citibank is just one of many fraud victims forced
to re-issue cards as a result of widespread card fraud. Fraudsters apparently
used stolen data from the systems of OfficeMax, North Carolina State
Employees’ Credit Union, and other organizations. Gartner research vice
president Avivah Litan contends that the banking industry is "less than
halfway through this latest scam, which will continue to affect large
numbers of cardholders."
February Threat Summary
Microsoft revealed several vulnerabilities
that affect Windows Office. The critical MS06-012 vulnerability would
allow hackers to take control of PCs running the Excel application.
Microsoft has released a patch that fixes several problems, including MS06-012.
Adobe disclosed a critical vulnerability affecting
Flash Player versions 8.0.22 or earlier and Breeze Meeting version 5.0
or earlier. A user who inadvertently loads a malicious Flash (SWF) file
into Flash Player could enable an intruder to execute arbitrary
code on the system via a Web browser, e-mail client, or other application.
Adobe urges users to download its patch for this problem.
A faulty antivirus update from McAfee that
included hundreds of false positives resulted in some companies accidentally
deleting significant amounts of data from affected computers. McAfee
released a new patch (DAT 4716) to fix the problem.
Security researchers have discovered a keylogging
Trojan that captures mouse clicks as well as keystrokes. PWSteal-Bancos-Q
targets customers of online banking and financial institutions in Brazil
and Australia.
Phishing Attacks Hosted On Chinese Bank
A state-operated bank server in China is inadvertently
hosting phishing sites reportedly targeting U.S. sites such as Chase
Bank and eBay. China Construction Bank’s Shanghai branch hosted sites
that posed as customer survey sites for Chase Bank, for example, and
the data collected is sent to a form-processing service on an Indian server.
For more information, visit http://news.netcraft.com.
Microsoft Held Hacker Dialogue
A dialogue between the Microsoft security team
and external security researchers, the 3rd annual Blue Hat conference
took place in early March in Redmond, WA. Among the topics discussed were
“exploiting Web applications” and “breaking into databases,” and Microsoft
will publish some of the discussions in the Blue Hat Security Briefings.
MetaFisher Trojan: New Bot Found
VeriSign iDefense has uncovered a new, highly
sophisticated bot component of the MetaFisher Trojan. It is related to a previously
found attack against European banks’ Transaction Number (TAN) system.
MetaFisher creates a copy of itself as a DLL on an infected computer
and runs as a Browser Helper Object (BHO). When Internet Explorer runs,
MetaFisher runs silently in the background. It then communicates with
a remote Web site for updates and statistics. For more information on
this bot, contact VeriSign iDefense.
Standards and Regulations
NIST Sets Federal Information Processing
The National Institute of Standards and Technology
has released two new publications on federal IT security. Federal Information
Processing Standard 200, the final standard for securing federal computer
systems under the Federal Information Security Act, sets minimum requirements
in 17 security areas.
NIST also released its recommendation on
security controls for federal information systems in its Special Publication
800-53. The recommendation emphasizes risk-based policies and periodic
risk assessments, and it advocates a real-time understanding of the risk profile
by responsible individuals within the organization. For more information
on these new publications, visit http://csrc.nist.gov/publications/.
News from VeriSign
VeriSign Introduces Security Risk Profiling Service
VeriSign launched VeriSign® Security Risk Profiling
Service, the first comprehensive service to help enterprises identify,
visualize and quantify information security risks and make better operational
and financial decisions.
With the increasing sophistication and frequency
of malicious attacks threatening sensitive corporate data, coupled with
the myriad of potential changes needed to ensure a network security
posture can defend against those threats, more and more enterprises
are looking for a service-based solution that helps them better assess
and manage risk and choose appropriate responses. The VeriSign
Security Risk Profiling Service enables a comprehensive risk management
approach that evaluates business assets, identifies likely attack sources
and paths, provides a business view of threats and vulnerabilities,
all while addressing compliance requirements affecting the industry
today.
Delivered via a real-time secure portal, the
VeriSign Security Risk Profiling Service provides more visibility and
control than traditional vulnerability management and risk assessment
solutions. By taking a holistic view of threats, vulnerabilities, network
access policies, and potential business impacts, the service allows
customers to dynamically generate a risk score, including financial
impacts, to simulate and model the effects of changes, and to measure
compliance with both internal and external policies and regulations.
This real-time view of risk and compliance
levels allows IT managers to prioritize security risks by their potential
business impact, giving them true visibility and intelligence to help
them better prioritize resources and make operational and financial
decisions.
For more information on VeriSign Security Risk
Profiling Service, visit http://www.verisign.com/mss/riskprofiling.
VeriSign Introduces Secure Mobile Device Management
Meeting wireless device management needs and
addressing security concerns, VeriSign began offering VeriSign Secure
Mobile Device Management. The service combines VeriSign’s security expertise
with mFormation’s mobile device management platform to create a secure
wireless environment, and reduce the time and resources needed to manage
devices. The fully managed service can help drive adoption and delivery
of next-generation applications and enables operators to quickly add
services that drive usage and revenues. For more information, visit http://www.verisign.com/press_releases/pr/page_037032.html.
Ask a VeriSign Consultant
Each month, our highly experienced security
consultants share their expertise in an area of your concern. This month,
Branden Williams reviews best practices in securing non-employee access.
Send your questions to askverisignsecurity@verisign.com.
Protect Your Network From Unauthorized Use
Q: How do I allow vendors or other non-employees access to
the internet through my corporate network without compromising security?
A: There are multiple methods in which this can be accomplished
in a safe and secure manner. The last thing you want to do is
have your IT support group moving infrastructure ports every time you
need internet-only access for someone. Some potential solutions
include:
- Deploy an 802.1x port-level authentication setup. This type
of setup will force all of your Ethernet ports (outside of your data
center or other areas where this is impractical) into a half-open state
until proper authentication has been achieved. Through 802.1q
tagging, a port can be dynamically set up to participate in certain
networks depending on the authentication presented. If a client
presents no authentication, it can be dumped to a “Guest VLAN” that
is external to the corporate infrastructure.
- Wireless technology
can be deployed. Set the infrastructure logically external to your corporate
network, and through DNS poisoning, only allow access to a VPN concentrator
and a “login” page that requires a password to access the internet.
The concentrator provides a secure pathway for corporate users to be
wireless and still participate on the corporate network. The login
page ensures that unauthorized users cannot use corporate bandwidth.
- Physically move all common areas such as conference and break rooms to a separate “Guest VLAN”.
Should a corporate user need access back into the network, place a VPN
Concentrator on the same VLAN for access.
In each of these cases,
the corporate network is protected from unauthorized use, and your vendors
can safely dial back to their own corporate VPNs!
Branden Williams is a Principal Consultant at
VeriSign. He is a Certified Information System Security Professional
(CISSP), Certified Information Security Manager (CISM), Visa Qualified
Data Security Professional (QDSP) and Qualified Payment Application
Security Professional (QPASP), Checkpoint Certified Security Administrator
(CCSA), and Checkpoint Certified Security Expert (CCSE).
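As an added illustration of the first option above (not from the column or from VeriSign), here is a Catalyst-style switch configuration sketch for 802.1x port authentication with a guest VLAN for clients that present no credentials, plus the RADIUS reply that moves an authenticated user's port into the corporate VLAN. The IP address, shared secret, VLAN numbers and user name are placeholders, and exact command syntax varies by platform and IOS version.

```text
! --- Switch side (Cisco IOS Catalyst syntax; adjust per platform/version) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius   ! lets RADIUS push the VLAN to the port
radius-server host 10.0.0.5 key PLACEHOLDER-SECRET ! placeholder server address and secret
dot1x system-auth-control                        ! enable 802.1x globally
!
vlan 10
 name Corporate
vlan 99
 name Guest                                      ! routed to the Internet only, not to internal subnets
!
interface range FastEthernet0/1 - 24             ! user-facing ports only; leave data-center/uplink ports out
 switchport mode access
 switchport access vlan 99                       ! default landing VLAN until a supplicant succeeds
 dot1x port-control auto                         ! port stays half-open (EAPOL only) until authenticated
 dot1x guest-vlan 99                             ! no supplicant / no credentials -> Guest VLAN
 dot1x reauthentication                          ! re-check periodically so a revoked user is moved off
!
! --- RADIUS side (FreeRADIUS "users" file entry, shown here as comments) ---
! On success the server returns the three tunnel attributes that an 802.1q-capable
! switch interprets as "place this port in VLAN 10":
!
!   alice   Cleartext-Password := "PLACEHOLDER"
!           Tunnel-Type = VLAN,
!           Tunnel-Medium-Type = IEEE-802,
!           Tunnel-Private-Group-Id = 10
```

A vendor laptop with no supplicant, or with credentials the RADIUS server rejects, never leaves VLAN 99, so the corporate subnets are unreachable to it while outbound Internet and its own VPN still work.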
Security Events
April 3-5, 2006: InfoSec World, Orlando, FL
May 1-4, 2006: SecuritySolutions 2006, Tampa, FL
May 3-6, 2006: Computer Enterprise Investigations Conference World, Las Vegas, NV