The VeriSign Security Review
June 2007
In This Issue
The security landscape is always evolving—and getting more dangerous.
Your best bet: stay tuned. Check the VeriSign website at regular intervals
for our latest advice—it’s free! Right now, for example, our website
has information on server security, a free SSL Certificate trial ID,
and tips on prioritizing threat response.
Hot Topics
Monthly Threat Summary
The end of May saw the release of several “out-of-cycle” vulnerabilities in Microsoft products.
While none of these vulnerabilities is rated by the company as critical, all VeriSign customers
are encouraged to patch them either via Auto-Update or at http://www.microsoft.com/technet/security/current.aspx.
News from VeriSign
- VeriSign and Innovative Card Technologies Address Worries of Online Merchants with New Fraud Protection that Fits in a Wallet.
- “.TV Showcase” to Serve as Media and Entertainment Model for the Future of Digital Content Distribution.
Security Events
- June 10-13, HDMA Distribution Management Conference & Technology Expo, Boston, MA
- June 11-14, Digital Hollywood, Los Angeles, CA
- June 14-16, eBay Live!, Boston, MA
- September 5-6, Forrester Security Forum, Atlanta, GA
Hot Topics
Methods, Motivations, and Mitigation of Insider Threats
The insider threat is one of the most serious and
least preventable challenges in the field of information security. This
is especially true for major corporations, because such organizations:
- Store greater quantities of valuable information
- Use massive information networks that are highly complex and geographically dispersed
- Must allow a large number of authorized users access to their infrastructure and data.
Although large corporations
may have more to lose, companies of all sizes must protect themselves
against insider threats. It’s not just the damage the employees can
do to the business—serious though that may be. It’s also the fact that,
while employees are criminally liable for insider actions, the company
may be civilly liable for those actions as well. This concept, known
as vicarious liability, is defined as “liability that a supervisory
party such as an employer bears for the conduct of a subordinate or associate
such as an employee because of the relationship between the two parties.”
The current state of knowledge on insider threats
is ambiguous at best, but VeriSign’s iDefense team has created an 18-page
white paper that presents a comprehensive summary of what is known.
This white paper presents the latest data on the frequency and scope
of insider attacks, and the elements of an offense. It also provides
a classification of employees that characterizes which ones are most
likely to commit which type of security breach. This report also details
the most common:
- Motives for an attack (including financial gain, revenge, patriotism)
- Means for each type of attack
- Opportunities for each type of attack
Mitigation is not a technology problem, but a business
challenge. This paper spells out the elements of that challenge and
proposes a series of steps for creating a mitigation plan, plus best
practices for providing security against insider threats. For any business, reading
this white paper is an important step to coming to grips
with a security problem that’s serious and pervasive, but often frustratingly
nebulous.
Wireless Data: Up for Grabs?
Increasingly, companies in health care, manufacturing,
retail, education, and automotive are incorporating wireless connectivity
as an integral part of conducting business. But the promise of disentanglement
from wires comes with strings attached, as wireless LANs introduce new
classes of threats and risks to sensitive information and systems on
the integrated WLAN/LAN.
Wireless systems can be tapped by rogue access points.
Large organizations are particularly vulnerable to this type of security
breach: if an employee brings in an easily available wireless router,
the entire network—wired as well as wireless—can be exposed to anyone
within range of the signals.
No company can afford to repeat the experience of
TJX. This $17.4-billion retailer—which also owns T.J. Maxx, Home Goods
and A.J. Wright—had no idea that hackers were pointing a telescope-shaped
antenna toward the store and using a laptop to decode data streaming
through the air between hand-held price-checking devices, cash registers,
and the store's computers. Over an 18-month period, the hackers, who
have not been found, downloaded at least 45.7 million credit- and debit-card
numbers, the company says. They also got personal information such as
driver's license numbers of 451,000 customers—data that could be used
for identity theft. Forrester Research estimates TJX's breach-related
bill could surpass $1 billion over five years—and that’s not including
lawsuit liabilities.
Wireless intrusion prevention systems (wireless IPS) can protect companies
from network security breaches by wireless-based attacks. These network
devices monitor the radio spectrum for the presence of unauthorized access
points. Organizations are flocking to buy wireless IPS: Gartner
estimates that the wireless LAN IPS market was worth about $60 million
in 2006, and this is expected to double in 2007. But because the technology
is new and complex, a lack of expertise in operating these systems effectively can
detract from their ability to provide WLAN security. Plus, even a properly
operating wireless IPS is only as effective as the individuals who analyze
and respond to the data gathered by the system.
VeriSign Wireless Intrusion Prevention Service provides
a turnkey solution that helps enterprises overcome common pitfalls in
protecting their wireless systems. Designed by the industry's leading
team of wireless and security consultants, it helps organizations confidently
and effectively architect and set up wireless intrusion prevention programs
that align with their strategy and compliance requirements. The service's
unique managed service delivery model and expert insight address compliance
with regulatory requirements and provide effective identification and
mitigation of wireless security threats. It also integrates wired and
wireless intrusion prevention data to deliver a holistic view of system
security.
VeriSign Wireless Intrusion Prevention Service can
lower an organization’s total cost of ownership for wireless intrusion
prevention, saving time and money by reducing associated staffing, training,
maintenance, and upfront capital expenditures. At the same time, it
provides a depth of compliance expertise that is otherwise simply unavailable
to most organizations. The VeriSign Global Security Consulting team
performs hundreds of security and compliance audits annually for some
of the largest organizations in the world. Consultants average more
than ten years' experience in enterprise information security and three
or more industry certifications per consultant.
While the VeriSign solution enables organizations
to take a step back from all the details involved in ensuring wireless
security, it still provides authorized users all the information they
want: the VeriSign Security Operations Centers provide prompt notification
when there is a critical security event, and at any time, authorized
users can access the Enterprise Security Portal for a detailed view
of their security devices under VeriSign management. The portal includes
reports based on device type and access to an ad hoc query engine for
sophisticated analysis of security events across multiple platforms
and locations.
Find out more about VeriSign
Wireless Intrusion Prevention Service and how it can help
your organization prevent network intrusion by wireless attacks.
Security in the Any Era: Balancing Risk, Cost, and the User Experience
Consumers can conduct business from virtually anywhere,
and they increasingly expect companies to provide access to services,
content, and information anytime, from any device. As enterprises open
and extend their networks to accommodate the demands of this “Any Era,”
threats and vulnerabilities increase. These threats target the key assets
of online business: consumers, brands, Web sites, and internal networks.
When attacks on these assets occur, they undermine consumer confidence
and growth of the digital economy.
To remain competitive in this new “Any Era,” today’s
businesses must provide an exceptional online experience that meets
consumer demands quickly, conveniently, and securely—with minimal complexity
or cost to the consumer. Security and consumer trust are vital to maximizing
opportunity. In one study, 53 percent of online consumers stated that
concerns about breaches had affected their purchasing behavior. The
same study shows that online sales are a net positive for retailing
(i.e., they don’t just cannibalize but increase overall sales), yet
more than $2 billion in sales probably did not occur last year because
of security concerns.
To help you build the security that leads to greater
confidence and increased sales, VeriSign offers a layered, systematic
approach to mitigating threats to Any Era assets. With this approach,
complementary security layers fortify each other to create a solution
that is stronger than the sum of its parts, while making the user experience
as rich and seamless as possible.
This latest white paper from VeriSign describes the
dangers to each of the key business assets of Any Era networks, including:
- Consumers
- Brands
- Web sites
- Internal networks and application infrastructure
Instead of piecemeal asset protection for these critical
components, the VeriSign approach of layered security delivers:
- Consumer identity protection and fraud prevention
- Brand monitoring
- Extended Validation (EV) SSL certificates for Web site verification
- Multi-pronged network defense
- Real-world expertise
Get your copy of Security in the Any Era: Balancing Risk, Cost, and the User Experience
and get ready to benefit from the opportunities of the Any Era—with confidence.
Monthly Threat Summary
The end of May saw the release of several “out-of-cycle”
vulnerabilities in Microsoft products. While none of these vulnerabilities
are rated by the company as critical, all VeriSign customers are encouraged
to patch them.
All of the recently announced vulnerabilities are
related to buffer overflows. They include a medium-severity buffer overflow
vulnerability in Office 2000 that could allow an attacker to execute
arbitrary code (such as a computer virus) with user-level privileges
on the victim’s computer. Microsoft also reported two medium-level buffer-overflow
vulnerabilities in Visual Basic 6.0 that could allow attackers to potentially
execute arbitrary code or cause a denial of service (DoS) condition.
A standardized language (XML Schema) to exchange data on phishing attacks
worldwide is currently under development within the industry and is expected
to go live as early as July 2007, according to Heise Security, citing AusCERT.
The language is called “Incident Object Description Exchange Format” (IODEF)
and is said to be “growing at a rate of some 2.5 million attack records per month.”
In a related development, the Anti-Phishing Working Group (APWG) reports
that it saw a large increase in the number of unique phishing sites
in April 2007 to more than 55,000 sites, 35,000 more than the group
reported in March, according to the APWG’s Phishing Activity Trends Report.
A disturbing trend toward sophisticated new mechanisms that actively try to prevent
detection and analysis is evident in the latest variations of the “Storm
Worm” virus. Once these worms completely scan the hard drive and synchronize
with peer-to-peer (P2P) networks, they download updates that are always
evolving, with methods to alter the binaries to avoid detection and
analysis. The binaries change so rapidly that functionality updates
are hard to determine. A number of corporations stop this type of threat
at a corporate firewall by filtering the eDonkey protocol and filtering
incoming SMTP encrypted archives or outgoing SMTP traffic from unauthorized
hosts.
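As an added example (not from the newsletter or VeriSign), one way a mail gateway can implement the “filter incoming SMTP encrypted archives” control mentioned above: check each ZIP attachment for the encryption flag in its headers rather than trusting the declared MIME type. The message and archive are constructed inline, and the example.test addresses and invoice.zip name are made up.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_ENCRYPTED_FLAG = 0x0001            # bit 0 of the general purpose bit flag (PKWARE APPNOTE)
ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"   # every ZIP entry starts with this local header signature

def zip_has_encrypted_entry(blob: bytes) -> bool:
    """True if any entry in the archive is flagged encrypted; trusts the central
    directory, but falls back to scanning local headers if it is damaged."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        pos = blob.find(ZIP_LOCAL_HEADER_SIG)
        while pos >= 0 and pos + 8 <= len(blob):
            flags = struct.unpack_from("<H", blob, pos + 6)[0]   # sig(4) + version(2), then flags
            if flags & ZIP_ENCRYPTED_FLAG:
                return True
            pos = blob.find(ZIP_LOCAL_HEADER_SIG, pos + 4)
        return False

def encrypted_zip_attachments(raw_message: bytes) -> list:
    """Filenames of ZIP attachments whose entries are encrypted (empty list = pass)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Decide on content, not the sender-controlled MIME type or file extension
        if payload.startswith(ZIP_LOCAL_HEADER_SIG) and zip_has_encrypted_entry(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged

def build_sample_message(encrypted: bool) -> bytes:
    """Constructed sample mail with a one-entry ZIP; if encrypted, the flag bit is patched into both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"constructed placeholder, not an executable")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ZIP_ENCRYPTED_FLAG                                 # local header: flags at offset 6
        data[data.find(b"PK\x01\x02") + 8] |= ZIP_ENCRYPTED_FLAG      # central directory: flags at offset 8
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.test", "user@example.test", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

The header-scanning fallback matters because a truncated or deliberately malformed archive still opens in many extractors but would raise an error in a central-directory-only check.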
The latest threats indicate attempts to cause excessive
time constraints on analysts and avoid some automatic and manual analysis
techniques. This botnet is very difficult to neutralize because it has
a decentralized structure, unlike traditional botnets, where all bots
connect to a single server and listen for commands. The success of this
botnet provides attackers with a strong distribution channel that has
the added benefit of selecting hosts based on a history of activity
and hiding more strategic goals from analysis efforts. One of the primary
incentives of this botnet is to expand. “Pump-and-dump” spam and other
e-mail scams appear to be widely used techniques at this point to make
money, but data harvesting and other abuse potential still exists. In
this case, the motivation to develop a strong architecture makes the
hosts that are part of this botnet less transferable. They lose their
value and effectiveness if they leave the P2P network.
The authors will probably invest more resources in
anti-analysis techniques and attempts to maintain a presence on infected
hosts. Anti-analysis techniques can increase the complexities of analysis
to a point where it becomes very difficult to analyze using today’s
methods. The Storm infection is still in its early stages, and we have
yet to see its full potential unleashed.
News from VeriSign
VeriSign and Innovative Card Technologies Address Worries of Online
Merchants with New Fraud Protection that Fits in a Wallet
VeriSign Identity Protection has integrated with ICT DisplayCard to
make it easier than ever for financial services providers and retailers
to issue and accept payment cards embedded with one-time-password (OTP)
authentication to protect their online transactions from e-fraud.
“.TV Showcase” to Serve as Media and Entertainment Model for the Future
of Digital Content Distribution
VeriSign and Lionsgate (NYSE: LGF), the leading independent
filmed entertainment studio, have teamed to produce an online
showcase to demonstrate the next generation of entertainment
distribution, tying together a seamless consumer experience across TV,
online and mobile devices. View a beta version.
VeriSign Events
June 10-13, HDMA Distribution Management Conference & Technology Expo, Boston, MA
Connect with more than 600 market and policy leaders
at the 2007 HDMA Distribution Management Conference & Technology
Expo (DMC) to gain the most up-to-date supply chain knowledge, access
to healthcare leaders and research on current and emerging technology
solutions. VeriSign is an exhibitor at this event.
June 11-14, Digital Hollywood, Los Angeles, CA
Jeff Richards, vice president of digital content services
at VeriSign, will be speaking on Complementing Traditional Broadcast
Models, June 12, 9:00 a.m. and Next Generation P2P Music and Film, June
14, 11:05 a.m.
June 14-16, eBay Live!, Boston, MA
eBay Live! 2007 is the best place to learn the secrets
of success on eBay, network with your peers, and share your passion
for eBay with thousands of other eBay Community members. VeriSign is
a member sponsor. Please stop by and visit us at booth #1022.
September 5-6, Forrester Security Forum, Atlanta, GA
More than 200 senior security leaders from around
the globe attended Security Forum 2006, and 98% plan to return this
year as Forrester leads them in sharing innovative security practices,
predicting and preparing for the future of security, and expanding the
practice of operational risk and compliance discipline. VeriSign is
a platinum sponsor of this event.