2010 Data Breach Investigations Report Released

Wade Baker
July 28th, 2010

Get it here.

As many of you know, we publish a series of reports covering forensic engagements worked by Verizon’s Investigative Response team. For the past several years we’ve dug into the who, what, when, where, how, and why of organizational data breaches and passed our findings on to you in the DBIR. We’re big proponents of the belief that you can’t manage what you can’t measure and so are always looking for better ways to measure factors critical to managing security. Analyzing first-hand evidence collected during breach investigations offers a rare and powerful chance to do this.

We’ve already announced that this year’s DBIR is a joint effort between Verizon and the U.S. Secret Service. We hope you’ll benefit from (and enjoy) the results, analysis, recommendations, and commentary in the report. However, we also hope that you will recognize it as a proof point that sensitive data can be shared anonymously, responsibly, securely, and effectively between organizations. Our field is in desperate need of more high-quality accessible data and collaborating among ourselves is the only way we’re going to get there.

This report is interesting in terms of analyzing trends. Last year, we reported on our own caseload. This year, we added an entirely new dataset. It shouldn’t be surprising that this changed some of our results substantially. We discuss these changes and potential reasons for them throughout the report. Equally interesting to those changes, however, are the results that didn’t change. We’ve always wondered (and so have you) whether certain findings were unique to Verizon’s caseload or truly indicative of the general population. The fact that Secret Service data shows many results that are very similar to our own is a compelling revelation.


VERIS framework moves from beta to v1

Wade Baker
July 26th, 2010

As you may remember, we released a beta version of the VERIS framework back in March. Since then, we’ve received helpful feedback from the public as well as organizations that have begun to implement and use VERIS. We’ve updated VERIS accordingly and now believe it is ready to move from beta to version 1. Starting today, you can access v1 at the new VERIS wiki.

This does not mean that VERIS is final; in fact, it never will be. It is meant to be an evolving framework that reflects current community input. The wiki will allow anyone to comment, post suggestions, or otherwise discuss the various elements of VERIS. This will help ensure that the framework remains a useful and viable structure for information sharing within the security community. We invite you to participate.

For those of you not familiar with VERIS, it is a set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner. It is what we use to collect and analyze case details for the Data Breach Investigations Report. The overall goal is to create a foundation for data-driven decision-making and risk management. You can view an executive summary here.

Finally, we would be remiss if we did not give a heads up on the imminent release of the 2010 DBIR. It will be released this Wednesday, July 28. VERIS is what allowed data sharing between Verizon and the United States Secret Service and we look forward to sharing our findings with you.

Intelligence Summary: 2010-07-23

Dave Kennedy
July 23rd, 2010

Tuesday, September 21st, 1976: The classic M*A*S*H* hour-long “Bug Out” episode aired. What’s that got to do with InfoSec risk this week? Not a blessed thing, and that’s the point. There’s a new vulnerability in Windows and there’s malware in the wild exploiting it. But this is not the time to strike the tents, jump in the trucks and beat feet. It’s just another worm, folks. In a year we’ll remember it about as well as we remember Conficker. The silver lining might be torque on bean-counters’ arms to free up the bucks (Euro, Yen, Pounds, Riyals) to finally ditch XP SP2. Microsoft, Google and others came out with “Coordinated Vulnerability Disclosure,” ditching the expression “responsible disclosure” in the process. Good luck with that. Society has yet to establish an accepted norm for IT vulnerability handling. Ideally this new effort will accomplish that, but there will always be individuals who reject the social contract for their own selfish, irresponsible reasons.

Successful Evidence-Based Risk Management: The Value of a Great CSIRT

Alex Hutton
July 20th, 2010

I was reading Richard Bejtlich’s blog today on Computer Security Incident Response Teams and he quoted the following from Gartner’s report “How to Build a Computer Security Incident Response Team”:

“A competent and adequately resourced CSIRT is an important part of an organization’s information security program. Many organizations either have nothing in place or follow inconsistent procedures. In many organizations, the goal is to recover from an incident and get back up and running with minimal attention being paid to evidence collection, analysis or postmortem reporting. Over the long term, this approach results in more security events, not fewer, as the organization is unable to discern the root causes of incidents and incorporate these lessons learned into improvements in infrastructure and process management.”

We wholeheartedly agree. In fact, this is EXACTLY why we released the Verizon Enterprise Risk and Incident Sharing framework (pdf) for you to use. Our hope is that the VERIS framework(1) and our Data Breach Investigations Report(2) are just what you need to mature incident analysis and post-incident reporting.

Weekly Intelligence Summary: 2010-07-16

Dave Kennedy
July 17th, 2010

Researchers at CA have an analysis of an update to the Zeus Trojan/kit, and Kaspersky has an analysis of the Black Energy DoS malware; these are the most useful risk intelligence updates this week. Malware and other InfoSec blogs are buzzing about a new rootkit that uses “.lnk” files to run from a USB drive. Scary images of SCADA system infections and a so-called 0-day make for great press but lousy risk intelligence. Whatever it is, it isn’t “in the wild” in a meaningful way and, like most just-discovered malware evolutions, it doesn’t run reliably. Microsoft and Oracle released updates, and the former says 25K systems have reported attempted attacks using the CVE-2010-1885 vulnerability. Note: these were not compromises, and the hype surrounding this issue will finally diminish. Secunia says this could be the worst year ever for vulnerabilities, but somebody forgot to tell US-CERT’s National Vulnerability Database, where this year might be 5% ahead of last year. Black Hat and Defcon hype continues unabated; it’s about attendance, sponsors and revenue; it’s not about risk. “You’re known by the company you keep.” Fine. Go to Las Vegas, but make it like a trip to the zoo or prison.

Weekly Intelligence Summary: 2010-07-09

Dave Kennedy
July 10th, 2010

The week kicked off with attacks on YouTube, Wikipedia, iTunes, Russian banks and their customers, and at least two attacks on Facebook users. Hindsight may remember the most risk-significant development this week as EMC beginning to shut down their Atmos Online cloud. Next week we expect four Microsoft security bulletins covering five vulnerabilities, including Tavis Ormandy’s socialization demonstration. Oracle will release their July CPU for 59 vulnerabilities, including 21 in Solaris. Without a security advisory, Cisco released a software update to their Adaptive Security Appliance 5580; paying attention to version release notes pays off. The Signal:Noise ratio in InfoSec news was remarkably poor last week, and it’s forecast to only get worse in the run up to several conferences. Just because something “could” happen doesn’t mean it will happen. Don’t buy any anti-asteroid umbrellas and don’t lose sleep over minutiae whose primary purpose is attracting attention with no impact on risk in the world we are in.

Forget trying to color the Swan, focus on what you do know

Alex Hutton
July 7th, 2010

Recently, there’s been no small amount of discussion about how the government can help defend cyber-space from catastrophic cyber-risks. Many folks are saying that we (infosec) could have our own “Black Swan” moment and a sort of “kill switch” might provide a defense against attack.

The problem is this: If you’re reading Nassim Taleb, and coming away with the idea that a Black Swan is a low-likelihood/high-impact event, you’re mistaken. This is a false characterization. I will red-card the next person who suggests such.

Rather, Black Swans are better characterized as events for which your prior distributions are COMPLETELY uninformative. BIG difference. Oil spills, EMP disruptions, Hurricane Strength and Levee Failure, even Economic Bubbles: these all have prior distributions that, in terms of either likelihood or impact (or both), I would characterize as relatively informative at some level of abstraction. To further press the point, regarding real “Black Swans”, the impact of a Rumsfeldian Unknown/Unknown may or may not be “high” (we just tend to worry about high-impact stuff).

Look, if you’re using past frequencies as direct evidence for pattern establishment in modeling complex systems then, yes, all these imagined things for which we have no “actuarial quality data” become “low probability” events and we can seriously get burned. Duh. Bad models with bad data create bad results. No magic there.

But if, on the other hand, you treat probabilities not as a nature-state count but as a statement of belief and a hypothesis to be tested, then you can develop models that better address expected changes to the threat landscape and relate them to the impact (impact being less important because really, you’re already assuming high impact in your hypothesis prior to testing, and done right, that’s OK).

But I would argue that in infosec, and with regards to “cyberwar”, we have plenty of knowledge about attacks and our ability to fail spectacularly. We have past experience that shows that attackers dream up new threat actions, circumvent existing controls in clever ways, and when economically driven (including behavioral aspects of being economically driven) will seek to cause impact by almost any means necessary. The specific vulnerability or exploit (or pairing thereof) might be a complete unknown/unknown, possibly characterized as a real Black Swan, but we’ve never been able to prevent them anyhow, and the knowledge that these unknown/unknowns can and do exist, along with the foreknowledge and assumption of high impact, prevents all the craziness we suppose these economic demagogues have to teach us. That is, the prior experience we have with 0-days means that we can derive some state of knowledge with acceptable amounts of uncertainty in many cases.

Finally, speaking of informative prior distributions: I’m not advocating a political stance on the issue, but it’s really, really odd to me that we’re ready to discuss how (un)informative prior distributions are or aren’t in terms of Black Swans and cyber-kill switches, while ignoring the fact that we do have very informative past examples of leadership, regardless of political ideology at this point, being incapable of reacting quickly to catastrophic events. Events that unfolded much slower (presumably) than a “cybercrisis” that results in “cybergeddon” (readers can blame @shrdlu for my “cyberness” this morning, she’s a bad influence).


Weekly Intelligence Summary: 2010-07-02

Dave Kennedy
July 6th, 2010

“Wanted: Eleven power users for international espionage positions in the United States; parenting skills and fluency in English and Russian a plus.” The Russian spies’ IT issues have distracted the technology media like a cat and a laser pointer. Those of us with Cold War Recognition Certificates have broader perspectives and are recalling KGB is now spelled SVR. The good news is the FBI’s counterintelligence agents have been on some of them for seven years. Russia may expel or arrest US “agents” to complete the tit-for-tat; the bad old days never left. In more routine InfoSec risk events: Adobe patched Acrobat and Reader but some risk may remain. Microsoft, GData and Symantec reported escalating attacks on Tavis Ormandy’s attention-seeking behavior. July 13th is due to be a monster patch Tuesday with Microsoft and Oracle (think Sun too) scheduled updates; an early, out-of-cycle patch for Help and Support Center might simplify patch management and provide more protection. The bad news, especially in hindsight, may turn out to be what’s happening to Frito-Lay. Multimillion dollar losses. How do we protect our principals from that?

Weekly Intelligence Report: 2010-06-25

Dave Kennedy
June 25th, 2010

The top news in IT this week was iOS4 and iPhone 4. Verizon Business Cybertrust Security customers should feel little impact from Apple’s releases as the enterprise support for iPhone is still maturing. Physical loss of the device with enterprise data on it remains the primary iPhone/iPad risk consideration. Apple’s releases, the World Cup and the anniversary of Michael Jackson’s death were found in bait messages for spam, phishing and malware attacks.  Sophos reported targeted malware attacks with PDF attachments. M86 Security warns of a new round of Asprox SQL injection attacks. An unusual and memorable report this week came from CA’s Internet Security Business Unit in Melbourne: they encountered a Wank worm infection. In more recent history, the Risk Team prompts our customers to recall the Twilight films were used as bait for malware in August, November and December of last year and also recall Santayana’s admonition. Firefox and Chrome users: time to update.

Weekly Intelligence Summary: 2010-06-19

Dave Kennedy
June 19th, 2010

It was a tough week in the risk domain of availability. Intuit (Quicken, TurboTax), Twitter, Media Temple (Live Journal), NameCheap (domain registrar) and Virgin Blue (airline) suffered outages. The Telecoms community didn’t miss the glitch-boat, we (Verizon) had an OC-12 outage, O2 had an outage too and AT&T’s pre-order system for the iPhone 4 went something short of what I’m sure they had in mind. The good news this week included sentencing and pending deportation of three Latvians who conspired and hacked the systems of Davidson Companies, a financial services provider in the US Rocky Mountain states. They tried to extort US$80,000 to reveal how they did it and to destroy the stolen information. Cheers to Davidson, the Secret Service and the US Attorney’s office in Montana. And more cheers to the US Department of Justice, FBI, ICE and Customs for 30 convictions for counterfeit network hardware. These criminals will have their own availability problems for a few years. The Risk Team is as weary hearing the wailing surrounding AT&T and the iPad and Google and Windows Help and Support as we are tired of listening to the vuvuzela during the World Cup. Certainly others find the melodies pleasing, we just aren’t among them.

Risk Appetite: Counting Risk Calories is All You Can Do

Alex Hutton
June 17th, 2010

“If it is impossible to deduce a wave equation strictly logically, then the formal steps carrying on to it, are, as a matter of fact, only witty guesses.” – Max Born

Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows how different our organizations are. I’d also like to counter a few of the assertions he makes because I find these to be misunderstandings that are common in our industry.

“Anyone who knows me or has subjected themselves to my writings knows I have some uneasiness with today’s role of risk. It’s not the process, but more of how there is so much focus on risk as if it were a science – but it’s not. Not even close.”

Let me begin my rebuttal by first arguing that risk management, at its basis, is at least “scientific work”. What I mean by that is elegantly summed up by Eliezer Yudkowsky on the Less Wrong blog. To use Eliezer’s words, I’ll offer that scientific work is “the reporting of the likelihood ratios for any popular hypotheses.”

Our “hypotheses” are simply the statements of likely frequency and impact for various entangled properties of business processes that use computing systems.

And in terms of pointing out differences between what Jim is saying and what Verizon’s Risk Intelligence group believes, not only do we embrace that assertion, but we are actively acting out what Yudkowsky says when he continues that scientists should “make the actual raw data available, so the likelihoods can be computed for any hypothesis.”

You want “New School Security” or “Evidence-Based Risk Management”? This, my friends, sums up these notions very succinctly. This is why we have created (and released) VERIS as a framework for creating metrics around security incidents. This is why we release the Data Breach Investigations Report, and why we spend the time and money to work with organizations like the Data Loss Database and the US Secret Service to provide evidence to risk analysts and security professionals.

And know this: we do these things because we believe that Jim is right, a consultant who isn’t engaged in scientific work for their customer is just “guessing” or stating an “opinion”. Even worse, they are doing so without applying rigor to the elimination of bias and without doing all they can to create intersubjectivity between the data owner and the analyst (which is what we really should be doing, not treating “objectivity” as if it is some obtainable state of knowledge).

Let me finish my point here by saying this: You want to know why information risk management isn’t a science yet, Jim? It’s because not enough organizations are following the lead of Verizon, Trustwave, 7safe, the US Secret Service and the Data Loss Database (just to name a few) who are actively publishing and sharing information. Frankly, I long for the day when members of our industry (our customers, those we serve) have no tolerance for those who sit and complain about lack of “actuarial quality data” while not doing spit about it.

Speaking of which, the second point I’d like to discuss is that Jim, like many in our industry, assumes that there is a magic, happy place of achievement called “actuarial quality data” and that our inability to accomplish this state of data nirvana prevents us from doing our jobs. In reality, the notion of data quality is made up of subjective elements like “accuracy”, “completeness”, “consistency”, “timeliness”, and so forth. In fact, data quality is the entire reason you have to treat risk management like a science that is heavily dependent on probability theory. The subjectivity in data quality perspectives is best addressed by using the right probabilistic methods.

And make no mistake, Verizon Risk Intelligence isn’t just sitting around waiting for “actuarial quality” to appear at the end of the rainbow. We understand that you can’t achieve if you don’t try, so we continue to make significant investments to increase the accuracy of our data sets based on both those notions of data quality and creating models that do express the uncertainty concerning risk statements.

On to Establishing the Risk Tolerance of an Organization

Really, this isn’t rocket surgery once you understand a couple of significant points.

First, anyone who has studied for the CISSP has had it drilled into them that we serve the data owner. If you want to create intersubjectivity around risk tolerance, the most relevant thing to do is use the tolerance of the data owner. In fact, we might argue that the risk tolerance of any other member of the organization is actually completely irrelevant.

So to use the risk tolerance of the data owner, we have to understand what creates tolerance and intolerance for business risk. In our QRM project prioritization model, for example, our first step is to actually perform interviews with data owners (novel idea, I know). The questions in these interviews have nothing to do with threats, vulnerabilities, or even probable losses from a security incident, but rather help us understand the market conditions within which the company is operating and the business strategy the organization has for profitability (or in the case of non- or not-for-profits, the strategy the organization has for maximizing contributions).

Once the basic understanding of market conditions is in place, then we can start to establish the data owner’s tolerance for loss. You can see my post on VERIS impact here for an idea of what sorts of information we look for in this process. Once loss tolerance is established, we now have context within which we can go about creating a state of knowledge for likelihood and impact, complete with reference points for discussion (those reference points being the tolerance for losses, the stated market strategy, and an idea of Total Cost of Ownership for the project(s) under consideration).

Now QRM is only one model we use. We subscribe to the “scientific” ideas of model selection and fit determination. But as customer engagements allow, Risk Intel applies the concepts and processes discussed above in all our engagements.

On “Counting Calories” and the Role/Future Of Risk Management

I’d like to end here with a couple of points. First, “risk management” isn’t a fad. Both Jim and Michal Zalewski of Google have recently treated “risk management” as if it were some sort of approach we’re doing for now until we move on to the next great thing. Jim says:

“I must state that this does not mean that risk management is completely pointless — far from it. In lieu of anything better and more accurate, today’s risk processes are what they are.”

I’ll argue that what Jim (and Michal) mean is that the particular risk models they use aren’t accurate enough for their subjective tolerance for uncertainty. Indeed, Michal says that risk = probability of an event * maximum loss. Any risk model that only regards maximum loss is going to be amazingly inaccurate. But where they both make a significant mistake is assuming that risk management is something we’re “trying” or something we do “in lieu of anything better”. Now if you think about it, people have been doing risk management since the beginning of history. The current business literature stress on “risk management” as a formalized subject may be a fad, but far after everyone reading this post is long dead and gone, people will still be trying to act based on their best perceived likelihood and impact.

If that’s so, we owe it to ourselves to “count calories”. Verizon’s Risk Intelligence believes that this means trying to do the best job we can rather than stating a guess or opinion without rigor.
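
As an added illustration (not part of the original post) of why a model that regards only maximum loss misstates risk: let $L$ be the loss from an event over the period of interest, with $p = P(L > 0)$, and let the loss outcomes $\ell_i$ occur with probabilities $p_i$ given that a loss happens at all. Then

$$
\mathbb{E}[L] \;=\; p \sum_i p_i\,\ell_i \;\le\; p\,\ell_{\max},
$$

with equality only when every loss event is a maximum-size loss. With constructed numbers, $p = 0.2$, $\ell_1 = 1{,}000$ with $p_1 = 0.9$ and $\ell_2 = 100{,}000$ with $p_2 = 0.1$, we get $\mathbb{E}[L] = 0.2\,(900 + 10{,}000) = 2{,}180$, whereas $p\,\ell_{\max} = 20{,}000$: the maximum-loss model overstates expected loss by a factor of about nine and says nothing about the spread of outcomes against which the data owner’s loss tolerance has to be compared.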


Weekly Intelligence Summary: 2010-06-11

Dave Kennedy
June 11th, 2010

On the heels of last week’s “news” that Google was purging the Windows OS, as if that decision was independent of the forthcoming roll-out of the Chrome OS, we have more Google versus competitor security pseudo-news. Google employee Tavis Ormandy felt compelled to announce a new vulnerability in Windows Help and Support Center. Some feel this was rude, but Tavis had the courtesy to acknowledge, in his own words, “all my other pimp colleagues.” In April, it was also Tavis who “outed” a vulnerability in Oracle’s Java Deployment Toolkit. The Risk Team continues to be unimpressed by Tavis and his “pimp colleagues.” Help and Support Center vulnerabilities have failed to manifest themselves as attacks at least 1, 2, 3, 4, 5, 6 and 7 times before, but perhaps “eight is the charm.” So far the risk lessons are more about corporate reputation and individual socialization than technical issues. Similarly, the breach of about 5% of iPad users’ e-mail addresses is less about Apple and more about AT&T’s image. The risk lesson is another reminder of the necessity to bulletproof web applications and monitor them for attacks. Everyone on the Risk Team got new “been there, done that” T-shirts when new vulnerabilities in Adobe Flash, Acrobat and Reader were used in attacks and a new Flash version emerged from Adobe in response. Microsoft Tuesday delivered on the forecast for 10 bulletins, but the Risk Team’s recommendations to Verizon Business Cybertrust Security customers were less urgent than those of the MSRC.

How to focus your “Drilling for Certainty”

Russ Cooper
June 10th, 2010

You may have seen a link on our blog about a week ago to David Brooks’ excellent New York Times opinion piece titled “Drilling for Certainty”. This is a must read for anyone who thinks they do, or should do, risk assessments.

Here at Verizon Business our approach to the complexity issue Mr. Brooks discusses is to clear away the clutter and focus on the most important issues first. We are constantly faced with exclamations of potential security exploitation, making it difficult to clearly see where our most likely threats lie. Those exclamations are full of allegedly “expert” analysis, striking numbers, and even proof of concept, making them hard to ignore, and even harder to prioritize.

As Mr. Brooks points out, even several small and relatively insignificant events can combine to create a catastrophe. So how do you prioritize the tens of thousands of advisories, opinions, and warnings that come across your desk each year?


Weekly Intelligence Summary: 2010-06-04

Dave Kennedy
June 4th, 2010

Friday evening, Adobe issued a new security advisory for a vulnerability in Flash, Acrobat and Adobe Reader and reported it is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. Reasonable mitigations are available for Acrobat and Reader, but the only mitigation for Flash is deploying a Release Candidate for Flash Player 10.1. The recent history of criminal attacks on Adobe products indicates this is likely to get much worse before it gets better. Next week we’re expecting ten security bulletins from Microsoft. Ichitaro users in Japan should be on guard as a new vulnerability in that very popular word processing program is being exploited by a new Trojan horse and other attacks targeting Japanese-speaking users have been reported as well. In lighter news, Captain Renault renewed his honorary membership in the Risk Team this week.  We were shocked! – shocked to learn a company about to release an Operating System has decided to drop the use of a competing company’s OS.

NYT article: “Drilling for Certainty”

Wade Baker
June 4th, 2010

Hat tip to Dave Kennedy for bringing this one to my attention. Great article and very relevant to those of us charged with managing security and reliability in complex systems.