Archive for September, 2010

Evidence Based Risk Management & Applied Behavioral Analysis

Wednesday, September 29th, 2010

To begin with, let me freely admit that I am not the fastest runner off the line. I have had the pleasure over the past few months to collaborate with Allison Miller on topics such as threat and risk modeling and fraud prevention, conversations that have provided me with much food for thought. These discussions reminded me of how, over the past few years, I have had the pleasure of listening to and engaging with colleagues as they patiently explain to me their frustrations with risk expression, risk management, and trying to turn their GRC programs into something useful. I have actually been told things such as, “Alex, we’re just doing GRC so that we can say, ‘yeah, we have GRC’.” While mulling all this over, I have been trying to get my head around why current approaches to risk expression seem to be so disconnected from operational security.


“Facts first” on Stuxnet from ICSA Labs

Monday, September 27th, 2010

Andy Hayter, a colleague of ours from ICSA Labs (an independent division of Verizon Business) posted some information on the Stuxnet worm late last week. If you’re looking for some FUDless facts, it’s a good place to start.

Weekly Intelligence Summary: 2010-09-24

Friday, September 24th, 2010

The Stuxnet worm is not hiding in our closets with Sulley. The reliable primary source behind the “Stuxnet targeted the Bushehr nuclear plant” story said the claim was “completely speculative”, but you’d never know it from this week’s news. Competent intelligence analysis requires critical thinking, and we’re not buying any bridges this week or next. We see mounting indications that the perennial problem of lazy and complicit domain registrars may improve in the near future: Knujon is reporting on how failures in domain registration policy are enabling cybercrime. M86 Security has an analysis of domains registered in Russia purely to host spam. Paul Vixie and the Internet Systems Consortium are introducing domain reputation features (Response Policy Zones) in BIND. While it’s tempting to dismiss Monday’s Twitter worm as not impacting businesses (other than Twitter), social media have become a key component of corporate messaging, and both Twitter and Facebook experienced convulsive disruptions this week. We have at least a full week before Adobe releases Acrobat and Adobe Reader patches; keep an eye out for a wave of malicious PDFs if the Zeus crew chooses to make hay while the sun shines. Don’t open any HTML attachments in empty messages.

Arriving soon: New study on PCI DSS

Tuesday, September 21st, 2010

The PCI Council’s 2010 Community Meeting is going on this week, which reminds us – we’ve got a new study on the PCI DSS due out on October 4. The basic research model is the same as the DBIR and ICSA Labs Report (collect data from an internal service, see what we can learn, and publish findings), but this time, we’re teaming up with Verizon’s PCI services group.

The report analyzes findings from actual PCI DSS assessments conducted by Verizon’s team of QSAs. It examines the progress of organizations toward the goal of compliance and includes topics such as how and why some seem to struggle more than others.  Also presented are statistics around which DSS requirements and sub-requirements are most and least often in place (or compensated for) during the assessment process.  Finally, the report overlays PCI assessment data with findings from Verizon’s Investigative Response services to provide a unique risk-centric slant on the compliance process. We compare the compliance status of organizations assessed by our QSAs to those investigated by our IR team and discuss the top 10 threats to cardholder data in light of the DSS requirements.

Hope you’ll check it out and that you’ll find it worth your time.

Weekly Intelligence Summary: 2010-09-17

Monday, September 20th, 2010

It’s been years since we last had to pass a drug test, but we’re wondering if we should routinely be screened. This was a week that called for some bipolar meds. We went from “Here you have” mania to “normal”, and then we had nine Microsoft Bulletins and another Adobe advisory, then back to “normal.” Or maybe what’s needed is just old-fashioned alcohol: ready to start drinking after reading how your house will be burglarized because you’re on Facebook? Well, put your beer mugs back down, because the facts of the case reveal the risk is negligible (two out of half a billion). And we bet some of JP Morgan’s IT and InfoSec staff would be ready to join us for boilermakers after suffering outages. News that there was not one, but four “0-day” (we detest that expression) vulnerabilities exploited by the Stuxnet worm is just about enough to make us curl up in a fetal position and sob until we get some Prozac. Or just curl up with an InfoSec Security Blanket? Hang in there and smile.

Weekly Intelligence Summary: 2010-09-10

Saturday, September 11th, 2010

We all witnessed an old-fashioned, mass-mailing Visual Basic worm this week. Woot! But PC Magazine’s headline may have gone a bit too far: “‘Here You Have’ Malware Preys on the Incompetent.” Untold numbers of computer users weren’t around for Lovebug or Kournikova or even Sasser and Sober. Those of us who go back to David Smith’s Melissa need to guard against complacency: “everybody knows that, so no one will fall for it.” Several cognitive biases lead us to discount the risk of events we have already experienced (and, conversely, to overweight events we haven’t). Every major browser updated. There’s another “undercover vulnerability” in Adobe Acrobat/Reader, and one in Internet Explorer too. Microsoft will issue nine security bulletins on Tuesday. Been there; done that; got the T-shirt. Just don’t assume everyone has the T-shirt too.

2010 DBIR webinars this week (+ new data)

Wednesday, September 8th, 2010

I realize it’s short notice but there are a couple of 2010 DBIR webinars happening this week that you may find interesting. On Wednesday, Peter Tippett and I will present the main findings of the 2010 DBIR.  No “new” data will be included beyond the 2010 report, but you’ll get some additional commentary, insight, and, of course, time for Q&A. On Thursday, I’m giving a webinar focused on small to medium business (SMB) and this one will cover some new ground. We’ve pulled out breaches involving SMBs from our dataset and will discuss how their findings differ from those of the main report. Details and links below.

Enterprise webinar: Wednesday, Sept. 8, 11:15 a.m. – 12:15 p.m. Eastern (See replay)

SMB webinar: Thursday, Sept. 9, 11:15 a.m. – 12:15 p.m. Eastern (See replay; username: PH3968393, password: 36466)

Weekly Intelligence Summary: 2010-09-03

Friday, September 3rd, 2010

(SET CHANT=ON) Any vulnerability, no matter how severe, is zero risk if there is zero threat taking advantage of it. (SET CHANT=OFF) There is great angst and hand-wringing over untrusted DLL search path vulnerabilities (an application loading a DLL by unqualified name, so that the loader picks up an attacker’s copy from the current working directory, for example a remote share the victim opened a document from), but the fact remains, we haven’t seen attacks exploiting it. In previous iterations of this same problem there have been almost no attacks, and those attacks we know of were neither targeted nor widespread. Will this iteration also go unattacked? Maybe not, but anyone who believes they can accurately predict attacks using this problem should put those skills to better use by picking lottery numbers. Enterprises have relatively straightforward mitigations: Microsoft Security Advisory 2269637 describes the CWDIllegalInDllSearch registry setting (shipped in KB2264107) that stops the loader consulting the current working directory, plus blocking outbound SMB and WebDAV at the perimeter so a planted DLL on an attacker’s share never arrives. Real threats and real risks were realized by many sites that were defaced or successfully compromised or defrauded, and there were other sites that were unavailable due to DoS attacks or simply due to a spanner in the works. Last, but certainly not least, we would like to tip our hat to Sprint and the Feds for nailing a US $15 million telecom fraud operation!
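As an added illustration of the “straightforward mitigations” for the DLL search path problem (this is example code written for this page, not the blog’s own or Microsoft’s), the following PowerShell applies the host-side hardening on a Windows machine. It assumes the KB2264107 update that introduced CWDIllegalInDllSearch is installed, that the script runs in an elevated session, and that disabling the WebClient service is acceptable for the host; the registry path and the meaning of the values are taken from Microsoft’s advisory, the firewall rule name is our own.

```powershell
# Added example (not from the original post): apply enterprise mitigations for
# untrusted DLL search path ("DLL preloading") issues on one Windows host.
# Assumes KB2264107 is installed and the session is elevated.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'CWDIllegalInDllSearch'

# Weak state: the value is absent (or 0), so LoadLibrary("foo.dll") with an
# unqualified name falls through to the current working directory, which can
# be a remote share if the user opened a document from one.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Output "$name not set: the loader will search the current working directory"
} else {
    Write-Output ("{0} is currently 0x{1:X8}" -f $name, $current)
}

# Hardened state. Documented values for this DWORD:
#   0xFFFFFFFF  never load DLLs from the current working directory (strongest)
#   2           skip the CWD only when it is a remote (UNC or WebDAV) location
#   1           skip the CWD only when it is a WebDAV location
# Written as [int32]-1 so older Windows PowerShell does not overflow the
# DWord conversion; the registry stores it as 0xFFFFFFFF. Test application
# compatibility before deploying fleet-wide and fall back to 2 where needed.
$desired = [int32]-1
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $desired -Force | Out-Null
Write-Output ("{0} now 0x{1:X8}" -f $name, (Get-ItemProperty -Path $key -Name $name).$name)

# Close the delivery path: a link to a document on an attacker's share only
# works if the host can reach that share. Block outbound SMB and turn off the
# WebDAV redirector (blocking 80/443 outbound is rarely an option, so the
# WebClient service is disabled instead). The rule name is our own choice.
netsh advfirewall firewall add rule name="Block outbound SMB (DLL preloading)" `
    dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled
```

Applying the registry value takes effect for newly started processes; roll it out to a pilot group first, since the 0xFFFFFFFF setting breaks the rare legacy application that genuinely relies on loading helper DLLs from its working directory, and the value 2 is the usual compromise in that case.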