Archive for June, 2011

Updated Recommendations for RSA Token Users

Thursday, June 30th, 2011

The RISK Team tries to put events into context consistent with our doctrine of risk being the product of threat, vulnerability, and impact. In that context, it’s hard to support a recommendation for the majority of Verizon Cybertrust Security customers to dedicate additional resources, especially staff time, to the RSA token problem. They should also avoid disrupting operations in a reflexive response (no knee-jerking allowed).

Everything known about the RSA breach supports the inference that nation-state motivated attackers were responsible. Inferences are generally not strong support for decision making, but in this instance there is little else that’s useful. Conjecture, innuendo and competitors’ scaremongering only make decision making more difficult.

If one accepts the premise that state-sponsored actors are the threat, then the problem statement may be along the lines of, “given our known history of attacks from what were likely state-sponsored actors and our self-assessment of our attractiveness to a state-sponsored attacker, what is the likelihood the RSA attackers will use their resources to attack us and what should we do about it?”


Weekly Intelligence Summary: 2011-06-24

Friday, June 24th, 2011

This week we learned Distribute.IT, an Australian hosting company, was compromised on 2011-06-11, and the data from 4,800 web sites was wiped with no local backups. StartSSL, an Israeli Certification Authority, was compromised last weekend and has ceased operations but claimed no fraudulent certificates were issued. Those were the most significant InfoSec risk developments this week. To be sure, we’re tracking many routine events including more LulzSec activity, income tax phishing, another Zeus-bearing spam campaign, insider attacks and DDoS attacks. It was an active week, except for a relative lull in vulnerability noise, which is almost certainly because researchers are holding their disclosures for Las Vegas. Bitcoin’s “flash crash” matters to its users, but was not significant for Verizon Cybertrust Security customers. It only reinforces the reasons for governance, regulation and oversight.


New views into the 2011 DBIR

Thursday, June 23rd, 2011

Numbers and charts courtesy of Marc Spitler

Since publishing the 2011 DBIR back in April, we’ve received a lot of questions about the dataset presented in the report. From the 761 incidents covered in the report, one gets a pretty decent view of “what this says about the general community,” but it can be challenging to figure out “what it means for me specifically.”

Though some suggest otherwise, I do not believe this is a problem inherent to our dataset; this same basic issue affects any large dataset. For instance, if we polled the global working community on some issue, the results would reveal a “middle” position that was not necessarily reflective of any particular country involved. Tracking this over time shows changes in the typical international stance on the issue and has value for many purposes. For other purposes, however, one might wish to study the views of a specific age group from a specific country.

There are nearly unlimited ways we could slice the DBIR dataset to create additional views, and we can’t possibly do them all – especially for free (just being honest). We can, however, create some of the most-requested segmentations, and we are happy to preview a couple here. Below you’ll find the top 15 threat actions for 1) organizations with at least 1000 employees, and 2) breaches of intellectual property and classified information (payment card data and personal information excluded). You can compare these to Table 8 on page 26 of the 2011 DBIR.


Weekly Intelligence Summary: 2011-06-17

Friday, June 17th, 2011

Are we having fun yet? Microsoft rolled out sixteen security bulletins. Adobe issued five bulletins, including the second Flash Player update in as many weeks for a vulnerability already being exploited in the wild. Symantec reports one of the vulnerabilities patched this week by Microsoft’s Cumulative Update for IE is being exploited in the wild. JustSystems Ichitaro is the second-most popular word processor in Japan, and it has a new vulnerability already under attack in the wild. The International Monetary Fund, the US Senate, the CIA, another video game site, ADP and another Department of Energy facility outside Knoxville, Tennessee were attacked this week. Even the good news was bad: Microsoft issued a high-profile warning over fraudulent Windows support calls deceiving users into thinking their computer is infected. Their computers were probably fine when they answered the phone, but may well have been infected by the time they hung up.

Weekly Intelligence Summary: 2011-06-10

Friday, June 10th, 2011

Planning to take a little time off in August? You might want to re-think that decision. In March 2010, Andrew Storms reported Microsoft had established a big-little cadence for security bulletins. The pattern has continued with the exception of last Aug-Sep-Oct, when we went 15-10-16 with two out-of-cycles. Next week, Microsoft will release 16 security bulletins for June, covering 34 vulnerabilities. Readers south of the equator are probably thinking, “so what?” The Northern Hemisphere’s residents (and stock market investors) know August is the peak of vacation season, or maybe not if you’re responsible for the security of Microsoft systems. Enjoy yourself if you have a very finely tuned crystal ball informing you that August will break the big-little pattern, or if you own enough shares of Microsoft to influence this. The Risk Team is looking at our July calendars. Hope is not a method.

Weekly Intelligence Summary: 2011-06-03

Friday, June 3rd, 2011

InfoSec news this week was dominated by reports that Lockheed Martin, L3 and Northrop Grumman recently suffered attacks on their SecurID I&A. Wait: Northrop reportedly replaced their SecurID back in March. And neither Lockheed nor L3 have announced SecurID has anything to do with their network activities. It may be news, but the Risk Team considers it too generous to call it “intelligence.” On the other hand, Google provided a specific announcement of targeted e-mail attacks including accounts known to be used by public figures—that is intelligence. PBS did a Wikileaks special and got attacked for their trouble. Sony’s travails continue. Anonymous reportedly is displeased with Iran and the IMF, and NATO isn’t too happy about Anonymous. Little this week was actionable because robust InfoSec architectures should already be instrumented and monitored to mitigate risks like those we observed this week.

An Alternative Open Source Analysis of the Lockheed Martin Network Breach

Thursday, June 2nd, 2011

Tuesday, Jeffrey Carr posted “An Open Source Analysis Of The Lockheed Martin Network Breach.” Carr literally wrote the book on Cyber Warfare and his analysis is probably spot on. However, I’m uncomfortable with the quantity and quality of sources supporting most of the reporting on this event, and would like to suggest a plausible alternative. I am not stating that Mr. Carr is wrong, only offering a competing hypothesis.

The first report we monitored of this event came from Robert Cringely on Wednesday evening. But Cringely makes no comments about his source(s) for his report apart from referring to an “old friend” he interacted with in March after the RSA breach came to light. He offers nothing upon which to assess if he has multiple confirming sources or none at all.

Then Reuters picked up on the event with an “exclusive” on Thursday. Their sources were described as someone “who was not authorized to publicly discuss the matter,” and another “who also asked not to be identified.” We have to assume these two are different people, but we have no way to assess if one or both are also Cringely’s source.
