Information Security Blog

How OSCAR (not Mayer) Saved our Bacon


There are two axioms that represent different sides of the same coin and are relevant to this blog post: “The cobbler's children always go barefoot …” and “eating your own dog-food.”  The good news is that because we were eating our own dog-food (and hence not going barefoot) we may have literally avoided a notable monetary loss that could have left us figuratively barefoot and eating dog-food …

As you are likely all too aware, there are a number of variants of credential-stealing malware that steal banking credentials with the intent of emptying your bank account.  Several weeks back we dodged a bullet when one of our internal machines hit a web server known to propagate malware and then began to communicate with several known Zeus “command and control” servers.

Fortunately, we were eating our own dog-food and piloting a new extension to our OSCAR security event monitoring solution.  What this extension does, in short, is look at your firewall logs in real-time and send an email alert if it detects communication with known malware propagation and/or command and control servers.  As an information assurance firm, we like to think that we run a pretty tight ship – so we were a bit surprised when we got the email.

The first thing we did was to isolate the machine on a non-trusted LAN segment.

The email linked directly to the concerning events (highlighted below).  Tracing the event, you can see that one of our desktops was maliciously redirected by 208.91.196.252.  Approximately 25 minutes later that same host began communicating with 216.172.169.44.
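The detection the two paragraphs above describe, as an added example (not OSCAR's code): match firewall-log destinations against a list of known propagation and C2 addresses, then correlate per internal host so that a propagation-server contact followed shortly by C2 traffic is rated as one infection chain. The log format, the internal addresses, the one-hour window and the 93.184.216.34 benign destination are constructed for this example; the two indicator addresses are the ones named in the post.

```python
from datetime import datetime, timedelta

# Known-bad destinations: the two addresses the post names, with the role the post gives each.
INDICATORS = {"208.91.196.252": "propagation", "216.172.169.44": "c2"}

# Assumed window: C2 traffic within an hour of a propagation contact is treated as one chain
# (the post saw a gap of about 25 minutes).
CHAIN_WINDOW = timedelta(hours=1)

# Constructed sample log (not the post's real logs), one connection per line:
# "<date> <time> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2011-04-12 09:01:17 192.168.10.21 93.184.216.34 80
2011-04-12 09:03:05 192.168.10.21 208.91.196.252 80
2011-04-12 09:10:40 192.168.10.33 93.184.216.34 443
2011-04-12 09:28:11 192.168.10.21 216.172.169.44 80
2011-04-12 09:29:50 192.168.10.33 216.172.169.44 80
"""

def parse_line(line):
    """Turn one log line into a record with a real datetime."""
    date, time, src, dst, dport = line.split()
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "dport": int(dport)}

def find_hits(log_text):
    """Every connection whose destination is on the indicator list, in log order."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["dst"] in INDICATORS:
            hits.append({**rec, "role": INDICATORS[rec["dst"]]})
    return hits

def correlate(hits):
    """Rate each internal host: 'chain' = propagation contact followed within
    CHAIN_WINDOW by C2 traffic (the sequence the post traced); 'c2' = C2
    traffic with no preceding propagation contact; 'contact' = propagation
    contact only, no C2 traffic yet."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h["src"], []).append(h)
    verdicts = {}
    for src, events in by_src.items():
        props = [e["ts"] for e in events if e["role"] == "propagation"]
        c2s = [e["ts"] for e in events if e["role"] == "c2"]
        chained = any(timedelta(0) <= c - p <= CHAIN_WINDOW
                      for p in props for c in c2s)
        verdicts[src] = "chain" if chained else ("c2" if c2s else "contact")
    return verdicts
```

Running `correlate(find_hits(SAMPLE_LOG))` rates 192.168.10.21 as a chain (propagation contact, then C2 traffic 25 minutes later) and 192.168.10.33 as bare C2 traffic, which is the distinction an alert email would want to carry.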

[Figure: OSCAR log monitoring detects dangerous malware]

At first we were not overly worried when we realized that the redirected desktop was one of our Macs, as Zeus is known to target Windows.

[Figure: Zeus malware communicating outbound, identifying the location to which the infected host was communicating]

But a quick Google search left us disappointed in our level of Zeus awareness, and a little more concerned.

[Figure: Zeus malware now targeting Apple; Zeus is more advanced on Macs than we thought]

We logged in to a number of prominent banking sites (using fake user names and passwords) and monitored our outbound logs.  Interestingly, on multiple occasions we saw “shadow traffic” outbound on port 80 to some suspicious locations.  At this point we had to make a decision – fire up a sniffer and dig in a little further, or clean this up and get back to work?  The official story line is that we chose the latter.

Fortunately, remediation was relatively straightforward. Just to be sure, we tightened up the Mac firewall running on that box (Little Snitch), kept that host on an isolated LAN segment for a while, and continued to let OSCAR observe traffic until we were confident that we were all clear.

As a side note – we were never really at any notable risk, as we do not do any Internet banking on Windows or Mac systems.  We have a single, locally firewalled Ubuntu machine that has no inbound network access, and which is only allowed access to two HTTPS banking URLs.


About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.
