Posted on Tue, Jun 29, 2010 @ 09:35 AM
Authored by Michael Gargiullo, Sr. Security Consultant at Pivot Point Security.
I've been working on my old Mustang for about 15 years now.
It seems like there's always something that needs work; a light bulb here, a bit of polish there. While griping about this with an older car nut, I asked, "When does it ever end?" His answer: "When you sell it."
That line popped back up while discussing an infrastructure patch management policy with a client. We spoke about patching Microsoft servers and Red Hat servers. We discussed the difficulty of tracking down the more elusive patches for things like switches, routers and third-party software. We spoke about testing patches before deployment. Towards the end the customer looked up with a smile and asked, "When does it end?" I smiled back and said, "When you sell it."
While it can sometimes be difficult to track down patches for older software, as long as a device is in operation it needs to be kept up to date. So as long as you own it, you need to patch it. A number of times we've discovered a long-forgotten, unpatched Windows 98 or NT machine that gave us our first foothold onto a network. So keep in mind an information security "Golden Rule": if you can't patch it, it's time to sell it!
Posted on Mon, Jun 21, 2010 @ 09:08 AM
Authored by Marc Silverman, Sr. Security Consultant at Pivot Point Security 
ZeuS (aka Zbot, PRG, Wsnpoem and Gorhax) is a Trojan kit: a builder that generates a customized bot binary which installs a suite of data theft tools on a victim's system. ZeuS is most often spread via drive-by downloads or phishing e-mails. Once infected with ZeuS, the victim system:
• Captures keystrokes, credentials and form data from HTTPS, HTTP, FTP, and POP3 sessions (the bot hooks the browser's network APIs, so HTTPS traffic is read before it is encrypted).
• Takes screen shots at relevant times (e.g. when a virtual keyboard is used) to capture supplemental login data.
• Modifies web page content on-the-fly (web injects) to hide its illicit activity and to ask the victim for extra data such as PINs.
• Can push captured credentials to the attacker in real time over Jabber (XMPP) instant messaging, so a one-time password can be replayed before it expires, which defeats that access control.
• Generates SPAM.
• Polls a pool of Command and Control (C&C) servers on the Internet for new instructions, including configuration and software updates.
If you're concerned about ZeuS, I recommend the following:
1) Browse smart. Check what you're clicking on, make sure any links or attachments you're provided are from trusted sources, and when they arrive without warning, check with the sender that they are kosher. Keep your browser, e-mail, and anti-virus patched and up-to-date.
2) Check for signs of infection. ZeuS is normally detected post infection either by communication with its C&C servers or by anti-spyware software.
• In a home or small business environment - Examine the host for signs of compromise by running anti-spyware software. I recommend scanning with both Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.ph) and SUPERAntiSpyware (http://www.superantispyware.com/superantispyware.html?rid=3596). If both scan as clean, odds are that you're clean. If you're still concerned, you can also run GMER (http://www.gmer.net/), a rootkit detection tool, and HijackThis (http://free.antivirus.com/hijackthis/), a Windows configuration and integrity checker.
• In a corporate environment - Since checking every host may not be feasible, examine the firewall, proxy and DNS logs you do have for unexplained outbound connections. If suspect traffic is discovered, compare the destination IP against the list of known ZeuS C&C servers at https://zeustracker.abuse.ch/monitor.php. If that's inconclusive, scan the suspect internal host with the above anti-spyware software.
3) Eliminate the infection. Perform the remediation recommended by Malwarebytes Anti-Malware and SUPERAntiSpyware, followed by a full-system AV scan. Once all infections have been addressed, repeat the anti-malware and AV scans until clean. Because ZeuS exists to steal credentials, also change every password and banking login used from the infected machine, and do so from a system you know is clean.
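The corporate-environment check above (match outbound connections against a C&C list) is easy to automate. The following is an added example, not code from the original post or from Pivot Point Security. It assumes a log format of "<timestamp> <src_ip> -> <dst_ip>:<port>" and a blocklist in the plain-text form ZeuS Tracker used for its IP export (one address per line, '#' comments); both the log lines and the blocklist below are constructed sample data, not real indicators.

```python
"""
Added example (not from the original post): correlate outbound connection
log lines against a C&C IP blocklist such as the one ZeuS Tracker published.

Assumptions (not from the post): a firewall/proxy log with the format
"<timestamp> <src_ip> -> <dst_ip>:<dst_port>", and a blocklist in the
plain-text "one IP per line, '#' comments" form. The log lines and the
blocklist below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample blocklist (documentation-range addresses, not real C&Cs).
SAMPLE_BLOCKLIST = """\
# ZeuS Tracker style IP blocklist (constructed sample, not real data)
# Generated: 2010-06-21
198.51.100.23
203.0.113.77
not-an-address
"""

# Constructed sample log lines: "<timestamp> <src> -> <dst>:<port>".
SAMPLE_LOG = """\
2010-06-21T08:55:01 10.0.0.15 -> 192.0.2.10:80
2010-06-21T08:55:07 10.0.0.15 -> 198.51.100.23:80
2010-06-21T08:56:12 10.0.0.42 -> 203.0.113.77:443
2010-06-21T08:57:30 10.0.0.15 -> 198.51.100.23:80
2010-06-21T09:01:00 10.0.0.99 -> 192.0.2.55:25
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)


def parse_blocklist(text):
    """Return the set of addresses in a plain-text blocklist, ignoring
    blank lines, '#' comments, and entries that are not valid IPv4 addresses."""
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addrs.add(str(ipaddress.IPv4Address(line)))
        except ipaddress.AddressValueError:
            continue  # malformed entry: skip it rather than abort the whole run
    return addrs


def find_suspect_hosts(log_text, blocklist):
    """Map each internal source IP to the listed destinations it contacted.
    Returns {src_ip: {dst_ip: connection_count}} for sources with >= 1 hit;
    hosts that never touched a listed address are absent from the result."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip, do not guess
        if m.group("dst") in blocklist:
            hits[m.group("src")][m.group("dst")] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    listed = parse_blocklist(SAMPLE_BLOCKLIST)
    for src, dsts in sorted(find_suspect_hosts(SAMPLE_LOG, listed).items()):
        for dst, n in sorted(dsts.items()):
            print(f"{src} contacted listed C&C {dst} ({n} connection(s)): scan this host")
```

In practice you would replace the two constructed strings with the downloaded blocklist and your real export, then scan every source host the script names with the anti-spyware tools above. A hit only tells you a host talked to a listed address; it is the host-side scan that confirms the infection. ZeuS Tracker itself has since been retired by abuse.ch, but the same matching works against any current C&C blocklist in the same one-address-per-line form.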
Posted on Mon, Jun 07, 2010 @ 08:46 AM
Authored by Mosi Platt, Sr. Audit Consultant, Pivot Point Security.
In this compliance-driven age of information security, regulatory requirements are increasing audit costs nearly as much as the auditors themselves. But the value of an audit is driven by the assets, not the controls. Let me explain why.
Controls have no intrinsic value; their value is determined by the assets they were put in place to protect (people, processes and technology). If you accept that as true, then the value of a controls assessment is dictated not by the controls being assessed but by the value of the assets those controls protect. A controls assessment is therefore an evaluation of how well an asset's value is protected from loss or damage. If the process itself is fundamentally asset-based, how can the value of an assessment legitimately be based on anything else? A gap assessment is no different: it measures the gap between actual and desired asset protection.
So with that in mind, some of the advantages of an asset-based assessment are as follows:
1. Provides a measure of asset protection from the loss/damage of value.
An asset-based assessment evaluates the effect controls have on the risks that threaten an asset's value. An assessment focused solely on whether the controls' design complies with a standard doesn't evaluate asset protection from risk, because the only "risk" within the scope of that type of assessment is the risk of non-compliance. That approach works for a compliance assessment like the PCI DSS self-assessment, but it doesn't work for ISO 27001 (ISMS) assessments, because there compliance only matters if the organization has already identified the controls necessary for effective asset protection and the purpose of the engagement is to support the standard's monitoring and review requirements. Such an engagement provides no value to an organization that doesn't already have an ISMS in place, because it has never been established that compliance equals effective asset protection.
2. More cost-effective use of client resources.
An asset-based assessment focuses only on those controls necessary for asset protection, while a compliance assessment consumes resources evaluating controls that may not be necessary for asset protection. The cost extends beyond the auditor's time, because the client will also spend resources reviewing consultant deliverables that analyze compliance with control requirements that protect nothing of theirs. A likely side effect is waning support for the assurance effort as people begin to wonder why they're spending resources on analysis that doesn't affect actual security. Additionally, the work required for an asset-based assessment will have to be done sooner or later, and it will probably be cheaper done up front than after an unnecessary compliance assessment.
3. Focus on long-term value instead of short-term gains.
An asset-based assessment provides long-term value by establishing a picture of asset protection that's independent of changing standards. It may be a snapshot of a point in time but it can still be used as a baseline. In a situation where compliance isn't mandatory, the only possible value of a compliance assessment is that it provides an estimate of work that may be required for asset protection. But even if the estimate turns out to be "very little work required," it's not very trustworthy because it was done outside the context of asset protection, so "very little work required" for one asset to be adequately protected may be "a lot of work" for another asset to be adequately protected.