The VeriSign Security Review
November 2005
October saw the highest production of malware on record. In the physical
world, rebuilding efforts in the wake of hurricanes and earthquakes
will attract more adversaries with malicious intent. It is little wonder
then that the U.S. is thinking deeply and widely about security, with
the FFIEC issuing banking authentication guidelines and Congress
probing the safety of Supervisory Control and Data Acquisition (SCADA)
systems. VeriSign’s world-class Global Security Consulting team, combined
with its flexible Unified Authentication solution, allows the company
to help financial institutions gear up for FFIEC compliance and long-term
security strategies.
In this issue:
Hot Topics
Standards and Regulations
News from VeriSign
Ask a VeriSign Consultant
Security Events
Hot Topics
October Threat Summary
October set a new malware production record of 112,142. Topping the list are NetSky-P, Mytob-GH (new entry), Mytob-EX (new entry), Mytob-AS, Mytob-BE, Zafi-D, NetSky-D, Mytob-C, Zafi-B (re-entry), and Mytob-ER (new entry). More at http://www.theregister.com/2005/11/01/october_virus_chart/.
Administrators of Microsoft systems should take a careful look at the affected products and risks documented in the latest set of Patch Tuesday updates, three of which are rated critical:
- MS05-050 – DirectShow, a component of DirectX, contains a vulnerability triggered by a specially crafted .avi file. Attackers will try to persuade users to open such a file sent as an instant-message or email attachment or linked from a Web page; once it is opened, the attacker can execute arbitrary code on the system with the privileges of the logged-on user.
- MS05-051 – MSDTC and COM+ are the subject of a three-part vulnerability; each part allows privilege escalation and remote code execution. VeriSign provides additional information in its iDefense bulletins: http://www.idefense.com/application/poi/display?id=319.
- MS05-052 – Cumulative security update for Internet Explorer. SANS warns that this update sets the kill bit on the Class Identifiers (CLSIDs) of certain COM objects, which stops Internet Explorer from instantiating them. In-house Web applications that depend on those objects will break, so some enterprises may find the update unusable; test it against line-of-business applications before deploying it widely.
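The kill bit is simply bit 0x400 of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. Before deploying MS05-052, an administrator can export that key from a patched test machine and compare the kill-bitted CLSIDs with those an in-house application embeds. The Python below is an added example, not SANS's, Microsoft's or VeriSign's code; the .reg contents and the application's CLSID list are constructed placeholders, not the CLSIDs the bulletin actually affects.

```python
"""Audit kill bits in a Windows registry export (.reg) against the CLSIDs
your own applications rely on. Added example, not code from the newsletter."""
import re

# Registry key under which IE keeps per-CLSID compatibility flags (real path).
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # bit of "Compatibility Flags" that stops IE instantiating the control

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}$")


def parse_killbits(reg_text: str) -> dict:
    """Return {CLSID: flags} for every ActiveX Compatibility subkey in the export."""
    flags_by_clsid = {}
    current = None  # CLSID of the subkey whose values we are currently reading
    for line in reg_text.splitlines():
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            current = None
            if key.lower().startswith(KILLBIT_KEY.lower() + "\\"):
                found = _CLSID_RE.search(key)
                if found:
                    current = found.group(0).upper()
            continue
        flag_match = _FLAGS_RE.match(line)
        if flag_match and current:
            flags_by_clsid[current] = int(flag_match.group("hex"), 16)
    return flags_by_clsid


def killed_clsids(reg_text: str) -> set:
    """CLSIDs whose Compatibility Flags have the kill bit set."""
    return {clsid for clsid, flags in parse_killbits(reg_text).items() if flags & KILL_BIT}


def conflicts(reg_text: str, required: set) -> set:
    """CLSIDs your applications need that the export shows as kill-bitted."""
    return killed_clsids(reg_text) & {clsid.upper() for clsid in required}


# Constructed sample export with placeholder CLSIDs (not those of any real bulletin).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000400
"""

# CLSIDs an in-house Web application is assumed to embed (constructed for the example).
APP_CLSIDS = {
    "{22222222-2222-2222-2222-222222222222}",
    "{33333333-3333-3333-3333-333333333333}",
}

if __name__ == "__main__":
    for clsid in sorted(conflicts(SAMPLE_REG, APP_CLSIDS)):
        print("kill bit blocks a control this application needs:", clsid)
```

regedit writes .reg exports as UTF-16LE, so read a real file with open(path, encoding="utf-16") before passing its text to parse_killbits.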
An exploit has been published for a flaw in Snort, a popular open-source intrusion detection and prevention system. The exploit code, published on the Web by FrSIRT on Tuesday, demonstrates a buffer overflow in the Snort preprocessor that detects traffic from Back Orifice, a remote-control tool used by intruders to take over compromised systems. Because a sensor inspects every packet it sees, the overflow can be triggered by traffic crossing the monitored network without the sensor itself being addressed; administrators who cannot patch immediately should disable the Back Orifice preprocessor in snort.conf.
Finally, the first virus for Windows Vista has appeared. IDonut.A infects executable files on systems with the Microsoft .NET Framework 2.0 installed, which includes Windows Vista Beta 1. IDonut.A is attributed to the rRlf virus-writing group. VeriSign's current severity assessment for this malicious code is Low.
Infrastructure Security a U.S. Priority
The increasing number of online attacks against
industrial control systems has triggered a series of congressional hearings
on securing the nation’s SCADA, or Supervisory Control and Data Acquisition
systems used to control and monitor critical infrastructure such as
power, utility and transportation networks.
Dr. Samuel G. Varnado of the Sandia National Laboratories recently testified that "it is possible to turn out the lights in most major U.S. cities through cyber attacks on SCADA systems." Sandia has been investing in areas of urgent need, including integration of cyber and physical security technology, cryptographic solutions for SCADA systems communications, modeling and simulation of infrastructure elements, secure control of micro grids, forensics, and new network technologies for SCADA systems.
Several initiatives to help secure the control
systems will be rolled out by the government and federally-funded organizations
in the next year, according to Andy Purdy, acting director of the National
Cyber Security Division (NCSD) at the U.S. Department of Homeland Security.
The Department plans to release a document in 2006 outlining best practices
for control-system operators.
Legislative steps include an August energy
bill requiring that the U.S. Department of Energy create an electric
reliability organization. The frontrunner for the job is the North
American Electric Reliability Council (NERC), which has already
created a set of documents on critical infrastructure protection, known
as CIP-002 through CIP-009. The government could give NERC the ability
to levy penalties against companies that do not comply with the standards. http://www.securityfocus.com/news/11351/1
SHA-1 Out By 2010?
SHA-1, the widely used Secure Hash Algorithm, may be replaced by 2010, according to the National Institute of Standards and Technology (NIST). SHA-1 is an official federal standard and is embedded in every modern Web browser and operating system. It is used for digital signatures in email, financial transactions, virtual private network security, and client authentication. Because SHA-1 is so widely deployed, transitioning to a new standard algorithm could require heavy investment. However, a collision attack found this year by Chinese researchers, which finds two inputs with the same hash far faster than brute force, virtually necessitates its eventual replacement. The attack does not let an adversary recover an input from its hash or forge an HMAC, but it undermines digital signatures and certificates over content the adversary can influence. There is no need to panic yet, said Steven Bellovin, a professor of computer science at Columbia University, who described the flaws in SHA-1 as still theoretical. But "even if we decide that SHA-1 is good enough for today," Bellovin said, "someday we are going to have to deploy new hash functions."
http://news.com.com/U.S.+mulls+new+digital-signature+standard/2100-1029_3-5924982.html?tag=nefd.lede
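The transition away from SHA-1 is far cheaper when every stored digest carries the name of the algorithm that produced it, so that retiring SHA-1 becomes a policy change rather than a rewrite of every verifier. The Python below is an added example, not code from VeriSign, NIST or the cited article; the "alg:hex" tag format, the policy names and the sample document are assumptions made here.

```python
"""Algorithm-tagged digests so SHA-1 can be retired by policy rather than by
rewriting every verifier. Added example, not code from the newsletter."""
import hashlib
import hmac


class DigestPolicy:
    """preferred: algorithm for new digests; accepted: verify and keep;
    legacy: verify only, and flag the stored value for re-hashing."""

    def __init__(self, preferred="sha256", accepted=("sha256", "sha512"), legacy=("sha1",)):
        self.preferred = preferred
        self.accepted = frozenset(accepted)
        self.legacy = frozenset(legacy)

    def make(self, data: bytes) -> str:
        return f"{self.preferred}:{hashlib.new(self.preferred, data).hexdigest()}"

    @staticmethod
    def parse(tagged: str) -> tuple:
        """Split 'alg:hex'; a bare 40-hex value is a pre-tagging SHA-1 digest."""
        if ":" in tagged:
            alg, hexval = tagged.split(":", 1)
            return alg.lower(), hexval.lower()
        if len(tagged) == 40:
            return "sha1", tagged.lower()
        raise ValueError("unrecognised digest format")

    def verify(self, data: bytes, tagged: str) -> bool:
        alg, expected = self.parse(tagged)
        if alg not in self.accepted and alg not in self.legacy:
            return False  # retired algorithm: refuse rather than silently fall back
        actual = hashlib.new(alg, data).hexdigest()
        return hmac.compare_digest(actual, expected)  # constant-time comparison

    def needs_upgrade(self, tagged: str) -> bool:
        return self.parse(tagged)[0] not in self.accepted

    def upgrade(self, data: bytes, tagged: str) -> str:
        """Re-hash a legacy value under the preferred algorithm, but only after
        the legacy value has verified; otherwise we would launder a bad digest."""
        if not self.verify(data, tagged):
            raise ValueError("digest does not match data; refusing to upgrade")
        return self.make(data) if self.needs_upgrade(tagged) else tagged


# Constructed sample: a document and the bare SHA-1 digest stored for it years ago.
DOC = b"Pay to the order of Example Corp: $1,000.00"
LEGACY_DIGEST = hashlib.sha1(DOC).hexdigest()

TRANSITION = DigestPolicy()          # SHA-1 still verifies, but is flagged for re-hashing
AFTER_2010 = DigestPolicy(legacy=())  # SHA-1 retired outright

if __name__ == "__main__":
    upgraded = TRANSITION.upgrade(DOC, LEGACY_DIGEST)
    print(upgraded)
    print(AFTER_2010.verify(DOC, LEGACY_DIGEST), AFTER_2010.verify(DOC, upgraded))
```

The same split between "accepted" and "legacy" algorithms carries over to signature verification: a signature over a SHA-1 digest is still checked during the transition, but every value re-signed or re-hashed on its way through the system leaves in the preferred algorithm, so the stock of SHA-1 values shrinks without a flag day.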
Standards and Regulations
New Bank Guidance to Eliminate Single-Factor Authentication
Financial institutions are once again told to move beyond simple user name and password combinations and to secure their transactions with two-factor authentication. The Federal Financial Institutions Examination Council (FFIEC), which comprises the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and other federal agencies, has released guidance for authenticating Internet customers. This guidance, following an earlier FDIC advisory on Internet banking security, represents a definitive step towards eliminating single-factor authentication by financial institutions.
The FFIEC guidance, against which banks will
be audited starting in December 2006, calls single-factor authentication
“inadequate” as the only control mechanism; it recommends that financial
institutions employ authentication techniques appropriately matched
to transaction risks. Specifically, it identified "high-risk
transactions involving access to customer information or the movement
of funds to other parties" as the scope of the affected areas.
Where risk assessments indicate that the use of single-factor authentication
is inadequate, financial institutions should implement multi-factor
authentication, layered security, or other controls reasonably calculated
to mitigate those risks.
The Federal Financial Institutions Examination
Council (FFIEC) is a government umbrella organization overseeing policy
for all regulated banking institutions. It consists of the Federal Reserve,
the FDIC, National Credit Union Administration, Comptroller of the Currency,
and the Office of Thrift Supervision. Through their regulatory
activities, these agencies direct virtually all consumer depository
activity in the U.S. VeriSign recommends the following steps to
comply with the latest guidance:
- Assess
the various business processes that may involve transfer of funds or
access to customer information to determine the risk profile. VeriSign’s
Global Security Consulting practice actively works with the banking
community and has been conducting risk and compliance assessments for
many years. This type of assessment would involve documentation
review and interviews, business and technology analysis, risk modeling,
and reporting.
- Provide
the appropriate level of identity verification and multi-factor authentication
corresponding to the risk profile. Formally evaluate the range
of different technologies and pilot as soon as possible to achieve compliance
by the end of 2006. VeriSign Unified Authentication is an open standards-based
two-factor authentication solution with support for existing database
protocols and flexible choice of second factor credentials. Work with
a VeriSign consultant to define your deployment strategy.
- Get involved
with industry groups like the Financial Services Technology Consortium
(FSTC) and Open AuTHentication (OATH) to develop the long term roadmap
and solutions. While two-factor authentication may be the answer to
compliance next year, to minimize your risks, continue to work with
industry leaders for strategies in fraud detection and a shared infrastructure
across networks.
http://www.ffiec.gov/pdf/authentication_guidance.pdf
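The one-time-password tokens behind the second recommendation, and the OATH work named in the third, rest on the HOTP algorithm: HMAC-SHA-1 over a moving counter, truncated to a short decimal code (RFC 4226). The Python below implements it together with the server-side checks a deployment needs, namely a look-ahead window for tokens whose counter has drifted ahead, replay prevention, and lock-out after repeated failures. It is an added example, not VeriSign Unified Authentication code and not OATH's reference implementation; the verifier class, the window and lock-out values are assumptions, and the secret is the RFC's published test key rather than a real credential.

```python
"""OATH HOTP (RFC 4226) with a server-side verifier handling counter drift,
replay and throttling. Added example, not code from the newsletter."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Per-user moving-counter state with a look-ahead window and lock-out.
    Window and lock-out sizes are assumptions for the example."""

    def __init__(self, look_ahead: int = 5, max_failures: int = 5):
        self.look_ahead = look_ahead
        self.max_failures = max_failures
        self._users = {}  # user -> [secret, next_counter, consecutive_failures]

    def enroll(self, user: str, secret: bytes) -> None:
        self._users[user] = [secret, 0, 0]

    def verify(self, user: str, code: str) -> bool:
        state = self._users.get(user)
        if state is None:
            return False
        secret, counter, failures = state
        if failures >= self.max_failures:
            return False  # locked: an out-of-band reset is required
        # Accept the current counter or a few ahead (token pressed without logging in).
        for candidate in range(counter, counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, candidate), code):
                state[1] = candidate + 1  # move past the used counter: the code cannot replay
                state[2] = 0
                return True
        state[2] += 1
        return False


# RFC 4226 Appendix D test secret (published vector, not a real credential).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = HotpVerifier()
    verifier.enroll("alice", RFC_SECRET)
    print(verifier.verify("alice", hotp(RFC_SECRET, 0)))  # True
    print(verifier.verify("alice", hotp(RFC_SECRET, 0)))  # False: replayed
```

Two points matter in production beyond what the block shows: the shared secret must be stored with the same care as a password database (it is equivalent to the token), and a code that matches far ahead of the expected counter should trigger a resynchronisation step that asks for two consecutive codes rather than being accepted on its own.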
New Data Security Laws Introduced
Amidst a new series of bills written in response to consumer information breaches, one stands out as holding data brokers more accountable. Rep. Clifford B. Stearns, Republican of Florida, introduced the Data Accountability and Trust Act, which proposes tough new regulations for data brokers. The bill would force companies handling consumer data to appoint a data security officer, draft explicit security policies and submit them to the Federal Trade Commission, offer consumers access to their own files, and create a procedure for correcting errors.
http://news.com.com/The+battle+to+shape+data+security+laws/2100-1029_3-5925763.html?tag=cd.top
Spyware Defined
The Anti-Spyware Coalition published two documents
that the group hopes will take the computer security industry a step
closer toward agreeing on a set of best practices for stopping spyware
invasion. The organization defines spyware and other unwanted technologies
as:
Technologies deployed without appropriate user
consent and/or implemented in ways that impair user control over:
- Material changes
that affect their user experience, privacy, or system security;
- Use of their system
resources, including what programs are installed on their computers;
and/or
- Collection, use,
and distribution of their personal or other sensitive information.
For more information, visit www.antispywarecoalition.org.
News from VeriSign
VeriSign and eBay Form Strategic Alliance
eBay, the largest online auction community, and VeriSign have entered into a strategic alliance. Under the terms of the agreements, PayPal, an eBay company, will acquire VeriSign's payment gateway business and combine it with PayPal's leading merchant services platform. VeriSign will also provide eBay and PayPal with a suite of security services that includes the deployment of two-factor authentication, which gives customers a one-time password or digital certificate to help protect against online identity theft.
Additionally, eBay agreed to deploy VeriSign
Unified Authentication to its user base. eBay will purchase up to one-million
two-factor authentication tokens from VeriSign to enable and protect
online transactions. “We’re thrilled to be working with VeriSign,”
says Rob Chesnut, senior vice president of trust and safety for eBay,
“and are proud to be one of the first e-commerce companies to give our
customers access to two-factor authentication.” http://www.verisign.com/press_releases/pr/page_035983.html
VeriSign Reports Q3 Results
VeriSign reported revenue of $415 million for the third quarter of 2005, a 28 percent increase compared to the same period of 2004. On a GAAP basis, VeriSign reported net income of $45 million for the third quarter of 2005 and earnings of $0.17 per diluted share. This compares with net income of $40 million and earnings of $0.16 per diluted share for the same period of 2004. http://www.verisign.com/static/036041.pdf
Ask a VeriSign Consultant
Each month, our highly experienced security
consultants share their expertise in an area of your concern. This month,
principal consultant Fred Langston addresses FFIEC compliance. Send
your questions to askverisignsecurity@verisign.com.
Risk-based Approach
Q: The FFIEC guidance on authenticating online
users talks about a risk-based approach. What does that mean?
A: The old saying "you don't need to meteorite-proof your car" refers to matching mitigation measures to the appropriate risk level. That holds true for information security. Financial institutions are subject to cross-regulation, cross-agency audits by federal banking examiners. Given their broad coverage yet specific focus, these audits are much different from your typical financial audits. Nevertheless, examiners, whether they are looking at authentication mechanisms or any of the other laundry list of items from monitoring to patch management, have to take into account business risk. What kind of data sits on the database? What assets does the firewall protect? In the FFIEC case, for example, if someone were to compromise a user name and password, what damage could be done? The fundamental purpose of a security audit on a financial institution is to identify areas where personal data is potentially unprotected. There are lots of other things that make up a banking environment besides the customer data, so the relative risk mitigated by a control, e.g., an authentication system, is proportional to how closely that control protects the personal financial data. For IT personnel, the FFIEC IT Examination Handbook is a good starting point, as most federal banking examiners use it.
This approach is similar to the way assessors
look at HIPAA for health care institutions. You do not need intrusion
detection on your printers unless that printer happens to store medical
records. The organization must assess whether the control is "reasonable
and appropriate" and is likely to protect Electronic Protected
Health Information (EPHI). If not, the entity must document why
it has chosen not to implement the control. The key words here
are “reasonable and appropriate.”
So does this create ambiguity and sometimes confusion? Yes. Is it consistent across regulations? No. Actually, what we've seen is that there is an inverse relationship between the specificity of the requirements and the amount of risk analysis required. Laws such as GLBA and Sarbanes-Oxley require more risk analysis, whereas standards such as the Payment Card Industry Data Security Standard are more specific about what to do and require less risk analysis. The key message here is that companies that perform effective risk assessments must identify where their critical assets and threats reside. Add to that a best-practices approach to information security using standards such as ISO 17799 and the Information Security Forum, and you should be able to make a good argument to management and auditors that the controls in place adequately reflect the risks posed to your critical assets. That's how you pass an audit.
Fred Langston, CISSP and VeriSign Principal Consultant, has over 15
years of professional information security experience working in environments
ranging from Fortune 50 multinational corporations to regional medical
centers, manufacturers, and service providers. Mr. Langston
has specialized in compliance and risk assessments since 1985. He holds
a B.S. from the University of Southern California and an M.S. from Eastern
Washington University.
Security Events
November 6-8, 2005
BITS Financial Services Outsourcing Conference
Washington, D.C.
November 9-10, 2005
Digital ID World
New York, NY
November 13-16, 2005
Computer Security Institute 32nd Annual Conference
Washington, D.C.
November 17-19, 2005
Financial Services ISAC
Boca Raton, FL