Wednesday, October 15, 2008

Security policy being bypassed by employees, survey finds.


Many companies have security policies and procedures in place, but a recent survey found that employees are bypassing many of them, taking sensitive data home with very few protections.

In many cases, companies are struggling to find the right balance between strict security requirements and employee productivity as more employees work from home. Encryption and other security technologies are available, but some firms are accepting the risk, and some may be unaware that end users are taking customer data, personally identifiable information or company financial data home with them on laptops, smartphones and Universal Serial Bus (USB) flash drives.

RSA Security Inc., the Security Division of EMC Corp., conducted the survey, polling 417 individuals at separate conferences in April, May and June. 46% work in the financial services sector, 46% are IT professionals and 54% work in companies with more than 5,000 employees.

The survey found that 94% were familiar with their organizations' IT security policies, yet 53% felt the need to work around security policies in order to get their work done.

"There is a natural tradeoff between security, total cost of ownership and ease of use," said Sean Kline, director of product management in the identity access assurance group at RSA. "When you don't have a good balance between these things for particular populations of an organization, there's going to be a disharmony and they are going to try to resolve that by going around security."

Almost half of all respondents and 60% of those surveyed based in the U.S. said they frequently leave work with a laptop or mobile device which holds sensitive information related to their job. Although few reported losing a device holding sensitive information, the information is more than likely not encrypted, Kline said.

"Companies are encouraging employees to leave the office with sensitive information, the trick is how you put appropriate security controls in place so that's safe," he said.

Kline said some firms are using encryption and even business data rights management technologies to control access to business documents and ensure they can be rendered useless in the hands of a rogue employee or outsider. Other firms appear to be choosing to accept the risk instead of adding costly security controls.

Employees also sometimes send business documents to their personal email address so they can access them from home. Seventy-nine percent of those surveyed said they sometimes or frequently access business documents using their personal email address.

Security training and education is not being neglected at many organizations. Nearly 70% of those surveyed said they receive training about the importance of following security best practices.

Kline said there are best practices available to help companies find the right balance between security and productivity. The International Organization for Standardization (ISO) has a set of best practices in ISO 27002 that can aid companies in implementing or improving their information security programs, Kline said.

"It's important to first take an assessment of which information and which transactions around that information are of the highest value and then an assessment of what potential threats there are within the organization and then create policy around the risk of an event occurring," Kline said. "If you just jump to putting controls in place, that's where you have a problem."

You also risk IT security being seen as an obstacle to productivity. A study, done by research firm IDC on behalf of RSA, the Security Division of EMC, found that the majority of senior managers believe IT security risk is the largest single obstacle to innovation in their businesses.
Source: 
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1334613,00.html

Monday, October 13, 2008

Fake YouTube Pages Used To Spread Viruses!!!


Savvy Internet users know that downloading unsolicited computer programs is one of the most dangerous things you can do online. It puts you at great risk for a virus or another time bomb from a hacker.
But even some sophisticated surfers could get taken in by a sneaky new attack in which criminals create fake YouTube pages -- dead-on replicas of the real site -- to push their malicious software and make it look like it's safe stuff coming from a trusted source.

A program circulating online helps hackers build those fake pages. Users who follow an e-mail pointing them to one of the pages would see an error message that claims the video they want won't play without installing new software first. That error message includes a link the hacker has provided to a malicious program, which delivers a virus. Even worse: once the computer is infected, it's simple for the hacker to silently redirect the victims to a real YouTube page to see the videos they were hoping to see -- and hide the crime.

"It's spot-on accurate, and that is scary," said Jamz Yaneza, threat research manager for security software company Trend Micro Inc. "If I were watching YouTube videos all day I would probably click on this one."

The tactic itself isn't new: there's a constant push by criminals to build more convincing spoofs of legitimate sites to trick people into downloading harmful software. And the latest attacks don't target any vulnerability in the YouTube site. But it highlights the fact that criminals are getting better at creating bogus sites and developing so-called "social engineering" methods to fool people.

Fortunately, truly alert Internet users can still see the telltale warning signs with the fake YouTube pages. For one, the Web browser won't show the real YouTube's Internet address. And to even see the malicious page, you have to first follow a link that's sent to you, which is often a tip-off that you should independently verify whether the site is legitimate.
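The warning sign the article points to, the browser not showing the real YouTube address, can be turned into a check that runs on a link before anyone clicks it. The following is an added example, not code from the article or from Trend Micro; the trusted-site list, every URL in it and the two-label "registrable domain" guess are assumptions (the guess is wrong for suffixes like co.uk, where a public-suffix list is needed). It catches the three tricks attackers actually use to make a hostile address look like a trusted one: credentials before an "@", the trusted name placed at the front of a longer hostname, and one-character lookalikes.

```python
"""Classify a link from an e-mail against a short list of trusted sites.

Added example, not from the article. The trusted list and all URLs below are
constructed; taking the last two labels as the registrable domain is an
assumption that does not hold for public suffixes such as co.uk.
"""
from urllib.parse import urlsplit

TRUSTED = ("youtube.com",)


def edit_distance(a, b):
    """Levenshtein distance, used to catch 'y0utube.com'-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'untrusted'."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "untrusted", f"scheme {scheme!r} is not http(s)"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "untrusted", "no host name in URL"
    if parts.username is not None:
        # http://www.youtube.com@evil.example/ -- everything before '@' is a
        # username, not the site; the browser connects to evil.example.
        return "untrusted", f"credentials before '@' disguise the real host {host!r}"
    if not host.isascii():
        return "lookalike", f"non-ASCII host {host!r} (possible homograph)"
    for site in trusted:
        if host == site or host.endswith("." + site):
            return "trusted", f"{host!r} is {site!r} or a subdomain of it"
    for site in trusted:
        if site in host:  # youtube.com.evil.example, youtube.com-login.example
            return "lookalike", f"{host!r} embeds {site!r} but is not under it"
    registrable = ".".join(host.split(".")[-2:])
    for site in trusted:
        if edit_distance(registrable, site) <= 2:
            return "lookalike", f"{registrable!r} is within 2 edits of {site!r}"
    return "untrusted", f"{host!r} is not a trusted site"


if __name__ == "__main__":
    # Constructed sample links of the kinds seen in phishing mail
    for link in ("http://www.youtube.com/watch?v=abc123",
                 "http://www.youtube.com@evil.example/watch",
                 "http://youtube.com.evil.example/watch",
                 "http://y0utube.com/watch",
                 "http://evil.example/youtube.com/watch"):
        print(f"{link:45} -> {classify_link(link)}")
```

The order of the checks matters: the "@" test runs before any name matching, because `www.youtube.com@evil.example` contains the trusted name and would otherwise look like a lookalike rather than an outright hostile host.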

Saturday, October 11, 2008

Firefox Plug-In Updated To Fight Clickjacking Attacks

This information is based on my previous blog post, in which I mentioned 'Clickjacking'.

The NoScript plug-in for Mozilla's Firefox browser has been updated to guard against clickjacking, which security experts call one of the most dangerous problems on the Web. The well-known NoScript plug-in for Firefox is the first to be announced as a defense against clickjacking, but solutions are expected for other Web browsers.

For more info:

http://www.enterprise-security-today.com/story.xhtml?story_id=022000RB6N64

Web Surfers Face Dangerous New Threat: 'Clickjacking'

A new Web threat has been identified: clickjacking, which affects the Adobe Flash player and browsers such as Firefox, IE and Google Chrome. Clickjacking hides or overlays page elements so that Web users unknowingly click on something other than what they see, which can reveal private information or trigger actions on sites they are logged into. There are multiple variants of clickjacking; finding a solution to the clickjack threat will be challenging.

For more info:

http://www.enterprise-security-today.com/story.xhtml?story_id=62355
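NoScript protects the client; the durable fix is for the site itself to refuse to be framed, which browsers now honour through two response headers. The following is an added example, not code from the article, from NoScript or from any browser vendor: it evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers the way current browsers do, so a tester can tell whether a given page can still be loaded inside an attacker's frame. The URLs and header sets are constructed; the CSP matcher ignores paths in host sources, and ALLOW-FROM is treated as no protection because current browsers ignore it (both simplifications are assumptions stated in the code).

```python
"""Decide whether a page can be framed by another origin from its response headers.

Added example, not from the article or NoScript. Implements the two server-side
controls browsers honour: CSP frame-ancestors (takes precedence) and
X-Frame-Options DENY/SAMEORIGIN. Assumptions: host-source paths are ignored and
ALLOW-FROM, which current browsers ignore, counts as no protection.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORT.get(scheme))


def header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the policy lacks it."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:] or ["'none'"]  # a bare directive matches nothing
    return None


def source_matches(src, framer, page):
    """Does one frame-ancestors source expression admit the framer origin?"""
    s = src.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return framer == page
    if s == "*":
        return True
    if s.endswith(":") and "/" not in s:  # scheme-source such as "https:"
        return framer[0] == s[:-1]
    scheme, hostport = s.split("://", 1) if "://" in s else ("", s)
    host, _, port = hostport.split("/", 1)[0].partition(":")
    if scheme and scheme != framer[0]:
        return False
    if not scheme and not (framer[0] == page[0] or (page[0], framer[0]) == ("http", "https")):
        return False
    if host.startswith("*."):
        if not framer[1].endswith(host[1:]):  # "*.partner.example" needs a real subdomain
            return False
    elif framer[1] != host:
        return False
    if port == "*":
        return True
    expected = int(port) if port else DEFAULT_PORT.get(scheme or framer[0])
    return framer[2] == expected


def can_be_framed(headers, page_url, framer_url):
    """True if a browser would let framer_url embed page_url given these headers."""
    page, framer = origin(page_url), origin(framer_url)
    csp = header(headers, "Content-Security-Policy")
    sources = frame_ancestors(csp) if csp else None
    if sources is not None:  # CSP wins when both headers are present
        return any(source_matches(s, framer, page) for s in sources)
    xfo = (header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True  # absent, ALLOW-FROM or malformed: no protection


if __name__ == "__main__":
    # Constructed responses from a hypothetical banking page and an attacker's frame
    PAGE, ATTACKER = "https://bank.example/transfer", "https://evil.example/clickjack.html"
    for label, hdrs in [("no headers", {}),
                        ("XFO", {"X-Frame-Options": "SAMEORIGIN"}),
                        ("CSP", {"Content-Security-Policy":
                                 "frame-ancestors 'self' https://*.partner.example"})]:
        print(f"{label:10} framable by attacker: {can_be_framed(hdrs, PAGE, ATTACKER)}")
```

Two details trip up real audits: a malformed or multi-valued X-Frame-Options header is ignored by browsers, so it leaves the page framable, and a wildcard host source such as `https://*.partner.example` does not admit the bare `partner.example` origin.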


11 Microsoft Security Updates Due Next Week

Next week will be a busy one for system administrators as Microsoft is planning to ship 11 security updates -- four of them rated critical -- for its products.

The patches will include fixes for critical security bugs in Windows Active Directory, Internet Explorer, Excel, and the Microsoft Host Integration Server, which integrates Windows computers with IBM mainframes, Microsoft said Thursday in a note on the patches.

The critical Active Directory bug affects Microsoft Windows 2000 Server, but not other versions of Windows, Microsoft said. The Excel bug affects both Windows and Mac OS X versions of the product.

There will also be six less-critical updates, rated "important" by Microsoft, for Windows, and a "moderate" patch for Office. All of these updates are expected around 10 a.m. Pacific time on Tuesday.

Despite the large number of patches, Microsoft hopes that customers will be a little more secure than usual next week. That's because the October Patch Tuesday will mark the debut of two Microsoft security initiatives: the Microsoft Active Protections Program (MAPP) and something called the Exploitability Index.

The MAPP program gives security vendors an edge on writing protection against new attacks by offering them an early peek at the bugs that Microsoft will be patching each month. The program is designed to help Microsoft's security partners avoid a mad scramble as they figure out how attackers might exploit the latest Microsoft flaws. October marks the first time that companies have been given this early information.

The Exploitability Index should make it easier for customers to decide which patches to install first by giving Windows users a better idea of which bugs Microsoft finds most worrying. The index, which will be published with Microsoft's security bulletins next week, will separate the flaws that will simply cause a system crash from more serious bugs that could be used to give attackers control of a victim's machine.

The vulnerabilities listed in Microsoft's bulletins will be rated as "Consistent Exploit Code Likely," "Inconsistent Exploit Code Likely," or "Functioning Exploit Code Unlikely."

Friday, October 10, 2008

Metasploit 3.2 Offers More 'Evil Deeds'

TORONTO -- Hacking into systems (albeit for testing purposes) is apparently getting easier with the upcoming open source Metasploit 3.2 framework, according to its creator.
During a packed presentation at the SecTor conference here yesterday, Metasploit creator H. D. Moore detailed some of the new features in the upcoming Metasploit 3.2 release. They include names such as Browser AutoPwn, Metasploit in the Middle and the Evil Wireless Access Point.
"For http we do a whole bunch of evil things to a browser," Moore said, addressing an audience of security and networking professionals from sectors such as government and leading corporations. Many attend the conference in order to stay up to date on vulnerability assessments and how hackers exploit networks.
Metasploit is an open source attack framework first developed by Moore in 2003. With the Metasploit 3.0 release, the project moved to an all-Ruby code base, which Moore credits with speeding up development of both the framework and its exploits.
Take the context-map payload feature, which encodes attack shellcode. Moore claimed that the new feature will make attack code even more difficult to detect.
Getting attack code onto a target machine will also be easier in Metasploit 3.2, with improvements to the raw packet tools. A new library called PacketFu is expected by Moore to provide packet injection for both wired and wireless endpoints.
It also provides improved support for exploiting multi-core CPU machines, which had been more difficult to attack with previous versions of Metasploit.
Metasploit is also able to take exploit code and weaponize it as an .EXE (executable file) that can be deployed by an attacker. Moore said the EXE template used to build these executables has been improved in Metasploit 3.2 in order to defeat antivirus vendors' signature detection.
Moore boasted that he is using the same resources that the anti-virus vendors are using to identify virus signatures to ensure that the Metasploit EXE template is not identified.
If that wasn't enough, Metasploit 3.2 will include a new super weapon that will make exploiting browsers a trivial matter. The new Browser Autopwn feature is a client-side automatic attack system that fires exploits against a user's browser without operator intervention, with the goal of obtaining a shell on the victim's machine through the browser.
Man-in-the-middle attacks are also addressed in the package's features. Moore explained that the Metasploit in the Middle feature puts the attack framework between users and their intended destination. The man-in-the-middle approach could be used to spoof DNS or to create a fake access point.
"It will abuse the HTTP security model, stealing cookies and saved form data," Moore said.
And if that's not enough to give security researchers a taste of the latest developments in security vulnerabilities, there is the Evil Wireless Access Point feature. Moore said it can create an access point that supplants all other access points around it. Adding insult to evil, it has the ability to spoof any access point that is already on a user's preferred access point list. Browsers beware.
Last but certainly not least in this testing culture, Moore announced that Metasploit 3.2 now has full IPv6 support.
"The US Government has a mandate for IPv6 support, so there is at least one target there for you," Moore said.
Let the testing begin.

Thursday, October 9, 2008

The most vulnerable device in the network

I was browsing some sites to come out of my boring life in Chennai... and I found someone online discussing the most vulnerable device in the network. Yes, it was the router... and those guys came up with a few notes mentioning risks and hardening actions that can prevent an attacker from being successful.
I felt it was interesting and thought of sharing it with you guys....
Main Risks
The most obvious risk associated with a compromised or disabled router is that all communications forwarded by it will be disrupted, but there are others that are less obvious:
Use routers to attack internal systems:
Taking control of a router allows attackers to bypass intrusion detection or prevention systems (depending on network architecture) and to reach restricted networks without being logged.
Use routers to attack external sites:
Launching attacks on other networks from a compromised router makes them very hard to trace back to the attacker.
Reroute all traffic entering and leaving the network:
An attacker can use a compromised router to send traffic along a different path, where it can be captured or modified.
Some important actions that can harden a router and increase security:
Implement Access Control
Every person who accesses a router must use their own username and password, and the password must not be easy to guess. It is also important to enforce password encryption (on Cisco IOS, 'service password-encryption' plus hashed 'enable secret' and 'username ... secret' entries rather than reversible 'password' entries).
Implement Authorization Control
Every person should be able to execute only the limited set of commands related to their job (per-command authorization through AAA, for example TACACS+).
Secure Remote Administration:
Some routers only allow remote administration over insecure protocols such as Telnet, so it is important to restrict it with ACLs. Other options are to allow access only from the console port (not always possible), or to implement an SSH gateway so that all users must log in to the SSH gateway and then jump to the router. Where the router supports SSH, allow only SSH on the VTY lines and disable Telnet entirely.
Configure Warning Banners:
It is important to use banners to show that the IT department monitors all activity. The banner should be legally sufficient for prosecution of malicious users, shield administrators from liability, and not leak information (no hostnames, model numbers or software versions).
Disable Unnecessary Protocols (if they're not used):
Such as unneeded ICMP message types (redirects, unreachables, mask replies; do not block all ICMP, since path MTU discovery depends on it), source routing, finger, the HTTP management server, Proxy ARP, etc.
Improve SNMP Security:
It is important to restrict SNMP access to the router with ACLs and to avoid the default "public" and "private" community strings; read-write communities should be removed unless genuinely needed. Many routers are open simply because of SNMP default configurations. Implement SNMPv3 with authentication and privacy, or at least v2c with ACLs.
NTP
Configure NTP for time synchronization (it's important for log analysis and event correlation).
Logging
Deploy an effective logging policy that allows security administrators to monitor events and track down intruders; send logs to a remote syslog host so that an attacker who gains access to the router cannot erase them.
Deploy an Event Correlation Solution
It's important to use an event correlation solution that helps the SOC/NOC team identify attackers who are trying to compromise a router. This is a powerful tool because it makes it possible to cross-reference router logs with IPS logs, firewall logs and others to identify threats that can't be identified from a single source.
Use Restrictive ACLs
To protect the router itself from unauthorized external access (administration, routing protocol exchanges, monitoring, etc.).
Implement Routing Security
Routing protocols like OSPF, BGP, IS-IS, etc. have their own security best practices (neighbor authentication, prefix filters), so it's important to have them in place if you use those protocols.
Deploy IPS Systems
Sometimes you can deploy an IPS in front of a router (there is a lot of controversy about this) with specific signatures to protect the router itself. If the situation allows it and you have the budget, why not?
Create an Incident Response Plan
Some steps that must be considered when creating a plan: determine whether the incident is an attack or an accident; discover what happened; preserve the evidence; recover from the incident; identify root causes and manage or mitigate them to prevent a recurrence.
Enforce Physical Security
It is also important to restrict access to the device itself to prevent physical attacks or accidents (like someone breaking a network interface).
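Most items in the list above correspond to specific lines in a router configuration, so they can be checked mechanically against a saved running-config instead of by eye. The following is an added example, not from the post or the discussion it summarizes: it audits a Cisco IOS-style configuration for access control, command authorization, unnecessary services, SNMP, NTP, logging, banners, VTY access, proxy ARP and routing-protocol authentication. WEAK_CONFIG and HARDENED_CONFIG are constructed (the hashes, addresses and ACL names are placeholders), and the checks are a simplification of IOS semantics, an assumption rather than a vendor baseline.

```python
"""Audit an IOS-style running-config against the hardening list above.
Added example, not from the post. Both configs are constructed: one weak,
one hardened. The checks simplify IOS semantics (assumption)."""
import re

WEAK_CONFIG = """\
enable password cisco123
username admin password 0 admin123
ip http server
snmp-server community public RO
snmp-server community private RW
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
router bgp 64500
 neighbor 203.0.113.2 remote-as 64501
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$constructedhash0000000000
username admin secret 5 $1$salt$constructedhash0000000000
aaa new-model
aaa authorization commands 15 default group tacacs+ local
no ip source-route
no ip http server
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
snmp-server group NETMON v3 priv access MGMT
ntp server 10.0.0.5
logging host 10.0.0.6
banner login ^C Authorized use only. Activity is monitored. ^C
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip proxy-arp
router ospf 1
 area 0 authentication message-digest
 network 10.0.0.0 0.255.255.255 area 0
router bgp 64500
 neighbor 203.0.113.2 remote-as 64501
 neighbor 203.0.113.2 password 7 0822455D0A16
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_sections(config):
    """Map each top-level command to its indented sub-commands (IOS layout)."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return [(severity, message)] for each hardening item the config misses."""
    sections = parse_sections(config)
    top, findings = list(sections), []

    def has(pattern):
        return any(re.match(pattern, line) for line in top)

    def need(ok, severity, message):
        if not ok:
            findings.append((severity, message))

    # Access control and authorization control
    need(has(r"service password-encryption"), "medium", "service password-encryption is off")
    need(has(r"enable secret "), "high", "no 'enable secret' (an 'enable password' is reversible)")
    need(not has(r"username \S+ password "), "high", "local users use 'password' instead of 'secret'")
    need(has(r"aaa new-model"), "medium", "AAA disabled: no per-user authentication")
    need(has(r"aaa authorization commands "), "medium", "no per-command authorization")
    # Unnecessary services, NTP, logging, banner
    need(not has(r"ip http server$"), "high", "HTTP management interface enabled")
    need(has(r"no ip source-route"), "low", "IP source routing not disabled")
    need(has(r"ntp server "), "low", "no NTP server: log timestamps cannot be correlated")
    need(has(r"logging host "), "medium", "no remote syslog host")
    need(has(r"banner (login|motd) "), "low", "no warning banner")
    # SNMP: default or unrestricted communities, writes, no SNMPv3
    comms = [m for m in (re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?", l)
                         for l in top) if m]
    for m in comms:
        name, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if name.lower() in ("public", "private"):
            findings.append(("critical", f"default SNMP community '{name}' ({mode})"))
        elif acl is None:
            findings.append(("high", f"SNMP community '{name}' has no access-list"))
        if mode == "RW":
            findings.append(("high", f"SNMP community '{name}' allows writes"))
    need(not comms or has(r"snmp-server group \S+ v3 priv"), "medium", "SNMPv1/v2c only: move to SNMPv3 auth+priv")
    # Per-section checks: remote administration, proxy ARP, routing-protocol authentication
    for header, body in sections.items():
        if header.startswith("line vty"):
            transport = next((l for l in body if l.startswith("transport input")), "transport input all")
            need("telnet" not in transport and not transport.endswith(" all"), "high", f"{header}: Telnet allowed")
            need(any(l.startswith("access-class") for l in body), "medium", f"{header}: no access-class ACL")
        elif header.startswith("interface "):
            need("no ip proxy-arp" in body, "low", f"{header}: proxy ARP enabled")
        elif header.startswith("router ospf"):
            need(any(l.startswith("area") and "authentication" in l for l in body),
                 "medium", f"{header}: no area authentication")
        elif header.startswith("router bgp"):
            for l in body:
                m = re.match(r"neighbor (\S+) remote-as", l)
                if m and not any(x.startswith(f"neighbor {m.group(1)} password") for x in body):
                    findings.append(("medium", f"{header}: neighbor {m.group(1)} has no MD5 password"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


if __name__ == "__main__":
    for severity, message in audit(WEAK_CONFIG):
        print(f"[{severity}] {message}")
```

Running it on WEAK_CONFIG lists the default SNMP communities first, then the reversible enable password, the Telnet-enabled VTY and the unauthenticated OSPF and BGP sessions; HARDENED_CONFIG produces no findings. A real deployment would feed it the output of `show running-config` from every router and diff the findings over time, since an attacker who gains access usually leaves a new community string or user behind.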

It's true... even I noticed it when I do my penetration testing activities...
Conclusion
A router is a very important device (if not the most important one), and many companies do not put appropriate controls in place. It's important for administrators to be aware that if they do not change this quickly, sooner or later they'll find themselves facing a compromised router.