
Wednesday, March 31, 2010

Patch Released to Remediate More Day Zero Exploits for Internet Explorer

A critical cumulative security update for MS Internet Explorer was released yesterday (March 30) as noted in security bulletin MS10-018. This patch deals with 10 (count 'em, TEN) additional vulnerabilities within the browser, 9 previously undisclosed and one that was made public. The one known vulnerability is specifically for IE 6 & 7, although the patch in general is advised for IE 5.01 through 8, and while MS rates this security patch as "moderate" for IE 8 on servers, why would you take a chance these days?

What are the Risks?
The known vulnerability for older versions of IE, referred to by the Common Vulnerabilities and Exposures group as CVE-2010-0806, was first described in an earlier Microsoft Security Advisory and could allow remote code execution; as for the impact of the rest of the undisclosed vulnerabilities, Microsoft states the following:

"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Recommended Actions
Microsoft rates this patch from important to critical, depending on your desktop version of the browser. If you are leveraging automatic updating, this patch will get pushed to your end-users' desktop systems; if you manage your updates, be aware of this one and take the actions you judge as appropriate for your organisation to ensure servers & desktops using Internet Explorer are protected.

What Next?
This security flaw in the browser's code once again seems to be oriented around risks arising from phishing-type attacks. IT managers and IT security professionals have to take this into account when assessing the risk level and the possible next steps. Applying the patch is a given; as for changing the default browser used in your organisation, I'd be surprised if you weren't already considering that, but there are usually many ramifications, including end-user training and the impact on your most commonly used sites and applications.

Let's face it, for most of us there's just no getting away from IE completely.
This also brings forward the considerations around the social engineering side of the issue and how much of that we can control by managing where our users can go to on the Internet, and caching/pre-qualifying sites before users first access them.

In the meantime we contain what we can by educating our users, protecting the network as best we can without crippling the users, and staying as well informed as we are able. Hang on folks, this is going to continue to be a bumpy ride; hopefully I and other like-minded professionals can keep you educated on what is happening beneath the hype.

Friday, March 26, 2010

Five Top IT Security Trends for 2010

#1 Antiviral Products Move Away from Local Signatures
With the rate at which variants of viruses, trojans, and other attacks are appearing (approx. 50,000 per day), signature-based AV tools just can't keep up without bogging down the systems on your corporate network. So what are the AV companies doing to deal with this?

The leading AV companies are making a shift to where only a small subset of signatures are downloaded to your PC/network. The bulk of the testing happens "in the cloud" where the AV companies use cloud-based technologies to identify threats and note sites/exploits that need to be blocked and send that info to your AV clients.

The philosophy behind this is that there are basically two types of attacks: social engineering (downloads, phishing, etc.) and computer attacks (an exploit is involved; it identifies and exploits a vulnerability pre-existing in your computer). The theory is that the client only needs to worry about protecting against the vulnerabilities if the vendor is effectively blacklisting the social engineering risks dynamically via its cloud-based work.

#2 Increased Use of Application Whitelisting
The concept of whitelisting is that you block everything except a concise list of sites, addresses, or ports you wish to allow access to. This technology is being led by companies like Bit9, who have been working in this area for some time. It is not a good fit for home users or for desktops in large organisations, because keeping the list up to date is a nightmare, but it is a great tool for appliance-like technologies such as ATMs or any other purpose-driven system. It is also worthy of consideration for use on servers.
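To make the deny-by-default idea concrete, here is an added example (not code from the post or from any whitelisting vendor) of the core of a content-hash application allowlist of the kind used on appliances. The "binaries", the file paths and the approved baseline are all constructed for the example. It shows the two properties the paragraph turns on: renaming or copying an approved file does not change its hash, so it is still allowed, while a legitimate new version of an approved program is blocked until the list is updated, which is exactly the maintenance burden that makes the approach awkward on general-purpose desktops.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for executable file contents (not real binaries).
SAMPLE_BINARIES: Dict[str, bytes] = {
    "atm_ui_v1": b"ATM user interface build 1.0",
    "card_reader_v1": b"card reader service build 1.0",
    "atm_ui_v2": b"ATM user interface build 2.0",  # legitimate update, not yet approved
    "unknown_tool": b"something copied onto the box by hand",
}


def sha256_hex(content: bytes) -> str:
    """Hash the file content: the allowlist keys on what the file is, not on what it is called."""
    return hashlib.sha256(content).hexdigest()


def build_allowlist(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Map content hash -> label for every approved binary. Everything else is implicitly denied."""
    return {sha256_hex(content): label for label, content in approved.items()}


def execution_decision(path: str, content: bytes, allowlist: Dict[str, str]) -> Tuple[bool, str]:
    """Deny-by-default: allow only if the file's hash is on the list; return the decision plus an audit line."""
    digest = sha256_hex(content)
    label = allowlist.get(digest)
    if label is not None:
        return True, f"ALLOW {path}: matches approved '{label}'"
    return False, f"DENY {path}: sha256 {digest[:16]}... not on allowlist"


def enforce(attempts: List[Tuple[str, bytes]], allowlist: Dict[str, str]) -> List[Tuple[str, bool, str]]:
    """Evaluate a batch of execution attempts and return (path, allowed, audit line) for each."""
    return [(path, *execution_decision(path, content, allowlist)) for path, content in attempts]


# The approved baseline for the appliance: only the two components that shipped with it.
ALLOWLIST = build_allowlist({k: SAMPLE_BINARIES[k] for k in ("atm_ui_v1", "card_reader_v1")})

# Constructed execution attempts: approved binary, the same binary renamed, a newer version, a stray tool.
ATTEMPTS: List[Tuple[str, bytes]] = [
    (r"C:\atm\ui.exe", SAMPLE_BINARIES["atm_ui_v1"]),
    (r"C:\temp\totally_legit.exe", SAMPLE_BINARIES["atm_ui_v1"]),  # rename does not change the hash
    (r"C:\atm\ui.exe", SAMPLE_BINARIES["atm_ui_v2"]),               # blocked until the list is updated
    (r"C:\temp\tool.exe", SAMPLE_BINARIES["unknown_tool"]),
]

if __name__ == "__main__":
    for _, _, line in enforce(ATTEMPTS, ALLOWLIST):
        print(line)
```

Running it prints ALLOW for the first two attempts and DENY for the last two. The audit line on every decision matters as much as the block itself: on an appliance the DENY entries are the change-control signal that either something unexpected landed on the box or the approved baseline needs a new entry.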

#3 Enhancements in Firewall Rule Optimisation
More and more IT managers are finding that they are struggling to keep pace with the rate of change they must apply to their firewall rules. This process also leads to omissions and redundancies in the firewall rules and ACLs. Firewall vendors and third parties have been releasing tools like Skybox's Firewall Compliance Auditor that go beyond simply optimising your rules for increased efficiency and now also check that the rules meet compliance requirements.
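The "redundancies" mentioned above are something you can check for yourself before buying a tool. The following added example (not the post's code and not related to Skybox's product) audits an ordered, first-match rule base and reports two classic defects: a later rule whose match set is entirely covered by an earlier rule with the same action (redundant, safe to delete) and one covered by an earlier rule with the opposite action (shadowed, meaning the later rule's intent was silently lost). The rule format and the sample rule base are constructed; it only checks single-rule coverage, not a later rule hidden by the union of several earlier ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    proto: str               # "tcp", "udp" or "any"
    dports: Tuple[int, int]  # inclusive destination port range; (0, 65535) means any
    action: str              # "allow" or "deny"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that would match b also matches a (b's match set is a subset of a's)."""
    if a.proto != "any" and a.proto != b.proto:
        return False
    if not (a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1]):
        return False
    return _net(b.src).subnet_of(_net(a.src)) and _net(b.dst).subnet_of(_net(a.dst))


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Under first-match evaluation, report rules that can never fire because an earlier rule covers them.

    Returns (finding, rule, earlier_rule): 'redundant' when both rules have the same action,
    'shadowed' when the actions differ.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.name, earlier.name))
                break  # one explanation per rule is enough
    return findings


# Constructed sample rule base using private address ranges; not a real network.
SAMPLE_RULES = [
    Rule("allow-web", "any", "10.0.1.0/24", "tcp", (80, 80), "allow"),
    Rule("deny-all-telnet", "any", "any", "tcp", (23, 23), "deny"),
    Rule("allow-web-host", "any", "10.0.1.10/32", "tcp", (80, 80), "allow"),            # redundant
    Rule("allow-admin-telnet", "10.0.2.0/24", "10.0.1.0/24", "tcp", (23, 23), "allow"),  # shadowed
    Rule("allow-dns", "any", "10.0.1.53/32", "udp", (53, 53), "allow"),
    Rule("deny-any", "any", "any", "any", (0, 65535), "deny"),
]

if __name__ == "__main__":
    for kind, rule, earlier in audit(SAMPLE_RULES):
        print(f"{kind:9} {rule} never fires because of {earlier}")
```

The shadowed finding is the one that matters for security: whoever added "allow-admin-telnet" below the blanket deny believed admin telnet was open, and a change made on that assumption (or a ticket closed as "done") is wrong. The redundant finding is the efficiency case the paragraph describes: it costs a lookup on every packet and one more line for the next person to misread.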

#4 Increased Social Engineering via Social Media
Social Media sites like Facebook, LinkedIn, and others are continuing to become rampant hunting grounds for cyber-crooks, whether they are associated with organized crime or just script kiddies.

Creative cyber villains will continue finding new ways to exploit people they consider high-value targets. This doesn't necessarily mean wealthy people; it means a combination of the "low-hanging fruit" (the people who put a lot of information about themselves and their employers out on the Internet) and people who can be identified as working in organisations that are targeted for attack.


#5 Continual Evolution in Regulatory Compliance
Last on the list but certainly not least, this rounds off the important topics in computer security for 2010. Regulatory compliance continues to be a pressing topic for the leaders of our various organisations and therefore also for IT managers. As an IT manager, there are some key things that compliance should mean to us:
  • audits & audit trails in place & working
  • documentation showing current state of network & security (i.e.: configuration management)
  • change management processes in place & operating
  • clear understanding (& documentation) outlining key business risks and how those risks are managed

For more in-depth analysis of these topics please contact itManageCast for a copy of the whitepaper titled "Top IT Security Trends for 2010."

Impact of Operation Aurora on IT Managers

The IT community is still talking about APT attacks, the fall-out of Operation Aurora, and organised malicious attacks and exploits. There's a lot of information and opinion out there, but the root question for most IT managers (and more so for the executives/shareholders they ultimately answer to) is "what does this mean to my organisation?"

How do you quickly assess the impact to your organisation? What is your level of risk?

The starting point is to have a non-commercial, objective understanding of what all this discussion is about, and to understand the scope and impact outside of the fear factor associated with someone trying to sell you something.

What Was Operation Aurora?
Operation Aurora was a specific organised type of APT (advanced persistent threat) attack that targeted intellectual property held by Google, and was also reported to have targeted up to 34 other organisations. The true target was suspected to be the email accounts of Chinese political dissidents on the GMail servers, and while aspects of the attack were reported as successful, the true scope of what information was actually captured has not been completely divulged to my knowledge.

The exploited code was a zero-day HTML object memory vulnerability in Internet Explorer (Microsoft Security Advisory 979352), which allowed a trojan to be installed on the compromised computer; the trojan would then contact command & control servers (located in Illinois, Texas, and Taiwan) over an SSL connection. The compromised system receives commands from the c&c servers and also uploads data that it has collected. That data primarily consists of information about other machines within the protected network in which it resides that are also susceptible to the exploit, plus any private intellectual property. In particular, it appears that a target of this aspect of the exploit was the content of source code repositories. The vulnerability exploited is known as Hydraq and has been identified by most major AV & computer security organisations, including Symantec.

What is the Risk Now?
Since the exploit is now known, you as an IT manager have all the tools at hand to remediate the exploit on your computers. If your users do not use Microsoft Internet Explorer, you've done some serious mitigation right there. Once the patch from MS is applied you've removed the risk for this particular trojan; if you have not applied the patch in your environment, you are still at risk. Further, any infected systems must be cleaned. If you have systems currently infected, it may be very difficult to catch the infection purely by firewall means, as the systems communicate out to the c&c servers using a well-known port. However, most of your end-user systems shouldn't be making SSL calls out through the firewall, so that should be a good clue.
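The "good clue" in the last sentence can be turned into a simple detection pass over firewall logs. Here is an added example (not the post's code, and not tied to any particular firewall product): it parses a constructed log format, keeps only permitted TCP connections on port 443 whose source is in the end-user desktop range and whose destination is not the one host desktops are supposed to reach for web traffic (a corporate proxy, assumed for the example), and then counts source/destination pairs so that a single desktop repeatedly reaching one outside host stands out. The address ranges, the proxy address and the log lines are all constructed.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed environment: where the end-user desktops live, and the one host they are expected
# to talk TLS to (a corporate web proxy, assumed for this example).
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
APPROVED_TLS_DESTS = {ipaddress.ip_address("10.10.0.5")}
TLS_PORT = 443

# Constructed firewall log lines in a simple "timestamp action proto src:port -> dst:port" shape.
SAMPLE_LOG = """\
2010-03-02T10:15:01 ALLOW TCP 10.10.5.23:51234 -> 10.10.0.5:443
2010-03-02T10:15:07 ALLOW TCP 10.10.5.23:51235 -> 203.0.113.45:443
2010-03-02T10:16:30 ALLOW TCP 10.10.7.8:52001 -> 198.51.100.20:80
2010-03-02T10:17:02 ALLOW TCP 10.20.1.9:44000 -> 203.0.113.45:443
2010-03-02T10:18:45 DENY TCP 10.10.9.4:53000 -> 192.0.2.77:443
2010-03-02T10:20:07 ALLOW TCP 10.10.5.23:51240 -> 203.0.113.45:443
2010-03-02T10:25:07 ALLOW TCP 10.10.5.23:51251 -> 203.0.113.45:443
"""

LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into typed fields; reject anything that does not fit the expected shape."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}


def is_workstation(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in WORKSTATION_NETS)


def find_suspect_tls(log_text: str) -> List[Dict[str, object]]:
    """Permitted TLS connections from a desktop to anything other than the approved proxy."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if (ev["action"] == "ALLOW" and ev["proto"] == "TCP" and ev["dport"] == TLS_PORT
                and is_workstation(ev["src"]) and ev["dst"] not in APPROVED_TLS_DESTS):
            hits.append(ev)
    return hits


def summarise(hits: List[Dict[str, object]]) -> Dict[Tuple[str, str], int]:
    """Count (src, dst) pairs; one desktop repeatedly reaching one outside host is what to look at."""
    return dict(Counter((str(h["src"]), str(h["dst"])) for h in hits))


if __name__ == "__main__":
    for (src, dst), n in summarise(find_suspect_tls(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{TLS_PORT} allowed {n} times")
```

On the sample data only 10.10.5.23 is reported: its connection to the proxy is expected, the connection from the 10.20.x server range is outside the desktop population, the port 80 line is not TLS, and the DENY line was already blocked. The point is the one the paragraph makes: port 443 itself cannot be blocked, so the signal has to come from who is talking, not which port they use.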

Tuesday, March 23, 2010

Securing the Network Perimeter with Open Source & Common Sense

A few years ago, I was consulting at a large high-tech multinational on a network management project when I learned how they were protecting their network using almost entirely open-source tools and common-sense methods. I had seen (and applied) the same process on a smaller scale at significantly smaller customer sites, where we didn't have the pockets to buy all the latest and greatest tool sets from the leading network security and management vendors, but I had never seen the solution truly scale.

Needless to say, I was impressed. It stuck in my mind, and as recent events have brought me back into researching network security trends, methods, and tools, the first thoughts I have been exploring are best practices for maximising security while minimising cost and resource impact.

Tuesday, March 16, 2010

Olympic Calibre Team-Building

A key part to a successful Olympics is having the various teams that need to work together functioning smoothly, and supportive of each other. During my stint with the 2010 Olympics I observed a variety of different team-building approaches, and also brought my own style to the table.
There can be times in the events world - like any other high-paced occupation - where the stress levels get very near or hit the breaking point for people, so the team-building, trust, and communications all being in place BEFORE that time is a crucial element of success.
Team-building should be viewed as a way to build that trust relationship within teams and between teams, as well as to learn to understand the different communication styles, personalities, motivators, and stressors of each person in the team. Team-building should not just be about the fun and game-playing (although that is what will draw people in and keep their interest); everyone should walk away having learned something about themselves and each other in one or more of the categories I described.

Throughout my Olympic experience I was involved in, led, and observed several different styles of team building. It varied from formal workforce-led (read: HR) exercises for the management teams to impromptu celebrations and subtly motivational sessions by small groups/teams before and during the Olympics themselves.

One of the leaders who reported to me who I observed being really good at this aspect was my Telecom Manager. I learned a great deal from observing how he interacted with his team of very diverse skills & personalities, and kept everyone functioning to what appeared from a manager's point of view as a well-oiled machine of motivated and focused people. He used a variety of techniques but the number one thing I noticed was how he would always make things seem like they were grass-roots sessions, and the team always wanted to be involved. It never came across as formal or mandatory, yet was always well organised and everyone who participated had fun and knowingly or not, walked away having learned more about each other and how to work successfully together.

Depending on your level of leadership within an organisation, coming up with and leading these sessions can be a challenging task, and one of the keys to making it easier, I have learned, is to be open and receptive (and to have the team learn that you ARE that way) to ideas for activities to do together. Then take those ideas and find ways to wrap the subtle learnings around them without making it a formal knowledge-transfer situation. The first couple will always be a little tough, especially with a new team or a team that is already having challenges. But if your motives are transparent and sincere, people will eventually buy in. Few people like to miss out on fun stuff at work.

Also, think about the connections and resources available through your work and personal networks, and how you can leverage those to bring the team together for fun activities. A small example of this from my Olympic experience was arranging for our Technical Rehearsal Helpdesk Team and officials to get together, impromptu, when we had completed the last day's work during our TR2 sessions in December, and getting snowmobile rides for a group picture in front of the newly placed Olympic Rings on Cypress Mountain. This was arranged by asking favours from my friends in the Sport Operations team, and it made a huge impact on the team. Not everyone can use such a specific example, obviously, but it's the idea behind it that counts. You reward the team for working their butts off for you, but share that experience with others outside of the immediate team to show that you trust and value them, and that you don't feel the need to keep them sheltered away from the rest of the organisation.

So build your team Olympic style: think big, be open to and solicit creative suggestions from your team, interact beyond the immediate teams to share the corporate culture, and take risks to have some fun and build trust. That's the key to open communication.

Monday, March 15, 2010

Post-Olympic Updates

So you may have noticed that the many posts I had during the Olympics regarding progress, technology, and other assorted items all disappeared. The organisation I was working for asked me not to blog in such a level of detail about products used for VANOC operations, and out of respect for my current employer at the time, I removed all the blog entries.

That all said, I won't mention the specific product or manufacturer, but will resume posting about my experiences as Venue Technology Manager for the ever-challenging Freestyle Ski & Snowboard venue of Cypress Mountain.

While the Olympic Games have concluded (and Cypress got a special mention from John Furlong as the most challenging venue of the 2010 Winter Games), the Paralympic Winter Games are currently underway; but this go-round there are no adaptive Snowboard events, so we've shut down the Olympic venue services at Cypress and the Logistics & Overlay teams are cleaning up after everyone else. The Telecom team (Bell contractors & subcontractors) who reported to me pre/during/post Games are also on-site removing cabling & telecom services from temporary & permanent spaces at the request of the Cypress ownership & management.

And this puts me back to the job-hunt, reflecting on the incredible experiences I shared with the VANOC teams I worked with & led to make this project so successful, and looking forward to my next interesting challenges. After thoughtfully declining an offer to go to London to participate as a Technology Manager in the 2012 Summer games there, I'm looking at my options locally in Vancouver and environs and figuring out where to press my skills & personality into service next.

But in the meantime, how did everything pull together at Cypress to end up being one of the most successful medalling venues for Canadians in history?

Top of the list would be teamwork; teamwork between myself, my fellow A/VTMs at Cypress, my fantastic Telecom manager & his relentless team, and my dedicated and energetic results teams. Second would be the sense of enthusiasm from everyone which helped us get through some very long days (read: days/nights), and lastly would be a sense of humour... those three things were essential to get through days when you start to question "what are we doing here" as the rain poured down in rivers and the snow disappeared around us.