Debra Shinder WS Blog

Facebook employees’ laptops compromised

Think your users are too smart to fall victim to malware attacks? Think again. Even in a company like Facebook, where most of the employees are pretty technically astute, a sophisticated zero day attack that was based on a Java exploit recently rendered several laptops infected. According to reports, the same attack has impacted other companies, as well.

The Java bug that made the attack possible has been patched by Oracle in a Feb. 1 update, but this demonstrates that you should never assume anyone is safe from zero day threats. Read more here:

p://threatpost.com/en_us/blogs/facebook-says-employee-laptops-compromised-sophisticated-attack-021513

Is your company investing in the wrong security technologies?

According to a survey that was released earlier this week by SafeNet, over one third of security professionals think that’s the case with their organizations, and almost two-thirds have so little confidence in the measures that are being deployed that they expect to be the victims of a data breach within the next three years. The survey included 230 security pros in U.S. companies.

So what’s the biggest problem? Over half believe management just isn’t spending enough on security, while 35 percent said they aren’t confident that the right technologies are being used.

Read more of the survey results and what experts have to say about it, here:
http://news.idg.no/cw/art.cfm?id=59402812-EB8D-AA9A-CC8AE9B04986C2F6

This month’s Patch Tuesday was a big one

The second Tuesday of every month – Patch Tuesday – is a “hurry up and wait” day for me. Because I’m in the U.S. Central Standard Time zone, Microsoft’s security update release doesn’t occur until noon my time. Then I have to scramble to get my monthly summary of the patches for TechRepublic finished by the 3:00 p.m. deadline. So, like many corporate network admins, I hope for as few patches as possible (albeit for a different reason).
We didn’t get our wish this month. Instead, Microsoft delivered an early Valentine’s Day gift consisting of 12 security updates that address a whopping 57 vulnerabilities – most in Windows client and server operating systems and Internet Explorer. A few of the vulnerabilities affect every single currently supported version of Windows, from XP to RT and everything in between. Ouch.

For more information about the updates, check out my article here:
http://www.techrepublic.com/blog/window-on-windows/its-microsoft-patch-tuesday-february-2013/7249

Executive Order Imposes “Voluntary” (but Enforceable) Security Standards for Certain Networks

A presidential executive order that was signed Tuesday requires the establishment of security standards for certain “critical industries” computer networks within one year. The standards are said to be voluntary, yet “it left open the possibility that regulators may use their authority to enforce the standards.” It leaves me scratching my head and wondering how it’s voluntary if it’s going to be enforced by the government.

I also have to wonder about the provision calling for “greater sharing of cyberthreat information by the federal government with the private sector.” That sounds great. But – and you can call me a cynic – is it really going to be about the government sharing its information, or about requiring private companies to share their information with the government?

A former DHS official says “… most private sector actors will choose not to participate.” When that happens, will this “voluntary” program become mandatory? How long until it’s applied to all networks and not just those in “critical industries”? More to the point as far as IT pros are concerned, how long until network administrators are required to meet government-mandated standards, as well, and be licensed in order to practice their profession? Think it can’t happen? It certainly appears to me that we’re headed in that direction.

http://www.washingtonpost.com/world/national-security/obama-orders-voluntary-security-standards-for-critical-industries-computer-networks/2013/02/12/e1d0a586-755e-11e2-8f84-3e4b513b1a13_story.html

New Zero-Day threat affects Adobe Reader and Acrobat

According to reports yesterday and today, a new zero-day vulnerability has been discovered in Adobe’s Reader and Acrobat (version 11.0.1) PDF reading and creation products. FireEye, a security company, also reported that this vulnerability is being exploited in the wild already, so caution your users to be even more careful than usual when it comes to opening PDF files. There’s not a lot of information available yet about the exploit, but Adobe’s own blog says their security team is currently investigating.

http://nakedsecurity.sophos.com/2013/02/13/adobe-pdf-reader-zero-day/

Interview with Mark Russinovich

Tom spent the week in Redmond last week, while I held down the fort here at home. Squeezed in between all the meetings he had to attend, talks he had to give and other activities, he and Yuri Diogenes got the opportunity to interview Mark Russinovich for the “From End to Edge and Beyond” videocast that they do each month. It was a great episode, with Mark talking about cloud computing, cybercrime and his two technology-themed novels, Zero Day and Trojan Horse. It’s about 18 minutes long, so settle in and enjoy:

RSA 2013 coming up soon

Many security professionals will be headed to San Francisco at the end of February for the annual RSA Conference. This year’s theme is “Security in Knowledge” and there will be sessions about the usual topics: application security, cloud and virtualization, cryptography, data security, hackers/threats, risk and compliance, and so forth.

Using Google to find IT vulnerabilities

I ran across this interesting paper over on Dark Reading, about how hackers and attackers are currently using Google code search to find vulnerabilities in application code so they can exploit them. Of course, that’s nothing new, but according to the stats it’s experiencing a resurgence.
