nCircle Blog

January 27, 2012

A Continuous Monitoring Webinar

Jim Acquaviva and I provided a different take on continuous monitoring in a webinar last week. While lots of agencies are doing continuous monitoring of one kind or another, the subset of those agencies that are effective in using continuous monitoring to effect dramatic risk reduction is… small at best.

This new webinar can provide insight into several successful federal implementations of continuous monitoring, detailing four key practices that are driving real organizational change. Listen in to this webinar recording to find out how these key practices can improve your security program, understand their relationship to metrics and benchmarking and how nCircle Benchmark can provide the foundation for dramatic improvements in your security posture.


January 26, 2012

Get pcAnywhere Off Your Network Now

Yesterday Symantec issued a security advisory for pcAnywhere users, asking them to delete or disable the product immediately until it releases a set of updates that resolve the currently known vulnerabilities.

Users of pcAnywhere may be at risk because of the theft of Symantec source code in 2006. Attackers have had plenty of time to study the code for vulnerabilities that could let them remotely access pcAnywhere installations. If attackers successfully exploit vulnerabilities in the code, it could give them unprecedented access to corporate networks around the world.

According to Symantec's security advisory, "All pcAnywhere 12.0, 12.1, and 12.5 customers are at increased risk, as well as customers using prior versions of the product."

The remote-access software runs on Windows, Mac OS X, Linux, and the PocketPC platform. Symantec's pcAnywhere has also been bundled with numerous other products from Symantec and other partners.

In addition, Symantec said, "A remote access component of pcAnywhere, called the pcAnywhere Thin Host, is also bundled with a number of Symantec backup and security products."

nCircle customers can easily identify every system running pcAnywhere or pcAnywhere Thin Host on their network with IP360 or our new, cloud-based network security scanner PureCloud.

Forewarned is forearmed. Scan now; make sure your network is protected.


Pure Cash with PureCloud

Calling all IT solution providers, resellers and online communities! nCircle recently announced PureCloud, our revolutionary new cloud-based scanning service, and it's been pulling in rave reviews from our customers and the industry.

Now it's time for partners to get in on PureCloud! To make it easy for our partners to promote this new offering, we've developed a complete online, click-through referral service that earns cash for every customer that makes a PureCloud purchase from your referral. As a referral partner you receive 10% of the initial referral purchase of either a PureCloud detailed scan report or an annual PureCloud subscription.

This new program makes it simple and easy for anyone with an online presence to make money with PureCloud. It literally takes minutes to sign up and you can track all your referrals and commissions online.

Referral partners have access to a wide range of marketing content designed to make it easy to immediately promote referrals through websites and social media. There are no commitments or minimums, so referral partners can get started monetizing their customer base and web presence instantly.

nCircle provides everything you need to get started. All you need to do is sign up here, get your code and start linking!


January 24, 2012

It's 10 p.m., Do You Know Where Your Source Code Is?


Last week a hacker by the name of 'Tama Tough' claimed he was going to release the full source code for Symantec Corp's flagship product, Norton Antivirus software. With open-source software, all the source code is always available for everyone to see, but in this case Tama Tough was threatening to disclose the commercial closed source code.

The ramifications of this threat, especially since there is an implied disclosure of source code, were huge. For example:
- If the code was published, any secrets in the code could have become a problem for Symantec
- Access to source code means cyber criminals could add malicious code and compile it into a product that mimics the look and feel of the original but is designed to do a number of very bad things that are almost impossible for end users to detect. (Beware of buying software from anything other than a trusted source, because the deal will not be a good deal for you.)
- The raw logic of the program would have been exposed and, given this knowledge, an expert would probably find new kinds of vulnerabilities

Even though the disclosure didn't happen, the security implications of an intellectual property breach are enormous. This threat is a wake-up call for everyone: when was the last time you reviewed your source code security protection?

If it's been a while, here are a few questions to help you get started:

- Do you know every single place this source code exists, both in operation and in backups?
- What safeguards do you have in place to protect your source code, and how would you know if it was taken?
- If your source code was stolen, what is the plan to keep the business operational and your customers safe?
- Finally, do you have a plan to manage the crisis of public perception an event like this could cause, considering the 24x7 news cycle and social communication channels?

If you don't have clear, specific answers to all of these questions, you have just been put on notice. Symantec just reminded all of us that it's time to revisit the security protection around intellectual property. If you've got that under control, spend some time looking at business continuity and crisis communication plans to make sure they include this scenario and involve the support, sales, marketing and legal teams.

This is a tabletop exercise you really need to work into your schedule in the near future. It is the type of event that requires a companywide response and the more prepared you are, the better chance you have of containing the damage.

The problem with being a successful business is that you become more attractive to a better class of cyber criminals. It's the classic good news / bad news problem. The good news is that your intellectual property is recognized as having significant value. The bad news is that now you are attracting the attention of more sophisticated cyber criminals.

Be proactive and be the hero and leader when this type of event happens; be reactive and be the goat. Your move.


January 23, 2012

New Continuous Monitoring Webinar

A key security initiative for government agencies is the implementation of continuous monitoring. nCircle's new webinar can provide insight into agency implementations of continuous monitoring and detail the four key practices agencies are using to drive dramatic improvements in their security posture.

Listen to Jim Acquaviva and Keren Cummins discuss the relationship between continuous monitoring best practices, metrics and benchmarking, and how nCircle Benchmark can provide the foundation for dramatic improvements in your security posture.

You can find the webinar here.


January 18, 2012

Streufert Leaves State for DHS

A very interesting development this week for you fans of continuous monitoring: John Streufert is taking on the role of Director at the National Cybersecurity Division of DHS. This appears to be part of the administration's ongoing efforts to strengthen DHS' role in cybersecurity.

Almost everyone with an interest in continuous monitoring, security scorecards, the Consensus Audit Guidelines, or related concerns in the federal IT security space, is aware of John Streufert's seminal work as the CISO of the US Department of State. As a result of his consistent, timely, clear and actionable presentation of security risks, engaging not just IT but program and mission executives, State recorded a 90% reduction in risk across the organization in the first year, and the program has continued to evolve and improve.

Other programs based on this and similar approaches have been extremely successful in driving the changes in organizational behavior that are necessary to achieve really dramatic risk reduction. In the federal space, examples include the Centers for Medicare/Medicaid Services (CMS) and the US Agency for International Development (USAID). Commercially, services like nCircle Benchmark are premised on many of the same principles.

John's new role provides him with a broader stage, and I for one am looking forward to seeing what will be coming from NCSD - the State Department’s loss, but a gain for the rest of us.


SOPA / PIPA Won't Stop Online Piracy

It's stop SOPA day across the Internet. Listen to Episode 26 of our Security Slice podcast and hear Andrew Storms and Tim 'TK' Keanini discuss the flawed thinking behind SOPA.


January 17, 2012

Free PureCloud Scan for Five IPs in Spiceworks

We've got a great promotion in Spiceworks. Scan up to five IPs with nCircle PureCloud and get complete vulnerability reports, a $225 value. You can find more information here.

But hurry, this offer is only good through January 31.


Not-For-Profit also means Not-For-Loss


So here's the deal: just because you are a non-profit organization doesn't mean you don't have to be concerned with the threats on the Internet. Last I checked, not-for-profit also means not-for-loss. In fact, as a non-profit you may be a more attractive target for some kinds of attackers, especially 'hacktivists', if they believe your organization is 'bad'.

For example, earlier in 2011, PBS was the victim of a LulzSec attack. You can read about the drama connected with the attack, but the point I'm making is that your business model and its relative level of altruism doesn't affect the security or insecurity of your computer systems.

While this may sound completely obvious, all too often I hear something like, 'Oh, I don't really have to lock those systems down because there is nothing on them to steal'.

Here's the problem with that line of reasoning: even if you have nothing to steal in terms of information, the systems and applications they run can be attacked, controlled and then used for criminal purposes. Your computers and computer network can be used as a weapon by the bad guys.

In fact, it's very common for organized crime to compromise as many connected computer systems as they possibly can. Once they get them all under remote control, the bad guys wait for the perfect time and then use thousands of compromised computers to pull off a distributed denial of service attack on a targeted business. If the attacked company pays the attackers a fee, they will stop the attack. It's a very common form of cyber extortion.

If I were a non-profit, I would do a quick scan with PureCloud just to see where my security stands. There's no excuse for lousy security anymore: if you are able to shop online, you have the skills to run PureCloud. And, at the very least, you will know if you have a security problem that you need to address.

Everyone should scan their networks and secure their systems, not just the ones with confidential information on them.

Take security seriously; your business and the entire Internet will thank you.


January 12, 2012

Application Interaction: Friend or Foe

There are two words that I fear more than any other, and I imagine the same is true for most other vendors. Those magical two words that send shivers down the spines of support staff and make grown engineers cry... 'Application Interaction'. The term, used to describe a potential negative impact that one product may inadvertently have on another, is often seen as a "Red Alert, Battlestations" type of scenario. You see, when you develop a product that's designed to identify vulnerabilities, you become more familiar with this term than most other software vendors. The problem is that 99% of the time, the issue isn't yours to fix, and "Application Interaction" becomes a thinly veiled way of saying "Vulnerability Discovery". Even though we know what's going on, the nature of the term and the thoughts associated with it lead vendors to squirrel the term away, and the real problem is never discussed.

So why do I consider "Application Interaction" to really mean "Vulnerability Discovery", especially in the context of vulnerability management? Imagine an attacker sending packets to remote systems and causing those remote systems to hang or crash. That would be defined as a Denial of Service and, since we're talking about a remote service, even Microsoft would issue a patch and call it a vulnerability. The problem is that small and/or specialty vendors (like SCADA solution providers) don't always see it that way: their programs start to crash and they tell the customer that the "scanner" is the issue. However, as you can see, "scanner" and "attacker" could be used interchangeably in the sentence above. Of course, everyone aims to be non-invasive and no one purposely releases code that will crash a service, but it happens; it's a fact of life that we need to live with. The question is how we deal with this, and the answer should be to urge the software developer to issue a patch.

Let's consider the most popular example: printer crashes. The TCP/IP stack in most printers is notoriously fragile (googling for 'port scan printer crash' will demonstrate this), and everyone in the industry is aware of it. Yet printer vendors will point you toward the other vendor involved, because nobody wants to rewrite code.

A recent example that I encountered involved some fairly important software for a very important company. The software would crash when scanned; yet when you connected to the software via telnet or netcat, it was fine. We did some fairly extensive testing and discovered something interesting: the software (remember how important it is) would only crash if the source port was greater than 32767. Now, when you are using your computer and connect to another device, the ephemeral port is often below 32767, and that was the case here. However, when you're connecting to thousands of ports across potentially thousands of hosts, it's quite easy for your source port to be higher than 32767. This is exactly what was happening: connect with a source port of 32768 or greater, and the service would crash. We'd done everything we could as a company to be non-invasive, yet a programming flaw in the other application led to an integer being signed instead of unsigned, limiting the port range from a maximum of 65535 to 32767. We were able to work with the vendor in this case, and they fixed the flaw and released an update. When considering this scenario, keep in mind how important this software was... we cannot forget how dangerous a denial of service in critical software is.
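The signed-port flaw described above, as an added illustration in C (not the vendor's code and not nCircle's): it assumes the service stored the source port in a signed 16-bit variable and used it to index a per-port session table, which is a reconstruction of the bug class, not the actual code; the TCP header bytes are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

#define PORT_SLOTS 65536   /* one session slot per possible source port */

/* Constructed sample TCP header prefixes (not from the post):
 * source port 0x8000 = 32768 (first value that crashed the service) and
 * source port 0x7FFF = 32767 (last value that worked); dest port 23. */
static const uint8_t SAMPLE_HDR_32768[4] = { 0x80, 0x00, 0x00, 0x17 };
static const uint8_t SAMPLE_HDR_32767[4] = { 0x7F, 0xFF, 0x00, 0x17 };

/* Assumed reconstruction of the flaw: the 16-bit port is kept in a signed
 * type, so 32768..65535 wrap to negative values (sign-extended to int). */
static int slot_index_flawed(const uint8_t *hdr) {
    int16_t port = (int16_t)((hdr[0] << 8) | hdr[1]);
    return port;           /* -32768 for source port 32768 */
}

/* Corrected parse: ports are unsigned 16-bit, full range 0..65535. */
static int slot_index_fixed(const uint8_t *hdr) {
    uint16_t port = (uint16_t)((hdr[0] << 8) | hdr[1]);
    return port;           /* 32768 for source port 32768 */
}

/* Defensive bounds check a service should apply before indexing any table
 * with a value taken from the wire: 1 if usable, 0 if out of range. */
static int slot_index_ok(int idx) {
    return idx >= 0 && idx < PORT_SLOTS;
}

/* Handle one header with the chosen parser. Returns 1 on success, 0 when
 * the index is rejected; the original service, lacking the check, would
 * have used the negative index and crashed instead. */
static int handle(const uint8_t *hdr, int (*parse)(const uint8_t *)) {
    static int sessions[PORT_SLOTS];
    int idx = parse(hdr);
    if (!slot_index_ok(idx))
        return 0;
    sessions[idx]++;
    return 1;
}

int main(void) {
    printf("src 32767, flawed parse: %d\n", handle(SAMPLE_HDR_32767, slot_index_flawed));
    printf("src 32768, flawed parse: %d\n", handle(SAMPLE_HDR_32768, slot_index_flawed));
    printf("src 32768, fixed parse:  %d\n", handle(SAMPLE_HDR_32768, slot_index_fixed));
    return 0;
}
```

The bounds check is the detection point: a single rejected packet from a high ephemeral port is the symptom to look for when a scanner is blamed for a crash.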

So the next time you encounter an "Application Interaction", work with your vendors and help your vendors work together; the odds are that the product causing the interaction has found a 0-day in the other application and, ultimately, that's a good thing. The flaw is identified internally, rather than being exploited by a malicious attacker. A fix can be developed and quickly tested with the two vendors working together. The most important thing to keep in mind is that your security solution, the product you pay for to keep you secure, is doing its job and, at that point, possibly exceeding your expectations. You may even end up with a CVE credited to you, and there's nothing wrong with that.

