

January 2009 Archives

January 19, 2009

Protecting Your Enterprise from Conficker

Over the last several days there have been many news reports regarding the size and spread of the Conficker worm.

Note: updated on 1/21/09 to include information from US CERT on AutoRun. See below.

The Knowns

  • We know that the malware infects computers not yet patched with Microsoft MS08-067.
  • We know that the worm is also spreading via removable media devices and is being helped by Windows Autorun.
  • We know that with nCircle products, you can detect the vulnerability and mitigate the risk on your enterprise network.

    Risk Detection

    nCircle IP360 customers have had the ability to detect this vulnerability since the release of ASPL-270, delivered on Oct. 23, 2008 in accordance with our 24 hour Microsoft SLA. The vulnerability is named "MS08-067: Microsoft Windows Server Service RPC Handling Remote Code Execution". Using IP360, customers can easily discover hosts across their enterprises that lack the Microsoft patch. (Hint: Use Focus and search for "MS08-067")

    [Image: IP360-MS08-067.png]

    Risk Mitigation
    Public reports indicate that the Conficker worm has already made its way inside enterprise networks. On January 16th 2009, F-Secure estimated over 8.9 million hosts were infected with the worm. In addition to detecting unpatched hosts, enterprises should also be using centrally managed configurations to help mitigate the risk. We know that the malware has also been spreading via removable media devices: when an infected device moves from computer to computer, the malware launches automatically because of Microsoft's Autorun feature. Sound advice, even when a worm is not on the loose, is to disable Autorun. nCircle customers using Configuration Compliance Manager are able to centrally determine which endpoints lack this configuration directive.

    Setting the Policy Using Group Policy Management

    Open your favorite group policy management tool and navigate to the AutoPlay Policies section. For Windows Vista, the settings can be found under: "Computer Configuration / Policies / Windows Components / AutoPlay Policies". The two policies to investigate are named "Default Behavior for AutoRun" and "Do not execute Autorun commands".

    [Image: DefaultAutoRunBehavior.png]

    [Image: TurnOffAutoPlay.png]


    Using Configuration Compliance Manager

    A number of published standard configurations recommend disabling AutoPlay, and most are already bundled with Configuration Compliance Manager. In this example, I will reference the Common Configuration Enumeration for the AutoPlay settings. CCE-44 states that AutoPlay shall be disabled for all drive types. From within the Configuration Compliance Manager, this setting is named "Disable Autorun for all drives".

    [Image: CCE-44.png]


    Finally, customers using nCircle Suite360 Security Intelligence Hub have the opportunity to aggregate the findings from all nCircle products to deliver an executive dashboard displaying their current enterprise risk.

    [Image: SIH-mitigated-and-risk.png]

    Update 1/21/09

    According to a US CERT technical advisory posted on 1/20/09, Microsoft's documented guidance for disabling AutoRun is not completely effective. The advisory states:

    Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.
    The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF "disables Autoplay on all types of drives." Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
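    As an added example (not from the original post and not part of any nCircle product), the following PowerShell script audits, read-only, the registry values that the two Group Policy settings above write and that the US CERT note discusses. It assumes the standard policy locations NoDriveTypeAutoRun (written by "Turn off AutoPlay") and NoAutorun (written by "Default Behavior for AutoRun") under Policies\Explorer, and checks the CCE-44 expectation that AutoPlay is disabled for all drive types.

```powershell
# Added example: audit AutoRun/AutoPlay policy values on the local host.
# Read-only; reports findings and does not modify the registry.
# Assumed locations: the Policies\Explorer key under HKLM (machine policy)
# and HKCU (user policy), values NoDriveTypeAutoRun and NoAutorun.

$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userPolicy    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-AutoRunPolicy {
    $findings = @()

    # "Turn off AutoPlay" on all drives: NoDriveTypeAutoRun = 0xFF (255), CCE-44.
    $machineDrives = Get-PolicyDword $machinePolicy 'NoDriveTypeAutoRun'
    if ($machineDrives -ne 0xFF) {
        $findings += "HKLM NoDriveTypeAutoRun is '$machineDrives'; expected 0xFF (all drive types)"
    }
    # A per-user value that is set but not 0xFF is worth reporting too.
    $userDrives = Get-PolicyDword $userPolicy 'NoDriveTypeAutoRun'
    if (($null -ne $userDrives) -and ($userDrives -ne 0xFF)) {
        $findings += "HKCU NoDriveTypeAutoRun is '$userDrives'; expected 0xFF or not set"
    }

    # "Default Behavior for AutoRun: Do not execute any autorun commands": NoAutorun = 1.
    $noAutorun = Get-PolicyDword $machinePolicy 'NoAutorun'
    if ($noAutorun -ne 1) {
        $findings += "NoAutorun is '$noAutorun'; expected 1 (do not execute Autorun commands)"
    }

    # Caveat from the US CERT note: even with NoDriveTypeAutoRun = 0xFF, Windows may
    # still run Autorun.inf commands when a user clicks the device icon in Explorer,
    # so a "Compliant" result here is necessary but not sufficient.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-AutoRunPolicy | Format-List
```

Run it through your management tooling across the estate to produce the same "which endpoints lack this directive" view the post describes, then treat non-compliant hosts as candidates for the Group Policy settings above.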


January 23, 2009

Heartland Payment Systems; how long and how deep?

[Image: storm.jpg]

Economists now embrace the concept of a recession. Information security professionals embrace the breach. As pragmatism takes a larger stage in Washington, security professionals have already come to understand the truth. Security breaches have occurred, still occur each day and will continue to occur. The questions that both economists and security professionals have become more concerned with are the same: how long and how deep?

Heartland Payment Systems represents the next institution in need of a bailout. According to news reports quoting Robert Baldwin, the president and CFO for credit card processing giant Heartland Payment Systems, the full magnitude of the breach is yet to be known. The company that reportedly handles 100 million credit card transactions each month only became aware of a problem when Visa and MasterCard alerted them to possible fraudulent behavior last fall. Between last fall and January 2009, Heartland's internal review failed to turn up anything suspicious. The case required another outside entity, a forensic investigator, to uncover the breach.

Those affected will most certainly number tens of thousands and could easily reach tens of millions. While the potential compromise of the Heartland breach is daunting, the bigger issue at hand is that discovery required outside entities, namely MasterCard and Visa, to alert Heartland to a pattern of fraudulent transactions. The tragedy of this data breach is that even after these alerts a company that processes 100 million transactions a month couldn't find the problem. Finding the breach point required the skills of an outside forensic investigator.

The questions that remain today continue to diminish our trust in American financial systems. In the same way we question why the SEC failed to recognize the underhanded activities of the Bernie Madoff Ponzi scheme, everyone today is questioning how solid IT operations are at Heartland. System integrity, change management and monitoring are fundamental and foundational building blocks of any infrastructure.

This is no small or medium size business that could defend its failures by cowering behind a lack of experience, skills or resources. Many well-performing products are available on the market today to perform system integrity monitoring. A basic email alert to an IT systems administrator could have done much to dam the flow. At about 3 million transactions a day, even a 24-hour response time would have protected millions of people.

Tragically, many Americans already in financial turmoil will soon bear even greater risks.

I have no ill will toward Heartland for being breached; I question their most basic IT security system integrity. How can it be that a company with an audacious responsibility of this magnitude was not aware that their systems were compromised? And furthermore, be unable to locate the breach once alerted? It's not the breach that matters, it's the scale and the scope of the breach that makes me ill.

* Image, "A Brewing Storm - Cloudy Sky", by me

January 26, 2009

Special One Time Offer: 5 Steps to Accepting a Data Breach

Have the security break-ins at Heartland, TJX and Twitter got you in the doldrums?
Has the pre-inauguration high dwindled into a post-event reality of getting back to work?
Cold weather, gas prices, home sales, Bernie Madoff: it's nothing but bad news.

I have the answer for you: start planning for your own security break-in today.

  • Stop focusing your attention on the news.
  • Stop hoping for a rosy future.
  • Go back to your office and work on something productive.
  • Develop your company's strategic vision to accepting the inevitable data breach and make yourself the next hero.

Not interested, not convinced, don't know where to start?

Consider this: Privacy Rights Clearinghouse, an independent non-profit, says that 251 million data records of US residents have been exposed due to security breaches since January 2005. That's over 80% of the US population in the last three years. It's certain your personal records have been compromised. If your business hasn't been breached, it won't be long.

Enjoy receiving new credit cards every week?
Enjoy receiving free credit monitoring?
Feel like a high roller receiving every phish, virus and credit card application available?

Do your part to stimulate the bank economy.

  • Today only, you can receive my 5 award winning steps to tackling those doldrums and launch yourself into a world of high stakes visionaries.

Grab a pen and paper, and I will share with you my exclusive, secret, step-by-step program to accepting your own data breach. With these 5 simple steps, you will look like the most visionary person in business.
Join the ranks of the most discussed companies in news outlets everywhere. Soon enough, your company will have its own Facebook page and blogs everywhere will be filled with discourse on your company policy and tactics. Your company name will jump to the top on Google searches.


5 Step Data Breach Readiness Program

Step 1. Buy your employees credit monitoring now. Sell it as a perk. Have HR include it in their benefit handouts. Retail price for a year of credit monitoring is less than $200. Compare that $200 with some other perks like childcare, training or hybrid car credits and executives will find it a good value for both company and employee.

Step 2. Since you never know when disaster might strike, you can offset your liability now with a cyber insurance policy. Buy security insurance and make your executives' offshore shill company the beneficiary. Protect your bottom line and invest in your future simultaneously. Having a good insurance policy may also permit you to relax your IT security budget. Your over-caffeinated IT guys are full of it anyway. They don't need new tools or education. Accepting the inevitability of a breach allows you to shift today's dollars into profit centers that will shore up those bad investments you made last year.

Step 3. Admit failure before it happens. Change your company-wide privacy policy to openly discuss the real possibility of failure. While your public face says you are doing your best to protect the company assets and the private data of employees, provide an internal honesty statement: "We know you are required to provide us with your private information and we will try to keep it secure, but there will probably be a time in the future when your data is accidentally lost or stolen."

Step 4. Develop a security failure crisis communications strategy now. Those silly IT incident plans include pages of technical jargon, why not have the PR team develop their own nonsensical apologetic statements ahead of time? While you are at it, offer a prepaid bonus to a lower level employee for taking the fall when that security incident happens. When the time comes, make sure news cameras tape them walking out of the office with a box of personal possessions and their head covered with a jacket.

Step 5. Embrace the foreign fiend.
All security breaches at good hard-working American companies should be blamed on some imaginary hacker from a foreign country. East Asian and Eastern European countries are the most fashionable at the moment. Be smart and go with the flow, but be sure the country you select has no extradition agreement with the US.

For today only, I am offering you a generous gift of the sixth secret step to my complete package guaranteed to bring you peaceful nights and worry free days.

Step 6. Register your breach domain now.
2008breach.com was snapped up in a hurry. Grab yours now before some cyber-squatter cyber criminal tries to claim your future.


For my complete list and full step-by-step program to ensure total peace of mind, please follow these simple directions.

Send copies of all your credit cards, social security card and drivers license to:

I Want to Live in Infamy
55 No Place St.
Some Town, USA

Or call now, 1 800-Data-Breach! Operators are standing by!

About January 2009

This page contains all entries posted to Sync in January 2009. They are listed from oldest to newest.
