Enterprise Application Whitelisting
Posted on Tue, Feb 02, 2010
Why didn't existing security software stop the Operation Aurora attacks from using a Microsoft IE zero-day vulnerability to break into multiple high-profile technology companies? Is it that this level of malware sophistication has never been seen before?
Dennis Blair, the US Director of National Intelligence, testified today before Congress and called these attacks a "Cyber Pearl Harbor." Read the story in the New York Times by Mark Mazzetti here.
"Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication," he said.
As zero-day attacks proliferate, antivirus vendors have begun blocking websites and adding intrusion-prevention features aimed at stopping malware before it runs, and even before it has been identified. The problem is that new security features are typically developed and promoted only in response to attacks like Operation Aurora and the Hydraq Trojan it delivered. Organizations and AV vendors appreciate the need for proactive IT security, but if action is taken post-breach, the damage is already done.
Comprehensive layered defenses against cyber threats have been announced as the "new" methodology for preventing zero-day and targeted attacks, but proactive prevention is not new. Application whitelisting, which Bit9 has offered since 2002, is one such proactive control, and many more companies are beginning to offer it.
Gartner analyst Neil MacDonald just wrote in his blog that: "whitelisting at the endpoints would have stopped these attacks."
Application whitelisting delivers prevention rather than reaction: it establishes a list of known, approved applications, devices and files and halts execution of everything else. We've tailored whitelisting for organizations across industry verticals, from government and finance to retail and healthcare. So when AV vendors respond to new attacks with new features, keep in mind that it is reaction, not prevention, that distinguishes their approach.
Posted on Thu, Jan 07, 2010
Bit9's annual report on the Top Vulnerable Applications for 2009 found that Adobe Acrobat, Flash Player, Reader and Shockwave carried a high risk of arbitrary code execution, memory corruption and application crashes. Also rated highly vulnerable in NIST's National Vulnerability Database for 2009 were Apple QuickTime, Mozilla Firefox, Opera, RealPlayer, Sun Java and Trillian.
Microsoft's IE 6 and 7 received an "honorable mention" for a zero-day exploit that went unpatched for a period in August. All of the applications on the list require end users to manually patch or upgrade the software to eliminate the vulnerabilities, and all are extremely common on work and home PCs.
Should enterprises use these apps? If it makes sense for the business, of course they should. Most businesses would find it hard not to use Adobe PDF, for instance. And yet just today, the SANS Institute's Internet Storm Center (ISC) reported receiving samples of a new rigged PDF document that hijacks PCs using a bug Adobe acknowledged on Dec. 14. See Gregg Keizer's story in Computerworld today. So if enterprises do use these apps, they need to put monitoring and controls in place to protect the business.
Enterprise IT organizations that are not monitoring their endpoints have no reliable way to ensure that patches for these applications have actually been applied. We encourage organizations to monitor the applications their end users run so that they know, first, what is running and, second, that it has been patched to a fixed version. And in the case of zero-day attacks, for which no patch or fix yet exists, IT needs compensating controls in place.
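As an added illustration of the check this implies, here is a small audit written in Python; it is not Bit9's code. It assumes the endpoint inventory can be exported as "host,application,version" lines (the rows below are constructed) and that IT maintains a table of minimum patched versions taken from vendor advisories (the versions below are hypothetical, not real advisory data). An application with no baseline entry is reported as well, because patch state cannot be asserted for software nobody is tracking.

```python
"""Patch-state audit over an endpoint software inventory.

Added example, not Bit9's code. Inventory rows and minimum versions are
constructed/hypothetical stand-ins for a real export and real advisories.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample inventory: what is actually installed on each endpoint.
INVENTORY_CSV = """host,application,version
ws-001,Adobe Reader,9.2.0
ws-001,Adobe Flash Player,10.0.32.18
ws-002,Adobe Reader,9.3.0
ws-002,Mozilla Firefox,3.5.7
ws-003,Adobe Reader,8.1.7
ws-003,Trillian,3.1.12
ws-004,Sun Java,1.6.0_17
"""

# Hypothetical minimum patched versions; in practice derived from vendor advisories.
MIN_PATCHED: Dict[str, str] = {
    "Adobe Reader": "9.3.0",
    "Adobe Flash Player": "10.0.42.34",
    "Mozilla Firefox": "3.5.7",
    "Sun Java": "1.6.0_18",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.42.34' or '1.6.0_17' into a tuple of ints so versions compare in order,
    not as strings (where '9.10' would sort below '9.9')."""
    return tuple(int(part) for part in text.replace("_", ".").split("."))


def is_patched(installed: str, minimum: str) -> bool:
    """True when the installed version is at least the minimum patched version."""
    return parse_version(installed) >= parse_version(minimum)


def audit(inventory_csv: str, minimums: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Classify every inventory row.

    Returns {"unpatched": [(host, app, version), ...], "unknown": [...]}. "unknown"
    means the application has no baseline at all, which is itself a finding.
    """
    report: Dict[str, List[Tuple[str, str, str]]] = {"unpatched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, app, installed = row["host"], row["application"], row["version"]
        minimum = minimums.get(app)
        if minimum is None:
            report["unknown"].append((host, app, installed))
        elif not is_patched(installed, minimum):
            report["unpatched"].append((host, app, installed))
    return report


if __name__ == "__main__":
    for kind, rows in audit(INVENTORY_CSV, MIN_PATCHED).items():
        for host, app, version in rows:
            print(f"{kind:9} {host:8} {app:20} {version}")
```

On the constructed data this flags Adobe Reader on ws-001 and ws-003, Flash Player on ws-001 and Sun Java on ws-004 as unpatched, and Trillian on ws-003 as untracked. Feeding it a real inventory export is the only change needed to run it against production.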
Organizations that take a layered approach can best protect themselves with visibility across endpoints, a centralized patch-management process, and application whitelisting to prevent the use of unauthorized and potentially malicious software. To read the report, click here.
Posted on Wed, Nov 04, 2009
In an InfoWorld product review of application whitelisting solutions, Bit9 Parity was named the #1 application whitelisting solution. Described as the "clear frontrunner" among competitors, Bit9 received an overall score of 9.4 out of 10 in an analysis weighing effectiveness, coverage, administration, reporting and value across key application whitelisting vendors.
Not only is this the highest score that Roger A. Grimes, the InfoWorld reviewer, has ever given; he goes on to say that Bit9 Parity's ability to rate individual file and overall risk "not only raises it above the other products in this review, but above most computer security products in general."

The review is a testament to Bit9's solutions. Bit9 Parity's visibility and control capabilities have proven it to be the application whitelisting solution to have. Congratulations Bit9 Parity!
Read the articles: Test Center Review: Whitelisting Security Offers Salvation, and Application Whitelisting Review: Bit9 Parity Suite
Posted on Tue, Aug 25, 2009
SANS and Bit9 are hosting a web seminar this coming Thursday, August 27, 2009. Sign up here.
Here is the seminar description:
Learn how organizations can eliminate malware and close the security gap that leaves our nation’s infrastructure vulnerable; join us for this web seminar featuring Chris Brenton, SANS Instructor, Security Consultant and founding member of the initial Honeynet Project. Chris's presentation "Stopping Tomorrow's Cyber Attacks Today" will answer:
- What makes a system vulnerable?
- Why the rise in malware?
- Why are we losing the battle?
- How do we win the war?
In addition, Bit9 will address how several US government agencies now use application whitelisting as the cornerstone of their security projects.
Posted on Mon, Aug 17, 2009
Bit9 announced the Bit9 Parity for Government solution today. You can read about it here. Stephen Northcutt, the head of the SANS Institute, speaks about whitelisting in it.
Posted on Thu, Aug 13, 2009
We are hosting an online data breach "roundtable" featuring Bob Russo, general manager of the PCI Council; Rich Baich, the former CISO of ChoicePoint who weathered the historic breach in 2004 and is now a partner at Deloitte and Touche; and Tom Murphy, chief strategy officer at Bit9, Inc.
Topics include the recent data breaches in the news and what can be done about them.
To sign up, go to the registration page here.
Posted on Fri, Aug 07, 2009
Criminals are getting smarter and more sophisticated, and they are responsible for security breaches in both the public and private sectors that put sensitive information at risk. Just last month it was discovered that cyber spies had repeatedly accessed critical design data in the U.S. Joint Strike Fighter project. Brian Krebs of the Washington Post writes about the Facebook and Twitter attacks here, and the Marines have just banned Facebook.
From state and local government to federal defense agencies, the government seems to be constantly under attack.
Standards such as the Federal Information Security Management Act (FISMA) were put in place to give U.S. federal agencies and contractors a uniform set of information security processes. But compliance, as we have seen with the PCI DSS, is never enough. Gaining control over the software that runs on government systems is more than a strategic initiative aimed at compliance; it is crucial for protecting against zero-day and targeted attacks that get past traditional, reactive defenses.
Application whitelisting is emerging as a layer in IT security defenses: it monitors and controls unauthorized software and can discover and ban specific file hashes automatically, whether the software in question is rogue, unwanted, common but known to be vulnerable, or outright malicious.
This approach to endpoint security is fundamentally different from existing anti-virus methods, which allow all applications to run and detect malware only after it has executed and potentially caused harm. Application whitelisting lets you create an inventory of 'permitted' software that is allowed to run, and lets unknown software run in a controlled, monitored manner until it is deemed good or bad. This lets workers use the tools they need to get their jobs done and reduces the burden of false positives on the IT department.
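As an added illustration of the model just described, here is the decision logic written out in Python. It is not Bit9 Parity's code and does not claim to be its actual algorithm: it shows an inventory of approved file hashes, a ban list that wins over any approval, and unknown files handled either by monitoring (low enforcement) or by blocking (high enforcement). The file contents and paths are constructed stand-ins for real executables.

```python
"""Hash-based application whitelist decision logic.

Added example, not Bit9 Parity's code or its actual algorithm. File contents
and paths below are constructed stand-ins for real PE/ELF binaries.
"""
import hashlib
from enum import Enum
from typing import Dict, Set


class Verdict(Enum):
    ALLOW = "allow"                   # hash is in the approved inventory
    BLOCK_BANNED = "block-banned"     # hash is on the ban list
    MONITOR = "monitor"               # unknown; runs but is logged (low enforcement)
    BLOCK_UNKNOWN = "block-unknown"   # unknown; blocked (high enforcement)


def file_hash(data: bytes) -> str:
    # SHA-256 rather than MD5: an approval must not be reusable by a file
    # crafted to collide with an approved hash.
    return hashlib.sha256(data).hexdigest()


class Whitelist:
    def __init__(self, approved: Set[str], banned: Set[str], enforce_unknown: bool):
        self.approved = set(approved)
        self.banned = set(banned)
        self.enforce_unknown = enforce_unknown

    def decide(self, data: bytes) -> Verdict:
        """Decide on file *content*; the path or name plays no role."""
        h = file_hash(data)
        if h in self.banned:          # a ban overrides an approval mistake
            return Verdict.BLOCK_BANNED
        if h in self.approved:
            return Verdict.ALLOW
        return Verdict.BLOCK_UNKNOWN if self.enforce_unknown else Verdict.MONITOR

    def approve(self, data: bytes) -> None:
        """Promote a file observed in monitor mode into the approved inventory."""
        self.approved.add(file_hash(data))

    def ban(self, data: bytes) -> None:
        """Ban by hash; once distributed, every endpoint blocks this content."""
        self.banned.add(file_hash(data))


# Constructed gold image: the software IT has inventoried and approved.
GOLD_IMAGE: Dict[str, bytes] = {
    "C:/Program Files/Approved/editor.exe": b"approved-editor-build-1",
    "C:/Windows/System32/notepad.exe": b"approved-notepad-build-7",
}
# Constructed known-bad content, e.g. a dropper seen in a previous incident.
KNOWN_BAD: Set[bytes] = {b"dropper-payload-v1"}


def build_policy(enforce_unknown: bool) -> Whitelist:
    approved = {file_hash(data) for data in GOLD_IMAGE.values()}
    banned = {file_hash(data) for data in KNOWN_BAD}
    return Whitelist(approved, banned, enforce_unknown)


def evaluate(policy: Whitelist, observed: Dict[str, bytes]) -> Dict[str, str]:
    """Map each observed file path to the verdict on its content."""
    return {path: policy.decide(data).value for path, data in observed.items()}


if __name__ == "__main__":
    observed = {
        "C:/Windows/System32/notepad.exe": b"approved-notepad-build-7",
        # banned dropper renamed to look legitimate: the hash still matches the ban list
        "C:/Users/alice/AppData/notepad.exe": b"dropper-payload-v1",
        # never-before-seen binary dropped by an exploit: the zero-day case
        "C:/Users/alice/AppData/Temp/a.tmp.exe": b"unknown-zero-day-payload",
    }
    for path, verdict in evaluate(build_policy(enforce_unknown=True), observed).items():
        print(f"{verdict:14} {path}")
```

The renamed dropper shows why the decision is made on content rather than on file name, and the third file shows the zero-day case: a payload that no signature knows is still unknown to the inventory, so it is either logged or blocked depending on the enforcement level, never silently allowed.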
With greater visibility into what applications are running on the organization's endpoints (PCs, laptops, servers), IT staff are better equipped to enforce the use of authorized applications, maintain compliance with industry standards, and prevent the installation or execution of malicious, illegal and unauthorized software that creates vulnerabilities and enables targeted attacks. In fact, the recently released Consensus Audit Guidelines (CAG) prescribe application whitelisting, defining and allowing only trusted software, as a best practice for achieving FISMA compliance.
A well-managed application environment is also less expensive to operate, saving valuable taxpayer dollars when it matters most. According to a recent Gartner study, "A locked and well-managed desktop PC can be 42 percent less expensive to maintain than an unmanaged one."
We're seeing a fundamental shift in the way government operates, and this requires a more sophisticated, better armed approach to IT security.
Posted on Sun, Mar 22, 2009
At EuSecWest 08, Sebastian Muñiz of Core Security demonstrated how to unpack and repackage Cisco IOS binaries, effectively showing how a rootkit can be embedded inside an otherwise valid Cisco IOS image. There are legitimate uses for this, especially for debugging, troubleshooting or penetration testing, but the potential for abuse is staggering, particularly given the proliferation of counterfeit Cisco hardware running counterfeit Cisco software. Even the US Government is aware of tainted hardware that has made it into government purchasing streams. In their defense, Cisco has published a guide for network administrators urging them to verify the MD5 hashes of their router software. That check is only as good as where it is performed: a hash computed by a compromised image on the device itself can lie, so compare a copy of the image, hashed off the box, against Cisco's published value. And what happens when Cisco OS components are legitimately customized, so that no published hash matches?
Posted on Sun, Mar 08, 2009
Given that encryption is moving into the firmware of embedded chips and devices, it is only a matter of time before this type of attack becomes commonplace. Researchers at Cambridge University have used paperclips and needles to tap into chip-and-PIN terminals and record the magnetic-stripe data and PIN from bank cards. Needless to say, you do not need to break into an ATM; a typical cash register terminal will do just fine.
Tapping PIN terminals harks back to attacks and investigations of the past, but old techniques are returning, just as MBR rootkits are making a comeback.
Posted on Sun, Mar 01, 2009
Virtualization has been touted as a more secure alternative to today's approach of dedicating physical hardware to each workload.
Yet the IBM ISS X-Force report tells us to be prepared for new attacks against virtualization infrastructure. For one, disclosed vulnerabilities in virtualization software are at an all-time high.
The report claims that "although virtual machine breakout vulnerabilities tend to get a lot of attention from the press, they are rare," and that they target solutions which predominantly require a full-blown host operating system.
Thin hypervisors are the cure for this, as they remove, for example, the Red Hat-derived Service Console (in VMware's case) from the mix. Similarly, Microsoft's implementation strips all unnecessary components out of a cut-down OS so as not to be affected by fringe vulnerabilities.
It is very likely that new hypervisor-compromising malware, attacks on management infrastructure, and other malicious activity will make headlines very soon. Yet hypervisors are very safe today. After studying their structure, we can safely challenge the world to break and evaluate them. It will not be easy.