(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The year is hardly a month old and we have people racing around as if their hair is on fire, demanding to know if the GLibc vulnerability CVE-2015-0235 (aka GHOST) [1] affects them. It's a reasonable certainty that this won't be the only time this year someone will be hammering on your door* wanting answers. And they want them now.

It's a fair question, given the impact certain vulnerabilities can have, but seemingly a large percentage of businesses can't immediately answer it. This is the part that doesn't make much sense. Knowing what software you have and which system it lives on should be a basic business requirement, supported by IT [2]. Whether it is kept in a fancy cloud-based database or a simple spreadsheet (CSV format, even), this information should be up to date and easily accessible. Shouldn't someone in the IT team/group/department/dark room in the basement know this already? Why are they asking the security team? Odd, isn't it: when a problem pops up today and it has something to do with security, the expectation is that the security team should know the answer. Perhaps that's a simple testament to how good you are at getting answers or, more likely, you're the most logical person to ask. (Well, it is an IT security problem; that nice media story/article/tweet has said so...) It becomes pretty easy to do the wrong thing here and play politics by pointing fingers and blaming someone else. So how do you avoid getting into this mess in the first place?

An up-to-date and complete asset list is worth its weight in gold for numerous folk within a company, so if the nice people in Audit and Compliance are maintaining it, it's time to make new friends. If one doesn't exist, then go meet the people that can help create one and show them the value of doing this. You have to show the value to them and understand their perspective, as this can be a lot of work to keep current. Getting others to build and maintain the asset inventory because they see value and actual use in it avoids the "because my boss is making me do it" loathing issue. Any time someone fails to understand or realise the value of an asset inventory, it becomes the last thing on a very long to-do list. This means it never gets properly completed or updated, and we're back to the same problem again.

Socializing security requirements is about building a community of people that understand and ultimately care about being part of a more secure working environment. It's about talking to your workmates and explaining that helping you out with something as simple as an asset inventory can be good for the whole company. And what's good for the company is good for them.

So the next time someone bursts through your door, wide-eyed and panting over today's wittily titled vulnerability, you'll be able to give them the definitive answer. Then you can drop in "this wouldn't be possible without the help of..." and give those other folks their due credit too.

The basics of an asset inventory are straightforward; it needs to record what it is, where it is, who owns it and what's on it. This will answer most of the basic questions, or provide a starting point for more in-depth and complex questions with the right system owners. A basic asset inventory won't tell you how many systems are vulnerable to something like CVE-2015-0235, but it will show how many systems, and which systems, are potentially vulnerable. That's a much better place to be.

Basic required data fields for an asset inventory:

  • Make of the device
  • Model of the device
  • Serial Number of the device
  • Assigned asset tag number
  • System Name (assigned host name)
  • System Owner (who is responsible for the asset, both business and technical contacts)
  • Physical Location
  • Operating System
  • OS version level
  • Function (apps web server
  • Network location (e.g. internal workstation LAN, DMZ, Protected Internal network, etc.)
  • Business criticality (e.g. Low, Medium, High, Critical)

If you have any other suggestions or advice on getting a decent asset inventory in place and keeping it updated, please feel free to add a comment.
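As an added example (not from the diary), a small Python triage over a constructed CSV inventory using the fields above: it picks out the systems whose operating system is glibc-based, and so potentially exposed to CVE-2015-0235, and summarises them by network location, criticality and owner so the right system owners can be asked about their installed glibc version first. The sample rows, the column names and the OS-family set are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory (not real hosts), using the diary's suggested fields.
INVENTORY_CSV = """asset_tag,system_name,make,model,os,os_version,function,network_location,business_criticality,owner
A1001,web01,Dell,R630,Ubuntu,12.04,web server,DMZ,High,Web Team
A1002,db01,HP,DL380,RHEL,6.5,database,Protected Internal,Critical,DBA Team
A1003,fs01,Dell,R720,Windows Server,2012 R2,file server,Internal LAN,Medium,Infra Team
A1004,jump01,Supermicro,X10,CentOS,7.0,jump host,DMZ,High,Security Team
A1005,ws-42,Lenovo,T450,Windows,8.1,workstation,Internal workstation LAN,Low,Desktop Team
"""

# OS families that ship glibc and so are *potentially* affected by CVE-2015-0235.
# This is an assumed, illustrative set; confirming exposure still needs the
# installed glibc version from each system owner.
GLIBC_BASED_OS = {"ubuntu", "rhel", "centos", "debian", "fedora", "sles"}


def load_inventory(text):
    """Parse the CSV inventory into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def potentially_affected(rows, os_families=GLIBC_BASED_OS):
    """Return inventory rows whose OS family is glibc-based (case-insensitive)."""
    return [r for r in rows if r["os"].strip().lower() in os_families]


def triage_summary(rows):
    """Count potentially affected systems by network location and business
    criticality, and list the owners to contact, so the most exposed systems
    (e.g. DMZ, Critical) are followed up first."""
    hits = potentially_affected(rows)
    return {
        "count": len(hits),
        "by_network": dict(Counter(r["network_location"] for r in hits)),
        "by_criticality": dict(Counter(r["business_criticality"] for r in hits)),
        "owners": sorted({r["owner"] for r in hits}),
    }


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for r in potentially_affected(inv):
        print(f'{r["system_name"]:8} {r["os"]:15} {r["network_location"]:25} {r["business_criticality"]}')
    print(triage_summary(inv))
```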

For the Australian readers - support your local con: CrikeyCon is back!

CrikeyCon is on Saturday, 21st February and is held in Brisbane, Australia. For more details go to http://crikeycon.com

Chris --- Internet Storm Center Handler on Duty

[1] Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST)
[2] And is on most of the critical controls lists, including: https://www.sans.org/critical-security-controls/control/2
* Real or virtual (email, IM, fax or telegram now seem to be doorways too)


Verizon says it will soon offer customers a way to opt out from having their smartphone and tablet browsing tracked via a hidden un-killable tracking identifier.

The decision came after a ProPublica article revealed that an online advertiser, Turn, was exploiting the Verizon identifier to respawn tracking cookies that users had deleted.

Two days after the article appeared, Turn said it would suspend the practice of creating so-called "zombie cookies" that couldn't be deleted. But Verizon couldn't assure users that other companies might not also exploit the number—which was transmitted automatically to any website or app a user visited from a Verizon-enabled device—to build dossiers about people's behavior on their mobile devices.


 

British Infosec startup, Cyberlytic wins first Firestarter Trailblazer Award ...
Press Release Rocket
The Firestarter programme has been created to ensure dedicated recognition and reward for the new lean startups who are still securing major funding from VCs. This new award has attracted a large number of earlier stage startups from within the ...

 

One of the things that has concerned me for the last few years is how we are slowly creating a click-thru culture.

I honestly believe the intent is correct, but the implementation is faulty. The messages are not in tune with the average Internet user's knowledge level. In other words, the warnings are incomprehensible to my sister, my parents and my grandparents, the average Internet users of today. Given a choice between going to their favorite website or trusting an incomprehensible warning message... well, you know what happens next.

A team at Google has been looking at these issues and is driving browser changes in Chrome based on their research. As they point out, the vast majority of these errors are attributable to webmaster mistakes, with only a very small fraction being actual attacks.

The paper is "Improving SSL Warnings: Comprehension and Adherence", and there is an accompanying presentation.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)
