Sarbanes Oxley Compliance Journal : Technology : Security

IT Compliance More Uptime and Less Corporate Risk Using RSS


By Gary Miliefsky, President and CEO, PredatorWatch

While most of the dramatic growth of news syndication has currently been on the consumer side, the enterprise side of syndication is already at an inflection point and is poised to explode.

Within the past 18 months essentially all of the world's newspapers as well as online news sources and video channels have come online with RSS feeds. In many cases, a single source will have more than a hundred feeds.

Soon, more than 110 million desktops will be fully RSS-oriented, due simply to the distribution of Microsoft's new operating system, Vista. The first desktops to be upgraded will be within enterprises. This is a tipping point for RSS.

What is RSS?
RSS is a Web content syndication format. Its name is an acronym for Really Simple Syndication. RSS is a dialect of XML. All RSS files must conform to the XML 1.0 specification, as published on the World Wide Web Consortium (W3C) website.

If you are looking to be more proactive about network security, there are some things you can do by utilizing RSS feeds to help you. You'll need to download an RSS reader and know where to go online. Look for the RSS feed icon on a website and you'll know there is an RSS feed available.

What Kind Of RSS Feeds Are Useful For I.T. Compliance?
Before I go into detail on this, I'd like to first set the groundwork on what it means to comply with regulations from an Information Technology and Network Security perspective.

To do this, we must first understand that almost all networks, including yours, are insecure. In fact, according to USCERT.gov, 95% of downtime, data theft, network breaches and IT compliance related issues are a direct result of an exploit against a network asset (such as a laptop, desktop, server, router or firewall), yet very few organizations are auditing or self-assessing their network assets for these holes.

First Let's Learn About CVEs
These holes in your network assets are called Common Vulnerabilities and Exposures (CVEs). You need to clearly see and better protect your network assets, identifying with pinpoint accuracy the root causes of data leakage, regulatory compliance gaps and network downtime using MITRE's CVE standard.

So hackers write viruses, worms and other malicious computer code or "bots" that attack the weaknesses at the heart of your network. If you didn't know that CVEs are what allow hackers to be so successful, you are not alone.

Most people are unaware that CVEs, rather than viruses, are at the root of 95% of all security breaches.

Firewalls can't stop most CVE exploiters. Anti-virus software can't get rid of CVEs. Anti-virus software only cleans up viruses, while doors and windows are still open to attack because of CVEs. Hackers and their automated tools are CVE exploiters, taking advantage of the defects in your corporate network.

All of Your Network Assets Have CVEs - Especially the Mobile Devices
According to recently published Gartner research, "Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users. By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures. To maintain the availability and integrity of the IT infrastructure in the face of a rapidly changing threat environment, you must implement a network access control process." So if you aren't screening mobile devices that come and go throughout your organization on a daily basis, you are missing the backdoors, holes and misconfigurations that allow untrusted exploiters - hackers, viruses, worms, trojans and spyware to attack your network.

How Hard Is It To Exploit Your CVEs?
Just look at the following steps a hacker took at an online bank:

1. The Hacker found an online bank web site running a version of Microsoft IIS (Web Server) that contained just one CVE.
2. The hole (CVE) is in the printer service, which is turned on by default.
3. By sending a simple message over the Internet, with too much data, the printer service crashes, allowing an attacker to gain root privileges and take remote control of the bank server.

You would think that the online bank would be more secure or could have "patched" the problem. A patch is exactly that: it's a Band-Aid that may or may not work. In fact, many patches open up new vulnerabilities. Here are some other interesting hacker attacks that caused embarrassment and billions of dollars in damages:

Paris Hilton's cell phone was hacked because of a CVE. How? Hackers used a CVE (Common Vulnerability and Exposure) to break into T-Mobile's user website for Hilton's Sidekick phone-computer and stole her personal data.

Sasser is another intruder that takes advantage of a CVE. The truth is that Sasser uses a CVE that was around long before the worm was born.

You may never know your data has been hacked. The only way to be sure your network is safe is to lock the doors: eliminate the vulnerabilities, the CVEs, the weak spots, before the attackers strike.

What Can We Do About CVEs using RSS?
Get a hold of a free RSS reader. There are many available.

I just wrote an open source one that's free to try (at your own risk) at the RSS Security Alliance website:

http://www.rsssa.org/

Once you have an RSS reader, set it up to keep an eye on IT Compliance and CVE related feeds. By using an RSS reader to know what the latest CVEs are, you can see if any of your systems have these holes. Then, you can more intelligently find a way to block an exploit that would impact your critical network assets.

Here is a list of some of the best feeds to help you keep a better eye on your network assets:

National Vulnerability Database (NVD)
NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard.

Latest Holes (CVE) RSS Feed: http://nvd.nist.gov/download/nvd-rss.xml
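To show what an RSS reader does behind the scenes when you point it at a feed like NVD's and compare it with your own asset list, here is an added example (not code from the original article, nor from the PredatorWatch or RSSSA reader): it parses the feed XML, pulls the CVE ids out of each item, and flags every host whose recorded software is named in an item. The feed, hostnames, product strings, URLs and CVE ids are all constructed; it assumes items follow the RSS 2.0 or RSS 1.0/RDF item layout and that the inventory names match the wording used in the feed.

```python
import re
import xml.etree.ElementTree as ET
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample feed in RSS 2.0 shape (not a real NVD download);
# the CVE ids and URLs are placeholders, not real identifiers.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed vulnerability feed</title>
<item><title>CVE-0000-0001 (Microsoft Word 2003)</title>
<link>https://example.invalid/cve/CVE-0000-0001</link>
<description>Crafted document may allow remote code execution.</description></item>
<item><title>CVE-0000-0002 (ExampleCo Router Firmware 1.2)</title>
<link>https://example.invalid/cve/CVE-0000-0002</link>
<description>Authentication bypass in the web admin interface.</description></item>
</channel></rss>"""

# Constructed asset inventory: host -> installed software, as recorded
# after screening the desktops and servers on the network.
INVENTORY = {
    "finance-ws01": ["Microsoft Word 2003", "Microsoft Outlook 2003"],
    "web-srv01": ["Microsoft IIS 5.0"],
}

def _local(tag):
    """Strip an XML namespace so RSS 2.0 and RSS 1.0/RDF items look alike."""
    return tag.rsplit("}", 1)[-1]

def parse_feed(xml_text):
    """Return one dict per <item>: its text, link and the CVE ids it names."""
    # Feed XML is untrusted input; xml.etree does not fetch external
    # entities, so parsing stays offline. Never render feed text unescaped.
    entries = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "item":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        text = fields.get("title", "") + " " + fields.get("description", "")
        entries.append({"text": text, "link": fields.get("link", ""),
                        "cves": sorted(set(CVE_RE.findall(text)))})
    return entries

def match_inventory(entries, inventory):
    """Flag every (host, product) whose name appears in an entry's text."""
    hits = []
    for host, products in inventory.items():
        for product in products:
            for e in entries:
                if product.lower() in e["text"].lower():
                    hits.append((host, product, e["cves"], e["link"]))
    return hits
```

Each hit carries the feed's link, which is where the patch or workaround reference appears once the vendor publishes one.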

The United States Computer Emergency Readiness Team (US-CERT)
US-CERT is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

US-CERT is charged with protecting our nation's Internet infrastructure by coordinating defense against and response to cyber attacks. US-CERT is responsible for:

- analyzing and reducing cyber threats and vulnerabilities
- disseminating cyber threat warning information
- coordinating incident response activities

US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public.

Technical Alerts RSS Feed: http://www.uscert.gov/channels/techalerts.rdf
Security Bulletins RSS Feed: http://www.uscert.gov/channels/bulletins.rdf
Non-technical Alerts RSS Feed: http://www.uscert.gov/channels/alerts.rdf
Security Tips RSS Feed: http://www.uscert.gov/cas/tips/

Microsoft Corporation
The Windows operating system is the most attacked system in the world. In addition, all of the 'internet' enabled applications, from Exchange to IIS Web Server and from Outlook to Internet Explorer, are constantly barraged by exploiters. Find out how to help protect your PC against viruses, hackers, and other security issues.

Here is the latest Windows Vulnerabilities (CVEs) and Current Threats RSS feed: http://www.microsoft.com/technet/security/advisory/RssFeed.aspx?securityadvisory

Proactively Finding and Fixing CVEs for IT Compliance?
Let's say you left your keys in your car, you left the windows open, you left the engine running. Heaven forbid someone jumps in your car and hurts someone in an accident. If this happens, who is at fault? The car thief? You? In reality and in court you will both be found guilty - you enabled the criminal.

By taking precautions, buying a car alarm, rolling up the windows, locking the doors and not leaving the keys in the car, you can't be found guilty. You proactively took precautions to secure your vehicle. These steps are called due diligence (the list of things you just did to protect your car from theft) and due care (taking the action of locking the doors, etc.). So, would you leave your keys in your corporate network with all of the doors and windows open? With the keys still in your critical servers hosting confidential information? How about the finance server that you plan to back up for SOX compliance?

Here's an example of an RSS Alert I received from Microsoft while I was authoring this article:

Microsoft Security Advisory (919637)
Vulnerability in Word Could Allow Remote Code Execution
Published: May 22, 2006

Microsoft is investigating new public reports of limited "zero-day" attacks using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.

Microsoft is concerned that this new report of a vulnerability in Word was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

So, let's say you find out that 20 of your employees are using Word 2003 and it has yet to be fixed. Why not ask them to use WordPad or OpenOffice instead, just until Microsoft fixes this particular vulnerability? When it's fixed, you'll know because you are keeping an eye on their RSS security updates feed. If the vulnerability (CVE) is fixed, you'll see a link in the RSS channel content to the patch that fixes the problem.

If you receive an alert about a major vulnerability in your Microsoft Exchange server, why not reconfigure your firewall? By simply going into the rules table and changing the rules regarding how external employees can get at the mail server, which you could limit by MAC or IP address, you could keep random exploiters from taking advantage of this hole until it can be fixed.

You need to keep a daily, vigilant eye on these and other important information security and compliance related RSS feeds and make sure that you don't have any of the critical holes that are being attacked today, in your network. By doing so, you will prove steps of due diligence and due care. The end results will be a harder, safer, more secure corporate network with more uptime and less risk of being out of compliance with SOX or other regulations.
