Most Vulnerable Adobe or Java? You Make The Call.

As it is Super Bowl weekend, we thought we'd conjure up our best version of the classic "You Make the Call" segments that appeared on Monday Night Football.

A recent article posted on ZDNet highlights research from Cisco’s 2014 Annual Security report.

In this report, Cisco (Sourcefire) highlights the fact that 91% of all web exploits are related to Java. Not to be outdone, Cisco's TRAC/SIO group reports different results within the same report. For those of us not familiar with the acronym, TRAC/SIO stands for the Threat Research Analysis and Communications & Security Intelligence Operations group. TRAC/SIO found that Java malware encounters peaked at just 14 percent in April, measured against "all web malware".

To be fair, Sourcefire restricted its range of web exploits to Java; Microsoft Word, Excel and PowerPoint; and Adobe Reader, whereas TRAC/SIO expanded its horizon to various other types of exploits.

Not to be outdone, AV-Test reported back in December that Java, Adobe Reader and Adobe Flash have been responsible for 66% of the vulnerabilities exploited by malware on Windows platforms since the year 2000.

What Does iScan Online See?
Well, we can tell you from working with our clients that on about 60% of the Windows desktop and laptop computers scanned for vulnerabilities using iScan Online, the majority of the vulnerabilities identified are attributed to Adobe and Java.

Why do these vulnerabilities go unpatched?
It's pretty simple. At iScan Online, we are able to scan the "dark matter" of your network: the devices that traditional management and vulnerability scanning solutions can't assess. These devices are BYOD, used by road warriors, remote workers and home workers, and may never actually attach directly to your corporate network, but they will interact with your applications and data via VPN, web apps and more.

If you rely on the users of these devices to update and patch their own systems, they don't know that not all apps are automatically updated via Microsoft Windows Update; they will run the update for Adobe Flash but not know that they also need to run updates for all other Adobe products.

What's The Risk?
So what does this all mean? Why should I care about patching these vulnerabilities? The reality is that we all have trusted access and store sensitive data, whether we are interacting with web applications on a laptop, syncing files from location to location, or connecting via VPN. The end result is that our unpatched laptops and mobile devices are the perfect launch point for criminals to gain access to sensitive data: once a device is compromised through an unpatched Adobe or Java vulnerability, it can expose the data stored locally on it, or be used as a malware launch point into the rest of the environment.

You make the call.
If you are interested in seeing how to engage your user community in the security conversation and help reduce the number of exploits and data-loss incidents on all platforms, check out iScan Online's simplified security report, which gives users helpful information about how to resolve the issues with Java, Adobe and other apps installed on their devices.

View a sample security report: https://www.iscanonline.com/page/vuln-report

Posted in Vulnerability & Patch

Data Breaches at The Intersection of Vulnerabilities and Data Discovery

As we learn more about the inner workings of the malware that infected Target, and most likely Neiman Marcus, during the holiday season, I thought it would be helpful to draw some conclusions, not only about protecting against malware such as KAPTOXA and BlackPOS but also about how you can transform your security posture to avoid becoming the next data breach victim.

iSIGHT Partners, in conjunction with the U.S. Secret Service, performed a detailed analysis of the KAPTOXA operation, which was behind the large-scale point-of-sale cyber-crime breaches announced this month.

After reviewing the January 14 document published by iSIGHT Partners (http://media.scmagazine.com/documents/60/kaptoxa_14816.pdf), which highlighted the characteristics of Trojan.POSRAM, and another detailed analysis and background piece by IntelCrawler (http://intelcrawler.com/about/press08) on BlackPOS, from which Trojan.POSRAM is derived, I wanted to point out some of the more interesting facts gleaned from both reports:

• Author is believed to be around 17 years old
• First builds of the malware were offered for 2000 USD
• It scans memory for card data track1/track2
• It stores card data on the POS device and staging server in plain text

While it hasn't been fully determined how the malware spread to multiple POS systems within these retail environments, it's safe to assume that it might have been a combination of vulnerable systems and weak administrative controls around remote management and passwords.

But Wait! Did you say data stored in plain text?
Intel Crawler Chat with BlackPOS Author

That's right: after slurping the data from memory, Trojan.POSRAM stores it in %windir%\system32\winxml.dll. Then, between the hours of 10am and 5pm, it would periodically send that file over NetBIOS to a temporary dump server. Given that Trojan.POSRAM is based on BlackPOS, we can determine that the data is being stored in this dll file and other staging files in plain text. (See the insert above for the IntelCrawler chat with the BlackPOS author.)

So this gets to the intersection of why we believe organizations are missing some of the biggest points in securing their environments against these types of threats:

– Concentrated endpoint vulnerability management
– An effort to consistently assess where sensitive data is being stored

Endpoint Vulnerability Management
In today's world of disconnected systems, remote offices and more, it is increasingly difficult to accurately detect vulnerabilities on systems using traditional network scanning methodologies. Without an endpoint focus, results are often impossible to gather and contain huge numbers of false positives.

Considering retail environments, and looking at Target with approximately 1921 locations to scan and manage vulnerabilities for, this is an overwhelming task. Traditional network vulnerability scanning solutions require appliances, credentials and lots of network bandwidth and connectivity to accurately scan these locations.

Let's also consider not only the retail locations in these environments but the vast number of workers who are constantly on the road, connecting to various networks, and are never properly assessed for vulnerabilities because they are remote when the centralized network vulnerability scans are scheduled. These endpoints become the launch point for infiltration into the corporate network. Let's say an end user visits a malicious link that installs a piece of malware that lies dormant until the device is connected to the corporate network, and then uses it as the infection point. In the case of retailers: game over, BlackPOS is now on the network looking for POS systems to infiltrate.

Data Discovery
So in most cases, the anti-malware, network defenses and other defense-in-depth technologies should detect these breaches, correct? No. As attackers become more sophisticated, the gap widens between the instant a piece of malware is released and the time at which proactive protection is released by security vendors. But what are some other things you can proactively do to prevent these data breaches?

I can't say it any louder: CONSTANTLY ASSESS for UNENCRYPTED CARD DATA!!
We help organizations on a daily basis understand where they have sensitive data being stored, and to be honest we find a lot of data that organizations never knew existed in their environment, be it unintended backup storage, accidental end-user copies, or even development logging on servers. Data is there whether you want it to be there or not. It happens.

The Power Of Combined Intelligence
At iScan Online, we provide customers with combined intelligence: knowing which devices are at risk of compromise from existing vulnerabilities, and detecting whether there is sensitive unencrypted data at rest on the device. Armed with both pieces of information, you can take proactive steps to reduce the risk associated with these devices by first removing or encrypting the sensitive data and secondly applying remediation to remove the discovered vulnerabilities on the device.

Take a look at these sample reports from a vulnerability scan as well as a data discovery scan:
Vulnerability Report
Data Discovery Report

If you want more information or to try out iScan Online visit:
www.iscanonline.com

Posted in Data Breaches, Data Discovery Scan, Vulnerability & Patch

What is the cost of poor cardholder data discovery?

When the topic of data breach comes up, encryption and vulnerability scanning are usually part of the solution. But most people don't realize that getting a frequent assessment on all endpoints can be just as important as securing the payment processing gateway. In fact, many experts consider cardholder data discovery the "third pillar" for overall data breach mitigation.

Knowing the risks

Numerous studies have shown that assessing for unencrypted credit card data at rest plays a vital role in protecting customer payment data. The price we pay for neglecting data discovery assessments has profound ramifications for corporate branding and business success, and ultimately can have fatal financial repercussions.

Common risks we see all too often that you should be aware of:
1) Payment gateways send and receive encrypted information to and from the merchant server, but due to misconfigured gateways, card data is being dumped into a text or XML file.
2) Due to the adoption of cloud syncing technologies such as iCloud and Google Drive, payment data stored on the desktop is constantly synchronized with smartphones and tablets, proliferating beyond the perceived corporate perimeter.
3) Email, hands down, is the #1 location where card data was discovered, on over 80% of endpoints.

What you can do to improve cardholder data discovery and mitigate data breaches

1) Assess both mobile and computing devices for unencrypted data
2) Be sure to scan common locations such as Email, SMS, SD Cards, Zip Files, Browsers and Contacts
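As an added example (not iScan Online's code and not the scanner the page describes), the Python script below implements the kind of assessment this post and the Trojan.POSRAM write-up above call for. It walks a directory and flags plaintext track 1 / track 2 strings of the form a RAM scraper writes to its staging file, as well as bare primary account numbers (PANs) in text, log/XML and mailbox-style files, using the Luhn check to discard order numbers and other digit runs. It goes slightly beyond the page by handling both scraped track data and PANs typed in groups. Every file name, file body and card number is constructed for the demonstration (the PANs are public test numbers, not real cards), and findings are reported masked so the scanner's own output does not become another plaintext copy.

```python
"""Added example (not iScan Online's code): a minimal scanner for unencrypted
cardholder data at rest.  It flags (a) raw track 1 / track 2 strings of the
form a memory scraper such as Trojan.POSRAM writes to its staging file and
(b) bare 13-19 digit PANs that pass the Luhn check, inside text, log/XML and
mailbox-style files.  All sample files and numbers below are constructed."""
import os
import re
import tempfile

# ISO 7813 track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# ISO 7813 track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")
# Bare PAN candidate: 13-19 digits, optionally grouped with spaces or dashes,
# not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first 6 / last 4 only, so the report is not another plaintext copy."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str):
    """Return [(kind, masked_pan)] in order of appearance; kind is track1, track2 or pan."""
    hits = []       # (start offset, kind, masked PAN)
    covered = []    # spans already claimed by a track match
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_valid(m.group(1)):
                hits.append((m.start(), kind, mask(m.group(1))))
                covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        # the PAN (and discretionary data) inside a track string is already reported
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.start(), "pan", mask(digits)))
    hits.sort()
    return [(kind, masked) for _, kind, masked in hits]


def scan_directory(root: str):
    """Scan every file under root; binary junk is tolerated via errors='replace'."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_dir() -> str:
    """Write constructed sample files (not real data) and return the directory."""
    root = tempfile.mkdtemp(prefix="cdd-")
    samples = {
        # staging file in the style the page attributes to Trojan.POSRAM: scraped tracks in plain text
        "winxml.dll": "%B4111111111111111^DOE/JOHN^25121010000000?\n"
                      ";5555555555554444=2512101000000000?\n",
        # misconfigured gateway dumping a transaction; the order id fails Luhn and is not reported
        "gateway.log": '<txn order="1234567890123456"><card number="378282246310005" exp="1225"/></txn>\n',
        # an e-mail with a card typed in groups, the most common at-rest location the page names
        "inbox.txt": "From: clerk@example.test\nCustomer gave 4012 8888 8888 1881 exp 12/25 over the phone.\n",
        # clean file: no finding expected
        "readme.txt": "Store policy v2014-01, see ticket 12345678.\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for rel_path, findings in scan_directory(sample_root).items():
        for kind, masked in findings:
            print(f"{rel_path}: {kind} {masked}")
```

A production scanner would also open zip archives and mail stores, check the issuer BIN ranges it cares about, and reuse the track regexes against process memory on POS hosts; the Luhn filter matters because order numbers, timestamps and track discretionary data produce plenty of 13-19 digit runs, and the span bookkeeping keeps a track string from being reported twice.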

What you can do after the assessment

1) Encrypt the files or use full disk encryption if retaining the data is justified
2) Properly remove and securely delete the data when no longer needed
3) Educate employees on the importance of protecting cardholder data

See sample report of what to expect after a simple and fast assessment:
Computer Cardholder Discovery Report

Treating cardholder data discovery as a priority rather than a luxury can be a huge step toward protecting customer data and preventing your business from becoming yet another data breach headline. However, it's important to be aware that not all cardholder assessments are so easily addressed. Card data residing on smartphones, tablets, laptops or other BYOD computing endpoints can easily be identified by reviewing your PAN or PII Scan reports in your iscanonline.com account.

Posted in Cardholder Data, Data Breaches, Mobile Security, PAN Scanning, PCI DSS

iScan Online Moments in 2013

It’s day 2 of 2014 and you’ve likely started a number of resolutions you want to follow through with. Maybe it’s time to spend more time at the gym, with the family, cut down on the pizza or perhaps address mobile security threats. At this time last year, there were 6.6 billion mobile subscriptions throughout the globe. Today, both our global population and mobile subscriptions are over 7 billion. In fact, mobile subscriptions have now surpassed the total number of humans on the planet.

With the recent data breach headlines and the rapid adoption of BYOD, we asked our customers how iScan Online would be incorporated into their New Year's resolutions. The response was amazing, and everyone was in agreement. The top 3 ways iScan Online will play a role in 2014 resolutions are listed below, in chronological order:

1) All Smartphones and Tablets will be scanned for vulnerabilities before joining the network.
2) All endpoints will be scanned for unprotected PII data, including BYOD and Mobile.
3) Remote home workers are to be scanned for vulnerabilities before connecting to corporate networks and applications.

2013 has been an amazing year here at iScan Online. We have had a blast changing the paradigm of how vulnerability and security scanning are performed. This year we will continue making security scanning easier and faster while remaining affordable for both our SMB and MSP customers.

Check out these moments on iScan Online from 2013 in the slides below:


From everyone at iScan Online, we wish you a Happy Holidays and a wonderful New Year!
Keep on Scanning.

Posted in Cardholder Data, Data Breaches, iScan Online press, iScanToons, Mobile Security