Didn't have time to ask about it in our security Regcast? No problem

What on Earth is 'holistic scanning' and more... answered


Our Regcast Security: Knowing what you don't know - and what you can do about it (on demand version here) brought together Raimund Genes, CTO of Trend Micro, and Freeform Dynamics' Tony Lock, chief security nagging officer of the analyst community. They gave us a fascinating insight into how the security landscape has changed and how your behaviour – and your users’ – might have to change with it.

The slides we used, which feature a lot of best practice and the results of recent Freeform Dynamics research, are available as a PowerPoint document here.

Lock drew a comparison between friendly fire (attacks from within) and enemy fire.

"When we talk about enemy fire, it's not just one guy," Genes added. Script kiddies are now joined by hacktivists, professional criminals and even national governments, he said.

Are things getting better or worse, a reader asked Lock. "According to the chart, the answer is almost uniformly that they are going to get worse," he replied.

So it is not surprising that there were a lot of questions, too many to answer.

There is too much information in our hour-long Regcast to summarise here, so do watch the Regcast. But we brought Lock and Genes together again to talk about some of the questions that we didn't have time to answer in the video, or that were too specific for it.

Q: Would you say there is a tendency to place more trust in technology than in procedure?

Lock: Good security must combine technology, procedures, policy and people, especially education. Many organisations put their trust in technology because it is a simple thing to sign off and audit. It is not enough.

Genes: Agreed. By implementing technology you can tick checkboxes, regardless of how good or bad the implementation is. When I talk with customers it is sometimes shocking to realise that they invest in the technology but don’t have processes in place to deal with a data breach.

Q: Users are one of the biggest vulnerabilities within organisations. What is the best way to get users to buy into, and listen to, security awareness programmes and presentations?

Lock: Educating users, in all aspects of security, is one of the most effective things an organisation can do to improve its security posture.

Education needs to be ongoing and must include time spent on why security solutions are used, why some things are not permitted, and what the consequences of not following set procedures and solutions could be for the organisation and the individual.

It is important users understand why things are the way they are, especially anything that they think limits their freedom.

Q: Some virus programs claim to offer "holistic" scanning. What do they mean by that? Is it better than normal scanning?

Genes: Holistic scanning is a marketing buzzword used by some vendors. But actually every serious security player does this.

We know that just looking for a binary match does not help against variants or repacked malware, so you look from different angles.

In the Regcast I used the example that you could look for the initial handshake of Poison Ivy, that you could spot communication with a known Command and Control Server.

So security is not just about looking at files anymore, but looking for multiple events and different protocols, and then connecting the dots.

In the past companies had a strategy of buying security solutions from different vendors. But if you want to connect the dots, we think it is better to rely on one vendor, as the products talk to each other and spot the needle in the haystack faster, while reducing false positives.

Q: We hear a lot about endpoint security, which is really aimed at network measures. But surely the best protection is to encrypt data and control the keys and who has access?

Lock: I believe the use of encryption will grow, and eventually will become ubiquitous. In the past it was complex and placed too much overhead on systems, especially when a user wanted to open a document.

The overhead problem is going away but getting encryption in place across all systems is still complex, especially as managing keys over long periods of time – potentially decades, if not centuries – is a major effort.

It requires exceptionally robust solutions and operational procedures. Lose a key and that data is essentially gone.

Genes: Agreed. But as encryption should be easy and transparent to end-users, you need security solutions that shield your key management servers, the back-end infrastructure. That’s where the attackers are focusing now.

Q: Isn't allowing customers to generate their own signatures, that they don't share with the community at large, simply going to allow attackers to re-use the same tools against another target? It sounds very similar to the argument for not publishing security vulnerabilities.

Genes: Yes, it does. I would love to get all the used samples and attack vectors so that we could protect our customers better. But we need to respect our customers, and unwillingness to share normally comes from the bigger organisations and government.

But it's not all bad. If the tool is used several times, we will probably get it from other sources. If it is highly targeted, it is likely to affect only one company, and for this they need the ability to generate custom signatures.

Q: Most attacks rely on finding poor allocation of memory, which allows the attacker to overwrite adjacent memory allocation. Why have we not learned how to exercise better memory allocation to prevent this type of attack?

I use WinPatrol, which immediately informs me when any unknown or unusual activity occurs on my system. It also warns me immediately if my computer is attempting to send out data that is not authorised.

Genes: You are an expert and you can manage the log files and alerts. Unfortunately a lot of people can’t.

Think about a small company without IT experts, where someone visits once a month to ensure that the systems are up and running. Or think about a widely published case like the Target incident, where POS infections were reported by the security solution but the warnings were ignored by the staff.

Lock: Better use of monitoring tools is a good way to improve security but the monitoring tools must be effective and not generate too many false alarms. They must also be easy to use and not require too much time from IT professionals.

Genes: For poor allocation of memory, or buffer overflows, there are ways to prevent or spot this stuff while coding – like canary values. But few people use them because it adds to their workload.
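As an added illustration of the canary technique Genes mentions (this is example code, not from the Regcast, Trend Micro or Freeform Dynamics): a guard word sits directly after a fixed-size buffer, so a copy that trusts the caller's length and runs past the buffer corrupts the guard, which a later check catches. The `guarded_buf` type, the fixed `CANARY` value, the `gb_*` functions and `canary_survives` are all hypothetical names constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP 16  /* bytes the caller is allowed to store */
/* Hypothetical guarded buffer: payload immediately followed by a canary word. */
typedef struct {
    uint8_t  data[CAP];
    uint64_t canary;
} guarded_buf;

/* Constructed fixed canary so the demo is reproducible; a real runtime
 * (e.g. GCC/Clang -fstack-protector) draws it from the OS CSPRNG. */
static const uint64_t CANARY = 0x5A17C0DE8BADF00DULL;

static void gb_init(guarded_buf *b) { memset(b->data, 0, CAP); b->canary = CANARY; }

/* Models the bug in the question: the copy trusts the caller's length and runs
 * past data[] into adjacent memory (clamped to the struct so the demo itself
 * stays within defined behaviour). */
static void gb_write_unchecked(guarded_buf *b, const uint8_t *src, size_t len) {
    if (len > sizeof *b) len = sizeof *b;
    memcpy((uint8_t *)b, src, len);
}

/* Hardened version: refuses anything that would not fit. */
static int gb_write_checked(guarded_buf *b, const uint8_t *src, size_t len) {
    if (len > CAP) return -1;
    memcpy(b->data, src, len);
    return 0;
}
/* The canary check: 1 if no write has crossed into the guard word. */
static int gb_intact(const guarded_buf *b) { return b->canary == CANARY; }

/* Write `len` constructed 'A' bytes into a fresh buffer through the chosen
 * path and report whether the canary survived. */
int canary_survives(size_t len, int checked) {
    guarded_buf b; uint8_t in[32];
    memset(in, 'A', sizeof in);
    if (len > sizeof in) len = sizeof in;
    gb_init(&b);
    if (checked) (void)gb_write_checked(&b, in, len);
    else gb_write_unchecked(&b, in, len);
    return gb_intact(&b);
}

int main(void) {
    printf("unchecked 20-byte write: canary %s\n", canary_survives(20, 0) ? "intact" : "CORRUPTED");
    return 0;
}
```

Compilers automate the same idea for stack frames with -fstack-protector, which is why the check costs developers nothing extra once enabled.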

Q: Do the new security enhancements to Java 8 successfully address the known security issues uncovered in Java?

Genes: Java 7 and Java 8 are addressing a lot of issues that we saw in Java 6. So I highly recommend you upgrade to version 7 or higher. Time will tell if new security issues have been introduced, though.

Q: Do you see a push for a "full forensics" approach to security analysis? We wouldn't switch off CCTV every five minutes to save HDD space. Why are the current gaps in many systems accepted and should this be a concern?

Lock: All gaps should be a concern. Many business managers do not understand many aspects of security and often see it as a type of insurance. They do the minimum they think they can get away with, or do not think their organisation is really under any threat.

Genes: Yes, we need to support a rethinking process. Your logs are valuable, and data collection about normal and abnormal network traffic behaviour is key.

Business owners need to accept that their neck is on the line if something is happening. They need at least to ensure that processes are in place to call for help and know who to call.

Everybody has emergency procedures posted about what to do in case of a fire. How many have done the same for cyber attacks? Unfortunately, not many.
