Critical Watch is hiring - we have an opening in our Basecamp Labs™ team. Read more here: http://bit.ly/13QhTD0
Jesper Jurcenoks, director of security research and chief evangelist here at Critical Watch, just published a Technical Whitepaper on changes to the PCI ASV Program Guide and how those changes can impact your organization. Here is an excerpt.
Overview of important changes
- PCI promises more cooperation with PCI community in regards to evolving standards
- No grace period before new rules are in effect
- ASVs are now explicitly responsible for: “Maintaining security and integrity of systems and tools used to perform scans”
- Scan Customers are now explicitly responsible for: “Perform due diligence in the ASV selection process, per the scan customer’s due-diligence processes, to obtain assurance as to the ASV’s level of trust to perform scanning services” and “To the degree deemed appropriate by the scan customer, monitor Internet-facing systems, active protection systems, and network traffic during the scan, to assure an acceptable level of trust is maintained”
You can download the entire list here: http://bit.ly/12j4Blt
Jesper Jurcenoks, our Director of Security Research and Chief Evangelist just published a Technical Whitepaper that does a great job of explaining what is new with these changes and how they might impact your organization.
Here is a snippet from the document, Jesper’s conclusion:
Easier Compliance for Merchants and Card Acquirers - An updated, less rigid rule set for scan interference and active blocking makes it easier for merchants and card acquirers to be compliant while staying safe. New requirements for the ASVs mandate changes to scanning procedures. PCI SSC does not require that changes to the Scan Solution stemming from the new requirements be implemented at this time. The new PCI ASV Program Guide is effective immediately.
Here is a link to get the document (yes there is a form, but you can tell us not to contact you). http://bit.ly/12j4Blt
Critical Watch™ has been designated as a Cool Vendor for 2013 by Gartner Research, the world’s leading information technology advisory company. This recognition isn’t easily awarded. To be eligible, a company must offer “innovative and forward-thinking sets of solutions designed to address emerging or newly identified security challenges” as well as “typically break boundaries between different technologies, evolve from actions within isolated silos to interactions across silos and use contextual analysis of security information across silos.” Critical Watch products meet these requirements by
- Optimizing the configuration of countermeasure devices
- Providing actionable intelligence
- Enhancing threat analytics with additional risk-to-countermeasure contextual mappings
We’re pretty excited that Gartner recognizes us as a Cool Vendor and leader in the Security Intelligence space. It’s great confirmation of our vision to link comprehensive intelligence with active mitigation. Read the full story here!
For eight consecutive years, Critical Watch has earned certification as an Approved Scanning Vendor (ASV) from the PCI DSS Data Security Standards Council. Our FusionVM® Enterprise Vulnerability Management System enables companies to effectively conduct quarterly network scans in order to monitor and protect customer credit card data from theft and sabotage. We passed the three-part certification process on the first try, something that takes most companies two or three attempts. First, Critical Watch was validated as providing an exceptional scanning product. Next, specific employees entered an extensive ASV training program and passed the ASV exam. Finally, we participated in security testing of our FusionVM® SaaS model. Additional business and administrative requirements were met as well. Discover how we can help you meet PCI requirements!
We have seen a lot of security news regarding issues with Java. On Jan 11th, Homeland Security recommended that users disable or uninstall Java until further notice.
Now it appears that Oracle has a new Java security patch that addresses about 50 vulnerabilities, 44 of them related to the plug-in for web browsers.
A couple times a month our Basecamp Labs™ research group holds a “lunch-n-learn” for everyone (well mainly us non-engineers.) Below is a summary of a recent lunch-n-learn from Amil Mpiana, one of our Basecamp Labs™ software security researchers.
—-
Description
Directory Traversal is an HTTP exploit which allows attackers to access files and directories outside the intended scope for the user. It consists of exploiting insufficient validation / sanitization of user-supplied input file names, so that characters like ../ (representing “traverse to parent directory”) are passed through to the file APIs. Directory traversal is also known as the “dot dot slash” (../) attack, path traversal, directory climbing and backtracking. Variants of this attack take the form of canonicalization attacks.
Web Server
Properly controlling access to web content is crucial for running a secure web server. Thus, web servers typically provide two main levels of security mechanisms, namely: Access Control Lists and the root directory. An Access Control List (ACL) is simply a list which the web server’s administrator uses to indicate which users or groups are able to access, modify or execute particular files on the drive, etc. The root directory, on the other hand, is a specific directory on the server file system in which all the users are confined. By default, users can access directories under the root (given the user has proper ACL authentication) but are not able to access anything outside of this directory. This is where a directory traversal comes into play, because by referring to the parent directory using the ../, a user could step out of the root directory and access restricted content on the server.

Attack Impact
An attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to create, view, modify, or delete restricted files which could lead towards impersonating a user, causing denial-of-service conditions (crash/exit/restart); or, even more dangerous, command execution possibly leading towards full compromise of the system.
Examples of Directory Traversal Attack
Some types of this attack include directory traversal via web application code, in which all an attacker needs is a web browser and some knowledge of where default files and directories are usually found on the system, and directory traversal via the web server, where the problem is either in the web server software itself or in sample script files left available on the server. Directory Traversal is catalogued as Common Weakness ID CWE-23; that entry illustrates more forms of this attack.
Preventing Directory Traversal Attacks
Make sure that you are always running the latest, updated version of your web server and web application software and ensure that all patches have been applied. It is also very important to ensure effective user input filtering and sanitization: remove meta characters such as ../ from user-supplied input filenames. This ensures that only known good data is being submitted to the server. Have strong Access Control Lists (ACLs) on your server. A Web Application Firewall (WAF) agent is also a possible solution. It can intercept the directory traversal attack before it gets to the program, and most WAFs will decode the URI, mitigating encoded forms of ../ as well.
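The filename checks described above, as an added example (not code from the original post or from Critical Watch): a naive join that lets ../ escape the web root, beside a hardened resolver that decodes percent-encoding, normalizes separators and confines the result to the root. The web root path is a constructed value; the lexical check assumes the root contains no symlinks (otherwise resolve with os.path.realpath first).

```python
import posixpath
from urllib.parse import unquote

# Constructed example root; any directory works.
WEB_ROOT = "/var/www/html"


def resolve_unsafe(root, user_path):
    """Naive join: the 'before' behaviour the post warns about.
    normpath happily collapses '../' segments that step above root."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_safe(root, user_path):
    """Return an absolute path inside root, or None if the request escapes it."""
    # Decode percent-encoding twice so double-encoded %252e%252e%252f is caught
    decoded = unquote(unquote(user_path))
    # Treat backslashes as separators, as some servers do, before checking
    decoded = decoded.replace("\\", "/")
    # NUL bytes can truncate the path in C-based file APIs; reject outright
    if "\x00" in decoded:
        return None
    # A leading slash must not turn the request into an absolute path
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare against the canonical root on a directory boundary, so that
    # a sibling such as /var/www/html-backup is not accepted by prefix match
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("images/logo.png", "../../../etc/passwd",
                "..%2f..%2f..%2fetc%2fpasswd", "%252e%252e%252fetc/passwd"):
        print(f"{req!r:35} unsafe={resolve_unsafe(WEB_ROOT, req)!r:28} "
              f"safe={resolve_safe(WEB_ROOT, req)!r}")
```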
Here is the latest technical video for our ACI Platform security intelligence technology. The overview video can be found here.
A recent study conducted for HP by the Ponemon Institute revealed challenging news for businesses, but also an opportunity for SIEM providers. The study, cited by this Channelnomics article, shows that from 2011 to 2012, the number of cyber attacks faced by businesses increased by 42 percent, costing organizations an average of $8.9 million annually. This represents a 38 percent increase in costs over the past two years. In addition, the average cyber attack takes 24 days to resolve, costing more than $500,000.
According to the study, the threats businesses face are widely varied, including malware, denial-of-service attacks, stolen devices and malicious insiders. With these and other new risks to defend against on a daily basis, businesses require effective security monitoring tools that can determine precisely where in the data stack attacks are taking place.
The article concludes that this challenging environment, along with the rising costs of cybercrime, presents the ideal opportunity for SIEM developers to provide value to their clients by helping them detect and resolve risks as soon as possible while reducing their annual costs.
In general, the report indicated that security intelligence solutions would move from “high value” nice-to-haves to “necessities” in the near future. These findings highlight the value of Active Countermeasure Intelligence, as the large number of potential attack points presents challenges in coordinating data received from discrete security tools.
Cloud-based services are revolutionizing IT today, but a new report from the Cloud Security Alliance (CSA) warns that it’s not so simple where security is concerned. In particular, the report points out that insufficiently robust cloud-based SIEM solutions can’t offer the level of infrastructure protection necessary in case of attack.
The report by the SecaaS Working Group, as discussed here in CloudPro, notes that in the case of a denial-of-service attack, for example, “An enterprise under a distributed DOS attack will most likely lose connectivity, response, and remediation data from the SIEM if the SIEM systems share the enterprise network data flows.”
As with other cloud services, security must be layered in order for the SIEM to provide effective intelligence throughout the infrastructure. Correctly responding to remediate vulnerabilities requires the most current data generated by a wide variety of security resources, and the SIEM itself must be able to continue providing administrators with information even during an attack.
The report also includes best practices for effectively architecting and implementing a cloud-based SIEM solution, addressing the challenges of transitioning foundational SIEM principles into new environments, as part of a larger discussion on cloud-based security. Based on this information, cloud-based SIEM providers would benefit from adding functionality that supports the widest variety of third-party security tools possible, delivering full visibility into risks throughout the information stack.
Effectively securing a business is not a simple task. More often than not, many skills and technologies are involved.
In the interview below, Audian Paxson from Critical Watch outlines security threats that businesses are facing today, as well as measures that can be taken to help organizations efficiently fight the online security battle. Read more…
A recent report by 451 Research highlights our unique place in the risk management industry. The report calls out our practical business model of adding functionality to SIEM systems and security tools already in place:
[Critical Watch]… takes the bold step of tuning security devices to provide mitigation. Think of the product as being half GRC and half IPS. Pursuing a route to market through indirect channels, licensing and OEM agreements, it allows for vendors to enhance their existing offerings. Being modular in design aids in its appeal to partners, and has enabled Critical Watch to avoid going head-on into the crowded market against GRC and analytics vendors. If Critical Watch can continue to provide enhanced functionality at a price point that prohibits companies from developing their own variants, it should maintain a solid position.
The report goes on to discuss the unique analytic properties of the ACI Platform™ in mapping countermeasures to security responses, to address vulnerabilities automatically, as well as our work to create productive partnerships with leading security vendors. We invite you to read the full report here.
