RSA Reporter's Notebook: Time to outlaw rootkits?

A Homeland Security official says rootkits need to go; how your best employees are leaking confidential data; and the end of perimeter security.

DHS official suggests anti-rootkit legislation
Jonathan Frenkel, the U.S. Department of Homeland Security's director of law enforcement policy, suggested to 2006 RSA Conference attendees Thursday that the most appropriate response to the industry's increasing use of rootkits is to ban them through legislation.

"The recent Sony experience shows us that we need to be thinking about how we ensure that consumers are not surprised by what their software programs are programmed to do," Frenkel said. "Legislation or regulation may not be a solution in all cases, but it may be warranted in some circumstances."

Security experts have roundly criticized Sony BMG Music Entertainment since researcher Mark Russinovich, chief software architect and co-founder of Winternals Software LP in Austin, Texas, found the company's rootkit on his own machine and wrote an analysis of it on his blog at Sysinternals.com, setting off a public relations nightmare for Sony.

Experts said Sony was playing with fire by using a rootkit-based digital rights management (DRM) system to prevent CD copying and that the company's move could trigger a variety of dangerous exploits. Rootkits, tools or programs used to mask software or network intrusions, are typically used by malicious hackers.

Sony hasn't been the only company to catch flak for using hidden programs.

In January, Cupertino, Calif.-based AV giant Symantec Corp. was forced to fix a flaw in its popular Norton SystemWorks program. As Symantec put it, "Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans."

For more information

RSA keynoters push for ID federation, harsher laws

Gates calls for an end to passwords

Symantec acknowledged attackers could use this feature to hide malicious files on computers, and updated the product so it would display the NProtect directory in the Windows interface.

Russinovich has also fingered Russian AV firm Kaspersky Lab Ltd. for using a rootkit-like feature in some of its products. Kaspersky has denied such claims.

Well-intentioned employees trump evil insiders
During an RSA Conference panel discussion Thursday on how to avoid information leakages, San Francisco-based data protection provider Vontu Inc. surprised some attendees with statistics it's collected from customers. For instance, 1 in 400 outbound e-mails at large organizations contain confidential information. Similarly, 1 in 50 files or file shares on desktops hold proprietary information. If another stat holds true, 95% of the insider data breaches that reveal that confidential information continue to come from well-meaning employees, not malicious ones.

Talk of remedies focused on encryption and monitoring, but one of the panelists also suggested IT security departments run a test to see how well employees voluntarily comply with policy changes. For instance, if the company decides to ban opening e-mail attachments, he recommended sending out a notice with an effective date -- then observing the adoption rate before making compliance mandatory through tools. The unannounced trial period will shed insight into how a workforce follows policy and single out individuals and departments that may need more nudging.

Perimeters, trusted users fading away
Endpoint security, NAC and NAP may be the technology flavors of the month, but to a group of current and former corporate CISOs huddled together Wednesday at the RSA Conference, security is not about controlling the endpoint. It's all the about data, whether it's in use, at rest or on the move.

"The workstation used to be the endpoint; now it's gone virtual," said Rhonda MacLean, former CISO at Bank of America Corp. during an panel discussion hosted by the Executive Alliance. "So if the perimeter's gone, what is it that you're controlling? It's your IP."

Defining the endpoint has proven close to impossible. With the dissolution of the network perimeter, trusted users are accessing corporate intellectual property on laptops, PDAs, cellphones and other personal devices, including home PCs. That complicates how security managers provision access to data, as well as account for its whereabouts and eventually dispose of it.

The notion of the trusted user is dissolving equally as quickly as enterprises extend their borders online to customers, partners and suppliers.

"The trusted user keeps me up at night," said Craig Shumard, CISO of insurance provider CIGNA Corp. "At the end of the day, a number of people have the keys to the kingdom. They can cover their tracks and seriously put you at risk."

Endpoint security tools that assess devices as they connect to a network can fill in some of those gaps. These tools determine whether a device is adequately patched, whether antivirus and antispyware signatures are current and whether system configurations are secure. But they don't prevent someone from walking away with the company secrets on a thumb drive.

"Securing the endpoint is letting users off the hook," Shumard said. "These solutions are not helping. They're driving [security] back to being a technology issue."

Thumbs up for open source
How do you like your penetration tools? Nitesh Dhanjani of Ernst & Young LLP likes 'em open and says you should too.

Nessus and Metaspolit, for example, are prominent in his arsenal.

"I used them because you can open Nessus and see how it arrived at the problem. You can't do that with closed-source proprietary tools," Dhanjani said. "Open source tools allow you to tweak and extend their functionality without having to wait for vendor add-ons."

While Metasploit remains free and open, Nessus 3, released late last year, was not released under the GNU General Public License (GPL) and updates and plug-ins can no longer be freely distributed. Columbia, Md.-based vendor Tenable Network Security Inc. now owns Nessus, and creator Renaud Deraison has maintained that the core engines will remain free, and only the plug-ins will come with a price.

Due diligence is a don't
Benjamin Wilson, vice chairman of the American Bar Association's information security committee and an attorney with Smith Hartvigsen PLC in Salt Lake City, highlighted some work being done among browser makers and certificate authorities to improve the vetting process for buying digital certificates for Web sites.

Wilson decried the lack of due diligence currently in place when determining if the buyer of an SSL certificate for a site is indeed an agent of the company, or even if the entity exists. This has facilitated the rise in phishing sites that carry legitimate certificates and the ubiquitous padlock that is supposed to signify the security of a site.

Wilson said future versions of Internet Explorer and Firefox, for example, will elevate the padlock to the URL address window, which will be color-coded to reflect the safety of a site. The name of the certificate authority will also be prominent, as will the relevant purchaser information.

This article originally appeared on SearchSecurity.com

Dig deeper on Enterprise information security management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCompliance

SearchHealthIT

SearchCloudComputing

SearchMobileComputing

SearchDataCenter

Close