Garland Group Blog

Archive for July, 2006

IDS/IPS: Too Many Holes?

The Community, July 25th, 2006

The “P” in IPS stands for prevention, but these days it seems more like “porous,” users and experts say.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS), which catch “known” threats, are hard-pressed to keep pace with today’s ever-changing, application-specific exploits, according to experts. Researcher HD Moore and colleague Brian Caswell will demonstrate at next month’s Black Hat conference just how vulnerable these security tools are to application-level attacks.


Here’s our take:

Every point in it is valid, but the issue really is this: people expect [insert technology name here] to be a silver bullet that solves all their problems. They plug an IDS/IPS into their network and expect every security issue to be fixed automatically. That’s not the case.

Vendors became overzealous in marketing the technology and overplayed the “whiz-bang” aspects of the tool instead of promoting what it’s actually useful for: an automated audit trail of suspicious activity in an environment. When a network administrator looks at an IDS/IPS and says “it doesn’t ‘do’ anything,” they are expecting the wrong things. No technology is a silver bullet, but combining multiple layers of technology creates a strong web of security. Lock down your perimeter routers and allow only known traffic. Create firewall rules that give the proper services the proper access, and continually monitor their activity. Place network IDS/IPS behind the firewalls to inspect, record and stop activity, and only create policies that are relevant to the environment they protect; that means building a policy from scratch rather than relying on stock policies. Use host antivirus and personal firewalls to prevent activity at the node, and enforce their use. Scan your servers and workstations for vulnerabilities and update or turn off unused services accordingly.

Most importantly of all, and before any hardware or software is placed in an environment, create a security policy that addresses how events and issues are handled, who is responsible for their remediation and what steps will be taken when an event occurs. No piece of the security puzzle is complete in and of itself, but together the goal of comprehensive security can be achieved.

Eighty percent of new malware defeats antivirus

The Community, July 22nd, 2006

The most popular antivirus applications on the market are rendered useless by around 80 percent of new malware, according to AusCERT.

At a security breakfast hosted by e-mail security firm Messagelabs in Sydney on Wednesday, the general manager of the Australian Computer Emergency Response Team (AusCERT), Graham Ingram, told the audience that popular desktop antivirus applications “don’t work”.

“At the point we see it as a CERT, which is very early on—the most popular brands of antivirus on the market … have an 80 percent miss rate. That is not a detection rate, that is a miss rate.

“So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in,” said Ingram.


Social Engineering Audits | What’s the big deal?

The Community, July 21st, 2006

Social engineering is a fairly new concept that has come into play in the past couple of years in the financial industry. It is quickly becoming a requirement to do, at minimum, annual checks on your employees to ensure they are not providing private customer information to unknown people. But what type of testing needs to be done?

Wait, hold up, just what is Social Engineering?

Social engineering is defined as an attack based on deceiving users or administrators at the target site. Attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.

Some like to call it ‘human hacking’.

We actually sent our scope to the regulators and got their blessing, to make sure that our scope is comprehensive enough for our clients. Be sure, when selecting a vendor, that they are at least covering these areas:

Online Reconnaissance
This is the method of attempting to gain information about an institution and its employees strictly from the Internet. There are numerous ways to attempt to gain knowledge of an institution via the Internet that do not involve the company website.

Dumpster Diving
Although considered a ‘dirty’ job, dumpster diving can provide a rich bed of information for the hacker. Hackers attempt to obtain any amount of information about the institution or its personnel that gives them an advantage.

US Mail Testing
Examples of this include sending fake ‘contest-winner’ mail to employees in the hope of having them fill out the forms and provide information about themselves.

Phone Testing
The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack.

Email Testing
Email, in today’s world, has become a common part of almost everyone’s daily life. This provides a great avenue to attempt a social engineering attack.

In Person
In some cases, the only way for someone to gain the information they are looking for is by attempting to socially engineer in person. This method is the most difficult and dangerous, but it can often reap the most rewards for hackers. People are more likely to trust someone in person than over the phone, so hackers use this as a means to obtain key information.

The Garland Group would obviously love to quote you for this service, but if you decide to go elsewhere, we understand; just make sure you are getting what you pay for.

Citibank Phish Spoofs 2-Factor Authentication

The Community, July 12th, 2006

Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called “two-factor authentication” (the second factor being something the user has in their physical possession, like an access card) as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.
