Microsoft is helping define the importance of patches based on exploit likelihood. This might fit with a risk assessment, but it is unlikely to really change the need for rapid patching. My question is: does this really help you prioritize? I think that once a patch is released these indexes might change rapidly, and MS will have to adjust the index.

| Exploitability Index Assessment |
|---|
| Consistent exploit code likely |
| Inconsistent exploit code likely |
| Functioning exploit code unlikely |

Exploitability Index | Prioritize Deployment of Security Updates.
The framework that NIST has created for online identity really needs ownership to be successful. The White House should encourage companies to start a consortium to prototype the concept, similar to the OATH consortium. It would be disappointing to see differing standards created that would not be compatible. NIST's framework tries to prevent that, but as we know, money often gets in the way of any such effort. If this is not successful, the risk to online business will continue to increase and the cost of doing business will continue to rise to cover losses. Credit card (CC) companies and banks should fund this, because without decreasing risk their businesses will continue to bleed money.
White Houses Issues Online Trusted Identities Plan — InformationWeek.
RSA hackers exploited Flash zero-day bug | simplesitetutorials.org.
An Advanced Persistent Threat (APT) used a 0-day for Adobe Flash and a phishing email to compromise RSA. The exploit is now being patched, but it always seems like companies are helpless to protect against these attacks without severely limiting functionality. A couple of products on the market claim to stop these types of attack. How would FireEye or Damballa work against these attacks? More research needs to be done on defeating or limiting the capabilities of these attacks. User training works, but it is still a challenging balance to provide computing freedom when the wrong choices are often made. The power is really in each of our users’ hands.
APT Tabletop Exercise.
Kevin Liston’s post on tabletop exercises describes something much like a pentest, but using an exercise to see how effective your defenders are against attacks. It is a good idea because it goes through the phases of incident response (and of the attack). I might suggest augmenting this with a custom-built attack using Metasploit. It is the most exciting experience for defenders when they see the attack all the way through its execution. One training component might be to switch people around on the team to see how they function in each role.
Interesting but no clear evidence for this conclusion. Just because RSA doesn’t deny there is a backdoor doesn’t mean there is a backdoor.
Does RSA SecurID have a US gov’t-authorized back door?.
It is interesting that Comodo would have even allowed these certificates to be generated. In most cases there is verification of ownership of the domain before a certificate is issued. This makes me wonder where those checks failed. It is a best practice in corporate PKI to have human intervention specifically for high-risk certificates. A company with the trust that Comodo has really needs to go further to prevent these issues.
Microsoft warns: Fraudulent digital certificates issued for high-value websites | ZDNet.