Showing posts with label IT» Protection and Encryption. Show all posts

Monday 3 December 2012

Important Vulnerability Basics

Use the vulnerability assessment tools to identify the vulnerabilities you need to repair. This will help protect your website or network against security breaches.

Vulnerabilities
Critical versus informational
Vulnerability assessment
Best practices

A vulnerability is a weakness or flaw in your website or network. Vulnerabilities can be exploited to damage or compromise customer and other sensitive data, or your site. If your site were a house, a vulnerability would be an open window or door. To protect your house, you'd lock that window or door. Websites and networks have analogous entry points, as well as ways to seal off those entry points for greater protection.
  
While not inherently dangerous, a critical vulnerability leaves your site exposed to serious breaches. For example, someone could gain access to sensitive data, alter your site's appearance or function, or infect your visitors' systems. How critical a particular vulnerability is depends on two things:
 
1) How commonly exploited the entry point is, and
2) How much damage a breach to that area could cause.

For example, in a house, doors and windows are more commonly exploited than floorboards and chimneys. Similarly, some parts of a website or network are more commonly exploited than others. Some areas also may contain especially confidential or valuable data, so a breach of those parts would be more critical than a breach of other parts.

When you activate vulnerability assessment, we scan your website or network or both each week for common entry points which, if breached, could threaten your online security. You receive the results of the scan in a downloadable PDF report highlighting the most critical vulnerabilities. Non-critical vulnerabilities are listed in the section labeled "Informational."

You can activate or deactivate vulnerability assessment from within your account. Once you activate vulnerability assessment, your first PDF report should be available for you to download within about 24 hours. After that, we'll run the scan weekly, and generate each new report within about 24 hours of the scan.

Note: Only the presence of critical vulnerabilities (not informational) will trigger an alert in your console. Your report will be available for download each week whether or not you have critical vulnerabilities.

When you are logged into your account, you can set or change your email notification preferences for vulnerability assessment. For example, you can choose to receive notification emails only for critical vulnerabilities, each time a new report is generated, or when we are unable to scan your site.  You can also choose email recipients.
 
To help protect against security breaches, it's recommended that you:
  • Activate the vulnerability assessment service.
  • If you already have a vulnerability scanning service, use vulnerability assessment as a cross-check for your other scan's results. Scan results can differ from company to company.
  • Designate someone in your organization to review each report and to have any critical vulnerabilities repaired as soon as possible. Set your email preferences to notify your designated person when new reports are available.
  • After making repairs, rescan your site to verify the repairs.
  • Read and follow the suggestions in the Malware Prevention article below; they also apply to vulnerabilities.

5 Minutes Guide to Malware

Malware is the new computer virus, the new worm, the new spam. In fact, malware is all of those and more. Malware is a genuine threat to your Web site, to your business, and to your customers. Malware leads to:
  • Web site traffic loss – New customers are warned about your site and loyal customers stop coming back.
  • Brand tarnishing – Your company's reputation – not just your Web site – is damaged.
  • Consumer confidence erosion – Consumers will not trust your Web site, your business, or your products and services.
Instead of overt Internet vandalism and mayhem, today's malware criminals stealthily infiltrate Web sites and home computers for devious or illegal profit.
Their mission: Put malware on your site and spread the malware to your visitors for fraud and theft.
Your mission: Keep malware off your site and keep customers on your site!
Why should I care about malware?
Trust. Your customers and business partners trust that your Web site is safe. Malware on your site diminishes or eliminates that trust.
  • Customers who are warned of or infected by malware on your site will no longer trust your site or your business. They may stop doing business with you through any means.
  • If there is malware on your site, Web browsers like Internet Explorer and Firefox and search engines like Yahoo! and Google will show a warning that your site is dangerous when a customer tries to visit it (this is known as "blacklisting").
  • Malware on your site can install malware on your customers' computers (known as "drive-by downloads"). Malware on your customers' computers can steal their personal information, track their keystrokes and activities, and spread viruses and more malware.
What is malware?
Malware is any computer program that is installed on a computer without the owner's knowledge, in order to deliberately damage the computer or perform illegal activities.
  • Malware is short for "malicious software". Malware is related to the more well-known term "computer virus", but they are not exactly the same.
  • Malware is a broad term used to refer to many different forms of hostile, intrusive, or annoying software, such as computer viruses, worms, trojan horses, rootkits, spyware, dishonest adware, and crimeware.
How is malware used?
For illegal profit, consumer deception, Web site vandalism, and other criminal activities.
  • Adware shows pop-up ads on infected computers and the attackers collect payment based on the number of times the ads appear.
  • Spam is the bulk junk mail that everyone gets in their Inbox. Spam can be sent from malware-infected computers. The attackers collect payment based on the number of emails sent or on responses to the sales or information requests in the emails.
  • Identity Theft and Infostealing capture private information, such as usernames and passwords, credit card and banking information, or social security numbers. The attackers can use the stolen data directly to impersonate the theft victim, or sell lists of stolen data within their crime network.
Where does malware come from?
Like a computer virus, malware starts on a few computers and then spreads to many computers.
  • To effectively distribute malware to as many computers as possible, the first goal of a malware attack is to infect your Web site.
  • Unknown to you and the people who visit your site, the malware then installs more malware on the visitors' computers.
  • Installation may be totally invisible to your site visitors – all a visitor needs to do is go to a certain page, and the malware can install on the visitor's computer. Installation may also be disguised as or packaged with a useful plug-in, which the visitor intentionally downloads and installs.
How do I prevent a malware infection? 
Keep your web server secure, clean, and backed up.
  • Maintain an up-to-date backup server.
  • Secure the Web server that hosts your Web site.
  • Secure any applications or other code that is executed or distributed on your Web site.
  • Know and trust the people who manage your Web site.
  • Remove programs that are not needed.
  • Do not use the server for other purposes, especially browsing the Web.
  • Do not rely on commercial, off-the-shelf antivirus services to protect your Web site.
  • See the Malware Best Practices article for more details on these prevention recommendations.
  • Also read Important Vulnerability Basics above.

Malware Prevention - Best Practices


Preventing Malware Infections
Preventing malware on your Web site is easier than you might think. And it doesn't require too much extra time, money, and resources to protect your systems. Following best practices for prevention and using the resources that you already have, you can significantly lessen the chances of having malware on your Web site.
Discuss these tips and guidelines with your developers and server administrators. Find out if and how these best practices are applied in your company. Set administrative and development policies based on these best practices as well as the recommendations of your trusted administrators.
Back up your Web server!
  • Perhaps the most significant preventive measure that you can take is actually preparing for the worst case scenario. What do you do when your Web site is infected and you can't just delete the malware? In that case, you want to make sure that you can recover everything that you use to run your Web site.
  • Maintain a redundant, up-to-date backup Web server. If your active server is infected, you can switch over to the clean backup server. Your customers will not experience any downtime while you clean the infected server.
  • If maintaining a redundant backup is cost- and resource-intensive, make sure that you have backup copies of all operating system and application software, including all patches and maintenance releases.
  • Make especially sure that you regularly back up all of the data. If any business or customer data is compromised or damaged, you can restore the data with minimal downtime for specific features – instead of taking your entire Web site offline.
Secure your Web server.
  • User access must be secure. Your administrators and developers should use strong passwords, change their passwords regularly, or use access credentials that are handed out by a trusted administrator.
  • Follow the "principle of least privilege." Know who has access to your server and make sure that only those who need access have it. Additionally, restrict user privileges person by person; give your administrators and developers only the privileges that they need to do their job.
  • File transfers must be encrypted. Use Secure FTP (SFTP) or Secure Copy (SCP) tools to transfer the files. FTP tools are not encrypted.
  • Practice secure application development. In your back-end code, validate user input type and eliminate security holes (known as "vulnerabilities") such as buffer overflow, SQL injection, and cross-site scripting.
  • On your customer-facing Web site, don't give away any information that your customers don't need – the information might be useful for attackers. For example, in error messages, don't show your server type or version or say that "we can't connect to the database". Don't provide specific login errors like "your password is wrong" – this message tells an attacker that an account exists with the username. 
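As an added example (not code from the original post or from any vendor it mentions), here is how the last two bullets look in a small Python back end on an in-memory SQLite database: a product search that pastes user input into the SQL text next to its parameterized replacement, output escaping for the browser, a login that returns one generic message for both an unknown user and a wrong password and does the same hashing work in each case so the response time does not reveal which it was, and an error handler that keeps the detail in the server log. The user "alice", her password, the product rows and the request ID are constructed sample data.

```python
import hashlib
import hmac
import html
import os
import sqlite3
from typing import List, Tuple

# One message for every login failure: the bullet above warns against
# "your password is wrong", which confirms that the username exists.
GENERIC_LOGIN_ERROR = "Invalid username or password."
PBKDF2_ROUNDS = 100_000  # slow on purpose; tune to your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user and two products (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, _hash_password("correct horse", salt)))
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("widget", 9.99), ("gadget", 19.99)])
    conn.commit()
    return conn


def search_products_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """BAD: user input is pasted into the SQL text, so a quote inside `term`
    changes the query (classic SQL injection). Kept only for comparison."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_products(conn: sqlite3.Connection, term: str) -> List[str]:
    """GOOD: the driver binds `term` as a value; it can never become SQL."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return [row[0] for row in rows]


def render_product(name: str) -> str:
    """Escape anything echoed back into HTML so stored data cannot inject
    script (cross-site scripting). html.escape also escapes quotes."""
    return "<li>" + html.escape(name) + "</li>"


def login(conn: sqlite3.Connection, username: str, password: str) -> Tuple[bool, str]:
    """Return (ok, message). Unknown user and bad password produce the same
    message and roughly the same work, so neither the text nor the timing
    tells a caller whether the account exists."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Dummy salt/hash so PBKDF2 still runs for a missing user.
        salt, stored = os.urandom(16), bytes(32)
    else:
        salt, stored = row
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if row is not None and matches:
        return True, ""
    return False, GENERIC_LOGIN_ERROR


def error_response(exc: Exception, request_id: str) -> Tuple[str, str]:
    """Split an exception into what the user sees (generic, with a reference
    ID) and what goes to the server log (full detail). Never send the second."""
    public = f"Something went wrong. Reference: {request_id}"
    internal = f"{request_id} {type(exc).__name__}: {exc}"
    return public, internal


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # textbook injection string, used to show the difference
    print("vulnerable:", search_products_vulnerable(db, probe))  # every product leaks
    print("parameterized:", search_products(db, probe))          # nothing matches
    print(render_product("<script>alert(1)</script>"))
    print(login(db, "alice", "correct horse"), login(db, "alice", "nope"),
          login(db, "nobody", "nope"))
    print(error_response(sqlite3.OperationalError("unable to open database file"), "req-42")[0])
```

The same pattern applies to any other database driver: bind values with the driver's placeholder syntax and never build statements with string concatenation; and log the underlying exception (driver name, version, connection string errors) server-side only.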
Trust the person at the keyboard.
  • Make sure that everyone with access to your Web server understands and recognizes social engineering methods. Social engineering is convincing someone to do something or reveal confidential information, typically by impersonating a person of authority or influence. A saying goes: "it's easier to hack the person than it is to hack the machine".
  • Through social engineering, a malware attack starts without even touching your Web server. With just a little information about your company, an attacker can impersonate a company executive or external authority (such as the police or a lawyer) over the phone. If the attacker is convincing enough, the attacker might persuade a junior developer to unknowingly install or link to malware.
  • Have confidence in and trust all of the people who have access to your Web server. But regardless of your level of trust, your server should track user logins and all actions while logged in.
  • Trust and accountability are key to preventing the most direct threat – an inside job, a deliberate attack by an employee or colleague. Whether driven by personal reasons or coerced by an outsider, this person already has all of the access and privileges needed to put malware on your Web site.
  • For any changes to your Web site, have a clear sign-off process. You should also have contingency plans if critical people are not available, so that everyone knows what to do when you or your server administrator can't be reached. 
Use your Web server for one thing and one thing only: running your Web site.
  • Do not use the server to browse the Web, check your email, instant message, blog about your vacation, or send your mom photos from last week's family reunion. You have enough to worry about with attackers trying to get in – don't help them out by actively roaming the Internet.
  • Remove all unused programs from your Web server. Popular applications sometimes have known vulnerabilities that attackers can easily exploit. If a program is not being used, remove the program so that it is not a potential point of attack.
  • If possible, remove software documentation from the server and store it elsewhere. Documentation that includes application names, version numbers, and bug fixes can give attackers insight into what's on the server and how to gain access. 
Patch, patch, patch. Keep your server software, operating systems, and applications up to date.
  • Know what software is on your server. Keep a list of all operating system and application software installed on the server, including version numbers.
  • Keep all software on the server up to date and running the current versions. Newer versions often include fixes for known vulnerabilities. Vulnerability fixes close the loopholes that the hacker and malware communities know how to exploit.

Thursday 29 November 2012

*Important* Virus Notification

Latest Virus/ Worm Threat

We have been notified by Antivirus Advisory Labs about the latest virus threat, 'W32/Autorun.worm.aaeb-h', which has the ability to infect removable media devices and network shares!

As an action plan, we have mitigated this risk by patching our systems and desktops with the latest antivirus protection and by adding additional controls. However, the viewers of this blog are requested to:
  i)  exercise caution while opening unsolicited emails and unknown files;
 ii)  refrain from using USB drives;
iii)  download and use the Stinger tool for remediation if any suspicious virus message appears on your system.

From: McAfee [mailto:sns@snssecure.mcafee.com] 
Sent: Wednesday, 28 November, 2012 22:37

To: Rinith KT
Subject: *URGENT* McAfee SNS ALERT: *UPDATE* Reports of W32/autorun.worm.aaeb-h infections

**Update to original message: Stinger tool now available. See Mitigation section below**
McAfee has received multiple reports of customers who are severely affected by variants of W32/autorun.worm.aaeb-h.

Impact

W32/Autorun.worm.aaeb-h has the ability to infect removable media devices and mounted network shares. It can also copy itself into .zip and .rar archive files.
The infection starts either with manual execution of an infected file or by navigating to a folder that contains infected files. This threat has the ability to download other malware or updates to itself as directed by a Command-and-Control (C&C) server.

Mitigation

McAfee has released an Extra.DAT and Stinger to detect and clean this threat.

To download the Extra.DAT and Stinger, see KB76807


For more information on McAfee product coverage and mitigation for this threat, see PD24169 - Threat Advisory: W32/Autorun.worm.aaeb.

Sunday 12 August 2012

Latest Virus: An exaggerated version of state-sponsored threat

The latest virus threat, dubbed "Gauss", was reported by Kaspersky Lab and is an exaggerated version of a state-sponsored threat. (ref)

As the latest news headlines put it: "A new cyber surveillance virus has been found in the Middle East that can spy on financial transactions, e-mail and social networking activity, according to a leading computer security firm, Kaspersky Lab. Gauss virus may also be capable of attacking critical infrastructure and was built in the same laboratories as Stuxnet".

Don't panic. Make sure your enterprise-level antivirus management console provides regular, real-time coverage for the enterprise systems and is a licensed copy; the people behind the scenes will safeguard the rest. Systems personnel should also make sure the latest Windows and OS updates are applied regularly.



Read about the recent Flame threat.

Thursday 31 May 2012

Latest Flame/W32 Malware protection released in market


Speculation about the 'most sophisticated cyber weapon yet unleashed', especially in the Middle East, now has a remediation, much like Newton's Third Law of Motion: "For every action there is an equal and opposite reaction". That is what the antivirus giants are there for!

Flame/W32 Malware

Cyber attacks are becoming increasingly sophisticated, using programs that can carry out many actions remotely without being easily detected. This notice describes the function of "Worm.W32/FLAME", a malware targeting Windows-based systems (XP, Vista and Windows 7) with a remarkable set of features for capturing sensitive information and sending it to remote servers for criminal, espionage or other malicious purposes.

I just reviewed our antivirus protection lab's online advisory, which says that we are protected against this outbreak. I confirmed to my colleagues that there is no need to panic, as our infrastructure running McAfee ePO with McAfee DAT protection has taken care of this virus/malware, because we were already running DAT version 6727, released yesterday. The AV and anti-spyware coverage for W32/Skywiper was included in version 6726 itself.

[AV / MWG coverage is provided in the 6726 DATs (released on May 29) as "Skywiper"]


In a nutshell (also read my article about Information Security Awareness):

Spreading method
The malware spreads via networks or removable media; it may also go by different names, as listed in the table of antivirus detection names below (Appendix B of the original advisory).
Risks
The most direct and immediate risk highlighted by this event is the theft of sensitive information or records. More generally, the risks are manifold given the number of existing or downloadable functions that this malware can plug in.
Detection
Check your systems carefully for the following indicators:

1. Search for the file ~DEB93D.tmp. Its presence on a system means that it either is or has been infected by Flame.

2. Check the registry value Authentication Packages under the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
    If you find mssecmgr.ocx or authpack.ocx in there, you are infected with Flame.

3. Check for the presence of the following directories. If present, you're infected.
    C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr
    C:\Program Files\Common Files\Microsoft Shared\MSAudio
    C:\Program Files\Common Files\Microsoft Shared\MSAuthCtrl
    C:\Program Files\Common Files\Microsoft Shared\MSAPackages
    C:\Program Files\Common Files\Microsoft Shared\MSSndMix

4. Perform a search for the following files:
svchost1ex.mof
Svchostevt.mof
frog.bat
netcfgi.ocx
authpack.ocx
~a29.tmp
rdcvlt32.exe
to961.tmp
authcfg.dat
Wpab32.bat
ctrllist.dat
winrt32.ocx
winrt32.dll
scsec32.exe
grb9m2.bat
winconf32.ocx
watchxb.sys
sdclt32.exe
scaud32.exe
pcldrvx.ocx
mssvc32.ocx
mssui.drv
modevga.com
indsvc32.ocx
comspol32.ocx
comspol32.dll
browse32.ocx
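The four checks above can be scripted so that a sweep is repeatable across many hosts or a mounted disk image. The script below is an added example, not part of the original post and not McAfee or Kaspersky tooling: it walks a directory tree for the listed file names, checks for the five directories, and on Windows reads the LSA Authentication Packages value for the two .ocx names. The function names, the --demo switch and the throwaway sample tree it builds are all constructed for this example. A name match is a reason to run the vendor removal tool mentioned under Recommendations, not proof on its own, since a harmless file can share a name with an indicator.

```python
import os
import sys
import tempfile
from typing import Iterable, List

# Indicators transcribed from the post. Matching is case-insensitive because
# Windows file systems are.
FLAME_FILE_NAMES = {n.lower() for n in (
    "~DEB93D.tmp", "svchost1ex.mof", "Svchostevt.mof", "frog.bat", "netcfgi.ocx",
    "authpack.ocx", "~a29.tmp", "rdcvlt32.exe", "to961.tmp", "authcfg.dat",
    "Wpab32.bat", "ctrllist.dat", "winrt32.ocx", "winrt32.dll", "scsec32.exe",
    "grb9m2.bat", "winconf32.ocx", "watchxb.sys", "sdclt32.exe", "scaud32.exe",
    "pcldrvx.ocx", "mssvc32.ocx", "mssui.drv", "modevga.com", "indsvc32.ocx",
    "comspol32.ocx", "comspol32.dll", "browse32.ocx",
)}
# Sub-directories the post lists under C:\Program Files\Common Files\Microsoft Shared
FLAME_DIR_NAMES = ("MSSecurityMgr", "MSAudio", "MSAuthCtrl", "MSAPackages", "MSSndMix")
# Module names that should never appear in LSA "Authentication Packages"
FLAME_LSA_MODULES = {"mssecmgr.ocx", "authpack.ocx"}


def find_ioc_files(root: str) -> List[str]:
    """Walk `root` and return paths whose file name is on the Flame list."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower() in FLAME_FILE_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_ioc_dirs(shared_root: str) -> List[str]:
    """Return the listed directory names that exist under `shared_root`."""
    return [d for d in FLAME_DIR_NAMES if os.path.isdir(os.path.join(shared_root, d))]


def lsa_module_hits(packages: Iterable[str]) -> List[str]:
    """Given the entries of the REG_MULTI_SZ value, return those whose file
    name (ignoring any directory prefix) is one of the Flame modules."""
    hits = []
    for entry in packages:
        base = entry.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in FLAME_LSA_MODULES:
            hits.append(entry)
    return hits


def read_lsa_packages() -> List[str]:
    """Read HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa -> Authentication Packages.
    Returns [] on non-Windows hosts, where there is no registry to read."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, _kind = winreg.QueryValueEx(key, "Authentication Packages")
    return list(value)


def make_constructed_sample() -> str:
    """Build a throwaway tree (constructed demo data, not a real infection)
    with one matching file, one harmless file and one matching directory."""
    root = tempfile.mkdtemp(prefix="flame-demo-")
    os.makedirs(os.path.join(root, "Windows", "Temp"))
    os.makedirs(os.path.join(root, "MSAudio"))
    for rel in (("Windows", "Temp", "FROG.BAT"), ("readme.txt",)):
        open(os.path.join(root, *rel), "w").close()
    return root


def sweep(scan_root: str, shared_root: str, lsa_entries: Iterable[str]) -> dict:
    """Run all three checks and return the hits in one dict for reporting."""
    return {"files": find_ioc_files(scan_root),
            "directories": find_ioc_dirs(shared_root),
            "lsa_packages": lsa_module_hits(lsa_entries)}


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        root = make_constructed_sample()
        print(sweep(root, root, ["msv1_0", r"C:\Windows\system32\mssecmgr.ocx"]))
    else:
        # Real sweep: optional argv[1] is the tree to walk (e.g. a mounted image).
        drive = os.environ.get("SystemDrive", "C:") + "\\"
        shared = os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"),
                              "Common Files", "Microsoft Shared")
        print(sweep(sys.argv[1] if len(sys.argv) > 1 else drive, shared, read_lsa_packages()))
```

Run it with --demo to see the three checks fire on the constructed tree, or with no arguments on a Windows host to walk the system drive; walking a whole drive is slow, so on a fleet it is better to feed the same name list to the endpoint tool you already have.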

Recommendations/Risk Mitigation
The following actions will help to contain and remove the infection of the malware:

  • Patch your Windows system, office applications and instant messenger applications.
  • Update your antivirus/antimalware solution.
  • Specific removal tools exist, as vendors have started to deploy them. The McAfee Labs Stinger tool is available here.

Virus detected by AV software
The malware is detected under various names; the list below shows how different antivirus engines identified it (a dash means no detection name was reported):

Antivirus              Result
AhnLab-V3              -
AntiVir                TR/Flamer.A
Antiy-AVL              -
Avast                  -
AVG                    -
BitDefender            Trojan.Flame.A
ByteHero               -
CAT-QuickHeal          -
ClamAV                 -
Commtouch              -
Comodo                 -
DrWeb                  Win32.HLLW.Flame.1
Emsisoft               Worm.Win32.Flame!IK
eSafe                  -
F-Prot                 -
F-Secure               Trojan.Flame.A
Fortinet               -
GData                  Trojan.Flame.A
Ikarus                 Worm.Win32.Flame
Jiangmin               -
K7AntiVirus            EmailWorm
Kaspersky              Worm.Win32.Flame.a
McAfee                 SkyWiper
McAfee-GW-Edition      Artemis!BDC9E04388BD
Microsoft              Worm:Win32/Flame.gen!A
NOD32                  Win32/Flamer.A
Norman                 -
nProtect               Worm/W32.Flame.6166528
Panda                  -
PCTools                Malware.Flamer
Rising                 -
Sophos                 W32/Flame-Gen
SUPERAntiSpyware       -
Symantec               W32.Flamer
TheHacker              -
TotalDefense           -
TrendMicro             WORM_FLAMER.A
TrendMicro-HouseCall   -
VBA32                  BScope.Trojan.MTA.01233
VIPRE                  Worm.Win32.Flame.a
ViRobot                Worm.Win32.S.Flame.6166528
VirusBuster            -

See also: more Antivirus & Antispyware
See also: more Antivirus free recommended downloads

Wednesday 15 June 2011

Antivirus free Downloads

AVG (free for personal use)
Avira (free for personal use)
It is very important to go with a legal download; otherwise you may end up with a hacker virtually sitting on your machine and sending trojans, even if you are protected with antivirus. So remember what I have always told my near and dear ones: download only from a valid site, for example AVG antivirus from the AVG website ONLY. If you download the same package from, say, download.com or any other third-party website, there is a high risk that hidden code embedded in that download leaks your confidential information to the outside world, which can later compromise your assets.

AntiVirus & AntiSpam

This is like the fuel in your vehicle, without which the engine would not start. By now you may have noticed that without proper, valid anti-virus and anti-spyware on your computer, you will end up frantically wasting time and chasing support to disinfect the infected systems.
I have been using almost all of the top-of-the-line antivirus and anti-spyware products, both personal and corporate-wide; a few of them are Symantec, McAfee, TrendMicro, AVG (free for personal use), Avira (free for personal use), Sophos, etc., of which I recommend McAfee for corporate use.
ePO management is pretty simple and straightforward: rogue detection, policy assignment, patch and DAT deployment to multiple systems, querying and management reports are all hassle-free.
Make sure whatever anti-virus you use is kept up to date on at least a weekly basis; the related agents or plug-ins will ensure automatic updates and protection for your workstation.