security

  • info
  • discussion
  • exploit
  • solution
  • references
IBM Security Privileged Identity Manager CVE-2016-0353 Information Disclosure Vulnerability

Bugtraq ID: 94543
Class: Design Error
CVE: CVE-2016-0353
Remote: Yes
Local: No
Published: Nov 24 2016 12:00AM
Updated: Nov 25 2016 09:04PM
Credit: The vendor reported the issue.
Vulnerable: IBM Security Privileged Identity Manager 2.0
Not Vulnerable:


SecurityFocus Vulnerabilities

Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.

A medium case insensitivity credential flaw in ConnectionExists() comparing passwords with strequal() was not fixed given the obscurity and difficulty of the attack.

The remaining bugs were shuttered in seven patches after two vulnerabilities were combined in the largest cURL fix to date.

More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.

"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.

"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."

Five Mozilla engineers from the Berlin-based Cure53 team which conducted the 20-day source code audit.

"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the [PDF].

"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."

Stenberg says he applied for the audit fearing a recent run of security vulnerability reports may have pointed to undiscovered underlying problems.

The report was finished 23 September and fixes produced over the ensuing months.

The developer says fewer checks and possible borked patches may result from the decision to audit in secret.

"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.

"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®

Audit vulnerabilities:

  • CRL -01-021 UAF via insufficient locking for shared cookies ( High)
  • CRL -01-005 OOB write via unchecked multiplication in base 64_ encode () ( High)
  • CRL -01-009 Double - free in krb 5 read _ data () due to missing realloc () check ( High)
  • CRL -01-014 Negative array index via integer overflow in unescape _ word () ( High)
  • CRL -01-001 Malicious server can inject cookies for other servers ( Medium)
  • CRL -01-007 Double - free in aprintf () via unsafe size _t multiplication ( Medium)
  • CRL -01-013 Heap overflow via integer truncation ( Medium)
  • CRL -01-002 ConnectionExists () compares passwords with strequal () ( Medium)
  • CRL -01-011 FTPS TLS session reuse ( Low)

Sponsored: The state of mobile security maturity


The Register - Security

One of the great myths of executive travel is the benefit of racking up hospitality rewards for grand vacations in Fiji or the Swiss Alps. In reality, trips are frequent, exhausting and sometimes bound for undesirable destinations that present a slew of security issues.

Travel Security Challenges and Best Practices

While you may not have much say in when and where you travel, understanding your trip’s goals can help determine the best business security practices. A quick, one-day trip to meet a business partner might mean you can leave your computer at home, for example. A month-long globe trot to multiple satellite offices, client meetings and a little R&R would require a more rigorous approach to securing all of your devices.

It is equally important to know the purpose of your trip, the systems and access you will require while traveling, the sensitivity of information you will be handling and the available security resources. These points will determine what travel security precautions you should take before you even pull out your suitcase.

Bring a Bat Phone

Ideally, you would never take your own phone on a trip. Instead, take a burner phone that contains no personal data. Cybercriminals can use information you may not consider sensitive to facilitate attacks or steal your identity. They can use your contact list, phone call history, texts, personal email and calendar to target other members of your organization or compromise even more sensitive data.

Do not leave any IT device, including mobile phones, unattended. Hotel safes offer little protection from determined attackers, corrupt hotel employees or the host government. If you must leave your things unattended for social or cultural reasons, assign a trusted member of your party to watch all computer and communications gear. If possible, leave them secured at the local embassy or consulate.

Consider disabling your computer’s USB ports as well. You should also use a video camera cover, a laptop screen privacy cover and microphone jack disabler.

Software Security

Be sure to complete virus definition and patch update activities before your departure. Always assume your devices will be compromised upon arrival. In addition to local intelligence services, you may be targeted by agencies from other nations, criminal organizations and commercial competitors.

To avoid a compromise, review and harden the software build of all your equipment prior to your trip. This may include disabling unnecessary features such as the microphone, camera and Bluetooth capabilities.

You should expect any online services you use to be compromised the moment you arrive, but there are steps you can take to protect yourself. Have an assistant forward email to a temporary account that you will delete once you return home, for example. Forwarded emails or excerpts should never contain sensitive information.

Additionally, never update software while connected to an untrusted access point. Disable Java and all noncritical plugins and only allow JavaScript on trusted sites. Don’t click on ads or pop-ups or open email attachments from untrusted senders.

Handling Classified Information

Deleting or moving sensitive information prior to travel is not always sufficient. Take a separate device when traveling to countries of concern so you can minimize the sensitive files — including email history — on your devices. Accept no media or files from untrusted parties, including your host. You can view files on your host’s devices when required.

Bring your PowerPoint or other documents to be shared with hosts on a USB drive, then securely dispose of the device when it’s no longer needed. Do not download files to a device in-country. Most importantly, be sure to promptly and securely delete files once they are no longer needed. Never plug anything into your computer that has been in contact with untrusted systems or media. Upon return, dispose of devices used in countries of concern, or at least have them forensically wiped and rebuilt.

Use strong encryption — including full-disk encryption — on all devices that will accept it to protect data at rest. However, you must recognize that these systems can be defeated. When a device passes through customs, for example, it is subject to inspection and may need to be powered up. If so, use trusted platform module (TPM)-based disk encryption and minimum Federal Information Processing Standard (FIPS) 140-2 level 3 devices or the highest level available.

It’s easier to follow these best practices if noncritical features and ports are disabled because it eliminates the social awkwardness of a perceived lack of trust. This awkwardness can be used as a social engineering attack vector.

Destination Unknown

Have devices transported to the local embassy of your destination in a diplomatic pouch, if possible. If your party can travel with an accredited diplomat, he or she can use diplomatic immunity to protect the entire party’s devices from inspection. If you cannot travel with an accredited diplomat, try to have one meet you at the airport ahead of customs.

Assume that hotel rooms, conference rooms, etc. are under video and audio surveillance at all times. Additionally, shredders that are made available to you can have hidden scanners that deliver the documents you are trying to destroy directly to cybercriminals. Similarly, all voice, data and text carried by local telecommunications companies can be compromised. Access all information via secure tunneling with strong end-to-end encryption vetted by your IT department or a competent consultant.

If you find that this system is not working when in-country, consider that and adversary may have disabled it to force you to use a less secure form of communication. Also consider that internet activity conducted through public terminals or wireless networks may point to real or perceived vulnerabilities that intelligence services or others could leverage to provoke, recruit or embarrass you.

Obviously, all these travel security insights and recommendations are not appropriate for every employee on every trip. But maintaining a high level of awareness and pre-travel preparation always provides added security and peace of mind.


Security Intelligence

security collaborationThe escalation of high-profile hacking and data dumps recently has underscored the increasing boldness of digital threat actors, culminating in July’s Democratic National Committee email leak and its ripple effect through American politics. The group behind the hack and its attack patterns were known, and yet the attack was not thwarted, leaving many questions as to the overall state of the Internet’s security.

The dangers in cyberspace in 2017 will only increase – most likely with even more sophisticated attacks such as advanced IoT DDoS invasions and ransomware campaigns, not to mention sensitive data hacks with a variety of end goals – from stealing our most critical corporate and personal data to stealing elections.

Standard security solutions don’t seem to be working. What, if anything, can be done?

State sponsored actors as well as criminal bodies seem to have unlimited resources and extremely high levels of coordination at their disposal to carry out their pernicious attacks. But defense against cyberattacks has been characterized by a lack of collaboration within the cybersecurity community.

Moving forward, this will have to change. Cyber defenders should take a page out of the enemy’s playbook. Crowd intelligence will need to be organized and harnessed as a major tactic to improve security strategies against growing threats. Just as cyber attackers collaborate and share their attack techniques and latest methods with each other, cyber defenders should do the same with best defense practices. Cyber criminals are actually generous with each other – they welcome collaboration within their community, symbiotically enhancing each other’s methods and techniques. Shouldn’t we ‘good guys’ be doing the same?

Sure, some info-sharing databases for cybersecurity experts do exist, such as open virus databases allowing for searching and sharing of malware samples to facilitate the detection of viruses, and updated reputation sources which share information about sites associated with malware infection, phishing campaigns, and the like. But almost all of these collaborative projects focus on sharing attack-side information like specific vulnerabilities, attack techniques, or specific intrusion patterns. Sharing this kind of information is basically useless, as it takes too long for security experts to analyze the threat information, plan a defense strategy, and then deploy it.

What could be quite effective in meeting these kill chains head-on are detection solutions in the form of security orchestration models – but currently, there is no forum within the security community for creating and sharing these models. The lack of preventative collaboration is a gaping hole in the security industry which must be rectified. State actors and organized crime are just that – organized. We, the protectors, are not.

Multiple security technologies are involved in protecting against advanced attack campaigns – network security, endpoint security, threat intelligence, etc. All of these must work in synch and must be activated in the correct sequence to provide maximum protection against increasingly sophisticated threats. We need our own “generals” coordinating our security arsenal, orchestrating our battles and rallying the cyber troops.

The industry must learn to pool its resources better and develop the ability to share preemptive avenues of detection, investigation, and mitigation of advanced attack campaigns. No existing forum allows security experts to write orchestration models (which define the defense strategies) and share them with each other for collaboration and communal enhancement.

What’s needed is a platform through which the cybersecurity community can create and share vendor-neutral security orchestration models (defense strategies) which can then be internally rated by community members and updated as needed, rendering them ready for adaptation by organizations – no matter which security products they use.

If an organization is lacking a security function that the model requires, the organization can be alerted and the gap filled. Orchestration models can also be created for specific verticals and tailored to the needs of specific organization types such as banks, retail, healthcare, or critical infrastructure, for example, or developed to specifically combat known hacker groups and their attack patterns, or both.

Hacking organizations have been alarmingly successful in the scope of their attacks over the last couple of years, and they are becoming bolder, more technically proficient, and better organized, creating an air of cyber unease which has left much of the Western world unsettled. But we are far from raising the white flag to the black hats. Taking the right steps to form expert communities and impart our accumulated knowledge and innovations to preemptively combat the cyber scourge could eventually put them out of business – we just need to learn to share more effectively than they do.


Help Net Security

Security remains top of mind as over 70 per cent of consumers noted they always think about their security/privacy when shopping online, according to Centrify. Unfortunately, despite the changing attitudes towards security, some consumers are still making basic security faux pas online.

security faux pas

Password hygiene is also a continuing problem when shopping online. Nearly 14 per cent admitted that they share passwords with friends and family so they can login to their accounts, whilst over 50 per cent said they save them to the retailer’s websites so as not to forget them. Over half also said that they only sometimes use different passwords for different retailer’s websites.

Most concerning is that one in eight said they would accept discounts and special offers from retailers in exchange for their passwords, highlighting the risks consumers are willing to take in order to save money online.

83 per cent would sometimes, or never, check the security and privacy terms and conditions of the retailer, leaving them wide open to hacking and data theft if shopping with an unknown or untrusted retailer.

On top of this, more than a fifth would still not ensure there is a secure padlock icon in the browser before making their purchases, and 27 per cent said they would only do this on some occasions.

With Black Friday around the corner and the Christmas shopping season well under way for most, frugal shoppers need to consider their online safety before making any purchases.

Centrify offers ten tips for consumers when shopping online:

  • Always shop with reputable sellers, and be cautious when entering URLs. A misspelled domain, or non-‘https’ site could land you on a false site designed to steal your information
  • Ensure you read the site’s privacy policy to understand how and where your personal information is being used. Lack of an easily visible privacy policy should be a red flag to using that site
  • Be suspicious of links in unsolicited emails – always type the link directly into your browser, do not click on them within the email. Hovering over the links should highlight if the link is unsafe, as you would notice the link underneath may be different to the text
  • Deals that appear too good to be true often are, so treat them with even more caution
  • If an online retailer requests extra personal information, such as a password for your email or bank account as part of the shopping process, do not enter them
  • Secure mobile phones if you plan to use them for shopping by enabling security features such as passwords and encryption
  • Always use different, long, and complex passwords (or passphrases) for each site. If you don’t, and a hacker steals your password for one account they will have free rein over the others! This would have devastating consequences on sites that have your personal and credit card information
  • Enable multi-factor authentication where possible. This involves combining two or more different ‘factors’ for extra security when logging in – such as something an individual has (like an ATM card or smart card), something a user is (such as a biometric characteristic like a fingerprint or retina scan) or something the user knows, like a password
  • Passwords are not meant to be shared. Never give out your passwords online, on the phone or even to friends or family
  • Do not store passwords. Many browsers, programs, or web applications will offer to store your password for you so you only have to enter the password once and never again. While seemingly a convenient option, it is a bad idea to store passwords associated with personal or financial accounts. This is especially true if you use public or shared computers.


Help Net Security

Welcome to “In Security,” the new web comic that takes a lighter look at the dark wave of threats crashing across business networks, endpoints, data and users. Click here for an introduction to the team and be sure to read Episode 001 and Episode 002.

Every App team visits the X-Force Cyber Range

Now that EveryApp has seen the Pandapocalypse attacks occur in real time, will they need to sing another chorus of “Where do we go from here?” next episode? Most likely!

How the Command Center Can Help

Network and IT security is no longer a point solution placed on the perimeter. It’s no longer one simple scenario that has a linear playbook of answers. Today’s malicious actors are attackers on all fronts of the ever-expanding enterprise. When businesses make a move to enable themselves with new technology, those that would cause harm won’t be far behind in exploiting any open and available sieves.

The EveryApp team made the right call to visit the Cambridge Command Center to assess the current threat landscape and learn the steps toward rapid remediation. But tomorrow will be a different day.

What about your organization? Are you prepared for today’s threats? What about tomorrow’s unknowns?

Learn More

Interested in learning more about how IBM’s X-Force Command Centers will help clients stay ahead of the most advanced threats? You can:

  • Visit the XFCC website.
  • Read the data sheet, “How IBM X-Force Command Centers Are Changing Security.”
  • Download the white paper, “The Role of Cyber Ranges and Capture the Flag Exercises in Security Incident Response Planning.”
  • Watch the video.


Security Intelligence

%PDF-1.6 %äãÏÒ 1 0 obj [/PDF/ImageB/ImageC/ImageI/Text] endobj 4 0 obj <</Length 5 0 R /Filter/FlateDecode >> stream xœ endstream endobj 5 0 obj 8 endobj 6 0 obj <</Subtype/Image /Width 150 /Height 150 /BitsPerComponent 8 /ColorSpace/DeviceRGB /Filter/FlateDecode /Length 7 0 R >> stream xœígx]ŵ÷!!›póá^¾¼onè [email protected] &6„zÁÀIè6ظɲ-˲%Y]Vï½Z½ËjVï½Ë²lÉr’ûþgÖÞsf—st$ ‰÷³=Gçì}ÊþíµÖÍ̞ùßÿ=¿ßÎoç·óÛùíüv~;¿ßÎosޞjk﬩­/.-ËÍ/ŒOLŽKHŽOŠ‰KŒŽM€EÅÄGFÇEDņGÆÀÂ"¢³sóaûË*êšpøää‘sý;þ…¶écÇúúªkëò ŠSÓ3SÒ2RR÷%§¦'¥¤'&§%$ ¥Æ'¦Ø14<*$ ,’,($ †7))-ëìꞜœ<׿òŸm;yêÔÀà`]}#\,3+7#3g_FvzFVÚ¾,Sˆx”’Ãㄤ”ø4ŽJƒÃ‚BaØ­¨¤´£³ëÌ™3çúׇ·S§N WVUçææä îeåäefç ˆY9YÙyx>'¯ûäååçåãùþ2tÎ:[email protected]? æ·7(;'ï<Ê9m_~ùåÁƒãÈP…%ŒHAˆˆpâ’â’²Òýå°XiYqÉþ¢âÒ¢Råû ê<~Ë<484BÑ×?–•Û××®OÏ·z;}útOoyE•ŽHAa10••WÂ+*À°þ…YXˆ"‡Â7‘4]÷†È}üÂ#£Tל>ï’Ú ì [email protected] QÄXDW¢·ïހÀ|¹cÇfÎõ™;÷ÛéÓgÚ;:C&@5µu MP/0T ç"R. ½|üaˆêǎ;×gñÜlÐ=½} "pà/56575·66µ€à· "[email protected]\ŠçúŒ~£ÛÈÈh}}#p"õ -­íÜÚš[Zç€âyáŸèéåóðòñðdæã»72:6" [email protected])[email protected];×çõ›ØŽÍ̀b$ pÔp …@ kkïhmë°bfVNDd´¯_Àf‡­«×¬]õ—÷ædŸ­]¿~ÃfW7$ 50š+DªAWD/ß„Ääééés}Ž¿® eÂððáA–è›;;»;»z cPsÙ1'7?4,b‡³Ë~2Wd¶íãO>Å•àíãrÞ~ˆpFè$ Gq§OEeÕ¹>Ù¿Í?ÞÖÖÑÐØL8ðà»z»º{f…˜_Päãë¿æÓu6¼òÖÊ'þôâ²Wž¾ý™mö­úÏvûò«¯úú…CØ ã¯mˆyù.»\§§Ôpædkñ•,¹ò‚¯ºàÁ«/xèê–’]sÁÃ’á_z;`7ìŒCp [email protected]&|Ùø¹[·CÙΈˆJÝ=¼‹JJq ŸkóÜNž< 4¡ÀhxddxdthxÄÄä”´›¶Áýæ©E?yðj„ì!"uí¿¿ö‚e?g¶üç.ÿÅ…»Ž›úïò_`eO‚qøC*P•&>׉åºÏ7BºÌ 184冀ˆˆzêÔésMcn®:hN!‡‚ µ±°¨dÓf ;d+8ÅO–¨à«ÔàS„Œ`=z³?üòÂÇ`×3{ÜŠÑ«Ø ;ÓQ€é/T *M|G g_üâãFŽÁa¶!Rù/ b¤’sÅÞ ø¦¦¦ETăѱƒÇ·±¾¡i»ÓN,¹þñ».yà*Åãdp‚Ú~©Àzâ¿™=yÃ…OÁ~uáa¿fö´dô^ÂØ ;ÓQ„•€M%÷J| ¸¤Nü8lÙp¶!"¢ ˆÐ9€ø폨ø†GQ±·¯ÿÐÄaØø¡ Sˆ cdÇÒ9ÅIœêhDíIÎtžý¿Ÿåö܍°ïÁž7‰í‰Cžápñ&TÐ|ä: Jî’—

hbàÛ‘ÉÎC‡xTì<:<9 ›8< ß)1Saw­Âî:pÌ}TjŒ‡uË^æöÊÿ0•Ûk·êž§hș⭚ÏÞ¨¢T½RqIž(UüɃס–Ñ8ãn÷ï4D|Ÿ#GŽ"¯A±"ßôô1dCSˆí]H"²Î¼lé L«È~GiŽ±»%/îq8Ãßþ7½À½ì%Áú춬 »Ùë£çiìü'+}é–‹š„’åy€\I”ÄW]ô3TrPÝ°Ñྋ™t™ž;„ÁËffŽ;6c ±¤´ì£×ˆ_ˆÄÂ&i•¥×hüîIbÇC¥î•[,Ôˆè¼ûíVÂîøÁ›6 ;`7ìü†Àʁ š„’%°:Ž"®rƒ ºì•§ÅÏY½fíÞÀ¨˜øY!"'BÞ 2é25…° ×DÈ­|3…˜¾/CÎz¬0®GZå×éØ1§C¨D{Y€ãNôºŠŒ¸¼uÇÅoÝyñŸ™]ò6Ù]cÏÓ>؇¨L9Ð×µ(™Wr—4áxÝ…¤sTg¼þñ»…3"¢Bº|W âÓOœ<É_? "Á?~ü„ºé É bJÖ[r•%lB<°|§cG¡Rõ8œJ ,Ö;ÜÞ…ÝÍl•£WßU÷û®‹9S…&ÞÖ‚òVö¡ŠKj9âKB²Š ú û!—=ü+¹Àm—=ƒCOœ8y® âsÏœ9ƒŠ‚ƒÃàj¦ƒÅ¯C¬DNR,Ë¥°ù4Ïwzv

<¸¿ª¢¯¿ dÒˆK\Eå scÍãÌø6:̘Ê6vp“v¦Ã‡GG¡+z{Ÿpû{¥–ãJ®]Wˆ *9ãSŠ¼a5#~2û¢ŸÉU¿ËnwkEÛ)T Nà7Ÿrúôé¶6Ö㈤(ñP&!ÊÁSÅw•Š‰OœÏßȲÞË·8„{Jø¬²£ '\Ž£;8ÓÑDÄǬö=áþ!eLŽ¯ËΨfFüüJ‹ñþËïy~¹=ÂFôbÄÆ'"1ñ)==}ˆs-­pÁnülüp#ÄŒŒ,}ðTðqÝB‰O-¼RxíÖŠÚjÆÎßȈÀGìdp4ãcãÌ*vH5ö/½dŠ²§§¿qÏG,]Êßæ5ˆT¹3òˆjø„¢6œúúšBý‰ûËʿ÷ªÆ[email protected]'P±¬¼Â€ïJ->%ñ)¢gcÅíHõ  àé âÌoqÜ&ÊvV÷‘òÔãSKªV²"8«ë vÚyhVj¶iâÍò¦§¦5ûúžÄîSjáŒoßÅ"*j‘M ruºøJÔ‰¢Øwزîg4B¥š¾ŽXʺݏ«­k¨«oD¤œm#ÄаÑhÆZ]¨l_FÊSÉŠ÷½ªâ“zïÜ‚føT¹b…‘"·Ã‡›ë¯œŸÐÕ××_XXˆ ö•´"û“žÿÛ÷iœQŽ¨zˆBØP‰ÁŠýËþ•H+î{¼L!î ¡!‹ªÐKáÚÍÍ-5µõ€ J ¡2ÄŠÊ*ñ=Y›çý—+eû£¼p ´4«««KKKQ ˆñ¾ Ä÷­AdÂF)1Pìã‡?¦ªžE†»‡·)D1Œ?/¿p¡$ ç±²ªºê@ ¢ìêîÑA¬®©ñ󲥿’ÒW/HîÏ)e;Sà$ ][email protected]|ÂõLØ8…ÑáÙÌBSEYVV¶ÿþŽŽS‚ˆ-RÒ¢" ¥Nä-6BÕP,}àŠë¿[ÄR1PJ†ˆX*n¨™šš:7$ „t©¨<ˆM͝]ÝÔš-CtÚ±S–`ñóÁ«ôéïß [email protected]::;mà3u=…mjG¸ÙD‰ü[^^ˆMMMÖ ˆ[¬AdêT­_¾E‘¦"!bé¶íÎòl¢¸+ª¸¤ôì݈äN7÷`ÔoÍ–!æäækô§!~*ê‰~Åm¬~ëÖŠŇsÒÙÙi ܼ­½S±ÅÚë:{kjj©¬¨Äææf bÿ€Q §¼Ä`u"µØ0Us‹šo`Jà%–ʺg„ˆXJ÷'ú¥ª°iY ¢Ž­Ù2ÄÏÖ®·4¿þ¤òÇÏï='ÒßmL³!ý1Æر¢UU¢m‚:OÔQm±áª†%Dc,½ÿrÑÚæà¸]7ï A„IJòŠ³qC8 ®>k 6·°¶PÄ”Ôt1ÎS¦?Y¿ƒ6~jÒŸ„ïC†ïÇŸ<ÐÙÙ%)OCð”#§.l9:yT¶©#dSS_šdf9¤¥¹åÀj‚8+Á¯ŒÂæ=QìKªÆKÕâºôák/XråO¼NHxœ"|“n÷FÝqòäü;ñ¿øâÀ*)[email protected]?¥ø)ÒÔáŸãûˆá»t5'¨-¬á“sÜ¬àŽªfJ“Ž­©©…J#ˆ8cöBP!¾/ Ê Q©-º”j¸¤ÝO[·g DqÏ>NõWóª Ù˜'àzÅ%û±¶*¦U1#3[€úS-´éð-úñÇ÷ߥkƒ ¦Ée6K-óY,½‰±‘%Í’«.Y|µÈ†tW”"jCš=#m_æ©S§æá†ø†ÃÃ#…E¥EÅ¥ˆ¢¨©KB†¸mûÈÌ-l|éOmü$ õ"ð]úéx´Q|ŠÆ1=>«ì,°¦¦MGG!«¢œkkëfffæ1Î÷ߌ±”t)~>IJÙpç.Wã\p JS  '>|x®-¥Ô[[ßPPXˆ4S"Ô© RÔ: "`HJñSJ[email protected]8„¯sôèQÄ"{ J ‘ÅRE—šº!²áb– Emh:[email protected] 2Úœ‚øôôta1M©TRS[‚:ˆ~þ–PvÀ'ŒÈéOKü>‹^úÙƒŒ Yüäø&'fç73›)(q`gª‰

%PDF-1.6 %äãÏÒ 1 0 obj [/PDF/ImageB/ImageC/ImageI/Text] endobj 4 0 obj <</Length 5 0 R /Filter/FlateDecode >> stream xœ endstream endobj 5 0 obj 8 endobj 6 0 obj <</Subtype/Image /Width 150 /Height 150 /BitsPerComponent 8 /ColorSpace/DeviceRGB /Filter/FlateDecode /Length 7 0 R >> stream xœígx]ŵ÷!!›póá^¾¼onè [email protected] &6„zÁÀIè6ظɲ-˲%Y]Vï½Z½ËjVï½Ë²lÉr’ûþgÖÞsf—st$ ‰÷³=Gçì}ÊþíµÖÍ̞ùßÿ=¿ßÎoç·óÛùíüv~;¿ßÎosޞjk﬩­/.-ËÍ/ŒOLŽKHŽOŠ‰KŒŽM€EÅÄGFÇEDņGÆÀÂ"¢³sóaûË*êšpøää‘sý;þ…¶écÇúúªkëò ŠSÓ3SÒ2RR÷%§¦'¥¤'&§%$ ¥Æ'¦Ø14<*$ ,’,($ †7))-ëìꞜœ<׿òŸm;yêÔÀà`]}#\,3+7#3g_FvzFVÚ¾,Sˆx”’Ãㄤ”ø4ŽJƒÃ‚BaØ­¨¤´£³ëÌ™3çúׇ·S§N WVUçææä îeåäefç ˆY9YÙyx>'¯ûäååçåãùþ2tÎ:[email protected]? æ·7(;'ï<Ê9m_~ùåÁƒãÈP…%ŒHAˆˆpâ’â’²Òýå°XiYqÉþ¢âÒ¢Råû ê<~Ë<484BÑ×?–•Û××®OÏ·z;}útOoyE•ŽHAa10••WÂ+*À°þ…YXˆ"‡Â7‘4]÷†È}üÂ#£Tל>ï’Ú ì [email protected] QÄXDW¢·ïހÀ|¹cÇfÎõ™;÷ÛéÓgÚ;:C&@5µu MP/0T ç"R. ½|üaˆêǎ;×gñÜlÐ=½} "pà/56575·66µ€à· "[email protected]\ŠçúŒ~£ÛÈÈh}}#p"õ -­íÜÚš[Zç€âyáŸèéåóðòñðdæã»72:6" [email protected])[email protected];×çõ›ØŽÍ̀b$ pÔp …@ kkïhmë°bfVNDd´¯_Àf‡­«×¬]õ—÷ædŸ­]¿~ÃfW7$ 50š+DªAWD/ß„Ääééés}Ž¿® eÂððáA–è›;;»;»z cPsÙ1'7?4,b‡³Ë~2Wd¶íãO>Å•àíãrÞ~ˆpFè$ Gq§OEeÕ¹>Ù¿Í?ÞÖÖÑÐØL8ðà»z»º{f…˜_Päãë¿æÓu6¼òÖÊ'þôâ²Wž¾ý™mö­úÏvûò«¯úú…CØ ã¯mˆyù.»\§§Ôpædkñ•,¹ò‚¯ºàÁ«/xèê–’]sÁÃ’á_z;`7ìŒCp [email protected]&|Ùø¹[·CÙΈˆJÝ=¼‹JJq ŸkóÜNž< 4¡ÀhxddxdthxÄÄä”´›¶Áýæ©E?yðj„ì!"uí¿¿ö‚e?g¶üç.ÿÅ…»Ž›úïò_`eO‚qøC*P•&>׉åºÏ7BºÌ 184冀ˆˆzêÔésMcn®:hN!‡‚ µ±°¨dÓf ;d+8ÅO–¨à«ÔàS„Œ`=z³?üòÂÇ`×3{ÜŠÑ«Ø ;ÓQ€é/T *M|G g_üâãFŽÁa¶!Rù/ b¤’sÅÞ ø¦¦¦ETăѱƒÇ·±¾¡i»ÓN,¹þñ».yà*Åãdp‚Ú~©Àzâ¿™=yÃ…OÁ~uáa¿fö´dô^ÂØ ;ÓQ„•€M%÷J| ¸¤Nü8lÙp¶!"¢ ˆÐ9€ø폨ø†GQ±·¯ÿÐÄaØø¡ Sˆ cdÇÒ9ÅIœêhDíIÎtžý¿Ÿåö܍°ïÁž7‰í‰Cžápñ&TÐ|ä: Jî’—

hbàÛ‘ÉÎC‡xTì<:<9 ›8< ß)1Saw­Âî:pÌ}TjŒ‡uË^æöÊÿ0•Ûk·êž§hș⭚ÏÞ¨¢T½RqIž(UüɃס–Ñ8ãn÷ï4D|Ÿ#GŽ"¯A±"ßôô1dCSˆí]H"²Î¼lé L«È~GiŽ±»%/îq8Ãßþ7½À½ì%Áú춬 »Ùë£çiìü'+}é–‹š„’åy€\I”ÄW]ô3TrPÝ°Ñྋ™t™ž;„ÁËffŽ;6c ±¤´ì£×ˆ_ˆÄÂ&i•¥×hüîIbÇC¥î•[,Ôˆè¼ûíVÂîøÁ›6 ;`7ìü†Àʁ š„’%°:Ž"®rƒ ºì•§ÅÏY½fíÞÀ¨˜øY!"'BÞ 2é25…° ×DÈ­|3…˜¾/CÎz¬0®GZå×éØ1§C¨D{Y€ãNôºŠŒ¸¼uÇÅoÝyñŸ™]ò6Ù]cÏÓ>؇¨L9Ð×µ(™Wr—4áxÝ…¤sTg¼þñ»…3"¢Bº|W âÓOœ<É_? "Á?~ü„ºé É bJÖ[r•%lB<°|§cG¡Rõ8œJ ,Ö;ÜÞ…ÝÍl•£WßU÷û®‹9S…&ÞÖ‚òVö¡ŠKj9âKB²Š ú û!—=ü+¹Àm—=ƒCOœ8y® âsÏœ9ƒŠ‚ƒÃàj¦ƒÅ¯C¬DNR,Ë¥°ù4Ïwzv

<¸¿ª¢¯¿ dÒˆK\Eå scÍãÌø6:̘Ê6vp“v¦Ã‡GG¡+z{Ÿpû{¥–ãJ®]Wˆ *9ãSŠ¼a5#~2û¢ŸÉU¿ËnwkEÛ)T Nà7Ÿrúôé¶6Ö㈤(ñP&!ÊÁSÅw•Š‰OœÏßȲÞË·8„{Jø¬²£ '\Ž£;8ÓÑDÄǬö=áþ!eLŽ¯ËΨfFüüJ‹ñþËïy~¹=ÂFôbÄÆ'"1ñ)==}ˆs-­pÁnülüp#ÄŒŒ,}ðTðqÝB‰O-¼RxíÖŠÚjÆÎßȈÀGìdp4ãcãÌ*vH5ö/½dŠ²§§¿qÏG,]Êßæ5ˆT¹3òˆjø„¢6œúúšBý‰ûËʿ÷ªÆ[email protected]'P±¬¼Â€ïJ->%ñ)¢gcÅíHõ  àé âÌoqÜ&ÊvV÷‘òÔãSKªV²"8«ë vÚyhVj¶iâÍò¦§¦5ûúžÄîSjáŒoßÅ"*j‘M ruºøJÔ‰¢Øwزîg4B¥š¾ŽXʺݏ«­k¨«oD¤œm#ÄаÑhÆZ]¨l_FÊSÉŠ÷½ªâ“zïÜ‚føT¹b…‘"·Ã‡›ë¯œŸÐÕ××_XXˆ ö•´"û“žÿÛ÷iœQŽ¨zˆBØP‰ÁŠýËþ•H+î{¼L!î ¡!‹ªÐKáÚÍÍ-5µõ€ J ¡2ÄŠÊ*ñ=Y›çý—+eû£¼p ´4«««KKKQ ˆñ¾ Ä÷­AdÂF)1Pìã‡?¦ªžE†»‡·)D1Œ?/¿p¡$ ç±²ªºê@ ¢ìêîÑA¬®©ñ󲥿’ÒW/HîÏ)e;Sà$ ][email protected]|ÂõLØ8…ÑáÙÌBSEYVV¶ÿþŽŽS‚ˆ-RÒ¢" ¥Nä-6BÕP,}àŠë¿[ÄR1PJ†ˆX*n¨™šš:7$ „t©¨<ˆM͝]ÝÔš-CtÚ±S–`ñóÁ«ôéïß [email protected]::;mà3u=…mjG¸ÙD‰ü[^^ˆMMMÖ ˆ[¬AdêT­_¾E‘¦"!bé¶íÎòl¢¸+ª¸¤ôì݈äN7÷`ÔoÍ–!æäækô§!~*ê‰~Åm¬~ëÖŠŇsÒÙÙi ܼ­½S±ÅÚë:{kjj©¬¨Äææf bÿ€Q §¼Ä`u"µØ0Us‹šo`Jà%–ʺg„ˆXJ÷'ú¥ª°iY ¢Ž­Ù2ÄÏÖ®·4¿þ¤òÇÏï='ÒßmL³!ý1Æر¢UU¢m‚:OÔQm±áª†%Dc,½ÿrÑÚæà¸]7ï A„IJòŠ³qC8 ®>k 6·°¶PÄ”Ôt1ÎS¦?Y¿ƒ6~jÒŸ„ïC†ïÇŸ<ÐÙÙ%)OCð”#§.l9:yT¶©#dSS_šdf9¤¥¹åÀj‚8+Á¯ŒÂæ=QìKªÆKÕâºôák/XråO¼NHxœ"|“n÷FÝqòäü;ñ¿øâÀ*)[email protected]?¥ø)ÒÔáŸãûˆá»t5'¨-¬á“sÜ¬àŽªfJ“Ž­©©…J#ˆ8cöBP!¾/ Ê Q©-º”j¸¤ÝO[·g DqÏ>NõWóª Ù˜'àzÅ%û±¶*¦U1#3[€úS-´éð-úñÇ÷ߥkƒ ¦Ée6K-óY,½‰±‘%Í’«.Y|µÈ†tW”"jCš=#m_æ©S§æá†ø†ÃÃ#…E¥EÅ¥ˆ¢¨©KB†¸mûÈÌ-l|éOmü$ õ"ð]úéx´Q|ŠÆ1=>«ì,°¦¦MGG!«¢œkkëfffæ1Î÷ߌ±”t)~>IJÙpç.Wã\p JS  '>|x®-¥Ô[[ßPPXˆ4S"Ô© RÔ: "`HJñSJ[email protected]8„¯sôèQÄ"{ J ‘ÅRE—šº!²áb– Emh:[email protected] 2Úœ‚øôôta1M©TRS[‚:ˆ~þ–PvÀ'ŒÈéOKü>‹^úÙƒŒ Yüäø&'fç73›)(q`gª‰


SANS Information Security Reading Room

IBM launched its IBM Security App Exchange at the tail end of 2015, so it has been live for almost a year now. We always thought the App Exchange had significant potential, but we’ve been blown away by its success with our customers and other security vendors. We now have security information and event management (SIEM) customers imploring other vendors to provide a QRadar app as a prerequisite to joining their security operations. It has also helped IBM demonstrate its security immune system in a tangible way.

App Exchange Offers Market Insights

The program has been so successful that we passed our 12-month target for third-party vendors and apps on the Exchange after only seven months. We are currently seeing approximate monthly totals of:

  • 3,500 downloads;
  • 35,000 visits; and
  • 11,000 unique visitors.

These numbers illustrate the App Exchange’s value to IBM customers, partners and the overall market. We’ve also trained over 90 security vendors in app development and have a vibrant backlog of third-party and IBM apps that we are planning to launch over the next few months.

One thing that was clear from the outset was the wide variety of security operations that the apps are addressing. This offers some interesting insights into what products are hot in the security market. While the IBM Security App Exchange is product-agnostic, it is currently dominated by apps for the QRadar Security Intelligence Platform, followed by IBM BigFix and IBM X-Force. Because QRadar sits right in the center of organizations’ threat detection and response processes, most systems involved in security operations should interface with it in some way.

Since the App Exchange launched, we’ve added over 70 apps that fall into the following broad categories:

  • Visualizations;
  • Threat Intelligence;
  • User Behavior Analytics (UBA);
  • Incident Response;
  • Endpoint Detection and Response;
  • Hunting;
  • Compliance Use Cases; and
  • Other Threat Detection Use Cases.

High Demand for Use Cases

The first set of stats shows the relative number of apps on the App Exchange in each category. Apps that fall into the categories of Threat Detection Use Cases and Compliance Use Cases account for more than half the offerings. Demand is high because these are the first use cases that most organizations address when implementing security operations.

The third most common set of apps fall into the category of User Behavior Analytics. The market is piping hot for these apps due to the fact that more than 50 percent of threats fall into this category. Demand for apps that fall into the Threat Intelligence category is similarly high.

App use representation on IBM Security App Exchange

Download Ratios

The second set of stats show the relative ratio of app downloads in each category. Again, the top category is Threat Detection Use Cases. This is very closely followed by User Behavior Analytics, with both Visualizations and Threat Intelligence hot on its heels. It’s interesting that Visualizations ranks so high in downloads while the category includes a relatively small set of apps. This may represent an unmet need.

Of course, download statistics are skewed by the length of time some apps have been available on the App Exchange. QRadar UBA, for example, has only been available for four months, but is already the third most downloaded app. Some newer apps in the areas of Endpoint Detection and Response, Incident Response and Hunting, while low in volume and relative downloads, are growing quickly. It’ll be interesting to review this trend in another six months to a year.

Proportion of app downloads on IBM Security App Exchange

Key Takeaways

In summary, the key insights we can take away from this data are:

  • Threat Detection Use Cases, Threat Intelligence and User Behavior Analytics are at the forefront of most security programs.
  • Organizations place great value in threat, risk and incident visualizations, and there may be unmet demand in this area.
  • Compliance use cases are still an important foundation.
  • We’re starting to see a real pickup in areas of Endpoint Detection and Response, Hunting and Incident Response.

That’s just a sampling of the insights we can draw from the App Exchange statistics. We’ll continue to track the App Exchange’s development and shine a light on what apps are gaining traction in the market. Stay tuned!

Visit the IBM Security App Exchange


Security Intelligence

The number one challenge for security leaders today is reducing average incident response and resolution times.” — IBM IBV Cognitive Security Report

In November, IBM’s Institute for Business Value (IBV) released a report titled “Cybersecurity in the Cognitive Era: Priming Your Digital Immune System.” The report provides insights gleaned from a study of over 700 security leaders from across the globe and seeks to uncover the security challenges organizations face, all while shedding light on how to address them. The study also evaluated the impact of cognitive security solutions and gauged the industry’s current level of readiness for the oncoming cognitive era.

The study identified three main gaps that cognitive solutions might fill to improve an organization’s security posture: a speed gap to significantly improve incident response times, an intelligence gap to improve detection and incident response decision-making capabilities, and an accuracy gap to provide increased confidence to discriminate between events and true incidents.

A Short Primer on Cognitive Security

“Cognitive computing has the ability to tap into and make sense of security data that has previously been dark to an organization’s defenses, enabling security analysts to gain new insights and respond to threats with greater confidence at scale and speed,” wrote Marc van Zadelhoff in a previous article.

According to an IBM cognitive security white paper, this type of security is “characterized by technology that is able to understand, reason and learn.” In short, it is about analyzing security trends, distilling enormous volumes of data into information and further refining it into knowledge that can be turned into action.

The Incident Response Speed Gap

Respondents to the IBV study identified the speed gap as the top security challenge. Forty-five percent ranked reducing average incident response and resolution time as the top challenge today, and 53 percent identified the same area as the top challenge for the next two to three years.

45% (today) and 53% (next 2-3 years) say reducing average incident response time is the top challenge

This is somewhat surprising given the fact that 80 percent of the survey participants indicated that their incident response speeds have improved by an average of 16 percent in the past two years. Additionally, 37 percent believe that cognitive security solutions will significantly improve this response time.

Reading between the lines, security leaders have been pushing their teams to improve incident reaction times, but they also realized that the current level of improvements are inadequate to keep up with the ever-increasing pace of attacks. For that 37 percent of security leaders, cognitive security offers a ray of hope.

A Skills Gap Too?

It’s no secret that the cybersecurity field faces a skills gap of enormous proportions. In fact, Forbes estimated that the skills gap has reached 209,000 unfilled positions in the U.S. Additionally, a Cisco report tallied 1 million unfilled positions worldwide, a situation that’s unlikely to change anytime soon given the large volume of senior and highly seasoned security professionals preparing to retire and the relatively small investment in recruiting bright young minds into cybersecurity education and, eventually, cybersecurity careers.

The good news is that cognitive security solutions can help maximize the current workforce by reducing the amount of time before an anomaly is detected. They can provide better context and background information to those tasked with analyzing incidents.

Superhuman Capabilities

According to the IBM Cognitive Security white paper, “a cognitive system comprehends and processes new information at a speed that far surpasses any human.” It also noted that “cognitive computing is driving transformational change by harnessing not just data, but meaning, knowledge, process flows and progression of activity at a lightning-fast speed and scope.”

The prospect of turning over more of our incident response processes to machines might bring chills to those tasked with responding to incidents and analyzing their severity and impact. However, the goal isn’t to replace humans, but to supplement their capabilities, much like an exosuit turns a human into a superhuman. Cognitive security solutions can accomplish in minutes what would take human analysts hours or even days.

Cognitive technology is still in its infancy. Those who get there first, however, will likely reap a significant competitive advantage over those who take a wait-and-see approach. As the saying goes, you don’t have to run faster than the bear — you just have to run faster than the guy behind you. Can your business truly afford to take a wait-and-see approach?

Read the full IBM Report: Priming your digital immune system


Security Intelligence

As we approach Thanksgiving in the U.S., the one thing I look forward to the most — aside from turkey and spending time with my family — is football. As I watch the games, the security geek in me can’t help but notice some parallels between football and network security, particularly firewalls and intrusion prevention.

Network Security Playbook

During a passing play, for example, the tailback needs to protect the quarterback from any defender who breaks through the offensive line. That is critical to the success of the specific play and the quarterback’s long-term health. A firewall is like that offensive line. Even the latest next-generation firewalls (NGFW) occasionally allow threats to break through. Your organization needs a game plan for blocking those attacks that get past the firewall.

That’s why it makes sense to deploy a next-generation intrusion prevention system (IPS) behind your NGFW. By complementing the protection provided by a NGFW, the IPS can stop attacks that firewalls miss, such as those launched from within the enterprise, zero-day attacks, mutated threats, obfuscated exploits and attacks embedded in encrypted channels.

Why not use the built-in IPS capability found in most NGFWs? That’s certainly an option, if you take into the account the additional performance overhead needed to power the IPS feature and size the NGFW properly for your network. But even so, don’t forget about the internal segments of your network that need protection as well.

This an ideal use case for a standalone IPS, since it is a level 2 network device that just sits as a bump in the wire. There is no re-architecting needed to deploy it. You might also consider the fact that 55 percent of security professionals think that a standalone IPS is more effective that one built into a NGFW.

Read More About Firewalls and Securing Your Network

Teamwork Makes the Network

It is also important to remember that the IPS needs to be a good teammate to all the other security solutions you have already deployed, especially since it is capable of stopping threats at the point of attack. For example, your IPS should provide an out-of-the-box integration with your organization’s SIEM so that an attacker can be quarantined when an offense is detected.

Automating containment of threats reduces the spread of malware, halts an attacker’s subsequent lateral movement and stops additional data exfiltration. It’s important to choose an IPS that provides a web server application program interface (WSAPI) so that it can be integrated with the organization’s existing security products.

IBM Security Network Protection (XGS) is a next-generation intrusion prevention system that has a long track record of protecting against both known and unknown threats, often months or years before specific vulnerabilities are disclosed. Read our free solution brief, “A Firewall Is Just the Beginning When Securing Your Network,” to learn how you can significantly improve network security by deploying IBM XGS with your NGFW.


Security Intelligence