news

Infosecurity Today May/June 2004

HP exploits new bugs to fix its systems
Sarah Hilley

HP exploits newly released high-risk vulnerabilities on its corporate systems in order to clean up its own shop, the company revealed at a seminar at its research centre in Bristol on 27 May. The hardware giant's researchers explained how the company has successfully thwarted Blaster and Sasser by finding the causal flaws first and exploiting them before virus writers could. "We break into a system using a vulnerability and make it safe," said Richard Brown, a labs researcher. Once HP compromises a machine, it applies remedial action. The vulnerability scanner gets the remedial payload from an operations server. The payload can range from a simple pop-up message, warning a user to patch, to isolation of a vulnerable machine from the network. The company has been exploiting flaws on its 240,000 machines since CodeRed, and this proactive exploitation is a core part of its information security policy. In order to restrict damage, the company's exploits don't propagate. By contrast, Welchia, the so-called 'do-gooder worm' that tried to clean up the mess left by Blaster, only caused more harm than good by clogging up networks, said Brown.

When you outsource to India, where does your data go? Not where you think ...
Sarah Hilley

Many outsourced IT services are being subcontracted from Indian providers to countries such as Sudan, Iran and Bulgaria, which increases the security risk. Risk management professionals are warning companies to stop and check that their service provider in India is actually performing contracted offshore services itself and not outsourcing further to other countries. Some companies in India are faced with a labour shortage and a lack of proper infrastructure to cope with the burst of business from the West. "They can't deliver what they've signed up to deliver," said Samir Kapuria, director of strategic solutions at security consultancy @stake, "so they outsource to other countries where the cost is lower." Colin Dixon, project manager at the Information Security Forum (ISF), said many ISF members have reported this problem during an ongoing investigation by the elite security club into outsourcing risks. "Contracts should contain a clause banning offshoring companies from further outsourcing without the client's knowledge," said Dixon. Companies are being put in the awkward position of "relying on the Indian provider to perform due diligence on their subcontractors, and you don't know if they are able to do that," he said. The elongating outsourcing chain multiplies the risk. It "leads to a high degree of separation in the development of applications, for example," said Kapuria. Compliance with corporate governance also gets more complicated, as the responsibility lies with the company and not the provider. And adherence to regulations gets even harder to control if services are being outsourced twice. Most ISF members have identified the issue and stopped it before signing a contract, said Dixon. But Kapuria said that some of @stake's clients didn't find out about the double outsourcing until after the contract was signed. Intrusion detection traffic coming from outside India alerted some banks that subcontracting was taking place, said Kapuria.

"70% of blue-chip companies in the ISF are currently outsourcing." Kapuria

Bug-fixed applications still insecure
Brian McKenna

Companies are de-lousing applications only to find them even buggier one year on. Forthcoming research from Imperva, an application security vendor, will show that companies that the vendor has penetration tested over the last four years tend to be as vulnerability-ridden as ever. Shlomo Kramer, Imperva's CEO, said that the reason why potential customers are shying clear of enterprise application security products is the "false conception that they are able to overcome the problem of application-level security by fixing the bugs in the programme. That is very expensive, and is also futile since in real life you always have vulnerabilities in code, and in the time that your programmers fix the bugs they will introduce others". Kramer, who co-founded Check Point, denied that app-level attacks are more theoretical than real. "We have done 300 plus penetration tests at financial organizations around the world. These are very security savvy organizations, and we found that 90% of them were susceptible to very damaging application-level attack." The company's Application Defense Center, which made the news in April with some research that demonstrated how Google could be used to launch application-level attacks, will be detailing its new findings in a forthcoming white paper.

The Pru gets smart with spam

Prudential, a UK-based financial company, has installed a spam intelligence service from Tumbleweed, which clamps down on the number of emails being blocked accidentally by spam filters. Out of the 40,000 emails received by Prudential every day, 14,500 are now blocked as spam by filtering software. Prudential has opted for the Dynamic Anti-spam Service (DAS), an Internet-based subscription service, which analyses spam and legitimate emails from around the world to help categorise what is and isn't spam. "Since DAS was installed, we see a threefold increase in blocked spam messages," said Nick De Silva, Web Hosting and Messaging Manager, Prutech. "Before, we used Tumbleweed MMS lexical scanning (using a manually-updated word list) to detect spam," he said.