Being a Friend of SCAP and the Continuing Emergence of Security Standards

February 8, 2010

I had the privilege last Thursday to attend an informal session on the Security Content Automation Protocol (SCAP) at the Information Assurance Expo held last week in Nashville.  Attendees included representatives from the NSA, the DoD and other federal agencies, and the vendor community.  It was a positive, productive session, and I am pleased that Triumfant is actively involved in the SCAP movement, because I believe strongly in the need for standards for security. 

When I first entered the security market in early 2005, I had just come from the integration space where standards were a crucial part of doing business.  I had teamed with others at webMethods to get staff onto groups such as the World Wide Web Consortium (W3C), effectively ensuring that webMethods was in the thick of the standards process.  When I arrived at Cybertrust and built my marketing plan, I looked to identify security standards groups and was shocked to find a lack of standards activity in the market. 

While Cybertrust was diverse and global, we did not do a lot of business with the federal government, so SCAP never caught my attention.  That changed when I joined Triumfant, who had already taken steps to be SCAP compliant and was one of the very early companies (third, I believe) to obtain FDCC validation.  I quickly ramped up on FDCC, but soon realized that the broader notion of SCAP as a common language for sharing and integrating security processes was a significant subject.

SCAP is critical to Triumfant, because beyond what we do, enforcing security configurations and detecting and remediating malicious attacks, what we are is the most comprehensive sensor grid for endpoint machines coupled with some very innovative (and patented) analytics.  So the ability to share the content we create with other consumers of security data dramatically expands our reach and value.  And clearly the only real way to predictably and practically share that data is through content standards. 

The people who have been carrying the SCAP flag the longest have done so with remarkable patience and resolve, as standards are something people clamor for right until the moment they are asked to comply.  Their patience and resolve are especially important as I am not altogether sure the security market is all that eager for interoperability, because it upsets the well established ecosystem of selling product layers to address specific needs.  Of course, maybe that is another reason I like SCAP, because I do love being part of something constructively disruptive.

So the SCAP faithful have soldiered on and continue to make sure and steady progress.  You could see it on the faces of those persevering souls at the NIST Security Automation Conference in Baltimore last October, when they recalled that early meetings were held in NIST conference rooms and hallways and now they were filling large halls at the Baltimore Convention Center.  They also saw representatives from private industry pick up SCAP, bridging the standard from the federal space into the commercial world.

These folks have my admiration because they are forwarding these standards not for selfish reasons or monetary gain – they are doing it because it is the right thing to do, and in the long run it will help make sensitive data for our country more secure.  The forward looking early supporters of SCAP picked up a difficult rope and have pulled tirelessly.  We at Triumfant are excited about grabbing that rope and pulling where and when we can.  I hope others take the opportunity to do the same.


More Thoughts on the Advanced Persistent Threat (or Adversary) Discussion

January 29, 2010

Following up on my previous post about the Advanced Persistent Threat, I continue to enjoy the discussions that have emerged from the recent Google/China incident.  The past week has seen by far some of the best analysis of APT I have seen in some time.

One line of conversation has been about how APT, specifically the threat component, is not about malware.  Specifically, this addresses the positioning by the antivirus vendors who continue to perfect their defenses around older attack forms - a process I call “Perfecting the Obsolete” – and look to defend market position by framing APT as malware.  In Mike Cloppert’s blog he notes in a post about the Google incident that the “defense industrial base has been pleading with the AV industry for innovation to address more sophisticated threats and detection resiliency for at least 5 years, likely longer”.  The A/V vendors will continue to characterize APT as malware largely because they have no effective answer, in spite of the wildly inflated claims of their love affair with recently acquired/developed whitelisting tools and prevalence data. 

Eventually the dialogue went to the suggestion (Threatpost blog entry by Scott Crawford and Nick Selby) that APT should be called Advanced Persistent Adversary, an idea similarly expressed in an Andy Jaquith blog post and a great post by Richard Bejtlich.  I have no issue with that line of thinking, because I think the nature of the adversary is what has changed IT security so dramatically, not the attacks themselves.  The new adversary is organized, skilled, relentless, opportunistic, and enormously resourceful.  They are also patient, willing to invest time in research and planning to create breaches that get to the information they want without detection and hopefully open up a long-term conduit for extraction.  Again, it is this change in the adversary that the traditional AV suites have failed to embrace. 

I also agree on the notion that the actual attack process does not have to be exotic or elaborate.  Why spend time going through the trouble of designing and engineering a zero day when there are numerous exploits created and widely deployed through production software?  The time and energy is better spent gaining information about how and what to attack and what to do when successful.  Which of course supports the APA notion: it is the advanced profile and skill of the adversary that makes these attacks so problematic, not the attack. 

Here is where I wade into danger.  The most common thread among these posts is the notion that there is no one vendor-produced solution for APT (or APA).  Crawford and Selby warn of the vendor “easy button” and Rich Mogull notes on an associated blog entry that “Every vendor who tells me they can ’solve’ APT instantly ends up on my snake oil list. There isn’t a tool on the market, or even a collection of tools, that can eliminate these attacks.” (emphasis from Mogull). 

We agree.  Let me state for the record that Triumfant is most certainly not a solution for APT nor can we eliminate these attacks.  What we do have is a tool that takes a completely different approach to detection, identifying changes at the granular level to trigger analysis.  And we think this approach has solid applications in detecting APT activities (or the work of the APA).

I will stop here, hopefully short of pegging Mogull’s snake oil sensors.  Yes, I am a vendor and yes, the company stands to benefit from using APT as a discussion point for selling our product.  But I have talked to enough people here in the DC area engaged daily against the APA that I understand that an effective method of anomaly/change detection is a necessary tool in detecting the work of the APA.  I will go deeper into our detection capabilities specific to APT in a later post.  Until then, I will continue to read the ongoing discussion with interest.


Advanced Persistent Threat: Solution – No, Effective Detection – Yes

January 27, 2010

I have enjoyed the lively discussion in blogs and on Twitter about what has been named the “Advanced Persistent Threat” or APT by industry smart guys (that is a compliment, not sarcasm) like Rich Mogull (@rmogull, Securosis), Andrew Jaquith (@arj, Forrester) and Nick Selby (@nselby, Web site).  Jaquith posted a great blog entry yesterday that provides a great definition for APT and additional clarification of what APT is not.  To paraphrase, APT is characterized by a sophisticated adversary that is engaging in long term pursuit of sensitive data or intellectual property. This contrasts with broad general attacks that leverage known exploits to pick off whatever computers are not properly protected. 

Yesterday in a presentation to a potential partner for Triumfant, a highly experienced security person raised the subject of APT and asked me directly if Triumfant was a solution for APT.  My response was a simple “no”.  This sentiment was echoed by Rich Mogull of Securosis when he tweeted that he was not a fan of any vendor that mentioned APT and “solution” together.   The reason is simple – APT by definition is in a constant state of evolution, and unless your solution can block all attack vectors currently known and those not yet even created, you do not have a solution to APT.   Or as Jaquith points out, APT is not a specific attack or an attack vector that can be detected by a product. 

Remember that that paragraph is from a vendor that has an offering that would tempt marketing types to make such a claim.  Luckily, this is not my first rodeo, and all of us on the Triumfant team carefully avoid such hyperbole and will often disarm prospects by detailing our capabilities, including what we do not do.  I say this knowing eyes will roll, but our product has more than enough differentiation without having to resort to hyperbole and claims we cannot support. 

It is not the fault of traditional security tools that they are not equipped to deal with APT.  They were conceived and built in a simpler time when the number of attacks was small and those attacks were broad and non-specific.  Six million signatures and the transition from basement bandits to organized cyber criminals later, no advancements to these tools can overcome their foundational flaw of reliance on prior knowledge of an attack.  APT represents an evolution of malicious activity and intent that is a full generation removed from these tools. 

Back to my answer to the question about being a solution for APT.  My answer continued from the initial, honest “no” by saying that while I would not say that Triumfant is the solution for APT, Triumfant is a very proficient technology for detecting and remediating previously unknown and/or targeted attacks that are characteristic of APT.  Triumfant’s ability to monitor over 200,000 granular attributes on every machine and detect changes to those attributes is what triggers our analysis.  There is no prior knowledge of an attack required.  So whether the attack is newly minted or has been around for years, we detect attacks by looking for changes. 

Most security people will tell you that the ability to comprehensively and accurately detect anomalies on a computer is one of, if not the best, methods for detecting an attack such as those that would fall under the umbrella of APT.  The traditional impediment is the inability to solve the false positive problem.  We believe that the patented analytics that are at the core of Triumfant have solved that issue by using our unique ability to analyze all changes in the context of our adaptive reference model (explained here).  It is change that triggers the analysis, regardless of whether that change is caused by an external attack or the work of a maliciously intended insider. 
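The change-triggered, reference-model idea described above, as an added Python illustration that is not Triumfant's code (its patented analytics are not shown here): a population model of attribute values suppresses fleet-wide changes such as a patch while flagging a value that appears on almost no other host. Host count, attribute keys and file paths are constructed for the example.

```python
"""Change-based endpoint anomaly detection scored against a population
reference model.  Constructed illustration, not Triumfant's code or its
patented analytics.  Each endpoint reports a snapshot of attribute -> value
pairs; the reference model records how many hosts carry each value.  A change
on one host is scored by how rare its new value is across the fleet, so a
fleet-wide patch scores low while a value unique to one host scores high.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]
Change = Tuple[str, str, str]            # (attribute, old_value, new_value)
Finding = Tuple[str, str, str, float]    # change plus its population share


class ReferenceModel:
    """Per-attribute prevalence of each observed value across learned hosts."""

    def __init__(self) -> None:
        self.hosts = 0
        self.prevalence: Dict[str, Counter] = defaultdict(Counter)

    def learn(self, snapshot: Snapshot) -> None:
        """Fold one host's current snapshot into the model (re-learn as the fleet changes)."""
        self.hosts += 1
        for attr, value in snapshot.items():
            self.prevalence[attr][value] += 1

    def share(self, attr: str, value: str) -> float:
        """Fraction of learned hosts carrying exactly (attr, value); 0.0 if unseen."""
        if self.hosts == 0:
            return 0.0
        return self.prevalence[attr][value] / self.hosts


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """List every attribute whose value differs between two snapshots of one host.
    A missing attribute is treated as the empty string, so additions and removals
    surface as changes too."""
    changes: List[Change] = []
    for attr in sorted(set(before) | set(after)):
        old, new = before.get(attr, ""), after.get(attr, "")
        if old != new:
            changes.append((attr, old, new))
    return changes


def score_changes(model: ReferenceModel, changes: List[Change],
                  rare_below: float = 0.10) -> List[Finding]:
    """Keep only changes whose new value is rare in the population.
    Changes shared by most of the fleet (a patch rollout) are suppressed, which is
    the false-positive control; a value seen on almost no other host is flagged."""
    findings: List[Finding] = []
    for attr, old, new in changes:
        share = model.share(attr, new)
        if share < rare_below:
            findings.append((attr, old, new, share))
    return findings


# --- constructed sample fleet (hypothetical hosts, keys and paths) -------------
RUN_KEY = "registry:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"


def constructed_fleet() -> Tuple[Snapshot, Snapshot, List[Snapshot]]:
    """20 hosts after a fleet-wide kernel32 patch; half also received a sanctioned
    agent; host 19 additionally gained an autorun entry nobody else has.
    Returns (host19_before, host19_after, all_current_snapshots)."""
    base_before: Snapshot = {
        "file:C:\\Windows\\System32\\kernel32.dll": "6.1.7600.16385",
        "service:Spooler": "running",
        RUN_KEY + "Updater": "C:\\Program Files\\Vendor\\updater.exe",
    }
    base_after = dict(base_before)
    base_after["file:C:\\Windows\\System32\\kernel32.dll"] = "6.1.7601.17514"

    fleet: List[Snapshot] = []
    for host in range(20):
        snap = dict(base_after)
        if host % 2 == 0:        # sanctioned agent deployed to half the fleet
            snap["file:C:\\Program Files\\Acme\\agent.exe"] = "1.2.0"
        fleet.append(snap)

    host19_before = dict(base_before)
    host19_after = fleet[19]     # same dict object that the model will learn from
    host19_after["file:C:\\Program Files\\Acme\\agent.exe"] = "1.2.0"  # installed today
    host19_after[RUN_KEY + "svchosts"] = "C:\\Users\\Public\\svchosts.exe"  # unique
    return host19_before, host19_after, fleet


def demo() -> List[Finding]:
    """Learn the reference model from the whole fleet, then score host 19's changes."""
    before, after, fleet = constructed_fleet()
    model = ReferenceModel()
    for snap in fleet:
        model.learn(snap)
    return score_changes(model, diff_snapshots(before, after))


if __name__ == "__main__":
    for attr, old, new, share in demo():
        print(f"{attr}: {old!r} -> {new!r} (seen on {share:.0%} of fleet)")
```

Of host 19's three changes, the patched kernel32 (on 100% of hosts) and the agent install (on 55%) are suppressed and only the autorun entry present on a single host is reported.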

So while we cannot, as Jaquith accurately says, detect a specific vector of an attack, we believe we have a very good chance of detecting the effects of an attack on a machine and therefore provide security professionals the situational awareness they need to respond to such an attack.  We of course also believe we can effectively remediate the attack, but just the ability to detect the attack and provide actionable data as to what it did to the affected machine is a step forward.  Given that there will never be a comprehensive shield for APT, the ability to detect a significant percentage of such threats, in my opinion, is noteworthy. 

So is Triumfant the solution for APT?  No, and we would never say so.  Is Triumfant a tool that can help security professionals detect, analyze and respond to the attacks that characterize APT?  Is Triumfant’s approach an improvement from traditional endpoint security tools?  Is the ability to go from infection (notice I did not say detection) to remediation in less than five minutes for an attack that has never been seen before of interest to organizations that face the APT?  I am comfortable saying yes with the appropriate qualifications.  We are at the very least an effective application of anomaly detection that provides a meaningful sensor grid and analysis capability in the ongoing efforts regarding APT (guys, please note I did not say war, battle, or fight).

As I said, I find this discussion energizing and I look forward to more insights on APT in the future.  Part of this ongoing discussion is the use of the term “warfare” which I hope to address in a future post.


Why I Have Doubts About Whitelisting – The Reliance on the Carbon Based Lifeform

January 25, 2010

In 2009, we heard a lot of noise about whitelisting.  Whitelisting vendors and the companies that bought whitelisting products and added them to their suites have positioned whitelisting as the panacea for all of our endpoint protection problems.  The noise got so loud you would have sworn whitelisting would cure world hunger, end male baldness, and single-handedly wipe out the national debt.  Throw in the hoopla over community based prevalence data and it sounded as if we would never have malware on any endpoint again. 

I have been on record as a doubter of these magnificent claims, largely because the tools base a lot of their efficacy on one highly flawed component – the carbon based life form. 

Let me explain.

If you read the vendors’ own materials closely, whitelist and prevalence products cannot block bad things unless you lock down your endpoint environment.  I know there are some organizations that have such an environment, but they are certainly not the norm.  So for the rest of the world who are not locked down, these tools can only warn.  And whom do they warn, you ask?  The end user – the very person who got the machine into trouble in the first place. 

I have a very dear and old friend that told me something that has stuck with me for a very long time:  “remember,” he said with total authority, “half of all people are below average.”  (Note: If you find yourself either thinking too long about that last sentence or find it really insightful, please call your PC support staff and have your admin rights revoked.)  But cynicism is not enough to prove my point.  Luckily, a new study was recently released in the New York Times that provides some real insight into the mind of the end user. 

The article speaks to a study done by software maker Imperva that examined a list of 32 million passwords from RockYou (software for users of social networking sites) that was hacked and subsequently posted on the Web.  Imperva’s research on the data shows that one out of five people use easily hacked passwords such as “123456” and “password”.  I would submit that these types will be the first in line to get to places on the web that are dodgy or fall victim to social engineering.  Gartner analyst John Pescatore has some thoughts about this study from the viewpoint of passwords, but I think the study speaks to the bigger issue of having end users involved with security processes.

I do not think that it is a reach to believe that users who would pay so little mind to their passwords will blithely skate right past any warning from a whitelist or prevalence tool.  Why stop?  I clicked on it, didn’t I? After all, there is a free iPhone waiting on the other side of that warning screen. 

My cynicism is not just genetic – it is founded on years of hard-won experience.  In the 80’s I spent some of my formative years supporting some wild new idea called the Information Center where we placed user friendly (as friendly as any mainframe tool could be) tools into the hands of the end users.  Every Monday morning I spent the first hour of my day resetting scores of passwords of people who simply could not remember their password from the previous Friday.  And I knew easily half had it written on a post-it note on the monitor. 

If you need further proof simply get on any major road during the morning or afternoon commute.  In spite of warnings that texting makes you more dangerous on the road than being intoxicated to twice the legal limit, I spend my drive dodging people who are clearly engaged in critical text conversations.  Shoot, I saw someone this morning with the newspaper opened on their steering wheel.  If these people don’t care about their physical safety, why would we believe that they can be part of the security process on their endpoint computer? 

And there you have my doubts about whitelisting and prevalence tools.  It would be fascinating to do a study on the reaction of users to warnings from such tools to really support my point, and I am confident what the results would show.  After all the proof is all around us every day.  Just ask the 1% of people that use “123456” as their password.


Grading the Worldwide Malware Signature Counter

January 6, 2010

One of the fun things we did at Triumfant in 2009 was introduce the Worldwide Malware Signature Counter as a visual representation of the number of signatures being produced to address the growing number of malicious attacks.  The counter is visible from our home page and automatically increments to keep pace with the reported growth of signatures as reported by the antivirus companies. 

While the counter was meant to be illustrative of the problem, we did perform due diligence in an attempt to make it as accurate as possible given the historical signature counts at our disposal, going so far as to bring in an MIT graduate to help create the formula.  The counter is designed to take into account that a plot of historical data shows a geometric progression as the rate of growth accelerates.  I am also told it takes into account factors such as general humidity, global warming, and the falling net worth of Tiger Woods, but I digress.

The bottom line is that while yes, it was a marketing construct to draw attention to the ability of our product to detect malware without the need for signatures, we made a considered attempt at being accurate.  And with the start of the New Year, it is an obvious time to see how we performed. 

On December 31, Symantec showed 5,853,273 signatures, and our counter was at roughly 6,050,000.   So we were pretty close in our predictions, and charting the historical numbers explains why the counter was a bit high by year end. The actual growth rate of new signatures is below 100% (94%) for the year, in contrast to a 165% growth rate for 2008.  While this was slower than the previous year, there were still 3.2 million new signatures in 2009.

We will keep the counter running in 2010, and I made the proper adjustment to start the year at the 12/31/09 Symantec count because we want the counter to be fair and accurate.  Using the 2009 rates to extrapolate for 2010, we are looking at over 6 million new signatures and nearly 12 million total signatures by year end.  When you feed that data into antivirus detection rate studies such as the one recently posted by Cisco, the Signature Counter remains effective in placing the problem in perspective. 

The bottom line is that the combined weight of the growing threats and the challenges with A/V detection rates leaves a gap in endpoint protection that cannot be ignored.  There has been a lot of hype around prevalence data (Symantec Quorum) and whitelisting, but my discussions with the industry analysts all indicate that organizations are quickly finding that these technologies do not close that gap.  That is where Triumfant enters the picture, as we can detect the attacks that evade other protections.  And not only can we see the attacks, we can create a situational remediation to stop the attacks and address all of their collateral damage in five minutes or less.  Maybe you should have a look.


Antivirus Detection Rates Study Shows the Real Exposure to Your Organization

December 23, 2009

I came across a blog entry from Cisco regarding malware detection rates that I found quite enlightening. My intent is to draw it to your attention now and come back to discuss it in more depth after I have a chance to review the study further. The blog entry is called “The Effectiveness of Antivirus on New Malware Samples” by Kevin Timm of Cisco.

What I really liked about the study was the portion that showed the “detection over time” chart that captured the sliding risk as new attacks are assimilated into antivirus offerings. One of the critical differentiators of Triumfant is the ability to detect malware without any prior knowledge of the attack. This graph shows how much coverage gap exists for a new attack and how long Triumfant would be standing as the first line of defense against the attack.

Posts to our blog that deal with antivirus detection rates such as “Antivirus Detection Rates – It is Clear You Need a Plan B” are consistently the most viewed entries, so I thought this study would prove a popular read.


A Condensed Guide to the Security Fails of 2009

December 23, 2009

The past several weeks I have been posting a series I called the Security Fails of 2009.  It was designed to be a look at stories that illustrated the challenges faced in IT security as well as some of the broader issues shaping the industry. 

For your convenience, here is a recap with links:

12/10 – The Marine One Breach – illustrates the threats created by unauthorized applications.

12/14 – The Strange Case of the Missing Cyber Czar – a look at the seven months that had passed since the announcement of the position in May.  Obviously the position has been subsequently filled.  Coincidence?

12/16 – Conficker Becomes a Media Darling.

12/18 – Adobe Takes the Exploit Crown from Microsoft.

12/21 – The Heartland Payment Systems Breach – Lessons learned from the largest breach of customer data to date.


Cyber Czar Announcement Slipped Under the Door – What Does That Say?

December 22, 2009

Today it was announced that Howard Schmidt was appointed to the White House Cybersecurity Coordinator position otherwise known as the cyber czar.  Much has been written in our blog about this position since it was announced, and the timing and approach to the announcement has done nothing to eliminate the concerns previously expressed.  I have much reading to do before I comment directly on Mr. Schmidt, but I do have very strong impressions from the way it has been handled.

The position was originally announced at a press conference in late May on the Friday before Memorial Day.  Not exactly a day and time that you would select for something of importance or to maximize the impact.  Months passed as candidates not only turned down the position, but candidates like Melissa Hathaway left the government for the private sector. 

And now we get an announcement stating the position has been filled on the Tuesday of Christmas week, in a city where most of the government is closed because of a record setting snowstorm.  The announcement gets a mention on the White House blog with a picture of the President shaking hands with his new Cybersecurity Coordinator in what appears to be a hallway.  No press conference, no fanfare, no President standing at the side of the new Czar as a show of support to the position and a commitment to the idea of cyber security. 

I went to the White House press page at 11:00 am EST and there is no formal announcement.  There is news about the Enactment of the Airline Flight Crew Technical Corrections Act, something about agencies cutting spending by $19B, and some nominations that were sent to the Senate, but nothing about this position. 

I am sure there will be Obama acolytes that will line up to applaud the announcement, but I find myself angry today as I weigh what I see from the White House.  I have the somewhat unique perspective of being a marketing person in cyber security.  That means that cyber security is important to me and I have a taste of the threat against our country.  As a marketing person, I see the not so subtle signals being sent by the White House regarding this subject.  Put this in context of the amount of energy thrown at other items such as the Chicago Olympic bid, and it is reasonable to draw the conclusion that the White House is not committed to cyber security and this role.  

I would be a lot angrier if I had not spent the last year working with people at NIST, the NSA, the intelligence community and the DoD who are proactively and energetically looking for new and innovative ways to protect our government from malicious attacks.  Best of all, these groups are working together to share data and knowledge in a way that would make taxpayers happy and proud.  So I’ve seen real, actionable progress taking place long before Mr. Schmidt assumed this role.   

To be clear, I never viewed the cyber czar as some sort of mythical figure that could solve our cyber security problems with a wave of the hand, but I was hopeful that the role would serve as a way to focus attention on the problem and help create a sense of urgency toward progress.  And if that person was seen as having the “full faith and credit” of the President, it would give that person some authority to be something other than a figurehead. But that is exactly how I view this position today – a campaign promise fulfilled in the least effective way possible and with minimal authority, buried in slow press days.

This week we got news that our military drones had been hacked with $26 software, a plea was entered in the Heartland breach by the same person who pulled off the TJX breach (who used a simplistic and well known SQL injection technique to penetrate Heartland), and that Twitter was disabled completely by a DNS attack.  And we get a tepid announcement the Tuesday before Christmas on a position that it took them seven months to fill.  I’d hate to see what type of catastrophic, IT security based incident it would take to make the White House treat the problem with the seriousness it deserves.


Security Fails of 2009 – The Heartland Payment Systems Breach

December 21, 2009

This is the fifth in the series of Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009. 

In January of 2009, it was disclosed that Heartland Payment Systems had experienced an intrusion into their computers that may have compromised over 100 million customer records.  After the dust settled, the breach was found to involve 130 million customer records, pushing this breach well past the previous record represented by the 2007 TJX breach that compromised 94 million records.  Heartland processes 100 million payment card transactions per month for 175,000 merchants.

By December the attack was traced to admitted TJX intruder Albert Gonzalez who eventually entered into a plea agreement on the Heartland breach and additional charges that he hacked into Hannaford Brothers, 7-Eleven and two other unnamed national retailers.  Heartland has allocated $12.6M for the clean-up, and as of today Heartland was still settling with American Express ($3.6M) and resolving other class action suits.

The scope of the breach re-energized conversations about the efficacy of the PCI standards and the general state of fraud protection for card based transactions.  The dialogue became more interesting when Heartland CEO Robert Carr did an interview with Bill Brenner of CSO Magazine where Carr laid the blame squarely on the audits done by their Qualified Security Assessors (QSAs).  Carr’s comments were viewed by many in the security community as “disingenuous” as most believe that the source of the breach could have been eliminated if Heartland had applied some generally accepted security controls. 

PCI has long been an industry hot button, and the Heartland attack was illustrative of the issues at hand.  Heartland appeared to be in full compliance with the PCI standards, but was attacked by essentially a “garden variety” SQL injection.  In an interesting twist, Heartland’s traditional signature based tools missed the attack, but the attackers actually used antivirus software to cover their tracks and avoid detection. 

So what are the lessons learned?  Heartland demonstrates that even the most sophisticated companies in regards to IT security are still far too reliant on signature based tools and must look to new and evolved technologies to close security gaps that allow long known vectors such as SQL injection to breach their perimeters.  Heartland is also a great “exhibit A” that compliance does not equal security; it is only a temporary measure that certain standards were in place at a point in time.  Finally, in spite of calls to action to rid the card processing industry of fraud, there is not much evidence that anything other than rhetoric came from the attack, so we can fully expect to see another Heartland in 2010.


Security fails of 2009 – Adobe Takes the Exploit Crown from Microsoft

December 18, 2009

This is the fourth in the series of Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009. 

For years, Microsoft sat comfortably atop its throne as the world’s number one source for exploits.  Malware writers around the globe fattened themselves at the Microsoft trough, turning these exploits into a vast array of attacks, including the media darling of 2009, Conficker.  For years, Microsoft sat uncontested on this Mount Olympus, issuing Patch Tuesday thunderbolts to the masses and continuing to churn out code with new exploits to replace those gaps just closed with the newest patch.

In 2009 a new contender eagerly stepped into the ring, and countered with products that were equally ubiquitous and, most importantly, full of exploits.  As we entered 2009, the list of attacks that leverage exploits in Adobe products continued to steadily rise.  Eventually stories began to break claiming that Adobe had passed Microsoft as the new top dog in regards to providing exploits to the malware community.

The problem eventually prompted Adobe to announce in May that they were initiating their own Patch Tuesday process.  Even after this announcement, Adobe continued to get heat about their questionable patching policies that allowed users to download unsecure versions of the product with the assumption that they would then apply patches in a timely manner. 

I can’t imagine that this newfound notoriety was viewed with enthusiasm by the folks at Adobe.  On the positive side, you could only knock Microsoft off its perch if you were very widely deployed.  But I somewhat doubt the Adobe exec team were having “We’re Number 1” balloons distributed. 

Microsoft on the other hand was likely very ready to give up their crown.  Seizing the opportunity, Microsoft began to note that many of the browser based exploits were not an IE problem but instead could be attributed to third party utilities and other tools.  Of course Microsoft was able to create the exploit used by Conficker, so they did not retire from the game. 

So the ascension of Adobe to the leading supplier of exploits is one of my security fails for 2009.  And Lord knows the world needs more regular patches to deploy because we all know how well the patching process performs.  It is also instructive to see that the bad guys are always looking for the road of least resistance and will happily use someone other than Microsoft as their supplier of exploits.