
Malware Attack Exploits the News of President Hugo Chávez's Death


Contributed by: Ruby Yang

For the past several months, rumors about the life or death of Venezuelan President Hugo Chávez had filled the media and the Internet; on March 5, the vice president announced that the president had died after a two-year battle with cancer. Chávez's death sent ripples around the world, and everyone from heads of state to ordinary citizens has been discussing his ideals and his record as president of Venezuela. Almost as soon as the news broke, cybercriminals seized the opportunity: emails carrying malicious links are being sent that exploit not only the president's death but also speculation about his illness and the cause of death.

Every link destination confirmed so far hosted malware. The domains were either recently registered or hijacked.

An example of an email used in this attack is shown below.

The malicious link URLs confirmed so far are as follows:

  • [http://][REMOVED].tv/bbb-compln.html
  • [http://][REMOVED].su/bbb-compln.html
  • [http://][REMOVED].info/images/bbb-compln.html

Spammers routinely exploit the latest news to send emails containing links to malicious threats, and in most cases the campaigns begin less than half a day after the story breaks.

Take care when searching for news and current events. Do not open suspicious links or attachments in unsolicited email, and keep your security software up to date.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.


Offensive Language


Over the past few months I’ve noticed a disturbing trend in our industry to talk more about “offensive security.” People are writing and tweeting about “active defenses” or “strikeback capabilities” but it all points to a movement that is at best a confusing use of terminology and at worst a dangerous allocation of resources for almost any organization.

I get the appeal though. Offense is much sexier than defense. Competitions are won by scoring more points than your opponent, not by having your opponent score fewer points than you. The hero in almost every action story will eventually make the bad people pay in some violent fashion. Even within security, the discussion around successful hacks, the results of scans and pen-tests, and the latest vulnerability still dominates what we write and read.

With the increase in targeted attacks, we know that there is someone behind the attacks. There is a real, live person running the attack, and wouldn't it be great if we could cause them some frustration and maybe even fear?

But the cold reality is that affecting any network or system outside of your own organization's responsibility will create a ton of liability for you, with potentially little effect on the attacker. Do you know that the IP address that is the source of the attack is owned by the attacker, or is it an unknowing bot? Are even the command-and-control IP ranges owned by the attacker, or are you impacting another victim?

So striking back shouldn't even be discussed, but what about "active defenses"? Well, in my opinion we already have less sexy-sounding but more accurate names for this idea: incident handling and intelligence.

Incident handling covers a wide set of activity, but in my experience many organizations need to focus on the basics of Identify, Contain, Eradicate, and Recover before they get into advanced plays like honeynets. Still, there are numerous things you can do within your own systems to frustrate and impact an attacker. Look at the whole process of targeted attacks and understand how you can respond against not only Incursion, but Discovery and Capture as well.

Intelligence is the real frontier for how we can "actively" improve our defenses. Being able to correlate the particular markers within an attack to the controlling persons is very valuable. If you know who is attacking you in addition to what, you're able to go beyond responding to what your logs are telling you and focus your defenses on the known methods in use and the objectives the attacking persons are trying to accomplish. But intelligence can't be done alone. We must share information in a trusted environment to create as comprehensive a picture as possible of what those attackers are capable of doing. I'm hopeful we'll see great strides in this area in the new year.

Symantec AutoSupport for Backup Appliances is now LIVE


Have you ever wondered whether your appliance issues could be resolved even before they appear at your end (i.e., by a system that proactively monitors your appliances and automates issue resolution)? Symantec is committed to simplifying and improving the support experience for its customers. Built on Symantec's service automation strategy, the Symantec AutoSupport framework provides proactive and automated support services to its appliance customers.

Starting February 4, the Symantec Secure Operations Center (SOC), an integral part of AutoSupport, began monitoring backup appliances all over the world: processing the alerts received from Symantec NetBackup and Backup Exec appliances, and creating support tickets with Field Services for hardware-related issues and with Enterprise Support Services for non-hardware-related issues. Symantec AutoSupport requires that the CallHome functionality be enabled on the backup appliances and that the appliance be registered at the MyAppliance web portal (https://my.appliance.symantec.com/).

Enable Symantec AutoSupport today and enjoy the benefits of proactive support.

For detailed information: AutoSupport Overview | AutoSupport FAQ

Part III: Design Considerations for Mobile - Images


One question that constantly comes up in conversations about mobile web design is how to deal with images. There are several considerations when including images in a mobile web design: resolution, size, and image complexity.

Resolution

Since new mobile devices with bigger and better displays are constantly being introduced, image resolution (also known as pixel density) is a moving target. Currently, the highest-resolution mobile device is the HTC One at a resolution of 460 pixels per inch (ppi). That will of course change, so the visual designer needs to remain vigilant. Mobile resolutions are much higher than the good old 72 ppi desktop, so although an image from a desktop site will look OK on a mobile device, the smaller ones may not look very good when the user chooses to zoom in. To prevent low-quality, blurry images, multiple size options should be available so that device media queries can select the correct size.

Wrapping one's head around resolution in relation to image size is a tough one.

As the pixel density of a device goes up, the relative size of the asset appears smaller. Imagine a 1 inch x 1 inch square image on your average 72 ppi desktop or laptop monitor. This square will contain 72 pixels across and down. Because mobile devices have much higher resolutions, that same 1 inch square will no longer appear 1 inch on the mobile screen. On the Motorola Xoom's 160 ppi screen, for example, it would appear to be just under a half-inch square. On the iPhone 5 with 326 ppi, that same 72-pixel square would appear to be just under a quarter of an inch. This is because an image can never change its pixel size. This is essential to understand when making interactive assets for the web. If your image button is less than a quarter inch on a mobile device, your user will never be able to touch it easily. Buttons and links are best done in code so their sizes can adjust easily to changing device resolutions.

Image Complexity

The best way to manage how web images are viewed from device to device is through responsive design where a completely different image and cropping can be used based on the device size and resolution, but not everyone can recode their site. One way to solve this is to use simpler images overall. Imagine a whole website viewed at a quarter its normal size. Fewer and less complex images will still be understandable at that size. With multiple size options available through media queries, the user will be able to zoom in on that image to see it more clearly. Even if the site is restructured through CSS to be better formatted on mobile devices, where the user does not have to zoom in to read the content, those images will still need to be smaller. They need to be simple enough to convey their message without interfering with navigation and content in the limited mobile space.

As you can see, along with all the other considerations of relevance, appropriateness, aesthetics, brand compliance, and even cost, there are also mobile considerations when choosing an image for your web site. A designer just can't go through the average stock art repository and select any image. They must also consider the actual image size in relation to the ever-changing resolution of mobile devices, how clear it will be, and how it can simply relay the necessary information without overwhelming the rest of the small page. Choose wisely.

Related Posts: Part I: Design Considerations for Mobile | Part II: Design Considerations for Mobile – No Hover State!

DeepSight NextGen Preview Portal is live


The DeepSight Next Generation Portal Preview is live for all DeepSight Subscribers.

https://preview.deepsight.symantec.com

In the email that was sent there is a survey link that product management is using to collect feedback from users for continuous improvement.

Please log in and take a look around. The new portal will be going live soon, so be prepared for these changes.

Connect Dev Notes: 11 Mar 2013


User Facing: Desktop

  • Added code that allows users to save search results to the notifications system so they can be notified when new content is posted that matches their search results.
  • Added a new, more visible, "alert banner" that will display at the top of Connect pages to alert users of important and/or special announcements. The alert banner will display until the user clicks a dismiss button.
  • Updated the featured article carousels on Community overview pages with new, more visible, navigation.
  • Updated the code behind the Facebook share widget to use the latest working code provided by Facebook.
  • Changed our date logic so the "time ago" date format is never displayed on cached pages (that are served to unauthenticated users) or on pages published in the Security Response blog area.
  • Added an API that allows external systems to update and display a user's status message.
  • Added intelligence to the add/edit forms to keep users from posting content types, like downloads, in communities that don't support that content type (not all communities support all content types).
  • Resolved an issue with the activity feed in the IT Trends communities where comments in the feed were being attributed to the author of the initial post and not the author of the comment.
  • Fixed an issue with browser "jumping" when a user selected a machine translation from an article page.

User Facing: Mobile

  • Fixed an issue that caused a system error when users accessed their private message mailbox via the mobile UI.
  • Added featured discussion threads back to the top of forums (along with a button to easily hide them).

Admin Facing

  • Fixed an issue with the "Move discussion" functionality that was not setting the timestamp on moved discussions nor was it disabling the source comments after they had been moved to a new target discussion.

Performance Wins

  • Refactored the code that generates the cached "top contributors" blocks to be more efficient.

Behind the Scenes

  • Added code to our RSS engine that properly escapes uploaded files that have spaces in their names. File names with spaces were causing Connect to generate invalid RSS (when the feed included an article with a file attachment that had spaces in its filename).

Enterprise Vault.cloud: Support for Exchange 2013 and Ingestion Process


Today we are announcing that Enterprise Vault.cloud supports journal archiving from Microsoft Exchange Server 2013, which is great news for our customers considering an upgrade to the new platform. It is also great news for organizations that may not have an archive in place yet, but are looking to add one to help streamline their migration process (more on that here), while meeting their long-term information retention requirements and eDiscovery needs.

Any time I discuss the migration process with a customer, the conversation almost always turns to ingestion, which makes sense (if you are taking it out of one place, you likely need to put it in another place, right?).

Let’s cover what I mean by “ingestion” when talking about Enterprise Vault.cloud – this is a carefully outlined process followed by our specially-trained Data Management team that allows us to import our customers’ legacy information into Enterprise Vault.cloud. With so many organizations currently considering a move to a cloud archive, this is an important piece of the process. Some of these organizations have an existing on-premise archive and want to migrate to a cloud service, while other organizations are deploying an archive for the first time.

In either instance, these customers have legacy data that needs to be ingested into Enterprise Vault.cloud in order to meet their long-term information retention requirements. They also want to give their end users the ability to search, retrieve and restore business-critical information that may no longer reside in their inboxes.

Below are responses to some of the frequently asked questions I get about this process:

What do you mean by legacy data?

Legacy data means information stored in an old or obsolete format that is difficult to access or process. Some examples include:

  • Local archives (e.g., PST/NSF files) on desktops, laptops and servers
  • Email stores (e.g., Microsoft® Exchange and IBM Domino®) on servers
  • Legacy email archives (e.g., EMC EmailXtender®, Zantaz®, Mimosa®)
  • Backup tapes

What formats of legacy data do you accept?

The Data Management team accepts data from customers in a variety of formats including PST, EML, MSG and NSF.

Is chain of custody preserved throughout the ingestion process?

Yes. Each team member is focused on preserving chain of custody throughout the ingestion process and working with the customer to ensure that their legacy data is properly ingested into the archive.

Is legacy data indexed and available for search in the archive?

Yes. Information is indexed as part of the ingestion process and then made available for search to end users via their personal archives and to administrators via the discovery archive.

Can you preserve folder structure for my users upon ingestion?

Yes. If you provide us with the legacy data in PST format, the Data Management team can preserve folder structure upon ingestion so that users see their legacy folder structure within their personal archives.

Can legacy data be exported out of the archive?

Yes. Information can be exported out of the archive in EML, PST, MSG, and NSF formats, with or without EDRM XML files, and this includes anything that was converted during import (it gets converted to the requested format on export when necessary).

How can I get more information on this process?

Please contact your Symantec account manager or reseller today for more information or call 877-253-2793.

Additional resources

Symantec.com: Enterprise Vault.cloud

Symantec.com: Exchange Archiving


Why you might disable Strict Name Checking and Authentication Loopback on Enterprise Vault Servers

A few days ago I hit an issue on one of the new Enterprise Vault servers that I had added to my Enterprise Vault site. I was busily browsing different folders and comparing, via network browsing, different aspects of the servers to make sure that they appeared to be the same. I was doing this whilst multitasking on a different machine. Every now and again, whilst installing updates, changing settings and so on, I would get to a state where I browsed the remote 'new' machine and got errors like:

"Access denied"

or

"No network provider accepted the given network path"

A reboot, and 15 minutes later when I got back to the task, it seemed to work... but then, on my final bit of configuration, I was *actually* concentrating, and hit these errors again.

The reason was that I was attempting to access the server remotely using a UNC path involving the machine alias, and that doesn't work in Windows 2008 R2 x64. For example, the physical name of my second server was SRV18V01, but I had created a DNS alias for it called EV2... to make my life easier (so I thought). Browsing \\SRV18V01 worked, but browsing \\EV2 didn't.

This is all down to Strict Name Checking and the Authentication Loopback check:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Under Parameters, add a new DWORD value. The name is DisableStrictNameChecking, and the value should be set to 1.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Under Lsa, add a new DWORD value. The name is DisableLoopbackCheck, and the value should be set to 1.

Restart after setting both.

This fixed the problem for my network browsing by alias.
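As an added example (not part of the original post), here are the same two changes in PowerShell, with a narrower alternative for the second one: rather than switching the loopback check off for every host name with DisableLoopbackCheck=1, Windows lets you list just the alias in the BackConnectionHostNames multi-string value under Lsa\MSV1_0 (Microsoft KB 896861), which keeps the authentication-reflection protection for every other name. The alias EV2 is the post's; the script assumes an elevated prompt on the Enterprise Vault server.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the Enterprise Vault server. $Alias is the DNS alias from the post.
$Alias  = 'EV2'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv    = Join-Path $lsa 'MSV1_0'

# 1. Strict name checking: the post's setting. The SMB server will then accept
#    any name that resolves to it, not only its computer name. (The narrower
#    option here is to list specific aliases in the OptionalNames REG_MULTI_SZ
#    under the same key.)
New-ItemProperty -Path $lanman -Name 'DisableStrictNameChecking' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Loopback check: instead of DisableLoopbackCheck=1 (which disables the
#    check for every host name), add only the alias to BackConnectionHostNames
#    (REG_MULTI_SZ), preserving any existing entries and avoiding duplicates.
$current = (Get-ItemProperty -Path $msv -Name 'BackConnectionHostNames' `
    -ErrorAction SilentlyContinue).BackConnectionHostNames
$names = @($current) + @($Alias) |
    Where-Object { $_ } |
    Select-Object -Unique
New-ItemProperty -Path $msv -Name 'BackConnectionHostNames' `
    -PropertyType MultiString -Value ([string[]]$names) -Force | Out-Null

# 3. If the blanket switch was set earlier (as in the post), say so, so it can
#    be removed once browsing by alias works with the narrower setting.
$blanket = (Get-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' `
    -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($blanket -eq 1) {
    Write-Warning "DisableLoopbackCheck=1 is set under $lsa; consider Remove-ItemProperty now that '$Alias' is listed in BackConnectionHostNames."
}

# 4. Show the resulting values. Both settings take effect after a restart.
Get-ItemProperty -Path $lanman -Name 'DisableStrictNameChecking' |
    Select-Object DisableStrictNameChecking
Get-ItemProperty -Path $msv -Name 'BackConnectionHostNames' |
    Select-Object -ExpandProperty BackConnectionHostNames
```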

Deliver Real Economic Value By Reducing IT Failures


Information Technology (IT) is tightly integrated with the business; it has transformed the way we do business. Nicholas G. Carr points out in his seminal Harvard Business Review article "IT Doesn't Matter" that the capital investment in IT is significant: "nearly 50% of capital expenditures by American companies and more than $2 trillion a year globally are spent on IT. …no one would dispute that information technology has become the backbone of commerce. It underpins the operations of individual companies, ties together far-flung supply chains, and, increasingly, links businesses to the customers they serve. Hardly a dollar or euro changes hands anymore without the aid of computer systems". Technology is the fundamental infrastructure for the modern business.

Carr continues with; “Today, an IT disruption can paralyze a company’s ability to make products, deliver its services, and connect with its customers, not to mention foul its reputation. …even a brief disruption in availability of technology can be devastating.”   

Roger Sessions also attempts to quantify the problem in "The IT Complexity Crisis: Danger and Opportunity", in which he calculates that "IT failures are costing businesses $6.18 trillion per year worldwide. …The cost of IT failure is paid year after year, with no end in sight. … If this trend continues, within another five years or so a total IT meltdown may be unavoidable".

To substantiate Roger Sessions' calculation, Gene Kim (the founder and former CTO of Tripwire, Inc.) and his colleague Mike Orzen ("Lean IT") reexamined Sessions' numbers and calculated "the global impact of IT failure as being $3 trillion annually". Relative to the IT infrastructure alone, a 2010 study by the Ponemon Institute estimates a whopping 2.84 million hours of annual data center downtime worldwide; with an estimated average of $300k per hour of outage, that would translate into a total loss of $426 billion a year.

So whether it is $6 trillion, $3 trillion or even a mere $426 billion annually, the losses due to IT failure are huge, they are real, and we don't have to wait for a pandemic, catastrophe or "Black Swan" event to strike. While the numbers are based on a large number of calculations and extrapolations, the crucial point is that these losses demonstrate the staggering impact IT failures have on business. It is also important to note that these losses do not represent "potential for loss" or even "expected loss"; these are actual realized losses from IT failures, and they are happening now.

The sheer size of the losses from IT failures should serve as a wake-up call to anyone that either our target or our aim is considerably off. We absolutely must start thinking differently, not only about where we are devoting our efforts but also about where we place our emphasis. In these difficult economic times, a lot of economic good can come from addressing the real and serious risks related to information technology. Understanding how to prevent the continuing spiral of IT failures will have substantial benefits for our companies.

Clearly, IT is ‘too big to fail’ but it appears that to date most organizations have been merely guessing at the solutions.  We need to change our thinking to avoid the value-traps that bias our judgment on how to invest wisely in IT.  In the words of Nicholas G. Carr’s New Rules for IT Management; we need to avoid the real risks and prepare our organizations for “technical glitches, outages, and security breaches, shifting attention from opportunities to vulnerabilities”. 

Microsoft Patch Tuesday – March 2013


Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 20 vulnerabilities. Twelve of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the March releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Mar

The following is a breakdown of the issues being addressed this month:

  1. MS13-021 Cumulative Security Update for Internet Explorer

    Internet Explorer OnResize Use After Free Vulnerability (CVE-2013-0087) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer saveHistory Use After Free Vulnerability (CVE-2013-0088) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CMarkupBehaviorContext Use After Free Vulnerability (CVE-2013-0089) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CCaret Use After Free Vulnerability (CVE-2013-0090) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CElement Use After Free Vulnerability (CVE-2013-0091) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer GetMarkupPtr Use After Free Vulnerability (CVE-2013-0092) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer onBeforeCopy Use After Free Vulnerability (CVE-2013-0093) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer removeChild Use After Free Vulnerability (CVE-2013-0094) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CTreeNode Use After Free Vulnerability (CVE-2013-1288) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  2. MS13-022 Critical Vulnerability in Silverlight Could Allow Remote Code Execution

    Silverlight Double Dereference Vulnerability (CVE-2013-0074) MS Rating: Critical

    A remote code execution vulnerability exists in Microsoft Silverlight that can allow a specially crafted Silverlight application to access memory in an unsafe manner. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the current user. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  3. MS13-023 Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

    Visio Viewer Tree Object Type Confusion Vulnerability (CVE-2013-0079) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Visio Viewer handles memory when rendering specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

  4. MS13-024 Vulnerabilities in SharePoint Could Allow Elevation of Privilege

    Callback Function Vulnerability (CVE-2013-0080) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could elevate their access to the server after obtaining sensitive system data.

    SharePoint XSS Vulnerability (CVE-2013-0083) MS Rating: Critical

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could potentially issue SharePoint commands in the context of an administrative user on the site.

    SharePoint Directory Traversal Vulnerability (CVE-2013-0084) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could elevate their access to the server after obtaining sensitive system data.

    Buffer Overflow Vulnerability (CVE-2013-0085) MS Rating: Moderate

    A denial of service vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could cause the W3WP process on an affected version of SharePoint Server to terminate, causing the SharePoint site, and any other sites running under that process, to become unavailable until the process is restarted.

  5. MS13-025 Vulnerability in Microsoft OneNote Could Allow Information Disclosure

    Buffer Size Validation Vulnerability (CVE-2013-0086) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft OneNote allocates memory from parsing a specially crafted OneNote (.ONE) file.

  6. MS13-026 Vulnerability in Office Outlook for Mac Could Allow Information Disclosure

    Unintended Content Loading Vulnerability (CVE-2013-0095) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft Outlook for Mac 2008 and Microsoft Outlook for Mac 2011 load specific content tags in an HTML5 email message.

  7. MS13-027 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

    Windows USB Descriptor Vulnerability (CVE-2013-1285) MS Rating: Important

    An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

    Windows USB Descriptor Vulnerability (CVE-2013-1287) MS Rating: Important

    An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

    Windows USB Descriptor Vulnerability (CVE-2013-1286) MS Rating: Important

    An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Win $100 Amazon gift card for a 90 second survey!

The Symantec Endpoint Protection Team is conducting customer research through a simple survey. In less than 2 minutes, share your thoughts on SEP 11 versus SEP 12 and helpful resources, and give the product team your perspective on your IT security challenges.

Please take one of the following surveys:

Current SEP 11 Customers | Current SEP 12 Customers

To thank you for your time, we'll award you 25 Symconnect points and enter you into a drawing for a $100 Amazon gift card, awarded in April 2013.

Microsoft Monthly Patch Release (Microsoft Patch Tuesday) – March 2013


Welcome to this month's Microsoft patch release blog. This month, seven security bulletins have been released covering 20 vulnerabilities. Twelve of these are rated 'Critical'.

As always, we recommend the following security measures as best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Do not handle files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the March releases is published at the following page:
http://technet.microsoft.com/ja-jp/security/bulletin/ms13-Mar

Details on some of the issues addressed by this month's patches are given below.

  1. MS13-021 Cumulative Security Update for Internet Explorer

    Internet Explorer OnResize Use After Free Vulnerability (CVE-2013-0087) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer saveHistory Use After Free Vulnerability (CVE-2013-0088) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CMarkupBehaviorContext Use After Free Vulnerability (CVE-2013-0089) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CCaret Use After Free Vulnerability (CVE-2013-0090) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CElement Use After Free Vulnerability (CVE-2013-0091) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer GetMarkupPtr Use After Free Vulnerability (CVE-2013-0092) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer onBeforeCopy Use After Free Vulnerability (CVE-2013-0093) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer removeChild Use After Free Vulnerability (CVE-2013-0094) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CTreeNode Use After Free Vulnerability (CVE-2013-1288) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  2. MS13-022 Vulnerability in Silverlight Could Allow Remote Code Execution

    Silverlight Double Dereference Vulnerability (CVE-2013-0074) MS Rating: Critical

    A remote code execution vulnerability exists that affects Microsoft Silverlight by allowing a specially crafted Silverlight application to access memory in an unsafe manner. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  3. MS13-023 Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

    Visio Viewer Tree Object Type Confusion Vulnerability (CVE-2013-0079) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Visio Viewer handles memory when rendering specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  4. MS13-024 Vulnerabilities in SharePoint Could Allow Elevation of Privilege

    Callback Function Vulnerability (CVE-2013-0080) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could obtain sensitive system data and then elevate their access to the server.

    SharePoint XSS Vulnerability (CVE-2013-0083) MS Rating: Critical

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could issue SharePoint commands in the context of an administrative user on the site.

    SharePoint Directory Traversal Vulnerability (CVE-2013-0084) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could obtain sensitive system data and then elevate their access to the server.

    Buffer Overflow Vulnerability (CVE-2013-0085) MS Rating: Moderate

    A denial of service vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could cause the W3WP process on an affected version of SharePoint Server to terminate, making the SharePoint site, and any other sites running under that process, unavailable until the process is restarted.

  5. MS13-025 Vulnerability in Microsoft OneNote Could Allow Information Disclosure

    Buffer Size Validation Vulnerability (CVE-2013-0086) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft OneNote parses a specially crafted OneNote (.ONE) file and allocates memory.

  6. MS13-026 Vulnerability in Office Outlook for Mac Could Allow Information Disclosure

    Unintended Content Loading Vulnerability (CVE-2013-0095) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft Outlook for Mac 2008 and Microsoft Outlook for Mac 2011 load specific content tags in an HTML5 email message.

  7. MS13-027 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege

    Windows USB Descriptor Vulnerability (CVE-2013-1285) MS Rating: Important

    An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

    Windows USB Descriptor Vulnerability (CVE-2013-1287) MS Rating: Important

    An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

    Windows USB Descriptor Vulnerability (CVE-2013-1286) MS Rating: Important

    An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Uncertainty Requires Intentionality


With the continued uncertainty lingering in the global economy, I think it is likely that spending on new information security initiatives will continue to be highly scrutinized.  This isn’t to say that security initiatives won’t go forward, just that CISOs and Security Directors will probably have to do more to justify the need for their organization to part with precious capital resources needed to fund these projects.  As a result, security leaders will have to be very intentional in their approach to security in order to secure funding needed to improve or expand security operations. As I thought about how I might approach this challenge if I were back in the role of CISO, there are three key actions I would recommend to lay a foundation for justifying any new security initiatives.
 
Take Inventory
 
Before embarking on any new initiatives, I think that it is very important for organizations to take inventory of the security solutions, processes, and controls that it already possesses.  This is important from the perspective of documenting past value delivered, and to address key questions about the existing arsenal of security technologies.  This inventory process should answer the following questions:

  • Are we fully utilizing all of the capabilities of the solutions we already own?
  • What overlaps exist in the capabilities of the solutions we already own?
  • From a people and process perspective, who is responsible for the various security processes?  Are there overlaps in any of these or opportunities to gain efficiency in operations?
  • Are the solutions well integrated and supporting processes automated to their fullest extent or is there a lot of manual effort required to get solutions to work together?
  • Do the existing solutions provide you with the visibility needed to reliably determine the ongoing state of security for the organization?
  • Can we demonstrate any key wins or past value delivered from prior security spending?

By determining the answer to these questions, you should have a good understanding of opportunities for better or more efficient use of existing capabilities and have identified any obvious gaps that should be addressed.
 
Assess Risk
 
Risk assessment and measurement should be part of your organization’s DNA and should be a key driver of information security governance.  If you don’t already have a formal risk management process in place, there are a number of formal methodologies available and all have their strengths and weaknesses.  My personal opinion is that risk assessment should be as lightweight as possible, tailored to the organization’s business culture, and integrated into Enterprise Risk Management.  Risk assessment and measurement should not be overly cumbersome nor require an advanced degree in quantum physics to understand.  My experience has been that simpler is better when it comes to risk assessment and measurement.  For those that like absolute precision in risk measurement, I would argue that management judgment will always be a factor regardless of mathematical precision, so education and accountability for risk management decision making is far more important than developing and using an overly complex risk scoring system.
 
As it relates to budget justification, risk assessment and measurement should serve two key purposes:  demonstrating value delivered from existing security controls and identifying gaps in security coverage.  Your risk measurement process should account for the implementation of security controls in order to demonstrate where existing controls manage risks and to what extent.  Where gaps are identified, there are a number of questions that should be asked and answered:

  • What is our risk exposure in terms of quantitative and qualitative impact to the business?
  • Could the business live with the worst-case scenario playing itself out for a given risk?
  • Is there a legal, regulatory, or ethical requirement to address a given risk exposure?
  • Can we leverage the capabilities of existing controls or re-engineer business processes to address this risk?
  • How much should be spent in capex and opex to bring risk to acceptable levels?

Through this process, CISOs gain an understanding of what risks should be given priority for management and whether they need to introduce new capabilities to address those risks. 
 
Streamline and Automate
 
While I would argue that information security should be (and in many organizations already is) a business enabler, I would also argue that as managers, CISOs have a fiduciary responsibility to balance the equation of risk management, cost containment, and operational efficiency as part of the organization’s overall responsibility to deliver shareholder value.  This leads to the third action I would recommend – looking for opportunities to streamline and automate security operations. 
 
Eliminating redundancy in job functions, operational processes, and security products can provide cost savings that can be used to fund new initiatives.  CISOs should also push their teams to review operational processes to look for ways to reduce process complexity and to eliminate or streamline manual processes through workflow and process automation. 
 
Key to this action is examining the security portfolio looking for areas to improve product integrations.  There may be places where it makes sense to trade off best-of-breed functionality for improved integration and automation with other parts of the security portfolio.  This, of course, is driven through a balanced approach to risk management and operational efficiency.
 
Conclusion
 
At the end of the day, most CISOs I talk to recognize that in order to be a business enabler and to have a “seat at the table” for business decisions, they must demonstrate that they understand their business’ needs and drivers.  The actions I proposed in this post are one way to demonstrate that understanding and to demonstrate security as a business enabler.  By being highly intentional in the approach to defending requests for security spending, we can demonstrate the positive impact that security has on business operations and that we are maximizing the security investments that the company has entrusted us to make and manage.

State vs. Private Cybersecurity: A League of Their Own


* This article originally ran on StateScoop on March 12, 2013.

One of the frequent questions we get from state CIOs is about benchmarking:

“How are our cybersecurity efforts stacking up against other states’ initiatives, federal policies, and private-sector implementations?” our customers will ask.

It’s a difficult question to answer, especially considering how vast and varied the efforts of individual state governments and federal departments tend to be. However, thanks to some in-depth analysis from Deloitte and the National Association of State Chief Information Officers (NASCIO), we have a reasonably clear picture of how states and the private sector compare.

Sadly, that comparison isn’t pretty.

Deloitte’s study (presented at NASCIO’s conference in October) shows state governments significantly behind similarly sized private-sector entities in securing sensitive data.

(The Deloitte/NASCIO study can be downloaded here.)

Moreover, many states and private organizations (particularly large financial services firms) handle the very same types of personal financial information, and yet the IT security funding allocated by state governments is dramatically lower.

We’re not even in the same ballpark. And that, from an industry perspective, is a major problem.

For one thing, state government agencies sit near the top of the list of targets for cyber criminals. In fact, we’ve already witnessed a handful of very public health information breaches in recent months.

To shed more light on the subject, Symantec has done some internal benchmarking (in both financial and health-related areas) and found the same basic pattern as Deloitte: Even though states are managing information that’s every bit as sensitive if not more so, state investments in—and planning for—cybersecurity have been lagging significantly.

To make matters worse, most state government IT operations are still deeply federated—with each internal agency running its own IT security. Thus, when disparate IT security infrastructures struggle to communicate, it makes the state’s security posture weaker still.

On the bright side, cybersecurity issues are gaining traction among state legislators and governors. Quite often, private sector benchmarking can play an important role in making this case—reminding state officials of both steady improvements and lingering weaknesses.

And that’s a useful exercise in any sector, at any level.


RSA Show Floor Survey: Mobility making it easier for insiders to take IP


The show floor at RSA was buzzing with discussion of attacks against critical infrastructure and state-sponsored attacks – the words hacktivist and A.P.T. were uttered frequently. But, while cyber-espionage was making headlines from the show, Symantec took the opportunity to survey information security pros on insider issues related to data access and mobility. The findings show that although 76 percent of businesses saw cyberattacks in the past year, increased use of mobile devices is making the insider threat more relevant than ever before.

It should come as no surprise that the top three motivators for the move to mobility are: business drivers, user demand and financial savings. And, the top risks for employee-owned devices aren’t surprising either:

  • Data leakage (i.e., data taken out of company by employees via mobile)
  • Theft or accidental loss of valuable or sensitive information
  • Preventing unauthorized network or applications access from mobile

Overall, security pros are pretty realistic about mobility, with nearly half saying the benefits outweigh the risks and challenges. No one would dispute that employees agree on this point.

Recent end-user research on these issues found that 62 percent of employees think it’s okay to transfer work documents to personal devices (tablet, smartphone, laptop) and Internet file sharing services. They do this regularly. And, you can’t really blame them because they’re just looking to do their jobs efficiently. But, they also never clean up the data they transfer out, making it a prime candidate for data spills/leakage – the top risk according to information security teams.

The good news is that results from the survey at the 2013 RSA Conference indicate Infosec has high awareness of employees transferring work documents outside the business – a nearly equal 63 percent of Infosec respondents say employees think it’s okay to do so.

But, are security pros putting too much trust in employees to do the right thing? Sixty percent of Infosec respondents say that most employees in their organization are cautious in the use and handling of sensitive or confidential information. Only 43 percent of employees say this is so. We also found a significant disconnect when it comes to consequences for taking sensitive information against policy. Fifty-three percent of employees say their organization takes NO action when employees remove sensitive information that is against policy. But, ask Infosec the same question and 74 percent say they do.

What it comes down to is not only are employees comfortable tossing corporate data onto personal devices and cloud services, but they also think their organizations don’t care and aren’t going to do anything about it.

When 60 percent of employees will happily take your corporate data when they quit their job, information security teams need to pay as much attention to the insider threat as much as they do outside attackers. When unmanaged, the productivity benefits of all those employee-owned mobile devices make it that much easier for insiders to walk out the door with your data, permanently.

Symantec recommends organizations consider these best practices to enable mobility, while mitigating the risks posed by insiders:

  • Being cautious about mobility is okay; being resistant is not. Start embracing it. Organizations should take a proactive approach and carefully plan an effective mobile implementation strategy.
  • Implement policies restricting how employees can access and share sensitive data. Developing and maintaining simple policies can be a powerful step to safeguard corporate data. Make sure employees are aware that policy violations will be enforced and that theft of company information will have negative consequences to them and their future employer.
  • Understand that all data is not equal. For organizations looking for a route map to get them across the minefield that is the future of IT, understanding data, its importance and its risks is a good place to start.
  • Educate employees. Organizations need to let their employees know that taking confidential information is wrong. IP theft awareness should be integral to security awareness training. By maintaining oversight, you can ensure employees know how and when to use mobile devices and cloud services efficiently and securely.
  • Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into what IP is leaving your organization and how to prevent it from escaping your network. Deploy data loss prevention software to automatically notify managers and employees in real time when sensitive information is inappropriately sent, copied or otherwise exposed, which increases security awareness and deters theft.

To learn more about the findings from Symantec’s survey at the 2013 RSA Conference, visit: http://bit.ly/Y94d0T

Developing Tomorrow's Innovative Programmers


Science Buddies is dedicated to helping girls develop and maintain an interest in STEM learning.  In fact, 55% of Science Buddies' student-users are girls.  Science Buddies' project ideas and activities help girls to innovate, imagine, build, tinker, solve problems, and make things.

In addition, our organization helps to publicize and promote events and initiatives that encourage young female scientists and engineers, such as Introduce a Girl to Engineering Day, to our audience of 15 million teachers, students, and parents.

We couldn’t do this work without the support of our partners, including Symantec. Last month, Symantec announced more than $1 million in funding in support of STEM and literacy education, including to Science Buddies to allow further expansion of our computer science area to help enable and inspire student computer science projects.

Symantec has been a sponsor of Science Buddies since 2007 and has provided core program support and enabled ongoing development of the Computer Science interest area at Science Buddies. Through the years, Symantec and Science Buddies have partnered to celebrate and encourage K-12 computer science exploration both through the creation of new Project Ideas and through visible recognition of students conducting science experiments presenting their projects at science fairs both on the community and national level. In 2009, the company judged and issued "Clever Scientist Awards" at area science fairs. In 2010, they awarded the "Symantec Science Buddies Special Award in Computer Science" at the Intel International Science and Engineering Fair (Intel ISEF). One of the young computer scientists singled out for a special award was Brittany Wenger, then a middle school student and aspiring computer scientist. Wenger went on to win the 2012 Google Science Fair with her computer science project.

Thanks to this year's pledge from Symantec, Science Buddies plans to prototype a new science kit to further facilitate student computer science exploration. Last year, Science Buddies introduced its first round of convenient, all-in-one-box science project kits and launched the Science Buddies Store. Continued support from Symantec allows potential expansion of the computer science area at Science Buddies to include a hands-on computer science project kit for use with a Science Buddies Project Idea or with other science and engineering activities.

Symantec has been a terrific partner to Science Buddies. Their generous support has enabled us to give millions of K-12 students the inspiration, tools, and guidance they need to engage in hands-on science and engineering. We are thrilled to continue working with Symantec and salute their strong commitment to STEM education.
 

Ken Hess is Science Buddies’ Founder and President.

SMG - Steps to change root password

New Enterprise Vault Documents on Accounts and Permissions Available


Hello Partners,

As part of my new role on Connect managing the Archiving and eDiscovery Community (and Partner Community) I've just learned about a new set of documents created by the EV Content Council that you may find helpful:

You can find the necessary information on the various accounts and users that are involved in an Enterprise Vault environment, as well as the permissions required by each.
 
Enterprise Vault Accounts and Permissions
http://www.symantec.com/docs/TECH76700
 
Compliance Accelerator and Discovery Accelerator Accounts and Permissions
http://www.symantec.com/docs/TECH200788

As always, if you have any feedback on the documents or suggestions, please do leave a comment.
