“Patch Java and you’ll be protected against Java threats”
We seem to hear this constantly, not just in the last few months, but for years. Way back in Nov. 2011, we were told that if we had Java 6 Update 29 or Java 7 Update 1, we wouldn’t be vulnerable to the security weaknesses in the headlines. Yet with each update, vulnerabilities continue to be discovered and exploited. We even had two Java 0-day exploits included in kits before Oracle had patches prepared. Yet despite the patches, we continue to hear about new vulnerabilities...
So what to do? Based on my discussions with other pros and my own experience, I’ll be presenting a series on how to mitigate Java risks to protect your endpoints. We’ll look at proactive, immediate and long-term prophylactic measures. Here’s what you can start acting on now:
Last week we announced several new, important core security technologies that we added to our TRITON architecture. Websense ACE now includes 10 new defense innovations; seven are focused on outbound traffic to keep data theft and call-home communications contained, preventing theft or loss. Because so many of them are industry firsts, I wanted to take a moment to explain what many of these do and why we created them.
Truth is, the bad guys are stealing corporate data and avoiding detection using advanced techniques. In just the last year, we've seen key intellectual property and user identities stolen from corporations and government agencies, including some you would least expect, such as entertainment (gaming) and security companies!
Below are a few examples of how cyber criminals are going undetected, stealing your IP, and how we can stop it from happening.
Every day, organizations worldwide are targeted by data-stealing attacks. While these attacks have evolved in frequency and sophistication, many security defenses have failed to adapt. Old techniques don’t address containment against data theft and cybercrime call-home communications. The growing prevalence of cloud apps, along with increases in SSL traffic, mobility and remote users are also adding more blind spots to traditional defenses.
It’s imperative that we continue to stay up-to-date on the latest tactics and tricks. Join me this Wednesday, August 8, 2012 from 10 a.m. - 11 a.m. PT for a webinar on the seven stages of data theft. We’ll be covering each of these steps:
Reconnaissance - Targeted attackers access credentials and research online profiles, email IDs, org. chart information, hobbies and interests from social profiles to gain insight on their victims.
Lures - Designed to prey on human curiosity, web lures often link to videos or breaking news, while email lures are more business-focused on transaction and fake delivery notices.
Redirects - Users are usually directed to a survey, rogue antivirus offer or a fake web page where an exploit kit is waiting. Traditional redirects are injection attacks, while newer ones focus on social networking wall postings, fake plug-ins, fake certificates and heavily obfuscated JavaScript.
Exploit Kits - The exploit kit objective is like that of a sniper: take the shot with a malware dropper file only when an open door for tested vulnerabilities is found.
Dropper Files - This stage is what most people consider the focus of their forward-facing defenses: analyze every file that comes into the network for malware. The problem is dropper files use dynamic packers, so known signatures and patterns are not
Call-Home - This stage involves calling home for malware downloads and tools, and for sending back information, standard procedure for any successful online attack. The problem is that most defenses are only forward-facing and do not analyze the outbound traffic from infected systems.
Data Theft - This is what they are after. The ability to contain an attack and stop data theft raises many questions that we will address. Can your defenses detect password files leaving your network or the use of custom encryption on outbound files?
In addition, we’ll be covering: why current defenses are failing; today’s new security requirements; and the newest, bleeding edge advanced threat and data theft defenses to emerge thus far.
We look forward to having you join the webinar. Bring your questions and be ready to talk threats!
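The two questions the Data Theft stage poses (can you spot password files leaving the network, and can you spot custom encryption on outbound files?) both come down to inspecting egress content rather than inbound files. The script below is an added illustration written for this page; it is not Websense code and not part of the ACE or TRITON products. It assumes an outbound transfer is handed to it as a filename plus raw bytes (in practice a proxy or DLP egress tap would supply that), uses a short, assumed list of container headers whose high entropy is legitimate, and treats the 7.2 bits-per-byte threshold as a starting point to tune rather than a measured value. All sample transfers are constructed; none are real files or real credentials.

```python
import math
import random
import re

# Assumption: an outbound transfer is presented as (filename, bytes). In a real
# deployment a proxy or DLP egress tap would feed this; here the samples are constructed.

# Container/image formats whose bodies are legitimately high-entropy (compressed/encoded).
# High entropy *without* one of these headers is what we treat as "custom encryption".
# Assumption: short illustrative list, not an exhaustive magic-number table.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Bits per byte above which data is treated as encrypted/compressed (maximum is 8.0).
# Assumption: 7.2 is a starting point, not a measured threshold; tune per environment.
ENTROPY_THRESHOLD = 7.2

# Unix /etc/shadow record layout: user:$id$salt$hash:... (crypt ids 1, 2a/2b/2x/2y, 5, 6, y)
SHADOW_RE = re.compile(rb"^[A-Za-z0-9_.-]+:\$(?:1|2[abxy]?|5|6|y)\$[^:\n]+:", re.M)
# pwdump-style record layout: user:RID:LMhash:NThash:::
PWDUMP_RE = re.compile(rb"^[^:\n]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::", re.M)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def known_container(data: bytes):
    """Name of a recognised high-entropy container if data starts with its magic, else None."""
    for magic, name in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_password_file(data: bytes) -> bool:
    """True if the payload contains credential-store records in shadow or pwdump layout."""
    return bool(SHADOW_RE.search(data) or PWDUMP_RE.search(data))


def inspect_outbound(filename: str, data: bytes) -> list:
    """Return finding labels for one outbound transfer (empty list means nothing flagged)."""
    findings = []
    if looks_like_password_file(data):
        findings.append("password-file-content")
    entropy = shannon_entropy(data)
    if entropy >= ENTROPY_THRESHOLD and known_container(data) is None:
        # High entropy with no recognised compressed/image header: the "custom encryption"
        # case, which inbound signature matching never gets to see.
        findings.append(f"high-entropy-unknown-format ({entropy:.2f} bits/byte)")
    return findings


def _pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic stand-in for encrypted/compressed bytes (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample transfers: none of these are real files or real credentials.
SAMPLES = {
    "quarterly-report.txt": b"Revenue grew 4% quarter over quarter; headcount flat.\n" * 20,
    "shadow-copy.txt": (b"root:$6$saltsalt$notarealhashvalue:19000:0:99999:7:::\n"
                        b"bin:*:19000:0:99999:7:::\n"),
    "hashes.txt": b"Administrator:500:" + b"a" * 32 + b":" + b"b" * 32 + b":::\n",
    "holiday.jpg": b"\xff\xd8\xff" + _pseudo_random(4096, seed=1),
    "upload.bin": b"\x00" + _pseudo_random(4096, seed=2),
}


def scan_samples(samples=SAMPLES) -> dict:
    """Run the egress checks over every sample and return {filename: findings}."""
    return {name: inspect_outbound(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:22s} {'OK' if not findings else ', '.join(findings)}")
```

The point of the entropy check is the pairing with the container whitelist: a JPEG or ZIP is expected to look random, so flagging on entropy alone drowns an analyst in image uploads, while random-looking bytes with no recognisable header are exactly the case a signature-based inbound defense never sees. The credential-layout check is deliberately structural (field positions and hash prefixes) rather than a hash value list, so it catches a dump of any account set, not just one already known.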
With all of the crazy 2011 security breaches, exploits and notorious hacks, what can we expect for 2012? Last year’s Websense Security Labs predictions were very accurate, so these predictions should provide very useful guidance for security professionals. Here are the highlights; the full report can be downloaded here.
Read more commentary and watch the video here.
The media is buzzing with stories of state-sponsored hacking and so-called advanced persistent threats, as well as high-profile data-theft attacks by cybercriminals. So what does this mean to everyday business owners and managers, companies that aren’t defense contractors or giant corporations?
It means watch out. The wildly successful techniques used in state-sponsored attacks are moving down a malware adoption lifecycle. Yesterday’s million-dollar, well-planned, high-profile attack quickly becomes a $25 exploit kit available online to armies of low-level hackers.
This is phase two of advanced threats. This army of profit-driven hackers is using the same advanced techniques to steal any data that they can get their hands on to sell, fence or ransom. No one is safe, because traditional defenses don’t work against advanced malware. And the cybercriminals are targeting every kind and size of business.
This is the part of the story that people need to hear: While the big-name breaches get the headlines, too many companies get lulled into a false sense of security thinking that they are safe because they don’t have state secrets. Our research shows how the advanced techniques used in APT attacks move downstream. From state-sponsored groups, to criminal gangs, and ultimately to individual hackers—they are hitting any business with anything of value. Because that’s where the money is. And it’s easy pickings because their antivirus software is defenseless against these advanced methods. Here’s how we see the malware adoption lifecycle playing out in the wild:
In the first two installments in this series, I talked about getting rid of the FUD around APTs and why they should matter to you, even if you aren’t a government agency, or one of the biggest companies on earth. Now let’s get down to the controversy that is consuming a lot of bandwidth in security circles: What is an APT and how is it any different from older malware attacks out there like botnets, blended attacks, and standard binary-based viruses? So much is written about the topic, yet many people don’t really understand it and are just rehashing an old topic under a new name.
The jaded folks in the security community say that all of the talk about APTs is FUD because true APTs are very few and far between. I beg to differ. I’d say that the APT buzz is not Fear, Uncertainty, and Doubt but rather Fear, Certainty, and Damage.
Let’s start with what makes a “true” APT (all examples are real)...
Who: This is nation-state activity to penetrate another nation's or corporation's computers or networks for the purposes of causing damage, disruption or exploitation, with an endgame objective of disabling an opponent's military capability or stealing important source code to increase their own power. These guys are the special forces of the threat landscape; super skilled, buzz-cut, clean-shaven expert hackers. You’d never know who they were, however – because if I told you I’d have to kill you.
Why: Cyber warfare has been described as the fifth domain of warfare, with the Pentagon formally recognizing cyberspace to be just as critical to military operations as land, sea, air and space. It is reported that at least 100 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities. Cyber soldiers may operate as APT (advanced persistent threat) or corporate spies at times, but everything they learn is geared toward a specific nationalist objective.
What: Stuxnet is a great example of this attack method, a textbook case of an APT. The worm was discovered in July 2010 and is the first specialized complex malware to target only industrial software. It was aimed at compromising the Iranian nuclear program and believed to be the work of a well-funded group of 5-10 people over 6 months. Speculation: only a nation state has these capabilities.
Early last week I was a guest of the OWASP San Diego Chapter, who invited me to give a presentation on the Top Ten Web Hacking Techniques of 2010. An audience of nearly 50 filled the room, graciously hosted by Websense, and was treated to a sushi and sake dinner while I described and demoed the last year's latest research.
For those unfamiliar with this top ten, every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. The Top Web Hacking Techniques list acts as a centralized knowledge base, a way to recognize researchers who contribute excellent work, and a digestible way for the community to keep up with the latest trends -- a look forward.
After the presentation I got the opportunity to meet many new people and learn more about the things in Web security that most interest them. Lots of chatter about where OWASP as an organization should be heading, conversations about the latest hacks in the news, what various Web security vendors are up to, and of course, several personal appsec projects. If you are in the San Diego area and interested in the subject matter, you should really consider attending.
Google announced a number of new technologies as part of their Google Inside Search Launch (http://www.google.com/insidesearch/). One of the more interesting elements is their idea to speed up the Web with something called "Instant Pages." The basic idea is that they are taking their ability to correctly guess what a user is going to search on, and pre-loading the content from the origin server onto your local machine. Apparently, this will only work with the Chrome browser.
On the challenging side, this leads to some interesting exploit scenarios. In the past, search algorithms have been duped to have malicious pages show up in results. In those cases, although they are dangerous, the user still has to click on one of the top results to get infected. In the new scenario, the big question is if a user can be exploited by simply searching, without even clicking on a link.
Though Google has assured in a subsequent interview that they don’t believe this will be an issue due to several aspects of their technology, there still exists an interesting possibility for exploitation of unsuspecting users, as SEO poisoning continues to be an ongoing problem. Remember from our 2010 Threat Report, searching for breaking trends and current news represents a higher risk (22.4% of search results poisoned) than searching for objectionable content (21.8%).
In slightly related news, Google also announced voice recognition to search. It will be interesting to see how the rogue AV camps will also be utilizing this to their advantage in the future.
Who: These are the heavyweights of the cybercriminal world. Corporate attack and espionage is a stealthy, organised, funded activity by professional agents operating rather like the legitimate companies they hope to steal from. The worker bees are usually found beavering away with state of the art computing equipment, multiple monitors and the blinds well drawn. While the big cheeses are well connected individuals with fingers in pies and eyes firmly on the ball. Together they make a formidable team.
Why: Big Bucks. These guys are out to target company confidential data which can then be sold on to the highest bidder. There are two distinct categories within this group; one aiming long term using Advanced Persistent Threats (APT) and the other group more focused on short- to midterm financial gains.
What: The APT attack nicknamed Operation Aurora in 2009/2010 was aimed at US high tech companies including Google and Adobe. It was thought to originate in China with speculation of Government involvement. Aurora exploited a zero-day vulnerability in Internet Explorer with a goal to steal IP and modify source code.
Since President Obama announced the events in Pakistan over the past weekend, Websense has been monitoring a large wave of scams and malicious content surrounding the death of Osama bin Laden.
Today the US Government has confirmed it will not be releasing the pictures of bin Laden’s body, which should help minimize the number of people who are falling for these scams. But as the pressure builds on the US Government to release these photographs, there has been very little written on the impact this would have on the cyber-security space.
Most of these scams have so far relied on social engineering. Judging by the number of people falling for the previously mentioned scams, they have been successfully lured into believing these pictures are available. These have been successful, despite the fact that pictures have not been released.
But what if the US Government were to actually release these photographs - what would happen next?
As Chief Security and Strategy Officer for Websense my calendar is filled with customer visits, events, and meetings in different cities each month. All the time spent on planes also allows me to catch up on my reading and keep up with the latest trends and topics in the security world. While I may not have quite as many airline miles as George Clooney in Up in the Air, I like to think I am getting close. What I would like to do in this blog is share the knowledge I gain each month surrounding new insights or particularly interesting talks I have with top security executives, creating the opportunity for everyone to benefit from my travels (without the lost luggage).
If you are an IT executive, leverage me to help you with the changing landscape of IT Infrastructure and Security. My role is to listen to your needs and help you develop strong security strategies. Then I bring these needs back to Websense so that we are always on top of the latest trends and always listening to our customers and what they want out of a security solution. I also spend a significant amount of time helping CISOs develop strategies in my five areas of expertise:
This week, I am doing two presentations at CSO Perspectives 2011. I look forward to sharing the stage with two dynamic CSOs who have deep experience securing their enterprises from every attack imaginable. And they both have their own views on how to deal with a fast-paced threat environment in ”organizations without borders.”
Jerry Archer is the Senior Vice President and Chief Security Officer for Sallie Mae. We’re going to talk about what Angelina Jolie has to do with data loss prevention. Sounds interesting, right? But Jerry and I have been talking about doing this talk for some time now. It will be a great discussion.