Security Watch

Standards for Self-Assessed Security

The Jericho Forum proposes security vendors self-assess and certify their security capabilities. Plus: Microsoft might release IE off-cycle update; Koobface shows itself, again.

• By Jabulani Leffall
• 03/16/2010

A new self-assessment scheme proposed by The Jericho Forum and focused on security vendors could fundamentally change the way many ISVs market their operating system and network security products.

The Jericho Forum, an IT security think tank, is proposing self-policing or auto-watchdog standards for technology companies with a security niche. The SAS, in essence, gives a guarantee similar to how publicly traded companies certify their IT controls quarterly and annually after an internal review.  

If the standards -- which involve peer reviews, gathering customer satisfaction data and establishing an industry-wide validation framework -- catch on, cloud computing could be the first litmus test.

Philippe Courtot, Qualys Inc.'s CEO and Jericho Forum board member, said such an initiative will "definitively help improve the necessary transparency cloud computing vendors must deliver."

According to the SAS mission statement, the program is "designed to raise the bar for the entire security industry by asking the probing questions."

The hope here is that vendor request for proposals (RFPs) will be more honest once security firms have assessed themselves and that the peer reviews and customer comments will "expose shortcomings in the features that vendors may be claiming their offerings provide."

Again, that's the hope. Staunch opposition, legal wrangling and competing framework is sure to surface so stay tuned.

Microsoft Not Ruling Out Off-Cycle IE Update
Microsoft has added information to its previous security advisory detailing an investigation of new reports of a remote code execution bug in Internet Explorers 6 and 7.

The software giant said Friday the bug did not affect IE 8 and that it isn't and would "never rule out" issuing an out-of-band or off-cycle patch, as it has a few times before when a bug was found.

"We have seen speculation that Microsoft might release an update for this issue out-of-band," said Jerry Bryant, a senior manager with the Microsoft Security Response Center in an e-mail. "I can tell you that we are working hard to produce an update which is now in testing."

The original IE advisory had been tacked on as part of Redmond's March patch slate which was a pretty light rollout. IE has been the target of a few high-profile attacks already this year.

Bryant said that in cases like these Microsoft "never rules" out the possibility of issuing and off-cycle patch but added that the updates must be tested against all affected versions of IE on all supported versions of Windows.

Researcher: Koobface Is Back
In August 2009, a relatively new strain of malware, cleverly disguised in a scrambled moniker of a popular social networking site -- a.k.a Koobface -- first came into its own, bugging Web surfers on Facebook and Twitter.

It works like this: Once a user is infected, the worm downloads more malware on the user machine. It then spreads via sending messages to the friend's list of the infected user.

Well, Koobface has returned, according to Zscaler researchers, who said that over this past weekend, the Koobface worm "gathered steam," increasing traffic to 122 unique command and control (C&C) servers."

Botnet and automated malware operators, in this case presumably the authors of Koobface, used C&C servers to monitor, route and control attacks as well as down load critical data.

IT administrators on the lookout for Koobface can do several things to prevent their systems from being hit. Chief among them is having a defined enterprise policy on the limits and dangers of social networking. Secondly, installing more modern browsers such as IE 8, Firefox 3.x gives a processing environment better patch work and stronger security settings.

Lastly, common sense is one of the biggest deterrents of them all. If you're not sure about the link, don't click on it, unless it's a Security Advisor link giving you the low down best practices of course.