STE WILLIAMS

Rejiggering IT Security Budgets For Better Perimeter and Systems Control

As is the case in any other business, IT security leaders must contend with finite resources and as a result they must depend on smart decisions about where to target their budget to ensure they leave as few gaps as possible. The only problem, one which security folk have dealt with for years, is that they tend to be seduced by the latest innovation over the fundamental management tools necessary to implement enough control over network and system infrastructure to properly manage their risks.

“When it comes to security budget, security organizations are very much like my children: they want to buy whatever they’ve seen last and is shiny and new and promises unbelievable results,” says Alan Shimel, managing partner of The CISO Group. “A serious dose of pragmatism and maybe just a little maturity would go a long way.”

Shimel says he’s written about it and stomped his feet until blue in the face, mostly to no avail. It’s a trend that Eric Cowperthwaite, former CISO of Providence Health and Services and now vice president of advanced security and strategy for CORE Security, has seen unfold time and again.


“All too often the spending is on things that will provide for compliance with laws and regulations or that are glitzy and sexy and in the trade news a lot,” he says, explaining that an organization may make big investments in next generation firewalls or a huge single sign on system while failing to attend to simple tasks like patch management or configuration management on their systems. “We see organizations being exploited by social engineering and the compromise of systems that were not patched, even though the vulnerability was known for weeks, even months.”

On the network side, network change management and firewall rule management fall squarely within this “blue-collar, meat-and-potatoes” kind of security management market, Shimel says. “It’s just not as sexy to the guy who is looking for the security flux capacitor.”

These kinds of management tools, which offer more network controls and enable policy orchestration, are foundational but may be a budgetary afterthought. And the longer they’re back-burnered, the harder it may be politically to add them in after the fact. As Shimel explains, if an organization spends several million over the course of two to three years to pick up next generation firewalls and update traditional firewalls, coming in after that is over and asking for another half a million dollars for firewall management to keep the rules properly configured on those systems may anger the CFO or CIO.

But as IT organizations look into more iterative devops processes that require changing the network more frequently than ever, and as they start to dive into projects such as software-defined networking to increase the dynamic nature of the network, they may well be forced to bake security and change management into the budget cycle much earlier in the process, says Jody Brazil, president and CTO of firewall management firm FireMon.

“All of these great things get spun up at the click of a button within minutes of saying go and then either the access doesn’t exist, the access control systems aren’t in place,” says Brazil, “or the reverse – access is automatically allowed but now you don’t have scanning set up to run against this new system or the IPS isn’t configured in tune for the fact this is a new application.”

Brazil believes that as organizations are dragged into this more “operational world” of networking, security management is getting thrust front and center. He believes there could be a tide shifting, as he’s seen clients begin to worry more about those security management needs first before sparing change for those shiny new toys. For example, he mentions a customer in the federal space that is engaging his company before putting in a new slate of network security tools and next generation firewalls, so the agency can lay the groundwork for day-to-day controls first.

“Security management is becoming part of that budget conversation,” he says. “Whereas we often used to get brought in after the fact, they’re starting with management and saying ‘Let’s get this figured out first, then we’ll worry about expanding the rest of the infrastructure.’”

Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.

Article source: http://www.darkreading.com/perimeter/rejiggering-it-security-budgets-for-bett/240162636

Microsoft “failed update” phish might well sound believable – watch out!

We get an awful lot of spam in our spamtraps.

So it’s easy to get inured to spam, if you spend lots of time looking at it for research purposes.

But from time to time we find spams that are interesting enough – or at least intriguing enough – to write about anyway, such as the time 30-year-old Alex (NS, ND, GSOH) from Ukraine tried to sell us his liver (or part of it, at least).

When spammers add sickening disrespect to their regular criminality, we sometimes can’t sit on our hands about it, as when crooks used the aftermath of the Boston Marathon bombings to spread malware.

And occasionally we find an attempt at phishing that we grudgingly have to admit shows a resourceful sense of occasion.

We don’t respect it, and we disapprove as much as ever, but we have to say, “That’s not so far-fetched that you’re bound to delete it without a second thought.”

→ Phishing, don’t forget, is where cybercrooks try to charm/trick/persuade/terrify you into logging in to verify/check/win/dispute something such as a username/setting/iPad/invoice… only for you to realise, once you’ve put in your username, password and other details and clicked [Submit], that you were on an imposter site all along.

As you’ve probably heard, and perhaps experienced first hand if you are a Windows user, Microsoft’s Patch Tuesday updates have suffered some clumsiness lately.

In September, some updates turned up over and over (or “over and over and over”, as one reader put it) until Microsoft pushed out updates to the updates and things settled down.

So this email, though not exactly expected, isn’t outrageously obviously bogus at first sight, and might even relate to problems you’ve experienced recently:

Windows Installer package update is required to automatically eliminate obsolete patches in your sequence of patches as a report on our server indicates an error code (0x700) as a result of a failed update

Every installer sequence patch is being linked to an email account. Fill in the error code and other details to automatically fix this error

The link you’re asked to follow should be outrageously obviously bogus, however, since it neither links to Microsoft, nor uses HTTPS (secure HTTP):

The lack of HTTPS is cast into harsh relief when what looks like an official Microsoft login screen appears, where you would expect a secure page:

In short, be careful with emails you weren’t expecting, and be sure to check that the details add up – in this example, the missing HTTPS and the curious domain name don’t add up at all.
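The two tells called out above (no HTTPS, a domain that isn’t the brand’s) are exactly the checks a mail filter or a cautious reader can apply mechanically. The following is an added example, not code from the original article: a small Python link check that flags a non-HTTPS scheme, a host outside an expected-domain list, and the trick of putting the brand name in the userinfo part of the URL. The domain allowlist and the sample links are constructed for the demo; none of them are the URLs from the phish.

```python
"""Added example (not from the Naked Security article): flag email links whose
scheme or host does not match the brand they claim to come from. The allowed
domain list and the sample URLs below are constructed for this demo."""
from urllib.parse import urlsplit

# Constructed allowlist: hosts we would accept for a genuine Microsoft
# account or update page. A real gateway would maintain one per brand.
MICROSOFT_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com")


def host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one.
    Matching on '.' + domain stops 'microsoft.com.example.org' from passing."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_link(url, allowed_domains):
    """Return the reasons a link looks wrong for the brand. An empty list means
    the basic checks passed, which is not proof that the link is genuine."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    host = parts.hostname or ""
    if not host:
        reasons.append("no host in URL")
    elif not host_matches(host, allowed_domains):
        reasons.append("host %r is not a %s domain" % (host, allowed_domains[0]))
    if parts.username is not None:
        # In 'https://www.microsoft.com@example.org/' the brand name sits in the
        # userinfo part; the host the browser connects to is after the '@'.
        reasons.append("URL carries embedded credentials before the real host")
    return reasons


# Constructed sample links of the kinds seen in "failed update" style phish.
SAMPLE_LINKS = [
    "https://login.live.com/login.srf",              # plausible
    "http://update-fix.example.net/ms/error0x700",   # plain HTTP, unrelated host
    "http://www.microsoft.com.example.org/update",   # brand name as a subdomain
    "https://www.microsoft.com@example.org/login",   # brand name in userinfo
]


def triage(links, allowed_domains=MICROSOFT_DOMAINS):
    """Map each link to its list of findings."""
    return {u: check_link(u, allowed_domains) for u in links}


if __name__ == "__main__":
    for link, findings in triage(SAMPLE_LINKS).items():
        print(("OK      " if not findings else "SUSPECT ") + link,
              "; ".join(findings))
```

A clean result only says the link is consistent with the brand; the message body, sender and any login page it leads to still deserve the same scrutiny.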

If in doubt, leave it out!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5JGEjtdzMFs/

Facebook’s “Who can look up your timeline by name” privacy tool bites the dust

In December 2012, Facebook announced a slew of privacy changes, one of which – the axing of the “Who can look up my timeline by name” feature – annoyed privacy aficionados.

The feature controlled whether someone could be found by typing their name into the Facebook search bar.

The setting was limited in scope and didn’t keep people from being found in other ways across the site, Facebook said at the time.

Facebook yanked the setting last year for people who weren’t using it.

For the minority of users still using the setting, the plug is now being pulled.

Facebook Chief Privacy Officer Michael Richter said in a blog posting on Thursday that the remaining ‘get the heck away from my timeline’ people will see reminders about its imminent death in the coming weeks.


Richter re-emphasized what Facebook said when it first warned of the feature’s demise: namely, that users are better off choosing the sharing status of individual postings:

Whether you’ve been using the setting or not, the best way to control what people can find about you on Facebook is to choose who can see the individual things you share.

For example, Richter wrote, the feature didn’t prevent people from navigating to your timeline by clicking your name in a story in News Feed, or from a mutual friend’s timeline, or by using Graph Search (for example, ‘People who live in Seattle’), thus making it “even more important to control the privacy of the things you share rather than how people get to your timeline.”

Oh yes, Graph Search is the super-duper find-you tool, for sure.

In fact, Facebook announced on 30 September that Graph Search can now paw through your posts and status updates – in other words, all public Facebook posts ever made since the dawn of Facebook time are now searchable.

As I said at the time, for those who haven’t cleaned up their more embarrassing tracks already, the time is ripe to lunge for the Activity Log.

In light of the most recent news about the who-can-find-me-on-timeline feature’s demise, some of us may need a refresher course on who can see what, as well as how to stay safe on Facebook.

Naked Security kicks it off with this list of 5 tips.

And since the Facebook safety saga tends to take on the epic scope of a TV mini series, here’s another 5 tips on staying safe on Facebook, plus, just because we live in tag-happy times, here’s how to check your photo-tagging settings.

Much as it did 11 months ago, the removal of this feature still seems like the wrong direction. If the original setting was limited in scope and failed to do what it purported – e.g., choose who can find you – why didn’t Facebook choose to rework it so as to actually protect people’s privacy and give them the right to not be found?

On the plus side, in the coming weeks, Facebook will send notices to people who share posts publicly, reminding them that the posts can be seen by anyone, including people they may not know. The notices will include reminders about how to change the audience for each post.

Hopefully, that will be a helpful nudge to groups such as, for example, single women who like men *and* who like getting drunk.

*And* who might not be aware that every little bit of that is public knowledge.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KX6CgQ1DTnE/

Wikileaks FAILS to start Twitter bitchfight with Guardian hack


Wikileaks is engaged in a Twitter spat with Guardian journalist Glenn Greenwald, accusing him of profiting from NSA whistleblower Edward Snowden’s leaks to the paper.

Greenwald is planning a book on Snowden, the former NSA worker who leaked documents from the agency to newspaper and other outlets. There is also talk of a movie based on the proposed but as yet unwritten book, although no studio has announced a deal yet.

On Saturday, the Wikileaks Twitter account tweeted a link to an article about Hollywood interest in the book and accused Greenwald of “cashing in” on Snowden.

The organisation also tweeted that it was the only one that had the real story, because The Guardian had “abandoned” Snowden.

So far, Greenwald has not responded to Wikileaks’ Twitter taunts on the blogging site, making the spat a bit one-sided. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/14/wikileaks_greenwald_twitter_spat/

NSA Hack Attacks: Good Value For Money?

Do the National Security Agency’s online espionage capabilities provide good value for money?

Recent reports have disclosed that the NSA uses a fleet of high-latency — codenamed “Quantum” — servers to redirect targeted systems to another fleet of servers, codenamed “FoxAcid,” that launch tailored drive-by attacks. The agency’s malware reportedly targets a range of vulnerabilities, from publicly known flaws to zero-day bugs that only the NSA possesses.

That information comes via former NSA contractor Edward Snowden’s leak of top secret documents that detail many of the agency’s operating practices. What’s struck some information security experts is just how similar the NSA’s techniques are to those of cybercrime gangs and advanced persistent attack (APT) groups sponsored or run by other nations.



Article source: http://www.darkreading.com/attacks-breaches/nsa-hack-attacks-good-value-for-money/240162598

Riskive Unveils Free App For Social Identity Theft Protection

BALTIMORE, MD–October 15, 2013–Riskive, the Social Risk Management company, today unveiled FriendGuard, a free app that leverages advanced math and science to protect individuals and families against social identity theft and malware attacking their social accounts.

According to Riskive data, cybersecurity attacks have increased by 700% in the past year with more than 90% of hacks leveraging social media platforms.

FriendGuard is the first consumer-facing product developed by Riskive, which earlier this year secured funding to protect users and organizations against social-based cyber threats. Riskive is backed by Genacast Ventures (a fund in partnership with Comcast Ventures), Core Capital and multiple prominent angel investors.

“We are proud to announce the immediate availability of FriendGuard to protect families and everyone at risk from social network cyber threats,” said James C. Foster, CEO of Riskive. “The data our team compiled throughout this year demonstrates the severity of a silent, yet very dangerous threat assaulting the safety of our personal information online.”

A single compromised social account can also lead to the compromise of other social accounts and real-life accounts, such as bank accounts. Compromises occur at an alarming rate: one new social media account is compromised every three seconds. Until now, there was no functional product on the market that could protect any consumer, on any device, at any time, from anywhere, on any network, on any social networking platform from hackers and viruses; anti-virus is not built for social networks and cannot provide real-time support.

“We are in the early stages of a new era of cyber attacks,” said Richard Stiennon, Chief Research Analyst at IT-Harvest. “Social platforms have opened up a window for cyber thieves to steal and harvest personal information of individuals and businesses for profit.”

FriendGuard leverages advanced algorithms to detect if individuals are connected to hackers. Individuals who activate FriendGuard are provided with a FriendGuard Score, like a credit score but for security. This score is derived from our expansive database of malware and other compromising networks and real-time analysis of evolving threats in an individual’s network. Users receive alerts when someone posts malware or a click-jacking scam on their wall or a friend’s wall, suspicious connections, and other malicious content.

FriendGuard is free for individuals and can be activated at http://friendguard.com for immediate protection against social cyber threats. Subscription pricing applies for families ($3.99 per month) that allows parents to protect their kids from cyber attacks as well as other suspicious connections.

“While it’s human nature to give our friends and closest contacts the benefit of the doubt, the reality is that most cyber attacks put us at risk because the people in our social networks have been compromised,” said Foster. “FriendGuard provides proactive threat detection to ensure your social network information remains safe.”

###

About Riskive

Riskive, the Social Risk Management Company, is a Baltimore, Maryland-based startup with a mission of protecting the social enterprise. Businesses and government organizations leverage Riskive’s cloud-based technology and predictive analytics to identify and prevent malicious cyber attacks before they occur. Please visit: http://riskive.com/.

Article source: http://www.darkreading.com/end-user/riskive-unveils-free-app-for-social-iden/240162590

Researchers Highlight Security Vulnerabilities In Ship-Tracking System

When it works normally, the Automatic Identification System (AIS) used by ships can be a captain’s best friend, helping him or her avoid collisions on the high seas. Under the control of a hacker, however, AIS could become a captain’s worst enemy.

At the upcoming Hack in the Box Security Conference in Malaysia, a team of security researchers is preparing to demonstrate how an attacker could hijack AIS traffic and perform man-in-the-middle attacks that turn the tracking system into a liability.

AIS is an automatic tracking system intended to help identify and locate vessels electronically to help avoid collisions on the water. AIS transponders on the ships include a GPS receiver and a VHF transmitter, which transmits information to other vessels or base stations. AIS is required on many vessels, including international voyage ships weighing 300 tons or more and all passenger ships regardless of size.

Trend Micro’s Kyle Wilhoit, one of the researchers who worked on the project, says the attacks can be broken into two categories: those that target the AIS Internet providers that collect and distribute AIS information, and those targeting flaws in the actual specification of the AIS protocol used by hardware receivers in all the vessels. Without getting too deep into the vulnerabilities ahead of the presentation, which is slated for Oct. 16, Wilhoit explains that the upstream providers fail to authenticate AIS sentences coming from ships.

“I could go out and I could pretend to be a boat, and they don’t even fact-check it,” he says. “They don’t look at, OK… is this AIS sentence actually a boat? They don’t check any of that. So it’s all accepted as-is. It’s accepted as true.”

According to Wilhoit, these conditions could allow an attacker to tamper with valid AIS data and do everything from modifying a ship’s position to creating a fake vessel with the same details to fool anyone monitoring ships at sea.

The researchers are also prepared to demonstrate how the other set of attacks could be used to perform a variety of malicious actions, including sending fake “man-in-the-water” distress beacons — which would trigger alarms on any vessels using AIS within approximately 50 km — as well as faking a CPA (closest point of approach) alert and triggering a collision warning alert.

“The complexity of the attack is what I would consider ‘somewhat complex’,” Wilhoit says. “This is because the AIS protocol(s) are typically not…researched by security researchers. Therefore, there’s a learning curve with the protocols, uses [and] implementations of AIS. However, once you gain access to the AIVDM sentences, it’s in clear text, which makes it somewhat easy to modify. Also, you have to reverse engineer the AIVDM sentences, and be able to put them back together in order to correctly perform attacks, which proved to be somewhat difficult.”

The cost of performing the attack is relatively low: the necessary equipment can be purchased for between $100 and $300, depending on the attack.

The researchers are working with upstream providers and others on addressing the vulnerabilities, Wilhoit says.

“For the online Web providers such as Marinetraffic.com, implementing authentication for every vessel submitting sentences would help mitigate the problem fairly quickly,” he notes. “However, the fundamental problem(s) with the AIS protocols would require a complete overhaul — which is difficult because it’s implemented worldwide in thousands of devices.”
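Two points in the article are worth seeing in code: AIVDM sentences carry only an NMEA checksum (integrity against line noise, not proof of origin), and the mitigation Wilhoit suggests is for upstream providers to authenticate each submitting source. The following is an added example, not code from the article or from the researchers: it parses a published sample AIVDM sentence, verifies the checksum, decodes the message type and MMSI from the 6-bit payload, and then shows a provider-side acceptance check in which each registered data source tags its sentences with an HMAC. The HMAC design and the source key are assumptions for the demo, not any provider’s actual interface.

```python
"""Added example (not from the article or the researchers): parse an AIVDM
sentence, verify its NMEA checksum, decode message type and MMSI, and show the
kind of per-source authentication the article says upstream providers lack.
The HMAC scheme and the source key are assumptions made for this demo."""
import hashlib
import hmac

# Published sample sentence: a type 1 position report from MMSI 477553000.
SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"


def nmea_checksum(body):
    """XOR of every byte between the leading '!' and the '*', as two hex digits."""
    c = 0
    for ch in body.encode("ascii"):
        c ^= ch
    return "%02X" % c


def _sixbit(ch):
    """AIS 6-bit ASCII armouring: subtract 48, and 8 more if the result is > 40."""
    v = ord(ch) - 48
    if v > 40:
        v -= 8
    if not 0 <= v < 64:
        raise ValueError("bad payload character %r" % ch)
    return format(v, "06b")


def parse_aivdm(sentence):
    """Split an AIVDM sentence and check its checksum. Returns a dict, or raises
    ValueError when the framing or the checksum is wrong."""
    if not sentence.startswith("!AIVDM,") or "*" not in sentence:
        raise ValueError("not an AIVDM sentence")
    body, given = sentence[1:].rsplit("*", 1)
    if given.upper() != nmea_checksum(body):
        raise ValueError("checksum mismatch")
    fields = body.split(",")
    payload = fields[5]
    bits = "".join(_sixbit(ch) for ch in payload)
    return {
        "fragments": int(fields[1]),
        "fragment_no": int(fields[2]),
        "channel": fields[4],
        "msg_type": int(bits[0:6], 2),
        "mmsi": int(bits[8:38], 2),   # 2 repeat-indicator bits, then 30 MMSI bits
        "payload": payload,
    }


# --- Provider-side authentication (assumed design, not any provider's API) ---
# Each registered data source holds its own secret and tags every sentence with
# HMAC-SHA256; the provider discards anything whose tag does not verify. The NMEA
# checksum is deliberately not treated as evidence of origin.

def tag_sentence(sentence, source_key):
    return hmac.new(source_key, sentence.encode("ascii"), hashlib.sha256).hexdigest()


def accept_submission(sentence, tag, source_key):
    """Provider-side gate: framing + checksum + a valid tag from a known source.
    Returns the parsed sentence on success, None on any failure."""
    try:
        parsed = parse_aivdm(sentence)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, tag_sentence(sentence, source_key)):
        return None
    return parsed


if __name__ == "__main__":
    key = b"demo-source-key"   # constructed secret for one registered source
    print(parse_aivdm(SAMPLE))
    print("accepted with valid tag:", accept_submission(SAMPLE, tag_sentence(SAMPLE, key), key) is not None)
    print("rejected with bad tag:  ", accept_submission(SAMPLE, "0" * 64, key) is None)
```

The split between the two halves is the point: `parse_aivdm` will happily accept any well-formed sentence from anyone, which is the situation the article describes, while `accept_submission` only admits sentences from a source holding a registered key. A fix at this layer protects the aggregation sites; it does nothing for receivers on the water, which is why Wilhoit calls the protocol-level problem an overhaul.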


Article source: http://www.darkreading.com/attacks-breaches/researchers-highlight-security-vulnerabi/240162568

Simplexo Recognized For Driving Secure Search Technology To The Forefront Of Cloud Computing

Simplexo, a British pioneer of secure search technology, has been shortlisted in two categories of the SVC awards – Cloud Company of the Year and SaaS Solution of the Year – demonstrating its commitment to driving secure search technology to the forefront of the cloud, virtualisation and storage markets.

Taking place at a gala award ceremony on Thursday 21st November at the prestigious Jumeirah Carlton Tower, in Knightsbridge, London, the SVC awards recognise the achievements of end-users, channel partners and vendors who are powering innovation across the cloud and storage sectors over the past 12 months.

Simplexo technology provides secure universal access to electronic content – whether in the form of documents, emails, corporate systems, databases or web content. The technology is developed entirely in-house and is based on a methodology that has been successfully deployed in bespoke business solutions over the last 10 years.

Its recognition at the SVC awards is in light of the launch of SearchYourCloud, a new application that enables people to securely find and access information stored in Dropbox, Microsoft Exchange, SharePoint or Outlook.com with a single search, while also protecting their data and privacy in the cloud.

Simon Bain, founder of Simplexo states that the recognition received in being shortlisted is a testament to the work of Simplexo in bringing the issues of search security to the mainstream of IT security:

“Many people believe that there is a trade off between ease of access to information and security. In reality, finding information from mobile devices has been both extremely convoluted and not secure. We have solved the access and security problem in an easy to use service – SearchYourCloud.

“The Simplexo team has worked long and hard to deliver a remote access solution that does not require users or businesses to compromise productivity, privacy or security, and it’s great to have our efforts acknowledged.”

– ENDS –

About Simplexo

Simplexo Ltd is focused on delivering a new experience in federated search, and is founded on a solid history in electronic document management and retrieval. Today, Simplexo technology is delivering value to individuals and organisations in many industry sectors, including financial services, healthcare and local government. For more information, please see: http://www.simplexo.com/

Article source: http://www.darkreading.com/simplexo-recognized-for-driving-secure-s/240162553

Big Data Detectives


For Vigilant, it started in 2009. And as with most companies, it started small.

The security services startup, now part of audit and consulting firm Deloitte, wanted a way to bring information about external threats to clients that were using SIEM (security information and event management) systems to monitor their own environments. The Vigilant team knew that the combination of external threat data with internal security event data could be a powerful way to improve enterprise defenses, but crunching all that data would be a monumental task.

Vigilant began combining threat intelligence feeds, filtering the data to pull out the most important information for each client, and then transmitting the data to their clients’ SIEM systems. The company started with two threat lists: domains serving malware, and domains compromised by the Trojans SpyEye and Zeus. To reduce false alarms and aid in analysis, the company began adding more data feeds.

Vigilant’s analysts quickly became addicted to the analysis. Each new source of data gave them the ability to tease out additional information on threats. By 2011, the company was processing about 50 to 100 GB per day. But the company’s systems couldn’t keep up with the flow of data, and it started missing performance deadlines, says Joe Magee, co-founder and former CTO of Vigilant, who is now a director at Deloitte.

“We were not able to catch up,” Magee says. “We were not able to process the information and push it out fast enough, and that’s when it became a big data issue for us. We needed to be able to rip through this data in Google-like fashion.”

The volume of data and rate of change caused the problem, because most of the data came in the form of feeds updated daily with gigabytes of data. It overwhelmed the company’s initial database built on top of Postgres. In 2011, Vigilant moved to Hadoop and became one of many companies — both vendors and enterprises — that are advocating the use of big data analytics to improve the response to security threats.

Big Data Still Just A Promise

For security teams, the use of analytics on massive quantities of security data — from device and application logs to collections of captured network packets and operational business data — promises better visibility into the security threats that elude current defenses.

Big data analytics can be more complex than the log collection and analysis conducted by most SIEM systems, so automating the number crunching is often needed to let security pros more easily use statistical correlations to discover trends and anomalies. Tracking days or weeks of business activity allows the system to find outliers — a user who accesses far more data on a daily basis than the average employee, or a system that has a sudden spike in resource consumption. Analysts then can dig deeper into the large data sets of security information for any flagged events.
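The outlier case in the paragraph above (a user who pulls far more data per day than their own history suggests) is a baseline comparison, and the arithmetic is worth seeing because it decides how much you have to store per entity and what happens when a baseline is flat. The following is an added example, not code from the article or from any SIEM vendor named in it: per-user daily totals are compared with that user’s own baseline window by standard score, flat baselines are handled explicitly, and users with too little history are skipped rather than scored. The access volumes are constructed for the demo.

```python
"""Added example (not from the article, IBM, Securosis or any SIEM product):
baseline-versus-today outlier detection of the kind the paragraph describes.
The per-user access volumes below are constructed for this demo."""
import statistics

# Constructed history: MB of data each user pulled per day over the baseline
# window, followed by today's figure.
HISTORY = {
    "alice":    ([120, 130, 125, 118, 122, 128, 131, 119, 124, 127], 135),
    "bob":      ([40, 42, 39, 41, 40, 43, 38, 40, 41, 42], 44),
    "mallory":  ([118, 122, 125, 130, 121, 119, 127, 124, 123, 126], 900),
    "svc-acct": ([55, 55, 55, 55, 55, 55, 55, 55, 55, 55], 310),  # flat baseline
}


def zscore(baseline, today):
    """Standard score of today's value against the user's own baseline window.
    A flat baseline has zero spread, so any change at all is reported as
    infinite rather than dividing by zero."""
    mean = statistics.fmean(baseline)
    sd = statistics.stdev(baseline) if len(baseline) > 1 else 0.0
    if sd == 0:
        return float("inf") if today != mean else 0.0
    return (today - mean) / sd


def find_outliers(history, threshold=3.0, min_days=7):
    """Return {user: z} for users whose today value lies more than `threshold`
    standard deviations above their own baseline. Users with fewer than
    `min_days` of history are skipped: a baseline that short is a guess."""
    flagged = {}
    for user, (baseline, today) in history.items():
        if len(baseline) < min_days:
            continue
        z = zscore(baseline, today)
        if z > threshold:
            flagged[user] = z
    return flagged


if __name__ == "__main__":
    for user, z in sorted(find_outliers(HISTORY).items()):
        print("%-9s z=%.1f  -> review" % (user, z))
```

Per-user baselines are what keep this from firing on the users who are simply heavier than average every day; the same structure (entity, window, today) applies to hosts and resource consumption, the other case the paragraph mentions. Flagged users are a queue for an analyst, not a verdict.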

“Big data is not just about gaining insights, it’s about helping remediate issues faster,” says Jason Corbin, director of security intelligence strategy for IBM Security Systems. “The big problem is that [security teams] are overwhelmed with information they have. All that information goes to some guy who has to sift through tons of incidents or vulnerability reports and decide what they need to patch or virtually patch or fix. Security teams fall behind, and that’s how companies suffer breaches based on known but unpatched vulnerabilities.”

But for many companies, the promise of big data in security is just that — a promise. While security teams hope to gain more awareness of what is going on in their networks by collecting and analyzing more of their data, the technology is still in its adolescence. “Hadoop has been around for a while, but it is still figuring out what it is and what it wants to be,” says Adrian Lane, CTO for security consultancy Securosis.

Still, the potential is huge, Lane adds. Companies that kick off a big data project for security can collect an immense volume of data and have a security analyst poke through the information, ask queries of the data and make important discoveries.

[Chart: Which of these big data tools are in use at your company?]

Article source: http://www.darkreading.com/monitoring/big-data-detectives/240162537

Two telemetry projects should mean better testing and fewer false alarms

In the course of one afternoon at last week’s Virus Bulletin conference in Berlin, two major cross-industry telemetry projects were presented which, it’s hoped, should improve the quality of anti-malware products.

The first is designed to up the standard of anti-malware testing, which in turn encourages better products, and the second aims to help reduce the chances of products mis-identifying clean files as malware.

Real time threats

First up, and closest to my own specialty, was a presentation on behalf of the Anti-Malware Testing Standards Organisation (AMTSO), given by AMTSO CTO Righard Zwienenberg of Eset and my colleague on the AMTSO board of directors, Thomas Wegele of Avira.

The subject of their talk was a new system called the Real Time Threat List (RTTL).

For many years there has been an industry standard system of listing a base subset of the threat landscape, known as the WildList. This has been used as the basis for a range of testing systems, including Virus Bulletin’s own VB100 certification.

Since its founding in 1993 the WildList has seen some gradual evolution and improvements, but has been criticised for being slow to adapt to the faster pace and diverse range of attack techniques of modern cybercrime.

The RTTL aims to provide an alternative to the WildList which offers a much more accurate and up-to-the-minute picture of the latest and most important threats.

It operates as a community telemetry-gathering and sharing system – registered data providers (mostly the anti-malware vendor companies) submit information on what they are seeing, including details such as how many of their customers have been hit by a given threat, how long they think it’s been around, which geographical regions it’s appeared in, and much more besides.

Testers can then query the list on their own terms, pulling out data to best suit their style of testing. Some might suggest that relying on prevalence information provided by vendors biases tests in their favour, but this seems to be a necessary evil – they are the only people with the raw information this sort of system can be based on.

The flexibility of the system also allows testers to make use of it in different ways, to either mitigate or leverage the vendors’ own access to the information.

For example, in the case of a certification scheme like the VB100, or those offered by other labs such as the ICSA, a basic list of the most significant threats over a given time period can easily be generated.

This kind of baseline test expects any decent solution to provide full and reliable coverage of all these major items at all times, and as we’ve seen over the years with the WildList such expectations are not always justified.

Despite most vendors having access to the WildList data, there have been many instances of missed or mis-classified samples in public tests, even from the most reliable of vendors.

So, a test with what appears to be a fairly easy target can give a good indication of which vendors are managing to keep up with the pace and targeting the most important areas, and which are falling behind. More flexible data should allow us to fine-tune such tests to provide a more accurate picture of who’s doing well.

There are other ways of making use of the RTTL data too, for example in tests which aim to measure the other end of the scale, looking for samples which are very rare, perhaps highly targeted to a particular sector or organisation and unlikely to have been seen by vendors until their job has been done.

In such a test, the tester could throw the samples they manage to turn up against the products under test, then later on look them up in the RTTL system to find out if they were indeed as new, rare and specialised as they were thought to be. Their results could then be derived only from the examples which best fit their intended design for the test.

As the system will include records on malicious URLs as well as files, it will allow tests to more closely approximate real-world use cases, covering all the layers of protection in modern solutions, while still using a standard and repeatable sample selection process.

The RTTL is currently at a late beta stage, and we hope to see its influence coming online early in the new year.

Clean file metadata

The second talk was on behalf of the IEEE Industry Connections Security Group (ICSG) malware research group, and was given by IEEE-ICSG members Igor Muttik (McAfee) and Mark Kennedy (Symantec). Their topic was another data-sharing initiative, this time covering clean files rather than malicious ones.

False positives have always been a problem for anti-malware solutions. With the explosive growth in the quantities of malware being produced, new techniques have had to be adopted to cover the glut.

Ever more aggressive heuristic and generic detection methods are of course more likely to cause false alarms, while automated systems which add detection for items based on features such as multiple detections by other products can cause snowball effects, spreading false positives from product to product.

Cloud-based reputation systems can also cause unnecessary alarm by alerting on items due to rarity or newness.

The IEEE-ICSG clean file metadata sharing system (CMX) is designed to help address these issues. Data will be fed into the system by legitimate software developers, providing details of every file they produce. This can be used to help ensure their files are not detected by anti-malware products, even if they are brand new or have only the smallest numbers of users.

This will help the vendors populate whitelists, mainly cloud-based, and will also help guide the building of clean sample sets used in quality assurance (QA).

Any good anti-malware QA process should include running over as much known-clean stuff as possible, to spot false alarms in new detection algorithms. While the CMX system does not plan to include actual copies of files (mainly for copyright reasons), it will at least provide enough information to show QA teams where their sourcing of samples is falling behind.

It also simplifies the process of liaison between anti-malware firms and software developers, by providing a simple conduit for communications.

At present, each AV vendor has to build a relationship with all the major software producers, and any software developer who has a problem with their wares being flagged by AV needs to find someone who can help them out (a lot of them approach me for introductions).

The CMX system should make this all much easier, meaning not only fewer false positives to start with but also swifter resolution of any issues which do emerge.

This will make everybody happy – the anti-malware firms will suffer less embarrassment from false positive incidents, software makers will get fewer complaints from their customers, and end users will be less likely to have their business interrupted unnecessarily.

It’s great to see how much collaboration there can be between the technical people at companies which are on the face of it in tough competition. We all need to work together to put up the strongest defence possible against the tidal wave of threats.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/x3kYjI5pKok/