CERT Blogs

CERT Basic Fuzzing Framework 2.5 Released

Mon, 30 Apr 2012 11:00:00 -0500

Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post highlights the significant changes.

CERT Linux Triage Tools 1.0 Released

Wed, 25 Apr 2012 10:21:00 -0500

As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post contains an overview of the extension and how it works.

CERT Failure Observation Engine 1.0 Released

Mon, 23 Apr 2012 16:39:17 -0500

Hello, this is David Warren from the CERT Vulnerability Analysis team. In May 2010, CERT released the Basic Fuzzing Framework, a Linux-based file fuzzer. We released BFF with the intent to increase awareness and adoption of automated, negative software testing. An often-requested feature is that BFF support the Microsoft Windows platform. To this end, we have worked to create a Windows analog to the BFF: the Failure Observation Engine (FOE). Through our internal testing, we've been able to help identify, coordinate, and fix exploitable vulnerabilities in Adobe, Microsoft, Google, Oracle, Autonomy, and Apple software, as well as many others. Our office shootout post is a good example of this testing.

Vulnerability Severity Using CVSS

Wed, 11 Apr 2012 22:10:10 -0500

If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you've come across the Common Vulnerability Scoring System (CVSS). I'm happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics.

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

Fri, 23 Mar 2012 13:12:07 -0500

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Addison-Wesley Professional has recently been published. The book is available for purchase at Addison-Wesley’s InformIT website at http://www.informit.com/store/product.aspx?isbn=9780321812575.

Insiders and Organized Crime

Wed, 15 Feb 2012 15:29:24 -0500

The term organized crime brings up images of mafia dons, dimly lit rooms, and bank heists. The reality today is more nuanced; especially as organized crime groups have moved their activities online. The CERT Insider Threat Center recently released a publication titled Spotlight On: Malicious Insiders and Organized Crime Activity. This article focuses on a cross-section of CERT’s insider threat data, incidents consisting of 2 or more individuals involved in a crime. What we found is that insiders involved in organized crime caused more damage (approximately $3M per crime) and bypassed protections by involving multiple individuals in the crime.

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage

Thu, 26 Jan 2012 13:15:42 -0500

The Insider Threat Center at CERT recently released a new insider threat control that is specifically designed to detect the presence of a malicious insider based on key indicators to Information Technology (IT) sabotage activity. This blog post provides an overview of the control and the rationale behind its development. For more details describing the development of the control and the statistical analysis used and applied in this signature please refer to the technical report: http://www.cert.org/archive/pdf/SIEM-Control.pdf

CNAME flux

Thu, 05 Jan 2012 16:15:00 -0500

Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name.

Preparing for Negative Workplace Events - Managing Employee Expectations

Thu, 15 Dec 2011 10:00:00 -0500

Hello, this is Randy Trzeciak, technical team lead for the Insider Threat Research Team at the CERT^® Insider Threat Center. This blog post is intended to serve as a reminder to organizations about the impact that an organization’s actions can have on employees. Additionally, I want you to ask yourself the following question, what are you doing to manage employee expectations during negative workplace events?

Insider Threat Controls

Wed, 16 Nov 2011 09:30:00 -0500

The mission of the CERT^® Insider Threat Lab, sponsored by the Department of Homeland Security Federal Network Security Branch, is to create new technical controls and standards based on our research, as well as to determine lessons learned from our hands-on work doing assessments, workshops, and working with technical security practitioners.

Data Exfiltration and Output Devices - An Overlooked Threat

Mon, 17 Oct 2011 13:40:00 -0500

Hi, this is George Silowash and recently, I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise…paper. Yes, paper. In particular, printouts and devices that allow for extraction of digital information to paper or the management of paper documents. This area is often overlooked in enterprise risk assessments and I thought I would share some information regarding this type of attack.

Challenges in Network Monitoring above the Enterprise

Fri, 23 Sep 2011 10:06:00 -0500

Recently George Jones, Jonathan Spring, and I attended USENIX Security '11. We hosted an evening Birds of a Feather (BoF) session where we asked a question of some significance to our CERT^® Network Situational Awareness (NetSA) group:

Is Large-Scale Network Security Monitoring Still Worth Effort?

The CERT Insider Threat Database

Mon, 15 Aug 2011 10:00:00 -0500

Hi, this is Randy Trzeciak, technical team lead for the Insider Threat Outreach & Transition group at the Insider Threat Center at CERT. Since 2001, our team has been collecting information about malicious insider activity within U.S. organizations. In each of the incidents we have collected, the insider was found guilty in a U.S. court of law.

Theft of Intellectual Property and Tips for Prevention

Thu, 21 Jul 2011 13:29:00 -0500

One of the most damaging ways an insider can compromise an organization is by stealing its intellectual property (IP). An organization cannot underestimate the value of its secrets, product plans, and customer lists. In our recent publication, An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases, we took a critical look at the technical aspects of cases in which insiders who stole IP from their organization. Insiders commit these crimes for various reasons such as for the benefit of another entity, to gain a competitive business advantage, to start a competing organization or firm, or for the personal financial gain. By understanding the specific technical methods that insiders use to steal information, organizations can consider gaps in their network implementation and can identify ways to improve controls that protect their IP.

Insider Threat Deep Dive: Theft of Intellectual Property

Mon, 27 Jun 2011 13:47:07 -0500

This entry is part of a series of “deep dives” into insider threat. The previous entry focused on IT sabotage.

Hi, this is Chris King. From our research, we realized that malicious insiders do not all fit into a single category. We found that there are individuals who steal or commit fraud for financial gain, others who steal intellectual property because of a sense of entitlement or to obtain a position with a competitor, and some who want to exact revenge against an organization because they are angry. We noticed a pattern in the ways insiders acted and were able to separate them into three main categories of crime: IT sabotage, theft of intellectual property (IP), and fraud. This update focuses on theft of IP.