Sunday 30 September 2012

Valid Adobe Certificate Used to Sign Malicious Utilities Common in Targeted Attacks

Adobe announced today that it was the victim of an APT-style attack after two malicious utilities of the kind commonly used in targeted attacks for privilege escalation and pivoting within a network were found to be signed with a valid Adobe code-signing certificate. Adobe said it will revoke the certificate next week.

Brad Arkin, senior director of security for Adobe products and services, said in a statement that a build server with access to the Adobe code-signing infrastructure was compromised and is the source of the issue.

The certificate will be revoked on Oct. 4. The revocation affects only Adobe software for Windows that was signed with the certificate after July 10, as well as three Adobe AIR applications that run on Windows and the Macintosh platform.

“Customers should not notice anything out of the ordinary during the certificate revocation process,” Arkin said. “Our investigation to date has shown no evidence that any other sensitive information—including Adobe source code or customer, financial or employee data—was compromised.”
 
Arkin said Adobe does not believe the certificate was used to sign widespread malware, and that the misuse it has found is limited to the two utilities discovered.

“We believe the vast majority of users are not at risk,” Arkin said.

The two utilities in question are pwdump7 v7.1, which extracts password hashes from Windows and links to the OpenSSL library libeay32.dll (a copy of which was also signed with the certificate), and myGeeksmail.dll, a malicious ISAPI filter for Microsoft's IIS Web server. ISAPI filters hook into IIS' request processing, so a malicious one can inspect or alter traffic to and from the server.

Mikko Hypponen, chief research officer at F-Secure, said in a Twitter post that his company's sample repository holds more than 5,000 files signed with the compromised certificate. Only three of those files were malicious, Hypponen said, which is consistent with the two utilities plus the libeay32.dll that pwdump7 links.

IT administrators can mitigate the threat by creating a software restriction policy via Group Policy that prevents the specific utilities from executing. Moving the certificate to the Windows Untrusted Certificates store is not a substitute: according to Adobe's tests it will not stop an attacker who already controls a machine from running the utilities, and it will also interfere with legitimate Adobe products signed with the certificate.
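The revocation logic behind the July 10 cutoff, as an added example that is not Adobe's code: Windows Authenticode applies a revocation from its effective date, so a signature that carries a trusted timestamp counter-signature from before that date stays valid, which is how the revocation can be scoped to code signed after July 10 while older Adobe releases keep working. The script below classifies a set of constructed signature records the way Windows would, and also models the alternative the article warns against, putting the certificate in the Untrusted Certificates store, which rejects every signature made with it regardless of date. The thumbprint, file paths and dates are placeholders, not values from the advisory.

```python
"""
Which signatures does a revocation with an effective date actually invalidate?

Added example, not Adobe's code.  Windows Authenticode treats a revocation as
applying from its effective date: a signature with a trusted timestamp
counter-signature from before that date stays valid.  The thumbprint below is
a placeholder, not the real certificate's.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

COMPROMISED_THUMBPRINT = "0" * 40                      # placeholder (assumption)
REVOCATION_EFFECTIVE = datetime(2012, 7, 10, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Signature:
    path: str
    signer_thumbprint: str
    timestamp: Optional[datetime]   # trusted timestamp counter-signature, if any


def verdict(sig: Signature, untrusted_store: bool = False) -> str:
    """Return how Windows would treat this signature after the revocation.

    untrusted_store=True models putting the certificate in the Untrusted
    Certificates store instead: every signature by that cert then fails,
    timestamped or not, which is why that approach breaks legitimate software.
    """
    if sig.signer_thumbprint.lower() != COMPROMISED_THUMBPRINT.lower():
        return "valid"                      # some other certificate; unaffected
    if untrusted_store:
        return "distrusted"
    if sig.timestamp is None:
        # Without a trusted timestamp the signing time is unknowable, so the
        # signature has to be treated as made after the effective date.
        return "revoked"
    if sig.timestamp < REVOCATION_EFFECTIVE:
        return "valid"                      # signed before the key was misused
    return "revoked"


def triage(signatures):
    """Group signatures by verdict: the list an admin wants before Oct. 4."""
    groups = {"valid": [], "revoked": [], "distrusted": []}
    for sig in signatures:
        groups[verdict(sig)].append(sig.path)
    return groups


# Constructed records standing in for the output of a signature-enumeration
# sweep; the paths and dates are illustrative, not taken from the advisory.
SAMPLE = [
    Signature("C:/Program Files/Adobe/legit_old.dll", COMPROMISED_THUMBPRINT,
              datetime(2012, 5, 2, tzinfo=timezone.utc)),
    Signature("C:/Program Files/Adobe/legit_new.dll", COMPROMISED_THUMBPRINT,
              datetime(2012, 8, 15, tzinfo=timezone.utc)),
    Signature("C:/Temp/pwdump7.exe", COMPROMISED_THUMBPRINT,
              datetime(2012, 7, 30, tzinfo=timezone.utc)),
    Signature("C:/Temp/unknown.exe", COMPROMISED_THUMBPRINT, None),
    Signature("C:/Windows/System32/other.dll", "f" * 40,
              datetime(2012, 8, 15, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for group, paths in triage(SAMPLE).items():
        print(group, paths)
```

The records would come from a signature sweep of the estate (on Windows, Get-AuthenticodeSignature over the file set, reading the signer thumbprint and the timestamp counter-signature); the point of the model is that an untimestamped signature cannot be rescued by the cutoff date, and that distrusting the certificate outright also kills the pre-July signatures the revocation was designed to keep working.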

Adobe has decommissioned the compromised code-signing infrastructure and set up a temporary code-signing service to re-sign components that were signed with the compromised key. It is still investigating exactly how the signatures were created.

So far, Arkin said, Adobe has identified malware on the build server in question and determined how the attackers gained access to it, and it has forensic evidence linking the server to the signing of the malicious utilities. The private key itself, which is kept in a hardware security module in a physically secured location, was not extracted, he said.

“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” Arkin said.
The compromised build server had access to source code for only one product, which Arkin said was not Flash, Reader, Shockwave or AIR.

“We have reviewed every commit made to the source repository the machine did have access to and confirmed that no source code changes or code insertions were made by the build server account,” Arkin said. “There is no evidence to date that any source code was stolen.”


Courtesy of Michael Mimoso

Thursday 27 September 2012

Tiny Evil Maid CHKDSK Utility Can Steal Passwords

Stealthy malware that can sneak onto machines during the boot process and remain undetected indefinitely is one of the brass rings of security research. A number of tools have been developed over the years with this goal, Joanna Rutkowska's Evil Maid attack being perhaps the most famous. Now a developer in Canada has produced a similar tool that impersonates the CHKDSK utility, grabs a user's password and then exits without the user's knowledge.

The utility is designed to look like the Windows CHKDSK tool, which checks a hard disk for errors early in the boot process, before the desktop appears. CHKDSK runs automatically when the system detects that a volume was not cleanly unmounted or has a logical error, and then attempts to fix it; anyone who has used Windows for more than a year or two has seen it appear.

The Evil Maid CHKDSK utility written by Alex Weber is designed to load from a USB device and will present the user with a screen that looks just like the actual CHKDSK screen, saying that the tool is checking the volume on the C: drive for errors. The tool shows a message saying, "One of your drives needs to be checked for consistency. You must perform this check before rebooting."

The tool then asks the user to enter their password, which is the hook: the real CHKDSK utility never makes this request. Once the user enters the password, the fake utility writes it to the USB drive and exits. Weber said in an email interview that the tool could be adapted to run on operating systems other than Windows.
 
"It makes use of standard PC BIOS interrupts and 16-bit real-mode assembly, which is I think supported by every x86/x86-64 PC out there. It doesn't rely on (or even know about, truthfully) the operating system on the computer, so yes, it could target other operating systems with very little work. It basically comes down to changing the messages that the user sees," Weber said.

Obviously, the attacker would need physical access to the victim's machine in order to execute this attack. Weber said that he considers his utility a work in progress.

Security researchers, not to mention attackers and malware authors, have been working on various forms of stealthy, low-level malware such as bootkits for years. The idea, of course, is to place the malware on the victim's machine quietly and in such a privileged position that it survives reboots and system reinstalls. This gives the attacker control of the machine at its most basic level and the ability to, for example, record user actions.

The Evil Maid attack Rutkowska implemented in 2009 was designed to defeat the TrueCrypt full-disk encryption program in a manner similar to the one Weber's utility uses. Booted from a USB drive, Rutkowska's tool installs a small sniffer that waits for the user to enter the TrueCrypt passphrase, which it then records. The user sees no indication that the attack has taken place. The tool is named Evil Maid in reference to a malicious hotel maid using it against an unsuspecting hotel guest.

Weber said his utility works silently, as well, but after the compromise there is an indication that something has happened.

"There is one very obvious indication of compromise that I haven't found a solution to - Windows will ask the user to format the drive because the drive won't contain a (valid) partition table. I don't know of a way around that, but that's why the code is on Github :) Perhaps writing a bare-bones partition table to the drive along with the password would prevent that," Weber said.

"I don't think it's a terribly useful tool until that's resolved, but my main design goal was to only use the MBR [master boot record] - I literally used every single byte available."
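The two layout facts Weber's remarks turn on, as an added example that is not his code: a boot sector leaves exactly 446 bytes for 16-bit code before the 64-byte partition table and the 0x55AA signature, and a stick whose table is all zeros is exactly what makes Windows treat the drive as unpartitioned afterwards. The script builds a 512-byte MBR from raw boot code plus optional partition entries and runs the sanity check an operating system applies before it considers a disk partitioned. The two-byte boot stub and the partition geometry are illustrative stand-ins, not Weber's code or his drive layout.

```python
"""
Minimal MBR builder and partition-table check.

Added example, not Alex Weber's code.  The boot code bytes and partition
geometry used below are illustrative.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes available for 16-bit real-mode code
TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, LBA count
BOOT_SIGNATURE = b"\x55\xaa"


def build_mbr(boot_code: bytes, partitions=()) -> bytes:
    """Assemble a 512-byte MBR from raw boot code and up to four
    (status, type, lba_start, lba_count) tuples."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError(f"boot code is {len(boot_code)} bytes; only {BOOT_CODE_SIZE} fit")
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary partition entries")
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    table = b""
    for status, ptype, lba_start, lba_count in partitions:
        # CHS fields set to 0xFF: modern firmware and OSes use the LBA fields.
        table += struct.pack(ENTRY_FMT, status, b"\xff" * 3, ptype, b"\xff" * 3,
                             lba_start, lba_count)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")    # unused slots stay zero
    return code + table + BOOT_SIGNATURE


def parse_partitions(sector: bytes):
    """Return the non-empty partition entries, or None if the sector is not
    a boot sector at all (wrong size or missing 0x55AA signature)."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != BOOT_SIGNATURE:
        return None
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype != 0:                      # partition type 0 marks an unused slot
            entries.append({"status": status, "type": ptype, "start": start, "count": count})
    return entries


def has_usable_partition_table(sector: bytes) -> bool:
    """Roughly what an OS checks before treating a disk as partitioned:
    signature present, at least one entry, sane flags, non-overlapping spans."""
    entries = parse_partitions(sector)
    if not entries:
        return False
    for e in entries:
        if e["status"] not in (0x00, 0x80) or e["start"] == 0 or e["count"] == 0:
            return False
    spans = sorted((e["start"], e["start"] + e["count"]) for e in entries)
    return all(nxt_start >= prev_end
               for (_, prev_end), (nxt_start, _) in zip(spans, spans[1:]))


# Stand-in for the attacker's boot code: "jmp $" (hang forever), illustrative only.
BOOT_STUB = b"\xeb\xfe"
BARE_STICK = build_mbr(BOOT_STUB)                                     # code + signature, empty table
DISGUISED_STICK = build_mbr(BOOT_STUB, [(0x80, 0x07, 2048, 204800)])  # one bootable NTFS-typed entry

if __name__ == "__main__":
    print("bare stick looks partitioned:", has_usable_partition_table(BARE_STICK))
    print("disguised stick looks partitioned:", has_usable_partition_table(DISGUISED_STICK))
```

The bare stick is the case Weber describes: the BIOS boots it happily because the signature is present, but with every partition entry zeroed Windows later sees an unpartitioned device and offers to format it. Adding one entry is the "bare-bones partition table" he suggests; whether Windows then complains about a volume with no recognizable file system inside that partition is a separate question the article leaves open.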


Courtesy of Dennis Fisher

Monday 24 September 2012

Hotmail Limits Passwords to 16 Characters

Passwords, unfortunately, are still the main authentication mechanism on most Web sites, including all of the popular webmail services such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick long, complex passwords, so it is surprising to see that Microsoft now limits Hotmail passwords to no more than 16 characters. Even more surprising is that Hotmail will accept just the first 16 characters of an existing, longer password, which means Microsoft has either been storing passwords in a recoverable form or hashing only the first 16 characters all along.

Microsoft officials say that there has been a 16-character limit for Hotmail accounts for some time, but security researchers who looked at the requirement found it odd, to say the least. Sixteen characters is a somewhat arbitrary limit, and why Microsoft chose to start enforcing it now is unclear.

The real question, however, is what the change implies about how the passwords are stored. As Costin Raiu, head of Kaspersky Lab's GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and hashing only those first 16 characters. The other possibility is more troubling.

"My previous password has been around 30 chars in size and now, it doesn’t work anymore. However, I could login by typing just the first 16 chars," he wrote.

"To pull this trick with older passwords, Microsoft had two choices:

* store full plaintext passwords in their db; compare the first 16 chars only
* calculate the hash only on the first 16; ignore the rest

Storing plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. To be honest, I’m not sure which one is worse."

Microsoft officials did not respond to questions on this issue.

To keep passwords safe from snooping, Web sites should store not the password itself but the output of a salted, slow, one-way hash function; an attacker who steals the database then has to guess candidate passwords and hash each one. Depending on which hash function is used, how many characters of the password it actually covers, and what hardware the attacker brings to bear, the time needed to crack a password hash varies enormously.
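Raiu's two explanations side by side, as an added example that is not Microsoft's code and says nothing about how Hotmail is actually implemented: one store hashes only the first 16 characters of the password (his second possibility), the other hashes the whole thing, and both are tried with the logins he tried, the full 30-character password and its 16-character prefix. The user name and password are made up, and PBKDF2-HMAC-SHA256 from the standard library stands in for whatever hash a real service would use.

```python
"""
Truncate-then-hash versus hashing the whole password.

Added example, not Microsoft's code; it reproduces the symptom Raiu
describes under the "hash only the first 16 characters" explanation and
contrasts it with a store that hashes the full password.  User name and
passwords are made up.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000          # PBKDF2 work factor; raise for production use
SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """Salted PBKDF2 store.  max_len=None hashes the whole password;
    max_len=16 silently discards everything after the 16th character."""

    def __init__(self, max_len=None):
        self.max_len = max_len
        self._records = {}

    def _normalize(self, password: str) -> str:
        return password if self.max_len is None else password[: self.max_len]

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._records[user] = (salt, _derive(self._normalize(password), salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            _derive("", bytes(SALT_BYTES))   # keep timing similar for unknown users
            return False
        salt, expected = record
        return hmac.compare_digest(_derive(self._normalize(password), salt), expected)


def compare_stores(password: str) -> dict:
    """Register one long password in both stores and attempt the logins Raiu
    tried: the full password, its first 16 characters, and the prefix plus junk."""
    if len(password) <= 16:
        raise ValueError("use a password longer than 16 characters to see the effect")
    truncating, full = PasswordStore(max_len=16), PasswordStore()
    for store in (truncating, full):
        store.register("alice", password)
    prefix = password[:16]
    attempts = {"full": password, "prefix": prefix, "prefix_plus_junk": prefix + "zzzzzzzz"}
    return {
        "truncating": {name: truncating.verify("alice", pw) for name, pw in attempts.items()},
        "full_hash": {name: full.verify("alice", pw) for name, pw in attempts.items()},
    }


if __name__ == "__main__":
    for store, results in compare_stores("correct horse battery staple 9").items():
        print(store, results)
```

The truncating store accepts the prefix and even the prefix followed by garbage, exactly the behaviour Raiu observed, while the full-hash store rejects both. The same silent shrinkage of the search space happens wherever a hash has a fixed input limit, bcrypt's 72-byte cap being the well-known case, so a length limit should be enforced visibly at registration rather than discovered by users later.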

"Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords," a Microsoft spokesman said. 

"Sixteen characters has been the limit for years now. We will always prioritize the protection needs of users’ accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services."

Courtesy of Dennis Fisher

Wednesday 19 September 2012

Flame C&C Server Analysis Reveals New Malware in the Wild

Forensic analysis of several command-and-control servers for the Flame malware toolkit revealed three additional, as yet unidentified pieces of malicious code under the attackers' control, at least one of which is circulating in the wild. Researchers at Kaspersky Lab, Symantec, CERT-Bund/BSI and the International Telecommunication Union's IMPACT alliance said today they have also traced the earliest work on the Flame espionage campaign to 2006, much earlier than 2010, when development was initially thought to have begun.

In June, Kaspersky Lab reported a definitive connection between Flame and Stuxnet; researchers said the unidentified malware reported today has no known connection to either Stuxnet or Gauss, another nation-state threat Kaspersky discovered last month.

Analysis also determined that at least four programmers, with varying levels of expertise, worked on the C&C code, and confirmed that strong cryptography is used to protect data sent between the victims' machines and the C&C servers. The C&C code handles three communication protocols, and researchers saw evidence of a fourth under development.

Alexander Gostev, chief security expert at Kaspersky Lab, called the discoveries examples of cyber espionage conducted on a massive scale.
 
The attackers, researchers said, spent significant resources covering their tracks and disguising the project from hosting providers. The C&C platform was made to look like an ordinary content management system: where most botnet control panels use labels such as "malware," "command" and "infection," this one used innocuous terms such as data, download, client, news, blog and ads. Nor was the panel set up to push commands to victims directly; instead the attackers uploaded tar.gz archives, and server-side scripts extracted their contents. Files received from an infected machine were encrypted with Blowfish, and the Blowfish key was in turn encrypted with a public key, so only the attackers, holding the matching private key, could decrypt the files; anyone else with access to the server could not.

Communication was carried out over four protocols: OldProtocol, OldProtocolE, SignupProtocol and RedProtocol (the one under development). Four types of malware client were identified: SP, SPE, FL and IP. FL, researchers determined, is Flame, and they concluded that the three remaining names denote similar malware tools. The researchers used a sinkhole, the networking equivalent of a honeypot, to catalog incoming connections and found two populations: Flame clients and SPE clients, which confirmed that SPE is in the wild as well.

For one week starting March 25, 5,377 unique IP addresses connected to a C&C server hosted in a European country, with data centers in another EU country. More than 3,700 of the connections came from Iran and another 1,280 from Sudan. Researchers concluded this was a campaign targeted at those two countries, since no significant activity had been seen originating from Sudan in particular before. Fewer than 100 connections each came from the United States, Germany, India, Pakistan, the United Kingdom and several other countries, most of them in the Middle East.

The server had limited functionality, and infected machines supported only a few commands: some that fetch updates and new Flame modules, some storage commands and some directory commands. Researchers also found that the four developers left their nicknames and timestamps in the scripts, the earliest timestamp being Dec. 3, 2006. One developer worked on the majority of the files and appeared to be the most experienced of the four. "He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms. We think [developer] was most likely a team lead," the report said.

The C&C server ran a 64-bit Debian operating system; researchers obtained a server image in the form of an OpenVZ file-system container. Most of the code was written in PHP, with some Python and bash. All data was stored in a MySQL database with InnoDB tables. The Web server was Apache 2.x with self-signed certificates. The last modification to the C&C server was made May 18.

The forensics also turned up automated scripts that wiped log files and disabled further logging. Researchers found the chkconfig tool present, a Debian build of a utility normally found on Red Hat and CentOS systems, which had also been seen on the Duqu servers. The shred tool, likewise used by the Duqu team, was used here to wipe information. Other scripts downloaded new data and removed old data every 30 minutes.


Courtesy of Michael Mimoso

Monday 17 September 2012

Fake ADP and FDIC Notifications Leading Users to Blackhole Exploit Kit

With the latest iteration of the Blackhole Exploit Kit hitting the web this week, attackers are going to great lengths to spread links that get unsuspecting victims to click through to pages running the first version of the kit.

E-mail notifications claiming to come from Microsoft Exchange, ADP, the Federal Deposit Insurance Corporation and other purported "trusted sources" have been spotted this week leading Web users to pages hosting the original exploit kit.

A post by Ran Mosessco, a security analyst at Websense, on the firm's Security Labs blog breaks down some of the deceptive emails.

A notification claiming to come from payroll services company ADP tries to trick employees into clicking through to what appears to be their Online Invoice Management account to “protect the security of [their] data.”

Elsewhere an email disguised as a voicemail notification from Microsoft Exchange Server tries to get users to double click a link to listen to a voicemail and an email that appears to come from the FDIC tries to get users to follow a link to download “a new security version.”

While all of these links currently lead to pages hosting the original Blackhole Exploit Kit, Mosessco writes that it likely won't be long before they start redirecting to Blackhole 2.0. The latest version of the kit surfaced online earlier this week; it drops old exploits for vulnerabilities that have already been patched and adds features that make the kit harder for researchers to reverse-engineer.
 
Courtesy of Christopher Brook

Sunday 16 September 2012

Black Hole Exploit Kit 2.0 Released

The developer behind the notorious Black Hole exploit kit has released a new version of the software, adding in several new features designed to prevent security researchers from getting access to new exploits or reverse-engineering the kit's inner workings. Conveniently, the pricing for Black Hole has stayed the same, so hackers get more value for the same amount of money.

Black Hole is one of a number of readily available exploit kits distributed in the cybercrime underground that make it simple for attackers of all skill levels to exploit a wide variety of vulnerabilities. With a few mouse clicks, users can pick out a specific exploit, say the recently disclosed CVE-2012-1723 Java vulnerability, and begin compromising vulnerable browsers. The kit has been around for some time, as have similar kits such as the Phoenix exploit kit and Eleonore, and the trend of late has been that exploit code for newly discovered bugs is being added more and more quickly to Black Hole.

The new Black Hole version 2.0 release was announced recently on the underground site Exploit.In, and the list of new features and functionality is extensive. One addition to the main Black Hole software is the use of short-lived random URLs for delivering the kit's exploits. Attackers often compromise legitimate Web sites via SQL injection or some other common method, load their malicious code onto the sites and rig it to attack visitors' browsers with specific exploits. One problem with this technique from the attacker's point of view is that if the compromised page is detected or removed for some other reason, the attack dies.

Enter random domain generation. This feature will generate a new, random URL for the attacker's code to live on, sometimes with a shelf life of just a few seconds. This makes detection of malicious pages far more difficult for site owners and security companies. There's also a new feature that obfuscates the outgoing traffic from a compromised site, making it more difficult to identify.
 
Black Hole 2.0 also removes all of the old exploits for vulnerabilities that have been fixed, even though those remain useful against the many users who have not patched, and includes a new batch of exploits. The new release can also recognize more operating systems, including Windows 8 and several mobile operating systems, so the attacker can break down how much of his traffic comes from machines running each OS.

"To the list of operating systems added to Win 8, and mobile devices, in order to see how much of your traffic is mobile, and mobile traffic, you can redirect to the appropriate affiliate," a translated version of the original Russian announcement says. The announcement was posted on the Malware Don't Need Coffee site on Wednesday.

All of this functionality doesn't come for free, of course, but the prices for various iterations of Black Hole have stayed the same as they were for version 1.0. So an attacker wanting to rent an instance of Black Hole from the author's server will pay $50 per day, up to 50,000 hits. A monthly rental will run you $500 with a limit of 70,000 hits per day. A one-year license for unlimited domains is $1,500.

This article was updated on Sept. 12 to correct the source of the Black Hole 2.0 announcement and details about the domain-generation algorithm.


Courtesy of Dennis Fisher

Friday 14 September 2012

Attackers Using Anime Character to Spread Malicious Android App

Symantec is warning Android users about a new malicious application, posing as a famous anime character, that steals personal contact information stored on the device and sends it to a third party.

The Anaru application is in fact the Android.Maistealer malware, a Trojan designed to steal data such as contact names and email addresses from Android devices. It is now hosted on a third-party marketplace designed to look like Google Play; Symantec researcher Joji Hamada said the app is not available on Google Play itself. When it was discovered on July 24 the infection rate was low, but now that it has a dedicated distribution site, a ramp-up is expected.

Users are unaware the application, which features one of the lead characters in a popular 2011 Japanese anime, is malicious. It behaves as promised by allowing the user to manipulate the character Anaru's body by touching the device screen.

The problem appears much earlier, at install time, when the app asks the user to grant it access to storage, network communication and personal information. Symantec notes that an application of this kind has no legitimate need for access to personal information.
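The install-time check Symantec is describing, as an added example that is not Symantec's code: parse the app's manifest, list the permissions it requests, and compare them with what its advertised purpose needs, flagging the combination of a personal-data permission with a channel that can carry the data off the device. The manifest below is constructed to match the article's description (storage, network and personal-information access for an app that only animates a character); the package name is made up. In practice the manifest would first be extracted from the APK with a tool such as apktool or aapt.

```python
"""
Flag an Android app whose requested permissions exceed what its stated
purpose needs.

Added example, not Symantec's code.  The manifest is constructed to match
the article's description; the package name is made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed manifest: a touch-driven animation app that also asks for
# storage, network and contact access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.anaru">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Anaru"/>
</manifest>
"""

# Permissions that expose personal data, and channels that can carry it off the device.
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}
EXFIL_CHANNELS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def requested_permissions(manifest_xml: str) -> list:
    """Return the sorted list of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR))


def assess(manifest_xml: str, expected: set) -> dict:
    """Compare what the app asks for with what its advertised function needs."""
    requested = set(requested_permissions(manifest_xml))
    personal = requested & PERSONAL_DATA
    channels = requested & EXFIL_CHANNELS
    return {
        "requested": sorted(requested),
        "unexpected": sorted(requested - expected),
        "personal_data": sorted(personal),
        # Reading contacts is only a leak if the app can also send them somewhere.
        "can_exfiltrate": bool(personal and channels),
    }


# A touch-driven animation app needs, at most, network access for ads.
ANIMATION_APP_NEEDS = {"android.permission.INTERNET"}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_MANIFEST, ANIMATION_APP_NEEDS).items():
        print(key, value)
```

For the constructed manifest the unexpected set is storage, contacts and accounts, and because INTERNET is also present the app can both read and send the data, which is precisely the Maistealer behaviour. The same check against a manifest that asks only for INTERNET flags nothing.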

The same group is also spreading the Android.Enesoluty data-stealing Trojan via spam messages enticing recipients to download a phone battery-saving application called EnergyHelper1 from another phony marketplace. Symantec said these battery-saving applications are becoming popular among scammers.

"We now know that this criminal group was not just playing around with the Anaru app in July," Hamada said. "They have been busy developing another app, as well as setting up dedicated sites to imitate legitimate app markets."


Courtesy of Michael Mimoso

Wednesday 12 September 2012

Google Adds Online Malware Scanner VirusTotal To Security Lineup

Google made a significant addition to its security lineup Friday with its acquisition of the online malware scanning service VirusTotal. Experts say the malware intelligence Google gains will not only enhance existing products and services but also underpin its site safety rankings.

Terms of the deal were undisclosed.

VirusTotal's service lets users upload files or submit URLs to be scanned for malware. The five-year-old company runs more than 40 antimalware engines on the back end to perform the scans, and it shares samples and results with the security companies whose engines it uses, which improves detection on both sides.

"Given Google's visibility to everything, having a service like this lets them see and possibly interpret malware long before they might have recognized it themselves," said IANS CTO Dave Shackleford. "With their efforts to notify Google users of nation state attacks and other security events, this adds some serious heft to their response and notification efforts."
 
Google, a VirusTotal partner before today, already flags suspicious sites and files in its search results. It also offers the Safe Browsing diagnostic tool, which scans a website and reports on its safety, including its current status, whether it is hosting or distributing malware and whether it has done so in the past.

“Security is incredibly important to our users and we’ve invested many millions of dollars to help keep them safe online," a Google spokesperson said in a statement. "VirusTotal also has a strong track record in Web security, and we’re delighted to be able to provide them with the infrastructure they need to ensure that their service continues to improve.”

A post on the VirusTotal site welcomed the acquisition and said the company will continue to operate independently and maintain existing partnerships with other security companies.

"This is great news for you, and bad news for malware generators, because the quality and power of our malware research tools will keep improving, most likely faster; and Google’s infrastructure will ensure that our tools are always ready, right when you need them," the post said. "This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them."

Google has made several high-profile security acquisitions since picking up sandboxing specialist GreenBorder and messaging security service provider Postini in 2007. Two years later, Google added reCAPTCHA as a CAPTCHA technology for its services. Last year, it scooped up Zynamics, a vulnerability research company that specializes in reverse engineering software.
 
 
Courtesy of Michael Mimoso

Friday 7 September 2012

Newest Java 7 Update Still Exploitable, Researcher Says

Oracle last week patched the two zero-day vulnerabilities in Java that attackers had been exploiting in targeted attacks, but it didn't take long for researchers to poke more holes in the software. A new bug allowing a complete Java sandbox escape has already been identified, the latest in a long line of flaws haunting the Java software that runs on hundreds of millions of machines.

Adam Gowdiak, a researcher at Security Explorations, a Polish firm that says it sent Oracle more than a dozen Java security vulnerabilities several months ago, said that after downloading and inspecting Java 7 Update 7 he found that one of the changes made in the update had turned a previously unexploitable bug into an exploitable one.

"One of the fixes incorporated in the released update also addressed the exploitation vector with the use of the sun.awt.SunToolkit class. Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more (please note, that not all security issues that were reported in Apr 2012 got addressed by the recent Java update)," Gowdiak wrote in a post on BugTraq.

"Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again."

In addition to the newly disclosed vulnerability in Java 7, the team at Security Explorations says it sent a number of other bug reports to Oracle in April, including the initial report of the CVE-2012-4681 bug, some of which have not yet been addressed.

Gowdiak said via email that the vulnerability he found in Java 7 is an entirely new issue and not just a reemergence of an older bug.

"That's a completely new vulnerability. It however makes our past, not yet addressed issues possible to exploit again in the environment of the recent Java 7 Update 7," Gowdiak said.

He also said that the company has not received any indication from Oracle when this flaw might be addressed with a patch.

"We only received information from Oracle that it planned to address the remaining 25 issues by the means of Oct 2012 and Mar 2013 Java CPUs," Gowdiak said, referring to the larger group of bugs that Security Explorations reported to Oracle earlier this year.


Courtesy of Dennis Fisher

Wednesday 5 September 2012

Mobile Malware Is Up - Way Up - in McAfee Q2 Threat Report

McAfee Labs researchers today announced a surge in malware samples this year, particularly threats that use mobile networks to launch drive-by downloads, control botnets via Twitter and spread ransomware that locks down infected machines and demands payment from users.

The Santa Clara-based company released its Q2 Threat Report, in which its researchers say they have unearthed 1.5 million new pieces of malware this year and now see nearly 100,000 new malware samples a day. More and more malicious code targets Google's Android OS, though Apple users are far from immune either: more than 100 new Mac-oriented samples were discovered last quarter.

"Attacks that we've traditionally seen on PCs are now making their way to other devices. For example, in Q2 we saw Flashback, which targeted Macintosh devices and techniques such as ransomware and drive-by downloads targeting mobile," said the Labs' senior vice president, Vincent Weafer, in a prepared statement.

The findings in today's report come from McAfee Labs' 350 researchers scattered across 30 countries.
 
Among the emerging threats gaining traction is "signed malware," in which attackers use digital signatures made with stolen certificates to evade detection and encourage users to open files. "In our 2012 Threats Predictions we predicted that this technique, likely inspired by the success of Duqu and Stuxnet, would rise in 2012. That opinion seems to be a successful example of crystal-ball gazing," researchers wrote in the quarterly report.

The past quarter was also the busiest ever for ransomware, which holds part or all of a victim's data hostage and demands payment through anonymous channels to restore it.

"Ransomware is particularly problematic because the damage is instant and commonly a machine is rendered completely unusable. So not only is the victim’s data destroyed, but some of the victim’s money is also gone if he or she attempts to pay the attacker’s ransom. And although it is a personal disaster for a home user to lose years’ worth of data, pictures, and memories, the situation can be much worse in an enterprise if the malware encrypts all the data that a victim has write-access to on a corporate network," the report states. The authors advise users to be careful opening file attachments and to back up systems regularly. Enterprise administrators should consider establishing access protection rules in their security products.

Botnets reached a 12-month high last quarter, with more attackers using Twitter to send out commands and get all infected devices to follow them. Additionally, thumb drives containing malware - particularly password-stealing code - remain a popular conduit to infect machines.

Spam's growth rate slowed in most parts of the world, the exceptions being Colombia, Japan, South Korea and Venezuela. In the countries with more than 10 percent growth in spam, social media proved a useful channel for peddling adult products, drugs, "lonely women" and phishing scams.

More Web sites that host malware are gaining bad reputations. "Reputations can be based on full domains and any number of subdomains, as well as on a single IP address or even a specific URL. Malicious reputations are influenced by the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. These are several of the factors that contribute to our rating of a site’s reputation. By the end of June, the total number of bad URLs referenced by our labs overtook 36 million! This is equivalent to 22.6 million domain names."

The authors note that their figure is at odds with the roughly 9,500 new malicious Web sites per day that Google reported in a June blog post.


Courtesy of Anne Saita

Saturday 1 September 2012

Survey Tracks Security’s ‘Bad Mood’ Trend, Need for Improvement

The bulk of security teams face a relentless uphill battle in dealing with security risks and are sorely lacking when it comes to tracking, measuring and maintaining data access, according to new research.

The survey, "The Buried Truth: State of Security Information and Event Management Processes," published today by security firm Sensage, found that most security professionals are having a rough go of it these days. It is the third time the California-based firm has polled the industry, but the first in which the results have shown such a downward slide for its respondents.

This downward trend was clear after Sensage analyzed what it’s referring to as security’s “bad mood.” After taking respondents’ optimism and other factors into account, the firm notes the mood is likely reflective of increasingly complex threats and a decrease in confidence. The mood continues to trend downward when looking at the last three years of responses.

“By 2012, proactive teams were starting to do the heavy-lifting needed to absorb and analyze data across more systems, processes and people than they considered doing in the past,” one part of the survey reads.

That “heavy lifting” refers to the need for better coordination, compliance reporting, incident response and data access.

Fully 79 percent of the survey's respondents said they need better, faster data access and analysis, a big jump from last year, when only 57 percent of security teams said they wanted more trustworthy data.

When it comes to tracking improvement, security teams continue to be at a loss. A mere 5 percent of respondents felt they had a "consistent and adequately staffed process improvement program." Those numbers weren't great to start with; the figure is down from an already low 18 percent in 2010. Likewise, only 40 percent of respondents said their security teams maintained consistent process improvement, down from 65 percent last year.

Overall, 96 percent of those who answered claimed their teams either had no process improvement, inconsistent process or understaffed process.

Some of these security teams aren’t entirely equipped to handle problems that come their way. Seventy-eight percent of security practitioners who responded claimed they were under less than ideal circumstances when it comes to dealing with security risks.

Less than a quarter, 22 percent, said they were “very effective” when tackling security risks.


Courtesy of Christopher Brook