Multiple Layers Of Security Will Help Prevent Exploit Of New Flaw, Says Security Methods Inc.

Security Methods Inc., a leading information security provider based in Virginia’s Dulles technology corridor, is urging Microsoft Word and Excel users to shore-up security to ensure that they are not affected by recently discovered encryption flaws.

A Chinese academic has revealed a major problem with the way Microsoft’s encryption tool handles Word and Excel files, according to a January 28 report in the TechRepublic. The flaw could allow a cracker with basic cryptography skills to decrypt the files, warned the academic.

“Even basic cryptography skills won’t be required when exploit tools are developed,” said Carson Sweet, Principal Director at Security Methods. “Point-and-click exploit tools tend to appear rapidly after an issue like this is exposed.”

Microsoft is downplaying the problem, arguing that it poses a very low threat for users because an obscure situation would be needed to exploit the problem.

But Security Methods officials warn that the situation happens more frequently than many would expect. Officials with the Fairfax-based firm say a common situation that’s ripe for exploit is when a sensitive file is received via e-mail, edited, and then forwarded to another user.

“This issue is not as obscure as one would hope,” said Sweet, a CISSP and CISM-certified security specialist.

Sweet points out that most computer users receive files via e-mail, make changes using the same filename, and forward them to others on a daily basis. Sensitive Word or Excel files handled in this way would provide an optimal situation for an attacker with access to the victim’s PC through a Trojan horse or other means.

“Companies that counted on Word and Excel to protect sensitive data could be facing significant risk, particularly where multiple versions of a vulnerable document have been stored or distributed. If these files had been protected by properly implemented encryption, it wouldn’t matter at all. At this point, it matters quite a lot.”

Sweet also said that these types of problems go well beyond Microsoft’s issues and that true assurance cannot be attained by depending on just one layer of protection.

“It’s easy to blame one vendor, but it’s also unrealistic to think that any vendor’s security QA process can be 100 percent certain. Just as with any other technology, you never know when a security mechanism might fail,” Sweet said. “Just because the mechanism exists doesn’t mean that it is correctly implemented. Multiple layers of properly implemented security are critical. Companies assuming they’ve found a ‘silver bullet’ are betting against very long odds.”

About Security Methods Inc.
Security Methods is a leading information systems security provider that has met the protection needs of private industry and government agencies since 1996. Our mission is delivering direct, tangible, and cost-effective results to organizations demanding a higher standard of information security assurance. The company’s sole focus is providing specialized automation, skills, and strategies that achieve powerful and sustainable information security.

From its headquarters in Virginia’s Dulles technology corridor, Security Methods offers security solutions fitting a broad range of financial and operational situations. Our practical approach maximizes existing protection capabilities, expanding them as required through skilled development and integration of information security technologies.

Contact Information:
Communications Department
Security Methods Inc.
11350 Random Hills Road
Suite 800
Fairfax, Virginia 22030

(t) 703-831-4151
(f) 703-637-1148
www.securitymethods.com

Author:  

Email:    

Topic:    

Content: