Category: Uncategorized

To some extent, that’s the nature of the Internet beast; if you have a door open to the world, then it’s inevitable that someone will try to open it up. Dan Ingevalson, the director of professional security services at Internet Security Systems, says that enterprises have gotten better at managing security vulnerabilities, but the increasing complexity of networks and network-borne applications make perfect protection impossible. Having said that, some open doors are bigger and more common than others.

Network edge devices: Though well-publicized, worms and viruses continue to be a common and, to some extent, under-appreciated network threat says Yankee Group senior analyst Jim Slaby. “We haven’t seen a really big, really pervasive worm like Blaster or Slammer in some time, but they are waiting in the wings,” he says. “Signature defenses only work against things that you’ve seen before, or someone has seen before you, and they proliferate quickly.” Although the high-profile worms of the last years have trained network security personnel to respond quickly and apply patches diligently, penetration tests still find perimeter holes — big, gaping holes, according to Curphey. One company left a particularly flagrant open door to its networked printers, despite locking down every other process with a virtual private network (VPN). “The reasoning was that people could print without having to deal with the VPN,” Curphey says.

Web servers and Web applications: The Web is usually the meeting point between the enterprise and the outside world, and it is here that many organizations leave themselves vulnerable. “Attacks have typically moved up into the application layer, and that’s one of the hardest things to protect against because there’s no one-size fits all solution.

Unprotected mobile and off-site endpoints: Even with the edgdevices and Web servers locked up, one of the most common oversights is the vulnerabilities that organizations bring inside their networks.

Wireless networks: None of this is helped by the increasing prevalence of wireless networks.

Voice over IP: For all of the potential points of attack on enterprise networks, it’s sobering to think that the technological push for Voice over IP [VoIP] has added one more.

http://www.informationweek.com/story/showArticle.jhtml?articleID=163701258

When perimeter security is lax, attackers will exploit promiscuous connectivity or weak password discipline; when users are careless and/or clueless, opportunistic attacks such as e-mail worms will have free rein. In the current environment, though, there are three reasons that line-of-business applications are ever-more-attractive targets.

First, increasingly complex business logic and growing integration among application modules that were not specifically designed to work together create a rising number of places where error may lurk or where unexpected interactions may arise. Second, the costs of finding and fixing vulnerabilities in a vertical application must be borne by the relatively narrow community of users in a specific commerce or industry segment Finally, supply chain pressures dictate that enterprise online presence, in the form of network-facing applications, must be accessible to the largest possible number of potential users and must meet aggressive targets for rapid development and deployment.

None of these measures addresses the fundamental problem of an application that’s intentionally exposed to an authorized user or invited customer but that offers unintended access to information or opportunities to do harm. The development team’s definition of success must therefore be the extent to which risk is shifted from the domain of technical flaws to the domain of business practices, not the degree to which all risk is removed.

http://www.eweek.com/article2/0,1759,1816536,00.asp

Critical patches are announced at the whim of vendors. Security and operations teams must drop everything to close holes in software before attackers exploit the vulnerability. Even in the best of circumstances, patch management requires close cooperation across operational disciplines that include security, operations, applications, and business units. Patches must be tested to ensure that they don’t affect essential business systems, tracked to ensure that they’ve been deployed, and reported on for executives and auditors who want bottom-line summaries of risk posture and compliance.

Patch management products can provide immediate relief, but a new trend is emerging that folds patch management into a larger security or configuration management system.

Pure-play patch management vendors that don’t respond to this trend will find themselves marginalized, whether by Microsoft and its automated patching systems, or by established software distribution and asset management vendors that are adding patch management to a larger portfolio of security and configuration management features. These systems track changes and remediation efforts and continually monitor the state of the assets to detect machines that fall out of compliance.

To help him answer that question, Hoff has an extensive set of tools at his disposal, including a vulnerability management service from Qualys, a risk analysis system from Skybox Security, and a collection of patch management products, including PatchLink and Microsoft’s Software Update Service (SUS).

Aaron Merriam, a systems service specialist for Hannaford, a New England grocery chain, has his hands full. Before turning to a tool to automate deployment, Merriam created and distributed patches manually. He also likes that BigFix can track the status of the anti-virus clients on the desktops. At this point, Merriam says there’s no clear policy in place that gives one group or another final say over a change. Disputes between himself and the applications group have to be mediated by supervisors, which complicates his ability to deploy patches during regular maintenance windows.

Some products begin from a patch deployment perspective, while others are born from an asset tracking or systems management perspective. What they all have in common is a move away from simple patch automation toward policy-driven monitoring. For instance, with an automated patching tool you associate a patch with a specified group of desktops or servers, and the patch is deployed. Using an agent-based architecture, BigFix lets administrators distribute software, start or shut down specific services, close file shares, track software licenses, and change registry and file settings on host machines.

BMC’s Marimba includes a suite of products, such as OS Management, Application Management, Patch Management, and Configuration Discovery, which can be purchased à la carte or as a set. It also ties into BMC’s popular Remedy ticketing and workflow system so that changes can be managed through normal procedures.

Many organizations find that their IT department’s priorities aren’t set by the staff, but by software vulnerabilities and the attackers who exploit them. “A process is needed so that organizations can identify vulnerabilities and other weaknesses in the environment and fix them before they are exploited or attacked,” says Mark Nicolett, vice president and research director at Gartner, a consulting firm.

While a patch management tool can help, the problem is that the root cause of a vulnerability isn’t always related to a patch. Root causes generally come in two forms: known vulnerabilities (which may or may not have an associated patch), and configuration policies that affect the risk posture of an asset.

Step one of the process is to create policies regarding the secure configuration of assets. This paves the way for assessing the environment to find assets that are out of compliance. Once you have a baseline, you can bring assets back into compliance.

However, because IT resources are limited, you’ll have to set priorities. Priorities will differ from enterprise to enterprise based on the value of the assets, their effect on business processes, the criticality of the vulnerability, and regulatory issues.

On the technical side, the vulnerabilities must be analyzed to determine how critical they are, if an exploit currently exists, whether patches are available, and what other steps can be taken. If patches are available, the organization must decided whether to deploy them immediately or during regular maintenance cycles.

In many organizations, the security staff is tasked with finding and analyzing vulnerabilities, but redressing those vulnerabilities often falls to IT operations, which in turn must answer to application owners and business managers if services are disrupted.

After remediation comes monitoring, in which assets are continually assessed to ensure that previous patches are still in place, that configurations are correct, and that changes haven’t been made that affect an asset’s compliance.

At this point, the process starts all over again, resulting in a process-based cycle that drives the organization, rather than the organization being driven by vulnerabilities, patches, or attackers. They now focus on new capabilities for configuration management, such as dealing with registry and system settings, security policy enforcement, and so on.

The majority of solutions are agent-based and will thus require some deployment effort, though network scanner-based products are also available. Patch management is also most efficient when rolled into a policy-driven security or configuration management system. Such a system requires considerable effort up front to create and deploy across the multiple silos (security, IT operations, application managers, and so on) in today’s network environment.

The most significant risk from a patch deployment system is the potential for a patch to adversely affect the host’s OS or applications.

http://www.securitypipeline.com/160701482

“In the last three years the amount of interest in e-mail hygiene has increased dramatically, especially in light of regulatory compliance issues,” said Cain, who acknowledged that message hygiene is a broad topic and spans multiple tiers. “It is more than just a security issue. Mail hygiene effects all parts of the organization, and Cain suggested that the legal department be brought in as organizations establish an overall e-mail policy. There should be a common policy engine that stitches everything all together,” said Cain who suggested that the policy-based approach is necessary to manage this very complex environment. Many regulations are specific to e-mail activity within an organization,” Cain said. “Not everyone in an organization requires the same kind of hygiene.”

There are more pushes for increased privacy and everyone wants to have encrypted messages with no effort from the user.

“I’m not sure that magical target will ever be reached, but you do need something sitting at the gateway that recognizes key words,” he said. “From a regulatory compliance perspective, archiving has been a particularly fascinating topic over the last 12 months, and there has been quite a bit of acquisition activity and consolidation in this market, according to Cain, who points out that finding the right vendor is not easy. Too many organizations focus on the initial cost of software and fail to consider the whole lifecycle and resultant storage costs,” he said.

“Budgets need to be expanded to accommodate growing hygiene and management complexity. Policy driven e-mail services are required to lower overall costs.”

Before introducing his company’s product mail security product Pure Message, Mark Borbas discussed the role of archiving and content management since e-mail has become de-facto record storage. “E-mail architecture has been restructured in the last five years. Very few of us delete e-mails and we are asking a system to do a lot more than it was designed for,” Borbas said.

Organizations are looking to automated identity management systems to fulfill the privacy and access requirements of regulations like HIPAA and Sarbanes-Oxley.

http://www.compliancepipeline.com/showArticle.jhtml?articleID=161601086

Those aren’t convergence; they are merely dumb ideas. And like a lot of dumb ideas—rooted in an insufficient respect for reality—they provoke objections that miss the point, such as: “IT security is too complicated and important to entrust to those ‘guns and holsters’ guys.” Or “How can a technogeek possibly manage an executive protection strategy?” (For a list of five common convergence objections just begging to be overruled, go to www.csoonline.com/printlinks.)

It may be more revealing to think in terms of integrated or holistic security management. In fact, while physical and information security are the cornerstones of holistic security, they aren’t the whole ball of wax. Depending on which industry they serve, CSOs need visibility into fraud and loss-prevention efforts, investigations, process-control systems, business continuity, pieces of regulatory compliance, some aspects of the human resources function and audit.

But reworking the organizational chart isn’t really the end goal, according to Timothy Williams; it’s just one possible means of establishing the necessary accountability and processes that make security effective. Williams is the CSO at Nortel Networks, where he has been leading a centralized, multifaceted security program since 1990. “If you don’t trust the person you’re giving the group to, forget it; it will never work. It’s about how we manage risk and the processes between the domains,” he says.

A case of intellectual property theft doesn’t fit neatly into any of the domains of IT, corporate security or legal; it crosses all of these functions. To Williams, convergence is about “what we are doing to make sure we’re not creating or missing an interdependency between the various areas.” In some cases, the CSO (by whatever title he or she goes) has direct oversight of two or three branches of security, plus dotted-line reports to well-placed employees in other branches. Which lines are dotted and which are solid can depend on the circumstances and priorities of each company, and on the expertise of the CSO.

Steve Hunt, a CPP-toting former Forrester Research analyst, goes so far as to say the leadership role is best handled by a committee, an idea he says is gaining traction particularly in Europe. Hunt says he has seen it work, though it’s worth noting that leadership by committee generally has a checkered history in the corporate world.

Having noted that convergence isn’t accomplished by remaking reporting relationships, Williams circles back to reemphasize that convergence is not the same as “having lunch once in a while. Constellation Energy Group CIO Beth Perlman, who handed the reins of information security to ex-Marine John Petruzzi, sums it up: “If you don’t trust the person you’re giving the group to, forget it; it will never work.”

Another key leadership requirement, Williams adds, is the ability to articulate security and risk issues in the context of business activities and in the language of the corporate boardroom.

Today’s corporate security department is an evolution of what used to be referred to as physical security; over time, forward-thinking practitioners demonstrated the value of putting surveillance, fraud investigations, executive protection, and an assortment of other activities (each requiring different knowledge and skills) under a single umbrella.

http://www.csoonline.com/read/041505/intro_moment_3536.html

IT managers should either integrate the new wireless piece into the overall company security policy, if one already exists, or take the opportunity to create a plan for the entire IT infrastructure, security experts urged Wednesday at the event, being held in Cambridge, Massachusetts.

Instead of considering wireless security in isolation, technology managers should think of defending their existing wired network against a new set of threats that emanate from the wireless world, said Craig Mathias, principal at advisory and systems integration company Farpoint Group, based in Ashland, Massachusetts.

It used to be the case that corporations weren’t embracing wireless technology because of security concerns. Now, however, the leading barrier to adoption is the perceived complexity of wireless security, according to Lisa Phifer, vice president of consulting firm Core Competence in Chester Springs, Pennsylvania. The situation is beginning to change, as vendors build more functionality into wireless LAN switches.

Mathias singled out Ann Arbor, Michigan-based Interlink Networks Inc.’s LucidLink, an enterprise-level wireless security application designed to be easily deployed by small business and home office users. Mathias stressed that wireless will likely form only a small piece of a company’s security policy, mostly in terms of specifying which mobile devices and intermediary networks for remote access meet desirable corporate security standards.

“We have a saying (here) that if you could just get rid of the end-users, you could have perfect security,” quipped Jim Burns, senior software developer at Portsmouth, New Hampshire-based network authentication software developer Meetinghouse.

http://www.infoworld.com/article/05/04/21/HNexpertsurge_1.html