
CyberSecurity Institute

Security News Curated from across the world


Category: Uncategorized

The Evolution of Patch Management

Posted on May 1, 2005 (updated December 30, 2021) by admini

Critical patches are announced at the whim of vendors. Security and operations teams must drop everything to close holes in software before attackers exploit the vulnerability. Even in the best of circumstances, patch management requires close cooperation across operational disciplines that include security, operations, applications, and business units. Patches must be tested to ensure that they don’t affect essential business systems, tracked to ensure that they’ve been deployed, and reported on for executives and auditors who want bottom-line summaries of risk posture and compliance.

Patch management products can provide immediate relief, but a new trend is emerging that folds patch management into a larger security or configuration management system.

Pure-play patch management vendors that don’t respond to this trend will find themselves marginalized, whether by Microsoft and its automated patching systems, or by established software distribution and asset management vendors that are adding patch management to a larger portfolio of security and configuration management features. These systems track changes and remediation efforts and continually monitor the state of the assets to detect machines that fall out of compliance.

To help him answer that question, Hoff has an extensive set of tools at his disposal, including a vulnerability management service from Qualys, a risk analysis system from Skybox Security, and a collection of patch management products, including PatchLink and Microsoft’s Software Update Service (SUS).

Aaron Merriam, a systems service specialist for Hannaford, a New England grocery chain, has his hands full. Before turning to a tool to automate deployment, Merriam created and distributed patches manually. He also likes that BigFix can track the status of the anti-virus clients on the desktops. At this point, Merriam says there’s no clear policy in place that gives one group or another final say over a change. Disputes between himself and the applications group have to be mediated by supervisors, which complicates his ability to deploy patches during regular maintenance windows.

Some products begin from a patch deployment perspective, while others are born from an asset tracking or systems management perspective. What they all have in common is a move away from simple patch automation toward policy-driven monitoring. For instance, with an automated patching tool you associate a patch with a specified group of desktops or servers, and the patch is deployed. Using an agent-based architecture, BigFix lets administrators distribute software, start or shut down specific services, close file shares, track software licenses, and change registry and file settings on host machines.

BMC’s Marimba includes a suite of products, such as OS Management, Application Management, Patch Management, and Configuration Discovery, which can be purchased à la carte or as a set. It also ties into BMC’s popular Remedy ticketing and workflow system so that changes can be managed through normal procedures.

Many organizations find that their IT department’s priorities aren’t set by the staff, but by software vulnerabilities and the attackers who exploit them. “A process is needed so that organizations can identify vulnerabilities and other weaknesses in the environment and fix them before they are exploited or attacked,” says Mark Nicolett, vice president and research director at Gartner, a consulting firm.

While a patch management tool can help, the problem is that the root cause of a vulnerability isn’t always related to a patch. Root causes generally come in two forms: known vulnerabilities (which may or may not have an associated patch), and configuration policies that affect the risk posture of an asset.

Step one of the process is to create policies regarding the secure configuration of assets. This paves the way for assessing the environment to find assets that are out of compliance. Once you have a baseline, you can bring assets back into compliance.

However, because IT resources are limited, you’ll have to set priorities. Priorities will differ from enterprise to enterprise based on the value of the assets, their effect on business processes, the criticality of the vulnerability, and regulatory issues.

On the technical side, the vulnerabilities must be analyzed to determine how critical they are, whether an exploit currently exists, whether patches are available, and what other steps can be taken. If patches are available, the organization must decide whether to deploy them immediately or during regular maintenance cycles.

In many organizations, the security staff is tasked with finding and analyzing vulnerabilities, but redressing those vulnerabilities often falls to IT operations, which in turn must answer to application owners and business managers if services are disrupted.

After remediation comes monitoring, in which assets are continually assessed to ensure that previous patches are still in place, that configurations are correct, and that changes haven’t been made that affect an asset’s compliance.

At this point, the process starts all over again, resulting in a process-based cycle that drives the organization, rather than the organization being driven by vulnerabilities, patches, or attackers. Patch management vendors now focus on new capabilities for configuration management, such as dealing with registry and system settings, security policy enforcement, and so on.
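The cycle described above (policy baseline, assessment, prioritization, remediation, monitoring) is easier to see as code than as prose. The following PowerShell is an added example, not code from the article or from any of the products it names. The policy, patch identifiers ("PATCH-A", "PATCH-B"), setting names, scoring weights and the asset inventory are all constructed for illustration; a real run would replace the inventory with records pulled from hosts or a scanner.

```powershell
# Added example (not from the article). Models the policy-driven cycle:
# baseline -> assess -> prioritize -> monitor, over a constructed inventory.

# Step 1: the secure-configuration policy. Patch IDs and setting names are
# placeholders, not real vendor identifiers.
$Policy = @{
    RequiredPatches = @{
        'PATCH-A' = @{ Severity = 'Critical';  ExploitPublic = $true  }
        'PATCH-B' = @{ Severity = 'Important'; ExploitPublic = $false }
    }
    RequiredSettings = @{
        'AutoRunDisabled'   = $true
        'GuestAccountState' = 'Disabled'
    }
}

# Constructed asset inventory standing in for scanner or agent output.
$Assets = @(
    [pscustomobject]@{ Name = 'FILESRV01'; BusinessValue = 5; Patches = @('PATCH-B')
                       Settings = @{ AutoRunDisabled = $true;  GuestAccountState = 'Enabled' } }
    [pscustomobject]@{ Name = 'WKS-0042';  BusinessValue = 2; Patches = @('PATCH-A', 'PATCH-B')
                       Settings = @{ AutoRunDisabled = $false; GuestAccountState = 'Disabled' } }
)

# Step 2: assess each asset against the baseline. A missing patch and a drifted
# setting both become findings, which is the point of policy-driven monitoring
# as opposed to pushing patches to a group of machines.
function Get-ComplianceFindings {
    param([object[]]$Assets, [hashtable]$Policy)
    foreach ($a in $Assets) {
        foreach ($id in $Policy.RequiredPatches.Keys) {
            if ($a.Patches -notcontains $id) {
                $p = $Policy.RequiredPatches[$id]
                [pscustomobject]@{ Asset = $a.Name; Type = 'MissingPatch'; Item = $id
                                   Severity = $p.Severity; ExploitPublic = $p.ExploitPublic
                                   BusinessValue = $a.BusinessValue }
            }
        }
        foreach ($s in $Policy.RequiredSettings.Keys) {
            if ($a.Settings[$s] -ne $Policy.RequiredSettings[$s]) {
                [pscustomobject]@{ Asset = $a.Name; Type = 'SettingDrift'; Item = $s
                                   Severity = 'Important'; ExploitPublic = $false
                                   BusinessValue = $a.BusinessValue }
            }
        }
    }
}

# Step 3: prioritize. Weights are illustrative: asset value times vulnerability
# criticality, doubled when a public exploit exists. The threshold is the
# "deploy now or wait for the maintenance window" decision from the text.
function Add-Priority {
    param([Parameter(ValueFromPipeline)] $Finding)
    process {
        $sev = switch ($Finding.Severity) { 'Critical' { 4 } 'Important' { 3 } 'Moderate' { 2 } default { 1 } }
        $score = $Finding.BusinessValue * $sev * $(if ($Finding.ExploitPublic) { 2 } else { 1 })
        $action = if ($score -ge 20) { 'Deploy now' } else { 'Next maintenance window' }
        $Finding | Add-Member -NotePropertyName Score  -NotePropertyValue $score  -PassThru |
                   Add-Member -NotePropertyName Action -NotePropertyValue $action -PassThru
    }
}

# Step 4: monitoring is the same assessment run again; anything not present in
# the previous pass is drift that must be brought back into compliance.
function Compare-Findings {
    param($Previous, $Current)
    $seen = @($Previous | ForEach-Object { "$($_.Asset)|$($_.Type)|$($_.Item)" })
    $Current | Where-Object { $seen -notcontains "$($_.Asset)|$($_.Type)|$($_.Item)" }
}

$baseline = Get-ComplianceFindings -Assets $Assets -Policy $Policy | Add-Priority
$baseline | Sort-Object Score -Descending | Format-Table Asset, Type, Item, Score, Action -AutoSize

# Simulated drift between two monitoring passes: Guest gets re-enabled on WKS-0042.
$Assets[1].Settings.GuestAccountState = 'Enabled'
$later = Get-ComplianceFindings -Assets $Assets -Policy $Policy | Add-Priority
Compare-Findings -Previous $baseline -Current $later | Format-Table Asset, Type, Item, Action -AutoSize
```

With the constructed data, the missing critical patch with a public exploit on the high-value file server scores 40 and is flagged "Deploy now", while the two setting deviations fall into the next maintenance window; the second pass reports only the newly re-enabled Guest account as drift.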

The majority of solutions are agent-based and will thus require some deployment effort, though network scanner-based products are also available. Patch management is also most efficient when rolled into a policy-driven security or configuration management system. Such a system requires considerable effort up front to create and deploy across the multiple silos (security, IT operations, application managers, and so on) in today’s network environment.

The most significant risk from a patch deployment system is the potential for a patch to adversely affect the host’s OS or applications.

http://www.securitypipeline.com/160701482


Be Aggressive With E-Mail Policies

Posted on April 27, 2005 (updated December 30, 2021) by admini

“In the last three years the amount of interest in e-mail hygiene has increased dramatically, especially in light of regulatory compliance issues,” said Cain, who acknowledged that message hygiene is a broad topic and spans multiple tiers. “It is more than just a security issue.” Mail hygiene affects all parts of the organization, and Cain suggested that the legal department be brought in as organizations establish an overall e-mail policy. “There should be a common policy engine that stitches everything all together,” said Cain, who suggested that the policy-based approach is necessary to manage this very complex environment. “Many regulations are specific to e-mail activity within an organization,” Cain said. “Not everyone in an organization requires the same kind of hygiene.”

There are more pushes for increased privacy and everyone wants to have encrypted messages with no effort from the user.

“I’m not sure that magical target will ever be reached, but you do need something sitting at the gateway that recognizes key words,” he said. From a regulatory compliance perspective, archiving has been a particularly fascinating topic over the last 12 months, and there has been quite a bit of acquisition activity and consolidation in this market, according to Cain, who points out that finding the right vendor is not easy. “Too many organizations focus on the initial cost of software and fail to consider the whole lifecycle and resultant storage costs,” he said.

“Budgets need to be expanded to accommodate growing hygiene and management complexity. Policy driven e-mail services are required to lower overall costs.”

Before introducing his company’s mail security product, Pure Message, Mark Borbas discussed the role of archiving and content management, since e-mail has become de facto record storage. “E-mail architecture has been restructured in the last five years. Very few of us delete e-mails and we are asking a system to do a lot more than it was designed for,” Borbas said.

Organizations are looking to automated identity management systems to fulfill the privacy and access requirements of regulations like HIPAA and Sarbanes-Oxley.

http://www.compliancepipeline.com/showArticle.jhtml?articleID=161601086


The Defining Moment

Posted on April 22, 2005 (updated December 30, 2021) by admini

Those aren’t convergence; they are merely dumb ideas. And like a lot of dumb ideas—rooted in an insufficient respect for reality—they provoke objections that miss the point, such as: “IT security is too complicated and important to entrust to those ‘guns and holsters’ guys.” Or “How can a technogeek possibly manage an executive protection strategy?” (For a list of five common convergence objections just begging to be overruled, go to www.csoonline.com/printlinks.)

It may be more revealing to think in terms of integrated or holistic security management. In fact, while physical and information security are the cornerstones of holistic security, they aren’t the whole ball of wax. Depending on which industry they serve, CSOs need visibility into fraud and loss-prevention efforts, investigations, process-control systems, business continuity, pieces of regulatory compliance, some aspects of the human resources function and audit.

But reworking the organizational chart isn’t really the end goal, according to Timothy Williams; it’s just one possible means of establishing the necessary accountability and processes that make security effective. Williams is the CSO at Nortel Networks, where he has been leading a centralized, multifaceted security program since 1990. “It’s about how we manage risk and the processes between the domains,” he says.

A case of intellectual property theft doesn’t fit neatly into any of the domains of IT, corporate security or legal; it crosses all of these functions. To Williams, convergence is about “what we are doing to make sure we’re not creating or missing an interdependency between the various areas.” In some cases, the CSO (by whatever title he or she goes) has direct oversight of two or three branches of security, plus dotted-line reports to well-placed employees in other branches. Which lines are dotted and which are solid can depend on the circumstances and priorities of each company, and on the expertise of the CSO.

Steve Hunt, a CPP-toting former Forrester Research analyst, goes so far as to say the leadership role is best handled by a committee, an idea he says is gaining traction particularly in Europe. Hunt says he has seen it work, though it’s worth noting that leadership by committee generally has a checkered history in the corporate world.

Having noted that convergence isn’t accomplished by remaking reporting relationships, Williams circles back to reemphasize that convergence is not the same as “having lunch once in a while.” Constellation Energy Group CIO Beth Perlman, who handed the reins of information security to ex-Marine John Petruzzi, sums it up: “If you don’t trust the person you’re giving the group to, forget it; it will never work.”

Another key leadership requirement, Williams adds, is the ability to articulate security and risk issues in the context of business activities and in the language of the corporate boardroom.

Today’s corporate security department is an evolution of what used to be referred to as physical security; over time, forward-thinking practitioners demonstrated the value of putting surveillance, fraud investigations, executive protection, and an assortment of other activities (each requiring different knowledge and skills) under a single umbrella.

http://www.csoonline.com/read/041505/intro_moment_3536.html


Experts urge wireless security integration

Posted on April 20, 2005 (updated December 30, 2021) by admini

IT managers should either integrate the new wireless piece into the overall company security policy, if one already exists, or take the opportunity to create a plan for the entire IT infrastructure, security experts urged Wednesday at the event, being held in Cambridge, Massachusetts.

Instead of considering wireless security in isolation, technology managers should think of defending their existing wired network against a new set of threats that emanate from the wireless world, said Craig Mathias, principal at advisory and systems integration company Farpoint Group, based in Ashland, Massachusetts.

It used to be the case that corporations weren’t embracing wireless technology because of security concerns. Now, however, the leading barrier to adoption is the perceived complexity of wireless security, according to Lisa Phifer, vice president of consulting firm Core Competence in Chester Springs, Pennsylvania. The situation is beginning to change, as vendors build more functionality into wireless LAN switches.

Mathias singled out Ann Arbor, Michigan-based Interlink Networks Inc.’s LucidLink, an enterprise-level wireless security application designed to be easily deployed by small business and home office users. Mathias stressed that wireless will likely form only a small piece of a company’s security policy, mostly in terms of specifying which mobile devices and intermediary networks for remote access meet desirable corporate security standards.

“We have a saying (here) that if you could just get rid of the end-users, you could have perfect security,” quipped Jim Burns, senior software developer at Portsmouth, New Hampshire-based network authentication software developer Meetinghouse.

http://www.infoworld.com/article/05/04/21/HNexpertsurge_1.html


Security Concerns for Migrations and Upgrades to Windows Active Directory

Posted on April 19, 2005 (updated December 30, 2021) by admini

You need to decide how you will get from where you are now, possibly a Windows NT domain(s), to Windows 2000 or Server 2003 Active Directory domain(s). The pressure and work that goes along with moving from one network operating system to another network operating system can be intense. You will be required to make many decisions during your journey.

Will you have Windows 2000 or Windows Server 2003 domain controllers?
Will you run some of each type of domain controller?
What client operating system will you run for the IT staff, executives, and other employees?
How many Active Directory domains will you end up with?
How many Active Directory forests will you end up with?
How will you get from your Windows NT domains to Windows Active Directory domains?
What tools will you use to get to your Windows Active Directory domains?
Are there any security concerns that you need to consider during your move to Windows Active Directory?

It is this last question that is the focus of this article. It discusses the primary options for going from Windows NT domains to Windows Active Directory domains, then takes each option in turn, focusing on the security considerations that you need to contemplate. When you are done reading this article, you should be able to pinpoint the key security considerations that you will face along your journey.

You have two primary options for moving from Windows NT domains to Windows 2000 or Server 2003 Active Directory domains: an in-place upgrade or a migration. A migration is more complex than an upgrade. With a migration, you will need to create your Active Directory domain(s) alongside your existing Windows NT domain(s), which will require that you purchase additional hardware and server licenses.

The overall concept of the migration is to gradually move objects (user, group, and computer accounts) from Windows NT to Windows Active Directory.

An upgrade is much simpler in all aspects. With an upgrade you work with the existing Windows NT domain and domain controllers. You take the Windows 2000 Server or Windows Server 2003 installation CD, place it in the Windows NT Primary Domain Controller, and follow the steps in the wizard; when the computer restarts, you have a Windows Active Directory domain. All of the objects that were once in the Windows NT domain are completely retained and are immediately available in the Windows Active Directory domain.

If you choose to perform a migration, you most likely are consolidating multiple Windows NT domains into a few (hopefully one) Windows Active Directory domains. It is the method that is available for moving accounts from multiple domains into just a few domains. However, as you perform your migration, you will have unique security concerns that you need to consider during the process.

Here are some of the most prominent security concerns that you will run into.
As you migrate user accounts from NT to Active Directory, you will end up with duplicate user accounts, with one in each domain. Most tools will allow you to control the state of both of the accounts after the migration. There might be times when you want the source user account to be active, and other times when the target user account should be active. Regardless of your decision, you need to be aware that there are two user accounts in two domains.

When you migrate a user account from NT to Active Directory, you need to consider how the new user account will continue to access resources that exist in the Windows NT domain. Active Directory handles this with a new account attribute, SIDHistory, which carries the account’s old Windows NT SID so that existing ACLs referencing that SID still grant access. Because that access does not appear in the new account’s group membership, SIDHistory entries should be reviewed and removed once the old domain is decommissioned. During a migration, the primary objects that you will migrate include user, group, and computer accounts, as well as trusts. However, the other configurations that you once had in Windows NT are not carried over to the Active Directory domain. This includes the account policy settings: password minimum age, maximum age, minimum length, and password complexity.
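The three concerns above (duplicate accounts enabled on both sides, SIDHistory entries that outlive the migration, and account policy that is not carried over) can each be checked after the fact. The following PowerShell is an added example, not code from the article or its author, and it uses the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), which did not exist in the Windows 2000/2003 era the article describes; at the time the same data would have been pulled with ADSI scripts or ldifde. The source domain name, its SID and the recorded NT account policy values are placeholders that a real run would supply.

```powershell
# Added example (not from the article): post-migration checks for the three
# concerns above. Requires the ActiveDirectory module and a domain-joined host.
# Assumptions: migrated accounts live in the current AD domain, the NT source
# domain is still reachable by NetBIOS name, and its domain SID and account
# policy were recorded before the migration. All defaults below are placeholders.
param(
    [string]$SourceDomain    = 'OLDNT',            # NetBIOS name of the NT source domain (assumed)
    [string]$SourceDomainSid = 'S-1-5-21-1-2-3',   # SID of the NT source domain (placeholder)
    [hashtable]$SourceAccountPolicy = @{           # values recorded from the NT domain (placeholders)
        MinPasswordLength = 8; MaxPasswordAge = '42.00:00:00'
        MinPasswordAge = '1.00:00:00'; ComplexityEnabled = $true
    }
)
Import-Module ActiveDirectory

# 1. Duplicate accounts: the same logon name enabled in both domains at once.
#    The NT side is read through the WinNT ADSI provider (SAM RPC, no LDAP needed).
$ADS_UF_ACCOUNTDISABLE = 0x2
$ntEnabled = ([ADSI]"WinNT://$SourceDomain").Children |
    Where-Object { $_.SchemaClassName -eq 'User' -and -not ($_.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE) } |
    ForEach-Object { "$($_.Name)" }
$bothEnabled = @(Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $ntEnabled -contains $_.SamAccountName })
"Enabled in both $SourceDomain and Active Directory: $($bothEnabled.Count)"
$bothEnabled | Select-Object SamAccountName, DistinguishedName

# 2. sIDHistory entries that point at the source domain. These grant access that
#    does not show up in group membership; list them so they can be removed once
#    the NT domain is retired.
$withHistory = @(Get-ADUser -Filter 'sIDHistory -like "*"' -Properties sIDHistory |
    Where-Object { @($_.sIDHistory | Where-Object { $_.Value -like "$SourceDomainSid-*" }).Count -gt 0 })
"Accounts carrying $SourceDomain SIDs in sIDHistory: $($withHistory.Count)"
$withHistory | Select-Object SamAccountName,
    @{ Name = 'sIDHistory'; Expression = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ';' } }

# 3. Account policy: NT settings are not carried over, so compare the AD default
#    domain password policy against the values recorded from the source domain.
$adPolicy = Get-ADDefaultDomainPasswordPolicy
foreach ($k in $SourceAccountPolicy.Keys) {
    $want = $SourceAccountPolicy[$k]
    $have = $adPolicy.$k
    if ("$have" -ne "$want") { "MISMATCH $k : NT=$want AD=$have" } else { "ok       $k = $have" }
}
```

Run it from a domain-joined administrative host as `.\Check-NtMigration.ps1 -SourceDomain OLDNT -SourceDomainSid <sid>` (script name assumed). The third check compares string forms so that the recorded TimeSpan and boolean values line up with what the cmdlet returns; tightening the AD policy beyond the NT values is of course fine, the point is to notice when it silently came back looser.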

Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security.

http://www.windowsecurity.com/articles/Security-Concerns-Migrations-Upgrades-Windows-Active-Directory.html


2005: The Year of Internal Security

Posted on April 19, 2005 (updated December 30, 2021) by admini

For too long now we’ve seen security threats have a negative impact on internal networks, and as a result, a harmful effect on employee and company productivity. And for far too long, enterprises of all sizes have neglected to focus enough resources and energy on securing these valuable internal network resources. And this year, the information technology industry will see this phenomenon further evolve as organizations begin to focus on securing their internal networks with the same vigor they have applied at the perimeter.

Internal security refers to a focused effort to secure resources on internal networks, or LANs. These resources can include applications, data, servers, and endpoint devices.

Meta Group has observed that “only 10-20 percent of organizations with relatively mature security programs have managed to address internal security to a meaningful extent.” Why is internal security finally becoming a priority?

First, there are business drivers prompting more focus on internal security. Around the globe, companies are being forced to comply with regulations that ensure the privacy of customer data and the security of intellectual property that resides on internal networks. These regulations drive an increased need for internal security.

Second, there is increased awareness about internal hacking. Organizations can no longer take a “don’t look, don’t tell” approach. Instead, many are now required to provide proof that they are continuously looking for internal hackers. How large has the internal hacking threat become? The CSI/FBI Computer Crime and Security Survey showed that 66 percent of organizations suffered an insider attack in 2003.

At the same time, the financial impact of worms and other new types of destructive threats has increased and become more visible in the industry. Having the ability to protect against and contain worms is perhaps the No. 1 problem driving the investment in internal security solutions. It is estimated that the Slammer worm alone resulted in more than $1 billion in damage, for example.

Furthermore, as security vulnerabilities in software have become more proactively communicated by Microsoft (Nasdaq: MSFT) and other sources, the timeline from vulnerability to exploit is shrinking. The time to patch the announced security holes remains ever-present — and just takes too long. So companies are searching for ways to protect their LAN resources during this period of susceptibility – until the holes can be filled with properly patched software.

Lastly, IT organizations have realized that endpoint devices, whether a personal computer, PDA or other device, must be as secure on LANs as they are when connecting from outside the perimeter (such as over a VPN connection). Once these endpoints are secure internally as well as externally, they will no longer inadvertently introduce malicious code and other security threats.

Companies of all sizes are beginning to shift their attention to the topic of internal security. They are starting to initiate change in how they protect resources on the LAN, and in turn, protect their employees’ productivity.

2005 is the year of internal security.

A combination of business and technology drivers is triggering this revolution, including worm outbreaks, privacy regulations, reduced windows of time to react and a multitude of new types of threats. There are simple steps organizations can take to get started on protecting their internal network resources. Organizations that make these moves in 2005 will reap the benefits of more secure and stable LANs, and in turn, a more productive workforce.

http://www.technewsworld.com/rsstory/42227.html


© 2025 CyberSecurity Institute