Category: Uncategorized

Speaking at the Wireless/RFID Conference and Exhibition in Washington, D.C., Kwon said the most secure layered approached would use the latest wireless grid technologies in combination with wireless intrusion-detection systems.

Because of the insecurities inherent in wireless technologies, a lot of fear exists, said Capt. “We’re a rather risk-averse bunch,” she said.

But attitudes toward wireless networks are changing as Defense Department officials learn more about managing risk with new technologies, she added. Few agencies, he said, are using layered security or “defense in depth” correctly when deploying wireless technologies. And on the policy side, he said, agencies need to ask who has the authority to accept risk for the organization when people begin using such technologies.

Wireless expert Bill Neugent, chief engineer for cybersecurity at Mitre, a nonprofit engineering organization, said that the proliferation of wireless technologies such as radio frequency identification chips and nanoscale “smart dust” will cause both privacy losses and productivity gains.

According to other wireless experts who offered tips on security technologies and policies, open-source products are the most popular for auditing the security of wireless networks. For the most part, wireless networks become open to attack because administrators fail to properly configure wireless access points with password protection, use no encryption, have no virtual private network protection, and do not disable the infrared ports and peer-to-peer features of their wireless networks, Kwon said.

http://www.usatoday.com/tech/news/computersecurity/infotheft/2005-03-02-security-layers_x.htm

Enterprise PCs, once nestled behind perimeter security devices, are the new security frontier for 2005. Roving laptops may return to the corporate mother ship with malware that propagates itself throughout the soft chewy inside of the enterprise network. Even stationary desktops can fall victim to rogue programs that exploit OS and application vulnerabilities or are downloaded by end users.

While desktop anti-virus software has become the de facto security standard on enterprise PCs, it’s clear that anti-virus alone can’t protect these assets. For instance, spyware programs that track user surfing habits often aren’t covered in anti-virus signature libraries and usually get passed over during search-and-destroy scans.

And when it comes to zero-day attacks, all signature-based solutions are helpless until malware researchers can identify and distribute patterns to detect the new exploits. At the top of the list is anti-spyware technology, which aims to detect and remove keystroke loggers and Trojans, as well as the annoying adware programs that violate privacy and affect PC performance.

Lastly, vendors are putting together integrated suites that start with a personal firewall, then add multiple security features into a single product to simplify desktop security management.

All three categories offer stronger protection for enterprise PCs than anti-virus solutions can alone, but savvy network architects know that every silver lining carries a dark cloud.

Hosted Intrusion Protection Systems (HIPs) are notoriously finicky and require careful tweaking and tuning to ensure that harmless applications are allowed to run unhindered.

In a recent reader poll conducted by Network Magazine, 93 percent of respondents said spyware was a serious problem, even though nearly 100 percent had anti-virus software installed. In fact, a crop of upstarts, abetted by incumbent anti-virus vendors’ slow response to the spyware problem, carved out market share by protecting consumers and corporations from this new breed of intrusive software.

“There’s a liability issue with spyware,” says Bob Hansmann, product marketing manager at Trend Micro. Spyware researchers at Trend Labs have to coordinate with Trend Micro’s legal department before including software in a detection database.

Finally, spyware (and adware in particular) is often more difficult to remove than viruses. Sygate licenses detection and removal technology from Lavasoft, which makes the popular Ad-Aware detection and removal software, to power the spyware engine in its Sygate Secure Enterprise suite.

Because a HIPS can block both known and unknown exploits, administrators can test and deploy software fixes during regular maintenance windows instead of during emergencies. The dominant technology for HIPSs is behavioral analysis, which uses various methods to examine the kinds of actions taken by a program or application. Actions that appear malicious, such as attempting a buffer overflow or opening a network connection, will trigger the HIPS agent.

While eEye wants to differentiate Blink from its system call brethren, version 2.0 of the product hedges its bets by also including a buffer overflow protection module similar to those found on Entercept and other system call interceptors.

HIPSs also aren’t a replacement for anti-virus and anti-spy software. They won’t catch macro viruses, file infectors, boot sector viruses, and e-mail worms because these classes of malware tend to operate inside known good applications. Also, HIPSs can’t prevent malware from being loaded onto a machine; they have to wait until a program executes before they can check for malicious behavior.

And while HIPSs can catch keystroke loggers, Trojans, and other malware that gets lumped into the spyware category, they have difficulty identifying user-tracking adware.

Lastly, HIPSs don’t remove any of the malware they detect.

One of the problems with PC security solutions is that they multiply the administrators’ management burdens. Every security agent that sits on a machine requires policy, signature, and software updates, not to mention the licenses that need to be tracked. And of course, it goes without saying that deploying multiple solutions can be prohibitively expensive.

In short, agent-based cures can almost be as much trouble as the disease.

2005 saw an explosion of new products that combine multiple functions into a single package, including anti-virus, firewall, HIPS, and anti-spyware features.

Andre Gold, director of information security at Continental Airlines, was looking into eEye’s Blink 1.6 to run on a limited number of workstations. But after learning that version 2.0 was going to include a new anti-spyware capability, he decided to roll it out across 20,000 devices, including customer-facing kiosks, reservation servers, and corporate desktops and laptops.

A popular combination includes anti-virus software to detect viruses and other malware and a personal firewall to control which ports the computer can use for network communication. If an unknown application starts, the security agent can alert an administrator or simply prevent the application from running. However, administrators would be wise to quiz vendors carefully regarding bundled solutions. For instance, many of the products listed in the table have anti-spyware capabilities, but you have to dig deeper to find out just what that means. Check Point’s Integrity 6.0, for example, can detect and quarantine some spyware (that is, prevent the spyware program from operating), but it can’t actually clean the files off your machines–you’ll need another product to do that.

eEye’s Blink 2.0 includes host vulnerability assessment, so you can scan each of your hosts for problems that may lead to security exploits. However, to aggregate scan results and remediate the vulnerabilities you discover, you’ll need eEye’s REM management console.

Despite the maturity issue, anti-spyware and HIPSs can still be deployed in the enterprise, especially on PCs that face significant risks, such as laptops that spend significant time outside the corporate network. Any software that tinkers with registries, excises executables, or generally deletes files runs the risk of damaging computers.

http://www.networkingpipeline.com/shared/article/printablePipelineArticle.jhtml;jsessionid=DNUAIIN4HSGH2QSNDBCCKH0CJUMEKJVN?articleId=60403206

Enterprise PCs, once nestled behind perimeter security devices, are the new security frontier for 2005. Roving laptops may return to the corporate mother ship with malware that propagates itself throughout the soft chewy inside of the enterprise network. Even stationary desktops can fall victim to rogue programs that exploit OS and application vulnerabilities or are downloaded by end users. For instance, spyware programs that track user surfing habits often aren’t covered in anti-virus signature libraries and usually get passed over during search-and-destroy scans.

And when it comes to zero-day attacks, all signature-based solutions are helpless until malware researchers can identify and distribute patterns to detect the new exploits.
2005 may also be the year that Host-based Intrusion Prevention Systems (HIPSs) lay claim to a significant chunk of real estate on enterprise desktops.

At the top of the list is anti-spyware technology, which aims to detect and remove keystroke loggers and Trojans, as well as the annoying adware programs that violate privacy and affect PC performance. HIPSs are notoriously finicky and require careful tweaking and tuning to ensure that harmless applications are allowed to run unhindered.

Lastly, vendors are putting together integrated suites that start with a personal firewall, then add multiple security features into a single product to simplify desktop security management.

All three categories offer stronger protection for enterprise PCs than anti-virus solutions can alone, but savvy network architects know that every silver lining carries a dark cloud.

In a recent reader poll conducted by Network Magazine, 93 percent of respondents said spyware was a serious problem, even though nearly 100 percent had anti-virus software installed. In fact, a crop of upstarts, abetted by incumbent anti-virus vendors’ slow response to the spyware problem, carved out market share by protecting consumers and corporations from this new breed of intrusive software. “There’s a liability issue with spyware,” says Bob Hansmann, product marketing manager at Trend Micro. Spyware researchers at Trend Labs have to coordinate with Trend Micro’s legal department before including software in a detection database. Finally, spyware (and adware in particular) is often more difficult to remove than viruses.

Sygate licenses detection and removal technology from Lavasoft, which makes the popular Ad-Aware detection and removal software, to power the spyware engine in its Sygate Secure Enterprise suite.

Microsoft AntiSpyware, is being offered as a free beta to consumers, but has been hardcoded to expire at the end of July.

Because a HIPS can block both known and unknown exploits, administrators can test and deploy software fixes during regular maintenance windows instead of during emergencies. The dominant technology for HIPSs is behavioral analysis, which uses various methods to examine the kinds of actions taken by a program or application. Actions that appear malicious, such as attempting a buffer overflow or opening a network connection, will trigger the HIPS agent.

While eEye wants to differentiate Blink from its system call brethren, version 2.0 of the product hedges its bets by also including a buffer overflow protection module similar to those found on Entercept and other system call interceptors.

HIPSs also aren’t a replacement for anti-virus and anti-spy software. They won’t catch macro viruses, file infectors, boot sector viruses, and e-mail worms because these classes of malware tend to operate inside known good applications. Also, HIPSs can’t prevent malware from being loaded onto a machine; they have to wait until a program executes before they can check for malicious behavior. And while HIPSs can catch keystroke loggers, Trojans, and other malware that gets lumped into the spyware category, they have difficulty identifying user-tracking adware. Lastly, HIPSs don’t remove any of the malware they detect.

One of the problems with PC security solutions is that they multiply the administrators’ management burdens. Every security agent that sits on a machine requires policy, signature, and software updates, not to mention the licenses that need to be tracked. And of course, it goes without saying that deploying multiple solutions can be prohibitively expensive. In short, agent-based cures can almost be as much trouble as the disease.

2005 saw an explosion of new products that combine multiple functions into a single package, including anti-virus, firewall, HIPS, and anti-spyware features.

Andre Gold, director of information security at Continental Airlines, was looking into eEye’s Blink 1.6 to run on a limited number of workstations. But after learning that version 2.0 was going to include a new anti-spyware capability, he decided to roll it out across 20,000 devices, including customer-facing kiosks, reservation servers, and corporate desktops and laptops.

A popular combination includes anti-virus software to detect viruses and other malware and a personal firewall to control which ports the computer can use for network communication. Subsequently, if an unknown application starts, the security agent can alert an administrator or simply prevent the application from running.

However, administrators would be wise to quiz vendors carefully regarding bundled solutions. For instance, many of the products listed in the table have anti-spyware capabilities, but you have to dig deeper to find out just what that means.

Check Point’s Integrity 6.0, for example, can detect and quarantine some spyware (that is, prevent the spyware program from operating), but it can’t actually clean the files off your machines–you’ll need another product to do that.

eEye’s Blink 2.0 includes host vulnerability assessment, so you can scan each of your hosts for problems that may lead to security exploits. However, to aggregate scan results and remediate the vulnerabilities you discover, you’ll need eEye’s REM management console.

Despite the maturity issue, anti-spyware and HIPSs can still be deployed in the enterprise, especially on PCs that face significant risks, such as laptops that spend significant time outside the corporate network. Any software that tinkers with registries, excises executables, or generally deletes files runs the risk of damaging computers.

http://www.securitypipeline.com/showArticle.jhtml?articleId=60404895

You fail to take into account that threats will move where you are weakest, and not where you have strengthened your defenses. You don’t have to be the most secure, you simply have to be secure enough to either effectively block reasonable threats or convince attackers to attack someone else.

Mistake One: No Security Goal
If you don’t know where you are going it is reasonably certain you won’t get there. You should go beyond simple data security or physical plant security and include the security of traveling executives, branch offices, home offices, and key partners.

Mistake Two: No Risk/Security Assessment
The first step (after assuring you have good people), is to understand where you need to go. To do this, you typically need a security expert to come in and provide you with an assessment of just how exposed you are. You need to set the goal first, because the security expert needs something to set context, otherwise the assessment will showcase exposures that you don’t need to correct and miss exposures that could be relatively important to address. By using someone that is independent of your company and your provisioning security vendor, you help insure that they are focused on your company’s needs and not their own.
This is not a one-time event either, threats are rapidly changing and you will need to change your security plan to address these changes. In his view you should do this annually; this allows the assessment entity to remain up to date on your firm and gives you a relatively current assessment to use as a baseline to help determine needs when looking at changes or purchases addressing your security needs.

Mistake Three: No Plan
You often see failure to plan at national borders; they will spend a lot of money securing the border-crossing. while people continue to cross the border illegally, out of sight of the border station. This is the same as security the front door and datacenter but allowing rouge wireless access points in the company, which can bypass this physical and electronic security.

Mistake Four: Linux/Firefox
Actually, the mistake here is not implementing Linux and Firefox, but rather leading with the product and not leading with the plan. Products come last. You may, in fact, decide to move platforms, but that decision should come as a result of the plan and not despite or without it.

In the end, your company has layers of security around it, much like a home surrounded by fences, with locked doors and windows, and with a panic room inside (a secure room with hardened walls you can lock yourself into if someone breaks into your home). The nature of the exposures you face, your resources. including the skill sets of your people, and your access needs define the nature of the security solution you provide.

http://www.networkingpipeline.com/60403185

The IT trade organisation said that human error is the primary cause of IT security breaches, and in many instances security breaches can be traced back to poor password security.

CompTIA warned that people should use multiple passwords, because if one is compromised or stolen they could become the victim of identity theft or financial loss. And if the lost password is the same one used at work, the organisation warned that “the consequences for your employer could be disastrous”.

“As we have incorporated computer use into more and more of our lives at home and at work, the number of passwords we use has grown exponentially,” said John Venator, president and chief executive at CompTIA.

The organisation recommends that users maintain four passwords. The first should be easy to remember for use on general websites. The same password can be used in many low-risk places because the consequences are minimal if the password is compromised.

The second password should be more complex, with a mix of numbers and letters, for e-commerce websites. But if this password is compromised, CompTIA warned, there may be financial implications, such as credit card theft.

Thirdly a “very complex” password is required for banking websites. This password should contain lower case letters, uppercase letters, numbers and punctuation marks, or at least three of these four categories. If this password is compromised, identity theft is possible.

Finally a separate password should be used only at work, which should not resemble any of the passwords used for home and personal computing. All passwords except the easy website password should be changed at least every 90 days, the trade body advised.

http://www.vnunet.com/news/1161436

In a new book, “Business Under Fire: How Israeli Companies are Succeeding in the Face of Terror—and What We Can Learn from Them,” author Dan Carrison interviewed consultant Danny Halpern, who said, “In Israel, I believe we invest more in the quality of our security people and less in the mechanics.

In America, because of the huge numbers, the investment is in the mechanics—the system—and then they hire minimum wage security staff.” This focus on mechanics has brought us the turf wars between the CIA and FBI, elderly women being forced to remove their shoes at airports and other counterterrorism security nonsense. Similar nonsense—the result of merely going through the motions of physical security—exists in information security.

Security guru Marcus Ranum made this observation to me about poorly configured firewalls and noted that “eventually, if enough data is going back and forth through your firewall, it is no longer a firewall, it’s a router! Deploying security products without first performing such an assessment is like taking medication without knowing what disease you have. Effective risk assessment and analysis ensure that your organization is dealing with real threats. The fact is, the most dangerous threats come from inside, contrary to the widespread perception that they come from the outside.

Hundreds of millions of dollars were wasted on PKI systems because organizations deployed them without understanding what their problem was or what a PKI system could do to solve it.

Too often, organizations go through the mechanics of purchasing and deploying security software and hardware items without knowing why.

http://www.eweek.com/article2/0,1759,1765060,00.asp