Category: Uncategorized

If that weren’t bad enough, many “so called” security experts propagated these myths through speaking engagements and publications and many continue to this day. Many wireless LAN equipment makers continue to recommend many of these schemes to this day. One would think that the fact that none of these schemes made it in to the official IEEE 802.11i security standard would give a clue to their effectiveness, but time and time again that theory is proven wrong. To help you avoid the these schemes, the writer has created the following list of the six dumbest ways to secure your wireless LAN.

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person’s name tag and compares it to his list of names and determines whether to open the door or not. All someone needs to do is watch an authorized person go in and forge a name tag with that person’s name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as “SSID hiding”. You’re only hiding SSID beckoning on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, you re talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you ve achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also makes wireless LANs less user friendly. You don t need to take my word for it. Just ask Robert Moskowitz who is the Senior Technical Director of ICSA Labs in his white paper Debunking the myth of SSID hiding.

LEAP authentication: The use of Cisco LEAP authentication continues to be the single biggest mistake that corporations make with their wireless LAN because they leave themselves wide open to attack. Cisco still tells their customers that LEAP is fine so long as strong passwords are used. The problem is that strong passwords are an impossibility for humans to deal with. If you doubt this, try a password audit of all the users in your organization and see how long it takes to crack 99% of all passwords. 99% of organizations will flunk any password audit for most of their users within hours. Since Joshua Wright released a tool that can crack LEAP with lighting speed, Cisco was forced to come out with a better alternative to LEAP and they came up with an upgrade to LEAP called EAP-FAST.

Disable DHCP: This is much more of waste of time than it is a security break. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address.

Antenna placement: I’ve heard the craziest thing from so called security experts that actually tell people to only put their Access Points in the center of their building and put them at minimal power.

Just use 802.11a or Bluetooth: Fortunately, I haven’t heard this one for a while.

In light of recent developments within the last 6 months, it takes only a few minutes to break a WEP based network which makes WEP completely ineffective and a good potential future candidate for the wireless LAN security hall of shame. Where it currently fails to be in the hall of shame is that it still holds up for a few minutes, requires a little skill to launch the packet injection attacks, and isn’t propagated as an urban legend for a secure wireless LAN.

This blog wasn’t just meant to be funny, it’s serious business that so many organizations waste their time and money on worthless security schemes that give them a dangerous false sense of security.

http://blogs.zdnet.com/Ou/index.php?p=43

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to purchasing justifications that companies use like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able corner the Valentine’s Day market in North America.”

This article will help guide Computerworld readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their information security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers. Information security works on a cycle of threat, reaction and acquisition.

It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share. With measurable improvement, we’ll be able to prove the business value of spending on security.

– Is your digital asset protection spending driven by regulation?

– Are Gartner white papers a key input for purchasing decisions?

– Does the information security group work without security win/loss scores?

– Does your chief security officer meet three to five vendors each day?

– Is your purchasing cycle for a new product longer than six months?

– Is your team short on head count, and not implementing new technologies?

– Has the chief technology officer never personally sold or installed any of the company’s products?

Start by implementing a consistent set of activities, for example, standardizing on diskless thin clients, remote desktops and Windows Terminal services. Segment the network into virtual LANs, put the application servers on one segment, the data servers on another and client workstations on departmental segments and so forth.

For instance, if you want to evaluate cash flow, then measure cash flow from operations or free cash flow (FCF), which is cash from operations minus capital expenditures. FCF omits the cost of debt, but it is an objective indicator that can be measured every day.

http://www.computerworld.com/securitytopics/security/story/0,10801,100413,00.html

Speaking at the Wireless/RFID Conference and Exhibition in Washington, D.C., Kwon said the most secure layered approached would use the latest wireless grid technologies in combination with wireless intrusion-detection systems.

Because of the insecurities inherent in wireless technologies, a lot of fear exists, said Capt. “We’re a rather risk-averse bunch,” she said.

But attitudes toward wireless networks are changing as Defense Department officials learn more about managing risk with new technologies, she added. Few agencies, he said, are using layered security or “defense in depth” correctly when deploying wireless technologies. And on the policy side, he said, agencies need to ask who has the authority to accept risk for the organization when people begin using such technologies.

Wireless expert Bill Neugent, chief engineer for cybersecurity at Mitre, a nonprofit engineering organization, said that the proliferation of wireless technologies such as radio frequency identification chips and nanoscale “smart dust” will cause both privacy losses and productivity gains.

According to other wireless experts who offered tips on security technologies and policies, open-source products are the most popular for auditing the security of wireless networks. For the most part, wireless networks become open to attack because administrators fail to properly configure wireless access points with password protection, use no encryption, have no virtual private network protection, and do not disable the infrared ports and peer-to-peer features of their wireless networks, Kwon said.

http://www.usatoday.com/tech/news/computersecurity/infotheft/2005-03-02-security-layers_x.htm

Enterprise PCs, once nestled behind perimeter security devices, are the new security frontier for 2005. Roving laptops may return to the corporate mother ship with malware that propagates itself throughout the soft chewy inside of the enterprise network. Even stationary desktops can fall victim to rogue programs that exploit OS and application vulnerabilities or are downloaded by end users.

While desktop anti-virus software has become the de facto security standard on enterprise PCs, it’s clear that anti-virus alone can’t protect these assets. For instance, spyware programs that track user surfing habits often aren’t covered in anti-virus signature libraries and usually get passed over during search-and-destroy scans.

And when it comes to zero-day attacks, all signature-based solutions are helpless until malware researchers can identify and distribute patterns to detect the new exploits. At the top of the list is anti-spyware technology, which aims to detect and remove keystroke loggers and Trojans, as well as the annoying adware programs that violate privacy and affect PC performance.

Lastly, vendors are putting together integrated suites that start with a personal firewall, then add multiple security features into a single product to simplify desktop security management.

All three categories offer stronger protection for enterprise PCs than anti-virus solutions can alone, but savvy network architects know that every silver lining carries a dark cloud.

Hosted Intrusion Protection Systems (HIPs) are notoriously finicky and require careful tweaking and tuning to ensure that harmless applications are allowed to run unhindered.

In a recent reader poll conducted by Network Magazine, 93 percent of respondents said spyware was a serious problem, even though nearly 100 percent had anti-virus software installed. In fact, a crop of upstarts, abetted by incumbent anti-virus vendors’ slow response to the spyware problem, carved out market share by protecting consumers and corporations from this new breed of intrusive software.

“There’s a liability issue with spyware,” says Bob Hansmann, product marketing manager at Trend Micro. Spyware researchers at Trend Labs have to coordinate with Trend Micro’s legal department before including software in a detection database.

Finally, spyware (and adware in particular) is often more difficult to remove than viruses. Sygate licenses detection and removal technology from Lavasoft, which makes the popular Ad-Aware detection and removal software, to power the spyware engine in its Sygate Secure Enterprise suite.

Because a HIPS can block both known and unknown exploits, administrators can test and deploy software fixes during regular maintenance windows instead of during emergencies. The dominant technology for HIPSs is behavioral analysis, which uses various methods to examine the kinds of actions taken by a program or application. Actions that appear malicious, such as attempting a buffer overflow or opening a network connection, will trigger the HIPS agent.

While eEye wants to differentiate Blink from its system call brethren, version 2.0 of the product hedges its bets by also including a buffer overflow protection module similar to those found on Entercept and other system call interceptors.

HIPSs also aren’t a replacement for anti-virus and anti-spy software. They won’t catch macro viruses, file infectors, boot sector viruses, and e-mail worms because these classes of malware tend to operate inside known good applications. Also, HIPSs can’t prevent malware from being loaded onto a machine; they have to wait until a program executes before they can check for malicious behavior.

And while HIPSs can catch keystroke loggers, Trojans, and other malware that gets lumped into the spyware category, they have difficulty identifying user-tracking adware.

Lastly, HIPSs don’t remove any of the malware they detect.

One of the problems with PC security solutions is that they multiply the administrators’ management burdens. Every security agent that sits on a machine requires policy, signature, and software updates, not to mention the licenses that need to be tracked. And of course, it goes without saying that deploying multiple solutions can be prohibitively expensive.

In short, agent-based cures can almost be as much trouble as the disease.

2005 saw an explosion of new products that combine multiple functions into a single package, including anti-virus, firewall, HIPS, and anti-spyware features.

Andre Gold, director of information security at Continental Airlines, was looking into eEye’s Blink 1.6 to run on a limited number of workstations. But after learning that version 2.0 was going to include a new anti-spyware capability, he decided to roll it out across 20,000 devices, including customer-facing kiosks, reservation servers, and corporate desktops and laptops.

A popular combination includes anti-virus software to detect viruses and other malware and a personal firewall to control which ports the computer can use for network communication. If an unknown application starts, the security agent can alert an administrator or simply prevent the application from running. However, administrators would be wise to quiz vendors carefully regarding bundled solutions. For instance, many of the products listed in the table have anti-spyware capabilities, but you have to dig deeper to find out just what that means. Check Point’s Integrity 6.0, for example, can detect and quarantine some spyware (that is, prevent the spyware program from operating), but it can’t actually clean the files off your machines–you’ll need another product to do that.

eEye’s Blink 2.0 includes host vulnerability assessment, so you can scan each of your hosts for problems that may lead to security exploits. However, to aggregate scan results and remediate the vulnerabilities you discover, you’ll need eEye’s REM management console.

Despite the maturity issue, anti-spyware and HIPSs can still be deployed in the enterprise, especially on PCs that face significant risks, such as laptops that spend significant time outside the corporate network. Any software that tinkers with registries, excises executables, or generally deletes files runs the risk of damaging computers.

http://www.networkingpipeline.com/shared/article/printablePipelineArticle.jhtml;jsessionid=DNUAIIN4HSGH2QSNDBCCKH0CJUMEKJVN?articleId=60403206

Enterprise PCs, once nestled behind perimeter security devices, are the new security frontier for 2005. Roving laptops may return to the corporate mother ship with malware that propagates itself throughout the soft chewy inside of the enterprise network. Even stationary desktops can fall victim to rogue programs that exploit OS and application vulnerabilities or are downloaded by end users. For instance, spyware programs that track user surfing habits often aren’t covered in anti-virus signature libraries and usually get passed over during search-and-destroy scans.

And when it comes to zero-day attacks, all signature-based solutions are helpless until malware researchers can identify and distribute patterns to detect the new exploits.
2005 may also be the year that Host-based Intrusion Prevention Systems (HIPSs) lay claim to a significant chunk of real estate on enterprise desktops.

At the top of the list is anti-spyware technology, which aims to detect and remove keystroke loggers and Trojans, as well as the annoying adware programs that violate privacy and affect PC performance. HIPSs are notoriously finicky and require careful tweaking and tuning to ensure that harmless applications are allowed to run unhindered.

Lastly, vendors are putting together integrated suites that start with a personal firewall, then add multiple security features into a single product to simplify desktop security management.

All three categories offer stronger protection for enterprise PCs than anti-virus solutions can alone, but savvy network architects know that every silver lining carries a dark cloud.

In a recent reader poll conducted by Network Magazine, 93 percent of respondents said spyware was a serious problem, even though nearly 100 percent had anti-virus software installed. In fact, a crop of upstarts, abetted by incumbent anti-virus vendors’ slow response to the spyware problem, carved out market share by protecting consumers and corporations from this new breed of intrusive software. “There’s a liability issue with spyware,” says Bob Hansmann, product marketing manager at Trend Micro. Spyware researchers at Trend Labs have to coordinate with Trend Micro’s legal department before including software in a detection database. Finally, spyware (and adware in particular) is often more difficult to remove than viruses.

Sygate licenses detection and removal technology from Lavasoft, which makes the popular Ad-Aware detection and removal software, to power the spyware engine in its Sygate Secure Enterprise suite.

Microsoft AntiSpyware, is being offered as a free beta to consumers, but has been hardcoded to expire at the end of July.

Because a HIPS can block both known and unknown exploits, administrators can test and deploy software fixes during regular maintenance windows instead of during emergencies. The dominant technology for HIPSs is behavioral analysis, which uses various methods to examine the kinds of actions taken by a program or application. Actions that appear malicious, such as attempting a buffer overflow or opening a network connection, will trigger the HIPS agent.

While eEye wants to differentiate Blink from its system call brethren, version 2.0 of the product hedges its bets by also including a buffer overflow protection module similar to those found on Entercept and other system call interceptors.

HIPSs also aren’t a replacement for anti-virus and anti-spy software. They won’t catch macro viruses, file infectors, boot sector viruses, and e-mail worms because these classes of malware tend to operate inside known good applications. Also, HIPSs can’t prevent malware from being loaded onto a machine; they have to wait until a program executes before they can check for malicious behavior. And while HIPSs can catch keystroke loggers, Trojans, and other malware that gets lumped into the spyware category, they have difficulty identifying user-tracking adware. Lastly, HIPSs don’t remove any of the malware they detect.

One of the problems with PC security solutions is that they multiply the administrators’ management burdens. Every security agent that sits on a machine requires policy, signature, and software updates, not to mention the licenses that need to be tracked. And of course, it goes without saying that deploying multiple solutions can be prohibitively expensive. In short, agent-based cures can almost be as much trouble as the disease.

2005 saw an explosion of new products that combine multiple functions into a single package, including anti-virus, firewall, HIPS, and anti-spyware features.

Andre Gold, director of information security at Continental Airlines, was looking into eEye’s Blink 1.6 to run on a limited number of workstations. But after learning that version 2.0 was going to include a new anti-spyware capability, he decided to roll it out across 20,000 devices, including customer-facing kiosks, reservation servers, and corporate desktops and laptops.

A popular combination includes anti-virus software to detect viruses and other malware and a personal firewall to control which ports the computer can use for network communication. Subsequently, if an unknown application starts, the security agent can alert an administrator or simply prevent the application from running.

However, administrators would be wise to quiz vendors carefully regarding bundled solutions. For instance, many of the products listed in the table have anti-spyware capabilities, but you have to dig deeper to find out just what that means.

Check Point’s Integrity 6.0, for example, can detect and quarantine some spyware (that is, prevent the spyware program from operating), but it can’t actually clean the files off your machines–you’ll need another product to do that.

eEye’s Blink 2.0 includes host vulnerability assessment, so you can scan each of your hosts for problems that may lead to security exploits. However, to aggregate scan results and remediate the vulnerabilities you discover, you’ll need eEye’s REM management console.

Despite the maturity issue, anti-spyware and HIPSs can still be deployed in the enterprise, especially on PCs that face significant risks, such as laptops that spend significant time outside the corporate network. Any software that tinkers with registries, excises executables, or generally deletes files runs the risk of damaging computers.

http://www.securitypipeline.com/showArticle.jhtml?articleId=60404895

You fail to take into account that threats will move where you are weakest, and not where you have strengthened your defenses. You don’t have to be the most secure, you simply have to be secure enough to either effectively block reasonable threats or convince attackers to attack someone else.

Mistake One: No Security Goal
If you don’t know where you are going it is reasonably certain you won’t get there. You should go beyond simple data security or physical plant security and include the security of traveling executives, branch offices, home offices, and key partners.

Mistake Two: No Risk/Security Assessment
The first step (after assuring you have good people), is to understand where you need to go. To do this, you typically need a security expert to come in and provide you with an assessment of just how exposed you are. You need to set the goal first, because the security expert needs something to set context, otherwise the assessment will showcase exposures that you don’t need to correct and miss exposures that could be relatively important to address. By using someone that is independent of your company and your provisioning security vendor, you help insure that they are focused on your company’s needs and not their own.
This is not a one-time event either, threats are rapidly changing and you will need to change your security plan to address these changes. In his view you should do this annually; this allows the assessment entity to remain up to date on your firm and gives you a relatively current assessment to use as a baseline to help determine needs when looking at changes or purchases addressing your security needs.

Mistake Three: No Plan
You often see failure to plan at national borders; they will spend a lot of money securing the border-crossing. while people continue to cross the border illegally, out of sight of the border station. This is the same as security the front door and datacenter but allowing rouge wireless access points in the company, which can bypass this physical and electronic security.

Mistake Four: Linux/Firefox
Actually, the mistake here is not implementing Linux and Firefox, but rather leading with the product and not leading with the plan. Products come last. You may, in fact, decide to move platforms, but that decision should come as a result of the plan and not despite or without it.

In the end, your company has layers of security around it, much like a home surrounded by fences, with locked doors and windows, and with a panic room inside (a secure room with hardened walls you can lock yourself into if someone breaks into your home). The nature of the exposures you face, your resources. including the skill sets of your people, and your access needs define the nature of the security solution you provide.

http://www.networkingpipeline.com/60403185