CyberSecurity Institute

Security News Curated from across the world

Category: Uncategorized

Survivor’s Guide to 2005: Security

Posted on December 17, 2004 (updated December 30, 2021) by admini

Intrusion detection systems–the primary source of warnings that attacks are under way–are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.

The mission of IDS is changing, however. Many IDS vendors are improving their products so that the IDS doesn’t simply give you the details on an event that has occurred. Instead, the system will help prevent intrusions from happening in the first place.

Even within the reporting realm, IDS is becoming more active as anomaly detection, vulnerability assessment and forensics come under the broad label of IDS’s reportable events. The growing number of attacks and attack types makes it more important for the IDS to correlate with logs and reports from other network-security components for context and ease of interpretation.

Schemes such as Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) have, among many other capabilities, IDS and firewalls sharing some of the features of an IPS (intrusion prevention system), with the IDS feeding control information to a central authority, which then gives instruction to the firewall for connection reset and address blocking.

Last year, the verdict on IPSs was “don’t believe the hype.” As a piece of a multilayer security approach, an IPS can join the IDS, enterprise firewall, desktop firewall and application firewall to protect your key network assets.

For some, the blocking of even one piece of legitimate traffic is unacceptable.

As an incremental tool that can help cut down on the volume of attack traffic, intrusion prevention from vendors including Check Point Software, Internet Security Systems, Lucid Security, Radware and Tipping Point should be seriously explored in 2005.

The various governmental regulations, including HIPAA and GLB, make it business-critical for a company to protect customer and patient data from any theft or intrusions, and make it just as important that the company demonstrate that the protection is in place and effective.

Outside the conventional perimeter, software firewalls installed on mobile clients help move protection outside the bricks and mortar of the corporate boundaries, to slow the spread of malware that can gain entry in a Starbucks, traverse a VPN and run loose in the network core.

The intelligent integration of security functions, controlled by software that enforces intelligent policies, will be one of the great migrations of the year. Ask any vendor claiming to have an enterprise policy framework how many companies have partnered with them to let their products be queried and/or controlled by the central management console. The partnership issue should be more readily resolved by the industry giants that have introduced their own policy and access-control systems.

Both Cisco Systems with its NAC and Microsoft with NAP are building network-control frameworks on the basis of technology and products that are in the field, though neither company expects to have production deployments before the middle of the year.

At the same time, agencies and organizations have begun the work of building standards: the National Institute of Standards and Technology published ANSI INCITS 359-2004 (for role-based access control) in February 2004, and other organizations have committees beginning to look at the requirements for standards.

Although, in some ways, authentication is the boring brother-in-law of the security world, there is room for excitement as the world moves closer to the promised nirvana of single sign-on.

To comply with regulations, data must be protected from external threats and even successful intrusions cannot result in the release of protected data. Therefore, IDS and IPS must look at traffic flowing in both directions in order to defend the database and its supporting applications from giving up critical data.

Data storage devices that can take data away are also a significant concern. “Thumb drives,” small USB storage devices, have replaced floppy disks as the portable storage medium of choice for mobile professionals carrying presentations, software updates or small applications from office to office.

Instead of network security, more professionals are becoming involved in data assurance, network assurance or even business assurance, helping to protect the information against network intrusion, physical disaster or device theft.

http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml;jsessionid=SLLOOGDEM1DNQQSNDBGCKH0CJUMEKJVN?articleId=55800918


Show Time for Security

Posted on December 7, 2004 (updated December 30, 2021) by admini

“There is an element of appearances to security, and I don’t mean this in an unfavorable way,” says the famously unflappable de Becker, who has guarded his image as closely as the Hollywood stars he is hired to protect. “Precautions that are expected to deter often draw some of their effectiveness from appearing to be this or that.”

Once an assortment of stereotyped “geeks” and “guards” who’d been promoted up a few tax brackets, CSOs are now struggling to become—and be recognized as—businessmen and women who take a strategic view of risks across the enterprise.

On the first level are CSOs themselves—you—who are learning that to be taken seriously as executives, you have to act like your peers from other parts of the business. Just look at what eBay’s Howard Schmidt, one of the country’s most prominent CISOs, has done to his look over the years.

Closely tied with the CSO’s personal image is a second level: how other business executives and their staffs view the security department and its leader. Michael Assante, CSO of American Electric Power, is candid about the kind of forethought that goes into this transformation. “I knew that image was going to be an important part of being able to have success,” says Assante, who two years ago became the first person at AEP to have control over both corporate and information security.

“Image is 100 percent important,” says Schneier, author of Beyond Fear and a prominent observer of the security industry’s evolution. “If you don’t deal with everything around the politics and socialization, you never get to the actual security.”

In other words, it’s not style over substance.

http://www.csoonline.com/read/120104/image_intro.html


Using events-per-second as a factor in selecting SEM tools

Posted on November 29, 2004 (updated December 30, 2021) by admini

For the purpose of this article, the authors define the EPS that can be accommodated by an SEM tool more precisely as the number of security-related events a product can receive, normalize, analyze/correlate, and display or act on in the form of results within an acceptable time frame.

This direct or indirect allusion to EPS is intended to impress the prospective buyer with the performance capabilities of the product, and, beyond that, to help buyers make informed decisions that will ultimately lead to satisfaction with their purchase. For example, a very simple part of a security policy, and one that is used by most large organizations may entail logging all successful and unsuccessful login attempts from network devices such as routers, servers, firewalls, switches, etc. So for every one of these devices listed, a log message must be generated and sent to a logging server or SEM product whenever a successful or unsuccessful login attempt is made.

A more complex policy would include the information from the simple example above and in addition, might include logging Network Address Translation (NAT) entries on firewalls and routers.

Any user traversing a firewall or router with NAT logging turned on would generate a log message for each packet/session that traverses these devices.

This policy would generate significantly more events per second, and, if the information were used correctly, would also provide an additional level of information for event correlation and detection of security threats.

In either case, as soon as each of the security devices is successfully generating the correct number of log events to reflect the policy, you are ready to determine the total EPS generated by your network.

The SEM device collects this data and normalizes the signature part of this message (“Inbound TCP Denied”) into a format that is independent of the vendor originating the message. If the SEM tool is not scalable (i.e., an incremental rise in frequency and total accumulated data will slow analysis), then it probably does not satisfy the requirements: a serious network event may lag significantly behind the SEM tool’s ability to analyze the problem and convey the results to the user in a meaningful amount of time.

It is fairly easy to use a tool like Nessus in “go-as-fast-as-you-can mode” to cause an IDS to produce a lot of output.

Some SEM tools have the ability to suppress data from these “noisy” devices (and then output a message like “1500 bad messages detected from IDS …”).

Although this is a worthwhile feature, the heuristics used to determine whether or not to deploy it need to be intelligent enough to distinguish a device that is genuinely noisy from an attacker who is trying to DoS (denial of service) the SEM tool by flooding it with IDS messages, or trying to make it ignore IDS messages in order to mask malicious network activity.

The frequency of security event messages is an important factor when evaluating SEM products, not only because of your own performance expectations under normal circumstances, but also because of the potential for security messages to be maliciously generated as part of an external attack for the explicit purpose of exceeding the SEM vendor’s abilities to handle them.

If a SEM tool advertises it can handle 40,000 EPS, then the SEM vendor should provide the ability to deploy 10 SEM devices throughout the network to distribute the workload, correlating events on each device and also across devices.
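The measurement, normalization, noisy-device and capacity-planning points above, as an added Python example that is not from the SC Magazine article or from any SEM product: the log lines, device names, baseline rates, the 10-second window, the suppression thresholds and the 70% headroom figure are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample log lines: (timestamp in seconds, device name, raw vendor message).
# The window spans t=0..9, i.e. WINDOW_SECONDS of traffic from three devices.
SAMPLE_EVENTS = [
    (0, "fw1", "%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.8/22"),
    (0, "rtr1", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] from 10.0.0.2"),
    (1, "srv1", "sshd[812]: Failed password for root from 198.51.100.7 port 40112 ssh2"),
    (2, "srv1", "sshd[812]: Accepted password for alice from 10.0.0.4 port 50222 ssh2"),
    (3, "fw1", "kernel: iptables DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.8 PROTO=TCP DPT=445"),
    (4, "fw1", "%ASA-4-106023: Deny tcp src outside:203.0.113.5/4445 dst inside:10.0.0.8/23"),
    (5, "rtr1", "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] from 198.51.100.3"),
    (7, "fw1", "%ASA-4-106023: Deny tcp src outside:203.0.113.5/4446 dst inside:10.0.0.8/25"),
    (9, "srv1", "sshd[812]: Failed password for root from 198.51.100.7 port 40113 ssh2"),
]
WINDOW_SECONDS = 10

# Vendor-specific signature text -> vendor-independent signature name (the "normalize" step).
SIGNATURES = [
    (re.compile(r"Deny tcp|iptables DROP .*PROTO=TCP"), "inbound_tcp_denied"),
    (re.compile(r"LOGIN_SUCCESS|Accepted password"), "login_success"),
    (re.compile(r"LOGIN_FAILED|Failed password"), "login_failure"),
]


def normalize(raw):
    """Map a raw vendor message to a normalized signature; 'unknown' if nothing matches."""
    for pattern, signature in SIGNATURES:
        if pattern.search(raw):
            return signature
    return "unknown"


def eps_by_device(events, window_seconds):
    """Events per second contributed by each device over the window."""
    counts = Counter(device for _, device, _ in events)
    return {device: n / window_seconds for device, n in counts.items()}


def total_eps(events, window_seconds):
    """Total EPS the network generates over the window (what the SEM must absorb)."""
    return len(events) / window_seconds


def signature_mix(events):
    """How the window's events break down by normalized signature."""
    return Counter(normalize(raw) for _, _, raw in events)


def sem_units_required(network_eps, advertised_eps, headroom=0.7):
    """Number of SEM units needed so that no unit runs above `headroom` of its advertised EPS.
    The headroom fraction is a constructed planning assumption, not a vendor figure."""
    usable_per_unit = advertised_eps * headroom
    return max(1, math.ceil(network_eps / usable_per_unit))


def classify_device(observed_eps, baseline_eps, noisy_threshold_eps=500.0,
                    tolerance=2.0, flood_factor=10.0):
    """Decide whether a device's rate looks like its known chatter or like a flood.

    'baseline_noisy'  : sustained high rate close to a known-high baseline; summarizing it is safe.
    'suspected_flood' : rate far above baseline; never suppress, escalate instead, because a sudden
                        burst is also what an attempt to drown or mute the SEM looks like.
    'normal'          : anything else is forwarded unchanged.
    Thresholds are constructed defaults; tune them from your own baselines.
    """
    if baseline_eps <= 0:
        return "suspected_flood" if observed_eps > 0 else "normal"
    ratio = observed_eps / baseline_eps
    if ratio >= flood_factor:
        return "suspected_flood"
    if baseline_eps >= noisy_threshold_eps and ratio <= tolerance:
        return "baseline_noisy"
    return "normal"


def triage(device, observed_eps, baseline_eps, message_count):
    """Turn the classification into the action a SEM would take and the message it would emit."""
    verdict = classify_device(observed_eps, baseline_eps)
    if verdict == "baseline_noisy":
        action, summary = "suppress", f"{message_count} messages summarized from {device} (known-noisy baseline)"
    elif verdict == "suspected_flood":
        action, summary = "escalate", (f"{device}: {observed_eps:.0f} EPS against baseline "
                                       f"{baseline_eps:.0f}; possible flood, not suppressed")
    else:
        action, summary = "forward", f"{device} within normal range"
    return {"device": device, "verdict": verdict, "action": action, "summary": summary}


if __name__ == "__main__":
    print("per-device EPS:", eps_by_device(SAMPLE_EVENTS, WINDOW_SECONDS))
    print("total EPS:", total_eps(SAMPLE_EVENTS, WINDOW_SECONDS))
    print("signature mix:", dict(signature_mix(SAMPLE_EVENTS)))
    print("SEM units for a 280,000 EPS network at 40,000 EPS/unit:", sem_units_required(280_000, 40_000))
    for dev, observed, baseline, n in [("ids1", 1500, 1200, 15000), ("ids2", 1500, 20, 15000), ("ids3", 30, 20, 300)]:
        print(triage(dev, observed, baseline, n)["summary"])
```

The point of `classify_device` is that suppression keys off a device's known baseline rather than off raw volume alone: an IDS that always emits around 1,200 EPS can have its output summarized, while an IDS that normally emits 20 EPS and suddenly emits 1,500 is escalated, since muting it is exactly what an attacker flooding the SEM would want.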

Scalability is a complex topic that requires in-depth discussion that is beyond the scope of this article.

EPS is to security what miles per hour is to a sports car. EPS is an easy concept to grasp since, in the context of SEM devices, it’s just a number used to quantify the results that can be produced by a complex real-time correlation process. Networks and their security devices generate a certain number of events per second.

In order to assure a satisfying customer experience with an SEM product, it is essential to match the EPS generated by your network with the EPS that can be correlated by your SEM purchase.

The bottom line is that SEM products with higher EPS numbers at each of the relevant transition points (reception, normalization, correlation, and display) are more likely to meet the expectations and performance requirements of most networks.

The information in this article has been written for the purpose of educating the SEM tool buyer about the decision-making process that a well-informed buyer uses when evaluating SEM tools.

These questions should be asked with respect to a configuration where one SEM tool is used, then applied to a distributed configuration where numerous SEM tools are used together to handle correlation requirements beyond the capability of one SEM tool.

  • How many EPS are generated by the security devices on my network?
  • What is the EPS of the SEM tool I am considering?
  • What was the duration of EPS testing?

http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=7a042281-34b1-446a-9148-f58e05bd11ba&newsType=Features


Counting the cost of security training

Posted on November 5, 2004 (updated December 30, 2021) by admini

This quickly adds up to a rather tidy sum for managers trying to stretch their often shrinking budgets. Many managers believe that if they provide training for their analysts, they will lose them to other firms.

While this can be a very valid argument, it is also one on the razor’s edge – by that I mean you run the risk of your employee becoming irritated at any lack of investment in them and their future, and they simply leave.

As a security analyst, for example, you must not only stay current with technology, but also improve your core skill set.

Right or wrong, many employees believe that it is up to the employer to provide that training – and with that same reasoning, most believe it should not be the employee who pays out of pocket for these courses.

Reality dictates that most companies simply do not provide adequate training for their staff simply due to financial constraints – and in fact, it may not be important to their long-term objectives.

If you own or manage staff in a small-to-mid size company, it would pay you great dividends to set aside some money for training. These initiatives would show your next prospective hire that you are definitely serious about helping to maintain their skills and investing in them as an employee. Companies that skip training largely do so because the latest worm or virus has not affected them, and so they do not see the need to train their security staff. However, we all know that the very reason they were not affected is that they had trained and competent security staff.

For the many people out there who pull double or triple duty at times, getting the latest training is even more important.

Nowadays having the system administrator deal with related technology such as routers, in addition to all his other security functions, is all too common.

Learning on the job is a good way to learn, but it still cannot replace the proper training – yet so few want to shell out the money for it.

I believe this is why you see so many network security jobs with an insanely long list of required skills, often starting with a particular certification.

http://www.theregister.co.uk/2004/11/05/cost_of_security_training/


Biometrics early adopters reveal secrets, challenges

Posted on October 29, 2004 (updated December 30, 2021) by admini

Gathered at the Millennium Hilton across the street from the site, attendees of the Fall 2004 Biometrics Summit heard about the challenges and benefits seen by those who would implement biometrics, both before and after the 9/11 attacks that put a greater focus on security needs.

Acknowledging that most of the 9/11 attackers used driver’s licenses to board the airplanes they would use as weapons, one presenter said biometrics should be a key tool, in conjunction with better verification of identity-proving documents, in the process of obtaining driver’s licenses.

Illinois was the first to use facial recognition technology in its DMVs, four years before 9/11, and the state is currently preparing an upgrade to its systems, said Beth Langen, administrator of the policy and programs division of the Driver Services Department in the Illinois Office of the Secretary of State. The measures have helped combat fraud, catching those who try to get multiple licenses for different identities. In all, 1,700 cases of fraud have been discovered using the facial recognition software, with 173 people claiming three or more identities.

Originally, the department had considered using fingerprint readers, but went with facial recognition for several reasons. The facial-recognition image database now contains 16 million pictures, and it is growing by 8,000 to 12,000 every day. Another organization had used a sign-in sheet for employee attendance, but employees who didn’t want anyone to know they came in late started ripping out pages, said Malachy Higgins, chief of administration. The office tried using card readers, but found that administering the cards was a big headache, and if they were going to be late, employees could give their cards to others who went in earlier to make it appear that they were on time.

Scott Sykes, group manager of strategic technology at Capital One, encountered a lot of resistance to his ideas for bringing biometrics technology into the financial services firm. The fundamental point of resistance was whether the reduced risk, cost savings and increased efficiency outweigh the expense required, Sykes said. Biometric readers aren’t built into laptop or desktop computers, making the readers a hassle to add to a network.

Until these hurdles are overcome, biometrics will have a hard time getting a foothold in most enterprise companies, Sykes said.

http://www.nwfusion.com/news/2004/1028biometrics.html


Microsoft Blogger: Replace Windows Passwords With Passphrases

Posted on October 21, 2004 (updated December 30, 2021) by admini

In a blog post titled “Why you shouldn’t be using passwords of any kind on your Windows networks”, Robert Hensing argues that the inclusion of password-cracking tools in recent worms and trojans illustrates the need for sturdier authentication schemes.

Hensing notes that Windows 2000 and Windows Server 2003 support passphrases of up to 127 characters, including spaces and Unicode characters.

Some older Unix versions using the Data Encryption Standard (DES) only support passwords up to eight characters, or ignore any characters after the first eight.

Epps suggests an alternative method: select a passphrase, type out the first letter of each word, and any numbers and punctuation that come out of it.

Even longer passphrases are not immune to crackers who are persistent with dictionary attacks, powerful processors and social engineering, as noted in the passphrase FAQ, which emphasizes that good passphrases should be obscure. “The short version on common phrases is don’t use them ever,” it advises.

Microsoft will have more to say on passphrases, according to Hensing, whose blog post has been widely discussed on mailing lists in recent days.

http://news.netcraft.com/archives/2004/10/21/microsoft_blogger_replace_windows_passwords_with_passphrases.html


© 2025 CyberSecurity Institute | Powered by Superbs Personal Blog theme