Category: Uncategorized

An emerging class of security compliance gateways can scan networks to ensure that any new machines being hooked onto the network comply with an organization?s security policies and are configured properly, said Alan Paller, research director at the SANS Institute, a security training and education organization.

The four essential items are:
1. Vulnerability Management
2. Automated Patch Management
3. Enterprise firewalls and intrusion prevention
4. Token Based Identity Management

http://www.fcw.com/fcw/articles/2004/0920/tec-4sec-09-20-04.asp

If you want your security organization to be supported (or at least tolerated) by management, the department must become a communication station. Avoid subjective interpretations or even anecdotal information; instead, focus on metrics that are objective and indisputable.

As an example, to calculate the impact of spam filtering, the team began counting e-mails the filter rejected. Despite a few user complaints, the metrics showed these were isolated incidents and proved that a great majority of legitimate mail was getting through. This correlation of traffic to outbreaks would later help the IT staff react faster to outbreaks, because they could see worm signs before it spread.

Most infrastructure metrics are designed for gearheads, and the data is not useful to business managers.

Start with the message you want to communicate to management, then figure out which metrics would support that point. A mix of good news and bad news is to be expected–any manager knows that an employee who communicates only great news is probably a liar. If your security reports are always full of sunshine, expect management to become suspicious–and with good reason.

For instance, clients who use desktop-management and antivirus software appreciate being able to perform a “check-in”–that is, every workstation on the network “phones home” to the master console, ensuring each is in compliance with policies, such as pattern updates. This type of report is a good indicator that (a) your software investment is functioning; (b) the majority of users haven’t cleverly disabled the agent so they can download porn and install cute screensavers; and (c) you can, if necessary, invoke additional software functionality.

Indeed, any process you monitor will show that you’re on top of things–particularly if the process is new to your organization, such as vulnerability remediation, server- configuration compliance, unsuccessful login monitoring or log-exception monitoring.

When you must express dollar figures, try to associate some measure of probability with them–IT security is equivalent to risk management, after all.

Ultimately, use caution and be conservative when estimating dollar payback or you risk damaging your credibility.

Finally, in security and in business, timing is everything.

http://www.securitypipeline.com/46200070

USB flash drives, MP3 players and the like are everywhere nowadays. Giving your staff free rein to use them at work could lead to breaches of security and loss of data.

Businesses are increasingly putting themselves at risk by allowing the unauthorized and uncontrolled use of portable storage devices. The use of unauthorized portable storage devices poses many dangers, not least for the malicious code that they can introduce. High data capacity and transfer rates, and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device has the capacity to quickly download much valuable corporate information, which can be easily leaked to the outside world.

Portable devices include any kind of pocket-sized portable FireWire hard drive, like those from LaCie or Toshiba, or USB hard drive or keychain drive, such as M-Systems’ DiskOnKey. They also include disk-based MP3 players, such as Apple’s iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media.

The devices pose two kinds of threat. Intentionally or unintentionally, users can bypass perimeter defenses like firewalls and antivirus at mailserver, and introduce malware such as Trojan Horses or viruses that, if not discovered, can cause serious damage. Also, companies are at risk of losing intellectual property and other critical corporate data.

The impact of the latter goes beyond the commercial value of the data for two reasons. There are different privacy laws in different countries. This means there is more risk of legal action if personal information – belonging to corporate clients or employees – ends up in the hands of an unauthorized third party. Companies’ reputations may be damaged as a consequence of information leaks. This is particularly the case for those operating in areas where client privacy must be preserved, such as the financial market.

Managers should advise on the main procedures to be followed for the eventual use of such devices; for instance, to confirm the need for password and security protection (encryption) of stored corporate data.

Adopt personal firewalls to limit what can be done on USB ports. Leading products to consider are from vendors like Sygate Technologies, Zone Labs and Symantec. Vendors like Pointsec Mobile Technologies, Information Security Corporation and PC Guardian Technologies offer alternative specialist solutions.

On a broader level, and especially for those industries where intellectual property is of critical importance, the use of digital rights management software ensures the persistent protection of digital assets by maintaining constant control over their use and distribution.

http://www.csoonline.com/analyst/report2714.html

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Forrester says now is the time for IT to take a more active role in such management.

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Where a limited support policy was appropriate two years ago, IT must now take on a much more active role in provisioning, supporting, and managing mobile devices. Because many employees use their own devices to store company information or otherwise ignore company mobile usage policies, companies often don’t have control of the devices, what information is stored on them, or how the information is protected.

Unmanaged mobile devices represent one of the most serious and often overlooked security threats to the enterprise. As several incidents over the past year demonstrate, the risk of information loss or theft from laptops, PDAs, phones, converged devices, and tablets is increasing rapidly. Organizations should balance the growing requirement for mobility with sensible policies on mobile usage and security, along with technology to enforce the policies.

While more organizations have mobile policies than two years ago, comparatively few companies have invested in technology to manage and protect the devices. The proliferation of laptops, PDAs, and other mobile devices in the enterprise, coupled with the explosion of wireless connectivity options, has led to significant support issues and security risks. Mobile devices are vulnerable to theft and loss, with most companies budgeting for a 20% or higher loss and failure rate for PDAs.

While the cost of replacing the devices is relatively insignificant, more and more users store sensitive information on the devices. Additionally, mobile devices can introduce viruses or worms to the corporate network.

Based on a recent Forrester survey, only 9 percent of companies have deployed mobile management tools; another 20 percent are piloting or plan to deploy mobile management tools within the next 12 months (see Figure 1 on source web page). This report will outline both the challenges posed by mobility and the steps companies can take to manage and secure the devices.

Many of corporate IT’s challenges regarding provisioning and supporting remote workers, including predominantly mobile or untethered ones, can be resolved by articulating – and periodically revising – a formal written corporate mobile usage policy. If the company is not willing to set and enforce standards, the costs and risks associated with the mobile device population could quickly spiral out of control.

Managing and Securing Mobile Devices: Best Practices

Mobile Usage And Security Policies
– Be convenient and easy for the user to follow.
– Balance productivity requirements against security and costs.
– Vary by the users’ roles and type of information they handle.
– Specify how users should synchronize information with mobile devices.
– Include guidelines for data usage and transfer.
– Summarize proper use and care of company-owned or -supported mobile devices.
– Have a definition of corporate standards for hardware selection.
– Outline standards for support of employee-purchased equipment.

Communication and User Education
User education is also critical.
Give users some accountability.
Make it clear what is at stake, including the user’s own information.
Give users the necessary tools and easy means to secure the devices.
Raise awareness by demonstrating real security risks.

Selcting Mobile Management and Security Tools
Asset discovery to identify and track devices on the network.
Synchronization tools for PIM, email, or enterprise data.
Antivirus.
Password policy enforcement.
Remote device kill for any PDAs, laptops, or tablets with potentially sensitive data.
Encryption.
Client firewalls.

Forrester Recommendation: Take Immediate Steps to Secure and Manage Mobile Devices

http://www.csoonline.com/analyst/report2794.html
http://www.gigaweb.com/

Consider this: Gartner Inc. estimates that more than 70 per cent of unauthorized access to information systems is committed by employees, as are more than 95 per cent of intrusions that result in significant financial losses. The “2003 Computer Crime and Security Survey,” meanwhile, compiled by the Computer Security Institute and the FBI, found that 62 per cent of respondents reported a security incident involving an insider, up from 57 per cent in 2002. In such an environment, which is also increasingly beset by so-called blended threats that dynamically target the vulnerabilities of isolated security products, enterprises must adopt an integrated strategy that addresses network security at all tiers: gateway, server, and client.

The traditional perimeter firewall no longer provides adequate protection against intrusions and threats. In part that’s because the very definition of “perimeter” has become blurred. The addition of remote access servers, peer connections to partners’ networks, VPN servers, and wireless access points means that a once well-defined network boundary is no longer so well-defined. As a result, there are now multiple outside paths into the corporate network.

Integrated security uses the principles of defense in depth and employs complementary security functions at multiple levels within the IT infrastructure. By combining multiple functions, integrated security can more efficiently protect against a variety of threats at each tier to minimize the effects of network attacks.

Secures connections beyond the perimeter, enabling organizations to safely communicate across the Internet.

With these security technologies integrated into a single solution, an enterprise is better able to withstand a modern-day network threat, be it a malicious code attack, a denial-of-service attack, unauthorized access (either internal or external), or blended threat.

A client firewall that also includes intrusion detection and antivirus technology works this way: as information is received by the client, it is passed through the client firewall and scanned for network attacks and viruses by the intrusion detection and antivirus technologies.

Moreover, proper controls can be put in place so that, should an incident occur, they can act in a timely fashion.

Enterprises should have a policy outlining their information assets and all access rights to that information.

If relationships with outside contractors call for them to access the network, make sure the access is designated only for the specific services required.

http://www.ebcvg.com/articles.php?id=256

A wide variety of these products stands ready to help identify and troubleshoot security and performance issues related to wireless technology. However, based on our tests of a range of these solutions, we believe companies should carefully assess their wireless security needs because their existing infrastructure devices may already fulfill them.

Wireless IDS solutions range from handheld products that are designed for on-the-spot troubleshooting at a point in time, to capabilities integrated into existing access points and managing switches, to distributed fleets of sensors that provide round-the-clock coverage.

Defensive overlay products enable a host of security and performance monitoring capabilities and have strong policy options that alert administrators to any signs of trouble. Defensive overlay network vendors are rapidly adding features that not only alert but also can be configured to isolate and block wayward connections over the wire or over the air.

Despite recent reports of vulnerabilities in the RADIUS (Remote Authentication Dial-In User Service) authentication mechanism upon which 802.11i is based, 802.11i goes a long way toward equalizing the security of known, managed devices on wireless networks and on wired ones. 802.11i does so by delivering strong standard;s-compliant encryption via AES (Advanced Encryption Standard) and port-based 802.1x authentication to WLANs (wireless LANs). [Editors note Also look to 802.1x]

However, many threats remain outside the scope of 802.11i, including access points and client nodes that are loosely maintained (or are completely outside IT’s control). Employees installing their own unsecured access points on a corporate network leave a wide-open vector for LAN attacks that bypass network firewalls and wireless security measures implemented by IT. And misconfigured and unsecured client devices also represent a significant threat. With the proliferation of WLAN hot spots and wireless devices in the home, users are leveraging their wireless connections in a multitude of locations.

In tests, eWEEK Labs has encountered interesting results from a misconfigured client bridging the internal wired network and an unknown wireless network.

http://www.eweek.com/article2/0,1759,1633282,00.asp