Monday, January 30, 2012

BYOD, BYOT, IT Consumerization: A Burning Issue

I've been beating the bushes looking for someone to pen a book on BYOD, without success.

Sometimes I think I have a hard time separating media and conference hype--the need to cover something and create some level of FUD--from reality, or what people in the trenches think. Frequently, media-generated FUD is backed up by survey data, which may or may not be valid, fueling the fire.

So, now I ask, "Is BYOD, BYOT, IT consumerization, or whatever you call it, really a burning issue?"

Friday, January 27, 2012

World IPv6 Launch. Yawn.

The World IPv6 Launch takes place on June 6, 2012. IPv4 addresses have run out, although workarounds exist, and new top level domains have been created. There's no easy migration path from IPv4 to IPv6. With the growth of M2M, IoT, and Smart Grid, the need for new IP addresses seems obvious. So, does anyone care? Based on book purchases, I'd say no. What's the next step?

Thursday, January 26, 2012

Is Network Security an Oxymoron?

As recent events have clearly demonstrated, no matter how highly defended a network is, someone will find a way to penetrate it. If RSA and Symantec can’t keep intruders out, and APTs (a euphemism for Chinese-sponsored attacks?) continue to plague public, private, and government systems, what hope is there?

Remember PPT—people, process, and technology? We can throw technology at the problem and achieve middling success. If we are eternally vigilant and paranoid, we may realize great success. But what about people and process?

Despite comprehensive signed policies and awareness training, users still click on email attachments or embedded links, and willingly provide their user IDs and passwords to people calling from "tech support." And this is without the burgeoning BYOD and BYOT problem. Who knows what users are introducing to the network when they connect their USB drives, tablets, and smartphones to their desktops?

What’s the solution? Jim Tiller, now Head of Professional Services, Americas at HP Enterprise Security, suggests that regulations and compliance, and now insurance, are trying to do what PPT couldn’t. He thinks that government has accepted that, because what we have been doing hasn’t worked, increasing the regulatory burden will. So, has network defense become notification and remediation once an organization has become compliant? Yes, it’s a loaded question.

Under this scenario, security becomes strictly a cost/benefit analysis. If the cost of an intrusion is, say, $1 million to cover notification and remediation, and the cost of preventing the intrusion is $1.5 million, then an organization would decide to accept the risk of an intrusion rather than take actions to prevent it. And now that an organization can obtain insurance, the insurers will determine the risk, instead of using the standard infosec risk formulas.

Assuming the organization was compliant with all regulations, then it’s done all it’s required to do to protect its network and information. It no longer has to compete in an ever escalating arms race against hackers of all ilks, from privately to government sponsored.

Of course, an enterprise could simply disconnect critical systems and employees from the Internet, which would prevent intrusions from the outside, but do little against insider threats. (It still amazes me that SCADA and other ICS are Internet-facing, and that things will inevitably get worse as M2M and the Internet of Things creates more points to attack.) As Jim concludes, efforts to protect and defend networks won’t go away, but response may well take precedence.

Wednesday, January 25, 2012

How to Use a Vulnerability Scanner

Vulnerability scanners can do so many different tasks that not having a clear strategy for how to use them on your network can result in a lot of wasted time. So how does one use a vulnerability scanner?

A vulnerability scanner will search your network for various vulnerabilities and it does this by analyzing a number of things, including:

• Open Ports
• Applications
• Configurations
• Scripts
• Devices
• Users
• Shares
• Groups
• Security Software

Once a vulnerability scanner finishes analyzing a particular machine it will use the data collected to determine and report on vulnerabilities and potential vulnerabilities. There is an important distinction to be made here.

A dormant account is a good example. If your vulnerability scanner detects a user who hasn’t logged on in quite a while, it will report this as a vulnerability. It may well be one (an orphaned account is a ready-made foothold), but there may also be a legitimate reason for it, and it is up to the administrator to decide which reported vulnerabilities are to be acted upon and which can be accepted for business purposes, noting the residual risk that goes with each acceptance.

After a scan the administrator has a list of vulnerabilities, sorted according to what needs to be fixed and what level of risk we have to accept because of legacy elements in the system or other constraints.

The vulnerabilities we want to act upon require a straightforward approach. The vulnerability scanner will most likely provide an explanation on what the issue is and suggest resources that the administrator can refer to for more details and how to solve the problem.

Sometimes not all vulnerabilities can be fixed, and the administrator must decide whether the benefits outweigh the risks. Vulnerabilities may be left untreated for various reasons: legacy applications with known vulnerabilities may be considered important to the business, or system configurations and protocols with known weaknesses may be required. The administrator’s role is to identify what the risk is and find ways to limit it without compromising business operations or security.

For example, let’s say that for legacy purposes you need to support SSH protocol Version 1, which has numerous known vulnerabilities. The application you are using that requires SSH 1 support has no viable replacement and is critical to the business. In this example, you have no choice but to leave the vulnerabilities in the system. However, although you cannot really avoid using a vulnerable application or protocol, you still need to do something to minimize the risk.

You need to analyze how the application is used and, where possible, restrict its use and access. If you need to support SSH 1 for a legacy application, make sure your firewall allows access to that service only from the host where the application is running and blocks every other source. Record the acceptance, the compensating control, and a review date, so the exception is revisited deliberately rather than rediscovered at every scan.
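The triage the post describes, separating findings that must be fixed from findings whose risk the business has knowingly accepted, is simple enough to script. The example below is added here and is not code from the original post or from GFI. The scanner output, the risk-register entries, and every host address in it are constructed for illustration; the field names are assumptions, not any vendor's export format. Acceptances are scoped to one host and one finding, carry a compensating control (the firewall restriction from the SSH 1 example) and an expiry date, and an expired acceptance is surfaced for action rather than silently honoured. Note that the second host running SSH 1 is not covered by the first host's acceptance and so lands in the "act" list.

```python
"""Triage vulnerability-scanner findings against a register of accepted risks.

Added example, not code from the original post or from GFI. Finding fields,
register fields, hosts and addresses are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Date of the (constructed) scan; used to decide whether an acceptance has lapsed.
SCAN_DATE = date(2012, 1, 25)

# Constructed scanner output for three hosts (assumed field names).
SCAN_FINDINGS: List[dict] = [
    {"host": "10.0.5.20", "port": 22, "id": "ssh-protocol-v1", "severity": "high",
     "detail": "SSH server accepts protocol version 1"},
    {"host": "10.0.5.21", "port": 22, "id": "ssh-protocol-v1", "severity": "high",
     "detail": "SSH server accepts protocol version 1"},
    {"host": "10.0.5.20", "port": None, "id": "dormant-account", "severity": "low",
     "detail": "account 'svc_backup' has not logged on in 120 days"},
    {"host": "10.0.5.30", "port": 445, "id": "smb-signing-disabled", "severity": "medium",
     "detail": "SMB signing not required"},
]


@dataclass(frozen=True)
class AcceptedRisk:
    """One register entry, scoped to a single host and a single finding id."""
    host: str
    finding_id: str
    justification: str
    compensating_control: str
    owner: str
    expires: date


# Constructed register. Every acceptance names a compensating control and an
# expiry date so that it is re-examined instead of living forever.
ACCEPTED_RISKS: List[AcceptedRisk] = [
    AcceptedRisk("10.0.5.20", "ssh-protocol-v1",
                 "legacy line-of-business app needs SSH v1; no replacement available",
                 "firewall permits TCP/22 to this host only from app server 10.0.9.15",
                 "ops-team", date(2012, 12, 31)),
    AcceptedRisk("10.0.5.20", "dormant-account",
                 "svc_backup is used only for quarterly restore tests",
                 "account is disabled between tests",
                 "backup-admin", date(2011, 12, 31)),  # lapsed before SCAN_DATE
]


def _index(register: List[AcceptedRisk]) -> Dict[Tuple[str, str], AcceptedRisk]:
    """Key the register by (host, finding id) so acceptances never bleed across hosts."""
    return {(r.host, r.finding_id): r for r in register}


def triage(findings: List[dict], register: List[AcceptedRisk], today: date) -> dict:
    """Split findings into three buckets.

    act:      no acceptance on record; fix these, worst severity first.
    expired:  an acceptance exists but has lapsed; renew it or fix the finding.
    accepted: a current acceptance with a compensating control covers it.
    """
    by_key = _index(register)
    act, expired, accepted = [], [], []
    for f in findings:
        risk = by_key.get((f["host"], f["id"]))
        if risk is None:
            act.append(f)
        elif risk.expires < today:
            expired.append((f, risk))
        else:
            accepted.append((f, risk))
    act.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)))
    return {"act": act, "expired": expired, "accepted": accepted}


def report_lines(result: dict) -> List[str]:
    """Render the triage result as plain text lines for a ticket or e-mail."""
    lines = []
    for f in result["act"]:
        lines.append(f"ACT      {f['severity']:<8} {f['host']:<12} {f['id']}: {f['detail']}")
    for f, r in result["expired"]:
        lines.append(f"EXPIRED  {f['severity']:<8} {f['host']:<12} {f['id']}: "
                     f"acceptance by {r.owner} lapsed {r.expires.isoformat()}")
    for f, r in result["accepted"]:
        lines.append(f"ACCEPTED {f['severity']:<8} {f['host']:<12} {f['id']}: "
                     f"{r.compensating_control} (review {r.expires.isoformat()})")
    return lines


if __name__ == "__main__":
    for line in report_lines(triage(SCAN_FINDINGS, ACCEPTED_RISKS, SCAN_DATE)):
        print(line)
```

Run as a script it prints one line per finding, prefixed ACT, EXPIRED or ACCEPTED. The point of keeping the register keyed by host and finding, rather than by finding alone, is exactly the case in the sample data: a second machine that starts offering SSH 1 must not be hidden by an acceptance that was justified, and compensated, for one specific host.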

Security is a process. Using a vulnerability scanner is not simply a matter of running a program and following the onscreen instructions; you could miss important details and create additional risks. As an administrator you need to ask: how do you use your vulnerability scanner? How do you tailor the security process to your needs? Once you have the answers to these questions you can effectively secure your environment against a huge range of threats.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.

Tuesday, January 17, 2012

Why should Bradley Manning defend himself?

The Christian Science Monitor ran a piece suggesting how Manning may try to weasel out of his alleged actions.

Sure, let's play good defense and muddy the waters. The question is whether or not he purposefully leaked classified documents. It doesn't matter whether or not they should have been classified, or if the leak did damage. There was a rule; someone broke it; someone should pay. If Manning is guilty and wants to be a counterculture hero, then he should man up. If he's not guilty, then make the plea and prove it.

Kierkegaard writes about a knight of faith who knowingly acts counter to law to achieve what he perceives is a greater good, and he takes responsibility for the act. A knight of faith is an admirable character regardless of whether or not one agrees with his actions. No snivelling cowardice allowed. If Manning did what he's accused of doing, he's now baser than a scrawny little runt who teases the bigger kids and then runs to hide behind his mother.

Monday, January 16, 2012

Does cyber insurance offer IT peace of mind?

It was only a matter of time.
The real challenge is for security organizations to get too big to fail, and let the citizens underwrite the risk.

Friday, January 13, 2012

Book Review Went Viral, but Do Books Matter?

This is about Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It. Jesse Varsalone and Matthew McFadden wrote it, we published it, Ben Rothke reviewed it, and the review went viral. I love it when that happens, but it doesn't happen too often.

Speaking of which, is anyone reading this still reading books? Buying books? Downloading pirated copies of books? Do books play any role in your working life?

Monday, January 9, 2012

Symantec says some source code stolen, no customer information exposed

As reported on VentureBeat, a group of Anonymous members based in India has stolen the source code for Symantec’s anti-virus software. Is nothing sacred? If major security vendors are getting hacked, is it lights out for the rest of us?

Wednesday, January 4, 2012

ASIS-ISAF research pinpoints move towards security convergence

There's long been talk about security convergence. As the physical security world became more digital, it made sense that the prototypical security director, a former cop with black shoes, white socks, and a crew cut, would have to cede his domain to his information security counterpart. This, of course, hasn't happened, and likely won't. While it takes IT guys to install and maintain access controls, surveillance cameras, sensors, etc., there's still the physical world of guards, fences, and walls. This survey only addresses access controls.

Monday, January 2, 2012

Chinese government to crack down on phishing schemes

It was a busy weekend, with new hacks of commercial and political sites.

A couple of recent items (here and here) highlight China's attempts to protect its citizens from the evils of phishing. Maybe they should dial back their espionage, IP theft, and cyberwar efforts instead. China's apparent ham-handed approach to everything is a wonder to observe. Why do something subtle when you can use a cudgel? Sitting on top of all that money, they really don't care what the world, or its citizens, thinks. If the money threat doesn't work, there's always the new carrier-killer missiles.