Is there an innovation crisis in IT Security?

01. May 2010 · Comments Off on Is there an innovation crisis in IT Security? · Categories: Innovation, IT Security 2.0, Next Generation Firewalls · Tags:

Peter Kuper posted an interesting article on fudsec.com claiming that there is an "Innovator's Crisis" in IT Security. I disagree. There are several new, innovative solutions coming from start-ups that do mitigate the new risks created by the explosion in "web 2.0" applications.

Large enterprises are facing huge challenges though. First, capital investments made in security during the last several years must be written down because the technology is obsolete. For example, stateful inspection firewalls have become essentially useless.

Second, the new solutions require these enterprises to reorganize their security staff. For example, most large enterprises have separate groups to manage firewalls and intrusion prevention systems. The "next-generation" firewalls which can reduce the risks associated with the employee usage of "web 2.0" applications, combine the firewall and intrusion detection function and also integrate with directory services, which touches a third security group – Identity and Access Management.

Separately, while this may be obvious, there is a good reason why these large diversified information technology manufacturers are not acquiring security start-ups. They have gotten so large that security revenue does not significantly move the revenue needle. Cisco and Juniper come to mind. Peter mentioned IBM's botch of ISS. We'll see what HP does with TippingPoint.

Four questions to ask your firewall vendor and Gartner on the future of firewalls

30. April 2010 · Comments Off on Four questions to ask your firewall vendor and Gartner on the future of firewalls · Categories: Application Security, Innovation, IT Security 2.0, Network Security, Next Generation Firewalls, Web 2.0 Network Firewalls · Tags: ,

Gartner's John Pescatore blogged about his view on the future of firewalls today. Many pundits have opined about enterprise deperimeterization. Not so says Pescatore, although the functionality of the firewall is changing to respond to the changes in technology and the threat landscape. Gartner calls this new technology, "next-generation firewalls."

It is really just border control – we don’t declare countries
“deperimeterized” because airplanes were invented, we extend border
control into the airport terminals.

Unfortunately every firewall vendor in the industry has jumped on the term. So in order to help you separate marketing fluff from reality, whenever you are speaking to a firewall vendor, be ready with these questions:

  • How have you adapted your stateful inspection engine in your next-generation firewall?
  • When in the firewall's packet/session analysis is the application detected?
  • Is all packet analysis performed in a single pass?
  • How does your appliance hardware support you analysis approach?
  • is there a single user interface for all aspects of policy definition?
  • What is the degradation in performance as functionality is turned on?

If you like the answers, ask for more thing – show me.

The most overrated security technologies and what to do about them

13. March 2010 · Comments Off on The most overrated security technologies and what to do about them · Categories: Authentication, Malware, Network Security, Next Generation Firewalls, Theory vs. Practice · Tags: , , , , , ,

CSOonline published an article entitled, "What Are the Most Overrated Security Technologies?" At the head of the list are, no surprise, Anti-Virus and Firewalls.

Anti-Virus – signature based anti-virus products simply cannot keep up with the speed and creativity of the attackers. What's needed is better behavior anomaly based approaches to complement traditional anti-virus products.

Firewalls – The article talks about the disappearing perimeter, but that is less than half the story. The bigger issue is that traditional firewalls, using stateful inspection technology introduced by Check Point over 15 years ago, simply cannot control the hundreds and hundreds of "Web 2.0" applications. I've written about or referenced "Next Generation Firewalls" here, here, here, here, and here.

IAM and multi-factor authentication – Perhaps IAM and multi-factor authentication belong on the list. But the rationale in the article was vague. The biggest issue I see with access management is deciding on groups and managing access rights. I've seen companies with over 2,000 groups – clearly an administrative and operational nightmare  I see access management merging with network security as network security products become more application, content, and user aware. Then you can start by watching what people actually do in practice rather than theorize about how groups should be organized.

NAC – The article talks about the high deployment and ongoing administrative and operational costs outweighing the benefits. Another important issue is that NAC does not address the current high risk threats. The theory in 2006, somewhat but not overly simplified, was that if we checked the end point device to make sure its anti-virus signatures and patches were up-to-date before letting it on the network, we would reduce worms from spreading.

At present in practice, (a) worms are not major security risk, (b) while patches are important, up-to-date anti-virus signatures does not significantly reduce risk, and (c) an end point can just as easily be compromised when it's already on the network.

A combination of (yes again) Next Generation Firewalls for large locations and data centers, and cloud-based Secure Web Gateways for remote offices and traveling laptop users will provide much more effective risk reduction.

FTC warns 100 organizations about leaked data via P2P

23. February 2010 · Comments Off on FTC warns 100 organizations about leaked data via P2P · Categories: Breaches, Next Generation Firewalls, Privacy · Tags: , , , ,

CNet News reported yesterday afternoon that:

The U.S. Federal Trade Commission has notified nearly 100
organizations that data from their networks has been found on
peer-to-peer file-sharing networks, the agency said on Monday.


The FTC notices went to private and public entities, including schools
and local government agencies and organizations with as few as eight
employees to as many as tens of thousands, the FTC said in a statement.
The sensitive information about customers and employees that was leaked
could be used to commit identity fraud, conduct corporate espionage,
and for other crimes.

Unfortunately file sharing based on peer-to-peer technology is only a part of the problem. Some firewalls and most intrusion prevention systems (IPSs) can block peer-to-peer file sharing. However, the problem is actually much worse – the growth of browser-based file sharing applications designed to bypass most firewalls and IPSs.

Palo Alto Networks, a next-generation (as defined by Gartner) firewall vendor, recognizes and can control or block 88 different file sharing sharing applications. Of these, 40 use peer-to-peer technology, 39 are browser-based, and 9 are client-server. Therefore if your network security infrastructure can control or block peer-to-peer file sharing, you are solving less than half the problem.

For more information about the hundreds of applications that ought to be controlled or blocked, go to Palo Alto Network's Applipedia.


Operation Aurora analysis

26. January 2010 · Comments Off on Operation Aurora analysis · Categories: Advanced Persistent Threat (APT), Breaches, Data Loss Prevention, Database Activity Monitoring, Malware, Next Generation Firewalls, Phishing, Secure Browsing, Security Information and Event Management (SIEM) · Tags: ,

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine year old browser is a mystery to me, especially at Google!!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

Intranets becoming high priority again. What about security?

05. January 2010 · Comments Off on Intranets becoming high priority again. What about security? · Categories: Application Security, Next Generation Firewalls · Tags: , ,

ReadWriteEnterprise is reporting, via Jakob Nielsen's annual report, that Intranets, "are becoming a higher priority for organizations. Intranet
teams are growing in size, and the best of them are embracing new
trends such as mobile accessibility and social networking."

Unfortunately there is no mention of security. These intranet applications like SharePoint are not well protected by traditional firewalls. You need to look to "next generation" firewalls, as defined by Gartner, Forrester, and others.

Update: The Gartner link above will only work for Gartner customers unless you want to pay for the report. Fortunately, Palo Alto Networks, a next generation firewall vendor, has posted the full Gartner next generation firewall report.

Koobface launches new Christmas message attack on Facebook

06. December 2009 · Comments Off on Koobface launches new Christmas message attack on Facebook · Categories: Application Security, Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy, User Activity Monitoring · Tags: , ,

Symantec's Hon Lau, senior security response manager, is reporting that the Koobface worm/botnet began a new attack using fake Christmas messages to lure Facebook users to download the Koobface malware.

This again shows the flexibility of the command and control function of the Koobface botnet. I previously wrote about Koobface creating new Facebook accounts to lure users to fake Facebook (or YouTube) pages.

These Facebook malware issues are a serious security risk for enterprises. While simply blocking Facebook altogether may seem like the right policy, it may not be for two reasons: 1) No access to Facebook could become a morale problem for a segment of your employees, and 2) Employees may be using Facebook to engage customers in sales/marketing activities.

Network security technology must be able to detect Facebook usage and block threats while allowing productive activity.

Koobface botnet creates fake Facebook accounts to lure you to fake Facebook or YouTube page

22. November 2009 · Comments Off on Koobface botnet creates fake Facebook accounts to lure you to fake Facebook or YouTube page · Categories: Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy · Tags: , ,

TrendMicro's Malware Blog posted information about a new method of luring Facebook users to a fake Facebook or Youtube page to infect the user with the Koobface malware agent. 

The Koobface botnet has pushed out a new component that automates the following routines:

  • Registering a Facebook account
  • Confirming an email address in Gmail to activate the registered Facebook account
  • Joining random Facebook groups
  • Adding Facebook friends
  • Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. 

Here is yet another example of the risks associated with allowing Facebook to be used within the enterprise. However simply blocking Facebook may not be an option either because (1) it's demotivating to young employees used to accessing Facebook, or (2) it's a good marketing/sales tool you want to take advantage of.

Your network security solution, for example a next generation firewall, must enable you to implement fine grained policy control and threat prevention for social network sites like Facebook.