30. April 2010 · Comments Off on Four questions to ask your firewall vendor and Gartner on the future of firewalls · Categories: Application Security, Innovation, IT Security 2.0, Network Security, Next Generation Firewalls, Web 2.0 Network Firewalls · Tags: ,

Gartner's John Pescatore blogged about his view on the future of firewalls today. Many pundits have opined about enterprise deperimeterization. Not so says Pescatore, although the functionality of the firewall is changing to respond to the changes in technology and the threat landscape. Gartner calls this new technology, "next-generation firewalls."

It is really just border control – we don’t declare countries
“deperimeterized” because airplanes were invented, we extend border
control into the airport terminals.

Unfortunately every firewall vendor in the industry has jumped on the term. So in order to help you separate marketing fluff from reality, whenever you are speaking to a firewall vendor, be ready with these questions:

  • How have you adapted your stateful inspection engine in your next-generation firewall?
  • When in the firewall's packet/session analysis is the application detected?
  • Is all packet analysis performed in a single pass?
  • How does your appliance hardware support you analysis approach?
  • is there a single user interface for all aspects of policy definition?
  • What is the degradation in performance as functionality is turned on?

If you like the answers, ask for more thing – show me.

05. January 2010 · Comments Off on Intranets becoming high priority again. What about security? · Categories: Application Security, Next Generation Firewalls · Tags: , ,

ReadWriteEnterprise is reporting, via Jakob Nielsen's annual report, that Intranets, "are becoming a higher priority for organizations. Intranet
teams are growing in size, and the best of them are embracing new
trends such as mobile accessibility and social networking."

Unfortunately there is no mention of security. These intranet applications like SharePoint are not well protected by traditional firewalls. You need to look to "next generation" firewalls, as defined by Gartner, Forrester, and others.

Update: The Gartner link above will only work for Gartner customers unless you want to pay for the report. Fortunately, Palo Alto Networks, a next generation firewall vendor, has posted the full Gartner next generation firewall report.

I like the idea of maturity models as they can help an organization improve the state of a process in an organized fashion and enables the organization to compare itself to others. The granddaddy of maturity models is Carnegie Mellon University's software development Capability Maturity Model which was started in 1987. Now comes the Building Security In Maturity Model which is focused on building security into the software development process.

Here is the opening paragraph of their web site:

The Building Security In Maturity Model (BSIMM) described on this website is designed to help you understand
and plan a software security initiative. BSIMM was created through a process of understanding and analyzing
real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP
CLASP, Microsoft SDL, or the Cigital Touchpoints), many initiatives share common ground. This common ground
is captured and described in BSIMM. As an organizing feature, we introduce and use a Software Security Framework
(SSF), which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where
your organization stands with respect to real-world software security initiatives and what steps can be taken to make
your approach more effective.

The organizers are Gary McGraw and Sammy Migues of Cigital and Brian Chess of Fortify. Cigital and Fortify are both leading vendors in the software security market. Please do not interpret this as a negative. Putting out valuable information for free and enabling two-way communications with users is about as ethical marketing as there is.

They are promoting the very worthwhile and intuitively obvious notion that your software will be more secure if you build security in during design and development rather than bolt it on afterward.

BTW, Carnegie Mellon's Software Engineering Institute is still very active with respect to maturity models. Check them out here. Wikipedia provides a nice summary here.

06. December 2009 · Comments Off on Clientless SSL VPN design officially acknowledged as a vulnerability · Categories: Application Security, Secure Browsing, Vendor Liability · Tags: , , ,

On November 30, 2009, the US-CERT classified the design of the popular Clientless SSL VPN class of products as a vulnerability – US-CERT Vulnerability Note VU#261869. In other words, the method by which Clientless SSL VPNs work creates a vulnerability for which there is no direct fix. The issue is that Clientless SSL VPNs, by design, subvert the "same origin policy" of web browser programming languages. The policy is described here and here.

This is by no means the first time this vulnerability has been written about – see Michal Zalewski's article of June 6, 2006, which provides a lucid attack example. Cisco acknowledged MZ's references to Cisco's SSL VPN here.

All software products contain security flaws. Most of them are implementation bugs that are more or less straightforwardly fixed in a patch or a new release. Occasionally a vulnerability is the result of a design flaw. However, this is the first time that I am aware of when a security product class is architecturally flawed at it's design level.

Symantec's Hon Lau, senior security response manager, is reporting that the Koobface worm/botnet began a new attack using fake Christmas messages to lure Facebook users to download the Koobface malware.

This again shows the flexibility of the command and control function of the Koobface botnet. I previously wrote about Koobface creating new Facebook accounts to lure users to fake Facebook (or YouTube) pages.

These Facebook malware issues are a serious security risk for enterprises. While simply blocking Facebook altogether may seem like the right policy, it may not be for two reasons: 1) No access to Facebook could become a morale problem for a segment of your employees, and 2) Employees may be using Facebook to engage customers in sales/marketing activities.

Network security technology must be able to detect Facebook usage and block threats while allowing productive activity.

22. November 2009 · Comments Off on OWASP Top Ten 2010 Release Candidate 1 available for review · Categories: Application Security, IT Security 2.0 · Tags: ,

The OWASP Top Ten 2010 Release Candidate 1 is now available for review. Security Ninja has comprehensive summary of the vulnerability list and excellent comments.

OWASP is far and away the most comprehensive information source for secure web application development guidance. And it's free!!

22. November 2009 · Comments Off on Microsoft IE8 XSS prevention feature enables XSS attacks · Categories: Application Security · Tags: , , , , ,

Dan Goodin at The Register reports that Microsoft's IE 8's Cross Site Scripting prevention feature can be used to create an XSS attack.

IE8 attempts to block XSS attacks by modifying the response, i.e. the content of the web page generated by the web server coming to the browser in response to a request. The NoScript Firefox add-on, takes the opposite approach by modifying the content of the request from the browser to the web server. Here is more information. It appears that this vulnerability is not easily fixed because it's a design flaw rather than a coding flaw.

BTW, NoScript is the second most popular Firefox Privacy & Security add-on.

NetworkWorld has an interesting article today on the perils of social networking. The article focuses on the risk of employees transmitting confidential data. However, it's actually worse than that. There are also risks of malware infection via spam and other social engineering tactics. Twitter is notorious for its lax security. See my post, Twitter is Dead.

Blocking social networks completely is not the answer just as disconnecting from the Internet was not the answer in the 90's. Facebook, Twitter, and LinkedIn, among others can be powerful marketing and sales tools.

The answer is "IT Security 2.0" tools that can monitor these and hundreds of other web 2.0 applications to block incoming malware and outgoing confidential documents.

I just received an email advertisement from a "Web 2.0 security" vendor recommending that I use its product to block the evil Facebook. This is rather heavy handed.

Sales and marketing people want to use Facebook to reach prospects and interact with customers.
Sure there are issues with Facebook, but an all-or-nothing solution does not make sense. A more granular approach is much better. I discussed this issue recently in a post entitled, How to leverage Facebook and minimize risk.

30. September 2009 · Comments Off on Twitter is dead · Categories: Application Security, Breaches · Tags: , , ,

According to Robert X. Cringeley, long time computer industry pundit, Twitter is dead. Why?

"Twitter is dead because it is now so popular that the spammers and
the scammers have arrived in force. And history tells us that once they
sink their teeth into something, they do not let go. Ever.

Twitter scams aren't new. But I've never seen so many hit in a single week or with such rigorous precision."

Symantec has a nice blog post about one of the underlying problems with Twitter, i.e. since Twitter is limited to 140 characters, people use "URL shorteners" instead of the actual URLs to which they are referring. Therefore you have no idea where you are going when you click on the shortened URL.

Cringely closes with this:

Spam will kill Twitter's usefulness for everyone but relentless
Internet marketers, unless the brainiacs at TwitCentral can figure out
a better way to block it. Smart people have tried and failed everywhere
else, though. I don't hold out much hope.

My view is that just as with any new technology, if there are real benefits people will tolerate the risks for some period of time and third parties will develop solutions to mitigate the risks. This is the history of the whole IT security industry.

Take email for example. Email has been so valuable that people tolerated spam for some time. Then third parties developed anti-spam solutions for which enterprises were willing to pay and consumers got as a feature of either their email client or anti-malware product.

On the other hand, there is still a huge amount of email spam, which means that email spamming is still profitable. Therefore there are tons of people who either are not availing themselves of anti-spam filters or for some reason still fall for spam scams.

Yet with all that spam, there is no sign of email dying due its immense value.