01. May 2010 · Is there an innovation crisis in IT Security? · Categories: Innovation, IT Security 2.0, Next Generation Firewalls

Peter Kuper posted an interesting article on fudsec.com claiming that there is an "Innovator's Crisis" in IT Security. I disagree. There are several new, innovative solutions coming from start-ups that do mitigate the new risks created by the explosion in "web 2.0" applications.

Large enterprises are facing huge challenges though. First, capital investments made in security during the last several years must be written down because the technology is obsolete. For example, stateful inspection firewalls have become essentially useless.

Second, the new solutions require these enterprises to reorganize their security staff. For example, most large enterprises have separate groups to manage firewalls and intrusion prevention systems. The "next-generation" firewalls, which can reduce the risks associated with employee usage of "web 2.0" applications, combine the firewall and intrusion detection functions and also integrate with directory services, which touches a third security group: Identity and Access Management.

Separately, while this may be obvious, there is a good reason why these large diversified information technology manufacturers are not acquiring security start-ups. They have gotten so large that security revenue does not significantly move the revenue needle. Cisco and Juniper come to mind. Peter mentioned IBM's botch of ISS. We'll see what HP does with TippingPoint.

30. April 2010 · Four questions to ask your firewall vendor and Gartner on the future of firewalls · Categories: Application Security, Innovation, IT Security 2.0, Network Security, Next Generation Firewalls, Web 2.0 Network Firewalls

Gartner's John Pescatore blogged about his view on the future of firewalls today. Many pundits have opined about enterprise deperimeterization. Not so, says Pescatore, although the functionality of the firewall is changing to respond to the changes in technology and the threat landscape. Gartner calls this new technology "next-generation firewalls."

It is really just border control – we don't declare countries "deperimeterized" because airplanes were invented, we extend border control into the airport terminals.

Unfortunately every firewall vendor in the industry has jumped on the term. So in order to help you separate marketing fluff from reality, whenever you are speaking to a firewall vendor, be ready with these questions:

  • How have you adapted your stateful inspection engine in your next-generation firewall?
  • When in the firewall's packet/session analysis is the application detected?
  • Is all packet analysis performed in a single pass?
  • How does your appliance hardware support your analysis approach?
  • Is there a single user interface for all aspects of policy definition?
  • What is the degradation in performance as functionality is turned on?

If you like the answers, ask for one more thing: show me.

28. April 2010 · Blippy's security/privacy strategy – do they deserve to survive? · Categories: Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users about "Inappropriate Content and Use of Blippy." However, if I were considering signing up for Blippy, I might read some of these rules as a list of the risks of using Blippy. Here are examples:

Impersonation: You may not impersonate others through our services in a manner that does or is intended to mislead, confuse, deceive, or harass others.

Serial Accounts: You may not create serial accounts or relationships in order to evade the block tools or to otherwise disrupt the Services.

Name Squatting: You may not engage in name-squatting (creating accounts for the purpose of preventing others from using those account names or for the purpose of selling those accounts). Accounts that are inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link to malicious content intended to damage or disrupt another user's browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a variety of ways for users to interact with one another. You may not abuse these tools for the purpose of spamming users. Some of the behaviors we look at when determining whether an account is spamming:

  • The user has followed and unfollowed people in a short time period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

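The three spam signals in the Rules page above (follow/unfollow churn, being blocked by many accounts, and spam complaints) are the kind of thing a site's abuse team can score from an activity log. The following is an added illustration, not Blippy's code: it parses a constructed activity log (the accounts, timestamps and thresholds are all made up for this example) and flags an account when at least two of the signals fire. The "automated means" hint is approximated by the median gap between the account's own consecutive actions.

```python
"""Toy spam-account scorer over a constructed activity log (illustration only)."""
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<iso-timestamp> <actor> <action> <target>".
# Accounts, names and timings are invented for this example; nothing here is real site data.
SAMPLE_LOG = """\
2010-04-28T10:00:00 acct_a follow u1
2010-04-28T10:00:01 acct_a follow u2
2010-04-28T10:00:02 acct_a follow u3
2010-04-28T10:00:03 acct_a follow u4
2010-04-28T10:05:00 acct_a unfollow u1
2010-04-28T10:05:01 acct_a unfollow u2
2010-04-28T10:05:02 acct_a unfollow u3
2010-04-28T10:05:03 acct_a unfollow u4
2010-04-28T11:00:00 u1 block acct_a
2010-04-28T11:10:00 u2 block acct_a
2010-04-28T11:20:00 u3 spam_report acct_a
2010-04-28T11:30:00 u4 spam_report acct_a
2010-04-26T09:00:00 acct_b follow u1
2010-04-27T13:30:00 acct_b follow u5
2010-04-29T18:00:00 acct_b unfollow u1
"""


def parse_log(text):
    """Parse log lines into (timestamp, actor, action, target) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = line.split()
        events.append((datetime.fromisoformat(ts), actor, action, target))
    events.sort(key=lambda e: e[0])
    return events


def follow_churn(events, account, window=timedelta(hours=1)):
    """Count follow -> unfollow pairs on the same target that complete within `window`."""
    pending = {}  # target -> time of the follow that has not yet been undone
    churn = 0
    for ts, actor, action, target in events:
        if actor != account:
            continue
        if action == "follow":
            pending[target] = ts
        elif action == "unfollow" and target in pending:
            if ts - pending.pop(target) <= window:
                churn += 1
    return churn


def median_gap_seconds(events, account):
    """Median gap between the account's own consecutive actions; very small gaps suggest automation."""
    times = [ts for ts, actor, _, _ in events if actor == account]
    if len(times) < 2:
        return None
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2]


def count_targeting(events, account, action):
    """Number of distinct accounts that took `action` (block, spam_report, ...) against `account`."""
    return len({actor for _, actor, act, target in events if act == action and target == account})


def assess(events, account, churn_limit=3, gap_limit=5.0, block_limit=2, report_limit=2):
    """Return (flagged, reasons). Thresholds are invented for the example; tune them on real data."""
    reasons = []
    churn = follow_churn(events, account)
    if churn >= churn_limit:
        reasons.append(f"follow/unfollow churn: {churn} pairs")
    gap = median_gap_seconds(events, account)
    if gap is not None and gap <= gap_limit and churn > 0:
        reasons.append(f"median action gap {gap:.0f}s suggests automation")
    blocks = count_targeting(events, account, "block")
    if blocks >= block_limit:
        reasons.append(f"blocked by {blocks} accounts")
    reports = count_targeting(events, account, "spam_report")
    if reports >= report_limit:
        reasons.append(f"{reports} spam complaints filed")
    # Require two independent signals so one angry blocker or one complaint does not flag a user.
    return len(reasons) >= 2, reasons


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for acct in ("acct_a", "acct_b"):
        print(acct, assess(log, acct))
```

Requiring two signals before flagging is the design choice worth noting: each signal alone can be gamed against an innocent account (a handful of people can block someone they simply dislike), so the corroboration keeps the check from becoming a harassment tool itself.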
And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

25. April 2010 · Facebook accounts for sale starting at $25 for 1,000 accounts · Categories: IT Security 2.0, Privacy

Dark Reading published a story based on VeriSign iDefense's research into an underground black market for stolen social networking credentials. One criminal was selling 1,000 Facebook accounts with 10 or fewer friends for $25, while the price for 1,000 Facebook accounts with 10 or more friends was $45.

While this should not be surprising, it is worth noting again the level of cybercrime organization.

Symantec's Hon Lau, senior security response manager, is reporting that the Koobface worm/botnet began a new attack using fake Christmas messages to lure Facebook users to download the Koobface malware.

This again shows the flexibility of the command and control function of the Koobface botnet. I previously wrote about Koobface creating new Facebook accounts to lure users to fake Facebook (or YouTube) pages.

These Facebook malware issues are a serious security risk for enterprises. While simply blocking Facebook altogether may seem like the right policy, it may not be for two reasons: 1) No access to Facebook could become a morale problem for a segment of your employees, and 2) Employees may be using Facebook to engage customers in sales/marketing activities.

Network security technology must be able to detect Facebook usage and block threats while allowing productive activity.

22. November 2009 · OWASP Top Ten 2010 Release Candidate 1 available for review · Categories: Application Security, IT Security 2.0

The OWASP Top Ten 2010 Release Candidate 1 is now available for review. Security Ninja has a comprehensive summary of the vulnerability list and excellent comments.

OWASP is far and away the most comprehensive information source for secure web application development guidance. And it's free!!

22. November 2009 · Koobface botnet creates fake Facebook accounts to lure you to fake Facebook or YouTube page · Categories: Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy

TrendMicro's Malware Blog posted information about a new method of luring Facebook users to a fake Facebook or YouTube page in order to infect the user with the Koobface malware agent.

The Koobface botnet has pushed out a new component that automates the following routines:

  • Registering a Facebook account
  • Confirming an email address in Gmail to activate the registered Facebook account
  • Joining random Facebook groups
  • Adding Facebook friends
  • Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. 

Here is yet another example of the risks associated with allowing Facebook to be used within the enterprise. However, simply blocking Facebook may not be an option either, because (1) it's demotivating to young employees used to accessing Facebook, or (2) it's a good marketing/sales tool you want to take advantage of.

Your network security solution, for example a next generation firewall, must enable you to implement fine grained policy control and threat prevention for social network sites like Facebook.
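What "fine grained policy control" means in practice is that the policy key is no longer port and protocol but application, sub-function and directory group, with threat prevention applied to whatever is allowed through. The following is an added illustration written for this page, not any vendor's engine: a first-match rule evaluator where the rules, groups and the `url_reputation` field (standing in for a hypothetical threat-intelligence lookup) are all invented for the example.

```python
"""Toy application-aware policy evaluator (illustration only, not a vendor implementation)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    app: str                    # application identified by the firewall, e.g. "facebook"
    function: Optional[str]     # sub-function such as "post" or "upload"; None matches any
    groups: frozenset           # directory groups the rule applies to; empty set = everyone
    action: str                 # "allow" or "deny"
    threat_scan: bool = False   # send allowed traffic through content/malware inspection


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset           # groups resolved from the directory at session start
    app: str
    function: str
    url_reputation: str = "unknown"   # "clean" | "malicious" | "unknown"; hypothetical feed result


# Constructed example policy; rule order matters because evaluation stops at the first match.
POLICY: List[Rule] = [
    Rule("marketing-may-post", "facebook", "post", frozenset({"marketing"}), "allow", threat_scan=True),
    Rule("no-file-uploads", "facebook", "upload", frozenset(), "deny"),
    Rule("everyone-read-only", "facebook", "browse", frozenset(), "allow", threat_scan=True),
    Rule("deny-other-facebook", "facebook", None, frozenset(), "deny"),
]


def matches(rule: Rule, session: Session) -> bool:
    """A rule matches on application, optionally on sub-function, and on any shared group."""
    if rule.app != session.app:
        return False
    if rule.function is not None and rule.function != session.function:
        return False
    if rule.groups and not (rule.groups & session.groups):
        return False
    return True


def evaluate(policy: List[Rule], session: Session, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation; an allow is overridden when inspection flags malicious content."""
    for rule in policy:
        if matches(rule, session):
            if rule.action == "allow" and rule.threat_scan and session.url_reputation == "malicious":
                return "deny", f"{rule.name}: threat prevention blocked malicious link"
            return rule.action, rule.name
    return default, "implicit default"


if __name__ == "__main__":
    # Constructed sessions: a marketing user posting, an engineer posting, an engineer browsing a bad link.
    marketing_post = Session("alice", frozenset({"marketing"}), "facebook", "post")
    engineer_post = Session("bob", frozenset({"engineering"}), "facebook", "post")
    engineer_bad_link = Session("bob", frozenset({"engineering"}), "facebook", "browse", "malicious")
    for s in (marketing_post, engineer_post, engineer_bad_link):
        print(s.user, s.function, "->", evaluate(POLICY, s))
```

The two points the example makes are that the same application verb ("post") gets different answers for different directory groups, and that an allow rule is only half the decision: the threat-prevention pass still runs on the allowed traffic, which is what lets the firewall permit productive Facebook use while still stopping a Koobface-style lure.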

03. November 2009 · The new insider threat – lifestyle hackers · Categories: IT Security 2.0

CSO Online published an article yesterday called Lifestyle Hackers. It simply points out that younger employees, who are very active with Web 2.0 applications like Facebook and peer-to-peer, like to use these applications while at work in the name of productivity enhancement.

The use of these Web 2.0 applications by insiders increases the risk of security breaches. In most cases, these breaches are not malicious but inadvertent, yet they are nevertheless damaging.

It's a well written article but not news. I have written about the increased IT Security risk due to Web 2.0 applications several times:

Social Networking's Promise and Peril

Block Facebook?

Empirical evidence show that the top cyber security risks are related to Web 2.0

How to leverage Facebook and minimize risk 

Two more high profile Web 2.0 exploits – NY Times, RBS Worldpay

If Web 2.0, then IT Security 2.0


NetworkWorld has an interesting article today on the perils of social networking. The article focuses on the risk of employees transmitting confidential data. However, it's actually worse than that. There are also risks of malware infection via spam and other social engineering tactics. Twitter is notorious for its lax security. See my post, Twitter is Dead.

Blocking social networks completely is not the answer just as disconnecting from the Internet was not the answer in the 90's. Facebook, Twitter, and LinkedIn, among others can be powerful marketing and sales tools.

The answer is "IT Security 2.0" tools that can monitor these and hundreds of other web 2.0 applications to block incoming malware and outgoing confidential documents.

12. October 2009 · IBM CIO study ranks Risk Management and Compliance #3 of 10 CIO visionary plans · Categories: IT Security 2.0, Risk Management

On September 10th, IBM released the results of a global study (registration required) they conducted of 2,500 CIOs from around the world. Of the ten top "visionary plans," these CIOs ranked Risk Management and Compliance third. Business Intelligence and Analytics was first, followed by Virtualization. Also, I found it significant that Customer and Partner Collaboration came in fourth.

Unfortunately, the report did not divulge details of the methodology used beyond saying that over 2,500 CIOs were interviewed. If one grants that IBM is an able marketing organization, it genuinely wants to understand the priorities of CIOs so it can respond with the right services to increase its revenue. Therefore these priorities do represent what CIOs are thinking.

A more cynical opinion would be that this study is simply a marketing tool of IBM Global Services. In this case, IBM Global Services is advising CIOs that Risk Management and Compliance should be their third highest priority. Either way, this report highlights the importance of Risk Management and Compliance.

Looking at the study as a whole, it correlates the use of information technology to drive innovation with higher corporate profits. (Reminder: correlation and causation are not the same thing.) In addition, information technology creates new risks which must be understood and mitigated.

Perhaps I am writing this because it supports my previously stated position that risk management enables innovation, e.g. Web 2.0 creates new risks which, if not mitigated, completely outweigh the value.