26. October 2010 · Comments Off on Easy fix for Firesheep creates a problem for enterprises · Categories: Malware, Palo Alto Networks · Tags: , , , , ,

Using SSL encryption to connect to social networks like Facebook and Twitter mitigates the risk of your credentials being stolen when you are using public WiFi networks to connect to the Internet. But it creates a problem for enterprises attempting to control the use of social networking because most firewalls and Intrusion Prevention Systems are blind to SSL traffic.

The recent publication of Firesheep, and the subsequent download of over 104,000 copies of the Firefox plug-in in the last 24 hours, highlights this well understood security flaw in the way social networking sites communicate with their users. Firesheep sniffs the WiFi network traffic to capture your user name and the established session ID for any of 26 sites including Facebook, Twitter, Amazon, and the NYTimes. This allows the Firesheep user to access any of these sites as you!! This not only will reveal your personal information to the Firesheep user, but allow him/her to impersonate you.

This article, Firefox Add-on Firesheep Brings Hacking to the Masses, provides a very good detailed explanation of how Firesheep works. The article also describes several readily available tools which enable or force the use of SSL for all traffic to sites that accept SSL. In other words, rather than just encrypting the exhange of identification and password credentials, all traffic is encrypted.

There is no doubt that using SSL is a good privacy protection control. However, SSL encrypted sessions will make it more difficult for enterprises to control the use of social networking because most firewalls and IPSs are not capable of decrypting SSL traffic. In other words, most firewalls and IPSs are blind to SSL traffic. An exception is Palo Alto Networks, the industry leading Next Generation Firewall.

06. October 2010 · Comments Off on Defending against Stuxnet · Categories: Malware, Palo Alto Networks · Tags: ,

Palo Alto Networks Stuxnet – SCADA malware blog post describes all four Stuxnet vulnerabilities and how to defend against them.

The answer is a combination of policies which:

  • Block .LNK and .PIF files coming from the Internet to a private network
  • Disable RPC application traffic from the Internet to a private network
  • Deploy vulnerability protection profiles using the specific Palo Alto vulnerability signatures they developed to detect all four of the Windows vulnerabilities Stuxnet exploits.

This week Palo Alto Networks is releasing two new signatures which protect against the last of the four vulnerabilities, CVE-2010-2772. Microsoft does not have a patch for this one yet.

13. September 2010 · Comments Off on Consumerization and Corporate IT Security · Categories: FireEye, Malware, Next Generation Firewall, Palo Alto Networks · Tags: ,

Bruce Schneier’s article last week entitled, Consumerization and Corporate IT Security, postulates that IT security has no choice but to loosen control in response to the consumerization of IT. In other words corporate use of consumer IT products cannot be controlled by IT Security.

Here at Cymbel, we became aware of this issue back in 2007 and began searching for solutions to this issue. There is no doubt that corporate employees must be allowed to take advantage of Web 2.0 applications and social networking. However, the enterprise can surely do this in a controlled manner and provide protection against the risks of using these applications.

Here are four solutions we offer to corporate IT Security to protect the organization while enabling the use of consumer IT products:

Palo Alto Networks provides a next generation firewall designed and built from the ground up to enable controlled use of Web 2.0 applications and social networking and protection against web-based malware. In the last 18 months, they’ve grown from 200 customers to 2,000 and they are now cash-flow positive. I would expect an IPO in the next 12-18 months.

FireEye provides protection against web-based zero-day and unknown threats using heuristics rather than signatures. It minimizes false positives by using VMWare based sandboxes on its appliances to run suspicious executables prior to alerting.

NexTier Networks is the first Data Loss Prevention system that uses semantics to classify documents rather than traditional fingerprinting. Therefore it can protect against malicious attempts at intellectual property exfiltration as well as structured data without massive pre-scanning or pre-tagging.

Zscaler provides cloud-based proxy services for protecting against web and email-based malware without having to deploy any premises equipment. This is especially suitable for organizations with many small locations. Zscaler also provides a lightweight agent for traveling users so their web and email traffic is also routed through their cloud-based service.

In addition, we recommend Sentrigo, a database protection solution, as another layer of our next generation defense-in-depth architecture focused on applications, users, and information.

Enhanced by Zemanta
02. August 2010 · Comments Off on To block or not to block social media like Facebook · Categories: Palo Alto Networks, Policy Management · Tags:

Via ReadWriteWebEnterprise, Cisco’s Mid-Year Security Report notes that:

50% of end users admitted to accessing social media tools at work, in spite of company rules, at least once a week. Another 27% have changed the settings on a company device to access prohibited sites or applications. The report notes the security risks, and potential for lost productivity, Facebook and other social media sites present, but doesn’t recommend enterprises block social media sites entirely.

Citing both worker morale and the potential to use the tools for work-related activities, Cisco recommends better security education and social media policies in the work place instead of technical restrictions that employees would likely route-around anyway.

The article also notes Palo Alto Networks’ social media policy capabilities. We believe that Palo Alto Networks, our partner, by far has the most complete social media policy options available.


05. July 2010 · Comments Off on Koobface trojan continues to plague Facebook · Categories: Malware, Next Generation Firewall, Palo Alto Networks, Security-Compliance, Social Engineering · Tags: ,

Trend Micro’s research lab is reporting that the Koobface trojan continues to put unsuspecting Facebook users at risk. Because Koobface is really a bot, its Command & Control infrastructure can and does change the message and the link you receive to lure you a page that will download the Koobface trojan onto your system.

You could ask, why can’t Facebook eradicate Koobface? Apparently, they are not seeing a significant number of users canceling their accounts due to Koobface and other malware to warrant the investment.

Why not simply block Facebook? If the business side of the organization (sales and marketing) is OK with that, then blocking Facebook in the office is a reasonable step. There are two issues to consider:

  1. Increasingly, sales and marketing departments want to take advantage of Facebook and other social networking sites to reach current and prospective customers.
  2. Even if you do block social networking sites in the office, laptop users who travel or just use their laptops at home are at risk of being exploited by malware from social networking sites.

Palo Alto Networks’ next-generation firewall solves the first issue today and has announced GlobalProtect, which will solve the second issue in its next release at the end of 2010.

23. June 2010 · Comments Off on Palo Alto Networks Introduces GlobalProtect for roaming users · Categories: Next Generation Firewall, Palo Alto Networks

As good as Palo Alto Networks next-generation firewalls are, their value ended when you left the location it was protecting. When you’re in a hotel or a Starbucks, you had to rely on your laptop’s host based protection capabilities. And from your organization’s perspective, it lost the Palo Alto Networks policy controls. When you are remote, you can visit any website you want.

In order to remedy this limitation, Palo Alto announced GlobalProtect today. Here is Palo Alto’s description:

Unlike traditional approaches to endpoint security, Palo Alto Networks GlobalProtect ties application-, user-, and content-based policies to roaming users through a persistent thin client that can be pre-installed or installed on demand. Similar to a VPN, remote traffic is sent over a secure tunnel. However, unlike typical VPN deployments, which direct traffic to a few geographically centralized gateways, the GlobalProtect client automatically connects to the nearest corporately-managed Palo Alto Networks next-generation firewall deployed at a hub, branch, or in a private cloud. This results in faster throughput, easier management, and better protection.

For the first time, organizations will be able to maintain their policies regardless of a user’s location. John Pescatore of Gartner says it this way:

The Next Generation Firewall will follow the same pattern – extending to NGFW as a service (or what we used to call ‘In the Cloud Firewalling’ before the cloud term got ripped away from the Internet carriers) to inject the same firewall policy between the users and the Internet and in between the cloud-based services we consume that used to be inside the data center.

I look forward to trying GlobalProtect.


21. June 2010 · Comments Off on HTTPS Everywhere – Will it increase risk? · Categories: Malware, Palo Alto Networks, Security-Compliance

The Electronic Frontier Foundation (EFF), in conjunction with The Tor Project, has announced a new Firefox plug-in called HTTPS Everywhere, which will automatically provide encrypted SSL sessions to major web sites that support HTTPS. Obviously, this is an effort to improve browsing privacy, but is it also increasing risks to those users? The answer could be yes.

If you are a road-warrior and use HTTPS Everywhere from your hotel room, I would agree that you are reducing the likelihood of a third party sniffing your traffic. However, HTTPS will increase risk for corporations whose firewalls or intrusion prevention systems do not have the ability to decrypt SSL. For example, one of the default sites encrypted by HTTPS Everywhere is Facebook. If you have policies that allow certain employees to use certain features of Facebook for marketing/sales purposes, you surely want to monitor that traffic for threats. Given the amount of malware on Facebook, an employee could inadvertently go to a page that downloads a trojan onto the employee’s workstation. If your firewall or IPS cannot decrypt SSL then it will not be able to detect the malware.

21. June 2010 · Comments Off on World Cup Soccer – work day timewaster? · Categories: Malware, Palo Alto Networks, Security-Compliance

The excitement of World Cup Soccer is increasing. Do you know how many people in our organization are watching matches during the work day? How much Internet bandwidth is being consumed? What about the active malware campaigns leveraging the tournament?

Palo Alto Networks has a blog post detailing its World Cup Soccer video controls and protection capabilities called Prepare for Soccer Hooliganism 2.0.

08. June 2010 · Comments Off on Facebook – Read-Only · Categories: Palo Alto Networks, Security Management, Security-Compliance

What kind of access to Facebook do you give your employees? What about those in Marketing who want to use Facebook to monitor a competitor’s social marketing efforts? Or just gather competitive intelligence? Completely blocking Facebook for everyone in the organization may not make sense anymore because there are legitimate business uses for Facebook.

Palo Alto Networks has been a leader in enabling fine-grained policy control of web-based applications. Today, they extended their Facebook policy capabilities by creating a “Read-Only” option. I have no doubt that this was a customer driven enhancement to their already robust Facebook policy capabilities.

This is a great example of enabling business value while minimizing risk.

04. June 2010 · Comments Off on SANS Twenty Critical Controls · Categories: Palo Alto Networks, Security Management, Security-Compliance

An important part of Cymbel’s approach to IT Security and Compliance leverages the SANS Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines (20CC). We have embraced 20CC for the following reasons:

  • Comprehensiveness – All the major critical IT Security functions are covered.
  • Credentials – The document was generated by a strong group of experienced security professionals from government and industry.
  • Concreteness – The document provides very specific recommendations.
  • Automation – Fifteen of the twenty controls are readily automated.
  • Metrics – One or more simple, specific, measurable tests are provided to assess the effectiveness of each recommended control.
  • Phases – Each of the twenty controls have sub-controls which can be implemented in phases. In fact, each control describes at least one “Quick Win.” This lessens the potentially overwhelming nature of other security models.
  • Brevity – The current version of the document is only 58 pages as compared to other approaches which are spread over multiple books.
  • Price – The document is free.

If there is any weakness to the 20CC, it’s the consensus nature of it. However, in our opinion this weakness is only reflected in its understandable unwillingness to recommend a solution that would inure to the benefit of a single manufacturer. This is particularly reflected in the “Boundary Defense” control which recommends stateful inspection firewalls and separate Intrusion Prevention Systems.

For boundary defense, Cymbel recommends the only next-generation firewall on the market – Palo Alto Networks. That’s not just us saying it. Gartner said it in its 2010 Enterprise Firewall Magic Quadrant.

I would love to hear your opinions on the SANS Twenty Critical Security Controls.