23. July 2011 · Comments Off on Lightweight Portable Security LPS-A Linux distro from the US Department of Defense | Unixmen · Categories: blog · Tags: , ,

Lightweight Portable Security LPS-A Linux distro from the US Department of Defense | Unixmen.

Lightweight Portable Security (LPS), created by USA’s Department of Defence, is a small Linux live CD focusing on privacy and security, for  this reason, it boots from a CD and executes from RAM, providing a web browser, a file manager and some interesing tools. LPS-Public turns an untrusted system into a trusted network client.

The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so no trace of work activity can be written to the local computer.

If you’ve been doing online banking on the same computer which you use for general browsing and social networking, you need to switch your banking activities to this.

During the last several years we have observed dramatic changes in the identity of attackers, their goals, and methods. Today’s most dangerous attackers are cyber criminals and nation-states who are stealing money and intellectual property. Their primary attack vector is no longer the traditional “outside-in” method of directly penetrating the enterprise at the network level through open ports and exploiting operating system vulnerabilities.

The new dominant attack vector is at the application level. It starts with baiting the end-user via phishing or some other social engineering technique to click on a link which takes the unsuspecting user to a malware-laden web page. The malware is downloaded to the user’s personal device, steals the person’s credentials, establishes a back-channel out to a controlling server, and, using the person’s credentials, steals money from corporate bank accounts, credit card information, and/or intellectual property. We call this the “Inside-Out” attack vector.

Here are my recommendations for mitigating these modern malware risks:

  • Reduce the enterprise’s attack surface by limiting the web-based applications to only those that are necessary to the enterprise and controlling who has access to those applications. This requires an application-based Positive Control Model at the firewall.
  • Deploy heuristic analysis coupled with sandbox technology to block the user from downloading malware.
  • Leverage web site reputation services and blacklists.
  • Deploy effective Intrusion Prevention functionality which is rapidly updated with new signatures.
  • Segment the enterprise’s internal network to:
    • Control users’ access to internal applications and data
    • Deny unknown applications
    • Limit the damage when a user or system is compromised
  • Provide remote and mobile users with the same control and protection as itemized above
  • Monitor the network security devices’ logs in real-time on a 24x7x365 basis

Full disclosure: For the last four years my company Cymbel has partnered with Palo Alto Networks to provide much of this functionality. For the real-time 24x7x365 log monitoring, we partner with Solutionary.

22. April 2011 · Comments Off on Extended Validation SSL Certificates still has tiny marketshare · Categories: blog · Tags:

First let me amend a comment I made in my last post, How is SSL hopelessly broken. I said that browsers need to alert users about which type of SSL Certificate a web site is using. Actually browsers do alert you to when an Extended Validated (EV) Certificate is being used by turning all or a portion of the displayed URL green. Here are Paypal examples using Firefox and Internet Explorer (via Netcraft):

However the rest of my recommendation stands because the browsers do not provide any positive indicator of Organization or Domain Validated Certificates.I  recommend Yellow for DV and OV certs indicating caution.

Second, Netcraft just published a survey showing that EV Certs represent only 2.3% of all sites tested. Of the 1,000 highest traffic sites, 81 accepted HTTPS and “nearly a third of these certificates used Extended Validation.”

The good news is that the use of EV certs is growing:

 

12. April 2011 · Comments Off on How is SSL hopelessly broken? Let us count the ways • The Register · Categories: blog · Tags: , ,

How is SSL hopelessly broken? Let us count the ways • The Register.

Excellent article discussing the flaws in SSL – mostly problems with Certificate Authorities.The Comments are also worth reading.

However, the deeper problem is that most end users don’t understand the three types of certificates – Domain Validated, Organization Validated, and Extended Validated.

Browsers need to alert consumers to the three types and indicate the low level of trustworthiness of DV certs, Consumers would begin to shy away from sites using DV certs. This would push web sites to use OV and EV certs. Without this, web sites are going to continue to use DV certs.

While this won’t solve all of the SSL problems Dan Goodin identified, I think it would be a big improvement.

03. April 2011 · Comments Off on Massive Breach at Epsilon Compromises Customer Lists of Major Brands | SecurityWeek.Com · Categories: blog · Tags: , , , ,

Massive Breach at Epsilon Compromises Customer Lists of Major Brands | SecurityWeek.Com.

Epsilon’s breach is the latest in a string of breaches at Email Service Providers. The ESPs respond by saying it’s only email addresses. However, RSA’s latest update on its SecureID breach said it was started with a spear phishing attack.

 

19. March 2011 · Comments Off on The Five Competitive Forces That Shape Strategy · Categories: blog · Tags:

In 1980, Michael Porter published, Competitive Strategy explicating the five competitive forces that shape corporate strategy. This book is still must reading, although it is not universally accepted as the definitive book on corporate strategy.

Here is a January 2008 HBR article by Michael Porter showing that Porter is as strong a believer in his approach today as he was 30 years ago.

19. March 2011 · Comments Off on The Four Personas of the Next-Generation CIO · Categories: blog · Tags:

Ray Wang’s guest blog at Harvard Business Review cites The Four Personas of the Next-Generation CIO:

  1. Chief “Infrastructure” Officer
  2. Chief “Integration” Officer
  3. Chief “Intelligence” Officer
  4. Chief “Innovation” Officer

is it possible to do all four? Would it make sense for the CIO to assign a “deputy” CIO for each of these four functions?

19. March 2011 · Comments Off on IT in the Age of the Empowered Employee · Categories: blog · Tags: , ,

I recently came across this blog post from Harvard Business Review, IT in the Age of the Empowered Employee. The author, Ted Schadler, who recently co-authored a book entitled, Empowered, seems to have coined the term, “highly empowered and resourceful operatives (HEROes).” These people represent 20% of the employees in an organization who aggressively seek out information technology solutions on their own without the IT department’s support.

Schadler recommends managers and IT support HEROes’ efforts:

What caught my eye of course is, “Provide tools to manage risk.” Yes, enable the use of Web 2.0 applications and social networking by mitigating the risks they create. Next Generation Firewalls come to mind.

19. March 2011 · Comments Off on SIEM resourcing – in-house or outsource? · Categories: blog · Tags: ,

Anton Chuvakin wrote an article on the costs associated with Security Information & Event Management SIEM and log management which will help you decide whether you should do SIEM in-house or outsource to a Managed Security Services Provider. Anton breaks the costs down into the following categories:

  • Hard costs
    • Initial costs
    • Ongoing operating costs
    • Periodic or occasional costs
  • Soft costs
    • Initial costs
    • Ongoing operating costs
    • Periodic or occasional costs

BTW, in my experience, I have seen the total cost of a SIEM project (hard + soft) range from 10% of SIEM license costs (for shelfware SIEM “deployments”) to a mind-boggling 20x of license cost.

19. March 2011 · Comments Off on SSL Traffic Monitoring is a must-have security control · Categories: blog · Tags:

More and more web traffic is being encrypted, which is blinding organizations to potential threats. The Goldman Sachs programmer who was sentenced to 8 years in prison used SSL to encrypt his file transfers.

If your firewall cannot decrypt SSL, you must upgrade. It’s as simple as that.