Blog posts tagged with 'security'


20 Jun 2008 05:16 PM EDT

I read several articles about research on the behavior of IT professionals recently.  The research was sponsored by security vendor Cyber-Ark.  Amazing stuff!  A third of all IT professionals surveyed could still access the company's network after they left the job.  A third admit to snooping and peeking at  information like people's personal emails, salary info and other juicy tidbits.  Most shocking: 50% of all IT professionals still keep passwords on Post-It notes.  These are administrative passwords!!  The really omnipotent accounts!!

The press release from Cyber-Ark has more details.  The survey was of 200 IT professionals at April 2008's Infosecurity Exhibition Europe, and it was entitled "Trust, Security and Passwords". 

Interestingly, these folks admitted these things in an anonymous survey, but aside from that they might never be detected in their snooping - admin passwords generally give privileged and anonymous access to systems.

One point: there's a difference between snooping and corporate-policy-based monitoring of company IT assets.  The survey was pointing out the fact that IT administrators can inappropriately access information and they count on not being caught.

13 Jun 2008 03:18 PM EDT

In case you missed it, there is a really interesting story circulating on the Net, best told by Jim Louderback, the CEO of Revision3 and victim of a DDOS attack over Memorial Day weekend (his blog and CNET interview). If you're a fan of Revision3 you already know that they got taken off-line for 3 days; if you're not, you may want to check out their site. They represent perhaps the best example of new media and the future of TV, including HD video, channels, live and on-demand, etc., all delivered via the web. In order to achieve high-quality video, Revision3 legitimately uses BitTorrent technology to distribute content to users. The problem came about when a "legitimate" media tracking company identified a Revision3 server as a potential source of "questionable" BitTorrent traffic. Once Revision3 was made aware of this situation (by a forum poster) they appropriately locked down the server; what happened next was the strange part...

As reported by Revision3, the media tracking company (presumably automatically) launched a DDOS attack on Revision3's site, flooding it with as many as 8,000 packets per second and taking down the site by exceeding the capacity of its limited web servers. Complicating the matter were the long weekend and unreachable staff at the offending company. Once they were finally able to make contact, the company stopped the attack and both sides started to unravel what had happened.

The NetScaler system may not be positioned as protection from "good" guys (vs. typical bad guys), but this situation exemplifies why it is worth consideration as part of a comprehensive protection plan. That is why web-based media companies like Google, MSN, CNET, Digg, and many others rely on NetScalers to protect their infrastructure. Among other features, NetScaler protects sites from SYN flood DDOS attacks by handling all connection requests itself and only forwarding legitimate, ticketed traffic to the web server; all other SYN flood requests are dropped before ever reaching the company's web servers.
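The "ticketing" idea above is the classic SYN-cookie technique. The example below is added here to show the mechanics and is not NetScaler's code: a stateless front end mints a keyed cookie as the SYN-ACK sequence number and forwards only clients that prove they received it. The secret, slot size, addresses and packets are all constructed.

```python
"""SYN-cookie style ticketing of TCP handshakes. The front end answers every
SYN with a SYN-ACK whose initial sequence number is a keyed hash of the
connection 4-tuple and a coarse time slot, keeping no per-connection state.
Only a client that completes the handshake (ACK = cookie + 1) is forwarded to
the origin server; spoofed SYNs that never ACK cost nothing but one reply.
Constructed for this post: the secret, slot size, addresses and packets are
all made up, and this is the generic technique, not NetScaler's code."""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret-rotate-in-production"
SLOT_SECONDS = 64      # a cookie is tied to the slot it was minted in
MAX_SLOT_AGE = 1       # accept the current slot and the one before it


def _slot(now: float) -> int:
    return int(now) // SLOT_SECONDS


def _cookie_for_slot(src_ip, src_port, dst_ip, dst_port, slot: int) -> int:
    msg = struct.pack("!HHQ", src_port, dst_port, slot)
    msg += src_ip.encode() + b"|" + dst_ip.encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    # 5 high bits carry slot mod 32 so the verifier can recover the slot;
    # the remaining 27 bits are truncated MAC. Fits a 32-bit sequence number.
    mac27 = int.from_bytes(mac[:4], "big") & 0x07FFFFFF
    return ((slot & 0x1F) << 27) | mac27


def make_cookie(src_ip, src_port, dst_ip, dst_port, now: float) -> int:
    """ISN to send in the SYN-ACK. Nothing is stored."""
    return _cookie_for_slot(src_ip, src_port, dst_ip, dst_port, _slot(now))


def check_ack(src_ip, src_port, dst_ip, dst_port, ack: int, now: float) -> bool:
    """True only if ack-1 is a cookie we would have minted for this 4-tuple
    in the current or previous slot. Forged or stale ACKs fail."""
    cookie = (ack - 1) & 0xFFFFFFFF
    cur = _slot(now)
    for age in range(MAX_SLOT_AGE + 1):
        slot = cur - age
        if (slot & 0x1F) != cookie >> 27:
            continue
        expected = _cookie_for_slot(src_ip, src_port, dst_ip, dst_port, slot)
        if hmac.compare_digest(expected.to_bytes(4, "big"),
                               cookie.to_bytes(4, "big")):
            return True
    return False


def handle_packet(pkt: dict, now: float, forwarded: list):
    """Stateless front end: reply to SYNs with a cookie, forward only ACKs
    that prove the client saw that cookie."""
    tup = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
    if pkt["flags"] == "SYN":
        return make_cookie(*tup, now)
    if pkt["flags"] == "ACK" and check_ack(*tup, pkt["ack"], now):
        forwarded.append(tup)
    return None


def run_demo(now: float = 1_700_000_000.0) -> list:
    """Constructed traffic mix; returns the 4-tuples that reached the origin."""
    forwarded = []
    origin = {"dst_ip": "10.0.0.5", "dst_port": 80}
    # 1. A flood of spoofed SYNs that never complete the handshake.
    for i in range(10_000):
        handle_packet({"src_ip": f"198.51.100.{i % 254 + 1}", "src_port": 1024 + i,
                       "flags": "SYN", **origin}, now, forwarded)
    # 2. A real browser: SYN, then ACK carrying cookie + 1.
    client = {"src_ip": "203.0.113.7", "src_port": 51000, **origin}
    isn = handle_packet({**client, "flags": "SYN"}, now, forwarded)
    good_ack = (isn + 1) & 0xFFFFFFFF
    handle_packet({**client, "flags": "ACK", "ack": good_ack}, now + 0.2, forwarded)
    # 3. A guessed ACK number, then a replay of the good ACK three slots later.
    handle_packet({**client, "flags": "ACK", "ack": 0x12345678}, now, forwarded)
    handle_packet({**client, "flags": "ACK", "ack": good_ack},
                  now + 3 * SLOT_SECONDS, forwarded)
    return forwarded
```

Only the one real client reaches the origin; the 10,000 half-open SYNs leave no state behind, which is the whole point of the ticket.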

So for the next review of your security infrastructure, keep in mind who the "good" or bad guys are, and whether you are protected either way.

29 May 2008 07:21 PM EDT

Many news reports have recently identified the increased threat to web sites and applications from SQL injection, the most recent example being the Nihaorr1 script, which resulted in over 600,000 sites being infected, even including the Department of Homeland Security and the UN. Although initially identified as a Windows IIS server vulnerability, the root cause of the recent exposure goes beyond IIS and has identified lax web application coding as the culprit. In a Register interview, the DHS assistant secretary for Cybersecurity is quoted as saying "our networks are only as strong as the weakest link", which makes sense but also identifies how vulnerable web applications are. If a company is relying on the variability of programmer security knowledge and limited QA testing to protect their web app from yet-to-be-defined threats, it's no wonder that so many sites are exposed and hacked.

Perhaps one of the ways to better protect an organization from the next undefined attack is to look at minimizing the impact of variability. A common best practice in the manufacturing industry is to evaluate every process and implement techniques and tools to reduce variability, so as not to be overly dependent on a final test or inspection, which always has some level of escapes. This is the core of the Six Sigma technique that many world-class manufacturers utilize to improve product quality.

As applied to IT protecting web applications, a tool that can be implemented to reduce the impact of programmer variability is a web application firewall, such as the positive security model feature of the NetScaler Application Firewall. This feature recognizes best coding practices for HTML and industry HTTP standards and automatically blocks web application behavior and variations outside a known-good model. The result is a significant reduction in the risk created by variable programmer skills and expensive but incomplete QA testing. In the specific example of the Nihaorr1 attack, a recent test validated that the NetScaler Application Firewall was indeed able to block the Nihaorr1 script using the default configuration. Additionally, the learning features of the Application Firewall can be used for more granular configuration and protection as well.
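To make the "programmer variability" point concrete, here is an added example (not from the post or from Citrix) showing the coding defect behind SQL injection next to its parameterised fix, with a simple allow-list gate in front of both standing in for the positive security model described above. The table, rows and inputs are constructed and the injected value is the textbook tautology, not the Nihaorr1 payload.

```python
"""Vulnerable string-built query beside its parameterised replacement, plus a
positive-model (allow-list) input gate of the kind a web application firewall
applies in front of application code of varying quality. Added example for
this post: the schema, rows and inputs are constructed."""
import re
import sqlite3

# Known-good shape for a username parameter: letters, digits, . _ - only.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenates untrusted input into SQL: the defect behind SQL injection.
    An input that closes the quote rewrites the WHERE clause and returns
    rows the caller never intended to expose."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same query with a bound parameter: the driver treats the value as
    data, so it can never alter the statement's structure."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def positive_model_gate(name: str) -> bool:
    """Allow-list check: reject any request whose parameter falls outside
    the known-good shape, regardless of how the code behind it was written."""
    return USERNAME_ALLOWED.fullmatch(name) is not None


def compare(name: str) -> dict:
    """Run one input through the gate and both lookups for side-by-side view."""
    conn = build_db()
    return {
        "passes_gate": positive_model_gate(name),
        "vulnerable_rows": len(lookup_vulnerable(conn, name)),
        "safe_rows": len(lookup_safe(conn, name)),
    }
```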

So before the next threat to your web applications is discovered, it may be worth investigating further the human influence of variability in IT operations and considering steps to mitigate the risks.

 

19 May 2008 05:32 PM EDT

Should government employees be allowed to use personal systems? Many government CIOs/CISOs are reluctant and prohibit employees from using non-government furnished equipment. This is problematic for many reasons including:

  • Organizations have an increasingly mobile workforce that needs to be able to work from anywhere. On the government side, it may be the census taker, the CDC scientist in a 3rd world country, a DEA agent in the field or our soldiers in the Middle East. All of these roles need access to the applications and information critical to their mission (and sometimes, even their lives).
  • The government has had a strong telework mandate for years now, but the scope of outfitting every employee with government-furnished equipment (GFE) at home is cost prohibitive. And requiring a GFE doesn't fit how today's workforce operates nor does it address the need for emergency ad-hoc access.
  • Many agencies' continuity of operations plans aren't practical as they require a "check-out of GFE resources". Two years ago, during the Potomac River floods, many of our agencies were under water and unable to supply GFE to their workforce...same was true during Hurricane Katrina.
  • A younger workforce, or "Echo Boom" generation, doesn't want to use GFE, they want to use their personal systems! The ability to utilize a platform of choice is increasingly a recruiting/retention issue - especially with mobile devices. The US Government is expected to lose 70 percent of its existing workforce by 2011 and needs to address all of the factors that lead to attrition. This is one of the largest issues in government. (See my recent blog posting)

Aside from the mounting pressure for unfettered access, security concerns for government systems often greatly exceed those of civilian systems.  How do you hand someone a laptop with a large hard disk, give them access to a wealth of information, allow that information to be distributed and maintain needed security controls? Even with encrypted hard drives, the control of physically distributed data continues to lead to data loss and distribution worries. The root problem transcends the GFE vs. personal debate.

The reaction we're seeing from the government in disallowing the use of personal systems and tightly controlling GFEs is indicative of a bigger problem:  the client/server computing model implies the deployment of a "trusted client".  Increasingly, the inability to provide and maintain a trusted client at all times has resulted in data loss and compromise.  It's because the "trusted client" model does not allow for the security controls that are necessary and essential for a distributed workforce.

To accommodate security for today's distributed workforce, consider a model where defined applications and services are delivered - not deployed. By adopting the delivery model, stringent controls can be applied to applications and desktops that remain under the protection of the datacenter, with only keystrokes, mouse clicks, and screen refreshes traversing the network. In this delivery model, authentication, logging, and the ability to copy, paste and print can all be controlled on an application-by-application and user-by-user basis. Combined with the abstraction and isolation of virtualization, resources and systems are separated from each other with a security boundary that allows sensitive data to be accessed from personal systems without ever residing on them.

Embracing delivery and virtualization allows the government (and other organizations) to provide users the freedom of a "platform of choice" and the organization to maintain the required security controls. Don't make a federal case out of the laptop debate - deliver a solution that truly addresses the underlying needs.

[by Kristin Taylor and Kurt Roemer]

16 May 2008 10:10 AM EDT

Everybody has heard the stories and wants to believe - but there's no such thing as "PCI Compliant" products*.

People are constantly asking the question: Is "Product X" PCI compliant? The short answer is: No.

The long answer requires some careful explanation.

PCI sets forth 12 major requirements for an organization to meet, with the result of meeting these requirements culminating in an attestation of compliance. The PCI auditor verifies that the intent of PCI has been met, and compliance is granted. (OK, I know I just oversimplified a very complex set of processes - but the result is the same: the organization is deemed compliant or not)

But, what about the products that are used to support organizational PCI compliance? Network firewalls, antivirus, IDS/IPS, and application firewalls are listed in the PCI specification as core products whose functionality is required to obtain PCI compliance. Don't these products have to be certified as compliant? No, there is no provision for product compliance in the PCI DSS v1.1 specification.

So, given that PCI doesn't directly certify products, what should an organization do to provide audit assurance that products can be used for the intended PCI purpose?

  1. Verify vendor claims - just because a salesperson says it, it doesn't make the statement true.
  2. Rely on trusted third-parties - organizations like ICSA Labs, NSS Labs, WASC and OWASP have detailed product capability matrixes, testing and certification criteria, and comparative data.
  3. Discuss concerns with your auditors - because PCI auditors make the final decision on compliance, they should be involved in key decisions leading up to the certification event.

There have been some wild claims with PCI - including the notion of "PCI certified products." When faced with conflicting information, work with trusted vendors and partners, press your auditor or PCI QSA for the documented facts, and escalate ambiguity as necessary through to the PCI Security Standards Council.

With factual information and proper actions, we can all help PCI reach its lofty goal: Increase trust in credit card usage by holding merchants to a high standard - the PCI DSS.

PCI Backgrounder

PCI DSS, the Payment Card Industry Data Security Standard (or simply PCI) specifies compliance standards for credit card usage. If your organization stores, processes, or transmits credit card data, PCI applies to you. The PCI Security Standards Council maintains and publishes the standard at www.pcisecuritystandards.org.

*Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at https://www.pcisecuritystandards.org/pin/pedapprovallist.html. The PEDs are the only products to have PCI SSC approval.

15 May 2008 07:49 PM EDT

Looking back at the 2008 US RSA Security Conference, there was a tremendous amount of interaction, but not a readily apparent amount of innovation.

I spent the bulk of my time in meetings with customers, partners, press, and analysts. All seemed to echo the same sentiment - there's not any single "wow factor" at this year's RSA. But, that's not to say that there weren't hot topics, the two most obvious being DLP and Virtualization Security.

DLP

DLP, or Data Loss Prevention (also sometimes known as Data Leakage Prevention) is the capability to keep sensitive data from inadvertently leaving the organization. The concept and message around DLP is rather simple, but the architecture and management of DLP is where the difficulty comes into play.

When you consider all the sensitive data in most organizations, where it exists, and how it's used, you get a feel for just how big of a problem DLP needs to address. In most organizations, data isn't even regularly classified and labeled as public or non-public information. And, data has been over-distributed onto any media that can hold it (e.g. laptops, USB keys, iPods), often without any control. DLP technologies purport to get a handle around this problem and manage the access to and distribution of sensitive data.

On the surface, DLP seems like it's facing a really tough problem. And it is - if you're just trying to add controls to the existing model of data access and over-distribution. Looking at the problem with virtualization in your toolbox, though, can change our basic assumptions and bring us closer to the elusive goal of DLP.

Combining application virtualization and DLP allows authorized users to access a view of sensitive data, while providing additional context-sensitive controls around access to the data. As an example, a user in the office might be given the ability to use an application housing sensitive data on their corporate-managed device only after submitting strong credentials and passing necessary security checks. Policy would prohibit them from using the application in ways that violate policy, such as printing sensitive info. Because the DLP software is integrated with the application virtualization environment in the data center, the DLP software has full control over usage of the sensitive data, and the data never leaves the datacenter. DLP can be much more effective when managed from the datacenter and the management of sensitive data on endpoints is eliminated from the equation. The same concept holds true for both application virtualization and desktop virtualization.

Virtualization Security

As the above DLP example shows, virtualization is stimulating innovative thoughts and challenging the status quo. There were many questions posed at RSA about upcoming client and desktop virtualization opportunities, in addition to current server virtualization security challenges.

On the server front, most of the discussions were around how network-level security objectives can be achieved in a virtual server environment. Organizations that have implemented server virtualization have watched as the proliferation of these environments has reduced security visibility for legacy network controls. The network folks want to know how to "see" into the virtual server environment, and how to control VM-to-VM communications. This is being accomplished for the most part through "security virtual appliances" or "security virtual machines" that duplicate physical network controls in the virtual realm. There appeared to be many vendors touting capabilities for scanning, IDS/IPS, and virtual firewalls with techniques borrowed from the physical realm.

The real breakthroughs appear to be just in front of us and will involve how we utilize virtual applications and desktops. The capability to virtualize and abstract, for security isolation as well as usability, appears to be driving real change. These changes promise to allow user functionality to follow users anywhere, without cumbersome user configuration and management. And, with security policies built in, maintained and verified, we should see the trust models change for the better. Microsoft introduced some very interesting concepts and considerations around End-to-End Trust at the beginning of the show that extend well into virtualized client capabilities.

As the security industry matures, we'll probably witness less of a "wow" factor with each conference. But we'll all sleep a little better knowing we're getting closer to the goals of true security.

23 Apr 2008 09:15 PM EDT

Autonomic security, AKA self-healing, self-defending, situation-aware security, or feedback-based security management, has long been a dream in distributed IT computing.  It could be that this dream was not realized because it is simply too hard to do in distributed computing.

Enter virtualized computing, with centralization and much greater control over the [wily, careless, security-ignorant, only-cares-about-productivity] user.  Now does that change the complexion of the problem?

The enemy is the usual: malware, such as worms, viruses and trojans, plus future attacks we don't even know about now.   Malware designers unfortunately have the upper hand, with ever stealthier approaches to evil.  Most security countermeasures are simply responses to known threats.  Thus the bad guys are controlling the game.

With virtualized computing, IT asserts more control.   Might it not be possible to realize autonomic security more effectively?  One of the problems distributed computing has is relentless complexity and lack of control.  With distributed computing, the end user is in the driver's seat!  Maybe if all end users were very diligent about security this would be fine.  This is sadly not the case.

Autonomic security affords the luxury of not relying on a human to notice things are stealthily going amok.  It is possible to monitor what is going on in the network, applications, OS's, processors, and so on.  With a virtualized environment, does this not become easier?

To be clear, it is possible autonomic computing actually creates additional security challenges, doing things automatically like changing system configurations, interconnections and so on, creating interesting entrees for malware designers.

I'd very much enjoy a dialog on the following thought: in a centrally controlled virtualized environment, is security innovation possible?  Given that we can get better information about what is going on, for example anomalous behavior such as a processor being hit abnormally, or other anomalies such as buffer overflows or abnormal accesses or sensitive data being touched in any way, could we not modify the enterprise security policy on the fly?  Could we have software to look at the collective of information now at our fingertips and change security policy appropriately?

The model I have in mind is human behavior.  If you are walking down the street and it's daytime, and it's a cheerful sunny day, and nothing suspicious is going on, we behave in a way to maximize productivity and pleasure.  In contrast, if you're walking down the street and it's dark and late, and there are strange-looking people about, and they are looking at you with too much interest, your security posture changes and security becomes more important than productivity and pleasure (until you get out of the situation).

So could we not use that model and have an adaptive security policy that intelligently changes, based on the information available?  Not attacks per se, as there is software that does that already.  What if we could look at the health of the network and applications and decide that the situation is not normal and a more restrictive security policy is now required?  Productivity and pleasure take a back seat when it's "code red".
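As an added sketch of what such software could look like (my construction for this post, not a Citrix product or feature), the engine below scores anomaly signals with a decaying memory and escalates posture quickly while relaxing slowly, so that a quiet minute after "code red" does not reopen the doors. The signal names, weights, thresholds and per-posture controls are all made up for the illustration.

```python
"""The post's 'dark street' model as a feedback loop. Telemetry signals add
to a risk score that decays with a half-life; the posture steps up as soon
as the score crosses a raise threshold, but steps down only once the score
has fallen below a lower relax threshold (hysteresis), so a brief lull does
not reopen the doors. Added example for this post; the signal names,
weights, thresholds and per-posture controls are constructed."""
from dataclasses import dataclass, field

SIGNAL_WEIGHTS = {            # how much each class of anomaly adds
    "cpu_anomaly": 1.0,       # a processor being hit abnormally
    "abnormal_access": 2.0,
    "sensitive_data_touched": 3.0,
    "buffer_overflow_alert": 4.0,
}
HALF_LIFE_SECONDS = 300.0     # evidence loses half its weight every 5 min
# (posture name, raise when score >= this, relax when score < this)
POSTURES = [("normal", 0.0, 0.0), ("elevated", 4.0, 2.0), ("code_red", 9.0, 5.0)]
CONTROLS = {                  # what "productivity takes a back seat" means
    "normal":   {"mfa": False, "copy_paste": True,  "printing": True},
    "elevated": {"mfa": True,  "copy_paste": True,  "printing": False},
    "code_red": {"mfa": True,  "copy_paste": False, "printing": False},
}


@dataclass
class PostureEngine:
    score: float = 0.0
    last_t: float = 0.0
    level: int = 0                                  # index into POSTURES
    history: list = field(default_factory=list)     # (t, score, posture)

    def _decay(self, t: float) -> None:
        dt = max(0.0, t - self.last_t)
        self.score *= 0.5 ** (dt / HALF_LIFE_SECONDS)
        self.last_t = t

    def _update(self) -> str:
        # Escalate one step at a time while the next raise threshold is met.
        while (self.level + 1 < len(POSTURES)
               and self.score >= POSTURES[self.level + 1][1]):
            self.level += 1
        # Relax only when below the current level's (lower) relax threshold.
        while self.level > 0 and self.score < POSTURES[self.level][2]:
            self.level -= 1
        name = POSTURES[self.level][0]
        self.history.append((self.last_t, round(self.score, 3), name))
        return name

    def observe(self, t: float, signal: str, count: int = 1) -> str:
        """Feed one telemetry event at time t; returns the posture now in force."""
        self._decay(t)
        self.score += SIGNAL_WEIGHTS.get(signal, 0.5) * count
        return self._update()

    def tick(self, t: float) -> str:
        """Time passes with no new evidence; lets the posture relax."""
        self._decay(t)
        return self._update()

    def controls(self) -> dict:
        return CONTROLS[POSTURES[self.level][0]]


def run_scenario() -> list:
    """Constructed timeline: a quiet morning, a burst of anomalies, then quiet."""
    eng = PostureEngine()
    return [
        eng.observe(0, "cpu_anomaly"),              # score 1.0  -> normal
        eng.observe(10, "abnormal_access"),         # ~2.98      -> normal
        eng.observe(20, "sensitive_data_touched"),  # ~5.91      -> elevated
        eng.observe(25, "buffer_overflow_alert"),   # ~9.84      -> code_red
        eng.tick(325),                              # ~4.92 < 5  -> elevated
        eng.tick(625),                              # ~2.46: below raise (4) but
                                                    # not below relax (2) -> elevated
        eng.tick(925),                              # ~1.23 < 2  -> normal
    ]
```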

I'd like to hear from folks with thoughts in this area!

18 Apr 2008 05:18 PM EDT
posted by Kate Brew

Several striking aspects:

  • All presentations about security in a virtualized environment were mobbed.  People were pretty angry when turned away at the doors of the presentation rooms, but fire marshal regulations prevented people from standing at the back.  It appears this is the "next interesting thing" in security, and there is great curiosity.  On the reality side, there were very few products / technology for sale to address the potential issues.  I believe there are a great many startup companies currently in stealth mode in this area.
  • The days of radical and revolutionary change in security from the late '90's and early '00's are way over.   The big vendors seem to be just pulling together "fix it all" suites as best they can through acquisitions.
  • Michael Chertoff's presentation was a tad scary: he mentioned that government agency computers are all interconnected, and that security is not consistent across all agencies (some have 24/7 monitoring for security and some don't).  This is bad for the obvious reason - just like in the movies, the bad guys can find an innocuous-looking, under-protected entrance and get to the agencies of interest.  The other scary part was that Mr. Chertoff seemed to think 24/7 monitoring was the main thing.  I'd tend to focus on preventative measures, vulnerability assessment, intrusion detection, user training, Identity and Access Management, strong authentication and other areas as well, but they were not mentioned.
  • Bruce Schneier's presentation on security rationalization was provocative.  He focused on the separation between reality, feelings and models by "experts" when it comes to assessing security risks.  One example was the Tylenol scare, and it was successfully addressed from a commercial standpoint by adding hermetic seals to bottles.  It made people feel better.  The reality is that a syringe could inject poison pretty easily, but people feel better.  He also introduced the notion of "security theatrics", where the media and security vendors exaggerate risks and cause people to feel bad when the reality just doesn't match.  Interesting concept.

RSA Conference is growing: attendance was estimated at 17,000

21 Mar 2008 05:22 PM EDT
posted in XenApp by Kate Brew

This is a little-known fact that may be very interesting for customers who want SSO, but realize Password Manager does not natively support their language.  We have an SDK available for partners to do their own translations of the CPM UI.  It is available for free, and has already been requested by partners in Russia, Czechoslovakia, Sweden, Italy and Poland.

This SDK can be used with standalone CPM and XenApp Platinum (Single Sign-on powered by Password Manager.)  Both offerings are the same code base.

Our terms are intentionally simple: the local Citrix rep approves the partner to me, partner signs a EULA, I give the partner access to the SDK via FTP, and the partner owns the resultant work effort (of course CPM licenses are still required for the customers purchasing translated versions from the partner.)

The caveats are that the business partner is responsible for keeping up with changes as new releases are provided from Citrix, and the local Citrix account team vouches for the integrity of the partner.  We need to be sure the UI delivered is of quality, hence the local team involvement.

If you're interested, please have your Citrix rep contact kate.brew@citrix.com

I would also appreciate comments on this approach - yea or nay!

18 Mar 2008 06:01 PM EDT

Most people don't realize the value of the answers to their personal security questions (Citrix Password Manager calls this Question Based Authentication.)  As it turns out, those answers are more valuable than passwords.  If someone learns enough answers to your personal security questions, they very often can reset your password and have access to your accounts.  Yes, that includes your online bank account and it's a very real problem.  In fact, I have a friend so paranoid about this that he swears his favorite color is "three."

Some of the issues around personal security questions are kind of interesting.  For example, I've dealt with customers where personal privacy of employees is a big consideration in selecting the questions.  Let's call that one "sensitivity".  Another issue is what I'll call "changeability" - your favorite movie may change from month to month.  Then another issue is what I'll call "detectability" - my place of birth is public record, if somebody happens to know where I was born and what my maiden name was.  Both of those are completely unguessable in my case so I am probably safe on that problem.

Then there is always my favorite, "guessability" - there are only so many colors, even if you count teal and puce.

We can't forget the punctuation marks either.  Tricky to remember whether I indicated a teacher's name as Mrs. Winters, Ms. Winters, Mrs Winters or Ms Winters when I signed up for a web account.  Have to be careful on that one.

We are finding that the more flexibility you can allow the better on these personal security questions for CPM.  Let companies write their own personal security questions that are more obscure than place of birth.  Let people choose between a number of security questions that they find unique and easy to remember.
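The "Mrs. Winters vs. Ms Winters" problem and the "only so many colors" problem both have straightforward engineering answers. The example below is added for this post and is not Citrix Password Manager's implementation: it canonicalises an answer before salting and slow-hashing it, so punctuation and honorific variants verify, and it warns at enrollment when the answer comes from a tiny candidate set. The honorific list, colour list and sample answers are constructed.

```python
"""Canonicalising answers to personal security questions before hashing, so
that 'Mrs. Winters', 'Ms Winters' and ' mrs winters ' all verify against one
stored value, while the stored value is a salted, slow hash rather than the
answer itself. Also a crude guessability check: an answer drawn from a small
candidate set (a colour) is flagged at enrollment. Added example for this
post, not Citrix Password Manager's code; the honorific list, colour list
and sample answers are constructed."""
import hashlib
import hmac
import os
import re
import unicodedata

HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "prof"}   # dropped before hashing
COMMON_SMALL_SETS = {          # question -> the handful of answers people give
    "favorite color": {"red", "blue", "green", "yellow", "black", "white",
                       "purple", "orange", "pink", "brown", "teal", "puce"},
}
PBKDF2_ROUNDS = 100_000        # slow on purpose: answers are low-entropy


def normalize_answer(answer: str) -> str:
    """Lower-case, strip accents and punctuation, drop honorifics, collapse
    whitespace. Trades a little entropy for not locking out the real user
    who cannot remember whether they typed 'Mrs.' or 'Ms'."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    text = re.sub(r"[^a-z0-9 ]+", " ", text)          # punctuation -> space
    words = [w for w in text.split() if w not in HONORIFICS]
    return " ".join(words)


def enroll(answer: str, salt=None) -> dict:
    """Store only a per-user salt and a PBKDF2 hash of the canonical answer."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Canonicalise the attempt the same way, then constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(attempt).encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def guessability_warning(question: str, answer: str) -> str:
    """Empty string if the answer looks acceptable; otherwise why it is not.
    Catches answers from a tiny candidate set and answers too short to be
    anything but guessable."""
    norm = normalize_answer(answer)
    small = COMMON_SMALL_SETS.get(question.strip().lower())
    if small and norm in small:
        return (f"'{answer}' is one of about {len(small)} common answers to "
                f"'{question}'; choose a less guessable question")
    if len(norm) < 4:
        return "answer too short after normalisation"
    return ""
```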

In fact, I'd love some comments on pet peeves and helpful suggestions on personal security questions!

