Friday, January 25, 2008
Why Block Skype?
Blocking Skype with security devices seems to be a very emotional subject for some people. I guess I can’t blame folks for being ticked off about this. From their standpoint they can make free calls and the service is always up. Very nice. But before you hang your security administrators for blocking Skype read on…..
Please make sure you understand the downside of Skype however before you quickly judge those who are skeptical. Skype has security evasion behavior built into the software, it changes ports to avoid being blocked by firewall policies and it encrypts it’s payload so conversations cannot be “grabbed”.
Now consider a security administrators job which is basically to enforce company internet security policies. Now consider that most enterprise have in place called “acceptable use”. Most “Acceptable Use” security policies state that an acceptable application must use a well defined port and an established RFC protocol, this guarantees that an enterprise can have visibility into outbound data streams which helps them to protect against data-leakage. Skype clearly doesn’t work in a way that’s acceptable for many enterprises.
Again is Skype bad – no, it’s great. Is it acceptable to run in corporate environments? Maybe, maybe not, it’s up to the enterprise to make this decision. Just keep in mind that if an enterprise chooses to block Skype, they aren’t doing it as a personal attack against anyone and it doesn’t make them bad guys, they are just doing their job. A more effective use of your energy may be to petition the folks at Skype to enable acceptable behavior into their product.
Please make sure you understand the downside of Skype however before you quickly judge those who are skeptical. Skype has security evasion behavior built into the software, it changes ports to avoid being blocked by firewall policies and it encrypts it’s payload so conversations cannot be “grabbed”.
Now consider a security administrators job which is basically to enforce company internet security policies. Now consider that most enterprise have in place called “acceptable use”. Most “Acceptable Use” security policies state that an acceptable application must use a well defined port and an established RFC protocol, this guarantees that an enterprise can have visibility into outbound data streams which helps them to protect against data-leakage. Skype clearly doesn’t work in a way that’s acceptable for many enterprises.
Again is Skype bad – no, it’s great. Is it acceptable to run in corporate environments? Maybe, maybe not, it’s up to the enterprise to make this decision. Just keep in mind that if an enterprise chooses to block Skype, they aren’t doing it as a personal attack against anyone and it doesn’t make them bad guys, they are just doing their job. A more effective use of your energy may be to petition the folks at Skype to enable acceptable behavior into their product.
Friday, March 30, 2007
TJ Maxx - Largest ID Theft Ever!!!
It happens folks, if I hear one more time that security engineers spread FUD I'm going to scream!!!!!
TJ Max reported the largest identity theft ever. If you are a customer keep a very close eye on any account or credit card that may be exploited. As an IT or security professional this is a case you may want to keep an eye on. The number of potential IDs lost in this exploit is huge.
Of course there is no report of what security was in place. Keep this event in mind when making decisions about a security architecture. If you are using point products as a single line of defense and no host intrusion prevention or network intrusion prevention, you are NOT secure!!!
THINK LAYERS-OF-DEFENSE!
http://ezinearticles.com/?Identity-Theft-Problems-for-TJ-Max-and-Marshalls-Customers&id=431633
TJ Max reported the largest identity theft ever. If you are a customer keep a very close eye on any account or credit card that may be exploited. As an IT or security professional this is a case you may want to keep an eye on. The number of potential IDs lost in this exploit is huge.
Of course there is no report of what security was in place. Keep this event in mind when making decisions about a security architecture. If you are using point products as a single line of defense and no host intrusion prevention or network intrusion prevention, you are NOT secure!!!
THINK LAYERS-OF-DEFENSE!
http://ezinearticles.com/?Identity-Theft-Problems-for-TJ-Max-and-Marshalls-Customers&id=431633
Monday, February 12, 2007
Computer Theft of Loss - Equals Game Over for Security
Ever ask you self the question, what is the MOST IMPORTANT aspect of host security?
Consider this for an answer. It has nothing to do with Software Firewall, Hardware Firewall, Network Intrusion Prevention, Anti Virus, Network Anti Virus Protection, Host Intrusion Prevention and Anomaly Detection. You can have all of this security in place, but if lose a machine or a machine get stolen, the game is over. A PC in the hands of a capable hacher is basically defenseless. If you have PC with critical data the best you can do is protect the critical data with very strong encryption, even then if the hacker is REALLY good, your chances of losing that data is high.
Losing computers happens to everyone, see article below, but that doesn't mean you should not do your absolute best to ensure that PC's are locked down or kept in secure places when not in use.
http://www.cnn.com/2007/US/02/12/fbi.laptops/index.html
Consider this for an answer. It has nothing to do with Software Firewall, Hardware Firewall, Network Intrusion Prevention, Anti Virus, Network Anti Virus Protection, Host Intrusion Prevention and Anomaly Detection. You can have all of this security in place, but if lose a machine or a machine get stolen, the game is over. A PC in the hands of a capable hacher is basically defenseless. If you have PC with critical data the best you can do is protect the critical data with very strong encryption, even then if the hacker is REALLY good, your chances of losing that data is high.
Losing computers happens to everyone, see article below, but that doesn't mean you should not do your absolute best to ensure that PC's are locked down or kept in secure places when not in use.
http://www.cnn.com/2007/US/02/12/fbi.laptops/index.html
Friday, February 9, 2007
Vista Security Dies on the Vine
I don't usually like to make a big deal out of Microsoft vulnerabilities. For Microsoft to secure all of their products is probably one of the toughest jobs in the world. When you own 90% of the operating install base on the planet, there will be thousands of people trying to exploit your applications.
I was shocked at RSA this week that I had people who I thought to be knowledgeable tout Vista as being the end-all to security vulnerabilities. When I argued, that exploits would be coming soon and frequent, I was unceremoniously scorned:) - ha ha - to those people I say "sit down so you don't faint and read the following article".
Don't get me wrong I'm not happy about this in any way. But learn the lesson, NO operating system with as many features and flexibility offered by ANY vendor are vulnerability proof.
I was shocked at RSA this week that I had people who I thought to be knowledgeable tout Vista as being the end-all to security vulnerabilities. When I argued, that exploits would be coming soon and frequent, I was unceremoniously scorned:) - ha ha - to those people I say "sit down so you don't faint and read the following article".
Don't get me wrong I'm not happy about this in any way. But learn the lesson, NO operating system with as many features and flexibility offered by ANY vendor are vulnerability proof.
Tuesday, February 6, 2007
RSA 2007 San Francisco - Meet the author please!!!
Hey blog-readers. Sorry I've been off line for so long. I had the web hits up to over 100 per day and then I got invoved in getting ready for the RSA security conference and my blog time when away.
If you get a chance please come by the Cisco booh at RSA and see the demo's on CS-MARS, IPS 6.0 and ASA 8.0 I setup the demo's and will pretty much be there the entire time answering questions about IPS.
Please let me know if you are a reader of the blog, I know very few people who log it and it will be good to me you. I'll geek out and talk as much security as you like......
Thanks,
Greg
If you get a chance please come by the Cisco booh at RSA and see the demo's on CS-MARS, IPS 6.0 and ASA 8.0 I setup the demo's and will pretty much be there the entire time answering questions about IPS.
Please let me know if you are a reader of the blog, I know very few people who log it and it will be good to me you. I'll geek out and talk as much security as you like......
Thanks,
Greg
Thursday, January 25, 2007
Host Intrusion Prevention versus Host Anti Virus - Now is the time for change
Host anti virus is a traditional security mitigation software used by millions of computer users across the globe. Anti Virus does a great job of stopping known security exploits through the use of signature type definition files. Unfortunately for the general computer user, the word “known” is the key to this conversation. This means that Anti Virus is only as good as attacks that you already know about. If you use Anti Virus, you are still highly susceptible to a new computer attacks.
Contrast that with Hosts Intrusion Prevention (HIPS). HIPS looks at the behavior of hosts and decides if that behavior could be consistent with the action of malicious code. If the hips software besides that the behavior is suspicious, it will either stop the behavior or query you on whether you want to allow the behavior. Bottom line is that HIPS does not use signature definition files, it uses rule files that don't require updates and will stop viruses and worms whether they are known or not. My experience with hips software is that it is 100% reliable.
The downside of Host Intrusion Prevention software is that the versions that are available are targeted for larger customers with a professional security team that can manage and analyze events seen win rules trigger. Generally it's too complex to be managed by the average end user.
This article is little more than a call to action for security developers. Security engineers readily accept that HIPS software is superior to Anti Virus, now is the time to commercialize the software. Take the complexity out of the existing hips software, and tone it down so that the average home user can use it, and be protected at all times as opposed to the current scenario experience while using antivirus. This isn't that huge of a task. Shoot for the low hanging fruit, and only deploy rules such as, stopping code that is executed after a buffer overflow, stopping code that is being run for the first time, stop browsers from acting as servers, stop the average computer from opening any listening port, stop traffic related to port scans. These are just ideas I'm sure there's more. If you do happen to read this article, please encourage your local hips vendor to commercialize their product, maybe even encourage them to market it to huge service providers such as Comcast, and AOL.
Contrast that with Hosts Intrusion Prevention (HIPS). HIPS looks at the behavior of hosts and decides if that behavior could be consistent with the action of malicious code. If the hips software besides that the behavior is suspicious, it will either stop the behavior or query you on whether you want to allow the behavior. Bottom line is that HIPS does not use signature definition files, it uses rule files that don't require updates and will stop viruses and worms whether they are known or not. My experience with hips software is that it is 100% reliable.
The downside of Host Intrusion Prevention software is that the versions that are available are targeted for larger customers with a professional security team that can manage and analyze events seen win rules trigger. Generally it's too complex to be managed by the average end user.
This article is little more than a call to action for security developers. Security engineers readily accept that HIPS software is superior to Anti Virus, now is the time to commercialize the software. Take the complexity out of the existing hips software, and tone it down so that the average home user can use it, and be protected at all times as opposed to the current scenario experience while using antivirus. This isn't that huge of a task. Shoot for the low hanging fruit, and only deploy rules such as, stopping code that is executed after a buffer overflow, stopping code that is being run for the first time, stop browsers from acting as servers, stop the average computer from opening any listening port, stop traffic related to port scans. These are just ideas I'm sure there's more. If you do happen to read this article, please encourage your local hips vendor to commercialize their product, maybe even encourage them to market it to huge service providers such as Comcast, and AOL.
Tuesday, January 16, 2007
How effective is Anti Virus software at stopping worm attacks?
Host Anti Virus software and Network Anti Virus appliances can both be used to stop worms. But there are a few caveats.
1. New exploits may not be stopped by many Anti Virus packages
2. You must use auto-update features of your AV software to ensure that definitions of current worms are activated.
3. Host anti virus will not stop worms destined for any devices except the device they are installed on.
When it comes to stopping worms I recommend a full blown IPS and also behavior based Host Intrusion prevention software. Network IPS mitigates worms against all network assets and behaviors based intrusion prevention does not depend on signature updates to stop threats.
Yes I'm a Cisco bigot check
www.cisco.com/go/asa
www.cisco.com/go/ips
Check adds on this page for other credible AV and IPS vendors that can mitigate work behavior.
Ha ha, did I really say mitigate work behavior? Ah that should be WORM behavior but I suppose mitigating work behavior wouldn't be a bad idea for some of us......
1. New exploits may not be stopped by many Anti Virus packages
2. You must use auto-update features of your AV software to ensure that definitions of current worms are activated.
3. Host anti virus will not stop worms destined for any devices except the device they are installed on.
When it comes to stopping worms I recommend a full blown IPS and also behavior based Host Intrusion prevention software. Network IPS mitigates worms against all network assets and behaviors based intrusion prevention does not depend on signature updates to stop threats.
Yes I'm a Cisco bigot check
www.cisco.com/go/asa
www.cisco.com/go/ips
Check adds on this page for other credible AV and IPS vendors that can mitigate work behavior.
Ha ha, did I really say mitigate work behavior? Ah that should be WORM behavior but I suppose mitigating work behavior wouldn't be a bad idea for some of us......
Subscribe to:
Posts (Atom)