Archives for June 2010

Palo Alto Networks Introduces GlobalProtect for roaming users

As good as Palo Alto Networks next-generation firewalls are, their value ended when you left the location it was protecting. When you’re in a hotel or a Starbucks, you had to rely on your laptop’s host based protection capabilities. And from your organization’s perspective, it lost the Palo Alto Networks policy controls. When you are remote, you can visit any website you want.

In order to remedy this limitation, Palo Alto announced GlobalProtect today. Here is Palo Alto’s description:

Unlike traditional approaches to endpoint security, Palo Alto Networks GlobalProtect ties application-, user-, and content-based policies to roaming users through a persistent thin client that can be pre-installed or installed on demand. Similar to a VPN, remote traffic is sent over a secure tunnel. However, unlike typical VPN deployments, which direct traffic to a few geographically centralized gateways, the GlobalProtect client automatically connects to the nearest corporately-managed Palo Alto Networks next-generation firewall deployed at a hub, branch, or in a private cloud. This results in faster throughput, easier management, and better protection.

For the first time, organizations will be able to maintain their policies regardless of a user’s location. John Pescatore of Gartner says it this way:

The Next Generation Firewall will follow the same pattern – extending to NGFW as a service (or what we used to call ‘In the Cloud Firewalling’ before the cloud term got ripped away from the Internet carriers) to inject the same firewall policy between the users and the Internet and in between the cloud-based services we consume that used to be inside the data center.

I look forward to trying GlobalProtect.

HTTPS Everywhere – Will it increase risk?

The Electronic Frontier Foundation (EFF), in conjunction with The Tor Project, has announced a new Firefox plug-in called HTTPS Everywhere, which will automatically provide encrypted SSL sessions to major web sites that support HTTPS. Obviously, this is an effort to improve browsing privacy, but is it also increasing risks to those users? The answer could be yes.

If you are a road-warrior and use HTTPS Everywhere from your hotel room, I would agree that you are reducing the likelihood of a third party sniffing your traffic. However, HTTPS will increase risk for corporations whose firewalls or intrusion prevention systems do not have the ability to decrypt SSL. For example, one of the default sites encrypted by HTTPS Everywhere is Facebook. If you have policies that allow certain employees to use certain features of Facebook for marketing/sales purposes, you surely want to monitor that traffic for threats. Given the amount of malware on Facebook, an employee could inadvertently go to a page that downloads a trojan onto the employee’s workstation. If your firewall or IPS cannot decrypt SSL then it will not be able to detect the malware.

Is unified Security Operations and IT Services possible?

In this era of limited IT budgets, can organizations afford separate Security Operations and IT Services? In reality both groups benefit from common services such as discovery, configuration management, availability and performance analysis, flow analysis, log analysis, and business service management.

AccelOps has a nice blog post discussing this issue called Security Operations and IT Services, Competition or Cooperation?

World Cup Soccer – work day timewaster?

The excitement of World Cup Soccer is increasing. Do you know how many people in our organization are watching matches during the work day? How much Internet bandwidth is being consumed? What about the active malware campaigns leveraging the tournament?

Palo Alto Networks has a blog post detailing its World Cup Soccer video controls and protection capabilities called Prepare for Soccer Hooliganism 2.0.

HoneyBot – Automated IRC Social Engineering

IRC-Junkie is reporting that researchers at TU Wien (Vienna University of Technology, Austria) have developed a software program that performs a “man-in-the-middle” attack between IRC users causing them to click on malicious links at a 76% click rate. As opposed to impersonating a user and attempting to perform one side of the conversation, this program sits between two users and simply makes changes to the words and inserts malicious links.

The so called “HoneyBot” is capable of influencing the ongoing conversation by “dropping, inserting, or modifying messages” and the researchers assert that “if links (or questions) are inserted into such a conversation, they will seem to originate from a human user” and therefore the click-probability will be “higher than in artificial conversation approaches”.

It seems to me that the high click rate is due to the lack of knowledge that such an attack is even possible and therefore people are not in the least bit suspicious. If HoneyBots become more prevalent, people will be more on guard.

In any case, approach each link cautiously – hover over the link and inspect the URL that is displayed at the bottom of the browser. If you cannot determine exactly where the URL is going to take you, don’t click on it.

Another thought, how long before we see this type of attack in the wild on Facebook?

Facebook – Read-Only

What kind of access to Facebook do you give your employees? What about those in Marketing who want to use Facebook to monitor a competitor’s social marketing efforts? Or just gather competitive intelligence? Completely blocking Facebook for everyone in the organization may not make sense anymore because there are legitimate business uses for Facebook.

Palo Alto Networks has been a leader in enabling fine-grained policy control of web-based applications. Today, they extended their Facebook policy capabilities by creating a “Read-Only” option. I have no doubt that this was a customer driven enhancement to their already robust Facebook policy capabilities.

This is a great example of enabling business value while minimizing risk.

California Casualty replaces Cisco MARS

Network World has a story about California Casualty replacing Cisco MARS with AccelOps, a Cymbel partner. The AccelOps founders were the founders of Protego, the company that developed MARS and sold their company to Cisco.

One of the key issues was California Casualty’s frustration with Cisco’s appliance business model. If you are running on an older MARS appliance, apparently you have to buy a new appliance at a price significantly higher than the underlying server would cost from a server vendor. AccelOps is sold as a virtual appliance or SaaS.

While we at Cymbel surely like the virtual appliance approach, there were other important reasons we selected AccelOps for Log Management, Security Information and Event Management (SIEM), and IT/Business Service Management. Once you can meet an organization’s scalability and compliance reporting requirements, the biggest value add this class of solution can provide is actionable information.

Actionable information requires context. And there is no better solution than AccelOps at providing context. It starts with Device and Software Discovery. If you don’t know the devices on your network and the software they are running, you are working in the dark. Next you must be able to understand configuration changes. For that you need a Configuration Management Database (CMDB). Device Discovery, Software Discovery, and Configuration Management are the first four controls defined in SANS Twenty Critical Controls for Effective Cyber Defense; Consensus Audit Guidelines (TCC). Cymbel uses TCC as a core component of its approach to Defense-in-Depth. And you must be able to group your devices by Business Service.

Prior to AccelOps, you were looking at a seven figure capital expense to get there and a huge amount of professional services to integrate several different tools. AccelOps provides all of the above plus performance and availability management in one unified solution.

According to Network World. AccelOps unified solution enabled California Casualty to decommission several monitoring tools they were using because they had become redundant. Read the whole story here.

The End of Malware? Hardly.

Slate recently published an article entitled, “The End of Malware?” The sub-title is, “How Android, Chrome, and the iPad are shielding us from dastardly programs.” The premise trotted out the usual, Windows is insecure; Android, Chrome, and the iPad are more secure because they deploy sandboxing technology, i.e. restricting an application’s access to operating system resources.

While this may be a good thing, it is hardly the “end of malware.” Not even close.What the author is missing is the intent and motiviation of the bad guys. They go where the money is, i.e. where there is the opportunity to steal cash from people’s bank accounts, steal credit card information, steal intellectual property they can sell. At present, these opportunities are minimal on Android, Chrome, and iPads. Once there is critical mass for profitable hacking, you will definitely see an increase in exploits on these devices.

Now even with limited opportunities for profitable hacking we are starting to hear about vulnerabilities on these devices. Just yesterday I wrote about a Massive iPhone Security Issue where passcode protected content on the iPhone can be accessed by simply attaching the device to a computer running Ubuntu or OSX. Therefore, if you lose your iPhone, your passcode protection is useless.

If you need to hear more, check out the June 3 article in the Wall St. Journal, Dark Side Arises for Phone Apps. Here are some key quotes, first on Google:

In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named “09Droid” and claimed to offer access to accounts at many of the world’s banks. Google said it pulled the apps because they violated its trademark policy.

The apps were more useless than malicious, but could have been updated to capture customers’ banking credentials, said John Hering, chief executive of Lookout, a mobile security provider. “It is becoming easier for the bad guys to use the app stores,” Mr. Hering said.

And on Apple:

Apple vets applications before they appear in its App Store, but risks still exist. In July 2008, Apple pulled a popular game called Aurora Feint from its store after it was discovered to be uploading users’ contact lists to the game maker’s servers. More recently, it yanked hundreds of apps it said violated its policies, some out of security concerns.

In conclusion, while sandboxing is a good idea, there is no silver bullet when it comes to security.

Massive iPhone Security Issue

ReadWriteEnterprise is reporting that:

Content stored on an iPhone 3GS with passcode protection can be accessed without the passcode simply by attaching the device to a computer running the latest version of Ubuntu or a Windows or OSX system running off the shelf software such as iPhone Explorer. This flaw was discovered by Bernd Marienfeld, an information security professional and blogger, last week. Recently, the enterprise has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to aggressively address security concerns such as these in order to gain and hold market share.

Read the whole article here.

SANS Twenty Critical Controls

An important part of Cymbel’s approach to IT Security and Compliance leverages the SANS Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines (20CC). We have embraced 20CC for the following reasons:

  • Comprehensiveness – All the major critical IT Security functions are covered.
  • Credentials – The document was generated by a strong group of experienced security professionals from government and industry.
  • Concreteness – The document provides very specific recommendations.
  • Automation – Fifteen of the twenty controls are readily automated.
  • Metrics – One or more simple, specific, measurable tests are provided to assess the effectiveness of each recommended control.
  • Phases – Each of the twenty controls have sub-controls which can be implemented in phases. In fact, each control describes at least one “Quick Win.” This lessens the potentially overwhelming nature of other security models.
  • Brevity – The current version of the document is only 58 pages as compared to other approaches which are spread over multiple books.
  • Price – The document is free.

If there is any weakness to the 20CC, it’s the consensus nature of it. However, in our opinion this weakness is only reflected in its understandable unwillingness to recommend a solution that would inure to the benefit of a single manufacturer. This is particularly reflected in the “Boundary Defense” control which recommends stateful inspection firewalls and separate Intrusion Prevention Systems.

For boundary defense, Cymbel recommends the only next-generation firewall on the market – Palo Alto Networks. That’s not just us saying it. Gartner said it in its 2010 Enterprise Firewall Magic Quadrant.

I would love to hear your opinions on the SANS Twenty Critical Security Controls.