Posts Tagged ‘Security’

No complete and accurate inventory? == No Security

December 15, 2008

IT networks are commonly referred to as a modern jungle by their own IT managers. The traditional inventory and asset management tools an organization may use simply cannot cope with the complexity and the dynamic nature of IT networks. At best they provide information about 50%-60% of the organization's devices. In most organizations one may plug in a device without the knowledge of IT, receive an IP address and be able to interact with the rest of the network.

The worst part is the effect on the security of IT networks. If you are unaware of a certain device, you are also unable to defend it, or defend against it. The security products we buy, and let's assume they are all best of breed, are deployed only against known devices and entities.

This creates a dangerous situation in which we secure only what we know about. A large number of devices, the additional 20%-50% the organization is unaware of, jeopardizes the stability, the availability and the integrity of the IT networks and the data they carry.

In order to truly secure our IT networks we must have complete and accurate knowledge of the inventory of the devices attached to our networks: an inventory that reflects a true picture of the currently connected devices, and that is used as the basis for any security operation.


Apple and Security: When will this bubble blow up?

December 6, 2008

Apple seems to think that security through obscurity is the right way to handle security on its products. The latest example is its KB article on the support site about anti-virus, a KB article which was posted last year and is only now being discovered by the media.

So, what is wrong with saying you may need an anti-virus for your operating system?

Does Apple think that malware and other security hazards will never hit Mac OS X? This is a very bad assumption. As the popularity of Apple-based products rises, so does the number of people with direct access to them and an interest in them.

What will the future look like? Well, not as it is with Windows, but in my opinion it will certainly keep Apple users awake at night as well. Treating security as just another item that needs to be taken care of can cost Apple dearly, especially if it hurts those who use its products because of their simplicity.

All-in-one Vs. best of breed

June 15, 2007

Very early in my professional career I learned the rule and the importance of best of breed. The rule is simple: if one vendor is better than the others, technology-wise, for a particular product, you go with the best of breed solution (there are other parameters to the equation, like price, deployment, etc.).

This rule also combines nicely with another: the defense-in-depth rule, which mandates the use of multiple solutions from multiple vendors for the same problem. The goal is to prevent a situation in which a flaw or a technological limitation in one solution leaves the organization undefended against a certain attack.

For example, the use of firewalls from multiple vendors, the use of different A/V products on the gateway, on the mail server and on the desktop, etc.

Today, the best of breed approach is sometimes overshadowed by the all-in-one approach. Putting everything, or a lot of things, inside a single box looks like an advantage to many. Firewalls with embedded IPS, A/V and anti-spam are a good example. Can all of those features be considered best of breed?

In most cases they are not.

For the majority of vendors the protection level these all-in-one products provide is no more than average. For many, a false sense of security is what wins the battle here.

Security takes time – Sometimes for a reason

March 15, 2007

Tim Green's latest article at Network World, titled "Security takes time", discusses the NAC admission process and the patience of users.

Tim argues that a longer NAC admission (and remediation) process might make a user impatient and lead him or her to avoid using the network resources.

I generally agree with the assumption that the NAC admission process for an element joining the network should not take long. But I believe Tim may have mixed up several things in his article.

Tim writes about NAC admission, the process of evaluating whether a new element attached to the network complies with a defined security policy. The process might include examining service pack information, patches installed, installed applications, running applications, A/V status (installed, running, updated), firewall status and more.

This is Admission.

If the element does not comply with the network admission security policy, the user, or the NAC solution, should remediate the issues preventing the element from accessing the network.

This is remediation. And here Tim mixes up two issues: self-remediation and automatic remediation.

If the user is to perform self-remediation, time is less problematic, since the user must be aware that s/he needs to take action in order to access the network. During the remediation process the user is made aware of exactly what is happening to his or her system and what it is undergoing (and why it takes longer to access the network).

If automatic remediation is performed, the user will not always be aware of the processes running in the background that keep the machine from connecting to the network. In some cases this results in users getting impatient because they do not understand what is going on.
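The admission and remediation steps described above, as an added example that is not from the original post: a constructed posture record is checked against a hypothetical admission policy, each failure is classified as automatic or self-remediation, and a status line is produced for every item so the user always knows why access is delayed. The policy keys, patch names and the `AUTO_REMEDIABLE` split are assumptions made for the example.

```python
from datetime import date

# Hypothetical NAC admission policy, constructed for this example.
POLICY = {
    "min_service_pack": 2,
    "required_patches": {"patch-001", "patch-002", "patch-003"},  # constructed names
    "max_av_signature_age_days": 7,
    "firewall_enabled": True,
}

# Assumed split: which failures the NAC solution fixes on its own,
# everything else is handed back to the user for self-remediation.
AUTO_REMEDIABLE = {"patches", "av_running", "av_signatures", "firewall"}

# Constructed posture of an element that just attached to the network.
SAMPLE_POSTURE = {
    "service_pack": 1,
    "patches": {"patch-001", "patch-003"},
    "av_running": True,
    "av_signature_date": date(2007, 3, 1),
    "firewall_enabled": False,
}
AS_OF = date(2007, 3, 15)  # date the admission check runs

def evaluate_admission(posture, policy, today):
    """Admission: return (check, detail) for every policy item the element fails."""
    failures = []
    if posture["service_pack"] < policy["min_service_pack"]:
        failures.append(("service_pack",
                         f"SP{posture['service_pack']} < SP{policy['min_service_pack']}"))
    missing = policy["required_patches"] - posture["patches"]
    if missing:
        failures.append(("patches", "missing " + ", ".join(sorted(missing))))
    if not posture["av_running"]:
        failures.append(("av_running", "anti-virus not running"))
    age = (today - posture["av_signature_date"]).days
    if age > policy["max_av_signature_age_days"]:
        failures.append(("av_signatures", f"signatures {age} days old"))
    if policy["firewall_enabled"] and not posture["firewall_enabled"]:
        failures.append(("firewall", "host firewall disabled"))
    return failures

def remediation_plan(failures):
    """Remediation: split failures by mode and build the messages shown to the user."""
    auto = [f for f in failures if f[0] in AUTO_REMEDIABLE]
    manual = [f for f in failures if f[0] not in AUTO_REMEDIABLE]
    messages = ([f"Fixing automatically: {d}" for _, d in auto] +
                [f"Action required: {d}" for _, d in manual])
    return {"auto": auto, "manual": manual, "messages": messages}

if __name__ == "__main__":
    for line in remediation_plan(evaluate_admission(SAMPLE_POSTURE, POLICY, AS_OF))["messages"]:
        print(line)
```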

This is what Tim Green suggests to his readers:

“… Customers should also test the gear with end users in various departments to find out whether the technology eats up too much time for some users, and whether some dispensation from NAC should be allowed in critical cases.”

NAC, according to my definition, is a security and compliance solution. The fact that an element is checked to verify it is in line with the network access security policy of an organization means that a certain risk to the stability and integrity of the enterprise LAN is minimized. When we start making exceptions to the rule, we end up where some organizations are: with a lack of control over the enterprise LAN.

If we took user complaints about security products into account, we would never have them in place (e.g. a firewall blocking P2P applications).

On IPv6 Stacks Security

March 14, 2007

The release of the Core security advisory regarding a remote kernel buffer overflow in OpenBSD's IPv6 implementation is an indicator of what to expect next regarding the security and stability of IPv6 stack implementations.

In my opinion, when (and if) IPv6 becomes more widely adopted and exposed, we will see an increase in this type of advisory and consequently in the number of incidents involving IPv6 stack implementations.

As more security researchers have the opportunity to examine and test IPv6 stack implementations, probing their strengths and weaknesses, we should expect a number of advisories regarding the stability and security of these implementations.

It will take some time until the majority of these issues are exposed to the public and fixed, as with any other new technology.

VoIP and Home Security Systems – A match made in Hell

February 15, 2007

As if there weren't enough integration and usage problems with VoIP, this post in the Network World community blogs details the problems of using VoIP at home and the issues it may cause for home security systems.

The blog post lists several issues with the use of VoIP at home, which I have addressed in my previous VoIP presentations (dating back to 2001). The worst issue, in my opinion, is "no power, no service" (no phone, no alarm system and no emergency services).

The Vulnerability Market Place

January 31, 2007

It was only a matter of time until a major newspaper (Brad Stone for the New York Times) picked up on the subject of trading vulnerabilities (article), specifically selling vulnerabilities to companies that provide some kind of service around them.

On a recent Matasano blog post (iDefense Underbids on Vista Vulnerabilities) I commented: "No one guarantees the so-called 0-day is really a 0-day. The seller could have used it before, or sold it before, and still the knowledge of the existence of this vulnerability/exploit is not widely known".

Theoretically speaking, one can sell a vulnerability to multiple parties, and/or abuse it for other needs, without the buyer knowing.

The marketplace for vulnerabilities does raise interesting legal and ethical questions regarding the actions of the companies buying these vulnerabilities and the source(s) they buy them from.

Network Discovery – The first building block of internal network security

January 6, 2007

One of the things I have learned about network security is that you cannot defend something, or defend against something, whose existence you are not aware of.

Ask yourself the following questions:

  • Do I know what elements reside on my network(s)?
  • Do I know who is on my network(s)?
  • Do I know what is being done on my network(s)?
  • Is the information I have, if any, current?

Don’t be surprised if you have answered no to some of these questions.

Apparently, knowing the network is one of the most neglected areas of network security.

Let’s take patch management as an example.

  • How many of your Microsoft Windows-based elements are currently using a patch management solution?
  • How many of your Microsoft Windows-based elements operate outside of an organizational domain?
  • How many Microsoft Windows-based elements does the patch management solution not have access to?
  • Can you tell how many Microsoft Windows-based elements reside on your networks?

If your organization is required to comply with a certain regulation, it is required to demonstrate its ability to know and control all of its assets…

Real-time contextual information regarding the IT infrastructure should serve as the basis for different management and security applications such as: Asset Management, CMDB, Compliance & Audit, Helpdesk, Intrusion Prevention and Intrusion Detection, NAC, Patch Management, Vulnerability Management, etc.

Without knowing the network, one simply cannot manage or secure it.
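One way to measure the gap this post and the December 2008 inventory post describe, as an added example that is not from the original posts: reconcile a constructed CMDB export against devices actually seen in constructed DHCP server log lines, reporting unknown devices, inventory entries nobody has seen recently, Windows elements outside patch management, and the share of observed devices the inventory actually knows about. The inventory fields, the log format and the 30-day staleness threshold are assumptions made for the example.

```python
import re
from datetime import date

# Constructed inventory (CMDB) export keyed by MAC address; not real data.
INVENTORY = {
    "00:11:22:33:44:01": {"host": "ws-fin-01", "os": "windows", "patch_agent": True,  "verified": date(2008, 12, 10)},
    "00:11:22:33:44:02": {"host": "ws-fin-02", "os": "windows", "patch_agent": False, "verified": date(2008, 12, 12)},
    "00:11:22:33:44:03": {"host": "srv-mail",  "os": "linux",   "patch_agent": True,  "verified": date(2008, 9, 1)},
    "00:11:22:33:44:04": {"host": "ws-hr-07",  "os": "windows", "patch_agent": True,  "verified": date(2008, 6, 15)},
}

# Constructed DHCP server log lines (dhcpd-style DHCPACK entries).
DHCP_LOG = """\
Dec 14 08:01:12 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:01 (ws-fin-01) via eth0
Dec 14 08:03:40 dhcp1 dhcpd: DHCPACK on 10.0.5.22 to 00:11:22:33:44:02 (ws-fin-02) via eth0
Dec 14 08:10:05 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to 00:aa:bb:cc:dd:01 (guest-laptop) via eth0
Dec 14 09:15:33 dhcp1 dhcpd: DHCPACK on 10.0.5.78 to 00:aa:bb:cc:dd:02 via eth0
Dec 15 07:58:02 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:03 (srv-mail) via eth0
"""
AS_OF = date(2008, 12, 15)  # day the reconciliation runs

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?")

def parse_dhcp_log(text):
    """Return {mac: {"ip", "host"}} for every device that was handed a lease."""
    seen = {}
    for line in text.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            seen[mac] = {"ip": ip, "host": host or "?"}  # no hostname sent -> "?"
    return seen

def reconcile(inventory, observed, today, stale_days=30):
    """Compare what the inventory claims with what the network actually shows."""
    unknown = sorted(mac for mac in observed if mac not in inventory)
    stale = sorted(mac for mac, rec in inventory.items()
                   if mac not in observed and (today - rec["verified"]).days > stale_days)
    unmanaged = sorted(mac for mac, rec in inventory.items()
                       if rec["os"] == "windows" and not rec["patch_agent"])
    known = len(observed) - len(unknown)
    coverage = round(100.0 * known / len(observed), 1) if observed else 0.0
    return {"unknown": unknown, "stale": stale,
            "unmanaged_windows": unmanaged, "coverage_pct": coverage}

if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, parse_dhcp_log(DHCP_LOG), AS_OF).items():
        print(f"{key}: {value}")
```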