Infosecurity Europe 2007.A selection of papers from exhibitors at Infosecurity Europe 2007, Europe's dedicated Information security event. Now in its 12th year, providing an education programme, new products & services, over 300 exhibitors and 11,600 visitors from every segment of the industry. 24th-26th April 2007, Grand Hall, Olympia. www.infosec.co.uk Enterprise Guide: 7 Steps to Securing USB Drives A flash memory card that plugs into the computer's USB port. Small enough to hook onto a keychain, it emulates a small disk drive and allows data to be easily transferred from one machine to another. Nimrod Nimrod, in the Bible, descendant of Cush who is recorded as a mighty hunter. Nimrod Biblical hunter of great prowess. [O.T.: Genesis 10:9; Br. Lit.: Paradise Lost] See : Hunting Reichenberg, Enterprise Solutions, m-systems Tiny Storage Devices--Big Convenience Means Bigger Challenge Personal storage devices such as USB flash drives See USB drive. are more powerful than ever and have become ubiquitous in the enterprise environment. Originally designed for consumer use, these devices typically lack security, control and auxiliary management tools. Many employees don't think twice about taking work home or out of the office on the personal thumb drive See USB drive. they purchased at a local center for office supplies Office supplies is the generic term that refers to all supplies regularly used in offices by businesses and other organizations, from private citizens to governments, who works with the collection, refinement, and output of information (colloquially referred to as "paper work"). . With millions of people carrying around personal storage devices, these gadgets are being used both innocently to increase productivity and for other less legitimate purposes such as smuggling smuggling, illegal transport across state or national boundaries of goods or persons liable to customs or to prohibition. Smuggling has been carried on in nearly all nations and has occasionally been adopted as an instrument of national policy, as by Great Britain information out of the enterprise. Even when used with the best intentions, the data stored on USB drives is generally not covered not covered Health care adjective Referring to a procedure, test or other health service to which a policy holder or insurance beneficiary is not entitled under the terms of the policy or payment system–eg, Medicare. Cf Covered. by routine company procedures, such as backup, encryption The reversible transformation of data from the original (the plaintext) to a difficult-to-interpret format (the ciphertext) as a mechanism for protecting its confidentiality, integrity and sometimes its authenticity. Encryption uses an encryption algorithm and one or more encryption keys. , or asset management. How can companies keep track of the data coming in or leaving the company via these devices? Keeping company data secure has become a significant challenge for any corporate IT department. Recent Incidents Recent events in the industry have been cause for concern, leading IT professionals to understand that new policies and technologies must be set in place to protect information being stored on personal storage devices. The following are just a few episodes that have driven the message home. * When a professor from the University of Kentucky The University of Kentucky, also referred to as UK, is a public, co-educational university located in Lexington, Kentucky. discovered that his flash drive was stolen, private information for 6,500 former students was suddenly at risk. The data, including names, grades and Social Security numbers, left thousands of individuals exposed to the threat of identity theft, not to mention the violation of their privacy. * Flash drives with classified military information were up for sale at a bazaar outside Bagram, Afghanistan. The US Army realized they had to secure USB drives, find a way to keep track of the devices, and ensure that the information could not be accessed by unauthorized personnel. Security Implications When company information is stored on non-secure and personally owned devices, employees put their company at risk every time they step out the door. Auditing companies are at risk of exposing account numbers, hospitals can be exposed if patient information falls into the wrong hands, and finance companies need to ensure that mission critical data is not lost. Once company data falls into the wrong hands, the possibility of threats and risk are almost infinite. Companies lose credibility, leave themselves open to lawsuits, and expose employees to ID theft or fraud--just to name a few. The risks from personal storage devices can be classified as follows: * Data exposure due to device loss or theft * Unauthorized data extraction Data extraction is the act or process of retrieving (binary) data out of (usually unstructured or badly structured) data sources for further data processing or data storage (data migration). * Introduction of malicious code Enterprise Concerns Regarding the Vulnerability of USB Drives With millions of USB USB in full Universal Serial Bus Type of serial bus that allows peripheral devices (disks, modems, printers, digitizers, data gloves, etc.) to be easily connected to a computer. storage devices in the marketplace, confidential company data is constantly on the move--and simultaneously at risk to loss or theft. The potential for damage caused by the loss of sensitive company data grows exponentially every day, underlining un·der·lin·ing n. 1. The act of drawing a line under; underscoring. 2. Emphasis or stress, as in instruction or argument. the need for proper security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security that cover these handy mobile storage devices. The following are some of the major security concerns related to the use of these devices: * Data Leakage--To minimize the threat of data leakage, enterprises can start by limiting the use of USB drives to company-authorized devices. * Regulatory Compliance--All organizations should ensure they comply with government and security regulations--such as SOX (1) (Schema for Object-oriented XML) An XML schema developed by Veo Systems and Muzino Communications, which was submitted to the W3C. SOX is based on DTD, but adds data typing and reuse mechanisms. , HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, , GLB (Gramm-Leach-Bliley Act) Enacted in 1999 and effective in mid 2001, the GLB stipulates that every financial institution shall protect the security and confidentiality of its customers' confidential personal information. , California SB and FISMA--to minimize the risk of data loss. The first step is to set clear security policies, publicize pub·li·cize tr.v. pub·li·cized, pub·li·ciz·ing, pub·li·ciz·es To give publicity to. publicize or -cise Verb [-cizing, -cized] among employees and enforced through use of technology that audits, tracks and backs up all information on mobile drives. * Lost data and support costs--Despite security measures, data may be lost or stolen, leaving the organization in a position to minimize the damage done. Issuing company-authorized USB devices will enable the initiation of procedures to recover lost data and reduce the subsequent damage. Possible Solutions What can enterprises do to beef up security measures for personal storage devices? There are a number of hardware and software solutions used, ranging from data encryption data encryption, the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient. Historically, data encryption has been used primarily to protect diplomatic and military secrets from foreign to authentication (1) Verifying the integrity of a transmitted message. See message integrity, e-mail authentication and MAC. (2) Verifying the identity of a user logging into a network. , anti-virus protection, and other monitoring options. There are a few solutions, such as blocked ports, encrypted en·crypt tr.v. en·crypt·ed, en·crypt·ing, en·crypts 1. To put into code or cipher. 2. Computer Science storage devices and software encryption of data; however these solutions do not address all that is required to ensure a comprehensive secure solution for the majority of removable devices. 7 Steps to Securing Personal Storage Drives The following steps will help your enterprise secure personal storage drives, both on and off the network. 1. Always define and publicize your company policy for personal storage devices. 2. Institute company-issued personal storage devices 3. Make sure devices are fully encrypted. 4. Ensure that users cannot circumvent cir·cum·vent tr.v. cir·cum·vent·ed, cir·cum·vent·ing, cir·cum·vents 1. To surround (an enemy, for example); enclose or entrap. 2. To go around; bypass: circumvented the city. security measures. 5. Maintain an audit trail of data stored on devices. 6. Have the ability to recover data that resides on personal storage devices 7. Make sure your enterprise solution is comprehensive enough to provide you with the ability to store information on secure USB drives, control the use of all removable devices both inside and outside the corporate environment, and centrally manage company-issued USB drives. The value of portable storage devices in today's business Today's Business is a show on CNBC that aired in the early morning, 5 to 7AM ET timeslot, hosted by Liz Claman and Bob Sellers, and it was replaced by Wake Up Call on Feb 4, 2002. environment is clear. Equally clear is the initiative corporations must take to integrate these devices with their storage and security policies. By taking the right steps, today's enterprises can secure their data by choosing the right technology that can both secure and monitor data, developing robust policies that protect company data to comply with regulations, and ensure the use of enterprise-ready personal storage devices. www.m-systems.com The Truth about Patching Dispelling five common myths Mark Shavlik, President and CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. of Shavlik Technologies, LLC (Logical Link Control) See "LANs" under data link protocol. LLC - Logical Link Control As arguments continue to rage about whether an agent-based or agentless patching technique is more effective, see which side you're on after we dispel five common myths. According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. an April 2006 report from the Yankee Group (the Yankee Group, Boston, MA, www.yankeegroup.com) A major market research, analysis and consulting firm founded in 1970 by Howard Anderson. It provides general consulting and strategic planning in the computer and communications field. consultancy in Boston, Mass., the various security investments enterprises have made do, indeed, make it more difficult for "criminals, spies and miscreants" to break into corporate networks. However, the report says the criminal element is focusing on new attack strategies, one of which is "quickly creating and launching exploits to vulnerabilities before enterprises can patch against them." The so-called (0 day) attack, where an attack is launched against a vulnerability before a patch is created to plug that vulnerability, has long been a great fear of any security professional. With the criminal element actively seeking out opportunities for such an exploit, it's more important than ever for organizations to take stock of their patching strategy. In so doing, you are likely to come across an age-old argument regarding which type of patching solution is more effective, agent-based or agentless. In many respects, the argument is a red herring Red Herring A preliminary registration statement that must be filed with the SEC describing a new issue of stock (IPO) and the prospects of the issuing company. Notes: because you can do most of the same things with one architecture that you can with the other. They are simply different ways of performing the same job, either using a small software "agent" or polling from a central location to collect data on the target system. Despite these similarities, many myths are floating about that need dispelling. Here we focus on five, which fall into the categories of accuracy, scalability, bandwidth, speed and coverage. Myth No. 1: Agent-based systems are more accurate. Some IT professionals believe that being a resident on the client or server enables agent-based systems to collect more information, and ensures they won't miss machines that are turned off. Accuracy has to do with the logic behind the scan engine and the quality of the data sent to it for analysis. You can gather the exact same data from a client or server by polling with a resident agent. It' s what you do with that data that matters. And while it's true that an agentless architecture cannot poll a machine that's turned off, it's also true that end users can--and do--disable software-based agents. Additionally, if a user attaches a rogue machine to the network, it won't have an agent and may not be found unless the company has another means of detecting such machines. Myth No. 2: Agent-based systems are more scalable. Another argument for agent-based systems is that agents help perform some of the processing load, thereby enabling these systems to handle larger networks. But with the power of today's servers, configuring one that can handle agentless scans for any number of machines is not a problem In fact, large organizations are more likely to struggle with installing and managing agents on all their machines. Myth No. 3: Agent-based systems consume less bandwidth. Even an agent-based system still needs to evaluate data that the agent collects, which means that data must flow over the network at some point--so it does need a certain amount of bandwidth. But even though some older agentless systems did consume significant bandwidth because they had to read entire copies of files across the network to check versions, more advanced agentless systems have overcome this shortcoming short·com·ing n. A deficiency; a flaw. shortcoming Noun a fault or weakness Noun 1. and now consume only moderate amounts of bandwidth. It's a trade-off: Whether agent-based or agentless, doing a thorough, accurate scan will require more bandwidth to complete as compared to a superficial scan, but which would you rather have? Myth No. 4: Agent-based systems are faster. You may hear that agentless systems scan each machine sequentially, which means it takes them longer to scan an entire network and limits their ability to patch for a critical vulnerability in a timely fashion--as opposed to an agent-based system. This argument is flawed on two fronts. For one, agentless systems typically use multi-threaded processes that enable them to scan multiple machines simultaneously. The real heavy lifting happens at the server, which has to examine all the gathered data. In an agent-based scenario, if all agents are reporting in at once, you should ask whether that server can keep up. And in practice, it's not likely that the scanning tool will be the gating factor in how quickly you can get a patch out--it's how quickly the third-party vendor makes the patch available. Myth No. 5: Agent-based systems offer better coverage. This is true to the extent that agent-based systems are better-suited for machines such as laptops that are often disconnected from the network. It's also why most agentless patch system vendors also offer an agent-based option. Yet here again, there's a tradeoff: For every laptop user who may benefit from an agent-based approach, you might have a desktop user who turns off the desktop's agent, or closes the port used to connect to it. The truth is: There's a place for both agent-based and agentless patching technologies. In an ideal world, your vendor will offer both--along with the sophisticated scanning technology that is at the heart of a quality patching solution. www.shavlik.com Ensuring Software Asset Compliance with Whitelisting Software Dennis Szerszen, VP of SecureWave "A study of 1,000 UK employees carried out by YouGov in 2006, revealed that 60% of users accessed personal web and email applications from corporate endpoints at least once a week. Unless carefully managed, these applications can expose the corporate network to malware (MALicious softWARE) Software designed to destroy, aggravate and otherwise make life unhappy. See crimeware, virus, worm, logic bomb, macro virus and Trojan. infection, eating up available bandwidth and increasing the risk of running software targeted at stealing customer, product or financial data. In addition, the proliferation proliferation /pro·lif·er·a·tion/ (pro-lif?er-a´shun) the reproduction or multiplication of similar forms, especially of cells.prolif´erativeprolif´erous pro·lif·er·a·tion n. in low cost, high capacity USB devices, particularly those that can launch applications directly from the device, are creating an additional headache for IT managers. Compliance is front of mind for most IT managers and software asset management forms a core part of this. A recent IDC survey found that 27 per cent of PC software used in the UK is illegal. However, in this age of consolidation, connectivity and mobility, IT environments are constantly changing, so companies have difficulty keeping track of exactly what software employees are using. An increase in applications, coupled with complex licence arrangements are making it more difficult for IT chiefs to maintain correct licencing. So how do IT managers get a handle on the issue? Some have taken on a bouncer mentality, stripping staff of user privileges See user permissions. and effectively putting them on lock down when it comes to downloading files from outside the firewall or using USB devices, to prevent unauthorised software from running. This has created frustration among workers that have become accustomed to a plug and play lifestyle, causing some to flout flout v. flout·ed, flout·ing, flouts v.tr. To show contempt for; scorn: flout a law; behavior that flouted convention. See Usage Note at flaunt. v.intr. security policy just to be able to get on with the job. Life could be so much easier if we turned the problem on its head. Instead of trying to list every executable file See executable code. that could fall foul of regulations, infect your network, or leak data from it, why not employ end point security software that only permits authorised and legal applications and devices to run? At the heart of this whitelisting best practice is the justified assumption that anything not specifically authorised by the IT manager must therefore be regarded as potentially illegal or harmful. Just like a good doorman with a guestlist, if your application or device isn't down, it doesn't join the party. So if a new virus starts doing the rounds, it will simply not be able to run. Likewise, if you are concerned that staff are using up bandwidth playing with Google Earth A 3D mapping program from Google that covers the entire globe from satellite images. Requiring a download for Windows, Mac and Linux desktops, a street address can be searched, and the views can be zoomed down to the individual building all the way up to a satellite's view of the globe. , or if you're worried that the version of Windows being run in Marketing isn't strictly legal, this whitelist approach will put a stop to this. By employing the whitelist approach, IT managers can sleep at night knowing that nothing can be done on their networks without their specific authorisation. Illegal, unproductive or unlicensed software would not be able to run. If such a solution could also audit and report on what was running and automatically repopulate the whitelist whenever a patch update is undertaken, you could ensure you were running secure, licensed software throughout the organisation. Whitelisting end point security software should now be seen as not only the new frontline front·line also front line n. 1. A front or boundary, especially one between military, political, or ideological positions. 2. Basketball See frontcourt. 3. Football The linemen of a team. defence against malware, but also an effective route to ensuring software asset compliance. This enables IT managers to take full advantage of connectivity and mobility, without risking the business. www.securewave.com Email content security: filtering out the hype Ed Macnair, CEO, Marshal Ltd. Corporate email is at risk. Vulnerable to external attack from viruses, spam E-mail that is not requested. Also known as "unsolicited commercial e-mail" (UCE), "unsolicited bulk e-mail" (UBE), "gray mail" and just plain "junk mail," the term is both a noun (the e-mail message) and a verb (to send it). , spyware and phishing Pronounced "fishing," it is a scam to steal valuable information such as credit card and social security numbers, user IDs and passwords. Also known as "brand spoofing," an official-looking e-mail is sent to potential victims pretending to be from their ISP, bank or retail establishment. technologies. And vulnerable to abuse from within, which could result in: acceptable use policies being compromised; regulatory compliance violations; and/or confidential corporate data being leaked externally. The recent DVLA DVLA Brit Driver and Vehicle Licensing Agency DVLA n abbr (BRIT) (= Driver and Vehicle Licensing Agency) → organismo encargado de la expedición de permisos de conducir y matriculación de vehículos disciplinary action demonstrated all too clearly what can happen when acceptable use policies are flouted by a large number of employees. A plethora of email content security technologies has emerged in recent years to address such vulnerabilities. Companies currently have the choice of two major types of email content security solution: software or appliances. Software solutions have been available for about ten years, while appliances appeared on the market around five years ago. Appliances are purpose-specific email content security servers, typically based on industry-standard server hardware and running a security-hardened Unix/Linux OS to provide the platform for the mail-screening software. Since their inception, appliances have been touted by some as the holy grail Holy Grail: see Grail, Holy. A very desired object or outcome that borders on a sacred quest. There are several Holy Grails in the computer business. of email content security, winning over many customers in the process. Today, however, the tide is turning. Plug and play? The major selling point selling point n. An aspect of a product or service that is stressed in advertising or marketing. Noun 1. selling point - a characteristic of something that is up for sale that makes it attractive to potential customers for appliances has always been based on the perception that they provided a 'plug and play', purpose built, email security hardware solution. The idea was that a company could order a pre-configured email scanning system that would simply plug into its email environment and instantly start cleaning spam and viruses from email. In practice, appliances can be difficult and time-consuming to install. The biggest selling appliance product on the market can take up to six hours to install, compared to between 1-2 hours for an equivalent software-only installation. In some cases, an appliance vendor-approved technician must perform the installation because it is so complex, with customers having to pay extra for this service. By contrast, most software solutions can be easily installed by any in-house IT person with a reasonable understanding of email configuration, MS Exchange and firewall administration. Performance, Scalability and High Availability Also called "RAS" (reliability, availability, serviceability) or "fault resilient," it refers to a multiprocessing system that can quickly recover from a failure. There may be a minute or two of downtime while one system switches over to another, but processing will continue. Performance, scalability and high availability are clearly important factors to consider when choosing how to secure a business-critical tool such as email. Email scanning should be a transparent process, with no perceivable delay in email performance and should also be scalable--able to manage 10,000 users as easily as it can manage 100. Ideally, it should also be capable of clustering and load-balancing in an array environment, to ensure high performance throughput scanning, and also redundancy for high availability. Performance is often claimed as a strength by many appliance vendors on the basis that the hardware is dedicated to a specific task. However, performance is really dependent on a range of factors such as processor speed, available memory, disc I/O (Input/Output) The transfer of data between the CPU and a peripheral device. Every transfer is an output from one device and an input to another. See PC input/output. I/O - Input/Output , volumes of email and the type of email your business sends. Appliances are commonly marketed as suitable for "up to 1000 users," based on a simple calculation of how much email the average person sends per hour and how much email the server can process. Often this calculation assumes that the average email size is less than 10Kb. In our experience most typical businesses average around 40Kb per email. As a result, a single appliance purchase really only supports 25% of that claim. In order to actually process the true volume of email the business requires, companies often need to upgrade to a higher specification appliance, or purchase a second appliance. Usually, customers have already made a significant investment in the appliance hardware and are compelled to upgrade, again at significant additional cost and installation disruption. As a result, many appliance customers are becoming disillusioned dis·il·lu·sion tr.v. dis·il·lu·sioned, dis·il·lu·sion·ing, dis·il·lu·sions To free or deprive of illusion. n. 1. The act of disenchanting. 2. The condition or fact of being disenchanted. with the weaknesses and disadvantages inherent in some of these appliances. In contrast, the top performing software solutions provide multi-threading functionality, which removes potential bottleneck A lessening of throughput. It often refers to networks that are overloaded, which is caused by the inability of the hardware and transmission lines to support the traffic. It can also refer to a mismatch inside the computer where slower-speed peripheral buses and devices prevent the CPU issues by scanning emails much faster than single-threaded solutions. These high-end software solutions are also able to increase performance throughput by managing multiple email processing node servers in an array. In this set-up, load balancing The fine tuning of a computer system, network or disk subsystem in order to more evenly distribute the data and/or processing across available resources. For example, in clustering, load balancing might distribute the incoming transactions evenly to all servers, or it might redirect them tools balance the email processing load intelligently between different nodes, all at no additional cost to the customer. One appliance vendor does market a multi-server controller for linking two appliances together and load balancing them to share the task of processing large volumes of email. However, this controller has to be bought separately--yet another additional cost that most customers are unaware of when they make the initial decision to purchase an appliance. Flexibility and cost-effectiveness As well as the normal risk assessment, companies reviewing their messaging security solution also need to consider flexibility and cost-effectiveness. By their very nature, even the best designed, feature-rich appliances are inflexible because they are locked into a hardware platform. Functionality is not transferable, and in any case, most do not have the same depth of functionality or power for policy enforcement as equivalent software options. Often, new technologies become available which require higher specification hardware, such as anti-spyware scanning, encryption, messaging scanning, image classification or new anti-spam technologies. In such a situation, the only option for appliance customers is to bite the bullet and upgrade to a new system. Going down the appliance route also opens up the possibility of hardware failures, which can be very expensive and may leave a company exposed while a replacement appliance is shipped in. Conversely, if there is a hardware failure with the server hosting a software-based solution, there should be minimal downtime The time during which a computer is not functioning due to hardware, operating system or application program failure. . Either the software can be running in a load-balanced, failover configuration on two (or more) servers which means no downtime at all, or it can be swapped onto another box and be up and running again in less than two hours. Hardened O/S Another perceived strength of appliances is that they generally have a hardened operating system operating system (OS) Software that controls the operation of a computer, directs the input and output of data, keeps track of files, and controls the processing of computer programs. which protects the appliance from common vulnerability exploits. This is certainly a valid security practice. Most viruses and spyware in the wild are designed to exploit vulnerabilities in desktop versions of popular Windows operating systems Operating systems can be categorized by technology, ownership, licensing, working state, usage, and by many other characteristics. In practice, many of these groupings may overlap. . So, using another operating system theoretically makes you less susceptible to infection. However, there are still viruses in the wild for other operating systems such as Linux, which is popular with some of the appliance vendors. But more importantly, the argument for hardened operating systems is somewhat overblown o·ver·blown v. Past participle of overblow. adj. 1. a. Done to excess; overdone: overblown decorations. b. . Microsoft provides exhaustive information for free on how Windows operating systems on dedicated application servers can be locked down and hardened, and it is relatively easy to do. Conclusion The perception that appliances are the holy grail of email content security solutions is changing rapidly. The risk of downtime and the potential lag between new vulnerabilities and the ability to install dedicated appliances to counter them is forcing many companies to re-evaluate their choices. Customers looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. easy-to-use, flexible, scalable and cost-effective email content security products with a good ROI (Return On Investment) The monetary benefits derived from having spent money on developing or revising a system. In the IT world, there are more ways to compute ROI than Carter has liver pills (and for those of you who never heard of that expression, it means a lot). are realising that software solutions can often be a better bet for the long term. www.marshal.com |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion