Why small businesses need firewalls

I have been spending time this week at a small media company called Mercury Labs. Despite their name, they don’t normally test anything, but ironically that is what I have been doing there. I was testing a bunch of integrated network security devices for Network World. These devices cover what is called unified threat management, but you can think of them as network firewalls with additional features, such as scanning incoming and outgoing traffic for viruses and spam, blocking phishing URLs, and setting up a secure virtual private network connection for when you are on the road. I’ll call them advanced firewalls here for convenience.

I have a long history of testing these tools. Almost seven years ago, one of the Techtarget publications had me looking at them for larger enterprises, and I went out to the central IT department at Stanford University to put them through their paces. This time around, I wanted to find a small business site for the tests that I was going to be doing for Network World. That’s why I was over at Mercury this past week.

They have about 10 Macs connected to an Apple Airport, which is the center of their network, providing IP addresses, wireless connections and a shared hard drive to the entire office. The Airport is attached to a cable modem and the Charter broadband network.

Wait a minute. Don’t you need a firewall if you are going to connect your network to the badass Internet? Yes, and Mercury knew they were taking chances. A firewall is the basic separation between your network and the Internet: it decides which connections are allowed in and out, and that is what keeps the bad guys from getting inside your network and causing havoc. That is why they were the perfect testing site. They were vested in my review and what I would find out about these products and their specific needs.

Interestingly, it isn’t just small businesses that don’t have firewalls. When I arrived at Stanford, the central network didn’t have any either. Partly that was because of some odd notion of academic freedom, but back then they realized they had to get better protection. Ironically, while I was doing my tests there we saw someone try to reach out from Germany one morning. Luckily, they had other defenses that prevented them from doing any damage, but it emphasized the reason why I was there testing these products. And coincidentally, when we brought up the advanced firewalls at Mercury, we could see all the network traffic where folks were continually scanning and looking for ways to enter their network too. It was a sobering illustration of why these products are essential.

When I first arrived on scene, I went into their phone closet where I tried to suppress a gasp. Yep, this was your typical small business: part storage room, part cable jungle, and mostly a mess. It was clear that trying to figure out the network topology was going to be a challenge, and my first act was to leave everything alone.

Inside the closet were two small gigabit switches from D-Link that looked like they had been around since the days of DOS. This worried me, but since things were working, I wasn’t too concerned. Yet.

One of the vendors that was part of the test insisted on sending a product engineer to help with my testing, and I am sure glad that he was there. When we cut over to his device instead of the Airport, things initially went south. Turns out we found a bug in their firmware. Once that was fixed, all of the wireless Macs were quickly brought up on the network behind the new firewall. But the wired Macs had trouble connecting. It took a few reboots before we got everyone back on board. It was ironic that the wireless portion of their network was easier to bring up than their wired portion. That was thanks to the wonky cabling in the closet.

So what are some takeaways from this experience?

If you are running gigabit Ethernet to your desktops, make sure your cable plant is up to snuff. Part of my problems had to do with the older cables used to connect things in their wiring closet. There is a difference between Cat5 and Cat5e: Cat5e is the grade rated for gigabit Ethernet, and older Cat5 runs may or may not cope with it, so expect intermittent trouble if you want to run the faster networks these days. Make sure you are using the right cables.

Disconnect any unused wired ports in your office, or shut them down in the switch configuration, so that a stray laptop plugged into an empty wall jack doesn’t land on your LAN. This is just basic security practice, but it bears repeating. And if your wiring contractor hasn’t done so, label your ports in the walls and in your closet so you can track things down more easily.

Understand the limitations of your core network gear, including switches, routers, firewalls, and wireless access devices. Your network installer should explain these things in terms that you can understand.

Have a separate guest network with the appropriate security measures. At a minimum that means guests are isolated from your internal LAN and your shared drive, not just handed a different wireless password. The Mercury folks were using the Airport guest network features, which were bare bones. One of the reasons they wanted to go to the advanced firewall was to provide better protection from their frequent guests and contractors who were going to be connecting in their offices.

Oh, and what happened with my review for Network World? Well, you will have to wait and read about it in their pages. I can tell you that I learned some interesting things about all the products that I tested.

The future of IAM according to Gartner’s Earl Perkins

Earl Perkins, the Gartner IAM analyst, spoke today at SailPoint’s Navigate conference about the future of the technology. He covered how businesses are evolving to get the most out of managing their collections of identities. One item was his opinion on how some IAM projects fail because “IT tries to find a group to stick an IAM project onto and justify its own purchase. Projects stall because they are poorly planned out, or because IT didn’t get an executive level sponsor who gets what they are trying to do. It is also difficult to measure an IAM program’s success.”

Despite these obstacles, IAM is becoming more of a business decision, where a few years ago it was mired exclusively in the tech area. “We have moved beyond handling simple compliance justifications into a new realm, where we are more concerned about the aspects of risk management. People are ready for that now, and its time has come,” he said during his presentation.

What does this mean? Take the use case of BYOD, and the issues around which devices IT should bless and manage for the enterprise. This comes down to evaluating the relative risk of various IT actions. “BYOD is really a risk issue: how much risk as an enterprise are you willing to accept for the number of devices you are willing to support?” Perkins says it really doesn’t matter what the eventual decision is, because ultimately the enterprise is going to pay for the consequences one way or another. Instead of hiding one’s head in the sand, IT should “embrace mobiles because the business has spoken.” Instead of anointing particular devices, he says enterprises should be “willing to divide up their support into different trust and service levels. This is all part of having the right corporate culture which needs to be able to have conversations about relative risk.”

Perkins had some good advice for IT: “make it a business decision and remove the passionate and emotional arguments. Then it just becomes a math problem.”

Perkins picked several emerging trends:

  • Cloud options are beginning to mature, grow in scale, and become more numerous and varied in their support options too.
  • Greater support for new mobile identity options is increasing demand for integrated asset management.
  • IAM is moving into more analytics and integrating with Big Data approaches. “We still suck at what data we need to collect as we move through the IAM process,” Perkins said during his presentation.
  • Socialization of data is expanding the various options available to enterprises. He mentioned today’s SEC ruling that allows public companies for the first time to mention news using social media channels.
  • As IAM matures, processes and organizations are finding new uses for it and it is becoming more mainstream. He did say that part of this maturation is that eventually the customization demands for IAM will decrease.

You can also read some of the things Perkins has written about the future of IAM on Gartner’s blog here.

Time to clean up your identity data

At the SailPoint user conference this week, I heard from many people who run IT at large retail banks. One thing they have in common is too many places that store their users’ identities. In some cases, they have to first filter their Active Directory data into a spreadsheet to make sense of who has what rights to which particular datasets. That is just insanity. It may be time to start to clean up your identity data.

SailPoint’s customers should know about these sorts of problems. The company sells identity governance and management software to some pretty big companies: SailPoint is installed at the world’s largest bank, the world’s largest insurance company, the world’s largest packaged goods company, the world’s largest oil company, and the world’s largest food services company. Do you detect a trend here?

Many of these large corporations have had a hard time getting a handle on where they store their identity information. For example, one customer has more than 65,000 employees and another 20,000 or so contract workers. For the employees, they have minimal information in Active Directory, and most of the personal data is stored in their ERP system. That is fine, but the opposite is the case for the contractors: their personal data is mostly in AD, with just the barest of details in the ERP system. And just when you get your head around that, they also have several spreadsheets that sit on various managers’ desktops that are manually maintained. That is a disaster waiting to happen.
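The split described above (employees recorded in the ERP system, contractors recorded mostly in Active Directory, and manager spreadsheets on top of both) is exactly the situation a first clean-up pass has to reconcile. The following is an added example, not SailPoint’s code or anything shown at the conference: it cross-checks three constructed exports (an AD export, an HR/ERP export and a manager’s spreadsheet; the column names and sample logins are assumptions) and reports the kinds of inconsistency that turn into audit findings.

```python
import csv
import io
from datetime import date

# Constructed Active Directory export (not real data): one line per account,
# with the groups that actually grant access. Column names are assumptions.
AD_CSV = """sAMAccountName,employeeType,enabled,memberOf
jsmith,employee,True,FinanceReaders;VPNUsers
mchan,employee,True,FinanceAdmins
ajones,contractor,True,FinanceReaders;FinanceAdmins
blee,contractor,True,VPNUsers
svc_backup,,True,FinanceAdmins
"""

# Constructed ERP/HR export: employees are recorded fully, contractors barely,
# and blee does not appear at all.
ERP_CSV = """login,type,status,end_date
jsmith,employee,active,
mchan,employee,terminated,2013-01-15
ajones,contractor,active,2012-12-31
"""

# Constructed manager's spreadsheet: which groups each contractor was approved for.
SHEET_CSV = """login,approved_groups
ajones,FinanceReaders
blee,VPNUsers
"""


def parse(text, key):
    """Load a CSV export into a dict keyed on the login column."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(ad_text=AD_CSV, erp_text=ERP_CSV, sheet_text=SHEET_CSV,
              today=date(2013, 4, 1)):
    """Cross-check the three stores and return sorted (login, finding) pairs.

    orphan              enabled AD account with no HR record at all
    type_mismatch       AD and HR disagree on employee versus contractor
    terminated_enabled  HR says terminated, the AD account is still enabled
    expired_enabled     contract end date has passed, account still enabled
    unapproved_group:G  a contractor holds group G that no manager approved
    """
    ad = parse(ad_text, "sAMAccountName")
    erp = parse(erp_text, "login")
    sheet = parse(sheet_text, "login")
    findings = []
    for login, acct in ad.items():
        enabled = acct["enabled"] == "True"
        groups = {g for g in acct["memberOf"].split(";") if g}
        hr = erp.get(login)
        if hr is None:
            # Service accounts and forgotten contractors both land here.
            if enabled:
                findings.append((login, "orphan"))
            continue
        if hr["type"] != acct["employeeType"]:
            findings.append((login, "type_mismatch"))
        if hr["status"] == "terminated" and enabled:
            findings.append((login, "terminated_enabled"))
        elif hr["end_date"] and enabled \
                and date.fromisoformat(hr["end_date"]) < today:
            findings.append((login, "expired_enabled"))
        if hr["type"] == "contractor":
            approved = set(sheet.get(login, {}).get("approved_groups", "").split(";"))
            for g in sorted(groups - approved):
                findings.append((login, "unapproved_group:" + g))
    return sorted(findings)


if __name__ == "__main__":
    for login, finding in reconcile():
        print(f"{login:12s} {finding}")
```

Note that the contractor who is missing from the ERP system entirely (blee) shows up as an orphan even though a manager’s spreadsheet vouches for him: the spreadsheet is not a system of record, and the clean-up should give every account one authoritative source before anyone tries to certify access.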

One way to deal with this is what Gartner identity analyst Earl Perkins suggests: lose the IT-only mindset. “Stop talking about identity management as an IT problem and start talking about it as a business problem.” Make identity issues more visible to business-unit managers, so they can see the value of having a good identity governance process that can benefit their own bottom lines.

But given that the average identity management tool is a six-figure sale, you also need top-down support: getting your board and upper management in on the deal is absolutely essential.

Certainly, figuring out how many HR and other databases you really have can be tedious, especially if you are a large multinational with dozens of business units scattered all over the planet. One large bank has spent the past decade acquiring smaller banks on every continent, with the result that what started in North America with a predominantly English-speaking staff now has almost as many Spanish speakers in pockets around the world, and each acquisition added its own people and systems to the count.

Retailers have a large influx of temporary workers towards the end of the year, when they hire up for the holiday shopping season. But the time to clean this up is now. Don’t wait until year end, when it is too late to start on a project like this. As one of the conference presenters said, “The drama among IT, info security and the business units can be overwhelming if you don’t have good identity management in place.” Truer words were never spoken.

Solution Providers for Retail: Time to Clean Up Your Identity Data

At the SailPoint user conference this month, I heard that one common problem retailers have is too many places that store their users’ identities. In some cases, they have to first filter their Active Directory data into a spreadsheet to make sense of who has what rights to particular datasets. That is just insanity.

It may just be time to start to clean up your retailers’ identity data. You can read more about what I have to say and what I heard at the conference on my post for the Solution Providers for Retail blog here.

Blogger in residence at SailPoint’s Navigate user conference

One of the more fun gigs I have is being the blogger on the ground during an event, and posting commentary and analysis in near-real-time on the sponsoring company’s blog. Today I am in Austin, along with a few hundred other identity geeks from the world’s largest companies at the SailPoint Navigate13 user conference. You can read my posts here on SailPoint’s blog:

And this article:

  • How do you future-proof your business?

At the Navigate opening session today, SailPoint CEO Mark McClain spoke about how to future-proof your IAM. He mentioned several tenets that the company keeps in mind while rolling out new products and Web services. First, it has to have a consumer-grade user interface that is dirt simple, with friendly UIs and nothing to learn. Second, it should build in governance from the start, making use of the access roles and policies that have already been created elsewhere in the enterprise. This is indeed how SailPoint has built its business over the years. “Anything we build should have a range of built-in analytics too.” Next, it should function across the entire applications domain, spanning public and private clouds and handling all on-premises servers, too.

In addition to this work, I also have written this about what I saw at the conference:

Top ten security stories of last week

Over at Dice.com, I manage the security community where I curate each week my favorite stories in the IT media, blogs, and news sites. Here is my list for last week’s stories, in no particular order.

Time to Stop Sweethearting

 

As we move into February, our thoughts turn towards the 14th and celebrating our sweethearts. But one place where sweethearts aren’t welcome is in the retail store checkout lane. There the term refers to checkout clerks who act as confederates and let shoppers walk out with merchandise they haven’t paid for.

As more retailers deploy self-checkout lanes, the temptation to steal goods increases markedly. As someone who tries to use the self-checkout in my local grocery store, I can report that I have done this on occasion but not deliberately: just because the self scanning machines can be so agonizingly frustrating to use.

Sweethearting can be found in any retail establishment, and stopping it isn’t easy. Checkout clerks can skip ringing up a particular item or items, override the scanned price with something lower, or scan only one item in a group. All it takes is a fraction of a second and a nod of the head, and your items are literally walking out the door, free of charge.

Some analysts state that the practice racks up more than $13 billion of annual losses worldwide, with more than 40% of all checkout clerks doing it at one time or another during their employment. That’s not just a bunch of candy hearts and chocolates! Indeed, the more that stores investigate the practice, the more they find that pretty much all kinds of items are stolen through sweethearting.

 

In the past, detection was mostly behavioral: very observant loss prevention personnel watched for personal interactions between clerks and customers, or examined the sales volumes per employee. But these methods are inexact and not very dependable.

So technology has a better mousetrap, or should I say candy trap? A variety of computer vision vendors are involved in selling anti-theft systems, including StopLift.com, 3VR.com and Brickstream. All three sell through the channel. The systems coordinate recorded video images with analysis of the checkout lane actions, and discover when an item hasn’t been scanned properly or when a clerk has overridden the posted price.

As an example, the StopLift ScanItAll product is set up to monitor the video feed from the store security cameras, looking at the interaction between shoppers and their intended purchases. It then flags suspicious transactions for the loss prevention department to review, identifying the specific cashier and the date and time of the incident. Users of the system can jump to specific incidents in the video, or click on a transaction receipt and call up the relevant video stream around that transaction. And everything is Web-based, so you don’t need anything besides a browser to use it.

In places where these systems have been deployed, retailers report that the losses from sweethearting have been eliminated almost completely. Part of the success is that people know they are being watched, but certainly a bigger part is that you can get actionable data quickly on thefts.

So enjoy your valentine, and think about taking a closer look at these technologies to have in your retail security portfolio.

 

Managing your reputation

[Screen capture: Norse IP-Venger console, referred to below]

On the Internet, no one knows you are a dog, but they certainly know your IP address. And there are a growing number of reputation management products that can track your address, interpret what you have been doing with it, and pre-screen your traffic if you are abusive. This is like stopping junk mail when the sender delivers it to the local post office before it enters the mail stream.

These services all operate the same way: the vendor deploys a bunch of sensors, either at customer sites or at major Internet peering points, where they can examine traffic that is passing by. Each sensor screens for malware behavior, known virus signatures, spam and other anomalous actions, and reports the source addresses back to the vendor, which assigns each address a reputation score. Your own firewall or intrusion prevention device then consults those scores and blocks traffic from addresses with a bad reputation before it gets any further. One caveat: an address is not a person. Consumer addresses get reassigned, and many hosts sit behind a single NAT address, so a good service ages its scores and a good administrator keeps an exception list for the false positives.

These services aren’t new, but they are getting more popular as they get more effective. Being proactive can save a lot of time, a lot of bandwidth, and provide a lot of protection before the bad stuff hits your corporate network.

When I was doing some work last month at Cisco with their intrusion prevention products, I saw how just turning on their reputation management tool (called Global Correlation) would stop more traffic than creating any other protection rule. It is a delicate balance. If you don’t have many malware signatures enabled, more traffic will slip through that sensor and will hit the reputation sensors and be blocked there. You have to ensure that both types of sensors work together to provide the best possible network threat protection.
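To make the two points above concrete (how sensor observations become a per-address score, and how the signature and reputation sensors share the load), here is an added example, not code from Cisco, Norse or any other vendor on this page. The sensor reports, the two payload signatures and the sample traffic are all constructed; the weights and the one-week half-life are assumptions.

```python
import math
from collections import defaultdict

# Constructed sensor reports (not from any real service): (source IP,
# what the sensor saw, how many days ago). A real service collects these
# from sensors at customer sites and peering points.
SENSOR_REPORTS = [
    ("203.0.113.5", "malware", 0),
    ("203.0.113.5", "spam", 1),
    ("203.0.113.5", "spam", 2),
    ("198.51.100.9", "scan", 20),
    ("192.0.2.77", "spam", 90),
]

EVENT_WEIGHT = {"malware": 10.0, "spam": 3.0, "scan": 1.0}
HALF_LIFE_DAYS = 7.0   # assumption: evidence loses half its weight per week


def reputation(reports=SENSOR_REPORTS):
    """Score each reporting source from 0 (no bad history) to 100 (hostile).

    Evidence decays with age, so an address that cleans up its act recovers
    instead of staying blocked forever. That matters for addresses that get
    reassigned or that front a NAT with many hosts behind it.
    """
    raw = defaultdict(float)
    for ip, kind, age_days in reports:
        raw[ip] += EVENT_WEIGHT[kind] * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return {ip: 100.0 * (1.0 - math.exp(-s / 5.0)) for ip, s in raw.items()}


# Constructed payload signatures, standing in for an IPS rule set.
SIGNATURES = {
    "sqli-or-1-equals-1": b"' OR 1=1",
    "nop-sled": b"\x90" * 8,
}

# Constructed inbound traffic: (source IP, destination port, payload bytes).
SAMPLE_TRAFFIC = [
    ("203.0.113.5", 25, b"HELO friendly.mailer\r\n"),           # hostile source, benign bytes
    ("203.0.113.5", 80, b"GET /?id=1' OR 1=1-- HTTP/1.1\r\n"),  # hostile source and a signature hit
    ("198.51.100.9", 443, b"\x16\x03\x01\x00\xa5"),              # one old scan report: allowed
    ("192.0.2.77", 80, b"GET / HTTP/1.1\r\n"),                   # spam report has aged out
    ("198.51.100.200", 80, b"POST /upload " + b"\x90" * 8),      # unknown source, signature hit
]


def screen(traffic=SAMPLE_TRAFFIC, signatures=SIGNATURES, scores=None, threshold=60.0):
    """Run the signature sensor first, then the reputation sensor.

    Returns one (source, verdict, reason) per packet, where reason is the
    signature name, "reputation", or None for allowed traffic.
    """
    scores = reputation() if scores is None else scores
    verdicts = []
    for src, _port, payload in traffic:
        hit = next((name for name, pattern in signatures.items() if pattern in payload), None)
        if hit:
            verdicts.append((src, "drop", hit))
        elif scores.get(src, 0.0) >= threshold:
            verdicts.append((src, "drop", "reputation"))
        else:
            verdicts.append((src, "allow", None))
    return verdicts


def dropped_by(verdicts):
    """Count drops per stage, to see how load shifts between the two sensors."""
    counts = {"signature": 0, "reputation": 0}
    for _src, verdict, reason in verdicts:
        if verdict == "drop":
            counts["reputation" if reason == "reputation" else "signature"] += 1
    return counts


if __name__ == "__main__":
    print("full rule set:", dropped_by(screen()))
    print("no signatures: ", dropped_by(screen(signatures={})))
```

Running it with the full rule set drops two packets on signatures and one on reputation; running it with the signatures switched off drops two on reputation and lets the unknown source with the NOP sled straight through, which is the balance the paragraph above describes: the reputation sensor catches what the signature sensor does not, but it only knows about addresses it has already seen misbehave.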

There are several ways to get more familiar with reputation management. The easiest way to see what kind of information is being collected is to go to one of the reputation service management tools online. Cisco has its Senderbase.org, McAfee has its Trustedsource.org, and CommTouch.com has a third service. All are places where you can lookup particular domains and IP addresses and research what kinds of reputations they have and what traffic each vendor has observed coming from these domains. You can watch a screencast video that I did for McAfee from four years ago that shows how to use these services.

That is fine for one-off kinds of queries, but if you want to implement this type of protection on a consistent basis you will have to purchase a network security device. This typically involves using an intrusion prevention or unified threat management product from one of many vendors that build in reputation awareness. Apart from the usual suspects like Cisco, Blue Coat, Websense and others, there are a few other vendors on the landscape worth a closer look. These include Network Box, Alien Vault and Norse Corp.

Network Box is a managed UTM box that works with its own collection of malware sensors spread across the Internet and runs more than a dozen different anti-virus scanning engines. One nice feature is that the product is geared towards VARs and managed service providers. I did a screencast video review that shows how it works.

Alien Vault’s Open Threat Exchange is building an open source intrusion detection system with built-in reputation management. They claim to have more than thirty different products that are part of the collection process.

Norse Corp. has two different products that can be deployed in this arena, IP-Venger and IP-Viking. Both make use of a very wide global sensor network to monitor and block threats. The IP-Venger service is a WordPress plug-in so you can stop malicious traffic and spammers proactively. I had some trouble with its beta version but it looked promising. A screen cap of its console is shown above.

As I said, this isn’t a new area, but one worth exploring if you aren’t familiar.

Solution Providers for Retail: A Better Firewall Can Help Protect Your Retailer’s Network

In the past, if you had a problem on your network, you had to look through mountains of log data with lots of patience and skill. If you wanted to figure out if your clients were spending too much time checking their Facebook accounts, or if they have sufficient network bandwidth to handle video conferencing, or why certain business apps were slowing down recently, it was an effort. Today’s retail business is more online and uses more connected applications, and that means finding a better firewall and knowing how to use it. And if you can develop this particular practice, you can become a trusted advisor and add value to your consulting services that you offer your clients.

The firewalls of yesteryear were relatively simple devices: you specified a series of rules that listed particular ports and protocols, and whether you wanted to block or allow network traffic through them. That worked fine when applications were well behaved and used predictable ports, such as file transfer on ports 20 and 21 and email on ports 25 and 110. Those days seem like a fond memory now. With the rise of Web-based applications, port and protocol alone no longer tell you what is going on. Everyone is running their apps across ports 80 and 443, so a rule that allows 443 lets through your mission-critical SaaS application and someone’s rogue peer-to-peer file service tunnelling over the same port, and you cannot tell the two apart without looking inside the connection.

The newer firewalls from Cisco, Intel/McAfee and Palo Alto Networks can gather deeper insights because they are application-aware. They identify applications from the traffic itself (hostnames, protocol handshakes and payload patterns) rather than from the port number, understand the way applications interact with the network and the Internet, and can report back to you in near real time with easy-to-read graphical representations of your network traffic.

Here is an example from Cisco’s ASA CX firewall configuration screen. You can see that there is a lot of granularity when it comes to monitoring and controlling how your users interact with Facebook, just one of thousands of applications that it can handle.

Palo Alto Networks has its Applipedia reference, with more than 1500 application behaviors catalogued. You can look up whether an app is prone to misuse, can evade standard firewall ports, or is used by malware.

Another aspect of advanced firewalls is being able to look at changes to the network and see what the root causes were, or the time-series effects as your traffic patterns differ from when things were working yesterday and are broken today. Finally, you want to drill down to particular users, or particular aspects of an application, such as allowing all users to read their Facebook wall posts but not send out any Facebook messages during working hours. (Not to keep picking on them, but they are a nice illustration.)
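The difference between the port-based rules described a few paragraphs back and the application- and action-level policy just described is easiest to see side by side. The following is an added example, not configuration from Cisco, McAfee or Palo Alto Networks: it evaluates six constructed flow records (the field names, hostnames and hours are assumptions) against a port-based rule set and against an application-aware one, where the application is named from the TLS server name or HTTP host rather than from the destination port.

```python
# Constructed flow records (not captures from any product): what a firewall
# has after decoding the first packets of each connection. "sni" is the TLS
# server name, "method" the HTTP method if the request was visible, "hour"
# the local hour the connection started. Field names are assumptions.
FLOWS = [
    {"src": "10.0.0.5", "dport": 443, "sni": "crm.example.com", "method": "POST", "hour": 10},
    {"src": "10.0.0.6", "dport": 443, "sni": "www.facebook.com", "method": "GET", "hour": 11},
    {"src": "10.0.0.6", "dport": 443, "sni": "www.facebook.com", "method": "POST", "hour": 11},
    {"src": "10.0.0.6", "dport": 443, "sni": "www.facebook.com", "method": "POST", "hour": 20},
    {"src": "10.0.0.7", "dport": 443, "sni": None, "method": None, "hour": 12, "tls": False},
    {"src": "10.0.0.8", "dport": 6881, "sni": None, "method": None, "hour": 12},
]

# Yesterday's firewall: a port and a verdict, first match wins.
PORT_RULES = [(80, "allow"), (443, "allow"), ("*", "deny")]

# Application signatures: hostname suffix -> application name.
APP_SIGNATURES = {"crm.example.com": "crm", "facebook.com": "facebook"}

# Application-aware rules, first match wins. A key that is absent matches anything.
APP_RULES = [
    {"app": "crm", "action": "allow"},
    {"app": "facebook", "method": "GET", "action": "allow"},
    {"app": "facebook", "method": "POST", "work_hours": True, "action": "deny"},
    {"app": "facebook", "method": "POST", "action": "allow"},
    {"action": "deny"},   # unknown or unclassifiable traffic is dropped
]
WORK_HOURS = range(9, 18)


def classify(flow):
    """Name the application from what the flow carries, not from its port."""
    host = flow.get("sni") or flow.get("host")
    if host:
        for suffix, app in APP_SIGNATURES.items():
            if host == suffix or host.endswith("." + suffix):
                return app
        return "unknown-web"
    if flow["dport"] == 443 and not flow.get("tls", True):
        return "non-tls-on-443"   # something tunnelling through the open port
    return "unknown"


def port_policy(flow):
    """Verdict from the port-based rule set."""
    for port, action in PORT_RULES:
        if port == "*" or port == flow["dport"]:
            return action


def app_policy(flow):
    """Verdict from the application-aware rule set, with the app it matched."""
    app = classify(flow)
    for rule in APP_RULES:
        if "app" in rule and rule["app"] != app:
            continue
        if "method" in rule and rule["method"] != flow.get("method"):
            continue
        if rule.get("work_hours") and flow["hour"] not in WORK_HOURS:
            continue
        return app, rule["action"]


def compare(flows=FLOWS):
    """Return (application, port-rule verdict, app-rule verdict) per flow."""
    return [(classify(f), port_policy(f), app_policy(f)[1]) for f in flows]


if __name__ == "__main__":
    for app, by_port, by_app in compare():
        print(f"{app:16s} port rules: {by_port:5s} app rules: {by_app}")
```

The port-based rules allow five of the six flows, including the Facebook post during working hours and the connection on 443 that is not TLS at all; only the BitTorrent-style port gets blocked, and that only because it was not on the allow list. The application-aware rules block the working-hours post and the non-TLS traffic on 443 while still allowing reading Facebook and posting after hours, which is the kind of policy the paragraph above describes.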

The goal is to quickly learn about your client’s traffic patterns and translate them into implemented and useful policies. Most of the newer firewall products offer this ability, but you will want to check out how easy it is to create and modify a policy from the automated start-up wizards that they provide. In some cases, you will need to use command-line parameters to fine-tune the policies that are created by the wizards.

Another good place to start is to read up on what OWASP (the Open Web Application Security Project) has published here. It is an open, nonprofit community of Web security developers and vendors who have tried to put down in one place what you need to know to build the best possible Web applications and protect them from harm. They have a comprehensive vendor list, a collection of best practices, the “top ten” list of attacks that you can use to harden your own applications and an evaluation guide. Keep in mind that OWASP’s firewall material is about Web application firewalls, which sit in front of your client’s own Web applications; that is a different job from the application-aware network firewalls discussed here, and your client may well end up needing both.

Finally, when you are ready to spec out a unit for your client, look closely at how much inbound and outbound capacity you need. Firewall vendors offer different-sized models to match your bandwidth and throughput requirements. What will these firewalls cost? Most of them start somewhere north of $20,000. While this seems steep, given the consequences of an exploit raging through your client’s network, it could be money well spent.