Trust but verify: understanding online seals of approval

Most of us know by now that the online world is full of fakers: phishing sites set up to look like your bank’s, come-on emails filled with nasty links that will turn your PC into a zombie for someone else’s control, disinformation Web sites for pleasure (such as the fake accounts for BP and AT&T Wireless on Twitter that have recently been created) or pain (such as fake sites supporting particular candidates that were created by their opponents).

So, when you go online to buy something or get expert advice, you probably know the drill by now. Don’t click on any link that someone emails you; instead, type the address into your browser yourself. Look for a secured site with HTTPS if money is changing hands. Find a trusted seal at the bottom of the page. Check a domain’s whois information to see who the registered site owners actually are. Check your browser to make sure it has been set on stun to warn you when you visit a phishing site.

Oh, for those easy days in the mid-1990s when the net was so naïve.

Despite all these efforts, you can still find untrustworthy sites that meet all of the above criteria. And it isn’t just because of the internal (and eternal) cynic in me, but because there are lots of folks out there who want to grab your clickstream or take advantage of you in some very subtle ways.

For example, look at DrugWatch.com, a site my sister sent my way last week that has information on all sorts of drug interactions. It looks legit: it has a seal of approval from a Swiss entity called Health On the Net (hon.ch), and it even has more information about who actually owns the site, a Florida law firm.

My antennae started quivering as soon as I started scrolling around. I had never heard of this seal of approval, and was suspicious. I mean, Switzerland? Hmm, law firm, let’s Google them, and we find out they have been in the lead on a lot of medical liability issues. So they assemble this site on drug interactions, have an open phone line for people to call, and collect potential litigants for lawsuits. Oh, and they have obscured their whois information too.

I haven’t spent enough time on Drugwatch to determine if it is net net good or bad. But what is clear is that the entire online medical world is a true snake pit, with many nasty surprises that lurk, even for a rather aware and cynical sort. As another example, let me pose two questions and see how you answer them:

  • First, how many legit online pharmacies are there that will sell you medicines that you can trust?
  • Second, how many others are out there that are fakers?

The answer to the first isn’t that hard to figure out. You go to vipps.nabp.net and enter the URL to verify it. There are fewer than 30 of them. When I did a report for MarkMonitor, which looks at domain reputation management among other things, I was surprised to find this out. The total number of fakers is in the hundreds, if not thousands by now.

Yes, there are some good programs that try to keep up with the bad guys by providing independent seals of approval, such as those from the Better Business Bureau or Truste. But even if a site displays a real seal of approval, it can still be a case of trying to trick you. Te Smith from MarkMonitor told me: “Fraudsters are clever. They have been known to post ‘seals’ on their own sites, sometimes even generating pop-up windows that supposedly show the ‘official site’ when the consumer clicks on the link. In these cases, of course, the pop-up is taking the consumer to another area of the fraudster’s site where info about the seal is being mimicked.”
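The trick Smith describes, a seal whose link never leaves the fraudster’s own site, can be caught mechanically. The following is an added example, not code from the original post or from any seal issuer: it checks that a seal’s link goes to the issuer’s own verification host over HTTPS and not back to the site being vouched for. The issuer host table and the shop.example site are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed table: which hosts each seal issuer's verification page lives on.
# hon.ch and vipps.nabp.net are mentioned in the post; the exact host list is
# an assumption for illustration, not an official list from the issuers.
SEAL_VERIFIER_HOSTS = {
    "hon": ("hon.ch",),
    "vipps": ("vipps.nabp.net",),
}


def host_matches(hostname: str, allowed: str) -> bool:
    """True if hostname equals `allowed` or is a subdomain of it.

    Labels are compared whole, so 'hon.ch.shop.example' does not match
    'hon.ch' even though it contains that string (a plain substring test
    would be fooled by exactly this kind of look-alike)."""
    hostname = hostname.rstrip(".").lower()
    allowed = allowed.rstrip(".").lower()
    return hostname == allowed or hostname.endswith("." + allowed)


def seal_link_is_genuine(page_url: str, seal_href: str, issuer: str) -> bool:
    """A seal only means something if clicking it leaves the vouched-for site
    and lands on the issuer's own verification host over HTTPS."""
    link = urlparse(seal_href)
    # Relative links, javascript: pseudo-URLs and plain HTTP are not verifiable.
    if link.scheme != "https" or not link.hostname:
        return False
    page_host = urlparse(page_url).hostname or ""
    # The link stays on (or under) the site being vouched for: it is the
    # "pop-up to another area of the fraudster's site" pattern.
    if page_host and host_matches(link.hostname, page_host):
        return False
    # Otherwise it must land on one of the issuer's known verification hosts.
    return any(host_matches(link.hostname, h)
               for h in SEAL_VERIFIER_HOSTS.get(issuer, ()))


if __name__ == "__main__":
    # Constructed sample: a shop page carrying an HON-style seal.
    page = "https://shop.example/"
    for href in ("https://www.hon.ch/HONcode/Conduct.html",
                 "https://shop.example/seal-popup.html",
                 "https://hon.ch.shop.example/",
                 "javascript:openSealWindow()"):
        print(f"{href:45} genuine={seal_link_is_genuine(page, href, 'hon')}")
```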

In the final analysis, it pays to be a skeptic. Yes, we all cite Wikipedia as if it were the World Book Encyclopedia, but there are some times when it isn’t true. (Shocking, I know!) And Snopes.com makes for some interesting reading of dozens of old Internet chestnuts that keep coming back in my email, year after year. (That formerly sick kid is still getting so many business cards that the post office no longer delivers them.)

Smith and I both subscribe to the theory that says trust but verify. Because you can’t be too careful.

eSecurityPlanet: 8 Whole Disk Encryption Options

With improvements to Windows 7 BitLocker and with USB drives getting bigger and cheaper (you can get a 64GB drive for not much more than $120), now is the time to take a closer look at whole disk encryption products. If you’ve employed whole disk encryption, then even if your laptop or USB drive falls into the wrong hands, no one besides you will be able to read any of the files stored on it: to access these files you need to enter a password, and without it the data in each file stays scrambled.

I look at eight different whole disk encryption products for this article in eSecurityPlanet.com.

ITexpertVoice: Is It Time to Consider the Cloud for Anti-Virus Protection?

Cloud computing is everywhere these days, but one of the more mundane places is in providing anti-virus/anti-spam endpoint protection. The idea is that you don’t have to worry about your users forgetting to install the latest virus signatures or turning the protection off, or about something like last week’s McAfee fiasco, where a legit file was incorrectly tagged as malware. You can instantly see what is happening across your network and find out which PCs are protected. Cloud-based AV simplifies deploying new PCs, too, because there is less software to install on each one. AV scans happen more regularly, since they are initiated by the cloud service and again don’t depend on individual user behavior. And it costs about the same as, or in some cases less than, traditional desktop AV software.

The cloud AV services all operate the same way: a small agent or client piece of software runs on each desktop and makes a connection to the central monitoring server in the cloud. As long as you have an Internet connection, updates to the virus signatures happen automatically and frequently. The client keeps its memory footprint as small as possible, since most of the heavy lifting, in terms of both protection and processing, is happening in the cloud.

There are two types of services: ones for single PCs that are sold by Microsoft, and ones that are geared towards enterprises that are sold by the major security vendors. The latter typically have a Web-based or some other type of management console to monitor your users’ PCs and see if anything is amiss.

Some of these advantages are neither new nor exclusive to cloud-based AV services: Symantec and others have for several years had client/server AV products which offer many of the same things as a hosted AV service, just with a central server that you have to run on your local area network. The difference is that with a cloud-based service the central server doesn’t have to be maintained by you, and it is also more useful for those occasionally-connected laptops: most central-server AV products require that the server and the laptop be on the same local area network, or connected via a VPN, to perform the updates. If you have a lot of frequent travelers, this could be an issue.

Here are some of the things you should look for:

  • How lightweight is the client really? Check the running programs in Windows (CTRL-ALT-DEL and choose Task Manager) to see how many different executables are installed and how much RAM and system resources each one consumes.
  • How much information is the central management console reporting, and is it meaningful to your situation? In Trend’s case, they charge extra for any console users ($8/year per user); the others include their management console as part of the price tag. Not all consoles are created equal: this is where conducting a free trial is worth the trouble, to see how each service is managed. Things to check include what kinds of reports are available, how the central service alerts you to exploits or potential trouble PCs, and how flexibly the settings for these tasks can be adapted to your particular needs.
  • What protective features does it share with the client or client/server solutions from the same vendor? For example, the Trend TRVprotect shares the same software code base with its desktop OfficeScan product line, and the new Microsoft Intune shares its protective code with their Forefront security services. This can be either a blessing or a curse, depending on what you think of the thick client versions.
  • Does it work on all Windows versions that you have in your shop, or do you need patches or additional software? Some of the services require XP SP3, for example, or other supporting software from Microsoft, to work. Most of the products work with both 32-bit and 64-bit versions and some also work with Windows Server versions, but again this is worth checking. Some want a more recent browser than IE 6 to run the central management console, too.
  • What happens if your users don’t regularly connect to the Internet? All of these products assume a more or less continuous Internet connection to do their business on the desktop for updates and for sending back alerts. Without this, they are pretty useless, since a PC could become infected and not let anyone know for some period of time while it is offline. If some of your end users are infrequently online, you might want to consider a traditional desktop AV solution.
  • What else comes with the service besides AV? Some of these products offer separate add-ons to include email scanning, OS patching, Web site phishing protection and desktop firewalls. The Microsoft products, for example, are tied into the Windows Update process, as you would expect. Panda has a confusing array of cloud-based service offerings that could be better explained on their Web site.
  • Do they really offer zero-day protection? One of the potential benefits of the cloud AV services is that they can get an update out very quickly, in some cases just in time for any new threats that have been observed. It is worth looking at how often they update their protection signatures too.
  • Finally, what does it all cost? Each product has quantity site discounts, but in some cases you can save money over purchasing the desktop versions.

Single point of failure

I spent last week visiting a data center tucked into an anonymous office park in Champaign, Ill. The data center is operated by Amdocs, a company that makes its money doing managed back office applications for telecom companies, such as Sprint, Metro PCS, and others. The visit was part of a general press briefing about what Amdocs is doing, but the term “single point of failure” kept coming up.

If you are going to host apps for telecom vendors, you have to know what you are doing in terms of providing uptime. You need redundant everything, from the plug that a router connects to for power to the backup of the backup diesel generator that has to fire up when you lose main AC power from the utility.

Actually, the most impressive part of the tour was the empty “situation rooms” that Amdocs has built. They are empty because there wasn’t any crisis going on – each room is dedicated to a particular customer and is where the account team gathers when they have a problem to work on. Think “24” but with far nerdier people. And that brings up a good point: what is the rest of CTU doing to protect the other 300 million of us that aren’t directly threatened by the current plot? All the action is happening on the main stage. But I digress.

I started thinking about other IT managers I have met over the years who haven’t completely thought through this issue.

There was one manager at a very large financial services firm near Washington DC that I interviewed a few years ago. Gazillions of dollars a day pass through its computer networks, and as you might imagine the firm had three Internet providers – not just two, but three – to provide connectivity. Each provider had a separate path and pole for its line from the firm’s server room. Well, that sounded all well and good until the day that a truck collision happened in the Baltimore Harbor Tunnel – a main north-south artery about 50 miles away. Trouble was, all three of the Internet providers’ lines went through that tunnel, and the firm was offline from the Internet until they got things re-routed. Now they have four Internet providers, and they got them to share their route maps (try doing this with yours, and good luck) to make sure there was no single point of failure.
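Once you do get the route maps, the check the firm needed is a mechanical one. The following is an added example, not the firm’s or anyone’s actual tooling: given each provider’s ordered list of physical segments, it finds every segment whose failure leaves fewer surviving providers than you require, and it goes beyond the story by letting you ask for more than one survivor. The route maps and segment names are constructed for illustration.

```python
# Constructed route maps: for each provider, the physical segments (poles,
# conduits, tunnels, points of presence) its circuit passes through on the
# way out of the server room. Names are made up for illustration.
THREE_PROVIDERS = {
    "provider-a": ["pole-north", "main-st-conduit", "harbor-tunnel", "pop-a"],
    "provider-b": ["pole-south", "main-st-conduit", "harbor-tunnel", "pop-b"],
    "provider-c": ["pole-east", "river-rd-conduit", "harbor-tunnel", "pop-c"],
}

# The same firm after adding a fourth provider whose path avoids the tunnel.
FOUR_PROVIDERS = dict(THREE_PROVIDERS)
FOUR_PROVIDERS["provider-d"] = ["pole-west", "west-conduit", "pop-d"]


def segments_that_break_redundancy(route_maps, min_survivors=1):
    """Return {segment: [providers that traverse it]} for every segment whose
    failure would leave fewer than `min_survivors` providers intact.

    With min_survivors=1 this is the classic single point of failure: a
    segment shared by every provider. Higher values let you insist that
    two (or more) independent paths survive any one physical event."""
    flagged = {}
    all_segments = {seg for path in route_maps.values() for seg in path}
    for seg in sorted(all_segments):
        affected = sorted(name for name, path in route_maps.items() if seg in path)
        if len(route_maps) - len(affected) < min_survivors:
            flagged[seg] = affected
    return flagged


def single_points_of_failure(route_maps):
    """Segments that every provider's line runs through (the tunnel case)."""
    return sorted(segments_that_break_redundancy(route_maps, min_survivors=1))


if __name__ == "__main__":
    for label, maps in (("three providers", THREE_PROVIDERS),
                        ("four providers", FOUR_PROVIDERS)):
        print(f"{label}: SPOFs = {single_points_of_failure(maps)}")
        print(f"{label}: segments leaving <2 survivors = "
              f"{segments_that_break_redundancy(maps, min_survivors=2)}")
```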

Another time I was helping another firm in Florida upgrade one of its high-end network servers back in the late 1990s. This was a Tricord server, which took an ordinary Intel CPU and wrapped it in all sorts of redundant things: two power supplies, RAID hard drives, two physical processors, separate memory, and so forth. We had to pull and replace the network cards from this $40,000 server. This required powering down the beast and opening it up. Sadly, the one thing that wasn’t redundant was the physical power plug that went from the server into the wall – and the $25 part that the ordinary plug fit into went south when we powered the unit down. It took a few white-knuckle hours to locate a new part and get it over to us before we could bring the Tricord up again. I bet no one thought that probably the least sophisticated part in the whole machine was going to fail.

These days, you see lots of gear with two physical power plugs, and at Amdocs’ data center they have two separate power paths just in case one goes out. That means taking each path all the way back to its own generator and line conditioning gear, too.

Here is a story from my own mistakes, lest you think I am just harping on my subjects here. Several years ago, I was running this email list server on a friend’s Linux server that was in his California basement. The friend is one of the original Internet heavyweights, and knows his systems and has plenty of backups. However, the day came when a lot of flooding in his area knocked out all of his Internet connections, and I wasn’t able to access my list. Well, I thought I had all sorts of backup procedures in place and had saved copies of the server list configuration, so I could bring it up on someone else’s server. However, I had neglected to do one simple task – make a copy of the names of everyone on my list. Now I do. You would think something this simple would not have eluded me but you would think wrong.

So, eliminating single points of failure: it is easier said than done. And when you see what Amdocs had to do to deliver on this maxim, you would be impressed.

eSecurityPlanet: How to choose a DLP provider

Every day, data is leaking out of your network. You may not know it; you may even pretend to ignore it. But doing so carries high risk: a batch of stolen credit card numbers can be instantly published on a hacking Web site, and more targeted attacks can compromise your employees’ banking information or lead to other forms of identity theft. Disgruntled terminated employees may decide to leave the premises with your customer or confidential data on their last day. And the threat of potential lawsuits has never been higher, especially with the economy in free-fall in the past year.

Luckily, there are more than ten different data loss prevention (DLP) products that are available, some from the major security vendors like McAfee, Symantec, and Trend Micro.

To help you in your quest, here are some questions to ask before you start evaluating your next DLP product:

  • Where does the product sniff out your data across your network? Does it find sensitive data just traversing your network, on your database and file servers, or does it inspect local desktops for stored Word documents on personal hard drives as well? Can it look inside encrypted data streams too?
  • Can the product search for data without any endpoint agents installed, or is it only as thorough as it can be once those agents are in place? Some of the solutions can scan a lot of different file systems and a lot of different endpoint sources.
  • Can the DLP agents accomplish other security-related things on the endpoints? Some of the vendors offer port-blocking or can turn off USB connectors to block someone with a thumb drive removing all of your customer data in their pocket. Others can control which applications can and can’t be run on your endpoints.
  • What protocols can be blocked or analyzed? Certainly the ones involving email (SMTP, POP and IMAP), but what about Web and file transfers and Instant Messaging too?
  • How hard is it to create – and then change – protection rules? Some products have wizards for easy creation, but then fall down when it comes time to change them outside the wizard. Others have more intuitive and graphical rules creation screens to make it easy to zero in on what you are trying to protect.
  • What happens when a rule is violated? Can you figure out who did the deed, where the offending information is stored, and what kinds of automated responses can be kicked off? Does the product come with lots of pre-set templates to make all of this easier?
  • Is the content analysis portion a separate or integrated piece of the product? In some cases, such as McAfee’s DLP solution, you are going to need several different products to be installed to enable a complete solution.
  • How fast can data pass through the appliance? Typically, you trade off effectiveness for performance. Some of the products can scale to fairly large networks, some can’t.
  • What kinds of reports are available, and how easy are they to interpret or import into your existing reporting systems? Does the product offer any real-time reporting capabilities and how flexible are these reports anyway?
  • How is the DLP solution integrated with endpoint security and proxying solutions? Some of the products in this list, such as Safend, began their lives as primarily endpoint protection solutions and have added DLP features to their protective measures. Others work hand-in-hand with the vendor’s endpoint products or proxies. Some will even integrate with third-party security products to varying degrees, such as Code Green which works with Blue Coat’s Web proxy products.

ITworld: How to buy a Web Application Firewall

We all know that the Web is a nasty place, with denial of service attacks, SQL injection, cross-site scripting and other attacks invented hourly to try to pry into your networks. Over the years, a number of vendors have come up with various solutions that go under the broad heading of Web application firewalls, or ways that they can help prevent the bad stuff from reaching your users’ desktops. It’s worth diving into these products because they offer a great deal of protection that can save you aggravation down the road.

I talk more about how to buy these web app firewalls at ITWorld here.

eSecurityPlanet: Online Backup Buying Guide

By now, you probably know that you can choose from more than two dozen different online backup services that take your desktop data and make copies of it in “the cloud.” (I maintain a list of many of them here.) They all work in a similar fashion: a small software agent monitors any new files that you create on your PC and it makes copies of them over an encrypted link to the provider’s Internet data center. With so many similar contenders in the field, how do you know which to choose? Here is an article that I wrote for Internet.com that reviews your options.

IT Expert Voice Webinar: Understanding Windows 7 Security Features

What has changed for the better and worse with Windows 7 when it comes to endpoint security? There are some improvements to the built-in firewall and encryption features and to remote management, as well as better integration with Microsoft’s Network Access Protection services in Windows Server 2008. This panel will discuss these and other topics and talk about the security implications of migrating to Win 7 in your enterprise.

Join me as I moderate this webinar panel on March 11th at noon CT. You can register for this free event here, and check out other content on ITExpertVoice.com about Windows 7 topics too while you are at it.