MIEM December 2nd, 2005 Security Topics for 2005


MIEM

December 2nd, 2005

Security Topics for 2005

Goal & Format

Goal: 20,000 foot overview of key 2005 security concerns, and options for solutions.

Will be as vendor neutral as possible, listing multiple options from many vendors.

Concerns are in no particular order.

Format:
• Concern
• Current existing options
• Budgetary approximate cost (if known)

SPAM

Unsolicited "junk" e-mail sent to large numbers of people, often to promote products or services

Concerns:

• Clogs mail servers
• Wastes productivity
• Pornographic content = potential legal liability
• Phishing
• Offends people

SPAM Solutions
Desktop software products – Install software on each computer
Approximate Cost: $50/seat

Examples:
– McAfee Spamkiller
– Norton Anti-Spam
– Microsoft Outlook 2003

Pros:
– Non-technical/simple
– No additional hardware required/cost

Cons:
– Designed for SOHO only
– Requires end user maintenance
– Marginal results

SPAM Solutions
Server software products – Software installed on 1 server
Approximate Cost: licensed per user, qty break, $50/seat

Examples:
– McAfee Spamkiller
– Symantec
  • BrightMail
  • Enterprise License w/Symantec Mail Security or AV Gateway
– Postini
– Spam Assassin (free!)

Pros:
– Border solution, allows for centralized management & rules
– Good quality results
– In some cases can reside on mail server

Cons:
– May require additional hardware, OS, maintenance
– Increases administrative overhead
– User control may suffer

SPAM Solutions
Appliance products – Combined hardware/software solution
Approximate Cost: $2,000-$10,000

Examples:
– McAfee Spamkiller Appliance
– Trend Micro (Postini) Spam Appliance
– Barracuda SPAM Appliance

Pros:
– Border solution, allows for centralized management & rules
– Good quality results
– Simplified support by using appliance technology

Cons:
– Increases administrative overhead
– User control may suffer

SPAM Solutions
Outsource – Redirected DNS to outside service provider
Approximate Cost: $1-5/mailbox

Examples:
– Symantec Hosted Mail Security
– MX Logic (http://www.mxlogic.com)

Pros:
– No capital purchase to initiate
– Very good quality results
– Ability to combine with AV filtering
– Zero maintenance or staff time required
– Excellent end user interaction

Cons:
– Large environment cost may be prohibitive
– Security

Web Application Vulnerabilities

Study Shows Most Web Applications Have Vulnerabilities

(5 February 2004)

A four-year test of more than 250 Web applications found that at least 92% of them were vulnerable to attacks including cross-site scripting, SQL injection and parameter tampering. WebCohort's Application Defense Center conducted the test, which looked at applications on "e-commerce, online banking, enterprise collaboration and supply chain management web sites."

http://www.vnunet.com/News/1152521

SPI Dynamics

WebInspect™ for Application Developers

SPI Dynamics’ WebInspect™ Application Developers for Microsoft Visual Studio™ .NET Version enables application and Web services developers to automate the discovery of vulnerabilities - bugs or defects with a security implication - as they build applications, access detailed steps for remediation of those Web application vulnerabilities and deliver secure code for final quality assurance testing. Early discovery and remediation of security vulnerabilities reduces the overall cost of secure application deployment, improving both application ROI and overall organizational security.

http://www.spidynamics.com/products/App_Dev/Microsoft/index.html

Cost: ~ $1,000

Web Application Security Assessment

In addition to a standard vulnerability assessment, Analysts’ security engineers will:
– Test for web application flaws using multiple Open Source and commercial tools
– Analyze target system for hidden input variables
– Analyze target system for URL variables
– Analyze target system for the use of cookies
– Analyze target system for the use of client-side scripting and input validation
– Analyze target system for cross-site scripting vulnerabilities
– Analyze target system for SQL injection vulnerabilities
Cost: Approximately 60 hours
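Two items on the assessment list above, URL/form variables flowing into SQL and hidden input variables that the browser can rewrite, are easiest to see side by side. The following is an added example written for this page, not code from the presentation or from Analysts International: a query that pastes a request variable into SQL beside its parameterised form, and a checkout that trusts a hidden price field beside one that recomputes it server-side. The user rows, the catalogue and the tampered request are all constructed in memory with sqlite3; nothing here touches a real site.

```python
"""Added example, not from the presentation: SQL injection and hidden-field
tampering, each shown as the vulnerable handler beside its hardened form.
All data below is constructed in memory; no real application is involved."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the URL variable is pasted into the SQL text, so quote
    # characters in it change the query structure instead of the data.
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: a bound parameter is only ever compared as a value.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Server-side price list in cents (constructed).  The copy of the price
# that the browser carries in a hidden <input> is never the source of truth.
CATALOGUE = {"widget": 1999, "gadget": 4999}


def order_total_vulnerable(form: dict) -> int:
    # Trusts the hidden "price" field exactly as the browser sent it.
    return int(form["price"]) * int(form["qty"])


def order_total_safe(form: dict) -> int:
    # Recomputes the price from the catalogue and validates the quantity.
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[item] * qty


def run_checks() -> dict:
    """Exercise both pairs with one well-formed and one tampered request."""
    conn = build_db()
    injected = "x' OR '1'='1"          # classic test string used by scanners
    tampered = {"item": "widget", "price": "1", "qty": "3"}
    return {
        "normal_lookup": lookup_email_safe(conn, "alice"),
        "vulnerable_rows_returned": len(lookup_email_vulnerable(conn, injected)),
        "safe_rows_returned": len(lookup_email_safe(conn, injected)),
        "vulnerable_total": order_total_vulnerable(tampered),
        "safe_total": order_total_safe(tampered),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for the injected name because the quote closes the literal and `OR '1'='1'` is appended to the WHERE clause; the parameterised lookup returns nothing, since the same string is compared as a whole value. The same pattern holds for the hidden field: the assessment item "client-side scripting and input validation" exists because validation that only runs in the browser is a suggestion, not a control.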

SpyWare/MalWare

What is SpyWare?

A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use SpyWare to gather data about customers.

How does SpyWare infect your system?

Commonly through web code executed while browsing web sites on the Internet.

CoolWebSearch

Browser Hijacking

Browser Hijacking is a particularly nasty variant of SpyWare that changes system and user settings in order to drive traffic to certain servers.

• Most hijackers change your Internet Explorer start page and favorites to the hijacker's own site

• Many hijackers change your computer's Internet settings so that all of your Internet activity is funneled through the hijacker's servers

• Block you from web sites that can help remove the software or run Anti-Virus or Anti-Malware software

• Install "toolbars" or "browser helpers" that funnel all of your search requests through their own so-called "search engines."

• Forbid you from accessing, for example, Internet Options, to undo the hijacker's damage.
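The symptoms listed above are all changes to a few well-known settings, which makes them checkable against a baseline. The following is an added example written for this page, not code from the presentation or from any anti-spyware vendor: it audits a dict of Internet Explorer and WinINET values against approved values and scans a hosts file for entries that pin clean-up sites to a wrong address (one common way hijackers block access to removal tools). The registry paths in the comments are the assumed IE 6-era locations a desktop script would read; the approved hosts, the protected domains and the sample desktop are placeholders constructed for the example.

```python
"""Added example, not from the presentation: a baseline check for the
browser-hijacker symptoms listed above.  `settings` is a constructed dict
of the values a desktop audit would read from the registry keys named in
the comments (assumed IE 6-era paths); `hosts_text` is a constructed hosts
file.  Approved values and protected domains are placeholders."""
from urllib.parse import urlparse

# Placeholders for the organisation's own approved values.
APPROVED_START_HOSTS = {"intranet.example.test"}
APPROVED_PROXIES = {"proxy.example.test:8080"}
# Sites a hijacker would want to block: constructed names, not real vendors.
PROTECTED_DOMAINS = {"update.av-vendor.test", "download.antispyware.test"}


def audit_browser_settings(settings: dict) -> list:
    """Return one finding string per hijacker symptom seen in `settings`."""
    findings = []
    # HKCU\Software\Microsoft\Internet Explorer\Main : "Start Page"
    host = (urlparse(settings.get("Start Page", "")).hostname or "").lower()
    if host not in APPROVED_START_HOSTS:
        findings.append("start page points at %s" % (host or "<empty>"))
    # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings :
    # "ProxyEnable" (DWORD) and "ProxyServer" (host:port)
    if settings.get("ProxyEnable") == 1:
        proxy = settings.get("ProxyServer", "")
        if proxy not in APPROVED_PROXIES:
            findings.append("all traffic funnelled through unknown proxy %s" % proxy)
    # HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions :
    # "NoBrowserOptions" (DWORD) hides Tools > Internet Options
    if settings.get("NoBrowserOptions") == 1 and not settings.get("managed_by_gpo"):
        findings.append("Internet Options disabled without a corporate policy")
    return findings


def audit_hosts_file(hosts_text: str) -> list:
    """Flag hosts-file lines that redirect a protected (removal-tool) domain."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() in PROTECTED_DOMAINS:
                hits.append("%s pinned to %s in hosts file" % (name, addr))
    return hits


def audit(settings: dict, hosts_text: str) -> list:
    return audit_browser_settings(settings) + audit_hosts_file(hosts_text)


# Constructed sample: a desktop showing four of the five symptoms above
# (toolbar/BHO enumeration is not covered here).
SAMPLE_SETTINGS = {
    "Start Page": "http://search.hijacker-example.test/home",
    "ProxyEnable": 1,
    "ProxyServer": "203.0.113.9:8080",
    "NoBrowserOptions": 1,
    "managed_by_gpo": False,
}
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
127.0.0.1   update.av-vendor.test   # hijacker entry
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, SAMPLE_HOSTS):
        print("FINDING:", finding)
```

A clean desktop (approved start page, no proxy, no restriction value, stock hosts file) produces no findings; the sample above produces four. The `managed_by_gpo` flag matters because `NoBrowserOptions` is also what a legitimate group policy sets, so the check is "restriction present without a policy that explains it", not "restriction present".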

SpyWare Desktop Software
Cost: Ranges from free to seat license fee $25

Example software tools (dozens of options):

Ad-Aware http://www.lavasoftusa.com/

Spybot http://www.safer-networking.org/en/index.html

StopZilla http://www.stopzilla.com/info/home.asp?AID=10136&S=5&type=HOME&topic=&source=&AAID=&dre=

SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html

Pros:
– Low cost or free
– Removes most SpyWare

Cons:
– Mostly reactive, not proactive
– Requires manual activity on each desktop
– Lacking centralized management
– Really was designed for the end user, not the Enterprise

SpyWare – At the Border?

• WebSense
Cost: Licensed per user, requires WebSense Enterprise

Websense Launches New Database Category to Combat Spyware; Product Prevents Posting of Company Data Back to Marketer Servers

Spyware Found to Create Security Holes and Severely Drain Corporate Bandwidth

SAN DIEGO Nov. 21, 2002 -- Businesses battling the proliferation of spyware on employee desktops now have a new weapon at their disposal. Websense Inc. (NASDAQ: WBSN) today announced the launch of a new database category that blocks spyware programs from sending potentially sensitive data back to marketer servers. The category, which is included in the Websense Premium Group III (PG III) database, helps IT managers prevent spyware from compromising corporate data security and draining valuable corporate bandwidth. Spyware - such as Gator, BonziBUDDY and others - works by collecting Web surfing patterns, keystrokes and other information from employee computers, usually for advertising purposes. This information, once gathered, is sent via back-channel Internet connections to Web servers, where it can be used for market research or worse. In some cases, spyware secretly installs itself onto desktops without permission and performs other activities hidden to the user.

SpyWare – At the Border?

• WebSense

One way to prevent SpyWare is to stop people from browsing to sites that deposit SpyWare. WebSense is best known as a content filtering solution. It addresses SpyWare using its content filtering ability by restricting access to sites that have been put in the SpyWare database as a dangerous site.

SpyWare – Border Appliances

Vendors are quickly updating Intrusion Prevention and security appliances to incorporate anti-SpyWare capabilities at the border.

Approximate Cost: $2,000-$30,000

Examples:
Symantec 7100 series
McAfee IntruShield
Barracuda SpyWare Firewall

Pros:
Enterprise management
Ease of deployment

Cons:
Lack of individual user control

SpyWare – AV Integrated

Enterprise managed by existing AV platform
• Symantec v10
• McAfee Anti-SpyWare

Cost: List = $15/node

– Uplift to McAfee Anti-Virus, does not stand alone
– Not bundled in any AV packages
– Centralized management, billed as the first Enterprise class solution
– McAfee says they have been in close communication with MSFT
– Detects key-loggers, much more capability than current AV product
– Works with 7.1 & 8.0
– Anti-Phishing filter coming

Wireless Installations

Wireless networking technology has been widely deployed over the last several years.

Phase 1 – Make it work!

Site surveys, test coverage, etc.

Wireless Phase 2 – Uh oh!

It works too well!

• Signal leakage

• No authentication required

• Data interception

This led to a migration to various encryption & authentication methods.

Wireless Phase 3 – Uh ooh!

Valid users can quickly spread attacks to the network! We don’t control policies on guest laptops.

Approximate Cost: $5,000-$50,000 (based on users)

Examples:
Cisco Clean Access
CheckPoint (Zone Labs) Integrity

Pros:
– Stops threat propagation
– Enforces consistent policies even on non-managed systems
– Allows multiple levels

Cons:
– Requires end-user intervention
– Could increase help-desk traffic

Access Policy Enforcement

Wireless Phase 3 – Uh ooh!

Users set up their own unauthorized WAPs in our network! How do we manage the wireless security?

Approximate Cost: $7,000

Examples:
Air Magnet Enterprise

Pros:
– Enables wireless security management

Cons:?

Wireless Intrusion Detection

Threat Propagation

Organizations continue to struggle with keeping all systems free of known vulnerabilities, as well as protecting against zero day threats.

Directions to combat this problem include:

• Access Policy Enforcements (see previous slides on wireless policy enforcement)

• Clientless SSL VPN

• Intrusion Prevention products

Clientless SSL VPN

Allow remote access via a standard web browser (i.e. no custom client required) utilizing an appliance or software product.
Cost: $0-$50,000

Examples:
– Cisco 3000 VPN Concentrator series
– Symantec 4400 Series
– Juniper Neoteris & Netscreen products
– Citrix Secure Gateway (CSG)

Pros:
– Much more difficult to transfer threats than IPSec VPN
– Typically low cost
– No custom client required, so little administrative impact

Cons:
– May not support all applications
– Typically not as full featured as IPSec VPN

Intrusion Prevention (Host)

Software which protects the operating system, analyzing system calls for inappropriate requests, including attacks such as buffer overflows. Can prevent known and unknown attacks (also deployed as an anti-Spyware mechanism).
Cost: ~ $5,000 for 3 servers

Examples:
– Cisco Security Agent (CSA)
– McAfee Entercept

Pros:
– Excellent protection level
– Can protect sensitive data
– Centralized management

Cons:
– Must be installed on each machine
– Large deployments can be expensive
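The slide describes host IPS as a policy over system calls rather than a signature list, which is why it can stop attacks it has never seen. The following is an added example written for this page, not code from the presentation, Cisco or McAfee: a toy policy engine that walks a constructed trace of system-call events and blocks the two things the slide names, a service executing a new program from writable (stack/heap) memory, the tell-tale of a buffer-overflow payload, and calls outside a process's expected profile, with a protected-file rule that covers the anti-spyware use. The profiles, file list, process names and trace are all assumptions constructed for the example; a real product does this inside the kernel.

```python
"""Added example, not the presentation's or any vendor's code: a toy
host-IPS policy engine over a constructed system-call trace.  Profiles,
protected files and the trace itself are assumptions made for the example."""
from collections import namedtuple

Event = namedtuple("Event", "pid process syscall detail")

# Expected behaviour per service (assumed profiles): a call outside the
# set is "inappropriate".  Processes without a profile are not restricted
# by this rule, only by the memory-region and protected-file rules.
PROFILES = {
    "httpd": {"read", "write", "accept", "open", "close", "sendfile"},
    "named": {"read", "write", "recvfrom", "sendto", "open", "close"},
}
PROTECTED_FILES = {"/etc/passwd", "/etc/shadow", "/etc/hosts"}
WRITABLE_REGIONS = {"stack", "heap"}     # legitimate code never runs here


def evaluate(events) -> list:
    """Return (pid, process, reason) for each event the policy blocks."""
    alerts = []
    for ev in events:
        region = ev.detail.get("caller_region")
        if ev.syscall == "execve" and region in WRITABLE_REGIONS:
            # Code executing from stack/heap: classic overflow payload, and
            # blocked without knowing which vulnerability was used.
            alerts.append((ev.pid, ev.process,
                           "execve from %s memory (possible buffer overflow)" % region))
            continue
        profile = PROFILES.get(ev.process)
        if profile is not None and ev.syscall not in profile:
            alerts.append((ev.pid, ev.process, "%s not in profile" % ev.syscall))
            continue
        if (ev.syscall == "open" and ev.detail.get("path") in PROTECTED_FILES
                and "w" in ev.detail.get("mode", "")):
            alerts.append((ev.pid, ev.process,
                           "write to protected file %s" % ev.detail["path"]))
    return alerts


# Constructed trace: normal web traffic, an overflow-style exec, a call the
# web server never makes, then an unprofiled "adbar" process (a constructed
# spyware stand-in) rewriting the hosts file.
SAMPLE_TRACE = [
    Event(101, "httpd", "accept", {}),
    Event(101, "httpd", "read", {"fd": 7}),
    Event(101, "httpd", "execve", {"path": "/bin/sh", "caller_region": "stack"}),
    Event(101, "httpd", "socket", {"family": "AF_INET"}),
    Event(305, "adbar", "open", {"path": "/etc/hosts", "mode": "w"}),
    Event(305, "adbar", "read", {"fd": 3}),
]

if __name__ == "__main__":
    for pid, proc, reason in evaluate(SAMPLE_TRACE):
        print("BLOCK pid=%d %s: %s" % (pid, proc, reason))
```

The ordering of the rules is deliberate: the memory-region check runs first so that an overflow is reported as such even for a process whose profile would also have rejected `execve`. The cost side of the slide follows from the same design: every machine needs the agent and a profile, which is the maintenance a large deployment pays for.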

Intrusion Prevention (Network)

Appliance which protects network segments, analyzing traffic for both known and unknown attacks, as well as DOS attacks.
Cost: $5,000-$30,000

Examples:
– McAfee IntruShield
– Symantec 7100 series
– Cisco IDS

Pros:
– Can protect many servers with one device
– Can protect against DOS
– Passive inline deployment can fail and still pass traffic

Cons:
– May require many appliances for multiple location environments
– May not fit small locations
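The network IPS slide names two different kinds of analysis, content matching for known attacks and rate checks for denial of service, and an inline box has to decide per packet whether to drop or only alert. The following is an added example written for this page, not code from the presentation or from McAfee, Symantec or Cisco: a toy inspector over a constructed packet trace that applies both. The signatures, the threshold and the traffic (RFC 5737 documentation addresses) are illustrative choices made here, not values from any product.

```python
"""Added example, not from the presentation or any vendor: a toy network
IPS applying content signatures and a SYN-rate check to a constructed trace.
Signatures, threshold and traffic are illustrative assumptions."""
import re
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src dst dport flags payload")

# Known-attack content signatures (illustrative, not a product rule set).
SIGNATURES = [
    ("directory traversal in HTTP request", re.compile(rb"\.\./\.\./")),
    ("overlong header field (overflow probe)", re.compile(rb"^[A-Za-z-]+: .{512,}", re.M)),
]
# DoS rule: more than this many bare SYNs to one destination per second.
SYN_PER_SECOND_LIMIT = 20


def inspect(packets) -> list:
    """Return (ts, verdict, src, detail) tuples.  'drop' is what an inline
    device would block; 'alert' is logged so the analyst sees the flood."""
    verdicts = []
    syn_counts = defaultdict(int)      # (dst, whole second) -> SYNs seen
    flooded = set()                    # report each (dst, second) once
    for p in packets:
        for name, rx in SIGNATURES:
            if rx.search(p.payload):
                verdicts.append((p.ts, "drop", p.src, name))
        if p.flags == "S":
            key = (p.dst, int(p.ts))
            syn_counts[key] += 1
            if syn_counts[key] > SYN_PER_SECOND_LIMIT and key not in flooded:
                flooded.add(key)
                verdicts.append((p.ts, "alert", p.src,
                                 "SYN flood: >%d SYN/s to %s" % (SYN_PER_SECOND_LIMIT, p.dst)))
    return verdicts


def sample_trace() -> list:
    """Constructed traffic: a clean request, a traversal attempt, then a
    burst of SYNs from many sources within one second."""
    pkts = [
        Packet(0.10, "198.51.100.5", "192.0.2.10", 80, "PA",
               b"GET /index.html HTTP/1.0\r\n\r\n"),
        Packet(0.25, "203.0.113.7", "192.0.2.10", 80, "PA",
               b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    ]
    for i in range(30):
        pkts.append(Packet(1.0 + i * 0.01, "203.0.113.%d" % (i + 1),
                           "192.0.2.10", 80, "S", b""))
    return pkts


if __name__ == "__main__":
    for ts, verdict, src, detail in inspect(sample_trace()):
        print("%.2f %-5s %-15s %s" % (ts, verdict, src, detail))
```

On the sample trace the traversal request is dropped and the SYN burst raises a single alert at the 21st SYN; the clean request passes untouched. The flood is alerted rather than dropped because the sources are many and the rate, not any one packet, is the problem, which is also why the slide's "passive inline deployment can fail and still pass traffic" matters: the device must fail open rather than become its own denial of service.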

Information Overload/Log Consolidation

How do you handle the multitude of security events and security systems that you have deployed?
Approximate Cost: $10,000-$100,000

Examples:
– Cisco MARS
– NetIQ Security Manager

Pros:
– Consolidates security events to a central point
– Provides baseline and reduces need to evaluate all events

Cons:
– Good product support, but might not support every product in your environment
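The two "pros" on the slide, consolidation to a central point and a baseline that removes the need to look at every event, are the core of what such a product does, and the "con" follows from the first step: every source needs its own parser. The following is an added example written for this page, not code from the presentation, Cisco MARS or NetIQ: three constructed log formats (a firewall drop, an IDS alert and a Windows 2003-style logon failure, event 529) are normalised into one shape, counted per source address, and compared with a baseline so that only sources well above their usual rate are surfaced. The log lines, baseline and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Added example, not from the presentation or any vendor: normalise three
constructed log formats into one event shape, count per source address and
flag sources above a baseline.  All lines and addresses are constructed."""
import re
from collections import Counter

# One parser per source; a line matching none of them is dropped.  Adding a
# product to the console means adding a parser here, which is the slide's
# "might not support every product" caveat in miniature.
PARSERS = [
    ("firewall", re.compile(
        r"kernel: (?P<action>DROP) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<port>\d+)")),
    ("ids", re.compile(
        r"snort\[\d+\]: \[[\d:]+\] (?P<action>.+?) \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)")),
    ("windows", re.compile(
        r"EventID=(?P<action>529) .*user=(?P<user>\S+) src=(?P<src>[\d.]+)")),
]


def normalize(line: str):
    """Map a raw line from any known source into a common dict, or None."""
    for source, rx in PARSERS:
        m = rx.search(line)
        if m:
            event = {"source": source, "src": m.group("src"), "action": m.group("action")}
            event.update({k: v for k, v in m.groupdict().items() if k not in ("src", "action")})
            return event
    return None


def consolidate(lines) -> Counter:
    """Count security-relevant events per source IP across all sources."""
    return Counter(ev["src"] for ev in map(normalize, lines) if ev)


def exceeds_baseline(counts: Counter, baseline: dict, factor: float = 3.0) -> list:
    """Sources seen at more than `factor` times their baseline rate (or not
    in the baseline at all) are the ones that need an analyst's eye."""
    return sorted(src for src, n in counts.items() if n > factor * baseline.get(src, 0))


# Constructed sample lines from three systems plus one unparseable line.
SAMPLE_LINES = """\
Dec  2 08:01:12 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Dec  2 08:01:13 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=445
Dec  2 08:01:20 fw01 kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=80
Dec  2 08:02:01 ids01 snort[1234]: [1:1000001:1] WEB-MISC traversal attempt {TCP} 203.0.113.7:4312 -> 192.0.2.20:80
2005-12-02 08:02:30 DC01 EventID=529 Logon Failure user=jdoe src=203.0.113.7
2005-12-02 08:02:31 DC01 EventID=529 Logon Failure user=jdoe src=198.51.100.5
This line is noise from an unknown system and is ignored
""".splitlines()

# Baseline events per hour per source from a quiet day (constructed).
BASELINE = {"198.51.100.5": 2}

if __name__ == "__main__":
    counts = consolidate(SAMPLE_LINES)
    print("per-source counts:", dict(counts))
    print("needs review:", exceeds_baseline(counts, BASELINE))
```

Seen separately, two firewall drops, one IDS alert and one failed logon are each routine; seen together from one address they are the event worth reviewing, and the single known-good address with its one failed logon stays under its baseline. That is the reduction the slide is pointing at: the console does not remove events, it removes the need to read each one.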

Computer Evidence

• The problem: Organizations have an increasing need for computer evidence that is admissible in court, and need high-end technical assistance for hacking incidents.

– Crime involving technology continues to increase
– Law enforcement is over-burdened and has big backlogs
– Computer data is increasingly becoming central to civil lawsuits (fraud, problems with the SEC, intellectual property, etc.)
– No standards for forensic methodology, especially for volatile data (data that is in memory, such as network connections, that is lost when the computer is powered down)
– I.T. security consultants do not always have a good understanding of legal concepts such as the chain of custody
– Information about non-technical crimes is increasingly stored on PCs and devices such as cell phones and PDAs, requiring specialized software

Administrator Termination

• The problem: I.T. staff members have an unprecedented level of access to key organizational data, and this access must be managed when they leave the organization

– Passwords exist on numerous disparate systems, usually not recorded
– Most organizations have difficulty identifying all of the steps that need to be taken
– I.T. administrators frequently know the passwords of regular users
– Dial-up, VPN, Internet-facing systems need to be closed off ASAP
– I.T. administrators may have organizational property (data, hardware, software, intellectual property, etc.) that needs to be retrieved
– In some cases, the termination is hostile, and an immediate threat is perceived

Security Policy

• Most organizations have little or no security policies. Due to improving awareness and regulatory requirements, organizations must develop comprehensive I.T. security policies.

• Many types of policies and procedures must be developed:
– Change control and programming standards
– Disaster recovery and availability
– Logical security of networks, hosts, etc.
– Remote access security, malware, anti-virus, trojans
– Log collection and review procedures
– Server build and hardening procedures
– And many more….

Discussion

Mark Lachniet
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)

[email protected]

Email me to request copy of presentation.