Tag Archives: Symantec

March 18, 2013

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post ca be found HERE

Problem

Cisco Systems in their Cyber Security Threat Defense white papers outlines how the network security threat landscape is evolving. They describe how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient in detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS, and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be really implemented to fulfill some sort of checkmark for an auditor on a compliance form. Security professional know these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

Combined as a center piece for Cisco’s TruseSec Solution, Cisco ISE creates a secure ecosystem treating security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center of the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. As Federal IT budgets are getting slashed back in 2013; however, spending for cyber security appears to be increasing in the eyes of the casual on-looker.

Cisco Systems, in their Cyber Threat Defense White Paper discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even guadge they are being attacked or a threat is posing a clear and present danger (yes that was a Harrison Ford shout out).

RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptional framework for Threat Defense Visibility and Awareness program. The goal of program should be to (1) provide a framework that can be built by using products, technologies, and methodologies that are available today, (2) provide network visibility on network health and status in real-time, (3) provide real-time network posture and attack risk baselines, (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on their website, security analysts gain visibility into advanced cyber threats such as:

Network reconnaissance
Network interior malware proliferation
Command and control traffic
Data ex-filtration

Lancope Stealwatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because they highlight changes in baseline behavior. Did traffic spike a 100%, did outbound traffic suddenly increase, are more requests being transmitted to new domain on the Internet? All these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns than what is normally looks like. Continue reading →

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Security Management & Analysis

Tagged as aamir, Aamir Lakhani, Accelus eGRC, Access Control, Cisco, Cisco NAC, cisco security, Clean Access, cloudcentrics, Compliance, cyber security, cyber threat defense, Enterprise Security Manager, Federal Cyber Initiatives, GRC, Home, Identity Services Engine, ISE, ISE1.0, Joey, Joey Muniz, joseph, joseph muniz, Lakhani, LanCope, McAfee, McAfee ESM, mobile, mobile device, Muniz, NAC, NAC appliance, netflow, NetWitness, network access control, Network reconnaissance, network security, network visibility, RSA, Security, Security Logging Events, situational awareness, Stealth Watch, StealthWatch, Symantec, Threat Defense Visibility, World Wide Technology, world wide technology inc., wwt

December 28, 2012

Protect Your Communication Using Free Tools: Secure E-mail and Hiding Messages with Steganography

Is There More To This Image?

How we communicate has become extremely easy in today’s digital society. Most mobile devices offer software that integrates with social networks, business applications and e-mail. People share anything from where they are eating to what they are about to eat in near real-time (personally I find it annoying). This convenience makes securing communication more difficult since most digital messages leave a digital fingerprint as well as usually transmitted over nonsecure sources. My team has demonstrated how hackers can steal data in transit using man-in-the-middle attacks with tools like the Pine Apple (more HERE), BeEF (more HERE), and compromising mobile devices to pull up old text messages and e-mails.

How can you protect your communication? Best practice is investing in multifactor authentication to trusted systems, VPN technology for communication outside of a secure network, data loss prevention monitoring what data is permitted to leave a secure network, internal network security products and host based security to stop key loggers and other threats. Communication solutions should offer a mix of confidentiality (protecting the information), integrity (can’t modify the message), availability, authenticity (message is genuine) and non-repudiation (guarantee sent and received).

Meeting best practice typically requires investments in multiple technologies however what about the average user looking to send a sensitive message? There are methods to send messages securely using free tools. One option is using a secure e-mail solution. Hushmail offers free PGP-encrypted e-mail and file storage. If you look at the image below, you will see the checkbox for encrypting the outgoing message as well as how Hushmail enforces a strong passphrase promoting secure e-mail standards. The downside of Hushmail is it doesn’t offer some of the flashy features other e-mail services include such as chat or customizable backgrounds.

Setting up a Hushmail account

Sending Encrypted E-mails Continue reading →

Rating: 0.0/5 (0 votes cast)

7 Comments

Filed under Data Loss Prevention, General Security

Tagged as Access Control, authenticity, Cisco, communicate, communication, Compliance, confidentiality, Data Loss Prevention, DLP, encryption, end point management, hidden message, hide message, Home, hushmail, image steganography, Invisible Secrets, iPad, iPhone, Joey, Joey Muniz, joseph, joseph muniz, LanCope, mobile, mobile device, mobile device management, Mobilefish, Muniz, network access control, network security, non-repudiation, RSA, secure passwords, secure-email, securing communication, Security, spam, spammimic, Steganography, Symantec, wireless security

December 18, 2012

Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Most Security solutions leverage a combination of signature and behavior based technology (more HERE). This worked in the past however today these solutions are not good enough regardless if you layer multiple products that are built upon similar scanning methods. There are many ways to bypass point Security products such as throttling behavior and masking the known fingerprint of the attack code. A example of a technique used to hide malware from popular Anti-Virus packages is leveraging Dynamic Obfuscation software.

Obfuscation software was designed to protect source code from piracy by making the original code more complicated to read while retaining functionality. There are commercial obfuscation software packages available for programmers looking to hide their source code which is also obtainable for malware developers. This is bad for anti-virus vendors responsible for developing methods to fingerprint malicious code.

Malware producers can make things even more difficult for Anti-Virus vendors by adding dynamic elements that randomizes malicious code and encryption keys on the fly. For example, a victim accessing a malicious website could see a different variation of the same exploit each session. Dynamic obfuscation provides an endless number of variants making it almost impossible for signature based Security to identify the threat.

There are dozens of examples for commercial Java obfuscator packages. Some common packages are Zelix KlassMaster, Dash-O, ProGuard, Smokescreen, Thicket and Allitori. Popular penetration toolsets such as Metasploit also include malware obfuscating modules such as the VoMM module. Research on VoMM from a few years ago can be found HERE .

Examples of Java Obfuscation Software Continue reading →

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under General Security, Internet Defense, Penetration / Hacking, Security Management & Analysis

Tagged as Access Control, Allitori, anti-malware, Cisco, Dash-O, Data Loss Prevention, DLP, Dynamic Obfuscation software, end point management, fireeye, Home, Joey, Joey Muniz, joseph, joseph muniz, KlassMaster, LanCope, Malicious software, malware, malware defense, Metasploit, Muniz, netflow, netflow security, network assessment, network security, Obfuscates, Obfuscates Malware, packet capture, ProGuard, RSA, Security, SIEM, SIEM Technology, Signature Based Security, signature security, Smokescreen, software piracy, Sophos, Stealth Watch, StealthWatch, Symantec, Thicket, virus, viruses, VoMM, wireless security, World Wide Technology, world wide technology inc., wwt, Zelix

July 2, 2012

Enforcing Network Policy Internally, Remotely And To Mobile Devices

Many corporations fail to establish and enforce a network policy. A network policy is a set of conditions, limitations, and customized settings designed to control how authorized subjects use network resources. Common examples of a network policy are controlling access to adult, gambling, hacking, blacklisted and other website categories that violate human resource (HR) and security standards. Network Policy requirements can change based on device type, time of day and user role. Its key that network policy is automatically enforced rather than something end-users choose to abide by or most likely will fail when most needed.

Users are the weakest link in any network. Hackers know this and target the majority of attacks at this vulnerability. I constantly hear customers complain about phishing attacks (users clicking a link in a email) or users bringing devices infected with malware most likely obtained while surfing websites that violate network policy. Its also common to see users violate security controls if it impacts their work flow. I had one audit identify internal users VPNing from their workstations to bypass internal network policy due to lack of controls for remote users. Poorly enforced policies will impact your security, reduce workflow and become very costly as a result of failed audits and compromised systems.

Common solutions for enforcing network policy are layer 7 / application layer firewalls, content filters and bolt-on technology such as cloud applications or agent technology that control network traffic from end-points. I wrote a post about the concepts behind web-gateway solutions HERE. The standard offering provides content categories (Gambling, Social Networks, Hate, Sex, etc.) that can be denied, limited or monitored. The more advanced solutions include security components such as anti-virus / anti-malware, layer-4 monitoring, website reputation scoring and other features.

The problem with these solutions is scalability. Most content filers require either user devices to be configured inline (hardcoding proxy settings) or routing traffic to the device (example WCCP). These solutions become difficult to enforce outside of the internal network as well as on devices that are not cooperate assets such as mobile devices.

ScreenShot2012 06 04at92743PM Enforcing Network Policy Internally, Remotely And To Mobile Devices

(Cisco’s Web-Security Portfolio)

A common solution that addresses external devices is VPNs routing traffic through network policy enforcement solutions (example Cisco AnyConnect with Ironport or ScanSafe). An alternative is using sandbox-based methods such as remotely controlling internal machines (example Citrix). Sandboxes work well however may encourage the wrong user behavior such as emailing information to a g-mail account to bypass the sandbox. One solution I like is Cisco’s OEAP which extends the internal network (including corporate SSIDs) to my home office. ScreenShot2012 06 30at110329PM Enforcing Network Policy Internally, Remotely And To Mobile Devices

Agent and cloud based technology can enforce network policy for laptops and desktops however fail for most mobile device types such as androids and apple devices. The reason is most mobile device manufactures give power to the end-user meaning users can opt out of security (more on this HERE). Some MDM vendors such as Zenprise offer the ability to force network traffic through a VPN tunnel, which is great when devices are managed by a MDM provider but fail when the MDM agent is not present. The only protection that can be applied for mobile devices not using MDM is controlling access to sensitive data through data loss prevention, sandbox sessions or encryption technology. I personally like the MDM enforced by Access Control technology approach.

Network policy can be enforced many ways but must meet your overall business goals and extend to all devices regardless of location. The technology is available however requires investment from leadership to properly build a policy and purchase the necessary tools to enforce it. Most failures in network policy are caused by a lack of focus from leadership.

Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security, Host And Mobile Device Security

Tagged as Access Control, anyconnect, audit, Cisco, cisco cx, citrix, Compliance, content filer, continuous monitoring, Data Loss Prevention, DLP, Home, Identity Services Engine, ironport, Joey, Joey Muniz, joseph, joseph muniz, mobile, mobile device, mobile device management, monitoring, Muniz, NAC, network access control, network monitoring, network policy, network security, OEAP, palo alto, phishing, phishing attack, phishing defense, phone home, remote work policy, RSA, sandbox, scan safe, scansafe, Security, security audit, ssl, Symantec, Telework, Teleworker, virus, VPN, vpn technology, web security, web washer, websense, wireless security, World Wide Technology, world wide technology inc., worm, wwt

December 15, 2011

Addressing Bring Your Own Device (BYOD): How to manage and secure mobile endpoints

The majority of today’s workforce uses multiple devices such as laptops, tablets and smartphones (IE brings their own device or BYOD). Leadership from most industries is being asked to permit these devices on the network in some limited or full fashion. Common BYOD questions are “how do I support growth for users with multiple devices?”, “what type of access should guest and employees use for mobile devices?”, “how do I provision corporate mobile devices?”, and “what security vulnerabilities am I exposed to by permitting mobile devices?”. All are good questions and can be addressed by focusing on three core BYOD concepts: Infrastructure, Access Control and Device Management.

The first thing to consider for BYOD is if your wireless network can support growing from one device per user to potentially 2-4 devices. The best way to find out is by performing a wireless assessment to verify capabilities and potential risks caused by obstacles and nearby rouge networks (IE Starbucks using a similar RFID channel). Security features such as wireless intrusion detection and prevention (WIDS /WIPS) as well as controlling the number of permitted associated devices per user should be considered for BYOD to guarantee scalability and service.

Another common area of concern for BYOD is provisioning access to employees and guests. The first BYOD question typically asked is “should all mobile devices be handled by a separate network or should employee owned mobile devices share the same core network while guest devices use another network?”. However you plan to permit mobile devices, best practice for BYOD is to automate the process based on multiple factors such as device type, user authentication and risk status. Policies permitting employee access using personal devices should have a process to register and track those devices (IE web registration page like in hotels) rather than an “employee wireless password” that could get compromised and not associated to a device. Many solutions such as Cisco Identity Services Engine (ISE) offer self-registration to eliminate the need for employee or guest users to deal with an IT member to gain network access. Solutions that leverage profiling technologies can automatically assigned specific access types based operating system, device type and other details (IE provide different access for iPhones and Androids) so you know who and what is on your network. “Knowing is half the battle”, GI JOE

The final piece to the BYOD puzzle is device management. Most mobile hardware vendors give power to device owners meaning Apple, Android, etc. device users can take themselves out of compliance at anytime (blackberry is the only exception). Solutions such as Mobile Iron and AirWatch provide methods to assess devices for high risk factors such as jailbreaking or using unapproved applications which is crucial for BYOD. Application based endpoint management solutions verify devices and either permit or deny corporate services such as providing email based on policy status (IE no email service while angry birds is installed). Common BYOD policies are enforcing the use of passwords, remote locking devices, denying hacked devices, provisioning specific applications and having the ability to remote wipe only corporate data. The mobile security market leaders offer a breath of operating systems and hardware options as well as easy methods to communicate when end users fall out of compliance.

Addressing Bring Your Own Device (BYOD): How to manage and secure mobile endpoints

Industry leaders for security are focusing on BYOD by developing solutions for mobile devices. RSA and Symantec recently released data loss prevention (DLP) for mobile devices to deny sensitive information such as social security numbers from moving to or from mobile devices. Network vendors such as Cisco are partnering with mobile manufactures to address BYOD by offering VPN technology that encrypt traffic from mobile devices while off the corporate network. There are many options for endpoint security when looking at BYOD, which the investment for mobile security should match protecting laptops and desktops regardless if the employee owns the asset.

Rating: 5.0/5 (1 vote cast)

5 Comments

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security, Network Admission Control

Tagged as 802.1x, Access Control, ACS, ACS5.0, ACS5.1, ACS5.2, air watch, Airwatch, android, angry birds, anyconnect, bring your own device, bring your own technology, byod, BYOT, Cisco, Cisco Identity Services Engine (ISE), Cisco NAC, Clean Access, Data Loss Prevention, DLP, end point management, endpoint management, Good Technology, Guest Server, Identity Services Engine, Infrastructure, iPad, iPad2, iPhone, iphone 4, iphone 4s, ISE, ISE1.0, jailbreaking, jailbroken, Joey, Joey Muniz, joseph, joseph muniz, mobile, mobile device, mobile device management, mobile endpoints, Mobile Iron, Muniz, NAC, NAC appliance, network access control, network security, Profiler, remote password lock, remote wipe, RSA, Security, Symantec, VPN, WIDS, WIPS, wireless security, work from home, World Wide Technology, world wide technology inc., wwt

November 25, 2011

Test The Strength Of Your Security

Many agencies spend millions on security each year. Security investments range from firewalls to contractors, which spending is typically based on weighing risk of loss against cost to protect. Sometimes it’s difficult to evaluate the return on investment for security since the desired end result is not being compromised rather than a particular outcome that can be measured. Studies show regardless of the level of spending for security, the majority of IT management doesn’t know how effective their defenses are against today’s threat landscape. Here are some ways to evaluate the strength of your security.

Secure all access points to your network

* Security is as strong as your weakest link. Make sure all access points are secured or you will eventually be compromised. The common access points are Email, Web, LAN, Wireless, VPN, Data Center, Endpoint (laptops, desktops, etc.) and Mobile Devices.

Scan desktops and servers for vulnerabilities

* Tools are available for penetration testing such as Saint, Tenable, Core Impact and Rapid 7. The concept is simple … test for the same vulnerabilities hackers use to access your network. Penetration tools look for open ports, unpatched servers and other means hackers could use to compromise your equipment. The industry leaders typically can test all network nodes and include recommendations for remediation.

Evaluate network traffic for malicious intent

* Network forensic tools are available for capturing and categorizing network traffic (Example HERE). You will not know you are compromised if none of your security devices are triggered. Looking at traffic at the packet level can identify unknown communication through unrecognized ports, traffic with foreign entities or other red flags that indicate you have been compromised. Typically forensic skillsets are required to identify threats however manufactures like NetWitness offer great tools for simplifying packet level analytics.

Include failsafe security solutions that rate your existing toolsets

* Best practice is to test the effectiveness of your existing security toolsets. The most popular method is placing honeypots on your network with the goal of luring hackers who bypass your security into highly monitored systems. Other toolsets are available for testing your signature and behavior based tools such as Spectrum by NetWitness that can flag if specific threats could bypass your security. Another interesting tool is by FireEye that runs threats in a virtualized honeypot to identify malicious behavior.

Standardize and monitor your network device configurations

* Enforce a baseline template for all network devices to avoid vulnerable configurations and software. Network management tools by SolarWinds, Cisco, EMC, etc. can enforced standardized code and configurations as well as monitor if changes are made. I personally like 360GRC’s ConfigScan for evaluating configurations for vulnerabilities specified by industry standards.

Profile all devices on the network.

* Use a profiling tool such as Cisco ISE or Greatbay to identify what types of devices are on your network based on how they communicate. You may be surprised to find a few Xboxes hidden in a corner office.

Categorize Sensitive Data.

* Data Loss Prevention (DLP) leaders such as RSA and Symantec offer various tools that locate and categorize sensitive data. Make sure sensitive data is controlled and protected.

Test your staff with social engineering attacks.

* People will always be your weakest link. The only way to improve this is through training. I’ve seen customers use social engineering attacks on their users and show the results as a means of training. There are many online forums that can assist with developing your social engineering training strategy.

Periodically audit your network.

* Use unbiased consultants to help you understand how vulnerable you are.

Rating: 0.0/5 (0 votes cast)

4 Comments

Filed under General Security, Security Management & Analysis

Tagged as 360GRC, Access Control, ATP, audit your network, Categorize Sensitive Data, Cisco, Cisco Network Compliance Manager, ConfigScan, core impact, Data Loss Prevention, DLP, EMC, EMC Voyence, end point management, fireeye, Greatbay, honeypot, Identity Services Engine, ISE Profiling, Joey, Joey Muniz, joseph, joseph muniz, mobile, mobile device, mobile device management, mobile device security, NAC, NCM, NetWitness, NetWitness Investigator, network access control, Network Compliance Manager, network forensic, network security, Opsware, rapid 7, RSA, Saint, Security, security audit, Security investments, social engineering, Spectrum, Symantec, Tenable, test security, Voyence, vulnerabilities, wireless security, World Wide Technology, world wide technology inc., wwt

November 11, 2011

Developing A Continuous Monitoring Solution

There isn’t a single “silver bullet” product that addresses Continuous Monitoring. There are too many factors to consider, which require multiple security elements to function as a single solution. A good approach to continuous monitoring is securing all threat vectors and having those solutions provide data to a central reporting engine. Once data is centralized, things like risk level auditing and policy enforcement can take place. My team has developed a Continuous Monitoring Reference Architecture based on research from customer requirements and testing various security products.

The first step to build a continuous monitoring solution is identifying what should be monitored. A complete continuous monitoring architecture should consider everything from network access alerts to software installed on endpoints. Most networks have gaps in process or technology, which leave holes in desired monitoring reports. For example, administrators may use scanners to audit server vulnerabilities however not monitor configuration changes on routers. Network devices, servers, printers and other network elements offer various forms of risk that need to be detected before a complete continuous monitoring solution can be put into place.

Here are some questions to think about regarding what could be monitored:

1) Do you have a continuos monitoring solution for devices accessing the network?

Does that solution cover all access avenues (LAN, VPN, WIRELESS)?
Is everything continuously verified or is it a one-time verification?
Are policies enforced for different users and devices (guest, contractors and employees)?
Do you scan devices for threats / risk before or while on the network?

2) Do you have a continuos monitoring solution for enforcing endpoint policy?

Do you have a solution for checking what is installed on devices?
Are laptops, desktops, etc. continuously monitored or randomly scanned?
Are policies enforced?
Are all endpoints considered (mobile phones, laptops, USB drives)?

3) Do you have a continuos monitoring solution for critical data control?

Does this include Server, Email and Web data?
Are policies for data loss enforced on and off the network?
Does security follow the data (IE copy a sensitive file to a USB drive)?
Is data limited to users with access credentials or open to all employees?

4) Do you have a policy for physical access to critical areas?

Are all access points monitored?
Do you monitor all users entering and leaving a controlled environment?
Do physical access controls match with logical controls (who walked in and logged into a server)?

5) Do you have a continuos monitoring solution for network devices?

Do you monitor who makes configuration changes?
Do you have policies for code versions, configuration templates, etc. that are mandated for network devices?
Do you collect logs and react to events?

6) Do you adhere to legal or company mandates?

How often to you test for compliance?
Do you meet all aspects of mandate requirements?
Do you know the impact of daily changes to your mandate requirements?

Some examples of solutions for the questions above are : Network Admission Control, Scanners (Nessus, Retina, etc), Data Loss Prevention, Network Management Applications (Cisco LMS, EMC Ionix, etc.) Desktop Management Applications (Altiris, BigFix, etc), Physical Access Controls, Authentication Solutions, Email and Web Solutions, etc.

Once security toolsets are established to capture security events, the next step for a continuos monitoring solution is centralizing all alerts to single management system. A common solution is a security information and event management tool (SIEM). The benefits of most SIEMs are correlating events into one threat, aggregating millions of events into readable data, identifying top problems to remediate and quickly searching through millions of logs for specific data. Some SIEMs offer other features such as compliance reports and workflows however few offer a complete C-level reporting package. An example of a C-level deliverable is alerting the impact of adding a router to the overall FISMA status or determine the cost savings of replacing the router with a more efficient model. There are complimentary solutions to SIEMs to provide this type of data.

To summarize a continuous monitoring architecture, first identify all threat vectors on your network. Develop security solutions to address threat vectores with near real-time reporting capabilities. Build a centralized event management infrastructure that offers various reports that meet business requirements. Most likely it will take time to understand what the desired end result should be so expect many revisions as you develop your continuous monitoring infrastructure.

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Security Management & Analysis

Tagged as Access Control, c level, Chief executive officer, Cisco, Compliance, compliance and risk, Continuous Audit, Continuous Controls Monitoring, continuous monitoring, Continuous Monitoring Architecture, Continuous Monitoring Solution, Continuous Transaction Inspection, Data Loss Prevention, DLP, end point management, FISMA, GLBA, HIPAA, Joey, Joey Muniz, joseph, joseph muniz, mobile, mobile device management, monitoring, Muniz, NAC, network access control, operations and controls, pci, reporting, RSA, Sarbanes-Oxley Act, Security, Security Information And Event Management, SIEM, SIEM Technology, sox, Symantec, wireless security, World Wide Technology, world wide technology inc., wwt

October 17, 2011

What To Look For In A Mobile Device Management MDM Solution

IT administrators are being asked to come up with ways to permit mobile devices onto the corporate network in a secure fashion (via MDM Solution or other technology) . This subject touches a few technology areas such as access control, secure wireless, data protection and secure management of mobile devices however the focus for this piece will be mobile device management. Members of my team have tested the MDM leaders such as Mobile Iron, Airwatch, Zenprise, Good Technology, McAfee, Symantec, etc. and summed up the following as things to consider when evaluating a Mobile Device Management solution.

The first thing to consider is your desired MDM Solution Policy. Typically there are three scenarios to address:

1) GUESTS / PERSONAL DEVICES – Devices coming on the network as guests that you don’t manage or access internal data

2) CONTRACTORS / PERSONAL DEVICES ON NETWORK- Devices coming on network with partial access to corporate data

3) EMPLOYEES / CORPORATE DEVICES - Devices with full network access and managed by corporate.

The target of most MDM solution requirements is addressing items 2 and 3 while item 1 is typically covered by an access control technology. The two common approaches taken by MDM vendors are a sandbox or endpoint management offering. Sandbox or secure container technologies provide the most security by protecting corporate data within a sandbox application. Policies for encryption, data loss prevention and limiting data access can be controlled through MDM issued access methods rather than what is offered by the device manufactures. Most mobile device offerings give power to users (all but blackberry) however sandbox technology protects the data regardless of rights provided to users. The main con against the sandbox approach is not utilizing native device applications such as built in email, which tends to impact user acceptance. Good Technologies is an example of a sandbox based MDM solution.

MDM solutions that offer an endpoint management approach support specific vendors (Apple iOS, Android, etc) and compliment existing native applications. Application management MDM solutions leverage an agent on mobile devices to control applications as well as issue commands such as remotely wiping sensitive data. Its hard to say application management MDM solutions address a specific threat category however risk is dramatically reduced by using them to remove hacked / jail-broken devices, permitting approved applications and managing native security options such as passwords and data removal. Application management MDM solutions tend to be more suited for “Bring your own device” requirements while sandboxed MDM solutions favor corporate issued mobile devices.

Other factors to consider are provisioning mobile devices and proper control of data access. Consider the activation and enrollment options for the three use cases listed above (Guests, Contractors and Employees). Can employees register personal devices for access via a GUI or will it require an administrator? How well does the MDM solution assign and manage corporate controlled devices? What are the maintenance options regarding standardizing and upgrading mobile device software for corporate managed assets? Can the MDM solution provide reports listing all applications on mobile devices accessing the network? A strong MDM solution should handle all of these, which specific data access is controlled based on how users authenticate via local authentication or advance access control solutions.

The final thing to consider is MDM security features which usually are common across the leading vendors. Top features include verifying device configuration policies such as checking for hacks or jailbreaks. Policies should be flexible depending on if devices are corporate or personal. Mobile device applications should be verified and controlled to avoid vulnerable software such as a game with backdoor malicious intent. Remote wipe capabilities should be available and focus only on corporate data (IE do not wipe personal email, contacts, etc. without the end-users’ permission). Data protection such as password enforcement should be enabled through a centralized platform. All of these features should be displayed in a report so leadership can verify the security status of mobile devices accessing corporate data.

Every MDM vendor has their own way to accomplish its features so it’s a good idea to develop your policy and match it to MDM solution rather than an open comparison between products. Hopefully this gives you some points to consider for your MDM evaluation. Also note subjects like access control, two-factor authentication, secure wireless and other technologies should be considered for a complete solution.

Rating: 5.0/5 (3 votes cast)

16 Comments

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security

Tagged as Access Control, Airwatch, android, android security, apple security, application sandbox, black berry, corporate iphone policy, Data Loss Prevention, DLP, end point management, enterprise iphone policy, enterprise mobile device, Good Technology, iPad, iPhone, iphone 4, iphone s, iphone security, Joey, Joey Muniz, joseph, joseph muniz, laptop, McAfee, MDM, mobile, mobile device, mobile device management, mobile device security, Mobile Iron, mobile phone, mobile policy, mobile sandbox, Muniz, sandbox, securing iphones, Security, Symantec, wireless access control, wireless security, World Wide Technology, world wide technology inc., wwt, Zenprise

September 19, 2011

Internet Defense Technology : Web Proxy / Content Filter / Application Firewalls

The web is a dangerous place so its extremely important to have web proxy / content filter technology protecting users that access it. I had a roommate years ago who purchased a computer and within hours had every virus, malware and what not clogging his new machine. I’m sure he didn’t have the best surfing habits however that doesn’t mean the average user is less likely to be infected. What most people don’t realize about websites is they are like a Paint By Numbers canvas leveraging other websites to fill in the colors. For example, if you see a RealAudio video on a website, guess what … you have surfed both that embedded video’s website and the host website. The same goes when there are hidden links that download malicious malware on what you believe is a safe website.

The standard defense for Internet based threats is a web proxy / content filter solution or similar features imbedded in a firewall, IDS/IPS or SAS offering. The baseline solutions offer Content Filtering meaning the ability to monitor or block web content that violates specified policy. The major players do this well (Bluecoat, Websense, McAfee, Iron Port, etc.) by grouping web content into categories. For example, an administrator can deny all adult websites by blocking the adult category, which is an up-to-date list of the known adult sites. Smaller players work like an access-list manually blacklisting websites, which is a nightmare to manage. In the end, this is a commodity feature for the real players and should come standard for web proxy / content filter solutions with little management to maintain content categories.

Besides denying policy, web security / content filter solutions should have a method to check web traffic for threats. Many vendors offer anti-virus, anti-malware and content scanners that look for malicious traffic inline by redirecting network traffic through a web security / content filter or by endpoint proxy settings forcing endpoint web traffic to the security solution. Some verify content for hidden attack vectors in a closed environment prior to permitting access to the website (also known as sand-boxing). The best web security / content filter solutions offer a mix of signature and behavior sources since no single source can cover the entire gamut of web attacks properly. It’s also important that the web proxy / content filter solution is capable of viewing https IE secure channels or you will miss end user traffic that is encrypted.

Reputation or website “credit scores” is becoming a popular factor utilized by web security / content filter solutions. My blog on this subject explains this HERE. Reputation is key for speeding up the security process since many harmful websites can be denied based on reputation rather than scanning and identifying threat signatures or malicious behavior. I’ve used solutions such as IronPort Web Security Appliance (WSA) and usually 90-95% of the websites denied are identified as malicious based on reputation rather than passing the reputation check and caught by other security defenses.

The final point about securing access to the Internet is to consider email and web as equal targets since they are the most common cyber attack vectors. Web proxy / content filters need the same investment as Email Security and must be designed as a unified solution. I’ve had customers say “we get phishing attacks that send clean emails with links to malicious websites”, which users clicking the links is a Web Security vulnerability … not email. Other investments should be made in post compromised technology such as botnet / malware detection technology (Netwitness, Wireshark, Ironprot WSA botnet scanner, FireEye sandbox technology, etc.), Data Loss Prevention and host based security. No solution is a silver bullet so a layered defense will dramatically reduce risk if the overall design compliments each solution rather than operates individually.

Rating: 4.5/5 (2 votes cast)

9 Comments

Filed under Internet Defense

Tagged as anti-malware, anti-virus, application firewall, application firewalls, blue coat, Bluecoat, botnet, botnets, Cisco, Cisco IronPort, content filter, Data Loss Prevention, DLP, fireeye, GTI Proxy, Internet based threats, Internet Defense, internet security, Iron Port, ironport, Joey, Joey Muniz, joseph, joseph muniz, layer 7 firewall, layer 7 firewalls, malware defense, McAfee, Muniz, palo alto, palo alto networks, phishing defense, popup defense, Security, spam defense, stop spam, stopping botnets, stopping popups, Symantec, symnatec email proxy, web defense, web proxy, web security, web sense, websense, World Wide Technology, world wide technology inc., wwt

August 31, 2011

Securing Teleworkers: Building A Remote Access Solution For Teleworking

Securing Teleworkers is at the top of the to do list for many organizations. President Obama signed a bill aimed to significantly boost teleworking by federal employees. There are lots of business benefits from teleworking however permitting remote access to internal resources increases risk. Here are some tips to consider when securing your teleworkers.

The most common method for Securing Teleworkers is using a Virtual Private Network (VPN). The concept is establishing an encrypted tunnel between remote endpoints and the internal network so endpoints are serviced like an internal resource. Leading vendors utilize endpoint agents or web-based VPN portals that control what can be accessed. Best practice is to adjust the level of access based on how users authenticate, data being accessed and network they are connecting from. Strong solutions auto establish VPN connections outside the cooperate network and scan endpoints for key loggers prior to permitting access.

A popular enhancement to Securing Teleworkers through a VPN is Network Access Control (NAC) technology. NAC verifies who is accessing the network, captures information about the devices and distributes access based on policy. NAC is like airport security verifying people’s identity and risk level BEFORE permitted access to the plane. Best practice is to increase policy requirements as you increase access rights. For example, permit employees if they are using cooperate laptops with a specific version of antivirus while limit contractors with any version of antivirus. Automating remediation for teleworkers who don’t meet policy is key to reducing NAC trouble tickets.

Another recommended solution for securing teleworkers is filtering all VPN traffic through a Content Filter. Content Filters enforce web usage policies such as denying adult websites or tracking hours wasted on social networks. Research shows users involved with popular social media games like Farmville spend hours each day that may take place during business hours if not tracked. Leading Content Filters also offer security features to protect users from malicious websites that aim to breach the internal network through compromised workstations.

A popular alternative to using VPN solutions for Securing Teleworkers is adopting a virtual desktop infrastructure (VDI). Data is kept on the protected network and accessed through a server-client model. The security benefit is clients never directly access the inside network so risk of infection is reduced. A common obstacle for virtual desktop infrastructures is user demands for direct access to data. Permitting direct access could jeopardize VDI benefits unless proper access control and data security transfer methods such as encryption are enforced.

Other options to consider for securing teleworkers are Data Loss Prevention (DLP), host security applications, encryption, and patch management solutions. Best practice recommends DLP for endpoints, email, network and servers that have access to sensitive data. Encrypting sensitive data can add a lot of value as long access rights are enforced. Hardening endpoints with features like disabling wireless when physically connected, limiting USB access to approved devices, forcing sensitive data through encrypted channels and updating endpoints without user intervention is important. The best way to manage security features like these is to limit remote access to corporate issued devices. It’s also a good idea to have all teleworkers sign an agreement specifying your telework policies prior to permitting remote access.

There are many solutions for Securing Teleworkers so it’s important to understand your business operations before selecting a technology. Rushing into a technology could expose your organization to unnecessary risk or an unreliable solution.

Rating: 5.0/5 (1 vote cast)

Leave a Comment

Filed under General Security, Network Admission Control

Tagged as Adaptive Security Appliances, asa, Cisco, content filter, Data Loss Prevention, DLP, encryption, endpoint security, farmville, Iron Port, Joey Muniz, joseph, joseph muniz, Muniz, NAC, network access control, network admission control, obama telework bill, obama telework enhancement act, remote access, remote work policy, secure teleworker, securing remote workers, securing teleworkers, Symantec, symantec nac, telecommunication, Telecommuting, telecommuting program, Telework, Teleworker, Teleworking, virtual private network, VPN, web proxy, web security, web security appliance, work from home, World Wide Technology, world wide technology inc., wsa

Tag Archives: Symantec

Situational Awareness For Cyber Threat Defense

Protect Your Communication Using Free Tools: Secure E-mail and Hiding Messages with Steganography

Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Enforcing Network Policy Internally, Remotely And To Mobile Devices

Addressing Bring Your Own Device (BYOD): How to manage and secure mobile endpoints

Developing A Continuous Monitoring Solution

What To Look For In A Mobile Device Management MDM Solution

Securing Teleworkers: Building A Remote Access Solution For Teleworking

Search

Topics

Cisco ISE Documentation

Subscribe

Blogroll