Narrowing the gap / Across the line
FEBRUARY 2011 • WWW.SCMAGAZINEUS.COM
VOLUME 22 NO. 2 • February 2011 • WEBSITE WWW.SCMAGAZINEUS.COM • EMAIL [email protected]

FEATURES:
Internal review – Some in the security industry are working to stem the malicious insider threat, says Dawn Cappelli of Carnegie Mellon P20
Narrowing the gap – The $1 trillion cybercrime industry is expertly - and competitively - run, but the good guys aren’t sitting on their hands P28
Across the line – Canada and the United States will shortly announce a new agreement on border security involving biometrics P32

REVIEWED IN GROUP TESTS
DragonSoft P55 – Launches scans from a simple interface
Sourcefire P65 – Provides IDS/IPS functions at nice price point.
GFI P56 – Solid scanning and analysis tool.
REGULARS
4 Editorial An accounting of the insiders
8 Threat report The People’s Liberation Front has taken responsibility for an attack that shut down a county website in California
11 Threat stats Fraudsters are using hijacked websites to host attacks
14 Update An email management provider was hacked
15 Debate The model of ‘trust but verify’ is effective at mitigating the insider threat
16 Two minutes on… The evolution of the DDoS
17 Skills in demand Mobile threats present job openings
18 From the CSO’s desk Think like a chess player, says Zynga’s Ward Spangenberg
20 Opinion The great malware coverup, by Marc Maiffret, chief security architect, FireEye
21 Letters From the online mailbag
68 Calendar A guide to upcoming courses, shows and IT security events
70 Last word Smart mobile app development, by Sean Martin

FEATURES
22 Internal review Some in the security industry are working to stem the malicious insider threat, says Dawn Cappelli of Carnegie Mellon.
28 Narrowing the gap The $1 trillion cybercrime industry is expertly – and competitively – run, but the good guys aren’t sitting on their hands.
32 Across the line Canada and the United States will shortly announce a new agreement on border security involving biometrics

PRODUCT REVIEWS
51 Products section This month we are looking at two groups that, at first blush, don’t look as if they belong together: vulnerability assessment and IDS/IPS
52 Group Test 1: Vulnerability assessment With the evolution in today’s array of tools, the enterprise can now have vulnerability assessment any way it wants
60 Group Test 2: IDS/IPS Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are evolving in capabilities to deliver protection against more sophisticated threats
66 First Look: ActivIdentity 4TRESS Authentication Appliance for Banking v 7.0

Dawn Cappelli P22
Nessus ProfessionalFeed P59
McAfee Network Security Platform v6.0 P62
Michael Singer P17
A. N. Ananth P15
Cover photo by Karen Myers

SC Magazine™ (ISSN No. 1096-7974) is published 12 times a year on a monthly basis by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2011 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazineus.com.
www.facebook.com/SCMag
www.twitter.com/scmagazine
Editorial
An accounting of the insiders

No matter your view of Julian Assange – First Amendment hero or unapologetic traitor – his WikiLeaks controversy is the story that just keeps on giving.

As U.S. government officials in late January looked to close out their assessments of how they handle classified data, which likely will result in the strengthening of existing but questionable security practices, still more fallout is coming. This time, the targets play in the private sector though.

The British magazine New Statesman reports in a recent Assange interview that the WikiLeaks founder has additional classified files from both the government and some media outlets that will be made public if something happens to him or WikiLeaks. Meantime, he says data files from another private entity, likely Bank of America, are next in line to be revealed on the WikiLeaks site [data from Swiss bank Julius Baer was reportedly given to WikiLeaks on Jan. 17]. So now the plot thickens, bringing into the mix corporations, their electronic communications and subpar information security practices.

Insider risks have been ever-present, but attention only seems to be given to them during economic downturns when layoffs result in intellectual property thefts or lingering disgruntled employees expose customer information. However, the importance of having both robust end-user security policies in place, which are then enforced and supported by strong technologies within the corporate infrastructure, can neither be overstated nor ignored. Check out this month’s cover story by our Executive Editor Dan Kaplan to get the latest information on what works best in dealing with both malicious insiders and error-prone employees.

Moving on from the potential problems wrought by some internal staff, I wanted to call out the tremendously positive contributions the strongest among them can make – especially those of one respected industry player we lost too soon. Justin Peltier was a longtime contributor to SC Magazine, testing countless products in our SC Lab. After starting his information security career at a large consultancy, he began teaching various classes, including popular courses on pen testing, for CSI and institutions like Norwich University. His work with our publication was stellar and “his knowledge of various product types and individual products was encyclopedic,” says our Technology Editor Peter Stephenson.

We here at SC Magazine were privileged to know Justin. His wit, intelligence, humor and the vast technological experience he openly shared with the entire IT security community will be sorely missed.

“This time, the [WikiLeaks] targets play in the private sector...”

who can turn security into “know” instead of “no”? we can
Saying “no” to unauthorized access is important. But “know” is far more important. Content-Aware Identity and Access Management from CA Technologies brings the power of “know” to IT environments—virtual, physical or cloud—all the way down to the data level. Identities. Access. Information. Compliance. A smarter, more secure solution. That’s the power of know. To put the power of know to work for you, visit www.security.com
Copyright ©2011 CA. All rights reserved.

4 • February 2011 • www.scmagazineus.com
WHAT IS SCWC 24/7
SC Magazine has created a free virtual environment that is open year-round. Each month we host an event focused on a subject that you as an IT security professional face on a regular basis.

THIS MONTH
JAN. 25: INSIDERS WITH ACCESS
IT administrators and information security professionals can use their power for evil by accessing confidential information that’s not pertinent to their duties. Given that they oversee corporate systems, their abilities to access human resources data, for example, or the personally identifiable information of customers can be virtually unlimited. How should organizations ensure they’re keeping in check even privileged users and what, overall, should they do to combat insider threats? We take a look at the trends.

UPCOMING
WEB APPLICATION SECURITY
We talk to experts about the trials and tribulations of safeguarding web applications, finding out practical steps for protecting this too-often-used entrée into business networks.
MANAGING DATA AGAINST INSIDER THREATS
Whether their actions are intentional or accidental, insiders are a risk and companies must protect their critical assets against them. We learn from experts.

FOR MORE INFO
For information on SCWC 24/7 events, please contact Natasha Mulla at [email protected]
For sponsorship opportunities, please contact Mike Alessie at [email protected].
Or visit www.scmagazineus.com/scwc247-environment/section/1223/

SC MAGAZINE EDITORIAL ADVISORY BOARD 2011
Rich Baich, principal, security & privacy, Deloitte and Touche
Greg Bell, global information protection and security lead partner, KPMG
Christopher Burgess, senior security adviser, corporate security programs office, Cisco Systems
Jaime Chanaga, managing director, CSO Board Consulting
Rufus Connell, research director information technology, Frost & Sullivan
Dave Cullinane, chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, chief information security officer, Brandeis University
Gerhard Eschelbeck, chief technology officer and senior vice president, engineering, Webroot Software
Gene Fredriksen, senior director, corporate information security officer, Tyco International
Maurice Hampton, information security & privacy services leader, Clark Schaefer Consulting
Paul Kurtz, partner and chief operating officer, Good Harbor Consulting
Kris Lovejoy, director of Tivoli strategy, IBM
Tim Mather, board member at Cloud Security Alliance
Stephen Northcutt, president, SANS Technology Institute
Marc Rogers, associate professor and research scientist, The Center for Education and Research in Information Assurance and Security, Purdue University
Randy Sanovic, former general director, information security, General Motors
* Howard Schmidt, cybersecurity coordinator, U.S. White House; president and chief executive officer, Information Security Forum
Justin Somaini, chief information security officer, Symantec; former director of information security, VeriSign
Craig Spiezle, chairman, Online Trust Alliance; former director, online safety technologies, Microsoft
Hord Tipton, executive director, (ISC)2; former CIO, U.S. Department of the Interior
Amit Yoran, chief executive officer, NetWitness; former director, Department of Homeland Security’s National Cyber Security Division
* emeritus
WHO’S WHO AT SC MAGAZINE
EDITORIAL
EDITOR-IN-CHIEF Illena Armstrong
[email protected]
EXECUTIVE EDITOR Dan Kaplan
[email protected]
MANAGING EDITOR Greg Masters
[email protected]
REPORTER Angela Moscaritolo
[email protected]
TECHNOLOGY EDITOR Peter Stephenson
[email protected]
SC LAB MANAGER Mike Stephenson
[email protected]
DIRECTOR OF SC LAB OPERATIONS John Aitken
[email protected]
SC LAB EDITORIAL ASSISTANT Judy Traub
[email protected]
PROGRAM DIRECTOR, SC WORLD CONGRESS
Eric Green [email protected]
CONTRIBUTORS
Deb Radcliff, Beth Schultz, Stephen Lawton,
DESIGN AND PRODUCTION
ART DIRECTOR Brian Jackson
[email protected]
VP OF PRODUCTION & MANUFACTURING
Louise Morrin
[email protected]
SENIOR PRINT AND DIGITAL CONTROLLER
Krassi Varbanov
[email protected]
SC EVENTS
SENIOR EVENTS MANAGER Natasha Mulla
[email protected]
EVENTS COORDINATOR Anthony Curry
[email protected]
U.S. SALES
EASTERN REGION SALES MANAGER Mike Shemesh
(646) 638-6016 [email protected]
WESTERN REGION SALES MANAGER
Matthew Allington (415) 346-6460
[email protected]
SENIOR SALES EXECUTIVE
Brittany Thompson (646) 638-6152
[email protected]
NATIONAL ACCOUNT MANAGER - EVENT SALES
Mike Alessie (646) 638-6002
[email protected]
SALES/EDITORIAL ASSISTANT Brittaney Kiefer
(646) 638-6104 [email protected]
UK ADVERTISEMENT DIRECTOR
Mark Gordon 44 208 267 4672
[email protected]
LICENSE & REPRINTS SALES EXECUTIVE
Kathleen Merot (646) 638-6101
[email protected]
EMAIL LIST RENTAL
EMAIL SENIOR ACCOUNT MANAGER
Frank Cipolla, Edith Roman Associates
(845) 731-3832 [email protected]
CIRCULATION
GROUP CIRCULATION MANAGER
Sherry Oommen (646) 638-6003
[email protected]
SUBSCRIPTION INQUIRIES
CUSTOMER SERVICE: (800) 558-1703
EMAIL: [email protected]
WEB: www.scmagazineus.com/subscribe
MANAGEMENT
CHAIRMAN William Pecover
PRESIDENT Lisa Kirk
DEPUTY MANAGING DIRECTOR Tony Keefe
REAL-TIME LOG ANALYSIS - WHY SETTLE FOR JUST FORENSICS?
“The recent intrusions...are a wake-up call to those who have not taken this problem seriously. New cyber security approaches must continually be developed, tested, and implemented to respond to new threat technologies and strategies” - Dennis C. Blair, Director of National Intelligence 2/2/10

Real-Time Log Analysis for Proactive Network Defense
Logs have to be analyzed. Regulations such as PCI, HIPAA, NERC CIP, SOX and GLBA require it, but let’s face it - traditional log analysis is reactive. You have a choice: You can pick a product that is forensically focused: gathering logs, storing them in a database and offering search and reporting, OR you can choose TriGeo SIM.
TriGeo SIM is the ONLY log analysis solution that combines real-time log analysis with active response for true Proactive Network Defense. Real-time, in memory, analysis is the key. TriGeo’s enterprise-wide view of the network makes it possible to capture, correlate and actively respond to network attacks and insider threats - at network speed. For proactive network defense, there is only one choice.

Seeing is believing... (SC Magazine 2010 Group Test: SIEM, OVERALL RATING)
Find out why this award-winning technology is so highly rated by reviewers and loved by customers. Join us for a live webinar where you’ll see TriGeo SIM in action under real-world conditions. Watch as we capture, correlate and respond to network attacks and policy violations - all in real-time.
Register today at www.TriGeo.com or call 1-866-664-9292.
© 2010 TriGeo Network Security, Inc. All rights reserved. TriGeo SIM is a trademark of TriGeo Network Security, Inc.
DataBank
ThreatReport
Cybercriminal activity across the globe, plus a roundup of security-related news

Colored spots on the map indicate levels of spam delivered via compromised computers (spam zombies). Activity is based on the frequency with which spam messaging corresponding with IP addresses is received by Symantec’s network of two million probes with a statistical reach of more than 300 million mailboxes worldwide. (Map key: high-level, medium-level and low-level activities.)

IRELAND – The hacker group Anonymous is believed responsible for hacking the website belonging to one of the nation’s largest political parties, Fine Gael, resulting in the exposure of email and IP addresses and phone numbers belonging to at least 2,000 registered site users.

ROCHESTER HILLS, MICH. – A 33-year-old man is facing up to five years in prison after being charged with hacking into his now ex-wife’s Gmail account to discover she was having an affair. Leon Walker was charged with felony computer misuse.

CHINA – An online auction site removed the listings of some 50,000 hacked iTunes accounts, many belonging to U.S. users. Winning bidders were able to buy media, such as music and movies, at the expense of the original account holder. The stolen accounts urged prospective buyers to act quickly.

ESTONIA – The Baltic Region state formed the Cyber Defense League to serve as a volunteer army in the event of internet war. Volunteers train on weekends and are tasked with protecting the country from things such as DDoS.

SANTA CRUZ, CALIF. – The People’s Liberation Front took responsibility for an attack that shut down the Santa Cruz County government website. The group said it launched the attack to object to the prosecution of demonstrators who protested a city ordinance that bans sleeping outdoors.

GERMANY – The country is planning a cyberwarfare center that will help defend against espionage attacks. The center will be staffed by government and intelligence experts, who also will work with the business community to protect the country from attack.

COLUMBUS, OHIO – A 22-year-old student recently paid $12,500 to settle a copyright claim with Conde Nast after hacking into the publishing giant’s computer system and downloading hundreds of files. The student, Ross Ulrich, confessed to the intrusion to FBI agents.

DENVER – A recent audit of state computers turned up thousands of records containing personal information, including Social Security numbers, birth dates and income levels. Though auditors said the Centennial State is at “high risk” of a cyberattack, the governor’s IT office disagreed.

SOUTH KOREA – Two men running an illegal gambling website on behalf of the mafia were charged with launching distributed denial-of-service attacks against rival sites. Prosecutors said the men, ages 32 and 37, leveraged a 50,000-node botnet in November and December to take down more than 100 competitor sites.

BRASILIA, BRAZIL – Hackers attempted to disrupt the government’s website a day after President Dilma Rousseff was sworn in last month. The attack caused the website to become unstable, but it was not knocked offline. No confidential information was compromised.

The Netherlands was top producer of zombie IPs
During the past month, the EMEA region (Europe, Middle East, Africa) was the leading source of all zombie IP addresses. Of the countries making up the EMEA region, the Netherlands was the top-producing country. For the other regions, the top-producers were Brazil in South America, the United States in North America and India in the Asia-Pacific region. Source: Symantec
DataBank
ThreatStats
The biggest increases in month-over-month zombie activity occurred in India

Top 10 malicious programs  Kido still tops
Position  Name  Change  Number of infected computers
1  Net-Worm.Win32.Kido.ir  0  468,580
2  Net-Worm.Win32.Kido.ih  0  185,533
3  Virus.Win32.Sality.aa  0  182,507
4  Trojan.JS.Agent.bhr  0  131,077
5  AdWare.Win32.HotBar.dh  New  122,204
6  Virus.Win32.Sality.bh  1  110,121
7  Virus.Win32.Virut.ce  -2  105,298
8  Packed.Win32.Katusha.o  0  100,949
9  Porn-Tool.Win32.StripDance.b  New  92,270
10  Worm.Win32.FlyStudio.cu  -4  88,566
There were no major malware incidents to talk about in December. However, throughout the month, 209 million network attacks were blocked, 67 million attempted infections via the web were prevented and 197 million malicious programs were detected and neutralized.
Source: Kaspersky Lab

Malware  Vertical encounter rate
(Chart: web malware encounter rate by industry vertical, percent of median, axis 0 to 300)
Education  254
Food/Beverage  162
IT/Telecommunications  108
Retail/Wholesale  104
Government  92
Banking/Finance  88
Healthcare  69
The chart above reflects the encounter rate of web malware across a selection of industry verticals. Rates above 100 percent reflect a higher-than-median rate of encounter and rates below 100 percent reflect a lower-than-median rate.
Source: Cisco ScanSafe

Phishing  A slight drop
(Chart: monthly volume of phishing attacks, July, August, Sept., Oct., Nov., Dec.; plotted values 17,935; 16,813; 16,782; 16,756; 16,274; 16,047; axis 15,000 to 18,000)
During December, the global volume of phishing attacks remained unchanged, decreasing by a mere 0.2 percent compared with November. December marks the sixth consecutive month through which no proxy-based phishing attacks were launched. It appears fraudsters do not invest in fast-flux infrastructures, but rather use hijacked websites to host attacks.
Source: RSA Anti-Fraud Command Center

Top breaches of the month  Data loss
Name  Type of breach  Number of records
deviantART, Silverpop Systems (Hollywood, Calif.)  Hackers exposed the email addresses, usernames and birth dates of the entire deviantART database.  13,000,000
Ohio State University (Columbus, Ohio)  Students, professors and other university affiliates were notified that their information may have been accessed by a hacker.  750,000
Western Colo. Drug Task Force (Grand Junction,  A former employee accidentally posted sensitive information in a place that was publicly accessible on the internet.  200,000

Total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005: 511,134,665 (as of Jan. 4)
Source: Privacy Rights Clearinghouse (data from a service provided by DataLossDB.org, hosted by the Open Security Foundation)

BALANCE Risk with Reward
Earn ISACA’s Certified in Risk and Information Systems Control (CRISC™) designation and gain the rewards of recognition and career advancement. Apply for grandfathering until March 2011. The right balance for your career.
www.isaca.org/crisc-scmagazine
DataBank

Zombie IPs  Global distribution
(Chart: share of zombie IP addresses by country or region, percent)
Other Asia  18.4
Other Europe  17.2
India  16.4
Russia  10.9
Brazil  7.7
Ukraine  5.2
Vietnam  5.1
China  3.7
Thailand  3.3
Pakistan  2.6
The biggest increases in month-over-month zombie activity occurred in India, Russia, Ukraine and Thailand, while the largest decreases occurred in Brazil, Vietnam and other Asian nations.
Source: Commtouch Software Online Labs

Top 5 attacks used by U.S. hackers
1. Torpig trojan
2. Koobface
3. TDL3 trojan
4. Rustock trojan
5. Clampi trojan
Top 5 attacks used by foreign hackers
1. Torpig trojan
2. Koobface
3. TDL3 trojan
4. Butterfly bot
5. ZeuS trojan
There were 864 attacks in the United States last month, primarily originating from Farley, Iowa; New York; Garden City, N.Y.; Scranton, Pa.; and Woodstock, Ill. There were 15,738 foreign attacks last month, primarily originating from Taipei, Taiwan; Beijing; and Shanghai, Nanjing, and Guangzhou, China.
Source: SecureWorks

Spam rate  Compared to global email
(Chart: detected activity, axis 0 to 60, weekly points 11/22/10, 11/29/10, 12/6/10, 12/13/10, 12/20/10)
Received spam  Top five spam regions
(Chart: detected activity, global, percent, axis 0 to 10)
USA  9.37
France  9.11
Japan  6.77
Taiwan  3.88
Italy  3.03
Spam rate indicates the accumulated emails tagged as spam.
Source: Fortinet Threatscape Report

Top 10 spyware threats  Win32 still wins
Threat name  Percentage
1  Trojan.Win32.Generic!BT: A generic risk that covers a wide variety of unwanted and malicious apps.  21.93%
2  Trojan-Spy.Win32.Zbot.gen: A generalized description of a password-stealing trojan.  3.79%
3  Trojan.Win32.Generic.pak!cobra: A generic detection for a wide variety of malware.  3.14%
4  Trojan.Win32.Generic!SB.0: Generic detection for password-stealing trojan programs.  2.78%
5  Exploit.PDF-JS.Gen (v): A detection for threats that exploit a security flaw in PDF files.  1.79%
6  INF.Autorun (v): Uses Autorun.inf files to automatically launch backdoors and trojans.  1.63%
7  Worm.Win32.Downad.Gen (v): A detection for the Downadup worm.  1.27%
8  Trojan.ASF.Wimad (v): A detection for a group of trojanized Windows media files.  0.77%
9  FraudTool.Win32.FakeVimes!delf (v): A heuristic detection for the FakeVimes family.  0.73%
10  Trojan.Win32.Meredrop: A generic detection for a number of trojans that install and run malware.  0.72%
The majority of these threats reported last month propagate through stealth installations or social engineering. Source: Sunbelt Software

Shouldn’t you be demanding more from your SSL solution than just encryption?
The world’s leading SSL now gives you even more protection.
VeriSign® SSL, now from Symantec, includes more than just industry-leading authentication and encryption. You can add a daily website malware scan for increased protection. You can make your customers feel more protected and generate more site traffic by displaying the VeriSign seal in search results. All at no extra cost. Chosen by over 93 percent of the Fortune 500®, VeriSign SSL is setting a whole new standard for online security and trust. See for yourself with a 30-day free trial at verisign.com/ssl/free-30day-trial
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust, and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners.
Update
2 minutes on... DDoS attacks have gotten slicker over time P16
Me and my job Managing endpoints should be a top priority P17
Skills in demand Mobile threats present job openings P17

NEWS BRIEFS
»Scientists in Canada have replicated a botnet to study its behaviour, infecting 3,000 virtual machines with the Waledac malware. The research, led by a team at the École Polytechnique de Montréal, involved collaborators at Carleton University, Canada. It also enlisted the help of researchers at Nancy University, France, along with antimalware company ESET.
Scientists used a $1 million, 98-machine server cluster as a platform to create 3,000 virtual machines, each of them simulated with a different IP and email address. They then infected the machines with Waledac to measure statistics including how quickly it spread.
The project, described in MIT’s Technology Review, was carried out earlier last year and discussed in December in a paper entitled “The case for in-the-lab botnet experimentation: Creating and taking down a 3,000-node botnet.”
One significant finding from the experiment was that the Waledac botnet’s weak cryptographic protection in the wild was a necessity. The botnet’s command-and-control infrastructure used the same Advanced Encryption Standard session key for all bots for 10 months.

»Security costs for the Vancouver Olympics ballooned almost five times over the course of the games’ preparation, according to a report issued in the Canadian parliament last month. Security, originally estimated at $175 million when the games were awarded in 2002, eventually cost the Canadian taxpayer nearly $854 million. Twelve departments contributed to security at the games, which included an elaborate computer security mechanism operated by contractor Atos Origin.
National Defence spent $231 million, while the Canadian Security and Intelligence Service (CSIS) spent $11 million to help screen officials. Canada Post spent $652,000 screening the mail, while Public Health was allotted $900,000 for health surveillance. Significantly, the Royal Canadian Mounted Police (RCMP), which spent the lion’s share of the security budget at $522 million, felt considerably pressured by a lack of resources, according to U.S. diplomatic cables obtained this month by the whistleblower site WikiLeaks.
“Law enforcement representatives working at the U.S. Consulate in Vancouver are reporting that more and more of their contacts are being pulled to work on Olympics security issues,” said the cable, quoting Consul General Philip Chicola, a year before the Olympics opened.
The security bill for the Olympics, which were held in March 2010, was significantly revised last year to $900 million, meaning that the final bill came in under the revised budget. The Vancouver Olympics Organizing Committee claimed to have broken even in its final budgetary analysis of the Olympic games, although critics pointed out that it had returned for more money since the games were awarded, inflating its budget. The budget for the Olympics games eventually cost $1.8 billion.
Photo by Stan Honda/AFP/Getty Images

Data pop
Hackers compromised the email addresses of millions of Honda Motor Co. customers. The incident is believed to be related to a database breach at Silverpop Systems, a third-party firm that provides marketing services to more than 105 corporate clients. Separate announcements by McDonald’s and Walgreens that customer data was compromised are also believed to be related to the Silverpop breach.
Personal data of Honda customers was exposed, though no financial data.

THE QUOTE
“We’re scared to death of the man in a black suit and briefcase – the auditor.”
– James Arlen, principal, Push Stack Consulting, on the over-reliance on compliance versus security

Debate» The model of ‘trust but verify’ is effective at mitigating the insider threat.

FOR
A. N. Ananth, CEO, Prism Microsystems
The emergence of WikiLeaks has focused attention on the insider attack, yet it is not a new problem. While not as common as external attacks, insiders can be highly destructive to an enterprise’s credibility and security. Completely disabling functionality (e.g., removable media) in the name of hardening is impractical, inefficient and eventually noncompetitive. Ignoring the issue is just as bad. It is not a question of “if” the insider attack will happen; it is only a question of “when.” Responsible organizations should “trust but verify” when it comes to insiders – trust that employees are doing what is right, but verify that information is handled correctly.
Insider threats must be balanced with information needs by following several key steps. First, identify critical assets and establish access control based on need. Second, publish acceptable-use policies and educate users. Last, enforce these policies with effective monitoring of all access. Ideally, use behavioral analysis to identify variations and abnormalities from a running baseline.

AGAINST
John Kindervag, senior analyst, Forrester Research
Trust, but verify – the sacrosanct mantra of modern infosec – has failed our profession. It is a joke – literally. It comes from President Reagan’s speech commemorating the signing of a historic nuclear weapons treaty between the United States and the former Soviet Union:
President Reagan: We have listened to the wisdom in an old Russian maxim. And I’m sure you’re familiar with it, Mr. General Secretary, though my pronunciation may give you difficulty. The maxim is: Dovorey no provorey — trust, but verify.
Gorbachev: You repeat that at every meeting.
Reagan: I like it.
Our profession misunderstood the joke and implemented trust and forgot to verify, thereby opening the door for numerous insider breaches, with WikiLeaks/Bradley Manning being the most prominent.
Trust is not a concept that should be anthropomorphized down to the packet level. We must quit trusting and start verifying. Until then, the joke is on us. Dovorey no provorey.
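Ananth’s last step, monitoring every access and comparing it with a running behavioral baseline, is the part of “trust but verify” that actually does the verifying. The block below is an added example written for this page; it is not code from Prism Microsystems, Forrester or either debater. It builds each user’s baseline from a window of prior days (daily access volume and the set of resources the user normally touches), then flags a review day on which a user’s volume sits far above the baseline (z-score) or a resource outside the baseline set is touched, the privileged-insider pattern the debate describes. The users, resources and access records are constructed for the example.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Baseline:
    mean: float           # mean accesses per day over the baseline window
    stdev: float          # sample standard deviation of the daily counts
    resources: frozenset  # resources the user touched during the window


def constructed_log():
    """Constructed (user, day, resource) access records; not real data.

    Days 1-5 are normal activity. Day 6 is the day under review, on which
    'bob' (a sysadmin) pulls a large number of HR payroll records he has never
    touched before, while 'alice' (an HR analyst) behaves as usual.
    """
    records = []
    for day, n in enumerate([10, 12, 11, 9, 13], start=1):
        records += [("alice", day, "hr/payroll")] * n   # HR analyst, normal use
    for day, n in enumerate([5, 6, 4, 5, 6], start=1):
        records += [("bob", day, "sys/logs")] * n       # sysadmin, normal use
    records += [("alice", 6, "hr/payroll")] * 11
    records += [("bob", 6, "sys/logs")] * 5
    records += [("bob", 6, "hr/payroll")] * 30          # out-of-role bulk access
    return records


def build_baseline(records, window_days):
    """Per-user daily counts and resource set over the baseline window."""
    daily = defaultdict(lambda: defaultdict(int))
    seen = defaultdict(set)
    for user, day, resource in records:
        if day in window_days:
            daily[user][day] += 1
            seen[user].add(resource)
    baselines = {}
    for user, by_day in daily.items():
        # Days with no activity count as zero, so absence lowers the mean.
        counts = [by_day.get(d, 0) for d in window_days]
        stdev = statistics.stdev(counts) if len(counts) > 1 else 0.0
        baselines[user] = Baseline(statistics.mean(counts), stdev, frozenset(seen[user]))
    return baselines


def detect_anomalies(records, review_day, window_days, z_threshold=3.0, min_stdev=1.0):
    """Compare each user's activity on review_day with that user's baseline.

    min_stdev stops a perfectly regular baseline (stdev 0) from turning every
    one-access deviation into an alert.
    """
    baselines = build_baseline(records, window_days)
    counts = defaultdict(int)
    touched = defaultdict(set)
    for user, day, resource in records:
        if day == review_day:
            counts[user] += 1
            touched[user].add(resource)
    findings = []
    for user in sorted(counts):
        base = baselines.get(user)
        if base is None:  # no history at all: worth a look on its own
            findings.append({"user": user, "kind": "no_baseline", "detail": counts[user]})
            continue
        z = (counts[user] - base.mean) / max(base.stdev, min_stdev)
        if z > z_threshold:
            findings.append({"user": user, "kind": "volume", "detail": round(z, 1)})
        new_resources = touched[user] - base.resources
        if new_resources:
            findings.append({"user": user, "kind": "new_resource",
                             "detail": sorted(new_resources)})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(constructed_log(), review_day=6, window_days=range(1, 6)):
        print(finding)
```

Two findings come out, both for bob: a volume alert with a z-score near 30, and a new-resource alert for hr/payroll. Alice’s 11 accesses sit on her mean and produce nothing, which is the point of a baseline: it lets the same volume be normal for one role and alarming for another without a hand-written rule per user.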
THE STATS
THE SC MAGAZINE POLL
How do you expect your information security staff to change in 2011?
Less staff  19.23%
Stay the same  50%
More staff  30.77%
To take our latest weekly poll, click on www.scmagazineus.com
69% increase in information security jobs compared to last year
47% of hiring managers say they are seeking recruits who are well versed in information risk management
Source: Dice.com (above)/(ISC)2 2010 Career Impact Survey

THREAT OF THE MONTH
IE zero-day
What is it?
An unpatched vulnerability in Microsoft Internet Explorer is currently being actively exploited. The vulnerability was initially reported via public mailing lists as a browser crash (DoS). However, it was quickly determined by various researchers, including internally at Secunia, that the vulnerability allows execution of arbitrary code on a user’s system when viewing a specially crafted web page.
How does it work?
Internet Explorer supports CSS style sheets, which may be included via an @import CSS command. However, a use-after-free error within mshtml.dll when handling recursive CSS style sheet references (i.e., when a CSS style sheet references itself) can be exploited to de-reference already-freed memory in a manner that makes it possible to gain control of the program flow.
How can I prevent it?
Microsoft has yet to patch. However, in the meantime, a temporary Microsoft FixIt solution has been made available. This implements a check in mshtml.dll to prevent recursive loading of CSS style sheets.
Source: Carsten Eiram, chief security specialist, Secunia
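The FixIt described above works by refusing to load a style sheet that is already in the middle of being loaded. The block below is an added example written for this page, not code from Microsoft, Secunia or this magazine, showing the same check applied outside the browser, for instance in a filtering proxy in front of unpatched clients: it parses @import rules, follows them, and refuses the load when the import chain comes back to a sheet already on the chain. The example goes one step beyond the self-reference in the text and also catches loops through several sheets. The URLs and sheet contents are constructed; fetch_sample stands in for a real HTTP fetch.

```python
import re
from urllib.parse import urljoin

# Matches the @import forms CSS allows: @import url("x"), @import url(x),
# @import "x" and @import 'x', each optionally followed by a media list.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?""", re.IGNORECASE)


def parse_imports(sheet_url, css_text):
    """Absolute URLs of every style sheet css_text imports, resolved against sheet_url."""
    return [urljoin(sheet_url, m.group(1)) for m in IMPORT_RE.finditer(css_text)]


def find_import_cycle(start_url, fetch):
    """Follow @import references from start_url using fetch(url) -> css text or None.

    Returns the first recursive chain found as a list of URLs, e.g.
    [a, a] for a sheet that imports itself, [a, b, a] for a two-sheet loop,
    or None when the import graph has no cycle and loading is safe.
    """
    finished = set()  # sheets whose whole subtree is already known to be safe

    def walk(url, chain):
        if url in chain:                 # back on a sheet still being loaded: recursion
            return chain[chain.index(url):] + [url]
        if url in finished:              # shared import (a diamond), not a cycle
            return None
        css = fetch(url)
        if css is None:                  # unreachable sheet: nothing further to load
            return None
        for child in parse_imports(url, css):
            cycle = walk(child, chain + [url])
            if cycle:
                return cycle
        finished.add(url)
        return None

    return walk(start_url, [])


def safe_to_load(start_url, fetch):
    """Policy decision a filtering proxy could apply: refuse sheets with recursive imports."""
    return find_import_cycle(start_url, fetch) is None


# Constructed sample sheets standing in for responses from a web server.
SAMPLE_SHEETS = {
    "http://example.test/site.css": '@import url("theme.css");\nbody { margin: 0 }',
    "http://example.test/theme.css": "@import 'fonts.css' screen;\nh1 { color: #333 }",
    "http://example.test/fonts.css": "p { font-family: serif }",
    "http://example.test/shared.css": '@import url(theme.css);\n@import url("site.css");',
    # A sheet referencing itself: the recursive pattern described in the text.
    "http://example.test/loop.css": '@import url("loop.css");',
    # A two-sheet loop, which the same check catches.
    "http://example.test/ping.css": '@import "pong.css";',
    "http://example.test/pong.css": '@import "ping.css";',
}


def fetch_sample(url):
    """Stand-in for an HTTP fetch: returns the constructed sheet or None."""
    return SAMPLE_SHEETS.get(url)


if __name__ == "__main__":
    for url in SAMPLE_SHEETS:
        cycle = find_import_cycle(url, fetch_sample)
        print(url, "safe" if cycle is None else f"RECURSIVE {cycle}")
```

Blocking at the gateway is a stopgap of the same kind as the FixIt: it protects clients that have not yet received the vendor patch, and the reported chain tells an analyst which sheet to look at. A check like this belongs at the loader, before any parsing of the imported sheet begins, which is where the FixIt places it inside mshtml.dll.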
Update
2 MINUTES ON...
The evolution of the DDoS

The temporary takedown in December of a handful of websites that cut ties with controversial website WikiLeaks, including Visa and MasterCard, made national news. The reality, though, is that similar attacks, motivated by a variety of reasons, occur thousands of times each day, thanks in part to the ease by which website disruptions can be accomplished.

Hackers have been carrying out distributed denial-of-service (DDoS) attacks for more than a decade, and their potency steadily has increased over time, said Jose Nazario, senior security researcher at Arbor Networks.

Due to internet bandwidth growth, the largest such attacks have increased from a modest 400 megabytes per second in 2002 to 100 gigabytes per second recently, according to Arbor Networks. Massive flooding attacks in the 50 Gbps range are powerful enough to exceed the bandwidth capacity of almost any intended target, but even smaller attacks can be surprisingly effective.

“There has been a dramatic increase in the past five years of easy-to-use tools in the DDoS attack space,” Nazario said.

The vast majority of DDoS attacks occur in the world of online gaming, where individuals use tools to boot competitors from the game to gain an advantage, Nazario said. Attacks also have widely been

102% Growth in DDoS attack size year-over-year since 2002.
Source: Arbor Networks Sixth Annual Worldwide Infrastructure Security Report
JOBS MARKET
Me and my job
Michael Singer, executive director of security technology for AT&T Services
How do you describe your job to average people?
The work that I do with my team centers around protecting our network and customers. We help customers solve their security problems in a variety of ways. We have made many security features available within the network. In other cases, we manage dedicated security solutions for customers, whether it is on their premises or in one of our hosting centers.
Why did you get into IT security?
I wanted to work in an area where there would always be new challenges. I have a great deal of confidence that there will be new security challenges every step of the way going forward. There are so many threats to deal with. Cyberattacks are increasing not only in volume, but also in sophistication. In my opinion, what we find when solving security problems is far more interesting than the stuff people make up.
What was one of your biggest challenges?
I had to find a way to take billions of event logs and make sense out of them. First, we developed a method to “de-duplicate”. I was able to lean on the great minds down the hall from me in AT&T Labs Research. We leveraged their experience with data compression and mining techniques. We now have the ability to pick the needles out of the haystack, using the equivalent of a security event metal detector.
What keeps you up at night?
Administration of the endpoints. That is the great burden that we all face not only for our enterprises and our customers, but also in our own homes. What is scanned and cleaned, patched and hardened can become vulnerable and compromised overnight. I think that it will stay that way unless we can move to endpoints that are much simpler.
Of what are you most proud?
I am a co-inventor on two U.S. patents.
Skills in demand
With more workers using mobile devices, companies are becoming increasingly concerned about the security of these smartphones and tablets. So, it is no surprise that we are noticing more positions opening up in mobile security. I would not be surprised to see these needs explode in companies that have intellectual property or compliance concerns.
What it takes
Experience developing security interfaces with apps that work on iPhone, BlackBerry and Android. At least three to five years in internet security with exposure to mobile security.
Compensation
Pay for a security architect with a focus on mobile security ranges from $95k to $135k.
– Michael Potters, CEO, The Glenmont Group, www.glenmontgroup.com
Company news
»Verizon has named Marcus Sachs vice president for national security policy. He will be tasked with leading the telecom giant’s policy development and advocacy, focusing on issues ranging from critical infrastructure asset protection to emergency preparedness. He will work with Congress and administration officials. Sachs previously served as Verizon’s executive director for national security and cyber policy. He takes over for Michael Hickey, who is retiring.
www.verizon.com
used in extortion schemes against gambling and pornography sites.
Meanwhile, a rapidly growing subset of attacks are politically or ideologically motivated, such as those targeting WikiLeaks and the ensuing retaliatory attacks against web properties that stopped doing business with the site.
While large organizations may have the funds to pay for costly DDoS mitigation services or enlist the assistance of a hosting provider, smaller businesses, such as human rights and independent media outlets, often lack the tools and resources to deflect attacks, according to The Berkman Center for Internet & Society at Harvard University.
The burden of responsibility also falls on individual users, whose unpatched machines are sometimes infected to amass botnets used to flood websites with unwanted traffic.
“I do not see a real solution to this problem right now,” Jonas Frey, owner of Probe Networks, a German security firm, recently wrote on the North American Network Operators Group mailing list. “There’s not much you can do about the unwillingness of users to keep their software/OS [up to date] and deploy anti-virus/anti-malware software.” – Angela Moscaritolo
»The Open Group, a vendor- and technology-neutral consortium, has formed the Trusted Technology Forum to provide a collaborative and open environment for global supply chain players to create and promote guidelines for manufacturing, sourcing and integrating trusted and secure technologies. The objective is to shape procurement strategies and best practices.
www.opengroup.org/ogttf
»Aveksa, provider of enterprise access governance and management solutions, has named Vick Vaishnavi president and CEO. He will lead all business operations and work with senior management to grow the company’s worldwide strategy. Previously, he served as VP at BMC Software.
www.aveksa.com
»Gazzang, a cloud infrastructure software firm, has secured $3.5 million in Series A venture capital funding to create management solutions to secure open-source software, such as Linux and Apache, and promote adoption of public, private and hybrid cloud environments.
www.gazzang.com
»Lee Parrish has joined Parsons, an engineering and construction firm, as VP and CISO. He will be charged with leading the Pasadena, Calif.-based company’s information security program. Parrish recently served as director of information assurance for a defense contractor.
www.parsons.com
»Johannes Ullrich has been named director of the SANS Internet Storm Center, an all-volunteer service that detects and analyzes global security threats. Ullrich, the chief research officer of the SANS Institute and former CTO of the Storm Center, will take over for Marcus Sachs, who has served as director since 2003.
isc.sans.edu
»Blue Coat Systems, provider of web security and WAN optimization, has appointed Steve Daheb as chief marketing officer and senior VP. He will oversee global marketing initiatives, corporate branding, communications and marketing. Most recently, Daheb served as CMO of Emulex, a storage networking business.
www.bluecoat.com
»ThreatMetrix, provider of fraud prevention solutions, has appointed Phil Steffora as CSO and VP of global networks. He previously served as CIO and VP at Collarity, provider of on-site behavioral segment targeting for web publishers.
www.threatmetrix.com
From the CSO’s desk
Think like a chess player
Ward Spangenberg, director, security operations, Zynga
The media reported on several DDoS attacks against credit card providers, search companies, government agencies and independent organizations in 2010. We also heard about a number of organizations that lost sensitive information that ultimately helped to support a thriving stolen data market. We cannot eliminate the attacks and stop all malware, but somewhere along the line, we should have stopped and reminded ourselves to “be prepared!”
We build firewalls, deploy IDS, review and check for compliance, but are we really prepared? Have we built a significant knowledge set to protect us against a major outage? A flooded data center? Lost power? Zombie attack? How do you prepare for something you don’t even know is coming? Let us look at how I define being prepared.
To begin with, we must know the most significant vectors for attack and know that all the security technology won’t stop all the attacks. Next we must ensure that the support team has reviewed and practiced handling attacks with defined processes across the known vectors. Additionally, we must ensure that users are educated to look for and report things that don’t look right.
Understanding significant vectors for attack could be a column in itself, but there are some areas that are continually highlighted every year. Code needs to be reviewed – whether it is examined for SQL injections, cross-site scripting or proper authorization and access from accounts and services. Patching vulnerabilities remains high on everyone’s list – vendors are constantly looking for models to help get information to us more quickly.
A good chess player will tell you that they can see several moves into the game based on their opponent’s moves. Adopt this philosophy with regard to your own security strategy. Imagine how you would attack the infrastructure. What would you break? Occasionally, you are going to discover that all the solutions you have deployed are worthless. It is important to remember this: An attacker may have access to limitless people, machines and bandwidth, while you only have what has been engineered into supporting day-to-day operations with some growth potential.
This is where good plans come into play. Know how to shut off and protect resources – disabling sections of the network, shutting down access to critical resources, and slowing and mitigating as much damage as possible will guarantee that after the attack subsides, the business can return to normal operation.
Your last line of defense will be your people – exercises, training and the occasional cold beer with your team to see what you are missing will fill in those last few holes. Be that leader.
Photo by Bob Adler
30 seconds on...
»Know thy vectors: Build secure code, Spangenberg says, to prevent attackers from taking advantage of vulnerable holes in your perimeter. If you can’t build it in, then don’t forget to patch.
»No silver bullet: More important than leveraging a particular solution is quantifying risk, he says. That means thinking ahead to understand your enemy’s expected next move.
»Damage control: There is no way for an organization to stop all breaches, Spangenberg says, so a security pro’s job also is to know how to respond if something does happen – to minimize the fallout.
»Leader of the pack: Gain the trust of your team by teaching and training them. And spend time with them – maybe out of the office – to learn where the gaps are in the business’ security posture.
Opinion
Letters
Got something to say?
Privacy laws must change
Todd Thibodeaux and David Valdez, CompTIA
Consumers have adopted personalized applications of all varieties, yet the way things stand, they must be prepared to sacrifice something at least as valuable: their privacy.
Congress is just beginning the complex process of developing legislation to protect consumer privacy, while nurturing innovation in products and services. An important way to achieve the delicate balance between encouraging technology and preserving privacy is for Congress to expand the capabilities of the Federal Trade Commission (FTC) to ensure that it can keep up with the rapidly evolving marketplace.
In the mid- to late-1990s, the FTC began reviewing how websites collected and managed consumers’ personally identifiable information. This led to the creation of a set of self-regulatory rules, known as the Fair Information Practice Principles, which created four basic obligations, such as that consumers must be notified as to whether their online information is being collected.
Now, the FTC should be provided with the discretion and flexibility to adapt, update and strengthen the Fair Information Practice Principles, as well as its own role in safeguarding consumer privacy in response to changing technologies and consumer needs.
The FTC, in partnership with the private sector, should create privacy notices that are easy to read and understand, in conjunction with an education campaign to inform consumers about their rights. Congress, meanwhile, should provide the FTC with the resources to create an online consumer protection bureau that focuses exclusively on online crimes.
As policymakers continue to deliberate the best path for balancing the various stakeholder interests around the issue of online privacy, they must remember that any proposed legislation should not be absolute. The current set of privacy principles adopted by the FTC has worked well for over a decade and should serve as a framework for any new legislation.
Todd Thibodeaux is CEO and president, and David Valdez is senior director of public advocacy at CompTIA.
The great malware cover-up
Marc Maiffret, chief security architect, FireEye
“There is a growing gap between security defenses and modern malware attacks.”
Malicious software, or malware, has become a very sophisticated weapon in illegal cyber businesses. The steady flow of news about data breaches and lost identities shows there is a clear and growing gap between conventional security defenses and the reality of modern malware attacks.
So what does the $4 billion network security industry do when a new attack, such as Operation Aurora, is exposed? It plays “the great malware cover-up.”
After the attack has been uncovered by victims and/or the media, vendors gather samples of the malware and spend resources analyzing the threat. After a few days/weeks, these vendors release out to customers new (often untested) signatures. Following that, they put senior executives into the field to offer commentary and discuss the dangers of malware.
But, this achieves little other than distracting the user base from the fact that anti-virus and intrusion prevention products did not secure their customers during the outbreak – when it counted. They are sure to point out, however, that they offer customer protections now that the outbreak is over. Meanwhile, criminals have moved on to exploit the next undisclosed vulnerability.
An examination of the communication plan will show critical details left out, such as any claim that customers were protected before the new malware was exposed. Also missing is any meaningful discussion of evolving past signatures, which would provide true protection against modern malware. As well, post-exposure signatures are too late to stop the attack.
Today’s security products are designed to fight a conventional cyberwar, when, in reality, the criminals have moved on to modern malware attacks. The great malware cover-up will continue until more of us call these outdated technologies out and then move on to re-investing the time, money and effort to truly modernize IT security.
Send your comments, praise or criticisms to scfeedbackUS@
haymarketmedia.com. We reserve the right to edit letters.
SC World Congress
On behalf of Online Trust Alliance, I want to thank you for a very well-run event and for allowing OTA to participate. The level of discussions both in the sessions and on the floor was outstanding. One of the points which resonated very well is the need for greater public, private and non-governmental organization collaboration and sharing of best practices. The SCWC delivered on this promise and I am happy to have participated.
Craig Spiezle, executive director, Online Trust Alliance
We wanted to reach out and say thanks. We are thrilled with our results in the Security Innovators Throwdown and believe that the trip turned out to be quite valuable for us. Thanks again for all your support.
Rama Moorthy, CEO, Hatha Systems
editor’s note: Hatha Systems (software analysis) and Silver Tail Systems (fraud prevention) were each runners-up in the 2010 Security Innovators Throwdown, a competition produced by SC Magazine and held during SC World Congress. The event is designed to judge and recognize those fledgling vendors with the most robust business plans and tools to attract buyer interest and financial investment.
Social media issue
I just wanted to pass along a big “thank you” for excellent material on this topic [“Shining the spotlight on social media,” special issue, Nov. 2010, available as download on scmagazineus.com]. This is very valuable content to share with management regarding aspects of social media that many companies are dealing with from a policy and use perspective. The research and statistics are especially helpful when presenting to management to obtain support and understanding of the associated risks.
Linda Williamson, Michelin North America
WikiLeaks aftermath
In response to a Dec. 16 blog post by Dan Kaplan on the website, Save the U.S. anti-hacking law for the real hackers, not Assange:
I agree with you, Dan. And to those in the U.S. who say Assange should be assassinated because he is a “terrorist,” I advocate a refresher course on the principles of American freedom and the need, in a democracy, for a government that obeys our Constitution including our Bill of Rights.
Erik
The opinions expressed in these letters are not necessarily those of SC Magazine.
Some in the security industry are working to stem the malicious insider
threat, says Dawn Cappelli of Carnegie Mellon. Dan Kaplan reports.
Photo by Karen Meyers
Bruce Wignall, CISO of Teleperformance, operator of 300 call centers spanning some 50 countries, nicknames his largest torment “Fraud 2.0.”
Thanks to robust perimeter technologies and stringent legislation and industry guidelines that have forced organizations to become better equipped to handle the external attacker, cybercriminals have begun shifting their modus operandi to leveraging insiders to perpetrate data heists. Combine this new hacker strategy, Wignall says, with a sputtering economy that has some people desperate for a buck – and for a 120,000-employee company such as Teleperformance that serves hundreds of clients, many in the banking and health care verticals, a particularly dangerous prospect emerges.
“Frankly, it is frightening,” Wignall says. “It has forced me to say, ‘We’ve got some pretty good technologies and laws that we comply with, but it is certainly not enough. Let’s start predicting how bad things can happen and what we can proactively do to either prevent it or detect it early.’”
The last two years, really, have been a perfect storm for the insider threat risk. With the economy still in tatters, the rise of sophisticated cyberespionage rings and the arrival of WikiLeaks as, love it or hate it, a viable outlet for sensitive information exposure, never before have organizations had so much reason to care about the motives of their employees, contractors and partners.
Most studies, in fact, now point to security professionals being more concerned about internal threats than external attackers. According to the 2010 Verizon Data Breach Investigations Report, which studied some 900 cases of data leakage incidents, 48 percent were attributed to users who, for malicious purposes, abused their right to access corporate information. Studies also conclude that these types of breaches typically are more costly than an outside attack.
“Definitely people are very concerned about insiders,” says Dawn Cappelli, technical manager of the Computer Emergency Response Team (CERT) Insider Threat Center, a federally funded research-and-development entity at Carnegie Mellon University’s Software Engineering Institute in Pittsburgh. “The technology has become really good at keeping outsiders out, but your insiders walk right in every day,” she says.
For more than a decade, she and her team have been studying the problem, beginning when the U.S. Secret Service approached CERT to be a partner on securing a number of major public events, such as political conventions, the presidential inauguration and the 2002 Olympics in Salt Lake City.
“Traditionally, they had looked at gates, guards and guns, and then they realized they had to start looking at cyber issues,” says Cappelli. “We realized that insiders are a big threat. If you wanted to bring down an event, you could use a disgruntled insider or financially motivated insider to do that.”
Cappelli says she and her team embarked on a project never done before in the cyber era: studying the insider threat from both a technical and behavioral standpoint.
“We worked with the Secret Service to find every insider threat case we could find,” she says. “We tracked everything we could think of about those cases.”
The group divided the caseload – believed to comprise only a small fraction of the actual numbers because many intentional insider incidents go unreported or undiscovered – into four categories: IT sabotage, theft of intellectual property, fraud and national security espionage.
“We’ve talked to some vendors out there,” Cappelli says, “and from what we’ve seen, nobody has really done a functional requirement analysis for insider threat detection. Different vendors have their niche…but we’re looking across 550 cases in our databases. So based on what has happened in the past, if we could stop the crimes that already have happened, that would go a long way to stopping and detecting the insider threat.”
A deeper analysis
By 2008, the Insider Threat Center was ready to offer countermeasures. CERT developed its first model for IT sabotage, defined as an incident when an employee intentionally attacks IT systems. The culprits are almost always disgruntled employees with a deep technical skill set, usually system administrators.
Photo by Joel Saget/AFP/Getty Images: French trader Jerome Kerviel (right), who faces up to four years in prison for covert stock trades that Société Générale bank says cost it almost five billion euros, arrives for his verdict hearing.
Sometimes they plant “logic bombs,” which are pieces of malicious code set to execute on a specific date. Other times, they set up unknown access points, which allow them entry to the network even after their privileges have been revoked. On still other occasions, they devise backdoor accounts or password crackers.
CERT’s model determined that most of these cases carry a “distinct pattern”: Usually the employees either have announced their resignation or have been formally reprimanded, demoted or fired, Cappelli says. In other words, the human resources department is aware of these high-risk personnel.
“We try to tell organizations,” Cappelli says. “You need to recognize that when someone is on the HR radar, you need to have controls in place to look at what they’ve been doing. You can’t look at everything everyone does, but when you have someone on the HR radar, you need to go in and say, ‘What has this person been doing?’”
The center also has devised a model investigating those employees who steal intellectual property. In these cases, Cappelli says, the offenders typically are scientists, engineers, programmers or salespeople whose motive is not sabotage, but belief that they are the owners of the data on which they have worked.
Traditionally, they strike within 30 days of resignation – either a month before or after leaving the organization, Cappelli says. The malefactors can fall into two groups: either those who are moving to a new job and want to take their work with them or, more maliciously, those who are part of a well-coordinated spy ring bent on ripping off the crown jewels, such as entire product lines, usually for the benefit of a foreign government or organization.
The CERT Insider Threat Center Lab, which opened last year, is working on offering technology that can assist organizations in their efforts against IT vandalism and intellectual property pillaging. The lab leverages CERT’s caseload to simulate actual events.
At this month’s RSA Conference in San Francisco, lab representatives plan to demonstrate “how configuration management controls could have detected and thwarted an insider’s attempt to plant a logic bomb in critical systems and modify logs in order to conceal his activity,” Cappelli says. The lab also has previously created scripts that can be integrated with email logs within an account management system to detect incidents of intellectual property theft.
ZERO-TRUST: A network overhaul
When it comes to battling the insider threat, part of the reason organizations have been so unsuccessful is that they are treating the symptoms, not the disease, says John Kindervag, senior analyst at Forrester.
For example, he says, businesses are often quick to take drastic measures, such as eliminating removable media usage, but fail to recognize that an aging network model is the underlying cause of the problem. But many information and security professionals don’t care to investigate, choosing to take a “plausible deniability” mindset by ignoring what goes on in their network.
“In all my years of being an engineer and consultant, I’ve never been in a network where people adequately looked at their internal traffic,” Kindervag says. “Everyone wants to solve this on the edge, and you have to solve it on the center.”
To stem the risk of malicious insiders, organizations must drop their dependence on perimeter controls, such as network access control, and invoke a network refresh – known as zero-trust – that encapsulates accessing all resources securely, inspecting all traffic and gaining situational awareness for analysis and visibility, Kindervag says.
“We can do it with existing technology,” he says. “[It’s about] taking building blocks off our network and putting them in more logical places so your network is more structurally sound and secure so we can solve some of these problems before they actually become problems. It’s all vendor neutral and essentially technology agnostic.”
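As an added example (not CERT’s scripts, which the page does not show), the check below combines the two observations above, that HR already knows who is on the radar and that intellectual property theft clusters within 30 days of resignation, and runs them over a constructed outbound-mail log: it flags large attachments sent to addresses outside the company by anyone inside that window. The roster, the log lines, the corporate domain and the 10 MB threshold are all assumptions made for the example; in practice the roster would come from the HR system and the log from the mail gateway.

```python
from datetime import date, datetime, timedelta
from typing import Dict, List

# Constructed HR roster (not from the page): user -> resignation date.
# Only people listed here are "on the HR radar".
RESIGNATIONS: Dict[str, date] = {"jdoe": date(2011, 1, 20)}

# Constructed outbound-mail log (not from the page). One event per line:
# timestamp|sender|recipient|attachment_bytes
MAIL_LOG = """\
2011-01-05T09:12:00|jdoe|partner@supplier.example|120000
2011-01-19T18:45:00|jdoe|jdoe.home@webmail.example|48000000
2011-01-21T23:05:00|jdoe|jdoe.home@webmail.example|61000000
2011-01-22T10:00:00|asmith|asmith@webmail.example|52000000
2011-03-15T08:30:00|jdoe|old.colleague@webmail.example|70000000
"""

CORPORATE_DOMAIN = "corp.example"        # assumed; mail staying here is not a transfer out
RESIGNATION_WINDOW = timedelta(days=30)  # the window CERT's cases cluster in
LARGE_ATTACHMENT = 10_000_000            # 10 MB, a constructed threshold


def parse_mail_log(text: str) -> List[dict]:
    """Parse the pipe-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, size = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                       "recipient": recipient, "bytes": int(size)})
    return events


def on_hr_radar(sender: str, when: datetime, resignations=RESIGNATIONS) -> bool:
    """True if the sender has a resignation date within 30 days either side of `when`."""
    resigned = resignations.get(sender)
    return resigned is not None and abs(when.date() - resigned) <= RESIGNATION_WINDOW


def flag_exfil_candidates(events: List[dict], resignations=RESIGNATIONS) -> List[dict]:
    """Large attachments to external addresses, sent by someone on the HR radar.

    Each condition alone is noisy (external mail is normal, large attachments
    are normal, resignations are normal); the intersection is the short list
    a manager can actually review.
    """
    hits = []
    for e in events:
        external = not e["recipient"].lower().endswith("@" + CORPORATE_DOMAIN)
        if (external and e["bytes"] >= LARGE_ATTACHMENT
                and on_hr_radar(e["sender"], e["ts"], resignations)):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in flag_exfil_candidates(parse_mail_log(MAIL_LOG)):
        print(f"{hit['ts']:%Y-%m-%d %H:%M} {hit['sender']} -> {hit['recipient']} "
              f"({hit['bytes'] // 1_000_000} MB)")
```

On the constructed log only the two jdoe messages of Jan. 19 and Jan. 21 are reported: the Jan. 5 message is too small, asmith is not on the roster, and the March message falls outside the 30-day window.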
“The last thing we want to do is tell an organization they have to go out and spend millions of dollars on a new tool,” Cappelli says. “You already have these technologies in place. Here’s how you can use them differently.”
Another academic organization, the Institute for Information Infrastructure Protection (I3P), part of Dartmouth College in New Hampshire, recognizes that the insider threat is a complex problem that no silver-bullet policy or technology can solve, and that empirical studies are the only ways to unearth answers.
“We don’t think there is a one-size-fits-all approach to the insider threat without understanding the nature of the threat,” says Shari Lawrence Pfleeger, I3P’s director of research. “Without understanding the nature of the threat, we don’t know what an appropriate response is.”
Specifically, the 27-member consortium, consisting of universities, national laboratories and nonprofits, has developed a taxonomy used to classify the nature of insiders and the undesired actions they may commit. This has allowed I3P to come up with hundreds of insider threat scenarios.
Among their current efforts, consortium members are studying the effectiveness of awareness and training and researching how to design non-security systems so that security fits “naturally into the functionality of what users need in the first place,” Lawrence Pfleeger says.
In addition, I3P partners at Columbia and Cornell universities are devising a language that specifies certain actions security teams want to know about if they happen on their networks. To complement this, the researchers are creating software that can record when these actions take place.
“A lot of existing [commercial leakage technologies] generate so much data, so the problem becomes: How do you find the needle in the haystack,” Lawrence Pfleeger says. “They are trying to specify what the needle looks like.”
Perhaps most interestingly, the organization is now turning to social scientists for help.
“Employees have misbehaved for a lot longer at work than computers have existed,” Lawrence Pfleeger says. “We’re just trying to shed more light on the nature of the insider threat and find solid ways to evaluate the technologies and the approaches so we have some science underpinning the decision-making about how to deal with the insider.”
Profiling the insider
At Teleperformance, one of Wignall’s most proud accomplishments has not been the implementation of a particular solution. Instead, it has been his introduction of a fraud risk assessment conducted for each prospective call center.
“I don’t think you’re going to catch people with technology,” he says. “You need to go out and be part of your business and understand what’s going on.”
The assessments have turned up some major vulnerabilities, including internal banking applications that can be accessed publicly or ones that allow call center employees to drop money – pennies at a time – on their own debit cards.
The investigations also have enabled Wignall and his team to implement what he believes is the most effective antidote to the insider threat – policy and procedure changes that force employees to fear punishment should they act maliciously.
For example, at call centers in which employees deal with warranty exchanges, Wignall says there have been instances where workers have delivered new products to their own homes if the application they are using failed to “tie warranty replacements back to the original purchasers.”
“If there is a flaw in our client’s applications and controls, you can count on not-so-honest employees to eventually find it,” he says. As a result, Teleperformance managers now sit down with employees each week to review each warranty exchange they have processed.
“I want them to immediately think that on Friday, they are going to be questioned about that particular transaction,” he says. “I’m proud to have people quit that are fraudulently minded.”
A new type of insider
But it is not just the employee desiring riches about whom businesses must
be concerned. Whistleblower website
WikiLeaks has forced organizations to
look beyond the traditional profile of a
malicious insider.
In a way, Bradley Manning, the
U.S. Army private who leaked roughly
250,000 secret U.S. State Department
diplomatic cables to WikiLeaks, revealed
a new type of high-risk insider: the one
with morals that can’t be repressed.
“Nobody assumed that anybody in
the military would have a conscience, a
different kind of motivation,” says John
Kindervag, a senior analyst at Forrester
Research. “Everybody assumed [Manning]
would do the right thing because
he was a trusted user. People might have
a different morality than you. They might
see trust and righteousness differently
than you.”
Indeed, in a partial release of chat logs
between Manning and Adrian Lamo, the
hacker whom the Army soldier confided
in, but who later turned him in, Manning
explains his reasons for lifting the data to
which he had access.
“[I] want people to see the truth…
regardless of who they are…because
without information, you cannot make
informed decisions as a public,” wrote
Manning, according to Wired.
Ted Julian, principal analyst at the
Yankee Group, says the WikiLeaks
episode has created a new channel for
data leakage, one that nearly all security
professionals had never considered.
“It can really turbocharge data loss,”
he says. “You now have WikiLeaks and
others like them that can get this out to
a mass market incredibly quickly. There
is no putting the genie back in the
bottle now.”
Julian, meanwhile, says he expects
to see “dramatic spending” this year
on technologies, such as data leakage
prevention [DLP], that are designed to
sniff out and prevent information exposure. DLP, in particular, has matured
to the point where most solutions now
offer discovery and categorization
functionality.
Back at the CERT Insider Threat
Center, lab personnel are trying to
create solutions that make life easier
on businesses. In addition, researchers
have published a best-practices guide
and recently began maintaining a blog
devoted entirely to the threat.
“Our mission is to raise awareness
of the risks of insider threat and to
help identify the factors influencing an
insider’s decision to act, the indicators
and precursors of malicious acts, and
the countermeasures that will improve
the survivability and resiliency of the
organization,” Cappelli wrote in an
introductory post. ■
INSIDER STRIKE
Global dilemma:
Four recent instances of when trusted
users, for various motives, abused their
privileges to cause big headaches for
their employers.
LOS ANGELES: A former UCLA Health System employee,
apparently disgruntled over an impending firing, was
sentenced to four months in federal prison after pleading
guilty to illegally snooping into patient records, mainly
those belonging to celebrities.
BALTIMORE: A former Fannie Mae programmer was sentenced
to 41 months in prison after he sought to destroy more than
4,000 company servers by planting a malicious script that was
scheduled to activate roughly three months after he was fired.
FRANCE: A mid-level trader at Societe Generale managed to
lose more than $7 billion on bad stock bets but used his knowledge of the bank’s computer security system to temporarily
conceal the losses through fake transactions. He was sentenced
to three years in prison.
IRAQ: U.S. Army private Bradley Manning accessed secret
U.S. diplomatic cables and downloaded them onto rewritable
CDs. A portion of the documents has been released by
whistleblower website WikiLeaks and several media partners. Manning is awaiting trial and faces 52 years in prison.
Underground
NARROWING THE GAP
The $1 trillion cybercrime industry is expertly - and competitively - run,
but the good guys aren’t sitting on their hands. Deb Radcliff reports.
While monitoring botnet traffic
and controllers back in mid-2009, volunteers working for
The Shadowserver Foundation noticed
a new tactic being taken among the
Waledac family of bot trojans that
would usher in a new era of criminal
sophistication. Waledac was exploiting
DNS (domain name system) providers
to self-register sites with names that
seemed associated with legitimate service provider Blizzard Image Hosting.
Then it used Blizzard’s real addresses
and URLs to blast the spam that also
included links to the malicious, preregistered domains.
“At this point we immediately suspected that Blizzard either bought sleazy
advertising from the spammers behind
Waledac, or else they were being Joe
Jobbed,” says Steven Adair, Shadowserver volunteer and co-author of Malware
Analysis Cookbook. “Joe-Jobbed means
Blizzard upset someone who started
blasting out their website and services in
order to cause a lot of grief.”
SOS postings from Blizzard on its site
and in multiple online forums seemed
to confirm the latter theory. Blizzard
claimed it was under a distributed denial-of-service (DDoS) attack and was not
the one actually doing the spamming.
Shortly after, Blizzard went offline.
This leveraging of legitimate businesses
to lure people into clicking malicious
links shows a new level of criminal planning and sophistication that would dominate 2010, says André DiMino, one of the
founding members of Shadowserver.org,
whose volunteers have been analyzing
botnet behaviors since 2004.
Fortunately, he adds, the good
guys are getting more automated
and organized as well – with better
information-sharing and legal channels at their disposal. For example, in
the Waledac case, Microsoft in February 2010 received a federal injunction
ordering registrars to shut down 277
.com domains used to control more than
75,000 Waledac-infected computers,
effectively putting the botnet operation
out of business.
The other good news is that, unlike
the good guys, there is no honor among
thieves: Crimeware developers are pirating and modifying each other’s malware
for their own nefarious uses. Criminal
operators providing cloud services for
hosting servers to hold stolen data are
stealing the data their clients are collecting. And herders continue to take over
each other’s botnet power, say experts.
Cutthroat bad guys
In 2010, the cybercrime industry hauled
in about $1 trillion, says Joseph Menn,
in his book Fatal System Error. So it is no
surprise that advancements in cybercriminal organization and sophistication
have everything to do with getting a
larger slice of that pie, says Noa Bar-Yosef, senior security strategist for
application security firm Imperva.
“The point is to increase revenues
while lowering costs,” she says. “As a
result, there is a pyramid scheme that is
emerging in these criminal roles where
only the master hacker really makes any
money.”
Last July, Imperva researchers
observed how a master hacker created
and tested a new, undetectable phishing kit and advertised it on forums,
claiming “No need for storage,” because
the master hacker would store all data
collected in the cloud. Two clicks and
the “proxy hackers” (front-end hackers)
could get the phish site, start obtaining
credentials and send them to their cloud
storage provider. However, the master
hacker put a back door on the phishing
kit, giving access to every credential the
proxy hackers collected.
“Thousands of proxy hackers taking
the risk, doing the dirty work, getting
credentials and giving the data they
collected back to the master hacker
— that’s certainly efficient from a cost
perspective,” says Bar-Yosef. “This
pyramid scheme is an example highlighting the technical extremes hackers
are deploying.”
This cutthroat mentality is creating more discord than normal among
criminals, say experts. Accusations are
hurtling back and forth among underground forums, adds Alex Cox, senior
security researcher at NetWitness.
“Messages including ‘This guy’s a
ripper,’ or ‘Don’t use this one, it is a
ripoff,’ or ‘This one’s backdoored,’ are
common postings where malware kits
are being shared,” Cox says. “A lot of
times, criminals can get this exploit
for free and install it, but the coder
has backdoored it. So criminals create
botnets and, in effect, give access to
those bots to the guy they bought this
software from.”
Another dog-eat-dog tactic happening among malware producers is that
developers are also stealing each other’s
zero-days to customize and use for
their own purposes, says Derek Manky,
project manager for cybersecurity and
threat research at Fortinet.
For example, he points to a Slovenian-built botnet kit called Butterfly, a
zero-day that was later re-engineered to
create the Mariposa botnet long after
the original developer was sent to jail.
The toolkits eventually lose value and
are given away free for re-engineering, he continues, to
anyone smart enough to run a compiler
and push a few buttons to get started.
In addition to developers, there are
also providers that often sell their botnet
services as “affiliate programs,” Manky
said. The affiliate will pay $40 per 1,000
compromised machines, for example.
Top earners in these programs make
upward of $140,000 a month on volume,
he adds.
Turning stolen data into money is
the final process in these cybercriminal
syndicates.
This, too, has become so efficient that
criminals can go from stolen credentials
to ATM card withdrawals in a matter
of hours, rather than days and weeks,
as in the past. According to a report by
internet security firm Trusteer, 60 percent
of stolen credentials are harvested within
60 minutes of when phishing emails are
received by victims. Within five hours of
email receipt, more than 80 percent of
stolen credentials are usable by criminals.
One such example is the RBS WorldPay heist, in which several Russian
defendants are accused of siphoning at
least $9.5 million in less than 12 hours
from the time of the data breach. In that
time, they were able to create 44 counterfeit cards and hire cashers to use the
cards in 2,100 ATMs around the world.
The criminal chain
Master hacker creates freeware with backdoor.
Freeware available to inexperienced/front line criminals.
Inexperienced/front line criminals deploy the bots and controllers, start collecting data.
Unbeknownst to front line hacker, Master hacker collects data through backdoor and monetizes off data, usually through mules he hires.
When front line hacker then tries to monetize off that data, police are already watching because of initial fraud by Master hacker.
Front line hacker feels the heat / Master hacker slips away.
Some hacker forums (right) offer phishing kits for sale, while others, such as the Ethical Hacker Network
from NetWitness (above), provide threat analysis and frank discussion.
“You still have the coders, the operators, those who draw the data and those
who monetize the data,” says Fred
Touchette, senior security analyst for
AppRiver. “Now, the RBS case shows
how quickly all these people can be
orchestrated to create the plastic cards,
recruit the money mules to hit the
ATMs, take their cut and give the rest to
their managers standing on the corner.”
The good guys
The level of automation, optimization
and distributed architectures of these
criminal operations makes shutting
them down more difficult. For example,
DiMino points to redundancies, proxies,
domain name generation algorithms and
other technologies that make cybercriminal networks extremely resilient and
therefore persistent.
Cybercriminals are also making it
more difficult to observe and learn from
them, says Dmitry Samosseiko, senior
manager of Sophos Labs Canada.
“Cybercriminals used to operate
in more open forums that researchers and law enforcement could browse
and observe to find out what the crime
networks and their affiliates are up to,”
he says. “Now that activity is happening in closed chat rooms and it is harder
to get into forums and infiltrate their
networks.”
It is also harder to protect against
cybercriminal activity with traditional
signature and behavior-based monitoring technologies, say experts.
For example, zero-day attacks, which
typically are undetectable to signature-based monitoring, are on the rise,
according to an endpoint risk survey
by the Ponemon Institute, released
in December, of 564 U.S. IT security
practitioners. In the survey, 34 percent of
respondents reported frequent zero-days
in their networks and 35 percent said
zero-days were their biggest headache.
“Zero-days, plus lack of patching on
increasingly mobile endpoints [where
many attacks enter from] is where much
of the operational challenge comes in,”
explains C. Edward Brice, senior vice
president at Lumension (which sponsored the survey).
CYBERCRIMINAL:
Structure
In an article about the industrialization of
hacking, Noa Bar-Yosef, senior security
strategist at Imperva, discusses the three
pillars of cybercriminal industrialization:
The supply chain: consisting
of malware researchers, botnet
farmers, dealers, monetizers and the
cybercrime lord;
Automation: using Google to find
vulnerable systems, malware packages,
cloud services providers, and more; and
Optimization: more computing power
under control, dashboards, the co-joining
of malware tools.
– Deb Radcliff
Fortunately, the good guys have been
forming partnerships to combat cybercrime, DiMino says. Grassroots monitoring groups, such as Shadowserver
and the Anti-Phishing Working Group,
along with law enforcement and legal
communities, the security community,
and public-private partnerships
across all verticals, are established and
expanding their outreach.
“Like never before, we’re seeing
experts in the community for malware
analysis mixing with those who understand routing and architectures, those
who understand criminal enterprises,
those who work in law enforcement, and
those who work with external network
service providers,” says DiMino.
By sharing information and providing
remediation and protection recommendations, the good guys are becoming
more nimble at response communications, remediation and notification to
law enforcement, say experts. And as a
result of improved response and enforcement, says Bar-Yosef, criminals are
indeed “feeling the heat.” ■
Border policy
ACROSS THE LINE
Canada and the United States will shortly announce a new agreement on border security involving biometrics. Danny Bradbury reports.
Photo by Alex Wong/Getty Images
Border relations between Canada
and the United States have been
a source of contention for years.
Now, the two countries look set to
announce a new policy on border integration, provisionally termed “A New
Border Vision”. Exact details have yet
to be revealed, but policy-watchers are
hoping for a significant normalization of
border security between the two countries. What would that look like – and
how far have we come already?
The September 11 attacks kicked off
a pivotal period in U.S. security policy.
Canada and the United States came
together three months later to create the
Smart Border Declaration (SBD), which
was an agreement to normalise border
security. The 30-point plan included a
joint approach to biometric identifiers,
along with a single inspection system.
Some of these plans have already
played out. In 2008, British Columbia
established an enhanced driving license
that included biometric information,
and which enabled BC residents to travel
across the border by road. This became
an exception to a U.S. mandate which
required a passport rather than a driving
license to enter the country.
Early this month, U.S. Sen. Joseph Lieberman (I-Conn.) and Sen. Susan Collins (R-Maine) discuss a report
that says less than one percent of the 4,000-mile U.S.-Canada border is monitored by U.S. border officials.
However, concerns have been raised
about cards such as these. Researchers
at the University of Washington hacked
enhanced driver’s licenses used in that
state with off-the-shelf RFID readers.
And Canada’s Federal Privacy Commissioner has argued against the use
of a national ID card. Some regard the
BC driving license as a stepping stone
toward such a possibility.
“The privacy commissioner asks in
the introduction of any new technology, is this proportional to the threat?”
argues Stuart Trew, trade campaigner
at the Council of Canadians. “Even for
something as innocuous as an enhanced
driver’s license, I’d say no.”
The inspection systems outlined in
the SBD are also in place. Nexus is
a fast-track clearance system for frequent travelers between Canada and
the United States, administered by the
border agencies in each country.
The SBD also mandated sharing of
Advance Passenger Information and Passenger Name Records, so that high-risk
passengers travelling between the two
countries would be known by the other
party pre-flight.
Other measures in the SBD included a
plan to develop approaches for customs
and immigration clearance away from
the border, to speed up transit at what
remains the longest unprotected border
in the world. And, notably, they vowed
to speed up commercial transit using an
initiative called Free and Secure Trade
(FAST) that remains in place today.
Under that scheme, shippers who pass a
risk assessment process can be expedited
across the border by using dedicated
lanes at crossings.
With that level of harmonisation, what
still remains to be done? A lot, according to Jane Moffat, executive director of
the Canadian American Business Council (CABC). Pre-clearance and expedited
commercial trade are still largely pipe
dreams at present.
“Right now, trucks are lined up at the
border,” she says. “Getting pre-clearance
before goods leave the facilities where
they’re manufactured would be great.
Such activities are still relatively limited.”
So, what’s the problem? “It is one border and the infrastructure is old, and the
same border crossings are used for both
trade and for people,” she explains.
Moffat also laments the patchy
implementation of shared biometric
data. “The East Coast still hasn’t got its
act together,” she says, referring to the
enhanced driving license.
Some of these problems could be
addressed by the new deal. Documents
describing the New Border Vision call
for an integrated cargo security strategy
with pre-clearance measures, and a
joint screening mechanism for people
including biometric technology. Cross-border sharing of information on serious
offenders would also be put in place, and
the two countries would share the task
of modernizing border facilities.
Such measures would please Birgit Matthiesen, special adviser to the
president, U.S. government relations at
Canadian Manufacturers & Exporters.
In spite of schemes such as FAST, a program that helps speed along commercial
shipments at the northern and southern
borders of the continental United States,
the U.S. Trade Act of 2001 stymied cross-border trade by imposing heavy audit
requirements on components and goods
crossing U.S. borders, she says.
“Every 1.2 seconds, a truck goes over
the border northbound or southbound,”
she says. “That is a vast distinction compared to a huge container arriving from
the Pacific Rim, and yet these 1.2 second,
24/7 transactions are subject to the same
compliance and data reporting requirements,” says Matthiesen.
Alexander Moens, professor of political science at Simon Fraser University
in Vancouver, and a senior fellow in
American policy at the Fraser Institute, calls for separate border crossings
altogether for pre-cleared goods. Moens
wants deeper market integration with
the United States as a means of increasing prosperity.
“It is not undoable,” Moens says, but
admits that attempts at ‘deep integration’
failed under a prior initiative, the Security
and Prosperity Partnership of 2005. That
initiative died in 2009, leaving a yawning
gap in U.S./Canada security relations.
One of its failures was that it failed to
improve cross-border traffic.
One problem, says Moens, is that the
doctrine advanced by the SPP focused
on a continental security perimeter,
crippling itself by trying to encompass
Mexico and Canada – countries with
very different security issues – in the
same security partnership with the
United States. In 2005, the Independent
Task Force on the Future of North
America (a committee created by the
U.S. Council on Foreign Relations)
encouraged the creation of a continental
security perimeter by 2010, with a common border pass.
Thomas Tass, executive director of the
World Border Organization, disagrees.
The WBO is an international nonprofit
comprising border security professionals.
“The operation and the law is exactly the
same on the Mexican border as it is on the
Canadian border,” says Tass, adding that
the border policy will not diverge.
Neither will the agreement extend
beyond a core goal of improving commercial pre-clearance, Tass warns, arguing that easing individual passage is not
on the U.S. agenda.
“It will not make the border thinner
than it is now, and this is something that
most Canadians don’t understand,” he
says. “The United States could care less
about what Canadians think of what
they have to do to get into the U.S.”
More information will emerge when
the New Border Vision is officially
announced, but the two countries look
set to put measures in place that will
help to continue some of the original
goals set out by both the SBD and the
SPP. The question is, can the countries
appease businesses with new technological and policy measures while also satisfying the worries of privacy and human
rights advocates? ■
ADVERTISEMENT
Technology Report
The evolution of malware, security
technologies and services
There are few who are unaware of the malware
landscape changing since the release of the first few
viruses decades ago. But it seems there are just as
few people outside the computer security industry
who understand the nature of that change. No longer
is malware as ethereal a threat as an urban legend,
and no longer is the virus outbreak of the day making
the evening news. Threats now come not by ones and
twos but by the many tens of thousands each day
with the known total hovering in the tens of millions.
And threats come quietly, remaining as far below the
radar as possible to maximize their stay on an affected
machine. Corporations are now victims of targeted
attacks, as well as the regular masses of malware, and
have specific needs for the protection of corporate
information assets.
Lysa Myers, Director of Research at West Coast Labs. Lysa can be contacted at [email protected]
While malware activity has increased, security budgets
certainly have not. Many corporate security staff find
themselves facing a tidal wave of new threats without
extra personnel or resources. They need security
software to work faster, harder and require less manual
interaction while providing detailed reports as to what
actions have been taken. Machines which are infected
need to be cleaned completely to get systems back
up and running quickly and painlessly. Anti-malware
software is only as good as its research and support
departments. They are vital in order to have excellent
response times to new threats and to provide top-notch customer assistance. As focus in corporate
networks shifts away from the desktop into mobile,
cloud and virtual computing resources, security
software needs to protect these environments too.
The way malware spreads has also changed – there
is less concern for infecting oneself with a floppy disk
or via poorly worded and spelled mass-mailer viruses.
When malware authors discovered there was profit to
be had in spreading their malicious wares, they began
to take many of the tactics used by Search Engine
Optimizers and improved their social engineering
craft, placing files where people were most likely to
run across them. Consequently, the web is now where
the majority of people become infected with malware
and, given the extent to which the internet is such an
integral part of all corporations’ business activities, the
web is a potent threat vector. Companies’ websites are
regularly targeted for defacement or infected to spread
malware to the site’s visitors.
Given that the internet is operating system agnostic
and because current scripting languages allow for
queries of the specific browser version of each visitor,
malware can be spread in a manner which infects any
particular visit. In the last few years, this has been a
tactic which has proved increasingly popular with
malware authors, increasing their reach as the market
share of new technology increases.
Obviously, anti-malware products had to change with
the times as the onslaught of malware has increased
and the tactics of malware authors have shifted. The
first anti-malware products were designed strictly
as signature scanners, which only ran when a user
specifically initiated a scan. In short order, this was
changed to allow the scanner to run continuously in
the background so that each file was examined as it
was accessed, without users having to think about
it. This approach has become more widespread, so
that products require little interaction – users can
automatically have the most up-to-date protection
running at all times.
No longer are anti-malware products simply signature-based scanners. They now include advanced heuristic
technologies and generic signatures which can
proactively detect new variants of existing families
and new malware families. The best products include
a variety of security features, such as web or spam
filtering, behavioral analysis or a firewall technology
which can help protect against brand new threats. With
these new, intensive scanning technologies, vendors
have come up with many ways to decrease the overall
processing load, so that scanning will not noticeably
decrease access times or interrupt workflow.
As both the malware landscape and anti-malware
products have changed, so has the security testing
industry. When products under test were updated
periodically, used on-demand scanning and the
total known malware was in the thousands, it made
sense to have only a single pass or fail test which was
performed a few times a year over a static test-bed of
samples. This is no longer the reality of the current user
experience. While it can be a meaningful baseline test
of anti-malware functionality, it is far from a complete
picture of overall product performance.
In order to accurately reflect a user’s experience with
malware, it is important to gather the full spectrum of
malware from a variety of sources from throughout
the internet, which circulate on various protocols. This
means including not just email-based malware, but
malicious files on P2P networks, as well as on the web
and other attack vectors. Because malware does not
stop when the work day ends nor does it recognize
geographic boundaries, threats must be collected all
day from around the world.
As anti-malware products have begun to include more
wide-ranging technologies, including ones which
are initiated upon execution of a file, testing must
incorporate dynamic functionality by running threats
on test machines. This naturally takes more time than
scanning an immobile directory of files, so one must
take care to select the most relevant sample set which
a customer is most likely to encounter. This takes
into account not just prevalence, but attack vector
popularity on which it’s spread, potential for damage
on an infected system, as well as geography.
Malware authors are always abreast of technology
trends – where do people share their information, how
do people share files? At West Coast Labs, we’ve
already begun to see an increase of attacks on things
like digital picture frames, USB thumb drives, mobile
phones and on popular Web 2.0 sites. So, suffice to
say, if you know a few people who use one or other
or all – malware authors are looking to exploit them
for financial gain. Likewise, anti-malware vendors are
developing technologies to protect them and testers
like West Coast Labs are developing methodologies
to mirror the user’s risk and potential infection
experience. In order to keep up to date on the evolving
malware landscape, one need only see which new
widgets are being used in home and business network
environments.
But in the corporate world, keeping updated on
the latest threats and technologies is not enough
– TCO and ROI need to be considered. How well do
advanced technologies proactively detect? How
quickly are new threats added? How is customer
support response? How easily can the solution be
managed remotely? How much CPU time is used
for scanning? To find the answers to many of these
questions, take a look at product performance data
from leading independent test organizations, such
as West Coast Labs, and the performance validation
programs they deliver – such as Real Time Testing.
You can also take a close look at how individual
vendors are responding to the changing threat
landscape and the implications for the security of
corporate networks. Nowadays, vendors are defining
‘protection’ differently. No longer is it just product
performance-related, but also related to business
and customer service issues, delivering a higher
value overall service to meet not just security, but also
business needs.
When considering product performance in a
corporate network environment, ‘protection’ is more
than current malware detection capabilities, it’s also
about the extent of a vendor’s product research and
development strategy that anticipates threats and
trends to ensure proactive network protection. It can
be further defined as the extent to which malware
protection is delivered for a multiplatform infrastructure
through efficient and easily managed solutions with
wide interoperability capabilities. ‘Protection’ is also
about the extent to which business interests are
protected through vendor service strategies that
now include optimized and cost-effective security
plans tailored to individual corporations’ needs
for maximizing business productivity, lowering the
total cost of ownership and maximizing the return
on investment. Also, given that corporations are
operating in a worldwide ‘e-economy’ all this needs
to be supported by trusted and responsive global
support plans.
Yes, the threat landscape is continuing to evolve
with new malware threats spawned at an alarming
rate, but no longer is malware protection and
information security in general just a technical issue
– it’s a business issue. That’s why vendors’ product
and service solutions are evolving to suit these
changing needs and West Coast Labs is developing
independent product performance programs that
ensure that these products and services are tested
and validated accordingly.
■
Technology Report 2
ADVERTISEMENT
Technology Report
Kaspersky Lab Corporate Security Solutions
WEST COAST LABS' EXECUTIVE SUMMARY REPORT
The launch of Kaspersky Lab’s range of anti-malware products for the corporate network environment provides security managers with an extended choice of effective solutions for dealing with threats in attack vectors across multiple operating systems.
West Coast Labs’ independent testing and performance validation of the products confirm that they combine ease of use and management with high levels of performance, all of which is driven by Kaspersky Lab’s own research, development and customer support programs.
Kaspersky Lab has made a significant commitment to the independent validation of its products’ efficacy and performance through West Coast Labs’ Checkmark Certification System. This provides a range of static, dynamic and real-time tests which make these Kaspersky solutions possibly the most intensively tested corporate anti-malware solutions available anywhere in the world today.
Details of the specific tests to which the
products are exposed are published
elsewhere in this report, but the overall
outcome of the certification testing is the
achievement of the Platinum Product
Award for these products, which is the
highest level of independent validation
possible for an anti-malware solution from
West Coast Labs.
This is complemented by very respectable
malware detection test results which
position the performance of Kaspersky
Lab products very favorably alongside
more widely recognized corporate
security solutions.
The specific malware detection capability
testing of both Kaspersky Lab and a
number of competitive anti-malware
solutions was carried out in September
and October 2010 while the Checkmark
Certification testing of its products is
performed on an ongoing basis with
confirmation of the results available at
www.westcoastlabs.com.
■
DEVELOPER'S STATEMENT
Kaspersky Lab has developed highly-effective anti-malware solutions for use in medium and large-scale corporate networks with complex topologies and heavy loads. Combining ease of use with high standards of performance across multiple attack vectors, the products are cost-effective solutions which meet both business and technical needs worldwide.
Kaspersky Security 8.0 for Microsoft Exchange Servers (Kaspersky Security 8.0)
Kaspersky Security 8.0 provides anti-malware and anti-spam protection for mail traffic on corporate networks. Its integration with Exchange allows for detection and removal of malware and spam at the gateway level.
The product is easy to install, and its user-friendly interface, flexible administration and straightforward configuration and reporting system do not place excessive demand upon an administrator’s time. No extra setup is required on Exchange, and malware protection begins immediately.
Management of the solution is simple as Kaspersky Security 8.0 employs a Microsoft Management Console (MMC) snap-in, providing an intuitive interface with full access to all features. Database and signature updates run automatically, as often as every two hours, but if required may be run on demand. Although there are fewer options available compared to other corporate products on the market, it can be argued that all the necessary options are available, thus leading to a streamlined user experience.
(Figure: Kaspersky Security 8.0 update process)
In the ongoing Checkmark Certification Static and Real Time tests, like all the Kaspersky products, this solution has achieved consistently high standards of performance. For the comparative performance testing to measure the product’s detection capability of malware known to propagate over SMTP, Kaspersky Security 8.0 achieved a 100% detection rate of the 8,042 malware samples used in the test. This performance is equivalent to and matches that of the competitor products included in the test. We also test HTTPS.
■
Kaspersky Anti-Virus 8.0 for Microsoft ISA Server and Forefront TMG Standard Edition
Kaspersky Anti-Virus 8.0 sits on top of Microsoft Forefront TMG 2010. While TMG acts as a standalone security solution in its own right, the addition of Kaspersky Anti-Virus 8.0 provides a multi-layered security solution.
Installation of Kaspersky Anti-Virus 8.0 is simple, using a standard Windows Installer and settings imported from TMG during the install process. The default settings provide fast protection, but a more tailored installation can be achieved if required.
The solution is managed via MMC with an additional central monitoring screen and network policies which can be added to complement those of TMG, making the whole process of management, administration and ongoing use very straightforward.
Kaspersky Anti-Virus 8.0 allows permission or denial of various traffic types – HTTP, FTP, SMTP and POP3 – plus the ability to define which, if any, of the protocols should be subject to scanning. Data on network status, including the protocols which are being blocked, numbers of files scanned and the number of resulting infections, is readily available.
In the performance testing over the HTTP and FTP attack vectors, the combination of Kaspersky Anti-Virus 8.0 and TMG provided 99% detection of the range of malware samples which were included in the test. ■
Test Networks and Methodology
In a heterogeneous network situation it is important to know that a security solution is both compliant and compatible.
Throughout the comparative test program for ISA/TMG, Linux, Lotus Domino and WSEE, WCL utilized the following network configuration to simulate a corporate network environment:
• 64-bit Windows 2008 machine running as a gateway/DNS server hosting Forefront TMG/ISA Server
• 32-bit Windows 2003 machine running Lotus Domino mail server
• 64-bit servers running Linux and Windows 2008, both acting as file servers.
While each of the solutions was tested independently of one another, the results of these tests and the observations made point to the various Kaspersky Lab solutions providing a multi-faceted security framework for a corporate network.
Taking a hypothetical network into account, as below, one can see how each of the solutions would interact with and secure the network. Anti-malware protection, at the gateway level, is provided by scanning email coming into the ‘corporate network’ over SMTP with an initial scan by Kaspersky Anti-Virus 8.0 sitting on the TMG server. In turn, the email is then received by the Exchange or Domino server and a further scan conducted by the appropriate solution. Should any user require the downloading of email from an external POP3 server, the Kaspersky for TMG solution scans the traffic as it passes through the gateway. Any files that are downloaded over HTTP/FTP are scanned on the combined TMG/KAV server. Should any network user then attempt to upload any files to either a Windows or Linux based file server, the respective Kaspersky Lab solution will provide further defense-in-depth.
CA Threat Manager r12
DEVELOPER'S STATEMENT
Threat Manager combines a full-featured network anti-virus solution with policy-driven endpoint access control to protect networks from malicious software and unauthorized access.
CA Threat Manager is specifically recommended for small to medium sized business models and is designed essentially to protect client machines residing on a corporate network. With its anti-malware protection, CA Threat Manager will provide an important and much needed extra layer of security your business deserves.
The CA Threat Manager can be installed and managed via a central server, giving the administrator more time to concentrate on other tasks on the IT infrastructure. CA Threat Manager is a server-client solution and the installation can be managed via a separate executable installation. Alternatively, CA Threat Manager can be installed from a central server and, as it is extremely straightforward and well documented, which is always an added benefit, the process can be accomplished with relative ease.
This installation can be automated from a network-wide roll out and, though the default options suffice, there is some flexibility in the install options available.
With a good variety of installation methods available and wide-ranging system support, there are practically no prerequisites needed other than those already found on a standard client machine, for instance SP2 on XP Professional. CA Threat Manager can also be configured to automatically deploy to any systems joining the network for the first time, for instance via DHCP; this also saves valuable administration time and resources, easing the burden on any overstretched IT department.
The client is locally managed from either an intuitive GUI interface or from a central server, depending on the individual administrator's preference, and the security policies are created and deployed from the Threat Manager server. There is also an update option, which enables the administrator to either run updates on demand or schedule them to suit.
The test engineer recommends that, for a uniform security policy set across the network, CA Threat Manager is best managed from the server; however, it can be accomplished via the client, making it pretty flexible.
With CA Threat Manager there is further flexibility with On-Access scanning that can be scheduled to suit the needs of the network or permanently activated/deactivated. Also, On-Demand scans can be launched locally or via the central server.
CA Threat Manager additionally provides real-time reports, giving users at-a-glance updates of the current network state while also offering all the options you would expect from this type of solution.
Settings and options are available on the central server, and if you are looking for a solution that provides a ‘good fit’ with any existing network architecture, then CA Threat Manager can provide this.
Product: Threat Manager r12
Manufacturer: CA
Contact Details: www.ca.com
Certification: www.westcoastlabs.com
WEST COAST LABS VERDICT
CA Threat Manager offers a variety of deployment models and offers endpoint protection against malware. The central management console offers flexibility combined with good reporting and allows for an overview of endpoints on a corporate network of small to medium size.
TrustPort AV
DEVELOPER'S STATEMENT
TrustPort AV detects viruses and spyware at all entry points to the computer and prevents attempts by hackers to access the computer. It enables not only the continuous monitoring of files being opened, but at the same time also scans files from incoming electronic mail or downloaded from the web.
This particular security solution is designed for home users and could also provide an invaluable layer of security for home workers or the self-employed. With its low system requirements, TrustPort is an ideal solution for providing malware protection for local files, web downloads and email, and also offers firewall protection along with a URL filter. TrustPort is installed and managed directly on the client as it is purely a client-side-only solution, making it user friendly for the less well initiated.
Users can purchase and install TrustPort from a separate executable that is downloaded from the TrustPort website, with the license provided at the point of sale, making it extremely accessible. We all know the importance of ease of use with single-user client-based products and TrustPort doesn’t disappoint, with a quick and painless installation that is easy to follow.
The available options contain good descriptions and there is also some flexibility in the installation options available to the user; however, if you are happy not to tinker, all of the default options happily suffice. TrustPort supports all the usual Windows client platforms and the West Coast Labs (WCL) engineer stated that this traditional client-side installation manages everything with minimal fuss.
The URL filter contains a variety of site classifications, such as adult and gambling, to prevent viewing this type of content if required, and this product includes a ‘Portable Antivirus’ solution that allows a version of the TrustPort AV solution to be deployed to a USB stick, thus protecting any files you wish to transport; excellent for those on the move.
Observations from the WCL engineers include comments on TrustPort being a really good all-round package with the ‘Portable Antivirus’ helping it stand out in an already crowded market. This type of capability is important for anyone relying on technology when on the move, and should not be underestimated as it will protect their credibility and keep their security in one piece when it could otherwise be compromised.
The client is managed via a local GUI interface, with the updates capable of the usual scheduling as required or, if preferred, they can be run on demand. TrustPort also allows various actions to be configured for detected malware samples. WCL noted that the product management is in keeping with other products traditionally found in this category; however, it should be noted that what it actually does, it does very well.
TrustPort is a security ‘bundle’ providing anti-malware protection for local files, email, and web. It also includes URL blocking and a firewall, enabling control of what can be viewed on the client.
Product: TrustPort AV
Manufacturer: TrustPort
Contact Details: www.trustport.com
Certification: www.westcoastlabs.com
WEST COAST LABS VERDICT
TrustPort AV is aimed at home users, but can equally offer protection for SOHO workers. Including anti-malware protection in the suite of protection that it offers, the solution is well documented and is easy to configure for flexible protection levels dependent upon the requirements of the individual user.
Trend Micro IMSVA v5.1
DEVELOPER'S STATEMENT
Trend Micro InterScan Messaging Security Virtual Appliance is a hybrid SaaS email security solution that integrates an on-premise virtual appliance with in-the-cloud SaaS email security.
IMSVA is designed specifically for enterprise-size business models. It provides traditional malware protection, but it does not stop there, with the addition of extended technologies, such as firewall, web threats and POP3 scanning.
IMSVA ensures a cloak of security for any credible business looking to secure itself from potentially damaging security breaches. This also gives the administrator peace of mind in knowing that no glitches will occur in this security as there will not be any issues with compatibility.
The IMSVA solution is initially installed on the server and can then be managed from there; this is prior to rollout to the endpoint clients. The security policies are also managed on the central server then pushed out to the client machines, so the administrator does not have to configure each individual client machine, saving time and money.
Designed for VMware ESX/ESXi servers, IMSVA is a virtual machine with the images being loaded into the ESX Hypervisor server. IMSVA does require some basic setup via a Linux-based command line when running the virtual machine for the first time.
As our engineer observed during his initial encounter with it, the IMSVA setup and configuration is carried out via a web-based GUI. Of course, for any administrators with experience of Trend's IMSS and IWSS solutions, utilizing a web GUI will already be familiar to them, and for those with limited or no such experience, it still offers ease of use.
On the initial configuration of IMSVA, local firewall rules permitting, customization of the solution is carried out via the web-based GUI, which can be accessed anywhere on the network. The West Coast Labs engineer again commented on the excellent web-based GUI; however, he emphasized that access to the management interface will depend upon existing firewall rules.
Providing full anti-malware capability, as well as providing URL filtering for those URLs found inside emails, IMSVA has the same malware capability as IWSVA while also providing anti-spam support.
Working at the gateway level, IMSVA scans inbound traffic before it reaches the endpoint and blocks any traffic it finds to be malicious, thus protecting the whole enterprise. This ensures nothing is left to chance and end-users are not bogged down with header messages they understand little about or decisions on what is expected of them in respect of malicious and unwanted email.
The West Coast Labs' engineer also commented on the product's overall ability as a solid, reliable gateway-level defense. This is an important point, as any experienced IT manager will tell you: having full confidence in the security product's capability along with ease of use goes a long way when you have a large network to run.
Product: IMSVA v5.1
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/
WEST COAST LABS VERDICT
Trend Micro's IMSVA solution comprises a virtual machine that handles messaging traffic and includes a number of core technologies, such as anti-spam, anti-malware and anti-phishing. These are combined to offer a scalable and flexible solution which can be deployed in a number of network scenarios.
Trend Micro IWSVA v5.1
DEVELOPER'S STATEMENT
Trend Micro InterScan Web Security Virtual Appliance is a consolidated web security solution that combines award-winning malware scanning, real-time web reputation, powerful URL filtering, and integrated caching.
As with IMSVA, IWSVA is designed for the enterprise. IWSVA is installed and managed directly on the server with no further client installations necessary. The security policies are also managed on the central server and pushed out to the client machines to allow IWSVA to provide traditional malware protection, as well as incorporating extended technologies such as firewall, web threats and POP3 scanning.
These are all indispensable components of a versatile security solution, and the centralization provides the ease of use and flexibility administrators have come to expect, especially useful when running a large network efficiently.
Designed for VMware ESX/ESXi servers, this is a virtual machine, with the virtual images being placed on the ESX Hypervisor server. IWSVA requires some fairly basic setup via a Linux-based command line when you run the virtual machine for the first time, but again, this is an uncomplicated process; and as you’d expect with a virtual machine-based technology, the product's setup and configuration is carried out via a web-based GUI.
Any administrators familiar with Trend's IMSS and IWSS solutions will be accustomed to the web GUI, but for those not so experienced, it should still prove easy to use and therefore it does not limit you to a specific member of your IT staff being on hand.
This, as described by the WCL engineer, is again a good user-friendly web-based GUI, but he also observed that access to the management interface will depend upon any existing firewall rules, which is important to remember when setting up IWSVA for the first time.
With the ability to access it anywhere on the network, local firewall rules permitting, IWSVA customization may be carried out via the web-based GUI once the initial configuration has been accomplished.
IWSVA not only provides full anti-malware capability, but also provides URL filtering; it also offers the same malware capability as IMSVA.
Working at the gateway level, IWSVA scans all of your enterprise's inbound traffic before it reaches the endpoint and blocks any traffic it finds suspicious, so that malicious entities are blocked and your systems remain secure. This requires no client-side intervention and is therefore less prone to user error.
West Coast Labs found during testing that this was again a solid, reliable gateway-level defense solution worthy of the job in hand. So overall, IWSVA offers a well-rounded security blanket protecting the enterprise at the gateway, which frees up IT staff to concentrate on other business at hand.
Product: IWSVA v5.1
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/
WEST COAST LABS VERDICT
Trend Micro's IWSVA solution offers the ease of virtualization and the flexibility to handle web traffic in a number of types of network. The technologies at work that contribute to the operation of this solution include anti-malware and URL content filtering, and allow for very fine-grained control.
Trend Micro OfficeScan v10.0
DEVELOPER'S STATEMENT
Trend Micro OfficeScan is a comprehensive endpoint security and malware protection solution for medium sized businesses and enterprises and is normally used in a client-server configuration.
If you are an administrator running an enterprise and you are charged with finding a suitable security solution, how do you weigh up the protection you require without compromise? With OfficeScan you can protect the enterprise by providing traditional malware protection, incorporating extended technologies – such as firewall, protection from web threats and POP3 scanning – all in one solution.
This must make OfficeScan one such product worthy of noting to IT administrators. OfficeScan is installed and managed on the server, and when ready to deploy it is simply rolled out to your endpoint clients to provide the layer and level of security required. With security policies managed on the central server, the administrator can push them out to the client machines, making it an easy task to accomplish: job done.
Simply put, OfficeScan is a server-client solution; OfficeScan is initially installed on a central server before being sent out to the client machines around the network. Deployment can be carried out either by targeting specific client machines from the server console, downloading the install package to the client, or by incorporating the solution utilizing Active Directory. The client installation is silent, so neither the administrator nor the end-user has to intervene on the client machine and, as you’d expect, OfficeScan supports all common Windows client platforms, as well as VMware workstations.
During installation, the engineer commented on the various choices and variables available as deployment methods.
OfficeScan is managed via an MMC-style interface with all common options available, such as scanning actions, schedules and targets, with various security policies being catered for; so in all this is a versatile product. Although there is nothing revolutionary in the way that OfficeScan is managed, it certainly does not detract from the solution in any way. It does however seem to pack a lot into one package.
As its name suggests, OfficeScan provides protection against viruses, trojans, spyware and rootkits, with the further inclusion of a firewall, web threat protection and host intrusion prevention, so in all this is a fairly comprehensive barrier against potential threats. OfficeScan can also scan inbound POP3 traffic.
This product utilizes the Trend SPN system to provide cloud-based detection of malware.
It was also noted that OfficeScan has pretty low system requirements and that it also offers good support to virtual desktops.
During WCL’s extensive testing, the engineer observed that OfficeScan really did offer a good level of defense and he also said it was in-depth, with numerous combined security technologies included. That has to put OfficeScan in a strong position, with its comprehensive security, as being a solution worthy of a place in any security-conscious enterprise.
Product: OfficeScan v10.0
Manufacturer: Trend Micro
Contact Details: www.trendmicro.com
Certification: www.westcoastlabs.com, http://www.cctmark.gov.uk/
WEST COAST LABS VERDICT
Trend Micro's OfficeScan offers anti-malware technology at its core, with the possibility of central reporting and administration in an enterprise-level setting. The deployment and management of remote endpoints is streamlined through the central management GUI, offering an easy way for IT staff to ensure that hosts are protected.
11 Technology Report
DEVELOPER'S STATEMENT
Trend Micro ScanMail for Microsoft Exchange provides industry-leading scan engines to help stop the widest possible range of threats, while innovative Web Reputation and Email Reputation technologies use a unique cloud-client architecture accessing up-to-the-minute threat intelligence to thwart the latest attacks.
ScanMail for Exchange is designed as an umbrella for email protection, including content filtering, spam, recipient filtering, URL detection (within emails) and phishing, and is produced specifically for enterprises running Exchange servers. ScanMail for Exchange is an obvious choice for securing your incoming content, as the system requirements are relatively low considering the security this solution provides and the market it is aimed at.

Product
ScanMail for Exchange v10.0
Manufacturer
Trend Micro
Contact Details
www.trendmicro.com
Certification
www.westcoastlabs.com
http://www.cctmark.gov.uk/

This particular product is installed and managed on the server. While ScanMail for Exchange can be deployed to the Exchange server itself if necessary, it is a server-based solution with no client-side aspect. The installation is carried out directly on the server and can be placed on the Exchange server; however, this is not recommended for the larger business model because of the impact on resources, but if so required, the option is there. At the installation stage, a number of possible configurations can be achieved; however, the main installation routine itself is well documented. Although some experience with Exchange-based systems will be necessary, this is assumed given the target market. ScanMail for Exchange supports a number of Windows server platforms and Exchange versions, providing support for various network configurations, such as Server 2000/3/8 and Exchange 2003/7/10. The engineer commented on ScanMail for Exchange's good installation routine and effective deployment and integration options; something to be considered when deciding on time to deploy.

Managed via an MMC-style interface, ScanMail for Exchange offers numerous options for each of the available features, which can be tailored to fit a range of company security policies. Of course, all the usual options are available, such as scanning, schedules and targets. Administrators take note: the engineer says the numerous configuration options are very useful and will help tailor the protection on offer, so you can ensure your systems are protected to the enterprise's requirements.

ScanMail for Exchange also provides protection in the form of an email 'reputation filter.' This allows emails from a list of known 'unwanted senders' to be automatically blocked, saving valuable time and resources. With the ability to scan emails for URLs/links to known-bad or malicious websites and to block any that are found, its effectiveness is increased somewhat.

According to the West Coast Labs engineers, ScanMail for Exchange integrates with Trend Micro's Smart Protection Network (SPN), which adds to the level of protection on offer.
WEST COAST LABS VERDICT
Trend Micro's ScanMail – here considered in the integration with Microsoft Exchange Server
– offers gateway protection against email-borne threats. It includes all the components that
might be expected, such as anti-spam, anti-malware and phishing protection, administered
with ease through a central management console.
www.westcoastlabs.com
DEVELOPER'S STATEMENT
K7 SecureWeb provides end-to-end
protection for personal information
right from the keyboard to the website
and specifically aims to secure online
transactions.
Product
SecureWeb
Manufacturer
K7 Computing
Contact Details
www.k7computing.com
Certification
www.westcoastlabs.com

SecureWeb is designed to provide end-to-end protection for personal information – such as username, password, and credit card details – right from the keyboard to the website, and to secure online financial transactions. In addition to protecting internet users against threats such as screen scraping and keylogging, SecureWeb also provides SSL certificate verification and website authentication. The automatic browser launch is a great feature, as it prompts users whenever they browse to online banking and shopping websites.

SecureWeb was tested using a network consisting of a primary network attached directly to the internet and a secondary, aggressor network. A standard desktop machine housed on the primary network was used as the host for SecureWeb.

To prevent theft of passwords and bank details, SecureWeb provides an additional layer of security. It does not provide anti-virus or URL filtering; however, what it does protect, it protects extremely well.

To protect against keyloggers, SecureWeb encrypts all keystrokes so that any data that is captured is unintelligible. When dealing with screen grabbers, West Coast Labs found that each screenshot was redacted so that any potential attacker captures a blank screen.

DLL injection can disrupt a security solution and lead to the theft of user data. Attackers will often target the security solutions themselves as a first port of call when trying to circumvent protection on a local machine, whether this is anti-virus, URL/website filtering or data protection. To protect against this, SecureWeb continuously monitors its own processes for signs of malicious behavior. WCL's engineers attempted to load malicious and harmful DLLs, but were unable to inject malicious code into the SecureWeb address space, and as such all user data remained protected.

SecureWeb also protects against the threat of DNS poisoning, which alters the IP address associated with the URLs of such sites so that a user is instead directed to a website controlled by the attacker. To test this, a list of well-known e-commerce and financial domain names was added to the host's hosts file, with each domain associated with the IP address of one of various web servers owned and controlled by WCL. However, SecureWeb does not rely on information contained within the system's hosts file, and all attempts to redirect SecureWeb to an incorrect web server/webpage proved unsuccessful.

Many transaction websites use SSL certificates (HTTPS) for privacy assurance, but attackers will often try to create fraudulent certificates to pass off spoofed versions as legitimate. SecureWeb provides a means of checking the authenticity of SSL certificates, reporting if they are self-signed and therefore not legitimate. To display this information, SecureWeb employs a SiteBand™ that uses colored warnings to provide an at-a-glance report on whether the site can be trusted or not. Throughout testing, SecureWeb accurately distinguished the sites that were using legitimate SSL certificates from those that weren't.
WEST COAST LABS VERDICT
K7 SecureWeb is a good example of a solution to a specific problem that fulfills its remit very well. This is not a general use web browser, but in terms of protecting users when entering financial details it has been shown to succeed.

DEVELOPER'S STATEMENT
With up to 85% of malware now distributed via the web, proactive web security is a necessity. Webroot Web Security Service provides better manageability and better malware protection than on-premise solutions. Organizations can get the most advanced protection against viruses, spyware, phishing and data loss while easily enforcing internet acceptable use policy—all without the hassle of purchasing and managing additional hardware and software.

Product
Webroot® Web Security Service
Manufacturer
Webroot
Contact Details
www.webroot.com
Certification
www.westcoastlabs.com

Webroot Web Security Service is recommended for larger business and enterprise-sized models and, as its name suggests, is a managed solution, so there is no hardware requirement. Webroot Web Security Service (WWSS) provides gateway-level security against web-based threats as a managed service. These could include file downloads and URL filtering, areas which can be a real headache for corporate credibility.

WWSS is managed from a web-based interface, with each client machine being directed to use the WWSS proxy address. Setting up the service is an extremely quick and easy affair, requiring only that an administrator provide basic network information to Webroot.

Various settings can be defined by the administrator, such as which URL categories to block and the amount of time each user is permitted to spend online, as well as giving users information on their company's individual internet acceptable use policy. Deployment to client machines is also completed quickly and, as already noted, as a managed service the installation is almost non-existent. The West Coast Labs engineer commented that once the account has been finalized with Webroot, end-user machines simply have to be configured to begin using the Webroot service.

Management of the service is accomplished remotely by logging into the Webroot management portal, allowing protection and internet use policies to be created and rolled out rapidly. As the service is hosted by Webroot, there is no need for the administrator to run updates for either software or security definitions, making it less time-consuming. As WCL's engineer pointed out, although management is only possible via the web interface, the options available do allow for a tailored approach.

The scanning and features available to the network include provision for URL and content filtering, using preset categories. Vulnerability scanning has also been added to the service; however, this aspect was not tested by WCL. In addition, WWSS also provides anti-phishing protection as well as standard malware scanning. During testing, WCL's observation was that it offered good multilayered protection against a range of web-based threats.

The Checkmark testing WWSS underwent was on the AV Gateway certification and the Real Time system for malicious URLs; WWSS also passed WCL's Web Threats certification, making it a platinum product.

WWSS promises fast internet browsing with minimal latency, a proactive scan-ahead and a safe search facility that color-codes search engine results to allow users to see if sites are allowed, blocked or could contain malware. There is also real-time reporting and web activity logging; this can be used to view the network, or individual users or groups, providing flexible viewing of network activity. Add all that to the rapid deployment of WWSS across your entire network, which requires no software or hardware purchase, and the ability to use preconfigured policy options based on your chosen level of security, and you can see that all in all a managed service could provide a viable alternative to reduce IT resources and offer cost-effective security fast.

WEST COAST LABS VERDICT
Webroot's Web Security Service offers web threat protection as a managed service and protects against a variety of threats whilst allowing the administrator central control through a web portal. The use of a managed service also means that administrators no longer need concern themselves with remembering updates.
DEVELOPER'S STATEMENT
The Shell Control Box by BalaBit is an activity monitoring solution for privileged access that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems.

Product
Shell Control Box (SCB)
Manufacturer
BalaBit
Contact Details
www.balabit.com
Certification
www.westcoastlabs.com

One of the two BalaBit products to be reviewed under West Coast Labs' (WCL) new Performance Validated program is Shell Control Box (SCB). As with syslog-ng Store Box, the SCB test allowed WCL to provide an independent review of the solution.

To test SCB, WCL was provided with an x2200 Sun Microsystems server running SCB. WCL also tested a virtual version of SCB.

Testing of the SCB solution was conducted on a custom-built network at WCL's UK facility. The network itself consisted of a variety of client and server machines running a range of both Windows and Linux-based operating systems.

WCL downloaded SCB from the BalaBit website as a virtual machine, then imported it onto a server running VMware Player. Before full deployment, SCB requires basic network configuration (host IP address, gateway address, and so on), and the license is imported into SCB at the end of the initial configuration.

SCB is an independent appliance designed to integrate with ease, offering high availability, and is configured via a clean, intuitive web interface. The roles of each SCB administrator are clearly defined using a set of privileges. SCB receives connection attempts for a specific target host, then forwards the connection. The solution enables the creation of rules allowing the administrator to permit or deny connections based on set criteria, and provides for the auditing of network connections. SCB also works in conjunction with BalaBit's Audit Player to allow logged network traffic to be replayed in real time, and supports the following protocols: Secure Shell (SSH), Remote Desktop (RDP), Telnet and terminal emulators using the standard TN3270, VNC and VMware View. WCL only examined the following during the test period: VNC, RDP, SSH and Telnet.

The recorded audit trails can be replayed like a movie using the aforementioned Audit Player, enabling a review of events exactly as they occurred. The audit trail is indexed to make searching for events and automatic reporting possible, enabling identification of misconfigurations and other human errors during forensic analysis. SCB works in conjunction with network firewalls and can supplement further security devices, benefiting network and IT security administrators by controlling all remote connections on a given network.

SCB acts as a proxy gateway, and any transferred connections and traffic are inspected at the application level (Layer 7 in the OSI model), giving control over protocol features such as the authentication and encryption methods or permitted channels.
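The rule model the review describes (permit or deny a proxied connection on set criteria, restrict which protocol channels a permitted session may open, audit every decision) is small enough to show in code. The following is an added illustration written for this page, not BalaBit's implementation: the rule fields, the channel names and the sample connection attempts are constructed assumptions, and the policy is first-match with a default deny.

```python
"""Illustrative proxy-gateway access policy in the spirit of the SCB rules
described above: evaluate each inbound connection attempt against an ordered
rule list, allow or deny it, limit the channels a permitted session may use,
and emit an audit record for every decision.  Added example; not BalaBit code.
Rule fields, channel names and the sample attempts are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: set              # e.g. {"ssh", "rdp"}; empty set = any protocol
    sources: List[str]          # CIDR blocks; empty list = any source
    targets: List[str]          # CIDR blocks; empty list = any target
    channels: set = field(default_factory=set)  # channels an allowed session may open


@dataclass
class Attempt:
    user: str
    protocol: str
    src: str
    dst: str
    channel: str


def _in_any(addr: str, nets: List[str]) -> bool:
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


def matches(rule: Rule, a: Attempt) -> bool:
    proto_ok = not rule.protocols or a.protocol in rule.protocols
    return proto_ok and _in_any(a.src, rule.sources) and _in_any(a.dst, rule.targets)


def evaluate(rules: List[Rule], a: Attempt) -> Tuple[str, str]:
    """First matching rule wins; no match means deny (default deny).
    A session permitted by a rule is still refused when it asks for a
    channel that the rule does not list."""
    for r in rules:
        if matches(r, a):
            if r.action == "deny":
                return "deny", r.name
            if r.channels and a.channel not in r.channels:
                return "deny", f"{r.name}: channel {a.channel!r} not permitted"
            return "allow", r.name
    return "deny", "default-deny"


def audit_line(a: Attempt, verdict: str, reason: str) -> str:
    """One audit record per decision, whatever the outcome."""
    return (f"user={a.user} proto={a.protocol} src={a.src} dst={a.dst} "
            f"channel={a.channel} verdict={verdict} rule={reason}")


# Constructed policy: admins on the management LAN may SSH (shell, sftp) to the
# server block, the helpdesk LAN may RDP to desktops, Telnet is refused everywhere.
POLICY = [
    Rule("no-telnet", "deny", {"telnet"}, [], []),
    Rule("admins-ssh", "allow", {"ssh"}, ["10.0.100.0/24"], ["10.0.1.0/24"],
         {"session-shell", "sftp"}),
    Rule("helpdesk-rdp", "allow", {"rdp"}, ["10.0.200.0/24"], ["10.0.2.0/24"],
         {"rdpdr", "cliprdr"}),
]


def run_policy(rules=POLICY, attempts=None) -> List[str]:
    """Evaluate the constructed attempts and return their audit records."""
    if attempts is None:
        attempts = [
            Attempt("alice", "ssh", "10.0.100.5", "10.0.1.10", "session-shell"),
            Attempt("alice", "ssh", "10.0.100.5", "10.0.1.10", "x11"),           # channel not listed
            Attempt("bob", "rdp", "10.0.200.7", "10.0.2.30", "cliprdr"),
            Attempt("carol", "telnet", "10.0.100.9", "10.0.1.10", "session"),    # protocol refused
            Attempt("dave", "ssh", "192.0.2.44", "10.0.1.10", "session-shell"),  # no rule: default deny
        ]
    return [audit_line(a, *evaluate(rules, a)) for a in attempts]


if __name__ == "__main__":
    for line in run_policy():
        print(line)
```

Two design points carry over to any gateway of this kind: the deny rule is listed first so that no later allow can override it, and the channel restriction is checked after the connection-level match, which is what lets a gateway permit an SSH session while refusing a forwarded X11 or port-forwarding channel inside it.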
In order to test SCB, it was necessary to establish inbound connections over a network to a specific machine. VNC, SSH, RDP and Telnet connections were established; each of the connection types and combinations was tested using access control lists. These included machines with various access permissions and, once connections had been established, WCL also tested the solution's ability to terminate the connections successfully. WCL then replayed the network traffic logs through the Audit Player for verification.
WEST COAST LABS VERDICT
Testing of the SCB virtual machine showed that all connections were received and handled correctly, the administrator was able to terminate established connections and the logged files were 100% accurate. Tests also showed the capability of Audit Player to recreate the data from the session in an accurate movie-like format.

DEVELOPER'S STATEMENT
The syslog-ng Store Box (SSB) from BalaBit is a network log server that offers the capability to remotely collect and store logging entries and records from a variety of sources, including syslog and SNMP, and is designed to run alongside other security products.

Product
syslog-ng Store Box
Manufacturer
BalaBit
Contact Details
www.balabit.com
Certification
www.westcoastlabs.com

As part of its Performance Validated testing program, West Coast Labs (WCL) reviewed the syslog-ng Store Box (SSB) solution from BalaBit. The aim of the testing was to provide an independent means of validating the features and capabilities of SSB.

To test SSB, WCL was provided with an x2200 Sun Microsystems server running SSB. WCL also tested a virtual version of SSB, deploying the virtual machine SSB image that had been downloaded from the BalaBit website under the VMware Player application.

This deployment of the machine was straightforward, and should prove simple to anyone familiar with networking or virtualization technologies. On first boot, SSB requires some basic network configuration, such as designated IP, gateway and DNS addresses, along with the application of the SSB license key. With this complete, the administrator is free to log in to SSB via a web browser and to begin any required customization of the solution.

The test networks on which SSB was evaluated contained client machines running Windows XP along with AV software, various network security appliances, and a number of routers. Added to this were aspects of WCL's proprietary Real Time system.

SSB's ability to monitor, in real time, the incoming log files and flag any that do not match an expected pattern makes it extremely useful, providing an early indicator of any deviation in network traffic and/or usage. While not a security solution in its own right, SSB can work in conjunction with those security solutions already deployed to a given network and provide a means of monitoring any security events that may occur.

SSB allows the administrator to capture redirected log files from various devices such as routers, security appliances, and various servers. These logs can be either analyzed, using integral tools, or stored for later retrieval. Use of a proprietary encryption algorithm means that only authorized personnel can access information via the SSB interface. Log files can also be redirected to either a separate analysis device, or to a different log server.

To test SSB's ability to correctly receive log files, client machines residing on the Real Time system were configured so that logs relating to system restarts, network events and so on were redirected to SSB. Gateway security appliances, one on the Real Time system and one on a separate network, were configured to deliver all logs to SSB. A group of client machines, residing on a separate WCL network, had BalaBit's client software deployed to them in order to capture and forward client logs to SSB.

To validate SSB's ability to manage and secure the log files received by the solution, WCL ran tests to ensure all log files received from the various networks were correctly captured. Searches were run looking for known, specific log events such as machine restarts and network security events. WCL also attempted to open log files locally, without the use of the SSB interface, and found that the controls in place allowed access only via the interface, as expected. Log files were not human-readable when accessed directly from the underlying operating system.

WEST COAST LABS VERDICT
SSB received several thousand logs, all from various sources, and WCL concluded that all log files were received with a 100 percent success rate. All log files that were received were accurately classified and grouped.
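The two behaviours WCL tested here, classifying received records by source and flagging records that do not match an expected pattern, are the core of any log collector. The block below is an added example written for this page, not BalaBit's code: it parses BSD-style (RFC 3164) syslog lines of the kind routers and Unix hosts emit, groups well-formed records by host and program, sets aside malformed ones, and picks out the restart and network-security events the review searched for. The log lines are constructed for the example.

```python
"""Added example (not BalaBit code): classify incoming syslog records by
source and program, set aside any record that does not match the expected
pattern, and flag events of interest.  Log lines are constructed; the regular
expression assumes BSD-style (RFC 3164) syslog framing."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# <PRI>Mmm dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv",
                  16: "local0", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Patterns for the event types the review searched for (constructed).
EVENTS_OF_INTEREST = {
    "restart": re.compile(r"\b(reboot|restart|shutdown)", re.I),
    "auth-failure": re.compile(r"\b(authentication failure|Failed password|invalid user)\b", re.I),
    "fw-deny": re.compile(r"\b(DENY|DROP|blocked)\b"),
}


def parse(line: str) -> Dict[str, str]:
    """Return the parsed fields, or {'raw': line} when the line is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"raw": line}
    pri = int(m.group("pri"))
    if pri > 191:                       # PRI = facility*8 + severity; 23*8 + 7 is the maximum
        return {"raw": line}
    rec = m.groupdict()
    rec["facility"] = FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}")
    rec["severity"] = SEVERITY_NAMES[pri % 8]
    return rec


def classify(lines: List[str]) -> Tuple[Dict[Tuple[str, str], int], List[str], Dict[str, List[str]]]:
    """Group well-formed records by (host, program), collect malformed lines
    for review, and list messages matching an event of interest."""
    groups: Dict[Tuple[str, str], int] = defaultdict(int)
    malformed: List[str] = []
    events: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if "raw" in rec:
            malformed.append(line)      # does not match the expected pattern: flag it
            continue
        groups[(rec["host"], rec["prog"])] += 1
        for name, pat in EVENTS_OF_INTEREST.items():
            if pat.search(rec["msg"]):
                events[name].append(f"{rec['host']} {rec['prog']}: {rec['msg']}")
    return dict(groups), malformed, dict(events)


SAMPLE = [  # constructed log lines
    "<38>Feb  3 09:12:01 ws-xp-01 sshd[1442]: Failed password for invalid user admin from 10.0.9.8 port 51022 ssh2",
    "<6>Feb  3 09:12:05 ws-xp-01 kernel: Restarting system.",
    "<134>Feb  3 09:12:07 gw-fw-1 fw: DENY TCP 198.51.100.9:4455 -> 10.0.1.10:23",
    "<134>Feb  3 09:12:09 gw-fw-1 fw: ALLOW TCP 10.0.100.5:50111 -> 10.0.1.10:22",
    "garbage that is not syslog at all",
    "<999>Feb  3 09:12:11 rtr-1 bgpd: peer 10.0.0.2 up",          # PRI out of range
]

if __name__ == "__main__":
    groups, malformed, events = classify(SAMPLE)
    for key, n in sorted(groups.items()):
        print(f"{key[0]:10s} {key[1]:8s} {n} record(s)")
    print("malformed:", malformed)
    for name, msgs in events.items():
        print(name, "->", msgs)
```

Lines that fail the pattern are kept rather than dropped: in a collector the malformed bucket is itself a signal, since a new device type, a corrupted forwarder or an injected line all show up there first.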
Product Section
McAfee: Full-scale and configurable
Sourcefire: Network awareness suite (P65)
NetVigilance: Scanning from the outside in (P57)
Keeping the bad guys out

This month we are looking at two groups that, at first blush, don't look as if they belong together. However, the idea of managing intrusions is a complicated one that would be good to simplify. If we think of intrusion management in four layers, we have avoidance, assurance, detection and investigation. That last category sometimes is subdivided into investigation and recovery. Our two groups this month fall directly into this framework.

Our IDS/IPS group addresses detection and avoidance, while vulnerability analysis addresses assurance. So IDS addresses detecting attempts at intrusion, IPS is a mechanism for avoiding the consequences of an intrusion, and vulnerability assessment (VA) is what we do to ensure that IDS and IPS are functioning properly.

All of these tools can help us in our investigation and recovery as well. Vulnerability and penetration testing can tell us where weaknesses exist in our enterprise. That would, logically, be the starting point for any intrusion investigation. They also tell us how to remediate. In fact, many of today's VA tools are morphing toward vulnerability management, and that is the epitome of the vulnerability aspects of intrusion management.

While I doubt that the IDS, as a notify-only tool, has much life left in it, I see no end in sight for traditional vulnerability and penetration testing tools. The reason is simple: response. The IDS, plus human response, is way too slow for today's attacks and nowhere near discriminating enough for subtle attacks that are becoming the rule rather than the exception. An automated system, properly tuned, is going to become – if it hasn't already – the only sane approach to the problem.

Not so with VA and pen test tools. What we are most likely to see is VA tools morphing into a combination of vulnerability and penetration testing. There already has been some of that and, in fact, some moves in the other direction as well: pen test tools embracing VA. Sophisticated analysis of exploitable vulnerabilities will always, in my view, require human ingenuity and intervention. Vulnerability management is a necessary function in today's enterprises, just as the IPS is. But unlike the IPS, vulnerability management can't carry the whole load by itself. Yet.

—Peter Stephenson, technology editor
How we test and score the products
Our testing team includes SC Magazine Labs staff, as well as external experts who are respected industry-wide. In our Group Tests, we look at several products around a common theme based on a predetermined set of SC Labs standards (Performance, Ease of use, Features, Documentation, Support, and Value for money). There are roughly 50 individual criteria in the general test process. These criteria were developed by the lab in cooperation with the Center for Regional and National Security at Eastern Michigan University.

We developed the second set of standards specifically for the group under test and use the Common Criteria (ISO 1548) as a basis for the test plan. Group Test reviews focus on operational characteristics and are considered at evaluation assurance level (EAL) 1 (functionally tested) or, in some cases, EAL 2 (structurally tested) in Common Criteria-speak.

Our final conclusions and ratings are subject to the judgment and interpretation of the tester and are validated by the technology editor. All reviews are vetted for consistency, correctness and completeness by the technology editor prior to being submitted for publication. Prices quoted are in American dollars.

What the stars mean
Our star ratings indicate how well the product has performed against our test criteria.
★★★★★ Outstanding. An "A" on the product's report card.
★★★★ Carries out all basic functions very well. A "B" on the product's report card.
★★★ Carries out all basic functions to a satisfactory level. A "C" on the product's report card.
★★ Fails to complete certain basic functions. A "D" on the product's report card.
★ Seriously deficient. An "F" on the product's report card.

What the recognition means
Best Buy goes to products the SC Lab rates as outstanding. Recommended means the product has shone in a specific area. Lab Approved is awarded to extraordinary standouts that fit into the SC Lab environment, and which will be used subsequently in our test bench for the coming year.
February 2011 • www.scmagazineus.com • 51
GROUP TEST: Vulnerability assessment

PICK OF THE LITTER
Again this year, we are pleased to select Core Impact Professional as SC Lab Approved.
For top value, performance and ease of use, we make netVigilance Internal Scan – Cloud Edition our Best Buy this month.
Solid performance and a full feature set make Critical Watch FusionVM Virtual All-in-One Appliance our Recommended product for vulnerability management.
For its solid performance and value, SAINT integrated vulnerability assessment and penetration testing is our Recommended choice for vulnerability assessment and pen testing.
Another perennial favorite, Tenable Network Security Nessus ProfessionalFeed, is our Recommended choice for pure-play vulnerability assessment.
With the evolution in today's array of tools, the enterprise can now have vulnerability assessment any way it wants, says Peter Stephenson.

Vulnerability assessment has been one of my favorite groups for as long as I've been writing this section. I have enjoyed watching the market grow and change for several years. This year we are seeing a more mature market than in previous years. The products that we saw this year are the most capable ever. That's the good news. The bad news is that it was extremely difficult to select a Best Buy and a Recommended product.

All of the products we ran through the lab performed beautifully, did exactly what they claimed to do, and were extraordinarily easy to use. With that in mind, we selected one Best Buy and three Recommended products, along with an SC Lab Approved product. The Recommended products are in pure-play vulnerability assessment (VA), hybrid VA and penetration testing, and vulnerability management.

The VA market is evolving into three segments: pure-play vulnerability assessment, combined VA and pen testing, and vulnerability management. I have taken the position in the past that most VA products would, eventually, evolve into vulnerability management tools. I missed that one, but only by a little.

There are some vendors that have focused on making their products the best they can be within their domain. These vendors have no interest in moving their pure-play products into the vulnerability management domain. Looking at these tools, we find that they are beginning to improve beyond simply adding more vulnerabilities.

In a VA of a large distributed enterprise, there are numerous challenges. Some of those include accessing the network, selecting device candidates and maintaining currency with exploits. Today's pure-play VA tools focus on ease of use, VA functionality and certainty that they have the latest vulnerabilities covered. Almost all serious VA tools have references for common vulnerabilities and exposures (CVE), Bugtraq and other vulnerability sources. This allows a closer inspection of potential remediation beyond the short suggestions given by the tool.

More and more, we also are seeing references to CVSS – the Common Vulnerability Scoring System. This is a standardized scoring system that helps one determine the real level of seriousness of the hole. This is vastly superior to the vendor-specific scoring systems that are inconsistent from vendor to vendor. Just remember that the CVSS as shown usually is only the base score. That is because the full score adds the dimension of the environment.

This takes us to the concept of risk. I have ranted about the misuse of this term by VA vendors for years. Vulnerabilities are vulnerabilities. They are not risks. In order for a risk to exist, there must also be a threat and an impact. That is where the CVSS comes in. The National Institute of Standards and Technology (NIST) has a CVSS calculator at http://nvd.nist.gov/cvss.cfm?calculator. I highly recommend using it. There are three components to a full CVSS score: base, environmental and temporal. Loosely, we can think of the base as the level of the vulnerability, the environmental as the impact, and the temporal as the threat.
When we talk about vulnerability management, we generally expect to see some form of VA scan automation, automatic analysis and reporting – much as with a pure-play VA tool – some form of patch management or other type of remediation management and, on the most complete tools, some way of automatically retesting to make sure that the remediation took. A capable vulnerability management tool needs solid, detailed reporting to meet regulatory reporting requirements.

In a full-fledged vulnerability management program, one will want either a VA tool or a vulnerability management tool – depending on the enterprise – as well as a penetration test tool. Pen testing is critical to validating vulnerabilities for reachability, exploitability and whether they need to be part of a chained exploit or may be exploited alone.
Specifications for vulnerability assessment tools (● = yes, ○ = no)

Columns: (1) Scans Windows systems  (2) Scans Linux systems  (3) Scans Mac systems
         (4) Shows remediation information  (5) Performs remediation
         (6) Performs configuration auditing  (7) Performs penetration testing

Product                                                    (1) (2) (3) (4) (5) (6) (7)
Core Security Technology Core IMPACT Professional v11       ●   ●   ●   ●   ○   ●   ●
Critical Watch FusionVM Virtual All-in-One Appliance        ●   ●   ●   ●   ○   ●   ○
Cyberim Limited Dragonsoft Vulnerability Management v4.3    ●   ●   ○   ●   ●   ●   ○
eEye Digital Security Retina CS v2.0                        ●   ●   ●   ●   ●   ●   ○
GFI LANguard v9                                             ●   ●   ●   ●   ●   ●   ○
Lumension Scan v6.4.8                                       ●   ●   ●   ●   ●   ●   ○
ManageEngine Security Manager Plus v5.5                     ●   ●   ○   ●   ●   ○   ○
McAfee Vulnerability Manager v7.0.1                         ●   ●   ●   ●   ●   ●   ●
netVigilance Internal Scan - Cloud v1.9.298                 ●   ●   ●   ●   ○   ●   ○
SAINT Enterprise SAINTbox v7.5                              ●   ●   ●   ●   ○   ●   ●
SecPoint Penetrator v7.7.9                                  ●   ●   ●   ●   ●   ○   ●
Tenable Network Security Nessus ProfessionalFeed v4.4       ●   ●   ●   ●   ○   ●   ○
Core Impact Professional
Vendor Core Security Technologies
Price
Annual subscription license
starts at $30,000
Contact www.coresecurity.com
Every year we look at this group and, whether we mean to or not, Core Impact Professional becomes our benchmark. First, the premise behind this product has always been efficient penetration testing. That is what it does, what it focuses on, and how its developers present it to the market. This philosophy has worked well for Core.

Impact Professional is, at first blush, an extremely capable pen testing tool. But it really is a lot more. Integration with a vulnerability scanner is an option, and it can do a penetration scan or one can select individual exploits. This allows a tiered approach to pen testing for large organizations. Operational personnel can perform regularly scheduled penetration scans, and vulnerability specialists can pick up after the scan and perform more in-depth analysis.

Core Impact Professional covers network vulnerabilities, email, Wi-Fi and web applications. Client-side vulnerabilities also can be simulated, allowing a full picture of exploitable vulnerabilities in today's enterprises. The depth into which a penetration tester can go with this product is another solid benefit. Since exploit scripts are accessible and written in a standard language, the tester can modify them or create entirely new ones. This allows development of tests for zero-day exploits as they are discovered.

Documentation is complete. Allowed IP ranges are embedded in the product on a per-customer basis, limiting the likelihood that the tool will be used improperly by a rogue employee. We have used Impact Professional in the SC Lab for the past few years and have found its performance to be first rate even on underpowered platforms. For pen testers on the go, laptop installation is no problem. That said, it will use all the resources that one allows it, so if installed on a large, powerful computer, it works with blazing speed. We also have used it successfully in a VMware vSphere 4.x environment.

Core Impact Professional is not cheap, but given its performance, support and ease of use – which is considerable – we find it to be an excellent value.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★
Strengths Power, flexibility, ease of use...this one has it all.
Weaknesses None that we found.
Verdict Again this year, we are pleased to select Core Impact Professional as SC Lab Approved.
GROUP TEST | Vulnerability assessment
FusionVM Virtual All-in-One Appliance
Vendor Critical Watch
Price $19,900 for 500 IPs
Contact www.criticalwatch.com
FusionVM from Critical Watch provides a full-featured vulnerability management and configuration auditing platform that can be customized to manage vulnerabilities throughout the enterprise. With this product, an administrator can find and manage vulnerabilities throughout the environment based on customizable policies that can be set up with a few clicks.

This tool can be deployed as hybrid software-as-a-service (SaaS) or as an all-in-one virtual appliance. The appliance itself is installed into VMware ESX Server as an Open Virtualization Format (OVF) template. After the template is deployed as a virtual machine, there is some brief configuration to be done to set IP and network information. Further configuration is done through the easy-to-use web GUI.

This product provides a multitude of vulnerability management tasks beyond just simply scanning and reporting back flaws. Administrators can easily set up an organizational tree and hand out remediation tasks based on specific groups or users. The FusionVM also can interface with a TippingPoint IPS to help fine-tune the IPS itself, as well as tune scan results based on already existing IPS filters.

Documentation included an installation guide and a full user manual, both in PDF format. The installation guide, with clear step-by-step instructions and screen shots, illustrates the steps necessary to get the virtual appliance downloaded and running on an ESX Server. The full user manual provides a good amount of detail on configuring the product after deployment, setting up scans and managing users and remediation tasks. We found all the documentation to be easy to understand.

Critical Watch offers annual agreements that include phone and email support, as well as access to vulnerability updates and an early warning service. Users also can find a large research library built into the GUI.

With a price just shy of $20,000 for 500 IP addresses, this product does have a decent-size price tag, but we find it an excellent value for the money based on its solid ease of use and management flexibility.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★
Strengths Easy-to-use vulnerability scanning and management with many flexible options.
Weaknesses None that we found.
Verdict Solid performance and a full feature set make this our Recommended product for vulnerability management.
DragonSoft Vulnerability Management
Vendor Cyberim Limited
Price Starting at $7,140
Contact www.dragonsoft.com
The DragonSoft Vulnerability Manager provides network scanning, vulnerability evaluation, centralized risk assessment, reports and remediation in one easy-to-use tool. With this tool, an administrator can easily launch various types of scans from the simple management interface to target and pinpoint vulnerabilities throughout the environment.

Installation is straightforward and is done via a short wizard. The application can be installed on a Windows XP or Server operating system, and after installation is complete, scans are configured and run from the application itself. We found the application to be quite simple and easy to navigate. Launching top-level scans is seamless with a few scan templates already built in.

This product allows some in-depth scanning right out of the box as it comes with many policy templates ready to go. These policies can be modified to meet the needs of the organization, or a policy can be built from scratch to provide even more flexibility and granularity. It also comes with a built-in wizard that allows administrators to run configuration audits quickly and easily. The only thing we found to be a little daunting was that sometimes the interface temporarily froze for a few seconds when navigating through the dialog boxes.

Documentation included a user guide, which details the full product lifecycle from installation through configuration and management. We found the documentation to be well organized and easy to follow.

Cyberim offers no-cost, 90-day, telephone-based installation support included with the purchase. Further support can be acquired as part of an annual agreement, which includes 24/7 phone and email aid. Customers also can access various technical resources via the website at no cost.

With a price starting just over $7,000, we find this tool to be a good value for the money. This product can offer a quick and easy way to do some comprehensive vulnerability assessment right out of the box with the added benefit of flexibility for custom scanning.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★✩
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★
Strengths A lot of prebuilt policy templates make scanning easy right out of the box.
Weaknesses Performance when navigating between dialog boxes is slow.
Verdict If you can tolerate some limited performance slowdowns, this one deserves a close look.
Retina CS
Vendor eEye Digital Security
Price $8,000 for 256 IPs
Contact www.eeye.com
The Retina CS from eEye Digital Security is the latest vulnerability management tool in an ever-changing offering from eEye. This scanner takes the combination of the Retina Network Security Scanner and the Retina Insight reporting module and puts them together in a full Compliance and Security Management Console.

We found this solution easy to install, but it does require a fairly robust machine. The Insight reporting module requires a 64-bit installation of Windows Server and a lot of memory.

This tool is a beast when it comes to flexibility. If loaded up on good hardware with some add-on modules, this product can become a full-scale vulnerability and compliance management hub for an organization of any size. Furthermore, this product includes patch management capabilities for added value.

Documentation included installation and user guides for all the components. We found all these guides to be nicely organized and easy to follow, with many clear, step-by-step instructions and procedures. However, we did find them to be lacking in visual support. A few more screen shots and examples would have been helpful.

eEye offers standard and platinum options for phone and email tech support. Customers also can access a vast support portal with resources, such as documentation downloads and a knowledge base.

At a price of $8,000 for 256 IPs, we find this product to be a fairly good value for the money. The combination of scanning and vulnerability management tools that this product provides makes it a solid value by itself. However, it does require some robust hardware to run on, which adds to the overall cost.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★✩
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★
Strengths Robust scanning, auditing and reporting capabilities.
Weaknesses Requires hardware with large memory resources.
Verdict A mainstay in the vulnerability tool market, eEye has done an excellent job with this one. Fully loaded, it may be all one needs for vulnerability management. A little pricey, though.
GFI LANguard
Vendor GFI LANguard
Price Starting at $32 per IP for 10-24 IPs
Contact www.gfi.com
GFI LANguard has grown over the last few years to become a fairly robust vulnerability scanning and remediation tool. With this product, administrators can quickly launch scans, analyze the results and deploy suggested remediation to vulnerable machines throughout the enterprise – all from one easy-to-use application.

We found this offering to be a quick install. The installation is launched from an executable, which goes through a short setup wizard. After setup is complete and the application is launched, it is basically ready to begin scanning. Scans can be prebuilt as quick or full, or the user can define a custom scan by going through the wizard. At the end of the scan, the user then can move to the analysis section and begin to decide on remediation.

This product is very well organized with an intuitive interface. At the heart is a dashboard view that gives a quick overview of the status of the health of the environment by showing the network security level and most vulnerable computers. We also found this tool to be quite configurable with a multitude of easy-to-change options.

Documentation included a full user manual, which covers configuring and using the product after installation. This manual illustrates step-by-step how to configure and perform scans, as well as providing information on how to analyze scan results. We found this documentation to be easy to follow with many screen shots and examples.

GFI provides 30 days of no-cost support following installation. After 30 days, customers can purchase additional support as part of an annual agreement. The first year of this assistance is included in the purchase price of the product and includes 24/5 phone and email technical support.

At a price starting at $32 per IP for up to 24 IPs – with volume discounts available for more IPs – we find this solution to be a good value for the money. LANguard provides some solid scanning and analysis tools at a reasonable price.

SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★
Strengths Easy-to-use scanning and remediation tools.
Weaknesses None that we found.
Verdict A solid product with a lot of flexibility.

Lumension Scan
Vendor Lumension
Price $8 per node per year
Contact www.lumension.com
Lumension Scan is a small piece of the much larger Lumension Vulnerability Management platform. With Lumension Scan, administrators can easily run comprehensive vulnerability and configuration assessment scans across the entire network environment. This tool allows the user to identify assets in the enterprise and run a number of checks for weaknesses on network machines.

We found this tool to be quite simple to install and use. The installation took only a few minutes and we were scanning as soon as it was completed. The application has an easy-to-navigate interface, and configuring and launching a scan is done just by clicking a button. The scan configuration dialog box pops up to start a new job and, after some fields are filled in, it is ready to go.

The power of this product comes in its ability to create dozens of reports on the fly. After a scan was complete, all we had to do was select the completed job, click the reports pane and generate the report we needed. Navigating through specific scan results for a target or a full vulnerability list is also quick.

Documentation included user guides for both the scanning engine itself and the configuration management piece of the product. We found these to be quite comprehensive, but the format was organized more like a book rather than a manual. There are no step-by-step instructions or examples, just paragraphs explaining features and functions. While the format was a little uncomfortable, the language was quite clear, which made it fairly easy to follow.

Lumension provides two support levels: standard is available at no cost, and premium is purchased annually as part of a plan. Both offer varying levels of phone and email technical support, as well as access to updates and other resources.

At a price starting at $8 per node per year, this product can become quite expensive for just a vulnerability scanner in large environments. We find this solution to be an average value for the money. While it does have some excellent features, it is just a vulnerability scanner without the extra modules, and the extra modules add cost to an already expensive product.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★✩✩
Support ★★★★★
Value for money ★★★✩✩
OVERALL RATING ★★★★✩
Strengths Solid vulnerability scanner with an easy-to-navigate GUI.
Weaknesses High price point for just a scanner.
Verdict Lots of features and solid performance, but it comes at a pretty hefty price.
ManageEngine Security Manager Plus
Vendor ManageEngine
Price Starting at $695 annually for 25 systems
Contact www.manageengine.com
The ManageEngine Security Manager Plus is just what it sounds like. This application can run vulnerability scans, detect open ports, run patch management and manage changes to Windows files, folders and registries.

We found this tool to be a very simple install. All we had to do was run the installer, follow a few short steps in a wizard and we were up and running. The installer automatically supplies all the necessary components, such as the web GUI and database server, with no interaction needed. After the install is complete, management is all done on a clean web GUI.

On the home tab of the GUI, the user can easily view at a glance several informative dashboard items. Some of these items include vulnerable assets, prevalent vulnerabilities in the network, patch status and inventory information. We most liked the fact that we could drill down into the most vulnerable host on the dashboard and see a full overview of that asset’s health at the time of the last scan. Additionally, we could even click a button to download and deploy patches or service packs directly to the machine.

Documentation was an HTML help file, which included all the installation and configuration information necessary to get the product up and running, but that was pretty much the extent of it. We found this guide to lack depth, step-by-step instructions, screen shots, examples or anything other than a brief overview.

ManageEngine offers free 24/5 telephone and email support included in the purchase price of the product. After the first year, additional support may be purchased as part of an annual agreement.

At a price starting just under $700 per year for 25 systems, we find this offering to be an average value for the money. While it does have some very powerful features, it can get expensive as an annual fee for larger environments.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★✩✩
Support ★★★★★
Value for money ★★★✩✩
OVERALL RATING ★★★★✩
Strengths Powerful tool for vulnerability assessment, as well as patch and system management.
Weaknesses Documentation could have a little more substance. Expensive.
Verdict As with all of our products this month, this one is extremely capable. The annual license can be a bit expensive, though, and the documentation could be rethought to make it more effective.
McAfee Vulnerability Manager
Vendor McAfee
Price $16,800
Contact www.mcafee.com
The McAfee Vulnerability Manager provides a full vulnerability management tool for the large enterprise. This solution features the ability to discover new vulnerabilities, analyze potential risk and remediate as needed throughout the environment. This appliance is also highly configurable. While it can scan with a default set of policies out of the box, it also can be fine-tuned to provide deeper accuracy.

The install of this appliance is almost plug and play. The base of the appliance is the Windows Server 2008 operating system, which then has all the applications and web interface already preinstalled, so everything is pretty much ready to go out of the box from an installation standpoint. Configuration is a whole other story. This product can be run with a default configuration to establish a base to build off of, but then it can be fine-tuned with granular controls for a true sense of vulnerability and risk throughout the enterprise.

Once a base scan has been completed, the administrator can go in and manage discovered assets and group them based on their criticality and other settings. This helps more accurately determine risk, as well as level of vulnerability. All these settings, as well as other configuration of the appliance, are done through an easy-to-navigate web GUI.

Documentation included a full installation guide, as well as a product manual. Both these PDF guides provided in-depth, easy-to-understand details.

McAfee provides many levels of support to customers to meet the needs of various environment types. Some features include 24/7 phone and email technical support, hardware warranty and online interactive support.

At a price just shy of $17,000 for the appliance, software licenses, scanning of 1,000 IPs and a year of the gold support program, we find this appliance to be a good value for the money. This product offers a multitude of features wrapped up together in an easy-to-use-and-manage appliance.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★
Strengths Full-scale and highly configurable vulnerability management appliance.
Weaknesses None that we found.
Verdict Just what one would expect from McAfee: Solid performance, appliance-based and good support. If you’re a McAfee shop, don’t pass on this one.
netVigilance Internal Scan – Cloud Edition
Vendor netVigilance
Price $11,994 for 1,024 IP addresses
Contact www.netvigilance.com
Part of the fun of doing these product reviews is getting to see new takes on the same old problem. Sometimes a product comes along in a space that has reached maturity and changes the game a bit. This is one of those products. The Internal Scan – Cloud Edition from netVigilance provides vulnerability assessment from the outside looking in. This solution performs scans from the cybercriminal’s perspective and scans internet-facing systems, providing a clear picture of vulnerability.

We found this tool to be easy to install, configure and manage. The only installation required is a small client that can be loaded inside the enterprise on a Windows XP machine. After the client is installed, all other management is done via a web browser that connects to the netVigilance cloud service. From this web GUI, scans can be run and reports generated just as if it were running inside the environment, but there is no overhead and no expensive hardware to buy.

This service provides a robust scanning platform as well. There are several prebuilt policies readily available – including a Safe Scan mode all the way through high risk and several compliance-based scans. After scans are complete, reports can easily be downloaded in several formats.

Documentation included a single, easy-to-follow PDF on how to use the cloud service.

Support offered by netVigilance includes no-cost phone and email technical help Monday through Friday, as well as access to updates and product upgrades for the first 12 months. After that, customers can purchase additional assistance through support agreements.

At a price just shy of $12,000 to scan 1,024 IPs, we find this product to be an excellent value for the money. The netVigilance Internal Scan – Cloud Edition provides a true vulnerability picture in an easy-to-use, low overhead product.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★
Strengths Cloud-based vulnerability scanning from the outside in.
Weaknesses None that we found.
Verdict For top value, performance and ease of use, we make netVigilance Internal Scan – Cloud Edition our Best Buy this month.
SAINT integrated vulnerability assessment
Vendor SAINT
Price $19,000
Contact www.saintcorporation.com
Those familiar with SAINT know that it has in the past been a software application that had to be installed on a Linux-based machine somewhere in the enterprise. While this is not usually a problem, in certain environments there may not be somebody who is very comfortable with installing and managing Linux applications, or there just may not be a box available on which to install Linux. Enter the SAINT Box. This appliance brings all the features of SAINTscanner, SAINTexploit and SAINTmanager into one box that is ready to go right off the shelf.

We found this tool to be easy to install, as it comes pretty much already configured. All we had to do was plug in the box and attach a keyboard and monitor to go through a quick setup wizard and we were ready to go. All administration is done through a web GUI, which we found to be easy and intuitive to navigate. This GUI is also where configuration for scanning and reporting is done.

The SAINT platform itself is a powerful vulnerability and penetration testing tool. With the combination of SAINTscanner and SAINTexploit, users are able to scan and try to exploit almost anything with an IP address, as well as web and database applications. After the scan is complete, SAINTwriter provides equally robust reporting with many compliance templates ready to go.

Documentation included a well-organized user guide, which provides information on how to configure and use all of the SAINT components.

SAINT includes basic phone and email support to all customers, but 24/7 support can be purchased at an additional fee. Customers also can access an online knowledge base, as well as product documentation.

While $19,000 may seem steep, we find this tool to provide a nice combination of powerful vulnerability scanning and penetration testing tools, as well as robust reporting, in an easy-to-use box, which is why we find it to be a great value for the money.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★
Strengths Powerful vulnerability scanning and penetration testing combined onto an easy-to-use platform.
Weaknesses None that we found.
Verdict For its solid performance and value, this venerable pioneer is our Recommended choice for vulnerability assessment and pen testing.
The Penetrator
Vendor SecPoint ApS
Price Starting at $1,200 for eight IPs/one year
Contact www.secpoint.com
The Penetrator from SecPoint is exactly what it says it is. This product has been designed to scan for vulnerabilities and to try to penetrate them. This appliance features the ability to scan and exploit anything with an IP address – going beyond just systems, but also routers, switches, firewalls and many other devices.

This solution has been designed in such a way that it is very simple to use. Installation takes just a few minutes and is guided by a setup wizard. After the initial setup is complete, users can begin scanning immediately. All scanning and administration is done through a simple and intuitive web GUI. The appliance also comes equipped with several preconfigured scanning templates and easily selectable scanning options.

This product is straightforward and easy to use. It has many clickable options, which makes vulnerability scanning and penetration testing intuitive. This, combined with a multitude of vulnerability checks, detailed remediation information and easy-to-read reporting, makes this product a solid tool. The only problem we ran into is that when a user logs on to the web GUI from an unauthorized IP, it will not allow the logon without going through a check first. But we had to go through the check several times before we could access the GUI.

Documentation included a full user manual, as well as a quick-start guide. The guide provided a few simple steps for getting the product up and running. The manual then provided detailed configuration and feature information. Both guides also included many screen shot examples.

SecPoint includes in the price of the yearly subscription 24/7 live chat, email and Skype technical support, as well as access to an online forum. There are also a few free resources available on the website for customers.

At a price starting at $1,200 per year for eight scannable IPs, this product is not an inexpensive option. We find it to be an average value for the money based on its simple design and excellent feature set.

SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★✩
Documentation ★★★★★
Support ★★★★★
Value for money ★★★✩✩
OVERALL RATING ★★★★★
Strengths Very easy to use and manage vulnerability scanning and penetration scanning.
Weaknesses Quite expensive.
Verdict Excellent product, but it comes with a steep price tag.

Nessus ProfessionalFeed
Vendor Tenable Network Security
Price $1,200 per scanner per year
Contact www.tenable.com/nessus
The Nessus ProfessionalFeed from Tenable Network Security is a lightweight, no-frills network vulnerability scanner. It features the ability to scan local and remote systems for the latest vulnerabilities. With the ProfessionalFeed, users also get access to a compliance configuration audit pack, which can add credential-based auditing for NIST FDCC/SCAP, DISA STIG, CIS, and PCI compliance, along with many others.

This tool is a very straightforward install. The small server component can be installed on a medium-size machine with at least 2 GB of memory. The installation itself is easy and only takes a few minutes after launching the executable installer. After the server is installed, licensed and started, it instantly downloads the latest vulnerability checks and is ready to go. The web GUI can be accessed from any machine on the network, and scanning can begin.

We found the web GUI to be intuitive to navigate with a clean, organized layout. Scanning policies can easily be created, as well as highly customized for excellent flexibility. While this tool may be small, it does pack a significant punch. To further add punch, multiple scanners can be managed from the Tenable Security Center to meet the needs of any size environment.

Documentation included nicely organized installation and user guides. As part of the ProfessionalFeed subscription, Tenable offers no-cost email support, but only users that have purchased Security Center can access eight-hours-a-day/five-days-a-week phone support.

This product has been the old standby for years, and we find it is still the good dog when it comes to straight-up vulnerability assessment. While this solution does not have the frills of some others, it does what it does very well and is quite flexible when it comes to configuring policies and running scans.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★
Strengths Straightforward vulnerability and configuration auditing in an easy-to-use tool.
Weaknesses None that we found.
Verdict Another perennial and well-deserved favorite, this is our Recommended choice for pure-play vulnerability assessment.
GROUP TEST | IDS/IPS
IDS/IPS
PICK OF THE LITTER
Top Layer Security IPS 5500 Model 75EC v6.12 offers a lot of value for the money. It makes IDS/IPS easy to deploy, use and manage. This solid product gets our Best Buy this month.

The NitroGuard Intrusion Prevention System (IPS) device is a very strong offering, a solution to consider seriously for an enterprise deployment. We make this our Recommended product this month.
LAB APPROVED
Specifications for IDS/IPS tools (● = yes, ○ = no)
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are evolving in capabilities to deliver protection against more sophisticated threats, says Michael Lipinski.
I think I installed my first IDS back in 2000 and my first IPS in 2002. Back then, we had software- or appliance-based offerings, and we chose to install them either in front or just behind our firewalls for an added level of security. The technologies back then were a bit challenging to deploy and did not offer a wide array of configuration or management options. As these technologies morphed into stateful firewalls and, eventually, unified threat management (UTM)-style products, the traditional intrusion detection/intrusion prevention systems have continued to provide a valuable service in our layered defense/security architectures.

These technologies have evolved to support enterprise-wide deployment models, allowing admins to deliver an added layer of protection across any LAN segments or host systems they wish to protect. So instead of focusing our intrusion technologies strictly at the gateway traffic, we now have technologies that allow us to gather and manage information as it moves around our networks and to mitigate risks wherever they are found.

Through easy-to-use policy tools – allowing admins to create custom rules and threat descriptions – and added technologies, such as sophisticated risk and threat modeling and behavioral analysis, these solutions bring us much closer to protecting our enterprise from zero-day threats. The distributed architectures allow for far greater deployment and protection options, while maintaining a central policy management and log collection.
How we tested
We tested these products by configuring our lab into a three-zone setup inclusive of a firewalled internet connection, an internal LAN and a DMZ, also off a firewalled port. The DMZ consisted of a patched Windows 2003 domain controller and SQL server. The internal LAN consisted of an unpatched Windows XP SP2 PC and a CentOS Linux server. It is important to note that we were not testing the products for their ability to stop various threats. We reviewed the signature- and rule-based and zero-day capabilities to compare features and functions only.

We ran Nessus and NMAP scans against various hosts to generate alerts and log data so that we could evaluate the management, reporting, dashboarding and alerting capabilities. We tested the policy creation and deployment features and reviewed how each product kept its threat and vulnerability databases up to date. Of the five products reviewed, four shipped to us as appliances and one was a software deployment requiring a dedicated Linux server.

We didn’t assume these products would be simple to deploy. All of the products we reviewed this month took quite an effort to deploy and configure. These technologies are definitely not plug and play, but what good security product is? Once deployed, all the products delivered graphical tools for configuration and management of the sensors. Some were more intuitive than others. We found vast differences in reporting, dashboarding and alerting. Most of the products had inline and passive modes for monitoring traffic. There were things we liked about each solution we reviewed, which means it will be very important to understand what one really wants in an IDS/IPS solution before deciding which platform to acquire. All the solutions delivered base IDS capabilities. The differentiators came in the form of the IPS capabilities and the technologies used to combat sophisticated and zero-day threats.

The documentation was not quite what we wanted to see from each of the participants. That forced us to use the support options available to us, and those were all very impressive.

The product sets we reviewed were flexible and delivered so many options – from out-of-the-box protection to elaborate, customized policy rules and risk and threat heuristics. If one has the time to evaluate multiple technologies, these are definitely tools that justify a full evaluation to help determine the best solution for the enterprise’s needs.
Specifications for IDS/IPS tools (● = yes, ○ = no)

Feature                       CounterSnipe   McAfee   Nitro   Sourcefire   TopLayer
Appliance                     ●              ●        ●       ●            ●
Software                      ●              ○        ○       ●            ○
IPS capabilities              ●              ●        ●       ●            ●
IDS capabilities              ●              ●        ●       ●            ●
Zero-day threat protection    ●              ●        ●       ●            ●
Inline protecting             ●              ●        ●       ●            ●
Passive monitoring            ●              ●        ●       ●            ●
Support for custom policies   ●              ●        ●       ●            ●
Real-time alerting            ●              ●        ●       ●            ●
Central management            ●              ●        ●       ●            ●
Compliance grade reporting    ●              ●        ●       ●            ●
CounterSnipe APS v4.0.3
Vendor: CounterSnipe
Price: $500/site license
Contact: www.countersnipe.com
CounterSnipe Active Protection Software (APS) provides network-based intrusion prevention. The APS from CounterSnipe combines intrusion prevention software, host/application discovery, vulnerability detection and intelligent alert management.

The solution is delivered as software and needs to be installed on a Linux-compatible server. The process to fully load and configure the server took about 30 minutes, but it was very easy and did not require substantial Linux expertise, as the product is downloadable as a Debian-based ISO that the admin uses to create a bootable CD. Booting from the CD starts the fully automated process of loading the operating system and application, which gives way to a menu-driven configuration interface for setup.

The software includes Snort as the IDS engine and compares network traffic against a constantly updated database of IDS/IPS, spyware and malware signatures. As with Snort, admins have various alerting and remediation options available. These actions range from dropping or rejecting traffic (closing the connection) to alerting on the presence of malicious packets. A total of nine different actions are available to provide admins with truly flexible incident response.
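The Nessus and Nmap scans in this month's test methodology exist only to generate alerts on which the reporting, dashboarding and alerting of each product can be judged, and CounterSnipe's Snort engine records the alert-or-drop action on every event it writes. The following is an added example, not code from this magazine or from CounterSnipe, of the first-pass reporting a practitioner would run over a Snort alert_fast log after such a scan: it parses the lines, separates events the sensor merely alerted on from those it dropped inline, and picks out sources that touched more than one destination, which is the footprint an Nmap sweep leaves. The alert lines, signature IDs and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed Snort alert_fast lines (not output captured in the review). The "[Drop]"
# tag is what Snort writes in inline mode when the rule action discarded the packet.
SAMPLE_ALERTS = """\
02/14-10:15:32.118342  [**] [1:1000001:2] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:54321 -> 192.168.1.10:22
02/14-10:15:33.004118  [Drop] [**] [1:1000001:2] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:54322 -> 192.168.1.10:22
02/14-10:16:01.220000  [**] [1:1000002:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40000 -> 192.168.1.10:445
02/14-10:16:01.230000  [**] [1:1000002:1] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.11:445
02/14-10:17:45.000000  [**] [1:1000003:1] LOCAL Nessus SNMP probe [**] [Priority: 3] {UDP} 10.0.0.6:33434 -> 192.168.1.10:161
not an alert line: the parser must skip it rather than crash
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<action>Drop|WDrop)\]\s+)?"             # present only for inline drops
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"  # optional in Snort's output
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts. Returns (events, number_of_unparsed_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            skipped += 1
            continue
        event = m.groupdict()
        event["action"] = event["action"] or "alert"  # no tag: the packet was only alerted on
        event["prio"] = int(event["prio"])
        events.append(event)
    return events, skipped


def summarize(events):
    """The numbers a dashboard would show for a batch of alerts."""
    dests_by_src = {}
    for e in events:
        dests_by_src.setdefault(e["src"], set()).add(e["dst"])
    return {
        "by_signature": Counter((e["gid"], e["sid"], e["msg"]) for e in events),
        "by_action": Counter(e["action"] for e in events),
        "by_source": Counter(e["src"] for e in events),
        # Snort priority 1 is the most severe, so the minimum is the worst thing seen.
        "highest_priority": min((e["prio"] for e in events), default=None),
        # Sources touching more than one destination: the footprint of an Nmap sweep.
        "scanners": sorted(src for src, dsts in dests_by_src.items() if len(dsts) > 1),
        # Priority-1 events the sensor did not drop: on an inline sensor these are the
        # rules to review, because the traffic reached the host.
        "unblocked_critical": [(e["sid"], e["src"], e["dst"]) for e in events
                               if e["prio"] == 1 and e["action"] == "alert"],
    }


if __name__ == "__main__":
    parsed, unparsed = parse_alerts(SAMPLE_ALERTS)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    print(f"unparsed lines: {unparsed}")
```

The unparsed-line count matters as much as the counters: a reporting pipeline that silently drops lines it cannot read will understate an incident, so the example counts them instead of raising or ignoring them.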
A web-based user interface is used for management and configuration of the sensors. The interface provides a console dashboard and a config bar for navigating between devices, classifications, alerting and signature management.

Support can be purchased for 20 or 25 percent of the purchase price and includes hourly updates. We did not find any description of what was covered under support on the website. Documentation was fairly sparse but gave us enough to run through the setup.

There is definitely a place for this technology. If one without a large budget has an environment that requires the deployment of dozens of sensors, this is a very nice alternative to going without protection.
SC MAGAZINE RATING
Features ★★★★✩
Ease of use ★★★★✩
Performance ★★★★✩
Documentation ★★★★✩
Support ★★★★✩
Value for money ★★★★✩
OVERALL RATING ★★★★✩

Strengths: Low-cost (if deployed on a low-end server) IDS/IPS solution that adds a nice user interface with basic reporting and alerting to Snort.
Weaknesses: Signature-based; classification sets can be customized, but there is no real rule engine.
Verdict: This is a nice option compared with building one's own Linux- or Snort-based solution. It gives one an easy-to-use management console for overseeing all those deployed sensors. It works best as a traffic analysis solution.
McAfee Network Security Platform v6.0
Vendor: McAfee
Price: Ranges from $10,995 to $229,995
Contact: www.mcafee.com
McAfee Network Security Platform (NSP) v6.0 provides threat protection for demanding networks. This network intrusion prevention system delivers inline threat prevention and detection through a combination of protocol discovery and analysis, heuristics, behavior analysis and cloud-based reputation feeds. The offering is delivered on a purpose-built appliance platform. The sensor is a content-processing appliance built for accurate detection and prevention of intrusions, misuse and distributed denial-of-service (DDoS) attacks. The platform is managed with McAfee Network Security Manager, which is part of the NSP integrated security offering that also includes network access control, network threat behavior analysis and full integration with McAfee endpoint solutions. We evaluated the intrusion detection/intrusion prevention component with Network Security Manager as the management platform.

The solution provided to us included the IDS/IPS sensor and a preconfigured Windows server loaded with Network Security Manager. We had the server set up and talking to the sensor in no time. Default policies that come as part of the base setup provide basic protections. The device examines the header and data portion of every network packet, looking for patterns and behavior in the network traffic that indicate malicious activity.

Creating policy and managing the sensors is done through a web-based user interface. We really liked the threat analyzer capabilities. This feature discovers hosts on the network and creates a nice map showing security events that violate configured policies.

McAfee Network Security Platform models range from 100Mbps throughput to 10Gbps-plus. List prices range from $10,995 for the M-1250 (100Mbps) model to $229,995. Support is provided at a cost of 20 percent of the price of the solution. Several upgraded support offerings are available.
SC MAGAZINE RATING
Features ★★★★✩
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★✩
Value for money ★★★★✩
OVERALL RATING ★★★★★

Strengths: Nice IDS/IPS features; easy to deploy, configure and manage.
Weaknesses: As a standalone IDS/IPS, relies mostly on signature- and rule-based protection.
Verdict: Good solution for adding IDS/IPS to a layered security architecture. Strong offering if deployed with other NSP components.

NitroGuard IPS 4245 v8.4.2
Vendor: NitroSecurity
Price: $54,495 as tested (lower-performance models start at $6,495)
Contact: www.nitrosecurity.com

The NitroGuard Intrusion Prevention System (IPS) device is an intelligent packet-filtering system that detects sophisticated network intrusion attempts and actively records and/or stops such attempts. The NitroView Enterprise Security Manager or Enterprise Security System (ESM/ESS) is the central point of administration and configuration. The ESM/ESS allows network administrators to keep all configuration settings, user and access group profiles, and event and flow data in a single location. These two components are part of a full unified security management system. However, we only evaluated the ESM and the NitroGuard Intrusion Prevention System in a standalone deployment. The intrusion prevention appliance actively detects, analyzes and protects the network from an array of security threats, including viruses, worms, spyware, denial-of-service (DoS) attacks and other forms of malware, as well as unknown or zero-day attacks.

The user interface is one of the more attractive interfaces I have used. There are user-configurable views on the dashboard, and tools, options and a tree-based selector for managed appliances are all within a couple of clicks of where one needs to be. Reporting is strong, with built-in reporting templates available, including compliance reporting. One also has the ability to design custom reports. Also new to this release is a "what if" alert action. As an added benefit, the product is both FIPS- and Common Criteria-certified.

Support fees were not included, but we did open a ticket to assist in the initial deployment and received a fast response, and the support resource was knowledgeable and helpful.

SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★★

Strengths: Full-featured with a great presentation of data, strong reporting, and support for SCADA and distributed control system (DCS) protocols.
Weaknesses: None that we identified.
Verdict: A very strong offering; a solution to consider seriously for an enterprise deployment. As part of the overall solution, the price would not be excessive. Just a bit pricey as a standalone IDS/IPS solution. We make this our Recommended product this month.
Sourcefire Next-Generation IPS v4.9
Vendor: Sourcefire
Price: $8,995
Contact: www.sourcefire.com
The Sourcefire Next-Generation IPS v4.9 is a distributed, appliance-based offering modeled on the Snort detection engine. It is part of the Sourcefire 3D System, which provides a suite of tools for delivering real-time user and network awareness. The Sourcefire Intrusion Prevention System (IPS) is one of the components of the Sourcefire 3D System that runs on the 3D Sensor. IPS allows one to monitor a network for attacks that can affect the availability, integrity or confidentiality of hosts on the network. By placing 3D Sensors on key network segments, one can examine the packets that traverse the network for malicious activity. Each 3D Sensor uses rules, decoders and preprocessors to look for the broad range of exploits that attackers can develop.

A typical Sourcefire IPS deployment consists of one or more physical Defense Center management console appliances deployed on a trusted network and multiple physical IPS appliances distributed throughout the environment. The appliance can be installed in passive, inline, or inline with fail-open deployment modes. IPS and Defense Center appliances also can be deployed as software on VMware vSphere and open source Xen hosts to monitor VM-to-VM traffic.

The appliance is accessed via a web browser. Nice alerting features allow for SNMP, email or syslog automated response. There is also support for automated firewall response, but it is limited to Check Point OPSEC-compatible firewalls. We liked the incident management feature that allows one to create and manage an incident through the lifecycle of the incident management process. Reporting is good and includes the ability to generate reports from various event views.

Support is available for a fee of 18 or 22 percent of the purchase price. This solution would make a nice addition to any environment that wants to add IDS/IPS to a layered security solution at a reasonable price point.
SC MAGAZINE RATING
Features ★★★★✩
Ease of use ★★★★✩
Performance ★★★★✩
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★✩
OVERALL RATING ★★★★✩

Strengths: High availability features, incident management, customizable, and integration with other products.
Weaknesses: As a standalone IDS/IPS, lacks analysis tools for combating zero-day threats.
Verdict: If your enterprise already owns a SIEM, this would make a nice addition for providing IDS/IPS functions at an attractive price point.
Top Layer IPS 5500 Model 75EC v6.12
Vendor: Top Layer Security
Price: $12,495
Contact: www.toplayer.com
The IPS 5500 Appliance from Top Layer Security is a standalone, purpose-built IPS. The EC-Series models have copper network interfaces and built-in zero-power bypass functions. The Model 75EC, considered for this Group Test review, is optimized for cost-effective, remote-site deployments.

Typically installed inline, IPS 5500 units can be deployed in a variety of modes, including detection-only, pre-emptive blocking or a combination of both. The Top Layer IPS detection/protection capabilities use integrated three-dimensional protection to perform thousands of inspections to filter out malicious traffic. The solution consists of three main modules: a stateful analysis firewall providing network-level protection, a denial-of-service protection engine and a deep packet inspection engine providing protection against vulnerabilities, worms and application-level attacks.

The IPS unit is managed through a Java-enabled web browser or through the IPS controller management software. The user interface is attractive, with tree-based navigation of configuration and management items and a full graphical dashboard.

Enterprise features for redundancy, failover and scalability are all available. Reporting is granular and based on templates that allow admins to set the type and frequency of reports. PCI compliance-level reporting is also available. Event logging configuration is very granular and gives one the flexibility to log as little or as much information as required for each sensor. The documentation resources are very good, complete and nicely laid out, making deployment and management of the solution very easy.

The list price includes a three-year threat update subscription, three-year support, maintenance and upgrades, three-year advance hardware replacement, and two-day remote installation and deployment service. Additional support options are available for a fee.
SC MAGAZINE RATING
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★

Strengths: Ease of use, support included for three years, nice integrated offering.
Weaknesses: None that we found.
Verdict: Lots of value for the money. Makes IDS/IPS easy to deploy, use and manage. This solid product gets our Best Buy this month.
FIRST LOOK
Moving authentication to the infrastructure

It would be nice – and convenient – if we could standardize all of the authentication methods for our enterprise on a single product or, at least, product type. But the fact is that we cannot. For example, a bank might have very strong authentication for system administrators, another type of strong authentication for senior managers, ID and password for most other employees, and some form of simple, but strong, authentication for customers of the online banking system. That is at least four different types of authentication. Add some layered methods – such as strong authentication for the database administrators and passwords to the applications for the same administrators – and the authentication scheme starts to get a bit complicated.

The thrust of ActivIdentity 4TRESS is to allow a diverse array of authentication methods – as well as provide a policy-driven tool for managing authentication – all in a single appliance. The management piece is very nice. The policy approach allows administrators to manage user profiles down to a fine granularity, and those policies are consistent across multiple service channels and lines of business or user communities. Thus, the authentication process becomes part of the enterprise's infrastructure rather than part of an application.

The secret is that 4TRESS abstracts away from the application and deals only at the user level. That means that no matter what the app requires, if a user is authorized on it, the authentication requirements are tied to that user.
Another benefit of the 4TRESS appliance is simplicity of deployment. A typical deployment consists of appliances with load balancing across a cluster of applications. Users can be associated with their authorized applications through an application programming interface (API) or through standard mechanisms, such as RADIUS. Since the 4TRESS appliance can connect to multiple user repositories – Active Directory, among others – this tool is ideal for bringing diverse environments together.
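RADIUS is the standard mechanism named above by which an application hands a credential to an appliance like this one, and the idea of policies that follow the user rather than the application is easiest to see in a working exchange. The block below is an added example, written for this review and not ActivIdentity's code, of the RADIUS Access-Request/Access-Challenge/Access-Accept exchange from RFC 2865 with the application side and the server side in one file: the server applies a per-user policy (one constructed user needs only a password, the other must answer a challenge with a one-time code), and the client refuses any reply whose Response Authenticator does not verify under the shared secret, which is the check that stops a spoofed Access-Accept. The shared secret, user names, passwords and one-time code are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Everything below is constructed for the example: the secret, the users and their
# policies are hypothetical, not data or code from ActivIdentity.
SECRET = b"example-shared-secret"      # shared by the application (NAS) and the server
STATE_KEY = os.urandom(32)             # server-only key for the challenge State cookie
CODE = {"request": 1, "accept": 2, "reject": 3, "challenge": 11}
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24   # RFC 2865 attribute types

# Per-user policy: the DBA must present a password and a one-time code, the
# online-banking customer a password only. The application never sees the difference.
USERS = {
    b"dba-alice": {"password": b"correct horse", "otp": b"492871"},
    b"customer-bob": {"password": b"hunter2", "otp": None},
}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (RFC 2865, section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide(password, req_auth, secret=SECRET):
    """User-Password hiding (RFC 2865, section 5.2): pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is secret-keyed obfuscation, not encryption to rely on across
    an untrusted network."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal(hidden, req_auth, secret=SECRET):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return code, ident, packet[4:20], decode_attrs(packet[20:length])


def response_auth(code, ident, req_auth, attrs, secret=SECRET):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Only a holder of the shared secret can produce it for a given request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def state_token(username):
    return hmac.new(STATE_KEY, username, "sha256").digest()[:16]


def server_handle(packet):
    """Authentication server: verifies the credential and applies the user's policy."""
    code, ident, req_auth, attrs = unpack(packet)
    attrs = dict(attrs)
    user = USERS.get(attrs.get(USER_NAME))
    presented = reveal(attrs.get(USER_PASSWORD, b""), req_auth)
    reply, reply_attrs = "reject", []
    if code == CODE["request"] and user is not None:
        if STATE in attrs:   # second leg: User-Password now carries the one-time code
            good_state = hmac.compare_digest(attrs[STATE], state_token(attrs[USER_NAME]))
            if good_state and user["otp"] is not None and hmac.compare_digest(presented, user["otp"]):
                reply = "accept"
        elif hmac.compare_digest(presented, user["password"]):
            if user["otp"] is None:
                reply = "accept"
            else:   # policy demands a second factor: challenge instead of accepting
                reply, reply_attrs = "challenge", [(STATE, state_token(attrs[USER_NAME]))]
    auth = response_auth(CODE[reply], ident, req_auth, reply_attrs)
    return pack(CODE[reply], ident, auth, reply_attrs)


def client_authenticate(username, password, otp=None, transport=server_handle):
    """Application side: send Access-Request, verify each reply's Response Authenticator
    before trusting it, and answer an Access-Challenge with the one-time code."""
    ident, state, credential = 0, None, password
    while True:
        ident = (ident + 1) & 0xFF
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, username), (USER_PASSWORD, hide(credential, req_auth))]
        if state is not None:
            attrs.append((STATE, state))
        code, rid, auth, rattrs = unpack(transport(pack(CODE["request"], ident, req_auth, attrs)))
        # A reply that does not verify was forged or altered: treat it as a reject.
        if rid != ident or not hmac.compare_digest(auth, response_auth(code, rid, req_auth, rattrs)):
            return "reject"
        challenge_state = dict(rattrs).get(STATE)
        if code == CODE["challenge"] and challenge_state is not None and state is None and otp is not None:
            state, credential = challenge_state, otp
            continue
        return "accept" if code == CODE["accept"] else "reject"
```

The `transport` parameter stands in for the UDP socket so the exchange runs in one process; in a real deployment the same verification applies to every datagram. Because User-Password hiding and the Response Authenticator both rest on MD5 and a static shared secret, the RADIUS path between the applications and the appliance belongs on an isolated management network or inside a tunnel, not on a segment an attacker can sniff.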
Setting up users is simple. User profiles contain all credentials and rights associated with those credentials. Virtually any type of authentication is accepted, including static passwords, smart cards, USB tokens, one-time passwords, certificates, out-of-band transaction verification and transaction signing. Of course, any particular user can have multiple methods and password policies associated.
4TRESS is reasonably priced, especially considering what it does and the environment – banking – in which it does it. The website is plain and simple to navigate, with quite a few resources, from managed services, such as consulting information, to application notes, case studies and white papers.

There are two available support options. The standard option includes eight-hours-a-day/five-days-a-week support and free upgrades. The premium option expands support availability to 24/7, again with free upgrades.

Overall, this is a very good product, one that is somewhat unique in its capabilities, especially in the nuances of how it executes those capabilities. The tool is well thought-out, and the requirement it addresses is real. I liked it and, really, could find no fault with it. As with all systems that interact with users and the enterprise, though, one needs to understand one's goals in deploying it thoroughly. That said, there is no question that the ActivIdentity 4TRESS Authentication Appliance for Banking paradigm is to bring the functionality of authentication management solidly inside the enterprise infrastructure, rather than thinking of it as a standalone security application.

– Peter Stephenson, technology editor

AT A GLANCE
Product: ActivIdentity 4TRESS Authentication Appliance for Banking v7.0
Company: ActivIdentity
Price: Starts at $7,500 for 4TRESS Authentication Appliance; $33,000 for 4TRESS Authentication Appliance with embedded HSM, plus per-user software license fee
What it does: Provides a single authentication-method-agnostic appliance that also allows management of users' access control requirements
What we liked: This tool is a one-stop shop that manages user authentication, user access policies and everything associated with access control.
What we didn't like: Nothing. The only caveat is that before one deploys this product it is necessary to know what is desired, especially if some enterprise-centric authentication already is in place that needs to be integrated into the new system.
Events and Seminars

Start here for a calendar of events. To have your event included, contact [email protected]

FEBRUARY

» RSA Conference 2011, Feb. 14-18
RSA Conference 2011 celebrates its 20th anniversary with dozens of presentations, panels, workshops and courses broken down into several tracks. Keynote speakers include Ari Juels, RSA Laboratories; Dave Hansen, CA Technologies; Philippe Courtot, Qualys; Scott Charney, Microsoft; Tom Gillis, Cisco; Enrique Salem and Francis deSouza, Symantec. President Bill Clinton will be the closing keynote presenter on Feb. 18.
Venue: San Francisco
Contact: rsaconference.com/2011

MARCH

» Gartner CIO Leadership Forum, March 20-22
Gartner CIO Leadership Forum offers an interactive, workshop-centric experience to exchange ideas and receive actionable guidance from prominent CIOs, Gartner experts and senior executives from leading technology providers. This gathering focuses on business and IT alignment, CIO and IT leadership, IT modernization, IT strategic planning and project management.
Venue: Phoenix
Contact: gartner.com/EventsCal

» Web 2.0 2011, March 27-28
This event showcases the latest Web 2.0 business models, development paradigms and design strategies for the builders of the next-generation web. This annual multitrack conference brings together people, ideas, connections, contacts, products and companies to foster stronger Web 2.0 communities. The event features keynotes and speakers, detailed workshops, a Launch Pad start-up program, an expo show floor, a Web2Open unconference and networking events.
Venue: San Francisco
Contact: web2expo.com

APRIL

» InfoSec World Conference & Expo 2011, April 19-21
This annual event will deliver more than 70 sessions, dozens of case studies, multiple tracks, in-depth workshops, two co-located summits and more than 100 exhibitors. Providing education to all levels of information security pros, from CISOs to system administrators, this gathering offers practical sessions that provide the tools to strengthen security implementations without interfering with business operations.
Venue: Orlando, Fla.
Contact: misti.com

» Counter-eCrime Operations Summit 2011, April 26-28
This fifth annual gathering will be hosted by the Anti-Phishing Working Group (APWG) along with its sponsors, CyberSecurity Malaysia and MyCERT. It will engage questions of operational challenges and the development of common resources for first responders and forensic professionals who protect consumers and enterprises from the e-crime threat every day. Presenters will offer case studies of national and regional economies under attack, narratives of successful transnational forensic cooperation, as well as models for cooperation and unified response against e-crime and data resources for forensic applications.
Venue: Kuala Lumpur, Malaysia
Contact: apwg.org

» Gartner Business Process Management Summit 2011, April 27-29
This is a meeting place for IT and business executives and professionals who are responsible for implementing, managing or maintaining business process management. Learn more about technologies that enable business agility. Gather best practices on the art of process control. Become more efficient, consistent and competitive.
Venue: Baltimore
Contact: gartner.com/EventsCal

MAY

» SuperStrategies 2011, May 10-13
More than 70 topics will be presented at this gathering, including: how information assurance contributes to meeting the organization's goals and vision; auditing your customers; continuous monitoring for internal fraud and integrity; implementing risk-based auditing; complexities and challenges of implementing enterprise GRC; data risk management; red flags in vendor audits; and social network sites' emergence. Keynotes include Greg Ip, The Economist, speaking on the economic outlook for 2011.
Venue: Chicago
Contact: misti.com

JUNE

» Int'l Cloud Computing Conference & Expo, June 6-9
The organizing principle of this event is to ensure, through keynotes, sessions and an expo floor, that attendees leave with abundant resources, ideas and examples they can apply immediately to leveraging the cloud, helping them to maximize performance and minimize cost.
Venue: New York
Contact: cloudcomputingexpo.com
LastWord
Smart mobile app development

Mobile threats will soon be used to gain access to personal and business devices, says Sean Martin.
The mobile world has pretty much taken over our lives. To address operational concerns, we are seeing some activity in the space to enable multiple virtual environments to run on a single device, allowing individuals to possess a single device that can separate personal use from business use.

Still, each device brings with it a different network, a different platform, various operating system versions, and a new set of apps to run on them. This nearly infinite combination oftentimes leaves a path wide open for vulnerabilities or other weaknesses to be exploited. While we have yet to experience large quantities of widespread and widely publicized attacks against the mobile space, we have to accept the fact that it is just a matter of time before attacks against these mobile vulnerabilities or weaknesses are used to gain access to personal/business devices, the critical business systems they are connected to, and the sensitive information that they host.

Unfortunately, for most app builders, the security requirements fall to the bottom of the requirements bucket, as the priority of being quick to market trumps all else. Quickly building a secure app designed to run on one or more platforms/devices can be extremely challenging if the wrong environment and tools are selected. The real challenge is balancing the right level of security with the right multidevice/platform strategy and the right time-to-market delivery.

To begin with, addressing security for each app built on a device-by-device basis is not the right answer. This requires too much time to design, implement, test and deliver, thereby impacting the ability to get the app to market quickly to the widest audience possible. Additionally, it can be nearly impossible for an app development team to truly understand the nuances of each device, operating system and security requirement while trying to keep up with the changes to each of them over time.

Alternatively, most developers will look for a way to write the code once and have it run on multiple devices. This is typically accomplished by building a wrapper app. However, leveraging a wrapper app as an attempt to secure the app across multiple platforms is not the right answer either.

Here's another consideration: If your organization is planning to build apps that run on multiple mobile devices, then it is critical to select a mobile development platform provider that offers a completely native development environment for each of the mobile applications. This provider should support the delivery of a rich and secure cross-platform experience for both the development team and the applications' users such that the time-to-market requirements can be met.

The development environment should eliminate the producer's burden of having to configure for each individual device and operating system, such that multiple platforms and operating systems can be supported through a single release. The development platform provider must research and implement a secure development environment, such that the application itself is secure and will use each of the mobile device platforms and operating systems securely.

With these requirements met, your organization should find it is able to deliver releases with greater quality, quicker release times, improved application scalability and reliability, proper system security and data integrity.

If an organization chooses to address the security risks of each platform through a 'write once, run anywhere' mobile development platform, the model of lowest common denominator security can be avoided and mobile apps can be brought to market both quickly and securely.

Sean Martin is the owner and directing consultant at imsmartin consulting.