"Integrated security" is an illusion - you need many different solutions, and a system that ties them together.
The big, acquisitive infrastructure vendors insist that security inevitably will be built into their architectures, but critics rightly warn of the pitfalls of a fully integrated approach.
By Rob Preston, InformationWeek
Feb 10, 2007 12:00 AM (From the February 12, 2007 issue)
Since the dawn of time, IT customers and vendors alike have debated "best of breed" vs. "integrated solution." Preaching lower total costs, simpler management, and ease of use, the biggest software vendors have pushed ahead with their integrated "platforms," sometimes to the chagrin of the competition authorities. Windows is now crammed with Web browsing, media playing, and other adjunct features. Enterprise application suites pack supply chain and CRM modules. Databases are integrated with analytics tools, and management systems are taking on software distribution, compliance, and other capabilities. Best-of-breed software vendors still compete at the edges, but the platform purveyors are taking charge.
Security is a different beast, however. Although the industry is consolidating, it's still populated by hundreds of small to midsize companies that sell intrusion detection, event management, vulnerability assessment, authentication, identity management, network forensic, anti-spam, antivirus, access control, and other point products. The acquisitive infrastructure vendors now insist that security, too, inevitably will be built into their architectures, but critics warn of the pitfalls of a fully integrated approach.
Art Coviello, president of RSA Security, acquired by EMC last year, told the audience at his RSA Conference in San Francisco last week that security must be built "more and more" into infrastructure to assure active, manageable defenses. He predicted the demise of the standalone security industry within three years. "If I'm proven wrong about the timing," Coviello said, "I won't be proven wrong in the need for this."
Not so fast, said John Thompson, CEO of Symantec, the largest of the "independent" security vendors. Security products and services must continue to be offered by specialist companies, he said in a separate conference address. "Who would entrust one company to do this?" Thompson said. "You wouldn't want the company that creates your company's operating system to be the one to secure that operating system. It's a conflict of interest."
Not that Microsoft or its infrastructure brethren Cisco, EMC, and IBM are conflicted about building the best security they can into their software, networking, storage, and management platforms. But what about interoperability with other products? Independent security vendors will remain critical as long as every last customer isn't a card-carrying Microsoft, Cisco, EMC, IBM, or some other shop.
Before his Internet Security Systems was acquired by IBM last year, CEO Tom Noonan argued that big infrastructure vendors such as Microsoft and Cisco have no incentive to work with competitors on security. Doesn't that reasoning also extend to IBM Tivoli, which is now building ISS security into its management infrastructure?
But customers also can't manage 32 separate security vendors and their products--a number cited by Noonan last week as the average these days for a large enterprise. IT security spending continues to grow at three times the rate of other tech investments, he said, "a pretty unsustainable business problem."
Customers are conflicted. When asked to rate their most important criteria in selecting a security vendor, the 966 U.S. respondents to last year's InformationWeek Global Security Survey picked "integration considerations" fifth, behind the technical strength of the product, total cost of ownership, vendor service and support, and pricing. More than half of those companies said the most compelling reason to build their security around a single vendor would be to reduce the complexity of managing the technology, not so much to improve their security. However, in Europe, China, and India, where a total of 1,227 companies were surveyed, superior protection was cited as the most compelling reason to go with an integrated solution.
Built-in security may prevail by the sheer force of the biggest vendors' will, but the independents will remain a force for the foreseeable future.
Labels: Security Integration
How will IT security be integrated with physical access control?
"Protection from internal threats, such as accidental or malicious disclosure of confidential information, is expected to be a major topic this week. Websense is expected to unveil its new Content Protection Suite and McAfee also is entering the space crowded with smaller players such as Vontu, Code Green Networks and GTB Technologies."
OK - How will all of those be integrated? Does anyone really believe one company can provide all the answers? Dynamic Security can integrate these systems if they have an interface...
Feb 6, 2007 3:39 PM
The annual RSA Conference is showing evidence of a maturing information security industry with an increasing role for big-name companies. The event has developed into an annual gathering for corporate IT pros and a showcase for hundreds of companies, small and large, that market security products and services to businesses.
Security is becoming more structured and part of the IT infrastructure at companies, instead of being added on later, analysts tell USA Today. Companies including Oracle, Microsoft, Sun Microsystems, Cisco Systems and Intel are vying for a piece of the pie, which may hurt the smaller industry players, they add.
"There seems to have been a recognition among some of the larger vendors that they can make money with security or, more likely, that they're not going to make any money if they don't have security in the future," said Gartner Analyst Ray Wagner. "That's certainly going to hurt some of the smaller vendors."
Case in point: Database giant Oracle for the first time will have a major presence at the RSA Conference. The company will promote its identity management products as well as software to secure the applications it sells to help large enterprises with things like accounting and human resources. Oracle CEO Larry Ellison is slated to deliver a keynote speech at the San Francisco event.
Microsoft Chairman Bill Gates kicked off the conference Tuesday in a keynote.
"In a lot of ways security is becoming more boring," Andrew Jaquith of the Yankee Group tells USA Today. "But boring is good. Boring means maturation. Boring means you're seeing large companies like IBM have a really rounded out security story. This is good for the mainstreaming of security into the way people run their business."
As products have become more mainstream, so have the RSA attendees. The bulk of the event is geared to less specialized visitors. "Security concerns are moving away from tech geeks with pocket protectors monitoring networks in a back closet somewhere, to something that business managers and more senior folks are concerned with," says George Tubin, an analyst with TowerGroup.
Of the more than 340 exhibitors at the RSA Conference in San Francisco's Moscone convention center, many companies in the security arena are using the event to announce new initiatives, products or product updates.
Protection from internal threats, such as accidental or malicious disclosure of confidential information, is expected to be a major topic this week. Websense is expected to unveil its new Content Protection Suite and McAfee also is entering the space crowded with smaller players such as Vontu, Code Green Networks and GTB Technologies.
Labels: IT Security, Security Integration, Security Policy
"After years of acquisitions, Cisco is just now starting to hook its security products together, said Robert Whiteley, a senior analyst at Forrester Research Inc."
And if you have the old versions, and those of other firms, Dynamic Security can put them together for you.
Cisco focuses on security product integration
Vendor set to unveil several security offerings at RSA Conference
Robert McMillan
February 06, 2007 (IDG News Service) -- Over the next few months, Cisco Systems Inc. plans to enhance a range of its security products, offering customers an integrated and improved line of products.
The company plans a major new release to the software that runs its Adaptive Security Appliance (ASA) product. Also in the works are updates to its Intrusion Prevention System (IPS), the Cisco Security Agent (CSA), the Cisco Security Manager (CSM), and its Mitigation Analysis and Response System (MARS).
The upcoming Version 8.0 of the ASA software will include about 120 enhancements, but perhaps the most significant change is that its AnyConnect VPN client will now work on a much broader range of platforms, including Windows Vista, Mac OS X, Linux and Windows Mobile 5.0 Pocket PC Edition. "We're extending this out of the traditional realm of just laptops," said Bob Berlin, a Cisco senior product marketing manager.
Cisco is also improving the information-sharing capabilities between its IPS 6.0 and CSA 5.2 software to make the products better able to identify and block emerging threats. Another new feature will allow CSA to assign quality-of-service tagging to network traffic so performance can be boosted on applications such as voice over IP.
Using engineering talent it acquired in its 2004 purchase of Riverhead Networks, Cisco has also developed new algorithms that allow the IPS software to better analyze potentially malicious activity on a network. The ASA software will also be better integrated and easier to manage with the upcoming Version 3.1 of CSM.
After years of acquisitions, Cisco is just now starting to hook its security products together, said Robert Whiteley, a senior analyst at Forrester Research Inc. This is critical if Cisco wants to maintain its new position as a player in the security space, he said. "Whether people acknowledge it or not, Cisco is one of the largest security vendors," Whiteley said. "But they haven't had quite as much of an integrated story as you'd see from a [security] specialist."
Cisco has had a lot of integrating to do. The company has made about 10 security-related acquisitions in the past three years. It now takes in more than $2 billion in annual revenue from security product sales, and it employs more than 1,400 security engineers, according to Richard Palmer, senior vice president of Cisco's Security Technology Group.
Cisco may be starting to integrate its existing security products now, but it would also like to extend its offerings to address new areas such as data leakage -- a hot new area in the security field. "That's certainly an area where we're going to be investing," Palmer said.
Labels: Security Integration
Gotcha, Gotcha, Gotcha. Always forgetting something! Dynamic Security can handle all these problems. It is like having central locking in your automobile.
The 10 Most Overlooked Aspects of Security
NOVEMBER 29, 2006
Feel like you're forgetting something? Most likely, you are. Did you post a surveillance camera in your server room? Check the trash can for discarded disk drives that weren't wiped clean of sensitive data? Do a deep background check on that new database administrator you hired? Look into that new third-party security services offering? Encrypt the backup of the year-end financial data? Gulp. Maybe you're not quite ready for the holidays.
You'd better watch out. But don't cry, and don't pout, because you're not alone. Most organizations have at least a few security issues that have been lost in the shuffle, and it's not too late to give them some attention. So, with the help of Dark Reading's editorial advisory board, we've compiled this list of The 10 Most Overlooked Aspects of IT Security, along with the risks of skipping out on them, and some advice on how to attend to them.
Our research turned up a wide variety of opinions on these topics, many of which are environment-dependent, so we're giving you this list in no particular order. You decide which bases you've got covered -- and which ones need your attention.
Consider this our contribution to your holiday shopping list. Post 'em on your blog and the company intranet, pass them on to your colleagues and business partners, all in good cheer. There is still plenty of time to make your own list -- and check it twice.
(Editor's note: If there are other commonly forgotten security measures you've just remembered, we'd love to hear about them. Please send comments via the message board associated with this story, not by email. All postings are completely anonymous. Enjoy.)
— The Staff, Dark Reading
1. Physical security
When you review your IT security architecture, you probably don't consider your organization's physical security. But that can be a lethal oversight. "In order to truly achieve 'defense in depth,' we have to think physical security as well as information security. The best [logical] security can't prohibit a physical theft of a server if the computer room is not adequately protected," says Steve Delahunty, senior associate with Booz Allen Hamilton.
More often than not, the people who do IT security and the people who do physical security in large organizations don't work with one another. Many small- to mid-sized enterprise IT security groups may overlook physical issues altogether. It's not until a building break-in occurs that the two may even meet at all. "It's always somebody else's fault when there's a break-in in the building," says Steve Stasiukonis, vice president and founder of Secure Network Technologies, regarding IT security blaming facilities management and vice versa. But IT security should be on the same team as the facilities management group, he says.
In many organizations, physical security is often focused more on protecting copiers, printers, and fax machines from theft -- not servers or computer equipment, Stasiukonis says. "A lot of companies are allocating surveillance technology in the wrong places," he says, and not where intruders are more likely to gain access, such as the cargo landing where smokers take their breaks, or on the cafeteria patio. Leaving physical access to chance in these areas makes it that much easier for an attacker to simply walk in and make a network attack or other breach.
"A lot of attacks become much easier because of physical security weaknesses," says Sean Kelly, technology consultant for Consilium1, who does penetration testing for clients. "It makes things a lot easier if you can walk in the door. And you don't have to be a technical person to perform these breaches -- it opens the door to a wider pool of data thieves."
Social engineering is way too easy a ploy to get a foot in the door, experts say. Stasiukonis, who stages social engineering exploits for his clients to audit their security, recently duped employees at a credit union client's facility, posing as a copier repairman stopping by to "clean" the copier machine. "I busted into a credit union last week, wearing one of those copier company t-shirts," Stasiukonis says. "So I jacked in and grabbed the password and log-ins in clear text and then [used them] to break in from the outside, too."
Getting the IT and physical security teams together is crucial to thwarting social engineering attacks like these. But it's not easy to teach employees who to trust and who not to trust. "Social engineering is a huge issue no matter what level of organization you're in," Consilium1's Kelly says. "Security awareness training needs to stress more on auditing and procedures to identify people you're giving information to, and for questioning people without badges."
2. Proper disposal of devices, storage media, and sensitive documents
IT people hate dealing with trash. Attackers, on the other hand, love it. That should tell you something right there.
Each day, corporations dump tons of material on the curb, most of it useless landfill. But companies that don’t have strong policies on garbage disposal may be leaving bits of gold for hackers seeking passwords, customer information, or other sensitive data. And if they’re not careful, those organizations may just be throwing out the keys to their most valuable information.
One of the most frequently-overlooked treasures for attackers is the discarded hard drive. As companies upgrade their old machines, they often donate them to recycling centers, charities, or simply mark them as trash. But some IT departments are lax in their efforts to wipe those old hard drives clean, creating potentially damaging data leaks.
In a study published in August, researchers at the U.K.’s University of Glamorgan and Australia’s Edith Cowan University bought more than 300 hard drives in auctions and computer fairs all over the world. What they found was a surprising array of data that should have been erased long before the drives were sold or tossed. Some of the data included payroll information, employee names and photos, IP addresses, network information, mobile phone numbers, copies of invoices, and financial information such as bank and credit card accounts. (See Second-Hand Drives Yield First-Class Data.)
And the problem isn’t limited to hard drives. In a separate study also published in August, security firm Trust Digital made similar purchases of used cell phones and PDAs on eBay, and researchers were able to recover sensitive data on nine of ten devices in the study. “The file system on your cell phone or PDA is just like the one on your PC’s hard drive,” said Norm Laudermilch, CTO at Trust Digital. “If you delete a file, you’re not really overwriting the data. All it’s doing is changing the index of the file system, or the file’s pointers.” (See Study: Used Cell Phones, PDAs Contain Confidential Data.)
And companies shouldn’t overlook one of the oldest forms of stolen data: paper trash, experts say. Jim Stickley, CTO at penetration testing company TraceSecurity, says he has found a wealth of sensitive information -- including user identities and passwords -- simply by dumpster-diving on unshredded company trash. “Shred, shred, shred,” he says. (See 'Analog Hackers' Overlooked, Undetected.)
3. Background checks
A background check? When did it become necessary to do more than call references and verify past employment? It's easy and tempting to overlook the character issue when hiring employees, or even managing them over the long term. But as the strategic value and importance of IT has risen, so has the need to make sure those with the keys to the kingdom aren’t eavesdropping, stealing, or worse.
"It's become more the norm that companies screen all their employees," said Jason Morris, president of Background Information Services, Cleveland. "People quickly realized that IT is one of their biggest liabilities -- when employees take home data tapes, for example. So they may not screen low-level carpet sweepers, but if they have access to sensitive areas, employers screen."
In addition to verifying education and previous employment, Morris encourages making sure there are no unexplained gaps in a candidate's job history. Are they claiming MCSE or Cisco router certifications? Get it confirmed, he suggests. "Driver's records could also be a good measure of responsibility, as are credit reports." A basic check might include SSN verification, address history, and a search of county records for felonies and misdemeanors. Background research can get even more detailed (and expensive) with searches of sex offender databases, state and national archives, even international resources.
So how much should a company expect to spend on a background check? "It varies, but a good rule of thumb is one day's salary" for the position for which you're hiring, Morris says. "It can be a lot less too."
Doug Shields, president of Secure Networks, finds less value in sifting through official records and prefers to drill down more on what he calls "character issues." Shields, who worked at the CIA for nine years, is more interested in why a prospect left his last job, or if he was an Eagle scout, for example. "That may sound hokey, but it tells you something."
You can also learn about character issues by asking a candidate how they safeguard their own data. Do they use encryption on their personal laptop? Have they even set up a wireless LAN at home, and if so what security protocol did they use? The answers will tell you something about consistency and follow-through, Shields suggests.
And while screening before employment begins is great, it doesn't help much if you don't continue to keep tabs of some sort on employees. "If they go bad over time, you're not going to know about it" unless there's continued monitoring, Shields explains. "It doesn't matter what industry you're in. You have to make sure your stuff is secure and that people only have access to things they should have access to."
4. Getting control of the at-home user
Out of sight, out of mind. Many IT departments carefully watch their employees in the office, but they fail to monitor just what software their users are installing or what hardware (think thumb drives and iPods) they're plugging into their desktop or laptop machines at home -- or who else may have access to those machines.
The rash of laptop losses and thefts at major corporations and government agencies over the past year has red-flagged the problem of securing data when it leaves company premises. But what about the machines that sit in home offices where telecommuters work daily, or company executives work after-hours? And what happens when a user's home is broken into and his laptop or PC stolen?
"The problem companies face with home workers is that the security boundary with the Internet has been extended to hundreds, even thousands of remote locations," says Geoff Bennett, director of product marketing at StreamShield. "The odds of a weak point are multiplied exponentially."
Ironically, top execs can be the biggest weak links in the home-user chain. "The CEO and CFO want to store sensitive information locally on their laptops because they don't want to worry about VPNing in," says Consilium1's Kelly.
Few IT organizations have the means to restrict user-access when it's not on-site: Home users may leave their machines connected to the company network, or give passwords out to family or friends. And watch out for those technologically precocious kids in the house. "In one instance, a CEO’s kid got on his machine and renamed critical financial files. The firm was unable to do a planned stockholders' meeting as a result," says Rob Enderle, principal analyst with the Enderle Group. "End point security remains important especially if the equipment isn’t on premise."
Security assessments are rarely, if ever, done of the homes of these users, Enderle says. And now, as home users increasingly become the targets of phishing attacks and botnet attacks, the company-issued laptop and the user's home PC with VPN access can leave the corporate network at risk. "If their machine has turned into a zombie and has access through a VPN to the corporation, the corporation is clearly exposed," Enderle says. Most zombie infections use keylogging, which captures password information.
And a zombie PC also becomes a spam pipeline, says StreamShield's Bennett, which can wreak havoc since most corporate email systems are configured to filter inbound, not outbound, spam. "The assumption is that one's own employees are not likely to send spam. But a compromised PC will act as a spam relay," he says, which could result in the company's legitimate email being blacklisted by other organizations.
One way to lock down home users is to eliminate VPN access and instead use biometric, multi-factor authentication to email and "the most limited set of resources needed to do the job," Enderle says. A home security audit is also helpful, as well as training home users how to best protect their computer and the company network. "And the computer accessing the corporate resources should remain administered and patched, and protected to a degree sufficient for the level of access the remote employee has."
5. Taking advantage of built-in security functions
Security is big business these days, and hardware vendors know it. As a result, many hardware vendors have begun to build security features directly into their devices, giving them out-of-the-box capabilities that are often unexplored or overlooked.
One of the best examples of this phenomenon is the Trusted Computing Group’s Trusted Platform Module (TPM) 1.2, a set of specifications that enables vendors to add a "security chip" microprocessor to any PC. TPM 1.1 chips made by vendors such as Atmel, Broadcom, and Infineon have become standard issue on most PC hardware, but PCs that use TPM 1.2 only began shipping in the first half of this year.
Companies that have begun using TPM packages, such as Wave Systems’ Embassy Trust Suite 5.1, are giving it a thumbs up. "Using TPM and Embassy Trust Suite has made a huge difference in the way we administer security," says Chris Cahalin, network manager at Papa Gino's, which operates some 400 restaurants throughout New England. "It's not only made our client machines and files more secure, but it's given us a lot more control in IT."
ETS 5.1 is a set of security tools and applications that leverage TPM chips to encrypt files, folders, and passwords on a laptop or PC, leaving the key only in the hands of the end user and the IT department. The keys can be given out in the form of smart cards, or the user can be authenticated via biometrics or digital certificate. The net result is that users of TPM 1.2 and ETS 1.1 can lock their hard drives, folders, and files via an encryption key that can only be decrypted by the authorized user. A thief can't read any of the files on a stolen TPM laptop, and even users inside the company can be locked out of sensitive files on any end station.
Although most new PCs have TPM, many enterprises have yet to turn on their functionality, concedes Steven Sprague, president and CEO of Wave Systems. "I would encourage every enterprise to take a few of their new PCs into the lab, turn on this technology, and see what it can do," he says. "It'll change the way they look at end-user security."
Most experts see TPM as a boon for enterprises because it is a standard that works uniformly across vendors and PC models. But they are more wary of proprietary built-in security capabilities that are now being added to consumer-oriented machines.
Over the last few weeks, PC hardware vendors have been rolling out security technology at a rapid rate. On Nov. 1, Hitachi Global Storage Technologies announced that it will offer optional hardware encryption on all of its new 2.5-inch disk drives, which are expected to ship at a rate of a million units per quarter in early 2007. That announcement came on the heels of new drives from Seagate Technology, which will not only offer hard drive encryption but also multi-factor authentication options that would make it impossible for unauthorized users to access any data on the hard drive. (See Dark Reading)
Labels: IT Security, Security, Security Integration
Made4biz Security
Translating real-world security knowhow into state of the art security systems.