<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

    <channel>
    
    <title>BestNetworkSecurity Articles</title>
    <link>http://bestnetworksecurity.com/index.php</link>
    <description />
    <dc:language>en</dc:language>
    <dc:creator>jamila@primeoutsourcing.com</dc:creator>
    <dc:rights>Copyright 2009</dc:rights>
    <dc:date>2009-10-27T14:56:22+00:00</dc:date>
    <admin:generatorAgent rdf:resource="http://expressionengine.com/" />
    

    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/bestnetworksecurity" type="application/rss+xml" /><feedburner:emailServiceId>bestnetworksecurity</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
      <title>Hard Drive Recovery</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/p7874yskOmQ/hard-drive-recovery</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/hard-drive-recovery</guid>
      <description>Your computer has become the single most important appliance in your home.  You use it for everything from playing games to playing music, watching movies and tracking your finances. Think of all the data that is stored on your computer and then consider what would happen if you lost it. That’s why qualified hard drive recovery is such an essential service.

	The hard drive in your computer is one of the most failure prone components, yet it holds all of your critical data: your financial info, your music files and digital photos. What would you do if your hard drive died?

	If you hear clicking noises, there is a very good chance that the read/write heads of your hard drive have failed. Hard drive repair is possible, but power the machine off and take it straight to a company that specializes in hard drive recovery: continuing to run a damaged drive may make the data loss permanent. Even if you have lost data through accidental deletion or a virus, there is a good chance it can be recovered if the computer is taken to a specialist.</description>
      <dc:subject>Security and Configuration Management</dc:subject>
      <dc:date>2008-10-27T21:27:19+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/hard-drive-recovery</feedburner:origLink></item>

    <item>
      <title>What’s new in Small Business Solutions 4.0</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/n0qx9y7AFkQ/whats-new-in-small-business-solutions-4.0</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/whats-new-in-small-business-solutions-4.0</guid>
      <description>Sophos Small Business Solutions 4.0 still comes in three editions, all of which incorporate a number of innovations that help small businesses solve both their malware and data protection problems. This release includes enhanced security features, integrated data loss prevention features and a new Sophos Control Center that makes managing protection across Windows and Mac computers even easier.


	Key new features

	Improved ease of use

		New event dashboard panel lets the administrator see exceptional levels of recent event activity at a glance and gives an up-to-date view of security status, with improved reporting
		New firewall configuration wizard to simplify policy setting, with the ability to run in alert-only mode before deploying a new policy
		Built-in third-party software removal automates the removal of the old anti-virus solution
		New Sophos Update Manager, integrated into the Sophos Control Center, for faster deployment of all Sophos updates

	Enhanced Single Agent

		Single endpoint agent now includes the firewall along with AV, HIPS, application control and device control
		New-look agent interface, designed to support the wide range of capabilities the single agent now delivers

	Enhanced Zero-day Threat Detection

		Host Intrusion Prevention (HIPS) technology uses four layers of integrated detection to stop zero-day threats without the need for complex configuration
		Safer web browsing: the new Internet Explorer plug-in blocks web-based script attacks within the browser
		Extended Client Firewall provides location awareness, allowing different configurations for different locations

	Integrated Application Control

		The single endpoint agent further controls the risk of malware infection and data loss by detecting unauthorised use of controlled applications such as VoIP, IM, P2P and games
		The administrator simply sets a block or allow policy in Sophos Control Center, depending on productivity or security concerns
		The Sophos approach to application control simplifies administration, updating and maintenance: Sophos supplies and maintains the application detections, so administrators do not have to create them or keep them accurate as vendors frequently update and patch their applications

	Granular Device Control

		Flexible control of removable storage devices, allowing authorisation of specific devices, enforcement of encrypted devices or just read-only access
		Control over modems, including 3G modems
		Prevention of network bridging by turning off the wireless interface when the endpoint is connected to the company network via Ethernet

	Data protection with SafeGuard encryption

		Protects data on mobile devices and in email with Sophos SafeGuard PrivateCrypto and PrivateDisk encryption technology
		Prevents unauthorised viewing of files, securely wipes data on deletion and allows secure data exchange with any partner, even without a shared IT infrastructure

	Upgrading to the new release

	What’s included?

	Sophos Security Suite SBE / Sophos Computer Security SBE

		Expert 24 support direct from Sophos
		Sophos Control Center 4.0
		SAV for Mac 7.x
		SafeGuard PrivateCrypto
		Sophos Anti-Virus for Windows, version 4.7 (Windows 98 SE/Me)
		Endpoint Security and Control (SAV) for Windows, version 9 (Windows 2000/XP/2003/Vista/7)
		Integrated Application Control
		Granular Device Control
		Sophos Client Firewall
		SafeGuard PrivateDisk
		PureMessage for Windows/Exchange, version 3.0

	Sophos Anti-Virus SBE

		Expert 24 support direct from Sophos
		Sophos Control Center 4.0
		SAV for Mac 7.x
		SafeGuard PrivateCrypto
		Sophos Anti-Virus for Windows, version 4.7 (Windows 98 SE/Me)
		Endpoint Security and Control (SAV) for Windows, version 9 (Windows 2000/XP/2003/Vista/7)
		Integrated Application Control

	How much does it cost?

	All existing customers of Sophos Small Business Solutions are entitled to receive version 4.0 under the terms of their current license agreement, at no additional cost.

	You may wish to purchase an upgrade to a different edition; some of the advantages are outlined in the table below. For more information, please contact your local Sophos Partner or representative.

	Where can you download it?

	An upgrade guide is available to help you through the upgrading process. It sets out the steps you need to take to prepare for and then carry out the upgrade. When upgrading you can keep your existing policy settings, and the endpoint agent changes version automatically.

	You can download the latest software and the upgrade guide from the downloads section on Sophos.com at https://secure.sophos.com/support/updates/. To access this download you will need to log in with your MySophos account.

	Try Sophos SBE free for 30 days

		Download Sophos Security Suite SBE 4.0
		Download Sophos Computer Security SBE 4.0
		Download Sophos Anti-Virus SBE 4.0

	or order online now.</description>
      <dc:subject>Sophos, Sophos Small Business Solutions, Sophos Anti-Virus SBE 4.0, Sophos Computer Security, Sophos Security Suite</dc:subject>
      <dc:date>2009-10-27T14:56:22+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/whats-new-in-small-business-solutions-4.0</feedburner:origLink></item>

    <item>
      <title>Endpoint Security and Control 9.0 Released</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/juMko2HlBUk/endpoint-security-and-control-9.0</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/endpoint-security-and-control-9.0</guid>
      <description>New integrated data loss prevention capabilities, improved management features in Sophos Enterprise Console and enhanced firewall usability are the focus of this release.


	Integrated Data Loss Prevention

		Fully integrated content monitoring for storage devices and applications, to control the transfer of sensitive data and minimize an organization’s risk of breaching data security compliance legislation
		Supported by an extensive library of global sensitive data definitions, supplied and updated by SophosLabs, which reduces the IT burden of manually creating and maintaining lists

	Granular Device Control

		Flexible control of removable storage devices, allowing authorization of specific devices, enforcement of encrypted devices or just read-only access
		Control over modems, including 3G modems
		Prevention of network bridging by turning off the wireless interface when the endpoint is connected to the company network via Ethernet

	Improved Reporting

		New reporting wizard that makes it straightforward for administrators to create and customize reports, which can be scheduled with results emailed to selected recipients
		Increased number of reports to address compliance reporting requirements
		User-based reporting for control policies (firewall, application, device and data control)

	Enhanced Agent

		Single endpoint agent now includes the firewall along with AV, HIPS, application control, device control and data control
		New-look agent interface, designed to support the wide range of capabilities the single agent now delivers

	Extended Client Firewall

		Location awareness, allowing different configurations for different locations
		New configuration wizard to simplify policy setting, with the ability to run in alert-only mode before deploying a new policy

	Simplified Updating

		New Sophos Update Manager, integrated into the Enterprise Console, for faster deployment of all Sophos updates

	Broadened Compliance

		Java-based dissolvable compliance agent that does not require administrator or power-user privileges to run
		New pre-defined assessment for Sophos encryption to check compliance with policy</description>
      <dc:subject>Sophos, Sophos Enterprise Security and Control, Sophos Endpoint Security and Control</dc:subject>
      <dc:date>2009-10-26T18:17:10+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/endpoint-security-and-control-9.0</feedburner:origLink></item>

    <item>
      <title>My Sophos Clients Aren’t Updating</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/CMh_vty8wik/my-sophos-clients-arent-updating</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/my-sophos-clients-arent-updating</guid>
      <description>Here is a list of items to check if you are having issues updating clients.


 	My Sophos clients aren’t updating:

	
		Make sure the user name and password that Enterprise Manager uses to connect to Sophos are correct
		Attempt to download packages and check the message log for any problems
		Check that the update policy on the primary server is correct and that its credentials are correct
		Change the log level to verbose to investigate further on the desktop
		Check that the Sophos Sweep directory is shared
		Make sure RouterNT.exe is running
		Telnet to ports 8192-8194 on the desktop. You should be able to connect without errors; these are the ports RMS (Remote Management System) uses. You should receive an IOR response on 8192 and nothing on 8193 and 8194
		Make sure the server is listening on the right interface: netstat -na | find "819"
		Make sure workstations are reporting to that interface: look in mrinit.conf (in the central installation directory) at the ParentRouterAddress variable
		Check for packet loss that may be causing problems (the 2 repeats the counters every two seconds): netstat -s 2 | find "Segments Retransmitted"
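
	A script that runs the last few checks together, as an added example that is not part of the original article and not a Sophos tool: it reads ParentRouterAddress out of mrinit.conf, then connects to the RMS ports and applies the rule above (an IOR on 8192, silence on 8193 and 8194; a stringified CORBA IOR always begins with IOR:). The mrinit.conf excerpt is constructed, the comma-separated address list is an assumption, and demo() stands up throw-away local listeners so the script runs without a Sophos server.

```python
import re
import socket
import threading

# Constructed excerpt of an mrinit.conf. Assumption: only the ParentRouterAddress
# key is taken from the article; the section name and the comma-separated list
# of candidate addresses are illustrative.
SAMPLE_MRINIT_CONF = """\
[Config]
ParentRouterAddress=sophos-srv.corp.example,10.1.2.3
"""


def parse_parent_router(conf_text):
    """Return the host candidates named by ParentRouterAddress (assumed comma-separated)."""
    m = re.search(r"^\s*ParentRouterAddress\s*=\s*(.+?)\s*$",
                  conf_text, re.IGNORECASE | re.MULTILINE)
    if m is None:
        return []
    return [h.strip() for h in m.group(1).split(",") if h.strip()]


def probe_port(host, port, timeout=3.0):
    """TCP-connect to host:port. Returns ('closed', error) if the connect fails,
    otherwise ('open', banner) where banner is whatever the peer sent unprompted
    (empty if it sent nothing within the timeout or closed silently)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""
        return ("open", data.decode("ascii", "replace"))
    except OSError as exc:
        return ("closed", str(exc))


def check_rms(host, ior_port=8192, silent_ports=(8193, 8194), timeout=3.0):
    """Apply the article's rule: the IOR port must answer with a stringified CORBA
    IOR (which always starts with 'IOR:'); the other RMS ports must accept the
    connection but send nothing. Returns {port: (ok, state, banner_prefix)}."""
    results = {}
    state, banner = probe_port(host, ior_port, timeout)
    results[ior_port] = (state == "open" and banner.startswith("IOR:"), state, banner[:40])
    for port in silent_ports:
        state, banner = probe_port(host, port, timeout)
        results[port] = (state == "open" and banner == "", state, banner[:40])
    return results


def start_fake_listener(banner):
    """Constructed stand-in for an RMS endpoint on an ephemeral localhost port:
    accepts one connection, sends the banner (possibly empty) and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Run check_rms against local stand-ins instead of a real Sophos desktop."""
    ior_port = start_fake_listener(b"IOR:010000001d00000049444c3a...")  # constructed IOR prefix
    silent_port = start_fake_listener(b"")
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more, so this port must come back 'closed'
    return check_rms("127.0.0.1", ior_port, (silent_port, dead_port), timeout=2.0)


if __name__ == "__main__":
    for host in parse_parent_router(SAMPLE_MRINIT_CONF):
        print("workstations report to", host)
    for port, (ok, state, banner) in demo().items():
        print(port, "OK" if ok else "PROBLEM", state, repr(banner))
```

	To use it for real, call check_rms with the desktop's address (or, from a workstation, with the hosts returned by parse_parent_router over the real mrinit.conf) and the default ports; a 'closed' on 8192 with RouterNT.exe running usually means the service is bound to the wrong interface, which is what the netstat -na check above confirms.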
	

	Sophos includes 24×7 support with every license. If you need assistance, call 888-SOPHOS9.</description>
      <dc:subject>Sophos, Endpoint Security</dc:subject>
      <dc:date>2009-08-20T18:27:37+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/my-sophos-clients-arent-updating</feedburner:origLink></item>

    <item>
      <title>How Xyloc Works</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/Sn9ArnAL3iE/how-xyloc-works</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/how-xyloc-works</guid>
      <description>XyLoc is the only information security solution that continues to protect the computer and the network after a user has logged on.


 	The XyLoc system consists of a radio transceiver “Lock” that plugs in to the USB port of the computer, and a discrete wireless radio transmitter “badge” or “Key” worn by the user. Using radio frequency to communicate, the Lock and Key determine a user’s identity and location relative to the computer.

	When a user wearing a XyLoc badge approaches the workstation, the badge transmits a unique, secure code. The XyLoc Lock receives this code and passes on the processed information to the XyLoc software. If authorized, the user can access their standard Windows logon process. If the system also has XyLoc’s Application Integration enabled, or an integrated ESSO solution, XyLoc will pass the user’s stored User IDs and Passwords to his/her applications, eliminating the need to enter the credentials manually.  

	When the user moves outside of a pre-programmed distance from the PC, XyLoc immediately secures the computer and any open applications, restoring them as soon as the authorized user returns to the workstation.</description>
      <dc:subject>Ensure Technologies, Xyloc</dc:subject>
      <dc:date>2009-03-06T18:44:32+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/how-xyloc-works</feedburner:origLink></item>

    <item>
      <title>Common Issues in the Healthcare Environment</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/Pi7mzTCwiwY/common-issues-in-the-healthcare-environment</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/common-issues-in-the-healthcare-environment</guid>
      <description>XyLoc is a comprehensive and scalable solution that delivers convenient security when it’s needed most—after logon, whenever the user steps away from the workstation.


 	Common Issues in the Healthcare Environment: 

	
	We need faster and more convenient access to records on our shared workstations. 
		Our workstations are located in non-secured public areas and can be viewed and possibly accessed by unauthorized individuals. 
		Our current system secures the log-on process, but leaves the system vulnerable if the user does not lock the screen or log-off the workstation when leaving the area.   
	

	XyLoc is the solution to these issues: 

	
		XyLoc is the most convenient solution, providing walk-up recognition of the user.
		XyLoc is integrated with the top ESSO solutions (including Imprivata and Citrix XenApp Password Manager) and is compatible with other authentication methods, such as biometrics, for strong authentication.
		XyLoc’s patented technology is the only solution that provides walk-away security.
		XyLoc provides an audit log of who accessed the workstation and when.</description>
      <dc:subject>Ensure Technologies, Xyloc</dc:subject>
      <dc:date>2009-03-06T18:43:45+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/common-issues-in-the-healthcare-environment</feedburner:origLink></item>

    <item>
      <title>Addressing Encrypted Security Threats Inside SSL</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/pOKVPuwcKG8/addressing-encrypted-security-threats-inside-ssl</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/addressing-encrypted-security-threats-inside-ssl</guid>
      <description>Web applications (and their derivatives: IM, P2P, Web Services) continue to make up the overwhelming majority of new applications deployed across today’s distributed enterprises. Much of the new growth in Web application development is focused on business-critical applications. Furthermore, many of these applications and related components are hosted by third parties or accessed over public infrastructure. Not surprisingly, the criticality and confidentiality of Internet-accessible applications have led organizations to rely more heavily on SSL encryption.


	SSL encryption was designed to create a trusted class of Web traffic: when the padlock shows up in a browser, the traffic is deemed “secure.” This confidentiality has let businesses and consumers rely on “anywhere, anytime, any user” encrypted connections, driving tremendous commercial use of the Web. There is, however, a downside: the encryption that keeps prying eyes off SSL traffic also makes it nearly impossible to see, understand or manage that traffic. Indeed, in most organizations port 443 (the well-known port for HTTPS) is not scrutinized at all; traffic flows freely and blindly in and out of the enterprise. This raises three sets of issues: first, IT has no control over this traffic; second, IT has no way to protect itself from threats carried inside the encrypted stream; and third, IT cannot prioritize and accelerate encrypted traffic, some of which may be mission-critical.

	Most SSL traffic is, of course, benign and provides no threat to the organization.  Further, much of it is key business traffic to business partners or to outsourced application providers.  One example is salesforce.com, the online CRM provider, where all data is transferred using SSL technology.

	On the other hand, users can use SSL to circumvent the usual policy controls. They can use SSL-encrypted web email services (such as Yahoo! Mail) to send out confidential information. They can set up an SSL tunnel between the organization and their own home PC to transfer information, and users have been known to use SSL to browse for inappropriate content on the web. Newer spyware uses SSL both to slip past controls on the way into the organization and to send the information it has harvested out to its control points. And the worst attacks on individual users are often phishing attacks, where the user is fooled into entering private information on a bogus site; these sites are very often served over SSL, because the padlock helps the user feel confident that this is a legitimate banking or finance site.

	If an organization were to adopt a solution to resolve these issues, it would need to understand native SSL traffic flowing to external applications, be operationally affordable, not impede business (neither performance nor privacy), and be extensible and adaptable.

	Unfortunately, most of the technology built to resolve these issues for unencrypted traffic has proved inadequate here: none of it can “see” encrypted traffic. While SSL offload or SSL VPN technologies help organizations manage SSL traffic for applications they control, there has not been a practical solution for “inside-out SSL.” In other words, traditional security and networking products cannot effectively protect users inside the corporate network when they access applications and information outside it (e.g., Salesforce.com, employee benefits providers and the wide variety of non-business applications employees use).

	IT organizations can overcome these limitations with intelligent proxy appliances that terminate inbound and outbound encrypted traffic, giving unprecedented visibility into, and context for, the encrypted content. The proxy then re-initiates the session to the destination according to the policies IT has set. In practice this means the proxy presents the client a certificate it generates on the fly, signed by an internal CA that the managed endpoints have been configured to trust, and the proxy itself must validate the origin server’s certificate, since the browser no longer sees it. Termination at a proxy is the only way a network device can gain visibility and control of SSL communications. It provides a critical control point for protection (against viruses, worms, spyware and phishing), policy (managing the who, what, where, when and how of user/application interaction) and performance (caching, compressing and prioritizing traffic).

	Lastly, organizations have to be responsible about the use of this technology and respect the privacy of the individual. The devices need to establish the context of an SSL session before deciding whether to intercept the data stream. If you trust a certain site or type of site, there is no need to intercept it: data to and from salesforce.com, for instance, or known banking and shopping sites (as defined by URL-filtering categorization) can be left alone. An organization may allow users to reach web-based email from work, but that traffic should be intercepted, and before any inspection takes place the user should be shown a message explaining that the data is about to be checked, for their own good and the good of the organization, with the option to cancel the request. The most dangerous SSL transactions are those to unknown destinations, such as a newly created phishing site or a plain IP address with no reputation, and the organization’s efforts should be focused on those.
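
	The decision logic just described, as an added example that is not part of the original article and is not Blue Coat’s policy language: it takes the destination host a client asked the proxy to CONNECT to, treats a bare IP literal as the highest-risk case, passes trusted categories through undecrypted, marks web mail for interception after a user notice, and intercepts everything unknown. The category table, category names and action names are constructed for the illustration; a real proxy would look the host up in its URL-filtering database.

```python
import ipaddress

# Constructed stand-in for the proxy's URL-filtering category database.
# Assumption: category names and entries are illustrative, not a vendor's.
CATEGORY_DB = {
    "salesforce.com": "business-saas",
    "www.mybank.example": "financial",
    "shop.example": "shopping",
    "mail.yahoo.com": "webmail",
    "login.yahoo.com": "webmail",
}

TRUSTED_CATEGORIES = {"business-saas", "financial", "shopping"}  # never decrypted
NOTIFY_CATEGORIES = {"webmail"}  # decrypted, but the user is told first and may cancel

BYPASS, INTERCEPT, INTERCEPT_NOTIFY = "BYPASS", "INTERCEPT", "INTERCEPT_NOTIFY"


def categorise(host):
    """Longest-suffix match on whole DNS labels, so eu.salesforce.com inherits the
    salesforce.com entry while the look-alike notsalesforce.com does not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category is not None:
            return category
    return None


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address (the IPv6 form may be bracketed)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def ssl_policy(host):
    """Decide what the proxy does with a CONNECT to host:443.
    Returns (action, reason). The host would normally be taken from the CONNECT
    request line or from the TLS SNI in the client hello."""
    if is_ip_literal(host):
        return (INTERCEPT, "bare IP address, no reputation: highest scrutiny")
    category = categorise(host)
    if category in TRUSTED_CATEGORIES:
        return (BYPASS, "trusted category %s: passed through undecrypted" % category)
    if category in NOTIFY_CATEGORIES:
        return (INTERCEPT_NOTIFY,
                "%s allowed, but inspected after a notice the user may cancel" % category)
    return (INTERCEPT, "unknown destination: decrypt and inspect for phishing and malware")


def show(hosts):
    """Tabulate the decision for a list of hosts; returns (host, action, reason) rows."""
    return [(h,) + ssl_policy(h) for h in hosts]


if __name__ == "__main__":
    sample_hosts = ["eu.salesforce.com", "mail.yahoo.com", "203.0.113.7",
                    "[2001:db8::1]", "new-phish.example", "notsalesforce.com"]  # constructed
    for host, action, reason in show(sample_hosts):
        print("%-20s %-17s %s" % (host, action, reason))
```

	Matching on whole labels is what stops a look-alike domain from inheriting the trust of the brand it imitates; and a bypass decision only removes the proxy from the path, so for every session it does intercept the proxy still has to validate the origin certificate itself.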
</description>
      <dc:subject>Blue Coat, Blue Coat ProxySG Appliances</dc:subject>
      <dc:date>2009-03-06T17:42:59+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/addressing-encrypted-security-threats-inside-ssl</feedburner:origLink></item>

    <item>
      <title>Email Archiving - To stub or not to stub?</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/qj_p_vHpZ24/email-archiving-to-stub-or-not-to-stub</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/email-archiving-to-stub-or-not-to-stub</guid>
      <description>Most companies have never considered the impact that a single untraceable email can have on an organization or on an individual’s career. With so much information contained in email, it is not surprising that industries and governments are insisting that all email be retained for legal and compliance reasons. Not only that: a proper email archiving setup also solves major problems for systems administrators.


 	Over time stub files will impact negatively on Exchange Server performance.

	A survey carried out by GFI Software showed that just over 51% of SMBs do not archive corporate email with 33% using their email client and PST files to store email correspondence. This approach to email archiving creates massive problems for administrators who need to search through PST files on individual workstations for emails while the unreliability of PST files can prove to be a serious legal liability.

	The task of managing email is often split between the system administrator and the end user; relying on end users to back up corporate email, however, is risky to say the least. The optimum solution, which gives the administrator full control over corporate email management while allowing users to keep and access old or deleted emails, is to use email archiving.

	There are a number of archiving technologies in use today and solutions that integrate with Microsoft Exchange Server and the Outlook client predominantly use stub files to archive their emails. According to an August 2008 paper from Microsoft, the use of stubs does not, however, really avoid the problems that stubbing was meant to prevent.

	The use of stub files may address one’s email archiving needs but it also creates thousands of small stub messages that affect both Exchange Server’s storage capabilities and overall performance. Using Exchange’s journaling feature, however, not only eliminates the need for stub files but it also improves performance. This white paper examines these two types of archiving technology and explains why IT administrators should stop using stub files to archive email.

	“Over time, an archiving solution working on hundreds of mailboxes will create thousands of small stub messages. Each of these stub messages may be between 2 and 15 kilobytes and still amounts to a performance hit, since item count is the primary performance driver for the Exchange store rather than aggregate size,” GFI states in a white paper being released today.

	To download a copy of the white paper, please visit http://www.gfi.com/whitepapers/stubbingwp.pdf

	For information on GFI’s email archiving and email management software, GFI MailArchiver, visit http://www.gfi.com/mailarchiver/</description>
      <dc:subject />
      <dc:date>2009-02-18T19:25:04+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/email-archiving-to-stub-or-not-to-stub</feedburner:origLink></item>

    <item>
      <title>Web 2.0: Open Season for the Attackers?</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/TC9ZKpShUSY/web-2.0-open-season-for-the-attackers</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/web-2.0-open-season-for-the-attackers</guid>
      <description>The Web is quickly becoming a participatory medium—users contributing, communing, and building. The downside of this ubiquitous user participation is a new slew of security threats many IT professionals have yet to fully grasp.


	For a number of years, the Web was a relatively one-dimensional experience characterized by the delivery of static HTML pages in a one-way client-server environment, with little direct user involvement. The security threats were and are real. But Web 2.0 is a different animal: a participatory client-server environment of P2P networking, AJAX-generated applications, social networking, bookmarking, media-sharing sites, blogs, wikis and RSS feeds, a world largely outside the IT department’s control.

	The boundary between the trusted network and the Internet is quickly disappearing, leaving the corporate enterprise open to a new generation of threats that make the previous generation’s seem benign. Take email. Several years ago, SMTP was the main vector for viruses and other malicious content. In Web 2.0, SMTP is no longer the carrier for the malicious payload. Instead, email only directs the unsuspecting user to a web site, where the more dynamic HTTP can be exploited for nefarious purposes.

	Today, many malicious attacks target the browser. Among other techniques, attackers can now manipulate the DNS protocol to mask a malicious website as legitimate in order to gain access to the corporate network via the user’s browser and virtually any information the user can access. A chilling possibility.

	Web 2.0 is by definition dynamic, social, and collaborative. Users supply the data that make many Web 2.0 applications and services what they are—Google Earth works because users interact with it, MySpace is only as great as the sum of its members, del.icio.us functions because users share their bookmarks, the Blogosphere because users blog. It is this very collaboration and openness that attackers thrive on. Users today share information in multiple venues—email was once the venue.

	In this open environment monitoring for corporate data leakage and unwanted content becomes a Herculean task. The danger has increased in orders of magnitude. An email leaking corporate information has a limited reach and shelf-life (delete it and it’s gone). But sensitive data leaked into the blogosphere has the potential to do significant, long-term damage. Blogs are stored in searchable archives. Redirects to thousands of websites put data at the fingertips of anyone interested in the information.

	As always, the challenge is balancing user expectations with corporate security. Users demand unfettered connectivity—email, IM, and video conferencing—and access to Web-based applications. More and more companies are outsourcing their mission-critical data (e.g. CRM systems) to web-based hosting infrastructures. These applications enable organizations to reduce IT administration costs and headaches associated with traditional, locally-hosted applications. But hackers have been quick to exploit vulnerabilities in Web applications.

	For example, Web 2.0 has been especially good to phishing attackers. Phishing sites built using Rich Internet Applications (RIAs) appear so legitimate that even seasoned users and early-generation security solutions are fooled. Nomadic attack patterns make it almost impossible to track down the attackers. (Interestingly, more than half of all known phishing sites were located in the U.S.)

	Legitimate stand-alone RIAs are powerful because they offload most of the processing to the client machine via a client engine that acts as an extension of the user’s browser. This client executable can be used as a vector for malicious code. RIAs that use ActiveX plug-ins, a common RIA technique, are especially vulnerable to attack. (Eighty-nine percent of browser plug-in vulnerabilities disclosed by Symantec in the first half of 2007 affected ActiveX plug-ins in Internet Explorer.)

	Legitimate websites aren’t safe anymore either. Attackers can (and do) embed executable XML malware on popular sites—last year, computer experts found virus code embedded in MySpace pages. Streaming video is the next vector of choice. Imagine the effect of a Trojan horse embedded in one of YouTube’s featured videos which, potentially, millions of unsuspecting users would view.

	The long-running Storm Trojan horse, which has infected user machines via SMTP, has made the jump to HTTP. Storm’s backers infected the website of the Republican Party in the 1st Congressional District of Wisconsin. Fortunately, the site’s owners were able to remove the dangerous code within a few hours. Security experts estimate that as many as two million machines are part of the Storm botnet; its tentacles could reach into the tens of millions with the move to the Web. Blanket blocking of legitimate sites is not the solution; arguably some of these sites fulfill legitimate business functions for some users. SSL-encrypted websites also pose a threat. Most web security solutions don’t inspect the SSL tunnel, which carries the encrypted data point-to-point, making SSL an effective vector for stealing data. Attackers also set up SSL-enabled web servers to appear legitimate to phishing victims. When the user receives an email and clicks through to what he believes to be his banking site, the familiar lock within his web browser gives him a false sense of security.

	SSL is also an effective way of getting bots and Trojans past a corporate firewall and onto the trusted network. Once a bot is installed, it joins a botnet that uses similar SSL sessions to leak sensitive data and other valuable content out of the corporate network. Most content filters and other security products fail to identify these attacks as they occur because they can’t view the encrypted data, so these sessions are allowed in and out of the network.

	What can security professionals do to protect their enterprises?

	First they must have the ability to scan legitimate websites in real-time for executable viruses and other malware. Blanket blocking is not the answer—many legitimate web-based business applications use executables to enrich the user experience. Security professionals must also be able to establish both broad and granular user-based policy controls over P2P applications such as IM and Skype, without hindering user productivity and application performance.

	An understanding of today’s phishing techniques is also essential. Users should be blocked from posting data to high-risk sites and sites with invalid SSL certificates. Finally, IT pros should exercise broad protocol control over RTSP, MMS, IM, SSL, and P2P applications so threats can be identified and blocked. Some of the more comprehensive web security solutions offer this level of functionality along with basic messaging, anti-virus and anti-spam filters. The key is to ensure a seamless, unfettered user experience. It’s a tall order, but not an impossible one.

	Enterprise security threats have evolved

	
Web 1.0 | Web 2.0
Primitive phishing attacks | Evolved phishing attacks; RIAs and other techniques “legitimize” phishing sites
Email-borne viruses | Email for social engineering, not malicious payload
Corporate data leakage via email | Corporate data leakage on blogs, social networking sites, etc.
Website defacements (“Hacktivism”) | Website infections (malware inserted into XML tags for financial gain)
“Clear text” malware | Malware “hidden” within SSL-encrypted traffic</description>
      <dc:subject>Anti-Spam, Anti-Virus, Email Security, Endpoint Security</dc:subject>
      <dc:date>2009-02-18T18:32:19+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/web-2.0-open-season-for-the-attackers</feedburner:origLink></item>

    <item>
      <title>Anti-Phishing and WebFilter Real-time Rating Service</title>
      <link>http://feedproxy.google.com/~r/bestnetworksecurity/~3/oQKp5oZYwrU/anti-phishing-and-webfilter-real-time-rating-service</link>
      <guid isPermaLink="false">http://www.bestnetworksecurity.com/articles/anti-phishing-and-webfilter-real-time-rating-service</guid>
      <description>Phishing is an aptly named exploit that shares some elements with the similar-sounding sporting activity. Both require a combination of expert casting and convincing bait. For phishers, casting is equivalent to a legitimate-looking email or Web domain; the next step is to get the consumer/victim to click on the link, that is, to take the bait.


 	The email needs to look like it is from a trusted Web site. If the email is convincing enough, the consumer will click on the link, which leads them to a Web site where they will likely be tricked into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers.

	The more popular form of phishing is the Web-based phishing attack. No emails are involved in these phishing attacks, as spam filters are getting better at catching them. A Web domain phishing attack occurs when a user mistypes a common Web domain, for example a bank domain, an online shopping site domain and many others. Once a Web surfer mistypes their favorite Web site domain, they could be taken to an infected site. Attackers know that compromising sites with generally good reputations, coupled with more effective and targeted email lures, can increase the success rate of attacks. The typo phishing attack and open hacking of popular sites to funnel users into a phishing site are more common today.

	Phishing is all about getting the user to provide access credentials, identity information, or financial credentials by leveraging the trust model of a known brand. Times have changed: people are getting smarter about these tricks, and attacks have moved to key loggers loaded onto user PCs via browse-by installs from infected popular Web sites. Collecting valuable user information started out with phishing tricks that got the user to type it into a phony Web form or site. Now the attacks have gone stealth: the user does not even know that malware was loaded onto their system when they visited a popular infected Web site, and that it has logged keystrokes and sent a file back to the “dark side”.

	According to industry researchers, the average loss from phishing is now over $3,000 per incident and the total damages suffered by users victimized by phishing are well over $1 billion per year. Banking and retail sites, including Amazon.com, eBay and PayPal, have been some of the most popular for criminals to impersonate with counterfeit sites using phishing schemes. Social networking sites, such as MySpace and Facebook, are also key targets for ‘social phishing’, since personal details included within such sites can be used in identity theft. Experiments show a success rate of over 70% for phishing attacks on social networks. Many phishers will try to get around anti-phishing solutions by using SSL encryption.

	The Blue Coat Real-Time Anti-Phishing protection technology assesses the Web page being requested using Blue Coat WebFilter and Dynamic Real Time Rating (DRTR). Blue Coat WebFilter runs on current ProxySG appliances and uses Dynamic Real Time Rating technology to keep up with the ever-changing Internet and phishing sites. DRTR is based on patented technology that can categorize new, unfamiliar Web sites “on the fly” as they are being requested and then block or allow users’ access according to the rating DRTR assigns and in accordance with the organization’s or user’s policies.

	If the page is not found in the Blue Coat WebFilter database, a query is sent to Blue Coat Labs, where the Web page is analyzed automatically in real time. Because these phishing Web sites are only up for a short time, ranging from minutes to hours, it’s hard for most anti-phishing databases to catch them. This is why having a solution that assesses URLs on the fly is essential. The service will then categorize the page based on its content, forms, links and originating URL. If the Web page is categorized as a phishing site, Blue Coat’s software will block the requested Web page or warn the user. The entire process can be completed in 250 to 750 milliseconds.

	So has phishing run its course? Not really, as there is a sucker born every day who is new to the Internet, and old tricks still work. However, the ROI for crime organizations is not very high with phishing, as people are smarter and more defenses are in place, plus the phony Web site may leave tracks to the crime organization for law enforcement. Newer tactics have lower visibility, lower risk, and high return rates, which leads to more profits. Underground phishing is a business which requires …time and effort to gain profits.

	Phishing attacks come in short bursts and hide their host &amp; domain to avoid reputation filters; only real-time analysis can protect users.

	Phishing is still a considerable threat. Fortunately, through real-time assessment, most ploys can be thwarted.</description>
      <dc:subject>Blue Coat, Blue Coat WebFilter, Blue Coat ProxySG Appliances, Anti-Virus, URL Filtering</dc:subject>
      <dc:date>2009-02-16T19:05:44+00:00</dc:date>
    <feedburner:origLink>http://www.bestnetworksecurity.com/articles/anti-phishing-and-webfilter-real-time-rating-service</feedburner:origLink></item>

    
    </channel>
</rss>
