BestNetworkSecurity Articles

How Xyloc Works

2009-03-06T18:44:32+00:00

XyLoc is the only information security solution that continues to protect the computer and the network after a user has logged on. The XyLoc system consists of a radio transceiver “Lock” that plugs in to the USB port of the computer, and a discrete wireless radio transmitter “badge” or “Key” worn by the user. Using radio frequency to communicate, the Lock and Key determine a user’s identity and location relative to the computer. When a user wearing a XyLoc badge approaches the workstation, the badge transmits a unique, secure code. The XyLoc Lock receives this code and passes on the processed information to the XyLoc software. If authorized, the user can access their standard Windows logon process. If the system also has XyLoc’s Application Integration enabled, or an integrated ESSO solution, XyLoc will pass the user’s stored User IDs and Passwords to his/her applications, eliminating the need to enter the credentials manually. When the user moves outside of a pre-programmed distance from the PC, XyLoc immediately secures the computer and any open applications, restoring them as soon as the authorized user returns to the workstation.

Common Issues in the Healthcare Environment

2009-03-06T18:43:45+00:00

XyLoc is a comprehensive and scalable solution that delivers convenient security when it’s needed most—after logon, whenever the user steps away from the workstation. Common Issues in the Healthcare Environment: We need faster and more convenient access to records on our shared workstations. Our workstations are located in non-secured public areas and can be viewed and possibly accessed by unauthorized individuals. Our current system secures the log-on process, but leaves the system vulnerable if the user does not lock the screen or log-off the workstation when leaving the area. XyLoc is the solution to these issues: XyLoc is the most convenient solution providing walk-up recognition of user. XyLoc is integrated with the top ESSO solutions (including Imprivata and Citrix XenApp – Password Manager) and is compatible with other authentication methods,such as biometrics, for strong authentication. XyLoc’s patented technology is the only solution that provides walk-away security. XyLoc provides an audit log, of who accessed the workstation and when.

Addressing Encrypted Security Threats Inside SSL

2009-03-06T17:42:59+00:00

Web applications (and their derivatives – IM, P2P, Web Services) continue to comprise the overwhelming majority of new applications being deployed across today’s distributed enterprises. Much of the new growth in Web application development is focused on business-critical applications. Furthermore, many of these applications and related components are hosted by 3rd parties or accessed over public infrastructure. Not surprising, the criticality and confidentiality of Internet-accessible applications has caused organizations to rely more heavily on SSL encryption. SSL encryption was designed to create a trusted class of Web traffic – when the little padlock shows up in a browser, the traffic is deemed “secure.” This confidentiality has enabled businesses and consumers to take advantage of “anywhere, anytime, any user” encrypted connection to drive tremendous commercial exploitation of the Web. There is, however, a downside: encryption, the very thing that keeps prying eyes from SSL traffic, also makes it nearly impossible to see, understand, or manage that traffic. Indeed, in most organizations, port 443 (the designated port for SSL traffic) is not scrutinized– traffic freely and blindly flows in and out of the enterprise. This raises three sets of issues: first, IT lacks any control over this traffic; second, IT has no ability to protect itself from threats flowing in the encrypted traffic stream; and third, IT cannot prioritize and accelerate encrypted traffic – some of which may be mission-critical. Most SSL traffic is, of course, benign and provides no threat to the organization. Further, much of it is key business traffic to business partners or to outsourced application providers. One example is salesforce.com, the online CRM provider, where all data is transferred using SSL technology. On the other hand, users can use SSL technology to circumvent the usual policy controls. They can use SSL encrypted web email services (such as Yahoo! mail) to send out confidential information. They can also set up an SSL tunnel between the organization and their own home PC to transfer information and users have been known to use SSL to surf for inappropriate content on the web. The newer types of Spyware are now using SSL to get around spyware controls both for entering organizations and for sending out their information to the spyware control points. And, of course, often the worst attacks for individual users is phishing attacks where the user is fooled into entering their private information onto a bogus site and these are very often secured by SSL as it helps the user feel confident that this is a legitimate banking or finance site. If an organization were to adopt a solution to resolve these issues, it would need to understand native SSL traffic flowing to external applications, be operationally affordable, not impede business (neither performance nor privacy), and be extensible and adaptable. Unfortunately, most technology efforts to resolve these issues for unencrypted traffic have proved inadequate – none can “see” the encrypted traffic. While SSL offload or SSL VPN technologies can help organizations manage SSL traffic for applications that they control, there has not been a practical solution for “inside-out SSL.” In other words, traditional security and networking solutions cannot effectively protect users inside the corporate network from safely accessing applications and information outside the corporate network (e.g., Salesforce.com, employee benefits providers, and the wide variety of non-business-related applications their employees use). IT organizations can overcome these limitations with intelligent proxy appliances that allow inbound and outbound encrypted traffic to be terminated – thereby enabling unprecedented visibility and context of the encrypted content. From there, proxy appliances can reinitiate the sessions according to the policies set by IT. Termination by a proxy is the only way to gain visibility and control of SSL communications. It provides a critical control point for protection (against viruses, worms, spyware, and phishing), policy (manage the who, what, where, when, and how of user/application interaction), and performance (cache, compress, and prioritize traffic). Lastly though, organizations have to be responsible about use of this technology, understanding the privacy of the individual. The set up of the devices needs to understand the context of the SSL session before deciding whether to intercept the data stream. As an example, if you trust a certain site (or types of sites) then there is no need to intercept, for instance, data to and from salesforce.com or known banking and shopping sites (as defined by URL filtering categorization). Perhaps an organization allows users to access web-based email from work, but this should be intercepted. At this point, before carrying out any inspection, the user should be informed with a message that points out that the data is about to be checked for the their own good and the good of the organization. The user then has the option to cancel the request. The most dangerous types of SSL transaction are those to unknown destinations – the new phishing site that has just been created or just a plain IP address that is unknown and the organization’s efforts should be focused on those, as they hold the most danger.

Email Archiving - To stub or not to stub?

2009-02-18T19:25:04+00:00

Most companies have never considered the impact one, untraceable email can have on an organization or an individual’s career. With so much information contained within email, it is not surprising that industries and governments are insisting that all email should be retained for legal and compliance reasons. Not only, but a proper email set up solves major problems for systems administrators. Over time stub files will impact negatively on Exchange Server performance. Most companies have never considered the impact one, untraceable email can have on an organization or an individual’s career. With so much information contained within email, it is not surprising that industries and governments are insisting that all email should be retained for legal and compliance reasons. Not only, but a proper email set up solves major problems for systems administrators. A survey carried out by GFI Software showed that just over 51% of SMBs do not archive corporate email with 33% using their email client and PST files to store email correspondence. This approach to email archiving creates massive problems for administrators who need to search through PST files on individual workstations for emails while the unreliability of PST files can prove to be a serious legal liability. The task of managing email is often split between the system administrator and the end user however relying on end users to backup corporate email is risky to say the least. The optimum solution, which gives administrator full control over corporate email management while allowing users to keep and access old or deleted emails, is to use email archiving. There are a number of archiving technologies in use today and solutions that integrate with Microsoft Exchange Server and the Outlook client predominantly use stub files to archive their emails. According to an August 2008 paper from Microsoft, the use of stubs does not, however, really avoid the problems that stubbing was meant to prevent. The use of stub files may address one’s email archiving needs but it also creates thousands of small stub messages that affect both Exchange Server’s storage capabilities and overall performance. Using Exchange’s journaling feature, however, not only eliminates the need for stub files but it also improves performance. This white paper examines these two types of archiving technology and explains why IT administrators should stop using stub files to archive email. “Over time, an archiving solution working on hundreds of mailboxes will create thousands of small stub messages. Each of these stub messages may be between 2 and 15 kilobytes and still amount to a performance hit since item counts is the primary performance driver for the Exchange store rather than aggregate size,” GFI states in a white paper being released today. To download a copy of the white paper, please visit http://www.gfi.com/whitepapers/stubbingwp.pdf For information on GFI’s email archiving and email management software, GFI MailArchiver, visit http://www.gfi.com/mailarchiver/

Web 2.0: Open Season for the Attackers?

2009-02-18T18:32:19+00:00

The Web is quickly becoming a participatory medium—users contributing, communing, and building. The downside of this ubiquitous user participation is a new slew of security threats many IT professionals have yet to fully grasp. For a number of years, the Web was a relatively one-dimensional experience characterized by the delivery of static HTML pages within a one-way client-server environment –with little direct user involvement. The security threats were and are real. But Web 2.0 is a different animal. Web 2.0 is a participatory client is server environment of P2P networking, AJAX-generated applications, social networking, bookmarking, media-sharing sites, blogs, wikis, and RSS feeds. A world largely outside of the IT department’s control. The boundary between the trusted network and the Internet is quickly disappearing, leaving the corporate enterprise open to a new generation of threats that make the previous generation’s seem benign. Take email. Several years ago, SMTP was the main vector for viruses and other malicious content. In Web 2.0, SMTP is no longer the carrier for the malicious payload. Instead, email only directs the unsuspecting user to a web site, where the more dynamic HTTP can be exploited for nefarious purposes. Today, many malicious attacks target the browser. Among other techniques, attackers can now manipulate the DNS protocol to mask a malicious website as legitimate in order to gain access to the corporate network via the user’s browser and virtually any information the user can access. A chilling possibility. Web 2.0 is by definition dynamic, social, and collaborative. Users supply the data that make many Web 2.0 applications and services what they are—Google Earth works because users interact with it, MySpace is only as great as the sum of its members, del.icio.us functions because users share their bookmarks, the Blogosphere because users blog. It is this very collaboration and openness that attackers thrive on. Users today share information in multiple venues—email was once the venue. In this open environment monitoring for corporate data leakage and unwanted content becomes a Herculean task. The danger has increased in orders of magnitude. An email leaking corporate information has a limited reach and shelf-life (delete it and it’s gone). But sensitive data leaked into the blogosphere has the potential to do significant, long-term damage. Blogs are stored in searchable archives. Redirects to thousands of websites put data at the fingertips of anyone interested in the information. As always, the challenge is balancing user expectations with corporate security. Users demand unfettered connectivity—email, IM, and video conferencing—and access to Web-based applications. More and more companies are outsourcing their mission-critical data (e.g. CRM systems) to web-based hosting infrastructures. These applications enable organizations to reduce IT administration costs and headaches associated with traditional, locally-hosted applications. But hackers have been quick to exploit vulnerabilities in Web applications. For example, Web 2.0 has been especially good to phishing attackers. Phishing sites built using Rich Internet Applications (RIAs) appear so legitimate that even seasoned users and early-generation security solutions are fooled. Nomadic attack patterns make it almost impossible to track down the attackers. (Interestingly, more than half of all known phishing sites were located in the U.S.) Legitimate stand-alone RIAs are powerful because they offload most of processing to the client machine via a client engine that acts as an extension of the user’s browser. This client executable can be used as a vector for malicious code. RIAs that use ActiveX plug-ins, a common RIA technique, are especially vulnerable to attack. (Eighty-nine percent of browser plug-in vulnerabilities disclosed by Symantec in the first half of 2007 affected ActiveX plug-ins in Internet Explorer.) Legitimate websites aren’t safe anymore either. Attackers can (and do) embed executable XML malware on popular sites—last year, computer experts found virus code embedded in MySpace pages. Streaming video is the next vector of choice. Imagine the effect of a Trojan horse embedded in one of YouTube’s featured videos which, potentially, millions of unsuspecting users would view. The long-running Storm Trojan horse that has infected user machines via SMTP, made the jump to HTTP. Storm backers infected the website for Republican Party in the 1st Congressional District of Wisconsin. Fortunately, the site’s owners were able to remove the dangerous code within a few hours. Security experts estimate that as many as two million machines are part of the Storm botnet; its tentacles could reach into the tens of millions with the move to the Web. Blanket blocking of legitimate sites is not the solution; arguably some of these sites fulfill legitimate business functions for some users. SSL-encrypted websites also pose a threat. Most web security solutions don’t inspect the SSL tunnel, which carries the encrypted data point-to-point, making SSL an effective vector for stealing data. Attackers also set up SSL-enabled web servers to appear legitimate to phishing victims. When the user receives an email and clicks through to what he believes to be his banking site, the familiar lock within his web-browser gives him a false sense of security. SSL is also an effective ways of getting bots and Trojans past a corporate firewall and onto the trusted networks. Once a bot is installed, it forms botnets that use similar SSL sessions to leak sensitive data and other valuable content out of the corporate network. Most content filters and other security products fail to identify these attacks as they occur because they can’t view the encrypted data so these sessions are allowed in and out of the network. What can security professionals do to protect their enterprises? First they must have the ability to scan legitimate websites in real-time for executable viruses and other malware. Blanket blocking is not the answer—many legitimate web-based business applications use executables to enrich the user experience. Security professionals must also be able to establish both broad and granular user-based policy controls over P2P applications such as IM and Skype, without hindering user productivity and application performance. An understanding of today’s phishing techniques is also essential. Users should be blocked from posting data to high-risk sites and sites with invalid SSL certificates. Finally, IT pros should exercise broad protocol control over RTSP, MMS, IM, SSL, and P2P applications so threats can be identified and blocked. Some of the more comprehensive web security solutions offer this level of functionality along with basic messaging, anti-virus and anti-spam filters. The key is to ensure a seamless, unfettered user experience. It’s a tall order, but not an impossible one. Enterprise security threats have evolved Web 1.0Web 2.0 Primitive phishing attacksEvolved phishing attacks; RIA’s and other techniques “legitimize” phishing sites Email-borne virusesEmail for social engineering, not malicious payload Corporate data leakage via emailCorporate data leakage on blogs, social networking sites, etc. Website defacements (“Hactivism”)Website Infections (Malware inserted into XMLtags for financial gain) “Clear text” malwareMalware “hidden” within SSL-encrypted traffic

Anti-Phishing and WebFilter Real-time Rating Service

2009-02-16T19:05:44+00:00

Phishing is an aptly named exploit that shares some elements with the similar sounding sporting activity. Both require a combination of expert casting and convincing bait. Casting is equivalent to a legitimate looking email or Web domain for phishers, the next step is to get the consumer/victim to click on the link – take the bait. The email needs to look like it is from a trusted Web site. If the email is convincing enough, the consumer will click on the link which leads them to a Web site where they will likely be tricked into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. The more popular form of phishery is the Web based phishing attack. No emails are involved with these phishing attacks as SPAM filters are getting better at catching them. A Web domain phishing attack is when a user typos a common Web domain, for example a bank domain, online shopping site domain and many others. Once Web surfer types their favorite Web site domain they could be taken to an infected site. Attackers know that compromising sites with generally good reputations coupled with more effective and targeted e-mail lures, can increase the success rate of attacks. The typo phishing attack and open hacking on popular sites to funnel users into a phishing site are more common today. Phishing is all about getting the user to provide access credentials, identity information, or financial credentials by leveraging the trust model of a known brand. Time has evolved, people are getting smarter about these tricks and attacks have moved to key loggers loaded onto user PCs via browse-by installs from infected popular Web sites. So collecting valuable user information started out with phishing tricks to get the user to type it into a phony Web form/site, now the attacks have gone stealth, the user does not even know the malware loaded into their system when they visited a popular infected Web site, and that it has logged keystrokes and sent a file back to the “dark side”. According to industry researchers, the average loss from phishing is now over $3,000 per incident and the total damages suffered by users victimized by phishing are well over $1 billion per year. Banking and retail sites, including Amazon.com, Ebay and PayPal, have been some of the most popular for criminals to impersonate with counterfeit sites using phishing schemes. Social networking sites, such as MySpace and Facebook, are also key targets for ‘social phishing’ since personal details included within such sites can be used in identity theft. Experiments show a success rate of over 70% for phishing attacks on social networks. Many phishers will try to get around anti-phishing solutions by using SSL encryption. The Blue Coat Real-Time Anti-Phishing protection technology assesses the Web page being requested using Blue Coat WebFilter and Dynamic Real Time Rating (DRTR). Blue Coat WebFilter runs on current ProxySG appliances and uses Dynamic Real Time Rating technology to keep up with the ever-changing Internet and phishing sites. DRTR is based on patented technology that can ”on the fly” categorize new, unfamiliar Web sites as they are being requested and then block or allow user’s access according to the rating DRTR assigns and in accordance with the organization’s or user’s policies. If the page is not found in the Blue Coat WebFilter database, a query is sent to Blue Coat Labs where the Web page is analyzed automatically in real time. Because these phishing Web sites are only up for a short time ranging from hours to minutes it’s hard for most anti-phishing databases to catch them. This is why having a solution that assess URL’s on the fly is essential. The service will then categorize the page based on its content, forms, links and originating URL. If the Web page is categorized as a phishing site, Blue Coat’s software will block the requested Web page or warn the user. The entire process can be completed in between 250-750 milliseconds. So has phishing ran the course of time? Not really, as there is sucker born everyday that is new to the Internet, and old tricks still work. However the ROI for crime organizations is not very high with phishing as people are smarter and more defenses are in place, plus the phony Web site may leave tracks to the crime organization for law enforcement. Newer tactics have lower visibility, lower risk, and high return rates, which leads to more profits. Underground phishing is a business which requires …time and effort to gain profits. Phishing attacks come in short bursts, hide their host & domain to avoid reputation filters and only real-time analysis can protect users. Phishing is still a considerable threat. Fortunately, through real-time assessment, most ploys can be thwarted.

Obama Worm Not Harmless

2009-02-04T04:47:00+00:00

The Obama worm may not have a malicious payload like most other malware, but it will still cause harm. The worm will still cause an increase in helpdesk calls and time required for system cleanup and that means time and money wasted. Learn more about cleaning up the Obama worm W32-Karab-A

Palo Alto Technical Demo On Demand

2009-01-22T22:29:00+00:00

The Palo Alto Networks VP of Product Management demonstrates the Palo Alto Firewall. Learn why the Palo Alto firewall was developed and view a technical demonstration of the solution. You can skip around, making it easy to view. Palo Alto Networks On Demand Demo

Palo Alto Networks Turning Heads

2009-01-19T23:04:00+00:00

Palo Alto Networks is turning heads. Jay Rollins, a CIO blogger at TechRepublic, explains the surprise he experienced when he saw a demo of Palo Alto Networks “next generation” firewall. >When I spoke with the Palo Alto Networks company representative, my expectations were pretty low. Once we got into what the appliance did, I had to say “WOW!” Palo Alto Networks allows companies to policies based on application and user. This increases security because it is more effective given today’s web-based technologies. If you would like to learn more, give us call. Link: Palo Alto Networks offers a next-generation firewall… really

Investing in Palo Alto Networks Pays Cost Savings Dividends

2009-01-19T22:54:01+00:00

In these challenging economic times, cost savings and TCO are becoming important factors in every IT purchase decision. There are many examples of Palo Alto Networks customers that have enjoyed significant, measurable cost savings as a result of investing in their innovative, next generation firewalls. Three of these examples have been carefully documented and included in a new “must read” white paper, Reducing Costs With Next Generation Firewalls. This important paper highlights not only the specific cost savings, but makes the case effectively that there is no longer a need to compromise between cost savings and true product innovation. Palo Alto Networks delivers both values to customers.