Tuesday 25 August 2009

The first thing to check for any manager...

Yesterday I was invited to attend an internal discussion with one of our customers. The customer's main business is in finance and they did something that I think more companies should do: they did a war game. They tried to find any potential breach they could have from any type of source, internal or external. I was invited to help them with questions to ask themselves. They did a good and thorough job so I ended up with only one question: Is anyone responsible for all access systems? I think that in any security environment there should be a 2-hand principle. As an example: one person handles the access system, another person should handle the LDAP. We ended up doing a map of who was responsible for which system. A couple of minutes ago I got an email from my customer where they told me that they added the principle to their security plan and they already changed some access rules internally.

Thursday 20 August 2009

A very intelligent article by someone else than me....

I get happy when other people express what I am trying to say (in a much better way than me..). AppGate has a new partner in South Africa: Condyn. They recently wrote an article about security that I think is great...so here are some quotes:

Most investigations concerning computer crimes show that 60% to 80% of all security breaches are performed by insiders. These statistics highlight the fact that the most common method of protecting a corporate network and computers – the “ring wall” – is ineffective as it is assumed that attacks will come from the outside.

“This type of firewall-centric solution was designed many years ago and is slowly becoming obsolete,” explains Jorina van Rensburg, CEO of Condyn.

“Protection has been moved closer to the assets, such as application servers as well as workstations and laptops. So, how do you transform this traditional view into a more modern and effective architecture?” she asks.

According to Van Rensburg, the first step forward is simply observing the fact that the larger a network becomes, the more insecure it will be. This means that security can be improved by partitioning the corporate network.

Traffic between domains should be strictly controlled and potential problems logged. This immediately puts a limit on the maximum amount of damage a security problem can cause, and increases the possibilities to both detect and deal with potential problems.

The next step is to fully move away from the “ring wall” architecture. “If the servers can be protected against all unauthorised traffic, then operating systems, network protocols and applications cannot be attacked.”

Step three involves improving client security. Clients need to be correctly configured, configurations must be reviewed and all software patched to make sure they do not contain any publicly known vulnerabilities. The security system should also be able to do a “client-check” before access to sensitive resources is granted. This check could guarantee, for example, that the client has anti-virus software installed, a good personal device firewall is in use, that no file sharing software is present, or any other rules the application system owner would like to enforce before access to that application is granted.

I am really looking forward to working with this company; they know what they are talking about.

Wednesday 19 August 2009

Why are not all patches applied?

One of the reasons for security breaches is that security patches have not been applied. The message from the vendor often seems to be: yes we screwed up but now there is a patch so it is not our problem anymore. They seem to expect everybody to jump on any new patch and install it in an instant...this seems not to be the case. Are people stupid or lazy (or both?)? I do not think so; I think it is a question of time and resources. Any given company or organisation runs several applications and pieces of hardware at the same time. Just knowing that there is a new patch out there can sometimes be a problem. Another problem is to find out if the patch will have any implications on the rest of the infrastructure.
This is especially true when it comes to the network and security infrastructure, where many point products interact with each other (many times in strange ways...). As always there is no simple solution, but I have over the years recommended a short list of things to do...
1. Make sure that you use UTM products instead of point products...that is an easy one.
2. Limit people’s access to applications (when things go wrong the problem is isolated)
3. Make a list of the most dangerous applications and systems you have and grade them.
4. Check how different point products interact with each other.
5. Make a due diligence plan..and do due diligence often..

With this you have hopefully created time....use it to patch.

Friday 14 August 2009

What will you do if the Swine flu hits your organisation?

The latest UK Government figures suggest a worst case of up to one in eight employees forced to take time off work due to swine flu. On 28th July, the British Chambers of Commerce (BCC) advised businesses to consider offering staff the option of home working to maintain continuity during the swine flu epidemic. The organisation warned that companies could be hit by intense periods of staff absence if projected figures for infections are realised.
Remote access is simple in theory but hard to achieve on a mass scale...here are some things that need to be considered:
1. Who should be able to access and what should they be able to access? It is never a good idea to open the whole network for access.
2. How should they be able to access? To let everybody use their private PCs for access could be a security challenge. How do you know if the PC is infected or not? Maybe a USB client with terminal access would be the best and most cost-effective solution.
3. How do the users authenticate themselves? I have seen many times that intruders use crises in an organisation to exploit networks..simply because no-one cares about IT Security during (as an example) a bomb threat. I strongly recommend 2-factor authentication.
I guess what I am trying to say is to plan ahead. The cost of trying to solve the problem during the crisis will always be more expensive than fixing the problem beforehand. A small investment now can save tons of money later.

Wednesday 12 August 2009

How to survive vacation?

I do not know about you but being away from the office could be quite stressful for me..I need to be in the loop. Luckily enough I have an understanding wife and I work in a company that makes remote working possible. This year I added to the technical infrastructure in my boat by installing a wireless router that I connected to my 3G data card. That made it possible for both me and my wife to "work" and use Internet...even on a remote island (and mostly in the rain..). I now had the same access as if I was in the office.
I had one technical problem this summer...when I learned that mobile phones do not swim very well. Skype helped me to overcome that burden until I could buy a new phone.
Sitting in my boat I realised that all this has created a new level of freedom; just a couple of years ago this would have been impossible or very expensive. Now it is easy and actually quite cheap. My wife in the end had a slightly different view..she told me that I have now gone from working full time to working all-the-time.

Monday 10 August 2009

I am back from vacation....

I have not posted anything in a while...mostly because I have been away from my desk and in my boat...and partly because this summer has been different from most other summers in terms of business. We have never been more active than we are right now at AppGate. I think this is proof that customers are looking for security solutions that are built around another concept than the old "firewall inside-outside" model. Anyway I am happy....