Network Security
FW: Security Wire Perspectives, Vol. 6, No. 11, February 9, 2004
- From: Howell, Paul
- Date: Mon Feb 09 07:59:38 2004
-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity-2289A1ED4C2EC6BD@lists.techtarget.com]
Sent: Monday, February 09, 2004 4:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 11, February 9, 2004
Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information
resource for enterprise IT professionals. Additional newsletters
available at http://searchsecurity.techtarget.com/?track=NL-358&Offer=swp
IN THIS ISSUE:
A READ ON THE NEWS
*The End of the Internet?
*'Spamnabbit!' Getting a Handle on Junk E-Mail
HEADLINES
*Multiple Vulnerabilities Leave Millions of RealPlayer Users Open to
Attacks
*IPv6 Vulnerable to Remote Denial-of-Service Attacks
*Flaws Afflict Check Point Firewall-1, VPN-1
*Cisco Devices Vulnerable to Frame-based Attacks
*Mydoom, Bagle Deliver Double Blow in January
SOUND BYTES
*Secure Coding? Absolutely!
By Mary Ann Davidson
LINKS TO THE INDUSTRY
YOUR TWO CENTS
Readers sound off on DHS' new alert system and risk management
=====================================================
A READ ON THE NEWS
*THE END OF THE INTERNET?
By Hank Hogan
According to privacy and security expert Stephen Cobb, a rising tide
may not lift all boats. Instead it may sink them. Cobb recently
predicted that the increasing flood of spam and fraud would begin to
drive consumers and perhaps even some companies away from the
Internet. Surveying the situation, Cobb said, "There's a limit to how
many worms, phishing schemes and fraudulent messages consumers and
companies will take."
There's evidence this is already happening. A worldwide survey
conducted in the fall of 2003 by the Transatlantic Consumer Dialogue
showed that spam negatively impacted online shopping for 52% of
respondents. One out of five didn't shop at all online because of
spam.
Doug Peckover, president of the software firm Privacy Inc., put the
growth of spam at 2% a month.
"According to one of our sources at IBM, more spam was blocked in
July of 2003 than all of 2002. The way things are going, it's
possible that we'll block more spam this coming July than in all of
2003," he said.
Ron Moritz, senior VP and chief security strategist at Computer
Associates, doesn't see the doom cited by Cobb and doesn't believe
consumers and companies will turn their backs on the Internet. But he
readily acknowledged a looming problem.
"This year, worms created nuisances -- and spiked the stocks of
consumer antivirus providers -- but in retrospect ultimately caused
little damage. With minimal advances by the bad guys, however,
catastrophic damage could occur," said Moritz.
As for what can be done, experts advocate antivirus and content
filtering. Beyond that, they promote the use of alternatives to spam
filtering, such as an antispam router. Proactive privacy protection
systems are another possibility. Security managers also need to
address the social engineering side of the problem.
"You need to be actively enforcing strict controls over company
e-mail usage and protecting your mail servers from both outbound, as
well as inbound, abuse," said Cobb.
A final tool is a financial analysis. Many companies lack a clear
picture of the cost of spam and related activities. Quantifying this
expense leads to a better idea of how much to spend on a solution.
This ties into the idea of making security management strategic
instead of tactical in nature.
Collective solutions include fully implementing such things as IPv6;
strong authentication of Web sites and e-mail senders; and upgrading
the intelligence of routers and switches so that malicious activity
can be detected and stopped as soon as possible. Individual companies
and security managers can band together to push for such solutions.
Other possible fixes include the equivalent of an electronic stamp,
as well as legislation to control spam. Unfortunately, in the past
the latter has been found wanting. Based on this experience,
Privacy's Peckover warned, "Do not rely on industry self-regulation."
*'SPAMNABBIT!' GETTING A HANDLE ON JUNK E-MAIL
By Shawna McAlearney
Looking for a solution to the ever-increasing tide of spam pouring
into your enterprise? New research from the Yankee Group gives five
recommendations to consider before making the investment.
"Spam filtering is 95% effective with less than 0.002 percent false
positives," said Yankee Group Analyst Phebe Waterfield. She
recommends that organizations invest in a flexible system that
permits setting different rules for users and filters by domain,
business unit and end-user.
Other suggested qualities include combining antispam or e-mail
content filtering with antivirus protection at the perimeter and
finding a product with reasonable administrative overhead -- one or
two hours a week -- to maintain effective spam signatures and track
down false positives.
"Administrators and end-users can expect to spend some time deleting
spam, or chasing accidentally blocked e-mails," said Waterfield. "The
amount of overhead depends on the quality of the solution."
"Flexible solutions can grow with the enterprise and accommodate
changing business needs," said Waterfield's report. "Look for
features that allow a balance between the need to block unsolicited
commercial e-mail and end users' preferences for receiving commercial
e-mail."
Increasing effectiveness is often a trade-off with more false
positives. According to the report, using multiple layers -- such as
heuristics, artificial-intelligence-aided pattern recognition, spam
fingerprinting and advanced statistics -- can help. Waterfield
reminds international enterprises to ensure foreign languages don't
adversely affect detection rates.
Implementing technology from different vendors provides a more
effective layered defense; look for solutions with multiple antivirus
engines or a different antivirus engine than the solution employed at
the desktop, according to the report.
Waterfield recommends adding protection for externally accessible
e-mail servers by choosing a solution that prevents invalid requests
from being processed, allowing e-mail servers to process only
legitimate e-mail. SMTP relay users can reconfigure perimeter
security devices to only accept e-mail traffic from the service
provider.
Small- and medium-sized businesses should use hardware and
service-based solutions because software solutions require more
administrative overhead, according to the report. Hardware and
service-based solutions should combine antispam, antivirus and
perimeter security to address multiple business goals in a single
package.
"New e-mail security devices offer a solution to unsolicited e-mail
almost 'off-the-shelf,'" said Waterfield. "The one-time price and
ease of installation are attractive to small and medium business with
limited IT resources."
=====================================================
HEADLINES
A look at other significant industry happenings from our sister
publication, Security Wire Daily
*Multiple Vulnerabilities Leave Millions of RealPlayer Users Open to
Attacks
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949132,00.html?track=NL-358
Multiple vulnerabilities in the RealPlayer application can leave
users open to buffer-overflow attacks if the upgrade isn't applied.
*IPv6 Vulnerable to Remote Denial-of-Service Attacks
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci949128,00.html?track=NL-358
There's a new OpenBSD vulnerability with the implementation of IPv6.
Organizations need to upgrade to prevent a possible denial-of-service
attack.
*Flaws Afflict Check Point Firewall-1, VPN-1
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci948772,00.html?track=NL-358
Serious security holes have been discovered in ubiquitous Check Point
products. The vulnerabilities could put sensitive data at risk.
*Cisco Devices Vulnerable to Frame-based Attacks
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci948775,00.html?track=NL-358
Cisco is urging network administrators to upgrade 6000, 6500 and 7600
series network devices to cure a denial-of-service vulnerability.
*Mydoom, Bagle Deliver Double Blow in January
SearchSecurity.com
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci948494,00?track=NL-358
IT administrators had to fend off two sizable malicious code
outbreaks in January, including the one sparked by the most prolific
e-mail worm of all time -- Mydoom-A.
=====================================================
SOUND BYTES
*SECURE CODING? ABSOLUTELY!
By Mary Ann Davidson, CSO, Oracle
Andrew Briney's "Secure Coding? Bah!" article struck a chord, as it
should have been titled "Secure Coding? Absolutely!" Given that the
software industry as a whole has never made a concerted effort to
write better code, it's far too early to throw in the towel.
Many are convinced that because we can't have perfect code, we
shouldn't even try for good code. It's nonsense to give up on writing
better code, especially when we appear to have plenty of time to
invent new technologies that don't solve our problems.
Briney said, "Risk reduction is all about reducing vulnerabilities,
mitigating threats and lowering event costs." However, most customers
have almost no information on the security-worthiness of the products
they buy, and some risks can't be mitigated. The single best thing
the industry can do to mitigate users' risk is to write better
software.
Software development must improve because software has become part of
our critical infrastructure. As such, software development should be
held to the same standards as other facets of critical
infrastructure. Imagine if civil engineers built bridges with the
same inattention to fundamental engineering practices as many
software developers. Would it be acceptable to hear:
"I can't be bothered to figure out how to make the bridge secure. I'm
only interested in using the latest cool building materials and
having a sexy facade."
"Time to market is crucial. If I can't get my bridge up this month,
my competitor will."
"It's not my fault if the bridge fails. I didn't expect so many heavy
trucks on it."
There are no perfect bridges, but engineers are keenly aware of the
ramifications of poor engineering practice. If they were as
unschooled in secure design practice as the average software
developer, we would have collapsing bridges and severe loss of life.
Briney said, "But it's even faster and cheaper to build crappy
software to get the project rolled out immediately, please your boss
and help the company make its quarterly number." Actually, it isn't.
Much of secure coding practice is just good coding practice.
Observing a good development process actually gets better quality
products out the door faster.
"Secure programming is an oxymoron because none of the parties who
could make it happen on a broad scale are properly 'incentivized,'"
Briney said. There are many things that can and have happened to
refute this. For one, customers can demand more secure software. The
Department of Defense has made a good start by requiring formal,
third-party security evaluations for products used in national
security systems. This requirement may be extended to other agencies.
Security evaluations don't result in perfect software, but they do
force vendors to follow a secure development process. Oracle has
invested more than $17 million in security evaluations throughout the
last 12 years, and I can categorically state that it has resulted in
better products and more "security awareness" among our developers.
Avoidance of even one significant security fault would more than pay
for the cost of an evaluation.
More than 50% of security faults are a result of buffer overflows. If
we, as an industry, merely stamped out buffer overflows in the next
two years, we would reduce security faults by half and would
significantly decrease our customers' risk exposure. Checking
boundary conditions is measurable, achievable and something that
every developer should have learned in their first programming class.
If they didn't, they shouldn't be working in the industry.
In summary, my response to Briney's editorial is "Secure coding? Yes,
absolutely."
MARY ANN DAVIDSON is CSO at Oracle. Please send any comments on this
article to mailto:SWPcomments@infosecuritymag.com
=====================================================
LINKS TO THE INDUSTRY
Industry Notebook:
SonicWALL Launches PRO Series Platforms
SonicWALL announced two new rack-mounted platforms, the SonicWALL PRO
2040 and the SonicWALL PRO 5060, which will be available this summer.
Both platforms integrate with SonicWALL's security products that
include antivirus, content filtering and its Global Management
System. Designed for distributed networks, the PRO 2040 comes with a
firewall, VPN capabilities, rapid deployment and installation
features and remote network management.
http://www.sonicwall.com
Other industry news:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci948265,00.html?track=NL-358
Happenings
Current industry events:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281973,00.html?track=NL-358
Security training:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281975,00.html?track=NL-358
Market Monitor
Current security company stock prices:
http://searchSecurity.com/r/0,,22258,00.htm?track=NL-358&n/a
SearchSecurity.com Top 10
Weekly recap of top news stories and security tips by our sister site
SearchSecurity.com:
http://www.searchSecurity.com/originalContent/0,289142,sid14_gci913161,00.html?track=NL-358
=====================================================
YOUR TWO CENTS
Have an opinion on a Security Wire Perspectives article? We're
interested in your feedback. E-mail your letters to Shawna McAlearney
( mailto:smcalearney@infosecuritymag.com ), and include your name,
title and organization. Letters may be edited for space and clarity.
*Where's the value in DHS' new alert system?
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci947369,00.html?track=NL-358
Short Answer: In informing and advising home users.
Mid-length Answer: Security professionals regularly report losing
sleep over the number of wide open, broadband-connected, home PCs.
Mydoom brought the threat into focus. The technical alerts issued by
the DHS may be redundant, but the non-technical alerts and tips may
help tighten the security on the typical home computer. It's
certainly worth a shot.
--Jim Marek
*Is Your Risk Management Plan as Good as It Gets?
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci948726,00.html?track=NL-358
I just read your article "Is Your Risk Management Plan As Good As It
Gets?" Excellent article but I noted a slight problem. Although the
title of your article included "Risk Management," the crux appeared
to be incident response. And, the NIST guideline on incident response
is: NIST SP 800-61 Computer Security Incident Handling Guide, January
2004. At the very end of your article, you include a reference for
incident response guidelines but the hyperlink is to the recently
released draft revision to NIST SP 800-30, Risk Management Guide for
Information Technology Systems, NIST SP 800-30 Rev A. I just thought
I'd point this out as other readers may have been as
confused/perplexed as I was.
--James E. Wingate, CISSP, VP, Backbone Security.com Inc.
::::::::::::::::::::: ABOUT THIS NEWSLETTER ::::::::::::::::::::::
Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is
an e-mail newsletter brought to you on Mondays and Thursdays by
Information Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or
redistribution without the express written authorization of
Information Security and TechTarget.
Permission requests, questions or comments should be e-mailed to
Shawna McAlearney, online editor,
mailto:smcalearney@infosecuritymag.com.
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf
Contact us:
SearchSecurity
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494