Network Security
FW: Security Wire Perspectives, Vol. 6, No. 19, March 8, 2004
- From: Howell, Paul
- Date: Mon Mar 08 06:33:57 2004
-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity-791F07DD6794E083@lists.techtarget.com]
Sent: Monday, March 08, 2004 4:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 19, March 8, 2004
Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information resource
for enterprise IT professionals. Additional newsletters available at
http://searchsecurity.techtarget.com/?track=NL-358&ad=477764&Offer=swp
IN THIS ISSUE:
A READ ON THE NEWS
*Instant Messaging Creates Security Headaches for Enterprises
*Essential Linux Skills
HEADLINES
*E-mail, Attachments Heading for a Divorce
*Experts See IM as Foundation for New-age Apps
*'Productivity' Trumps 'Security' as IM Buzzword
*MCI Offers DoS Guarantee
*Planning and Forethought: The Needle and Thread of Patch Management
SOUND BYTES
*An Indictment for Applications Development
LINKS TO THE INDUSTRY
YOUR TWO CENTS
Readers sound off on our weekly security planner column
TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE
=====================================================
SECURITY WIRE PERSPECTIVES IS SPONSORED BY: TruSecure
Live Webcast: "Is the BS 7799/ISO 17799 Standard Right for You" - Mar. 18th
The 7799 standards dominate internet security in the UK, Australia and the
Asia Pacific region, and have increasingly been adopted by financial
services and energy industries in Europe, Canada and the United States. But
are they right for your organization? Join TruSecure on Thursday, March
18th, for a live webcast to learn about common concerns that companies have
when considering these standards, frequent pitfalls experienced by those
that have used them in the past, and how your organization can avoid them.
Whether you're just evaluating BS 7799 for possible use, at the
implementation stage, or anywhere in between, we can help! Click here to
register!
http://searchSecurity.com/r/0,,25745,00.htm?track=NL-358&ad=477764&trusecure
=====================================================
A READ ON THE NEWS
*INSTANT MESSAGING CREATES SECURITY HEADACHES FOR ENTERPRISES
By Keith Regan
Instant messaging entered the enterprise and network environment by the back
door, creating special challenges for security managers. But the still-wild
technology can be corralled.
"IM took a guerrilla pathway into the enterprise and onto the network," said
Kailash Ambwani, the CEO of Foster City, Calif.-based IM solutions vendor
FaceTime. "It's not like it grew in an orderly fashion that was controlled
by the IT managers."
While IM is now standard in many industries and trusted, enterprise-quality
solutions are readily available, it still brings its own set of challenges.
In addition to requiring open Web ports, IM can put sensitive corporate
information and private data at risk. It also invites a new breed of
unwanted commercial messages that seem poised to clog servers just starting
to get relief from the spam influx. Ferris Research recently predicted some
4 billion "spim" messages will be sent in 2004.
Though IM-borne viruses have been rare to date, that's likely to change.
"It's only a matter of time before hackers realize that their e-mail
payloads are being stopped and look for the next route," says Ambwani.
"A logical approach is needed," said Peter Shaw, CEO of San Diego-based IM
security provider Akonix Systems Inc. "Every company has to arrive at a
conclusion about what approach works best for it."
Just as with e-mail, there are multiple technological solutions to the IM
problem, said Eric Johnsen, director of IM products at San Francisco-based
firewall provider Zone Labs, which was recently acquired by Check Point
Software Technologies. For example, corporations that use IM for sensitive
communications can opt for encryption.
But that still leaves internal problems that IM poses, says Shaw, such as
those created by the fact that instant messaging tends to be far more casual
than e-mail. "People say and do things in IM they wouldn't dream of in an
e-mail," he adds. "That creates a host of issues from a human resources and
liability standpoint."
To date, providers of IM security and privacy solutions have relied upon
regulated industries such as financial services and energy for the bulk of
their business. But that's starting to change, says Ambwani. "Companies that
have no regulatory oversight are starting to realize that IM is going on
within their walls, whether they want it or not, and realizing they have to
do something about it," he adds.
*ESSENTIAL LINUX SKILLS
By Jay Beale
The increased reliability and potentially better security of Linux is
tempting more than a few frustrated Windows shops to consider jumping ship
to the popular open-source OS.
You'll need competent Linux admins and managers to deploy and maintain
secure systems. This is critical, since the security of any system is
directly proportional to the abilities and experience of the people
operating it.
While there are a number of things you'll want your Linux admins to know,
they should have the following security-specific skills.
--OS Hardening. This involves reconfiguring core settings, deactivating
unneeded programs and tuning the remaining services for better security. In
Linux implementations, this also can involve configuring the embedded
system-level firewall. These steps will mitigate most known vulnerabilities
and neutralize most attacks -- up to 97% in some lab tests.
Freeware applications and tools like Bastille Linux, Titan and the Center
for Internet Security's (CIS) Unix security scoring tool help audit the
hardening work once it's done. CIS's Linux Benchmark and books like
"Building Secure Servers with Linux" are practical, step-by-step guides for
hardening Linux and Unix systems.
--System Assessment. Once an OS is hardened, a sysadmin must be able to
determine if it has been attacked or compromised. System assessments start
with creating a baseline of the normal system and then checking the system
against the baseline on a regular basis. This assessment might begin with
looking at what programs are running, what user context they're running
under, what files they have open, and what their level of resource
consumption is.
This process is both highly technical and somewhat intuitive, thus requiring
experience and knowledge. A sysadmin must know what information is important
and how to gather that information. Experience will tell a sysadmin when
something is amiss. Technical skills come into play to discover if the
problem is really an attacker or just a system failure, such as a faulty hard
drive or an overloaded application.
--Intelligence Gathering. Next, your sysadmin must be able to gather and
manage intelligence specific to your systems' security. A Linux admin needs
to know what techniques are used by both attackers and defenders. He must be
able to follow the trend data to keep up to date with current attacks. This
helps an organization adapt its defensive posture to changing threat
conditions.
Of course, security intelligence directly feeds into the first two skill
sets. A good Linux or security admin will check sites such as SecurityFocus
and Incidents at least once per day for alerts and advisories. Security
newsletters published by supporting vendors and media outlets help admins
keep up with threat trends.
Where will you get people with such skills? Believe it or not, a good place
to start is with your Windows admins, many of whom are closet Linux geeks or
have experience on Linux systems. They'll also have a firm understanding of
hardening systems, since locking down Windows boxes before they go into
production is nearly a necessity.
JAY BEALE is the lead developer of the Bastille Linux project.
=====================================================
HEADLINES
A look at other significant industry happenings from our sister publication,
Security Wire Daily
*E-mail, Attachments Heading for a Divorce
SearchExchange.com
With e-mail attachments sucking up ever-increasing amounts of enterprise
storage resources, something has to give. One messaging expert makes a case
for caching.
http://searchexchange.techtarget.com/qna/0,289202,sid43_gci953592,00.html?track=NL-358&ad=477764
*Experts See IM as Foundation for New-age Apps
SearchNetworking.com
Experts at the Instant Messaging Planet Conference & Expo said that, in the
absence of an IM strategy, "stealth" IM use could have dangerous consequences
in the enterprise.
http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci953583,00.html?track=NL-358&ad=477764
*'Productivity' Trumps 'Security' as IM Buzzword
SearchWin2000.com
Microsoft executives at a conference in Boston addressed changes in attitudes
about enterprise instant messaging over the past year.
http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci953623,00.html?track=NL-358&ad=477764
*MCI Offers DoS Guarantee
SearchSecurity.com
On the eve of its emergence from bankruptcy, MCI plans the industry's first
denial-of-service guarantee to help strengthen overall network security
protection.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci953430,00.html?track=NL-358&ad=477764
*Planning and Forethought: The Needle and Thread of Patch Management
SearchCIO.com
When it comes to security and patch management, there's no substitute for
planning and analysis. Get advice from industry experts on how to make patch
management a little less painful.
http://searchcio.techtarget.com/infoCenter/originalContent/0,294292,sid19_gci953025,00.html?track=NL-358&ad=477764
=====================================================
FREE WHITE PAPER: Enterprise-wide security policy enforcement. Ensure 100%
network security-policy compliance, wherever employees work, with Zone Labs
Integrity(TM). Restrict network access to security-compliant PCs. Learn how
you can enforce wired & wireless LAN and remote-access security TODAY.
Download our FREE white paper, "Real World Security with Cooperative
Enforcement."
http://searchSecurity.com/r/0,,25746,00.htm?track=NL-358&ad=477764&zonelabs
=====================================================
SOUND BYTES
*An Indictment for Applications Development
Ben Rothke, CISSP
Many transformations begin with an indictment. Two notable examples are
Martin Luther's "95 Theses" criticizing the Catholic Church, which began the
Reformation, and Ralph Nader's denunciation of the auto industry with
"Unsafe at Any Speed." An indictment of the software industry and its
indifference to writing secure software has been published in "Building
Secure Software: How to Avoid Security Problems the Right Way" by John Viega
and Gary McGraw.
Twenty years into the client-server revolution, and a decade into the
Internet revolution, it's a measure of inadequacy of secure coding that only
now are the first books being written on how to secure software -- the very
foundation of information systems.
Software developers who code without taking security into consideration are
potentially as dangerous as a physician prescribing a drug without knowing
its side effects. As a society, we should tolerate neither.
While security products such as firewalls, encryption devices, event
monitoring and intrusion-detection systems are needed to secure networks, it
must not be forgotten that behind every security problem is a common enemy
-- insecurely written software.
Building secure software is not rocket science. Writing secure code doesn't
mean turning every developer into a world-class cryptographer. It simply
means training them in the fundamentals of how software works, including
security. If corporate end users can be trained not to send inappropriate
(sexist, racist, confidential, etc.) e-mail via corporate servers, then
software developers can certainly be trained to write secure software
programs.
The revolution needed in software development is to integrate security into
software engineering. The current approach in software is to patch problems
after they occur. In fact, 2003 saw the rise of many patch management
companies, a sector that only came to be recently. Endless patching is a
downward spiral that only serves to treat the symptoms, not the true
problem, and only in a reactive manner. Had those same programmers been
trained in writing secure code, many of the problems would have been
obviated and billions of dollars saved in the interim.
It's all the rage to send development offshore in the name of saving money.
If companies understood how much more money could be saved by building
secure software from the get-go, rather than bolting security on as an
afterthought, wouldn't they do the same?
It's frightening to think that in just a matter of years, everything but the
food we eat will have an IP address attached to it. When the time comes that
your family vacation commences with a flight on a pilot-less airplane,
here's hoping the developers of the navigation and control systems knew the
rudiments of writing secure software.
BEN ROTHKE, CISSP is a New York-based security consultant with ThruPoint
Inc. McGraw-Hill has just published his book, "Computer Security: 20 Things
Every Employee Should Know."
Have an opinion on this article? E-mail your letters to Shawna McAlearney (
mailto:smcalearney@infosecuritymag.com ), and include your name, title and
organization. Letters may be edited for space and clarity.
=====================================================
LINKS TO THE INDUSTRY
Industry Notebook
Marimba Releases Patch Management Product
Marimba announced the release of its Security Patch Management solution. New
features include patch analysis and collection, patch testing, patch
auditing and reporting, and patch deployment and compliance. Security Patch
Management can be purchased as a stand-alone product or part of a Marimba
Six product suite beginning at the end of March. Pricing is based on the
number of end-points and computer systems involved. http://www.marimba.com
Other industry news:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci953417,00.html?track=NL-358&ad=477764
Happenings
Current industry events:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281973,00.html?track=NL-358&ad=477764
Security training:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281975,00.html?track=NL-358&ad=477764
Market Monitor
Current security company stock prices:
http://searchSecurity.com/r/0,,22258,00.htm?track=NL-358&ad=477764&n/a
SearchSecurity.com Top 10
Weekly recap of top news stories and security tips by our sister site:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci913161,00.html?track=NL-358&ad=477764
=====================================================
*****Don't Miss Our Live Expert Webcast this Wednesday!*****
Join security guru Joel Snyder for a live Webcast, "Application-Layer
Firewalling: Raise Your Perimeter IQ" this Wednesday March 10 at 12:00 p.m.
EST on SearchSecurity.com.
(http://searchsecurity.com/firewall2?track=NL-358&ad=477764) Snyder
separates the hype vs. reality of application-layer firewalling and digs
even deeper into his "Advanced Screening" cover story that appears in this
month's issue of Information Security magazine.
=====================================================
YOUR TWO CENTS
Have an opinion on a Security Wire Perspectives article? We're interested in
your feedback. E-mail your letters to Shawna McAlearney (
mailto:smcalearney@infosecuritymag.com ), and include your name, title and
organization. Letters may be edited for space and clarity.
Weekly Security Planner
http://searchsecurity.techtarget.com/tipsIndex/0,289482,sid14_tax295570_alpD_idx0,00.html?track=NL-358&ad=477764
Your series for security managers is excellent work. I have found every week
useful, and I especially like the perpetual calendar idea. It is so easy to
get caught up in the day-to-day activities that the items you highlight on
the calendar come and go. Before you know it, you are answering to Internal
Audit why there are 600 unused accounts on the NT Server.
Keep up the good work, I really enjoy the series.
--Dennis Rittenhouse, CISSP
::::::::::::::::::::: ABOUT THIS NEWSLETTER ::::::::::::::::::::::
Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an
e-mail newsletter brought to you on Mondays and Thursdays by Information
Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or redistribution
without the express written authorization of Information Security and
TechTarget.
Permission requests, questions or comments should be e-mailed to Shawna
McAlearney, online editor, mailto:smcalearney@infosecuritymag.com.
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf
_____________________________________________________________________
To unsubscribe from "Security Wire Perspectives":
Go to unsubscribe:
http://SearchSecurity.com/u?cid=477764&lid=559334&track=NL-358&ad=477764
Please note, unsubscribe requests may take up to 24 hours to process; you
may receive additional mailings during that time. A confirmation e-mail will
be sent when your request has been successfully processed.
Contact us:
SearchSecurity
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494