Friday, September 28, 2007

Is Two Factor Authentication for internet banking a flop or success?

Q: Is Two Factor Authentication for internet banking a flop or success? I read around some articles regarding two factor authentication; studies have shown that two factor authentication does not address some present issues, and with the man-in-the-browser attack shown and also recent cases like ABN AMRO, one may wonder whether two factor authentication is that safe. I would like to hear your views on this, guys.

A: Hi …,
I agree with the previous answers.
2-factor authentication is more secure than password-only single factor authentication.
• Does it answer some security problems? Yes.
• Does it answer all security problems? No.
That is the fact. I do recommend increasing security levels to mitigate the risk (you can go up several factors, but you cannot eliminate the risk).

If you have the second factor on hardware (token, smart card etc.) or biometrics it is even more secure. It is like the ATM card... You lose your PIN, no problem; you still have the card in your pocket. You lose your ATM card, no problem, because you still keep the PIN. If you lose both of them, yes, you have a problem.

Having the 2nd factor on the same medium (e.g. on your computer, or 2 passwords) is not as safe as tokens, smart cards etc.

During online transactions, man-in-the-middle and man-in-the-browser threats can bypass 2-factor authentication, but this does not mean that financial institutions should rely on static passwords only.

There are also a lot of creative “virtual” 2-factor authentication systems like TriCipher (more links in the DHS report below).

FFIEC: Single factor authentication methodologies may not provide sufficient protection for internet-based financial services; bank web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, according to regulators with the Federal Financial Institutions Examination Council.

In the financial sector, after the FFIEC requirements above, many banks implemented cheaper pseudo 2-factor systems (SiteKey, CAPTCHA type). Tokens/cards are better, but when cost is the important factor, SiteKey-type systems increase security relatively. Mutual authentication systems are better but very difficult to manage (e.g. PKI). I like out-of-band authentication a lot. When I try a high-risk transaction my bank sends a one-time password to my cell phone.


Here are some links that may help:
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
http://www.forrester.com/Events/Content/0,5180,1429,00.ppt#418,1,Slide 1
http://www.cyber.st.dhs.gov/phishing-dhs-report.pdf


Let me know if you have a specific question,
Cheers,
- yinal
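The answer above notes that man-in-the-browser attacks can bypass 2-factor authentication and that an out-of-band one-time password for high-risk transactions is a good control. The following is an added example, not code from the original post or from any bank: an RFC 4226 HOTP, optionally extended (our own extension, not part of the RFC) to cover the destination and amount quoted in the phone message, so that a code the customer confirmed is rejected if the browser submits different transaction details. The bank back end, the account names and the key are constructed.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, extra: bytes = b"") -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter.
    `extra` is our own extension (not part of RFC 4226): when non-empty, the
    transaction details are mixed into the MAC so the code is valid only for
    that exact transfer. With extra=b"" this is plain HOTP."""
    msg = struct.pack(">Q", counter) + extra
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_bytes(dest_account: str, amount_cents: int) -> bytes:
    """Canonical encoding of the fields the customer is asked to verify on the phone."""
    return f"{dest_account}|{amount_cents}".encode()


class BankServer:
    """Hypothetical bank back end: issues the OTP over the phone channel and
    verifies it when the browser submits the confirmation."""

    def __init__(self, shared_key: bytes, bind_transaction: bool):
        self.key = shared_key
        self.bind = bind_transaction  # False = counter-only OTP, True = transaction-bound
        self.counter = 0
        self.pending_counter = None

    def _code(self, counter: int, dest: str, cents: int) -> str:
        extra = transaction_bytes(dest, cents) if self.bind else b""
        return hotp(self.key, counter, extra=extra)

    def start_transfer(self, dest: str, cents: int) -> str:
        """Returns the text 'sent' to the customer's phone. It quotes the
        destination and amount so the customer can check them out-of-band."""
        self.counter += 1
        self.pending_counter = self.counter
        return f"Transfer {cents / 100:.2f} to {dest}. Code: {self._code(self.counter, dest, cents)}"

    def confirm(self, dest: str, cents: int, otp: str) -> bool:
        """Verify the OTP against the details the browser actually submitted."""
        if self.pending_counter is None:
            return False
        expected = self._code(self.pending_counter, dest, cents)
        self.pending_counter = None  # one-time: a code is never accepted twice
        return hmac.compare_digest(expected, otp)


def simulate(bind_transaction: bool, tampered: bool) -> bool:
    """Customer authorizes 150.00 to ACCT-OK (constructed values). If `tampered`,
    the transaction the browser submits differs from the one shown on the phone,
    while the OTP the customer typed stays the same. Returns the bank's decision."""
    bank = BankServer(b"constructed-demo-key-not-real", bind_transaction)
    sms = bank.start_transfer("ACCT-OK", 15000)
    otp = sms.rsplit(" ", 1)[1]  # customer reads the code off the phone
    submitted = ("ACCT-OTHER", 990000) if tampered else ("ACCT-OK", 15000)
    return bank.confirm(*submitted, otp)
```

With `bind_transaction=False` the counter-only code is accepted whatever details the browser sends; with `bind_transaction=True` the same code is only good for the transfer the customer actually saw on the phone.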

Routing protocol in IPsec tunnel mode?

Q: Why can't you run a routing protocol in IPsec tunnel mode? Why do you need GRE to run a routing protocol?

A: Hi …,
You can run routing protocols in IPsec tunnel mode. You don't have to have GRE all the time.

In the past we could not do this due to a limitation of the IPsec termination gateways: the gateways could not participate in routing, and tunnel mode encapsulates the IP headers. To eliminate the problem we were tunneling traffic in GRE.

Today many modern IPsec gateways (e.g. Check Point, Juniper, Cisco) do support route-based VPNs via virtual tunnel interfaces (VTI). The implementation has no standard (most functions are proprietary), so cross-vendor (e.g. Check Point to Juniper) route-based VPNs are very difficult. But if you have a single brand of gateways, you can route in VPN tunnels easily. We have migrated proprietary telco MPLS networks to IPsec VPNs while keeping the redundancy with dynamic route-based VPNs.

On the other side, Cisco is trying to reinvent the wheel by bringing back the 10-year-old transport-mode VPNs (encrypting only the payload, not the IP header) in order to make MPLS networks more secure and scalable. This Cisco Group Encrypted Transport VPN promises to address multicast VPN problems as well.

All vendors have several solutions for several scenarios so it would be best to run proof of concept before production deployment.

cheers,
- yinal

Wednesday, September 26, 2007

Do you consider web scraping a threat to your organization?

Q: Do you consider web scraping a threat to your organization?
We have a client whose physician finder page was being scraped. A competitor was regularly sucking all of the doctors out of it and probably importing them as leads right into their own CRM database. We found a good solution, but I also found out there are many software tools and service companies now who claim to be able to "collect data from the competition and track their behavior over time". I wondered how widespread this might be and how much people were concerned about it in general. Any war stories or thoughts on web scraping? Thank you!

A:
Hi ...,
The Internet domain is named "public" for a reason. In the long term no protection (applets, images, scripts etc.) is valid if the information is on the Internet. There is a very common principle in information security: security through obscurity is not real security.

The only information you may protect on an online directory system is perhaps the phone numbers and e-mail addresses (by not publishing them). You can proxy them via some web applications, but even if you do this, it is not very difficult to figure out all e-mail addresses if the names of the doctors are displayed on the pages (assuming that you follow a standard naming convention).

I have been working with enterprise security and web development teams for years and I remember stories from 1996. After the search engines (which are another kind of scraper), the web/screen scraping industry was legitimized.

Scraping technology is relatively simple (programming 101) and in the long run there is no permanent fix. Yes, you can slow them down (no queries within 10 minutes from the same IP address?), but that is not the solution.

I do recommend having very strict data classification and privacy policies at your operation, covering:
• identification of the classified/sensitive/unclassified etc. data
• personally identifiable information
• business and legal requirements (e.g. compliance)
• internal policies
and designing your internet-facing content according to those requirements. On public pages, classification is quite straightforward, so label all internet-facing non-authenticated pages “public/unclassified”.

You can protect your private, high-security competitive data inside the perimeter, and protect your sensitive information with DRM solutions.

If you have any questions I would be happy to elaborate.

cheers,
- yinal

Sunday, September 23, 2007

Commercial products for "breakglass" account control

Q: Commercial products for "breakglass" account control
Has anyone reviewed commercially available "breakglass" tools for account control of privileged system and application accounts? If so, please advise.

A: Hi ......,
There are several ways to achieve your goals. Entitlement and privilege management (authorization management) is a very active topic and there are several creative approaches to delivering the solution. You can control privilege at the client level, network level and application level.

I will skip the client-level applications (yes, there is plenty of VB magic out there) and discuss the network- and agent-based policy/audit/privilege control tools for centralized management.

The idea is very simple: target systems lack the required native controls, or the native controls are not centrally manageable, or the granularity of the controls is not deep enough for security/compliance requirements, so you need to proxy the authentication requests and authorize privileged access based on your policy.

Basically all “identity management” shops (IAM, SSO, entitlements) offer some sort of privilege control (CA, IBM Tivoli, BMC, Novell, EMC (RSA), Sun, Oracle and Microsoft - http://static7.userland.com/oracle/gems/nishantKaushik/gartnerUPQ07.jpg). But the solutions may require some tweaking and coding.

If all you need is “break-glass” control, you can use some specific applications/appliances like CA’s Access Control, Symark PowerBroker, Cyber-Ark, Securent, Password Auto Repository or Bayshore Networks. These solutions also integrate closely with the applications for entitlements management.

If you need a quick and dirty solution, build an SSH proxy server (public domain) with strong authentication, and authorize all system management access via the SSH proxy. But that won’t be a complete solution like runas or the sudo variants.

In the past I worked with CA, they have an extensible solution.

cheers,
- yinal

Sunday, September 16, 2007

Defining the Endpoint Security UTM

Endpoint security is getting more complex... At the end of the day we have only one endpoint on which to integrate all those glorious safeguards. The target (laptop, desktop, PDA, smartphone, BlackBerry) has limited resources.

This makes the perfect case for the endpoint unified threat management (UTM) concept. Clientless control is golden, so OS-specific safeguards such as GPO or remote enforcement tools such as Promisec would be great. Or utility-based offerings such as Postini and ScanSafe will decrease the load/tax on the client.

Here is my list of endpoint security functionality for the UTM (a single executable or everything in the cloud are the golden wishes):

- Port Control (USB, CD, Floppy, Bluetooth, IR, Wi-Fi, Ethernet etc)
- Location awareness
- Encryption (file, disk, mail), key/cert management
- Firewall
- IPS
- Antivirus (http and SMTP)
- Antispam, Phishing, Malware control (http, SMTP, SMS)
- URL filtering
- Application control, and tripwire type change control
- Remote device management (in a secure manner :)
- Biometrics/TPM/SSO/802.1x support
- Easy to scale on multiplatform esp. on mobile

Of course all should be managed centrally.

Do I ask for too much? I already see several initiatives before Microsoft, Nokia and RIM wake up.

Deployment is a topic for another post.

cheers,
- yinal

Running a Security Operations Centre

Q: Running a Security Operations Centre
Can anyone tell me if they have had any success in setting up an internal SOC (security operations centre) compared with outsourcing / smartsourcing it to a third party to manage or partially manage?

A: Hi ......,
We have set up several SOCs for ourselves (us being an MSSP) and for our clients.

I assume you are interested in the SOC type that our clients use for internal security operations.

Yes, an internal SOC is very tricky and can be very expensive depending on the initial scope.

Here are the initial problems that we faced in internal SOC initiatives:

1) Developing the redundant infrastructure. Real-time active-active SOCs are recommended, and this makes the infrastructure complex.
2) Finding the right people: it is tough to find people who can work a 7x24x365 schedule with a lot of stress. It is tough to keep trained security experts in-house. It is tough to run follow-the-sun or 3-shift teams. If this is the first time for the client, expect major problems in the first year.
3) Developing operational procedures: unless you mimic a working operation, starting from scratch will not be easy. Security monitoring and management procedures are dependent on the toolsets, resources and the architecture. Internal SOCs require a long learn-by-mistake period.
4) Integration with internal workflow. All internal IT procedures must be updated to work with the new SOC.
5) Integration with the existing IT infrastructure. All existing systems and policies should work together.
6) Achieving certification and compliance for the new SOC (SAS 70 Type II, ISO 27001, PCI etc.).

If you have any specific questions I might give more definite details. I think the link below will help you with SOC operation scoping on the technical side:

http://infosecforum.blogspot.com/2007/08/ideal-managed-security-service-provider.html

regards,
- yinal ozkan

Thursday, September 13, 2007

Classification of Information Security Products

We usually use 4 main solution categories... Perimeter, Threat and Vulnerability, Content, and IAM. But if you want to look at the solutions by product category, here is my high-level view:

Security Product Areas
• Firewall
• IPS IDS
• Antivirus, Antispam, Malware (email)
• Encryption
• URL Filtering (and AV AS Malware)
• Proxy-Cache-WAN Acceleration
• Web/XML gateway frontend security
• VPN management
• Remote Access (SSL, client)
• DRM
• Authentication
• NAC, 802.1x
• Wireless
• UTM
• Endpoint UTM
• DDOS
• NBAD
• SIM
• Risk Management
• BCP/DR
• Vulnerability Management
• Patch Management
• Virtual Machine - VMware
• Compliance / Policy management
• Identity / Provisioning Management
• Incident management
• Secure Application Development
• Platform Security (e.g. SAP, Mainframe)
• Database

There are also generic areas, and a detailed endpoint products area which I will discuss in another post.

Wednesday, September 12, 2007

What benefits have you received from ISO 17799 certification?

Q: What benefits have you received from ISO 17799 certification?
Other than the usual (managerial and legal) benefits of being standards compliant, what exactly have you gained from doing 17799? Would it really improve security for small organizations, or those with distributed working environments?


A: Hi ...,
ISO 27001 certification is very useful for any company whose business requires information security.

What I see in thousands of organizations is unstructured security practice. Or malpractice.

This discipline (information security) requires maturity like any other, and ISO 27001 is one nice way of getting maturity in practice.

Here are the characteristics of information security operations that we see every day:
• the information security operation does not have a clearly defined scope (e.g. is accounting in your scope?),
• information security does not have a well-defined process/lifecycle model,
• the information security operation does not have a risk management model and risk analysis,
• the information security operation does not have document management,
• the information security operation does not enforce regular audits,
• the information security operation does not have metrics and measurement in place.


ISO 27001, like many other security frameworks, promotes one main idea: a more secure operation. You may individually apply one or two of the missing components, but having everything organized under one framework, and having this certified by a 3rd party, has a different value.

Your organization gains a very important thing for its information security operation: governance.
With the certification you and the rest of the world will know the scope, processes, policies, documentation, risk management, audit plans, metrics and measurement, from which you can continuously improve your security level. As you know, according to the very basics of information security principles, you cannot improve a system where you do not have a well-defined scope, where you do not know the assets and risks, and where you cannot measure the metrics.

ISO 27001 actually delivers a security program to address your organization’s information security requirements. You can check CMM offerings to value the changes in information security with ISO 27001.

My organization gained a lot with the certification, and we still do because every year we go through it again. The certification is not for compliance; we actually improve our security posture, and this progress is verified/certified by 3rd-party accreditors.

Let me know if you have a specific problem.
cheers,
- yinal

Tuesday, September 4, 2007

Web Application Testing

Q: I am a performance tester. Can you suggest a third-party tool for network monitoring? Our application is web based and my client's requirement is to find latency and bandwidth.

A: Hi …
To find the real latency and bandwidth requirements of your web applications, a dedicated performance measurement tool would be more helpful than a network monitor.

For network monitoring, you can use a free or commercial packet sniffer with analysis capability. Check the utilities that use PCAP, or simply tcpdump, snoop, Kismet or Wireshark (a.k.a. Ethereal). But seeing all network data and analyzing raw data for application-level latency and bandwidth problems will require a lot of additional time from you. There are also professional network monitoring tools, but I will skip that part. You can monitor all traffic via taps and traffic replicators, or simply use NetFlow, sFlow or cflow data from routers. There are many tools to analyze network captures and flow data.

For your web applications what you need is a web performance test tool. A long list of test tools is at the URL below:
http://www.softwareqatest.com/qatweb1.html

Your options are:
1- Use a free tool from the list above.
2- Use a web-based performance measurement service. To use this kind of in-the-cloud service, your application must have public IP addresses (Internet facing). Gomez, Keynote and AlertSite are a couple of examples. Network Computing ran a test long ago: http://www.networkcomputing.com/showitem.jhtml?docid=1423f4
3- Use a professional load generator. All these appliances have a web testing feature. Web testing is not their strongest point (they are really good at generating IP traffic of all sizes, which helps to measure performance). These tools are for deep-pocket projects. Spirent Avalanche / Reflector and IXIA IxChariot are the first names.
4- For web application testing, there are complete toolsets (big-ticket items again). You can get much more than latency and server response time data. These tools come with ready-to-use test scripts and scripting environments. The big players are the usual suspects:
a. Mercury Interactive tools (acquired by HP): http://www.mercury.com/us/
b. BMC Performance Management: http://www.bmc.com/products/products_services_detail/0,,0_0_0_2001,00.html
c. CA Wily: http://www.wilytech.com/solutions/products/BRTAdapter.html
d. Compuware: http://www.compuware.com/products/vantage/464_ENG_HTML.htm . You can also get good network analysis tools from Compuware.
e. NetIQ's AppManager: http://www.netiq.com/products/am/default.asp
f. IBM (which is a mix of Rational, Candle and Micromuse): http://www-306.ibm.com/software/tivoli/products/composite-application-mgr-rtt/
g. Quest: http://www.quest.com/performance-management/
h. Veritas (now Symantec): http://www.symantec.com/enterprise/products/overview.jsp?pcid=2246&pvid=1861_1

Monday, September 3, 2007

Security of MVNO and MVNE

Q: I'm interested in deepening my understanding of the threats and risks connected to the deployment of MVNEs (Mobile Virtual Network Enablers) in an MNO (Mobile Network Operator) environment. If you have concrete experience in this area, I ask you to share the most important aspects an MNO should consider for the deployment of MVNEs.

A: A very important question. I am not from the telco world, but here is my view as an information security professional.
The answer depends on the deployment type. If the MNO will keep existing services in house but offer MVNE services to MVNOs, proper segmentation and segregation of roles are the key points.

If the MNO will replace existing internal operations or acquire new functionality with MVNE-based offerings, that is a more complex security situation. I will not discuss the specifics for that scenario since it is specific to the MNO infrastructure.

For security controls on MVNE services for MVNOs, I do not think that any MNO has the means to differentiate the virtual service provider's traffic at the field (base station) level. Base stations are trusted by the authentication stations and service gateways. I think it is okay to assume native GSM security is sufficient. Basically MVNO and MNO users will have the same level of security experience. This will be the least expensive way for the MNO as well.

Here are the possible problem points for the security of MNO/MVNO/MVNE types of deployment:

User Space:
1- Any existing application/feature that is based on handsets’ properties will not be valid for MVNO users (SIM-based applications, Java applications such as payment/banking, or client-based applications such as content players). Handsets will basically be out of control; it is good practice for the MNO to have a solid disclaimer at the initiation of the project.

2- The MNO will still be able to identify/authenticate and authorize all end users by SIM. I will not discuss how secure this is, but MVNO users will be as secure as MNO users. The MVNE will not utilize any new services but will need to access MNO resources. Communication must be managed.

Backoffice:
3- As stated above, the biggest concern will be the provisioning, performance and utilization of infrastructure (basically how to share it). The links between MNO and MVNE systems, esp. messaging/data access, must be regulated. Physical segmentation with proper audit trails would be nice. The MNO must have very clear visibility of MVNE operations, and the MNO infrastructure should support multiple MVNEs for business and technical reasons. Capacity planning will be very complex. QoS, VoIP and RSVP will be the tough words. But it is more of a deployment question than a security one.

4- Back-office service gateways, esp. IP security systems (e.g. proxies, LDAP, GPRS firewalls, URL filters, spam gateways, email/SMS gateways), are capable of supporting multiple providers. This won't be a main security issue. Check support for virtual systems on these gateways (e.g. virtual firewalls). MNOs can cross-sell their existing gateways to MVNEs or buy services from MVNEs for their own users. Security deployment should be structured. I do recommend following a framework like ISO 27001 to verify that all controls are in place.

If the architecture and the scope of the services are listed, it is possible to elaborate more on the specific controls.

cheers,
- yinal

MSSP History and Company Names

Since I started working actively in the MSSP field I have heard hundreds of stories about how lucrative the market is and why everybody should be in this business. There aren't so many pure-play managed security service providers, but all companies are offering something: integrators, telcos, product vendors, ASPs and ISPs keep offering managed security services. Of course this makes the market complex after several M&As, bankruptcies, takeovers, name changes and spin-offs. Here is a draft map that I had scratched in my notes. Again, this is a draft and open for corrections. Let me know what is missing in the picture.

MSSP Market - http://istanbul.tc/blog/MSSPhistory.pdf

Here is the list of companies in the map:

Charted:
AT&T, Ameritech, Pacific Telesis, Southwestern Bell, Bellsouth, Us West, QWest, Nynex, Bell Atlantic GTE, BBN Planet, Verizon Communications, SBC, SNET, Nap Net, Intermedi Network, Genuity, Fiberlink, Sprint, Verizon, Level 3, Nextlink, Concentric, XO, Allegiance, Exodus, Cable & Wireless, SIT Europe Aethis, Netvision, Global Sign, Network Exchange, ubizen, Baltimore PKI, Be Trusted, Three Pillars, Digital Mojo, TruSecure, Defcom, Cybertrust, Verizon Business, MCI, NetSec, KSR, Virtela, Aptegrity, Globix, Postini, Google, Unisys, Altoria, PresiNet, Neon, RCN, Quality Tech, E^Deltacom, Verio, NTT Bangalore Labs, Net ProActive, Planet One, UUNET, worldCom, OneSecure, RipTech, iDefense, Telenisus, DefendNet, Guardent, Symantec, Verisign, Farm9, Mailmax, SecurePipe, Alasson, Articon, Content Technologies, Articon-Integralis, Atlantic, Axipe, NetSecure, Abax Partners, ComCad, Tercom, Centaur, MessageNet, Guarded, Cybergnostic, MessageSecure, USNetworks, Permiter, RedCliff, Breakwater, Global One, Equant, Orange, Infonet, BT, Counterpane, T-Manage, Netrex, ISS, IBM, Verisect, Secure 360, RedSiren, SecureWorks, Lurgh, Boxing Orange, Megapath, Netifice, Solicium, Start Technology, Omnipod, MessageLabs, Vistorm, Netstore, Securalis, Thales, Telindus, Belgacom, Espria, Vigiland Minds, Solutionary, Diebolt, ExpertCity, Citrix, NetSolve, Cisco, MessageRite, Frontbridge, Microsoft, SiegeWorks, TrueNorth, FishNet

Not Charted:
Alliant Technologies, Altoria, Anchor Technologies, asiGuardian, BigCity Networks, CNS, CSC, Cyberklix, Generis Technologies, HostMySite.com, indevis, Lightedge, McKesson, Nexum, Positive Networks, QuoVadis, RKON, SADA Systems ,Secure Network Technologies, Signify, VanguardMS, Wipro, BTI Net, Armadillo ,NETBENEFIT, Zen Internet , Mistral Internet,DXI Networks. Atos Origin, Damavo, aimNet Solutions, iOmega, Netboundary, NUSpire, Rackspace, sureSec, Global Crossing, Open Systems, Netsieben, Above Security, Elefire Limited ,Wavenet, Illumen, eSentire,HarrierZeuros, EXL , Koc Net, VeroTek, Sirocom, VPN Solutions, Coalfire Systems, Total Sentry, Isblanket, Sentry Metrics, VPNet, Earthwave, Ambersail, NABLA, FrontGate Systems, Backbone Security, NetworkCloaking, Secure Crossing, Exceed Security, Lazarus Alliance,Intrusion Protection,Oxstrad