Monday, February 18, 2008

Enterprise File Transfer Solutions

Q:
I am researching best practices surrounding file transfer between business partners. The solution must be able to integrate with various back-end systems and offer Internet-facing FTP, SFTP and FTP-SSL.
I have identified the following requirements:
The solution must offer automated encryption/decryption via PGP.
The solution must be able to route the information received to its final destination.
No data may be unencrypted within the DMZ (must be encrypted before being sent, or decrypted after being moved internally).
Clarification
The PGP requirement is due to legacy considerations. All our current transfers are encrypted using PGP. I would entertain other encryption mechanisms, but PGP support provides the most effective migration strategy.


A:
Hi ...,
Best practices are the least headaches on the operations side :) (not necessarily on the security side). Best practices are usually determined by the resources and the flexibility of your operations.

You need a solution that is both transparent to existing operations and satisfies security and regulatory requirements. That is a double-edged sword.

If you have in-house developers, the most customizable way is to use the "PGP Command Line" series of products. This is very flexible since it works on all platforms.

SCP, SSL, SSH and SFTP are usually not the full answer set, since they encrypt "data in transit" but do not answer the "data at rest" questions. I like certificate-based encryption solutions, but that is far away from PGP keys.

When using a key-based solution, the ugly part is the automated key management with remote third parties. You can use a trusted directory like the PGP Global Directory for this purpose.

When you do not have the flexibility to touch anything on the servers and the hosts, there are gateway products:

Sterling Commerce, and Globalscape are referenced above.

You can also check Forum Systems' Presidio OpenPGP security gateway.

Tumbleweed SecureTransport is the other gateway that is used by financial services.

And there is PGP Universal Gateway.

There are several other "store and forward" / "message both parties" secure enterprise data transfer solutions; you can check the Ironport (PostX), Secure Computing (CipherTrust), Zix, Voltage, Entrust and Accellion websites for different solution sets.

Let me know if you have a specific question,
Regards,
- yinal ozkan
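The "PGP Command Line" style of automation, as an added example that is not part of the original post: an internal-side job that pulls partner files from the DMZ landing zone, decrypts them with GnuPG in batch mode, and routes the plaintext to a back-end directory, refusing ever to write plaintext under the DMZ mount. The paths, the `<partner>_<name>.pgp` naming convention and the ROUTES table are assumptions.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Assumed layout: the DMZ inbox is mounted read-only on the internal host and
# holds ciphertext only; plaintext may exist only under the back-end paths.
DMZ_INBOX = Path("/mnt/dmz/inbox")
QUARANTINE = Path("/srv/transfer/quarantine")
ROUTES = {                                 # constructed routing table
    "acme": Path("/srv/backend/acme/in"),
    "globex": Path("/srv/backend/globex/in"),
}
# Assumed naming convention: <partnerid>_<anything>.pgp, basename only.
NAME_RE = re.compile(r"[a-z0-9]+_[A-Za-z0-9._-]+\.pgp")


def route_for(filename: str):
    """Back-end destination for a received file, or None to quarantine it.
    Only a plain basename with a known partner prefix is accepted, so a
    crafted name cannot steer output outside the ROUTES table."""
    if Path(filename).name != filename or not NAME_RE.fullmatch(filename):
        return None
    return ROUTES.get(filename.split("_", 1)[0])


def plaintext_allowed(dest: Path) -> bool:
    """Policy from the requirements: decrypted data never lands in the DMZ."""
    dmz, dest = DMZ_INBOX.resolve(), dest.resolve()
    return dest != dmz and dmz not in dest.parents


def decrypt_and_route(ciphertext: Path) -> Path:
    """Decrypt one .pgp file unattended (keyring owned by the service
    account) and place the plaintext in its back-end directory."""
    dest_dir = route_for(ciphertext.name)
    if dest_dir is None:
        QUARANTINE.mkdir(parents=True, exist_ok=True)
        return Path(shutil.move(str(ciphertext), QUARANTINE / ciphertext.name))
    if not plaintext_allowed(dest_dir):
        raise RuntimeError("refusing to write plaintext into the DMZ zone")
    dest_dir.mkdir(parents=True, exist_ok=True)
    out = dest_dir / ciphertext.name[:-len(".pgp")]
    # --batch/--yes: no prompts. gpg verifies an embedded signature and exits
    # non-zero on a bad one; parse --status-fd output if unsigned files must
    # also be rejected.
    subprocess.run(["gpg", "--batch", "--yes", "--decrypt",
                    "--output", str(out), str(ciphertext)], check=True)
    return out
```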

Monday, February 11, 2008

Information Security Statistics

"Statistics are like a bikini. What they reveal is suggestive, but what they conceal is vital."

Recently a colleague of mine recommended that I use statistics in my presentations. When I see a bunch of numbers, pie charts and percent signs on the screen, I go back to the dot-com heyday: "By 2008 we will see world domination in ....."

Statistics are only useful when they are generated according to statistical reality. A complete statistical survey result must contain links to methodological details, including population coverage, sample design, sample size and several other quality indicators (for those who are wondering about the source of the FUD).

In the information security world, I see statistics like "according to xxx institute, 60% of US businesses were hacked last year, so you have to buy our product". I have been expecting this cheap FUD to be over for so long, but no, it keeps coming back.
Well, as the smart audience you should ask: what do you mean by hacking, how did you question the respondents, what is their role, what do they do, who do they work with, etc. You will end up with 300 respondents telling you the fate of the information security industry. By the way, I usually end up believing these numbers, since the survey respondents (supposedly CISOs) had nothing else to do but answer these valuable surveys, so that they form a lucky set of "60% hacked US operations".

Tuesday, February 5, 2008

Vulnerability Assessment Vendors

Q: Do you have any recommendations for the Vulnerability Assessment Vendors / Products / Services?

A: Hi ...,
My recommendations will not be neutral (since I did not evaluate all vendors), but I might help you identify the better vendors/products/services.

There are so many options; maybe that is why recommendations matter. Here is my quick and dirty list:

Option 1: You can go to a security consultancy shop and ask for a vulnerability assessment service.
All accounting firms and IT consultancy shops will offer something (PwC, Deloitte & Touche, Ernst & Young, KPMG, Grant Thornton LLP, or BDO). There are risk management companies like Protiviti who can also offer high-end assessment services.

As expected, the bodyshops with security practices like CSC and IBM offer vulnerability assessment services, along with the telcos (Verizon, AT&T etc.).

And of course all security integrators offer the service.

My quick qualification criteria would be:
1- See the actual resumes of the consultants who will perform your scan; buy consultants, not the brand. If possible, interview the consultants.
2- Check methodology documents from the consultancy shop; make sure that the structure is detailed enough for your requirements. You may also check against frameworks like OSSTMM, OWASP etc.
3- Check previous deliverable documents (sanitized versions).
4- Check references.

Option 2: Using regular vulnerability scanner products in a box: you can start with free Nessus and go all the way with Tenable, nCircle, ISS, Foundstone (McAfee), eEye, SAINT etc.
These products require your internal resources, but you have the option to automate scheduled or event-driven scans.

My quick check list would be:
1- Research arm depth of the vendor: are they using public data or actual vulnerability research information?
2- Open source integration, ability to support custom signatures, third-party signatures
3- Integration with other enterprise tools, esp. with IPS, SIEM, GRC and help desk systems
4- Easy to use, easy to configure, support for distributed deployment
5- Ability to understand network topology (hosts behind a firewall, hosts that are not routable, or hosts that have a host firewall etc.)
6- Non-intrusive
7- Speed – must be fast enough to scan a large quantity of hosts in a limited time frame


Option 3: Find an in-the-cloud service offering from product companies or specialists like Outpost24 and Qualys (vulnerability-scanner-as-a-service or on-demand vulnerability scanning), or from managed security services providers (MSSPs). Payment card industry approved scanning vendors (ASVs) may give you a good start for the list of service providers:
https://www.pcisecuritystandards.org/pdfs/asv_report.html
Lately all product vendors have joined the long list of on-demand remote scanning providers.

When buying a service, make sure that you check both the option 1 and option 2 checklists; you need both. It is also important to see how a remote scanning company will scan your internal systems: they need a device at your premises (CPE), which should not require a lot of attention, firewall configuration etc. I have also seen that self-service providers should have state-of-the-art portal interfaces to manage your scans. Test the portals before moving forward.

Option 4: Specialty scanners. So far I have talked about regular network scanners. If you are planning to scan a web application, a database or an enterprise application with XML transactions, you should check different vendors/consultants/services. The criteria are a little bit different; deep application know-how is a must. There are also a couple of pen test tools in the market (e.g. Core Impact).

I strongly recommend going over the following ppt to find out what is out there:
http://www.owasp.org/images/f/ff/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt

Well, still no recommendation, but please let me know if you have any specific questions,

Regards,
- yinal ozkan