Saturday, October 16, 2010

Why Did Nokia Fail in Enterprise Smartphone Business?

Q: Why Did Nokia Fail in Enterprise Smartphone Business?


I do write about security, but seeing Nokia fail hurts everyone (When Dilbert Came to Nokia: http://www.theregister.co.uk/2010/10/14/nokia_dilbert/). So here is my part of the story.

Being part of one of the largest Nokia Enterprise Security Partners, we felt the Dilbert story of the Nokia organization at first hand. Since Nokia Enterprise Security is no more, I can write about what happened. It was around 2004 when Nokia reps and SEs started to visit us regarding “Mobile Business Solutions”. Even back then Blackberry was very popular, so we developed an interest in the “free” Nokia phones handed to us by Nokia.

Nokia Access Mobilizer (NAM, which became N1BS - Nokia One Business Solution) was our first hit. Our idea was that Nokia would deliver an excellent mail server, and then Blackberry would be history.

Here is an email I wrote to a colleague in 2004 regarding NAM / N1BS.

Here are my notes:
N1BS is the new name that Nokia marketing geniuses found for Nokia Access Mobilizer. N1BS stands for Nokia One Business Server.
N1BS does not run on classic Nokia hardware and the IPSO operating system. Instead, this product runs on a specific blend of Linux called IPSO-SX and a proprietary "Intel" server called EM6000. If you need to dig more, here is Nokia's acquisition path for these products:
a- N1BS was acquired from EIZEL in 2003. Its original name was Amplifi: http://web.archive.org/web/20030422051926/http://www.eizel.com/
b- The Linux kernel for IPSO-SX is from MontaVista. Isn't it a coincidence that MontaVista is a Linux distributor for mobile phones :) http://www.mvista.com/
c- The EM6000 hardware is from Ablecom, which sells the system under the name superserver: http://www.ablecom.com/system/6013p-8.htm

N1BS is good for the following:
1- Any mobile device with a WAP browser can access any web page through its proxy: device independent internet service. N1BS morphs the web pages to your tiny mobile device screen.
2- Email and PIM (calendar, contacts) integration. Supports Exchange and Lotus Notes in native mode.
3- Offline sync for PIM and e-mail (through IMAP client).
4- Content processing: N1BS aggregates/abbreviates the data for you. Image processing: images are re-rendered.
5- Viewers for most of the attachments, e.g. PowerPoints and PDFs on your phone.
6- Secure, reliable, flexible etc., enterprise marketing stuff..

Here are the highlights that drew my attention:
a- Licensing is important. This device uses FlexLM licenses. This means you get a LAC (License Authorization Code) and generate the real license on the Nokia web site. 2 per LAC.
b- Sensitive information on the device is encrypted with Blowfish.
c- Regular RPM packages are installable with the newpkg command. Nokia recommends some packages, so this means it does not break the support agreement.
d- There is an integrated PostgreSQL on the box.
e- X libraries are there too. The reason is attachment processing.
f- No "Voyager" or "Clish" on this new IPSO-SX. You are on your own.
g- No HA or load balancing solutions are in place.
h- No central authentication system integration (LDAP, RADIUS, AD etc.). Even with RADIUS you need to define users one by one.
i- No central "config" file like IPSO.
j- No CD bay on the EM6000 hardware.
k- No cron :)
l- No SSL accelerator.
m- Nokia gives NAM support from India.
n- There is an integrated OpenOffice for attachment viewing.
o- You may see the NAM, MCA and Documa names in the documentation. They all mean N1BS.
p- No SNMP integration.
There is a rumor that Nokia will use this IPSO-SX on the firewalls too, but I think it is still too early (see the items above that start with "No"). I have heard that Nokia quit Message Protector, which was also running on IPSO-SX.

N1BS was a brilliant idea: back then smartphones were very expensive and there was a clear need for a mid-market mail solution. With SyncML and integrated mail/calendar/contact synchronization this was the right solution for the midmarket. It also had auto abbreviation, which made sense when data cost an arm and a leg.. So we made the decision and I spearheaded the investment in developing a managed services solution for N1BS.. Then came the Nokia announcement: “We do not think that N1BS works like Blackberry so we are changing the platform”.

When Nokia canceled N1BS you could tell there was internal friction in the Nokia organization. In September 2005 (http://www.theregister.co.uk/2005/09/13/nokia_unveils_mobile_email_drive/) Nokia told us that we were supposed to use Nokia Business Center (NBC); NBC would support push mail, which N1BS lacked. So we formatted the N1BS server and started from scratch with NBC. We were still OK because I was a big fan of my S80 9500. We believed in Nokia and continued to market the Nokia mail solution. We built the NBC server and tried to build the services around it. But there were problems; here is an email I wrote in Oct 2005. You can tell that NBC was buggy.. Now looking back, I can tell what the problem was: the Symbian group did not work with the NBC group at Nokia, they were simply different business lines (retail vs enterprise), so NBC could not use any of the OS level features, even cut&paste was not available to the NBC mail client. Without phone OS integration NBC's doom was sealed.

The email client interface is not good. It lacks the basic editing functionality of the Nokia Symbian interface. I could not even select, cut & paste the e-mail content. Mouse-over dial/e-mail things do not work; I have to go over the menu. The format of the message bodies is clumsy.
If this is a unified messaging tool, then it should. I like the built-in messaging interface more. The built-in mail client has the ability to forward mails to cell phones and fax (fax, SMS, MMS profiles). The built-in client works perfectly.. on the other hand the NBC client is worse than the built-in mail client.
External e-mail does not work, with the following message:
Sending of e-mail failed . Please try again
mail.send.failed:Invalid Addresses
nested exception.js
class.javax.mail.SendFailedException: 451 Can't connect to gmail.com – psmtp
This problem has been fixed.
PIM sync has its own problems.
This problem has been fixed. I get "PIM sync failed" errors sporadically. It works after 2-3 trials.
When I forward or reply to an e-mail with NBC, I do not see the forward/reply information in Exchange. It only marks read/unread data. If an e-mail is forwarded or replied to via the Business Center client, Exchange does not update the forward/reply history.
Embedded URL links are stripped. No URL links in incoming mail.
URL links are stripped by the NBC server or the client. An example is the following mail. Attached below is the Outlook version where the URL and the links are working.. On NBC both the format is gone and there are no links..
I did a couple of tests; this mail goes to gmail as a multi-part message in MIME format with base64 encoding. That may be the problem.
NBC does not work well with these mails.
Attachments open a separate interface when 'add' is chosen. This interface requires shut down after adding the attachment. This problem has been fixed.
I could not manage to delete/edit the original mail content when replying.
Connectivity is a big problem… It never survives the night. Executives will not like that.
Clients still hang due to GPRS errors. If they are left on all night (sometimes) or the phone is shut down during communication, the client hangs in the "connecting" state.
Here is the fix that works for me:
  1. From the tools conn.manager menu highlight the GPRS connection and disconnect
  2. Go to the NBC client and switch to offline
  3. Reconnect from NBC and choose the GPRS connection.

Wouldn't it be easier if the NBC client disconnected GPRS and reconnected instead of trying "connecting" for hours..?
But if the G sign is still there and the connection is not there (G sign not in the box), the conn manager displays received/sent 0/0kB, duration 00:00:00; this means the remove-the-battery hard reset solution.. I cannot kill/disconnect an already disconnected GPRS connection..
This will be annoying for novice executives..
Sometimes after rebooting I get the "install business extras?" installation prompt even if it is installed.. Usually the phone crashes afterward; a second remove battery / insert battery solved the problem.. Can we request a reboot, or a ctrl+alt+del button?
Signature sends a garbage character with rich text. There is no option to choose a text/html-only signature.
Directory search does not search the local contacts database. Sending e-mail to local contacts is difficult.
When the phone is off (or no coverage), NBC does not work over wi-fi for the 9500. There is no switch connection option either.


You would think Nokia was settled? No: right after we deployed NBC, Nokia announced that they had acquired Intellisync (Nov 2005) for $430M (http://www.infoworld.com/d/networking/update-nokia-acquires-intellisync-430-million-221). I was furious; I had developed a solution 2 times for nothing. Intellisync was simply a replication platform on steroids. It was replicating files, emails, whatever it could find. Nokia liked it because Verizon and Vodafone used it.. (Service providers used Intellisync because it was cheap).. Right after the acquisition, I was told we should wait because Intellisync did not match the development quality of Nokia…. It was so bad that even internal Nokia employees couldn’t switch; they were still on NBC.. So within that turmoil I was invited to a partner conference. The partner conference was for Nokia Business as it is described in the recent Register article.

So this time we did not move.. In 2006 I received an invite from Nokia:


Hello Nokia Partner,
Just a note to remind you to register for the Nokia Enterprise Solutions Partner Conference in Boston next month on October 25-27 2006.
Your participation and feedback as one of our most valued partners are vital to our continued growth and success together. This will be one of the most substantial and important Partner Conferences we have had in a number of years. This event will be an opportunity to meet and listen to Nokia Enterprise Solutions Senior Management as they share their vision and strategies for the enterprise market. Mary McDowell, Executive Vice President and General Manager, Nokia Enterprise Solutions, David Petts, Senior VP Global Sales, Marketing & Services, Nokia Enterprise Solutions, and other members of the Nokia management team will be there to present their ideas and to meet you personally.
You do not want to miss the kick off of our newly designed Partner Program or the roll out of new products that will offer your business new strategic directions.  I guarantee you will leave the conference excited, energized, and ready to get to work.  We also have a little fun planned.


During the conference I did speak. I told hundreds of Nokia executives that as a partner I had lost my confidence that Nokia could deliver a solution that could last more than 1 year.. Nobody listened; they were all lost in the glory of "Intellisync". They didn’t even know about the competition. I remember 1 comment, “We are bigger than Microsoft in Operating Systems”… That was nothing more than self-soothing propaganda; as we all expected, the truth was not so far in the future (http://www.theregister.co.uk/2010/10/22/symbian_wound_down/).

So Nokia Enterprise Business gave their promise on 2 major tickets at the Boston conference:
  • Intellisync is the last stop, trust us, and invest in Intellisync
  • Nokia IPSO platform is here to stay, trust us, do not invest in any other appliance


I was like Cassandra. As expected, nothing happened with Intellisync; Nokia was so lost, and you could tell when they announced that they were killing Intellisync (http://www.open-horizons.net/blog/erno/replacement-strategies-did-nokia-kill-intellisync-or-protect-your-investment). In Sep 2008 Nokia made the expected announcement:


"The Nokia-Microsoft collaboration to bring corporate mobile email to businesses and mobile professionals is truly unbeatable. No other device manufacturer provides the wide range of devices that we have which immediately mobilize the hundreds of millions of email accounts from Microsoft Exchange," said Anssi Vanjoki, Executive Vice President, Markets, Nokia. "The costs of mobility are contained as companies are able to utilize existing Microsoft Exchange infrastructure, and there is also the strong possibility that a large number of employees already have one or more of the 43 Nokia devices that enable Exchange ActiveSync -"
http://www.designtaxi.com/news/20941/Nokia-brings-Microsoft-Exchange-ActiveSync-Corporate-Mobile-Email-Solutions/


But this time we were prepared; we already had Blackberries everywhere..


Sunday, August 22, 2010

IT-GRC ( Governance Risk and Compliance) Tools - 2010

I have updated this list (October 2011); you can find the recent copy at this URL:
http://security.24kasim.org/2011/10/itgrc-software-vendors-2011.html

Here is the 2010 version:
-----------------------------------------------------------------------

I stand by my statement that IT-GRC does not stick, for several reasons.

My previous posts with risk management frameworks and tools are at this link (I will update risk management tools next month)

Currently there are 4 types of companies at IT GRC market:
1- IT-GRC vendors: IT Risk Management solutions with integrated workflow and compliance features.
2- Enterprise GRC vendors: Audit driven ERM tools expanding into IT GRC space
3- Glorified Access Control Tools: This is the world of SAP, Oracle and the related vendors ( note to the vendors - GRC is not SoD)
4- Compliance Management Tools (without risk focus)

There are a lot of changes in the market. The market is not as colorful as in 2009. I think the main reasons are:
1- The global market for pure IT-GRC vendors is still around $120M/year.
2- Entry to the market is not very difficult.

Big News are:
CA killed the whole GRC Manager line.
Archer was acquired by RSA (of EMC) - 04-Jan 2010
Compliance Spectrum is now history.


Before moving forward, please remember that Excel is 'by far' the most common application in IT-GRC market : )

IT-GRC vendors

Agiliance
http://www.agiliance.com/
RSA eGRC - Archer
http://www.rsa.com/node.aspx?id=2428
Trustwave GRC (Control Path)
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://www.symantec.com/business/control-compliance-suite
Modulo
http://www.modulo.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Lumension
http://www.lumension.com/Solutions/IT-Risk-Management.aspx
BPS
http://www.bpsresolver.com/
Avedos
http://www.avedos.com/en/home/home.html
BWise
http://www.bwise.com/
Neupart
http://www.neupart.com/
Metric Stream
http://www.metricstream.com/
Nemea
http://www.nemea.us/
Highpoint
http://www.highpointgrc.com/
Paisley Enterprise GRC® for IT (Requires registration to display product information :)
http://paisley.thomsonreuters.com/website/pcweb.nsf/pages/ARAE-6XLQSR
OpenPages
http://www.openpages.com/solutions/governance_risk_compliance_management_solutions.asp
IDS Scheer (GRC is a part of BPM offering)
http://www.ids-scheer.com/us/en/ARIS/ARIS_Solutions/Governance_Risk__Compliance_Management/139893.html 
ARC Logics  - Axentis (same company for CCH TeamMate audit)
http://www.axentis.com/Products/Axentis/ProductOverview.html
Methodware
http://www.methodware.com/grc/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Compliance 360 ( eGRC )
http://www.compliance360.com/
eGestalt SecureGRC -  SaaS hosted GRC offering
http://www.egestalt.com/
Aline GRC
http://www.alinegrc.com/GRC-Platform/20/
TrueArx
http://www.truarx.com/
Easy2Comply
http://www.easy2comply.com/
SAI Global
http://www.saiglobal.com/compliance/grc-software/


There are many other tools with ERM (Enterprise Risk Management), Compliance Management, Audit and Access Control Governance feature sets.

Here is a long list of indirect GRC software providers that make auditors happy:
Oracle (formerly Logical Apps and Oracle GRC Manager)
http://www.oracle.com/solutions/corporate_governance/it-grc-management.html
SAP (no clear IT-GRC besides Access Control - SoD)
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
Greenlight
http://www.greenlightcorp.net/index.aspx
Qumas avoids GRC term (Regulatory Compliance)
http://www.qumas.com/
Aveksa (Enterprise Access Governance)
http://www.aveksa.com/
Trintech (Financial controls- no IT)
http://www.trintech.com/
Doublecheck ERM
http://www.doublechecksoftware.com/solutions.htm
ACL - Transactional controls testing
http://www.acl.com/products/ccm.aspx
Approva (ERP Audit / SoD on steroids)
http://www.approva.net/solutions/itsecurity/
Strategic Thought (Full Service ERM)
http://www.strategicthought.com/
Open Text Governance, Risk Management & Compliance
http://www.opentext.com/2/global/sol-products/sol-pro-compliance-governance/pro-open-text-governance-risk-compliance.htm
Enablon - ERM
http://enablon.com/products/risk-management.aspx
Pentana Audit Work System (risk Audit)
http://www.pentana.com/products.asp#PAWS
Grant Thornton - Compliance Management - GT acquired  Avalion Consulting ComplianceSet solution
http://bit.ly/9bvCFB (Long URL shortened)
Incom Enterprise Risk Mgr ISO 31000
http://www.incom.com.au/products.asp?ID=407
EIQNetworks SecureVue also avoids the GRC acronym
http://www.eiqnetworks.com/products/SecureVue.shtm
Brinqa brings privacy, identity and vendor management http://www.brinqa.com/solutions
SecurityWeaver (SoD tool) http://www.securityweaver.com/Products_Separations_Enforcer.asp
ControlpanelGRC - SOX compliance for SAP users http://www.controlpanelgrc.com/
Xpandion SAP Security - http://www.xpandion.com/


IT-GRC software makes our lives more organized, but we should not forget the motto of the CSI audit people: ‘A fool with a tool is still a fool’.

Thursday, June 17, 2010

Free and Commercial Firewall Analysis Tools

Q: Hello,

Do we have a tool for analyzing Cisco ASA/PIX and router config files? The client has a 2500 line config, and I would like to be able to run some reports on the configuration.

Thanks,

A:
There are several audit tools with different features. The most common features in these tools are:
  • Rule Analysis to detect security holes in the configuration (e.g. "allow any" rules)
  • Configuration Analysis to find duplicate, overlapping or unnecessary settings, rules and objects
  • Logfile Analysis to find the most used rules and objects
  • Rulebase Analysis to find unused or unconsolidated objects and rules
  • Simulation of changes
  • Risk Analysis
  • Access Analysis across multiple firewalls' rules (can point A reach point B using service C?)
  • Workflow automation
  • Backup management
  • Normalization of different firewalls' rules (e.g. Cisco, Juniper and Check Point in the same format)
  • Change Management
  • Regular Log Analysis

Of course, it is not possible to find all features in all solutions. Firewall vendors also provide several tools to make audits easy.

That being said, I have seen 2 freeware config audit tools for Cisco (RAT and Nipper):
http://www.titania.co.uk/ Nipper
http://ncat.sourceforge.net/ RAT

The commercial area is more active, and the products usually cover the usual suspects (Check Point, Juniper, Cisco, Fortinet):

http://www.tufin.com SecureTrack, SecureChange Workflow
http://www.algosec.com Firewall Analyzer, FireFlow
http://www.securepassage.com Firemon
http://www.manageengine.com Firewall Log Analyzer
http://www.skyboxsecurity.com/ CertiFire, Firewall Analysis
http://www.redseal.net/ Redseal Vulnerability Advisor
http://www.athenasecurity.net FirePac, Verify

Let me know if you have a specific question.
cheers,
- yinal
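As an added illustration of the rule and configuration analysis features listed in the answer above (example code written for this page, not part of the original answer and not taken from any of the tools named), here is a small Python checker over a constructed ASA-style access list. It flags "permit ip any any" rules, exact duplicates, and rules shadowed by an earlier rule, which on a first-match ACL are unreachable (a deny that sits below a broad permit is a security hole, not just clutter). It only understands the any / host / subnet-mask address forms and "eq" ports; lines using object-group, object or range are reported as skipped rather than guessed at.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample ASA config fragment: documentation addresses, not a customer's rules.
SAMPLE_CONFIG = """\
hostname edge-asa
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit udp any 10.20.0.0 255.255.0.0 eq 53
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny tcp any host 203.0.113.11 eq 22
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class Rule:
    acl: str
    line_no: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]  # destination port after "eq"; None means any port

    def key(self):
        """Identity of the rule without its position, used for duplicate detection."""
        return (self.acl, self.action, self.proto, self.src, self.dst, self.port)


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK": ASA ACLs use real subnet masks, not IOS-style wildcards
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rules(config_text):
    """Parse 'access-list NAME extended' lines. Lines using object-group, object or
    range keywords are not understood and are returned in the skipped list."""
    rules, skipped = [], []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        if any(t in ("object-group", "object", "range") for t in tokens):
            skipped.append(line_no)
            continue
        try:
            src, i = _parse_addr(tokens, 0)
            dst, i = _parse_addr(tokens, i)
        except (IndexError, ValueError):
            skipped.append(line_no)
            continue
        port = tokens[i + 1] if i + 1 < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(acl, line_no, action, proto, src, dst, port))
    return rules, skipped


def covers(earlier, later):
    """True if every packet matched by `later` already matches `earlier`. With
    first-match evaluation that makes `later` unreachable (shadowed)."""
    return (earlier.acl == later.acl
            and earlier.proto in ("ip", later.proto)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.port in (None, later.port))


def analyze(config_text):
    """Findings: permit-any rules, exact duplicates and shadowed rules; duplicates and
    shadowed entries are (line, earlier_line) pairs."""
    rules, skipped = parse_rules(config_text)
    permit_any = [r.line_no for r in rules
                  if r.action == "permit" and r.proto == "ip"
                  and r.src.prefixlen == 0 and r.dst.prefixlen == 0]
    first_seen, duplicates, shadowed = {}, [], []
    for idx, rule in enumerate(rules):
        if rule.key() in first_seen:
            duplicates.append((rule.line_no, first_seen[rule.key()]))
            continue
        first_seen[rule.key()] = rule.line_no
        for earlier in rules[:idx]:
            if covers(earlier, rule):
                shadowed.append((rule.line_no, earlier.line_no))
                break
    return {"permit_any": permit_any, "duplicates": duplicates,
            "shadowed": shadowed, "skipped_lines": skipped}


if __name__ == "__main__":
    for finding, items in analyze(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

On the sample, line 4 is the permit-any, line 5 duplicates line 2, and lines 6 and 7 are shadowed (the deny on line 6 never fires because of line 4).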

HIPS and VPN Concentrator Network Deployment

Q: How to decide the placement of a Host Based Intrusion Prevention System & VPN Concentrator?
What are the criteria to decide the placement of HIPS and VPN Concentrator?

A: Hi XXXXX,
Your question generated more questions than answers : )
Here is how I think about where host-based IPS should be:
  • HIPS should be installed on hosts which need IPS (based on risk assessment).
  • HIPS should not be installed on hosts where installing a 3rd party agent may decrease the reliability of the services on the host system.
  • HIPS should not be installed on hosts where installing a 3rd party agent may slow down the host system due to extra resource utilization, added latency etc.
  • HIPS should be installed when it is possible to manage it. In large scale deployments remote installation, central management etc. are usually more important than security.
Here are the important points of VPN concentrator placement:
  • It is recommended that your VPN concentrator has trusted and untrusted segments (it is also possible to deploy one-arm single interface deployments, but for management and audit I do recommend 2 segments, where the untrusted segment is Internet facing).
  • The untrusted segment should be protected by a firewall (usually in a dedicated DMZ) even if all VPN vendors claim to be very secure. Make sure that the firewall protecting your VPN supports IPSEC pass-through (if you are using IPSEC).
  • Instead of hooking the trusted (internal) segment into your internal networks, connect your trusted segment back to the firewall so that decrypted traffic is firewalled. If you have an IPS, make sure that the IDS/IPS is inspecting the decrypted traffic.
  • Make sure that you have a dedicated management network to manage the VPN concentrator. If you do not have an extra management interface, use the trusted interface for management. Do not allow management over the untrusted interface.
  • Do not deploy NAT before the VPN traffic hits your concentrator; try to use real public IP address(es) on the untrusted/public side of your concentrator, since using private addresses may create configuration nightmares.
  • Check destination networks for VPN clients or remote VPN sites on your network. Analyze the protocols. Sometimes, based on the nature of the traffic (e.g. complex VoIP), you may need to hook your concentrator directly into your network. Always check reverse routing for VPN networks.
  • Verify IP addressing assignments for VPN clients; choose a subnet that will not create internal routing problems (e.g. overlapping IP address space, dynamic routing etc.). If you are dealing with site-to-site VPNs, make sure that you address overlapping IP address spaces.
  • Check the location of authentication servers. The concentrator must be placed in close/redundant proximity to the authentication servers (AD, RADIUS, TACACS, LDAP etc.). Make sure that the communication with the auth servers is not an issue.
  • Verify multiple entry points: if you are deploying concentrators in HA, make sure that failover works properly, and that NAT issues and IP address assignments for different concentrators are configured properly. Also make sure that your access logs can be unified.

Let me know if you have a specific question,
Cheers,
- yinal
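An added example (written for this page, not from the original answer) of the addressing and reverse-routing checks above: given a constructed addressing plan and a core router's routing table, it reports VPN client pool or site-to-site prefixes that overlap internal networks, and VPN prefixes whose longest-prefix match on the core router does not point back at the concentrator's trusted interface. The networks, next hops and the concentrator address are all made up for the illustration.

```python
import ipaddress

# Constructed addressing plan and routing table for illustration only; none of
# these prefixes, next hops or the concentrator address come from a real deployment.
INTERNAL_NETS = ["10.0.0.0/16", "10.1.0.0/16", "192.168.10.0/24"]
VPN_CLIENT_POOL = "192.168.10.0/25"                     # carved out of an internal LAN: bad
SITE_TO_SITE = {"branch-a": "172.16.0.0/24",
                "branch-b": "10.1.5.0/24"}              # collides with 10.1.0.0/16: bad
CONCENTRATOR_TRUSTED_IP = "10.0.0.254"                  # trusted-side interface of the VPN box
# Core router table as (prefix, next hop); "connected" marks a directly attached LAN.
CORE_ROUTES = [("10.0.0.0/16", "connected"), ("10.1.0.0/16", "10.0.0.1"),
               ("172.16.0.0/24", "10.0.0.254"), ("0.0.0.0/0", "10.0.0.1")]


def check_overlaps(internal, pool, sites):
    """Report VPN prefixes (client pool or remote sites) that overlap an internal network."""
    findings = []
    for net in map(ipaddress.ip_network, internal):
        if ipaddress.ip_network(pool).overlaps(net):
            findings.append(("client-pool", pool, str(net)))
        for name, remote in sites.items():
            if ipaddress.ip_network(remote).overlaps(net):
                findings.append((name, remote, str(net)))
    return findings


def best_route(routes, target):
    """Longest-prefix match for `target`, the way a router picks the route for a packet."""
    target = ipaddress.ip_network(target)
    best = None
    for prefix, next_hop in routes:
        prefix = ipaddress.ip_network(prefix)
        if target.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def check_reverse_routes(routes, vpn_nets, concentrator_ip):
    """Every VPN prefix must route back to the concentrator's trusted interface.
    A default route is not good enough: replies would leave toward the Internet
    (or, after an overlap, toward the internal LAN) instead of the tunnel."""
    problems = []
    for name, net in vpn_nets.items():
        match = best_route(routes, net)
        if match is None or match[1] != concentrator_ip:
            problems.append((name, net, None if match is None else match[1]))
    return problems


def audit(internal, pool, sites, routes, concentrator_ip):
    """Run both checks over one addressing plan and return the findings by category."""
    vpn_nets = {"client-pool": pool, **sites}
    return {"overlaps": check_overlaps(internal, pool, sites),
            "missing_reverse_routes": check_reverse_routes(routes, vpn_nets, concentrator_ip)}


if __name__ == "__main__":
    for finding, items in audit(INTERNAL_NETS, VPN_CLIENT_POOL, SITE_TO_SITE,
                                CORE_ROUTES, CONCENTRATOR_TRUSTED_IP).items():
        print(f"{finding}: {items}")
```

In the sample, branch-b's prefix is swallowed by the internal 10.1.0.0/16 route and the client pool falls through to the default route, so return traffic for both would never reach the concentrator.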

Saturday, June 5, 2010

Why did Symantec buy Verisign's security business?

Q: Why did Symantec buy Verisign's security business?
A 3.5 revenue multiple for a revenue stream comprised largely of a commoditized business (SSL) begs for a strong rationale that goes beyond pure top line growth for this acquisition. Would love to hear of use cases that this will enable that will result in new products/offers from this combined entity.

A: Here are quick comments:
1- Symantec will have direct access to almost all major enterprise accounts through Verisign's SSL certificate relationships. There are a lot of cross-sell opportunities for Symantec, such as securing server-to-server communication. On the retail side Symantec can cross-sell the Norton line at Verisign's high-volume SSL online store.

2- Last year Verisign sold its MSS (to SecureWorks) and security consulting (to AT&T) units; these were the units overlapping with Symantec. The security products that Symantec acquired from Verisign do not overlap with Symantec's existing portfolio.

3- Related to the note above, Symantec could not provide full identity management solutions. With the Verisign acquisition (SSL certificates, Trust Seal, PKI, VIP) they will fill in a big gap. This creates a nice go-to-market plan, e.g. hosted PKI, Norton Identity Safe etc..

4- All cloud based / remote management solutions (e.g. HEP from Symantec) rely on certificates; the Verisign acquisition will play a strong role in Symantec's cloud strategy. Identity security is a key building block in delivering cloud based solutions for data security and compliance.

5- Check out the PGP and GuardianEdge acquisitions. They will all integrate well with the Vontu line when Verisign's solutions are added to the mix.. Verisign complements encryption really well. Re-evaluate the data at rest, data in transit and data in use terms : )

6- Verisign has a good brand name; Symantec can definitely leverage the Verisign name.

7- The value of the deal can be multiplied if Symantec manages to integrate its security solutions (including this Verisign portfolio) with its Veritas, Altiris, MSS, and Hosted Security (MessageLabs) lines.

Let me know if you have a specific question,

regards,
- yinal ozkan (on personal behalf)

DLP as a Service: What's the business case for this?

Question:
DLP as a Service: What's the business case for this?

Answer:
Xxxxxx,
DLP can leverage all the advantages of "service-alization" on legacy information systems.
If we define a service as a standard offering delivered by a service provider, the business case (of DLP as a service versus a technology solution) can be summarized as:
1- Leveraging economies of scale by utilizing shared resources at the service provider.
2- Leveraging deep-dive technical specialization at the service provider, since the service provider can afford dedicated specialists (not because they are more intelligent). Leveraging know-how gained from managing multiple customers.
3- Measurement and metrics program guaranteed by service level agreements.
4- Ability to scale up/down easily; more reliability and redundancy on the provider side.
5- The old capex vs opex discussion.
6- No operational worries (e.g. who will patch my appliance) / focus on core business goals, competitiveness.
7- Pay as you go elastic service.

But if you look at DLP specific cases, the answers could be categorized in many different buckets (this might be different for different organizations). We believe that a DLP program must include:
• DLP program management (GRC, Policies , Procedures)
• Endpoint enforcement components,
• Secure remote access components,
• Data classification & governance components,
• Encryption components
• Rights management components.
• Training and user awareness component
• Incident management component
• Central monitoring, access control, RBAC: the usual InfoSec components

This can all be offered as a hybrid service of people, process, technology and managed services. Usually an important component of a DLP program is the network based DLP gateway solution. A managed offering for a network level DLP gateway may offer:
1- Ability to get a clean pipe from the service provider (e.g. prevention in the cloud)
2- Ability to leverage a wide set of solutions for the recognition of different data types / file formats, since the service provider is developing the service for other customers too
3- Ability to get experts for custom scripting (yes, you will need this)
4- Transparent deployment
5- Correlation of events with other network activities (e.g. IPS, anomaly detection, content security solutions, firewalls, AV etc.)



Open Source IDS/IPS

Question: Is there an open source IDS or firewall which alerts the command center or system administrator by pager, e-mail or cell phone when an event listed on the company’s security event list is triggered?

Answer:
Xxxxxxxxxx,
The answer will depend on the company’s security event list. The first prerequisite is that you need to find an open source IDS or firewall that can detect the security events in the list. The detection success rate will depend on the complexity of the security events in your list.

Firewalls are usually not very good at malicious activity detection, so an IDS/IPS is a better idea. Snort is a good start (http://www.snort.org/). It is open source and it allows you to configure your custom detection signatures and rules.

Alerting is simple: you can configure Snort to alert via e-mail. E-mail messages can be converted to SMS and pager messages easily (you may need to pay for SMS messages depending on the destination and/or geographic location).

For IDS/IPS deployment you have to be careful. You might be receiving millions of alerts, so forwarding them as messages might not be the best idea. You need to tune your IDS to report real incidents only (e.g. you may have detected 1 million identical events, but all you need to know is what the incident is, when it started and what the frequency is). Also remember that Snort will only inspect cleartext traffic on day 1, unless you are decrypting the encrypted traffic.

Another approach is to use a Security Information and Event Management (SIEM) solution in addition to the IDS. Forward all Snort alerts and other alerts (e.g. Windows logs, syslog) to your SIEM tool and make sure that the SIEM consolidates, normalizes and correlates the alerts for you, so that you receive the ultimate information from the SIEM instead of the IDS tools. There are open source SIEM tools like OSSIM (http://sourceforge.net/projects/os-sim/) and Cyberoam iView (http://sourceforge.net/projects/cyberoam-iview/files/).

Let me know if you have a specific question,

Cheers,
- yinal
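An added example (written for this page, not part of the original answer) of the tuning step described above: it parses constructed Snort alert_fast-style lines (the SIDs are made-up numbers in the local rule range and the year is assumed to be 2010, since the fast format carries no year), collapses them into incidents keyed by signature, source and destination, and emits a notification only when a per-priority count threshold is reached and then at most once per window. The operator gets what the incident is, when it started and how often it fires, instead of one page per packet.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed Snort alert_fast-style lines. SIDs are made-up numbers in the local
# rule range (1000001+) and the addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
10/16-02:00:01.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 2] {TCP} 198.51.100.7:51000 -> 10.0.0.5:22
10/16-02:00:01.500000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 2] {TCP} 198.51.100.7:51001 -> 10.0.0.5:22
10/16-02:00:02.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 2] {TCP} 198.51.100.7:51002 -> 10.0.0.5:22
10/16-02:00:09.000000  [**] [1:1000002:1] LOCAL SQL injection in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40000 -> 10.0.0.8:80
10/16-02:01:30.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 2] {TCP} 198.51.100.7:51003 -> 10.0.0.5:22
10/16-02:05:00.000000  [**] [1:1000003:1] LOCAL ICMP ping sweep [**] [Priority: 3] {ICMP} 192.0.2.4 -> 10.0.0.1
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

# Minimum count of identical (sid, src, dst) events before anybody is paged:
# priority 1 pages immediately, low-priority noise must repeat before it is reported.
DEFAULT_THRESHOLDS = {1: 1, 2: 3, 3: 20}
ASSUMED_YEAR = 2010  # alert_fast timestamps carry no year; assumption for this sample


def parse_ts(text):
    return datetime.strptime(text, "%m/%d-%H:%M:%S.%f").replace(year=ASSUMED_YEAR)


def aggregate(lines, window_seconds=300, thresholds=None):
    """Collapse raw alerts into incidents keyed by (sid, src, dst).
    Returns (incidents, notifications): a notification is produced when a group
    first reaches its priority threshold and then at most once per window, the
    same idea as Snort's "type limit" event filter, applied after the fact."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    incidents, notifications = OrderedDict(), []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a production tool would count these separately
        ts, key = parse_ts(m["ts"]), (m["sid"], m["src"], m["dst"])
        inc = incidents.get(key)
        if inc is None:
            inc = incidents[key] = {"msg": m["msg"], "priority": int(m["prio"]),
                                    "first_seen": ts, "last_seen": ts,
                                    "count": 0, "last_notified": None}
        inc["count"] += 1
        inc["last_seen"] = ts
        due = inc["count"] >= thresholds.get(inc["priority"], 50)
        quiet = (inc["last_notified"] is None
                 or (ts - inc["last_notified"]).total_seconds() >= window_seconds)
        if due and quiet:
            inc["last_notified"] = ts
            notifications.append(
                f"[P{inc['priority']}] {inc['msg']} {key[1]} -> {key[2]}: "
                f"{inc['count']} events since {inc['first_seen']:%Y-%m-%d %H:%M:%S}")
    return incidents, notifications


def summarize(incidents):
    """One row per incident: what it is, when it started, how many, how often."""
    rows = []
    for (sid, src, dst), inc in incidents.items():
        elapsed = (inc["last_seen"] - inc["first_seen"]).total_seconds()
        per_minute = (round(inc["count"] * 60 / elapsed, 1)
                      if inc["count"] > 1 and elapsed > 0 else None)
        rows.append({"sid": sid, "src": src, "dst": dst, "msg": inc["msg"],
                     "count": inc["count"], "first_seen": inc["first_seen"].isoformat(),
                     "per_minute": per_minute})
    return rows


if __name__ == "__main__":
    incidents, notes = aggregate(SAMPLE_ALERTS.splitlines())
    for note in notes:
        print("NOTIFY:", note)
    for row in summarize(incidents):
        print(row)
```

Six raw alerts become three incidents and two notifications: the SSH group pages once when it hits three events and is then quiet for the window, the priority 1 SQL injection pages immediately, and the single ping sweep never does.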

Tuesday, March 23, 2010

Securing Offshore Remote Access

Question:
How to secure data and protect intellectual property while allowing remote access to remote consultants / outsourcing partners / offshore captive operations?

Answer:
This is a long procedural and legal discussion. Restricting access for remote administrators / consultants / offshore centers is not an actual “productivity” solution, so there is a clear need for sharing data in an intelligent and secure way.
Recently I have seen several discussions on policy based governance and operational controls, but I was disappointed with the available technical options. Most of the articles I have seen so far were limited to phrases like “We do use firewalls”, ”We have SAS 70”, “We have strong authentication” or “We do have encryption”: over-the-counter canned answers. The most joyful one (on an overseas web site describing how secure the outsourcing operations were) was: “We do use SecureFTP”.
Well, basic technical controls are nice, like using scrubbed test data, segmenting servers, using strong auth, physical data center security, or using full VPNs.. But what if the requirement is to have real controls?

The technical controls can be deployed at two layers:
1-    Controls at the Offshore Center: Regardless of the desktop security controls, end users at remote data centers can access and steal critical data; at the end of the day, who will stop them if they can take a 5 megapixel shot of their screens with their cell phones? So it is a good idea to have CCTV / camera-based monitoring where the access stations are (all remote access should be limited to secured facilities where possible – try to avoid roaming laptop-based remote workers). I use the term access station because it makes no sense to have regular desktops at offshore operational centers. Terminal server type solutions are great, but Citrix/terminal server type emulations do not work well for developers. I like virtual desktop infrastructure (VDI) for developers since it gives them full independence in a controlled environment. The base station should be a thin client, or must be managed (e.g. group policies with limited user rights) even if it is used only for the terminal session.
If you do not have a captive center, and you do not have full control of the remote desktops or you cannot enforce thin client stations or managed workstations, securing the other endpoint (where the terminal/Citrix/VDI client runs) is very difficult. In these cases, make sure that you require a VPN connection from individual endpoints so that you can control split tunneling, and you can apply/enforce pre-auth and during-auth posture checks, very much like a NAC. The idea is to require end users to install a security applet before they log in to your network and to run a cleaning pass prior to authentication. Create a one-time secure virtual workspace that expires at the end of the session. You may also create remediation and quarantine options for non-managed remote access.
When you are securing the remote offshore centers never skip the “air” piece. Rogue AP detection is a key feature. Your remote switch must detect any device attached to the network, especially if it is acting as a switch. Your policies must also limit the use of cell phones and other wireless gadgets.
Of course endpoint security is still key, like using full group policies, firewall/IPS, antimalware, antivirus, encryption, rights management etc., but it is much better to have it on a VDI system. It is also easier to control peripherals on a VDI.
Non-repudiation is another important point. Like the physical camera, a secure, remote, tamper-proof logging facility is highly recommended.
2-    Controls at the server level: Consultants / remote system administrators / offshore developers do need to access servers in development, test and sometimes production environments. It is mandatory to enforce individual user identities, with a full access audit. You can borrow the PCI requirements here. There are systems that record every single move (literally on a video file - ObserveIT) of a remote administrator. Or you can deploy privilege escalation management systems integrated with jump servers (e.g. SSH proxies, PowerBroker). Need-to-know access is essential, but even after the policy decisions, make sure that every activity is logged at different layers (network layer, OS layer, DB layer and application layer). Remote admins should never have access to log settings or the log repository (tamper-proof logging is the key). This is the time to put SIEM solutions to use. Write correlation rules to alert you when suspicious activity is detected.
Segmentation is another key, but today’s high speed computing makes network level firewalling very difficult. (If you have 100 servers with only 1 Gbps NICs, you will need a 100 Gbps full-duplex firewall, and as of today there is no IPS at that rate.) I do expect switch vendors to offer port-based firewalling / IPS in the very near future, but not today unless you have 7 figures to spend. Either way, segment your servers at the network level as much as possible. Even if you are using VMware, categorize servers physically according to their risk levels. There are also creative solutions like Apani Networks, Rohati Networks (now Cisco), or the NAC vendors for network-based segmentation using user identities. Basically, segmenting users by their user IDs instead of their source and destination addresses is better. You can even utilize secure de
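
The correlation rules mentioned for the server layer can be quite simple to start with. The Python below is an added example, not part of the original post: it runs four rules over constructed jump-server SSH login lines and command-audit lines (the hostnames, addresses, account names and log formats are all made up for the illustration). The rules encode the points above: logins that did not come through a jump server, use of shared accounts instead of individual identities, one identity used from several sources in a short window, and any remote-admin command touching log settings or the log repository.

```python
"""Minimal SIEM-style correlation over jump-server and command-audit logs (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: sshd-style accepted logins and a simple command audit feed.
AUTH_LOG = """\
2010-02-01T09:00:01 db01 sshd[2301]: Accepted publickey for jdoe from 10.10.50.5 port 51022 ssh2
2010-02-01T09:00:07 db01 sshd[2302]: Accepted publickey for jdoe from 10.10.50.5 port 51030 ssh2
2010-02-01T09:05:12 app02 sshd[4410]: Accepted publickey for asmith from 192.168.77.14 port 40111 ssh2
2010-02-01T09:06:40 app03 sshd[4420]: Accepted publickey for jdoe from 172.16.9.9 port 40222 ssh2
2010-02-01T09:07:00 db01 sshd[2305]: Accepted password for oracle from 10.10.50.6 port 51100 ssh2
"""
CMD_LOG = """\
2010-02-01T09:01:00 db01 audit: user=jdoe cmd="sudo vi /etc/rsyslog.conf"
2010-02-01T09:02:00 db01 audit: user=jdoe cmd="ls /var/log"
2010-02-01T09:05:30 app02 audit: user=asmith cmd="systemctl restart app"
2010-02-01T09:08:00 db01 audit: user=oracle cmd="sqlplus / as sysdba"
"""

# Assumed environment facts (constructed): approved jump servers, accounts that are
# shared/service identities rather than individuals, and paths that belong to logging.
JUMP_HOSTS = {"10.10.50.5", "10.10.50.6"}
SHARED_ACCOUNTS = {"oracle", "root", "admin"}
LOG_PATHS = ("/etc/rsyslog.conf", "/etc/syslog.conf", "/var/log", "/etc/audit")

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
CMD_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"')


def _parse(text, pattern):
    """Turn matching log lines into dicts with a parsed timestamp; skip lines of other formats."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def parse_auth(text):
    return _parse(text, AUTH_RE)


def parse_cmd(text):
    return _parse(text, CMD_RE)


def rule_login_not_via_jump(auth):
    """Every administrative login must originate from an approved jump server."""
    return [f"{e['user']}@{e['host']} from {e['src']} bypassed the jump servers"
            for e in auth if e["src"] not in JUMP_HOSTS]


def rule_shared_account_login(auth):
    """Individual identities are mandatory: any shared/service account login is suspicious."""
    return [f"shared account {e['user']} used interactively on {e['host']} from {e['src']}"
            for e in auth if e["user"] in SHARED_ACCOUNTS]


def rule_same_user_multiple_sources(auth, window=timedelta(minutes=10)):
    """One identity arriving from different sources within a short window suggests credential sharing."""
    by_user = defaultdict(list)
    for e in auth:
        by_user[e["user"]].append(e)
    seen = set()  # (user, src_a, src_b) so each pair is reported once
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] <= window and a["src"] != b["src"]:
                    seen.add((user,) + tuple(sorted((a["src"], b["src"]))))
    return [f"{u} logged in from {s1} and {s2} within {window}" for u, s1, s2 in sorted(seen)]


def rule_log_repository_access(cmds):
    """Remote admins must never touch log settings or the log repository."""
    return [f"{e['user']}@{e['host']} touched logging: {e['cmd']}"
            for e in cmds if any(p in e["cmd"] for p in LOG_PATHS)]


def correlate(auth_text, cmd_text):
    """Run all rules and return alerts keyed by rule name."""
    auth, cmds = parse_auth(auth_text), parse_cmd(cmd_text)
    return {
        "login_not_via_jump": rule_login_not_via_jump(auth),
        "shared_account_login": rule_shared_account_login(auth),
        "same_user_multiple_sources": rule_same_user_multiple_sources(auth),
        "log_repository_access": rule_log_repository_access(cmds),
    }


if __name__ == "__main__":
    for rule, alerts in correlate(AUTH_LOG, CMD_LOG).items():
        for a in alerts:
            print(f"[{rule}] {a}")
```

In a real deployment these feeds arrive from the tamper-proof log repository, not from the managed servers themselves, so that the administrators being watched cannot edit the evidence the rules run over.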


Again, none of the technical controls eliminate the need for governance, policy-based controls and risk management frameworks.
Full data life-cycle management, data privacy, data security, an audit program and a security management program (like ISO 27001) are all essential. But technical controls do really help you reach your security objectives.

Let me know if you have a detailed question.

Regards,
-    Yinal Ozkan

Monday, February 8, 2010

Security awareness - what worked for you

Question:
I am interested to know from you guys what methods you have used to prick the consciousness of your end users - from the standard policy delivery & enforcement tools (e.g. neupart, policy matter, netconsent, et al), through posters & startup screens, right through to "guerrilla tactics" rather like Chris Nickerson & his guys who did the job on the car dealer.

I had thought of gearing ideas around end user pain points - e.g. post-it notes with a PIN on a dummy credit card, etc. Interested in what low-cost ways others have used.

Thanks in advance guys

Answer:

........,
I have gone through several iterations of awareness initiatives: web based, class based, print media based, campaign based, you name it…
Information security practitioners usually skip a very important part of awareness programs: these programs are not security projects where you deliver a technical solution; awareness programs depend on the training component…
Here is the most important thing I learned: adult psychology is different; you cannot train adults as you train kids. When you put kids in a class they simply listen and they learn. Adults never do; they keep questioning: “Why am I here? Is this good for me? What will I lose if I do not listen? What is in it for me?” etc. These questions must be answered within the security awareness initiative, since they will keep occupying the short attention span of adult minds during training.
So the important structural shift for an awareness program initiative is that this is not a project, this is not about a portal with multiple choice questions with diagrams, this is not about an application that pops up; this is about training, and the adult training rules apply.
Years ago, I was in charge of security awareness training for a large trading house. Participation of all employees was mandatory. Everybody in the class (pre-WebEx days) thought this was yet another training, and the eyes were focused on the clock. I started the conversation with, “I am reading all your e-mail.” Well, I got the attention. The whole class got mad. But we had established the training rationale; everybody wanted to know how and why I was able to read their e-mail, and they were questioning who else could read their e-mail. Until that moment most of them thought the problems were someone else’s.
In order to create personal interest, the best way is to demonstrate vulnerability in day-to-day applications with live demonstrations (not checklists and pop quizzes) with which employees can associate individually. The demo should not be about the millions that a distant company lost (yes, we all heard about TJ Maxx), or powerpointing defaced web sites to death to bore the sales team away. There must be personal interest in the security awareness program. Unfortunately not too many people care about the greater good of their employers or the security teams… A salesperson will be more interested to see his CRM database being stolen using his own small BlackBerry, or a design engineer to see the chain of evidence for intellectual property; more examples can be given, but I think everybody who has managed to read up to this paragraph gets the idea: unless there is personal interest there won’t be success.
That being said, classical program components like continuous improvement, a cyclic approach, audit, measurement/metrics etc. will help. ISO programs or programs like neupart can be used as a good base for program management.
-Regards,
-          Yinal Ozkan