Predictions for 2008

The year is winding down, and the world loves a list, so I thought I’d jump on the bandwagon as well. I will start by saying that, thus far, the only prognostications for next year that I have read were Richard Bejtlich’s on his TaoSecurity blog. So, before I read any more that might taint my own predictions, here is what I foresee for 2008:

  1. Consolidation: One of the big technologies of 2007 was the introduction of unified communications by both Microsoft and Cisco. The merging of all communications technologies into a single, unified system will continue into 2008. Aside from the whiz-bang, “keep-up-with-the-Joneses” aspect, there is a lot to be gained in terms of efficiency and productivity for organizations that leverage unified communications.
  2. Consolidation: The computer and security technology industry is like a chess game of mergers and acquisitions. Watching the Big Dogs (Microsoft, Cisco, Symantec, McAfee, Checkpoint, etc.) make strategic moves reminds me of watching my kids negotiating and trading cards for one of their games. The key to winning the trading card game is apparently the same as the key to dominating the information security industry: collect the right components to build the better team. I predict that the Big Dogs will continue to snap up innovative and bleeding-edge companies in an effort to achieve or retain that slight advantage over the rest of the pack.
  3. Consolidation: Organizations are going to evolve their compliance efforts to the next level. Rather than launching a SOX project to get compliant and pass the audit, and then a HIPAA project to get compliant and pass the audit, and then a PCI DSS project to get compliant and pass the audit, organizations will seek to manage compliance as a whole. The goal will be to maintain compliance beyond the audit to get some leverage from the effort and resources invested in getting compliant in the first place. The separate compliance projects will converge under a single Compliance initiative that merges the various requirements so that they can be managed as one.
  4. Information Protection: Were you expecting “Consolidation” again? With much of information security more or less in a state of functional stalemate, organizations can move beyond firewalls, antivirus, and intrusion detection / prevention, and focus their attention on other areas. One of those areas for 2008 will be a greater focus on protecting confidential and sensitive corporate information. Data leakage appliances and technologies such as Microsoft’s Windows Rights Management Services (WRMS) will be employed by more organizations to ensure that the crown jewels of data are not quietly leaked across the network.
  5. Virtualization: This is almost a variation on “Consolidation”; does that count? There are a lot of good reasons to virtualize. From a money-saving perspective, you can save on hardware, data center real estate, and electricity and cooling. By leveraging the memory and processing power of one hulked-out server, companies can run multiple server instances, and even multiple operating systems, on a single box. Virtualization can also be used to leverage a centrally installed application and allow multiple desktop users to access it. In either event, another advantage is that maintenance, upgrades, patching and troubleshooting are more efficient because the support can be done on one box in one location. Virtualization has been a growing trend already, and in 2008 Microsoft will release their Hyper-V hypervisor to add some fuel to the fire.

There you go. I don’t know if any of those are Earth-shattering shockers, but those are my predictions. Check back at the end of 2008 and we can recap to see how I did. But come back frequently in the meantime. That wasn’t an invitation to stop visiting my blog for a year.

_________________________________________

Tony Bradley
www.tonybradley.com
Essential. Computer. Security.


Annual SANS Top 20 Report

It’s that time again. The 8th Annual SANS Top 20 Report is out. Well, it’s the 8th annual report, but it hasn’t always been a top 20, and it hasn’t always been released at the end of the year. The first one was a top 10 list released in June of 2000. This is must-read information, though, for anyone in information security or information technology management. The annual report lists the top 20 categories considered to be security issues, such as Phishing/Spear Phishing or Windows Services, and supplies information about why you should be concerned, what systems are affected, how to determine if you are at risk, and how to protect your systems. It also provides links to further information in case you want to dive deeper. Here is an excerpt from this year’s Executive Summary.

Proteccion del PC y seguridad en Internet

My book, Essential Computer Security, has just been translated and republished in Spanish as Proteccion del PC y seguridad en Internet. In addition to Spanish, my other international writings include German and Italian. Hacker’s Challenge 3, which I co-authored, was translated and republished in Italian as Hacker la Sfida. I am also writing a series of articles on the PCI Data Security Standard for TechTarget’s German site, SearchSecurity.de. The first article, which I called Complying With the PCI Data Security Standard, can be found online now titled Compliance nach dem Payment Card Industry Data Security Standard.


Secure Your Wireless Network

Convenience at a Price

Wireless networks have the potential to make enterprise networking much more efficient and cost effective. It is much easier to set a user up with a wireless network connection than to run Ethernet cabling from the nearest switch, through the walls and install a network jack at their desk. Wireless networks also help resolve the fairly ubiquitous problem of having too few network connections in conference rooms, and the fact that the conference room network connections are always at the least functional location possible.

The convenience of wireless networks comes with a price, though. Wired network access can be controlled because the data is contained within the cabling that connects the computer to the switch. With a wireless network, the “cabling” between the computer and the switch is called “air”, which any device within range can potentially access. If a user can connect to a wireless access point from 300 feet away, then in theory so can anyone else within a 300-foot radius of the wireless access point.

Threats to Wireless Network Security

Aside from the threat of unauthorized users accessing your network and eavesdropping on your internal network communications by connecting to your wireless LAN (WLAN), there are a variety of threats posed by insecure, or improperly secured, WLANs. Here is a brief list with descriptions of some of the primary threats:

  • Rogue WLANs – Whether your enterprise has an officially sanctioned wireless network or not, wireless routers are relatively inexpensive, and ambitious users may plug unauthorized equipment into the network. These rogue wireless networks may be insecure or improperly secured and pose a risk to the network at large.
  • Spoofing Internal Communications – An attack from outside of the network can usually be identified as such. If an attacker can connect with your WLAN, they can spoof communications that appear to come from internal domains. Users are much more likely to trust and act on spoofed internal communications.
  • Theft of Network Resources – Even if an intruder does not attack your computers or compromise your data, they may connect to your WLAN and hijack your network bandwidth to surf the Web. They can leverage the higher bandwidth found on most enterprise networks to download music and video clips, using your precious network resources and impacting network performance for your legitimate users.

Protecting Your Network from Your WLAN

LAN segmentation is used by many organizations to break the network down into smaller, more manageable compartments. Using different LAN segments or virtual LAN (VLAN) segments has a number of advantages. It can enable an organization to expand its network, reduce network congestion, compartmentalize problems for more efficient troubleshooting, and improve security by protecting different VLANs from each other.

The improved security is an excellent reason to set your WLAN up on its own VLAN. You can allow all of the wireless devices to connect to the WLAN, but shield the rest of your internal network from any issues or attacks that may occur on the wireless network.

Using a firewall, or router ACLs (access control lists), you can restrict communications between the WLAN and the rest of the network. If you connect the WLAN to the internal network via a web proxy or VPN, you can even restrict access by wireless devices so that they can only surf the Web, or are only allowed to access certain folders or applications.
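As an added example (not code from the original post), here is how the WLAN-to-proxy restriction just described could be expressed on a Linux router with nftables; the interface name, addresses and proxy port are assumptions chosen for the example:

```nft
# Added example, not from the original post: an nftables ruleset for a Linux
# router that sits between the wireless VLAN and the internal network.
# Assumed values (all constructed): the WLAN arrives on interface "vlan100",
# the internal network is 10.0.0.0/8, the web proxy is 10.0.5.10 (TCP 3128)
# and the internal DNS server is 10.0.5.20. Load with: nft -f wlan-edge.nft
flush ruleset

table inet wlan_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the internal side opened are allowed back.
        ct state established,related accept
        ct state invalid drop

        # Only traffic arriving from the wireless VLAN is restricted here;
        # forwarded traffic from any other interface is left alone.
        iifname != "vlan100" accept

        # Wireless clients may resolve names against the internal DNS server...
        ip daddr 10.0.5.20 udp dport 53 accept
        ip daddr 10.0.5.20 tcp dport 53 accept

        # ...and reach the web proxy, which is their only way to browse.
        ip daddr 10.0.5.10 tcp dport 3128 accept

        # Any other attempt to reach the internal network is logged and dropped.
        ip daddr 10.0.0.0/8 log prefix "wlan-to-lan-denied: " drop

        # Everything else from the WLAN falls through to the chain's drop
        # policy. To let clients browse directly instead of via the proxy,
        # add before this comment:
        #   ip daddr != 10.0.0.0/8 tcp dport { 80, 443 } accept
    }
}
```

The log prefix gives you a searchable marker in the kernel log for every blocked WLAN-to-LAN attempt, which is the kind of trail worth keeping for the rogue-device and bandwidth-theft cases listed above.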

Secure WLAN Access

Segmenting your WLAN from the rest of your network will help to protect the internal network from any issues or attacks on the wireless network, but there are still other steps you can take to protect the wireless network itself. By encrypting your wireless communications and requiring users to authenticate before connecting, you can ensure that unauthorized users do not intrude on your WLAN and that your wireless data cannot be intercepted.

Wireless Encryption
One of the ways to ensure unauthorized users do not eavesdrop on your wireless network is to encrypt your wireless data. The original encryption method, WEP (Wired Equivalent Privacy), was found to be fundamentally flawed. WEP relies on a shared key, or password, to restrict access. Anyone who knows the WEP key can join the wireless network. There was no mechanism built into WEP to automatically change the key, and there are tools available that can crack a WEP key in minutes, so it won’t take long for an attacker to access a WEP-encrypted wireless network.

While using WEP may be slightly better than using no encryption at all, it is insufficient for protecting an enterprise network. The next generation of encryption, WPA (Wi-Fi Protected Access), is designed to leverage an 802.1X-compliant authentication server, but it can also be run similarly to WEP in PSK (Pre-Shared Key) mode. The main improvement from WEP to WPA is the use of TKIP (Temporal Key Integrity Protocol), which dynamically changes the key to prevent the sort of cracking techniques used to break WEP encryption.

Even WPA was a band-aid approach, though. WPA was an attempt by wireless hardware and software vendors to implement sufficient protection while waiting for the official 802.11i standard. The most current form of encryption is WPA2. WPA2 provides even more complex and secure mechanisms, including CCMP, which is based on the AES encryption algorithm.

To protect wireless data from being intercepted and to prevent unauthorized access to your wireless network, your WLAN should be set up with at least WPA encryption, and preferably WPA2 encryption.

Wireless Authentication
Aside from just encrypting wireless data, WPA can interface with 802.1X or RADIUS authentication servers to provide a more secure method of controlling access to the WLAN. Where WEP, or WPA in PSK mode, allows virtually anonymous access to anyone who has the correct key or password, 802.1X or RADIUS authentication requires users to have valid username and password credentials or a valid certificate to log into the wireless network.

Requiring authentication to the WLAN provides increased security by restricting access, but it also provides logging and a forensic trail to investigate if anything suspicious goes on. While a wireless network based on a shared key might log MAC or IP addresses, that information is not very useful when it comes to determining the root cause of a problem. The increased confidentiality and integrity provided are also recommended, if not required, by many security compliance mandates.

With WPA / WPA2 and an 802.1X or RADIUS authentication server, organizations can leverage a variety of authentication protocols, such as Kerberos, MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), or TLS (Transport Layer Security), and use an array of credential authentication methods such as usernames / passwords, certificates, biometric authentication, or one-time passwords.
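To make the progression in the Wireless Encryption and Wireless Authentication sections concrete, here is an added example (not from the original post) of three hostapd.conf fragments for a Linux access point: the static-WEP setup the text calls flawed, WPA2 in PSK mode, and WPA2 with 802.1X against a RADIUS server. The interface name, SSIDs, RADIUS address, key, passphrase and shared secret are all assumed placeholders.

```ini
# Added example, not from the original post: three hostapd.conf fragments that
# contrast the settings the text warns about with the recommended ones. Each
# fragment is a separate configuration; do not merge them into one file.
# Assumed values (all constructed): interface wlan0, RADIUS server 10.0.5.30;
# the WEP key, passphrase and shared secret are placeholders.

# --- 1. Weak: WEP with one static shared key (the text's "fundamentally flawed")
interface=wlan0
ssid=corp-wifi-legacy
hw_mode=g
channel=6
# open-system authentication; the static key below is the only gate
auth_algs=1
wep_default_key=0
# 40-bit key shared by every client and never rotated: crackable in minutes
wep_key0="abcde"

# --- 2. Better: WPA2 in PSK mode (still one secret shared by everyone)
interface=wlan0
ssid=corp-wifi-psk
hw_mode=g
channel=6
# wpa=2 selects WPA2 (RSN) only; 1 would be WPA, 3 both
wpa=2
wpa_key_mgmt=WPA-PSK
# AES-CCMP rather than TKIP for the pairwise cipher
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-to-a-long-random-passphrase

# --- 3. Recommended: WPA2 with 802.1X/EAP against a RADIUS server
interface=wlan0
ssid=corp-wifi
hw_mode=g
channel=6
wpa=2
# per-user credentials (password or certificate) and per-session keys
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# hand EAP to the external RADIUS server instead of hostapd's built-in one
eap_server=0
auth_server_addr=10.0.5.30
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME
# RADIUS accounting supplies the per-user log trail the text mentions
acct_server_addr=10.0.5.30
acct_server_port=1813
acct_server_shared_secret=CHANGE-ME
```

Fragment 3 is the one that ties a wireless session to a named user in the RADIUS logs; the shared-key fragments can only ever record a MAC or IP address, which is the limitation noted above.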

Wireless networks can increase efficiency, improve productivity and make networking more cost effective, but if they are not properly implemented they can also be the Achilles’ heel of your network security and expose your entire organization to compromise. Take the time to understand the risks and how to secure your wireless network, so that your organization can leverage the convenience of wireless connectivity without creating an opportunity for a security breach.

100% Protection at a 25% Savings

My kids have their own computer. They set a kitchen timer on each other to mediate the taking of turns. Basically, someone is on that computer, surfing the Web, all day. Generally, I know the sites they are visiting, and they are pretty good about asking before they click on anything that might be questionable, and they definitely ask before registering or signing up for anything. But I am not there every second, and it only takes one misspelled domain name, or an errant click on a banner ad, to unveil the dark side of the Web. I recently reviewed a product for Brighthub called Net Nanny which provides a solid bang for the buck. It is simple enough for non-techie parents to install and administer, yet robust enough to provide the protection you want to make sure your kids surf the Web safely. Right now, you can even get Net Nanny for 25% off its normal price. So, you get the same bang for even less bucks.


December 2007

To view a summary of the December bulletins, visit Microsoft Security Bulletin Summary for December, 2007. Click the links below to view the individual Microsoft Security Bulletins and to download any patches that might be required for your system. You can also visit Windows Update to automatically determine what patches or updates your system needs.