<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Astaro Security Perspectives Blog</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/" />
    <link rel="self" type="application/atom+xml" href="http://securityblog.astaro.com/atom.xml" />
   <id>tag:,2010:/11</id>
    <link rel="service.post" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11" title="Astaro Security Perspectives Blog" />
    <updated>2010-03-15T13:40:33Z</updated>
    <subtitle>The Security Perspectives Blog discusses information and ideas regarding the network security industry, new threats as well as industry and corporate news. Our goal is to create a dialog about network security, so feel free to leave your comments.</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.36</generator>
 
<entry>
    <title>When you aren&apos;t all in one place - Securing your distributed workforce</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/03/when_you_arent_all_in_one_plac.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1538" title="When you aren't all in one place - Securing your distributed workforce" />
    <id>tag:securityblog.astaro.com,2010://11.1538</id>
    
    <published>2010-03-15T13:35:16Z</published>
    <updated>2010-03-15T13:40:33Z</updated>
    
    <summary>By Tim Cronin The workplace is changing. It was once the norm for a small or medium sized organization, or even a larger enterprise, to operate out of only one building. Even global organizations tended to have a single headquarters...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Tim Cronin</em></p>

<p>The workplace is changing. It was once the norm for a small or medium sized organization, or even a larger enterprise, to operate out of only one building. Even global organizations tended to have a single headquarters with perhaps one or two other buildings in the continents in which the organization operated. </p>]]>
        <![CDATA[<p>Today this has all changed. Technology has made it possible for businesses of all sizes to have multiple locations throughout the world. This means employers can hire the best employees regardless of their location. Also, high gas prices and the desire for a flexible work environment have caused many organizations to offer flex spaces and create connected work policies. As a result, we are seeing a more distributed workforce in companies large and small. </p>

<p>The ability to have employees work from anywhere has been beneficial to most organizations. According to a recent study done by Link Resources, allowing employees to telecommute or work out of remote offices closer to their homes can improve productivity by up to 20%. Factors such as increased flexibility, reduced stress resulting in sick days, and the fact that minor health ailments will not impact an employee's ability to work are all contributing factors to the increased productivity. When working from home or at an office closer to their home employees tend to add the time they would have spent commuting to their work day, increasing the number of hours they will spend working a week and thus increasing their output.  </p>

<p><strong>Connection is only the first step - then you need security</strong><br />
So what is the catch to this distributed workforce? Ensuring connectivity and security. Basic technologies such as telephones, instant messengers (with or without video capabilities), email and mobile devices allow your employees to stay connected to the office no matter where they are. However, in order to make having office locations worthwhile, it is critical for each location to be secure. Deploying separate security devices at each office location can ensure each office is secure; however, this creates a huge administrative burden. I know of one company that has eight offices with a combined workforce of less than 100 employees. The time it would take the network administrator to install, maintain and update eight separate security appliances would negate many of the benefits of having a distributed workforce to begin with. </p>

<p>Despite the simple setup and configuration of some security products, it is still necessary to have an individual with a technical background manage the initial deployment. With a distributed workforce this means extensive travel just to connect an office, creating a financial hurdle to having remote offices. There are only two ways to avoid spending valuable dollars on travel to connect and secure remote offices: 1) don't open remote offices or 2) select security products that can be deployed by anyone - even non-technical employees. </p>

<p>This still leaves management as an issue. This can be combated if the network administrator is able to maintain or update the security solution remotely or from the central office.</p>

<p>Having multiple offices in spread out locations is a reality of the business world today but so is the need to secure your network. When an organization's network is distributed across multiple locations it can be a challenge to ensure their security but new technologies are making this possible. An example of this type of technology happens to be from Astaro. Information can be found here: http://www.astaro.com/landingpages/en-worldwide-innovations-2010  <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Astaro introduces three new products</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/03/astaro_introduces_three_new_pr.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1536" title="Astaro introduces three new products" />
    <id>tag:securityblog.astaro.com,2010://11.1536</id>
    
    <published>2010-03-03T17:00:34Z</published>
    <updated>2010-03-03T18:40:07Z</updated>
    
    <summary>This morning, Astaro announced three new products that will be available in 2010. Each product will allow organizations to connect their network while remaining confident in its security and ensuring access to information. Also in development is version 8 of...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Astaro Company News" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>This morning, Astaro announced three new products that will be available in 2010. Each product will allow organizations to connect their network while remaining confident in its security and ensuring access to information.  Also in development is version 8 of the Astaro Security Gateway. This next generation security platform will include a new user interface and support for <a href="http://en.wikipedia.org/wiki/IPv6">IPv6</a>. </p>]]>
        <![CDATA[<p>Astaro RED is the first security solution to offer complete and centrally managed Unified Threat Management for branch offices. It empowers organizations to connect their remote locations to a central location (headquarters) within minutes and without onsite technical expertise. </p>

<p>For more information about Astaro RED watch this short video here: <a href="http://www.astaro.com/landingpages/2min-explainer-red ">http://www.astaro.com/landingpages/2min-explainer-red </a></p>

<p>Astaro Mail Archiving is a hosted service that is set up within 15 minutes. The service provides unlimited storage and users can find archived email quickly and easily through a convenient Microsoft Outlook plug-in.<br />
 <br />
For more information about Astaro Mail Archiving watch this short video here: <a href="http://www.astaro.com/landingpages/2min-explainer-ama">http://www.astaro.com/landingpages/2min-explainer-ama</a></p>

<p>Astaro Wireless Security offers secure and uninterrupted WiFi signal throughout an office location through secure plug & play thin access points (802.11n). Astaro Wireless Security allows users to create guest Internet access without complicated configuration.  Security is managed centrally with the Astaro Security Gateway web interface. </p>

<p>For more information about Astaro Wireless Security watch this short video here: <a href="http://www.astaro.com/landingpages/2min-explainer-wifi ">http://www.astaro.com/landingpages/2min-explainer-wifi </a></p>

<p>In addition to the three new products, Astaro is currently developing version 8 of the Astaro Security Gateway. The new version will include support for IPv6, a reverse proxy - Web Application Firewall, admin change tracking and an updated interface. Many of the new features found in version 8 were suggested on the Astaro Feature Request Site, a site that was developed by Astaro product management to receive feedback on current and future offerings from Astaro's partner community and customers.</p>

<p>Find more information on the three new members of Astaro's product family on <a href="http://www.astaro.com/innovations-2010">www.astaro.com/innovations-2010</a> and register for e-mail updates to receive the latest information on them.</p>]]>
    </content>
</entry>
<entry>
    <title>Massachusetts&apos; MA 201 CMR 17.00 </title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/03/massachusetts_ma_201_cmr_1700.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1535" title="Massachusetts' MA 201 CMR 17.00 " />
    <id>tag:securityblog.astaro.com,2010://11.1535</id>
    
    <published>2010-03-01T09:05:08Z</published>
    <updated>2010-03-02T21:08:54Z</updated>
    
    <summary>By Jack Daniel Massachusetts&apos; MA 201 CMR 17.00 data protection regulations go into effect on Monday, March 1, and that is a huge step forward for the protection of personal information. Breach disclosure laws are old news, but 201 CMR...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="IT Security Industry News" />
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Jack Daniel</em></p>

<p>Massachusetts' MA 201 CMR 17.00 data protection regulations go into effect on Monday, March 1, and that is a huge step forward for the protection of personal information.  Breach disclosure laws are old news, but 201 CMR 17.00 is different: it prescribes data protection specifics, and it is not limited to those in Massachusetts:<br />
"201 CMR 17.01 (2) Scope</p>

<p>The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth."<br />
</p>]]>
        <![CDATA[<p>Yes, all persons (which includes companies and organizations), regardless of where they are located, are covered if they:</p>

<p>"Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."</p>

<p>This is a big deal, for two key reasons.  </p>

<p>First, it is leading the way in state regulation of the protection of data.  There have been other regulations covering protection of data, but I believe this is groundbreaking and will be followed by other states.<br />
Second, it has a very broad reach: it is not industry-specific, and it applies to a large number of organizations which have never had regulatory requirements on their IT systems before.  Specifically, it applies to:</p>

<p>"Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof."</p>

<p>There is an exclusion for Massachusetts government, but they are covered under Executive Order 504, which mandates similar protection of data for them.</p>

<p>This regulation can put a significant burden on businesses which do business with Massachusetts residents, and I believe that small businesses face the biggest challenges.  (The burden is to do what they should already be doing, but are not; that doesn't mean it will be easy.)  Small businesses are the least likely to have dealt with regulation before (except in specific regulated fields), and they are the least likely to have the knowledgeable personnel and financial resources required to comply.  Those organizations in the 40-200 user size are probably going to have the hardest time (as they often do): they're too big to do everything manually, and not big enough to justify the enterprise tools to help manage some of the tasks at hand.</p>

<p>You can find a PDF of the regulations at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf<br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Astaro introduces new licensing model </title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/02/astaro_introduces_new_licensin.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1532" title="Astaro introduces new licensing model " />
    <id>tag:securityblog.astaro.com,2010://11.1532</id>
    
    <published>2010-02-16T14:48:59Z</published>
    <updated>2010-02-17T14:13:32Z</updated>
    
    <summary>At the beginning of the month, Astaro announced our new licensing model to the world. This model is designed to better meet the needs of our partner community and our end-users. Below you will find the details of the new...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Astaro Company News" />
            <category term="Astaro Product News" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>At the beginning of the month, Astaro announced our new licensing model to the world. This model is designed to better meet the needs of our partner community and our end-users. Below you will find the details of the new licensing model. </p>]]>
        <![CDATA[<p>We rearranged the former Base License: Out of the advanced network security features we created a dedicated subscription called "Network Security" while our free "Essential Firewall" contains basic networking and network security features. We also adjusted the maintenance and support.</p>

<p>We decided to update our licensing model to create more flexible licensing; now customers can buy exactly what they need. With this new model the clustering and user upgrade processes are much easier. This new model also includes a more competitive price point for smaller appliances. This will make it easier for our partners to initiate conversations with prospective customers with smaller budgets.</p>

<p>Additional information can be found here: http://www.astaro.com/news-events/press-releases/astaro-redefines-utm<br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Bank Sues Customer Over Intrusion That Led to Theft</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/02/bank_sues_customer_over_intrus.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1531" title="Bank Sues Customer Over Intrusion That Led to Theft" />
    <id>tag:securityblog.astaro.com,2010://11.1531</id>
    
    <published>2010-02-02T14:20:59Z</published>
    <updated>2010-02-08T16:51:36Z</updated>
    
    <summary>By Tim Cronin Brian Krebs is reporting that Texas bank PlainsCapital is suing Hillary Machinery, a customer of PlainsCapital. This is significant because to this point it is common for customers to bring suit against a bank over lax security,...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="IT Security Industry News" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Tim Cronin</em></p>

<p>Brian Krebs is reporting that Texas bank PlainsCapital is suing Hillary Machinery, a customer of PlainsCapital.  This is significant because to this point it is common for customers to bring suit against a bank over lax security, but this is a rare case of a bank bringing suit against a customer.  Details can be found at <a href="http://www.krebsonsecurity.com/2010/01/texas-bank-sues-customer-hit-by-800000-cyber-heist/">Krebs' blog.</a>  There are hazy details about the case.  I don't want to take sides on the litigation, but I do want to point out that both parties could have prevented the actual breach.   </p>]]>
        <![CDATA[<p><strong>Bank's fault </strong><br />
There was one detail that I picked up on.  PlainsCapital did not issue a statement, but there does appear to be a memo that was made public.  The memo outlines the details of the intrusion as reported by Sam Roark, vice president of delivery channels.  The bank uses some common methods of authentication to control access to the system and the ability to make transactions.  Specifically, you need to know your username (public information) and your password (private information).  Once you sign in, the system sends you an email before you can make any transactions, and you must then click a link.  The memo states the following about this process: "This is known as multifactor authentication."</p>

<p>It is not my intention to pick sides.  In fact, I would place most of the blame elsewhere.  However, I would like to use this example to make the concept of multifactor authentication clear.  Multifactor authentication uses a combination of something that a user knows, something that a user has and something that a user is.  In order for multifactor authentication to be more secure than single factor, you need at least two of the three categories.  Think about your ATM authentication, for instance.  You must insert your card and enter your PIN.  This is something you have and something you know.</p>

<p>The bank uses two instances of something you know (your username and password and then your email account's username and password).  This is not any more secure than single factor and indeed is not considered multifactor authentication.  If this was a phishing attack from the intruder, then the user could unwittingly give up both pieces of information and the attack would be successful, because the attacker doesn't need to kidnap anyone (something you are) or steal a physical item (something you have).  For this reason, it is incorrect to say that the bank was using multifactor authentication.  Had the bank really been using multifactor authentication (with a secure token or something similar, for instance), then this attack would not have been successful.  Banks should consider this in future litigation and policy making.</p>

<p><strong>Customer's Fault</strong><br />
The customer is the actual target of the attack.  The customer is responsible for the privacy of their security credentials.  Unfortunately, these credentials have been known to be easy to leak.  There is no detail about how they were leaked but there are a couple of possibilities.  <br />
The most obvious is a phishing attack.  A user within the bank was simply asked to give the attacker the information that he was looking for.  Probably believing that the attacker was a trustworthy individual, the user gave the credentials.  After this and the lack of actual multifactor authentication there was no barrier to a successful attack.  The way that the customer could have prevented this is to make sure that anybody that has access to the banking information is well aware and vigilant not to give the credentials to anybody.  This is user training and is often a goal of any security strategy.  </p>

<p>The more sophisticated route would be a fully technical breach.  If the attacker(s) were able to gain access to an internal system that had the authentication credentials in an accessible place, then this is all that is necessary for the attack to work.  There are mitigations that give you a reasonable expectation you are not going to be breached, but these technologies are never 100% effective.  There are always 0-day attacks and obfuscation techniques to hide the presence of a breach.  Technologically, the customer would have to make a risk-based assessment as to when enough security is enough.  This attack may have been more sophisticated than the security measures put in place.  Currently, Hillary Machinery has not released information about the measures they have in place. It is entirely possible that the state of their network security was woefully insufficient.  However, the assumption that it was insufficient cannot yet be made.</p>

<p><strong>Put It Together</strong><br />
All in all, both parties had an opportunity to stop this breach.  In the end, the customer is responsible for keeping their credentials secure.  The bank should have policies in place that would stop a breach if credentials are stolen, though.  Neither party is fully responsible for the breach but neither party can claim that they aren't responsible.  Of course, this is now a legal issue, and we'll have to see how the legalities work out.<br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Astaro will host partner events in US</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/01/astaro_will_host_partner_event.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1529" title="Astaro will host partner events in US" />
    <id>tag:securityblog.astaro.com,2010://11.1529</id>
    
    <published>2010-01-26T15:54:22Z</published>
    <updated>2010-02-16T14:39:14Z</updated>
    
    <summary>Astaro has made a commitment to helping our partners grow their businesses. This is why we began offering our partner community advanced training sessions, implemented organizational and business process improvements and why we are hosting a series of events in...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Astaro Company News" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>Astaro has made a commitment to helping our partners grow their businesses. This is why we began offering our partner community advanced training sessions, implemented organizational and business process improvements and why we are hosting a series of events in the early part of 2010. </p>

<p>These events will feature information regarding Astaro's product roadmap, the security industry, competitive messaging information and technical demonstrations as well as an opportunity to network with other members of the Astaro partner community. </p>

<p>The first two events will be held in Miami and Orlando on March 10th and 16th respectively. We encourage all partners in the area, as well as those considering joining the Astaro partner community, to attend an event. </p>

<p>For more information about dates, times and locations and to register for an event click <a href="http://purl.manticoretechnology.com/MTC_Common/mtcURLSrv.aspx?ID=4149&Key=1D9202AB-9FB1-4DDC-A3D6-E223D0E7F825&URLID=3650">here</a>. </p>

<p>We hope to see you there!<br />
</p>]]>
        
    </content>
</entry>
<entry>
    <title>New Zero-Day exploit - Astaro blocks that</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/01/new_zeroday_exploit_astaro_blo_1.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1527" title="New Zero-Day exploit - Astaro blocks that" />
    <id>tag:securityblog.astaro.com,2010://11.1527</id>
    
    <published>2010-01-20T18:23:21Z</published>
    <updated>2010-01-20T18:32:14Z</updated>
    
    <summary>By Markus Hennig Dan Goodwin recently reported that a new Internet Explorer exploit has been released into the wild. The exploit, known as CVE-2010-0249, attacks a known vulnerability in Internet Explorer and was most notably used to compromise Google. Luckily,...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="IT Security Industry News" />
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Markus Hennig</em></p>

<p>Dan Goodwin recently reported that a new Internet Explorer exploit has been <a href="http://www.theregister.co.uk/2010/01/15/ie_zero_day_exploit_goes_wild/">released into the wild</a>. The exploit, known as CVE-2010-0249, attacks a known vulnerability in Internet Explorer and was most notably used to compromise Google.  Luckily, networks with an Astaro Security Gateway are protected against this threat. Astaro is connected to the Microsoft Active Protection Program and therefore it is possible for the product's IPS to recognize and block attacks before other vendors are able to do so. </p>]]>
        <![CDATA[<p>According to the Goodwin article, this attack has been in existence and remained undetected for almost nine years.  Obviously this attack is "highly sophisticated" and the only reason we are aware of the exploit now is because a very prominent company (Google) was targeted and compromised.  It is important to note that Internet Explorer version 8 and Windows 7 were both able to withstand this attack, once again confirming the importance of <a href="http://securityblog.astaro.com/2010/01/basic_security_tips_part_3_upd.html#more">updating your software</a>.  Microsoft is encouraging Internet Explorer users to upgrade to version 8, a move that will help protect users from other known vulnerabilities. </p>

<p>I believe the Google compromise is just the tip of the iceberg. Just because we are now aware of this exploit does not mean all networks and systems are fixed. Now that the vulnerability in Internet Explorer has been publicized we can expect more attacks looking to take advantage of the vulnerability until a patch is made. The next patch is scheduled for February 9th, however there is speculation a patch may be issued prior to the scheduled patch date. <br />
 <br />
A final thought about this exploit is how it transcends international borders. The cyber-criminals who created this exploit are from China but used the global reach of Internet Explorer to gain access to email accounts of users who trust Google from all over the world. We truly live in a global world. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Astaro featured on MSPTV</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/01/astaro_featured_on_msptv.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1525" title="Astaro featured on MSPTV" />
    <id>tag:securityblog.astaro.com,2010://11.1525</id>
    
    <published>2010-01-19T15:09:37Z</published>
    <updated>2010-01-19T15:14:56Z</updated>
    
    <summary>On January 15th, Business Solutions magazine hosted a webinar featuring Jim Roddy, Business Solutions, president and Gennifer Biggs, security storage and managed services editor. The webinar, titled: &quot;Products To Leverage For Your Own Economic Recovery&quot;, discussed pitfalls to avoid in...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Astaro Company News" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>On January 15th, Business Solutions magazine hosted a webinar featuring Jim Roddy, Business Solutions, president and Gennifer Biggs, security storage and managed services editor.  The webinar, titled: "<a href="http://www.bsminfo.com/article.mvc/Miss-Our-Webinar-On-Products-To-Fuel-Your-Own-0001">Products To Leverage For Your Own Economic Recovery</a>", discussed pitfalls to avoid in the economic recovery, product financing support for IT companies ramping up for the recovery and basic business advice for 2010. </p>

<p>The webinar featured a guest speaker, Astaro partner Dean Wescott, CMO of Kincaid Network Solutions. During his segment, Dean discussed his experiences leveraging the Astaro Security Gateway Essential Firewall Edition and how it will help VARs and managed services security providers gain momentum in 2010. <br />
</p>]]>
        
    </content>
</entry>
<entry>
    <title>Programs learn to play in their own sandbox</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/01/programs_learn_to_play_in_thei.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1524" title="Programs learn to play in their own sandbox" />
    <id>tag:securityblog.astaro.com,2010://11.1524</id>
    
    <published>2010-01-18T15:17:20Z</published>
    <updated>2010-01-18T15:22:32Z</updated>
    
    <summary>By Tim Cronin Among all of the New Year&apos;s normal ebb and flow, predictions for the upcoming year are ubiquitous. More than a couple of these predictions proclaim that 2010 will be &quot;The Year of the Sandbox&quot;. While I think...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Tim Cronin</em></p>

<p>Among all of the New Year's normal ebb and flow, predictions for the upcoming year are ubiquitous.  More than a couple of these predictions proclaim that 2010 will be "The Year of the Sandbox".  While I think this is a sensationalist way of putting it and that it would be hard to pin down any timeframe for such a technology to become the norm, I do agree that the sandboxing of processes is becoming popular.  In fact, if you look at the technology as a whole, virtualization can be thought of as macro-sandboxing - that is, making sure that one set of processes (the guest) cannot interact with another set (another guest).  Virtualization has taken off and now sandboxing is headed towards stopping individual processes from communicating with things they shouldn't.</p>]]>
        <![CDATA[<p><strong>The Theory</strong><br />
Sandboxing is not a new idea, and it is a simple one.  Basically, if you limit the access that a running computer process has, then you limit both the good and the bad things it can do.  If you design a program to work properly under normal circumstances while limiting the access it has to other data, then you have created a sandbox.  Then, if this program is used in a manner which was not intended, the effects are also limited.  On top of this, the portions of the program that are intended to interact with other resources (such as the operating system or other processes) are hardened with the strictest security practices possible.  The end result is a recipe for success.</p>

<p><strong>Harbingers of technology</strong><br />
Google's Chrome browser is already sandboxing itself.  According to <a href="http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html">Google's Chromium Blog</a>, all of the JavaScript and HTML processing is sandboxed in what is known as the renderer class.  Each plug-in is separate from the renderer.  As a result, Chrome runs in several OS processes, one for each tab and plug-in.  On top of this, the renderer is hardened using the most stringent OS security.  If there is a vulnerability in one of these processes, it cannot interact with other processes or with resources such as your hard drive.  This is unlike other browsers that have no separation.  If there is a vulnerability in older-style browsers, it can still interact with anything running in the current single browser process, including crashing your entire browser session or interacting with other system resources.</p>

<p><strong>Just Web Browsing?</strong><br />
This does not limit itself to browsers.  This method applies to all processes running on the system.  If there is a process that is allowed to interact with other processes, then it stands to reason that it can be used for malicious purposes.  Enter another utility: Sandboxie (http://www.sandboxie.com/).  Sandboxie is a great utility that allows any process to run in a sandbox.  If there is a vulnerability or crash in the process that Sandboxie is running, it acts in a similar manner to Chrome's renderer: it won't interact with other processes to cause wider damage.  You can close the Sandboxie process along with the misbehaving process and start over.  </p>

<p>With this (lack of) power, it is no wonder that developers are leaning on this technology to help make computing safe for the masses again.  It won't be impossible to mount a successful attack, but it will be much more difficult.  The downside?  Look for phishing to become more popular as it will be easier to use it as a tool than to exploit the actual system.<br />
What do you think about Sandboxing when it comes to creating programs? <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Basic Security tips part 3 - update your software</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2010/01/basic_security_tips_part_3_upd.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1523" title="Basic Security tips part 3 - update your software" />
    <id>tag:securityblog.astaro.com,2010://11.1523</id>
    
    <published>2010-01-11T14:17:17Z</published>
    <updated>2010-01-11T14:21:54Z</updated>
    
    <summary>By Tim Cronin It has become more and more difficult to identify malicious links and content on the Internet. URL shorteners, ads on legitimate websites, virus downloads posing as anti-virus software and of course fake e-cards all make it...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Tim Cronin</em></p>

<p>It has become more and more difficult to identify malicious links and content on the Internet. URL shorteners, <a href="http://news.cnet.com/8301-1009_3-10351460-83.html">ads on legitimate websites</a>, virus downloads posing as anti-virus software and of course fake e-cards all make it harder to know where you should and should not click.</p>]]>
        <![CDATA[<p>Having a strong network security product in place will of course prevent the installation of malicious code on your computer even if you click on one of these links. But there are other ways to make sure you are protected from these hard-to-identify scams. The simplest way is to make sure your software is up to date. I am not talking about your security software (but keeping that up to date makes sense too). I am talking about the regular software you use every day. </p>

<p>The Waledac virus, a virus that spreads through fake New Year's e-cards, <a href="http://www.scmagazineus.com/waldec-spreading-through-fake-new-years-e-cards/article/160502/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineHome+%28SC+Magazine%29">attacks known vulnerabilities</a> in programs like Adobe Flash, Adobe Reader and Internet Explorer.  How can they successfully attack known vulnerabilities? It isn't that Adobe and Microsoft ignored the vulnerabilities and didn't create patches. Instead, the Waledac virus depends on the fact that many people do not update their software with the latest patches, and more often than not this is the case. </p>

<p>So, one important step towards protecting your computer and your network is to update your software when new patches come out.  If the company that created the software is aware of the vulnerability, you can be sure cybercriminals not only know about it, but have already created a program to exploit it. </p>

<p>Which brings me to a secondary tip - Do not open e-cards or emails if you don't know the source. You can spot fake e-cards because they typically have subject lines like "a friend sent you an e-card" while real e-card services will personalize the subject line to say something like "Bob sent you an e-card". </p>

<p>Microsoft security patches can be found here: <a href="http://www.microsoft.com/security/updates/bulletins/default.aspx">http://www.microsoft.com/security/updates/bulletins/default.aspx</a></p>

<p>Adobe security patches can be found here: <a href="http://www.adobe.com/support/security/ ">http://www.adobe.com/support/security/ </a><br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Why Retail and Consumer Goods Organizations Need Security </title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2009/12/why_retail_and_consumer_goods.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1522" title="Why Retail and Consumer Goods Organizations Need Security " />
    <id>tag:securityblog.astaro.com,2009://11.1522</id>
    
    <published>2009-12-31T09:00:00Z</published>
    <updated>2009-12-31T09:01:03Z</updated>
    
    <summary>Retail, wholesale and consumer goods organizations face unique security challenges. Each new transaction adds information into the organization&apos;s database that can be stolen. Storing personal information such as credit card numbers, addresses and even social security numbers creates a tempting...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>Retail, wholesale and consumer goods organizations face unique security challenges. Each new transaction adds information into the organization's database that can be stolen. Storing personal information such as credit card numbers, addresses and even social security numbers creates a tempting target for cybercriminals. A security breach at a retail, wholesale or consumer goods organization damages the organization's reputation and could cause customers to shop elsewhere. Additionally, government and trade organization regulations such as PCI standards require these organizations to secure this data to prevent the loss of data and identity theft. </p>]]>
        <![CDATA[<p>Because these organizations often have multiple locations in addition to a corporate headquarters, securing data can be a difficult task. One solution is to deploy an information security product at each location that allows for central management at the home office. This will reduce the amount of time it takes to administer these products while protecting the entire network. </p>

<p>Protecting an organization from external threats is crucial; however, retail, wholesale and consumer goods organizations need to protect themselves from internal breaches as well. The majority of breaches originate from accidental downloads of malicious content by employees. Content filtering capabilities allow organizations to block access to websites with malicious content and prevent threats from being downloaded in the first place. If a computer on the network somehow becomes infected, a strong information security product will provide proactive notifications and quarantines of network traffic breaches and infections so network administrators at retail institutions can react to breaches before infections spread to the entire organization - protecting customer data and your organization's reputation.</p>

<p><br />
Here are some examples of how retail, wholesale or consumer goods companies have protected their networks: <br />
<a href="http://www.astaro.com/resources/astaro-success-stories/kauffman-tire">Kauffman Tire </a><br />
<a href="http://www.astaro.com/resources/astaro-success-stories/hannoush-jewelers">Hannoush Jewelers </a></p>]]>
    </content>
</entry>
<entry>
    <title>Cybercrime and its effect on e-commerce</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2009/12/cybercrime_and_its_affect_on_e.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1521" title="Cybercrime and its affect on e-commerce" />
    <id>tag:securityblog.astaro.com,2009://11.1521</id>
    
    <published>2009-12-29T15:46:59Z</published>
    <updated>2009-12-29T15:50:22Z</updated>
    
    <summary>The past year saw an increase in the number of virus attacks, phishing attacks, spam messages and other cyber-crime. According to a recent article in CNN, this cyber crime poses a threat to ecommerce. This article suggests that the ubiquitous...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="IT Security Industry News" />
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p>The past year saw an increase in the number of virus attacks, phishing attacks, spam messages and other cyber-crime.  According to a recent article on CNN, this <a href="http://www.cnn.com/2009/TECH/12/13/cybercrime.2009.review/index.html#cnnSTCText">cyber crime poses a threat to ecommerce</a>. This article suggests that the ubiquitous nature of cyber-attacks and the constant coverage of breaches like the Heartland breach will keep consumers from shopping online. </p>]]>
        <![CDATA[<p>I disagree with this theory and believe the only people who won't shop online because of these attacks are the people who aren't shopping online anyway, thus ecommerce will not feel a significant impact from these threats. </p>

<p>The trend seems to be moving towards doing more and more business online rather than in stores and banks. Many banks offer incentives for "going paperless" and for setting up automatic bill payments.  Reports of these attacks may hurt smaller online shops that have sites full of ads, but for the average consumer, they will continue to trust name-brand sites like amazon.com or even eBay. Most educated consumers don't care about privacy issues, web hacks, or even user ID theft. They know their credit card companies protect them from fraudulent claims and are even willing to risk having their credit card information stolen on sites they haven't heard of before for the right price.  If their information is stolen they will just call their credit card company and have the charges removed. </p>

<p>I am curious if my opinion was on track with others, so we are conducting an informal poll on our Facebook fan page. We asked: Are you less likely to shop online because of reports of data breaches (like the Heartland breach)?  </p>

<p>Respond to the survey by visiting Astaro's Facebook fan page (http://www.facebook.com/business/dashboard/#/pages/Astaro/107041096353?ref=mf) and leaving a comment, or leave a comment on this blog post. We will post the results on our blog after the new year. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Why we need hackers</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2009/12/why_we_need_hackers.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1520" title="Why we need hackers" />
    <id>tag:securityblog.astaro.com,2009://11.1520</id>
    
    <published>2009-12-28T09:04:07Z</published>
    <updated>2009-12-28T09:45:11Z</updated>
    
    <summary>By Jack Daniel In the US the term &quot;hacker&quot; carries a negative connotation. It conjures an image of a dark room filled with computers and a lone man attempting to break into bank or credit card networks to steal as...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Jack Daniel</em></p>

<p>In the US the term "hacker" carries a negative connotation.  It conjures an image of a dark room filled with computers and a lone man attempting to break into bank or credit card networks to steal as much personal information as he can. While there are plenty of "black-hat" hackers engaging in criminal activity for their own gain, the term hacker has an entirely different meaning. </p>]]>
        <![CDATA[<p>A hacker is simply a programmer for whom programming is reward enough. They tend to be curious individuals who test the limits of what is possible in computing. Unfortunately, the term has become synonymous with "cyber-criminal" and now that this image is etched into the conscience of American society there isn't much this unorganized group of people can do to restore their reputation. Articles like <a href="http://features.techworld.com/security/3208001/once-a-hacker-always-a-hacker/?olo=rss">this one</a> also make it difficult for ethical hackers to shed this image. </p>

<p>Strict interpretations of <a href="http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act">DMCA</a>, <a href="http://en.wikipedia.org/wiki/Software_license_agreement#End-user_license_agreement">EULAs</a> and other laws or regulations have made criminals out of white-hat hackers whose only goals are to test the bounds of computing. The truth is we need hackers.  Hackers are some of the most computer savvy individuals and their unique knowledge can be helpful in all kinds of scenarios. For example, an organization can hire a hacker to find possible vulnerabilities in their network, or a network security company can hire a hacker to help create a more secure firewall or other security devices.   While hiring true cybercriminals may not be advisable in all cases, to say that someone who was convicted of a cybercrime could never be trusted is laughable. Criminals reform, and these cybercriminals possess knowledge that possibly no one else has. Why not use their expertise to create a safer Internet environment?</p>

<p>Other countries understand the distinction between cybercriminals and hackers. Some even create <a href="http://technology.findlaw.com/articles/00006/010181.html">college programs that teach hacking techniques</a>. Why? Because at the very least those who develop our network security solutions should understand how cybercriminals operate on a practical and technical level.<br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Security and employee productivity </title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2009/12/security_and_employee_producti.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1519" title="Security and employee productivity " />
    <id>tag:securityblog.astaro.com,2009://11.1519</id>
    
    <published>2009-12-24T09:00:55Z</published>
    <updated>2009-12-24T09:05:50Z</updated>
    
    <summary>By Tim Cronin Many organizations view Internet security as a necessary expense and nothing more. They realize it is crucial to secure their network and select security products that will block malware and filter spam. While recognizing the need for...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Tim Cronin</em></p>

<p>Many organizations view <a href="http://www.astaro.com/your_needs/network_security">Internet security</a> as a necessary expense and nothing more. They realize it is crucial to secure their network and select security products that will block malware and filter spam. While recognizing the need for security is a positive step, many of these organizations are missing out on an opportunity to improve their business operations by using these same tools. The most useful security products aren't simply roadblocks for hackers; they also help contribute to an organization's bottom line.  Here are some ways security solutions can help improve business operations by improving productivity. </p>]]>
        <![CDATA[<p><strong>Spam Filters</strong></p>

<p>Employee productivity can be difficult to measure but is an important part of creating a successful business. All organizations want their employees to be as productive as possible, but constant distractions sap productivity. Employees are bombarded with email all day long, and many of these messages are useless (and dangerous) spam messages. In fact, it has been reported that, depending on the source, somewhere between <a href="http://en.wikipedia.org/wiki/E-mail_spam#As_a_percentage_of_the_total_volume_of_e-mail">80% - 90% of all emails can be classified as spam</a>. Also, spam costs the average medium sized company upwards of $185,000 a year in lost productivity - and that doesn't even include the costs of cleaning off a network if the spam message has malware, spyware or a virus on it. </p>

<p>With so many messages to wade through, classify and then delete manually, spam has a significant impact on productivity. Security solutions that possess strong <a href="http://www.astaro.com/our_products/astaro_mail_gateway">spam filtering</a> capabilities eliminate the majority of spam in employees' inboxes, preventing the productivity drain. </p>

<p><strong>Content filtering</strong> </p>

<p><a href="http://www.astaro.com/our_products/astaro_security_gateway/hardware_appliances/web_security">Content filtering</a> capabilities prevent lost productivity due to inappropriate or excessive web surfing. They also help reduce the risk of being labeled a hostile work environment by preventing employees from accessing sites that are considered offensive. </p>

<p>Properly filtering content can help keep your business's network safe from spyware as malicious sites are blocked from the network. This also preserves your network's performance as it isn't bogged down with spyware or malware, nor is bandwidth being eaten up by non-work web usage. </p>

<p><strong>Working from home</strong></p>

<p>Offering your employees the ability to work from home can increase employee morale and productivity. Employees who have access to the network from remote locations are more likely to work outside the office, and to contribute to the business outside regular business hours. As more and more businesses offer work at home policies and have mobile workers, remote access to the corporate network from any location will become a business staple.  </p>

<p>Setting up <a href="http://www.astaro.com/our_products/astaro_security_gateway/hardware_appliances/astaro_vpn_clients">VPN</a> clients on individual machines is a huge administrative hurdle to offering VPN connectivity. </p>

<p>Internet security products do more than just protect your network from viruses and other malware. They improve productivity and increase <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>You wouldn&apos;t buy a car without test driving it first - would you?</title>
    <link rel="alternate" type="text/html" href="http://securityblog.astaro.com/2009/12/you_wouldnt_buy_a_car_without.html" />
    <link rel="service.edit" type="application/atom+xml" href="https://www.astaro.com/cgi-bin/utm/mt-atom.cgi/weblog/blog_id=11/entry_id=1518" title="You wouldn't buy a car without test driving it first - would you?" />
    <id>tag:securityblog.astaro.com,2009://11.1518</id>
    
    <published>2009-12-23T09:00:00Z</published>
    <updated>2009-12-23T09:31:11Z</updated>
    
    <summary>By Spence Lee As we get closer and closer to the end of 2009 businesses are beginning to reevaluate their security products. When evaluating products most companies have a clear picture of the features they want. So they look for...</summary>
    <author>
        <name>Jessica Lavery-Pozerski</name>
        
    </author>
            <category term="Security Perspectives" />
    
    <content type="html" xml:lang="en" xml:base="http://securityblog.astaro.com/">
        <![CDATA[<p><em>By Spence Lee</em></p>

<p>As we get closer and closer to the end of 2009 businesses are beginning to reevaluate their security products.  When evaluating products most companies have a clear picture of the features they want. So they look for products that offer those features. This seems logical but when you think about it, this method is actually one of the worst ways to select a product. </p>]]>
        <![CDATA[<p>Let me use the analogy of a car. When you are in the market for a new car there are certain features you must have. You'll want an engine, four tires, power windows, anti-lock brakes etc. Now what if all you did was find a car that had all these features? You might end up with an engine that floods, tires that go flat, windows that don't work when it is cold or brakes that have cracked brake pads. Of course when you are looking for a car you are going to look at the quality of each feature, not just whether the feature is present. Why then do IT administrators simply use a simple feature checklist when purchasing a security (or other technology) solution?  </p>

<p>When evaluating any purchase, be it a car or a network security product, customers should try to understand the depth or quality of the features each prospective purchase has. What is the best way to do this? Sticking with the car analogy here are a few ways to evaluate a security product effectively. </p>

<p><strong>Industry reports/news items</strong></p>

<p>When you begin your search for a new car one of the first things you should do is look for news items related to the industry. Have there been any serious recalls or safety problems? Is there a new model of a brand you like? You can do the same when searching for a security product. Google "network security" and look on the <a href="http://www.astaro.com/newsroom/news_coverage">news pages</a> and <a href="http://www.astaro.com/newsroom/press_releases">press release pages</a> of the products you are short listing. This will give you an idea of what is going on with the companies and products you are looking at. </p>

<p><strong>Customer References</strong></p>

<p>Next you should talk to others you know who drive the type of cars you are interested in buying. Finding <a href="http://www.astaro.com/references/case_studies">customer references</a> may be easier with cars than with security products as you can easily determine what someone drives (just watch them get in their car), but companies don't advertise the security solution they are using on their website. Ask other IT administrators you know what they use and what their opinion of this product is, look on network security forums to see what people are saying and check out the company's web page - more than likely they have a library of customer success stories telling you how the product solved the customer's problems. </p>

<p><strong>Awards and Certifications </strong></p>

<p>Car companies know awards matter. This is why so many car ads include information about what awards they have earned.  Industry <a href="http://www.astaro.com/newsroom/awards_certifications">awards and certifications</a> normally have clear guidelines for who will be recognized, so if having a strong IPS is important to you, look for companies that have received awards for having a high performing IPS. </p>

<p><strong>Test Drive</strong></p>

<p>Of course all the research in the world can't replace a <a href="http://www.astaro.com/landingpages/en-emea-software">test drive</a>. Once you've seen the awards, heard the customer success stories and read the industry or analyst reports you'll want to test the product yourself. If the vendor doesn't allow for a free trial, ask yourself why. What are they hiding? A company that is confident in its product's feature depth as well as its breadth should not have an issue with you testing their product for a given amount of time. How else would you know if you will like how the product drives?  <br />
</p>]]>
    </content>
</entry>

</feed> 

