In case you hadn't heard, McAfee had two bad updates recently (one in April 2010 and one in August of 2012), and so did Sophos in September of 2012. You'd think after the first botched update there would be procedures in place at McAfee to prevent it from happening again, and for Sophos, they would have seen what an embarassment it was for McAfee and put in procedures in their update process to make sure it wouldn't happen to them.
So how does a botched update happen? Most likely it's complacency. It happens to all of us, we get too comfortable with our daily routine, so much so we don't notice when something does go wrong. With the looming possibility that a desktop antivirus update can fail and cause problems again in the future, what can you do to protect yourself?
The best defense against failure in the desktop antivirus solution is to have protection at the gateway, that's from a different vendor. So if you're using McAfee at the desktop, make sure you web security gateway is using Sophos, Symantec, or another antivirus vendor, as it's unlikely two different vendors will have broken updates at the same time. That way if a broken update allows malware through, you're still protected from it getting to the end-user at the gateway level.
I often get asked why you would need redundant anti-malware scanning at both the gateway and desktop. If you're using the same vendor, then yes, it does seem a bit redundant, which is why you really need different anti-malware vendors at the gateway and the desktop.
In a conversation with one security product manager, he mentioned to me that in his analysis of their customer data, for any new malware outbreak, there was only an 80% overlap between vendors. Meaning if you only went with one vendor, you'd only catch about 80% of the known malware out in the wild. You really need a second vendor to close that 20% gap.
So make sure you've got an added layer of defense. It may save you a lot of headaches the next time there's a problematic anti-virus pattern update.
Thursday, October 11, 2012
Thursday, August 2, 2012
SSL Inspection, is it time yet?
I was at Black Hat in Las Vegas last week, and once again, one of the top questions I heard around web security was when and how does an organization start doing SSL inspection on web traffic. It's a tough issue for most organizations and many until now have chosen just to ignore it by bypassing SSL traffic and leaving it uninspected.
But it's getting harder for organizations to ignore that SSL traffic now that many common websites allow users to stay completely encrypted when using that site. This is true for Twitter, Facebook, Gmail, and other popular websites. Encryption lets malware through to the organization and also allows users to unintentionally (or intentionally) send out company confidential information to the internet.
The reason that organizations don't have a higher rate of SSL inspection already is that it's not an easy task to get it implemented through out the organization. First SSL inspection means breaking the SSL connection using an SSL proxy, essentially a man in the middle. The difficulty here is of course the SSL certificate presented back to the user won't be the one from the site they're trying to connect to. That means training the user to understand the certificate presented by the proxy is valid and to accept the warnings from the browser, or alternatively push out the certificate to all the systems in the organization so it's automatically accepted.
Then there's the fine line of determining what can be intercepted and what can't within the realms of the organizations policies around privacy. A decent web security gateway will let you set policy so that all SSL is intercepted except for say financial sites, where privacy may dictate letting those sites be bypassed. In addition, policy may differ by user or group, and perhaps there's different inspection even no inspection for certain users.
No matter what policy is actually implemented, it's not hard to see the writing on the wall, SSL inspection is coming to a web security gateway near you.
But it's getting harder for organizations to ignore that SSL traffic now that many common websites allow users to stay completely encrypted when using that site. This is true for Twitter, Facebook, Gmail, and other popular websites. Encryption lets malware through to the organization and also allows users to unintentionally (or intentionally) send out company confidential information to the internet.
The reason that organizations don't have a higher rate of SSL inspection already is that it's not an easy task to get it implemented through out the organization. First SSL inspection means breaking the SSL connection using an SSL proxy, essentially a man in the middle. The difficulty here is of course the SSL certificate presented back to the user won't be the one from the site they're trying to connect to. That means training the user to understand the certificate presented by the proxy is valid and to accept the warnings from the browser, or alternatively push out the certificate to all the systems in the organization so it's automatically accepted.
Then there's the fine line of determining what can be intercepted and what can't within the realms of the organizations policies around privacy. A decent web security gateway will let you set policy so that all SSL is intercepted except for say financial sites, where privacy may dictate letting those sites be bypassed. In addition, policy may differ by user or group, and perhaps there's different inspection even no inspection for certain users.
No matter what policy is actually implemented, it's not hard to see the writing on the wall, SSL inspection is coming to a web security gateway near you.
Monday, June 25, 2012
Zero Day, Negative Day Defenses
The buzzwords in anti-malware technology is all around getting your organization protected before something bad happens. Especially in this day and age when malware attacks are short-lived, and there isn't much time for a "signature" to be written to protect your users.
That's why anti-malware vendors are trying to get ahead of the game with so-called "zero-day" defenses, where they use heuristics, fuzzy logic, and other technologies to determine new viruses when they arrive on your doorstep.
There's a new terminology out there now, called "negative-day" defense, and refers to blocking websites that are hosting malware before those websites get used in an attack. It turns out there are lots of websites that are in existence all the time hosting malware that aren't actively being used in an attack. These are referred to as malware delivery networks or malnets for short. Apparently cyber-criminals keep these malnets around as an infrastructure for their cyber attacks. So when they do launch an attack, say on a popular website, and embed malware links, these links point back to these existing servers hosting malware in these malnets.
Blue Coat Systems is tracking malnets using their Webpulse cloud technology, and users of this technology get to block malnets before they get used in a live attack. Based on their statistics Blue Coat determined that approximately two thirds of all attacks in 2011 used malnets that Blue Coat was already aware of to deliver their malware. Blue Coat describes malnets and specific cases in their 2012 Web Security Report, including the case of the Urchin attack which lasted only 10 days, and in which only 4 out of 44 anti-malware vendors were able to produce a signature by the time the attack ended. Blue Coat customers were protected prior to the attack and during the attack, because Blue Coat was already blocking the malnet used to host the attack.
In Blue Coat's prediction for 2012, they predicted malnets will continue to be used in cyber attacks, and blocking known malnets seems like an easy way to protect yourself from at least a good portion of attacks on the web.
That's why anti-malware vendors are trying to get ahead of the game with so-called "zero-day" defenses, where they use heuristics, fuzzy logic, and other technologies to determine new viruses when they arrive on your doorstep.
There's a new terminology out there now, called "negative-day" defense, and refers to blocking websites that are hosting malware before those websites get used in an attack. It turns out there are lots of websites that are in existence all the time hosting malware that aren't actively being used in an attack. These are referred to as malware delivery networks or malnets for short. Apparently cyber-criminals keep these malnets around as an infrastructure for their cyber attacks. So when they do launch an attack, say on a popular website, and embed malware links, these links point back to these existing servers hosting malware in these malnets.
Blue Coat Systems is tracking malnets using their Webpulse cloud technology, and users of this technology get to block malnets before they get used in a live attack. Based on their statistics Blue Coat determined that approximately two thirds of all attacks in 2011 used malnets that Blue Coat was already aware of to deliver their malware. Blue Coat describes malnets and specific cases in their 2012 Web Security Report, including the case of the Urchin attack which lasted only 10 days, and in which only 4 out of 44 anti-malware vendors were able to produce a signature by the time the attack ended. Blue Coat customers were protected prior to the attack and during the attack, because Blue Coat was already blocking the malnet used to host the attack.
In Blue Coat's prediction for 2012, they predicted malnets will continue to be used in cyber attacks, and blocking known malnets seems like an easy way to protect yourself from at least a good portion of attacks on the web.
Monday, June 18, 2012
Is BYOD worrying you yet?
Among the latest buzzwords in the IT industry is the phrase BYOD. It stands for Bring Your Own Device and refers the burgeoning number of devices that employees are bringing into the office from home and attaching to the organization's network. It includes tablets, smart phones and home laptops. It's estimated by one analyst group that the average employee will own seven internet connected devices by 2015.
If the security risk of putting non-corporate owned devices on the network hasn't got you worried, think about the increased traffic trying to access the internet. If your employee only had one device and by 2015 they'll have seven, that's a significant bandwidth increase requirement for your infrastructure.
And of course we shouldn't toss aside security so quickly. Since these devices don't have any mandates from the corporate IT department on them, and have accessed networks other than the corporate ones, they're likely targets for malware, not to mention data loss.
The other fun statistic I saw recently was that it's estimated the average smartphone has 65 applications installed on it. That's an incredible number. Who has time to use 65 different applications? And what if any controls does the corporate IT department have over what applications can do and access?
So if you haven't started a BYOD initiative in your IT department, it's really time you started. It's more than just the web gateway security issues, but that's not a bad place to start.
If the security risk of putting non-corporate owned devices on the network hasn't got you worried, think about the increased traffic trying to access the internet. If your employee only had one device and by 2015 they'll have seven, that's a significant bandwidth increase requirement for your infrastructure.
And of course we shouldn't toss aside security so quickly. Since these devices don't have any mandates from the corporate IT department on them, and have accessed networks other than the corporate ones, they're likely targets for malware, not to mention data loss.
The other fun statistic I saw recently was that it's estimated the average smartphone has 65 applications installed on it. That's an incredible number. Who has time to use 65 different applications? And what if any controls does the corporate IT department have over what applications can do and access?
So if you haven't started a BYOD initiative in your IT department, it's really time you started. It's more than just the web gateway security issues, but that's not a bad place to start.
Wednesday, May 30, 2012
Almost 20 percent of US PCs have no A/V protection
A new study from McAfee is claiming that 17 percent of PCs around the world have no antivirus protection and in the U.S. that number is even higher at 19 percent. The study counted as unprotected machines those that had no antivirus protection installed, or whose antivirus subscription had expired. In the U.S., 12 percent of PCs did not contain any antivirus program, and 7 percent had software that was expired.
Along with BYOD (Bring Your Own Device), organizations that allow their employees to hook up their own devices to the corporate network should be making sure all users on the network (regardless of whether it's a personal or corporate owned device) are protected by a secure web gateway / proxy. With a high likelihood the device itself may not be protected, there really needs to be some line of defense, and it's the secure web gateway. In addition many proxies can also protect infected devices from uploading personal or corporate owned information back to hacker owned servers in the network that are trying to collect personal and corporate data.
Along with BYOD (Bring Your Own Device), organizations that allow their employees to hook up their own devices to the corporate network should be making sure all users on the network (regardless of whether it's a personal or corporate owned device) are protected by a secure web gateway / proxy. With a high likelihood the device itself may not be protected, there really needs to be some line of defense, and it's the secure web gateway. In addition many proxies can also protect infected devices from uploading personal or corporate owned information back to hacker owned servers in the network that are trying to collect personal and corporate data.
Monday, May 21, 2012
Why is SEP the number one vector for malware?
SEP (Search Engine Poisoning) is the number one vector for malware according to Blue Coat's 2012 Web Security Report. More people attempted to access malware through SEP than any other method in 2011. Blue Coat also writes a lot about SEP in their security blog. Some of the reasons SEP remains a popular choice among hackers include the breadth of reach (everyone uses search engines), how easy it is to infect search engine results, and the likelihood the end-user will trust the result and get infected as a by-product of selecting an infected search result.
One of the interesting things about Blue Coat's research is that celebrity searches and "big event" searches aren't nearly as dangerous as common search terms. The reason for this is with celebrity and "big event" searches there's an overwhelmingly large repository of "good results" to choose from, it's unlikely a cyber criminal will get a hit, whereas a common every day search may have fewer results, and it's easier for a hacker to get a result on the primary results page.
So what's the solution to SEP? Obviously an up to date web security gateway with real-time rating helps. But also user training is important. Users need to understand what looks like a bad URL, what looks like a shady site, and users also need to learn not to ignore warnings generated by the secure web gateway or their browser. It may even help to use a safe search tool like k9safesearch.com in place of regular search engines.
One of the interesting things about Blue Coat's research is that celebrity searches and "big event" searches aren't nearly as dangerous as common search terms. The reason for this is with celebrity and "big event" searches there's an overwhelmingly large repository of "good results" to choose from, it's unlikely a cyber criminal will get a hit, whereas a common every day search may have fewer results, and it's easier for a hacker to get a result on the primary results page.
So what's the solution to SEP? Obviously an up to date web security gateway with real-time rating helps. But also user training is important. Users need to understand what looks like a bad URL, what looks like a shady site, and users also need to learn not to ignore warnings generated by the secure web gateway or their browser. It may even help to use a safe search tool like k9safesearch.com in place of regular search engines.
Wednesday, May 16, 2012
BYOD
BYOD seems to be the latest buzz word in security. In case you aren't completely caught up with the news, BYOD stands for "Bring Your Own Device". It refers to the proliferation of smartphones and tablets that employees are bringing into work and attaching on to the organization's network. It's estimated the average employee owns 2.4 devices that they bring into work and connect to the network.
This brings its own challenges, including how to enforce corporate policy on those devices. While policy may be enforced by the secure web gateway or proxy when the device is on the organization's network, what about policy when it's off the network and on some public network? That's important to make sure the device doesn't get infected or suffers data loss due to a malware attack. Plus there's the issue that the device uses applications that sometimes use different URLs, protocols, and ports than the web version of that application. It's possible your secure web gateway may not understand the mobile app, while it's happily blocking or controlling the web application.
The other challenge these devices bring is around performance and bandwidth. While the secure web gateway may have enough performance and bandwidth for one device per employee, what happens when there's three and all three are checking and updating webmail and Facebook at the same time? These devices also have a bandwidth challenge when they download updates to their operating system. iOS updates have been rather large lately, and if every iOS device downloads their updates during work hours, is your secure web gateway prepared? BYOD only promises to increase as the tablet and smartphone market continues to grow.
It's time to make sure your secure web gateway has up to date technology to handle mobile, as well as enough capacity to handle the coming increase in bandwidth requirements. This may be a good time to look at bandwidth saving technologies as well, including caching and stream splitting for video, one of the biggest hogs of network bandwidth.
This brings its own challenges, including how to enforce corporate policy on those devices. While policy may be enforced by the secure web gateway or proxy when the device is on the organization's network, what about policy when it's off the network and on some public network? That's important to make sure the device doesn't get infected or suffers data loss due to a malware attack. Plus there's the issue that the device uses applications that sometimes use different URLs, protocols, and ports than the web version of that application. It's possible your secure web gateway may not understand the mobile app, while it's happily blocking or controlling the web application.
The other challenge these devices bring is around performance and bandwidth. While the secure web gateway may have enough performance and bandwidth for one device per employee, what happens when there's three and all three are checking and updating webmail and Facebook at the same time? These devices also have a bandwidth challenge when they download updates to their operating system. iOS updates have been rather large lately, and if every iOS device downloads their updates during work hours, is your secure web gateway prepared? BYOD only promises to increase as the tablet and smartphone market continues to grow.
It's time to make sure your secure web gateway has up to date technology to handle mobile, as well as enough capacity to handle the coming increase in bandwidth requirements. This may be a good time to look at bandwidth saving technologies as well, including caching and stream splitting for video, one of the biggest hogs of network bandwidth.
Friday, May 11, 2012
Is InterOp Even Relevant Anymore?
This week was InterOp in Las Vegas. If you've been in the industry as long as I have, you still have memories of InterOp as the premier networking event. I've been going to InterOp since 1992, before it merged with NetWorld. As I walked down the aisles this year, the event just seemed like it was only a shadow of its former self. While the economy has certainly taken some of the toll in the number of companies and attendees, it seems like it's more than that. Networking has broken off into a number of niche plays, and a general interoperability show doesn't seem as relevant today, when working together is just assumed, and expected.
Instead of going to a general purpose show like InterOp, I think IT admins are going to cloud, identity, security, mobility and other "themed" events. So you have to wonder, just how many years InterOp has left.
Instead of going to a general purpose show like InterOp, I think IT admins are going to cloud, identity, security, mobility and other "themed" events. So you have to wonder, just how many years InterOp has left.
Friday, May 4, 2012
Drive-by Malware Targets Android
PCWorld is reporting the first instance of drive-by malware for the Android operating system. Drive-by malware is malware that installs itself just by visiting a website, without having to click on anything on the webpage and without having to download or install anything. It's the most dangerous type of malware because it requires no action by the end-user to get infected. This is the first reported case of drive-by malware targeting the Android operating system. Drive-by malware for windows has been around for a while.
This specific malware is called "NotCompatible" and is a trojan that can be used by hackers to use the Android device as a relay point to break into secure networks or uses the device as a proxy.
This latest form of malware is a good reminder that all devices need to be protected, and coincides with Blue Coat's announcement this week of K9 for Android. K9 is Blue Coat's free, home-use web filtering software. Blue Coat already offers K9 for iOS, Windows and MacOS.
This specific malware is called "NotCompatible" and is a trojan that can be used by hackers to use the Android device as a relay point to break into secure networks or uses the device as a proxy.
This latest form of malware is a good reminder that all devices need to be protected, and coincides with Blue Coat's announcement this week of K9 for Android. K9 is Blue Coat's free, home-use web filtering software. Blue Coat already offers K9 for iOS, Windows and MacOS.
Thursday, May 3, 2012
Nine percent of websites malicious
A new report from Zscaler suggests that 9.5 percent of websites are malicious. Another 9.5 percent rated as suspicious in their study. It's no surprise that the web is an increasingly dangerous place to visit. One of the key drivers for this threat, is the fact that end-users aren't updating their plug-ins, leaving them vulnerable to a lot of older malware. An example of this is with Adobe Reader, which the report showed over 60% of users were running an outdated version of this software.
The report also noted that Apple devices are becoming more prevalent in the workplace as Android and Blackberry devices are becoming less prevalent. If anti-malware isn't part of your web security, this report is a good reminder, why it should be in your plans for this year.
The report also noted that Apple devices are becoming more prevalent in the workplace as Android and Blackberry devices are becoming less prevalent. If anti-malware isn't part of your web security, this report is a good reminder, why it should be in your plans for this year.
Monday, April 30, 2012
Conficker Malware Remains A Threat
Information Week published an article this week talking about why the Conficker Malware won't die. It's been 3 years since Conficker was discovered. Information week reports that Conficker launched 59 million attacks in the fourth quarter of 2011 against 1.7 million PCs. An impressive number for malware that should have already been eradicated.
The article on Information Week caught my eye, because I recently attended a talk where Conficker was discussed, but not in terms of the malware itself, but how it was discovered. It was important because the talk was actually about APTs (Advanced Persistent Threats), and how to keep an organization protected from APTs. Because APTs can come from anywhere and target almost anyone in the organization, it's tough for a single security solution to detect an APT when the threat happens. So how does one protect against an APT? The answer is of course, multi-layered defense. An organization needs to defend not only the web gateway/proxy, but also the router, the workstation, and other network devices.
That leads to the next question, which is how do you detect an APT when it's happening. And that's where Conficker comes in. Conficker was discovered by an IT administrator who knew what a normal log looked like and immediately recognized an anomaly in his DNS logs, which led to the discovery of Conficker. Specifically the administrator saw a spike in DNS requests for hostnames that did not map to IP addresses (Conficker automatically generates hostnames using an algorithm to look for payload servers).
The key here is familiarity with the logs on all your networking devices. Understand what's a normal day, and recognize when your network devices are producing anomalies, and investigate when these anomalies happen. Familiarity with your own logs may be the difference between early detection of an APT, and significant data loss.
So even though Conficker continues to haunt corporate networks, it does remind us we need to remain vigilent in security and become familiar enough with our environments that we recognize when something is out of the ordinary.
The article on Information Week caught my eye, because I recently attended a talk where Conficker was discussed, but not in terms of the malware itself, but how it was discovered. It was important because the talk was actually about APTs (Advanced Persistent Threats), and how to keep an organization protected from APTs. Because APTs can come from anywhere and target almost anyone in the organization, it's tough for a single security solution to detect an APT when the threat happens. So how does one protect against an APT? The answer is of course, multi-layered defense. An organization needs to defend not only the web gateway/proxy, but also the router, the workstation, and other network devices.
That leads to the next question, which is how do you detect an APT when it's happening. And that's where Conficker comes in. Conficker was discovered by an IT administrator who knew what a normal log looked like and immediately recognized an anomaly in his DNS logs, which led to the discovery of Conficker. Specifically the administrator saw a spike in DNS requests for hostnames that did not map to IP addresses (Conficker automatically generates hostnames using an algorithm to look for payload servers).
The key here is familiarity with the logs on all your networking devices. Understand what's a normal day, and recognize when your network devices are producing anomalies, and investigate when these anomalies happen. Familiarity with your own logs may be the difference between early detection of an APT, and significant data loss.
So even though Conficker continues to haunt corporate networks, it does remind us we need to remain vigilent in security and become familiar enough with our environments that we recognize when something is out of the ordinary.
Friday, April 27, 2012
Flashback attack and MacOS vulnerability
I know I've been remiss in keeping up with this blog and the latest news out in the security and proxy industry, but sometimes life happens. With that in mind, I'm going to recap probably the most important bit of news that happened over the last couple of months, and that was the reminder to everyone that Macs and specifically MacOS isn't completely protected from malware. The Flashback virus was widely reported on and was estimated to have infected over 600,000 Mac computers. Bigger news was of course that Apple first ignored the news reports and then slowly came around and said they would fix the flaw that caused the vulnerability.
But the big question for many of course, is whether any of the devices on their network helped to prevent the attack from happening, and this wasn't something that any vendor had an answer to. But Blue Coat Systems while they didn't claim to protect you from Flashback, they did claim they helped prevent an infected system from reporting back to the botnet systems collecting data from compromised Macs. You can read about how they did this on their security blog.
But the big question for many of course, is whether any of the devices on their network helped to prevent the attack from happening, and this wasn't something that any vendor had an answer to. But Blue Coat Systems while they didn't claim to protect you from Flashback, they did claim they helped prevent an infected system from reporting back to the botnet systems collecting data from compromised Macs. You can read about how they did this on their security blog.
Monday, February 13, 2012
Blue Coat Acquisition Approved By Shareholders
The Blue Coat Systems acquisition by the private equity firm Thoma Bravo was approved today, February 13, 2012 during the shareholder meeting in Sunnyvale, CA. The result of this is that Blue Coat has now been taken private, and will no longer be a publicly traded company. What effect this has on the product and roadmap remains to be seen, but the company claims this will help them focus on the product without having to worry about shareholders.
Subscribe to:
Posts (Atom)
Posts
