Network World: Secure Auth Tops in Two-Factor Tokens

We all know that relying on a simple user ID and password combination is fraught with peril. One alternative is to use one of the single sign-on solutions we reviewed last year, but there are less expensive options that could also be easier to install. That’s where two-factor authentication services come into play. I recently reviewed eight such tools, including Celestix’s HOTPin, Microsoft’s PhoneFactor, RSA’s Authentication Manager, SafeNet’s Authentication Service, SecureAuth’s IdP, Symantec’s Validation and ID Protection Service (VIP), TextPower’s TextKey and Vasco’s Identikey Authentication Server. SecureAuth (illustrated) came out on top.

You can read my review in Network World here.

You can download the various screenshots here.

And you can follow the Twitter handles of the various vendors here.

ITworld: Some quirky tech conferences worth attending

If you don’t want to go to Vegas for one of the mega-shows by IBM, Symantec, CA and whatnot, then perhaps you should consider one or more of the shows that I chronicle in my latest piece for ITworld. I tried to find conferences where you can actually learn something, and that are small enough not to be overwhelming, so you can spend some time meeting new people too.

You can read my article here.

Why small businesses need firewalls

I have been spending time this week at a small media company called Mercury Labs. Despite their name, they don’t normally test anything, but ironically that is what I have been doing there. I was testing a bunch of integrated network security devices for Network World.  These devices cover what is called unified threat management, but you can think of them as network firewalls with additional features, such as the ability to scan incoming and outgoing traffic for viruses and spam, blocking phishing URLs, and being able to set up a secure virtual private network connection when you are on the road.  I’ll call them advanced firewalls here for convenience.

I have a long history of testing these tools. Almost seven years ago, one of the Techtarget publications had me looking at them for larger enterprises, and I went out to the central IT department at Stanford University to put them through their paces. This time around, I wanted to find a small business site for the tests that I was going to be doing for Network World. That’s why I was over at Mercury this past week.

They have about 10 Macs connected to an Apple Airport, which is the center of their network, providing IP addresses, wireless connections and a shared hard drive to the entire office. The Airport is attached to a cable modem and the Charter broadband network.

Wait a minute. Don’t you need a firewall if you are going to connect your network to the badass Internet? Yes, and Mercury knew they were taking chances. A firewall is just the basic separation that keeps the bad guys from getting inside your network and causing havoc. That is why they were the perfect testing site. They were vested in my review and what I would find out about these products and their specific needs.

Interestingly, it isn’t just small businesses that don’t have firewalls. When I arrived at Stanford, the central network didn’t have any either. Partly that was because of some odd notion of academic freedom, but back then they realized they had to get better protection. Ironically, while I was doing my tests there we saw someone try to reach out from Germany one morning. Luckily, they had other defenses that prevented them from doing any damage, but it emphasized the reason why I was there testing these products. And coincidentally, when we brought up the advanced firewalls at Mercury, we could see all the network traffic where folks were continually scanning and looking for ways to enter their network too. It was a sobering illustration of why these products are essential.

When I first arrived on scene, I went into their phone closet where I tried to suppress a gasp. Yep, this was your typical small business: part storage room, part cable jungle, and mostly a mess. It was clear that trying to figure out the network topology was going to be a challenge, and my first act was to leave everything alone.

Inside the closet were two small gigabit switches from DLink that looked like they had been around since the days of DOS. This worried me, but since things were working, I wasn’t too concerned. Yet.

One of the vendors that was part of the test insisted on sending a product engineer to help with my testing, and I am sure glad that he was there. When we cut over to his device instead of the Airport, things initially went south. Turns out we found a bug in their firmware. Once that was fixed, all of the wireless Macs were quickly brought up on the network behind the new firewall. But the wired Macs had trouble connecting. It took a few reboots before we got everyone back on board. It was ironic that the wireless portion of their network was easier to bring up than their wired portion. That was thanks to the wonky cabling in the closet.

So what are some takeaways from this experience?

If you are running gigabit Ethernet to your desktops, make sure your cable plant is up to snuff. Part of my problems had to do with the older cables used to connect things in their wiring closet. There is a difference between Cat5 and Cat5e, especially if you want to run the faster networks these days. Make sure you are using the right cables.

Disconnect any unused wired ports in your office.  This is just basic security practice, but bears repeating. And if your wiring contractor hasn’t done so, you should label your ports in the walls and in your closet so you can track things down more easily.

Understand the limitations of your core network gear, including switches, routers, firewalls, and wireless access devices. Your network installer should explain these things in terms that you can understand.

Have a separate guest network with the appropriate security measures. The Mercury folks were using the Airport guest network features, which were bare bones. One of the reasons they wanted to go to the advanced firewall was to provide better protection from their frequent guests and contractors who were going to be connecting in their offices.

Oh, and what happened with my review for Network World? Well, you will have to wait and read about it in their pages. I can tell you that I learned some interesting things about all the products that I tested.

Dice: Ways the AP Could Have Avoided Its Twitter Hack

A single tweet with a phony bit of news sent the stock market into a brief dive Tuesday, pushing the Dow Jones Industrial Average down more than 140 points in the three minutes from 1:07 to 1:10 p.m. ET. When the “news” — that two bombs had exploded in the White House, injuring the president — was debunked, the market regained its footing.

You can read my post on Dice.com here on what happened, and how the Associated Press could have avoided this exploit of their Twitter account.

Dice: The Security Implications of Fake Twitter Followers

A recent New York Times story about the fake Twitter follower community got me thinking. The newspaper claims that this is a $1 million industry, with followers being purchased in bulk for about a penny a head. Why does Twitter tolerate this? Certainly, the company could easily fix this problem with some clever software engineering. Instead, they’re turning a blind eye.

You can read the rest of my post on Dice here. It isn’t so cut and dried, as I found out myself.

Solution Providers for Retail: Time to Clean Up Your Identity Data

At the SailPoint user conference this month, I heard that one common problem they have is too many places that store their users’ identities. In some cases, they have to first filter their Active Directory data into a spreadsheet to make sense of who has what rights to particular datasets. That is just insanity.

It may just be time to start to clean up your retailers’ identity data. You can read more about what I have to say and what I heard at the conference on my post for the Solution Providers for Retail blog here.

Blogger in residence at SailPoint’s Navigate user conference

One of the more fun gigs I have is being the blogger on the ground during an event, and posting commentary and analysis in near-real-time on the sponsoring company’s blog. Today I am in Austin, along with a few hundred other identity geeks from the world’s largest companies at the SailPoint Navigate13 user conference. You can read my posts here on SailPoint’s blog:

In addition to this work, I also have written these articles on other blogs about what I saw at the conference:

Top ten security stories of last week

Over at Dice.com, I manage the security community where I curate each week my favorite stories in the IT media, blogs, and news sites. Here is my list for last week’s stories, in no particular order.

Managing your reputation

[Screenshot: IP-Venger console]

On the Internet, no one knows you are a dog, but they certainly know your IP address. And there are a growing number of reputation management products that can track your address, interpret what you have been doing with it, and pre-screen your traffic if you are abusive. This is like stopping junk mail when the sender delivers it to the local post office before it enters the mail stream.

These services all operate the same way: the vendors deploy a bunch of sensors either at their customers’ sites or at major Internet peering points where they can examine traffic that is passing by. Each service screens for malware behavior, known virus signatures, and other anomalous actions. Once an IP address is seen behaving that way, they block all traffic from it.

These services aren’t new, but they are getting more popular as they get more effective. Being proactive can save a lot of time, a lot of bandwidth, and provide a lot of protection before the bad stuff hits your corporate network.

When I was doing some work last month at Cisco with their intrusion prevention products, I saw how just turning on their reputation management tool (called Global Correlation) would stop more traffic than creating any other protection rule. It is a delicate balance. If you don’t have many malware signatures enabled, more traffic will slip through that sensor and will hit the reputation sensors and be blocked there. You have to ensure that both types of sensors work together to provide the best possible network threat protection.
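To make the two-layer balance concrete, here is a small model of a signature sensor feeding an IP-reputation sensor. It is an added example written for this post, not code from the original article or from Cisco, Norse or any other vendor named here; the event weights, block threshold, signature strings, "global feed" reports and sample flows are all constructed. It runs the same traffic once with every signature enabled and once with only one, so you can see traffic shift from the signature stage to the reputation stage, and see what slips through when a probe comes from an address with no reputation yet.

```python
"""Toy two-layer filter: signature sensor plus IP-reputation sensor (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # source IP address (constructed, documentation ranges)
    dport: int     # destination port
    payload: str   # stand-in for the content a signature sensor would inspect


# Constructed signature set: name -> substring a signature sensor would match on.
ALL_SIGNATURES = {
    "bad-ua": "User-Agent: evilbot",
    "sqli": "' OR 1=1",
    "exploit-kit": "/landing.php?id=",
}

# Constructed reputation weights per reported behaviour, and the score at which
# the reputation sensor blocks *everything* from an address (not just one flow).
WEIGHTS = {"signature_hit": 30, "port_scan": 50, "spam_source": 20, "global_blocklist": 50}
BLOCK_THRESHOLD = 50


class ReputationSensor:
    """Accumulates behaviour reports per source IP, from a global feed and local sensors."""

    def __init__(self):
        self.scores = defaultdict(int)

    def observe(self, ip, behaviour):
        self.scores[ip] += WEIGHTS[behaviour]

    def is_blocked(self, ip):
        return self.scores[ip] >= BLOCK_THRESHOLD


def detect_port_scans(flows, min_ports=5):
    """Local anomaly sensor: an IP touching at least min_ports distinct ports is a scanner."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return sorted(ip for ip, seen in ports.items() if len(seen) >= min_ports)


def run_pipeline(flows, enabled_signatures, rep):
    """Signature stage first, reputation stage second; returns how many flows each stage stopped."""
    counts = {"signature": 0, "reputation": 0, "allowed": 0}
    for f in flows:
        if any(ALL_SIGNATURES[name] in f.payload for name in enabled_signatures):
            counts["signature"] += 1
            rep.observe(f.src, "signature_hit")   # a local hit also raises the IP's score
        elif rep.is_blocked(f.src):
            counts["reputation"] += 1            # blocked on the address alone
        else:
            counts["allowed"] += 1
    return counts


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 80, "GET /landing.php?id=3 HTTP/1.1"),   # exploit-kit landing page
    Flow("203.0.113.7", 80, "GET /index.html HTTP/1.1"),         # same IP, clean request
    Flow("198.51.100.9", 443, "User-Agent: evilbot"),            # known-bad user agent
    Flow("198.51.100.9", 443, "GET /about HTTP/1.1"),            # same IP, clean request
    Flow("192.0.2.44", 22, ""), Flow("192.0.2.44", 23, ""), Flow("192.0.2.44", 80, ""),
    Flow("192.0.2.44", 443, ""), Flow("192.0.2.44", 3389, ""),   # port scan, matches no signature
    Flow("192.0.2.44", 80, "GET / HTTP/1.1"),                    # the scanner comes back later
    Flow("192.0.2.10", 80, "GET /?q=' OR 1=1 HTTP/1.1"),         # SQL injection probe, unknown IP
    Flow("192.0.2.10", 80, "GET /products HTTP/1.1"),            # same IP, clean request
    Flow("192.0.2.99", 80, "GET /contact HTTP/1.1"),             # ordinary visitor
]


def compare_signature_coverage():
    """Run the same traffic with all signatures enabled and with only one enabled."""
    results = {}
    for label, sigs in (("all_signatures", list(ALL_SIGNATURES)), ("one_signature", ["exploit-kit"])):
        rep = ReputationSensor()
        rep.observe("203.0.113.7", "spam_source")        # constructed global-feed reports
        rep.observe("198.51.100.9", "global_blocklist")
        for ip in detect_port_scans(SAMPLE_FLOWS):        # local anomaly sensor feeds it too
            rep.observe(ip, "port_scan")
        results[label] = run_pipeline(SAMPLE_FLOWS, sigs, rep)
    return results


if __name__ == "__main__":
    for label, counts in compare_signature_coverage().items():
        print(label, counts)
```

With every signature on, three flows stop at the signature stage and eight at the reputation stage. Drop to one signature and the flow from the blocklisted address moves over to the reputation stage, but the injection probe from 192.0.2.10, an address nobody has reported yet, is allowed through. That is the trade-off the paragraph above describes: reputation catches whole addresses cheaply, including the scanner that never trips a signature, while signatures are what catch the first bad request from a clean address.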

There are several ways to get more familiar with reputation management. The easiest way to see what kind of information is being collected is to go to one of the reputation service management tools online. Cisco has its Senderbase.org, McAfee has its Trustedsource.org, and CommTouch.com has a third service. All are places where you can look up particular domains and IP addresses and research what kinds of reputations they have and what traffic each vendor has observed coming from these domains. You can watch a screencast video that I did for McAfee from four years ago that shows how to use these services.

That is fine for one-off kinds of queries, but if you want to implement this type of protection on a consistent basis you will have to purchase a network security device. This typically involves using an intrusion prevention or unified threat management product from one of many vendors that build in reputation awareness. Apart from the usual suspects like Cisco, Blue Coat, Websense and others, there are a few other vendors on the landscape worth a closer look. These include Network Box, Alien Vault and Norse Corp.

Network Box is a managed UTM box that works with its own collection of malware sensors spread across the Internet and runs more than a dozen different anti-virus scanning engines. One nice feature is the product is geared towards VARs and managed service providers. I did a screencast video review that shows how it works.

Alien Vault’s Open Threat Exchange is building an open source intrusion detection system with built-in reputation management. They claim to have more than thirty different products that are part of the collection process.

Norse Corp. has two different products that can be deployed in this arena, IP-Venger and IP-Viking. Both make use of a very wide global sensor network to monitor and block threats. The IP-Venger service is a WordPress plug-in so you can stop malicious traffic and spammers proactively. I had some trouble with its beta version but it looked promising. A screen cap of its console is shown above.

As I said, this isn’t a new area, but one worth exploring if you aren’t familiar.