<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: advises]]></title>
    <link>http://securityratty.com/tag/advises</link>
    <description></description>
    <pubDate>Thu, 06 Dec 2007 16:02:04 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[What do High School Killers and Terrorists Have in Common?]]></title>
      <link>http://securityratty.com/article/5ca944b7ef73adcbc2fee5dec5e44847</link>
      <guid>http://securityratty.com/article/5ca944b7ef73adcbc2fee5dec5e44847</guid>
      <description><![CDATA[Department of Homeland Security studies show that the Columbine High School killers and the Virginia Tech gunman planned those attacks using the same techniques used by terrorists

The study talks...]]></description>
      <content:encoded><![CDATA[<a href="http://www.dchieftain.com/news/81029-06-18-08.html">Department of Homeland Security studies</a> show that the Columbine High School killers and the Virginia Tech gunman planned those attacks using the same techniques used by terrorists.<br /><span id="fullpost"><br />The study talks about the "7 steps" that terrorists take prior to executing an attack.  The steps begin with: Surveillance, Acquiring information, Testing security, Acquiring supplies, Appearance of being "out of place", Test run and putting everything into position for the planned attack/strike.<br /><br /></span><br />Is there much that ordinary civilians can do to thwart a Terrorist attack or High School killing spree?  The answer is: MOST DEFINITELY.  DHS advises that 25 possible school attacks have been prevented this year so far, due to attentive citizens noticing something that seemed unusual and then reporting it to Law Enforcement.<br /><br />We should not be reluctant to report suspicious persons or circumstances.  Every once in a while the media will run a story about a suspicious package being left behind in a taxi or public place.  Many people will be afraid to report something like that in case it turns out to be a hoax.  BUT YOU SHOULD REPORT IT, NEVERTHELESS.  That "hoax" might very well be a "test/dry run" by terrorists to see if what they leave behind will be detected, or how long it will take to be reported.  The terrorist/bad guy will most likely be timing the response as well.<br /><br />Those of us who travel regularly can tell you how long an unattended backpack or shopping bag would be allowed to sit unattended in London or parts of the Middle East.  
A Police officer would never get angry at having to respond because: 1) they are happy to see it does not contain a life threatening device (that would threaten their life as well as the lives of the general public) and 2) they know that one day it will be the real thing and when that time arrives, they will be glad of the practice and the fact that the public are helping them to identify danger.<br /><br />In these dangerous times, we should never forget that we are all in this together.  There is no room for complacency.  Just because you think you are safe and on holiday - remember what happened in Bali.  If you think you are safe because you are in a secured facility or an Embassy overseas, remember Oklahoma and the countless Embassies and Consulates where deadly attacks are becoming a daily occurrence.  <br /><br />If something doesn't look or feel right to you, there is a reason that you feel that way.  Like the animals in the jungle, we are able to sense fear/danger in order to assist us with survival.  The next time you report a suspicious activity, the life you save just might be your own.]]></content:encoded>
      <pubDate>Sun, 20 Jul 2008 16:37:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/school">school</category>
      <category domain="http://securityratty.com/tag/school killers">school killers</category>
      <category domain="http://securityratty.com/tag/attacks">attacks</category>
      <category domain="http://securityratty.com/tag/school attacks">school attacks</category>
      <category domain="http://securityratty.com/tag/report">report</category>
      <category domain="http://securityratty.com/tag/terrorists">terrorists</category>
      <category domain="http://securityratty.com/tag/report suspicious persons">report suspicious persons</category>
      <category domain="http://securityratty.com/tag/homeland security studies">homeland security studies</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <source url="http://www.thebulletproofblog.com/2008/07/what-do-high-school-killers-and.html">What do High School Killers and Terrorists Have in Common?</source>
    </item>
    <item>
      <title><![CDATA[PCI compliance kit for NAC - do you believe it?]]></title>
      <link>http://securityratty.com/article/93e403bbb77cbb63a802e67ad184648c</link>
      <guid>http://securityratty.com/article/93e403bbb77cbb63a802e67ad184648c</guid>
      <description><![CDATA[Tim Greene makes the point again in his column that NAC is a great tool to help with PCI compliance. He is right on. Here at StillSecure we have several customers who are using NAC to help with PCI....]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Tim Greene makes the <a href="http://www.networkworld.com/newsletters/vpn/2008/062308nac1.html">point again in his column</a> that NAC is a great tool to help with PCI compliance. He is right on. Here at StillSecure we have several customers who are using NAC to help with PCI.&nbsp; My issue is Tim highlights some recent spin fed to him from the &quot;<a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/the-used-car-sa.html">used car salesman of NAC</a>&quot;. They claim to have a &quot;PCI kit&quot; that will help with 8 out of 12 PCI requirements.&nbsp; A kit sounds like something you put on your car to help with gas mileage or something and for all I know is just more snake oil.&nbsp; They claim to have an &quot;unnamed customer&quot; who is already using it.&nbsp; Who could that be, LVHH again?&nbsp; Or maybe they found a Cisco or Juniper customer that they say uses them for NAC now too.&nbsp; The <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/the-used-car-sa.html">BNBB</a> advises to take anything they say or write with a grain of salt.&nbsp; Remember Caveat Emptor!</p></div>
]]></content:encoded>
      <pubDate>Tue, 24 Jun 2008 03:59:29 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pci">pci</category>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/pci kit">pci kit</category>
      <category domain="http://securityratty.com/tag/pci compliance">pci compliance</category>
      <category domain="http://securityratty.com/tag/pci requirments">pci requirments</category>
      <category domain="http://securityratty.com/tag/recent spin fed">recent spin fed</category>
      <category domain="http://securityratty.com/tag/remember caveat emptor">remember caveat emptor</category>
      <category domain="http://securityratty.com/tag/juniper customer">juniper customer</category>
      <category domain="http://securityratty.com/tag/car">car</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/pci-compliance.html">PCI compliance kit for NAC - do you believe it?</source>
    </item>
    <item>
      <title><![CDATA[Virtual infrastructure: Threats lurk near open doors]]></title>
      <link>http://securityratty.com/article/e38be0056f22f5563bd4b3f5f3f60abc</link>
      <guid>http://securityratty.com/article/e38be0056f22f5563bd4b3f5f3f60abc</guid>
      <description><![CDATA[Edward L. Haletky suggests three methods that can be used to limit access to the VMware ESX host, and he advises using two at any given...]]></description>
      <content:encoded><![CDATA[Edward L. Haletky suggests three methods that can be used to limit access to the VMware ESX host, and he advises using two at any given time.
]]></content:encoded>
      <pubDate>Fri, 06 Jun 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/vmware esx host">vmware esx host</category>
      <category domain="http://securityratty.com/tag/haletky suggests">haletky suggests</category>
      <category domain="http://securityratty.com/tag/limit access">limit access</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/edward">edward</category>
      <category domain="http://securityratty.com/tag/methods">methods</category>
      <category domain="http://securityratty.com/tag/advises">advises</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/306388001/article.do">Virtual infrastructure: Threats lurk near open doors</source>
    </item>
    <item>
      <title><![CDATA[Top 5: Why Customers Consider NAC]]></title>
      <link>http://securityratty.com/article/83f7c84a6d60d185873164921594ef4d</link>
      <guid>http://securityratty.com/article/83f7c84a6d60d185873164921594ef4d</guid>
      <description><![CDATA[On a daily (and nightly) basis I have the wonderful experience of talking to, chatting about, presenting on or asking questions of customers about NAC
At each of these opportunities, I like to ask Why...]]></description>
      <content:encoded><![CDATA[<p>On a daily (and nightly) basis I have the wonderful experience of talking to, chatting about, presenting on or asking questions of customers about NAC. </p><p>At each of these opportunities, I like to ask <em>&#8220;Why are you considering NAC?&#8221;</em></p><p><strong>Here&#8217;s my Top 5&nbsp;of Why Customers Consider NAC</strong> (or <em>think</em> they want NAC). This is not based on any other organization&#8217;s research or polls, nor is it based on analyst analysis. It&#8217;s not based on forethought or musings of an &#8216;expert&#8217;. It&#8217;s just&nbsp;my personal experience from my daily interactions.</p><p><strong>#1: Endpoint Compliance</strong><br />I put this one first, because I think it&#8217;s the most-hyped and possibly least significant. I know, that&#8217;s harsh, especially when endpoint compliance seems to be the big bat NAC carries around. Truth be told, it&#8217;s more of an &#8216;icing on the cake&#8217; for the people I talk to. Until the auto-remediation features&nbsp;are a little more mature, the idea of checking for much beyond presence of anti-virus and possibly patches is unattractive. Frankly,&nbsp;endpoint compliance for LAN-based devices can be a Charlie Foxtrot except under the most ideal circumstances. There are many large organizations and DoD groups that <em>need</em> endpoint compliance, and that&#8217;s a primary driver for them. For the rest, one of the other reasons below is a primary compelling feature and endpoint checking is just another knob they can play with.</p><p>The lack of fervent interest in endpoint checking is why I had to disagree so strongly with Stiennon when he advises in his NWW article &#8220;<a class="offsite-link-inline" href="http://www.networkworld.com/community/node/27459" target="_blank">Don&#8217;t even bother investing in NAC</a>&#8221;. The entire premise of his issues with NAC centers around various endpoint checking. 
(You can check out <a class="offsite-link-inline" href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/stiennon-says-n.html" target="_blank">Shimel&#8217;s response</a>&nbsp;to Stiennon&#8217;s blog here.)</p><p><strong>#2: Guest Access<br /></strong>Believe it or not, the most frequent response I get for &#8220;<em>why are you considering NAC&#8221;</em> is &#8220;<em>guest access&#8221;.</em>&nbsp;Guest access seems to be a thorn in every organization&#8217;s side. It&#8217;s a simple problem with impossibly complex solutions&#8230; <em>or so they think</em>. For years, we&#8217;ve been provisioning safe and secure guest access for&nbsp;customers with the use of clean and simple protocol-less VLANs and so, I know that about 82% of the time, there are much simpler ways to offer guest access than by rolling out a full NAC implementation. If guest access is your primary and <u>only</u> goal with a NAC solution, there&#8217;s probably a better, faster and less expensive solution. If money and time are no object, then NAC can be a good way to get from point A to B and give you a few fun technical trinkets to play with. </p><p><strong>#3: Edge Port Security</strong><br />After guest access, the next thing I hear most is interest in adding edge port security with an <a href="http://www.securityuncorked.com/security-uncorked/2008/4/2/what-is-8021x-heres-a-technology-primer-for-you.html" target="_blank">802.1X</a> NAC solution. (We call this Layer 2 NAC.) I tend to think for the time being, this is NAC&#8217;s sweet spot. Note I said <em>&#8216;for the time being&#8217;</em>, I think this may change in the next 18-24 months. But for now, the ability to lock down edge ports and secure switch-to-switch links is an extremely attractive feature. Outside of the 802.1X protocol, there aren&#8217;t really any other ways to skin this cat. 
I know what you&#8217;re thinking&#8230; <em>you don&#8217;t have to do NAC to use 802.1X</em>&#8230; and&nbsp;that&#8217;s certainly true, but for a network of any size, NAC makes an 802.1X implementation easier to manage and monitor centrally and gives you more of that NAC icing we all love. </p><p>When the <a href="http://www.securityuncorked.com/security-uncorked/2008/5/9/8021x-rev-ya-heard-it-here-first.html" target="_blank">802.1X-REV</a> comes out (probably early 2009) I think you&#8217;ll see organizations that have previously blown off 1X <em><strong>seriously</strong></em> considering it for all the added security and multi-user support it will bring to the table. </p><p><strong>#4: User &amp; Resource Accounting</strong><br />Unless you have a 3rd party solution or want to dig through mounds of RADIUS syslogs, you probably don&#8217;t have a good way to account for user authentication and accountability of resource access throughout the network. Most vendors&#8217; NAC solutions already have pretty good logging and reporting features built in today. Depending on the solution and integration of other devices, you may even get detailed accounts of which user viewed exactly what, when and from where. This is a great selling point to organizations that are trying to follow strict regulations for accountability of financial or extremely sensitive resources. The standards bodies (IEEE, TNC framework and IETF) are coming out with more and more ways to leverage 3rd party security devices within NAC. The IF-MAP is a great example and we&#8217;ll be seeing more I&#8217;m sure. </p><p><strong>#5: Dynamic VLAN Assignment</strong><br />Lastly, but not least, I hear a lot of customers that are looking for a good way to dynamically provision attributes, such as VLAN assignment and QoS to users or devices. It makes switch configuration and management much simpler, and eliminates the need to assign port-based VLANs. 
The ability&nbsp;to leverage your existing user directory and define both broad and very granular attributes is certainly a draw, and NAC is a great way to offer that. </p><p><strong>That wraps up my Top 5</strong>. Of course, there are plenty more drivers, both business-based or technology-based, but these are the 5 I hear most. </p><p># # #</p>
]]></content:encoded>
      <pubDate>Sat, 31 May 2008 18:10:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/solution">solution</category>
      <category domain="http://securityratty.com/tag/3rd party solution">3rd party solution</category>
      <category domain="http://securityratty.com/tag/nac solution">nac solution</category>
      <category domain="http://securityratty.com/tag/bat nac carries">bat nac carries</category>
      <category domain="http://securityratty.com/tag/nac center">nac center</category>
      <category domain="http://securityratty.com/tag/vendors nac solutions">vendors nac solutions</category>
      <category domain="http://securityratty.com/tag/offer">offer</category>
      <category domain="http://securityratty.com/tag/offer guest access">offer guest access</category>
      <source url="http://www.securityuncorked.com/security-uncorked/2008/5/31/top-5-why-customers-consider-nac.html">Top 5: Why Customers Consider NAC</source>
    </item>
    <item>
      <title><![CDATA[Interesting Microsoft Patent Application]]></title>
      <link>http://securityratty.com/article/4ab776ef2c0e2e792bf3f5a2ef835380</link>
      <guid>http://securityratty.com/article/4ab776ef2c0e2e792bf3f5a2ef835380</guid>
      <description><![CDATA[Guardian Angel : An intelligent personalized agent monitors, regulates, and advises a user in decision-making processes for efficiency or safety concerns. The agent monitors an environment and present...]]></description>
      <content:encoded><![CDATA[<p><a href="http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220080082465%22.PGNR.&OS=DN/20080082465&RS=DN/20080082465">Guardian Angel</a>:</p>

<blockquote>An intelligent personalized agent monitors, regulates, and advises a user in decision-making processes for efficiency or safety concerns. The agent monitors an environment and present characteristics of a user and analyzes such information in view of stored preferences specific to one of multiple profiles of the user. Based on the analysis, the agent can suggest or automatically implement a solution to a given issue or problem. In addition, the agent can identify another potential issue that requires attention and suggests or implements action accordingly. Furthermore, the agent can communicate with other users or devices by providing and acquiring information to assist in future decisions. All aspects of environment observation, decision assistance, and external communication can be flexibly limited or allowed as desired by the user.</blockquote>

<p>Note that Bill Gates and Ray Ozzie are co-inventors.</p>]]></content:encoded>
      <pubDate>Tue, 13 May 2008 03:05:32 +0000</pubDate>
      <category domain="http://securityratty.com/tag/agent monitors">agent monitors</category>
      <category domain="http://securityratty.com/tag/agent">agent</category>
      <category domain="http://securityratty.com/tag/user">user</category>
      <category domain="http://securityratty.com/tag/environment observation">environment observation</category>
      <category domain="http://securityratty.com/tag/issue">issue</category>
      <category domain="http://securityratty.com/tag/potential issue">potential issue</category>
      <category domain="http://securityratty.com/tag/environment">environment</category>
      <category domain="http://securityratty.com/tag/implements action">implements action</category>
      <category domain="http://securityratty.com/tag/ray ozzie">ray ozzie</category>
      <source url="http://www.schneier.com/blog/archives/2008/05/interesting_mic.html">Interesting Microsoft Patent Application</source>
    </item>
    <item>
      <title><![CDATA[Petty local government bureaucracy alive and well!]]></title>
      <link>http://securityratty.com/article/a84482e21da30e01a48ca65fe91873bc</link>
      <guid>http://securityratty.com/article/a84482e21da30e01a48ca65fe91873bc</guid>
      <description><![CDATA[In September of this year my daughter will be moving schools. The local council need a copy of her birth certificate as confirmation of her identity. This is despite the fact that her birth...]]></description>
      <content:encoded><![CDATA[
      In September of this year my daughter will be moving schools. The local council need a copy of her birth certificate as confirmation of her identity. This is despite the fact that her birth certificate was originally produced for the same council less than a year ago for the same purpose before she could attend her current school. Anyway, I dutifully posted said document. It has however, failed to arrive - either lost in the post or misplaced somewhere along the way.

In conversation with the relevant admissions department this morning I asked why they actually need a copy of the birth certificate at all. The robot at the end of the telephone advises me that it's for identity and security purposes. So, I ask, why not simply refer to the previous submission. Because, the robot replies, that was for a different process. I don't give up so easily. As the document has clearly gotten misplaced somewhere between the post box and the admissions desk, could the process not be intelligent enough to note that my daughter still has the same date of birth and name as when we previously applied for a school place for her? Apparently not, "it's not the same process" is the response I get.

Common sense and customer service clearly not strengths of <a href="http://www.bracknell-forest.gov.uk/">Bracknell Forest</a> School Admissions team...
]]></content:encoded>
      <pubDate>Mon, 28 Apr 2008 08:00:14 +0000</pubDate>
      <category domain="http://securityratty.com/tag/current school">current school</category>
      <category domain="http://securityratty.com/tag/school">school</category>
      <category domain="http://securityratty.com/tag/birth">birth</category>
      <category domain="http://securityratty.com/tag/school admissions team">school admissions team</category>
      <category domain="http://securityratty.com/tag/post box">post box</category>
      <category domain="http://securityratty.com/tag/post">post</category>
      <category domain="http://securityratty.com/tag/process">process</category>
      <category domain="http://securityratty.com/tag/robot replies">robot replies</category>
      <category domain="http://securityratty.com/tag/local council">local council</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/04/in-september-of-this-year.html">Petty local government bureaucracy alive and well!</source>
    </item>
    <item>
      <title><![CDATA[Think of Guest Networking as a Strategic First Step Toward NAC]]></title>
      <link>http://securityratty.com/article/4022c23c6e1fac87c954c216f455f250</link>
      <guid>http://securityratty.com/article/4022c23c6e1fac87c954c216f455f250</guid>
      <description><![CDATA[Lately, I have been speaking with a lot of clients about guest networking. In nearly every discussion, a client will tell a &quot;war story&quot; about a visitor that plugged his or her laptop into the wall...]]></description>
      <content:encoded><![CDATA[Lately, I have been speaking with a lot of clients about guest networking. In nearly every discussion, a client will tell a "war story" about a visitor that plugged his or her laptop into the wall jack and brought down the network (either via a worm or via a misconfigured device). A guest network would prevent most of these problems, by providing only Internet access to guests (or possibly tightly limited internal access to a contractor).<br />
<br />
A lot of people confuse guest networking and network access control (NAC). A guest network is really a subset of NAC: It authenticates a user or device before it gains access to the trusted network. NAC takes things a step further: It says "let's make sure that this device is not dangerous to our network before we grant it access." In other words, we baseline the PC to make sure that it is free of malware or that it is at least compliant with our device policies. The guest networking/NAC distinction is an important one. Not all guest networking projects can easily and cost-effectively evolve to a full-blown NAC implementation. But, any true NAC solution can first be used to perform basic endpoint authentication for guest networking and then evolve to a complete NAC implementation. <br />
<br />
There are multiple approaches to building guest networks, and some vendors have started to offer dedicated guest networking products. Last month, Cisco announced its Network Admission Control Guest Server, an appliance for building guest networks. It includes a management application that makes it simple enough for any employee to sponsor a guest. Startup vendor Identity Engines sells a guest networking solution with similar features. Cisco's solution works best in Cisco environments (it needs to integrate with Cisco's NAC appliance or Cisco's wireless LAN controllers). Alternatively, Identity Engines' solution works best in an 802.1X environment (although it does have an offering for non-802.1X LANs). Some network managers that I have spoken with have implemented a homegrown guest network based on MAC address authentication (although this approach is not a good steppingstone to NAC, since it does not provide a mechanism for baselining endpoint health). <br />
<br />
Gartner advises clients not to think of guest networking as a stand-alone point solution, but to think of it as the first step toward a strategic NAC implementation. When you design a guest network, you should do so with the end goal of NAC in mind; that's the most cost-effective approach. You can read more in <a href="http://www.gartner.com/DisplayDocument?id=507740&ref=g_itlsite" target="_blank">"Findings from the 'Security' Research Meeting: Go Beyond Guest Networks to Achieve NAC Benefits."</a>]]></content:encoded>
      <pubDate>Thu, 06 Dec 2007 16:02:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/guest">guest</category>
      <category domain="http://securityratty.com/tag/nac takes">nac takes</category>
      <category domain="http://securityratty.com/tag/strategic nac implementation">strategic nac implementation</category>
      <category domain="http://securityratty.com/tag/guest networks">guest networks</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network access control">network access control</category>
      <category domain="http://securityratty.com/tag/true nac solution">true nac solution</category>
      <category domain="http://securityratty.com/tag/guest networkingnac distinction">guest networkingnac distinction</category>
      <source url="http://blog.gartner.com/blog/security.php?x=0&amp;itemid=2934">Think of Guest Networking as a Strategic First Step Toward NAC</source>
    </item>
  </channel>
</rss>
