Musings on Information Security

October 2005

This work is licensed under a Creative Commons Attribution 2.5 License.
Guest Column #1: Understanding SSL VPN - Muni Tripathi

Intro about Muni:

Muni Tripathi is a Senior Software Engineer at Arcot Systems. Muni has over 8 years of experience in software development with various networking and security technologies. In his current role at Arcot, he is working on the development of security applications. He previously held engineering positions at Brocade Communications and consulted at Cisco Systems. He is a CISSP. He holds a BE degree in Electronics and Communications from IIT Roorkee and an MS in Electrical Engineering from USC, Los Angeles.

Understanding SSL VPN:

 

SSL VPN is built on SSL technology. SSL is a widely deployed security protocol on the Internet and is used in e-commerce, most notably to secure HTTP connections. SSL gives a client assurance that it is communicating with a trusted, known entity (authentication) and provides secrecy for the data exchanged between the two entities (confidentiality). These objectives are accomplished with digital certificates and cryptographic algorithms. SSL supports both one-way and two-way authentication. In one-way authentication the client authenticates the server; in two-way authentication the reverse is also done, i.e. the server also authenticates the client. From a security perspective, in a system relying on one-way authentication the server has no cryptographic assurance of who the client is. This works very well in an e-commerce setup, where client anonymity is acceptable (in fact a good thing to have), but it is a weakness in a VPN setup, where the whole point is to admit only known clients to the internal network.

 

It is widely believed that SSL VPN makes life easier with no reduction in network security, by doing away with the overhead of client software installation and leveraging SSL's strengths. This belief is generated in part by the marketing of SSL VPN vendors and is only partly true. The communication cannot be secure if the client host is compromised. Without anything installed on the client (two-way authentication needs a certificate and private key on the client end), SSL cannot authenticate the client at all, and even a client certificate only proves possession of a credential, not that the host behind it is healthy. Unless the server authenticates the client, it is not correct to state that there is no reduction in security compared to, let's say, IPsec. As long as the risks of not authenticating the client are understood and accepted, the other benefits of clientless installation and configuration can justify it. Many organizations require that client computers run anti-virus and firewall protection to provide one more layer of security. That may be enforceable for computers owned and managed by the organization; it still guarantees nothing for connections originating from employees' home computers or public terminals. Attackers don't play by the rules, so they can lie about these protections and still complete an SSL connection.
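As an added illustration (my own example, not part of Muni's column), here is how the one-way versus two-way choice looks on the server side in Python's standard ssl module, together with the policy check a VPN gateway would apply to the client certificate after a two-way handshake. The CA name "Example VPN CA", the subject "alice-laptop", the sample getpeercert() dictionary and the helper names are constructed for the example; a real gateway loads its own CA bundle through ca_file.

```python
import ssl
import time
from typing import Optional, Tuple


def server_context(require_client_cert: bool, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build the gateway's server-side TLS context.

    One-way (require_client_cert=False): the server never asks the client for a
    certificate, so any client that can reach the port gets a session.
    Two-way (True): the handshake fails unless the client presents a certificate
    that chains to the CA in ca_file (hypothetical path, supplied by the deployer).
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject clients that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def _rdn_value(rdns, key: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) out of getpeercert()'s RDN tuples."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def authorize_client(peercert: Optional[dict], issuer_cn: str,
                     now: Optional[float] = None) -> Tuple[bool, str, Optional[str]]:
    """Policy check on SSLSocket.getpeercert() after the handshake.

    Returns (allowed, reason, subject_cn). An empty dict or None is exactly what a
    one-way handshake yields: the client is simply unauthenticated.
    """
    if not peercert:
        return False, "no client certificate: one-way TLS, client unauthenticated", None
    now = time.time() if now is None else now
    if _rdn_value(peercert.get("issuer", ()), "commonName") != issuer_cn:
        return False, "certificate not issued by the VPN CA", None
    if ssl.cert_time_to_seconds(peercert["notAfter"]) < now:
        return False, "client certificate expired", None
    subject = _rdn_value(peercert.get("subject", ()), "commonName")
    # A valid certificate proves possession of a private key, not that the host
    # behind it is free of malware; that gap is the residual risk of any VPN.
    return True, "client authenticated by certificate", subject


# Constructed sample, shaped like SSLSocket.getpeercert() output (not a real cert).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "alice-laptop"),),),
    "issuer": ((("commonName", "Example VPN CA"),),),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "serialNumber": "0A",
}

if __name__ == "__main__":
    print("one-way requires cert:", requires_client_cert(server_context(False)))
    print("two-way requires cert:", requires_client_cert(server_context(True)))
    print(authorize_client(SAMPLE_PEERCERT, "Example VPN CA"))
    print(authorize_client({}, "Example VPN CA"))
```

The second `authorize_client` call is the one-way case: the gateway gets an empty peer certificate and has nothing to authorize on, which is the "server cannot trust the client" situation described above, now visible as a concrete return value.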

 

SSL VPN brings the promise of secure, remote anytime/anywhere access closer to reality by allowing users to connect over the Internet, over TCP, with any browser. It offers easier configuration and access control at a more granular level than IPsec. Because they operate at the application layer, SSL VPNs can filter on and make decisions about access to individual applications (ports), URLs, embedded objects and application commands. SSL VPNs traverse firewalls and handle NAT (network address translation) easily, since the traffic looks like ordinary HTTPS. Most SSL VPNs provide secure access to Microsoft Outlook Webmail, network file shares and other common business applications; non-browser applications most often require custom development to support.

 

SSL VPNs tend to be deployed with more granular access controls than IPsec, but that also means administrators may spend more time configuring and modifying individual and group access rules. SSL VPN is better suited where trust relationships are limited or installing client certificates is not cost effective.

 

Guest Columns on Security

I am happy to announce the beginning of a guest column series, starting today. The first article in the series is from my good friend Muni Tripathi, who is a CISSP. Muni is a brilliant security engineer, yet very humble. It is my privilege to have his column published. Thanks Muni!

I would be very happy if anyone among the readers is interested in contributing a guest column on security: it would be great for my blog readers to have multiple viewpoints rather than just my own. I am also trying to get security stalwarts to contribute guest columns. I have got favorable responses from a few of them!

Also, I am currently reading the book Beyond Fear by Bruce Schneier. I will share interesting perspectives from this book once I finish reading it.

Quotable security quotes #10 - Richard Stallman

"Publishers often refer to prohibited copying as piracy. In this way, they imply that illegal copying is ethically equivalent to attacking ships on the high seas, kidnapping and murdering the people on them."

-Richard Stallman

Can you de-jargonize?

Recently, I made a presentation at my company's Toastmasters club. The objective of this presentation was to communicate technical matter to a non-technical audience in an easily understandable way - I have been doing this type of speech lately.

The presentation went well, though I went a little over the allotted time limit. The topic of the speech was the Domain Name System. Being a technical person who is biased by jargon (the specialized technical language of the trade), I had to think hard to pull this presentation together for non-technical audience members.

After the presentation, when I felt my delivery had been great, it was time for the evaluation of my speech. Linda, who is a Distinguished Toastmaster (DTM), evaluated. During her evaluation, Linda asked me a simple question: what is an IP? Though I assumed no technical background for the audience members, I inadvertently used a technical acronym, IP address (short for Internet Protocol address) - duh.. I will get better next time.

The reason I narrated this incident is to emphasize the point that it is extremely challenging to communicate in understandable terms to a non-technical audience: this skill is one of the important requirements for professional growth, for the simple reason that most of the decision makers (management) who control the budget are non-technical - if you want a chunk of that budget, better get your communication skills right (or simplified!).

The information security world is full of jargon. Security professionals who can de-jargonize their communication will score big. Happy de-jargonizing!

Simplified Security - Tip #16: Security awareness training

Security awareness training - Benefit: the company will have employees who are conscious of security and act as a catalyst for implementing it. It will also minimize social engineering threats.

Social engineering is the art and science of getting people to comply with your wishes. A simplistic example: call up a user, pretend to be an administrator, mention that there are some issues and ask for the password; most likely the user will comply. What is the use of having a state-of-the-art firewall if you have an employee who is ignorant enough to give out the password of a critical system over the phone?

The goal of Security Awareness Training (SAT) is to make sure that employees are educated about the company's security program. Some of the key things that need to be communicated in SAT are:

1. Why is security important and relevant to all employees?

2. Good and bad security practices.

3. What are the ramifications of violating the security policy?

4. How can employees help to make the security program a success?

5. How to report security violations?

It is important to publicize the security program extensively (for example with flyers) and also to keep employees in the loop about changes in the program - SAT provides a good framework for this. SAT should be designed for a non-technical audience, otherwise it will dilute its own purpose.

Thought #16 - What is a good time for new employees to undergo SAT?

Simplified Security - Tip #15: Implement spam control

Implement spam control - Benefit: the company prevents the entry of viruses and other forms of attack such as phishing.

Spam refers to unwanted or junk email. Spam is one of the mechanisms by which viruses enter the company. Spam is also a major source of phishing, which dupes gullible users into giving out their private information.

Spam control can be implemented in many ways. The simplest mechanism is a spam filter at the user's mailbox level. This method is inefficient because it depends entirely on the user's ability to create effective filter rules. Centralized spam-filtering software is another mechanism. An even more popular mechanism is a centralized spam-filtering appliance. Another option is to outsource spam filtering to an outside vendor: inbound mail to the company goes through the vendor's gateway, where the spam is filtered, and the resulting clean mail reaches the company. The mechanism a company chooses depends on its needs.

By implementing spam control, a company not only prevents the entry of viruses but also saves valuable employee time that would otherwise be wasted sifting through mailboxes. It should be noted that spam is also a form of denial of service (DoS): too much spam sent to a mailbox can overwhelm it, making it harder to read legitimate email.

Thought #15 - How can user awareness help them avoid being a victim of spam emails?

The feel factor

Security products bring ROI in terms of savings compared to the estimated loss if the risk event happened. A risk event occurs when a threat agent takes advantage of a vulnerability.

A security product is not a tool that customers use day in and day out; it just happens to run in the background. Moreover, customers would not like the security product to be too noticeable or intrusive. This makes me ponder: how would you even measure customer satisfaction with a security product?

- Do customers feel less vulnerable after the deployment of the security product?

- Do customers feel more annoyed after the deployment of the security product?

- Do customers feel that the product addressed their pain point?

There are subtle ways to probe customers' feelings. Vendors who address the customer's "feel factor" are those that score big in the long run.

Simplified Security - Tip #14: Constitute an incident response team

Constitute an incident response team - Benefit: the company is well equipped to handle a security breach.

Many companies are not well prepared to handle security incidents. They try to mobilize resources to respond after the incident has happened: this type of panic-mode response is not desirable.

An incident response team consists of members drawn from cross-functional teams. The incident coordinator should be a well-seasoned security professional, and the team members should be experienced in handling security incidents. The team has a pre-existing relationship with the legal department, the public relations department and law enforcement officials: this pre-existing relationship eases escalation during incident handling. As soon as a security breach is encountered, the team members get together and formulate a strategy for responding to the incident.

The incident response team has the following tasks:

- Assess the tangible and intangible damage due to the incident.

- Identify remedial actions, such as patching the systems.

- Assess whether the incident can cause loss of faith or goodwill among customers.

- Investigate the root cause of incident.

- Decide whether to involve law enforcement officials.

- Formulate a suitable public relations campaign about the incident.

- Identify legal and compliance ramifications of this incident.

- Keep the senior management updated about the status and seek their opinion when needed.

and so on..

Thought #14: Who makes the decision whether to make the incident public or not?

Simplified Security - Tip #13: Implement anti-virus

Implement anti-virus - Benefit: the company saves money by minimizing or preventing system and user downtime.

Computer viruses are a universal problem. A virus is a malicious and destructive program designed to be passed unwittingly from machine to machine via floppy disks, downloads or other means. A virus attaches itself to, and becomes part of, another executable program; a worm, by contrast, is self-contained and does not need to be part of another program to propagate.

Anti-virus must be installed on every user's computer and should be manageable from a centralized console. The software should be configured to update its signatures automatically and to run a full scan at least once a week or month to catch anything that slipped past since the last update. It is a good idea to schedule the scan on users' desktops during work hours, otherwise most of the desktops would miss it: for example, run the scan at noon on the first Monday of every month.

Anti-virus software should be installed on production systems too. Make sure that it works smoothly with the other applications without affecting the performance of production systems. It is advisable to run an on-access scanner on production systems - an on-access scanner checks a file for viruses as soon as it is accessed.

Routine audits must be performed to make sure that all relevant production systems run anti-virus software.

Thought #13: Is two-tiered anti-virus solution a good idea?

Simplified Security - Tip #12: Identity management policy

Identity management policy - Benefit: there is authentication, authorization and an audit trail for users.

Identity Management (IM) is managing user and group accounts. It has three components: authentication, authorization and accounting. Authentication establishes who you are and authorization what you can do. IM involves making sure that a proper authentication mechanism is in place and a proper authorization profile is set.

There are multiple approaches for authentication:

- Single-factor authentication, known as weak authentication, is based on something you know: a good example is a login and a password.

- Two-factor authentication, known as strong authentication, is something you know plus something you have: a good example is an ATM card plus its PIN.

It is a good idea to use two-factor authentication since it is considerably harder to break than a login/password, which is one-factor authentication.

A user having authorization to all systems is not good either. A user's authorization profile should be set based on the user's clearance level, mostly on a need-to-know or need-to-use basis. Group accounts are very risky: they break accountability, since an action can only be traced to the group, not to a person. It is a good idea to minimize the use of group accounts.

There are other critical aspects of IM such as account expiry and password expiry. It is critical to audit user accounts on a regular basis. An active account that continues to exist after the user has left the company is not desirable. Users should be forced to change their passwords on a regular basis, and there has to be a mechanism to make users choose strong passwords.

Last but not least, all authentication and authorization attempts should be logged; this is known as accounting, and it provides the audit trail.
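To make the authentication and accounting points concrete, here is an added example (mine, not from the tip) of a small user directory that stores salted password hashes, enforces a password policy, verifies a second factor implemented as TOTP (RFC 6238, built on HOTP from RFC 4226) and writes every attempt to an audit trail. The Directory class, the policy thresholds (12 characters, three character classes), the PBKDF2 iteration count and the one-step clock-drift tolerance are assumptions chosen for the example; the HOTP test secret is the one from RFC 4226.

```python
import hashlib
import hmac
import os
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


def is_strong_password(pw: str) -> bool:
    """Assumed policy: 12+ characters drawn from at least three character classes."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= 12 and sum(classes) >= 3


def hash_password(pw: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class Directory:
    """Toy identity store: individual accounts only, no shared group logins."""

    def __init__(self) -> None:
        self.users = {}
        self.audit = []  # accounting: one entry per authentication attempt

    def enroll(self, name: str, password: str, totp_secret: bytes) -> None:
        if not is_strong_password(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "digest": digest, "secret": totp_secret}

    def login(self, name: str, password: str, otp: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        user = self.users.get(name)
        if user is None:
            ok, reason = False, "unknown user"
        else:
            _, digest = hash_password(password, user["salt"])
            pw_ok = hmac.compare_digest(digest, user["digest"])
            # Something you have: accept the previous, current and next 30 s window
            # so that a slightly skewed token clock does not lock the user out.
            otp_ok = any(hmac.compare_digest(totp(user["secret"], at + d * 30).encode(), otp.encode())
                         for d in (-1, 0, 1))
            ok = pw_ok and otp_ok
            reason = "ok" if ok else ("bad password" if not pw_ok else "bad otp")
        self.audit.append((at, name, "login", ok, reason))  # the audit trail
        return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret
    d = Directory()
    d.enroll("alice", "Correct-Horse-42", secret)
    now = time.time()
    print(d.login("alice", "Correct-Horse-42", totp(secret, now), at=now))
    print(d.login("alice", "Correct-Horse-42", "000000", at=now))
    print(d.audit)
```

Both factors are checked with constant-time comparisons, and the audit entry records the outcome for every attempt, including unknown users, which is what makes account reviews and breach investigations possible later.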

Thought #12: How do you determine the authorization profile of a user?

Simplified Security - Tip #11: Proprietary information protection policy

Proprietary information protection policy - Benefit: employees are educated about the importance of handling proprietary information.

Earlier we described a document classification policy: there is no use in classifying documents unless we educate employees about how to handle proprietary information. The company needs a widely published Proprietary Information Protection Policy (PIPP) which outlines the information protection requirements. Some of the items in this policy are:

1. Identify the PIPP team members who are responsible for driving this policy.

2. Regular audits by PIPP team members: for example, walking by employees' desks during non-business hours, identifying any unattended confidential information, notifying the employee of the PIPP violation and advising them to be careful.

3. Educate employees about the importance of tagging documents as confidential, or with the appropriate classification level, when they create them.

4. Install separate printers for printing confidential documents and/or make sure confidential printouts are not left unattended in the general print area.

5. Install a document shredder or a bin for disposing of confidential documents.

The above list can grow based on the company's context. The bottom line of the PIPP is to educate employees about the importance of handling confidential documents, make them aware of the ramifications and police, to a certain extent, to identify violations of the policy.

Thought #11: Social engineering is a big threat to security; can PIPP help to minimize such a threat?

Quotable security quotes #9 - Vladimir Zhirinovsky

"We Russians don't drink any more. We now work on computers. We use computers to send viruses to the West and then we poach your money. We have the best hackers in the world."

- Vladimir Zhirinovsky

Keep your ears open for black-hat hackers

Black-hat hackers are those who have malicious or criminal intent. A black hat keeps the vulnerabilities and exploits they find secret for private advantage.

These are some reasons why security vendors don't work with black hats:

- Some of them have a cyber-criminal past

- Most of them do not have a degree or pedigree to boast of

- Why give them importance?

- Can we trust them?

The tables have turned in the recent past. Some companies do hire reformed hackers, and they seem to have added value. Recently, Microsoft took the initiative of communicating with black hats.

It is very easy to mock the pedigree of black-hat hackers and shun them. Here are my questions to vendors:

1. Is education the same as passion? Someone could be educated in computer security, but can they match the passion of black hats?

2. You have hired ethical people to develop your product, but the thinking that goes into developing a product is not the thinking black hats apply to break it.

I am not encouraging black hats; they are out there anyway, so why not keep your ears open for them?

Quotable security quotes #7 - Kevin Mitnick

"Social engineering bypasses all technologies, including firewalls."

- Kevin Mitnick

How can security vendors sell more?

Two years ago, we implemented GSA (Google Search Appliance) for intranet search at my company: it has been a big hit since then. We selected GSA from several competing vendors. When Google sales approached me, they gave me a cheat sheet which had the ROI (Return On Investment, i.e. how much you gain from your investment) calculation for GSA. It was a no-brainer for me to sell the "buy GSA" pitch to upper management - I just had to relay the ROI numbers from the cheat sheet. Of course, there were other things that made GSA stand apart, like their KISS (Keep It Simple, Stupid) approach and the product's competitive positioning. The bottom line that mattered most was the simple ROI cheat sheet, which sealed the deal in Google's favor.

Selling security software and/or appliances is not easy either. It is hard to measure the ROI of a security investment. Security is more like selling insurance: the investment helps to prevent or mitigate threats and thus prevent or reduce monetary loss. If security vendors got out of the trap of their narrow focus on features and competitive positioning metrics, and focused instead on the tangible and intangible benefits to the customer and the ROI of the security investment, they would be closer to sealing the deal.

It would help if security vendors:

1. Translate the features of a security product into how they benefit customers.

2. Provide ROI for the security investment, easing the customer's purchase decision.

Based on the recent "CSI/FBI Computer Crime Survey", the average cost of a breach is about $203,000. For serious breaches this cost could be far higher, and a breach can occur multiple times. Considering all this data, it may not be a hard sell for the security vendor at all - as long as they know how to use these numbers in the security product's ROI calculation.

Job security?

Though this topic is not directly related to security, since it is relevant to those of us who have jobs, I thought of touching on this issue.

I recently read the book "Beyond Code" by my good friend Rajesh Setty. If you want to know how to become valuable at your current place of work and how to de-commoditize yourself from the rest, this book is a good read. Rajesh has many original and insightful ideas in this book. As an example: when you seek a job, you tend to compare the good aspects of the future job with the bad aspects of the current job, but when you make the transition to the new job, you tend to compare the bad aspects of the new job with the good aspects of the earlier job - isn't this a trap we all fall into? I did not know about this trap till I read the book.

We all think of job security as preserving the current job and/or finding a job when you lose one; on the flip side Rajesh asks, are you findable?

This is the review that I wrote for Beyond Code on amazon.com:

By the sheer practicality of "Beyond Code", Rajesh has clearly differentiated himself as an outstanding author. This book clearly demonstrates Rajesh's sincere intention - he wants his readers to be high achievers, nothing short! This book is packed with useful tips for IT professionals to succeed and motivates them to undertake a journey beyond their status quo. Buy and read "Beyond Code" to start your exciting journey beyond!

Simplified Security - Tip #10: Data backup policy

Data backup policy - Benefit: the company can rely on the backed-up data in case of data loss, data corruption or a disaster.

Storage device failure and data corruption are fairly common. Lost data can severely impact the company's existence as a going concern and/or result in bad publicity. If critical customer data is lost, it could result in a penalty or a lawsuit depending on the context.

The first step in creating a backup policy is identifying the data that needs to be backed up. This step is important because it reduces the amount of data to be backed up and hence the cost of the backup. It also helps you classify the type of data, i.e. whether it is a database or flat files, and if it is a database, whether it needs a hot backup or a cold backup.

The next step is to determine the frequency of the backup, which depends on how frequently the data changes. The frequency of the backup determines the granularity of the recovery point, i.e. how much recent data you can lose. In the real world, backup is accomplished by suitably combining incremental and full backups. There are many rotation schemes, such as Tower of Hanoi and Grandfather/Father/Son; choose the scheme that works best for you.

The third step involves identifying an off-site storage location for the backup tapes and the logistics involved in storing and retrieving them. Make sure that the off-site location is not too close to the data location, otherwise both locations are exposed to the same disaster and the purpose of off-site storage is defeated.

The last and final step is to publish the backup plan so that customers (both internal and external) are aware of it and agree with it - this helps to set their data recovery expectations right.
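As an added worked example (my own, not part of the tip), here is a small scheduler for one Grandfather/Father/Son rotation, plus the two functions a backup policy really has to be able to answer: given a failure on a given day, which tapes must come back from off-site storage, and how much data is lost. The rotation rules (nightly runs, full backup every Sunday, the last Sunday of the month kept as the monthly, incrementals on the other days) and the retention periods are assumptions chosen for the example; the dates are from October 2005.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

Backup = Tuple[date, str]  # (day the backup was taken, kind)

# Assumed retention for each generation of the GFS rotation, in days.
RETENTION_DAYS = {"incremental": 7, "weekly-full": 35, "monthly-full": 365}


def backup_kind(d: date) -> str:
    """Assumed GFS rule: Sunday = full (Father), last Sunday of the month =
    monthly full (Grandfather), every other day = incremental (Son)."""
    if d.weekday() != 6:  # Monday is 0, Sunday is 6
        return "incremental"
    return "monthly-full" if (d + timedelta(days=7)).month != d.month else "weekly-full"


def schedule(start: date, end: date) -> List[Backup]:
    """One nightly backup for every day in [start, end], tagged with its kind."""
    days = (end - start).days + 1
    return [(start + timedelta(days=i), backup_kind(start + timedelta(days=i))) for i in range(days)]


def restore_chain(failure: date, taken: List[Backup]) -> List[Backup]:
    """Tapes needed to rebuild the data as of the night before `failure`:
    the most recent full backup plus every incremental taken after it."""
    before = [b for b in taken if b[0] < failure]
    fulls = [i for i, (_, kind) in enumerate(before) if kind.endswith("full")]
    return before[fulls[-1]:] if fulls else []


def data_loss_days(failure: date, taken: List[Backup]) -> Optional[int]:
    """Recovery point: days of changes lost between the last backup and the failure.
    None means no backup exists before the failure, i.e. everything is lost."""
    before = [d for d, _ in taken if d < failure]
    return (failure - before[-1]).days if before else None


def expired(today: date, taken: List[Backup]) -> List[Backup]:
    """Tapes older than their generation's retention, free to be recycled."""
    return [b for b in taken if (today - b[0]).days > RETENTION_DAYS[b[1]]]


if __name__ == "__main__":
    oct2005 = schedule(date(2005, 10, 1), date(2005, 10, 31))
    crash = date(2005, 10, 13)  # a Thursday; the last backup ran the night of the 12th
    for day, kind in restore_chain(crash, oct2005):
        print(day, kind)
    print("days of data lost:", data_loss_days(crash, oct2005))
    print("tapes to recycle on Oct 31:", len(expired(date(2005, 10, 31), oct2005)))
```

The restore chain makes the cost of the chosen frequency visible: every incremental between the last full and the failure must be retrieved from off-site storage and applied in order, so a long incremental run trades cheaper nightly backups for a slower, more fragile restore. Halving the backup interval halves the worst-case loss reported by `data_loss_days`.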

Thought #10 - What is a good time to run a data backup job?

Quotable security quotes #7 - Bruce Schneier

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

Bruce Schneier

Seek help, or help, but with caution

We all seek technical help at one time or another. We try googling for the keyword first; if that is not of much help, we turn to mailing lists and/or newsgroups. There is also the option of using your professional network.

In the early stage of my career in the US, I worked as a security consultant for a company's engineering group. My job was to secure a product that was about to be launched. As usual, many vulnerabilities surfaced at the n-th hour. The looming pressure of the deadline compelled me to seek help from a relevant mailing list. I posted a question to the mailing list with the company's email address as the return address. The next day, the company's IT manager, who had pre-existing indignation towards the engineering group, summoned me to his office. He showed me the question that I had posted to the mailing list a day earlier (incidentally, he was a member of the mailing list!) and rudely mentioned that I had exposed some internal IPs (IP is short for Internet Protocol address) in my question - duh.. my bad. I apologized to him. I regretted the inadvertent mistake. I headed back to the engineering lab and started looking at the company's DNS for vulnerabilities. Fortunately or unfortunately, I found that the "ls" query which lists all IPs (including internal IPs) was mistakenly enabled on the company's DNS server. Armed with this finding, I went back to the IT manager and mentioned to him that the company's DNS servers were already exposing the internal IPs, hence the mailing list question which exposed the internal IPs was insignificant compared to the IPs being exposed in real time by the company's vulnerable DNS setup - he was speechless for some time! I walked out of the office with a sense of false victory. Irrespective of the tactic I adopted to save face (or not), I believe that I could have been extra careful when I posted the question to the mailing list. We all make mistakes, but what matters is whether we learn. I learned my lesson - I am talking about this after several years!
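The "ls" command in nslookup asks the name server for a zone transfer (an AXFR query over TCP), which is how it came to list every internal address. As an added example (my own, not from the post), here is a minimal zone-transfer probe in Python with no third-party DNS library: it builds the AXFR request on the wire, parses the answer records (including compressed names) and flags RFC 1918 addresses that would be leaking. The sample response is constructed inline, the zone name corp.example and its addresses are made up, and try_zone_transfer is meant for checking servers you are responsible for; a correctly configured server answers REFUSED (rcode 5) instead of handing over the zone.

```python
import socket
import struct
from ipaddress import ip_address, ip_network
from typing import List, Tuple

AXFR, A, SOA, QCLASS_IN = 252, 1, 6, 1
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Record = Tuple[str, int, str]  # (owner name, type, rendered rdata)


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0: no RD for AXFR
    return header + encode_name(zone) + struct.pack("!HH", AXFR, QCLASS_IN)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset just after it."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> Tuple[int, List[Record]]:
    """Return (rcode, answer records); A records are rendered as dotted quads."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # skip qtype + qclass
    records: List[Record] = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == A and rdlen == 4 else rdata.hex()
        records.append((name, rtype, value))
    return flags & 0x000F, records


def leaked_private_hosts(records: List[Record]) -> List[Record]:
    """A records pointing at RFC 1918 space: internal topology visible to the world."""
    return [r for r in records if r[1] == A and any(ip_address(r[2]) in n for n in RFC1918)]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def try_zone_transfer(server: str, zone: str, timeout: float = 5.0) -> Tuple[int, List[Record]]:
    """Ask `server` for the whole zone over TCP. Only run this against servers you own."""
    query = build_axfr_query(zone)
    records: List[Record] = []
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS is length-prefixed
        while True:
            hdr = _recv_exact(sock, 2)
            if not hdr:
                break
            rcode, recs = parse_response(_recv_exact(sock, struct.unpack("!H", hdr)[0]))
            if rcode != 0:
                return rcode, records  # 5 = REFUSED: transfers are locked down, as they should be
            records.extend(recs)
            if sum(1 for r in records if r[1] == SOA) >= 2:
                break  # a transfer ends when the zone's SOA is repeated
    return 0, records


def sample_axfr_response() -> bytes:
    """Constructed answer (not captured from any real server) for offline testing."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    question = encode_name("corp.example") + struct.pack("!HH", AXFR, QCLASS_IN)
    ptr = b"\xC0\x0C"  # compression pointer to "corp.example" at offset 12

    def a_record(owner: bytes, ip: str) -> bytes:
        return owner + struct.pack("!HHIH", A, QCLASS_IN, 3600, 4) + bytes(int(x) for x in ip.split("."))

    return (hdr + question + a_record(b"\x08intranet" + ptr, "10.1.2.3")
            + a_record(b"\x02db" + ptr, "10.1.2.4") + a_record(ptr, "192.0.2.10"))


if __name__ == "__main__":
    rcode, recs = parse_response(sample_axfr_response())
    print("rcode", rcode, "records", recs)
    print("leaking internal hosts:", leaked_private_hosts(recs))
```

On a real server the same check is `try_zone_transfer("ns1.corp.example", "corp.example")`: an rcode of 5 is the healthy result, while a zero rcode with a non-empty `leaked_private_hosts` list is the finding described in the story, reproducible by anyone on the Internet.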

These are the tips before you post to a mailing list or newsgroup:

1. Remember there is potentially someone with the intent to exploit the information that you post.

2. If possible, provide minimal information about yourself in the posting. It is OK to give your name; if possible, avoid giving your company name, phone number and address.

3. Do not use your company email account to post questions. This removes a major hint for anyone guessing whose systems you are describing.

4. Keep the context of the question as generic as possible - do not give any company-specific information or hints. If you have to give sensitive details, mask or blur them.

5. Do not post a question containing proprietary information: if you have to share proprietary information, don't seek help via the Internet; hire a professional who signs a non-disclosure agreement.

6. Keep your message short and to the point. Do not volunteer more information than needed.

7. Re-read the message before you post. Make doubly sure that there are no giveaways about you or your company.

Valuable reader feedback

I am very happy to share with you all that the readership of my blog is growing and has experienced significant growth in the last month. Thanks to you all for making my blog venture exciting.

I would like to share with you a couple of pieces of valuable feedback from the readers.

One of the readers, a senior security professional at Wipro India, wrote: you seem to be broadcasting only your views; do you take inputs from others?

Thanks for your valuable feedback, Srihari. Yes, I do take inputs from multiple security professionals that I network with on a weekly and sometimes daily basis. I am a believer in the philosophy "multiple inputs are always better than few inputs or no inputs". I also glean thoughts from several white papers that I read in the security space. I have invited several of my blog readers to contribute a "guest column" for my blog. I am expecting to have several guest columns in the next few months.

Another reader, Sheetal, who works for Sun Microsystems, wrote to me: What is the objective of your blog? Why do you discuss business issues in the blog?

Thanks for your valuable input, Sheetal. I want my blog to be the "epicenter of security musings" (that's probably a helluva lot of work to do!); in short, I would like to add value to readers, provoke their thoughts and add the business bottom-line dimension to security issues. After all, security is business!

Please provide me your valuable feedback and help me get better - thank you.

Do you open those cans of worms?

Those who have had exposure to Realtors may have experienced that they never seem to open the cans of worms that could derail the transaction. Moreover, even though it is mandatory for a seller to disclose anything annoying, how many buyers scrutinize the disclosures in detail? Most of the time the transaction has already happened - too late, too much tangible and intangible overhead to roll back - and buyers often end up compromising.

There are security professionals who are bold enough to open those cans of worms. There are some who would not like to, for various reasons; a couple of reasons are:

1. Saying something bad about the client's security practice may be a career-limiting move; it may offend the CIO!

2. They may not want their clients to feel vulnerable.

and so on..

As an example, saying something like "you have a poor hiring practice" may hurt the pride of clients who think they always hire "the best". Security professionals who are bold enough to open those cans of worms add value to their clients by putting them in a state of readiness!

Compete and Collaborate?

It is a well-regarded fact that relying on a single vendor is a big risk. In general, many companies use a two-vendor strategy: one is the primary vendor and the other is the backup vendor.

I was reading an article on Industrial-Strength Firewall Topologies by Paul A. Henry, a well-regarded security expert. He suggests that information security designers can use a hybrid 1oo2 (one-out-of-two) architecture for best-effort risk mitigation and reliability. This architecture uses two HA (load-balanced) firewall pairs from different vendors.

The advantages of the above approach are:

1. Since the firewalls are built on disparate technologies, it mitigates the risk of common-mode failure: a bug or bad signature update that takes down one vendor's boxes leaves the other pair standing.

2. It increases reliability: the system stays up even after the failure of one complete HA pair and one of the firewalls in the other HA pair.
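To see where the gain comes from, here is an added illustration (mine, not from Henry's article). Assume each firewall is unavailable with probability $p$ independently of the others, and that a vendor-specific fault (a bug or a bad update) takes down every box from that vendor at once with probability $q$; $p$ and $q$ are illustrative values, not measured ones.

```latex
\begin{aligned}
P_{\text{HA pair}} &= p^{2} + q
  &&\text{(both boxes fail independently, or one vendor-wide fault hits both)}\\
P_{\text{1oo2, single vendor}} &\approx p^{4} + q
  &&\text{(the same fault crosses both pairs; redundancy cannot remove } q)\\
P_{\text{1oo2, two vendors}} &= \left(p^{2} + q_{A}\right)\left(p^{2} + q_{B}\right)
  &&\text{(the pairs now fail independently)}\\[4pt]
p = 10^{-2},\; q = q_{A} = q_{B} = 10^{-3}:\quad
  &P_{\text{single}} \approx 10^{-3}, \qquad P_{\text{two vendors}} \approx 1.2 \times 10^{-6}
\end{aligned}
```

With one vendor the hardware redundancy drives $p^{4}$ down to nothing, but the unavailability is dominated by the common-mode term $q$ that all four boxes share; the second vendor is what turns that term into a product and buys the three orders of magnitude. The arithmetic also shows the assumption the design rests on: if the two vendors share a component (the same OS, the same signature feed, the same upstream switch), the pairs are no longer independent and the single-vendor line applies again.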

The above architecture triggered the following thoughts in me.

Having disparate vendors increases total cost of ownership and creates manageability issues. Why don't the two competing vendors get together and sell a hybrid 1oo2 firewall solution? As an example, Cisco and Juniper could collaborate and bundle a 1oo2 hybrid solution. They could design it to reduce total cost of ownership and to be manageable through a common framework - they need not share the core underlying technology or the source code.

Extend the hybrid solution to other architectures that incorporate disparate vendors - the business opportunities are endless. The hybrid solution space could very well be a billion-dollar opportunity. It is time to compete and collaborate for a win-win strategy!

Heard of whacker and bluejacker?

The term hacker is used in a positive sense. The term cracker refers to a digital mischief maker or digital miscreant. Whackers are wireless hackers; they do not take advantage of unauthorized access for criminal activities.

Imagine for a moment that you are carrying your Bluetooth-enabled cellphone and shopping for a gift in one of the duty-free shops at the airport: you get a text message on your cellphone which says "come on over to the shop in the corner, we are cheaper and better." An anonymous hacker has sent a text message to your cellphone over Bluetooth: this is called "bluejacking", and whoever sent the message is a bluejacker.

Quotable security quotes #6 - Confucius

"The superior man, when resting in safety, does not forget that danger may come. When in state of security he does not forget the possibility of ruin. When all is orderly, he does not forget disorder may come. Thus his person is not endangered and his states and all their clans are preserved."

- Confucius (551 BC - 479 BC)