MAKE IT - SC Magazine

APRIL 2015 •  WWW.SCMAGAZINE.COM 
REVIEWED IN OUR GROUP TEST
Entrust P39: A jack-of-all-trades when it comes to dual-factor authentication
PistolStar P43: Excellent first step into dual-factor authentication
VASCO P47: A trusted hardware device for visual transaction-signing

FEATURES:
MAKE IT Sharing lessons learned with managers and staff is key to halting breaches, says Lena Smart, CIO, New York Power Authority. P20
Taming the third-party threat The challenge for security practitioners is to make the mobile ecosystem more trustable. P24
Zone of protection To what extent is state-sponsored cybercrime extending the protection for hackers who operate outside U.S. borders? P28
VOLUME 26 NO. 4 • April 2015 • WEBSITE WWW.SCMAGAZINE.COM • EMAIL [email protected]
REGULARS
4 Editorial Giving IT security pros some love.
8 Threat report Bitcoin exchange CAVIRTEX is shutting down following a database compromise.
10 Threat stats Data of 80 million health insurance clients exposed.
12 Update The “Equation” group was unveiled by Kaspersky Lab.
13 Debate Your money is safe online.
14 Two minutes on… An answer to ransomware?
15 Skills in demand IT pros are needed for web application security.
16 From the CSO’s desk The failure of the security industry, by Alex Stamos, CISO, Yahoo.
17 Opinion Mobile interfacing with IoT, by Jonathan Carter, Arxan.
18 Analysis Strike back on payment security, by Stephen Orfei, GM, PCI SSC.
19 Letters From the online mailbag.
49 Calendar A guide to upcoming IT security shows and courses.
50 Last word Avoid a network stampede, by Timothy Eades, CEO, vArmour.

FEATURES
20 Make it stop! Sharing lessons learned with managers and staff is key to halting breaches, says Lena Smart, CIO, New York Power Authority.
24 Taming the third-party threat The challenge for security practitioners is to make the mobile ecosystem more trustable.
28 Zone of protection To what extent is state-sponsored cybercrime extending the protection for hackers who operate outside U.S. borders?
32 Fit for a queen: Case study Queens College found a solution to monitor activity and manage devices on its network.

PRODUCT REVIEWS
35 Product section Strong authentication used to mean multifactor. But now we have some special use cases that call for strong authentication, but do not necessarily require multifactor.
36 Group Test: Authentication It now is feasible for organizations of just about any size to support everyone in the organization with strong authentication.
48 First Look: Bromium vSentry The most creative use of virtualization we’ve seen.

Pictured: Lena Smart, CIO, New York Power Authority P20; Jen Andre P12; Alex Stamos P16; SecureAuth P45; Bromium P48.
Cover photo by Susan Woog Wagner Photography
SC Magazine™ (ISSN No. 1096-7974) is published monthly, 10 times a year, with combined December/January and July/August issues, by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2015 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service). Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazine.com.

Haymarket Media uses only U.S. printing plants and U.S. paper mills in the production of its magazines, journals and digests which have earned Chain of Custody certification from FSC® (Forest Stewardship Council®), SFI (Sustainable Forestry Initiative) and from PEFC (Programme for the Endorsement of Forest Certification Schemes), all of which are third party certified forest sustainability standards.
www.facebook.com/SCMag
www.scmagazine.com/linkedin
www.twitter.com/scmagazine
Editorial
Giving IT security pros some love
In last month’s edition I discussed the conflicting opinions about information security needs that often pervade organizations and how these can negatively impact the budget and resources needed to effectively address those requirements. But even nimble practitioners can only be so crafty when the majority of CEOs and boards of directors don’t really want to hear about the fast-growing intensity of cyber threats. According to the recently released survey, “2015 Global Megatrends in Cybersecurity,” conducted by Ponemon Institute, 78 percent of senior IT leaders responding say they hadn’t briefed their boards on corporate IT security strategies in the last year.

Meanwhile, threats loom heavily on the minds of those charged with keeping critical data safe from bad actors. Zero-days and attacks on critical infrastructure are top of mind for respondents to the survey.

And, the survey results indicate, the problems confronting CISOs don’t stop there. Another is the shortage of competent IT security pros. About 66 percent of those responding to the survey, which was commissioned by Raytheon, say they need more “knowledgeable and experienced cybersecurity practitioners.” Yet the necessity to find more pros armed with both business and IT security acumen is hitting at the same time that most in the IT security arena are acknowledging a soon-to-be desperate shortage of pros to hire, a fact also pointed out by this month’s cover subject, Lena Smart, CIO of the New York Power Authority. Combine this with a consistently high turnover rate of qualified pros and the challenge of building more solid and expert teams becomes even more complex.

SC Awards U.S., happening this month at the RSA Conference, strives to help here by acknowledging the indefatigable efforts of IT security practitioners, as well as the rookie and long-standing product and service providers that support risk management plans and everyday endeavors, by calling out outstanding achievements. In June, the SC Awards U.K. will be doing the same for organizations and IT security leaders in Great Britain and Europe.

It’s a small contribution we’ve been making to the industry for a number of years that enables us to draw attention to IT security and its leading players. If you’ve never attended (or entered any of our categories), please do consider it.

Meantime, this month’s SC Awards gala in California and the fast-approaching one in the U.K. will show IT security pros like you some love. Survey results show y’all could use some. I welcome your suggestions on other categories we can consider adding to our SC Awards programs.

Illena Armstrong is VP, editorial of SC Magazine.
4 SC • April 2015 • www.scmagazine.com
SC CONGRESS 24/7
SC Magazine has created a free virtual environment that is open year-round. Each month we host online events focused on subjects that you – as an IT security professional – face on a regular basis.

THIS MONTH

April 9
eSymposium: Mobile security
Use of mobile devices in the enterprise has forced those in charge of maintaining the integrity of business networks to consider new security strategies and new tools. All the old assumptions about how to protect endpoints have been under challenge and the threat picture continues to only grow. We examine the most recent developments in the area of mobility and find out some programs that are showing some positive inroads.

April 30
eSymposium: Cyberespionage
Even members of the U.S. Congress can agree that cyberespionage is a major problem for both the country’s private companies and government agencies. From direct attacks to backdoors, the methods to conduct cyberespionage attacks run the gamut. We take a look at the threat and find out what the U.S. government, private organizations and others are doing to address the problem.

FOR MORE INFO
For information on SCWC 24/7 events, please contact Jourdan Davis: [email protected] or 646-638-6176.
For sponsorship opportunities, email Mike Alessie at mike.alessie@haymarketmedia.com or phone him at (646) 638-6002. Or visit scmagazine.com/sc-congress-247-whats-new/section/1223/.
SC MAGAZINE EDITORIAL ADVISORY BOARD 2015
Rich Baich, chief information security officer, Wells Fargo & Co.
Greg Bell, global information protection and security lead partner, KPMG
Christopher Burgess, CEO/president, Prevendra
Jaime Chanaga, global consultant and adviser; formerly managing director, CSO Board Consulting
Rufus Connell, research director, information technology, Frost & Sullivan
Dave Cullinane, CEO, Security Starfish; former chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, chief information security officer, chief privacy officer and senior vice president of privacy practice, SAVANTURE
Gerhard Eschelbeck, vice president security engineering, Google
Gene Fredriksen, global information security officer, PSCU
Maurice Hampton, director, field operations, Qualys
Paul Kurtz, partner and chief operating officer, Good Harbor Consulting
Kris Lovejoy, general manager, IBM Security Services
Tim Mather, CISO, Cadence Design Systems
Stephen Northcutt, director - academic advising, SANS Technology Institute
Randy Sanovic, owner RNS Consulting; former general director, information security, General Motors
* Howard Schmidt, partner, Ridge-Schmidt Cyber
Ariel Silverstone, chief security officer adviser, GNN; former chief information security officer, Expedia
Justin Somaini, chief trust officer, Box; former chief information security officer, Yahoo
Craig Spiezle, executive director and president, Online Trust Alliance; former director, online safety technologies, Microsoft
Amit Yoran, president, RSA, the security division of EMC
* emeritus

WHO’S WHO AT SC MAGAZINE

EDITORIAL
VP, EDITORIAL Illena Armstrong
ASSOCIATE EDITOR Teri Robinson
MANAGING EDITOR Greg Masters
ONLINE EDITOR Marcos Colón
SENIOR REPORTER Danielle Walker
REPORTER Adam Greenberg
EDITORIAL ASSISTANT Ashley Carman (646) 638-6183
REGULAR CONTRIBUTORS James Hale, Karen Epper Hoffman, Stephen Lawton, Jim Romeo

SC LAB
TECHNOLOGY EDITOR Peter Stephenson
SC LAB MANAGER John Aitken
LEAD REVIEWER Jim Hanlon
PROGRAM MANAGER Judy Traub

U.S. SALES
VP, SALES David Steifman (646) 638-6008
EAST COAST SALES DIRECTOR Mike Shemesh (646) 638-6016
WEST COAST SALES DIRECTOR Matthew Allington (415) 346-6460
EVENT SALES DIRECTOR Mike Alessie (646) 638-6002
ACCOUNT EXECUTIVE Ife Banner (646) 638-6021
ACCOUNT EXECUTIVE Gabby Brown (646) 638-6101
ACCOUNT EXECUTIVE Jessica Andreozzi (646) 638-6174
SALES ASSISTANT Kelli Trapnell (646) 638-6104
MARKETING DIRECTOR Karen Koza
MARKETING MANAGER Rochelle Turner
SENIOR MARKETING MANAGER Edelyn Sellitto (646) 638-6107
LEAD GENERATION CAMPAIGN MANAGER Jennifer Brous

SC MAGAZINE LIST RENTAL
REACH MARKETING
VP, MARKETING SOLUTIONS Wayne Nagrowski (845) 201-5318

DESIGN AND PRODUCTION
ART DIRECTOR Michael Strong
PRODUCTION MANAGER Krassi Varbanov

CIRCULATION
AUDIENCE DEVELOPMENT MANAGER Richard Scalise (646) 638-6190

SC EVENTS
PROGRAM DIRECTOR, SC CONGRESS Eric Green
EVENTS DIRECTOR Adele Durham
EVENTS MANAGER Maggie Keller
ASSOCIATE VIRTUAL EVENTS MANAGER Jourdan Davis
VIRTUAL EVENTS COORDINATOR Anna Jurgowski

SUBSCRIPTION INQUIRIES
CUSTOMER SERVICE: (800) 558-1703
EMAIL: [email protected]
WEB: www.scmagazine.com/subscribe

MANAGEMENT
CEO, HAYMARKET MEDIA Lee Maniscalco
COO John Crewe
CFO Donna Santarpia
DataBank
ThreatReport
Cybercriminal activity across the globe, plus a roundup of security-related news.
Colored dots on the map show levels of spam delivered via compromised computers (spam zombies). Activity is based on the frequency with which spam messaging corresponding with IP addresses is received by Symantec’s network of two million probes with a statistical reach of more than 300 million mailboxes worldwide. (Map legend: high-, medium- and low-level activities.)

CANADA – Canadian Bitcoin exchange CAVIRTEX is shutting down following a database compromise. The company stated that it has reason to believe that an older version of its database, which includes two-factor authentication secrets and hashed passwords, may have been compromised. The company believes its reputation has been damaged and it can no longer operate successfully.

ONTARIO – The Ontario government inadvertently disclosed the personal information of 720 individuals to third parties. The information included the social insurance numbers of welfare and disability support program recipients, as well as the amount of assistance they received last year. The issue was software related and involved misdirected T5 forms.

MIDLOTHIAN, ILL. – The police department in a Chicago suburb paid an unknown hacker $500 in Bitcoin to regain access to data on a police computer infected with ransomware. An IT vendor that works with the town indicated that only one computer and specific files located on it were impacted, and not the entire department’s system.

NEW YORK CITY – A 16-year-old student was able to change his grades after getting through the password barrier and other security on his school’s computer system. The high school junior was charged as an adult with forgery, computer trespass, unauthorized use of a computer, computer tampering and criminal possession of forgery devices.

NETHERLANDS – An international effort by Europol and private companies, including Microsoft, has resulted in the takedown of command-and-control servers for the Ramnit botnet. Additionally, the takedown team redirected 300 internet domain addresses used by botnet operators. Since its emergence, Ramnit has infected an estimated 3.2 million computers worldwide.

U.K. – A backdoor into a database belonging to PaymyPCN.net, which is linked to the Driver and Vehicle Licensing Agency database, allowed the public to access data on nearly 10,000 motorists. The information included names, addresses, emails appealing penalty charges, and photographs taken by law enforcement of motorists and their vehicles.

RUSSIA – The U.S. Department of State’s Transnational Organized Crime Rewards Program has put a $3 million bounty on Russian hacker Evgeniy Mikhailovich Bogachev for crimes he allegedly committed using Zeus malware. Bogachev – who is said to have used Zeus to steal banking information and empty compromised accounts – is believed to be living in Russia.

INDIA – A researcher, Laxman Muthiyah, earned $12,500 from Facebook after he identified a vulnerability that allowed him to delete any photo album on the social media website. Muthiyah reported the issue to Facebook, and the social media company applied a fix in less than two hours.

Russia top producer of zombie IP addresses
For the period reported, the EMEA region (Europe, Middle East, Africa) was the leading source of all zombie IP addresses. Of the countries making up the EMEA, Russia was the top producing country. For the other regions, the top producers were Brazil in South America, the United States in North America and Vietnam in the Asia-Pacific region. Source: Symantec
DataBank
ThreatStats

Zombie IPs: Global distribution (map; countries labelled: India, China, Russia, Taiwan, Argentina, Vietnam, Iran)
Zombie IP addresses are recorded in CYREN’s database as having sent spam in the past 24 hours. These are infected computers (zombies) that are unknowingly sending spam. Based on the IP address, the company can determine the country of the spam-zombie and then sums up the spam-zombies per country.
Source: CYREN

Top 10 names used by phishing websites
1. Facebook
2. mail.com
3. Google
4. CNBC
5. @MAIL.RU (почта)
6. Road Runner
7. American Express
8. Telstra
9. Microsoft
10. LinkedIn
Bar values printed, in descending order: 3,635,524; 2,730,784; 2,309,984; 1,091,866; 912,807; 780,703; 706,291; 697,354; 686,761; 587,161.
Source: Kaspersky

Top 5 attacked countries / Top 5 sources of spam (as of March 10) (two bar charts)
Values printed: United States 11.74%, Ukraine 10.38%, Russian Federation 6.14%, China 5.31%, Spain 4.74%; and Russian Federation 1.93%, Kazakhstan 1.90%, Qatar 1.76%, Ukraine 1.71%, Algeria 1.68%.
Source: Kaspersky

Index of cybersecurity: Perceived risk (line chart; left axis index value 1,450 to 2,650; right axis rate of change, continuously compounded; monthly from 03/14 to 02/15)
The index queries information security industry professionals monthly to gauge their perceived risk to the corporate, industrial and governmental information infrastructure from a spectrum of cyber security threats. A higher index value indicates a perception of increasing risk, while a lower index value indicates the opposite.
Source: ICS, www.cybersecurityindex.com

Top 5 attacks used by foreign hackers / Top 5 attacks used by U.S. hackers (two bar charts comparing Jan. and Feb.)
First list as printed: 1. ZeroAccess trojan; 2. Gozi trojan; 3. Glupteba trojan; 4. Nymaim trojan; 5. Zeus trojan.
Second list as printed: 1. Upatre downloader trojan; 2. CryptoWall trojan; 3. Gozi trojan; 4. Downloader trojan; 5. ZeroAccess trojan.
There were 3,530,44 attacks in the United States last month, primarily originating from Columbus, Ohio; Provo, Utah; New York; Atlanta; and Los Angeles. There were 28,034,962 foreign attacks last month, primarily originating from Amsterdam; Berlin; Bucharest, Romania; Lisbon, Portugal; and Stuttgart, Germany. (Chart caption: There were 3.5 million attacks in the U.S. last month.)
Source: Dell SecureWorks

Top breaches in February: Data loss (columns printed: Name, Type of breach, Number of records)
Anthem, Indianapolis – 80 million. The second largest health insurance company was infiltrated by a Chinese hacker group known as “Deep Panda,” according to journalist Brian Krebs. He reports the hacking began as early as April 2014.
The Office of Jeb Bush, Tallahassee, Fla. – Names, Social Security numbers and birthdates of 12,000 Florida residents on a family services waiting list were inadvertently exposed via a PowerPoint email attachment sent as part of a measure for transparency.
TOTAL number of records containing sensitive personal information involved in breaches in the U.S. since January 2005: 815,842,526
Source: Privacy Rights Clearinghouse (data from a service provided by DataLossDB.org, hosted by the Open Security Foundation)

Internet dangers: Top 10 threats
Rank  Name           Movement  First observed  Type        Last month  Months on list
1     Upatre.aa      p         05/09/14        downloader  0           0
2     Upatre         p         12/11/13        downloader  0           0
3     Simbot.gen     p         06/29/11        backdoor    0           0
4     Soltern.l      p         01/08/11        worm        13          7
5     Tugspay.a      Same      07/07/14        downloader  6           5
6     Ogimant.gen!c            09/17/14        downloader  3           2
7     Eggnog.a       p         01/15/14        worm        0           0
8     Berbew         p         01/31/11        backdoor    0           0
9     Ramnit.i                 12/03/10        virus       11          1
10    Ramnit.a                 01/05/11        virus       0           0
Source: Motive Security Labs
Update

2 minutes on... An answer to ransomware? P14
Me and my job Finding out what the bad guys are up to next P15
Skills in demand Web application security pros are needed P15

NEWS BRIEFS

»Researchers disclosed a new SSL/TLS vulnerability, dubbed “FREAK,” which enables attackers to intercept HTTPS connections between vulnerable clients and servers and forces the use of “export-grade” cryptography that can more easily be decrypted. In early March, analysts shared that vulnerable clients include “many Google and Apple devices” that use unpatched OpenSSL, as well as a “large number” of embedded systems and other software products using TLS “behind the scenes without disabling the vulnerable cryptographic suites.”

Equation quake
The “Equation” group targeted governments, financial institutions and militaries in more than 30 countries, reports Kaspersky Lab.

Kaspersky Lab uncovered what it believes to be the most advanced threat actor the research team has ever seen. The “Equation” group targeted institutions in more than 30 countries dating back to 1996. Early reports suggested that the group and the NSA were closely linked, if not one and the same, and Kaspersky noted that the gang’s most impressive malicious technique was infecting hard drive firmware.
»An Arlington, Va.-based security firm uncovered connections between a Chinese cyberespionage group, called Axiom, and the cyber attack against health insurer Anthem. The Anthem breach, which surfaced in early February, exposed the personal information of 78.8 million consumers, including Anthem and Blue Cross Blue Shield (BCBS) members. Threat intelligence firm ThreatConnect found that malware used in a 2013 attack against BCBS was signed with the same digital signature used to spread other Chinese APT malware. Suspicious domains which appeared to mimic Anthem’s infrastructure were also linked to the distribution of a backdoor program used by the APT attackers, ThreatConnect found.

THE QUOTE
“Dyranges [an infostealer]... first appeared in June 2014 and its use has skyrocketed since.” – “The State of Financial Trojans 2014,” Symantec, March 2015

»A hacker group stole as much as $1 billion from 100 banks in 30 countries by distributing a remote backdoor via spear phishing emails targeting bank employees, Kaspersky Lab revealed in February. The group, called Carbanak, is believed to be the same gang that breached Staples last fall. Based on information gathered from its own research in addition to info from law enforcement agencies, including INTERPOL and Europol, Kaspersky Lab said that losses reached up to $10 million per bank. Rather than aiming their attacks at accounts belonging to customers, the miscreants went after central sources, such as e-payment systems and banks primarily in Russia, but also in the U.S., Germany and China.

»Computer maker Lenovo came under fire for shipping adware-laden laptops to consumers. Furthermore, data security experts with knowledge of the preinstalled adware, called Superfish, revealed that the software leaves users vulnerable to man-in-the-middle (MitM) attacks that break HTTPS security. After facing backlash in February, Lenovo apologized for the security blunder and told customers that it had stopped preloading the adware on its laptops. The incident prompted the Electronic Frontier Foundation (EFF) to publish a how-to on uninstalling Superfish and removing the certificate, as the adware installs its own root CA certificate in Windows systems.

»Erratum: In last month’s Two Minutes On column, we reported that, according to Gartner, IT security spending would reach the $76.9 million mark in 2015. That figure should, of course, be $76.9 billion.
Debate» Your money is safe online.

FOR
Jen Andre, chief scientist, Threat Stack
If you make electronic transactions in any form, your money is already online. It doesn’t matter if you never enter a credit into an e-tailer and only shop brick-and-mortar. No business operates without connectivity to the internet. The point-of-sale breaches at Target and Home Depot deeply illustrate this. Such breaches are not going to stop happening, and nearly every retailer (online or not) will be vulnerable to them in some way. Given that reality, consumers have some onus to be savvy in choosing who they do business with – and how – to protect their own finances. Fortunately, technology is making advances to help us. Text messages and mobile apps make it easy to monitor your bank and credit card statements, and get alerts instantly when something is suspicious. With the increase of computing power and the rise of machine learning and Big Data, fraud detection is getting faster and better. New payment technologies are reducing the attack surface for potential credit card thieves and ensuring all transactions are safer.

AGAINST
Cameron Camp, security researcher, ESET
Unless you have protections, digital awareness and training, consumers expose themselves to risks while banking or purchasing products online. Consumers must learn to choose passwords wisely, change them frequently and limit their exposure. They must also keep sensitive personal information, bank account numbers and passwords in unencrypted form off their phone. On the institutional side, memory scraping on point-of-sale and other related technologies will remain a scourge to payment card participants. Financial institutions view theft in terms of “risk management,” not specifically stopping theft because it’s bad. That is, they assign a value to fund loss and attempt to manage that relative to security purchases. If that equation is at an acceptable level, they feel a measure of success and proceed to other issues. Consumers, on the other hand, think an acceptable level of “loss” would be zero. Lack of full disclosure on breaches, and/or delayed reporting weaken security and trust across the landscape in the interest of brand protection.
THE SC MAGAZINE POLL
When naming malware, should there be an industry standard when sharing threat information?
Yes 95%
No 5%
To take our latest weekly poll, visit www.scmagazine.com

THE STATS
16% growth in mobile malware in third quarter of 2014.
76% year-over-year growth in overall malware samples.
Source: McAfee Labs

THREAT OF THE MONTH
Komodia libraries

What is it?
Komodia Redirector and SSL Digestor libraries provide a way for software to intercept HTTPS traffic. This is a feature commonly used by various security products. However, the Komodia libraries contain a flaw, allowing an attacker to spoof the identity of a web server or disclose and manipulate HTTPS traffic through man-in-the-middle attacks.

How does it work?
The Komodia libraries do not properly validate self-signed X.509 certificates.

Should I be worried?
Third-party libraries are used more and more to speed up the software development process and reduce cost. Unfortunately, software vendors rarely security-audit libraries before using them. A number of privacy and parental control software products have been confirmed to bundle the vulnerable library.

How can I prevent it?
Some products have removed the feature or issued fixes. Apply fixes if available or delete the offending program as well as the installed root CA certificate.

– Carsten Eiram, chief research officer, Risk Based Security
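The validation defect Eiram describes, and the root-CA clean-up the Superfish brief refers to, in an added Go example that is not code from the column, from Komodia or from SC Magazine. Everything in it is constructed in memory for the demonstration: a made-up trusted root (“Example Trusted Root (constructed)”), a genuine server certificate issued by it, and a self-signed forgery for the same made-up host name “bank.example”. properCheck does what a TLS-intercepting component must do (chain to a trusted root and match the host name); weakCheck mirrors the flaw by inspecting only the host name, so the self-signed forgery passes; isSelfSigned is the test one would run over an exported root store when looking for a locally installed interception CA of the kind the EFF how-to tells users to remove.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serialCounter hands out unique serial numbers for the constructed certificates.
var serialCounter int64

// newKey returns a fresh P-256 key; every key in this example lives only in memory.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for cn. With parent == nil it is self-signed, which is how
// both a legitimate root CA and an attacker's forgery are produced.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// properCheck is what any component terminating TLS on a user's behalf must do: the
// presented certificate has to chain to a trusted root and carry the requested host name.
func properCheck(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// weakCheck mirrors the defect the column describes: the host name is compared, but the
// chain of trust is never verified, so a self-signed certificate with the right name passes.
func weakCheck(leaf *x509.Certificate, host string) error {
	return leaf.VerifyHostname(host)
}

// isSelfSigned reports whether cert was signed with its own key. Run over an exported
// root store, it flags candidates for an interception CA that a local program installed.
func isSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// Outcome records how each check judged one presented certificate.
type Outcome struct {
	ProperAccepts, WeakAccepts, SelfSigned bool
}

// scenario builds the constructed trusted root, a genuine server certificate issued by it
// and a self-signed forgery for the same host, then judges both with each check.
func scenario(host string) (genuine, forged Outcome) {
	root, rootKey := issue("Example Trusted Root (constructed)", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	realLeaf, _ := issue(host, false, root, rootKey)
	forgedLeaf, _ := issue(host, false, nil, nil) // self-signed, trusted by nobody
	judge := func(c *x509.Certificate) Outcome {
		return Outcome{
			ProperAccepts: properCheck(c, roots, host) == nil,
			WeakAccepts:   weakCheck(c, host) == nil,
			SelfSigned:    isSelfSigned(c),
		}
	}
	return judge(realLeaf), judge(forgedLeaf)
}

func main() {
	g, f := scenario("bank.example")
	fmt.Printf("genuine certificate: %+v\n", g)
	fmt.Printf("forged certificate:  %+v\n", f)
}
```

The forged certificate is rejected only by properCheck; the host-name-only check accepts it, which is exactly the exposure the column describes. Note that isSelfSigned flags the legitimate root as well, so in a store audit it is a triage signal: a self-signed root that no vendor ships, or whose private key is present on the endpoint, is the one to investigate and remove.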
2 MINUTES ON...
An answer to ransomware?

In recent years we’ve seen increasing numbers of companies fall victim to ransomware that encrypts a compromised computer’s files, threatening to delete them all if a Bitcoin ransom isn’t paid to the attacker. Even police departments have been strong-armed by cyber bullies into shelling out ransom payments.

While coughing up the money may encourage attackers to continue their campaigns, it’s tough to blame organizations for either not wanting to lose their data or receive negative press on their security posture.

New variants of ransomware keep popping up, skirting anti-virus systems and haunting security pros. A recent study conducted by Malwarebytes indicates that this is a primary cause for concern. Of the 685 IT decision-makers surveyed, 38 percent indicated that ransomware had the most severe impact on their organization, more so than advanced persistent threats. The same report also indicates that 84 percent of respondents believe that traditional AV falls short in addressing modern threats.

So, is there an answer to this proven threat? For TK Keanini, CTO at security firm Lancope, there’s a logical one: Back up your data. If organizations treated ransomware as “just a drive failure” they’d be better off, he says.

“When you look at the economics, it is most of the time cheaper to have a cloud backup system on a yearly subscription than to pay the ransom, and with the backup, you get all the other added benefits,” Keanini says.

It may seem like a one-size-fits-all solution, but a recent alert issued by The Internet Crime Complaint Center shed light on a new attack that uses ransomware to drop trojans and keyloggers, thus adding a new layer to this already disruptive threat. Thanks to that attack, miscreants netted more than $179 million from victims in the U.S. and 45 other countries.

While it’s essential to ensure enterprises are equipped to handle malware threats, Christopher Budd, threat communication manager at Trend Micro, believes that so long as ransomware’s brutal efficiency and effectiveness surrounding its “data destructive qualities” continues, this threat will likely proliferate in various forms.

“Ransomware has shown time and again that it’s more than willing to ‘pull the trigger’ and cause permanent harm and heartache if the criminals don’t get what they want – and sometimes even when they do,” Budd says.

– Marcos Colón

84% of respondents say traditional AV is insufficient today. Source: Malwarebytes
JOBS MARKET
Me and my job
Johannes Ullrich, dean of research for the SANS Technology Institute

How do you describe your job to average people?
I am helping an amazing group of volunteers to try to find out what the bad guys are up to next and how we can protect ourselves.

Why did you get into IT security?
I started out in physics, but ended up doing a lot of “computer work.” Of course, originally security wasn’t really something I thought about too much until my home system was compromised. The more I learned about security and networks, the more I found the dynamic of it more and more interesting.

What was one of your biggest challenges?
My biggest challenge is to figure out what to focus on. Decisions have to be made quickly. It is always difficult to find the right point to publish findings. If you wait too long, it doesn’t matter anymore. But if you publish too early, you may give people bad advice.

What keeps you up at night?
I am always worried about the security of my own systems. Offering services and data to the public in the form of dynamic and complex web applications is a challenge that is at times exhilarating and also frightening. The more you know, the more you worry.

What makes you most proud?
The persistent and longtime positive impact the Internet Storm Center has had on internet security. I am proud to be able to work with an amazing group of volunteers.

How would you use a magic IT security wand?
The internet-wide implementation of BCP 38 (anti-spoofing) and, if I had some powers left, the same for RFC 3514, which is just about as likely to happen.

Johannes Ullrich is responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC.

Skills in demand
With so many visiting the web for social-networking, shopping, banking and paying bills, it’s imperative that companies ensure their web-facing applications are secure and free from vulnerabilities.

What it takes
Mid- to senior-level experience enforcing web application security in all phases of SDLC with the ability to identify, interpret and remediate vulnerabilities found within web applications. Knowledge of the OWASP Top 10, web vulnerability scanning tools and previous web app development skills.

Compensation
Full-time salaries generally range from $90,000 to $135,000 (higher in certain regions and for contractors).
Source: Wils Bell, president, SecurityHeadhunter.com
Company news

» Kurt Takahashi has joined AMAG Technology, a Torrance, Calif.-based end-to-end security management solutions provider, as its senior vice president of sales. Takahashi leads the field sales team and helps implement strategies to drive growth and extend customer service. He will report to President Matt Barnette. He most recently worked at Quantum Secure as a vice president of global sales and marketing. While there, he changed the company’s sales approach through purchasing agreements and by increasing customers’ pipeline and account activity.

Kurt Takahashi, senior vice president of sales, AMAG Technology

14 SC • April 2015 • www.scmagazine.com

» Christopher Bolin has joined Absolute Software, a Vancouver, BC, Canada-based endpoint security and management solutions provider, as chief product officer. Bolin will be responsible for Absolute’s overall global strategy, and the company’s product development and product management teams will report directly to him. Bolin, who has worked in information security for more than 20 years, was previously executive vice president of worldwide product operations and CTO at McAfee. During his time there, he grew security-specific product revenues to more than $2 billion from under $500 million.

» Emailage, a Phoenix-based fraud prevention provider, has received $3.8 million in funding led by Felicis Ventures. Double M Partners and Much Capital also joined the Series A funding round. Emailage has tripled the number of transactions analyzed over the past year and flagged more than two million transactions as “risky.”

» Chenxi Wang has joined CipherCloud as vice president of cloud security and strategy. Prior, Wang was at Intel, McAfee and Forrester Research.

Chenxi Wang, VP of cloud security and strategy, CipherCloud

» Sean Molloy has joined Tenable Network Security, a continuous network monitoring company, as vice president of cloud services. Molloy will oversee the operations, deployment, design and architecture of Tenable’s cloud product lineup. Molloy previously worked as the director of software engineering at Qualys until he was promoted to chief architect. While in that role, he helped deploy the company’s cloud platform and transition it to a services-based software model.

» Sydney Carey has joined Zscaler, a San Jose, Calif.-based internet security company, as the company’s CFO. Carey will report to the company’s founder and CEO Jay Chaudhry. She will be responsible for the company’s global financial operations. Carey was named a Bay Area CFO of the Year in 2012 and most recently worked as the CFO of MongoDB. Previous to that, she spent nine years at TIBCO.

» PayPal has acquired Israel-based CyActive, which claims its offering – based on an algorithm sourced from biology – is able to foresee and forestall potential cyberthreats. CyActive was incubated by Jerusalem Venture Partners. It also received investment from Siemens.
Opinion
From the CSO’s desk
The failure of the security industry
Alex Stamos, CISO, Yahoo

It is a truth universally acknowledged that a CSO with budget must be in want of a thousand dedicated point solutions.

Like many security executives, my email, snail-mail slot, LinkedIn profile and cell phone field a constant barrage of offers from well-meaning but insanely aggressive account representatives. They arrive in waves from companies big and small. They offer solutions to my data analysis problems, zero-day malware and “advanced APTs.” Any demonstration of reluctance on my part is parried with a quick “Ok, I’ll circle back later.” In my dreams, I squint up at the flock of sales cybervultures, “circling back” until I lose my will to resist their entreaties, or perhaps to live.

The problem is not only that these companies build beautiful websites that refuse to explain what they sell and instead wax poetic on their “solutions,” or that their slide decks lecture me on what threats I face (“BYOD really means Bring Your Own Malware!”). The problem is that almost none of these products work in a real environment.

For the most part, the security vendors I meet believe that IT departments want to run another agent on their Windows laptops, that production engineers are willing to put a cheap Lintel 1U security device in their critical path, and that every company’s security team is staffed like a Top-5 bank. These assumptions are not true. Some ways we can adapt:

Build platforms – The activation energy to qualify, purchase and deploy a security solution is not widely variable and for most enterprises the opportunity cost of choosing a product that solves a very small problem outweighs the price. The security industry needs to build reusable platforms with pluggable use cases.

Focus on user experience – The explosion of security needs means the median security engineer in 2015 is less experienced than her counterpart in 2005. Security companies need to recognize that most of their addressable market cannot properly consume their products and that user experience is a bigger priority than getting more checkmarks in a Gartner report.

Accept asynchronicity – That’s not an album from The Police, but a mantra that needs to be embraced to provide security services on modern networks. Big Data, cloud and container technologies mean that most enterprises will be deploying 100GbE inside of the datacenter and corporate campus this year. At those speeds, security products have about 6.7 nanoseconds to decide whether an Ethernet frame is malicious or not.

Evolve or die, that is the reality facing the security vendors, lest the cybervultures feast.

30 seconds on...

» Don’t be the next headline
Companies are waking up to the fact that their security posture is insufficient to fend off today’s threats, says Stamos. We can no longer build products like it’s 2005.

» Hadoop to the rescue
Why would I keep many copies of my syslogs in proprietary databases when one standard storage mechanism could be queried by security products from competing companies?

» Build solid platforms
Why should five separate security agents hook the Windows kernel (and introduce instability) when one collector process could feed intelligence to five products?

» Modern service
These days, network security has to be pushed into the end nodes, and decisions need to be made at a much slower pace than packets arrive and remediations performed out-of-band.
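As a check on the 6.7 nanosecond figure in the column above, here is the arithmetic behind it. This derivation is added here and is not part of Stamos’s text; it assumes the worst case, a port saturated with minimum-size Ethernet frames. On the wire each such frame occupies the 64-byte minimum frame plus the 8-byte preamble and start-of-frame delimiter plus the 12-byte inter-packet gap:

$$64 + 8 + 12 = 84\ \text{bytes} = 672\ \text{bits}$$

$$t = \frac{672\ \text{bits}}{100 \times 10^{9}\ \text{bits/s}} = 6.72 \times 10^{-9}\ \text{s} \approx 6.7\ \text{ns}$$

which is about $1/(6.72 \times 10^{-9}\ \text{s}) \approx 1.49 \times 10^{8}$ frames per second on a single port. Larger frames give proportionally more time per frame (a 1518-byte frame plus the same 20 bytes of overhead is $1538 \times 8 = 12304$ bits, about 123 ns), so the 6.7 ns budget is a per-frame worst case. Any inline device that cannot keep that pace on every frame must buffer or drop, which is why the column argues for taking the decision off the packet path.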
Bad guys are inside
Muddu Sudhakar, CEO, Caspida

It is an assumption for many enterprises operating today that they may already have been compromised. Hackers and bad guys are likely already inside their network. With the increasing sophistication of hackers, organized criminals and cyberhack-focused countries, it is safe to presume that the networks of many enterprises are already breached. Therefore, perimeter-only protection practices are no longer sufficient and firewalls and malware-detection products – while necessary – are no longer sufficient.

Today’s enterprise is filled with security tools for which the underlying technology and principles are likely 10-plus years old. These might include firewalls and intrusion detection systems, which operate on known signatures; rule-based detection; malware detection tools using sandboxing techniques; and DLP systems, which look for specific content in the form of keywords within documents leaving the enterprise.

Another challenge is that current security products rely on known attacks, standard rules and correlation techniques. This approach is generating millions of alerts and too many false positives. It is unsustainable to go through millions of alerts while relying on manual incident response with large SOC teams. Naturally, this methodology increases time to detection to weeks/months. Worse, these alerts are not actionable. Because security analysts and incident response teams get a flood of alerts from many security products within an enterprise, this creates a phenomenon called “analyst fatigue.” Most of the alerts are not actionable and security professionals have to spend a lot of time reviewing these alerts and developing required supporting evidence.

Most recent high-profile breaches involved the continuous use of current-generation security products, yet the attackers were able to infiltrate and exfiltrate data unhindered. There needs to be advanced, deep data science-driven and machine-learning security technology within the network that detects advanced hack attacks and malware. It is imperative to detect malware that has already penetrated your corporate network.
Mobile interfacing with IoT
Jonathan Carter, technical director, Arxan Technologies

“...avoiding doing sensitive things via mobile devices is not possible...”

The security community is abuzz about the risks of reverse engineering code. The overall belief is that it’s a bad thing that can lead to cloning, repackaging, IP theft and other types of attacks. Most professionals believe there really isn’t much that can be done about preventing an attacker from reverse engineering their code. There are many excellent tools on the market that make the task easy and affordable to the adversary.

However, there are things that can be done to make reverse engineering a lot more difficult to execute. You can significantly raise the bar for hackers without a lot of effort. Most software engineers and security professionals don’t have the technical background to understand or apply basic obfuscation techniques that make reverse engineering much more difficult for hackers.

I suspect that “solution bias” is driving technical communities to avoid addressing the risks of reverse engineering as it relates to IoT devices and their mobile interfaces. Traditional security advice always recommends avoiding doing anything sensitive on a mobile device. This is wise advice and should be followed if possible.

But avoiding doing sensitive things via mobile devices is not possible when IoT devices are doing sensitive things and exposing that functionality (and associated information assets) via mobile interfaces. In this increasingly common business use-case, we are seeing IoT devices that allow users to see/do things via corresponding mobile interfaces: collect and process medical data, unlock doors, start cars, etc.

Hence, the issue of reverse engineering and code tampering of IoT devices and their associated mobile app interfaces must be addressed one way or another. But let’s be realistic. IoT and mobile are happening because of the business case. Regardless of what people may fear, it’s coming and we’ll have to reckon with reverse code engineering now or it will bite us later.
Analysis
Strike back on payment security
Annual compliance assessments are merely the start of a vigilant security program, says PCI SSC’s Stephen Orfei.

Make no mistake, we are in a battle. Cybercriminals are raiding our financial system. Armed with malware and hacking expertise, they are sneaking by breakdowns in security protocol. Many of these attacks are preventable. The key is grasping how they do it and knowing how to strike back.

The common attack pattern – as outlined in Verizon’s “2014 Data Breach Investigations Report” – is hacking into a vulnerable back office PC to implant malware. This paves the way to compromising connected point-of-sale (POS) devices and systems, collecting magnetic-stripe data from live transactions, exfiltrating the stolen data – and cashing in. Many of the breaches so far reported in 2015 have continued using this tactic.

So how do you strike back? The PCI Council recommends three tactics: ongoing vigilance, proactive security and solid preparation.

Malware is typically installed because missing or lapsed controls allow access into systems attached to the cardholder data environment (CDE). In many of the recent breaches, attackers exploited remote access methods to implant malware on vulnerable back office systems that typically ran an unpatched older operating system. This is an easily preventable breach of security protocol!

Vigilant risk mitigation means your controls must ensure that: software is frequently patched and up-to-date; configuration settings do not expose devices and systems to exploitation; monitoring includes internal and third-party access to systems in the CDE; and access security includes strong authentication and strong passwords.

Ongoing vigilance means you are continually monitoring controls as “business as usual.” These controls are your lifeline for they will identify suspicious activity that may indicate a potential breach – and let you react quickly to remediate vulnerabilities.

To ensure strong POS security, your organization should use PCI-approved point-of-interaction devices that encrypt data where it’s captured. This prevents exposure of plaintext cardholder data in these attacks. Also, consult your POS device vendors and IT partners to understand options for strengthening security with point-to-point encryption and tokenization throughout the cardholder data environment. These technologies have the potential to make cardholder data unusable and worthless if stolen. Finally, 2015 is a big year of transition as merchants in the U.S. implement EMV [Europay, MasterCard and Visa] chip cards to reduce fraud in card-present transactions. Used together with PCI standards, these technologies provide a layered approach to payment security that makes theft of cardholder data a non-event.

Often an organization’s approach to PCI security is to focus on passing the annual compliance assessment. But this is just the start of a vigilant, proactive security program. Organizations also need to anticipate and assess new risks in order to get ahead of emerging threats. Ongoing threat assessments and gap analyses will help to identify vulnerabilities and risks – and opportunities to improve security with technologies such as encryption and tokenization.

There is no silver bullet to security or preventing breaches. Yet, with a multi-layered approach that includes vigilance in monitoring and managing access, proactively strengthening security at the point-of-sale and actively preparing to meet new threats, your organization can significantly reduce the types of risks that have enabled recent breaches. Take action now and strike back with confidence to ensure the safety of cardholder data.

Stephen Orfei is general manager of the PCI Security Standards Council.
Letters

Got something to say?
Send your comments, praise or criticisms to [email protected]. We reserve the right to edit letters.

From the online mailbag

In response to February’s Last Word, The security model is broken, by Craig Shumard, principal of Shumard and Associates:

Craig is correct, a new security paradigm is needed to address the realities of the world we live in today. Even using the term “breach” these days is misguided. Today’s enterprise networks are porous. There are so many ingress and egress points that there is really no way to keep the bad guys out. Ask any IT or security worker if he/she can still access the network of the company they worked for previous to their current job. Don’t be surprised that the answer is “yes.” Floating credentials are not uncommon, and as long as that is the case and we are not requiring two-factor authentication then these breaches will continue. This is not about the cost associated with securing sensitive data, it is more about the will to do so and understanding how to get the job done.
Ted Heiman

This is an interesting argument. Craig Shumard is correct that we need to rethink the security paradigm, but to imply that an influx of spending, technology deployments and regulations with teeth will make a difference is a bit overreaching. We have security in many physical environments and still have security breaches. Banks still get robbed. Cars still get stolen. When you have facilities and systems that either must be open to public access or access public resources, you’re exposed to risk. The goal is always mitigation of risk exposure and diminishing the probability of security incidents. Elimination of security risk exposure and incidents is a practical impossibility.
Larry Walsh

In response to a feature article in the March issue, Closing the gate:

Good article. It’s not enough to monitor for known threats or to rely on stale security products that provide an inaccurate view of the environment. Organizations must focus on detecting data breaches in real-time and respond appropriately. To minimize potential harm, it’s crucial to place controls around sensitive data with DLP tools which can accurately alert and prevent, in real-time, unsanctioned sensitive data extraction thus enabling incident response teams to disrupt, respond and contain a possible APT/malware attack.
Wendy Cohen, CIO/CISO, GTB Technologies
Data breaches
MAKE IT
Sharing lessons learned with managers and staff is key to halting breaches, says Lena Smart, CIO, New York Power Authority. Steve Zurier reports.

Moving into 2015, there’s a general sense of uneasiness in the IT security community. While the Ponemon Institute dubbed 2014 the year of mega breaches, there’s no indication that this year is going to be any better.

OUR EXPERTS:
Dave Frymier, CISO, Unisys
John Kindervag, analyst, Forrester
Kevin Mandia, SVP and COO, FireEye
Donald “Andy” Purdy, chief security officer, Huawei USA
Lena Smart, VP and CIO, New York Power Authority
Nathan Smolenski, CISO, Zurich North America

Lena Smart, VP/CIO, New York Power Authority (Photo by Susan Woog Wagner Photography)

Intelligence sharing
If anything, IT security workers may feel that whatever new risk management program they roll out or security product they deploy, the bar constantly moves higher. Many fear privately that the hackers are winning, and that it’s impossible to stop nation-states, organized crime gangs and amateur hackers out to prove they can access Defense Department systems or Wall Street bank accounts. Anyone and everyone can be hacked – and it often happens without the IT staff even knowing about it. Even the harsh 20-year federal prison sentences handed out to TJ Maxx hacker Albert Gonzalez and credit card scammer David Ray Camez haven’t really proved an effective deterrent.

However bleak it may appear, though, the tide started to turn with the Target hack in late 2013. In fact, the Ponemon Institute reports that, following the Target breach, survey respondents said the percentage of senior management who considered data breaches an “extremely high” concern rose to 55 percent – up from just 13 percent.

It also didn’t hurt that heads started to roll from the corner offices. Without question, CEOs woke up when they read last year that 35-year company veteran Gregg Steinhafel was forced to resign at Target, and CIO Beth Jacob also lost her five-year-old position.

And if Target was a wake-up call, the Sony hack late last year pushed cybersecurity into the mainstream as President Obama weighed in on the issue and even Entertainment Tonight reporters gushed cybersecurity news when Amy Pascal, former co-chair of Sony Pictures Entertainment, was forced to resign over revelations about embarrassing emails that were stolen by the hackers.

High-profile data breaches have certainly attracted the attention of C-suites, says Nathan Smolenski, CISO for Zurich North America, a global insurance company. He says these incursions have changed the game in terms of exposing the capabilities of nation-state-type threat actors and provided a view into the collateral damage that can occur as part of a large-scale breach with the public release of HR data and emails.

“But C-suite awareness has actually been growing over the past five years,” he explains. “They are seeing the importance of increased focus and targeted communication and bringing all key stakeholders to the table, including risk management, privacy, legal and supply chain teams.

“The nature of the threat is ever-evolving,” Smolenski says. “Our mission is ultimately to continuously improve our visibility into the assets we protect, increase the cost to our adversary – time, complexity, risk of being caught, etc. – as well as measuring, reporting and effectively eliminating residual risk.”

For many, all of these requirements can be confusing and hard to sort out. Cynics may point out that JPMorgan Chase spent tens of millions in IT security and employed 300 people focused on security and it still was hacked. On the other hand, while it was hacked, it had the personnel to remediate the issue and sense to admit that there was a problem, and then move on.

Chart: Senior management’s data breach concern. The Target breach in November 2013 served as a wakeup call for senior management. Level of concern runs from 1 = none to 10 = significant concern; 13% of respondents reported the highest level of concern before the Target incident and 55% after it. Source: Ponemon Institute, “2014: A Year of Mega Breaches,” January 2015.

THE YEAR THAT WAS: 2014 mega breaches
eBay: 145 million people affected
JPMorgan Chase: 76 million households and 7 million small businesses
Home Depot: 56 million cards
CHS Community Health Systems: 4.5 million people
Michaels Stores: 2.6 million people
Neiman Marcus: 1.1 million people

Kevin Mandia, SVP and COO at FireEye, a Milpitas, Calif.-based network security company that has often been the “go-to” vendor for remediation following high-profile hacks, says what really needs to change is the idea that the victims have done something wrong.

“Organizations are compromised all the time, often without them knowing it,” he says. “When you’re talking about a nation-state hacking into an educational institution or a media or financial company, it’s really an unfair fight.”

Above all, Mandia says companies need to prioritize which information and data is most valuable. “Know what matters most and protect it,” he says.

There are many components to protect data, adds Smolenski. “While encryption, password complexity and the management of identity are important, they certainly are only a few pieces to the puzzle.”

Having the capability to proactively understand the motive, intent and capabilities of adversaries, being aware of vulnerable conditions, and maintaining continued discipline in all of the security and technical operation activities can go a long way in appropriately managing risk, he says.

At stake
“Risk management is our business,” says Smolenski at Zurich North America. “Top management makes it their business to understand what is at stake. Management is made aware of the types of vulnerabilities, their probability and the implications of an incident.”

Key executives at Zurich, he says, are informed of the latest threat activities, which ultimately changes how his security team delivers awareness and targeted information throughout its business units – such as providing awareness to executives about wi-fi attacks to ensure that individuals traveling to high-risk locations are outfitted with the proper equipment.

Only the serious need apply
Much of this publicity and the focus by the press on the next “9-11 event” that will affect the security industry troubles Lena Smart, vice president and CIO of the New York Power Authority (NYPA). “I really don’t respond well when people compare these hacking attacks to 9-11,” she says. While it’s regrettable that personal information and credit card data was stolen in these recent incursions, there was no loss of life, she says.

Smart, who worked for more than 11 years as NYPA’s CISO before assuming the CIO position, knows what she’s talking about. Along with her role at NYPA, Smart serves as the power industry sector chief for the New York State chapter of InfraGard, a partnership between the FBI and the private sector, where she receives briefings on cybersecurity events from the FBI and shares lessons learned with other IT managers and FBI officials.

She says following the Sony hack, she met with top management at NYPA and explained to them that the FBI believed the hack was tied to North Korea and how her security program at NYPA puts the organization in a strong position to withstand an attack. “I told them we use a combination of data encryption, complex passwords and identity and access management tools that weren’t necessarily applied to the same extent at Sony,” Smart says.

NYPA also has an aggressive security education program. Anyone who enters the organization, whether it’s their first day on the job or they are there as a visitor or contractor, is trained in IT security. Further, Smart will run unannounced phishing attacks throughout the year to raise awareness so staff understands better what to look for. She also does “brown bag” lunches with the rank-and-file staff where she offers tips on how to spot a suspicious email that may be a phishing attack or contain malware.

“We do videos of these sessions and people who may have missed the presentation are encouraged to watch and learn what’s going on,” she says.

A focus on crypto
The techniques that Smart uses at NYPA are accepted best practices that most experts recommend. John Kindervag, a Forrester analyst who focuses on IT security, says companies need to take three steps to protect their organizations: discover and classify their data; gain visibility into the company’s internal network; and deploy data encryption and tokenization.

“I really wish that more people understood that there are real consequences to not doing anything,” Kindervag says. “But people don’t put alarm systems in their homes until they get burglarized.”

Meanwhile, Dave Frymier, CISO at Unisys, an information technology company based in Blue Bell, Penn., says while it’s important to encrypt data and deploy two-factor authentication, companies also need to support their IT departments. “What Target did was like planting a vegetable garden with a shovel, rake and hoe, but not have anyone to tend the garden,” he says. “They bought some tools, but they made no investment in human resources to learn how to manage IT security.”

Better and more universally applied crypto can help, but Frymier points to three main factors that have led to the rise of data breaches. First, he says when the internet was first developed it ran on unauthenticated and unencrypted packets. A packet is authenticated when its origin is known and verified. Packets can be authenticated by sending a digital signature (generated with a digital certificate unique to the sender) along with it.

“In the early days of electricity, houses were routinely outfitted with bare wire,” he says. “As you can imagine, many burned down. Fifty years from now, the notion that we are sending around unauthenticated and unencrypted packets will seem as absurd as wiring houses with bare metal.”

Second, he says standardization has been a double-edged sword. For example, Microsoft Office is universal at most corporations, but it also created hundreds of millions of endpoints for hackers to attack.

Finally, Frymier says there’s a general rush by software makers to bring products to market too quickly. “Companies push product out the door as fast as they can with the lowest cost,” he says. “The result is that a lot of software is full of vulnerabilities.”

In the long run, he says, all of these issues will have to be addressed in order for the industry to make progress on breaches.

With all these latest developments, consequently, there are jobs aplenty in the security field. It’s just a matter of finding the right people to fill the posts. “As for security becoming the hot career, while the industry needs people, what we really need are people who are ready to roll up their sleeves and do the hard work. I’m still finding it hard to find qualified people,” Smart says.

CISOs and CIOs may not be able to make the hacks stop completely. But they can certainly apply the best possible tools and work with top management to identify the data and intellectual property that matters most to the organization. Short of an incident in which there’s a loss of life, the primary concern may not be about what was lost or stolen, but more about how the organization responds.
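Frymier’s point in the feature above, that a packet is authenticated when its origin is known and verified, and that this is done by sending along a signature made with a key unique to the sender, can be shown concretely. The following is an added example and not code from the article, from Unisys or from NYPA. It assumes a constructed, minimal packet format (a sequence number plus a payload) and uses Go’s standard-library Ed25519 signatures, with the sender’s public key standing in for the certificate the article mentions. It shows the three outcomes a receiver has to distinguish: a genuine packet verifies, the same packet with an altered payload does not, and a packet signed by some other key does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Packet is a constructed, simplified datagram used only for this example:
// a sequence number, a payload, and a signature over both. It is not a real
// protocol format.
type Packet struct {
	Seq     uint32
	Payload []byte
	Sig     []byte
}

// Sender holds the private signing key. Its public key is what a receiver
// would obtain from a certificate unique to the sender, as the article puts
// it; distributing that public key securely is the certificate's job.
type Sender struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSender generates a fresh Ed25519 key pair.
func NewSender() (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{priv: priv, Pub: pub}, nil
}

// signedBytes is the exact byte string the signature covers. The sequence
// number is included so that a signature is bound to this packet, not just to
// its payload: the same payload under another sequence number will not verify.
func signedBytes(seq uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, seq)
	return append(buf, payload...)
}

// Send builds a packet and attaches the sender's signature over header+payload.
func (s *Sender) Send(seq uint32, payload []byte) Packet {
	return Packet{Seq: seq, Payload: payload, Sig: ed25519.Sign(s.priv, signedBytes(seq, payload))}
}

// Verify is the receiver's whole decision: it returns true only if the
// signature was produced by the private key matching pub over exactly this
// header and payload. Length checks come first so malformed input is rejected
// rather than panicking inside the library.
func Verify(pub ed25519.PublicKey, p Packet) bool {
	if len(pub) != ed25519.PublicKeySize || len(p.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, signedBytes(p.Seq, p.Payload), p.Sig)
}

// Demo runs the three cases a receiver must tell apart and returns the
// results so they can be checked without reading printed output.
func Demo() (genuine, tampered, forged bool, err error) {
	var alice, mallory *Sender
	if alice, err = NewSender(); err != nil {
		return
	}
	if mallory, err = NewSender(); err != nil {
		return
	}

	// Constructed payload for the example.
	p := alice.Send(1, []byte("OPEN relay 7"))
	genuine = Verify(alice.Pub, p)

	// Same signature, modified payload: must fail verification.
	t := p
	t.Payload = []byte("OPEN relay 9")
	tampered = Verify(alice.Pub, t)

	// Another key signs identical bytes. The receiver, holding only Alice's
	// public key, must reject it: origin is not verified.
	f := mallory.Send(1, []byte("OPEN relay 7"))
	forged = Verify(alice.Pub, f)
	return
}

func main() {
	g, t, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", g, t, f)
}
```

Everything hinges on the receiver holding the right public key, which is why binding that key to the sender (the certificate in Frymier’s description) matters as much as the signature itself; a signature only proves that whoever holds the matching private key produced these exact bytes.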
Application security
TAMING THE
THIRD-PARTY
THREAT
T
hey are ubiquitous. Apps, the new short-form
word, describes the thousands of software applications designed to run on mobile Android or
Apple devices. From kids to corporate CEOs, everyone
with mobile technology has come to depend on apps to
perform tasks that range from basic to arcane. Given
that most are either inexpensive or free, they have been a
temptation that is simply too hard to resist.
But all is not well in this Garden of
Eden. Security professionals have long
fretted over their lack of insight into
the source of apps or their sometimes
nefarious nature. On top of this
formidable challenge, social media, a
nearby element in the mobile technology
spectrum, is also problematic. Last
year, for example, a security researcher
discovered a vulnerability in Twitter,
since repaired, that allowed applications
to access users’ direct messages without
their knowledge. The vulnerability exploited users who signed into
third-party applications using their
Twitter credentials, a common authentication capability offered by many web
and mobile apps.
In fact, many apps use Twitter handles
or other social media identities for sign-on
– both on PCs and on mobile devices.
Everyone is worried, or so it seems.
According to “Advanced Malware
Detection and Prevention Trends,” a
report by Enterprise Strategy Group,
an IT research, analysis and strategy
firm based in Milford, Mass., mobile
security monitoring weaknesses and
application security are the top concerns
of those surveyed. So, just how risky
are apps? A 2014 study from Symantec
reported that vulnerabilities discovered
within an operating system (OS) are not
the main focus of attacks. Rather, it is
the top layer of the security stack – the
application layer – that is the primary
point of risk within a mobile device.
Another study of app vulnerabilities
comes from the folks at Appthority. Its
researchers studied the activities of the
top 400 mobile apps – including the
top 100 free apps and 100 paid apps
for both of the most popular mobile
platforms, iOS and Android. Among
other things, the report found that the
popular perception that iOS devices
24 SC • April 2015 • www.scmagazine.com
The challenge for
security practitioners
is to make the
mobile ecosystem
more trustable, reports
Alan Earls.
are a “safer” choice was not supported
when it came to relevant app activity.
In fact, Appthority saw consistent risky
app behaviors across both platforms.
The company also found the top risky
app behaviors for both operating
systems most often fall into one of two
categories: sensitive data being captured
and sensitive data being shared.
Significantly, it’s not just personal data
but also corporate data that may be at
risk. In general, the company concluded
that free apps are the most problematic,
generating the most risky behaviors.
Perhaps not surprisingly, Appthority
also found that free apps aren’t really
“free” to consumers in that developers
often earn compensation by routing
user data to third parties, such as
advertising networks and analytics
companies. In fact, the authors noted
that app developers, in an effort to
expand their customer base, often
transmit the contacts or even the full
address book located on the device.
Of course, if a device is connected to a
corporate desktop, it could potentially
be permitted to sync with contacts from
Outlook, many of whom are contacts
actually owned by the organization.
In short, mobile apps are the
quintessential Pandora’s box, chock full
of woes for the unwary.
Jon Oltsik, an analyst with the Enterprise Strategy Group, sees the challenges in the explosive growth of applications used on mobile devices and he says organizations have to formulate responses for both consumer applications and business applications.

He says organizations are addressing this growth in several ways. Some segregate devices and networks between consumer and corporate use. “In the best case, nothing from the consumer side ever touches the corporate side,” says Oltsik. They also do things like application reputation checking to assess the riskiness of consumer applications. “Based upon this knowledge, organizations may force users to uninstall applications or disallow their use on the corporate network,” he says.

Overall, the key issue is whether business or consumer applications have or should have access to sensitive data. “This could be contact lists or it could be regulated data,” Oltsik explains. “The first thing you have to do is understand what data the application wants access to.” Once you know this, he says admins can build in controls, like VPNs and data encryption, and then monitor activity to detect anomalous or suspicious behavior.
When it comes to app security,
authorization is where a lot of the
problems start, according to Tyler
Shields, a senior analyst at research and
advisory firm Forrester. When authorization occurs through a common social
platform, such as Facebook or Twitter,
there is a clear tradeoff between user
experience and security.
“The most secure option would
be to have high-strength, two-factor
authorization that is specific to each
property,” says Shields. But user
experience is horrible when you do
that, he adds. Therefore, at some
point admins must be willing to
centralize and federate identity in
exchange for ease of use. “That is
what consumers are saying. They
don’t want to deal with 20 passwords.
They want one, or a password safe
that remembers them, or they want to
use Facebook or Google.”
McAfee, for one, offers personal password managers that aim to provide the convenience of single sign-on but with a lot more security built in, notes Gary Davis, chief consumer security evangelist at security technology company McAfee.
Further, many businesses are adopting
a similar approach by offering enterprise
identity, with one log-in that is federated
across the enterprise. Forrester’s Shields
says federated enterprise sign-on is
growing more popular. For example,
users can now federate one’s ID into the
cloud and let a provider, such as Ping
Identity or Okta Identity Management,
handle it. Conceptually, notes Shields,
this should be even better than
consumer-grade federation because it
will be designed for situations where
there is fiduciary responsibility. However,
he adds, “they are going to be better, but
they are still a single point of failure.”
Although those corporate approaches
could be configured to also include
access to popular consumer apps and
sites, as a rule, notes Shields, they are
reserved for enterprise functions.
Where are the vulnerabilities?
Shields says there are two types of
app issues: security flaws and privacy
problems. The security flaws are not that
different from traditional PC code or web
code flaws. Those problems could lead
to a single issue or a mass compromise.
However, there are two components to
worry about in mobile apps: the client
side and the server side. Servers will be
using JSON [JavaScript Object Notation,
a lightweight data-interchange format] or
some other API so the client can request
data, Shields explains. Naturally, a flaw
on the client side is less serious than a
flaw on the server side.
The privacy pieces are completely different because they stem more from the client side than the server side, he says. For example, an app could try to get information from all the sensors on a mobile device – like GPS, RFI and Wi-Fi connection – as well as contacts, calendar information, health and payment capabilities. “An app can then try to send out the information to an advertising group or a library or even a malicious hacking entity.” Of course, the builder of the phone or app also may access this information in ways that the user probably didn’t explicitly approve, Shields says.

Or did they? In most cases, Shields says, users mark a check box or two when they acquire an app, indicating their agreement with terms and conditions. But these end-user license agreements (EULAs) are flawed at their core in Shields’ view. Few users read or understand them. Many simply don’t care. Thus, when a consumer installs an app, they are frequently giving a wide range of permissions. “In some cases, the app developers may not even know how this works or what might happen to the data,” says Shields. And there may not be any simple technical fix as long as most users either ignore the EULA or simply agree.

That may make app vulnerabilities, whether caused by poor engineering or by onerous EULA agreements, a real public policy problem. “I don’t feel developers are incentivized enough to write secure code because the negative repercussions of unsecure code are minimal,” says Shields. “And for users, a lot of it depends on individual sensitivity to privacy. So, developers don’t feel their code needs to be submarine tight.” Instead, they prioritize getting to market fast, before someone else gets there. “I’m afraid better app security might have to come down to litigation or regulation,” says Shields, citing the planned addition of chips to credit cards in the U.S. in order to improve security, which is a government mandate rather than something demanded in the market.

For enterprises, the first step is knowing what is there. That is achieved by implementing an inventory of all the apps in the enterprise’s environment – because if the admin doesn’t know what is there, they can’t secure it. “However, you need to do this in an automated fashion,” says Shields. “Without that you can’t possibly keep up with the pace of change.”

To that end, he advises admins to inventory every app in their environment. “Once you know, you can build out profiles of acceptable risk for specific apps and for specific user segments.” For example, executives may be allowed to do certain things – or not. Admins, he points out, might not want location data to be available for CEOs. Or perhaps location data for people involved in delivering packages might be deemed too sensitive. Each group will have a risk threshold which must be mapped to the privacy impact of each app. It is typically a complex and time-consuming activity that demands automation.

Fortunately, he notes, there are lots of off-the-shelf offerings, such as a mobile device management (MDM) system, which can provide a good overview of one’s environment. Some can be integrated with reputation systems, such as Veracode and Appthority, so that the application and its risk rating can be contained within the MDM. “If you are going to allow apps into the highest risk segments, you will want to do a security assessment, too. For example, a static analysis of the code,” notes Shields.

At this point, he says most organizations lack maturity. Many are just starting to figure out policies on BYOD and MDM, just starting to understand security at the application layer, and just starting to grasp their application count and the types of applications in their environment. Few have done user segmentation and risk threshold assessment. And fewer still have created policies, procedures and full automation. “All that takes time,” Shields says.
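As an added example (not code from the article or from any vendor it names), here is a small policy engine in Python that performs the mapping Shields describes: each inventoried app's captured data classes and sharing destinations become a privacy-impact score, which is then checked against every user segment's risk threshold and forbidden data classes, yielding allow, assess (static analysis first) or deny. All apps, weights, segments and thresholds are constructed for illustration.

```python
"""Map each app's privacy impact against per-segment risk thresholds.

Added example, not code from the article or from any vendor it names.
Every app, weight, segment and threshold below is constructed for
illustration; a real deployment would feed the inventory from an MDM
and the reputation score from a reputation service.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# The article groups risky app behaviour into two categories: sensitive
# data being captured and sensitive data being shared. Capture weights
# are per data class; sharing with a third party amplifies the score.
CAPTURE_WEIGHT = {
    "location": 3, "contacts": 3, "address_book": 4, "calendar": 2,
    "health": 4, "payment": 5, "microphone": 3, "camera": 2,
}
SHARE_MULTIPLIER = {"advertising": 1.5, "analytics": 1.3}
UNKNOWN_SHARE_MULTIPLIER = 2.0   # destination not in the table: assume worst


@dataclass(frozen=True)
class App:
    name: str
    platform: str                 # "ios" or "android"
    free: bool
    captures: FrozenSet[str]      # data classes the app requests
    shares_with: FrozenSet[str]   # third-party destinations observed
    reputation: int               # constructed 0-100 score, higher is better


@dataclass(frozen=True)
class Segment:
    name: str
    max_score: float                          # risk threshold for this group
    forbidden: FrozenSet[str] = frozenset()   # data classes never allowed
    assess_above: Optional[float] = None      # static analysis required above this


def privacy_impact(app: App) -> float:
    """Score what the app captures, scaled by where it sends it."""
    base = sum(CAPTURE_WEIGHT.get(c, 1) for c in app.captures)
    mult = max((SHARE_MULTIPLIER.get(d, UNKNOWN_SHARE_MULTIPLIER)
                for d in app.shares_with), default=1.0)
    score = base * mult
    if app.free:                   # free apps monetise data more often
        score *= 1.2
    score *= 1 + (100 - app.reputation) / 100   # poor reputation raises it
    return round(score, 1)


def decide(app: App, segment: Segment) -> Tuple[str, List[str]]:
    """Return ("allow" | "assess" | "deny", reasons) for one app/segment pair."""
    reasons: List[str] = []
    blocked = app.captures & segment.forbidden
    if blocked:
        reasons.append(f"captures data forbidden for {segment.name}: {sorted(blocked)}")
        return "deny", reasons
    score = privacy_impact(app)
    reasons.append(f"privacy impact {score} against threshold {segment.max_score}")
    if score > segment.max_score:
        return "deny", reasons
    if segment.assess_above is not None and score > segment.assess_above:
        reasons.append("static analysis of the code required before approval")
        return "assess", reasons
    return "allow", reasons


def evaluate_inventory(apps: List[App], segments: List[Segment]
                       ) -> Dict[Tuple[str, str], Tuple[str, List[str]]]:
    """Decision for every (app, segment) pair: the mapping that needs automating."""
    return {(a.name, s.name): decide(a, s) for a in apps for s in segments}


def apps_to_uninstall(apps: List[App], segments: List[Segment], segment_name: str) -> List[str]:
    """Apps denied for a segment: candidates for forced uninstall or a network block."""
    results = evaluate_inventory(apps, segments)
    return sorted(a.name for a in apps if results[(a.name, segment_name)][0] == "deny")


# Constructed inventory and segments (not real apps, not a real policy).
APPS = [
    App("FlashlightPro", "android", True,
        frozenset({"location", "contacts", "address_book"}), frozenset({"advertising"}), 35),
    App("ExpenseTrack", "ios", False, frozenset({"payment", "camera"}), frozenset(), 90),
    App("RouteMapper", "android", True, frozenset({"location"}), frozenset({"analytics"}), 80),
]
SEGMENTS = [
    Segment("executives", max_score=12.0, forbidden=frozenset({"location"}), assess_above=6.0),
    Segment("delivery_staff", max_score=20.0, forbidden=frozenset({"location"})),
    Segment("general_staff", max_score=25.0, assess_above=15.0),
]

if __name__ == "__main__":
    for (app, seg), (verdict, why) in evaluate_inventory(APPS, SEGMENTS).items():
        print(f"{app:14} {seg:15} {verdict:6} {'; '.join(why)}")
```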
An alternative can be to try to simply
keep devices out of the organization
or sharply limit their use. This can be
done, but in most companies with a lot
of younger employees, this can damage
morale and probably lose people, says
Shields. Because of that, some enterprises have just given up and gone “open.”
But that’s not a good response for the
security practitioner. “The answer is to
think through the challenges and match
the risk threshold to user expectations,”
says Shields. “It is a long process and you
can’t flip it on in a day.”
The people problem
With so many users and devices, a big
challenge is people. “Consumers do not
have the same level of security controls
and security technology as the enterprise,”
says Mike Spanbauer, managing director
of research at NSS Labs, a security
research and advisory firm with headquarters in Austin, Texas. As a consequence, he
says, these devices should never be allowed
directly on the trusted network. “There
is always a risk of compromise to the user
when utilizing commercial applications
for identity management. Consumers
must practice security awareness for their
personal safety,” he says.
And complicating the user experience
is the issue of email. “There are emails
people receive on a mobile device,
where they are typically rushed and
not careful,” says Gordon MacKay,
EVP/CTO for Digital Defense (DDI),
a San Antonio, Texas-based provider
of managed security risk assessment
solutions. There is no silver bullet, he
points out. Rather, in this scenario, users
are particularly vulnerable to phishing or
instances where people, especially using
single sign-on, may inadvertently convey
permissions, he says.
McAfee’s Davis recommends engaging
employees in the effort. For example,
people often download apps that they
never or rarely use. Asking them to
reduce their app count or at least reduce
those that share a common or “social”
sign-on can cut risk significantly.
Adam Ely, COO and co-founder of Bluebox Security, a San Francisco-based mobile solutions firm, says many security teams overlook social media apps because they are personal in nature. “Since there has always been a risk of employees over-sharing information via email and forums, teams tend to treat this problem as an existing issue and don’t focus on it too much.” However, he says a lot of organizations are drifting to social messaging apps for internal communications since they are easier to use, everyone has them and they are outside of the company’s data archiving and monitoring.

Then there are the efforts to make the ecosystem more trustable. It may not prevent all problems, but it provides a baseline mechanism for imposing order. In that vein, there are industry efforts, such as the FIDO (Fast IDentity Online) Alliance, formed in 2012 to address the lack of interoperability among strong authentication devices. The group is working to develop specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords.

However, the fundamental problem is reliance on the consumer to understand how authentication and access works in an open environment and who owns what information. Rogue apps exploit this lack of awareness to bypass a system’s security controls.

“Businesses need to allow the use of personal devices, but they should do so in a manner that provides for separation of business applications and information from personal applications and information,” Spanbauer says.

Ely recommends that companies work with employees to understand their needs and adopt the technologies that make them more productive. Furthermore, any app with company data has to be thought of as a business enabler and a potential risk, and the company must determine if the risk is real and acceptable or not.

It comes down to distinguishing identities. “The dynamics of cybersecurity have changed and identity is becoming the new perimeter,” says Ken Ammon, chief strategy officer of Xceedium, a Herndon, Va.-based network security software company. “The idea that there is an inside and an outside to a system has broken down,” he explains. “It is really a mesh of interconnectivity whereby people use mobile devices to access corporate data and go to Facebook.”

Moving forward, Ammon says the underlying effort needs to be to separate identity, authentication and authorization so that users get what they need. “I am encouraged to see what Apple is doing with payments,” he says, referring to the company’s new Apple Pay mobile-payment system. “It seems like we are finally moving in the right direction at the consumer level. But the rate of adoption will have to catch up,” he says.

A more extensive version of this article is available on our website.
Hacker havens
ZONE OF
PROTECTION
To what extent is state-sponsored cybercrime
extending protection for
hackers operating outside
the U.S.? Karen Epper
Hoffman investigates.
When considering the impact of globalization, organizations nowadays must not only think about reaching out to people in other parts of the world, but also who is reaching back.
Increasingly, cybercrime is not just being perpetrated by hackers
and syndicates within U.S. borders, but those that operate outside
them. And, many of the countries where these online attackers
operate are either actively supporting them, or at the very least,
allowing them to thrive and perpetuate their crime. “Russians,
for example, turn a blind eye to a lot of crime, they have a more
permissive attitude toward organized crime,” says Gary
McGraw, chief technology officer at Cigital, a software
security firm based in Dulles, Va. “The government
looks the other way.”
Russia and a number of countries in Eastern
Europe initially emerged as hacker havens – areas
of the globe where cybercriminals could ply their
trade without worrying that the government or state
law enforcement would crack down on their work, or
expend much effort to extradite them to the United States or other countries that would penalize or jail them. Why here? Eastern Europe has been a haven for cybercriminals since the internet began, according to Rick Howard, chief security officer at Palo Alto Networks, a network security company based in Santa Clara, Calif. “Many of these countries have excellent engineering schools [and] when the wall came down in 1989, there was no work for these brilliant engineers,” he says. “Some of them went into cybercrime in order to make a living. Some organized crime factions scooped these technicians up to add cybercrime to the portfolio.”

Johannes Ullrich, dean of research for the SANS Technology Institute (STI), which educates managers and engineers in information security practices and techniques, and chief technology officer of the SANS Internet Storm Center, a division of STI which keeps track of malicious activity on the internet, agrees that Russian and eastern European cybercriminals often work together, creating “a strong criminal infrastructure… with a good range of technically savvy individuals.”

But the threat is no longer isolated to a single region, or even a single class of nefarious groups. In countries like China, Ukraine and Iran, and some countries within the Pacific Rim, South America and Africa, a tolerance for fraudulent activity combined with the emergence of more skilled engineers – who may lack for legitimate opportunities – are creating more of these hacker hotspots throughout the globe. “It really comes down to there being a climate that’s conducive to the proliferation of cybercrime,” says Casey Ellis, CEO and co-founder of Bugcrowd, a San Francisco-based vulnerability assessment company. “Of course, not everyone with cybersecurity chops in these parts of the world are malicious, but this does somewhat explain the concentration of gifted hackers in those parts of the world.”

Kevin Epstein, vice president of advanced security and governance for Proofpoint, a Sunnyvale, Calif.-based provider of SaaS and on-premises solutions, agrees. “Any city or geographic region that hosts smart people with access to computing technology will breed hackers,” he says. “Whether those hackers choose gainful legal employment or a life of crime depends on the same factors that would influence residents to pursue legal or illegal activities in the physical world. As has been proven over centuries, a poor economy and minimal law enforcement presence can push even honest citizens into committing criminal acts.”

State sponsorship
In some countries, particularly Iran and China, the offensive capability can be a direct result of sponsorship by the states themselves, Ellis adds. Increasingly, malware distribution is “controlled by the nation-state and the highest bidder,” according to Hugh Thompson, chief technology officer and SVP of Blue Coat Systems, a Sunnyvale, Calif.-based provider of security and networking solutions. The whole discipline is becoming more professionalized in these countries that support it, he says, pointing up the improved quality of phishing emails with fewer misspellings or tell-tale signs of their point of origin. Criminals based in these hacker havens, he says, are getting far more sophisticated about writing in the local language of the countries where they are perpetrating their exploits. As well, they are putting in false clues, making it harder for companies and law enforcement to trace malicious code back to the source.

OUR EXPERTS: Border patrol
Casey Ellis, CEO and co-founder, Bugcrowd
Kevin Epstein, vice president of advanced security and governance, Proofpoint
Rick Howard, chief security officer, Palo Alto Networks
Rodney Joffe, SVP, senior technologist and fellow, Neustar
Andrea Little Limbago, principal social scientist, Endgame
Marc Maiffret, chief technology officer, BeyondTrust
Gary McGraw, chief technology officer, Cigital
Vikram Phatak, CEO, NSS Labs
Hugh Thompson, chief technology officer and SVP, Blue Coat Systems
Peter Tran, senior director for the advanced cyber defense practice, RSA
Johannes Ullrich, dean of research, SANS Technology Institute; chief technology officer, SANS Internet Storm Center
As a result, we will see two distinct
kinds of havens for internet-based
criminal activity, says Andrea
Little Limbago, principal social
scientist at Endgame, an Arlington,
Va.-based vulnerability research
firm, and co-author of a whitepaper,
“Operational Cyber Intelligence,” for
the Intelligence and National Security
Alliance (INSA). She believes countries
like Ukraine and Belarus are havens for
non-state criminal networks, whereas
Iran, China and Russia are havens for
state-sponsored espionage. The low
barriers to entry and weak economies
make criminal behavior on the internet
a relatively easy, low-risk, high-reward
alternative to traditional crime in
places like Eastern Europe, where
criminals are motivated by opportunity,
she says. Conversely, groups in
Iran, China, and Russia are usually
either state-sponsored or motivated
by nationalism. These groups have
emerged to lead cyber-espionage efforts
on behalf of their states’ economic or
military interests.
Attacks emanating from these hacker havens are not only growing in number and sophistication, but are increasingly becoming more high-profile, more damaging and harder to root out.

FIGHTING THE HIDDEN FOE: Integrating cybersecurity

It is hard enough to combat the existing cybercrime threat on our own home turf – with the weight of local and federal law weighing in support. But how can organizations hope to limit the effect of malicious hackers who operate far from the reach of U.S. law and under the protection of their own sympathetic governments?

Many experts say that the first step is understanding that it might not be a matter of if, but when, these foreign hackers will come calling.

“I believe that these days there isn’t a single company in the United States with more than 50 employees that hasn’t already been compromised in some way,” says Rodney Joffe, senior vice president, senior technologist and fellow for Neustar, a Sterling, Va.-based firm that provides real-time information and analytics. “Unfortunately, a lot of companies refuse to believe that.”

Government protection, or even support, has boosted these adversaries to the point that typical counter-measures simply will not do, according to Peter Tran, senior director for the advanced cyber defense practice at RSA. These criminal elements have an unprecedented business model that legitimate businesses can’t keep up with. “Companies, industries and governments have used traditional approaches to cyberdefense that have been reactive as opposed to intelligence-driven,” he says.

And, as the Internet of Things seeps into more areas, the attack surface for foreign hackers will only increase, says Hugh Thompson, chief technology officer of Blue Coat Systems.

A lot of the advice offered by experts is just for organizations to operate solid, standard cybersecurity hygiene and protocol. Rick Howard, chief security officer at Palo Alto Networks, says that since organizations will never be able to keep out every advanced adversary, they must instead make it extremely difficult for them to operate. Specifically, he recommends deploying security controls at each point in the kill chain; configuring and adapting each security control to function properly; regularly capturing metrics for each deployed security control so that the security department can confirm that it is doing what it is originally designed to do; and reviewing initial design considerations and making the appropriate changes.

While organizations have no control over these malicious attacks, managing their own vulnerabilities and response is key, says Casey Ellis, CEO and co-founder of Bugcrowd. “Identify your assets and prioritize their protection. Determine where your vulnerabilities are – in your code, your networks and your processes – and run through scenarios within your company to determine how you’d react and what would happen if a breach were to occur,” he says.

However, companies will likely need the support of the U.S. federal government and law enforcement if they want to slow the forward progress of activities at the source. “Companies, industries and governments must find a way to adjust the cost-benefit calculus using tools of cyber, diplomatic, legal and economic statecraft,” says Andrea Little Limbago, principal social scientist, Endgame. Currently, there are economic sanctions against Russia, Iran and North Korea – three of the leading countries involved in state-sponsorship of digital economic and intellectual property theft against the United States, she points out. Additionally, the FBI just placed a $3 million bounty on Evgeniy Bogachev, a Russian hacker and the world’s most wanted cybercriminal, and Senator Mark Warner (D-Va.) recently called for increased efforts to combat cybercriminals in Ukraine as a condition for a military aid package to that country, says Limbago.

“Integrating cybersecurity cooperation into other forms of cooperative agreements can impact governments harboring non-state sponsored criminal groups as well,” Limbago says. “All of these tactics – both sticks and carrots – must be thoughtfully employed to impact the risk calculus of adversaries.” – KEH
Ellis points up the widely publicized,
and highly embarrassing, hack on
Sony’s internal systems, which has
been attributed to North Korea, as
well as Operation Aurora, a series of
information security attacks against
Google tracing back to 2009, which
reportedly came from groups in China.
Since many of these emerging hacker
havens have poor relations with the
United States, or have a wide base of
citizens that dislike U.S. policies, there
is a ripe climate for these attacks to
be directed toward U.S. companies,
government agencies and private
citizens.
Global strategy
In countries like Iran, China and
Russia, governments employ digital
statecraft externally as part of espionage
campaigns, but also internally as part of
propaganda or information suppression
campaigns, Limbago says. “Computer
intrusions against adversaries are not
only condoned, but are also supported
and perceived as a legitimate aspect of
the state’s global strategy,” she adds.
Russia condones the global bank
breaches with ties to Russian-based
groups, while also hampering law
enforcement efforts. Particularly in the
former Soviet bloc countries, Limbago
says that states will often turn a blind eye
to criminal activity, even if they aren’t
necessarily protecting the transnational
groups perpetrating the crime. The
government of Ukraine, for example,
was recently linked to $1 billion in
global banking heists executed by
individuals hiding out there.
Chinese hackers have been implicated
in cyberattacks on the U.S. Office
of Personnel Management, the U.S.
Postal Service and National Weather
Service, and the theft of F-35 jet fighter
blueprints from Lockheed Martin
and its contractors, as well as exploits
against steel industry companies such
as Alcoa, U.S. Steel and Westinghouse.
Indeed, Howard says that China has been famous for cyberespionage ever
since TITAN RAIN, the code name that
the U.S. Department of Defense used
to label cyberespionage activities from
the Chinese government, became public
in the early 2000s. Meanwhile, system
breaches of the White House and U.S.
State Department unclassified networks,
Neiman Marcus and J.P. Morgan Chase
& Co. have been traced back to groups
in Russia. Similarly, the cyberattacks on
Home Depot and Target, as well as the
pernicious Zeus malware can be linked
to groups or individuals in Eastern
Europe. Groups in Iran were implicated
in a series of denial of service attacks on
U.S. banks in 2012.
There are examples of hackers in
Ukraine, Russia and the United States,
says Marc Maiffret, chief technology
officer for BeyondTrust, a global cyber
security company based in Phoenix.
“And, of course, no day goes past where
an attack isn’t linked to China.”
It’s not just a matter of sophisticated state-sponsored hacking mixed
with everyday cybercrime, according
to Maiffret, but also that foreign
intelligence agencies will do things
like hacking or leveraging existing
cybercrime networks or botnets in order
to piggyback these systems and better
blend in with the noise.
Vikram Phatak, CEO of NSS Labs,
an information security research and
advisory company based in Austin,
Texas, is increasingly seeing a blending
where cybercriminals are “reservists”
for their governments. Pakistan and
Syria are just the latest hacker hotspots
that Phatak has seen emerge.
And, this widespread protection is
also paving the way to more sophisticated exploits. State-sponsored hacking
does not necessarily create centers
for protection, but what they do is
create a resource-rich environment to
support globalized attacker anonymity
or obfuscation, says Peter Tran, senior
director for the advanced cyber defense
practice at RSA, a Bedford, Mass.-based
computer and network security
company. “It achieves this by creating
economic ecosystems for cybercriminals
and nation-state hackers to collaborate,
partner or use a globalized channel over
the internet to monetize malware as a
commodity.”
Enabling criminal behavior
Industry observers say that these hacker
havens will continue to evolve and
flourish. Mideast warriors ISIS (the
Islamic state of Iraq and Syria) is gaining
traction with its digital activities, and
given the established nexus between
criminal groups and terrorist organizations, it seems likely that they will
explore digital theft and espionage as
well, according to Limbago.
Similarly, Latin American drug gangs,
such as Los Zetas and the Sinaloa cartel,
have a similar organizational structure
to groups in Eastern Europe and have
demonstrated criminal activities in the
cyber domain. There also are signs of
Russian organized crime syndicates in
places like Peru that could transfer their
knowledge to local groups, exploiting
some of the under-governed spaces and
government corruption, she says.
“Many of these countries are
particularly susceptible,” Limbago adds,
“because they have an IT infrastructure that is mature enough to enable
cybercriminal behavior coupled with
weak rule of law and preexisting
criminal networks.”
Case study
FIT FOR A
QUEEN
Queens College found a
solution to monitor activity and
manage devices on its network,
reports Greg Masters.
The list of its alumni who rose from humble beginnings to prominence stretches from Robert Moog, the inventor of the Moog synthesizer, to musicians Carole King and Paul Simon and comedians Joy Behar, Ray Romano and Jerry Seinfeld. But none of these distinguished figures ever had to contend with
the challenges Morris Altman, director
of network services and internet
security officer at
Queens College,
faces on a daily basis:
malware.
Queens College is located
in Flushing, Queens, the easternmost and
largest in area of the five boroughs that
make up New York City. Perhaps
most readily identified as the home of
LaGuardia Airport and Mets ballpark,
CitiField, the borough is also home to
a diverse population – of its 2.3 million
residents, half are foreign born.
The college is one of nearly 20 schools spread throughout New York City comprising the City University of New York (CUNY) system. With 20,000 students and 5,000 faculty and staff, Queens College faced the modern-day plague of network attacks. And Altman, along with about 40 full-time and 100 part-time personnel on his IT security staff, were challenged with preventing computers from becoming infected and adversely affecting network performance of both the student and faculty population.

“So we needed a solution that would not only let us better manage and organize corporate assets, but also provide continuous monitoring of our network, and ultimately comprehensive visibility and policy-based control over devices accessing or on our network,” says Altman.

Before searching for a network security solution, his team had no way to effectively estimate the number of devices, including desktops and laptops, that were connecting to the Queens College networks. Therefore, he says, being able to identify and classify these endpoints was imperative while at the same time he looked to improve the school’s network security posture. “More so, we had to securely manage users, students and faculty and their personal mobile devices connecting to our computing resources.”

Another issue that prompted his team to search for a new network security platform was the increasing incidence of more sophisticated threats – including zero-day and propagating worms. It was not uncommon, he explains, for hundreds of computers on the network to be regularly infected – leading to the spreading of malware to other machines. These threats even consumed enough bandwidth to take the college network services offline on a number of occasions.
The network group – specifically the
CIO – began the search for a solution.
A number of offerings either failed
evaluation or could have potentially
created future limitations, such as
bandwidth limits of in-line network
security solutions, says Altman.
“We initially turned to ForeScout
CounterACT to help protect us against
advanced threats and propagating
worms, which, in the past, would have
infected hundreds of computers, literally
bringing the network to a crawl.”
Eliminating infections
Once the college had CounterACT in
place, the first time a new worm broke
out, Altman’s team only saw three
computers become infected. Those
three were immediately isolated from
the network and the infection was
contained. Additionally, those three
users were automatically notified of
the problem and were instructed to
call the help desk so the IT team could
rectify the situation. “Instead of weeks,
problems were solved in less than a
day and had minimal impact on our
students, faculty or staff,” Altman says.
After such a positive experience
with the initial implementation, the IT
team expanded its use of ForeScout
CounterACT to enhance visibility and
control over who and what types of
devices were connecting to the networks.
OUR EXPERTS: Preventing malware
Morris Altman, director of network services and internet security officer, Queens College
Jack Marsal, director of solution marketing, ForeScout

“Prior to CounterACT, we were forced to conduct manual investigations – even going through firewall logs to identify infected devices and one by one disabling their network ports,” says Altman. At that time, the user and help desk didn’t know why their network ports went down, he adds, which required more resources to determine the source and scope of problems and could take weeks to resolve. As a result, both the network group and the help desk shouldered a huge workload.
“ForeScout CounterACT works with
a majority of existing networks, both
wired and wireless, and integrates
with the existing switch, identity
and access infrastructure,” says Jack
Marsal, director of solution marketing
at ForeScout, a Campbell, Calif.-based
network security company.
“ForeScout CounterACT automatically
identifies, classifies and applies security
policy to all network devices,” he says.
“Unlike first-generation network access
control systems, CounterACT continuously monitors devices on the network to
ensure that they remain compliant with
the organization’s security policies.”
The tool ships with numerous policies
out-of-the-box and offers customers
a great deal of flexibility in terms of
designing custom policies that are
tailored to their environment, Marsal
says. “For example, CounterACT
can inform users if they are running
prohibited kinds of software. This
allows users to take corrective action.
If corrective action is not taken,
CounterACT can block the user’s device
from the network.”
The offering also includes the ability
to identify when malware is trying to
spread through a network and it blocks
the propagation, Marsal says. This is
done without any need for signatures or
signature updates, so the management
overhead is very low compared to
traditional IPS systems.
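The signature-free propagation blocking Marsal describes works on the shape of traffic rather than on payload content. As an added illustration that is not ForeScout's code (the article does not describe CounterACT's internals), here is one common signature-less heuristic in Python: flag a host that reaches an unusual number of distinct destinations on one port inside a short window, which is what a scanning worm looks like on the wire. The flow records, addresses and thresholds are constructed for the example.

```python
"""Signature-less worm-propagation detection over flow records.

Added illustration, not vendor code: flag a source that fans out to an
unusually large number of distinct destinations on one port inside a short
window. Scanning worms look like this on the wire; normal clients do not.
"""
from collections import defaultdict, deque

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = []
# Benign host 10.1.2.10 repeatedly talks to the same five servers on 443.
for i in range(60):
    SAMPLE_FLOWS.append((1000 + i, "10.1.2.10", f"10.1.9.{i % 5 + 1}", 443))
# Browsing host 10.1.2.11 reaches 25 distinct hosts on 443, one every 24 s.
for i in range(25):
    SAMPLE_FLOWS.append((1000 + 24 * i, "10.1.2.11", f"203.0.113.{i + 1}", 443))
# Infected host 10.1.4.57 sweeps 40 neighbours on 445, one per second.
for i in range(40):
    SAMPLE_FLOWS.append((2000 + i, "10.1.4.57", f"10.1.4.{i + 1}", 445))


def detect_fanout(flows, threshold=20, window=60):
    """Return one alert per (src, dport) that reaches `threshold` distinct
    destinations within any `window`-second span.  No signature is involved:
    only the shape of the traffic is examined."""
    recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst), oldest first
    flagged = set()
    alerts = []
    for ts, src, dst, dport in sorted(flows):
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        while q and q[0][0] < ts - window:   # expire entries outside the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold and key not in flagged:
            flagged.add(key)               # one alert per offender, not one per packet
            alerts.append({
                "src": src,
                "dport": dport,
                "first_seen": q[0][0],
                "last_seen": ts,
                "distinct_targets": len(targets),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['distinct_targets']} hosts on tcp/{a['dport']} "
              f"between t={a['first_seen']} and t={a['last_seen']}")
```

The window is the tuning knob: the browsing host visits 25 sites on 443 over ten minutes and stays quiet at a 60-second window but trips the same threshold at 600 seconds. That is the calibration an operator does before letting such a rule quarantine anything. The block action itself (moving the offending switch port or client into isolation, as the article describes CounterACT doing) is outside this example.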
“We needed a solution like ForeScout
CounterACT to help us reduce the risk
of security breaches and threats to our
students’ computing resources,” says
Queens College’s Altman. Prior to
implementing the appliance, the college
had a significant number of network
outages that cost Altman’s team time
and money and severely disrupted the
experience of students and staff. “We
needed a solution that could protect our
network while providing us with ROI.
Plus, in higher education, the students
are your organization’s customers, and if
they are inconvenienced or unhappy, it
affects the business.”
The solution is easy to operate, says
Altman. And, he adds, “It has done a
great job for us for many years. We’ve
maintained our CounterACT appliance
as updates have been released, and we
are currently using the CounterACT
Enterprise Manager, which has
centralized administration of our four
CounterACT 4000s.”
Improved network uptime
Altman and his IT team also use
CounterACT to automate help desk
alerts. Prior, individuals with a
networking, system or security issue
would have to call the help desk on their
own. Now, he says, with the ForeScout
solution, the help desk knows of the
issue – often before the user does – and
calls them first to resolve the issue
quickly and conveniently.
“CounterACT benefits span across the
entire IT team at Queens College,” says
Altman. “Asset management uses it for
visibility into the network. For example,
the endpoint team is monitoring device
posture, the help desk is examining
what’s going on with the device when an issue is reported, and the network and security teams are constantly monitoring for risks and exposures.” Further, he adds, students and staff can even use CounterACT desktop support for personal patches.

The implementation improved network uptime. Whereas prior in the early 2000s, the school would have security incident-related network outages at least two or three times per year, now it no longer has outages and enjoys nearly constant uptime.

Another benefit: the tool allows Queens College to comply with copyrights as it is able to limit P2P software, says Altman. “We’re using CounterACT to block unauthorized and noncompliant users.” That’s an added benefit because, like all colleges and universities, the school must comply with such regulations as the Digital Millennium Copyright Act (DMCA), which makes it illegal to produce and disseminate technology, devices or services aimed at getting around DRM measures that regulate access to copyrighted works. The ForeScout solution assists IT in resolving take-down notices for music and movies with copyright violations being downloaded from peer-to-peer software.

Easy installation
In many situations, CounterACT does not require any agents to be installed on the endpoint, ForeScout’s Marsal points out. “This makes CounterACT much easier to install and maintain than other NAC products that require agents.”

The appliance integrates with many different types of security systems, he adds. “The goal is to share information and automate actions. By coordinating security intelligence and automating security responses, you obtain a higher return on investment from your existing systems, and you shorten the window of time that an attacker has to gain a foothold in your network.”

At Queens College, this means that unauthorized applications are blocked from running on the network and CounterACT allows the IT teams to notify students and faculty when their machines are lacking up-to-date software. This feature also supports the Family Educational Rights and Privacy Act (FERPA) – a federal law that protects the privacy of student education records – by keeping all endpoints up-to-date.

The tool itself does not require constant updates. Thus, it requires very little in terms of management overhead, Marsal points out. “If CounterACT discovers that an endpoint computer is running old software, it can trigger the endpoint to fetch an update, or it can automatically run a script on the endpoint to install the updated software.”

The offering is deployed on all parts of the Queens College wired and wireless network. Some other CUNY colleges have adopted ForeScout following success at the Queens campus. And, Altman says his team will continue to add appliances to support additional users. For example, the team recently added FireEye to the edge of the network to act as a sensor for computers that have become part of a botnet. The FireEye appliance is integrated with the ForeScout network, which alerts the end user and the Queens College help desk, and then blocks internet access until the endpoint is remediated.

“Being vigilant with regard to updating signatures and reputation lists, or monitoring for network anomalies, is no longer good enough,” says Altman. “With FireEye and ForeScout, we know the details, security posture and activity of all devices on our network, and we can automatically isolate violations, malware and affected systems before anything gets out of hand.”

Altman says there is no resting on laurels, however. His team has seen a huge increase in phishing over the years in the college environment. He also needs to make sure systems are up-to-date and have active defenses. “Until we had CounterACT, we really didn’t have an idea of how many devices were on our networks, or if they were compliant and up-to-date.” The tool, he says, allows his team to “discover all sorts of things. We now know that there are about 6,000 wireless and 5,000 wired endpoints at any given time.”

This detailed insight on network endpoints allows his team to understand the diversity of devices and prioritize the devices or operating systems it supports when new applications are released, he says. For example, if only 10 users have Windows phones and thousands have Android and iPhone devices, the priority shifts, he explains.
Product Section

Deepnet: The multifactor authentication pros need (P38)
PistolStar: For that first step into dual-factor authentication (P43)
Let’s get authentic

Reviews this month addressed authentication. It used to be that we knew exactly
what we meant by authentication. It was
part of the access control function: identify,
authenticate, authorize. It’s not quite so simple
today. Today, the perimeter is porous and we sort
of let strangers into parts of our systems – think
online banking, for example. The notion of strong
authentication used to mean multifactor and, to
some extent, it still does. But now we have some
special use cases that call for strong authentication, but do not necessarily require multifactor.
An example is that awful tool, CAPTCHA. This has to be the most
user-unfriendly contrivance in the history of computing. However, it is
just that which makes it useful. It is, in its own way, an authentication
device. It authenticates the user as a human rather than a bot. There is
no multifactor, but it changes with each use, so it is not predictable. In
short, it is rather like a one-time pad in encryption.
At the other end of the spectrum we have biometrics. Now, if we
combine with a PIN or password for multifactor, we have pretty much
the strongest authentication around. Unless you are very clever. Fans of
Sherlock Holmes may recall “The Adventure of the Norwood Builder.”
In that story, Holmes discovers that a fingerprint on the wall was fashioned by making a rubber mold of a fingerprint and using it rather like
a stamp. Fantasy? Not really. At the annual scientific meetings of the
American Academy of Forensic Sciences this year, a project was shown
that demonstrated that the Holmes story works just fine: a latex facsimile
can be used to unlock a mobile phone.
However, in this month’s parade of products we tried no such subversion. Our testing was very straightforward. For each product, we created
its own test bed and put it through its paces. Everything tested worked
well and the result was a crop of first-rate products – some spectacular.
The name of the authentication game this year seems to be price/ease
of use. Now, the average person can use strong authentication easily, and
the tools are inexpensive.
Hats off this month to the reviews team of Sal Picheria, Ben Jones and
James Verderico. Now, on to the products.
– Peter Stephenson, technology editor
RSA: Has features not found anywhere else (P44)
How we test and score the products
Our testing team includes SC Labs staff, as well as external experts
who are respected industry-wide. In our Group Tests, we look at
several products around a common theme based on a predetermined set of SC Labs standards (Performance, Ease of use,
Features, Documentation, Support, and Value for money). There
are roughly 50 individual criteria in the general test process. These
criteria were developed by the lab in cooperation with the Center
for Regional and National Security at Eastern Michigan University.
We developed the second set of standards specifically for the group under test and use the Common Criteria (ISO/IEC 15408) as a basis for the test plan. Group Test reviews focus on operational characteristics and are considered at evaluation assurance level (EAL) 1 (functionally tested) or, in some cases, EAL 2 (structurally tested) in Common Criteria-speak.
Our final conclusions and ratings are subject to the judgment
and interpretation of the tester and are validated by the technology editor.
All reviews are vetted for consistency, correctness and completeness by the technology editor prior to being submitted for
publication. Prices quoted are in American dollars.
What the stars mean
Our star ratings, which may include fractions, indicate how well
the product has performed against our test criteria.
★★★★★ Outstanding. An “A” on the product’s report card.
★★★★ Carries out all basic functions very well. A “B” on the
product’s report card.
★★★ Carries out all basic functions to a satisfactory level.
A “C” on the product’s report card.
★★ Fails to complete certain basic functions. A “D” on the
product’s report card.
★ Seriously deficient. An “F” on the product’s report card.
What the recognition means
Best Buy goes to products the SC Lab rates as outstanding.
Recommended means the product has shone in a specific area.
Lab Approved is awarded to extraordinary standouts that fit into
the SC Labs environment, and which will be used subsequently in
our test bench for the coming year.
PRODUCT SECTION
GROUP TEST Authentication
Authentication
Specifications for authentication tools
It now is feasible for organizations of just about any size to support everyone in the organization with strong authentication, says Peter Stephenson.

Feature                              Deepnet  Entrust  SafeNet  Imation  LoginTC  PistolStar  RSA  SecureAuth  Swivel Secure  Vasco
Supports YubiKey?                       ●        ○        ●        ○        ○         ●        ○       ●             ○          ○
Supports physical token?                ●        ●        ●        ●        ○         ●        ●       ●             ●          ●
Supports software authenticator?        ●        ●        ●        ○        ○         ●        ●       ●             ●          ●
Offers self-service password reset?     ●        ●        ●        ●        ○         ●        ●       ●             ●          ●
Offers API for custom products          ●        ●        ●        ○        ●         ●        ●       ○             ●          ●
Offers biometric support                ●        ●        ○        ●        ○         ○        ●       ○             ○          ○
Offers RADIUS support                   ●        ●        ●        ○        ●         ●        ●       ○             ●          ●
Offers Active Directory support         ●        ●        ●        ●        ●         ●        ●       ●             ●          ●
Offers VPN support                      ●        ●        ●        ○        ●         ●        ●       ●             ●          ●
Offers SMS authentication               ●        ●        ●        ○        ○         ●        ●       ●             ●          ●
Offers Bluetooth authentication         ●        ●        ○        ○        ○         ○        ●       ○             ●          ○

● = yes, ○ = no. The SafeNet column is Gemalto’s SafeNet Authentication Service.
PICK OF THE LITTER
PistolStar PortalGuard is one of
the most full-featured products
we’ve tested this time around,
with great value per user, ease
of use, impressive customer
support and support for a wide
range of products and services
for multifactor authentication
integration. We picked this as our
Best Buy.
RSA Authentication Manager
is more expensive than other
alternatives, but it also comes
with several features not found
anywhere else. This combined
with its tight integration with
popular business applications
make it a great choice for organizations of all sizes. Our pick for
Recommended.
This month we look at
authentication. Most
years we begin this
review section with a basic
chat about the access control
process. This year, let’s have a
look at how that process has
changed. The big news is price
and ease of use. While there
still are a few pricey solutions
to the authentication challenge, the trend – absolutely –
is to make it fiscally practical to
move from passwords to strong
authentication.
Authentication is a component of the access control
process. That includes identification, authentication and
authorization. More and more
organizations are realizing
that access to sensitive systems
is way too easy. The cry to
“encrypt everything” has met
with resistance, both due to
cost and to the limits of encryption as a confidentiality solution: encryption at rest protects a stolen disk, not a running system. If you can compromise the admin account, you can get in, and the data is decrypted for you. The encryption is pretty useless in that situation. That,
of course, is not an admonition
to scrap encryption entirely.
It does have its place. But
wholesale encryption of entire
hard disks probably – by itself
– won’t solve the confidentiality
issue.
So, we’re back to the real
gatekeeper: strong authentication. Today, as always, that
probably means multifactor
authentication in most cases.
Traditionally, multifactor has
been expensive. And, as you
will see, there still are some
pricey products. Those, however, need to be taken in context
with how many users they are
intended to support. Looked at
that way, the price starts looking much more reasonable.
The other issue that has
pushed strong authentication out of the reach of many
organizations is ease of use.
While it probably is reasonable
for system administrators to
have the technical chops to use
just about any authentication
tool, it is not as reasonable to
expect that of the average business user. And, why should it
be? The average business user
should address computing as a
tool to get his or her job done,
not an end in itself. Such things
as email encryption and data
classification – very cumbersome at one time – now almost
are automatic. Strong authentication should be as well. And,
many vendors of strong authentication have addressed that, as
we saw this year.
So, where does strong authentication fit in the confidentiality
scheme of most organizations?
It depends on when you ask. In
years past, the answer was “for
high risk accounts.” That meant
that the system administrators
or any other person who had
access to sensitive data got the
hardware tokens.
Today, though, that is not
necessarily the best solution.
Certainly you might want to
keep the hardware tokens
for the high-risk accounts –
although they are nowhere
near as expensive as they once
were – but there are other
schemes that are cheap and
will work for the average user.
Also, mixing products is viable
and integration into existing
systems is pretty simple. This is
a sea change from the past. Part
of why this is possible – and
practical – is the pervasive use
of cloud computing. Sitting the
heavy lifting on a big server
farm readily accessible from the
internet makes a lot of sense. It
also has the economy of scale
that puts the cost of the service
well within the reach of most
organizations.
Given these changes, how do
you build out a strong replacement for passwords? Carefully!
First, evaluate, evaluate and
then evaluate some more. When
you get down to a couple of
products that you like, run a
small pilot. Most vendors will
gladly help you do that.
Now, look at deployment.
If you are a big organization
spread all over the country or
the world, you might want to
consider something that can
be self-deployed by your users.
Self-service systems are becoming much more common, especially for cloud-based vendors,
and that could ease your support pains significantly.
The bottom line is that it
now is feasible for organizations of just about any size to
support everyone in the organization with strong authentication. It is cost-effective and
easy to use in most cases. As
the old TV commercial said,
“Try it…you’ll like it!”
Deepnet Security DualShield v5.8.1
DETAILS
Vendor Deepnet Security
Price $649.
Contact deepnetsecurity.com
Features ★★★★★
Ease of use ★★★★★
Performance ★★★★★
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★★
Strengths Simple setup, wide
variety of deployment for security
strategies.
Weaknesses None found.
Verdict Given the great price
and the simple integration into
one’s infrastructure, the product
is exactly what security professionals are looking for to provide
multifactor authentication.
DualShield is an enterprise-grade, unified, multifactor authentication platform that protects all commonly used
business applications with a large selection
of multifactor authentication methods. This
product provides an advanced level of security
when identifying and authenticating users.
DualShield works in conjunction with other
OATH-compliant, one-time password (OTP)
hardware tokens, mobile apps, grid cards, as
well as Google Authenticator, RSA SecurID,
VASCO DigiPass Go tokens and YubiKey.
Deepnet’s product was shipped to us with
a setup CD and a SafeID OATH token. With
the provided documentation, the setup was
a breeze. We followed the installer wizard
found on the CD and were able to choose
between a back-end, front-end or complete
installation. The installation type depends on
what machine one wants to install the appropriate functionality. By default, a MySQL
server and database are installed once the
native software is finished downloading.
Additional security functionality can be
implemented during installation.
The device was very simple to use. Once
installation was complete, to test the authentication capabilities it was necessary to create
the identity source, link it to Active Directory,
create a domain for the identity source and
create a basic Windows logon procedure to
test user authentication. Using the installed
Self Service module enables administrators to
manage end-users, request replacement tokens
or even request an emergency login code.
Unlike most other two-factor authentication
products that commonly provide only one or
a few authentication methods, DualShield
provides more than 10 authentication methods including token-less on-demand password delivered by SMS, email and voice; token-based mobile app, key fobs, display cards and grid cards; device-based device fingerprinting; biometric voice, face and keystroke recognition; and PKI certificates and smartcards.
The documentation provided by Deepnet is
found on the setup CD, which also gives users
links to access further materials. The documentation is clear-cut and well put together
and allowed us to easily follow along or find
help for procedures to get everything running. Throughout, images aid the user during
both installation and setup.
Deepnet provides its clients with both basic
no-cost and fee-based support options. Basic
no-cost support includes assistance by email,
phone and WebEx.
Overall, DualShield is a complete solution for strong user authentication that is
extremely user-friendly, cost-effective and
easy to integrate into a customer’s existing IT
infrastructure. For the price point, functionality provided and security management capabilities of this product, it is a great option for
a multifactor authentication solution on one’s
network.
Entrust IdentityGuard

Entrust IdentityGuard is a dual-factor authentication server, app, smart card manager, biometrics server and general jack-of-all-trades when it comes to dual-factor authentication. It has a large volume of features and supported factors. It is part of the Entrust IdentityGuard Software Authentication Platform and, along with other products in the suite, covers just about any authentication task you can imagine.
Setup could have been easier – the administrator interface is nearly overwhelming at first.
Although IdentityGuard has a level of granularity in settings that goes unmatched, setup
on the administrator side is a little complicated to match. The user setup is much easier. It
has an easy-to-use web interface, particularly
on the smartphone application, with a level of
cleanliness and intuitiveness that we expect
from a big name like Entrust.
Entrust IdentityGuard has security questions; GRID/eGRID (basically a matrix);
an app for both iPhone and Android, with
mobile device certificates to match; one-time-password authentication; SMS authentication as well as soft tokens. Soft tokens are
software-based authentication methods that
reside on the device to authenticate the device
itself. IdentityGuard also includes a Bluetooth
authentication method in the form of a fingerprint scanner that ties in with the app, smart
cards, USB tokens and biometrics. The app is
an easy-to-use self-service for employees, and
enlists a method of authentication through
either one-time-password generation or
through Bluetooth.
The documentation includes setup guides
for each of the protocols and supported services, as well as self-service-oriented videos
that could be used as teaching materials for
employees learning how to use the app. We
were quite pleased with the documentation.
The site is exactly what you would expect
from a name such as Entrust. Product sales
documentation is plentiful as are technical
brochures that discuss how IdentityGuard fits
into compliance and standards.
Entrust IdentityGuard has three support
tiers: TrustedCare Platinum, Gold and Silver.
TrustedCare Platinum costs 22 percent of
total software investment annually with 24/7
support. TrustedCare Gold costs 20 percent
of total software investment annually with
24 hours a day, Monday to Friday support.
TrustedCare Silver costs 18 percent of total
software investment annually, with aid 8 a.m.
to 8 p.m., Monday to Friday.
IdentityGuard is a feature-packed tool that
surpasses our expectations, with support for
every protocol on our matrix and at the same time the most options for different form factors. It also has an extra bit of security
and ease of use by being a certificate authority
manager. It provides a great value per user
and will make a contribution to your authentication across every service in your network.
DETAILS
Vendor Entrust
Price $8 per user, $3.75 per user
above 25,000.
Contact entrust.com
Features ★★★★★
Ease of use ★★★★
Performance ★★★★½
Documentation ★★★★★
Support ★★★★★
Value for money ★★★★★
OVERALL RATING ★★★★½
Strengths Sheer volume of
features.
Weaknesses Administrator
learning curve.
Verdict A solid product for a
great price, one of the most
comprehensive platforms
we’ve seen.
DETAILS
Vendor Gemalto
Price $1 per user/per month for
2,500 token configuration.
Contact safenet-inc.com
Features ★★★★★
Ease of use ★★★★½
Performance ★★★★★
Documentation ★★★★★
Support ★★★★½
Value for money ★★★★½
OVERALL RATING ★★★★¾
Strengths Wide range of
supported products.
Weaknesses No serious liabilities
found.
Verdict Full of features and
solid on performance, well worth
looking at.
Gemalto SafeNet Authentication Service

SafeNet Authentication Service is a
cloud-based authentication service that
uses a wide range of tokens and custom
agents to support multifactor authentication
to include one-time passwords generated by a
phone app, SMS, a hardware token or email.
Setup, as with many cloud-based solutions,
is a breeze. The MP-1 software token generates a one-time password that expires every 60 seconds and is replaced by a new one. This is as simple as
install and activate. Simply follow the email
link and copy-paste an activation code. SMS
authentication is as simple as inputting a cell
phone number.
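Both the OATH-compliant tokens and Google Authenticator that DualShield accepts (reviewed above) and the 60-second SafeNet MP-1 software token described here are built on the same two RFCs. As an added example, not taken from either vendor, here is HOTP (RFC 4226) and TOTP (RFC 6238) in Python, checked against the RFC test vectors, together with the server-side verifier a practitioner actually needs: a small clock-skew window plus a guard against replaying a captured code inside its validity period. The `TotpVerifier` class and its `skew` parameter are this example's own names, not part of either product.

```python
"""OATH one-time passwords: HOTP (RFC 4226) and TOTP (RFC 6238).

Added illustration, not vendor code: the algorithm behind OATH-compliant
tokens, Google Authenticator and time-stepped software tokens such as the
60-second one described above, plus the server-side check with a small
clock-skew window and a replay guard.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, digestmod)


class TotpVerifier:
    """Server side.  Accepts codes within +/- `skew` time steps of the server
    clock (to tolerate token drift) and never accepts a time step twice, so a
    code captured by phishing or shoulder-surfing cannot be replayed inside
    its validity window.  (`skew` and this class are the example's own names.)"""

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.period, self.digits, self.skew = secret, period, digits, skew
        self.last_accepted_step = -1   # persist per user in a real deployment

    def verify(self, code: str, unix_time: int) -> bool:
        step = unix_time // self.period
        for delta in range(-self.skew, self.skew + 1):
            candidate = step + delta
            if candidate <= self.last_accepted_step:
                continue                       # replay guard: step already consumed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


# Shared secret used by the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                   # 755224  (RFC 4226 Appendix D)
    print(totp(RFC_SECRET, 59, 30, 8))           # 94287082 (RFC 6238 Appendix B)
    v = TotpVerifier(RFC_SECRET, period=30, digits=8)
    print(v.verify("94287082", 59), v.verify("94287082", 59))   # True False
```

The step length is a parameter (`period=60` reproduces the MP-1's cadence); with SHA-1 and eight digits the RFC 6238 vector for t=59 is 94287082. The replay guard is the part most home-grown verifiers omit: accepting a valid code twice inside one period is what lets a phished code be reused, and it is why the verifier tracks the last accepted step instead of just comparing strings.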
One of SafeNet’s big selling points is its
API, and consequently, SafeNet can be integrated into just about any application one
may be working on. It has many agents for a
long list of already existing applications, services and servers, including Microsoft Active
Directory and RADIUS. SafeNet also allows
SAML services, like Google Apps and Salesforce.
The tool has granular logging and reporting
and a self-service portal, both of which greatly
reduce the amount of management time
required while keeping both the user and the
administrator more informed.
Documentation is extensive and complete.
The agents themselves each have a spot on
their website that is easy to find and the diagrams are clear in describing what is happening every step of the way. However, they may
have overdone themselves here as there is so
much documentation it can be challenging to
find what you might be looking for. For some
applications, it seems like a great deal of reading is needed to get one’s feet off the ground.
One interesting part of the SafeNet web
site is the section on software monetization.
Departing from the traditional sales pitch for
strong authentication, this part of the site discusses how to apply SafeNet to your software
product to make more money. Also departing
from the traditional use of hardware tokens
for copyright protection, this part of the product allows enforcement of copyright through
the cloud.
SafeNet’s Extended Support is included in
the subscription cost and includes online and
telephone assistance during regional business hours with an eight-hour response time.
SafeNet’s Plus Support costs 10 percent of
the subscription price and includes 24/7/365
online and telephone aid with a one-hour support time. If you are a global operation this
type of support probably makes sense for you.
SafeNet has one of the broadest ranges of
agents we have ever seen. There is a small,
easy to set up agent for seemingly every service we can shake a stick at. The interface
feels intuitive and clean and presents logging
information at the fingertips of the administrators. Overall, this is a very nice piece of
work – easy to deploy, easy to use and a lot of
functionality.
Imation IronKey F200 Flash Drive

The Imation IronKey F200 Flash Drive
is a simple, easy to set up and extremely
secure device for users who need to
transport confidential data between computers. Because of its non-involved setup, users
who are not necessarily tech savvy can suddenly equip themselves with top-tier protection. It is available in 8, 16, 32 and 64 gigabyte
variations, which allows organizations to
purchase the F200 based on the storage needs
of individual users. For extra security and
manageability, the enterprise version of the
management software can be purchased. This
allows organizations to centrally manage and
provision secure flash drives across the enterprise.
For our tests, we received the 8GB model
in a small package. After unpacking the
device, we were greeted with what appears
externally to be no more than a very sturdy
flash drive. After removing the sleek metal
cover, it is immediately obvious that this
tool means business. The sturdiness aspect
is further exemplified by the internal device
construction and the biometric sensor lies in
an ergonomic groove for easy swiping. We
plugged it into one of our lab machines, which
automatically opened the Imation Access software – the gateway to the device. Once it is
connected, two drives automatically install on
the system. The first appears as a virtual CD-ROM drive, where the system files live. The
second appears as a removable disk named
LOCKED. We followed the software through
the GUI wizard, which was where we configured the device. Here, we were prompted to
create an administrator password. After we
did that, it prompted us for the number of
users we wanted to create.
As far as security is concerned, the Imation IronKey F200 is an excellent choice. By
default, the device operates in biometric-only
mode, but users who opt to go through the
advanced options in the setup are afforded
several more options.
One feature we really liked is the ease of
mounting it read only. When logging into the
device, the user is prompted to enable the
device as read only. This provides an extra
layer of security for users transporting very
sensitive documents or users connecting to
devices they suspect may contain malware.
Because the F200 uses hardware encryption,
once it has been set up it is supported by
virtually every device that accepts USB disks.
The only drawback we could find was its
speed. Read speeds were average, but writing
large files took a long time.
Because of its advanced security, we find
this solution to be useful with a reasonable
price tag. The granularity aspect of purchasing makes it affordable for organizations of all
sizes. As the enterprise grows, the centralized
management software can be added, which
increases the value of the device as a long-term investment.
DETAILS
Vendor IronKey by Imation
Price $189 per unit.
Contact ironkey.com
Features
★★★★★
Ease of use
★★★★★
Performance
★★★★½
Documentation
★★★★★
Support
★★★★★
Value for money
★★★★★
OVERALL RATING ★★★★★
Strengths Very secure
with the ability to add central
manageability at any time.
Weaknesses It’s not a big issue
for most users, but the lack of
USB 3.0 support will slightly slow
power users or individuals moving
large files.
Verdict Great price point and
advanced security.
www.scmagazine.com • April 2015 • SC 41
GROUP TEST Authentication
Cyphercor LoginTC
DETAILS
Vendor Cyphercor
Price $16.80 per user per year, or
$15 per user per year over 1,000
users.
Contact logintc.com
Features
★★★½
Ease of use
★★★★★
Performance ★★★★★
Documentation ★★★★½
Support ★★★★★
Value for money
★★★★½
OVERALL RATING ★★★★½
Strengths Ease of use and
beautiful interface.
Weaknesses Limited feature set.
Verdict A great solution that can
be up in no time at all.
LoginTC from Cyphercor is a cloud-based solution that uses a mobile device
or a desktop for authentication. It
has easy-to-use iOS, Android and Chrome
desktop applications to approve logins to a
variety of products. Its big selling points
are the reliability of the cloud, ease of use and
cost. Because LoginTC uses a mobile device,
it is far less likely that the user will lose the
device than if the user has a traditional
hardware token. According to Cyphercor,
users check their mobile devices every five
minutes on average.
Setup is as easy as it gets. RADIUS, VPN,
WordPress, Drupal and Joomla connectors
all simply work right off the bat. The documentation
provides a simple, step-by-step guide to starting up all of these connectors. There is a
User Sync Tool to synchronize users (in one
direction) to any LDAP server, including
Active Directory and OpenLDAP.
On the user end, it gets even easier. Downloading an app is something everyone knows
how to do by now. One then types in an activation code and is done. The Chrome app is
no different: follow the link in the registration email, or look it up in the Chrome
app store, input the activation code and one is
done.
LoginTC supports RADIUS, Cisco ASA,
OpenVPN, PHP web-based, Unix SSH,
Drupal, WordPress and Joomla, as well as a
REST API. The interface itself is beautifully
simple and intuitive, and the Google Chrome app
takes advantage of the browser’s push notifications, which makes this one of the simplest
and most intuitive software-based tokens
we’ve used.
The documentation is some of the best
we’ve seen. It’s easy to get to on the top
of the website. The category view makes
sense. Complicated concepts are expressed
in simple and easy to understand diagrams.
It made the setup step a whole new level of
easy.
There are three support packages, all of them
free, which depend on the number of users:
Starter support is for fewer than 10 users and is
via email 8 a.m. to 8 p.m. EST; Professional
support is available for fewer than 1,000 users
and has phone support 8 a.m. to 8 p.m. EST
and email support 24/7; Enterprise support
offers 24/7 phone and email aid.
LoginTC’s API sets it apart from many
other products. LoginTC does exactly what
it says it does very well, arguably the best for
its feature set. LoginTC being cloud-based
takes out much of the work, but also restricts
some of the use cases. LoginTC is a great
product that deserves your consideration,
especially if you do much of your work
on the web. This is one of those tools that
brings strong authentication to the average
user in a cost-effective (up to ten users are
free), easy to use package that works in the
user’s familiar environment.
PistolStar PortalGuard
PortalGuard is a multifactor authentication server, a web-based single sign-on (SSO)
server through Internet Information Services (IIS) and a self-service password reset server
and application, all rolled into one.
The install is guided, over screen sharing and
VoIP, by a PistolStar engineer who has either developed or tested
PortalGuard; this guidance is included with every purchase and is a nice touch. The
PortalGuard server application is
easy to install, no doubt because
the engineer guiding us through
the install knew the product inside and out.
This almost doubled as a training session, as
during the install we were able to ask questions and learn how the product worked.
This saved us a tremendous amount of time
in setup and reduced the gap between setup
and actually having something useful to work
with. PortalGuard has support for RADIUS
servers; SSL VPNs; single sign-on (SSO) web
servers and Active Directory servers; SharePoint, Exchange and Outlook Web App; federation websites, like Google Apps and Microsoft
Office 365; and many more.
The offering does exactly what one would
expect it to – as a dual-factor authentication
server and then some. The different authentication methods include a mobile authenticator
(like Google Authenticator), phone call, SMS,
email, RSA SecurID, Yubico Yubikey, and/or
a number of personal challenge answers to be
set up by the users when they configure their
preferred methods of authentication. Many
of these are taken care of on first startup.
However, if one has the user’s email or phone
number already in an Active Directory field,
PortalGuard can optionally look for some of
that information. PortalGuard also supports
extra logging functionality and tying this
extra data into a SIEM.
The aspects that really set PortalGuard apart
are its granularity of controls, ease of use and
contextual-based authentication. The tool
allows every detail to be different between
user groups, or even individual users, all from
an easy-to-use GUI application that sits on the
server. With the configurable contextual-based
authentication, if a user logs in consistently
from a certain IP at the same time every day
and doesn’t get their password wrong, PortalGuard does not need to ask for another factor.
If a user is logged into a local network inside
the building, the policy could be set to be a
little more relaxed than if the user was logging
in through a VPN while on vacation.
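As an added illustration of the contextual authentication just described (example code written for this review page, not PortalGuard's own implementation), the Python below decides whether a login needs a second factor from the user's password result, source address, login hour and whether the session arrives over VPN. The trusted LAN range, the history thresholds and the sample login history are constructed for the example; a real deployment would tune them per user group, which the review notes PortalGuard allows.

```python
"""Contextual (risk-based) second-factor decision.

Added illustration only: it models the behaviour described in the review, not
PortalGuard's code. Thresholds, LAN range and sample history are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class LoginAttempt:
    user: str
    src_ip: str
    when: datetime
    password_ok: bool
    via_vpn: bool


@dataclass
class Policy:
    trusted_lan: str = "10.0.0.0/8"   # assumed corporate LAN range (constructed)
    min_history: int = 5              # successful logins from an IP before it is "known"
    hour_window: int = 1              # +/- hours around previously seen login hours
    relaxed_on_lan: bool = True       # tolerate an odd hour from a known LAN address


def assess(attempt: LoginAttempt, history: list, policy: Policy):
    """Return (require_second_factor, reasons) for one login attempt."""
    if not attempt.password_ok:
        # A wrong password is never a trusted signal: step up (the login fails anyway).
        return True, ["password incorrect"]
    reasons = []
    if attempt.via_vpn:
        reasons.append("login via VPN")
    # Only successful logins by this user from this exact address count as history.
    prior = [h for h in history
             if h.user == attempt.user and h.password_ok and h.src_ip == attempt.src_ip]
    if len(prior) < policy.min_history:
        reasons.append("source IP not yet established for this user")
    elif not any(abs(attempt.when.hour - h.when.hour) <= policy.hour_window for h in prior):
        reasons.append("outside the user's usual login hours")
    on_lan = (not attempt.via_vpn) and ip_address(attempt.src_ip) in ip_network(policy.trusted_lan)
    if policy.relaxed_on_lan and on_lan and reasons == ["outside the user's usual login hours"]:
        reasons = []   # the in-building policy is a little more relaxed than the VPN policy
    return bool(reasons), reasons


def sample_history():
    """Constructed history: alice logs in from her desk at about 08:05 on five weekdays."""
    return [LoginAttempt("alice", "10.1.2.3", datetime(2015, 4, day, 8, 5), True, False)
            for day in range(6, 11)]


def demo(policy: Policy = Policy()):
    """Run four constructed scenarios and return their decisions, keyed by name."""
    hist = sample_history()
    scenarios = {
        "usual_desk_login": LoginAttempt("alice", "10.1.2.3", datetime(2015, 4, 13, 8, 20), True, False),
        "late_from_desk": LoginAttempt("alice", "10.1.2.3", datetime(2015, 4, 13, 22, 0), True, False),
        "vpn_from_hotel": LoginAttempt("alice", "203.0.113.7", datetime(2015, 4, 13, 23, 0), True, True),
        "wrong_password": LoginAttempt("alice", "10.1.2.3", datetime(2015, 4, 13, 8, 20), False, False),
    }
    return {name: assess(a, hist, policy) for name, a in scenarios.items()}


if __name__ == "__main__":
    for name, (step_up, why) in demo().items():
        print(f"{name:18s} second factor required: {step_up}  {why}")
```

The familiar-desk login and the late login from the same LAN address pass on the password alone; the VPN login from an unknown address and the wrong-password attempt both require the second factor, with the reasons returned so they can be logged or fed to a SIEM, as the review says PortalGuard supports.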
PistolStar PortalGuard is one of the most
full-featured products we’ve tested with great
value per user, ease of use and impressive customer assistance, as well as support for a wide
range of products and services for multifactor
authentication integration.
For this combination of assets, and with no real downsides, we picked this as our Best Buy.
DETAILS
Vendor PistolStar
Price $10,000 (initial purchase);
$2,500 (yearly renewal).
Contact pistolstar.com
Features
★★★★★
Ease of use
★★★★★
Performance
★★★★★
Documentation
★★★★★
Support
★★★★★
Value for money
★★★★★
OVERALL RATING ★★★★★
Strengths Does everything
expected and then some – with
ease of use and unlimited users.
Weaknesses None.
Verdict Excellent product for
that first step into dual-factor
authentication. We select it as
our Best Buy.
DETAILS
Vendor RSA, the security division
of EMC
Price $46 per user.
Contact emc.com
Features
★★★★★
Ease of use
★★★★★
Performance
★★★★★
Documentation
★★★★★
Support
★★★★★
Value for money
★★★★★
OVERALL RATING ★★★★★
Strengths Scalable, made for
large environments, integration
with many applications.
Weaknesses None found.
Verdict It’s clear why this is one
of the most popular dual-factor
authentication products.
Recommended.
RSA Authentication Manager
The RSA Authentication Manager is
a dual-factor authentication system
designed from the ground up for
enterprise deployment. It is one of the most
widely deployed systems out there and is
available in many different configurations to
fit the needs of any business. In the backend,
RSA Authentication Manager can run as a
VM or preconfigured hardware
appliance. RSA has preconfigured
VMs available for Hyper-V and
VMware virtualization platforms.
End-users can then select from a
credit card-sized token, the traditional dongle
token, the more advanced USB dongle token,
the software token or the mobile device
authenticator. Mobile device authenticator
apps are available for iOS, Windows Phone,
Android and BlackBerry. For larger organizations, individual RSA Authentication
Manager instances can be set up in a pool for
load balancing. Also available is a
self-service component, where users can reset
their PINs or create requests for new tokens.
We received RSA Authentication Manager
as a preconfigured virtual appliance for
VMware. In addition to the software kit, we
received 25 SecurID dongles, 25 SecurID
800 dongles and 25 software token licenses.
After we removed everything from the box,
we logged into our VMware ESX server and
inserted the provided CD containing the
VM. In VMware, we opened the CD and discovered an OVA file with the VM in it. After
opening the OVA, we accepted the license
agreement and VMware did the rest. After
it was done copying files, we powered on the
VM to complete the VM equivalent of hardware setup. After booting, the Authentication
Manager VM automatically started a Linux
shell script which ran us through the network
configuration. Here, we set up our network
settings by following the wizard. Once the
network settings were configured, the VM
then continued starting up and eventually
stopped at a screen which provided us with
a quick setup code and prompted us to complete configuration in our web browser. We
went to the webpage to upload our license,
set the passwords for various accounts and set
up the time. Overall, setup was very easy and,
for the most part, entirely automated.
RSA Authentication Manager is more
expensive than other alternatives, but it also
comes with several features not found anywhere else. RSA is built from the ground up
to be used in an enterprise environment, and
this is clear when using the tool. Its scalability
means that users can set up only one Authentication Manager in smaller environments
and then add more as load increases or the
business grows. This, combined with its tight
integration with popular business applications,
makes it a great choice for organizations of all
sizes.
Our pick for Recommended.
SecureAuth IdP
SecureAuth IdP is an identity provider
with a unique approach to securing
user access control. With control of the
device, applications and even the infrastructure moving out of the data center, IdP is the
perfect solution to maintain secure control of
user access to resources and data, whether on
premise, in the cloud, on the web, via a mobile
device or through VPN. SecureAuth IdP can
be purchased as a standalone subscription service, a preconfigured virtual server, a standard
physical server or a high availability physical
server. The product is an on-premise or cloud-based solution that allows single sign-on
(SSO) and two-factor authentication for many
enterprise environments, such as legacy web
applications, VPNs/gateways, cloud resources
or Windows Logon. This product also offers
the security authentication concepts of “something you have,” as well as the traditional
“something you know.”
The SecureAuth IdP was extremely easy to
set up. We were sent the download link for
the preconfigured virtual server, downloaded
it and logged in with the provided credentials.
Upon initial login to the account, the native
install wizard began installation and we followed the documentation to finish integration
into our network. Once installation was complete, we accessed the SecureAuth SSO portal
and were able to easily manage various user
accounts and credentials. All configuration
and management for the server itself is done
through the web-based management console
that is implemented during installation. Users
are easily added to the business environment
and the admin can easily customize authentication methods for the users’ portable devices.
For documentation we were given the link
to a website. The documentation is clear and
thorough, providing the user with an appliance setup and administrator guide as well
as guides for certain network and application
integrations. The website provides clients
with access to an immense knowledge base to answer most questions and a plethora
of other resources.
SecureAuth IdP provides its clients with a
basic no-cost support option. Licensed users
receive 24/7 coverage, including 24/7/365
phone assistance and an email support staff.
Response times range from
as short as 30 minutes to up to one business
day, depending on the severity of the ticket.
This is an interesting approach to aid and is
definitely a cost-effective solution compared
to other options.
Overall, SecureAuth IdP is the perfect
solution for maintaining secure control of
user access to resources and data, whether on
premise, in the cloud, on the web, via a mobile
device or through VPN. The product is easily
set up and integrated into the network, has a
great price point and offers great support.
DETAILS
Vendor SecureAuth
Price $19.50 per user/per year
(price drops as users are added).
Contact secureauth.com
Features
★★★★★
Ease of use
★★★★★
Performance
★★★★★
Documentation
★★★★★
Support
★★★★★
Value for money
★★★★★
OVERALL RATING ★★★★★
Strengths Provides users with a
variety of authentication methods
and an easy-to-use management
console.
Weaknesses None found.
Verdict With a diverse set of
functionality for authentication
methods and support offered for
licensed users, this product is
definitely worth every penny.
Swivel Secure Swivel Appliance
DETAILS
Vendor Swivel Secure
Price $3,047.04 for virtual
appliance (prices go up for
hardware appliances).
Contact swivelsecure.com
Features
★★★★★
Ease of use
★★★★★
Performance
★★★★★
Documentation
★★★★★
Support
★★★★★
Value for money
★★★★
OVERALL RATING ★★★★★
Strengths The Swivel appliance
can be seamlessly integrated into
an infrastructure with little to no
downtime.
Weaknesses Steep price.
Verdict The easy-to-use management console allows for seamless
integration of authentication for
new users with few steps.
The Swivel Appliance is a competitive
solution for two-factor authentication
methods for clients searching for a
secure product. It supports a variety of
authentication methods, from its own patented
one-time code (OTC) extraction protocol, called PINsafe,
to PINs via OATH tokens, and one-time as
well as password-based methods. PINsafe
authentication can be delivered over SMS, a
mobile app, telephony or in-browser imagery.
Swivel is easily implemented and can integrate
into an IT infrastructure with minimal downtime. This solution also gives users
the satisfaction of knowing that their authentication methods are reliable, safe and secure.
It was easily set up. We were given the links
to download a virtual appliance, downloaded
it and began setup almost immediately.
Also provided was a converter application,
which converts the Windows-based physical machine into a VMware virtual machine
image. This tool was extremely useful because
it made integration into VMware much easier.
The virtual appliance is managed through
Webmin, a web-based management console.
Webmin allowed for the initial configuration
into our network to be extremely simple and
the GUI was clean. The setup, configuration
and integration process is easily followed
through the provided documentation, which offers
peace of mind during this process.
With its streamlined setup process, the
appliance can be easily integrated into one’s
current IT infrastructure. Because the one-time code is not
generated by the server, interception
by an unauthorized user during authentication is nearly impossible.
This can provide a great sense of security
when integrating Swivel into a network or
with the many types of devices supported.
The product is compatible with leading SSL VPN technologies, such
as Juniper, F5, SonicWall, Citrix, Palo Alto,
Cisco and more. Swivel also supports a wide
variety of remote access and web platforms,
such as Microsoft SharePoint, Exchange,
OWA and IIS via an ISAPI filter, as well as a
wide range of cloud services, such as Microsoft Office 365, Huddle, Google Apps and
Salesforce.com. The full list of supported integrations
can easily be found on the website
or in the documentation.
Overall, the Swivel Secure Swivel Appliance
is a great product – but for a steep price. The
easy-to-install functionality of this program
is a great plus; however, the product is tailored toward those with extra money seeking an absolute top-of-the-line product. The
appliance provides exactly that and offers its
clients a simple and intuitive management
console to easily customize authentication
methods for its users. For those who want a
permanent solution to authentication security
and have the extra cash, the Swivel Secure
Swivel Appliance is definitely your product.
VASCO DIGIPASS 760 and DIGIPASS for Mobile
DIGIPASS 760 is a trusted hardware
device for visual transaction-signing
that creates a secure optical communication channel between the end-user (client)
and the organization (server). This product
makes use of QR reader functionality where
a unique code is generated as a token for the
transaction. The DIGIPASS 760 is then used
to read the QR code and give the user the
unique one-time code generated for the transaction. The device can be used in conjunction
with a custom application in order to create a
secure two-factor authentication transaction.
It can also work with mobile platforms to
ensure secure communication between user
and the server.
VASCO’s product was very easy to set up.
We removed the DIGIPASS 760 hardware
device from the package, powered on and
connected to the demo website created for
testing. The hardware device is the size of
a small wallet and is used to decrypt the
information displayed in the cryptogram for
verification. Once powered on and using its
built-in camera, we connected to the VASCO
authentication web address and decrypted
the cryptogram. The cryptogram provided us
with the activation license that we validated
on the company’s website. At this point, the
basic setup was complete and the DIGIPASS
760 device was ready.
The device is easy to use, seeing as we simply pointed the device at the cryptogram and
received the code on the screen. The other
component was the setup of IDENTIKEY
and DIGIPASS gateway on our backend server. IDENTIKEY is the access-management
software installed in order to validate user
login on web-hosted applications. The entire
security package gives users the ability to integrate security with the development of both
mobile- and cloud-based applications. But
most importantly, it can give users peace of
mind when implemented for transaction security. The DIGIPASS 760 is used to validate
the user with the generation of a unique signature. A very important aspect to this service
is that no sensitive data, including account or
cardholder information, is stored as part of
any transaction, which alleviates the burden
from the organization and further protects
user data.
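To make the visual transaction-signing flow concrete, here is an added Python sketch of the exchange between a server and a device of this kind. It is illustrative code written for this page, not VASCO's protocol or the IDENTIKEY API: it assumes a per-device secret shared at activation, an HMAC over the transaction details plus a single-use nonce truncated to an 8-digit code (HOTP-style dynamic truncation), and a base64-encoded JSON payload standing in for the optical cryptogram the QR code carries. The device identifier, account references and amounts are constructed.

```python
"""Visual transaction signing, sketched: the server shows a transaction as a
cryptogram, the device displays it and produces a one-time code bound to
exactly those details, and the server verifies the code once.

Added illustration, not VASCO's protocol. Assumptions: shared per-device
key, HMAC-SHA256 with HOTP-style truncation, base64 JSON as the cryptogram.
"""
import base64
import hashlib
import hmac
import json
import secrets

CODE_DIGITS = 8


def canonical(obj) -> bytes:
    """Deterministic encoding so device and server MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def signing_code(key: bytes, payload: dict) -> str:
    """One-time code bound to the transaction details and the nonce."""
    mac = hmac.new(key, canonical(payload), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation as in RFC 4226
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Server:
    """Holds device keys and the pending (not yet signed) transactions only."""

    def __init__(self):
        self.device_keys = {}
        self.pending = {}

    def enroll(self, device_id: str, key: bytes):
        self.device_keys[device_id] = key

    def issue_cryptogram(self, device_id: str, tx: dict) -> str:
        nonce = secrets.token_hex(8)
        payload = {"dev": device_id, "nonce": nonce, "tx": tx}
        self.pending[nonce] = payload
        return base64.b64encode(canonical(payload)).decode()   # what the QR code carries

    def verify(self, nonce: str, code: str) -> bool:
        payload = self.pending.pop(nonce, None)   # single use: a replayed nonce fails
        if payload is None:
            return False
        expected = signing_code(self.device_keys[payload["dev"]], payload)
        return hmac.compare_digest(expected, code)


class Device:
    """Reads the cryptogram, shows the transaction to the user, computes the code."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def scan(self, cryptogram: str):
        payload = json.loads(base64.b64decode(cryptogram))
        if payload["dev"] != self.device_id:
            raise ValueError("cryptogram was issued for another device")
        # What you see is what you sign: the user confirms these details on the device.
        return payload["tx"], payload["nonce"], signing_code(self.key, payload)


def run_demo() -> dict:
    """Constructed scenarios; returns the verification outcomes by name."""
    key = bytes(range(32))                     # constructed device secret
    server, device = Server(), Device("dp760-0001", key)
    server.enroll("dp760-0001", key)
    intended = {"to": "ACCT-EXAMPLE-1234", "amount": "250.00", "currency": "USD"}

    # 1. Honest flow: the user sees the intended transaction and the code verifies.
    shown, nonce, code = device.scan(server.issue_cryptogram("dp760-0001", intended))
    honest = (shown == intended) and server.verify(nonce, code)

    # 2. Replay: the same nonce and code cannot be used twice.
    replay = server.verify(nonce, code)

    # 3. Details altered before the server issued the cryptogram: the device shows the
    #    altered beneficiary, so the user can refuse to enter the code at all.
    altered = dict(intended, to="ACCT-EXAMPLE-9999")
    shown2, _, _ = device.scan(server.issue_cryptogram("dp760-0001", altered))
    user_refuses = shown2 != intended

    # 4. A code computed over different transaction details does not verify for this nonce.
    _, nonce3, _ = device.scan(server.issue_cryptogram("dp760-0001", intended))
    other_code = signing_code(key, {"dev": "dp760-0001", "nonce": nonce3, "tx": altered})
    cross_tx = server.verify(nonce3, other_code)

    return {"honest": honest, "replay": replay, "user_refuses": user_refuses, "cross_tx": cross_tx}
```

Two properties carry the security argument: the code is a function of the exact details the user saw, so a change to beneficiary or amount either shows up on the device screen or fails verification, and the server keeps only the pending nonce, not cardholder data, in line with the review's point that no sensitive data is stored as part of the transaction.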
Both the DIGIPASS 760 and DIGIPASS
for Mobile provide clients with basic no-cost
or fee-based support options. The fee-based
option offers 5/10 and 24/7 support that varies depending on the initial number of licenses purchased. Levels of support vary from
standard to a remote assistance package.
Overall, both the DIGIPASS 760 and DIGIPASS for Mobile security packages can provide users with peace of mind for security.
Whether for secure transactions, secure communication or mobile and cloud app security,
these VASCO products are well worth checking for users with security on their minds.
DETAILS
Vendor VASCO
Price DIGIPASS 760: $4,030.60;
DIGIPASS for Mobile: $905.75,
with $226.44 maintenance fee.
Contact vasco.com
Features
★★★★★
Ease of use
★★★★★
Performance
★★★★★
Documentation
★★★★★
Support
★★★★★
Value for money
★★★★★
OVERALL RATING ★★★★★
Strengths Limitless options
of integration with custom
applications.
Weaknesses None found.
Verdict With an excellent price
point and the security provided
to its users, this product is a
must-see.
FIRST LOOK
Bromium vSentry
AT A GLANCE
Product vSentry
Company Bromium
Price $150 list price (volume-based discounts available).
What it does Creates micro-VMs
to encapsulate running processes
and protect them from malware.
What we liked This is the most
creative use of virtualization
we’ve seen to date and certainly
the best anti-malware protection
around. We also loved its forensic
capabilities.
The bottom line Absolutely
rock-solid malware protection
and forensic diagnostic tool for
endpoints, arguably the most
vulnerable part of the enterprise.
We hear that anti-malware tools just
are not effective anymore. Malware
is way too sophisticated for the
types of protection that we have relied upon
traditionally. So what is the answer?
A company called Bromium may have solved
this one. The answer is not what it seems on
the surface, though.
A sandbox, by the company’s definition, is
a layer between the malware you are dissecting – or protecting against – and the operating environment. I agree. I would not trust a
sandbox that could be bypassed any number
of ways by a really smart bit of code. Locking
malware in (or out) is exactly what vSentry
does. vSentry contains anything that needs
protection inside a virtual environment and
that environment uses a bare metal hypervisor
– which they call a Microvisor – just as does
our big VMware virtual cluster at the Center
for Advanced Computing.
By placing all vulnerable tasks in the Windows environment inside micro-VMs that
are tied to the hardware, there is no way for
malware to work through a sandbox layer and
attack the operating environment. Each process gets its own micro-VM, and that VM is
dissolved when the process stops, taking any
malware with it.
There are two issues that need to be
addressed to ensure isolation. First, processes
cannot be allowed to write to a “golden
image” that has been installed on the computer. When one of those golden images executes
– in memory, of course – vSentry makes a
copy and writes to the copy. Bromium calls
this process “Copy on Write.” Windows sees
the micro-VM as the executing task and the
micro-VM isolates everything to its own
Microvisor.
The second issue is that malware often will
try to infect anything it can see. In vSentry,
the Microvisor restricts the micro-VM from
seeing anything that it does not need to see in
order to run. Think of this as a sort of “virtual
machine need to know.” If the particular process caged in the micro-VM needs a resource,
it can see it. If it doesn’t, it can’t.
Finally, vSentry limits a process’s access to
the Windows Registry. This prevents malware
from modifying Registry entries, a favorite
malware trick.
But what we liked – perhaps even more than
vSentry itself – was its Live Analysis and Visualization (LAVA). With LAVA you can see the
behavior of otherwise undetectable malware,
including watching execution and capturing
destinations – helpful in finding command-and-control servers – and seeing how the malware attempts to hook processes and modify
the Registry.
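The copy-on-write, need-to-know and Registry rules described above, and the write log a forensic view like LAVA builds on, can be shown in miniature. The Python below is an added illustration written for this page, not Bromium's code: a golden image is modelled as a read-only mapping, each task gets an overlay that captures its writes (copy on write), the task can only see the paths it was granted (need to know), and dissolving the task discards the overlay while handing back the record of what it tried to do. The file and registry paths and their contents are constructed sample data.

```python
"""Micro-VM isolation in miniature: copy-on-write over a golden image plus a
need-to-know view. Added illustration only, not Bromium's implementation.
Paths and contents are constructed sample data."""
from types import MappingProxyType


class MicroTask:
    """One isolated task. Writes land in an overlay; reads fall through to the golden image."""

    def __init__(self, golden, visible):
        self._golden = golden          # read-only view of the installed image
        self._visible = set(visible)   # resources the task needs in order to run
        self._overlay = {}             # copy-on-write layer, private to this task
        self._log = []                 # what the task tried to do (forensic record)
        self.alive = True

    def _check(self, path, op):
        if not self.alive:
            raise RuntimeError("task already dissolved")
        if path not in self._visible:
            self._log.append((op, path, "denied: not visible"))
            raise PermissionError(f"{path} is not visible to this task")

    def read(self, path):
        self._check(path, "read")
        self._log.append(("read", path, "ok"))
        return self._overlay.get(path, self._golden.get(path))

    def write(self, path, data):
        self._check(path, "write")
        self._overlay[path] = data     # the golden image itself is never touched
        self._log.append(("write", path, "ok (overlay)"))

    def dissolve(self):
        """End the task: the overlay disappears with it; only the log survives."""
        self.alive = False
        self._overlay.clear()
        return list(self._log)


def run_demo():
    """Constructed scenario: a task changes an autorun key and drops a file inside its view,
    then tries to read a document it was never granted."""
    base = {
        "C:/Windows/System32/drivers/etc/hosts": "127.0.0.1 localhost",
        "HKCU/Software/Microsoft/Windows/CurrentVersion/Run": "",
        "C:/Users/alice/Documents/plan.docx": "confidential",
    }
    snapshot = dict(base)
    golden = MappingProxyType(base)
    allowed = {"C:/Windows/System32/drivers/etc/hosts",
               "HKCU/Software/Microsoft/Windows/CurrentVersion/Run",
               "C:/Users/alice/Downloads/update.exe"}
    task = MicroTask(golden, allowed)

    task.write("HKCU/Software/Microsoft/Windows/CurrentVersion/Run", "update.exe")
    task.write("C:/Users/alice/Downloads/update.exe", "<binary>")
    inside_view = task.read("HKCU/Software/Microsoft/Windows/CurrentVersion/Run")
    try:
        task.read("C:/Users/alice/Documents/plan.docx")
        blocked = False
    except PermissionError:
        blocked = True
    log = task.dissolve()

    return {
        "task_saw_its_own_change": inside_view == "update.exe",
        "document_blocked": blocked,
        "golden_intact": dict(golden) == snapshot,
        "writes_logged": [p for op, p, _ in log if op == "write"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Inside its view the task believes its Registry change took effect, which is what lets software run normally; outside, the golden image is unchanged once the task dissolves, and the log of attempted writes and denied reads is what an analyst would look at afterwards.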
Overall, this is a first-rate tool and as a way
of isolating a system from malware it is about
the best we’ve seen.
Events Seminars
APRIL
»INTERPOL World 2015
April 14-16
INTERPOL World is a new
international security event that
will showcase innovation, and
achievements among the public
and private sectors in the security arena. It will address the rising
demand for technology to meet
real global security challenges.
It will focus on cybersecurity,
border management, safe cities
and supply chain security.
Venue: Singapore
Contact: cloudsecurityalliance.
org/events/#_industry
»CSA Summit 2015
April 20
Cloud computing is now a
mission-critical part of the
enterprise. Join CSA to discover
lessons learned from enterprise
experts in securing their clouds
and achieving compliance
objectives. A global list of
industry experts will share their
experiences and discuss the key
security challenges of tomorrow.
Get the big picture view of the
future of IT and CSA’s mandate
to revolutionize security at this
traditional Monday kickoff to the
RSA Conference.
Venue: San Francisco
Contact: cloudsecurityalliance.
org/events/csa-summit-2015/
»RSA Conference
April 20-24
This year’s gathering is dedicated
to leading-edge information
security topics, including data
breaches, threats, compliance,
social engineering, cloud, risk
management, applications,
mobile, governance, data, legislation, policy, law, cryptography
and identity management. More
than 400 speakers will be presenting, including General Keith
Alexander, former director, NSA;
Michael Assante, director of ICS,
SANS Institute; Gene Fredriksen, CISO, PSCU; and Johannes
Ullrich, dean of research, SANS
Technology Institute.
Venue: San Francisco
Contact: rsaconference.com
MAY
»SANS Security West 2015
May 4-12
SANS Security West 2015 will
focus on emerging trends and
feature evening talks and an interactive panel discussion on the
future of cybersecurity. Attendees can take courses from top
SANS instructors and real-world
practitioners who can ensure you
not only learn the material, but
that you can apply it immediately
when you return to the office.
Venue: San Diego
Contact: sans.org/info/171472
JUNE
»Infosecurity Europe 2015
June 2-4
Infosecurity Europe addresses the latest challenges in
information security to provide
attendees with business-critical insight, best practice and
practical case studies. Speakers
include information security
thought-leaders from public
and private sector end-users,
policy-makers and government
analysts, industry experts, as
well as service providers and
vendors. More than 345 exhibitors will be on the expo floor and
more than 100 hours of free
education offered.
Venue: London
Contact: infosec.co.uk
Start here for a calendar of events.
To have your event included, contact
[email protected]
»SC Congress Toronto
June 10-11
SC Congress Toronto returns for
another exciting two-day program. We’re bringing together
leaders in the information
security industry in both the
public and private domains, particularly based in Canada. You
will have a chance to walk our
expo floor exploring the latest
trends and products best suited
for your company, as well as
sit in on keynote and breakout
sessions. Don’t miss this opportunity to earn nine CPE credits,
network with other information
security professionals, and better equip yourself to stay ahead
of the pack.
Venue: Toronto
Contact: congress.scmagazine.com/page.cfm/link=10
»Portland SecureWorld
June 17
This gathering offers a full day
of cybersecurity education. Attendees can earn up to eight CPE
credits, network with industry
peers and partake in any of 30-plus
educational elements.
Venue: Portland, Ore.
Contact: secureworldexpo.com/
portland/home
»Gartner Business
Intelligence & Information
Management Summit
June 23-24
This year’s agenda explores
how to apply new technologies
and information management
practices, analytics and business
intelligence to improve performance management, generate
new revenue and drive progress
toward business goals.
Venue: São Paulo
Contact: gartner.com/
technology/summits/la/
business-intelligence-brasil
»SANS Rocky Mountain
2015
June 22-27
Attendees will see the SANS
promise in action: what one
learns in the classroom will be applicable to use immediately upon
returning to the office.
Venue: Denver
Contact: sans.org/u/PJ
JULY
»SANS Capital City 2015
July 6-11
Choose from an outstanding
offering of courses. SANS knows
that training and travel budgets
are tight, so it is offering courses
at the Capital Hilton.
Venue: Washington, D.C.
Contact: sans.org/u/PO
ADVERTISER INDEX
Company | Page | URL
CyberSponse | 19 | cybersponse.com
Dell | 5 | software.dell.com
LogRhythm | Inside Front Cover | logrhythm.com
SANS | 7 | sans.org
SC Awards 2015 | Inside Back Cover | awards.scmagazine.com
SC Congress Toronto | Back Cover | sccongress.com/toronto
LastWord
Avoid a network stampede
IoT will require a
new approach to
security, says
vArmour CEO
Timothy Eades.
Both enterprises and the
consumer anxiously
await the convenient
future promised by the
Internet of Things. The
predictions place IoT at the
precipice of opportunity, but
for users and companies to
fully tap its potential, they
must first remove obstacles
preventing a completely connected and secure network.
People are plugging into a
virtual stream of data, which
offers great promise, productivity and an improved
way of life. But, simultaneously, it creates gateways for
attackers to penetrate. Every
device and login is a potential access point for attack,
making protecting against
every intrusion impractical. Already, found vulnerabilities and reported hacks
suggest a foreboding future
in which hackers can spy on
our homes or use a cool new
office gadget to make their
way to sensitive information.
Data’s new nature –
coupled with poor process
management and the rapid
evolution of the malware
landscape – will mean
unprecedented and potentially disastrous modes of
attack, unless users implement software-based security
to accommodate the changing landscape.
To make IoT safe, users
and companies must devise
a way to visualize networks
and understand their traffic
at a lateral level – from device
to device. Moreover, security
processes need to improve
between C-level execs, gatekeepers and users to align
them in a world of increasing
information and connectivity.
It is already difficult to
view laterally moving data
traffic in existing data
centers. In 2015, it can be
expected that the expanding
IoT space, with its growing
number of interconnected
devices serving as data hubs,
will fall victim to the same
issue, obscuring data moving
behind a perimeter.
The current opaque nature
of networked infrastructures
has already made east/west
traffic practically invisible,
creating a virtual playground
for would-be cybercriminals.
In the future, perimeter
defenses will amount to little
more than chain-link fences
weakened by the expanding
thicket of interconnected
devices. Companies will need
to focus on understanding
traffic flows to strategically stop attacks and impede
exfiltration. Additionally,
they will require systems
that map hacker movement
through files. Visualization
of the network will also allow
C-suite executives to understand security and enact
better policies.
Until the recent barrage of
breaches, the C-suite was not
as aware of security concerns
as they should have been.
But hackers aren’t slowing,
and cloud-based information
infrastructures are far from
safe, especially considering
how administrative control is
often managed.
Further, internal monitoring of admin controls will
increase as more attacks gain
momentum, and enterprises
will be more stringent on
gatekeepers and top-down
permissions. But personal and enterprise devices will also need
to be managed as systems
become automated and new
devices are introduced into
company infrastructures.
The face of data infrastructure and function has
dramatically changed as the
enterprise has progressed
down the path of cloud, app
and mobility. What is needed
is the ability to place security
controls closest to the asset
wherever it resides. In this
way, enterprises will have a
distributed and consistent
layer of visibility, control and
threat defense across all of
their assets – physical, virtual
or cloud.
With new devices computing at unprecedented levels,
a smart watch or appliance
will have the computing
power your laptop or phone
now has. Security needs
to be addressed and built
into the networks and IoT
devices or it will open doors
for an attack – and even the
botnets of the future. A new,
software-based, distributed
approach is needed in order
for IoT to realize its full
potential. I hope we are
ready.
2015 SC Awards
Tuesday, April 21, 2015
InterContinental San Francisco
Visit awards.scmagazine.com
to view the finalists and book tickets.
You only have a few
WEEKS
LEFT!
Register TODAY for
SC Congress Toronto
June 10 - 11, 2015
8:15 a.m. - 6:00 p.m.
Metro Toronto Convention Centre
SC Magazine subscribers
can register today for $595.
At SC Congress Toronto you
will:
• Gain insights from leading
industry insiders convened only
for SC Congress Toronto
• Experience firsthand the latest cybersecurity
solutions in our newly enhanced
Exhibition Hall
• Network with information
security luminaries and peers
over two days
• Earn up to 14 CPE credits
Kindly visit our new website at www.scongress.com and register today. Through April 15, please
use Discount Code EARLYBIRDPRINT to receive $700 off the Full Conference Rate of $1,295.
Visit SCMagazine.com for the latest in cybersecurity and to sign up for our newsletters and more.