Friday, January 30, 2009

This blog goes to Eleven

Woo-hoo, I made it to double digits on the leader board! Can you see the confetti and marching band going by <insert music here>?  Sure, Lori may do close to 11 a week but I’m starting to contribute a lot more.  Back when I entered my first blog, I was ripe with excitement and ready to school the world with insightful, topical, and comment-able entries.  I launched my blogging tool and stared as the cursor kept blinking waiting for that magical inspiration.  If you do any amount of writing, no matter what the vehicle, there are going to be days where you wonder, ‘I got a lot of things on my mind but what do I want to share,’ or ‘I got nothing on my mind and a deadline to meet.’ 

‘Oh, a shiny penny!’

I attended a party a few years back and had the chance to chat with M. Night Shyamalan just as he was finishing The Village.  Like his work or not, we had an interesting conversation about writing, artists, movies, family and a bunch of other topics.  At one point, I asked him flat out, ‘Do you write when you ‘feel’ it or have inspiration or do you just plunk yourself down every day and tap some words out?’  He said (now granted, this is his profession), ‘This is my work, this is my job.  I go to the office every day whether I have ideas or not, and just start writing – sometimes it’s good, sometimes it isn’t….but I do it.’ 

A few weeks ago I reminded myself of that and made it a mission to increase my submissions.  Fortunately & unfortunately, there have been many security incidents reported since the new year and plenty to write about.  Before, I would read a story, and then all the other articles/blogs/posts about that story, and feel like the topic had been fully covered.  Now when I see something of interest, I jump on it and give my perspective.  I hope you find them interesting and I appreciate your continued support.  And if you are a blogger and having difficulty today getting a word out – maybe just talk about your own blog today, like I did.  Next year, we all can claim January 30, 2010 as ‘Blog about your own Blog’ Day. Just make it one louder.


Thursday, January 29, 2009

Encryption Anywhere and Everywhere

Will 2009 be the year when 'Encryption Everywhere' becomes a necessity? If you noticed, many of the recent breaches, like TJX and Heartland, happened on the internal, private network. Scammers were able to get onto the private network and watch as sensitive info flew by in clear text. Certainly, there are many technologies that should help keep those undesirables off the internal network, if configured properly. But if they do make it in, one easy way to deny them that front-row seat is to encrypt sensitive info on the internal network. We've discussed how PCI DSS only covers transmissions over the public network(s), yet these breaches occurred on the internal network. This isn’t a challenge to PCI to include encryption on private networks, but I do think they should consider it soon.  Even the Heartland CEO is now saying they are going to adopt end-to-end encryption. Others should follow, as the cost barriers have dropped since the initial PCI scope was set.

OK, it's good that these huge credit card processing firms are protecting our information as it navigates their networks. But how would/could this be applicable to an enterprise that might not need to be PCI compliant? Aren’t there some sensitive financial statements or sales numbers that need to be kept confidential? What about sensitive documents that hold trade secrets or patent information? There's plenty of information on the internal network that probably should be secured - even from insiders. You can certainly restrict users to certain subnets & VLANs when they connect to the domain. And there are solutions like BIG-IP Secure Access Manager that can do all the endpoint host checks, AAA authentication, ACLs, resource assignment and granular application access control for remote workers. This ensures that users only have access to certain resources, subnets, applications and so forth. But that might not protect the sensitive file from being seen as it passes through the internal network to the CFO's office/device. Here again, BIG-IP SAM can play a role in protecting your internal LAN and files.

Think of it this way. Many companies have Intranets which are only accessible when authenticated to the domain. Many of these sites also have numerous links to the various internal resources available when you're 'on-net', like 'Human Resources' or 'Corporate IT' or 'Customer info' or 'Finance.' For most of the links, like HR for instance, users should be able to navigate and download files pertaining to insurance, benefits and any other pertinent info. These might just be the PDF versions of the insurance brochure and don't need any additional security measures. But, say I'm the CFO and I click through to the Finance portal. Even here, you can restrict access to only certain users. There might be some documents pertaining to the last fiscal quarter and maybe some other non-sensitive files available. But also available are the current fiscal quarter numbers, and those certainly need to be kept confidential. With BIG-IP SAM, you can create a policy that launches an SSL tunnel for specific resources that need confidentiality. So when the CFO tries to access the sensitive financial info, BIG-IP SAM can create an encrypted tunnel so that even if someone is sniffing the network, they won't be able to see the jewels.

So you might not need encryption Everywhere but you do need it Anywhere.  Anywhere there’s a potential risk and threat.   Granular Application Access Control that's Fast, Available, Secure.


Friday, January 23, 2009

Another Breach, another F5 Solution

Yesterday I wrote about how some of the recent security incidents seemed to play on old school social engineering like phishing & unaware users. I suggested that for 2009, re-training users on both the old & new potential perils of the internet might be worth doing. Today, let's look specifically at the Heartland breach and how F5 technology would be able to prevent this.

Let's set it up a little. High-end criminals have moved on from trying to steal a couple of credit cards from a single merchant to attempting breaches of these large payment processing firms. 100 million transactions a month is much more attractive than the dry cleaners down the street. They go where the data is. Another contributing factor is PCI. PCI is great at setting minimum requirements and an excellent starting point for securing electronic transactions. PCI requires encryption of sensitive data over the public infrastructure, but PCI does not require encrypted transmission on private networks. This is where the breach occurred. With very little info to go on (as they haven't released much), it seems that a phishing scam got the crooks onto the network; they installed a sniffer and were able to see the sensitive data passing in clear text. Visa & MasterCard noticed something fishy and alerted Heartland. By then, the damage was done.

So could this have been prevented? Most experts agree that an additional layer of encryption on the internal transmissions would have prevented the sniffer from seeing actual data. Some would argue that requiring encryption on the private systems would be costly...but so is a breach.

Now, could this have been prevented with F5 solutions? Yes, with BIG-IP Secure Access Manager (SAM). BIG-IP SAM is a high-performance, flexible platform for Unified Security along with granular Identity and Access Management (IAM) capabilities. BIG-IP SAM uses SSL technology to encrypt data and provides policy-based, secure access to enterprise applications for any client. In fact, the same FirePass DevCentral SDK is fully compatible with BIG-IP SAM. (we do have an updated SDK coming with additional examples (e.g. Vista gadget example), and documentation updated to cover BIG-IP SAM.) But, even the existing SDK works great if you replace references to FirePass with SAM. There are also a few scripts for administrators looking to build this into Linux-based appliances or embedded systems. The API is useful if you’d like to build the secure access function directly into client-side financial applications.

How would this work? Our new BIG-IP Secure Access Client (running in the background, auto-connecting/reconnecting) along with BIG-IP SAM or BIG-IP LTM + SAM add-on (to provide authentication, authorization, confidentiality, and access control) can be a great fit for protecting sensitive internal servers or networks (e.g. access to financial or HR internal networks). The client can be configured with location-awareness, for example, to always keep the Secure Access Client connected. You can then configure split-tunneling so that “only” the traffic to particular networks/subnets or servers goes over the secure tunnel - such as sensitive 'batch' transaction data. All other traffic is routed in the normal way to the internal network.

For example, if within your infrastructure all financial servers were on a particular network/subnet, you’d put a BIG-IP SAM or BIG-IP LTM + SAM in front of this network/subnet. Then, deploy the Secure Access Client, and configure split-tunneling so that only traffic to this particular network is routed over the Secure Access tunnel. Since the client is running in the background (systray), users (or even the lone server) will not have to do anything special. The traffic to the protected network is sent over an SSL tunnel running in the background, while normal internal traffic is unaffected.
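An added illustration of the split-tunnel idea above (example code, not F5's and not from the original post): given the subnets an administrator has chosen to route over the tunnel, it audits sample flows for card data that would still cross the LAN in clear text, which is exactly what a sniffer on the private network would see. The subnets, flows and card numbers are constructed test values, not anything from this page.

```python
import ipaddress
import re

# Subnets an administrator chose to route over the SSL tunnel (constructed, hypothetical values).
PROTECTED_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/16"),   # e.g. the financial servers' network
    ipaddress.ip_network("10.30.5.0/24"),   # e.g. an HR file server segment
]

# Candidate card numbers: 13 to 19 digits delimited by non-word characters.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(payload: str) -> bool:
    """True when the clear-text payload holds at least one Luhn-valid card number."""
    return any(luhn_ok(m) for m in PAN_RE.findall(payload))


def goes_over_tunnel(dst_ip: str, protected=PROTECTED_SUBNETS) -> bool:
    """Split-tunnel decision: only destinations inside a protected subnet are tunnelled."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in protected)


def find_policy_gaps(flows, protected=PROTECTED_SUBNETS):
    """Return destinations of flows that carry card data yet would bypass the tunnel."""
    return [dst for dst, payload in flows
            if contains_pan(payload) and not goes_over_tunnel(dst, protected)]


# Constructed sample flows (destination, clear-text payload) as seen on the LAN without a tunnel.
SAMPLE_FLOWS = [
    ("10.20.4.7", "BATCH|4111111111111111|0999|settle"),   # tunnelled: protected subnet
    ("10.50.1.9", "BATCH|5500000000000004|0999|settle"),   # gap: card data, unprotected subnet
    ("10.50.1.9", "GET /hr/benefits.pdf"),                 # no card data, fine in the clear
    ("10.50.1.9", "ORDER 1234567890123 shipped"),          # 13 digits but fails Luhn, not a PAN
]

if __name__ == "__main__":
    for dst in find_policy_gaps(SAMPLE_FLOWS):
        print(f"card data to {dst} would cross the LAN in clear text; add its subnet to the tunnel policy")
```

Run against real batch-job destinations and the subnet list from your own policy, the same audit shows which sensitive servers were left out of the split-tunnel configuration.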

So, if you're processing sensitive data, need to be 'more' than PCI compliant and don't want to end up in the headlines, F5 can help.


Thursday, January 22, 2009

Blame it on the Brain

Not that it ever let up, but we continue to see breaches, hacks, attacks and malware incidents being reported almost daily.  Botnets abound and the growth of targeted threats (adware, trojans, spyware, browser modifiers) is climbing.

Companies are challenged to keep their infrastructure safe and are deploying various technologies to thwart the threat.  The thing I find fascinating about some of the recent stories is that while some hackers are changing tactics, many of these incidents weren’t accomplished using any ‘advanced’ techniques to break in; they just exploited the human factor.

Human curiosity, willingness to help and general unawareness have helped the malware mania, and in these visceral times we sometimes don’t stop and think of the ramifications of our clicks.  I’m sure many of you have heard about the Social Engineering, the USB Way story, where a consultant ‘seeded’ loaded USB thumb drives in a bank parking lot and watched (with his eyes) as employees grabbed them and watched (via returned emails) as they started to plug them into corporate workstations.  The fake Obama website had a simple link with an eye-catching headline: ‘Barack Obama Has Refused to Be President.’  ‘What?!?  No Way, I gotta read this story…’ Click - and the damage is done.  It has been reported that the Checkfree breach was possibly due to a phishing scheme, and certain MITM (man-in-the-middle) attacks require the user to click through the certificate warnings.

2009 is certain to bring new infections to devices, new techniques to slip through firewalls, new social media outbreaks and probably a few more big names in the headlines – and F5 has plenty of solutions to solve emerging threats - but I also think simple Social Engineering threats will have a huge impact this year.  There are many folks who might be anxious about their situation and when we’re under a lot of stress, we don’t always think clearly.  With all of the technological challenges facing IT departments this year, don’t forget about your users and how our brains work.  These threats, while simple, require new education and refresher training, both to protect your infrastructure and sometimes, us from ourselves.


Wednesday, January 14, 2009

Hello world!

Welcome to This is your first post. Edit or delete it and start blogging!