The Apple OS X Malware Myth

Over the last week or so, the internet has been awash in reports of the latest piece of malware targeting Apple OS X systems, called MacDefender, MacSecurity or MacProtector. This is a piece of software that Symantec calls FakeAV, which is an entire family of “scareware.” A browser window pops up and says the machine is infected and that you should download a particular piece of software to remove the issue, when in fact the software you download is the payload that infects your machine. This is not new to the Windows camp, as FakeAV products have been around for many years. Every day, many bogus antivirus and security applications are released and pushed to unsuspecting users through various delivery channels. Many of these programs turn out to be clones of each other. They are often created from the same code base but presented with a different name and look, achieved through the use of a "skin". These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.

Risk as a Calculation

The problem is that we don’t typically have a disciplined methodology for arriving at a plan of action. Consider the following: you have to know what the loss is that you are trying to avoid. Sound simple? I assure you that most money is spent protecting assets without any regard to the loss that they represent. Remember, it’s not the laptop computer that you are protecting per se. It is the monetary value of some aspect of that asset. It could be the replacement cost of the asset. Do you think that would change your view of what was needed as a control? Of course! The replacement value of the computer is only a factor if you physically lose the computer or it is broken through physical damage. Anti-theft devices, padded carrying cases, and security awareness training for employees are all possibilities, but if the cost of these measures exceeds the cost of the computer, then I’m guessing that you wouldn’t be likely to apply them. You may do some but not all, and it would depend on an analysis of which would represent the greater cost reduction.

Security Basics: Managing the Threat Part 4

(Network Access Control and Gateway Protection) In previous blogs we talked about the need to educate end users, knowing the details of what activity is occurring on your network, and managing the threat through compliance. In part 4, we’re going to talk about protecting your network and web/email traffic. First, let’s talk about Network Access Control. Most enterprises have widespread networks across multiple locations with hundreds or thousands of network ports at each. Protecting these networks gives you peace of mind that a rogue machine will not get on the network and potentially capture data or cause disruptions. Another way to think of this is network endpoint compliance: compliant machines get access to the network.

Risk vs. Security

It is interesting that there is no equivalent term in Latin for risk outside of the word for danger. While security is the state of being free from danger or threat, risk is a more complex topic and cannot be addressed without the concept of loss. It is the probability, not merely the possibility, of something unpleasant or unwelcome happening that will result in a loss of some kind (life, liberty, property). The term did not even come into existence until the 17th century, after the Medici had leveraged eastern mathematics in the calculation of probability in financial terms, and still the word risk is derived from the word danger. Big mistake!

Keeping Enterprise IT Systems Secure

“Good security doesn’t stop with just an anti-virus client and a perimeter firewall.” Government Security News (GSN) recently published an article written by DLT Engineer, Aaron Payne, about bringing “Security back to the basics: Managing the threat” that addresses the concern that there are many layers necessary to keeping enterprise IT systems secure.

Security Back to Basics: Managing the Threat (part 3b)

In previous blogs we talked about needing to educate the end users and knowing the details of what activity is occurring on your enterprise’s systems. In part 3, we’re going to talk about Compliance and Endpoint Management. Simply speaking, Compliance is setting a policy and measuring how well you adhere to that policy. If a policy is set to only allow passwords longer than 8 characters in your enterprise, Compliance is the measurement of how well that policy is enforced. Any deviations or exceptions from the policy are clearly documented and recorded. So why is Compliance important? A well-developed endpoint security policy ensures that common attacks and threats can be mitigated before they happen. By adhering to that policy, you are protected and secure from attacks without any other controls. There are many examples of compliance guidelines, like NIST 800-53 and FDCC (Federal Desktop Core Configuration).

Uncommon Criteria

I am often asked to explain the Common Criteria certification process. If you dig below the surface a bit you will find that Common Criteria certification is very Un-Common. The name originated in the multilateral agreement that established the process in 2000: Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security. The certification is called ‘Common’ criteria because the ‘Arrangement’ was initially agreed to, in common, by the nations of Australia, Canada, Finland, France, Germany, Greece, Italy, The Netherlands, New Zealand, Norway, Spain, the United Kingdom, and the United States of America. It just so happens that these countries often cooperate on global security issues, more so than, for example, with China or the Russian Federation. The value of the certification is the assurance to manufacturers that the product certificate will be accepted by signatories to the Arrangement. In many cases a project engineer or architect may look first to the list of certified products rather than marketing collaterals when designing a secure system. So, if vendors expect to sell into a secure environment, the applicability of Common Criteria certification should be a consideration early in the product roadmap.

Tips on FIPS

If you have come across a requirement for product compliance with FIPS 140-2, Security Requirements for Cryptographic Modules, you may have wondered about FIPS and its applicability to information technology products. FIPS is the acronym for Federal Information Processing Standards. FIPS was established in the 1960s to provide uniform guidelines or specifications for processes, data interchange, and functionality within the Federal government’s early information technology departments. Currently FIPS are maintained by the National Institute of Standards and Technology (NIST). In general, FIPS are developed and issued when there are no industry standards available for citation in requirements and/or procurement documents.

Security Back to Basics - Part 3a (Managing the Threat)

In previous blogs we talked about needing to educate the end users and knowing the details of what activity is occurring on your enterprise’s systems. In part 3, we’re going to talk about managing the threats that occur with a layered approach. Good security doesn’t stop at the endpoint with just an antivirus client, and it doesn’t stop with just a perimeter firewall. It starts with good knowledge of your environment and grows out to each layer (Network, Endpoints, Client Hardware, Storage, etc.); we’ll talk about each one in the next paragraphs.

Security: Back to basics (Part 2 – Knowing what you don’t know)

In Part 1 we investigated effective end-user education by making users take part in exercises to ensure that they are aware of risks out in the wild that exploit the well-meaning insider. In Part 2, we’ll educate the IT department by learning what’s happening on their network. The best way to do this is with an appliance like the Symantec Security Information Manager (SSIM). SSIM works by collecting logs from a multitude of sources, whether they be network devices like firewalls and routers or application log files like IIS or Symantec Endpoint Protection, and correlating events to determine if any malicious activities are occurring across multiple layers. This level of visibility into the enterprise is critical to maintaining your level of situational awareness.